From serg...@apache.org
Subject cxf git commit: Prototying OidcHybridService
Date Thu, 03 Mar 2016 18:01:13 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 3770d8125 -> 998ff6e50


Prototyping OidcHybridService


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/998ff6e5
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/998ff6e5
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/998ff6e5

Branch: refs/heads/master
Commit: 998ff6e505b05154873aaa048ff62b46378b50b0
Parents: 3770d81
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Thu Mar 3 18:00:54 2016 +0000
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Thu Mar 3 18:00:54 2016 +0000

----------------------------------------------------------------------
 .../services/AbstractImplicitGrantService.java  | 19 +++--
 .../services/AuthorizationCodeGrantService.java | 55 ++++++++++---
 .../oauth2/services/ImplicitGrantService.java   |  4 +-
 .../oidc/idp/OidcAuthorizationCodeService.java  |  3 +-
 .../rs/security/oidc/idp/OidcHybridService.java | 87 ++++++++++++++++++++
 .../security/oidc/idp/OidcImplicitService.java  | 19 +++--
 6 files changed, 156 insertions(+), 31 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/998ff6e5/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
index 962ba4a..db5bc73 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
@@ -56,8 +56,18 @@ public abstract class AbstractImplicitGrantService extends RedirectionBasedGrant
         super(supportedResponseTypes, supportedGrantType);
     }
     
-    
     protected Response createGrant(OAuthRedirectionState state,
+                                          Client client,
+                                          List<String> requestedScope,
+                                          List<String> approvedScope,
+                                          UserSubject userSubject,
+                                          ServerAccessToken preAuthorizedToken) {
+        StringBuilder sb =
+            prepareGrant(state, client, requestedScope, approvedScope, userSubject, preAuthorizedToken);
+        return Response.seeOther(URI.create(sb.toString())).build();
+        
+    }
+    public StringBuilder prepareGrant(OAuthRedirectionState state,
                                    Client client,
                                    List<String> requestedScope,
                                    List<String> approvedScope,
@@ -105,7 +115,8 @@ public abstract class AbstractImplicitGrantService extends RedirectionBasedGrant
             processRefreshToken(sb, token.getRefreshToken());
         }
         
-        return finalizeResponse(sb, state);
+        finalizeResponse(sb, state);
+        return sb;
     }
     
     protected AccessTokenRegistration createTokenRegistration(OAuthRedirectionState state,

@@ -124,7 +135,7 @@ public abstract class AbstractImplicitGrantService extends RedirectionBasedGrant
         reg.setNonce(state.getNonce());
         return reg;
     }
-    protected Response finalizeResponse(StringBuilder sb, OAuthRedirectionState state) {
+    protected void finalizeResponse(StringBuilder sb, OAuthRedirectionState state) {
         if (state.getState() != null) {
             sb.append("&");
             sb.append(OAuthConstants.STATE).append("=").append(state.getState());   
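Review bot: Changing `finalizeResponse` from returning `Response` to `void` alters a `protected` hook of an abstract class, so any subclass outside this repository that overrides it or uses its return value (as `OidcImplicitService` did before this commit) will stop compiling against the new version. If that is acceptable it deserves a mention in the commit message and a Javadoc line on the method, e.g. `/** Appends the state and, when enabled, the client_id to the redirect URI under construction; the Response is built by the caller. */`. The method's body continues in the next hunk.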
@@ -132,8 +143,6 @@ public abstract class AbstractImplicitGrantService extends RedirectionBasedGrant
         if (reportClientId) {
             sb.append("&").append(OAuthConstants.CLIENT_ID).append("=").append(state.getClientId());
         }
-        
-        return Response.seeOther(URI.create(sb.toString())).build();
     }
     
     protected void processRefreshToken(StringBuilder sb, String refreshToken) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/998ff6e5/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
index 4b78c4e..9efee12 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
@@ -44,7 +44,7 @@ import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 
 
 /**
- * This resource handles the End User authorising
+ * This resource handles the End User authorizing
  * or denying the Client to access its resources.
  * If End User approves the access this resource will
  * redirect End User back to the Client, supplying 
@@ -92,22 +92,17 @@ public class AuthorizationCodeGrantService extends RedirectionBasedGrantService
                                    ServerAccessToken preauthorizedToken) {
         // in this flow the code is still created, the preauthorized token
         // will be retrieved by the authorization code grant handler
-        AuthorizationCodeRegistration codeReg = createCodeRegistration(state,
-                                                                       client,
-                                                                       requestedScope,
-                                                                       approvedScope,
-                                                                       userSubject,
-                                                                       preauthorizedToken);
-        
         ServerAuthorizationCodeGrant grant = null;
         try {
-            grant = ((AuthorizationCodeDataProvider)getDataProvider()).createCodeGrant(codeReg);
+            grant = getGrantRepresentation(state,
+                                           client,
+                                           requestedScope,
+                                           approvedScope,
+                                           userSubject,
+                                           preauthorizedToken);
         } catch (OAuthServiceException ex) {
             return createErrorResponse(state.getState(), state.getRedirectUri(), OAuthConstants.ACCESS_DENIED);
         }
-        if (grant.getExpiresIn() > RECOMMENDED_CODE_EXPIRY_TIME_SECS) {
-            LOG.warning("Code expiry time exceeds 10 minutes");
-        }
         String grantCode = processCodeGrant(client, grant.getCode(), grant.getSubject());
         if (state.getRedirectUri() == null) {
             OOBAuthorizationResponse oobResponse = new OOBAuthorizationResponse();
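Review bot: The `try` block now also covers `createCodeRegistration`, which previously ran outside it (the removed lines above), so an `OAuthServiceException` thrown while building the registration is now turned into an `access_denied` redirect instead of propagating. That may well be intended, but it changes what subclasses overriding `createCodeRegistration` can signal and is worth a one-line comment such as `// registration and grant creation failures are both reported as access_denied`. The enclosing `createGrant` starts before this hunk.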
@@ -125,6 +120,42 @@ public class AuthorizationCodeGrantService extends RedirectionBasedGrantService
         }
     }
     
+    protected ServerAuthorizationCodeGrant getGrantRepresentation(OAuthRedirectionState state,
+                           Client client,
+                           List<String> requestedScope,
+                           List<String> approvedScope,
+                           UserSubject userSubject,
+                           ServerAccessToken preauthorizedToken) {
+        AuthorizationCodeRegistration codeReg = createCodeRegistration(state,
+                                                                       client,
+                                                                       requestedScope,
+                                                                       approvedScope,
+                                                                       userSubject,
+                                                                       preauthorizedToken);
+        
+        ServerAuthorizationCodeGrant grant = 
+            ((AuthorizationCodeDataProvider)getDataProvider()).createCodeGrant(codeReg);
+        if (grant.getExpiresIn() > RECOMMENDED_CODE_EXPIRY_TIME_SECS) {
+            LOG.warning("Code expiry time exceeds 10 minutes");
+        }
+        return grant;
+    }
+    
+    public String getGrantCode(OAuthRedirectionState state,
+                               Client client,
+                               List<String> requestedScope,
+                               List<String> approvedScope,
+                               UserSubject userSubject,
+                               ServerAccessToken preauthorizedToken) {
+        ServerAuthorizationCodeGrant grant =  getGrantRepresentation(state,
+                                      client,
+                                      requestedScope,
+                                      approvedScope,
+                                      userSubject,
+                                      preauthorizedToken);
+        return processCodeGrant(client, grant.getCode(), grant.getSubject());
+    }
+    
     protected AuthorizationCodeRegistration createCodeRegistration(OAuthRedirectionState
state, 
                                                                    Client client, 
                                                                    List<String> requestedScope,
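Review bot: `getGrantCode` is public and lets `OAuthServiceException` from `getGrantRepresentation` propagate, whereas `createGrant` above maps the same failure to an `access_denied` error response; `OidcHybridService.prepareGrant`, added in this commit, calls `getGrantCode` without catching it, so in the hybrid flow a data-provider failure surfaces as an unhandled exception rather than an OAuth error redirect. Either document the contract with `@throws OAuthServiceException if the code grant cannot be created` so callers know to handle it, or handle it at the hybrid call site. Both new methods lack Javadoc; `getGrantRepresentation` in particular should state that it creates the code grant through the data provider and logs a warning when its expiry exceeds `RECOMMENDED_CODE_EXPIRY_TIME_SECS`. The parameter continuation lines of `getGrantRepresentation` are indented differently from the rest of the file, and `grant =  getGrantRepresentation` has a double space. `createCodeRegistration`'s signature continues outside the hunk.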


http://git-wip-us.apache.org/repos/asf/cxf/blob/998ff6e5/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java
index 50aa491..e0fec11 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java
@@ -35,11 +35,9 @@ import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 /**
  * Redirection-based Implicit Grant Service
  * 
- * This resource handles the End User authorising
+ * This resource handles the End User authorizing
  * or denying the Client embedded in the Web agent.
  * 
- * We can consider having a single authorization service dealing with either
- * authorization code or implicit grant.
  */
 @Path("/authorize-implicit")
 public class ImplicitGrantService extends AbstractImplicitGrantService {

http://git-wip-us.apache.org/repos/asf/cxf/blob/998ff6e5/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
index 59ef008..9b6f4f8 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
@@ -32,7 +32,6 @@ import org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService;
 import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
 
 public class OidcAuthorizationCodeService extends AuthorizationCodeGrantService {
-    private static final String OPEN_ID_CONNECT_SCOPE = "openid";
     private boolean skipAuthorizationWithOidcScope;
     @Override
     protected boolean canAuthorizationBeSkipped(Client client,
@@ -43,7 +42,7 @@ public class OidcAuthorizationCodeService extends AuthorizationCodeGrantService
         // if all the client application redirecting a user needs is to get this user authenticated
         // with OIDC IDP
         return requestedScope.size() == 1 && permissions.size() == 1 && skipAuthorizationWithOidcScope
-            && OPEN_ID_CONNECT_SCOPE.equals(requestedScope.get(0));
+            && OidcUtils.OPENID_SCOPE.equals(requestedScope.get(0));
     }
     public void setSkipAuthorizationWithOidcScope(boolean skipAuthorizationWithOidcScope)
{
         this.skipAuthorizationWithOidcScope = skipAuthorizationWithOidcScope;

http://git-wip-us.apache.org/repos/asf/cxf/blob/998ff6e5/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcHybridService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcHybridService.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcHybridService.java
new file mode 100644
index 0000000..401d254
--- /dev/null
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcHybridService.java
@@ -0,0 +1,87 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oidc.idp;
+
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+
+import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState;
+import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
+import org.apache.cxf.rs.security.oauth2.common.UserSubject;
+import org.apache.cxf.rs.security.oauth2.services.AbstractImplicitGrantService;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
+
+
+public class OidcHybridService extends AbstractImplicitGrantService {
+    public static final String CODE_AT_RESPONSE_TYPE = "code token";
+    public static final String CODE_ID_TOKEN_RESPONSE_TYPE = "code id_token";
+    public static final String CODE_ID_TOKEN_AT_RESPONSE_TYPE = "code id_token token";
+    private static final Map<String, String> IMPLICIT_RESPONSE_TYPES;
+    static {
+        IMPLICIT_RESPONSE_TYPES = new HashMap<String, String>();
+        IMPLICIT_RESPONSE_TYPES.put(CODE_AT_RESPONSE_TYPE, OAuthConstants.TOKEN_RESPONSE_TYPE);
+        IMPLICIT_RESPONSE_TYPES.put(CODE_ID_TOKEN_RESPONSE_TYPE, OidcImplicitService.ID_TOKEN_RESPONSE_TYPE);
+        IMPLICIT_RESPONSE_TYPES.put(CODE_ID_TOKEN_AT_RESPONSE_TYPE, OidcImplicitService.ID_TOKEN_AT_RESPONSE_TYPE);
+    }
+    private OidcAuthorizationCodeService codeService;
+    private OidcImplicitService implicitService;
+    
+    public OidcHybridService() {
+        super(new HashSet<String>(Arrays.asList(CODE_AT_RESPONSE_TYPE,
+                                                CODE_ID_TOKEN_RESPONSE_TYPE,
+                                                CODE_ID_TOKEN_AT_RESPONSE_TYPE)), 
+                                  "Hybrid");
+    }
+    
+    
+    @Override
+    public StringBuilder prepareGrant(OAuthRedirectionState state,
+                                   Client client,
+                                   List<String> requestedScope,
+                                   List<String> approvedScope,
+                                   UserSubject userSubject,
+                                   ServerAccessToken preAuthorizedToken) {
+        String actualResponseType = state.getResponseType();
+        
+        state.setResponseType(OAuthConstants.CODE_RESPONSE_TYPE);
+        String code = codeService.getGrantCode(state, client, requestedScope,
+                                               approvedScope, userSubject, preAuthorizedToken);
+        state.setResponseType(IMPLICIT_RESPONSE_TYPES.get(actualResponseType)); 
+        StringBuilder sb = implicitService.prepareGrant(state, client, requestedScope, 
+                                                          approvedScope, userSubject, preAuthorizedToken);
+   
+        sb.append("&");
+        sb.append(OAuthConstants.AUTHORIZATION_CODE_VALUE).append("=").append(code);
+        return sb;
+    }
+
+
+    public void setCodeService(OidcAuthorizationCodeService codeService) {
+        this.codeService = codeService;
+    }
+
+
+    public void setImplicitService(OidcImplicitService implicitService) {
+        this.implicitService = implicitService;
+    }
+ }
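Review bot: The authorization code is appended to the redirect fragment only after `implicitService.prepareGrant` has already produced the ID token, so nothing here lets the ID token bind that code; OIDC Core requires a `c_hash` claim in the ID token for the `code id_token` and `code id_token token` response types (and `at_hash` when an access token is also returned), which means the code must reach the ID token producer before signing unless that is handled somewhere not visible in this commit. `codeService` and `implicitService` are setter-injected and dereferenced without a check, so a missing configuration surfaces as a NullPointerException inside `prepareGrant`; a `Objects.requireNonNull(codeService, "codeService")` guard at the top (with the matching `java.util.Objects` import) gives a clear error instead. `state.setResponseType(...)` is rewritten twice and never restored to `actualResponseType`, so a caller that reads the response type after this method sees the mapped implicit value rather than the hybrid one; restoring it in a `finally` block avoids that surprise. `IMPLICIT_RESPONSE_TYPES.get(actualResponseType)` yields null for an unknown response type — presumably the superclass validates against the supported set passed to the constructor, but that is not visible here. The closing brace of the class is indented by one space.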

http://git-wip-us.apache.org/repos/asf/cxf/blob/998ff6e5/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
index 94dd845..4d41da0 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
@@ -42,21 +42,20 @@ import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
 
 
 public class OidcImplicitService extends ImplicitGrantService {
-    private static final String OPEN_ID_CONNECT_SCOPE = "openid";
-    private static final String ID_TOKEN_RESPONSE_TYPE = "id_token";
-    private static final String ID_TOKEN_AND_AT_RESPONSE_TYPE = "id_token token";
+    public static final String ID_TOKEN_RESPONSE_TYPE = "id_token";
+    public static final String ID_TOKEN_AT_RESPONSE_TYPE = "id_token token";
     private boolean skipAuthorizationWithOidcScope;
     private JoseJwtProducer idTokenHandler;
     private IdTokenProvider idTokenProvider;
     
     public OidcImplicitService() {
         super(new HashSet<String>(Arrays.asList(ID_TOKEN_RESPONSE_TYPE,
-                                                ID_TOKEN_AND_AT_RESPONSE_TYPE)));
+                                                ID_TOKEN_AT_RESPONSE_TYPE)));
     }
     
     @Override
     protected boolean canAccessTokenBeReturned(String responseType) {
-        return ID_TOKEN_AND_AT_RESPONSE_TYPE.equals(responseType);
+        return ID_TOKEN_AT_RESPONSE_TYPE.equals(responseType);
     }
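Review bot: `ID_TOKEN_RESPONSE_TYPE` and `ID_TOKEN_AT_RESPONSE_TYPE` are made public so that `OidcHybridService` can reference them, while the `openid` scope constant is moved in the same commit to `OidcUtils.OPENID_SCOPE` (next hunk); keeping the response-type names on one concrete service class and the scope on the utility class splits related protocol constants across two places. Moving these two to `OidcUtils` next to `OPENID_SCOPE` would keep the lookup table in `OidcHybridService` from depending on a sibling service's constants. Since they are `public static final String` compile-time constants, callers get them inlined and a later rename becomes binary-incompatible, so a Javadoc line on each (e.g. `/** OIDC response_type requesting only an ID token. */`) is worth adding now.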
     
     @Override
@@ -79,13 +78,14 @@ public class OidcImplicitService extends ImplicitGrantService {
         // if all the client application redirecting a user needs is to get this user authenticated
         // with OIDC IDP
         return requestedScope.size() == 1 && permissions.size() == 1 && skipAuthorizationWithOidcScope
-            && OPEN_ID_CONNECT_SCOPE.equals(requestedScope.get(0));
+            && OidcUtils.OPENID_SCOPE.equals(requestedScope.get(0));
     }
     public void setSkipAuthorizationWithOidcScope(boolean skipAuthorizationWithOidcScope)
{
         this.skipAuthorizationWithOidcScope = skipAuthorizationWithOidcScope;
     }
     
-    protected Response createGrant(OAuthRedirectionState state,
+    @Override
+    public StringBuilder prepareGrant(OAuthRedirectionState state,
                                    Client client,
                                    List<String> requestedScope,
                                    List<String> approvedScope,
@@ -93,7 +93,7 @@ public class OidcImplicitService extends ImplicitGrantService {
                                    ServerAccessToken preAuthorizedToken) {
         
         if (canAccessTokenBeReturned(state.getResponseType())) {
-            return super.createGrant(state, client, requestedScope, approvedScope, userSubject,
preAuthorizedToken);
+            return super.prepareGrant(state, client, requestedScope, approvedScope, userSubject,
preAuthorizedToken);
         }
         // id_token response type processing
         
@@ -104,7 +104,8 @@ public class OidcImplicitService extends ImplicitGrantService {
         if (idToken != null) {
             sb.append(OidcUtils.ID_TOKEN).append("=").append(idToken);
         }
-        return finalizeResponse(sb, state);
+        finalizeResponse(sb, state);
+        return sb;
     }
     
     private String getProcessedIdToken(OAuthRedirectionState state, 

