From cohei...@apache.org
Subject [cxf] 03/03: Validate some claims for OIDC even if they are not required
Date Wed, 18 Sep 2019 13:01:18 GMT
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit 746b00b04cc87b5aedeb89d3e8cb6e256d011afa
Author: Colm O hEigeartaigh <coheigea@apache.org>
AuthorDate: Wed Sep 18 12:40:32 2019 +0100

    Validate some claims for OIDC even if they are not required
---
 .../apache/cxf/rs/security/oidc/rp/OidcClaimsValidator.java  | 12 ++++++------
 .../org/apache/cxf/rs/security/oidc/utils/OidcUtils.java     | 12 ++++++++++--
 2 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClaimsValidator.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClaimsValidator.java
index 6dfaf2b..3edf57e 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClaimsValidator.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClaimsValidator.java
@@ -100,12 +100,12 @@ public class OidcClaimsValidator extends OAuthJoseJwtConsumer {
             } catch (JwtException ex) {
                 throw new OAuthServiceException("Invalid issuedAt claim", ex);
             }
-            if (strictTimeValidation) {
-                try {
-                    JwtUtils.validateJwtNotBefore(claims, getClockOffset(), strictTimeValidation);
-                } catch (JwtException ex) {
-                    throw new OAuthServiceException("ID Token can not be used yet", ex);
-                }
+
+            // Validate nbf - but don't require it to be present
+            try {
+                JwtUtils.validateJwtNotBefore(claims, getClockOffset(), false);
+            } catch (JwtException ex) {
+                throw new OAuthServiceException("ID Token can not be used yet", ex);
             }
         }
     }
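Review bot: The new call passes a literal `false` as the third argument of `JwtUtils.validateJwtNotBefore`, where the removed code passed `strictTimeValidation`; if that parameter is the "claim required" flag (as its position and the old usage suggest — confirm against JwtUtils), then a consumer configured with strictTimeValidation=true no longer fails an ID Token that omits nbf, which is a silent weakening of strict mode rather than only the intended "validate when present" change. Keeping strict mode intact while still validating an optional nbf is a one-line change: `JwtUtils.validateJwtNotBefore(claims, getClockOffset(), strictTimeValidation);`, with the comment reworded to `// Validate nbf when present; only require it under strict time validation`. If dropping the requirement in strict mode is deliberate, the comment should say so explicitly so the next reader does not "fix" it back. The enclosing method begins outside this hunk.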
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
index 5a61379..d9bb20c 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
@@ -151,7 +151,11 @@ public final class OidcUtils {
         validateAccessTokenHash(at.getTokenKey(), jwt, required);
     }
     public static void validateAccessTokenHash(String accessToken, JwtToken jwt, boolean
required) {
-        if (required) {
+        String hashClaim = (String)jwt.getClaims().getClaim(IdToken.ACCESS_TOKEN_HASH_CLAIM);
+        if (hashClaim == null && required) {
+            throw new OAuthServiceException("Invalid hash");
+        }
+        if (hashClaim != null) {
             validateHash(accessToken,
                          (String)jwt.getClaims().getClaim(IdToken.ACCESS_TOKEN_HASH_CLAIM),
                          jwt.getJwsHeaders().getSignatureAlgorithm());
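Review bot: The at_hash claim is read and cast into `hashClaim` on the first added line, but the `validateHash` call two lines later re-reads and re-casts the same claim from `jwt.getClaims()` instead of passing the local; the second argument should simply be `hashClaim`. The same duplicated read appears in the validateCodeHash hunk below (the `c_hash` argument), which should likewise pass its `hashClaim`. Separately, both `(String)` casts operate on a claim taken from the presented token, so a non-string value would surface as a ClassCastException rather than the OAuthServiceException callers presumably handle — worth a `// NOTE: claim is token-supplied; a non-String value throws ClassCastException here` comment or an instanceof check, if the project's other claim accessors do not already guarantee a String. The method body continues past the end of this hunk.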
@@ -161,7 +165,11 @@ public final class OidcUtils {
         validateCodeHash(code, jwt, true);
     }
     public static void validateCodeHash(String code, JwtToken jwt, boolean required) {
-        if (required) {
+        String hashClaim = (String)jwt.getClaims().getClaim(IdToken.AUTH_CODE_HASH_CLAIM);
+        if (hashClaim == null && required) {
+            throw new OAuthServiceException("Invalid hash");
+        }
+        if (hashClaim != null) {
             validateHash(code,
                          (String)jwt.getClaims().getClaim(IdToken.AUTH_CODE_HASH_CLAIM),
                          jwt.getJwsHeaders().getSignatureAlgorithm());

