cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject cxf git commit: Adding DynReg and access token cert binding test
Date Thu, 27 Apr 2017 12:41:06 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.1.x-fixes c74fd3862 -> 1cfc45b66


Adding DynReg and access token cert binding test


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/1cfc45b6
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/1cfc45b6
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/1cfc45b6

Branch: refs/heads/3.1.x-fixes
Commit: 1cfc45b662e9b38af9ce6e3a2f6a96e3ca41c65a
Parents: c74fd38
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Thu Apr 27 13:33:36 2017 +0100
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Thu Apr 27 13:40:46 2017 +0100

----------------------------------------------------------------------
 .../cxf/jaxrs/json/basic/JsonMapObject.java     |  9 +++
 .../security/jose/jws/JwsCompactConsumer.java   |  1 +
 .../cxf/rs/security/oauth2/common/Client.java   |  9 +++
 .../DefaultEHCacheOAuthDataProvider.java        | 46 +----------
 .../services/DynamicRegistrationService.java    | 42 ++++++++--
 .../rs/security/oauth2/utils/EHCacheUtil.java   | 42 ++++++++++
 .../security/oauth2/utils/OAuthConstants.java   | 11 ++-
 .../security/oauth2/tls/JAXRSOAuth2TlsTest.java | 81 +++++++++++++++++++-
 .../oidc/OIDCDynamicRegistrationTest.java       | 47 ++++++++++++
 .../jaxrs/security/oauth2/tls/serverTls.xml     |  9 +++
 10 files changed, 245 insertions(+), 52 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/1cfc45b6/rt/rs/extensions/json-basic/src/main/java/org/apache/cxf/jaxrs/json/basic/JsonMapObject.java
----------------------------------------------------------------------
diff --git a/rt/rs/extensions/json-basic/src/main/java/org/apache/cxf/jaxrs/json/basic/JsonMapObject.java
b/rt/rs/extensions/json-basic/src/main/java/org/apache/cxf/jaxrs/json/basic/JsonMapObject.java
index 8c4fc85..484853d 100644
--- a/rt/rs/extensions/json-basic/src/main/java/org/apache/cxf/jaxrs/json/basic/JsonMapObject.java
+++ b/rt/rs/extensions/json-basic/src/main/java/org/apache/cxf/jaxrs/json/basic/JsonMapObject.java
@@ -58,6 +58,15 @@ public class JsonMapObject implements Serializable {
     public Object getProperty(String name) {
         return values.get(name);
     }
+    
+    public Map<String, Object> getMapProperty(String name) {
+        Object value = getProperty(name);
+        if (value != null) {
+            return CastUtils.cast((Map<?, ?>)value);
+        } else {
+            return null;
+        }
+    }
 
     public Map<String, Object> asMap() {
         return values;

http://git-wip-us.apache.org/repos/asf/cxf/blob/1cfc45b6/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java
index 485e022..0a0ffb2 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java
@@ -76,6 +76,7 @@ public class JwsCompactConsumer {
     }
     public String getDecodedJwsPayload() {
         if (decodedJwsPayload == null) {
+            getJwsHeaders();
             if (JwsUtils.isPayloadUnencoded(jwsHeaders)) {
                 decodedJwsPayload = jwsPayload;
             } else {

http://git-wip-us.apache.org/repos/asf/cxf/blob/1cfc45b6/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java
index a754f88..561a8ca 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java
@@ -65,6 +65,7 @@ public class Client implements Serializable {
     private long registeredAt;
     private String homeRealm;
     private boolean registeredDynamically;
+    private String tokenEndpointAuthMethod;
     
     public Client() {
 
@@ -402,4 +403,12 @@ public class Client implements Serializable {
     public void setApplicationLogoutUri(String applicationLogoutUri) {
         this.applicationLogoutUri = applicationLogoutUri;
     }
+
+    public String getTokenEndpointAuthMethod() {
+        return tokenEndpointAuthMethod;
+    }
+
+    public void setTokenEndpointAuthMethod(String tokenEndpointAuthMethod) {
+        this.tokenEndpointAuthMethod = tokenEndpointAuthMethod;
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/1cfc45b6/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEHCacheOAuthDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEHCacheOAuthDataProvider.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEHCacheOAuthDataProvider.java
index f406185..ebb53f8 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEHCacheOAuthDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEHCacheOAuthDataProvider.java
@@ -18,8 +18,6 @@
  */
 package org.apache.cxf.rs.security.oauth2.provider;
 
