From serg...@apache.org
Subject cxf git commit: More OidcHybridService work
Date Tue, 08 Mar 2016 15:36:32 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.1.x-fixes 7d51f38de -> ac05513f0


More OidcHybridService work


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/ac05513f
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/ac05513f
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/ac05513f

Branch: refs/heads/3.1.x-fixes
Commit: ac05513f03d20872279e0f5299f1b8acaf08c8c2
Parents: 7d51f38
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Tue Mar 8 15:35:05 2016 +0000
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Tue Mar 8 15:35:55 2016 +0000

----------------------------------------------------------------------
 .../oauth2/common/AccessTokenRegistration.java  | 17 ++++++++++
 .../oauth2/common/ServerAccessToken.java        | 18 ++++++++++-
 .../code/AuthorizationCodeGrantHandler.java     |  1 +
 .../provider/AbstractOAuthDataProvider.java     |  3 +-
 .../cxf/rs/security/oidc/common/IdToken.java    |  4 +--
 .../oidc/idp/IdTokenResponseFilter.java         | 22 ++++++++++---
 .../rs/security/oidc/idp/OidcHybridService.java | 34 ++++++--------------
 .../security/oidc/idp/OidcImplicitService.java  |  8 ++---
 .../cxf/rs/security/oidc/utils/OidcUtils.java   |  8 +++++
 9 files changed, 78 insertions(+), 37 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/ac05513f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenRegistration.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenRegistration.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenRegistration.java
index 1b862c0..910d382 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenRegistration.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenRegistration.java
@@ -36,6 +36,7 @@ public class AccessTokenRegistration {
     private String nonce;
     private String clientCodeVerifier;
     private String responseType;
+    private String grantCode;
     private Map<String, String> extraProperties = new LinkedHashMap<String, String>();
     
     /**
@@ -159,6 +160,22 @@ public class AccessTokenRegistration {
         return responseType;
     }
     
+    /**
+     * Set the grant code which was used to request the token
+     * @param grantCode the grant code
+     */
+    public void setGrantCode(String grantCode) {
+        this.grantCode = grantCode;
+    }
+
+    /**
+     * Get the grant code
+     * @return the grant code, null if no authorization code grant was used
+     */
+    public String getGrantCode() {
+        return grantCode;
+    }
+    
     public Map<String, String> getExtraProperties() {
         return extraProperties;
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/ac05513f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
index 9833787..1f13877 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
@@ -41,6 +41,7 @@ public abstract class ServerAccessToken extends AccessToken {
     private String clientCodeVerifier;
     private String nonce;
     private String responseType;
+    private String grantCode;
     private Map<String, String> extraProperties = new LinkedHashMap<String, String>();
     
     protected ServerAccessToken() {
@@ -78,7 +79,7 @@ public abstract class ServerAccessToken extends AccessToken {
         this.responseType = token.getResponseType();
         this.clientCodeVerifier = token.getClientCodeVerifier();
         this.nonce = token.getNonce();
-        
+        this.grantCode = token.getGrantCode();
     }
 
     /**
@@ -200,4 +201,19 @@ public abstract class ServerAccessToken extends AccessToken {
     public void setExtraProperties(Map<String, String> extraProperties) {
         this.extraProperties = extraProperties;
     }
+    /**
+     * Set the grant code which was used to request the token
+     * @param grantCode the grant code
+     */
+    public void setGrantCode(String grantCode) {
+        this.grantCode = grantCode;
+    }
+
+    /**
+     * Get the grant code
+     * @return the grant code, null if no authorization code grant was used
+     */
+    public String getGrantCode() {
+        return grantCode;
+    }
 }
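Review bot: The raw authorization code is now retained on the ServerAccessToken, which data providers persist, so the code outlives the single-use exchange that consumed it and becomes one more sensitive value in the token store. If the only consumer is the c_hash computation in IdTokenResponseFilter, that lifecycle should be stated on the accessor, e.g. `@return the grant code, null if no authorization code grant was used; retained so that the id_token c_hash can be computed`, and providers that do not issue ID tokens could be told they may drop it (the exact lifecycle is not visible in this diff, so confirm before documenting it). The same pair of accessors is duplicated verbatim on AccessTokenRegistration in the first hunk. A blank line before the new `/**` that follows setExtraProperties would match the spacing used elsewhere in the file.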

http://git-wip-us.apache.org/repos/asf/cxf/blob/ac05513f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
index 12e90fe..54d126a 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
@@ -126,6 +126,7 @@ public class AuthorizationCodeGrantHandler extends AbstractGrantHandler
{
         
         // Delegate to the data provider to create the one
         AccessTokenRegistration reg = new AccessTokenRegistration();
+        reg.setGrantCode(grant.getCode());
         reg.setClient(client);
         reg.setGrantType(requestedGrant);
         reg.setSubject(grant.getSubject());

http://git-wip-us.apache.org/repos/asf/cxf/blob/ac05513f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
index 50dbe54..cdacbb6 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
@@ -72,7 +72,8 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider,
Cl
         at.setSubject(atReg.getSubject());
         at.setClientCodeVerifier(atReg.getClientCodeVerifier());
         at.setNonce(atReg.getNonce());
-        at.setResponseType(atReg.getResponseType()); 
+        at.setResponseType(atReg.getResponseType());
+        at.setGrantCode(atReg.getGrantCode());
         at.getExtraProperties().putAll(atReg.getExtraProperties());
         return at;
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/ac05513f/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/IdToken.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/IdToken.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/IdToken.java
index fd9ddc9..a4d1b18 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/IdToken.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/IdToken.java
@@ -83,10 +83,10 @@ public class IdToken extends AbstractUserInfo {
     public String getAccessTokenHash() {
         return (String)getProperty(ACCESS_TOKEN_HASH_CLAIM);
     }
-    public void setAuthCodeHash(String at) {
+    public void setAuthorizationCodeHash(String at) {
         setProperty(AUTH_CODE_HASH_CLAIM, at);
     }
-    public String getAuthCodeHash() {
+    public String getAuthorizationCodeHash() {
         return (String)getProperty(AUTH_CODE_HASH_CLAIM);
     }
     

http://git-wip-us.apache.org/repos/asf/cxf/blob/ac05513f/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
index ac35fbc..aa9e887 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
@@ -39,7 +39,7 @@ public class IdTokenResponseFilter extends OAuthServerJoseJwtProducer implements
     @Override
     public void process(ClientAccessToken ct, ServerAccessToken st) {
         if (st.getResponseType() != null
-            && OAuthConstants.TOKEN_RESPONSE_TYPE.equals(st.getResponseType())) {
+            && OidcUtils.CODE_AT_RESPONSE_TYPE.equals(st.getResponseType())) {
             return;
         }
         // Only add an IdToken if the client has the "openid" scope
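Review bot: The early return on the changed line now fires only for `code token`; a plain `token` response type, which the old condition excluded, now falls through to the openid-scope check below, so a filter deployed on a service that still issues `token` responses would attach an ID token whenever the client holds the openid scope. If that is not intended, keep both checks: `&& (OAuthConstants.TOKEN_RESPONSE_TYPE.equals(st.getResponseType()) || OidcUtils.CODE_AT_RESPONSE_TYPE.equals(st.getResponseType()))`. process() continues past the hunk.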
@@ -75,7 +75,15 @@ public class IdTokenResponseFilter extends OAuthServerJoseJwtProducer implements
         }
     }
     private void setAtHashAndNonce(IdToken idToken, ServerAccessToken st) {
-        if (idToken.getAccessTokenHash() == null) {
+        String rType = st.getResponseType();
+        boolean atHashRequired = idToken.getAccessTokenHash() == null
+            && (rType == null || !rType.equals(OidcUtils.ID_TOKEN_RESPONSE_TYPE));
+        boolean cHashRequired = idToken.getAuthorizationCodeHash() == null && st.getGrantCode()
!= null 
+            && rType != null 
+            && (rType.equals(OidcUtils.CODE_ID_TOKEN_AT_RESPONSE_TYPE)
+                || rType.equals(OidcUtils.CODE_ID_TOKEN_RESPONSE_TYPE));
+        
+        if (atHashRequired || cHashRequired) {
             Properties props = JwsUtils.loadSignatureOutProperties(false);
             SignatureAlgorithm sigAlgo = null;
             if (super.isSignWithClientSecret()) {
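Review bot: setAtHashAndNonce now also produces c_hash, but neither its name nor any comment says so; a Javadoc along the lines of `/** Adds at_hash and, for the code id_token and code id_token token hybrid response types, c_hash to the ID token; both hashes are computed with the algorithm that will sign the token. */` would help, or rename it to setHashesAndNonce. The at_hash branch is taken for every response type other than `id_token`, including `code id_token`, for which canAccessTokenBeReturned in OidcHybridService returns false and no access token is sent from the authorization endpoint; at_hash is optional there so this is not wrong, but a one-line comment on `atHashRequired` saying the hash is computed whenever a token key exists would stop the next reader from treating it as a bug. The same method is continued in the next hunk, where the two hashes are set, and it runs on past both hunks.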
@@ -84,8 +92,14 @@ public class IdTokenResponseFilter extends OAuthServerJoseJwtProducer implements
                 sigAlgo = JwsUtils.getSignatureAlgorithm(props, SignatureAlgorithm.RS256);
             }
             if (sigAlgo != SignatureAlgorithm.NONE) {
-                String atHash = OidcUtils.calculateAccessTokenHash(st.getTokenKey(), sigAlgo);
-                idToken.setAccessTokenHash(atHash);
+                if (atHashRequired) {
+                    String atHash = OidcUtils.calculateAccessTokenHash(st.getTokenKey(),
sigAlgo);
+                    idToken.setAccessTokenHash(atHash);
+                }
+                if (cHashRequired) {
+                    String cHash = OidcUtils.calculateAuthorizationCodeHash(st.getGrantCode(),
sigAlgo);
+                    idToken.setAuthorizationCodeHash(cHash);
+                }
             }
         }
         Message m = JAXRSUtils.getCurrentMessage();

http://git-wip-us.apache.org/repos/asf/cxf/blob/ac05513f/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcHybridService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcHybridService.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcHybridService.java
index d73f2ea..22a4a69 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcHybridService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcHybridService.java
@@ -20,10 +20,8 @@ package org.apache.cxf.rs.security.oidc.idp;
 
 import java.util.ArrayList;
 import java.util.Arrays;
-import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
-import java.util.Map;
 import java.util.Set;
 
 import javax.ws.rs.Path;
@@ -33,21 +31,10 @@ import org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState;
 import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
 import org.apache.cxf.rs.security.oauth2.common.UserSubject;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
+import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
 
 @Path("authorize-hybrid")
 public class OidcHybridService extends OidcImplicitService {
-    public static final String CODE_AT_RESPONSE_TYPE = "code token";
-    public static final String CODE_ID_TOKEN_RESPONSE_TYPE = "code id_token";
-    public static final String CODE_ID_TOKEN_AT_RESPONSE_TYPE = "code id_token token";
-    private static final Map<String, String> IMPLICIT_RESPONSE_TYPES;
-    static {
-        IMPLICIT_RESPONSE_TYPES = new HashMap<String, String>();
-        IMPLICIT_RESPONSE_TYPES.put(CODE_AT_RESPONSE_TYPE, OAuthConstants.TOKEN_RESPONSE_TYPE);
-        IMPLICIT_RESPONSE_TYPES.put(CODE_ID_TOKEN_RESPONSE_TYPE, ID_TOKEN_RESPONSE_TYPE);
-        IMPLICIT_RESPONSE_TYPES.put(CODE_ID_TOKEN_AT_RESPONSE_TYPE, ID_TOKEN_AT_RESPONSE_TYPE);
-        IMPLICIT_RESPONSE_TYPES.put(ID_TOKEN_RESPONSE_TYPE, ID_TOKEN_RESPONSE_TYPE);
-        IMPLICIT_RESPONSE_TYPES.put(ID_TOKEN_AT_RESPONSE_TYPE, ID_TOKEN_AT_RESPONSE_TYPE);
-    }
     private OidcAuthorizationCodeService codeService;
     
     public OidcHybridService() {
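Review bot: The public constants CODE_AT_RESPONSE_TYPE, CODE_ID_TOKEN_RESPONSE_TYPE and CODE_ID_TOKEN_AT_RESPONSE_TYPE are removed from a public class on the 3.1.x-fixes branch, which breaks source and binary compatibility for any code that referenced them through OidcHybridService. Keeping deprecated aliases avoids that, e.g. `@Deprecated public static final String CODE_AT_RESPONSE_TYPE = OidcUtils.CODE_AT_RESPONSE_TYPE;` and likewise for the other two. The OidcImplicitService hunk removes ID_TOKEN_RESPONSE_TYPE and ID_TOKEN_AT_RESPONSE_TYPE in the same way and would benefit from the same treatment. The class body continues outside the hunk.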
@@ -60,18 +47,21 @@ public class OidcHybridService extends OidcImplicitService {
     private static Set<String> getResponseTypes(boolean hybridOnly) {
         List<String> types = new ArrayList<String>(); 
         types.addAll(
-            Arrays.asList(CODE_AT_RESPONSE_TYPE, CODE_ID_TOKEN_RESPONSE_TYPE, CODE_ID_TOKEN_AT_RESPONSE_TYPE));
+            Arrays.asList(OidcUtils.CODE_AT_RESPONSE_TYPE, 
+                          OidcUtils.CODE_ID_TOKEN_RESPONSE_TYPE, 
+                          OidcUtils.CODE_ID_TOKEN_AT_RESPONSE_TYPE));
         if (!hybridOnly) {
-            types.add(ID_TOKEN_RESPONSE_TYPE);
-            types.add(ID_TOKEN_AT_RESPONSE_TYPE);
+            types.add(OidcUtils.ID_TOKEN_RESPONSE_TYPE);
+            types.add(OidcUtils.ID_TOKEN_AT_RESPONSE_TYPE);
         }
         return new HashSet<String>(types);
     }
     
     @Override
     protected boolean canAccessTokenBeReturned(String responseType) {
-        return ID_TOKEN_AT_RESPONSE_TYPE.equals(responseType)
-            || OAuthConstants.TOKEN_RESPONSE_TYPE.equals(responseType);
+        return OidcUtils.ID_TOKEN_AT_RESPONSE_TYPE.equals(responseType)
+            || OidcUtils.CODE_ID_TOKEN_AT_RESPONSE_TYPE.equals(responseType)
+            || OidcUtils.CODE_AT_RESPONSE_TYPE.equals(responseType);
     }
     
     @Override
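Review bot: getResponseTypes fills an ArrayList only to copy it into a HashSet at the end; building the set directly reads more simply: `Set<String> types = new HashSet<String>(Arrays.asList(OidcUtils.CODE_AT_RESPONSE_TYPE, OidcUtils.CODE_ID_TOKEN_RESPONSE_TYPE, OidcUtils.CODE_ID_TOKEN_AT_RESPONSE_TYPE));` followed by the two conditional `types.add` calls and `return types;`. That also lets the ArrayList import go if nothing else in the file uses it, which is not visible here.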
@@ -81,14 +71,10 @@ public class OidcHybridService extends OidcImplicitService {
                                    List<String> approvedScope,
                                    UserSubject userSubject,
                                    ServerAccessToken preAuthorizedToken) {
-        String actualResponseType = state.getResponseType();
-        
-        state.setResponseType(IMPLICIT_RESPONSE_TYPES.get(actualResponseType)); 
         StringBuilder sb = super.prepareGrant(state, client, requestedScope, 
                                                           approvedScope, userSubject, preAuthorizedToken);
    
-        if (actualResponseType.startsWith(OAuthConstants.CODE_RESPONSE_TYPE)) {
-            state.setResponseType(OAuthConstants.CODE_RESPONSE_TYPE);
+        if (state.getResponseType().startsWith(OAuthConstants.CODE_RESPONSE_TYPE)) {
             String code = codeService.getGrantCode(state, client, requestedScope,
                                                    approvedScope, userSubject, preAuthorizedToken);
             

http://git-wip-us.apache.org/repos/asf/cxf/blob/ac05513f/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
index 87d721b..faaac6d 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
@@ -43,15 +43,13 @@ import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
 
 
 public class OidcImplicitService extends ImplicitGrantService {
-    public static final String ID_TOKEN_RESPONSE_TYPE = "id_token";
-    public static final String ID_TOKEN_AT_RESPONSE_TYPE = "id_token token";
     private boolean skipAuthorizationWithOidcScope;
     private JoseJwtProducer idTokenHandler;
     private IdTokenProvider idTokenProvider;
     
     public OidcImplicitService() {
-        super(new HashSet<String>(Arrays.asList(ID_TOKEN_RESPONSE_TYPE,
-                                                ID_TOKEN_AT_RESPONSE_TYPE)));
+        super(new HashSet<String>(Arrays.asList(OidcUtils.ID_TOKEN_RESPONSE_TYPE,
+                                                OidcUtils.ID_TOKEN_AT_RESPONSE_TYPE)));
     }
     protected OidcImplicitService(Set<String> supportedResponseTypes,
                                   String supportedGrantType) {
@@ -59,7 +57,7 @@ public class OidcImplicitService extends ImplicitGrantService {
     }
     @Override
     protected boolean canAccessTokenBeReturned(String responseType) {
-        return ID_TOKEN_AT_RESPONSE_TYPE.equals(responseType);
+        return OidcUtils.ID_TOKEN_AT_RESPONSE_TYPE.equals(responseType);
     }
     
     @Override

http://git-wip-us.apache.org/repos/asf/cxf/blob/ac05513f/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
index abf11ef..26e8bcb 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
@@ -39,6 +39,14 @@ import org.apache.cxf.rs.security.oidc.common.UserInfo;
 import org.apache.cxf.rt.security.crypto.MessageDigestUtils;
 
 public final class OidcUtils {
+    
+    public static final String ID_TOKEN_RESPONSE_TYPE = "id_token";
+    public static final String ID_TOKEN_AT_RESPONSE_TYPE = "id_token token";
+    public static final String CODE_AT_RESPONSE_TYPE = "code token";
+    public static final String CODE_ID_TOKEN_RESPONSE_TYPE = "code id_token";
+    public static final String CODE_ID_TOKEN_AT_RESPONSE_TYPE = "code id_token token";
+    
+    
     public static final String ID_TOKEN = "id_token";
     public static final String OPENID_SCOPE = "openid";
     public static final String PROFILE_SCOPE = "profile";
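Review bot: The five new response_type constants carry no documentation, and the multi-valued ones are space-separated lists that the rest of this commit compares with equals, which is order-sensitive; OAuth 2.0 Multiple Response Type Encoding Practices treats the order of values in a space-delimited response_type as not significant, so a request using `token id_token` would not match ID_TOKEN_AT_RESPONSE_TYPE. A header comment such as `// OIDC response_type values; multi-valued ones are stored in canonical order, so client-supplied values must be normalised before being compared with equals` makes that expectation explicit for callers. ID_TOKEN_RESPONSE_TYPE also duplicates the value of the existing ID_TOKEN constant; defining one in terms of the other keeps them from drifting. The class body continues past the hunk.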

