From serg...@apache.org
Subject cxf git commit: Updating OIDC RP filter to check if the context ID token has expired
Date Wed, 03 Feb 2016 11:04:17 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.1.x-fixes 809080335 -> 59bbab2f1


Updating OIDC RP filter to check if the context ID token has expired


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/59bbab2f
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/59bbab2f
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/59bbab2f

Branch: refs/heads/3.1.x-fixes
Commit: 59bbab2f13a9e56dcd2dfff971bd608549454b91
Parents: 8090803
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Wed Feb 3 11:02:32 2016 +0000
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Wed Feb 3 11:03:51 2016 +0000

----------------------------------------------------------------------
 .../security/oidc/rp/OidcRpAuthenticationFilter.java  | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/59bbab2f/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java
index 43950fe..3cead95 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java
@@ -36,11 +36,15 @@ import javax.ws.rs.core.UriBuilder;
 
 import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.jaxrs.ext.MessageContext;
+import org.apache.cxf.jaxrs.ext.MessageContextImpl;
 import org.apache.cxf.jaxrs.impl.MetadataMap;
 import org.apache.cxf.jaxrs.utils.FormUtils;
 import org.apache.cxf.jaxrs.utils.JAXRSUtils;
+import org.apache.cxf.rs.security.jose.jwt.JwtException;
+import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
 import org.apache.cxf.rs.security.oauth2.client.ClientTokenContext;
 import org.apache.cxf.rs.security.oauth2.client.ClientTokenContextManager;
+import org.apache.cxf.rs.security.oidc.common.IdToken;
 
 @PreMatching
 @Priority(Priorities.AUTHENTICATION)
@@ -77,9 +81,17 @@ public class OidcRpAuthenticationFilter implements ContainerRequestFilter {
         if (tokenContext == null) {
             return false;
         }
+        IdToken idToken = tokenContext.getIdToken();
+        try {
+            // If ID token has expired then the context is no longer valid
+            JwtUtils.validateJwtExpiry(idToken, 0, idToken.getExpiryTime() != null);
+        } catch (JwtException ex) {
+            stateManager.removeClientTokenContext(new MessageContextImpl(JAXRSUtils.getCurrentMessage()));
+            return false;
+        }
         OidcClientTokenContextImpl newTokenContext = new OidcClientTokenContextImpl();
         newTokenContext.setToken(tokenContext.getToken());
-        newTokenContext.setIdToken(tokenContext.getIdToken());
+        newTokenContext.setIdToken(idToken);
         newTokenContext.setUserInfo(tokenContext.getUserInfo());
         newTokenContext.setState(toRequestState(rc));
         JAXRSUtils.getCurrentMessage().setContent(ClientTokenContext.class, newTokenContext);
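Review bot: A context whose ID token has no `exp` claim still passes the new expiry check, because the third argument to `validateJwtExpiry` is `idToken.getExpiryTime() != null`. Assuming that flag means "claim required", a missing expiry is accepted and the cached context never ages out. OIDC Core makes `exp` mandatory in an ID token, so failing closed with `JwtUtils.validateJwtExpiry(idToken, 0, true);` looks safer. The same expression also dereferences `idToken` before any null check, so if `tokenContext.getIdToken()` can return null the request fails with a NullPointerException instead of reaching the `catch (JwtException ex)` cleanup; a null ID token should be handled like an expired one (remove the context and return false) ahead of the `try`. The enclosing method starts above this hunk and may continue below it.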