-import java.io.File;
-import java.net.URL;
 import java.util.ArrayList;
 import java.util.List;
 
@@ -28,14 +26,10 @@ import net.sf.ehcache.CacheManager;
 import net.sf.ehcache.Ehcache;
 import net.sf.ehcache.Element;
 import net.sf.ehcache.config.CacheConfiguration;
-import net.sf.ehcache.config.Configuration;
-import net.sf.ehcache.config.ConfigurationFactory;
-import net.sf.ehcache.config.DiskStoreConfiguration;
 
 import org.apache.cxf.Bus;
 import org.apache.cxf.BusFactory;
 import org.apache.cxf.helpers.CastUtils;
-import org.apache.cxf.jaxrs.utils.ResourceUtils;
 import org.apache.cxf.rs.security.jose.jwt.JoseJwtConsumer;
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
@@ -188,48 +182,16 @@ public class DefaultEHCacheOAuthDataProvider extends AbstractOAuthDataProvider
{
         cache.put(element);
     }
     
-    private static CacheManager createCacheManager(String configFile, Bus bus) {
-        if (bus == null) {
-            bus = BusFactory.getThreadDefaultBus(true);
-        }
-        
-        URL configFileURL = null;
-        try {
-            configFileURL = 
-                ResourceUtils.getClasspathResourceURL(configFile, DefaultEHCacheOAuthDataProvider.class,
bus);
-        } catch (Exception ex) {
-            // ignore
-        }
-        CacheManager cacheManager = null;
-        if (configFileURL == null) {
-            cacheManager = EHCacheUtil.createCacheManager();
-        } else {
-            Configuration conf = ConfigurationFactory.parseConfiguration(configFileURL);
-            
-            if (bus != null) {
-                conf.setName(bus.getId());
-                DiskStoreConfiguration dsc = conf.getDiskStoreConfiguration();
-                if (dsc != null && "java.io.tmpdir".equals(dsc.getOriginalPath()))
{
-                    String path = conf.getDiskStoreConfiguration().getPath() + File.separator
-                        + bus.getId();
-                    conf.getDiskStoreConfiguration().setPath(path);
-                }
-            }
-            
-            cacheManager = EHCacheUtil.createCacheManager(conf);
-        }
-        return cacheManager;
-    }
-    
-    protected static Ehcache createCache(CacheManager cacheManager, String cacheKey) { 
+
+    protected static Ehcache createCache(CacheManager cacheManager, String cacheKey) {
         CacheConfiguration clientCC = EHCacheUtil.getCacheConfiguration(cacheKey, cacheManager);
         return cacheManager.addCacheIfAbsent(new Cache(clientCC));
     }
     
     private void createCaches(String configFile, Bus bus, 
                               String clientCacheKey, String accessTokenKey, String refreshTokenKey)
{
-        cacheManager = createCacheManager(configFile, bus);
-        
+        cacheManager = EHCacheUtil.createCacheManager(configFile, bus);
+
         clientCache = createCache(cacheManager, clientCacheKey);
         accessTokenCache = createCache(cacheManager, accessTokenKey);
         refreshTokenCache = createCache(cacheManager, refreshTokenKey);

http://git-wip-us.apache.org/repos/asf/cxf/blob/1cfc45b6/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DynamicRegistrationService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DynamicRegistrationService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DynamicRegistrationService.java
index fab1886..c1d45d1 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DynamicRegistrationService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DynamicRegistrationService.java
@@ -180,7 +180,20 @@ public class DynamicRegistrationService {
         if (!c.getRegisteredAudiences().isEmpty()) {
             reg.setResourceUris(c.getRegisteredAudiences());
         }
-        //etc
+        if (c.getTokenEndpointAuthMethod() != null) {
+            reg.setTokenEndpointAuthMethod(c.getTokenEndpointAuthMethod());
+            if (OAuthConstants.TOKEN_ENDPOINT_AUTH_TLS.equals(c.getTokenEndpointAuthMethod()))
{
+                String subjectDn = c.getProperties().get(OAuthConstants.TLS_CLIENT_AUTH_SUBJECT_DN);
+                if (subjectDn != null) {
+                    reg.setProperty(OAuthConstants.TLS_CLIENT_AUTH_SUBJECT_DN, subjectDn);
+                }
+                String issuerDn = c.getProperties().get(OAuthConstants.TLS_CLIENT_AUTH_ISSUER_DN);
+                if (issuerDn != null) {
+                    reg.setProperty(OAuthConstants.TLS_CLIENT_AUTH_ISSUER_DN, issuerDn);
+                }
+            }
+        }
+        
         return reg;
     }
     
