From: sergeyb@apache.org To: commits@cxf.apache.org Date: Wed, 25 May 2016 11:57:51 -0000 Message-Id: <655399c9e57f40fdb5e8e3efb3d89323@git.apache.org> In-Reply-To: <641987e37f2d4273b9b3713769e267d6@git.apache.org> References: <641987e37f2d4273b9b3713769e267d6@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [2/2] cxf git commit: Checking none and consent prompt values before presenting an authorization consent screen archived-at: Wed, 25 May 2016 13:39:32 -0000 Checking none and consent prompt values before presenting an authorization consent screen Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2c51dc39 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2c51dc39 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2c51dc39 Branch: refs/heads/3.1.x-fixes Commit: 2c51dc39c956f90ba50f01b7c230f8f9b33fe68b Parents: 49e1943 Author: Sergey Beryozkin Authored: Wed May 25 12:47:45 2016 +0100 Committer: Sergey Beryozkin Committed: Wed May 25 12:57:38 2016 +0100 ---------------------------------------------------------------------- .../services/RedirectionBasedGrantService.java | 5 +-- .../oidc/idp/OidcAuthorizationCodeService.java | 36 +++++++++++-------- .../security/oidc/idp/OidcImplicitService.java | 37 ++++++++++++-------- .../cxf/rs/security/oidc/utils/OidcUtils.java | 15 ++++++++ 4 files changed, 62 insertions(+), 31 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/2c51dc39/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java ---------------------------------------------------------------------- 
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
index a6d5da8..8e45c36 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
@@ -200,7 +200,7 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
}
}
final boolean authorizationCanBeSkipped = preAuthorizationComplete
- || canAuthorizationBeSkipped(client, userSubject, requestedScope, requestedPermissions);
+ || canAuthorizationBeSkipped(params, client, userSubject, requestedScope, requestedPermissions);
// Populate the authorization challenge data
OAuthAuthorizationData data =
@@ -228,7 +228,8 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
public Set getSupportedResponseTypes() {
return supportedResponseTypes;
}
- protected boolean canAuthorizationBeSkipped(Client client,
+ protected boolean canAuthorizationBeSkipped(MultivaluedMap params,
+ Client client,
UserSubject userSubject,
List requestedScope,
List permissions) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/2c51dc39/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
index b616170..17f595d 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
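Review bot: The new `params` argument on `canAuthorizationBeSkipped` in the second hunk is undocumented, and this protected method is the extension point that decides whether the user consent screen is bypassed, so subclasses need its contract spelled out; the method body continues outside the hunk. I would add a Javadoc above the signature stating that returning `true` skips the consent screen for the requested scopes and permissions, that `params` are the raw, client-controlled authorization request parameters (so values read from them must be validated), and that an implementation may throw `OAuthServiceException` to abort the request, as the two OIDC overrides in this commit do. The first hunk only threads `params` through to the existing call and needs nothing further.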
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
@@ -36,14 +36,29 @@ import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
public class OidcAuthorizationCodeService extends AuthorizationCodeGrantService {
- private static final String PROMPT_PARAMETER = "prompt";
@Override
- protected boolean canAuthorizationBeSkipped(Client client,
+ protected boolean canAuthorizationBeSkipped(MultivaluedMap params,
+ Client client,
UserSubject userSubject,
List requestedScope,
List permissions) {
- return super.canAuthorizationBeSkipped(client, userSubject, requestedScope, permissions);
+ List promptValues = OidcUtils.getPromptValues(params);
+ if (promptValues.contains(OidcUtils.PROMPT_CONSENT_VALUE)) {
+ // Displaying the consent screen is preferred by the client
+ return false;
+ }
+ // Check the pre-configured consent
+ boolean preConfiguredConsentForScopes =
+ super.canAuthorizationBeSkipped(params, client, userSubject, requestedScope, permissions);
+ boolean nonePromptRequested = promptValues.contains(OidcUtils.PROMPT_NONE_VALUE);
+
+ if (nonePromptRequested && !preConfiguredConsentForScopes) {
+ // An error is returned if client does not have pre-configured consent for the requested scopes/claims
+ LOG.log(Level.FINE, "Prompt 'none' request can not be met");
+ throw new OAuthServiceException(new OAuthError(OidcUtils.CONSENT_REQUIRED_ERROR));
+ }
+ return !nonePromptRequested && preConfiguredConsentForScopes;
}
public void setSkipAuthorizationWithOidcScope(boolean skipAuthorizationWithOidcScope) {
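Review bot: The last line `return !nonePromptRequested && preConfiguredConsentForScopes;` returns false whenever `prompt=none` is present, because the guard just above already threw unless `preConfiguredConsentForScopes` is true; so a `prompt=none` request from a client with pre-configured consent falls through to the consent screen, which is exactly what OIDC Core 3.1.2.1 forbids for `none` (no authentication or consent UI may be shown). The fix is `return preConfiguredConsentForScopes;`, after which `nonePromptRequested` is only needed for the throw. It is also worth confirming how the caller turns the `consent_required` OAuthServiceException into an error redirect to the client's registered redirect_uri carrying `state`, since for `prompt=none` the error must reach the client rather than stop at the browser; that code is outside this diff. Note the method relies on `startAuthorization` having already rejected `none` combined with other prompt values before it runs, so `none` and `consent` cannot both be true here.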
@@ -55,17 +70,10 @@ public class OidcAuthorizationCodeService extends AuthorizationCodeGrantService
UserSubject userSubject,
Client client) {
// Validate the prompt - if it contains "none" then an error is returned with any other value
- String prompt = params.getFirst(PROMPT_PARAMETER);
- if (prompt != null) {
- String[] promptValues = prompt.trim().split(" ");
- if (promptValues.length > 1) {
- for (String promptValue : promptValues) {
- if ("none".equals(promptValue)) {
- LOG.log(Level.FINE, "The prompt value {} is invalid", prompt);
- throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
- }
- }
- }
+ List promptValues = OidcUtils.getPromptValues(params);
+ if (promptValues != null && promptValues.size() > 1 && promptValues.contains(OidcUtils.PROMPT_NONE_VALUE)) {
+ LOG.log(Level.FINE, "The prompt value {} is invalid", params.getFirst(OidcUtils.PROMPT_PARAMETER));
+ throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
}
return super.startAuthorization(params, userSubject, client);
http://git-wip-us.apache.org/repos/asf/cxf/blob/2c51dc39/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
index d689c21..b0a8e05 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
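Review bot: The added `LOG.log(Level.FINE, "The prompt value {} is invalid", ...)` uses an SLF4J-style `{}` placeholder, but `Level.FINE` indicates a java.util.logging logger, whose `log(Level, String, Object)` only substitutes MessageFormat indices, so the offending prompt value is never written to the log; it should read `"The prompt value {0} is invalid"`. The `promptValues != null` test in the new condition is redundant, since `OidcUtils.getPromptValues` returns an empty list rather than null, and the identical check added to `OidcImplicitService` omits it, so dropping it keeps the two services consistent. The enclosing `startAuthorization` method's closing brace lies outside the visible hunk.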
@@ -49,8 +49,6 @@ import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
public class OidcImplicitService extends ImplicitGrantService {
- private static final String PROMPT_PARAMETER = "prompt";
- private OAuthJoseJwtProducer idTokenHandler;
private IdTokenProvider idTokenProvider;
@@ -78,28 +76,37 @@ public class OidcImplicitService extends ImplicitGrantService {
}
// Validate the prompt - if it contains "none" then an error is returned with any other value
- String prompt = params.getFirst(PROMPT_PARAMETER);
- if (prompt != null) {
- String[] promptValues = prompt.trim().split(" ");
- if (promptValues.length > 1) {
- for (String promptValue : promptValues) {
- if ("none".equals(promptValue)) {
- LOG.log(Level.FINE, "The prompt value {} is invalid", prompt);
- throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
- }
- }
- }
+ List promptValues = OidcUtils.getPromptValues(params);
+ if (promptValues.size() > 1 && promptValues.contains(OidcUtils.PROMPT_NONE_VALUE)) {
+ LOG.log(Level.FINE, "The prompt value {} is invalid", params.getFirst(OidcUtils.PROMPT_PARAMETER));
+ throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
}
return super.startAuthorization(params, userSubject, client);
}
@Override
- protected boolean canAuthorizationBeSkipped(Client client,
+ protected boolean canAuthorizationBeSkipped(MultivaluedMap params,
+ Client client,
UserSubject userSubject,
List requestedScope,
List permissions) {
- return super.canAuthorizationBeSkipped(client, userSubject, requestedScope, permissions);
+ List promptValues = OidcUtils.getPromptValues(params);
+ if (promptValues.contains(OidcUtils.PROMPT_CONSENT_VALUE)) {
+ // Displaying the consent screen is preferred by the client
+ return false;
+ }
+ // Check the pre-configured consent
+ boolean preConfiguredConsentForScopes =
+ super.canAuthorizationBeSkipped(params, client, userSubject, requestedScope, permissions);
+ boolean nonePromptRequested = promptValues.contains(OidcUtils.PROMPT_NONE_VALUE);
+
+ if (nonePromptRequested && !preConfiguredConsentForScopes) {
+ // An error is returned if client does not have pre-configured consent for the requested scopes/claims
+ LOG.log(Level.FINE, "Prompt 'none' request can not be met");
+ throw new OAuthServiceException(new OAuthError(OidcUtils.CONSENT_REQUIRED_ERROR));
+ }
+ return !nonePromptRequested && preConfiguredConsentForScopes;
}
public void setSkipAuthorizationWithOidcScope(boolean skipAuthorizationWithOidcScope) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/2c51dc39/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
index 1f717c1..3bbc63a 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
@@ -20,6 +20,7 @@ package org.apache.cxf.rs.security.oidc.utils;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
+import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
@@ -67,6 +68,11 @@ public final class OidcUtils {
public static final String ENDPOINT_CLAIM_SOURCE_PROPERTY = "endpoint";
public static final String TOKEN_CLAIM_SOURCE_PROPERTY = "access_token";
+ public static final String PROMPT_PARAMETER = "prompt";
+ public static final String PROMPT_NONE_VALUE = "none";
+ public static final String PROMPT_CONSENT_VALUE = "consent";
+ public static final String CONSENT_REQUIRED_ERROR = "consent_required";
+ private static final Map> SCOPES_MAP;
static {
SCOPES_MAP = new HashMap>();
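Review bot: The new `canAuthorizationBeSkipped` override here is a verbatim copy of the one added to `OidcAuthorizationCodeService`, including `return !nonePromptRequested && preConfiguredConsentForScopes;`, which makes every `prompt=none` request that passes the `consent_required` guard return false and present the consent screen, contrary to the `none` contract; here too the line should be `return preConfiguredConsentForScopes;`. Because the prompt validation in `startAuthorization` is duplicated as well, the same security-relevant decision now lives in two files that can drift; I would move the consent/none decision into one static helper in `OidcUtils` that takes the prompt values and the result of the super call, and have both overrides delegate to it. The `{}` placeholder in the FINE log line is not a java.util.logging format either and should be `{0}`.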
@@ -79,6 +85,15 @@ public final class OidcUtils {
private OidcUtils() {
}
+ public static List getPromptValues(MultivaluedMap params) {
+ String prompt = params.getFirst(PROMPT_PARAMETER);
+ if (prompt != null) {
+ return Arrays.asList(prompt.trim().split(" "));
+ } else {
+ return Collections.emptyList();
+ }
+ }
+ public static String getOpenIdScope() {
return OPENID_SCOPE;
}
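Review bot: `getPromptValues` reads only `params.getFirst(PROMPT_PARAMETER)`, so a request carrying `prompt` twice (for example `prompt=consent&prompt=none`) is judged on the first value and the duplicate is silently ignored; RFC 6749 section 3.1 says a request parameter MUST NOT be included more than once, so the safer behaviour is to reject a repeated `prompt` with `invalid_request`, or at minimum to document that only the first occurrence is honoured. Splitting with `prompt.trim().split(" ")` also leaves empty tokens for runs of spaces and does not split on tabs; `split("\\s+")` after the trim handles the space-delimited, case-sensitive list OIDC specifies more robustly, and the resulting `Arrays.asList` view is fixed-size, which is fine for the `contains`/`size` checks the callers make. The method needs a Javadoc such as `Returns the space-separated values of the OIDC 'prompt' request parameter, or an empty list when the parameter is absent; only the first 'prompt' parameter is consulted.`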