From serg...@apache.org
Subject cxf git commit: Continuing prototyping the dynreg service code
Date Wed, 24 Aug 2016 14:47:28 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.1.x-fixes 0c01db46c -> 2e0451f31


Continuing prototyping the dynreg service code


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2e0451f3
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2e0451f3
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2e0451f3

Branch: refs/heads/3.1.x-fixes
Commit: 2e0451f3195fb7f42c53c24910d630b1171ad002
Parents: 0c01db4
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Wed Aug 24 15:44:40 2016 +0100
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Wed Aug 24 15:47:01 2016 +0100

----------------------------------------------------------------------
 .../oauth2/services/ClientRegistration.java     | 124 ++++++++++++
 .../services/ClientRegistrationRequest.java     | 124 ------------
 .../services/DynamicRegistrationService.java    | 201 +++++++++++++++++--
 .../oidc/idp/OidcClientRegistration.java        |  27 +++
 .../oidc/idp/OidcClientRegistrationRequest.java |  27 ---
 .../idp/OidcDynamicRegistrationService.java     |  33 +++
 6 files changed, 369 insertions(+), 167 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/2e0451f3/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ClientRegistration.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ClientRegistration.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ClientRegistration.java
new file mode 100644
index 0000000..d81a623
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ClientRegistration.java
@@ -0,0 +1,124 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.services;
+
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.apache.cxf.jaxrs.json.basic.JsonMapObject;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
+
+public class ClientRegistration extends JsonMapObject {
+    public static final String REDIRECT_URIS = "redirect_uris";
+    public static final String RESPONSE_TYPES = "response_types";
+    public static final String GRANT_TYPES = "grant_types";
+    public static final String APPLICATION_TYPE = "application_type";
+    public static final String CONTACTS = "contacts";
+    public static final String CLIENT_NAME = "client_name";
+    public static final String LOGO_URI = "logo_uri";
+    public static final String CLIENT_URI = "client_uri";
+    public static final String POLICY_URI = "policy_uri";
+    public static final String TOS_URI = "tos_uri";
+    public static final String TOKEN_ENDPOINT_AUTH_METHOD = "token_endpoint_auth_method";
+    public static final String SCOPE = OAuthConstants.SCOPE;
+        
+    private static final long serialVersionUID = 7903976943604132150L;
+
+    public ClientRegistration() {
+    }
+    
+    public ClientRegistration(Map<String, Object> props) {
+        super(new LinkedHashMap<String, Object>(props));
+    }
+    
+    public void setRedirectUris(List<String> redirectUris) {
+        super.setProperty(REDIRECT_URIS, redirectUris);
+    }
+    public List<String> getRedirectUris() {
+        return getListStringProperty(REDIRECT_URIS);
+    }
+    public void setResponseTypes(List<String> responseTypes) {
+        super.setProperty(RESPONSE_TYPES, responseTypes);
+    }
+    public List<String> getResponseTypes() {
+        return getListStringProperty(RESPONSE_TYPES);
+    }
+    public void setGrantTypes(List<String> grantTypes) {
+        super.setProperty(GRANT_TYPES, grantTypes);
+    }
+    public List<String> getGrantTypes() {
+        return getListStringProperty(GRANT_TYPES);
+    }
+    public void setApplicationType(String applicationType) {
+        super.setProperty(APPLICATION_TYPE, applicationType);
+    }
+    public String getApplicationType() {
+        return getStringProperty(APPLICATION_TYPE);
+    }
+    public void setContacts(List<String> contacts) {
+        super.setProperty(CONTACTS, contacts);
+    }
+    public List<String> getContacts() {
+        return getListStringProperty(CONTACTS);
+    }
+    public void setClientName(String clientName) {
+        super.setProperty(CLIENT_NAME, clientName);
+    }
+    public String getClientName() {
+        return getStringProperty(CLIENT_NAME);
+    }
+    public void setLogoUri(String logoUri) {
+        super.setProperty(LOGO_URI, logoUri);
+    }
+    public String getLogoUri() {
+        return getStringProperty(LOGO_URI);
+    }
+    public void setClientUri(String clientUri) {
+        super.setProperty(CLIENT_URI, clientUri);
+    }
+    public String getClientUri() {
+        return getStringProperty(CLIENT_URI);
+    }
+    public void setPolicyUri(String policyUri) {
+        super.setProperty(POLICY_URI, policyUri);
+    }
+    public String getPolicyUri() {
+        return getStringProperty(POLICY_URI);
+    }
+    public void setTosUri(String tosUri) {
+        super.setProperty(TOS_URI, tosUri);
+    }
+    public String getTosUri() {
+        return getStringProperty(TOS_URI);
+    }
+    public void setTokenEndpointAuthMethod(String method) {
+        super.setProperty(TOKEN_ENDPOINT_AUTH_METHOD, method);
+    }
+    public String getTokenEndpointAuthMethod() {
+        return getStringProperty(TOKEN_ENDPOINT_AUTH_METHOD);
+    }
+    public void setScope(String scope) {
+        super.setProperty(SCOPE, scope);
+    }
+    public String getScope() {
+        return getStringProperty(SCOPE);
+    }
+    
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/2e0451f3/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ClientRegistrationRequest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ClientRegistrationRequest.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ClientRegistrationRequest.java
deleted file mode 100644
index d899343..0000000
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ClientRegistrationRequest.java
+++ /dev/null
@@ -1,124 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.services;
-
-import java.util.LinkedHashMap;
-import java.util.List;
-import java.util.Map;
-
-import org.apache.cxf.jaxrs.json.basic.JsonMapObject;
-import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
-
-public class ClientRegistrationRequest extends JsonMapObject {
-    public static final String REDIRECT_URIS = "redirect_uris";
-    public static final String RESPONSE_TYPES = "response_types";
-    public static final String GRANT_TYPES = "grant_types";
-    public static final String APPLICATION_TYPE = "application_type";
-    public static final String CONTACTS = "contacts";
-    public static final String CLIENT_NAME = "client_name";
-    public static final String LOGO_URI = "logo_uri";
-    public static final String CLIENT_URI = "client_uri";
-    public static final String POLICY_URI = "policy_uri";
-    public static final String TOS_URI = "tos_uri";
-    public static final String TOKEN_ENDPOINT_AUTH_METHOD = "token_endpoint_auth_method";
-    public static final String SCOPE = OAuthConstants.SCOPE;
-        
-    private static final long serialVersionUID = 7903976943604132150L;
-
-    public ClientRegistrationRequest() {
-    }
-    
-    public ClientRegistrationRequest(Map<String, Object> props) {
-        super(new LinkedHashMap<String, Object>(props));
-    }
-    
-    public void setRedirectUris(List<String> redirectUris) {
-        super.setProperty(REDIRECT_URIS, redirectUris);
-    }
-    public List<String> getRedirectUris() {
-        return getListStringProperty(REDIRECT_URIS);
-    }
-    public void setResponseTypes(List<String> responseTypes) {
-        super.setProperty(RESPONSE_TYPES, responseTypes);
-    }
-    public List<String> getResponseTypes() {
-        return getListStringProperty(RESPONSE_TYPES);
-    }
-    public void setGrantTypes(List<String> grantTypes) {
-        super.setProperty(GRANT_TYPES, grantTypes);
-    }
-    public List<String> getGrantTypes() {
-        return getListStringProperty(GRANT_TYPES);
-    }
-    public void setApplicationType(String applicationType) {
-        super.setProperty(APPLICATION_TYPE, applicationType);
-    }
-    public String getApplicationType() {
-        return getStringProperty(APPLICATION_TYPE);
-    }
-    public void setContacts(List<String> contacts) {
-        super.setProperty(CONTACTS, contacts);
-    }
-    public List<String> getContacts() {
-        return getListStringProperty(CONTACTS);
-    }
-    public void setClientName(String clientName) {
-        super.setProperty(CLIENT_NAME, clientName);
-    }
-    public String getClientName() {
-        return getStringProperty(CLIENT_NAME);
-    }
-    public void setLogoUri(String logoUri) {
-        super.setProperty(LOGO_URI, logoUri);
-    }
-    public String getLogoUri() {
-        return getStringProperty(LOGO_URI);
-    }
-    public void setClientUri(String clientUri) {
-        super.setProperty(CLIENT_URI, clientUri);
-    }
-    public String getClientUri() {
-        return getStringProperty(CLIENT_URI);
-    }
-    public void setPolicyUri(String policyUri) {
-        super.setProperty(POLICY_URI, policyUri);
-    }
-    public String getPolicyUri() {
-        return getStringProperty(POLICY_URI);
-    }
-    public void setTosUri(String tosUri) {
-        super.setProperty(TOS_URI, tosUri);
-    }
-    public String getTosUri() {
-        return getStringProperty(TOS_URI);
-    }
-    public void setTokenEndpointAuthMethod(String method) {
-        super.setProperty(TOKEN_ENDPOINT_AUTH_METHOD, method);
-    }
-    public String getTokenEndpointAuthMethod() {
-        return getStringProperty(TOKEN_ENDPOINT_AUTH_METHOD);
-    }
-    public void setScope(String scope) {
-        super.setProperty(SCOPE, scope);
-    }
-    public String getScope() {
-        return getStringProperty(SCOPE);
-    }
-    
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/2e0451f3/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DynamicRegistrationService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DynamicRegistrationService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DynamicRegistrationService.java
index 130fb64..a0d6bc7 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DynamicRegistrationService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DynamicRegistrationService.java
@@ -18,6 +18,9 @@
  */
 package org.apache.cxf.rs.security.oauth2.services;
 
+import java.util.Collections;
+import java.util.List;
+
 import javax.ws.rs.Consumes;
 import javax.ws.rs.DELETE;
 import javax.ws.rs.GET;
@@ -28,34 +31,69 @@ import javax.ws.rs.PathParam;
 import javax.ws.rs.Produces;
 import javax.ws.rs.QueryParam;
 import javax.ws.rs.core.Response;
+import javax.ws.rs.core.UriBuilder;
 
-import org.apache.cxf.rs.security.oauth2.provider.OAuthDataProvider;
+import org.apache.cxf.common.util.Base64UrlUtility;
+import org.apache.cxf.common.util.StringUtils;
+import org.apache.cxf.jaxrs.utils.ExceptionUtils;
+import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rs.security.oauth2.provider.ClientRegistrationProvider;
+import org.apache.cxf.rs.security.oauth2.utils.AuthorizationUtils;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
+import org.apache.cxf.rt.security.crypto.CryptoUtils;
 
 @Path("register")
 public class DynamicRegistrationService extends AbstractOAuthService {
-    
-    private OAuthDataProvider dataProvider;
+    private static final String DEFAULT_APPLICATION_TYPE = "web";
+    private static final Integer DEFAULT_CLIENT_ID_SIZE = 10;
+    private ClientRegistrationProvider clientProvider;
     private String initialAccessToken;
-    
+    private int clientIdSizeInBytes = DEFAULT_CLIENT_ID_SIZE;
     @POST
     @Consumes("application/json")
     @Produces("application/json")
-    public ClientRegistrationResponse register(ClientRegistrationRequest request) {
+    public ClientRegistrationResponse register(ClientRegistration request) {
+        checkInitialAccessToken();
+        Client client = createNewClient(request);
+        createRegAccessToken(client);
+        clientProvider.setClient(client);
         
-        return new ClientRegistrationResponse();
+        return fromClientToRegistrationResponse(client);
     }
     
+    protected void checkInitialAccessToken() {
+        if (initialAccessToken != null) {
+            checkCurrentAccessToken(initialAccessToken);
+        }
+        
+    }
+
+    protected String createRegAccessToken(Client client) {
+        //TODO: Passing AccessTokenRegistration to OAuthDataProvider may be needed
+        String regAccessToken = OAuthUtils.generateRandomTokenKey();
+        client.getProperties().put(ClientRegistrationResponse.REG_ACCESS_TOKEN, 
+                                   regAccessToken);
+        return regAccessToken;
+    }
+    protected void checkCurrentAccessToken(String accessToken) {
+        String[] authParts = AuthorizationUtils.getAuthorizationParts(getMessageContext(),

+                             Collections.singleton(OAuthConstants.BEARER_AUTHORIZATION_SCHEME));
+        if (authParts.length != 2 || !authParts[1].equals(accessToken)) {
+            throw ExceptionUtils.toForbiddenException(null, null);
+        }
+    }
+
     @GET
     @Produces("application/json")
-    public ClientRegistrationResponse readClientRegistrationWithQuery(@QueryParam("client_id")
String clientId) {
-        
+    public ClientRegistration readClientRegistrationWithQuery(@QueryParam("client_id") String
clientId) {
         return doReadClientRegistration(clientId);
     }
     
     @GET
     @Path("{clientId}")
     @Produces("application/json")
-    public ClientRegistrationResponse readClientRegistrationWithPath(@PathParam("clientId")
String clientId) {
+    public ClientRegistration readClientRegistrationWithPath(@PathParam("clientId") String
clientId) {
         
         return doReadClientRegistration(clientId);
     }
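Review bot: `checkCurrentAccessToken` compares the presented bearer token to the expected one with `String.equals`, which returns on the first differing character; for an access-token check a length-independent comparison is the usual practice, e.g. `if (authParts.length != 2 || accessToken == null || !MessageDigest.isEqual(authParts[1].getBytes(StandardCharsets.UTF_8), accessToken.getBytes(StandardCharsets.UTF_8)))` (adds `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` imports; the null guard keeps the current behaviour for a client with no stored token). `checkInitialAccessToken` silently skips authentication when `initialAccessToken` is unset, which RFC 7591 permits as open registration but deserves a comment so deployers do not miss it: `// No initial access token configured: registration is open to any caller (RFC 7591 open registration)`. `createRegAccessToken` keeps the registration access token in clear text in the client properties; the TODO already points at the data provider, and if it stays here a hashed value would avoid exposing it through anything that lists client properties. The 403 from `ExceptionUtils.toForbiddenException` is also worth a note, since RFC 7592 expects 401 for an invalid registration access token.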
@@ -70,19 +108,49 @@ public class DynamicRegistrationService extends AbstractOAuthService
{
     @DELETE
     @Path("{clientId}")
     public Response deleteClientRegistration(@PathParam("clientId") String clientId) {
+        if (readClient(clientId) != null) {
+            clientProvider.removeClient(clientId);    
+        }
+        
         return Response.ok().build();
     }
     
-    protected ClientRegistrationResponse doReadClientRegistration(String clientId) {
-        return new ClientRegistrationResponse();
+    protected ClientRegistrationResponse fromClientToRegistrationResponse(Client client)
{
+        ClientRegistrationResponse response = new ClientRegistrationResponse();
+        response.setClientId(client.getClientId());
+        response.setClientSecret(client.getClientSecret());
+        response.setClientIdIssuedAt(client.getRegisteredAt());
+        // TODO: consider making Client secret time limited
+        response.setClientSecretExpiresAt(Long.valueOf(0));
+        UriBuilder ub = getMessageContext().getUriInfo().getAbsolutePathBuilder();
+        response.setRegistrationClientUri(ub.path(client.getClientId()).build().toString());
+        
+        response.setRegistrationAccessToken(client.getProperties()
+                                            .get(ClientRegistrationResponse.REG_ACCESS_TOKEN));
+        return response;
     }
-
-    public OAuthDataProvider getDataProvider() {
-        return dataProvider;
+    
+    protected ClientRegistration doReadClientRegistration(String clientId) {
+        Client client = readClient(clientId);
+        return fromClientToClientRegistration(client);
     }
 
-    public void setDataProvider(OAuthDataProvider dataProvider) {
-        this.dataProvider = dataProvider;
+    protected ClientRegistration fromClientToClientRegistration(Client client) {
+        return new ClientRegistration();
+    }
+    
+    protected Client readClient(String clientId) {
+        Client c = clientProvider.getClient(clientId);
+        String regAccessToken = c.getProperties().get(ClientRegistrationResponse.REG_ACCESS_TOKEN);
+        // Or check OAuthDataProvider.getAccessToken
+        // if OAuthDataProvider.createAccessToken was used
+        
+        validateRegistrationAccessToken(regAccessToken);
+        return c;
+    }
+    
+    protected void validateRegistrationAccessToken(String accessToken) {
+        checkCurrentAccessToken(accessToken);
     }
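Review bot: `readClient` dereferences the result of `clientProvider.getClient(clientId)` before the token check, so a request with an unknown `clientId` fails with a NullPointerException (an HTTP 500) rather than a controlled rejection, and the `!= null` test in `deleteClientRegistration` is never reached because `readClient` throws first. Add `Client c = clientProvider.getClient(clientId); if (c == null) { throw ExceptionUtils.toForbiddenException(null, null); }` so an unknown id answers exactly like a bad token and the endpoint does not reveal which client ids exist (RFC 7592 asks for the same 401 in both cases). `fromClientToClientRegistration` still returns an empty `ClientRegistration`, presumably a prototype placeholder, so GET currently echoes nothing back; a `// TODO: map Client fields to registration metadata` there would make the intent explicit. In `fromClientToRegistrationResponse` the literal `0` passed to `setClientSecretExpiresAt` carries RFC 7591 meaning, and a comment `// 0 = the client secret does not expire (RFC 7591 3.2.1)` would save the next reader a lookup.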
 
     public String getInitialAccessToken() {
@@ -93,5 +161,106 @@ public class DynamicRegistrationService extends AbstractOAuthService
{
         this.initialAccessToken = registrationAccessToken;
     }
     
+    protected Client createNewClient(ClientRegistration request) {
+        // Client ID
+        String clientId = generateClientId();
+        
+        // Client Name
+        String clientName = request.getClientName();
+        if (StringUtils.isEmpty(clientName)) {
+            clientName = clientId;
+        }
+        
+        List<String> grantTypes = request.getGrantTypes();
+        
+        // Client Type
+        // https://tools.ietf.org/html/rfc7591 has no this property but
+        // but http://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata
does
+        String appType = request.getApplicationType();
+        if (appType == null) {
+            appType = DEFAULT_APPLICATION_TYPE;
+        }
+        boolean isConfidential = DEFAULT_APPLICATION_TYPE.equals(appType) 
+            && grantTypes != null && grantTypes.contains(OAuthConstants.AUTHORIZATION_CODE_GRANT);
+        
+        // Client Secret
+        String clientSecret = isConfidential
+            ? generateClientSecret(request)
+            : null;
+
+        Client newClient = new Client(clientId, clientSecret, isConfidential, clientName);
+        
+        if (grantTypes != null) {
+            newClient.setAllowedGrantTypes(grantTypes);
+        }    
+        
+        // Client Registration Time
+        newClient.setRegisteredAt(System.currentTimeMillis() / 1000);
+        
+        // Client Redirect URIs
+        List<String> redirectUris = request.getRedirectUris();
+        if (redirectUris != null) {
+            for (String uri : redirectUris) {
+                validateRequestUri(uri, appType, grantTypes);
+            }
+            newClient.setRedirectUris(redirectUris);
+        }
+        
+        // Client Scopes
+        String scope = request.getScope();
+        if (!StringUtils.isEmpty(scope)) {
+            newClient.setRegisteredScopes(OAuthUtils.parseScope(scope));
+        }
+        // Client Application URI
+        String clientUri = request.getClientUri();
+        if (clientUri != null) {
+            newClient.setApplicationWebUri(clientUri);
+        }
+        // Client Logo URI
+        String clientLogoUri = request.getLogoUri();
+        if (clientLogoUri != null) {
+            newClient.setApplicationLogoUri(clientLogoUri);
+        }
+        
+        //TODO: check other properties
+        // Add more typed properties like tosUri, policyUri, etc to Client
+        // or set them as Client extra properties
+        
+        return newClient;
+    }
+
+    protected void validateRequestUri(String uri, String appType, List<String> grantTypes)
{
+        // Web Clients using the OAuth Implicit Grant Type MUST only register URLs using
the https scheme 
+        // as redirect_uris; they MUST NOT use localhost as the hostname. Native Clients
MUST only register
+        // redirect_uris using custom URI schemes or URLs using the http: scheme with localhost
as the hostname.
+        // Authorization Servers MAY place additional constraints on Native Clients. Authorization
Servers MAY 
+        // reject Redirection URI values using the http scheme, other than the localhost
case for Native Clients
+    }
+
+    public void setClientProvider(ClientRegistrationProvider clientProvider) {
+        this.clientProvider = clientProvider;
+    }
     
+    protected String generateClientId() {
+        return Base64UrlUtility.encode(
+                   CryptoUtils.generateSecureRandomBytes(
+                        getClientIdSizeInBytes()));
+    }
+
+    public int getClientIdSizeInBytes() {
+        return clientIdSizeInBytes;
+    }
+    public void setClientIdSizeInBytes(int size) {
+        clientIdSizeInBytes = size;
+    }
+
+    protected String generateClientSecret(ClientRegistration request) {
+        return Base64UrlUtility.encode(
+                   CryptoUtils.generateSecureRandomBytes(
+                       getClientSecretSizeInBytes(request)));
+    }
+
+    protected int getClientSecretSizeInBytes(ClientRegistration request) {
+        return 16;
+    }
 }
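Review bot: `validateRequestUri` is an empty stub, so every `redirect_uris` entry is persisted unchecked by `newClient.setRedirectUris(redirectUris)`; even at prototype stage the server should reject malformed, relative or fragment-carrying URIs (RFC 6749 3.1.2), leaving the scheme/localhost rules quoted in the stub's comment as the follow-up. The rewrite below does that with `java.net.URI` and the `ExceptionUtils` already imported (it needs `java.net.URI` and `java.net.URISyntaxException` imports). `grant_types` is likewise copied straight into `setAllowedGrantTypes` without an allow-list, and a web client registering only `client_credentials` ends up with `isConfidential == false` and no secret; whether the token service later tolerates that is outside this diff, so a comment on `isConfidential` stating the assumption would help. The hunk opens inside `setInitialAccessToken`, whose signature is outside the hunk.
```java
protected void validateRequestUri(String uri, String appType, List<String> grantTypes) {
    // … unchanged: OIDC registration rule comments …
    URI parsed;
    try {
        parsed = new URI(uri);
    } catch (URISyntaxException ex) {
        throw ExceptionUtils.toBadRequestException(ex, null);
    }
    // RFC 6749 3.1.2: a redirection URI must be absolute and must not carry a fragment
    if (!parsed.isAbsolute() || parsed.getFragment() != null) {
        throw ExceptionUtils.toBadRequestException(null, null);
    }
    // TODO: enforce https for web clients and localhost-only http for native clients
    // as described in the comments above; appType and grantTypes are not yet consulted
}
```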

http://git-wip-us.apache.org/repos/asf/cxf/blob/2e0451f3/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcClientRegistration.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcClientRegistration.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcClientRegistration.java
new file mode 100644
index 0000000..fd717d9
--- /dev/null
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcClientRegistration.java
@@ -0,0 +1,27 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oidc.idp;
+
+import org.apache.cxf.rs.security.oauth2.services.ClientRegistration;
+
+public class OidcClientRegistration extends ClientRegistration {
+
+    private static final long serialVersionUID = -7941815270850562749L;
+        
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/2e0451f3/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcClientRegistrationRequest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcClientRegistrationRequest.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcClientRegistrationRequest.java
deleted file mode 100644
index 7a9dbe3..0000000
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcClientRegistrationRequest.java
+++ /dev/null
@@ -1,27 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oidc.idp;
-
-import org.apache.cxf.rs.security.oauth2.services.ClientRegistrationRequest;
-
-public class OidcClientRegistrationRequest extends ClientRegistrationRequest {
-
-    private static final long serialVersionUID = -7941815270850562749L;
-        
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/2e0451f3/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcDynamicRegistrationService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcDynamicRegistrationService.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcDynamicRegistrationService.java
index bb9d080..e4d9840 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcDynamicRegistrationService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcDynamicRegistrationService.java
@@ -18,9 +18,42 @@
  */
 package org.apache.cxf.rs.security.oidc.idp;
 
+import javax.ws.rs.Consumes;
+import javax.ws.rs.POST;
+import javax.ws.rs.Produces;
+
+import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rs.security.oauth2.services.ClientRegistration;
+import org.apache.cxf.rs.security.oauth2.services.ClientRegistrationResponse;
 import org.apache.cxf.rs.security.oauth2.services.DynamicRegistrationService;
 
 public class OidcDynamicRegistrationService extends DynamicRegistrationService {
+    private boolean protectIdTokenWithClientSecret;
+    
+    @POST
+    @Consumes("application/json")
+    @Produces("application/json")
+    public ClientRegistrationResponse register(OidcClientRegistration request) {
+        return super.register(request);
+    }
     
+    @Override
+    protected Client createNewClient(ClientRegistration request) {
+        // TODO: cast to OidcClientRegistrationRequest, 
+        // set OIDC specific properties as Client extra properties 
+        return super.createNewClient(request);
+    }
     
+    protected int getClientSecretSizeInBytes(ClientRegistration request) {
+           
+        // TODO: may need to be 384/8 or 512/8 if not a default HS256 but HS384 or HS512
+        int keySizeOctets = protectIdTokenWithClientSecret
+            ? 32
+            : super.getClientSecretSizeInBytes(request);
+       
+        return keySizeOctets;
+    }
+    public void setProtectIdTokenWithClientSecret(boolean protectIdTokenWithClientSecret)
{
+        this.protectIdTokenWithClientSecret = protectIdTokenWithClientSecret;
+    }
 }
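Review bot: `getClientSecretSizeInBytes` overrides the superclass method but lacks `@Override`, unlike `createNewClient` just above it; add `@Override` so a signature drift in the base class is caught at compile time. `register(OidcClientRegistration)` overloads rather than overrides the inherited `@POST register(ClientRegistration)`, so as far as this diff shows the class ends up with two `@POST`/`application/json` resource methods on the same path; if the intent is that only the OIDC one is selected, document it on the method (`// Shadows DynamicRegistrationService.register so the OIDC-specific JSON type is bound`) or verify it against CXF's resource-method selection. The 32-byte secret chosen for `protectIdTokenWithClientSecret` matches the HS256 key-size floor of RFC 7518, and the TODO about HS384/HS512 is worth keeping until the algorithm is configurable.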

