From serg...@apache.org
Subject [2/2] cxf-fediz git commit: [FEDIZ-203] Fediz-level work based on Jan's contribution
Date Wed, 12 Jul 2017 14:43:27 GMT
[FEDIZ-203] Fediz-level work based on Jan's contribution


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/71591cfd
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/71591cfd
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/71591cfd

Branch: refs/heads/master
Commit: 71591cfd3fa44ddb69cfa8978dd21fd983d68fb9
Parents: cc76fc3
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Wed Jul 12 14:45:30 2017 +0100
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Wed Jul 12 15:43:09 2017 +0100

----------------------------------------------------------------------
 pom.xml                                         |  2 +-
 .../fediz/service/oidc/FedizSubjectCreator.java | 49 ++++++++++++++------
 2 files changed, 36 insertions(+), 15 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/71591cfd/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 399d327..4f3340f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -43,7 +43,7 @@
         <commons.logging.version>1.2</commons.logging.version>
         <commons.io.version>2.5</commons.io.version>
         <commons.validator.version>1.6</commons.validator.version>
-        <cxf.version>3.1.12</cxf.version>
+        <cxf.version>3.1.13-SNAPSHOT</cxf.version>
         <cxf.build-utils.version>3.2.0</cxf.build-utils.version>
         <dbcp.version>2.1.1</dbcp.version>
         <easymock.version>3.4</easymock.version>

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/71591cfd/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java
b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java
index ac35b70..c2ebc1a 100644
--- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java
+++ b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java
@@ -19,6 +19,7 @@
 package org.apache.cxf.fediz.service.oidc;
 
 import java.security.Principal;
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
@@ -38,8 +39,10 @@ import org.apache.cxf.fediz.core.FedizPrincipal;
 import org.apache.cxf.jaxrs.ext.MessageContext;
 import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
 import org.apache.cxf.rs.security.oauth2.provider.SubjectCreator;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 import org.apache.cxf.rs.security.oidc.common.IdToken;
 import org.apache.cxf.rs.security.oidc.idp.OidcUserSubject;
+import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
 import org.apache.cxf.rt.security.crypto.CryptoUtils;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
@@ -49,7 +52,7 @@ import org.opensaml.saml.saml2.core.Issuer;
 
 
 public class FedizSubjectCreator implements SubjectCreator {
-
+    private static final String ROLES_SCOPE = "roles";
     private String issuer;
     private long defaultTimeToLive = 3600L;
     private Map<String, String> supportedClaims = Collections.emptyMap();
@@ -81,7 +84,7 @@ public class FedizSubjectCreator implements SubjectCreator {
                                            oidcSub.getId(),
                                            fedizPrincipal.getClaims(),
                                            fedizPrincipal.getRoleClaims(),
-                                           params.getFirst("claims"));
+                                           params);
         oidcSub.setIdToken(idToken);
         // UserInfo can be populated and set on OidcUserSubject too.
         // UserInfoService will create it otherwise.
@@ -95,7 +98,7 @@ public class FedizSubjectCreator implements SubjectCreator {
             String subjectId,
             ClaimCollection claims,
             List<String> roles,
-            String requestedClaims) {
+            MultivaluedMap<String, String> params) {
         // The current SAML Assertion represents an authentication record.
         // It has to be translated into IdToken (JWT) so that it can be returned
         // to client applications participating in various OIDC flows.
@@ -154,10 +157,24 @@ public class FedizSubjectCreator implements SubjectCreator {
             idToken.setExpiryTime(currentTimeInSecs + defaultTimeToLive);
         }
 
+        List<String> requestedClaimsList = new ArrayList<String>();
+        //Derive claims from scope
+        String requestedScope = params.getFirst(OAuthConstants.SCOPE);
+        if (requestedScope != null && !requestedScope.isEmpty()) {
+            String[] scopes = requestedScope.split(" ");
+            //TODO: Note that if the consent screen enabled then it is feasible
+            // that the claims added in this code after mapping the scopes to claims
+            // may need to be removed if the user disapproves the related scope
+            
+            // standard scope to claims mapping:
+            requestedClaimsList.addAll(OidcUtils.getScopeClaims(scopes));
+            // custom scopes to claims mapping
+            requestedClaimsList.addAll(getCustomScopeClaims(scopes));
+        }
         // Additional claims requested
-        List<String> requestedClaimsList = Collections.emptyList();
-        if (requestedClaims != null && !supportedClaims.isEmpty()) {
-            requestedClaimsList = Arrays.asList(requestedClaims.trim().split(" "));
+        String requestedClaims = params.getFirst("claims");
+        if (requestedClaims != null && !requestedClaims.isEmpty()) {
+            requestedClaimsList.addAll(Arrays.asList(requestedClaims.trim().split(" ")));
         }
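Review bot: The scope value is split with `requestedScope.split(" ")` without trimming, unlike the claims parameter a few lines below which uses `requestedClaims.trim().split(" ")`, so leading, trailing or repeated spaces produce empty-string scope entries that are handed to OidcUtils.getScopeClaims and getCustomScopeClaims. Using the same form on both paths, `String[] scopes = requestedScope.trim().split(" +");`, keeps them consistent and drops the empty tokens. Both values are taken straight from the request parameters; the later supportedClaims.containsKey filter still bounds which custom claims can be released, but the standard scope-to-claims mapping is applied here without any check of the requested scope against what the client is registered or consented for, which I assume the OIDC authorization endpoint enforces upstream — the TODO in the hunk already notes the consent-screen case. The enclosing method continues outside the hunk.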
 
         // Map claims
@@ -176,14 +193,6 @@ public class FedizSubjectCreator implements SubjectCreator {
                     lastName = (String)c.getValue();
                 } else if (ClaimTypes.EMAILADDRESS.equals(c.getClaimType())) {
                     idToken.setEmail((String)c.getValue());
-                } else if (ClaimTypes.DATEOFBIRTH.equals(c.getClaimType())) {
-                    idToken.setBirthDate((String)c.getValue());
-                } else if (ClaimTypes.HOMEPHONE.equals(c.getClaimType())) {
-                    idToken.setPhoneNumber((String)c.getValue());
-                } else if (ClaimTypes.GENDER.equals(c.getClaimType())) {
-                    idToken.setGender((String)c.getValue());
-                } else if (ClaimTypes.WEB_PAGE.equals(c.getClaimType())) {
-                    idToken.setWebsite((String)c.getValue());
                 } else if (supportedClaims.containsKey(c.getClaimType().toString())
                     && requestedClaimsList.contains(supportedClaims.get(c.getClaimType().toString())))
{
                     idToken.setClaim(supportedClaims.get(c.getClaimType().toString()), (String)c.getValue());
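Review bot: `idToken.setEmail((String)c.getValue())` on the kept line remains unconditional, so the email claim is released regardless of whether the `email` scope or claim was requested, whereas the standard claims this hunk removes (birthdate, phone, gender, website) now reach the token only through the supportedClaims/requestedClaimsList branch. If the intent of the commit is that released claims follow the requested scope, the email branch should be gated the same way, e.g. `} else if (ClaimTypes.EMAILADDRESS.equals(c.getClaimType()) && requestedClaimsList.contains("email")) {` — this assumes `email` is the claim name OidcUtils.getScopeClaims yields for the email scope, which I cannot confirm from the hunk. The enclosing loop and method start and end outside the hunk.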
@@ -208,6 +217,18 @@ public class FedizSubjectCreator implements SubjectCreator {
     }
 
 
+    private List<String> getCustomScopeClaims(String[] scopes) {
+        // For now the only custom scope (to claims) mapping Fediz supports is
+        // roles where the scope name is expected to be 'roles' and the role name must be
configured
+        String roleClaimName = supportedClaims.get(FedizConstants.DEFAULT_ROLE_URI.toString());
+        if (roleClaimName != null && Arrays.asList(scopes).contains(ROLES_SCOPE))
{
+            return Collections.singletonList(roleClaimName);    
+        } else {
+            return Collections.emptyList();
+        }
+        
+    }
+
     private Assertion getSaml2Assertion(Element samlToken) {
         // Should a null assertion lead to the exception ?
         try {
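Review bot: getCustomScopeClaims has no Javadoc and carries trailing whitespace on the `return Collections.singletonList(roleClaimName);` line and on the blank line before its closing brace. A short Javadoc such as `/** Maps the custom 'roles' scope to the configured role claim name; returns an empty list when the scope is absent or no role claim is configured. */` would state the contract the inline comment describes, and the else branch can become a guard: `if (roleClaimName == null || !Arrays.asList(scopes).contains(ROLES_SCOPE)) { return Collections.emptyList(); } return Collections.singletonList(roleClaimName);`. The lookup relies on supportedClaims being keyed by `FedizConstants.DEFAULT_ROLE_URI.toString()`, which is only stated in this comment; it is worth recording on the supportedClaims field as well.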

