cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject cxf git commit: Simplifying OIDC services a bit
Date Wed, 25 May 2016 10:02:15 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.1.x-fixes 4de35dea1 -> 49e194399


Simplifying OIDC services a bit


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/49e19439
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/49e19439
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/49e19439

Branch: refs/heads/3.1.x-fixes
Commit: 49e1943994503e96e6c69f4e55d8a0ba9f5464c8
Parents: 4de35de
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Wed May 25 10:59:17 2016 +0100
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Wed May 25 11:02:02 2016 +0100

----------------------------------------------------------------------
 .../services/AbstractImplicitGrantService.java  |  1 +
 .../services/AuthorizationCodeGrantService.java |  1 +
 .../services/RedirectionBasedGrantService.java  |  9 +++++-
 .../oidc/idp/OidcAuthorizationCodeService.java  | 29 +++-----------------
 .../security/oidc/idp/OidcImplicitService.java  | 23 +++-------------
 5 files changed, 18 insertions(+), 45 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/49e19439/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
index 3a18a66..446f82c 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
@@ -133,6 +133,7 @@ public abstract class AbstractImplicitGrantService extends RedirectionBasedGrant
         reg.setApprovedScope(getApprovedScope(requestedScope, approvedScope));
         reg.setAudiences(Collections.singletonList(state.getAudience()));
         reg.setNonce(state.getNonce());
+        reg.getExtraProperties().putAll(state.getExtraProperties());
         return reg;
     }
     protected void finalizeResponse(StringBuilder sb, OAuthRedirectionState state) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/49e19439/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
index af3e614..2a71cdb 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
@@ -160,6 +160,7 @@ public class AuthorizationCodeGrantService extends RedirectionBasedGrantService
         codeReg.setAudience(state.getAudience());
         codeReg.setNonce(state.getNonce());
         codeReg.setClientCodeChallenge(state.getClientCodeChallenge());
+        codeReg.getExtraProperties().putAll(state.getExtraProperties());
         return codeReg;
     }
     protected String processCodeGrant(Client client, String code, UserSubject endUser) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/49e19439/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
index 5ed3e2c..a6d5da8 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
@@ -70,6 +70,7 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
     private boolean matchRedirectUriWithApplicationUri;
     private boolean hidePreauthorizedScopesInForm;
     private AuthorizationRequestFilter authorizationFilter;
+    private List<String> scopesRequiringNoConsent;
     
     protected RedirectionBasedGrantService(String supportedResponseType,
                                            String supportedGrantType) {
@@ -231,7 +232,10 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
                                                 UserSubject userSubject,
                                                 List<String> requestedScope, 
                                                 List<OAuthPermission> permissions)
{
-        return false;
+        return scopesRequiringNoConsent != null 
+               && requestedScope != null
+               && requestedScope.size() == scopesRequiringNoConsent.size()
+               && requestedScope.containsAll(scopesRequiringNoConsent);
     }
 
     /**
@@ -554,4 +558,7 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
     public void setAuthorizationFilter(AuthorizationRequestFilter authorizationFilter) {
         this.authorizationFilter = authorizationFilter;
     }
+    public void setScopesRequiringNoConsent(List<String> scopesRequiringNoConsent)
{
+        this.scopesRequiringNoConsent = scopesRequiringNoConsent;
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/49e19439/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
index a4e9ed5..b616170 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
@@ -18,6 +18,7 @@
  */
 package org.apache.cxf.rs.security.oidc.idp;
 
+import java.util.Collections;
 import java.util.List;
 import java.util.logging.Level;
 
@@ -28,9 +29,7 @@ import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.OAuthError;
 import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
 import org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState;
-import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
 import org.apache.cxf.rs.security.oauth2.common.UserSubject;
-import org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeRegistration;
 import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
 import org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
@@ -39,20 +38,16 @@ import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
 public class OidcAuthorizationCodeService extends AuthorizationCodeGrantService {
     private static final String PROMPT_PARAMETER = "prompt";
     
