cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject cxf git commit: Splitting UserInfoProvider into two interfaces for OidcImplicitService support the custom id token creation as opposed to users having to do it in SubjectCreator/etc
Date Thu, 11 Feb 2016 12:31:35 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 5fb017cfd -> f32598d94


Splitting UserInfoProvider into two interfaces for OidcImplicitService support the custom
id token creation as opposed to users having to do it in SubjectCreator/etc


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/f32598d9
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/f32598d9
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/f32598d9

Branch: refs/heads/master
Commit: f32598d94cc4b95ebd464ebdde9f646caff18c59
Parents: 5fb017c
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Thu Feb 11 12:31:21 2016 +0000
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Thu Feb 11 12:31:21 2016 +0000

----------------------------------------------------------------------
 .../rs/security/oidc/idp/IdTokenProvider.java   | 28 ++++++++++++++++++++
 .../oidc/idp/IdTokenResponseFilter.java         | 11 ++++----
 .../security/oidc/idp/OidcImplicitService.java  | 24 +++++++++++++----
 .../rs/security/oidc/idp/UserInfoProvider.java  |  5 +---
 .../rs/security/oidc/idp/UserInfoService.java   |  6 ++---
 5 files changed, 57 insertions(+), 17 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/f32598d9/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenProvider.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenProvider.java
new file mode 100644
index 0000000..5bfb0ef
--- /dev/null
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenProvider.java
@@ -0,0 +1,28 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oidc.idp;
+
+import java.util.List;
+
+import org.apache.cxf.rs.security.oauth2.common.UserSubject;
+import org.apache.cxf.rs.security.oidc.common.IdToken;
+
+public interface IdTokenProvider {
+    IdToken getIdToken(String clientId, UserSubject authenticatedUser, List<String>
scopes);
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/f32598d9/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
index 6e7bb92..963aab2 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
@@ -35,7 +35,7 @@ import org.apache.cxf.rs.security.oidc.common.IdToken;
 import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
 
 public class IdTokenResponseFilter extends OAuthServerJoseJwtProducer implements AccessTokenResponseFilter
{
-    private UserInfoProvider userInfoProvider;
+    private IdTokenProvider idTokenProvider;
     @Override
     public void process(ClientAccessToken ct, ServerAccessToken st) {
         // Only add an IdToken if the client has the "openid" scope
@@ -49,9 +49,10 @@ public class IdTokenResponseFilter extends OAuthServerJoseJwtProducer implements
         
     }
     private String getProcessedIdToken(ServerAccessToken st) {
-        if (userInfoProvider != null) {
+        if (idTokenProvider != null) {
             IdToken idToken = 
-                userInfoProvider.getIdToken(st.getClient().getClientId(), st.getSubject(),
st.getScopes());
+                idTokenProvider.getIdToken(st.getClient().getClientId(), st.getSubject(),

+                                           OAuthUtils.convertPermissionsToScopeList(st.getScopes()));
             setAtHashAndNonce(idToken, st);
             return super.processJwt(new JwtToken(idToken), st.getClient());
         } else if (st.getSubject().getProperties().containsKey(OidcUtils.ID_TOKEN)) {
@@ -91,8 +92,8 @@ public class IdTokenResponseFilter extends OAuthServerJoseJwtProducer implements
         }
         
     }
-    public void setUserInfoProvider(UserInfoProvider userInfoProvider) {
-        this.userInfoProvider = userInfoProvider;
+    public void setIdTokenProvider(IdTokenProvider idTokenProvider) {
+        this.idTokenProvider = idTokenProvider;
     }
     
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/f32598d9/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
index 60b638d..359d172 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
@@ -46,6 +46,7 @@ public class OidcImplicitService extends ImplicitGrantService {
     private static final String ID_TOKEN_AND_AT_RESPONSE_TYPE = "id_token token";
     private boolean skipAuthorizationWithOidcScope;
     private JoseJwtProducer idTokenHandler;
+    private IdTokenProvider idTokenProvider;
     
     public OidcImplicitService() {
         super(new HashSet<String>(Arrays.asList(ID_TOKEN_RESPONSE_TYPE,
@@ -97,31 +98,44 @@ public class OidcImplicitService extends ImplicitGrantService {
         
         StringBuilder sb = getUriWithFragment(state.getRedirectUri());
         
