cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject cxf git commit: Not persisting nonces if pre-authorized tokens are supported
Date Wed, 27 Jan 2016 14:05:25 GMT
Repository: cxf
Updated Branches:
  refs/heads/master a1710bdd7 -> 72653fd11


Not persisting nonces if pre-authorized tokens are supported


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/72653fd1
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/72653fd1
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/72653fd1

Branch: refs/heads/master
Commit: 72653fd113c3bbe0dd543200d982792802be2ae7
Parents: a1710bd
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Wed Jan 27 14:05:10 2016 +0000
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Wed Jan 27 14:05:10 2016 +0000

----------------------------------------------------------------------
 .../grants/code/AbstractCodeDataProvider.java   | 10 ++++--
 .../code/DefaultEHCacheCodeDataProvider.java    |  2 +-
 .../provider/AbstractOAuthDataProvider.java     | 36 ++++++++++++--------
 .../oidc/idp/IdTokenResponseFilter.java         | 25 +++++++-------
 4 files changed, 43 insertions(+), 30 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/72653fd1/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
index 12fd14e..b89c247 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
@@ -39,7 +39,7 @@ public abstract class AbstractCodeDataProvider extends AbstractOAuthDataProvider
     
     protected ServerAuthorizationCodeGrant doCreateCodeGrant(AuthorizationCodeRegistration
reg)
         throws OAuthServiceException {
-        return AbstractCodeDataProvider.initCodeGrant(reg, codeLifetime);
+        return AbstractCodeDataProvider.initCodeGrant(reg, codeLifetime, !isSupportPreauthorizedTokens());
     }
     
     public void setCodeLifetime(long codeLifetime) {
@@ -50,7 +50,9 @@ public abstract class AbstractCodeDataProvider extends AbstractOAuthDataProvider
             removeCodeGrant(grant.getCode());
         }
     }
-    public static ServerAuthorizationCodeGrant initCodeGrant(AuthorizationCodeRegistration
reg, long lifetime) {
+    public static ServerAuthorizationCodeGrant initCodeGrant(AuthorizationCodeRegistration
reg, 
+                                                             long lifetime,
+                                                             boolean useNonce) {
         ServerAuthorizationCodeGrant grant = new ServerAuthorizationCodeGrant(reg.getClient(),
lifetime);
         grant.setRedirectUri(reg.getRedirectUri());
         grant.setSubject(reg.getSubject());
@@ -59,7 +61,9 @@ public abstract class AbstractCodeDataProvider extends AbstractOAuthDataProvider
         grant.setApprovedScopes(reg.getApprovedScope());
         grant.setAudience(reg.getAudience());
         grant.setClientCodeChallenge(reg.getClientCodeChallenge());
-        grant.setNonce(reg.getNonce());
+        if (useNonce) {
+            grant.setNonce(reg.getNonce());
+        }
         return grant;
     }
     protected abstract void saveCodeGrant(ServerAuthorizationCodeGrant grant);

http://git-wip-us.apache.org/repos/asf/cxf/blob/72653fd1/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEHCacheCodeDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEHCacheCodeDataProvider.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEHCacheCodeDataProvider.java
index 12edf9b..f43d69e 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEHCacheCodeDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEHCacheCodeDataProvider.java
@@ -79,7 +79,7 @@ public class DefaultEHCacheCodeDataProvider extends DefaultEHCacheOAuthDataProvi
     
     protected ServerAuthorizationCodeGrant doCreateCodeGrant(AuthorizationCodeRegistration
reg)
         throws OAuthServiceException {
-        return AbstractCodeDataProvider.initCodeGrant(reg, codeLifetime);
+        return AbstractCodeDataProvider.initCodeGrant(reg, codeLifetime, !isSupportPreauthorizedTokens());
     }
 
     public List<ServerAuthorizationCodeGrant> getCodeGrants(Client c, UserSubject sub)
{

http://git-wip-us.apache.org/repos/asf/cxf/blob/72653fd1/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
index e27cf27..e508c7c 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
@@ -61,17 +61,22 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider,
Cl
         return at;
     }
     
