cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject cxf git commit: Recording the cert confirmation in the access token, with the validation work and tests to follow later on
Date Fri, 07 Apr 2017 16:13:07 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 664e761fc -> 2519863ca


Recording the cert confirmation in the access token, with the validation work and tests to
follow later on


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2519863c
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2519863c
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2519863c

Branch: refs/heads/master
Commit: 2519863ca4d11ca1b6f3ac74361f3eaba3918690
Parents: 664e761
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Fri Apr 7 17:12:53 2017 +0100
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Fri Apr 7 17:12:53 2017 +0100

----------------------------------------------------------------------
 .../apache/cxf/rs/security/jose/jwt/JwtConstants.java |  1 +
 .../grants/code/AuthorizationCodeGrantHandler.java    |  1 +
 .../oauth2/provider/AbstractOAuthDataProvider.java    | 14 ++++++++++++++
 .../cxf/rs/security/oauth2/utils/JwtTokenUtils.java   | 13 +++++++++++--
 4 files changed, 27 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/2519863c/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtConstants.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtConstants.java
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtConstants.java
index a9f3d7f..2f18217 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtConstants.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtConstants.java
@@ -28,6 +28,7 @@ public final class JwtConstants {
     public static final String CLAIM_NOT_BEFORE = "nbf";
     public static final String CLAIM_ISSUED_AT = "iat";
     public static final String CLAIM_JWT_ID = "jti";
+    public static final String CLAIM_CONFIRMATION = "cnf";
 
     public static final String JWT_TOKEN = "jwt.token";
     public static final String JWT_CLAIMS = "jwt.claims";

http://git-wip-us.apache.org/repos/asf/cxf/blob/2519863c/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
index 9dfd7a3..1fe42d1 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
@@ -146,6 +146,7 @@ public class AuthorizationCodeGrantHandler extends AbstractGrantHandler
{
         reg.setResponseType(grant.getResponseType());
         reg.setClientCodeVerifier(codeVerifier);
         reg.setGrantType(OAuthConstants.CODE_RESPONSE_TYPE);
+        reg.getExtraProperties().putAll(grant.getExtraProperties());
         return getDataProvider().createAccessToken(reg);
     }
 

http://git-wip-us.apache.org/repos/asf/cxf/blob/2519863c/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
index 4b0509f..22568cb 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
@@ -28,7 +28,9 @@ import java.util.Map;
 import javax.ws.rs.core.MultivaluedMap;
 
 import org.apache.cxf.jaxrs.ext.MessageContext;
+import org.apache.cxf.rs.security.jose.common.JoseConstants;
 import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
+import org.apache.cxf.rs.security.jose.jwt.JwtConstants;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
 import org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration;
 import org.apache.cxf.rs.security.oauth2.common.Client;
@@ -87,10 +89,22 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider,
Cl
         at.setGrantCode(atReg.getGrantCode());
         at.getExtraProperties().putAll(atReg.getExtraProperties());
 
+        String certCnf = null;
+        if (messageContext != null) {
+            certCnf = (String)messageContext.get(JoseConstants.HEADER_X509_THUMBPRINT_SHA256);
+        }
+        
         if (isUseJwtFormatForAccessTokens()) {
             JwtClaims claims = createJwtAccessToken(at);
+            // At a later stage we will likely introduce a dedicate Confirmation bean (as
it is used in POP etc) 
+            if (certCnf != null) {
+                claims.setClaim(JwtConstants.CLAIM_CONFIRMATION, 
+                            Collections.singletonMap(JoseConstants.HEADER_X509_THUMBPRINT_SHA256,
certCnf));
+            }
             String jose = processJwtAccessToken(claims);
             at.setTokenKey(jose);
+        } else if (certCnf != null) {
+            at.getExtraProperties().put(JoseConstants.HEADER_X509_THUMBPRINT_SHA256, certCnf);
         }
 
         return at;

http://git-wip-us.apache.org/repos/asf/cxf/blob/2519863c/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/JwtTokenUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/JwtTokenUtils.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/JwtTokenUtils.java
index 6afa739..8bfdf32 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/JwtTokenUtils.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/JwtTokenUtils.java
@@ -24,8 +24,10 @@ import java.util.Map;
 
 import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.helpers.CastUtils;
+import org.apache.cxf.rs.security.jose.common.JoseConstants;
 import org.apache.cxf.rs.security.jose.jwt.JoseJwtConsumer;
 import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
+import org.apache.cxf.rs.security.jose.jwt.JwtConstants;
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
 import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
@@ -116,12 +118,19 @@ public final class JwtTokenUtils {
         if (nonce != null) {
             at.setNonce(nonce);
         }
+        
         Map<String, String> extraProperties = CastUtils.cast((Map<?, ?>)claims.getClaim("extra_propertirs"));
         if (extraProperties != null) {
             at.getExtraProperties().putAll(extraProperties);
         }
-
-
+        
+        // At the moment only a string 'x5#S256' cnf property is recognized
+        Map<String, Object> cnf = CastUtils.cast((Map<?, ?>)claims.getClaim(JwtConstants.CLAIM_CONFIRMATION));
+        if (cnf != null && cnf.containsKey(JoseConstants.HEADER_X509_THUMBPRINT_SHA256))
{
+            String certCnf = cnf.get(JoseConstants.HEADER_X509_THUMBPRINT_SHA256).toString();
+            at.getExtraProperties().put(JoseConstants.HEADER_X509_THUMBPRINT_SHA256, certCnf);
   
+        }
+        
         return at;
     }
 }


Mime
View raw message