-        String idToken = getProcessedIdToken(state, userSubject);
+        String idToken = getProcessedIdToken(state, userSubject, 
+                                             getApprovedScope(requestedScope, approvedScope));
         if (idToken != null) {
             sb.append(OidcUtils.ID_TOKEN).append("=").append(idToken);
         }
         return finalizeResponse(sb, state);
     }
     
-    private String getProcessedIdToken(OAuthRedirectionState state, UserSubject subject)
{
+    private String getProcessedIdToken(OAuthRedirectionState state, 
+                                       UserSubject subject,
+                                       List<String> scopes) {
         if (subject.getProperties().containsKey(OidcUtils.ID_TOKEN)) {
             return subject.getProperties().get(OidcUtils.ID_TOKEN);
+        } else if (idTokenProvider != null) {
+            IdToken idToken = idTokenProvider.getIdToken(state.getClientId(), subject, scopes);
+            idToken.setNonce(state.getNonce());
+            return processIdToken(idToken);
         } else if (subject instanceof OidcUserSubject) {
             OidcUserSubject sub = (OidcUserSubject)subject;
             IdToken idToken = new IdToken(sub.getIdToken());
             idToken.setAudience(state.getClientId());
             idToken.setAuthorizedParty(state.getClientId());
             idToken.setNonce(state.getNonce());
-            JoseJwtProducer processor = idTokenHandler == null ? new JoseJwtProducer() :
idTokenHandler; 
-            return processor.processJwt(new JwtToken(idToken));
+            return processIdToken(idToken);
         } else {
             return null;
         }
     }
 
+    protected String processIdToken(IdToken idToken) {
+        JoseJwtProducer processor = idTokenHandler == null ? new JoseJwtProducer() : idTokenHandler;

+        return processor.processJwt(new JwtToken(idToken));
+    }
+
     public void setIdTokenJoseHandler(JoseJwtProducer idTokenJoseHandler) {
         this.idTokenHandler = idTokenJoseHandler;
     }
-    
+    public void setIdTokenProvider(IdTokenProvider idTokenProvider) {
+        this.idTokenProvider = idTokenProvider;
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/f32598d9/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoProvider.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoProvider.java
index 0a3320a..f318a5b 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoProvider.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoProvider.java
@@ -20,12 +20,9 @@ package org.apache.cxf.rs.security.oidc.idp;
 
 import java.util.List;
 
-import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
 import org.apache.cxf.rs.security.oauth2.common.UserSubject;
-import org.apache.cxf.rs.security.oidc.common.IdToken;
 import org.apache.cxf.rs.security.oidc.common.UserInfo;
 
 public interface UserInfoProvider {
-    IdToken getIdToken(String clientId, UserSubject authenticatedUser, List<OAuthPermission>
scopes);
-    UserInfo getUserInfo(String clientId, UserSubject authenticatedUser, List<OAuthPermission>
scopes);
+    UserInfo getUserInfo(String clientId, UserSubject authenticatedUser, List<String>
scopes);
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/f32598d9/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
index ae9a75a..9955bf9 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
@@ -30,6 +30,7 @@ import org.apache.cxf.rs.security.oauth2.common.OAuthContext;
 import org.apache.cxf.rs.security.oauth2.provider.OAuthDataProvider;
 import org.apache.cxf.rs.security.oauth2.provider.OAuthServerJoseJwtProducer;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthContextUtils;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
 import org.apache.cxf.rs.security.oidc.common.IdToken;
 import org.apache.cxf.rs.security.oidc.common.UserInfo;
 
@@ -46,9 +47,8 @@ public class UserInfoService extends OAuthServerJoseJwtProducer {
         OAuthContext oauth = OAuthContextUtils.getContext(mc);
         UserInfo userInfo = null;
         if (userInfoProvider != null) {
-            userInfo = userInfoProvider.getUserInfo(oauth.getClientId(), 
-                                         oauth.getSubject(), 
-                                         oauth.getPermissions());
+            userInfo = userInfoProvider.getUserInfo(oauth.getClientId(), oauth.getSubject(),

+                OAuthUtils.convertPermissionsToScopeList(oauth.getPermissions()));
         } else if (oauth.getSubject() instanceof OidcUserSubject) {
             OidcUserSubject oidcUserSubject = (OidcUserSubject)oauth.getSubject();
             userInfo = oidcUserSubject.getUserInfo();


Mime
View raw message