@@ -219,9 +232,13 @@ public class DynamicRegistrationService {
             grantTypes = Collections.singletonList("authorization_code");
         }
         
-        boolean passwordRequired = grantTypes.contains(OAuthConstants.AUTHORIZATION_CODE_GRANT)
-               || grantTypes.contains(OAuthConstants.RESOURCE_OWNER_GRANT)
-               || grantTypes.contains(OAuthConstants.CLIENT_CREDENTIALS_GRANT);
+        String tokenEndpointAuthMethod = request.getTokenEndpointAuthMethod();
+        //TODO: default is expected to be set to OAuthConstants.TOKEN_ENDPOINT_AUTH_BASIC
+        
+        boolean passwordRequired = !grantTypes.contains(OAuthConstants.IMPLICIT_GRANT)
+            && (tokenEndpointAuthMethod == null
+                || OAuthConstants.TOKEN_ENDPOINT_AUTH_BASIC.equals(tokenEndpointAuthMethod)
+                || OAuthConstants.TOKEN_ENDPOINT_AUTH_POST.equals(tokenEndpointAuthMethod));
 
         // Application Type
         // https://tools.ietf.org/html/rfc7591 has no this property but
@@ -231,7 +248,8 @@ public class DynamicRegistrationService {
             appType = DEFAULT_APPLICATION_TYPE;
         }
         boolean isConfidential = DEFAULT_APPLICATION_TYPE.equals(appType)
-            && !grantTypes.contains(OAuthConstants.IMPLICIT_GRANT);
+            && (passwordRequired
+                || OAuthConstants.TOKEN_ENDPOINT_AUTH_TLS.equals(tokenEndpointAuthMethod));
 
         // Client Secret
         String clientSecret = passwordRequired ? generateClientSecret(request) : null;
@@ -240,7 +258,19 @@ public class DynamicRegistrationService {
         Client newClient = new Client(clientId, clientSecret, isConfidential, clientName);
         
         newClient.setAllowedGrantTypes(grantTypes);
-        
+
+        newClient.setTokenEndpointAuthMethod(tokenEndpointAuthMethod);
+        if (OAuthConstants.TOKEN_ENDPOINT_AUTH_TLS.equals(tokenEndpointAuthMethod)) {
+            String subjectDn = (String)request.getProperty(OAuthConstants.TLS_CLIENT_AUTH_SUBJECT_DN);
+            if (subjectDn != null) {
+                newClient.getProperties().put(OAuthConstants.TLS_CLIENT_AUTH_SUBJECT_DN,
subjectDn);
+            }
+            String issuerDn = (String)request.getProperty(OAuthConstants.TLS_CLIENT_AUTH_ISSUER_DN);
+            if (issuerDn != null) {
+                newClient.getProperties().put(OAuthConstants.TLS_CLIENT_AUTH_ISSUER_DN, issuerDn);
+            }
+        }
+
         // Client Registration Time
         newClient.setRegisteredAt(System.currentTimeMillis() / 1000);
         

http://git-wip-us.apache.org/repos/asf/cxf/blob/1cfc45b6/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/EHCacheUtil.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/EHCacheUtil.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/EHCacheUtil.java
index adb160b..7555c6a 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/EHCacheUtil.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/EHCacheUtil.java
@@ -19,12 +19,21 @@
 
 package org.apache.cxf.rs.security.oauth2.utils;
 