-    protected ServerAccessToken doCreateAccessToken(AccessTokenRegistration accessToken)
{
-        ServerAccessToken at = createNewAccessToken(accessToken.getClient());
-        at.setAudiences(accessToken.getAudiences());
-        at.setGrantType(accessToken.getGrantType());
-        List<String> theScopes = accessToken.getApprovedScope();
+    protected ServerAccessToken doCreateAccessToken(AccessTokenRegistration atReg) {
+        ServerAccessToken at = createNewAccessToken(atReg.getClient());
+        at.setAudiences(atReg.getAudiences());
+        at.setGrantType(atReg.getGrantType());
+        List<String> theScopes = atReg.getApprovedScope();
         List<OAuthPermission> thePermissions = 
-            convertScopeToPermissions(accessToken.getClient(), theScopes);
+            convertScopeToPermissions(atReg.getClient(), theScopes);
         at.setScopes(thePermissions);
-        at.setSubject(accessToken.getSubject());
-        at.setClientCodeVerifier(accessToken.getClientCodeVerifier());
-        at.setNonce(accessToken.getNonce());
+        at.setSubject(atReg.getSubject());
+        at.setClientCodeVerifier(atReg.getClientCodeVerifier());
+        if (!isSupportPreauthorizedTokens()) {
+            // if the nonce is persisted and the same token is reused then in some cases
+            // (when ID token is returned) the old nonce will be copied to ID token which
+            // may cause the validation failure at the cliend side
+            at.setNonce(atReg.getNonce());
+        }
         return at;
     }
     
@@ -180,7 +185,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider,
Cl
                                                    List<String> requestedScopes,
                                                    UserSubject sub, 
                                                    String grantType) throws OAuthServiceException
{
-        if (!supportPreauthorizedTokens) {
+        if (!isSupportPreauthorizedTokens()) {
             return null;
         }
 
@@ -196,6 +201,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider,
Cl
         if (token != null 
             && OAuthUtils.isExpired(token.getIssuedAt(), token.getExpiresIn())) {
             revokeToken(client, token.getTokenKey(), OAuthConstants.ACCESS_TOKEN);
+            token = null;
         }
         return token;
         
@@ -343,12 +349,14 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider,
Cl
         this.invisibleToClientScopes = invisibleToClientScopes;
     }
 
+    public boolean isSupportPreauthorizedTokens() {
+        return supportPreauthorizedTokens;
+    }
+
     public void setSupportPreauthorizedTokens(boolean supportPreauthorizedTokens) {
-        // This property can be enabled by default as it is generally a good thing to check
-        // if a token for a given client (+ user) pair exists but doing the queries on every
-        // authorization request for all the client-user combinations might be not cheap,
-        // hence this property is currently disabled by default
         this.supportPreauthorizedTokens = supportPreauthorizedTokens;
     }
 
+    
+
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/72653fd1/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
index 31b2666..ec3f364 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
@@ -63,19 +63,20 @@ public class IdTokenResponseFilter extends AbstractOAuthServerJoseJwtProducer
im
         }
     }
     private void setAtHashAndNonce(IdToken idToken, ServerAccessToken st) {
-        Properties props = JwsUtils.loadSignatureOutProperties(false);
-        SignatureAlgorithm sigAlgo = null;
-        if (super.isSignWithClientSecret()) {
-            sigAlgo = OAuthUtils.getClientSecretSignatureAlgorithm(props);
-        } else {
-            sigAlgo = JwsUtils.getSignatureAlgorithm(props, SignatureAlgorithm.RS256);
-        }
-        if (sigAlgo != SignatureAlgorithm.NONE) {
-            String atHash = OidcUtils.calculateAccessTokenHash(st.getTokenKey(), sigAlgo);
-            idToken.setAccessTokenHash(atHash);
+        if (idToken.getAccessTokenHash() != null) {
+            Properties props = JwsUtils.loadSignatureOutProperties(false);
+            SignatureAlgorithm sigAlgo = null;
+            if (super.isSignWithClientSecret()) {
+                sigAlgo = OAuthUtils.getClientSecretSignatureAlgorithm(props);
+            } else {
+                sigAlgo = JwsUtils.getSignatureAlgorithm(props, SignatureAlgorithm.RS256);
+            }
+            if (sigAlgo != SignatureAlgorithm.NONE) {
+                String atHash = OidcUtils.calculateAccessTokenHash(st.getTokenKey(), sigAlgo);
+                idToken.setAccessTokenHash(atHash);
+            }
         }
-        
-        if (st.getNonce() != null) {
+        if (idToken.getNonce() == null && st.getNonce() != null) {
             idToken.setNonce(st.getNonce());
         }
         


Mime
View raw message