From serg...@apache.org
Subject cxf git commit: Adding OIDC specific validation of the refreshed token
Date Wed, 03 Feb 2016 12:54:39 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.1.x-fixes 59bbab2f1 -> 12c325a12


Adding OIDC specific validation of the refreshed token


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/12c325a1
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/12c325a1
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/12c325a1

Branch: refs/heads/3.1.x-fixes
Commit: 12c325a12e897b3fac6afbd9ec2fe34dcaaa9d02
Parents: 59bbab2
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Wed Feb 3 12:51:40 2016 +0000
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Wed Feb 3 12:54:23 2016 +0000

----------------------------------------------------------------------
 .../rs/security/oauth2/client/OAuthInvoker.java |  8 +++
 .../oidc/idp/IdTokenResponseFilter.java         |  2 +
 .../oidc/rp/AbstractTokenValidator.java         |  7 ++
 .../cxf/rs/security/oidc/rp/OidcInvoker.java    | 71 ++++++++++++++++++++
 4 files changed, 88 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/12c325a1/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthInvoker.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthInvoker.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthInvoker.java
index 8a28099..45b1dd3 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthInvoker.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthInvoker.java
@@ -57,6 +57,7 @@ public class OAuthInvoker extends JAXRSInvoker {
                     accessToken = OAuthClientUtils.refreshAccessToken(accessTokenServiceClient,

                                                         consumer, 
                                                         accessToken);
+                    validateRefreshedToken(tokenContext, accessToken);
                     MessageContext mc = new MessageContextImpl(inMessage);
                     ((ClientTokenContextImpl)tokenContext).setToken(accessToken);       
   
                     clientTokenContextManager.setClientTokenContext(mc, tokenContext);
@@ -74,6 +75,10 @@ public class OAuthInvoker extends JAXRSInvoker {
         }
     }
     
+    protected void validateRefreshedToken(ClientTokenContext tokenContext, ClientAccessToken
refreshedToken) {
+        // complete
+    }
+
     public void setAccessTokenServiceClient(WebClient accessTokenServiceClient) {
         this.accessTokenServiceClient = accessTokenServiceClient;
     }
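Review bot: The new validateRefreshedToken hook on L60 has no Javadoc, and its only body line is the comment `// complete`, which reads as an unfinished TODO rather than a deliberate no-op extension point. Because the hook is invoked on L51 before the refreshed token is written into the token context, its contract should state that an override rejects the token by throwing (the OIDC override added in this same commit throws OAuthServiceException) and that the default accepts every token. A Javadoc along the lines of "Validates a freshly refreshed access token against the current client token context before it replaces the stored token; the default implementation accepts every token, subclasses throw to reject it" would document that, and replacing the body comment with `// no-op by default: subclasses add protocol-specific checks` avoids the placeholder reading.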
@@ -82,6 +87,9 @@ public class OAuthInvoker extends JAXRSInvoker {
     public void setConsumer(Consumer consumer) {
         this.consumer = consumer;
     }
+    public Consumer getConsumer() {
+        return consumer;
+    }
 
     public void setClientTokenContextManager(ClientTokenContextManager clientTokenContextManager)
{
         this.clientTokenContextManager = clientTokenContextManager;

http://git-wip-us.apache.org/repos/asf/cxf/blob/12c325a1/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
index 6edcc7a..b7a7478 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
@@ -59,6 +59,8 @@ public class IdTokenResponseFilter extends AbstractOAuthServerJoseJwtProducer
im
         } else if (st.getSubject() instanceof OidcUserSubject) {
             OidcUserSubject sub = (OidcUserSubject)st.getSubject();
             IdToken idToken = new IdToken(sub.getIdToken());
+            // if this token was refreshed then the cloned IDToken might need to have its
+            // issuedAt and expiry time properties adjusted if it proves to be necessary
             setAtHashAndNonce(idToken, st);
             return super.processJwt(new JwtToken(idToken), st.getClient());
         } else {

http://git-wip-us.apache.org/repos/asf/cxf/blob/12c325a1/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
index 9e305e3..35c8e87 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
@@ -34,6 +34,7 @@ import org.apache.cxf.rs.security.jose.jwt.JwtToken;
 import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
 import org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthJoseJwtConsumer;
 import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
+import org.apache.cxf.rs.security.oidc.common.IdToken;
 
 public abstract class AbstractTokenValidator extends AbstractOAuthJoseJwtConsumer {
     private static final String SELF_ISSUED_ISSUER = "https://self-issued.me";
@@ -69,6 +70,12 @@ public abstract class AbstractTokenValidator extends AbstractOAuthJoseJwtConsume
             if (claims.getSubject() == null) {
                 throw new OAuthServiceException("Invalid subject");
             }
+            
+            // validate authorized party
+            String authorizedParty = (String)claims.getClaim(IdToken.AZP_CLAIM);
+            if (authorizedParty != null && !authorizedParty.equals(clientId)) {
+                throw new OAuthServiceException("Invalid authorized party");
+            }
             // validate audience
             List<String> audiences = claims.getAudiences();
             if (StringUtils.isEmpty(audiences) && validateClaimsAlways 
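Review bot: The new azp check on L119 casts the claim value to String, so an azp claim that is not a string (a JSON array or number from a misbehaving issuer) surfaces as a ClassCastException instead of the OAuthServiceException the neighbouring checks throw; declaring it as `Object authorizedParty = claims.getClaim(IdToken.AZP_CLAIM);` keeps the same equality test on L120 but turns a non-string value into the "Invalid authorized party" rejection. OIDC Core 3.1.3.7 additionally expects the client to verify that azp is present when the ID Token carries more than one audience; the audience validation that follows starts on L123 but is cut off at the end of the hunk, so that case may be handled there and is worth confirming. The enclosing method starts before the hunk.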

http://git-wip-us.apache.org/repos/asf/cxf/blob/12c325a1/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcInvoker.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcInvoker.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcInvoker.java
new file mode 100644
index 0000000..986d7a5
--- /dev/null
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcInvoker.java
@@ -0,0 +1,71 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oidc.rp;
+
+import org.apache.cxf.rs.security.oauth2.client.ClientTokenContext;
+import org.apache.cxf.rs.security.oauth2.client.OAuthInvoker;
+import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
+import org.apache.cxf.rs.security.oidc.common.IdToken;
+import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
+
+public class OidcInvoker extends OAuthInvoker {
+    private IdTokenReader idTokenReader;
+    @Override
+    protected void validateRefreshedToken(ClientTokenContext tokenContext, ClientAccessToken
refreshedToken) {
+        if (refreshedToken.getParameters().containsKey(OidcUtils.ID_TOKEN)) {
+            IdToken newIdToken = idTokenReader.getIdToken(refreshedToken, getConsumer());
+            
+            OidcClientTokenContextImpl oidcContext = (OidcClientTokenContextImpl)tokenContext;
+            IdToken currentIdToken = oidcContext.getIdToken();
+            
+            if (!newIdToken.getIssuer().equals(currentIdToken.getIssuer())) {
+                throw new OAuthServiceException("Invalid id token issuer");    
+            }
+            if (!newIdToken.getSubject().equals(currentIdToken.getSubject())) {
+                throw new OAuthServiceException("Invalid id token subject");
+            }
+            if (!newIdToken.getAudiences().containsAll(currentIdToken.getAudiences())) {
+                throw new OAuthServiceException("Invalid id token audience(s)");
+            }
+            Long newAuthTime = newIdToken.getAuthenticationTime();
+            if (newAuthTime != null && !newAuthTime.equals(currentIdToken.getAuthenticationTime()))
{
+                throw new OAuthServiceException("Invalid id token auth_time");
+            }
+            String newAzp = newIdToken.getAuthorizedParty();
+            String origAzp = currentIdToken.getAuthorizedParty();
+            if (newAzp != null && origAzp == null 
+                || newAzp == null && origAzp != null
+                || newAzp != null && origAzp != null && !newAzp.equals(origAzp))
{
+                throw new OAuthServiceException("Invalid id token authorized party");
+            }
+            Long newIssuedTime = newIdToken.getIssuedAt();
+            Long origIssuedTime = currentIdToken.getIssuedAt();
+            if (newIssuedTime < origIssuedTime) {
+                throw new OAuthServiceException("Invalid id token issued time");
+            }
+            
+            oidcContext.setIdToken(newIdToken);
+            
+        }
+    }
+    public void setIdTokenReader(IdTokenReader idTokenReader) {
+        this.idTokenReader = idTokenReader;
+    }
+}
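Review bot: The issued-time comparison on L198 auto-unboxes two `Long` values, so an ID token missing iat on either side fails with a NullPointerException rather than the OAuthServiceException used by the other checks; guard it with `if (newIssuedTime == null || origIssuedTime == null || newIssuedTime < origIssuedTime)`. The three-way azp comparison on L190-L192 reduces to `if (!Objects.equals(newAzp, origAzp))` with java.util.Objects, which is easier to read and has the same semantics. The audience check on L180 uses containsAll, which accepts a refreshed ID token that adds audiences beyond the original; OIDC Core 12.2 requires the aud value of the refreshed ID token to be the same as in the original, so an equality comparison is the stricter and more faithful reading. The method also dereferences idTokenReader on L169 without a null check, so an invoker configured without setIdTokenReader fails with a NullPointerException on the first refresh response carrying an id_token; presumably the reader verifies the signature and the standard claims before these comparisons run, which this file does not show.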

