From r...@apache.org
Subject [01/13] cxf git commit: [CXF-6692] Prototyping the optional support for having Access tokens represented in JWT [Forced Update!]
Date Tue, 09 Aug 2016 01:34:17 GMT
Repository: cxf
Updated Branches:
  refs/heads/master-jaxrs-2.1 157d48aee -> 6c7552902 (forced update)


[CXF-6692] Prototyping the optional support for having Access tokens represented in JWT


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/07707cd5
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/07707cd5
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/07707cd5

Branch: refs/heads/master-jaxrs-2.1
Commit: 07707cd522e63cd0574db378e08f2f820882b5ec
Parents: e6ce20a
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Mon Aug 8 14:49:52 2016 +0100
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Mon Aug 8 14:49:52 2016 +0100

----------------------------------------------------------------------
 .../provider/AbstractOAuthDataProvider.java     | 80 ++++++++++++++++++--
 1 file changed, 74 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/07707cd5/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
index 860fa7d..9b02d3b 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
@@ -26,6 +26,8 @@ import java.util.List;
 import java.util.Map;
 
 import org.apache.cxf.jaxrs.ext.MessageContext;
+import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
+import org.apache.cxf.rs.security.jose.jwt.JwtToken;
 import org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration;
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
@@ -46,7 +48,8 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider,
Cl
     private List<String> requiredScopes;
     private List<String> invisibleToClientScopes;
     private boolean supportPreauthorizedTokens;
-    
+    private boolean useJwtFormatForAccessTokens;
+    private OAuthJoseJwtProducer jwtAccessTokenHandler;
     
     protected AbstractOAuthDataProvider() {
     }
@@ -76,9 +79,57 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider,
Cl
         at.setResponseType(atReg.getResponseType());
         at.setGrantCode(atReg.getGrantCode());
         at.getExtraProperties().putAll(atReg.getExtraProperties());
+        
+        if (isUseJwtFormatForAccessTokens()) {
+            JwtClaims claims = createJwtAccessToken(at);
+            String jose = processJwtAccessToken(claims);
+            at.setTokenKey(jose);
+        }
+        
         return at;
     }
     
+    protected JwtClaims createJwtAccessToken(ServerAccessToken at) {
+        JwtClaims claims = new JwtClaims();
+        claims.setTokenId(at.getTokenKey());
+        claims.setAudience(at.getClient().getClientId());
+        claims.setIssuedAt(at.getIssuedAt());
+        if (at.getExpiresIn() > 0) {
+            claims.setExpiryTime(at.getIssuedAt() + at.getExpiresIn());
+        }
+        if (at.getSubject() != null) {
+            claims.setSubject(at.getSubject().getLogin());
+        }
+        if (at.getIssuer() != null) {
+            claims.setIssuer(at.getIssuer());
+        }
+        if (!at.getScopes().isEmpty()) {
+            claims.setClaim(OAuthConstants.SCOPE, 
+                            OAuthUtils.convertPermissionsToScopeList(at.getScopes()));
+        }
+        // OAuth2 resource indicators (resource server audience)
+        if (at.getAudiences().isEmpty()) {
+            List<String> resourceAudiences = at.getAudiences();
+            claims.setClaim("resource", 
+                            resourceAudiences.size() == 1 ? resourceAudiences.get(0) : resourceAudiences);
+        }
+        
+        //TODO: consider auto-setting all the remaining token properties as claims either
optionally 
+        // or if JWE encryption is enabled for the providers be able to choose if they
+        // want to save JOSE token representations only - though the providers can always
override
+        // this method too and set the extra claims. If all ServerAccessToken properties
are set as claims
+        // then the providers will only have to save ServerAccessToken.getTokenKey() in 
+        // saveAccessToken(ServerAccessToken) which will be a JOSE representation of a given
ServerAccessToken
+        // instance but will have to restore ServerAccessToken from it when the runtime requests
ServerAccessToken
+        // for the validation purposes. 
+        
+        return claims;
+    }
+
+    protected ServerAccessToken createNewAccessToken(Client client) {
+        return new BearerAccessToken(client, accessTokenLifetime);
+    }
+    
     @Override
     public ServerAccessToken refreshAccessToken(Client client, String refreshTokenKey,
                                                 List<String> restrictedScopes) throws
OAuthServiceException {
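Review bot: The resource-indicator branch in `createJwtAccessToken` is inverted: `if (at.getAudiences().isEmpty())` only runs when there are no audiences, so the `resource` claim is emitted as an empty list and never carries a real audience; the test should be `if (!at.getAudiences().isEmpty()) {`. Note also that `claims.setTokenId(at.getTokenKey())` records the pre-JWT key as `jti`, and `createAccessToken` then overwrites the token key with the JOSE string, so the stored key and the `jti` intentionally differ — a one-line comment at the `setTokenId` call such as `// jti keeps the original random key; the JOSE form replaces getTokenKey() afterwards` would save the next reader the round trip. `createAccessToken` starts before this hunk, so the origin of `at.getTokenKey()` is not visible here.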
@@ -210,10 +261,6 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider,
Cl
         return theScopes.contains(OAuthConstants.REFRESH_TOKEN_SCOPE);
     }
 
-    protected ServerAccessToken createNewAccessToken(Client client) {
-        return new BearerAccessToken(client, accessTokenLifetime);
-    }
-     
     protected String getCurrentRequestedGrantType() {
         return (String)messageContext.get(OAuthConstants.GRANT_TYPE);
     }
@@ -414,6 +461,27 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider,
Cl
             setClient(c);
         }
     }
-    
 
+    public boolean isUseJwtFormatForAccessTokens() {
+        return useJwtFormatForAccessTokens;
+    }
+
+    public void setUseJwtFormatForAccessTokens(boolean useJwtFormatForAccessTokens) {
+        this.useJwtFormatForAccessTokens = useJwtFormatForAccessTokens;
+    }
+
+    public OAuthJoseJwtProducer getJwtAccessTokenHandler() {
+        return jwtAccessTokenHandler;
+    }
+
+    public void setJwtAccessTokenHandler(OAuthJoseJwtProducer jwtAccessTokenHandler) {
+        this.jwtAccessTokenHandler = jwtAccessTokenHandler;
+    }
+    
+    protected String processJwtAccessToken(JwtClaims jwtCliams) {
+        // It will JWS-sign (default) and/or JWE-encrypt
+        OAuthJoseJwtProducer processor = 
+            getJwtAccessTokenHandler() == null ? new OAuthJoseJwtProducer() : getJwtAccessTokenHandler();

+        return processor.processJwt(new JwtToken(jwtCliams));
+    }
 }
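Review bot: `processJwtAccessToken` constructs a fresh `OAuthJoseJwtProducer` on every call when no handler is configured, so whether the emitted access token is actually signed or encrypted rests entirely on that class's defaults, which this hunk does not show; if an unconfigured producer can yield an unsigned token, a provider that merely flips `setUseJwtFormatForAccessTokens(true)` would hand out bearer tokens with no integrity protection. Consider building the fallback once and stating the expectation in Javadoc on `setJwtAccessTokenHandler`, e.g. that the handler must be configured with the signing and/or encryption keys the resource servers verify against. The parameter name is also misspelled: `protected String processJwtAccessToken(JwtClaims jwtClaims)` with the two uses inside renamed to match.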

