Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 5B2A61802E for ; Mon, 14 Dec 2015 13:57:15 +0000 (UTC) Received: (qmail 99680 invoked by uid 500); 14 Dec 2015 13:57:15 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 99605 invoked by uid 500); 14 Dec 2015 13:57:15 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 99593 invoked by uid 99); 14 Dec 2015 13:57:15 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 14 Dec 2015 13:57:15 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id E7614DFF8D; Mon, 14 Dec 2015 13:57:14 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: coheigea@apache.org To: commits@cxf.apache.org Message-Id: X-Mailer: ASF-Git Admin Mailer Subject: cxf git commit: Fix the implicit flow for OIDC when returning both a access token + id token Date: Mon, 14 Dec 2015 13:57:14 +0000 (UTC) Repository: cxf Updated Branches: refs/heads/master 2f61e43a1 -> ad149504c Fix the implicit flow for OIDC when returning both a access token + id token Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/ad149504 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/ad149504 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/ad149504 Branch: refs/heads/master Commit: ad149504c75ba6bd7dce69861fbc223205569b11 Parents: 2f61e43 Author: Colm O hEigeartaigh Authored: Mon Dec 14 13:56:07 2015 +0000 Committer: Colm O hEigeartaigh Committed: Mon Dec 14 13:56:28 2015 +0000 ---------------------------------------------------------------------- .../security/oauth2/common/OAuthAuthorizationData.java | 9 +++++++++ .../rs/security/oauth2/common/OAuthRedirectionState.java | 11 +++++++++++ .../oauth2/services/AbstractImplicitGrantService.java | 6 ++++-- .../oauth2/services/RedirectionBasedGrantService.java | 2 ++ .../cxf/rs/security/oidc/idp/OidcImplicitService.java | 8 ++++++-- 5 files changed, 32 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/ad149504/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java index d71b228..d5fe5bc 100644 
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
@@ -39,6 +39,7 @@ public class OAuthAuthorizationData extends OAuthRedirectionState implements Ser
 private String endUserName;
 private String authenticityToken;
 private String replyTo;
+ private String responseType;
 private String applicationName;
 private String applicationWebUri;
@@ -201,4 +202,12 @@ public class OAuthAuthorizationData extends OAuthRedirectionState implements Ser
 public void setImplicitFlow(boolean implicitFlow) {
 this.implicitFlow = implicitFlow;
 }
+
+ public String getResponseType() {
+ return responseType;
+ }
+
+ public void setResponseType(String responseType) {
+ this.responseType = responseType;
+ }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/ad149504/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthRedirectionState.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthRedirectionState.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthRedirectionState.java
index 4acc109..0ff4d47 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthRedirectionState.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthRedirectionState.java
@@ -30,6 +30,7 @@ public class OAuthRedirectionState implements Serializable {
 private String audience;
 private String nonce;
 private String clientCodeChallenge;
+ private String responseType;
 public OAuthRedirectionState() {
 }
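Review bot: `OAuthAuthorizationData` gains its own `private String responseType` plus `getResponseType`/`setResponseType`, yet the same commit adds an identical field and accessors to its superclass `OAuthRedirectionState` (the `@@ -30,6` hunk here and the `@@ -123,4` hunk that follows). The subclass field hides the inherited one and the subclass methods override the inherited ones, so the object carries two `responseType` slots and which one is populated depends on the static type of the reference used to set it. Remove the field and both accessors from `OAuthAuthorizationData` and let it inherit them; `secData.setResponseType(...)` in `RedirectionBasedGrantService` keeps working unchanged. The `@@ -123,4` hunk also leaves two blank lines before each new method where the surrounding accessors use one.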
@@ -123,4 +124,14 @@ public class OAuthRedirectionState implements Serializable {
 public void setNonce(String nonce) {
 this.nonce = nonce;
 }
+
+
+ public String getResponseType() {
+ return responseType;
+ }
+
+
+ public void setResponseType(String responseType) {
+ this.responseType = responseType;
+ }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/ad149504/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
index cee77da..5ee52cc 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
@@ -64,7 +64,7 @@ public abstract class AbstractImplicitGrantService extends RedirectionBasedGrant
 boolean tokenCanBeReturned = preAuthorizedToken != null;
 ServerAccessToken token = null;
 if (preAuthorizedToken == null) {
- tokenCanBeReturned = canAccessTokenBeReturned(requestedScope, approvedScope);
+ tokenCanBeReturned = canAccessTokenBeReturned(state, requestedScope, approvedScope);
 if (tokenCanBeReturned) {
 AccessTokenRegistration reg = new AccessTokenRegistration();
 reg.setClient(client);
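Review bot: In the `@@ -64,7` hunk the new `canAccessTokenBeReturned(state, ...)` check is only reached on the `preAuthorizedToken == null` branch; when a pre-authorized token exists, `tokenCanBeReturned` is already `true` from its initialiser two lines above and the request's `response_type` is never consulted. For the OIDC override that means a client whose request did not include the access-token response type still gets one back whenever a pre-authorized token is on file, assuming the remainder of the method (which continues outside this hunk) emits `token` on that flag. Evaluating the hook once before the branch, `boolean tokenCanBeReturned = canAccessTokenBeReturned(state, requestedScope, approvedScope);`, and keeping `if (preAuthorizedToken == null)` as the only condition for creating a new token, would apply the same policy on both paths.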
@@ -135,7 +135,9 @@ public abstract class AbstractImplicitGrantService extends RedirectionBasedGrant
 return Response.seeOther(URI.create(sb.toString())).build();
 }
- protected boolean canAccessTokenBeReturned(List requestedScope, List approvedScope) {
+ protected boolean canAccessTokenBeReturned(OAuthRedirectionState state,
+ List requestedScope,
+ List approvedScope) {
 return true;
 }
 protected void processRefreshToken(StringBuilder sb, String refreshToken) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/ad149504/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
index 53cedaf..85b4b44 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
@@ -214,6 +214,7 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
 secData.setAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE));
 secData.setNonce(params.getFirst(OAuthConstants.NONCE));
 secData.setClientId(client.getClientId());
+ secData.setResponseType(params.getFirst(OAuthConstants.RESPONSE_TYPE));
 if (requestedScope != null && !requestedScope.isEmpty()) {
 StringBuilder builder = new StringBuilder();
 for (String scope : requestedScope) {
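Review bot: The widened `canAccessTokenBeReturned` hook in the `@@ -135,7` hunk has no Javadoc, and its base implementation ignores the new `state` argument and returns `true`, so a subclass author cannot tell what the hook is expected to decide or what `state` carries. A short Javadoc would close that gap: a summary saying it decides whether an access token is added to the implicit-flow redirect, `@param state` as the redirection state captured from the authorization request (including `getResponseType()`), the two scope lists, and `@return` noting that the default always permits the token and that subclasses restrict it. Whether `state` may be null here is not visible in the hunk; the OIDC override dereferences it without a check, so the Javadoc should state the contract either way.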
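Review bot: `secData.setResponseType(params.getFirst(OAuthConstants.RESPONSE_TYPE));` stores the raw `response_type` request parameter in `OAuthAuthorizationData`, which is `Serializable` and is the object the authorization step hands to the consent page and reads back later; the `@@ -256,6` hunk in the same file does the same into `OAuthRedirectionState`. Nothing in either hunk shows the value being checked against the response types this service actually supports, and `OidcImplicitService` later only substring-matches it, so any string a client sends is accepted, carried through the flow and echoed back. If that validation already happens earlier in `startAuthorization` (the start of the method is outside the hunk) a one-line comment at the new call, `// response_type was validated above; stored so the implicit service can decide what to return`, would make that explicit; otherwise reject values outside the supported set before storing them.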
@@ -256,6 +257,7 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
 state.setProposedScope(params.getFirst(OAuthConstants.SCOPE));
 state.setState(params.getFirst(OAuthConstants.STATE));
 state.setNonce(params.getFirst(OAuthConstants.NONCE));
+ state.setResponseType(params.getFirst(OAuthConstants.RESPONSE_TYPE));
 }
 return state;
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/ad149504/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
index 66e5e8b..908d141 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
@@ -24,6 +24,7 @@ import java.util.List;
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
+import org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState;
 import org.apache.cxf.rs.security.oauth2.services.ImplicitGrantService;
@@ -39,8 +40,11 @@ public class OidcImplicitService extends ImplicitGrantService {
 }
 @Override
- protected boolean canAccessTokenBeReturned(List requestedScope, List approvedScope) {
- return requestedScope.contains(ID_TOKEN_AND_AT_RESPONSE_TYPE);
+ protected boolean canAccessTokenBeReturned(OAuthRedirectionState state,
+ List requestedScope,
+ List approvedScope) {
+ return state.getResponseType() != null
+ && state.getResponseType().contains(ID_TOKEN_AND_AT_RESPONSE_TYPE);
 }
 @Override
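Review bot: In the `@@ -39,8` hunk `state.getResponseType().contains(ID_TOKEN_AND_AT_RESPONSE_TYPE)` is a `String` substring test, so it matches any client-supplied value that merely embeds the constant, and — if that constant is the space-separated form (its value is not on the page) — it also fails to recognise the same two response types listed in the other order, which the OAuth multiple-response-type encoding treats as equivalent. Comparing the request's `response_type` as a set of whitespace-separated tokens gives an exact decision on both counts; the version below needs `java.util.Arrays` added to the imports alongside the `java.util.List` the file already has. The `@@ -24,6` import hunk is fine as is.
```java
// … unchanged: canAccessTokenBeReturned(OAuthRedirectionState state, List<String> requestedScope, List<String> approvedScope) signature …
String responseType = state.getResponseType();
if (responseType == null) {
    return false;
}
// response_type is a space-separated, order-insensitive set of values: compare whole tokens, not substrings
List<String> requestedTypes = Arrays.asList(responseType.trim().split("\\s+"));
return requestedTypes.containsAll(Arrays.asList(ID_TOKEN_AND_AT_RESPONSE_TYPE.split("\\s+")));
```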