-    private boolean skipAuthorizationWithOidcScope;
     @Override
     protected boolean canAuthorizationBeSkipped(Client client,
                                                 UserSubject userSubject,
                                                 List<String> requestedScope,
                                                 List<OAuthPermission> permissions)
{
-        // No need to challenge the authenticated user with the authorization form 
-        // if all the client application redirecting a user needs is to get this user authenticated
-        // with OIDC IDP
-        return requestedScope.size() == 1 && permissions.size() == 1 && skipAuthorizationWithOidcScope
-            && OidcUtils.OPENID_SCOPE.equals(requestedScope.get(0));
+        return super.canAuthorizationBeSkipped(client, userSubject, requestedScope, permissions);
     }
+    
     public void setSkipAuthorizationWithOidcScope(boolean skipAuthorizationWithOidcScope)
{
-        this.skipAuthorizationWithOidcScope = skipAuthorizationWithOidcScope;
+        super.setScopesRequiringNoConsent(Collections.singletonList(OidcUtils.OPENID_SCOPE));
     }
     
     @Override
@@ -76,22 +71,6 @@ public class OidcAuthorizationCodeService extends AuthorizationCodeGrantService
         return super.startAuthorization(params, userSubject, client);
     }
     
-    protected AuthorizationCodeRegistration createCodeRegistration(OAuthRedirectionState
state, 
-                                                                   Client client, 
-                                                                   List<String> requestedScope,

-                                                                   List<String> approvedScope,

-                                                                   UserSubject userSubject,

-                                                                   ServerAccessToken preauthorizedToken)
{
-        AuthorizationCodeRegistration codeReg = super.createCodeRegistration(state, 
-                                                                             client, 
-                                                                             requestedScope,

-                                                                             approvedScope,

-                                                                             userSubject,

-                                                                             preauthorizedToken);
-        
-        codeReg.getExtraProperties().putAll(state.getExtraProperties());
-        return codeReg;
-    }
     @Override
     protected OAuthRedirectionState recreateRedirectionStateFromParams(
         MultivaluedMap<String, String> params) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/49e19439/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
index c35526c..d689c21 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
@@ -19,6 +19,7 @@
 package org.apache.cxf.rs.security.oidc.idp;
 
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Properties;
@@ -32,7 +33,6 @@ import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
 import org.apache.cxf.rs.security.jose.jws.JwsUtils;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
-import org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration;
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.OAuthError;
 import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
@@ -51,7 +51,6 @@ import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
 public class OidcImplicitService extends ImplicitGrantService {
     private static final String PROMPT_PARAMETER = "prompt";
     
-    private boolean skipAuthorizationWithOidcScope;
     private OAuthJoseJwtProducer idTokenHandler;
     private IdTokenProvider idTokenProvider;
     
@@ -100,14 +99,11 @@ public class OidcImplicitService extends ImplicitGrantService {
                                                 UserSubject userSubject,
                                                 List<String> requestedScope,
                                                 List<OAuthPermission> permissions)
{
-        // No need to challenge the authenticated user with the authorization form 
-        // if all the client application redirecting a user needs is to get this user authenticated
-        // with OIDC IDP
-        return requestedScope.size() == 1 && permissions.size() == 1 && skipAuthorizationWithOidcScope
-            && OidcUtils.OPENID_SCOPE.equals(requestedScope.get(0));
+        return super.canAuthorizationBeSkipped(client, userSubject, requestedScope, permissions);
     }
+    
     public void setSkipAuthorizationWithOidcScope(boolean skipAuthorizationWithOidcScope)
{
-        this.skipAuthorizationWithOidcScope = skipAuthorizationWithOidcScope;
+        super.setScopesRequiringNoConsent(Collections.singletonList(OidcUtils.OPENID_SCOPE));
     }
     
     @Override
@@ -161,17 +157,6 @@ public class OidcImplicitService extends ImplicitGrantService {
         return state;
     }
     
-    @Override
-    protected AccessTokenRegistration createTokenRegistration(OAuthRedirectionState state,

-                                                              Client client, 
-                                                              List<String> requestedScope,

-                                                              List<String> approvedScope,

-                                                              UserSubject userSubject) {
-        AccessTokenRegistration reg = 
-            super.createTokenRegistration(state, client, requestedScope, approvedScope, userSubject);
-        reg.getExtraProperties().putAll(state.getExtraProperties());
-        return reg;
-    }
     
     protected String processIdToken(OAuthRedirectionState state, IdToken idToken) {
         OAuthJoseJwtProducer processor = idTokenHandler == null ? new OAuthJoseJwtProducer()
: idTokenHandler; 


Mime
View raw message