
From serg...@apache.org
Subject cxf git commit: Updating IdTokenResponseFilter with an initial code to delegate signing/encrypting to the external web service if needed
Date Mon, 14 Mar 2016 11:22:59 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.1.x-fixes 9d562b08c -> 09355c667


Updating IdTokenResponseFilter with an initial code to delegate signing/encrypting to the
external web service if needed


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/09355c66
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/09355c66
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/09355c66

Branch: refs/heads/3.1.x-fixes
Commit: 09355c667243314e64e2c54f8e21abb22f463d37
Parents: 9d562b0
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Mon Mar 14 11:20:41 2016 +0000
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Mon Mar 14 11:22:40 2016 +0000

----------------------------------------------------------------------
 .../oidc/idp/IdTokenResponseFilter.java         | 34 ++++++++++++++++++--
 .../rs/security/oidc/idp/OidcKeysService.java   | 10 +++---
 2 files changed, 36 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/09355c66/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
index aa9e887..c05a9ce 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
@@ -18,13 +18,18 @@
  */
 package org.apache.cxf.rs.security.oidc.idp;
 
+import java.util.LinkedList;
+import java.util.List;
 import java.util.Properties;
 
+import org.apache.cxf.jaxrs.client.WebClient;
 import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
+import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
 import org.apache.cxf.rs.security.jose.jws.JwsUtils;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
+import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
 import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
 import org.apache.cxf.rs.security.oauth2.provider.AccessTokenResponseFilter;
@@ -36,6 +41,7 @@ import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
 
 public class IdTokenResponseFilter extends OAuthServerJoseJwtProducer implements AccessTokenResponseFilter
{
     private IdTokenProvider idTokenProvider;
+    private WebClient keyServiceClient;
     @Override
     public void process(ClientAccessToken ct, ServerAccessToken st) {
         if (st.getResponseType() != null
@@ -58,7 +64,7 @@ public class IdTokenResponseFilter extends OAuthServerJoseJwtProducer implements
                 idTokenProvider.getIdToken(st.getClient().getClientId(), st.getSubject(),

                                            OAuthUtils.convertPermissionsToScopeList(st.getScopes()));
             setAtHashAndNonce(idToken, st);
-            return super.processJwt(new JwtToken(idToken), st.getClient());
+            return processJwt(new JwtToken(idToken), st.getClient());
         } else if (st.getSubject().getProperties().containsKey(OidcUtils.ID_TOKEN)) {
             return st.getSubject().getProperties().get(OidcUtils.ID_TOKEN);
         } else if (st.getSubject() instanceof OidcUserSubject) {
@@ -69,7 +75,7 @@ public class IdTokenResponseFilter extends OAuthServerJoseJwtProducer implements
             // if this token was refreshed then the cloned IDToken might need to have its
             // issuedAt and expiry time properties adjusted if it proves to be necessary
             setAtHashAndNonce(idToken, st);
-            return super.processJwt(new JwtToken(idToken), st.getClient());
+            return processJwt(new JwtToken(idToken), st.getClient());
         } else {
             return null;
         }
@@ -113,5 +119,27 @@ public class IdTokenResponseFilter extends OAuthServerJoseJwtProducer
implements
     public void setIdTokenProvider(IdTokenProvider idTokenProvider) {
         this.idTokenProvider = idTokenProvider;
     }
-    
+    @Override
+    public String processJwt(JwtToken jwt, Client client) {
+        if (keyServiceClient != null) {
+            List<String> opers = new LinkedList<String>();
+            if (super.isJwsRequired()) {
+                opers.add(JsonWebKey.KEY_OPER_SIGN);
+            }
+            if (super.isJweRequired()) {
+                opers.add(JsonWebKey.KEY_OPER_ENCRYPT);
+            }
+            // the form request can be supported too
+            keyServiceClient.resetQuery();
+            keyServiceClient.query(JsonWebKey.KEY_OPERATIONS, opers);
+            //TODO: OIDC core talks about various security algorithm preferences
+            // that may be set during the client registrations, they can be passed along
too
+            return keyServiceClient.post(jwt, String.class);
+        } else {
+            return super.processJwt(jwt, client);
+        }
+    }
+    public void setKeyServiceClient(WebClient keyServiceClient) {
+        this.keyServiceClient = keyServiceClient;
+    }
 }
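Review bot: `keyServiceClient` is a single `WebClient` held in a filter instance that is shared across requests, yet the new `processJwt` mutates it per call with `resetQuery()` and `query(JsonWebKey.KEY_OPERATIONS, opers)` before `post`, so two concurrent token responses can interleave and one ID token may be posted with the other's `key_ops` (or with none). When neither `isJwsRequired()` nor `isJweRequired()` holds, `opers` is empty and the unsigned token is still sent to the external service instead of falling back to `super.processJwt(jwt, client)`. I would derive a per-request client with `WebClient.fromClient(keyServiceClient)` and add the empty-operations fallback, as below; this assumes the shared instance's current URI is only ever the configured base address. The remote answer is returned verbatim as the ID token, so the transport security of that client and the service's status handling are the only checks on what is issued — worth stating in a Javadoc on `setKeyServiceClient`.
```java
    @Override
    public String processJwt(JwtToken jwt, Client client) {
        if (keyServiceClient == null) {
            return super.processJwt(jwt, client);
        }
        List<String> opers = new LinkedList<String>();
        if (isJwsRequired()) {
            opers.add(JsonWebKey.KEY_OPER_SIGN);
        }
        if (isJweRequired()) {
            opers.add(JsonWebKey.KEY_OPER_ENCRYPT);
        }
        if (opers.isEmpty()) {
            // nothing to delegate: produce the token locally as before
            return super.processJwt(jwt, client);
        }
        // per-request copy so concurrent requests never share mutable query state
        WebClient requestClient = WebClient.fromClient(keyServiceClient);
        requestClient.query(JsonWebKey.KEY_OPERATIONS, opers);
        return requestClient.post(jwt, String.class);
    }
    // … unchanged: setKeyServiceClient …
```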

http://git-wip-us.apache.org/repos/asf/cxf/blob/09355c66/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcKeysService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcKeysService.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcKeysService.java
index d312f9d..6455ee9 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcKeysService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcKeysService.java
@@ -33,16 +33,16 @@ import org.apache.cxf.rs.security.jose.jws.JwsUtils;
 public class OidcKeysService {
 
     private volatile JsonWebKeys keySet;
-    private WebClient keySetClient;
+    private WebClient keyServiceClient;
     
     @GET
     @Produces("application/json")
     public JsonWebKeys getPublicVerificationKeys() {
         if (keySet == null) {
-            if (keySetClient == null) {
+            if (keyServiceClient == null) {
                 keySet = getFromLocalStore();
             } else {
-                keySet = keySetClient.get(JsonWebKeys.class);
+                keySet = keyServiceClient.get(JsonWebKeys.class);
             }
             
         }
@@ -54,8 +54,8 @@ public class OidcKeysService {
         return JwsUtils.loadPublicVerificationKeys(JAXRSUtils.getCurrentMessage(), props);
     }
 
-    public void setKeySetClient(WebClient keySetClient) {
-        this.keySetClient = keySetClient;
+    public void setKeyServiceClient(WebClient keyServiceClient) {
+        this.keyServiceClient = keyServiceClient;
     }
     
 }

