From serg...@apache.org
Subject cxf git commit: Prototyping the code for validating c_hash in OIDC RP
Date Tue, 08 Mar 2016 16:41:07 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 409e99399 -> 36b48fe69


Prototyping the code for validating the ID token c_hash claim in the OIDC RP


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/36b48fe6
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/36b48fe6
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/36b48fe6

Branch: refs/heads/master
Commit: 36b48fe69bc52aff505fc0af76208fd6f09a4346
Parents: 409e993
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Tue Mar 8 16:40:49 2016 +0000
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Tue Mar 8 16:40:49 2016 +0000

----------------------------------------------------------------------
 .../oauth2/client/ClientCodeRequestFilter.java   |  8 +++++---
 .../cxf/rs/security/oidc/rp/IdTokenReader.java   | 19 ++++++++++++++++---
 .../oidc/rp/OidcClientCodeRequestFilter.java     |  5 ++++-
 3 files changed, 25 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/36b48fe6/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java
index be79d64..c777083 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java
@@ -201,7 +201,7 @@ public class ClientCodeRequestFilter implements ContainerRequestFilter
{
             grant.setCodeVerifier(state.getFirst(OAuthConstants.AUTHORIZATION_CODE_VERIFIER));
             at = OAuthClientUtils.getAccessToken(accessTokenServiceClient, consumer, grant);
         }
-        ClientTokenContext tokenContext = initializeClientTokenContext(rc, at, state);
+        ClientTokenContext tokenContext = initializeClientTokenContext(rc, at, requestParams,
state);
         if (at != null && clientTokenContextManager != null) {
             clientTokenContextManager.setClientTokenContext(mc, tokenContext);
         }
@@ -221,9 +221,10 @@ public class ClientCodeRequestFilter implements ContainerRequestFilter
{
     }
 
     protected ClientTokenContext initializeClientTokenContext(ContainerRequestContext rc,

-                                                              ClientAccessToken at, 
+                                                              ClientAccessToken at,
+                                                              MultivaluedMap<String, String>
requestParams,
                                                               MultivaluedMap<String, String>
state) {
-        ClientTokenContext tokenContext = createTokenContext(rc, at, state);
+        ClientTokenContext tokenContext = createTokenContext(rc, at, requestParams, state);
         ((ClientTokenContextImpl)tokenContext).setToken(at);
         ((ClientTokenContextImpl)tokenContext).setState(state);
         return tokenContext;
@@ -232,6 +233,7 @@ public class ClientCodeRequestFilter implements ContainerRequestFilter
{
 
     protected ClientTokenContext createTokenContext(ContainerRequestContext rc, 
                                                     ClientAccessToken at,
+                                                    MultivaluedMap<String, String>
requestParams,
                                                     MultivaluedMap<String, String>
state) {
         return new ClientTokenContextImpl();
     }
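Review bot: `createTokenContext` is a protected extension point and this hunk changes its parameter list without keeping the old three-argument form, so a subclass that overrode `createTokenContext(rc, at, state)` without `@Override` would still compile but would no longer be invoked; its override silently becomes dead code and the base default `new ClientTokenContextImpl()` is returned instead. Unless the hook is documented as internal API, I would keep a deprecated three-argument overload that delegates to the new one, or at least add Javadoc on the new signature so the extra parameter is understood: `/** Subclass hook: build the token context for the current redirect; requestParams presumably carries the query parameters of the redirect request and state the values saved when the authorization request was started. */`. The same remark applies to `initializeClientTokenContext` in the hunk above, which also dropped its previous signature.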

http://git-wip-us.apache.org/repos/asf/cxf/blob/36b48fe6/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
index 832813d..514ff5f 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
@@ -26,20 +26,30 @@ import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
 
 public class IdTokenReader extends OidcClaimsValidator {
     private boolean requireAtHash = true;
-    public IdToken getIdToken(ClientAccessToken at, Consumer client) {
-        JwtToken jwt = getIdJwtToken(at, client);
+    private boolean requireCodeHash;
+    
+    public IdToken getIdToken(ClientAccessToken at, String code, Consumer client) {
+        JwtToken jwt = getIdJwtToken(at, code, client);
         return getIdTokenFromJwt(jwt);
     }
+    
+    public IdToken getIdToken(ClientAccessToken at, Consumer client) {
+        return getIdToken(at, null, client);
+    }
     public IdToken getIdToken(String idJwtToken, Consumer client) {
         JwtToken jwt = getIdJwtToken(idJwtToken, client);
         return getIdTokenFromJwt(jwt);
     }
-    public JwtToken getIdJwtToken(ClientAccessToken at, Consumer client) {
+    public JwtToken getIdJwtToken(ClientAccessToken at, String code, Consumer client) {
         String idJwtToken = at.getParameters().get(OidcUtils.ID_TOKEN);
         JwtToken jwt = getIdJwtToken(idJwtToken, client); 
         OidcUtils.validateAccessTokenHash(at, jwt, requireAtHash);
+        OidcUtils.validateCodeHash(code, jwt, requireCodeHash);
         return jwt;
     }
+    public JwtToken getIdJwtToken(ClientAccessToken at, Consumer client) {
+        return getIdJwtToken(at, null, client);
+    }
     public JwtToken getIdJwtToken(String idJwtToken, Consumer client) {
         JwtToken jwt = getJwtToken(idJwtToken, client.getClientSecret());
         validateJwtClaims(jwt.getClaims(), client.getClientId(), true);
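Review bot: The new `requireCodeHash` field is left at its default of false while `requireAtHash` just above it is true, and nothing in the hunk records why the two defaults differ, so a reader may assume c_hash is always enforced. In OIDC Core the c_hash claim is only mandated for hybrid-flow ID tokens issued from the authorization endpoint, whereas this reader takes the ID token from the token-endpoint response (`at.getParameters().get(OidcUtils.ID_TOKEN)`), where c_hash is optional; I would make that explicit with `private boolean requireCodeHash = false;` and the comment `// c_hash is only required for hybrid-flow ID tokens (OIDC Core 3.3.2.11); a token-endpoint response may omit it, so the check is opt-in`. The two-argument overloads always pass `code == null`, so with `requireCodeHash` enabled their outcome depends on how `OidcUtils.validateCodeHash` (not in this diff) treats a null code, and the Javadoc on `getIdToken(ClientAccessToken, Consumer)` should say whether the c_hash check is skipped or fails on that path. It is also worth confirming that the helper still validates a c_hash claim that is present even when the flag is false, otherwise a mismatched c_hash would be silently accepted by default.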
@@ -51,4 +61,7 @@ public class IdTokenReader extends OidcClaimsValidator {
     public void setRequireAccessTokenHash(boolean require) {
         this.requireAtHash = require;
     }
+    public void setRequireCodeHash(boolean require) {
+        this.requireCodeHash = require;
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/36b48fe6/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
index f77efba..f465f1e 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
@@ -60,13 +60,16 @@ public class OidcClientCodeRequestFilter extends ClientCodeRequestFilter
{
     @Override
     protected ClientTokenContext createTokenContext(ContainerRequestContext rc, 
                                                     ClientAccessToken at,
+                                                    MultivaluedMap<String, String>
requestParams,
                                                     MultivaluedMap<String, String>
state) {
         if (rc.getSecurityContext() instanceof OidcSecurityContext) {
             return ((OidcSecurityContext)rc.getSecurityContext()).getOidcContext();
         }
         OidcClientTokenContextImpl ctx = new OidcClientTokenContextImpl();
         if (at != null) {
-            IdToken idToken = idTokenReader.getIdToken(at, getConsumer());
+            IdToken idToken = idTokenReader.getIdToken(at, 
+                                  requestParams.getFirst(OAuthConstants.AUTHORIZATION_CODE_VALUE),
+                                  getConsumer());
             // Validate the properties set up at the redirection time.
             validateIdToken(idToken, state);
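Review bot: The authorization code handed to `idTokenReader.getIdToken` is re-read from `requestParams` here rather than taken from the place where the code grant was built, so if this hook is reached with `at` non-null but no `code` parameter in the request, or with a null `requestParams`, the call passes null or throws an NPE, and whether the c_hash check then fails closed depends on `OidcUtils.validateCodeHash`, which is not in this diff. I would pull the lookup into a guarded local, `String code = requestParams == null ? null : requestParams.getFirst(OAuthConstants.AUTHORIZATION_CODE_VALUE);`, and add a comment that the code-to-ID-token binding is only enforced when the reader's `requireCodeHash` is enabled. The enclosing `createTokenContext` continues past the end of the hunk, so any later use of the context is not reviewed here.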
             

