Repository: cxf Updated Branches: refs/heads/3.0.x-fixes 273351c1d -> d0b90bc40
[CXF-5607] Prototyping the code for supporting the script sending a jwt id token Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/d0b90bc4 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/d0b90bc4 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/d0b90bc4 Branch: refs/heads/3.0.x-fixes Commit: d0b90bc4046687d127fd00ec71ab61ce62e0a6b2 Parents: 273351c Author: Sergey Beryozkin <sberyoz...@talend.com> Authored: Wed Jun 24 17:18:02 2015 +0100 Committer: Sergey Beryozkin <sberyoz...@talend.com> Committed: Wed Jun 24 17:19:04 2015 +0100
----------------------------------------------------------------------
.../oidc/rp/AbstractTokenValidator.java | 1 - .../rs/security/oidc/rp/IdTokenValidator.java | 21 +++++++---- .../oidc/rp/OidcRpAuthenticationService.java | 37 +++++++++++++++++--- .../cxf/rs/security/oidc/rp/UserInfoClient.java | 2 +- 4 files changed, 47 insertions(+), 14 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/d0b90bc4/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
index 74c0c00..6037c53 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
@@ -43,7 +43,6 @@ public abstract class AbstractTokenValidator {
 private ConcurrentHashMap<String, JsonWebKey> keyMap = new ConcurrentHashMap<String, JsonWebKey>();
 protected JwtToken getJwtToken(String wrappedJwtToken,
- String clientId,
 String idTokenKid,
 boolean jweOnly) {
 if (wrappedJwtToken == null) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/d0b90bc4/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenValidator.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenValidator.java
index 378cbe5..214a5b1 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenValidator.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenValidator.java
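Review bot: With `clientId` removed from the signature, getJwtToken can no longer compare the token's audience against the client id, so every caller must follow it with validateJwtClaims as IdTokenValidator.getIdJwtToken now does, and that contract is not written down anywhere. Add above the signature: `/** Parses the wrapped token; the audience is NOT checked against the client id here - callers must validate the claims. */`. The body of getJwtToken continues outside the hunk, so whether the dropped parameter previously had any effect there cannot be confirmed from the diff.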
@@ -28,20 +28,27 @@ public class IdTokenValidator extends AbstractTokenValidator {
 public IdToken getIdToken(ClientAccessToken at, String clientId) {
 JwtToken jwt = getIdJwtToken(at, clientId);
- return getIdTokenFromJwt(jwt, clientId);
+ return getIdTokenFromJwt(jwt);
 }
- public IdToken getIdTokenFromJwt(JwtToken jwt, String clientId) {
- //TODO: do the extra validation if needed
- return new IdToken(jwt.getClaims().asMap());
+ public IdToken getIdToken(String idJwtToken, String clientId) {
+ JwtToken jwt = getIdJwtToken(idJwtToken, clientId);
+ return getIdTokenFromJwt(jwt);
 }
 public JwtToken getIdJwtToken(ClientAccessToken at, String clientId) {
 String idJwtToken = at.getParameters().get(OidcUtils.ID_TOKEN);
- JwtToken jwt = getJwtToken(idJwtToken, clientId, null, false);
- validateJwtClaims(jwt.getClaims(), clientId, true);
+ JwtToken jwt = getIdJwtToken(idJwtToken, clientId);
 OidcUtils.validateAccessTokenHash(at, jwt, requireAtHash);
 return jwt;
 }
-
+ public JwtToken getIdJwtToken(String idJwtToken, String clientId) {
+ JwtToken jwt = getJwtToken(idJwtToken, null, false);
+ validateJwtClaims(jwt.getClaims(), clientId, true);
+ return jwt;
+ }
+ public IdToken getIdTokenFromJwt(JwtToken jwt) {
+ //TODO: do the extra validation if needed
+ return new IdToken(jwt.getClaims().asMap());
+ }
 public void setRequireAtHash(boolean requireAtHash) {
 this.requireAtHash = requireAtHash;
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/d0b90bc4/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationService.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationService.java
index 49388e0..3320f7f 100644
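Review bot: The new public overloads `getIdToken(String, String)` and `getIdJwtToken(String, String)` skip the at_hash check that the ClientAccessToken overload performs through OidcUtils.validateAccessTokenHash, so `requireAtHash` has no effect on a token supplied as a bare string; that should be stated in the Javadoc of both overloads, since this is the path OidcRpAuthenticationService uses for a script-posted token. The call `getJwtToken(idJwtToken, null, false)` also passes no kid and jweOnly=false, so a signed but unencrypted token is accepted on this path, which deserves a comment such as `// no kid available for a bare id token; JWS accepted (jweOnly=false), audience checked below`. The public method `getIdTokenFromJwt(JwtToken, String)` is removed rather than deprecated, which breaks existing callers on a fixes branch; keeping a delegating overload marked `@Deprecated` would avoid that. The TODO in getIdTokenFromJwt is carried over unchanged.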
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationService.java
@@ -20,28 +20,51 @@ package org.apache.cxf.rs.security.oidc.rp;
 import java.net.URI;
+import javax.ws.rs.Consumes;
 import javax.ws.rs.GET;
+import javax.ws.rs.POST;
 import javax.ws.rs.Path;
 import javax.ws.rs.core.Context;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.UriBuilder;
 import org.apache.cxf.jaxrs.ext.MessageContext;
+import org.apache.cxf.rs.security.oauth2.client.Consumer;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
 @Path("rp")
 public class OidcRpAuthenticationService {
 private OidcRpStateManager stateManager;
 private String defaultLocation;
-
+ private String tokenFormParameter = "idtoken";
+ @Context
+ private MessageContext mc;
+ private UserInfoClient userInfoClient;
+ private Consumer consumer;
+
+ public void setUserInfoClient(UserInfoClient userInfoClient) {
+ this.userInfoClient = userInfoClient;
+ }
+
+ @POST
+ @Path("complete")
+ @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
+ public Response completeScriptAuthentication(MultivaluedMap<String, String> map) {
+ String idTokenParamValue = map.getFirst(tokenFormParameter);
+ OidcClientTokenContextImpl ctx = new OidcClientTokenContextImpl();
+ ctx.setIdToken(userInfoClient.getIdToken(idTokenParamValue, consumer.getKey()));
+ return completeAuthentication(ctx);
+ }
+
 @GET
 @Path("complete")
- public Response completeAuthentication(@Context OidcClientTokenContext context,
- @Context MessageContext mc) {
+ public Response completeAuthentication(@Context OidcClientTokenContext oidcContext) {
 String key = OAuthUtils.generateRandomTokenKey();
- stateManager.setTokenContext(key, context);
+ stateManager.setTokenContext(key, oidcContext);
 URI redirectUri = null;
- String location = context.getState().getFirst("state");
+ String location = oidcContext.getState().getFirst("state");
 if (location == null) {
 String basePath = (String)mc.get("http.base.path");
 redirectUri =
UriBuilder.fromUri(basePath).path(defaultLocation).build();
@@ -59,4 +82,8 @@ public class OidcRpAuthenticationService {
 public void setStateManager(OidcRpStateManager stateManager) {
 this.stateManager = stateManager;
 }
+
+ public void setTokenFormParameter(String tokenFormParameter) {
+ this.tokenFormParameter = tokenFormParameter;
+ }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/d0b90bc4/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java
index b6cab0c..20cf640 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java
@@ -52,7 +52,7 @@ public class UserInfoClient extends IdTokenValidator {
 return profile;
 }
 public JwtToken getUserInfoJwt(String profileJwtToken, IdToken idToken) {
- return getJwtToken(profileJwtToken, idToken.getAudience(), (String)idToken.getProperty("kid"), encryptedOnly);
+ return getJwtToken(profileJwtToken, (String)idToken.getProperty("kid"), encryptedOnly);
 }
 public void validateUserInfo(UserInfo profile, IdToken idToken) {
 validateJwtClaims(profile, idToken.getAudience(), false);
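Review bot: completeScriptAuthentication dereferences `consumer`, but nothing in this commit assigns the newly added field (only setUserInfoClient and setTokenFormParameter are added), so `consumer.getKey()` will throw a NullPointerException unless wiring exists that the diff does not show; a `setConsumer` is needed. `map.getFirst(tokenFormParameter)` is null when the form omits the parameter and is passed straight to getIdToken, so the endpoint should reject that with a 400 instead of relying on the `wrappedJwtToken == null` branch inside getJwtToken. The posted id token is validated for signature and audience by getIdToken but is not tied to any state or nonce the RP issued when the flow started, and completeAuthentication then calls `oidcContext.getState().getFirst("state")` on a context on which only setIdToken was called — whether getState() is non-null by default is not visible here. Before this leaves the prototype stage the token's nonce claim should be matched against the value the RP stored for this browser session and the missing-state case handled explicitly. The body of completeAuthentication continues past the hunk.
```java
public Response completeScriptAuthentication(MultivaluedMap<String, String> map) {
    String idTokenParamValue = map.getFirst(tokenFormParameter);
    if (idTokenParamValue == null) {
        // missing form parameter: reject explicitly instead of passing null to the validator
        return Response.status(Response.Status.BAD_REQUEST).build();
    }
    OidcClientTokenContextImpl ctx = new OidcClientTokenContextImpl();
    // TODO(review): bind the posted token to the RP-issued state/nonce before completing
    ctx.setIdToken(userInfoClient.getIdToken(idTokenParamValue, consumer.getKey()));
    return completeAuthentication(ctx);
}

public void setConsumer(Consumer consumer) {
    this.consumer = consumer;
}
```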