From serg...@apache.org
Subject cxf git commit: Making it possible to configure how some of AT properties are mapped to JWT claims
Date Tue, 16 Aug 2016 12:06:08 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.1.x-fixes 9d7793bb8 -> 2b24f8986


Making it possible to configure how some of AT properties are mapped to JWT claims


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2b24f898
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2b24f898
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2b24f898

Branch: refs/heads/3.1.x-fixes
Commit: 2b24f8986897add53c9c7b76c4e5bd10dc5646d7
Parents: 9d7793b
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Tue Aug 16 13:03:18 2016 +0100
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Tue Aug 16 13:05:50 2016 +0100

----------------------------------------------------------------------
 .../oauth2/filters/JwtAccessTokenValidator.java |  14 ++-
 .../provider/AbstractOAuthDataProvider.java     |  40 ++++--
 .../DefaultEHCacheOAuthDataProvider.java        |   5 +-
 .../provider/JCacheOAuthDataProvider.java       |   8 +-
 .../oauth2/utils/JwtAccessTokenUtils.java       | 106 ----------------
 .../rs/security/oauth2/utils/JwtTokenUtils.java | 124 +++++++++++++++++++
 .../oauth2/filters/OAuth2JwtFiltersTest.java    |   2 +-
 7 files changed, 172 insertions(+), 127 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/2b24f898/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/JwtAccessTokenValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/JwtAccessTokenValidator.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/JwtAccessTokenValidator.java
index 769f7bb..78c8821 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/JwtAccessTokenValidator.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/JwtAccessTokenValidator.java
@@ -22,6 +22,7 @@ import java.util.Collections;
 import java.util.Date;
 import java.util.LinkedList;
 import java.util.List;
+import java.util.Map;
 
 import javax.ws.rs.core.MultivaluedMap;
 
@@ -36,13 +37,14 @@ import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
 import org.apache.cxf.rs.security.oauth2.common.UserSubject;
 import org.apache.cxf.rs.security.oauth2.provider.AccessTokenValidator;
 import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
+import org.apache.cxf.rs.security.oauth2.utils.JwtTokenUtils;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 
 public class JwtAccessTokenValidator extends JoseJwtConsumer implements AccessTokenValidator
{
 
-    private static final String USERNAME_CLAIM = "username";
+    private static final String USERNAME_PROP = "username";
     
-    private String usernameClaim = USERNAME_CLAIM;
+    private Map<String, String> jwtAccessTokenClaimMap;
     
     public List<String> getSupportedAuthorizationSchemes() {
         return Collections.singletonList(OAuthConstants.BEARER_AUTHORIZATION_SCHEME);
@@ -96,7 +98,9 @@ public class JwtAccessTokenValidator extends JoseJwtConsumer implements
AccessTo
             }
             atv.setTokenScopes(perms);
         }
-        String username = (String)claims.getClaim(usernameClaim);
+        String usernameClaimName = 
+            JwtTokenUtils.getClaimName(USERNAME_PROP, USERNAME_PROP, jwtAccessTokenClaimMap);
+        String username = claims.getStringProperty(usernameClaimName);
         if (username != null) {
             UserSubject userSubject = new UserSubject(username);
             if (claims.getSubject() != null) {
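Review bot: The username lookup on the new lines depends on jwtAccessTokenClaimMap holding the same `username` entry as the data provider that minted the token; with a missing or mismatched mapping `claims.getStringProperty(usernameClaimName)` returns null and the `if (username != null)` check that follows silently sets no UserSubject, which reads as a valid token with no user rather than as a misconfiguration (what happens after that branch is outside the hunk). A comment on the lookup would save the next reader a debugging session, e.g. `// must mirror the provider's jwtAccessTokenClaimMap; an unmapped or renamed claim yields null here and the subject is dropped without error`, and a debug log when the mapped claim is absent would make the mismatch visible at runtime. The enclosing validation method starts before this hunk.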
@@ -109,8 +113,8 @@ public class JwtAccessTokenValidator extends JoseJwtConsumer implements
AccessTo
         return atv;
     }
 
-    public void setUsernameClaim(String usernameClaim) {
-        this.usernameClaim = usernameClaim;
+    public void setJwtAccessTokenClaimMap(Map<String, String> jwtAccessTokenClaimMap)
{
+        this.jwtAccessTokenClaimMap = jwtAccessTokenClaimMap;
     }
 
 }
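Review bot: Removing the public `setUsernameClaim(String)` on the 3.1.x-fixes branch breaks every existing configuration that sets it, and the `getJwtAccessTokenHandler`/`setJwtAccessTokenHandler` pair renamed to `...Producer` in the AbstractOAuthDataProvider accessor hunk has the same effect. Keeping the old setter as a deprecated adapter that writes the `username` entry into jwtAccessTokenClaimMap preserves compatibility for the fixes branch, and the old handler accessors can delegate to the new ones the same way. The adapter below needs `java.util.HashMap` added to the import block.
```java
    // … unchanged: setJwtAccessTokenClaimMap …

    /**
     * @deprecated use {@link #setJwtAccessTokenClaimMap(Map)} with a "username" entry
     */
    @Deprecated
    public void setUsernameClaim(String usernameClaim) {
        if (jwtAccessTokenClaimMap == null) {
            jwtAccessTokenClaimMap = new HashMap<String, String>();
        }
        jwtAccessTokenClaimMap.put(USERNAME_PROP, usernameClaim);
    }
```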

http://git-wip-us.apache.org/repos/asf/cxf/blob/2b24f898/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
index 48450f0..514724a 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
@@ -35,6 +35,7 @@ import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
 import org.apache.cxf.rs.security.oauth2.common.UserSubject;
 import org.apache.cxf.rs.security.oauth2.tokens.bearer.BearerAccessToken;
 import org.apache.cxf.rs.security.oauth2.tokens.refresh.RefreshToken;
+import org.apache.cxf.rs.security.oauth2.utils.JwtTokenUtils;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
 
@@ -48,8 +49,10 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider,
Cl
     private List<String> requiredScopes;
     private List<String> invisibleToClientScopes;
     private boolean supportPreauthorizedTokens;
+    
     private boolean useJwtFormatForAccessTokens;
-    private OAuthJoseJwtProducer jwtAccessTokenHandler;
+    private OAuthJoseJwtProducer jwtAccessTokenProducer;
+    private Map<String, String> jwtAccessTokenClaimMap;
     
     protected AbstractOAuthDataProvider() {
     }
@@ -92,7 +95,12 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider,
Cl
     protected JwtClaims createJwtAccessToken(ServerAccessToken at) {
         JwtClaims claims = new JwtClaims();
         claims.setTokenId(at.getTokenKey());
-        claims.setClaim(OAuthConstants.CLIENT_ID, at.getClient().getClientId());
+        
+        // 'client_id' or 'cid', default client_id
+        String clientIdClaimName = 
+            JwtTokenUtils.getClaimName(OAuthConstants.CLIENT_ID, OAuthConstants.CLIENT_ID,

+                                             getJwtAccessTokenClaimMap());
+        claims.setClaim(clientIdClaimName, at.getClient().getClientId());
         claims.setIssuedAt(at.getIssuedAt());
         if (at.getExpiresIn() > 0) {
             claims.setExpiryTime(at.getIssuedAt() + at.getExpiresIn());
@@ -102,8 +110,12 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider,
Cl
             if (userSubject.getId() != null) {
                 claims.setSubject(userSubject.getId());
             }
-            // to be consistent with the token introspection response
-            claims.setClaim("username", userSubject.getLogin());
+            
+            // 'username' by default to be consistent with the token introspection response
+            final String usernameProp = "username";
+            String usernameClaimName = 
+                JwtTokenUtils.getClaimName(usernameProp, usernameProp, getJwtAccessTokenClaimMap());
+            claims.setClaim(usernameClaimName, userSubject.getLogin());
         }
         if (at.getIssuer() != null) {
             claims.setIssuer(at.getIssuer());
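Review bot: The remapped username claim is written with `claims.setClaim(usernameClaimName, userSubject.getLogin())` after `claims.setSubject(userSubject.getId())`, `setIssuedAt` and `setExpiryTime` have already run, so a jwtAccessTokenClaimMap entry that maps `username` (or `client_id`, in the previous hunk) onto a registered claim such as `sub`, `iss`, `aud` or `exp` silently overwrites whatever was set earlier instead of being rejected. A guard in `JwtTokenUtils.getClaimName`, or here, that refuses the registered JWT claim names would turn such a misconfiguration into a clear error rather than a token whose subject or expiry is a login name. Separately, the literal `"username"` is now spelled in three places (`usernameProp` here, `USERNAME_PROP` in JwtAccessTokenValidator and `usernameProp` again in JwtTokenUtils); one shared constant, e.g. `JwtTokenUtils.USERNAME_PROPERTY`, would keep producer and consumer from drifting. createJwtAccessToken begins in the previous hunk and ends after this one.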
@@ -144,7 +156,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider,
Cl
         // to set IdToken nonce property with the filter having an access to the current
ServerAccessToken instance
         return claims;
     }
-
+    
     protected ServerAccessToken createNewAccessToken(Client client) {
         return new BearerAccessToken(client, accessTokenLifetime);
     }
@@ -494,18 +506,26 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider,
Cl
         this.useJwtFormatForAccessTokens = useJwtFormatForAccessTokens;
     }
 
-    public OAuthJoseJwtProducer getJwtAccessTokenHandler() {
-        return jwtAccessTokenHandler;
+    public OAuthJoseJwtProducer getJwtAccessTokenProducer() {
+        return jwtAccessTokenProducer;
     }
 
-    public void setJwtAccessTokenHandler(OAuthJoseJwtProducer jwtAccessTokenHandler) {
-        this.jwtAccessTokenHandler = jwtAccessTokenHandler;
+    public void setJwtAccessTokenProducer(OAuthJoseJwtProducer jwtAccessTokenProducer) {
+        this.jwtAccessTokenProducer = jwtAccessTokenProducer;
     }
     
     protected String processJwtAccessToken(JwtClaims jwtCliams) {
         // It will JWS-sign (default) and/or JWE-encrypt
         OAuthJoseJwtProducer processor = 
-            getJwtAccessTokenHandler() == null ? new OAuthJoseJwtProducer() : getJwtAccessTokenHandler();

+            getJwtAccessTokenProducer() == null ? new OAuthJoseJwtProducer() : getJwtAccessTokenProducer();

         return processor.processJwt(new JwtToken(jwtCliams));
     }
+
+    public Map<String, String> getJwtAccessTokenClaimMap() {
+        return jwtAccessTokenClaimMap;
+    }
+
+    public void setJwtAccessTokenClaimMap(Map<String, String> jwtAccessTokenClaimMap)
{
+        this.jwtAccessTokenClaimMap = jwtAccessTokenClaimMap;
+    }
 }
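Review bot: The new `getJwtAccessTokenClaimMap`/`setJwtAccessTokenClaimMap` pair carries no documentation of what the map holds, and the getter hands out the live reference that `createJwtAccessToken` reads, so the mapping can be altered after configuration. A Javadoc on the setter along the lines of `Maps access token property names ("client_id", "username") to the JWT claim names they are written to; properties without an entry keep their default claim name; the JWT consumer side must be configured with the same mapping` would make the contract explicit. If sharing the live map is not intended, the setter can store an unmodifiable copy (`Collections.unmodifiableMap(new HashMap<String, String>(jwtAccessTokenClaimMap))` when the argument is non-null), which would need those two java.util types imported if they are not already.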

http://git-wip-us.apache.org/repos/asf/cxf/blob/2b24f898/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEHCacheOAuthDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEHCacheOAuthDataProvider.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEHCacheOAuthDataProvider.java
index bb055a1..0db66e9 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEHCacheOAuthDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEHCacheOAuthDataProvider.java
@@ -42,7 +42,7 @@ import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
 import org.apache.cxf.rs.security.oauth2.common.UserSubject;
 import org.apache.cxf.rs.security.oauth2.tokens.refresh.RefreshToken;
 import org.apache.cxf.rs.security.oauth2.utils.EHCacheUtil;
-import org.apache.cxf.rs.security.oauth2.utils.JwtAccessTokenUtils;
+import org.apache.cxf.rs.security.oauth2.utils.JwtTokenUtils;
 
 public class DefaultEHCacheOAuthDataProvider extends AbstractOAuthDataProvider {
     public static final String CLIENT_CACHE_KEY = "cxf.oauth2.client.cache";
@@ -133,7 +133,8 @@ public class DefaultEHCacheOAuthDataProvider extends AbstractOAuthDataProvider
{
             String jose = getCacheValue(accessTokenCache, accessToken, String.class);
             if (jose != null) {
                 JoseJwtConsumer theConsumer = jwtTokenConsumer == null ? new JoseJwtConsumer()
: jwtTokenConsumer;
-                at = JwtAccessTokenUtils.createAccessTokenFromJwt(theConsumer, jose, this);
+                at = JwtTokenUtils.createAccessTokenFromJwt(theConsumer, jose, this, 
+                                                                  super.getJwtAccessTokenClaimMap());
             }
         } else {
             at = getCacheValue(accessTokenCache, accessToken, ServerAccessToken.class);
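Review bot: `super.getJwtAccessTokenClaimMap()` on the new line bypasses dynamic dispatch, so a subclass of this provider that overrides the getter to supply its mapping would not be honoured here; a plain `getJwtAccessTokenClaimMap()` call reaches the same base-class method and stays overridable. The same `super.` qualification appears in both JCacheOAuthDataProvider hunks. `super.` is only warranted when this class overrides a method of the same name, which neither provider does in the visible lines. The enclosing method starts before this hunk and continues after it.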

http://git-wip-us.apache.org/repos/asf/cxf/blob/2b24f898/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JCacheOAuthDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JCacheOAuthDataProvider.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JCacheOAuthDataProvider.java
index fa16612..9c73e26 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JCacheOAuthDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/JCacheOAuthDataProvider.java
@@ -38,7 +38,7 @@ import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
 import org.apache.cxf.rs.security.oauth2.common.UserSubject;
 import org.apache.cxf.rs.security.oauth2.tokens.refresh.RefreshToken;
-import org.apache.cxf.rs.security.oauth2.utils.JwtAccessTokenUtils;
+import org.apache.cxf.rs.security.oauth2.utils.JwtTokenUtils;
 
 import static org.apache.cxf.jaxrs.utils.ResourceUtils.getClasspathResourceURL;
 
@@ -199,7 +199,8 @@ public class JCacheOAuthDataProvider extends AbstractOAuthDataProvider
{
         ServerAccessToken token = null;
         if (jose != null) {
             JoseJwtConsumer theConsumer = jwtTokenConsumer == null ? new JoseJwtConsumer()
: jwtTokenConsumer;
-            token = JwtAccessTokenUtils.createAccessTokenFromJwt(theConsumer, jose, this);
+            token = JwtTokenUtils.createAccessTokenFromJwt(theConsumer, jose, this,
+                                                                 super.getJwtAccessTokenClaimMap());
             if (isExpired(token)) {
                 jwtAccessTokenCache.remove(key);
                 token = null;
@@ -239,7 +240,8 @@ public class JCacheOAuthDataProvider extends AbstractOAuthDataProvider
{
             String jose = entry.getValue();
 
             JoseJwtConsumer theConsumer = jwtTokenConsumer == null ? new JoseJwtConsumer()
: jwtTokenConsumer;
-            ServerAccessToken token = JwtAccessTokenUtils.createAccessTokenFromJwt(theConsumer,
jose, this);
+            ServerAccessToken token = JwtTokenUtils.createAccessTokenFromJwt(theConsumer,
jose, this,
+                                                                                   super.getJwtAccessTokenClaimMap());
           
             if (!isExpired(token)) {
                 toRemove.add(entry.getKey());

http://git-wip-us.apache.org/repos/asf/cxf/blob/2b24f898/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/JwtAccessTokenUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/JwtAccessTokenUtils.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/JwtAccessTokenUtils.java
deleted file mode 100644
index 92fdf6e..0000000
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/JwtAccessTokenUtils.java
+++ /dev/null
@@ -1,106 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.utils;
-
-import java.util.LinkedList;
-import java.util.List;
-import java.util.Map;
-
-import org.apache.cxf.common.util.StringUtils;
-import org.apache.cxf.helpers.CastUtils;
-import org.apache.cxf.rs.security.jose.jwt.JoseJwtConsumer;
-import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
-import org.apache.cxf.rs.security.jose.jwt.JwtConstants;
-import org.apache.cxf.rs.security.oauth2.common.Client;
-import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
-import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
-import org.apache.cxf.rs.security.oauth2.common.UserSubject;
-import org.apache.cxf.rs.security.oauth2.provider.ClientRegistrationProvider;
-import org.apache.cxf.rs.security.oauth2.tokens.bearer.BearerAccessToken;
-
-public final class JwtAccessTokenUtils {
-    private JwtAccessTokenUtils() {
-        
-    }
-    
-    public static ServerAccessToken createAccessTokenFromJwt(JoseJwtConsumer consumer, 
-                                                             String jose,
-                                                             ClientRegistrationProvider clientProvider)
{
-        JwtClaims claims = consumer.getJwtToken(jose).getClaims();
-       
-        Client c = clientProvider.getClient(claims.getStringProperty(OAuthConstants.CLIENT_ID));
-        long issuedAt = claims.getLongProperty(JwtConstants.CLAIM_ISSUED_AT);
-        long lifetime = claims.getLongProperty(JwtConstants.CLAIM_EXPIRY) - issuedAt;
-        BearerAccessToken at = new BearerAccessToken(c, jose, lifetime, issuedAt);
-       
-        List<String> audiences = claims.getAudiences();
-        if (audiences != null && !audiences.isEmpty()) {
-            at.setAudiences(claims.getAudiences());
-        }
-        
-        String issuer = claims.getStringProperty(JwtConstants.CLAIM_ISSUER);
-        if (issuer != null) {
-            at.setIssuer(issuer);
-        }
-        Object scope = claims.getClaim(OAuthConstants.SCOPE);
-        if (scope != null) {
-            String[] scopes = scope instanceof String 
-                ? scope.toString().split(" ") : CastUtils.cast((List<?>)scope).toArray(new
String[]{});
-            List<OAuthPermission> perms = new LinkedList<OAuthPermission>();
-            for (String s : scopes) {    
-                if (!StringUtils.isEmpty(s)) {
-                    perms.add(new OAuthPermission(s.trim()));
-                }
-            }
-            at.setScopes(perms);
-        }
-        String username = claims.getStringProperty("username");
-        String subject = claims.getSubject();
-        if (username != null) {
-            UserSubject userSubject = new UserSubject(username);
-            if (subject != null) {
-                userSubject.setId(subject);
-            }
-            at.setSubject(userSubject);
-        } else if (subject != null) {
-            at.setSubject(new UserSubject(subject));
-        }
-       
-        String grantType = claims.getStringProperty(OAuthConstants.GRANT_TYPE);
-        if (grantType != null) {
-            at.setGrantType(grantType);
-        }
-        String grantCode = claims.getStringProperty(OAuthConstants.AUTHORIZATION_CODE_GRANT);
-        if (grantCode != null) {
-            at.setGrantCode(grantCode);
-        }
-        String codeVerifier = claims.getStringProperty(OAuthConstants.AUTHORIZATION_CODE_VERIFIER);
-        if (codeVerifier != null) {
-            at.setClientCodeVerifier(codeVerifier);
-        }
-        
-        Map<String, String> extraProperties = CastUtils.cast((Map<?, ?>)claims.getClaim("extra_propertirs"));
-        if (extraProperties != null) {
-            at.getExtraProperties().putAll(extraProperties);
-        }
-       
-       
-        return at;
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/2b24f898/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/JwtTokenUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/JwtTokenUtils.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/JwtTokenUtils.java
new file mode 100644
index 0000000..fb5888e
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/JwtTokenUtils.java
@@ -0,0 +1,124 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.utils;
+
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Map;
+
+import org.apache.cxf.common.util.StringUtils;
+import org.apache.cxf.helpers.CastUtils;
+import org.apache.cxf.rs.security.jose.jwt.JoseJwtConsumer;
+import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
+import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
+import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
+import org.apache.cxf.rs.security.oauth2.common.UserSubject;
+import org.apache.cxf.rs.security.oauth2.provider.ClientRegistrationProvider;
+import org.apache.cxf.rs.security.oauth2.tokens.bearer.BearerAccessToken;
+
+public final class JwtTokenUtils {
+    private JwtTokenUtils() {
+        
+    }
+    
+    public static String getClaimName(String tokenProperty, 
+                                      String defaultName,
+                                      Map<String, String> claimsMap) {
+        String claimName = null;
+        if (claimsMap != null) {
+            claimName = claimsMap.get(tokenProperty);
+        }
+        return claimName == null ? defaultName : claimName;
+    }
+    
+    public static ServerAccessToken createAccessTokenFromJwt(JoseJwtConsumer consumer, 
+                                                             String jose,
+                                                             ClientRegistrationProvider clientProvider,
+                                                             Map<String, String> claimsMap)
{
+        JwtClaims claims = consumer.getJwtToken(jose).getClaims();
+       
+        // 'client_id' or 'cid', default client_id
+        String clientIdClaimName = 
+            JwtTokenUtils.getClaimName(OAuthConstants.CLIENT_ID, OAuthConstants.CLIENT_ID,
claimsMap);
+        String clientId = claims.getStringProperty(clientIdClaimName);
+        Client c = clientProvider.getClient(clientId);
+        
+        long issuedAt = claims.getIssuedAt();
+        long lifetime = claims.getExpiryTime() - issuedAt;
+        BearerAccessToken at = new BearerAccessToken(c, jose, lifetime, issuedAt);
+       
+        List<String> audiences = claims.getAudiences();
+        if (audiences != null && !audiences.isEmpty()) {
+            at.setAudiences(claims.getAudiences());
+        }
+        
+        String issuer = claims.getIssuer();
+        if (issuer != null) {
+            at.setIssuer(issuer);
+        }
+        Object scope = claims.getClaim(OAuthConstants.SCOPE);
+        if (scope != null) {
+            String[] scopes = scope instanceof String 
+                ? scope.toString().split(" ") : CastUtils.cast((List<?>)scope).toArray(new
String[]{});
+            List<OAuthPermission> perms = new LinkedList<OAuthPermission>();
+            for (String s : scopes) {    
+                if (!StringUtils.isEmpty(s)) {
+                    perms.add(new OAuthPermission(s.trim()));
+                }
+            }
+            at.setScopes(perms);
+        }
+        final String usernameProp = "username";
+        String usernameClaimName = 
+            JwtTokenUtils.getClaimName(usernameProp, usernameProp, claimsMap);
+        String username = claims.getStringProperty(usernameClaimName);
+        String subject = claims.getSubject();
+        if (username != null) {
+            UserSubject userSubject = new UserSubject(username);
+            if (subject != null) {
+                userSubject.setId(subject);
+            }
+            at.setSubject(userSubject);
+        } else if (subject != null) {
+            at.setSubject(new UserSubject(subject));
+        }
+       
+        String grantType = claims.getStringProperty(OAuthConstants.GRANT_TYPE);
+        if (grantType != null) {
+            at.setGrantType(grantType);
+        }
+        String grantCode = claims.getStringProperty(OAuthConstants.AUTHORIZATION_CODE_GRANT);
+        if (grantCode != null) {
+            at.setGrantCode(grantCode);
+        }
+        String codeVerifier = claims.getStringProperty(OAuthConstants.AUTHORIZATION_CODE_VERIFIER);
+        if (codeVerifier != null) {
+            at.setClientCodeVerifier(codeVerifier);
+        }
+        
+        Map<String, String> extraProperties = CastUtils.cast((Map<?, ?>)claims.getClaim("extra_propertirs"));
+        if (extraProperties != null) {
+            at.getExtraProperties().putAll(extraProperties);
+        }
+       
+       
+        return at;
+    }
+}
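Review bot: `long lifetime = claims.getExpiryTime() - issuedAt;` assumes every JWT access token carries `exp`, yet the producer in AbstractOAuthDataProvider only calls `setExpiryTime` when `at.getExpiresIn() > 0`, so a non-expiring token round-trips through this method either with an unboxing NullPointerException (if `getExpiryTime()` returns a boxed Long, as the JwtClaims accessors appear to) or with a meaningless lifetime. Deriving the lifetime only when the expiry is present, e.g. `Long expiry = claims.getExpiryTime(); long lifetime = expiry == null ? 0L : expiry - issuedAt;`, with the "no expiry" value matching whatever BearerAccessToken treats as non-expiring (not visible here), keeps the two sides consistent. `getClaimName` also deserves a one-line Javadoc stating that `claimsMap` maps token property names to claim names and that a null map or missing entry falls back to `defaultName`. Finally the claim name `"extra_propertirs"` is carried over verbatim from the deleted JwtAccessTokenUtils; if the producer writes the same spelling it is consistent today, but a shared constant would stop the two sides from diverging.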

http://git-wip-us.apache.org/repos/asf/cxf/blob/2b24f898/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/filters/OAuth2JwtFiltersTest.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/filters/OAuth2JwtFiltersTest.java
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/filters/OAuth2JwtFiltersTest.java
index 0b5e53e..2f7f9ee 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/filters/OAuth2JwtFiltersTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/filters/OAuth2JwtFiltersTest.java
@@ -107,7 +107,7 @@ public class OAuth2JwtFiltersTest extends AbstractBusClientServerTestBase
{
         client.header("Authorization", "Bearer " + accessToken.getTokenKey());
         
         Response response = client.post(new Book("book", 123L));
-        assertEquals(response.getStatus(), 200);
+        assertEquals(200, response.getStatus());
         
         Book returnedBook = response.readEntity(Book.class);
         assertEquals(returnedBook.getName(), "book");

