cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject cxf git commit: Checking none and consent prompt values before presenting an authorization consent screen
Date Wed, 25 May 2016 11:48:03 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 39b19384a -> dda4c7b82


Checking none and consent prompt values before presenting an authorization consent screen


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/dda4c7b8
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/dda4c7b8
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/dda4c7b8

Branch: refs/heads/master
Commit: dda4c7b8298a21e2dce24f72717edf0980285949
Parents: 39b1938
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Wed May 25 12:47:45 2016 +0100
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Wed May 25 12:47:45 2016 +0100

----------------------------------------------------------------------
 .../services/RedirectionBasedGrantService.java  |  5 +--
 .../oidc/idp/OidcAuthorizationCodeService.java  | 36 +++++++++++--------
 .../security/oidc/idp/OidcImplicitService.java  | 37 ++++++++++++--------
 .../cxf/rs/security/oidc/utils/OidcUtils.java   | 15 ++++++++
 4 files changed, 62 insertions(+), 31 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/dda4c7b8/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
index a6d5da8..8e45c36 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
@@ -200,7 +200,7 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
             }
         }
         final boolean authorizationCanBeSkipped = preAuthorizationComplete 
-            || canAuthorizationBeSkipped(client, userSubject, requestedScope, requestedPermissions);
+            || canAuthorizationBeSkipped(params, client, userSubject, requestedScope, requestedPermissions);
         
         // Populate the authorization challenge data 
         OAuthAuthorizationData data = 
@@ -228,7 +228,8 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
     public Set<String> getSupportedResponseTypes() {
         return supportedResponseTypes;
     }
-    protected boolean canAuthorizationBeSkipped(Client client, 
+    protected boolean canAuthorizationBeSkipped(MultivaluedMap<String, String> params,
+                                                Client client, 
                                                 UserSubject userSubject,
                                                 List<String> requestedScope, 
                                                 List<OAuthPermission> permissions)
{

http://git-wip-us.apache.org/repos/asf/cxf/blob/dda4c7b8/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
index b616170..17f595d 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
@@ -36,14 +36,29 @@ import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
 
 public class OidcAuthorizationCodeService extends AuthorizationCodeGrantService {
-    private static final String PROMPT_PARAMETER = "prompt";
     
     @Override
-    protected boolean canAuthorizationBeSkipped(Client client,
+    protected boolean canAuthorizationBeSkipped(MultivaluedMap<String, String> params,
+                                                Client client,
                                                 UserSubject userSubject,
                                                 List<String> requestedScope,
                                                 List<OAuthPermission> permissions)
{
-        return super.canAuthorizationBeSkipped(client, userSubject, requestedScope, permissions);
+        List<String> promptValues = OidcUtils.getPromptValues(params);
+        if (promptValues.contains(OidcUtils.PROMPT_CONSENT_VALUE)) {
+            // Displaying the consent screen is preferred by the client
+            return false;
+        }
+        // Check the pre-configured consent
+        boolean preConfiguredConsentForScopes =
+            super.canAuthorizationBeSkipped(params, client, userSubject, requestedScope,
permissions);
+        boolean nonePromptRequested = promptValues.contains(OidcUtils.PROMPT_NONE_VALUE);
+        
+        if (nonePromptRequested && !preConfiguredConsentForScopes) {
+            // An error is returned if client does not have pre-configured consent for the
requested scopes/claims
+            LOG.log(Level.FINE, "Prompt 'none' request can not be met");
+            throw new OAuthServiceException(new OAuthError(OidcUtils.CONSENT_REQUIRED_ERROR));
+        }
+        return !nonePromptRequested && preConfiguredConsentForScopes;
     }
     
     public void setSkipAuthorizationWithOidcScope(boolean skipAuthorizationWithOidcScope)
{
@@ -55,17 +70,10 @@ public class OidcAuthorizationCodeService extends AuthorizationCodeGrantService
                                           UserSubject userSubject,
                                           Client client) {    
         // Validate the prompt - if it contains "none" then an error is returned with any
other value
-        String prompt = params.getFirst(PROMPT_PARAMETER);
-        if (prompt != null) {
-            String[] promptValues = prompt.trim().split(" ");
-            if (promptValues.length > 1) {
-                for (String promptValue : promptValues) {
-                    if ("none".equals(promptValue)) {
-                        LOG.log(Level.FINE, "The prompt value {} is invalid", prompt);
-                        throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
-                    }
-                }
-            }
+        List<String> promptValues = OidcUtils.getPromptValues(params);
+        if (promptValues != null && promptValues.size() > 1 && promptValues.contains(OidcUtils.PROMPT_NONE_VALUE))
{
+            LOG.log(Level.FINE, "The prompt value {} is invalid", params.getFirst(OidcUtils.PROMPT_PARAMETER));
+            throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
         }
         
         return super.startAuthorization(params, userSubject, client);

http://git-wip-us.apache.org/repos/asf/cxf/blob/dda4c7b8/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
index d689c21..b0a8e05 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
@@ -49,8 +49,6 @@ import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
 
 
 public class OidcImplicitService extends ImplicitGrantService {
-    private static final String PROMPT_PARAMETER = "prompt";
-    
     private OAuthJoseJwtProducer idTokenHandler;
     private IdTokenProvider idTokenProvider;
     