+import java.io.File;
 import java.lang.reflect.Method;
+import java.net.URL;
 
 import net.sf.ehcache.CacheException;
 import net.sf.ehcache.CacheManager;
 import net.sf.ehcache.config.CacheConfiguration;
 import net.sf.ehcache.config.Configuration;
+import net.sf.ehcache.config.ConfigurationFactory;
+import net.sf.ehcache.config.DiskStoreConfiguration;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.jaxrs.utils.ResourceUtils;
+import org.apache.cxf.rs.security.oauth2.provider.DefaultEHCacheOAuthDataProvider;
 
 /**
  */
@@ -85,4 +94,37 @@ public final class EHCacheUtil {
             throw new CacheException(e);
         }
     }
+    
+    public static CacheManager createCacheManager(String configFile, Bus bus) {
+        if (bus == null) {
+            bus = BusFactory.getThreadDefaultBus(true);
+        }
+
+        URL configFileURL = null;
+        try {
+            configFileURL =
+                ResourceUtils.getClasspathResourceURL(configFile, DefaultEHCacheOAuthDataProvider.class,
bus);
+        } catch (Exception ex) {
+            // ignore
+        }
+        CacheManager cacheManager = null;
+        if (configFileURL == null) {
+            cacheManager = createCacheManager();
+        } else {
+            Configuration conf = ConfigurationFactory.parseConfiguration(configFileURL);
+
+            if (bus != null) {
+                conf.setName(bus.getId());
+                DiskStoreConfiguration dsc = conf.getDiskStoreConfiguration();
+                if (dsc != null && "java.io.tmpdir".equals(dsc.getOriginalPath()))
{
+                    String path = conf.getDiskStoreConfiguration().getPath() + File.separator
+                        + bus.getId();
+                    conf.getDiskStoreConfiguration().setPath(path);
+                }
+            }
+
+            cacheManager = EHCacheUtil.createCacheManager(conf);
+        }
+        return cacheManager;
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/1cfc45b6/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java
index c07e585..7444dc8 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java
@@ -129,6 +129,15 @@ public final class OAuthConstants {
     public static final String TOKEN_ID = "token";
     public static final String TOKEN_TYPE_HINT = "token_type_hint";
     public static final String UNSUPPORTED_TOKEN_TYPE = "unsupported_token_type";
+
+    // Token Service Authentication Methods
+    public static final String TOKEN_ENDPOINT_AUTH_NONE = "none";
+    public static final String TOKEN_ENDPOINT_AUTH_BASIC = "client_secret_basic";
+    public static final String TOKEN_ENDPOINT_AUTH_POST = "client_secret_post";
+    public static final String TOKEN_ENDPOINT_AUTH_TLS = "tls_client_auth";
+    // TLS Authentication Binding Properties
+    public static final String TLS_CLIENT_AUTH_SUBJECT_DN = "tls_client_auth_subject_dn";
+    public static final String TLS_CLIENT_AUTH_ISSUER_DN = "tls_client_auth_issuer_dn";
     
     // Authorization scheme constants, used internally by AccessTokenValidation client and
service
     public static final String AUTHORIZATION_SCHEME_TYPE = "authScheme";
@@ -143,8 +152,6 @@ public final class OAuthConstants {
     public static final String CLIENT_SECRET_CONTENT_ENCRYPTION_ALGORITHM = 
         "client.secret.content.encryption.algorithm";
 
-    public static final String TLS_CLIENT_AUTH_SUBJECT_DN = "tls_client_auth_subject_dn";
-    public static final String TLS_CLIENT_AUTH_ISSUER_DN = "tls_client_auth_issuer_dn";
     private OAuthConstants() {
     }
     

http://git-wip-us.apache.org/repos/asf/cxf/blob/1cfc45b6/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/tls/JAXRSOAuth2TlsTest.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/tls/JAXRSOAuth2TlsTest.java
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/tls/JAXRSOAuth2TlsTest.java
index 2614dea..ca85869 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/tls/JAXRSOAuth2TlsTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/tls/JAXRSOAuth2TlsTest.java
@@ -20,20 +20,33 @@
 package org.apache.cxf.systest.jaxrs.security.oauth2.tls;
 
 import java.net.URL;
+import java.util.Collections;
+import java.util.Map;
 
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.MultivaluedMap;
 
