Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 6743118B8C for ; Thu, 3 Mar 2016 18:02:49 +0000 (UTC) Received: (qmail 31145 invoked by uid 500); 3 Mar 2016 18:02:49 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 31080 invoked by uid 500); 3 Mar 2016 18:02:49 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 31071 invoked by uid 99); 3 Mar 2016 18:02:49 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 03 Mar 2016 18:02:49 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id 1F762E78E9; Thu, 3 Mar 2016 18:02:49 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: sergeyb@apache.org To: commits@cxf.apache.org Message-Id: <28d63b01a1524573b5b4e5a1b5963546@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: cxf git commit: Prototying OidcHybridService Date: Thu, 3 Mar 2016 18:02:49 +0000 (UTC) Repository: cxf Updated Branches: refs/heads/3.1.x-fixes daf19cc33 -> a64b75033 Prototying OidcHybridService Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/a64b7503 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/a64b7503 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/a64b7503 Branch: refs/heads/3.1.x-fixes Commit: a64b75033db4d4f07052288b9b5c5c54b3d7f4a6 Parents: daf19cc Author: Sergey Beryozkin Authored: Thu Mar 3 18:00:54 2016 +0000 Committer: Sergey Beryozkin Committed: Thu Mar 3 18:02:27 2016 +0000 ---------------------------------------------------------------------- .../services/AbstractImplicitGrantService.java | 19 +++-- .../services/AuthorizationCodeGrantService.java | 55 ++++++++++--- .../oauth2/services/ImplicitGrantService.java | 4 +- .../oidc/idp/OidcAuthorizationCodeService.java | 3 +- .../rs/security/oidc/idp/OidcHybridService.java | 87 ++++++++++++++++++++ .../security/oidc/idp/OidcImplicitService.java | 19 +++-- 6 files changed, 156 insertions(+), 31 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/a64b7503/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java index 962ba4a..db5bc73 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java @@ -56,8 +56,18 @@ public abstract class AbstractImplicitGrantService extends RedirectionBasedGrant super(supportedResponseTypes, supportedGrantType); } - protected Response createGrant(OAuthRedirectionState state, + Client client, + List requestedScope, + List approvedScope, + UserSubject userSubject, + ServerAccessToken preAuthorizedToken) { + StringBuilder sb = + prepareGrant(state, client, requestedScope, approvedScope, userSubject, preAuthorizedToken); + return Response.seeOther(URI.create(sb.toString())).build(); + + } + public StringBuilder prepareGrant(OAuthRedirectionState state, Client client, List requestedScope, List approvedScope, @@ -105,7 +115,8 @@ public abstract class AbstractImplicitGrantService extends RedirectionBasedGrant processRefreshToken(sb, token.getRefreshToken()); } - return finalizeResponse(sb, state); + finalizeResponse(sb, state); + return sb; } protected AccessTokenRegistration createTokenRegistration(OAuthRedirectionState state, @@ -124,7 +135,7 @@ public abstract class AbstractImplicitGrantService extends RedirectionBasedGrant reg.setNonce(state.getNonce()); return reg; } - protected Response finalizeResponse(StringBuilder sb, OAuthRedirectionState state) { + protected void finalizeResponse(StringBuilder sb, OAuthRedirectionState state) { if (state.getState() != null) { sb.append("&"); sb.append(OAuthConstants.STATE).append("=").append(state.getState()); @@ -132,8 +143,6 @@ public abstract class AbstractImplicitGrantService extends RedirectionBasedGrant if (reportClientId) { sb.append("&").append(OAuthConstants.CLIENT_ID).append("=").append(state.getClientId()); } - - return Response.seeOther(URI.create(sb.toString())).build(); } protected void processRefreshToken(StringBuilder sb, String refreshToken) { http://git-wip-us.apache.org/repos/asf/cxf/blob/a64b7503/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java index b826108..4d58df7 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java @@ -45,7 +45,7 @@ import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants; /** - * This resource handles the End User authorising + * This resource handles the End User authorizing * or denying the Client to access its resources. * If End User approves the access this resource will * redirect End User back to the Client, supplying @@ -94,22 +94,17 @@ public class AuthorizationCodeGrantService extends RedirectionBasedGrantService ServerAccessToken preauthorizedToken) { // in this flow the code is still created, the preauthorized token // will be retrieved by the authorization code grant handler - AuthorizationCodeRegistration codeReg = createCodeRegistration(state, - client, - requestedScope, - approvedScope, - userSubject, - preauthorizedToken); - ServerAuthorizationCodeGrant grant = null; try { - grant = ((AuthorizationCodeDataProvider)getDataProvider()).createCodeGrant(codeReg); + grant = getGrantRepresentation(state, + client, + requestedScope, + approvedScope, + userSubject, + preauthorizedToken); } catch (OAuthServiceException ex) { return createErrorResponse(state.getState(), state.getRedirectUri(), OAuthConstants.ACCESS_DENIED); } - if (grant.getExpiresIn() > RECOMMENDED_CODE_EXPIRY_TIME_SECS) { - LOG.warning("Code expiry time exceeds 10 minutes"); - } String grantCode = processCodeGrant(client, grant.getCode(), grant.getSubject()); if (state.getRedirectUri() == null) { OOBAuthorizationResponse oobResponse = new OOBAuthorizationResponse(); @@ -127,6 +122,42 @@ public class AuthorizationCodeGrantService extends RedirectionBasedGrantService } } + protected ServerAuthorizationCodeGrant getGrantRepresentation(OAuthRedirectionState state, + Client client, + List requestedScope, + List approvedScope, + UserSubject userSubject, + ServerAccessToken preauthorizedToken) { + AuthorizationCodeRegistration codeReg = createCodeRegistration(state, + client, + requestedScope, + approvedScope, + userSubject, + preauthorizedToken); + + ServerAuthorizationCodeGrant grant = + ((AuthorizationCodeDataProvider)getDataProvider()).createCodeGrant(codeReg); + if (grant.getExpiresIn() > RECOMMENDED_CODE_EXPIRY_TIME_SECS) { + LOG.warning("Code expiry time exceeds 10 minutes"); + } + return grant; + } + + public String getGrantCode(OAuthRedirectionState state, + Client client, + List requestedScope, + List approvedScope, + UserSubject userSubject, + ServerAccessToken preauthorizedToken) { + ServerAuthorizationCodeGrant grant = getGrantRepresentation(state, + client, + requestedScope, + approvedScope, + userSubject, + preauthorizedToken); + return processCodeGrant(client, grant.getCode(), grant.getSubject()); + } + protected AuthorizationCodeRegistration createCodeRegistration(OAuthRedirectionState state, Client client, List requestedScope, http://git-wip-us.apache.org/repos/asf/cxf/blob/a64b7503/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java index 50aa491..e0fec11 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java @@ -35,11 +35,9 @@ import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants; /** * Redirection-based Implicit Grant Service * - * This resource handles the End User authorising + * This resource handles the End User authorizing * or denying the Client embedded in the Web agent. * - * We can consider having a single authorization service dealing with either - * authorization code or implicit grant. */ @Path("/authorize-implicit") public class ImplicitGrantService extends AbstractImplicitGrantService { http://git-wip-us.apache.org/repos/asf/cxf/blob/a64b7503/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java index 59ef008..9b6f4f8 100644 --- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java +++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java @@ -32,7 +32,6 @@ import org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService; import org.apache.cxf.rs.security.oidc.utils.OidcUtils; public class OidcAuthorizationCodeService extends AuthorizationCodeGrantService { - private static final String OPEN_ID_CONNECT_SCOPE = "openid"; private boolean skipAuthorizationWithOidcScope; @Override protected boolean canAuthorizationBeSkipped(Client client, @@ -43,7 +42,7 @@ public class OidcAuthorizationCodeService extends AuthorizationCodeGrantService // if all the client application redirecting a user needs is to get this user authenticated // with OIDC IDP return requestedScope.size() == 1 && permissions.size() == 1 && skipAuthorizationWithOidcScope - && OPEN_ID_CONNECT_SCOPE.equals(requestedScope.get(0)); + && OidcUtils.OPENID_SCOPE.equals(requestedScope.get(0)); } public void setSkipAuthorizationWithOidcScope(boolean skipAuthorizationWithOidcScope) { this.skipAuthorizationWithOidcScope = skipAuthorizationWithOidcScope; http://git-wip-us.apache.org/repos/asf/cxf/blob/a64b7503/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcHybridService.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcHybridService.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcHybridService.java new file mode 100644 index 0000000..401d254 --- /dev/null +++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcHybridService.java @@ -0,0 +1,87 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.rs.security.oidc.idp; + +import java.util.Arrays; +import java.util.HashMap; +import java.util.HashSet; +import java.util.List; +import java.util.Map; + +import org.apache.cxf.rs.security.oauth2.common.Client; +import org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState; +import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken; +import org.apache.cxf.rs.security.oauth2.common.UserSubject; +import