Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 7FD34189FD for ; Mon, 14 Dec 2015 11:08:39 +0000 (UTC) Received: (qmail 70947 invoked by uid 500); 14 Dec 2015 11:08:39 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 70883 invoked by uid 500); 14 Dec 2015 11:08:39 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 70874 invoked by uid 99); 14 Dec 2015 11:08:39 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 14 Dec 2015 11:08:39 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id 2E9C9DFF8D; Mon, 14 Dec 2015 11:08:39 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: sergeyb@apache.org To: commits@cxf.apache.org Message-Id: X-Mailer: ASF-Git Admin Mailer Subject: cxf git commit: Setting the nonce if IdToken is already available on the subject, minor tweak to the scope conversions to avoid the extra space Date: Mon, 14 Dec 2015 11:08:39 +0000 (UTC) Repository: cxf Updated Branches: refs/heads/3.1.x-fixes 4cccc2361 -> b6fd55076 Setting the nonce if IdToken is already available on the subject, minor tweak to the scope conversions to avoid the extra space Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/b6fd5507 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/b6fd5507 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/b6fd5507 Branch: refs/heads/3.1.x-fixes Commit: b6fd55076af90b68853c5b5db8fb8cb54174dd4c Parents: 4cccc23 Author: Sergey Beryozkin Authored: Mon Dec 14 11:07:26 2015 +0000 Committer: Sergey Beryozkin Committed: Mon Dec 14 11:08:14 2015 +0000 ---------------------------------------------------------------------- .../cxf/rs/security/oauth2/utils/OAuthUtils.java | 6 ++---- .../rs/security/oidc/idp/IdTokenResponseFilter.java | 13 +++++++------ 2 files changed, 9 insertions(+), 10 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/b6fd5507/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
index 4974760..d2ae2fa 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
@@ -130,15 +130,13 @@ public final class OAuthUtils {
 public static String convertPermissionsToScope(List perms) {
 StringBuilder sb = new StringBuilder();
 for (OAuthPermission perm : perms) {
- if (perm.isInvisibleToClient()) {
+ if (perm.isInvisibleToClient() || perm.getPermission() == null) {
 continue;
 }
 if (sb.length() > 0) {
 sb.append(" ");
 }
- if (perm.getPermission() != null) {
- sb.append(perm.getPermission());
- }
+ sb.append(perm.getPermission());
 }
 return sb.toString();
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/b6fd5507/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
index f7d6b9a..31b2666 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
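Review bot: In `convertPermissionsToScope`, the new guard skips a permission whose name is null, but an empty name still passes, so the separator is appended and the scope string ends up with a doubled or trailing space, which is the artefact this change sets out to remove. Since the scope value is space-delimited, a consumer that splits on single spaces could then see an empty scope entry. Consider reading the name once and testing both cases, e.g. `String name = perm.getPermission();` followed by `if (perm.isInvisibleToClient() || name == null || name.isEmpty()) { continue; }`. Whether empty names can occur depends on how `OAuthPermission` instances are built, which is not visible in this hunk.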
@@ -49,23 +49,20 @@ public class IdTokenResponseFilter extends AbstractOAuthServerJoseJwtProducer im if (userInfoProvider != null) { IdToken idToken = userInfoProvider.getIdToken(st.getClient().getClientId(), st.getSubject(), st.getScopes()); - if (st.getNonce() != null) { - idToken.setNonce(st.getNonce()); - } - setAtHash(idToken, st); + setAtHashAndNonce(idToken, st); return super.processJwt(new JwtToken(idToken), st.getClient()); } else if (st.getSubject().getProperties().containsKey(OidcUtils.ID_TOKEN)) { return st.getSubject().getProperties().get(OidcUtils.ID_TOKEN); } else if (st.getSubject() instanceof OidcUserSubject) { OidcUserSubject sub = (OidcUserSubject)st.getSubject(); IdToken idToken = new IdToken(sub.getIdToken()); - setAtHash(idToken, st); + setAtHashAndNonce(idToken, st); return super.processJwt(new JwtToken(idToken), st.getClient()); } else { return null; } } - private void setAtHash(IdToken idToken, ServerAccessToken st) { + private void setAtHashAndNonce(IdToken idToken, ServerAccessToken st) { Properties props = JwsUtils.loadSignatureOutProperties(false); SignatureAlgorithm sigAlgo = null; if (super.isSignWithClientSecret()) { @@ -78,6 +75,10 @@ public class IdTokenResponseFilter extends AbstractOAuthServerJoseJwtProducer im idToken.setAccessTokenHash(atHash); } + if (st.getNonce() != null) { + idToken.setNonce(st.getNonce()); + } + } public void setUserInfoProvider(UserInfoProvider userInfoProvider) { this.userInfoProvider = userInfoProvider;
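Review bot: The middle branch, `return st.getSubject().getProperties().get(OidcUtils.ID_TOKEN);`, still returns the stored token without going through `setAtHashAndNonce`, so on that path the response carries whatever nonce and at_hash the stored value already had. The nonce ties the ID token to the client's authentication request and at_hash ties it to the access token being issued; if the stored value was produced for an earlier request, the client's nonce check would either fail or be comparing against an unrelated value. If that property is guaranteed to be minted for the current grant, a comment saying so on this branch would help, e.g. `// pre-built for this grant: nonce and at_hash were set when it was created`. The method starts above the hunk, so the conditions guarding this block are not visible.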
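Review bot: In `setAtHashAndNonce` the nonce is written only when `st.getNonce()` is non-null, so a nonce that is already on the token is never cleared. That matters for the `OidcUserSubject` path, where the token is built from `sub.getIdToken()`: if that constructor carries over the subject's existing claims (not visible here), a request made without a nonce could be answered with a nonce from an earlier authentication. Worth confirming and, if the carry-over is intended, stating it in a comment above the block, e.g. `// keep any nonce already on the token when this grant has none`. The added blank line before the closing brace can go. The middle of the method lies between this hunk and the previous one and is not shown.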