+import net.sf.ehcache.CacheManager;
+
 import org.apache.cxf.Bus;
 import org.apache.cxf.bus.spring.SpringBusFactory;
 import org.apache.cxf.jaxrs.client.JAXRSClientFactoryBean;
 import org.apache.cxf.jaxrs.client.WebClient;
 import org.apache.cxf.jaxrs.impl.MetadataMap;
+import org.apache.cxf.jaxrs.provider.json.JsonMapObjectProvider;
+import org.apache.cxf.rs.security.jose.common.JoseConstants;
+import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
+import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
+import org.apache.cxf.rs.security.jose.jwt.JwtConstants;
+import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
 import org.apache.cxf.rs.security.oauth2.client.Consumer;
 import org.apache.cxf.rs.security.oauth2.client.OAuthClientUtils;
 import org.apache.cxf.rs.security.oauth2.common.AccessTokenGrant;
 import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
 import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
+import org.apache.cxf.rs.security.oauth2.services.ClientRegistration;
+import org.apache.cxf.rs.security.oauth2.services.ClientRegistrationResponse;
+import org.apache.cxf.rs.security.oauth2.utils.EHCacheUtil;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 import org.apache.cxf.systest.jaxrs.security.Book;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
@@ -46,6 +59,10 @@ public class JAXRSOAuth2TlsTest extends AbstractBusClientServerTestBase
{
     
     @BeforeClass
     public static void startServers() throws Exception {
+        CacheManager manager = EHCacheUtil.createCacheManager("cxf-oauth2-ehcache.xml", null);
+        if (manager != null) {
+            manager.clearAll();
+        }
         assertTrue("server did not launch correctly",
                    launchServer(BookServerOAuth2Tls.class, true));
     }
@@ -91,17 +108,50 @@ public class JAXRSOAuth2TlsTest extends AbstractBusClientServerTestBase
{
         ClientAccessToken at = OAuthClientUtils.getAccessToken(wc, new Consumer("bound"),

                                                                new CustomGrant());
         assertNotNull(at.getTokenKey());
-        
     }
     
     @Test
     public void testTwoWayTLSClientIdBoundJwt() throws Exception {
+        doTestTwoWayTLSClientIdBoundJwt("boundJwt");
+    }
+    
+    @Test
+    public void testRegisterClientTwoWayTLSClientIdBoundDynReg() throws Exception {
+        String dynRegAddress = "https://localhost:" + PORT + "/oauth2Jwt/register";
+        WebClient wcDynReg = createDynRegWebClient(dynRegAddress);
+        
+        wcDynReg.accept("application/json").type("application/json");
+        ClientRegistration reg = newClientRegistration(); 
+        wcDynReg.authorization(new ClientAccessToken("Bearer", "123456789"));
+        ClientRegistrationResponse resp = wcDynReg.post(reg, ClientRegistrationResponse.class);
+                
+        doTestTwoWayTLSClientIdBoundJwt(resp.getClientId());
+
+        // delete the client
+        String regAccessToken = resp.getRegistrationAccessToken();
+        assertNotNull(regAccessToken);
+        wcDynReg.path(resp.getClientId());
+        
+
+        wcDynReg.authorization(new ClientAccessToken("Bearer", regAccessToken));
+
+        assertEquals(200, wcDynReg.delete().getStatus());
+        assertNotNull(regAccessToken);
+    }
+
+    private void doTestTwoWayTLSClientIdBoundJwt(String clientId) throws Exception {
         String atServiceAddress = "https://localhost:" + PORT + "/oauth2Jwt/token";
         WebClient wc = createOAuth2WebClient(atServiceAddress);
 
-        ClientAccessToken at = OAuthClientUtils.getAccessToken(wc, new Consumer("boundJwt"),

+        ClientAccessToken at = OAuthClientUtils.getAccessToken(wc, new Consumer(clientId),

                                                                new CustomGrant());
         assertNotNull(at.getTokenKey());
+        JwsJwtCompactConsumer c = new JwsJwtCompactConsumer(at.getTokenKey());
+        JwtClaims claims = JwtUtils.jsonToClaims(c.getDecodedJwsPayload());
+        
+        Map<String, Object> cnfs = claims.getMapProperty(JwtConstants.CLAIM_CONFIRMATION);
+        assertNotNull(cnfs);
+        assertNotNull(cnfs.get(JoseConstants.HEADER_X509_THUMBPRINT_SHA256));
         