org.apache.cxf.rs.security.oauth2.services.AbstractImplicitGrantService; +import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants; + + +public class OidcHybridService extends AbstractImplicitGrantService { + public static final String CODE_AT_RESPONSE_TYPE = "code token"; + public static final String CODE_ID_TOKEN_RESPONSE_TYPE = "code id_token"; + public static final String CODE_ID_TOKEN_AT_RESPONSE_TYPE = "code id_token token"; + private static final Map IMPLICIT_RESPONSE_TYPES; + static { + IMPLICIT_RESPONSE_TYPES = new HashMap(); + IMPLICIT_RESPONSE_TYPES.put(CODE_AT_RESPONSE_TYPE, OAuthConstants.TOKEN_RESPONSE_TYPE); + IMPLICIT_RESPONSE_TYPES.put(CODE_ID_TOKEN_RESPONSE_TYPE, OidcImplicitService.ID_TOKEN_RESPONSE_TYPE); + IMPLICIT_RESPONSE_TYPES.put(CODE_ID_TOKEN_AT_RESPONSE_TYPE, OidcImplicitService.ID_TOKEN_AT_RESPONSE_TYPE); + } + private OidcAuthorizationCodeService codeService; + private OidcImplicitService implicitService; + + public OidcHybridService() { + super(new HashSet(Arrays.asList(CODE_AT_RESPONSE_TYPE, + CODE_ID_TOKEN_RESPONSE_TYPE, + CODE_ID_TOKEN_AT_RESPONSE_TYPE)), + "Hybrid"); + } + + + @Override + public StringBuilder prepareGrant(OAuthRedirectionState state, + Client client, + List requestedScope, + List approvedScope, + UserSubject userSubject, + ServerAccessToken preAuthorizedToken) { + String actualResponseType = state.getResponseType(); + + state.setResponseType(OAuthConstants.CODE_RESPONSE_TYPE); + String code = codeService.getGrantCode(state, client, requestedScope, + approvedScope, userSubject, preAuthorizedToken); + state.setResponseType(IMPLICIT_RESPONSE_TYPES.get(actualResponseType)); + StringBuilder sb = implicitService.prepareGrant(state, client, requestedScope, + approvedScope, userSubject, preAuthorizedToken); + + sb.append("&"); + sb.append(OAuthConstants.AUTHORIZATION_CODE_VALUE).append("=").append(code); + return sb; + } + + + public void setCodeService(OidcAuthorizationCodeService codeService) { + this.codeService = codeService; + } + + + public void setImplicitService(OidcImplicitService implicitService) { + this.implicitService = implicitService; + } + } http://git-wip-us.apache.org/repos/asf/cxf/blob/a64b7503/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java index 94dd845..4d41da0 100644 --- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java +++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java @@ -42,21 +42,20 @@ import org.apache.cxf.rs.security.oidc.utils.OidcUtils; public class OidcImplicitService extends ImplicitGrantService { - private static final String OPEN_ID_CONNECT_SCOPE = "openid"; - private static final String ID_TOKEN_RESPONSE_TYPE = "id_token"; - private static final String ID_TOKEN_AND_AT_RESPONSE_TYPE = "id_token token"; + public static final String ID_TOKEN_RESPONSE_TYPE = "id_token"; + public static final String ID_TOKEN_AT_RESPONSE_TYPE = "id_token token"; private boolean skipAuthorizationWithOidcScope; private JoseJwtProducer idTokenHandler; private IdTokenProvider idTokenProvider; public OidcImplicitService() { super(new HashSet(Arrays.asList(ID_TOKEN_RESPONSE_TYPE, - ID_TOKEN_AND_AT_RESPONSE_TYPE))); + ID_TOKEN_AT_RESPONSE_TYPE))); } @Override protected boolean canAccessTokenBeReturned(String responseType) { - return ID_TOKEN_AND_AT_RESPONSE_TYPE.equals(responseType); + return ID_TOKEN_AT_RESPONSE_TYPE.equals(responseType); } @Override @@ -79,13 +78,14 @@ public class OidcImplicitService extends ImplicitGrantService { // if all the client application redirecting a user needs is to get this user authenticated // with OIDC IDP return requestedScope.size() == 1 && permissions.size() == 1 && skipAuthorizationWithOidcScope - && OPEN_ID_CONNECT_SCOPE.equals(requestedScope.get(0)); + && OidcUtils.OPENID_SCOPE.equals(requestedScope.get(0)); } public void setSkipAuthorizationWithOidcScope(boolean skipAuthorizationWithOidcScope) { this.skipAuthorizationWithOidcScope = skipAuthorizationWithOidcScope; } - protected Response createGrant(OAuthRedirectionState state, + @Override + public StringBuilder prepareGrant(OAuthRedirectionState state, Client client, List requestedScope, List approvedScope, @@ -93,7 +93,7 @@ public class OidcImplicitService extends ImplicitGrantService { ServerAccessToken preAuthorizedToken) { if (canAccessTokenBeReturned(state.getResponseType())) { - return super.createGrant(state, client, requestedScope, approvedScope, userSubject, preAuthorizedToken); + return super.prepareGrant(state, client, requestedScope, approvedScope, userSubject, preAuthorizedToken); } // id_token response type processing @@ -104,7 +104,8 @@ public class OidcImplicitService extends ImplicitGrantService { if (idToken != null) { sb.append(OidcUtils.ID_TOKEN).append("=").append(idToken); } - return finalizeResponse(sb, state); + finalizeResponse(sb, state); + return sb; } private String getProcessedIdToken(OAuthRedirectionState state,