@@ -78,28 +76,37 @@ public class OidcImplicitService extends ImplicitGrantService {
         }
         
         // Validate the prompt - if it contains "none" then an error is returned with any
other value
-        String prompt = params.getFirst(PROMPT_PARAMETER);
-        if (prompt != null) {
-            String[] promptValues = prompt.trim().split(" ");
-            if (promptValues.length > 1) {
-                for (String promptValue : promptValues) {
-                    if ("none".equals(promptValue)) {
-                        LOG.log(Level.FINE, "The prompt value {} is invalid", prompt);
-                        throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
-                    }
-                }
-            }
+        List<String> promptValues = OidcUtils.getPromptValues(params);
+        if (promptValues.size() > 1 && promptValues.contains(OidcUtils.PROMPT_NONE_VALUE))
{
+            LOG.log(Level.FINE, "The prompt value {} is invalid", params.getFirst(OidcUtils.PROMPT_PARAMETER));
+            throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
         }
         
         return super.startAuthorization(params, userSubject, client);
     }
     
     @Override
-    protected boolean canAuthorizationBeSkipped(Client client,
+    protected boolean canAuthorizationBeSkipped(MultivaluedMap<String, String> params,
+                                                Client client,
                                                 UserSubject userSubject,
                                                 List<String> requestedScope,
                                                 List<OAuthPermission> permissions)
{
-        return super.canAuthorizationBeSkipped(client, userSubject, requestedScope, permissions);
+        List<String> promptValues = OidcUtils.getPromptValues(params);
+        if (promptValues.contains(OidcUtils.PROMPT_CONSENT_VALUE)) {
+            // Displaying the consent screen is preferred by the client
+            return false;
+        }
+        // Check the pre-configured consent
+        boolean preConfiguredConsentForScopes =
+            super.canAuthorizationBeSkipped(params, client, userSubject, requestedScope,
permissions);
+        boolean nonePromptRequested = promptValues.contains(OidcUtils.PROMPT_NONE_VALUE);
+        
+        if (nonePromptRequested && !preConfiguredConsentForScopes) {
+            // An error is returned if client does not have pre-configured consent for the
requested scopes/claims
+            LOG.log(Level.FINE, "Prompt 'none' request can not be met");
+            throw new OAuthServiceException(new OAuthError(OidcUtils.CONSENT_REQUIRED_ERROR));
+        }
+        return !nonePromptRequested && preConfiguredConsentForScopes;
     }
     
     public void setSkipAuthorizationWithOidcScope(boolean skipAuthorizationWithOidcScope)
{

http://git-wip-us.apache.org/repos/asf/cxf/blob/dda4c7b8/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
index 1f717c1..3bbc63a 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
@@ -20,6 +20,7 @@ package org.apache.cxf.rs.security.oidc.utils;
 
 import java.security.NoSuchAlgorithmException;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -67,6 +68,11 @@ public final class OidcUtils {
     public static final String ENDPOINT_CLAIM_SOURCE_PROPERTY = "endpoint";
     public static final String TOKEN_CLAIM_SOURCE_PROPERTY = "access_token";
     
+    public static final String PROMPT_PARAMETER = "prompt";
+    public static final String PROMPT_NONE_VALUE = "none";
+    public static final String PROMPT_CONSENT_VALUE = "consent";
+    public static final String CONSENT_REQUIRED_ERROR = "consent_required";
+    
     private static final Map<String, List<String>> SCOPES_MAP;
     static {
         SCOPES_MAP = new HashMap<String, List<String>>();
@@ -79,6 +85,15 @@ public final class OidcUtils {
     private OidcUtils() {
         
     }
+    public static List<String> getPromptValues(MultivaluedMap<String, String>
params) {
+        String prompt = params.getFirst(PROMPT_PARAMETER);
+        if (prompt != null) {
+            return Arrays.asList(prompt.trim().split(" "));
+        } else {
+            return Collections.emptyList();
+        }
+    }
+    
     public static String getOpenIdScope() {
         return OPENID_SCOPE;
     }


Mime
View raw message