         String protectedRsAddress = "https://localhost:" + PORT + "/rsJwt/bookstore/books/123";
         WebClient wcRs = createRsWebClient(protectedRsAddress, at, "client.xml");
@@ -127,6 +177,19 @@ public class JAXRSOAuth2TlsTest extends AbstractBusClientServerTestBase
{
         assertEquals(401, wcRsDiffClientCert.get().getStatus());
     }
     
+    private ClientRegistration newClientRegistration() {
+        ClientRegistration reg = new ClientRegistration();
+        reg.setApplicationType("web");
+        reg.setScope("openid");
+        reg.setClientName("dynamic_client");
+        reg.setGrantTypes(Collections.singletonList("custom_grant"));
+        reg.setRedirectUris(Collections.singletonList("https://a/b/c"));
+        reg.setTokenEndpointAuthMethod(OAuthConstants.TOKEN_ENDPOINT_AUTH_TLS);
+        reg.setProperty(OAuthConstants.TLS_CLIENT_AUTH_SUBJECT_DN, 
+                        "CN=whateverhost.com,OU=Morpit,O=ApacheTest,L=Syracuse,C=US");
+        return reg;
+    }
+    
     @Test
     public void testTwoWayTLSClientUnbound() throws Exception {
         String address = "https://localhost:" + PORT + "/oauth2/token";
@@ -156,6 +219,20 @@ public class JAXRSOAuth2TlsTest extends AbstractBusClientServerTestBase
{
         wc.type(MediaType.APPLICATION_FORM_URLENCODED).accept(MediaType.APPLICATION_JSON);
         return wc;
     }
+    private WebClient createDynRegWebClient(String address) {
+        JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
+        bean.setAddress(address);
+        bean.setProvider(new JsonMapObjectProvider());
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = JAXRSOAuth2TlsTest.class.getResource("client.xml");
+        Bus springBus = bf.createBus(busFile.toString());
+        bean.setBus(springBus);
+
+        WebClient wc = bean.createWebClient();
+        wc.type(MediaType.APPLICATION_JSON).accept(MediaType.APPLICATION_JSON);
+        return wc;
+    }
     private WebClient createRsWebClient(String address, ClientAccessToken at, String clientContext)
{
         JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
         bean.setAddress(address);

http://git-wip-us.apache.org/repos/asf/cxf/blob/1cfc45b6/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/OIDCDynamicRegistrationTest.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/OIDCDynamicRegistrationTest.java
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/OIDCDynamicRegistrationTest.java
index 6c9bfe2..82e759d 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/OIDCDynamicRegistrationTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/OIDCDynamicRegistrationTest.java
@@ -29,6 +29,7 @@ import org.apache.cxf.jaxrs.provider.json.JsonMapObjectProvider;
 import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
 import org.apache.cxf.rs.security.oauth2.services.ClientRegistration;
 import org.apache.cxf.rs.security.oauth2.services.ClientRegistrationResponse;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
 
 import org.junit.BeforeClass;
@@ -90,6 +91,13 @@ public class OIDCDynamicRegistrationTest extends AbstractBusClientServerTestBase
         
