Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id CBE2F18273 for ; Mon, 15 Feb 2016 17:51:09 +0000 (UTC) Received: (qmail 7032 invoked by uid 500); 15 Feb 2016 17:51:09 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 6969 invoked by uid 500); 15 Feb 2016 17:51:09 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 6959 invoked by uid 99); 15 Feb 2016 17:51:09 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 15 Feb 2016 17:51:09 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id 2927FE0A1B; Mon, 15 Feb 2016 17:51:09 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: sergeyb@apache.org To: commits@cxf.apache.org Message-Id: <821d860f704f4f25922b41bbbc02f388@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: cxf git commit: Making sure an open ended set of extra request properties can be passed through the whole OAuth2 chain, starting with supporting an OIDC claims request prop Date: Mon, 15 Feb 2016 17:51:09 +0000 (UTC) Repository: cxf Updated Branches: refs/heads/master b0aab58d3 -> 7d1890510 Making sure an open ended set of extra request properties can be passed through the whole OAuth2 chain, starting with supporting an OIDC claims request prop Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/7d189051 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/7d189051 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/7d189051 Branch: refs/heads/master Commit: 7d1890510a85d4fd7e70faebc56d6685f103621d Parents: b0aab58 Author: Sergey Beryozkin Authored: Mon Feb 15 17:50:51 2016 +0000 Committer: Sergey Beryozkin Committed: Mon Feb 15 17:50:51 2016 +0000 ---------------------------------------------------------------------- .../oauth2/common/AccessTokenRegistration.java | 11 +++++ .../oauth2/common/AccessTokenValidation.java | 1 + .../oauth2/common/OAuthAuthorizationData.java | 11 ----- .../rs/security/oauth2/common/OAuthContext.java | 11 +++++ .../oauth2/common/OAuthRedirectionState.java | 11 +++++ .../oauth2/common/ServerAccessToken.java | 11 +++++ .../oauth2/filters/OAuthRequestFilter.java | 1 + .../grants/code/AbstractCodeDataProvider.java | 1 + .../code/AuthorizationCodeRegistration.java | 9 ++++ .../code/DefaultEncryptingCodeDataProvider.java | 9 +--- .../code/ServerAuthorizationCodeGrant.java | 11 +++++ .../provider/AbstractOAuthDataProvider.java | 1 + .../provider/JoseSessionTokenProvider.java | 6 +++ .../services/AbstractImplicitGrantService.java | 31 +++++++++---- .../services/AuthorizationCodeGrantService.java | 47 +++++++++++++------- 
.../services/RedirectionBasedGrantService.java | 37 ++++++++-------
.../utils/crypto/ModelEncryptionSupport.java | 17 +++++--
.../oidc/idp/OidcAuthorizationCodeService.java | 30 ++++++++++++-
.../security/oidc/idp/OidcImplicitService.java | 21 +++++++++
.../cxf/rs/security/oidc/utils/OidcUtils.java | 13 +++++-
20 files changed, 223 insertions(+), 67 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/7d189051/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenRegistration.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenRegistration.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenRegistration.java
index a4a4a2c..0a00ec4 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenRegistration.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenRegistration.java
@@ -18,8 +18,10 @@
 */
 package org.apache.cxf.rs.security.oauth2.common;
+import java.util.LinkedHashMap;
 import java.util.LinkedList;
 import java.util.List;
+import java.util.Map;
 /**
 * Captures the information associated with the access token request.
@@ -33,6 +35,7 @@ public class AccessTokenRegistration {
 private List audiences = new LinkedList();
 private String nonce;
 private String clientCodeVerifier;
+ private Map extraProperties = new LinkedHashMap();
 /**
 * Sets the {@link Client} instance
@@ -138,4 +141,12 @@ public class AccessTokenRegistration {
 public void setNonce(String nonce) {
 this.nonce = nonce;
 }
+
+ public Map getExtraProperties() {
+ return extraProperties;
+ }
+
+ public void setExtraProperties(Map extraProperties) {
+ this.extraProperties = extraProperties;
+ }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/7d189051/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java
index f7b945d..f48d51c 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java
@@ -79,6 +79,7 @@ public class AccessTokenValidation {
 this.tokenScopes = token.getScopes();
 this.setAudiences(token.getAudiences());
 this.clientCodeVerifier = token.getClientCodeVerifier();
+ this.extraProps.putAll(token.getExtraProperties());
 }
 public String getClientId() {
http://git-wip-us.apache.org/repos/asf/cxf/blob/7d189051/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
index 278303f..ea8ded3 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
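Review bot: `setExtraProperties` stores the caller's reference and accepts null, while the consumers added in this same commit dereference the map unconditionally — `this.extraProps.putAll(token.getExtraProperties())` in the AccessTokenValidation hunk here, and the `getExtraProperties().putAll(...)` calls in the AbstractCodeDataProvider and AbstractOAuthDataProvider hunks — so a data provider that passes null to the setter surfaces as a NullPointerException at token validation or grant creation rather than as "no extra properties". Guarding the setter, `this.extraProperties = extraProperties == null ? new LinkedHashMap() : extraProperties;`, keeps the non-null invariant the field initialiser establishes; the same setter shape is repeated in the OAuthContext, OAuthRedirectionState, ServerAccessToken, AuthorizationCodeRegistration and ServerAuthorizationCodeGrant hunks and would take the same guard. Because the getter hands out the live map and the `putAll` call sites rely on mutating it, a one-line Javadoc on `getExtraProperties` stating that the returned map is modifiable would make that contract explicit.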
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
@@ -25,9 +25,7 @@ import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
-import javax.ws.rs.core.MultivaluedMap;
 import javax.xml.bind.annotation.XmlRootElement;
-import javax.xml.bind.annotation.XmlTransient;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
@@ -51,7 +49,6 @@ public class OAuthAuthorizationData extends OAuthRedirectionState implements Ser
 private String applicationLogoUri;
 private List applicationCertificates = new LinkedList();
 private Map extraApplicationProperties = new HashMap();
- private MultivaluedMap requestParameters;
 private boolean implicitFlow;
 private List permissions;
@@ -260,12 +257,4 @@ public class OAuthAuthorizationData extends OAuthRedirectionState implements Ser
 return allPerms;
 }
- @XmlTransient
- public MultivaluedMap getRequestParameters() {
- return requestParameters;
- }
-
- public void setRequestParameters(MultivaluedMap requestParameters) {
- this.requestParameters = requestParameters;
- }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/7d189051/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java
index 74d7fc2..047208a 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java
@@ -19,7 +19,9 @@
 package org.apache.cxf.rs.security.oauth2.common;
 import java.util.Collections;
+import java.util.LinkedHashMap;
 import java.util.List;
+import java.util.Map;
 /**
@@ -38,6 +40,7 @@ public class OAuthContext {
 private String tokenAudience;
 private String tokenIssuer;
 private String[] tokenRequestParts;
+ private Map tokenExtraProperties = new LinkedHashMap();
 public OAuthContext(UserSubject resourceOwnerSubject,
 UserSubject clientSubject,
@@ -143,4 +146,12 @@ public class OAuthContext {
 public void setTokenIssuer(String tokenIssuer) {
 this.tokenIssuer = tokenIssuer;
 }
+
+ public Map getTokenExtraProperties() {
+ return tokenExtraProperties;
+ }
+
+ public void setTokenExtraProperties(Map tokenExtraProperties) {
+ this.tokenExtraProperties = tokenExtraProperties;
+ }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/7d189051/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthRedirectionState.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthRedirectionState.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthRedirectionState.java
index 4a413a0..3ea84e8 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthRedirectionState.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthRedirectionState.java
@@ -19,6 +19,8 @@
 package org.apache.cxf.rs.security.oauth2.common;
 import java.io.Serializable;
+import java.util.LinkedHashMap;
+import java.util.Map;
 public class OAuthRedirectionState implements Serializable {
@@ -32,6 +34,7 @@ public class OAuthRedirectionState implements Serializable {
 private String nonce;
 private String clientCodeChallenge;
 private String responseType;
+ private Map extraProperties = new LinkedHashMap();
 public OAuthRedirectionState() {
 }
@@ -134,6 +137,14 @@ public class OAuthRedirectionState implements Serializable {
 public void setResponseType(String responseType) {
 this.responseType = responseType;
 }
+
+ public Map getExtraProperties() {
+ return extraProperties;
+ }
+
+ public void setExtraProperties(Map extraProperties) {
+ this.extraProperties = extraProperties;
+ }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/7d189051/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
index 89220f3..515568c 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
@@ -18,8 +18,10 @@
 */
 package org.apache.cxf.rs.security.oauth2.common;
+import java.util.LinkedHashMap;
 import java.util.LinkedList;
 import java.util.List;
+import java.util.Map;
 import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
@@ -38,6 +40,7 @@ public abstract class ServerAccessToken extends AccessToken {
 private List audiences = new LinkedList();
 private String clientCodeVerifier;
 private String nonce;
+ private Map extraProperties = new LinkedHashMap();
 protected ServerAccessToken() {
@@ -167,4 +170,12 @@ public abstract class ServerAccessToken extends AccessToken {
 public void setNonce(String nonce) {
 this.nonce = nonce;
 }
+
+ public Map getExtraProperties() {
+ return extraProperties;
+ }
+
+ public void setExtraProperties(Map extraProperties) {
+ this.extraProperties = extraProperties;
+ }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/7d189051/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
index e8478ad..457beae 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
@@ -169,6 +169,7 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator
 oauthContext.setTokenAudience(validAudience);
 oauthContext.setTokenIssuer(accessTokenV.getTokenIssuer());
 oauthContext.setTokenRequestParts(authParts);
+ oauthContext.setTokenExtraProperties(accessTokenV.getExtraProps());
 m.setContent(OAuthContext.class, oauthContext);
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/7d189051/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
index c03ccf3..f41e172 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
@@ -61,6 +61,7 @@ public abstract class AbstractCodeDataProvider extends AbstractOAuthDataProvider
 grant.setAudience(reg.getAudience());
 grant.setClientCodeChallenge(reg.getClientCodeChallenge());
 grant.setNonce(reg.getNonce());
+ grant.getExtraProperties().putAll(reg.getExtraProperties());
 return grant;
 }
 protected abstract void saveCodeGrant(ServerAuthorizationCodeGrant grant);
http://git-wip-us.apache.org/repos/asf/cxf/blob/7d189051/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeRegistration.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeRegistration.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeRegistration.java
index a3185b7..269e24e 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeRegistration.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeRegistration.java
@@ -19,7 +19,9 @@
 package org.apache.cxf.rs.security.oauth2.grants.code;
 import java.util.Collections;
+import java.util.LinkedHashMap;
 import java.util.List;
+import java.util.Map;
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.UserSubject;
@@ -38,6 +40,7 @@ public class AuthorizationCodeRegistration {
 private String nonce;
 private String clientCodeChallenge;
 private boolean preauthorizedTokenAvailable;
+ private Map extraProperties = new LinkedHashMap();
 /**
 * Sets the {@link Client} reference
 * @param client the client
@@ -139,4 +142,10 @@ public class AuthorizationCodeRegistration {
 public void setPreauthorizedTokenAvailable(boolean preauthorizedTokenAvailable) {
 this.preauthorizedTokenAvailable = preauthorizedTokenAvailable;
 }
+ public Map getExtraProperties() {
+ return extraProperties;
+ }
+ public void setExtraProperties(Map extraProperties) {
+ this.extraProperties = extraProperties;
+ }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/7d189051/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEncryptingCodeDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEncryptingCodeDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEncryptingCodeDataProvider.java
index a3ff5b3..aa943dc 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEncryptingCodeDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEncryptingCodeDataProvider.java
@@ -98,14 +98,7 @@ public class DefaultEncryptingCodeDataProvider extends DefaultEncryptingOAuthDat
 protected ServerAuthorizationCodeGrant doCreateCodeGrant(AuthorizationCodeRegistration reg) throws OAuthServiceException {
- ServerAuthorizationCodeGrant grant =
- new ServerAuthorizationCodeGrant(reg.getClient(), getCode(reg), getGrantLifetime(), getIssuedAt());
- grant.setApprovedScopes(getApprovedScopes(reg));
- grant.setAudience(reg.getAudience());
- grant.setClientCodeChallenge(reg.getClientCodeChallenge());
- grant.setSubject(reg.getSubject());
- grant.setRedirectUri(reg.getRedirectUri());
- return grant;
+ return AbstractCodeDataProvider.initCodeGrant(reg, grantLifetime);
 }
 protected List getApprovedScopes(AuthorizationCodeRegistration reg) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/7d189051/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
index 119cc59..d345fb2 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
@@ -19,7 +19,9 @@
 package org.apache.cxf.rs.security.oauth2.grants.code;
 import java.util.Collections;
+import java.util.LinkedHashMap;
 import java.util.List;
+import java.util.Map;
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.UserSubject;
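Review bot: `doCreateCodeGrant` now delegates to the static `AbstractCodeDataProvider.initCodeGrant(reg, grantLifetime)`, which takes the `grantLifetime` field directly, whereas the removed lines obtained the code and timing through the instance accessors `getCode(reg)`, `getGrantLifetime()` and `getIssuedAt()`; if any subclass of this encrypting provider overrides those accessors, its overrides are silently bypassed after this change. If uniform initialisation with the non-encrypting providers is the intent, a comment on the `return` line, `// grant fields are populated the same way as in AbstractCodeDataProvider; accessor overrides no longer apply`, would make the trade-off visible, otherwise the accessor results should be what is passed in. `initCodeGrant` is not part of this diff, so what it populates (including the nonce the old code here did not set) is inferred from the AbstractCodeDataProvider hunk.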
@@ -42,6 +44,7 @@ public class ServerAuthorizationCodeGrant extends AuthorizationCodeGrant {
 private String clientCodeChallenge;
 private String nonce;
 private boolean preauthorizedTokenAvailable;
+ private Map extraProperties = new LinkedHashMap();
 public ServerAuthorizationCodeGrant() {
@@ -174,4 +177,12 @@ public class ServerAuthorizationCodeGrant extends AuthorizationCodeGrant {
 public void setPreauthorizedTokenAvailable(boolean preauthorizedTokenAvailable) {
 this.preauthorizedTokenAvailable = preauthorizedTokenAvailable;
 }
+
+ public Map getExtraProperties() {
+ return extraProperties;
+ }
+
+ public void setExtraProperties(Map extraProperties) {
+ this.extraProperties = extraProperties;
+ }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/7d189051/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
index 1673659..275081a 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
@@ -72,6 +72,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
 at.setSubject(atReg.getSubject());
 at.setClientCodeVerifier(atReg.getClientCodeVerifier());
 at.setNonce(atReg.getNonce());
+ at.getExtraProperties().putAll(atReg.getExtraProperties());
 return at;
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/7d189051/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JoseSessionTokenProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JoseSessionTokenProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JoseSessionTokenProvider.java
index 0c23db1..edd14a6 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JoseSessionTokenProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JoseSessionTokenProvider.java
@@ -171,6 +171,9 @@ public class JoseSessionTokenProvider implements SessionAuthenticityTokenProvide
 if (!StringUtils.isEmpty(parts[7])) {
 state.setResponseType(parts[7]);
 }
+ if (!StringUtils.isEmpty(parts[8])) {
+ state.setExtraProperties(ModelEncryptionSupport.parseSimpleMap(parts[8]));
+ }
 return state;
 }
 protected String convertStateToString(OAuthRedirectionState secData) {
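Review bot: `parts[8]` is read without a length check in the JoseSessionTokenProvider hunk, so a session state string issued before this change (eight parts) fails with ArrayIndexOutOfBoundsException while such sessions are still live instead of being treated as having no extra properties; `if (parts.length > 8 && !StringUtils.isEmpty(parts[8]))` keeps them readable. The matching `convertStateToString` hunk that follows serialises the map with `secData.getExtraProperties().toString()` (`{k=v, k=v}`), unlike the other fields which go through `ModelEncryptionSupport.tokenizeString`, and nothing escapes the values; a value containing `, `, `=`, `}` or the SEP character — which the OIDC claims request named in the commit message would if it is stored as its raw JSON — cannot be split back unambiguously by `parseSimpleMap`, so the state read back may differ from what was stored. Encoding each value on the write side and decoding it on the read side, or documenting the map as restricted to simple token-safe strings, would close that gap. The method containing this hunk starts outside it, so how `parts` is produced is inferred from the existing `parts[7]` access.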
@@ -199,6 +202,9 @@ public class JoseSessionTokenProvider implements SessionAuthenticityTokenProvide
 state.append(ModelEncryptionSupport.SEP);
 // 7: response_type
 state.append(ModelEncryptionSupport.tokenizeString(secData.getResponseType()));
+ state.append(ModelEncryptionSupport.SEP);
+ // 8: extra props
+ state.append(secData.getExtraProperties().toString());
 return state.toString();
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/7d189051/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
index f3c466b..962ba4a 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
@@ -56,6 +56,7 @@ public abstract class AbstractImplicitGrantService extends RedirectionBasedGrant
 super(supportedResponseTypes, supportedGrantType);
 }
+
 protected Response createGrant(OAuthRedirectionState state,
 Client client,
 List requestedScope,
@@ -65,15 +66,11 @@ public abstract class AbstractImplicitGrantService extends RedirectionBasedGrant
 ServerAccessToken token = null;
 if (preAuthorizedToken == null) {
- AccessTokenRegistration reg = new AccessTokenRegistration();
- reg.setClient(client);
- reg.setGrantType(super.getSupportedGrantType());
- reg.setSubject(userSubject);
- reg.setRequestedScope(requestedScope);
- reg.setApprovedScope(getApprovedScope(requestedScope, approvedScope));
-
- reg.setAudiences(Collections.singletonList(state.getAudience()));
- reg.setNonce(state.getNonce());
+ AccessTokenRegistration reg = createTokenRegistration(state,
+ client,
+ requestedScope,
+ approvedScope,
+ userSubject);
 token = getDataProvider().createAccessToken(reg);
 } else {
 token = preAuthorizedToken;
@@ -111,6 +108,22 @@ public abstract class AbstractImplicitGrantService extends RedirectionBasedGrant
 return finalizeResponse(sb, state);
 }
+ protected AccessTokenRegistration createTokenRegistration(OAuthRedirectionState state,
+ Client client,
+ List requestedScope,
+ List approvedScope,
+ UserSubject userSubject) {
+ AccessTokenRegistration reg = new AccessTokenRegistration();
+ reg.setClient(client);
+ reg.setGrantType(super.getSupportedGrantType());
+ reg.setSubject(userSubject);
+ reg.setRequestedScope(requestedScope);
+ reg.setApprovedScope(getApprovedScope(requestedScope, approvedScope));
+
+ reg.setAudiences(Collections.singletonList(state.getAudience()));
+ reg.setNonce(state.getNonce());
+ return reg;
+ }
 protected Response finalizeResponse(StringBuilder sb, OAuthRedirectionState state) {
 if (state.getState() != null) {
 sb.append("&");
http://git-wip-us.apache.org/repos/asf/cxf/blob/7d189051/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
----------------------------------------------------------------------
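Review bot: The extracted `createTokenRegistration` never copies `state.getExtraProperties()` into the registration, so in this base implicit service the new `extraProperties` carried on `OAuthRedirectionState` through the session is dropped again before `getDataProvider().createAccessToken(reg)`; only a subclass override (presumably the OIDC implicit service listed in the diffstat) forwards it. Adding `reg.getExtraProperties().putAll(state.getExtraProperties());` after `reg.setNonce(state.getNonce());` makes the pass-through the commit message describes generic, and the same line is missing from `createCodeRegistration` in the AuthorizationCodeGrantService hunk further down. The new protected method also has no Javadoc; a sentence stating that it is the extension point for adding request-derived properties to the token registration, and that the returned registration is handed straight to the data provider, would explain why it was extracted.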
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
index 943cfd9..4b78c4e 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
@@ -72,16 +72,16 @@ public class AuthorizationCodeGrantService extends RedirectionBasedGrantService
 OAuthAuthorizationData data = super.createAuthorizationData(client, params, redirectUri, subject, requestedPerms, alreadyAuthorizedPerms, authorizationCanBeSkipped);
- setCodeQualifier(data, params);
+ setCodeChallenge(data, params);
 return data;
 }
- protected OAuthRedirectionState recreateRedirectionStateFromSession(
- UserSubject subject, MultivaluedMap params, String sessionToken) {
- OAuthRedirectionState state = super.recreateRedirectionStateFromSession(subject, params, sessionToken);
- setCodeQualifier(state, params);
+ protected OAuthRedirectionState recreateRedirectionStateFromParams(
+ MultivaluedMap params) {
+ OAuthRedirectionState state = super.recreateRedirectionStateFromParams(params);
+ setCodeChallenge(state, params);
 return state;
 }
- private static void setCodeQualifier(OAuthRedirectionState data, MultivaluedMap params) {
+ private static void setCodeChallenge(OAuthRedirectionState data, MultivaluedMap params) {
 data.setClientCodeChallenge(params.getFirst(OAuthConstants.AUTHORIZATION_CODE_CHALLENGE));
 }
 protected Response createGrant(OAuthRedirectionState state,
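Review bot: With `setCodeChallenge` now applied only inside `recreateRedirectionStateFromParams`, a state restored by the session provider keeps the code challenge it was stored with, whereas the removed override overwrote it with the current request's `code_challenge` parameter (possibly null) even when the state came from the session. Binding the PKCE challenge to the stored session state is the safer choice, but it is a behaviour change the commit message does not mention; a comment on the new override, `// the request's code_challenge is only consulted when no session state exists; a restored state keeps the stored value`, would record the intent. Neither the old nor the new override carries `@Override`, which is what would have caught a signature mismatch like the one this commit introduces in the superclass at compile time.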
@@ -92,16 +92,12 @@ public class AuthorizationCodeGrantService extends RedirectionBasedGrantService
 ServerAccessToken preauthorizedToken) {
 // in this flow the code is still created, the preauthorized token
 // will be retrieved by the authorization code grant handler
- AuthorizationCodeRegistration codeReg = new AuthorizationCodeRegistration();
- codeReg.setPreauthorizedTokenAvailable(preauthorizedToken != null);
- codeReg.setClient(client);
- codeReg.setRedirectUri(state.getRedirectUri());
- codeReg.setRequestedScope(requestedScope);
- codeReg.setApprovedScope(getApprovedScope(requestedScope, approvedScope));
- codeReg.setSubject(userSubject);
- codeReg.setAudience(state.getAudience());
- codeReg.setNonce(state.getNonce());
- codeReg.setClientCodeChallenge(state.getClientCodeChallenge());
+ AuthorizationCodeRegistration codeReg = createCodeRegistration(state,
+ client,
+ requestedScope,
+ approvedScope,
+ userSubject,
+ preauthorizedToken);
 ServerAuthorizationCodeGrant grant = null;
 try {
@@ -128,6 +124,25 @@ public class AuthorizationCodeGrantService extends RedirectionBasedGrantService
 return Response.seeOther(ub.build()).build();
 }
 }
+
+ protected AuthorizationCodeRegistration createCodeRegistration(OAuthRedirectionState state,
+ Client client,
+ List requestedScope,
+ List approvedScope,
+ UserSubject userSubject,
+ ServerAccessToken preauthorizedToken) {
+ AuthorizationCodeRegistration codeReg = new AuthorizationCodeRegistration();
+ codeReg.setPreauthorizedTokenAvailable(preauthorizedToken != null);
+ codeReg.setClient(client);
+ codeReg.setRedirectUri(state.getRedirectUri());
+ codeReg.setRequestedScope(requestedScope);
+ codeReg.setApprovedScope(getApprovedScope(requestedScope, approvedScope));
+ codeReg.setSubject(userSubject);
+ codeReg.setAudience(state.getAudience());
+ codeReg.setNonce(state.getNonce());
+ codeReg.setClientCodeChallenge(state.getClientCodeChallenge());
+ return codeReg;
+ }
 protected String processCodeGrant(Client client, String code, UserSubject endUser) {
 if (codeResponseFilter != null) {
 return codeResponseFilter.process(client, code, endUser);
http://git-wip-us.apache.org/repos/asf/cxf/blob/7d189051/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
index 22f248f..f7c3218 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
@@ -240,7 +240,6 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
 boolean authorizationCanBeSkipped) {
 OAuthAuthorizationData secData = new OAuthAuthorizationData();
- secData.setRequestParameters(params);
 secData.setState(params.getFirst(OAuthConstants.STATE));
 secData.setRedirectUri(redirectUri);
@@ -277,26 +276,28 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
 return secData;
 }
 protected OAuthRedirectionState recreateRedirectionStateFromSession(
- UserSubject subject, MultivaluedMap params, String sessionToken) {
- OAuthRedirectionState state = null;
+ UserSubject subject, String sessionToken) {
 if (sessionAuthenticityTokenProvider != null) {
- state = sessionAuthenticityTokenProvider.getSessionState(super.getMessageContext(),
+ return sessionAuthenticityTokenProvider.getSessionState(super.getMessageContext(),
 sessionToken, subject);
+ } else {
+ return null;
 }
- if (state == null) {
- state = new OAuthRedirectionState();
- state.setClientId(params.getFirst(OAuthConstants.CLIENT_ID));
- state.setRedirectUri(params.getFirst(OAuthConstants.REDIRECT_URI));
- state.setAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE));
- state.setProposedScope(params.getFirst(OAuthConstants.SCOPE));
- state.setState(params.getFirst(OAuthConstants.STATE));
- state.setNonce(params.getFirst(OAuthConstants.NONCE));
- state.setResponseType(params.getFirst(OAuthConstants.RESPONSE_TYPE));
- }
- return state;
 }
+
+ protected OAuthRedirectionState recreateRedirectionStateFromParams(MultivaluedMap params) {
+ OAuthRedirectionState state = new OAuthRedirectionState();
+ state.setClientId(params.getFirst(OAuthConstants.CLIENT_ID));
+ state.setRedirectUri(params.getFirst(OAuthConstants.REDIRECT_URI));
+ state.setAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE));
+ state.setProposedScope(params.getFirst(OAuthConstants.SCOPE));
+ state.setState(params.getFirst(OAuthConstants.STATE));
+ state.setNonce(params.getFirst(OAuthConstants.NONCE));
+ state.setResponseType(params.getFirst(OAuthConstants.RESPONSE_TYPE));
+ return state;
+ }
 protected void personalizeData(OAuthAuthorizationData data, UserSubject userSubject) {
 if (resourceOwnerNameProvider != null) {
 data.setEndUserName(resourceOwnerNameProvider.getName(userSubject));
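Review bot: `recreateRedirectionStateFromSession` changes its protected signature (the `params` argument is dropped), so any subclass outside this commit that overrides the old three-argument form stops overriding silently; nothing in this class marks overrides with `@Override`, so the compiler will not report it, and the change deserves a mention in the commit description. The split into a session lookup and `recreateRedirectionStateFromParams` is clearer, but both methods lack Javadoc: the session variant should state that it returns null both when no provider is configured and when the provider finds no state, and the params variant that it rebuilds the state purely from the incoming, unverified request parameters — the caller in the next hunk falls back to it whenever the session lookup yields null, so an unrecognised session token does not fail the request, which is the pre-existing behaviour and worth a comment at that `if (state == null)`. Stylistically the `} else { return null; }` after a `return` inside the `if` can be a single `return null;` at method level.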
@@ -331,8 +332,10 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService throw ExceptionUtils.toBadRequestException(null, null); } - OAuthRedirectionState state = - recreateRedirectionStateFromSession(userSubject, params, sessionToken); + OAuthRedirectionState state = recreateRedirectionStateFromSession(userSubject, sessionToken); + if (state == null) { + state = recreateRedirectionStateFromParams(params); + } Client client = getClient(state.getClientId()); String redirectUri = validateRedirectUri(client, state.getRedirectUri()); http://git-wip-us.apache.org/repos/asf/cxf/blob/7d189051/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java index c23f421..9f5a929 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java @@ -256,7 +256,9 @@ public final class ModelEncryptionSupport { newToken.setClientCodeVerifier(parts[10]); //UserSubject: newToken.setSubject(recreateUserSubject(parts[11])); - + + newToken.setExtraProperties(parseSimpleMap(parts[12])); + return newToken; } @@ -322,7 +324,10 @@ public final class ModelEncryptionSupport { state.append(SEP); // 11: user subject tokenizeUserSubject(state, token.getSubject()); - + // 13: extra properties + state.append(SEP); + // {key=value, key=value} + state.append(token.getExtraProperties().toString()); return state.toString(); } 
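Review bot: The params-based rebuild, and with it the `claims` extra property the OIDC subclasses attach in their `recreateRedirectionStateFromParams` override, only runs when the session provider returns null, so for a session-backed deployment the OIDC claims request is silently dropped unless the provider's stored state already carries extra properties (JoseSessionTokenProvider is in the diffstat but not visible here — please confirm it round-trips extraProperties). The fallback also deserves a comment spelling out the trust model, `// No stored session state: rebuild from the client-supplied request params; client id and redirect URI are validated below`, since `getClient(state.getClientId())` and `validateRedirectUri(...)` on the following lines are what make that acceptable. The enclosing method starts before this hunk, so the check that produced `sessionToken` is not visible.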
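Review bot: `parseSimpleMap(parts[12])` unconditionally reads a thirteenth field, so any access token encrypted with the previous 12-field layout will fail with an ArrayIndexOutOfBoundsException the next time it is decrypted after an upgrade; either guard it, `newToken.setExtraProperties(parts.length > 12 ? parseSimpleMap(parts[12]) : new HashMap<String, String>());`, or document that encrypted tokens issued before this change become unreadable. The start of the method, including the split that produces `parts`, is outside the hunk, so if that split is already fixed-count the guard is still needed for old tokens rather than being redundant.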
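Review bot: Appending `token.getExtraProperties().toString()` is not a round-trippable encoding: `Map.toString()` does no escaping, so a key or value containing `,`, `=` or the `SEP` character is split into the wrong entries by `parseSimpleMap`, and the first property routed through this channel by the commit — the OIDC `claims` request parameter, a JSON object that necessarily contains commas and braces — is exactly such a value, chosen by the client. Encode each key and value before appending (the OIDC utils already import `Base64UrlUtility`, which would be a natural choice) or reject values containing the separators where `claims` is accepted. The comment `// 13: extra properties` also disagrees with the parser, which reads `parts[12]`; the neighbouring comments count from zero (`// 11: user subject` pairs with `parts[11]`), so it should read `// 12: extra properties`. If a provider can hand back a `ServerAccessToken` whose extra-properties map is null (ServerAccessToken's change is not visible here), this line NPEs as well.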
@@ -402,6 +407,7 @@ public final class ModelEncryptionSupport { grant.setClientCodeChallenge(getStringPart(parts[6])); grant.setApprovedScopes(parseSimpleList(parts[7])); grant.setSubject(recreateUserSubject(parts[8])); + grant.setExtraProperties(parseSimpleMap(parts[9])); return grant; } private static String tokenizeCodeGrant(ServerAuthorizationCodeGrant grant) { @@ -432,7 +438,10 @@ public final class ModelEncryptionSupport { state.append(SEP); // 8: subject tokenizeUserSubject(state, grant.getSubject()); - + // 9: extra properties + state.append(SEP); + // {key=value, key=value} + state.append(grant.getExtraProperties().toString()); return state.toString(); } @@ -453,7 +462,7 @@ public final class ModelEncryptionSupport { } } - private static Map parseSimpleMap(String mapStr) { + public static Map parseSimpleMap(String mapStr) { Map props = new HashMap(); List entries = parseSimpleList(mapStr); for (String entry : entries) { http://git-wip-us.apache.org/repos/asf/cxf/blob/7d189051/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java index 67a7118..59ef008 100644 --- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java +++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java 
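Review bot: `grant.setExtraProperties(parseSimpleMap(parts[9]))` has the same upgrade hazard as the token side: an authorization code encrypted under the previous 9-field layout and redeemed after a rolling upgrade throws ArrayIndexOutOfBoundsException instead of being accepted or cleanly rejected. A length guard, `grant.setExtraProperties(parts.length > 9 ? parseSimpleMap(parts[9]) : new HashMap<String, String>());`, keeps codes issued seconds before the deploy redeemable. The method's opening and the split producing `parts` are outside the hunk.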
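Review bot: `grant.getExtraProperties().toString()` is the first place the client-supplied `claims` JSON is persisted, and `Map.toString()` leaves its commas, braces and any `SEP` occurrences unescaped, so the value that comes back from `parseSimpleMap(parts[9])` will not equal what `OidcUtils.setStateClaimsProperty` stored; encode keys and values (Base64Url or a fixed escape of `,`/`=`/`SEP`) before appending. I would also note in the comment that the map is written in the same `{key=value, key=value}` shape `parseSimpleMap` expects, so the two stay in sync when the format changes. Whether `getExtraProperties()` can be null for a grant constructed by a third-party data provider depends on the ServerAuthorizationCodeGrant change, which is not visible here.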
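Review bot: `parseSimpleMap` is now public API, so its accepted format needs a Javadoc rather than being implied by the tokenizers: it takes the `{key=value, key=value}` form produced by `Map.toString()` and, from the visible `parseSimpleList(mapStr)` call, splits entries on the list separator, which means keys and values themselves must not contain the entry or key/value separators. Suggested header: `/** Parses a map serialized in Map.toString() form ("{k=v, k=v}"); keys and values must not contain ',' or '='. Returns an empty map for an empty input. */` — the last claim should be confirmed against the loop body, which continues outside the hunk.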
@@ -20,10 +20,16 @@ package org.apache.cxf.rs.security.oidc.idp; import java.util.List; +import javax.ws.rs.core.MultivaluedMap; + import org.apache.cxf.rs.security.oauth2.common.Client; import org.apache.cxf.rs.security.oauth2.common.OAuthPermission; +import org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState; +import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken; import org.apache.cxf.rs.security.oauth2.common.UserSubject; +import org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeRegistration; import org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService; +import org.apache.cxf.rs.security.oidc.utils.OidcUtils; public class OidcAuthorizationCodeService extends AuthorizationCodeGrantService { private static final String OPEN_ID_CONNECT_SCOPE = "openid"; 
@@ -42,5 +48,27 @@ public class OidcAuthorizationCodeService extends AuthorizationCodeGrantService public void setSkipAuthorizationWithOidcScope(boolean skipAuthorizationWithOidcScope) { this.skipAuthorizationWithOidcScope = skipAuthorizationWithOidcScope; } - + protected AuthorizationCodeRegistration createCodeRegistration(OAuthRedirectionState state, + Client client, + List requestedScope, + List approvedScope, + UserSubject userSubject, + ServerAccessToken preauthorizedToken) { + AuthorizationCodeRegistration codeReg = super.createCodeRegistration(state, + client, + requestedScope, + approvedScope, + userSubject, + preauthorizedToken); + + codeReg.getExtraProperties().putAll(state.getExtraProperties()); + return codeReg; + } + @Override + protected OAuthRedirectionState recreateRedirectionStateFromParams( + MultivaluedMap params) { + OAuthRedirectionState state = super.recreateRedirectionStateFromParams(params); + OidcUtils.setStateClaimsProperty(state, params); + return state; + } } http://git-wip-us.apache.org/repos/asf/cxf/blob/7d189051/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java index 359d172..94dd845 100644 --- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java +++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java 
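Review bot: `createCodeRegistration` is an override of the superclass method but is missing `@Override`, while the sibling `recreateRedirectionStateFromParams` in the same hunk carries it; add the annotation so a signature drift in `AuthorizationCodeGrantService` fails to compile instead of silently leaving the base implementation in place. `codeReg.getExtraProperties().putAll(state.getExtraProperties())` copies every extra property from the state into the code registration, which today is only the `claims` value set by `OidcUtils.setStateClaimsProperty`, but the base state is documented by the commit as open-ended, so a one-line comment stating that all state extras are intentionally forwarded to the code (and later the token) would help the next person who adds one. The state passed in may also have been recreated by the session provider rather than from params, in which case it carries no `claims` unless that provider preserves extras — worth a note here too.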
@@ -27,6 +27,7 @@ import javax.ws.rs.core.Response; import org.apache.cxf.rs.security.jose.jwt.JoseJwtProducer; import org.apache.cxf.rs.security.jose.jwt.JwtToken; +import org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration; import org.apache.cxf.rs.security.oauth2.common.Client; import org.apache.cxf.rs.security.oauth2.common.OAuthError; import org.apache.cxf.rs.security.oauth2.common.OAuthPermission; @@ -127,6 +128,26 @@ public class OidcImplicitService extends ImplicitGrantService { } } + @Override + protected OAuthRedirectionState recreateRedirectionStateFromParams( + MultivaluedMap params) { + OAuthRedirectionState state = super.recreateRedirectionStateFromParams(params); + OidcUtils.setStateClaimsProperty(state, params); + return state; + } + + @Override + protected AccessTokenRegistration createTokenRegistration(OAuthRedirectionState state, + Client client, + List requestedScope, + List approvedScope, + UserSubject userSubject) { + AccessTokenRegistration reg = + super.createTokenRegistration(state, client, requestedScope, approvedScope, userSubject); + reg.getExtraProperties().putAll(state.getExtraProperties()); + return reg; + } + protected String processIdToken(IdToken idToken) { JoseJwtProducer processor = idTokenHandler == null ? new JoseJwtProducer() : idTokenHandler; return processor.processJwt(new JwtToken(idToken)); http://git-wip-us.apache.org/repos/asf/cxf/blob/7d189051/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java index d6363e7..823e757 100644 --- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java 
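Review bot: The `recreateRedirectionStateFromParams` override here is byte-for-byte the same as the one in `OidcAuthorizationCodeService`, and the `putAll` of state extras into the registration is the same idea applied to `AccessTokenRegistration`; since both services only delegate to `OidcUtils.setStateClaimsProperty`, a comment on each pointing at that utility as the single place where OIDC request properties are captured would stop the two drifting apart. `createTokenRegistration` also deserves a Javadoc saying the implicit flow forwards all state extra properties (currently the raw `claims` request parameter) into the issued token's extra properties, so readers of the token store know where that data originates. As with the code service, whether a session-provider-recreated state carries `claims` at all depends on the provider persisting extras, which this hunk cannot guarantee.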
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java @@ -24,12 +24,15 @@ import java.util.HashMap; import java.util.List; import java.util.Map; +import javax.ws.rs.core.MultivaluedMap; + import org.apache.cxf.common.util.Base64UrlUtility; import org.apache.cxf.common.util.StringUtils; import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm; import org.apache.cxf.rs.security.jose.jws.JwsException; import org.apache.cxf.rs.security.jose.jwt.JwtToken; import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken; +import org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState; import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException; import org.apache.cxf.rs.security.oidc.common.IdToken; import org.apache.cxf.rs.security.oidc.common.UserInfo; @@ -48,6 +51,8 @@ public final class OidcUtils { UserInfo.EMAIL_VERIFIED_CLAIM); public static final List ADDRESS_CLAIMS = Arrays.asList(UserInfo.ADDRESS_CLAIM); public static final List PHONE_CLAIMS = Arrays.asList(UserInfo.PHONE_CLAIM); + public static final String CLAIMS_PARAM = "claims"; + private static final Map> SCOPES_MAP; static { SCOPES_MAP = new HashMap>(); @@ -140,5 +145,11 @@ public final class OidcUtils { throw new OAuthServiceException(ex); } } - + public static void setStateClaimsProperty(OAuthRedirectionState state, + MultivaluedMap params) { + String claims = params.getFirst(OidcUtils.CLAIMS_PARAM); + if (claims != null) { + state.getExtraProperties().put(OidcUtils.CLAIMS_PARAM, claims); + } + } }
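Review bot: `setStateClaimsProperty` stores the raw `claims` request parameter verbatim, with no check that it is a JSON object or any bound on its size, and from this point the value is copied into code and token registrations and then persisted through `ModelEncryptionSupport`, whose `Map.toString()`/`parseSimpleMap` encoding (visible above) does not escape the commas and braces a claims document always contains. Validate it here before it spreads — at minimum reject values that are not a single JSON object and cap the length, `if (claims != null && claims.length() <= MAX_CLAIMS_LENGTH && claims.trim().startsWith("{"))` as a first line of defence — or state in a Javadoc that consumers must treat the property as untrusted input. If `OAuthRedirectionState` can be constructed with a null extra-properties map (its change is not visible here) the `put` also NPEs, so either rely on a guaranteed non-null map and document that, or null-check.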