         wc.authorization(new ClientAccessToken("Bearer", regAccessToken));
         ClientRegistration clientRegResp = wc.get(ClientRegistration.class);
+        testCommonRegProperties(clientRegResp);
+
+        assertNull(clientRegResp.getTokenEndpointAuthMethod());
+        
+        assertEquals(200, wc.delete().getStatus());
+    }
+    private void testCommonRegProperties(ClientRegistration clientRegResp) {
         assertNotNull(clientRegResp);
         assertEquals("web", clientRegResp.getApplicationType());
         assertEquals("dynamic_client", clientRegResp.getClientName());
@@ -100,7 +108,45 @@ public class OIDCDynamicRegistrationTest extends AbstractBusClientServerTestBase
                      clientRegResp.getRedirectUris());
         assertEquals(Collections.singletonList("https://rp/logout"),
                      clientRegResp.getListStringProperty("post_logout_redirect_uris"));
+    }
+
+    @org.junit.Test
+    public void testRegisterClientInitialAccessTokenCodeGrantTls() throws Exception {
+        URL busFile = OIDCDynamicRegistrationTest.class.getResource("client.xml");
+        String address = "https://localhost:" + PORT + "/services/dynamicWithAt/register";
+        WebClient wc = WebClient.create(address, Collections.singletonList(new JsonMapObjectProvider()),
+                         busFile.toString());
+
+        wc.accept("application/json").type("application/json");
+        ClientRegistration reg = newClientRegistration();
+        reg.setTokenEndpointAuthMethod(OAuthConstants.TOKEN_ENDPOINT_AUTH_TLS);
+        reg.setProperty(OAuthConstants.TLS_CLIENT_AUTH_SUBJECT_DN, 
+                        "CN=whateverhost.com,OU=Morpit,O=ApacheTest,L=Syracuse,C=US");
+        
+        ClientRegistrationResponse resp = null;
+        assertEquals(401, wc.post(reg).getStatus());
+        
+        wc.authorization(new ClientAccessToken("Bearer", "123456789"));
+        resp = wc.post(reg, ClientRegistrationResponse.class);
+        
+        assertNotNull(resp.getClientId());
+        assertNull(resp.getClientSecret());
+        assertEquals(address + "/" + resp.getClientId(),
+                     resp.getRegistrationClientUri());
+        String regAccessToken = resp.getRegistrationAccessToken();
+        assertNotNull(regAccessToken);
 
+        wc.reset();
+        wc.path(resp.getClientId());
+        assertEquals(401, wc.get().getStatus());
+
+        wc.authorization(new ClientAccessToken("Bearer", regAccessToken));
+        ClientRegistration clientRegResp = wc.get(ClientRegistration.class);
+        testCommonRegProperties(clientRegResp);
+        assertEquals(OAuthConstants.TOKEN_ENDPOINT_AUTH_TLS, clientRegResp.getTokenEndpointAuthMethod());
+        assertEquals("CN=whateverhost.com,OU=Morpit,O=ApacheTest,L=Syracuse,C=US", 
+                     clientRegResp.getProperty(OAuthConstants.TLS_CLIENT_AUTH_SUBJECT_DN));
+        
         assertEquals(200, wc.delete().getStatus());
     }
 
@@ -111,6 +157,7 @@ public class OIDCDynamicRegistrationTest extends AbstractBusClientServerTestBase
         reg.setClientName("dynamic_client");
         reg.setGrantTypes(Collections.singletonList("authorization_code"));
         reg.setRedirectUris(Collections.singletonList("https://a/b/c"));
+        
         reg.setProperty("post_logout_redirect_uris", 
                         Collections.singletonList("https://rp/logout"));
         return reg;

http://git-wip-us.apache.org/repos/asf/cxf/blob/1cfc45b6/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/tls/serverTls.xml
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/tls/serverTls.xml
b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/tls/serverTls.xml
index 1d3d2e5..9485580 100644
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/tls/serverTls.xml
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/tls/serverTls.xml
@@ -104,6 +104,11 @@ under the License.
        <property name="blockUnauthorizedRequests" value="false"/>
     </bean>
     
+    <bean id="dynRegServiceWithAt" class="org.apache.cxf.rs.security.oauth2.services.DynamicRegistrationService">
+      <property name="clientProvider" ref="dataProviderJwt"/>
+      <property name="initialAccessToken" value="123456789"/>
+    </bean>
+    
     <jaxrs:server id="tokenServer1" address="https://localhost:${testutil.ports.jaxrs-oauth2-tls}/oauth2">
         <jaxrs:serviceBeans>
             <ref bean="accessTokenService1"/>
@@ -116,7 +121,11 @@ under the License.
         <jaxrs:serviceBeans>
             <ref bean="accessTokenServiceJwt"/>
             <ref bean="tokenIntrospectionServiceJwt"/>
+            <ref bean="dynRegServiceWithAt"/>
         </jaxrs:serviceBeans>
+        <jaxrs:providers>
+           <bean class="org.apache.cxf.jaxrs.provider.json.JsonMapObjectProvider"/>
+        </jaxrs:providers>
         <jaxrs:properties>
             <entry key="rs.security.signature.properties" value="org/apache/cxf/systest/jaxrs/security/alice.rs.properties"/>
             <entry key="rs.security.signature.key.password.provider" value-ref="keyPasswordProvider"/>


Mime
View raw message