Repository: cxf-fediz Updated Branches: refs/heads/master 6d7bc5f9e -> 789d3fc38
[FEDIZ-134] Getting the JWS provider code more flexible Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/789d3fc3 Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/789d3fc3 Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/789d3fc3 Branch: refs/heads/master Commit: 789d3fc3898d6fb4adf001f58066a5a7689214d6 Parents: 6d7bc5f Author: Sergey Beryozkin <[email protected]> Authored: Wed Nov 11 14:15:14 2015 +0000 Committer: Sergey Beryozkin <[email protected]> Committed: Wed Nov 11 14:15:14 2015 +0000 ---------------------------------------------------------------------- .../service/oidc/ClientRegistrationService.java | 5 ++- .../fediz/service/oidc/OAuthDataManager.java | 43 ++++++++++++++++---- .../main/webapp/WEB-INF/applicationContext.xml | 3 ++ 3 files changed, 43 insertions(+), 8 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/789d3fc3/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/ClientRegistrationService.java ----------------------------------------------------------------------
diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/ClientRegistrationService.java b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/ClientRegistrationService.java
index 070c5f7..cafe39a 100644
--- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/ClientRegistrationService.java
+++ b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/ClientRegistrationService.java
@@ -50,6 +50,7 @@ public class ClientRegistrationService {
 @Context
 private SecurityContext sc;
+
 @GET
 @Produces(MediaType.TEXT_HTML)
 @Path("/")
@@ -82,7 +83,9 @@ public class ClientRegistrationService {
 }
 protected String generateClientSecret() {
- return Base64UrlUtility.encode(CryptoUtils.generateSecureRandomBytes(15));
+ // TODO: may need to be 384/8 or 512/8 if not a default HS256 but HS384 or HS512
+ int keySizeOctets = manager.isSignIdTokenWithClientSecret() ? 32 : 16;
+ return Base64UrlUtility.encode(CryptoUtils.generateSecureRandomBytes(keySizeOctets));
 }
 private Consumers registerNewClient(Client newClient) {
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/789d3fc3/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java ----------------------------------------------------------------------
diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java
index c00197d..085ea54 100644
--- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java
+++ b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java
@@ -23,12 +23,16 @@ import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Properties;
 import java.util.concurrent.ConcurrentHashMap;
 import org.apache.cxf.fediz.core.FedizPrincipal;
 import org.apache.cxf.jaxrs.ext.MessageContext;
+import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
+import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
 import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactProducer;
-import org.apache.cxf.rs.security.jose.jws.NoneJwsSignatureProvider;
+import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
+import org.apache.cxf.rs.security.jose.jws.JwsUtils;
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
 import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
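Review bot: The secret size in `generateClientSecret` is fixed at 32 octets whenever `manager.isSignIdTokenWithClientSecret()` is true, but the algorithm that secret will key is resolved separately in `OAuthDataManager.getJwsSignatureProvider` from the signature-out properties (HS256 by default, HS384/HS512 if configured), so the two can disagree: HS384 and HS512 need keys of at least 48 and 64 octets, since RFC 7518 §3.2 requires an HMAC key no shorter than the digest output. The added TODO names exactly this gap; closing it means either having the manager expose the resolved `SignatureAlgorithm` so this method can size from it (HS256 → 32, HS384 → 48, HS512 → 64), or having `getJwsSignatureProvider` refuse a secret shorter than the algorithm's digest. Note also that secrets issued before this change were 15 octets (the removed line), so enabling the flag on an existing deployment turns those into sub-256-bit HS256 keys unless they are re-issued. The surrounding `registerNewClient` and the rest of the class are outside the hunk.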
@@ -57,7 +61,7 @@ public class OAuthDataManager extends AbstractCodeDataProvider {
 private Map<String, RefreshToken> refreshTokens = new ConcurrentHashMap<String, RefreshToken>();
 private Map<String, ServerAuthorizationCodeGrant> codeGrants = new ConcurrentHashMap<String, ServerAuthorizationCodeGrant>();
-
+ private boolean signIdTokenWithClientSecret;
 public OAuthDataManager() {
@@ -83,8 +87,7 @@ public class OAuthDataManager extends AbstractCodeDataProvider {
 if (principal instanceof FedizPrincipal) {
 grant.getSubject().getProperties().put("id_token",
- getJoseIdToken((FedizPrincipal)principal,
- grant.getClient().getClientId()));
+ getJoseIdToken((FedizPrincipal)principal, grant.getClient()));
 } else {
 throw new OAuthServiceException("Unsupported principal");
 }
@@ -96,12 +99,26 @@ public class OAuthDataManager extends AbstractCodeDataProvider {
 }
- protected String getJoseIdToken(FedizPrincipal principal, String clientId) {
+ protected String getJoseIdToken(FedizPrincipal principal, Client client) {
 IdToken jwtClaims = tokenConverter.convertToIdToken(principal.getLoginToken().getOwnerDocument(), principal.getName(),
- clientId);
+ client.getClientId());
 JwsJwtCompactProducer p = new JwsJwtCompactProducer(jwtClaims);
- return p.signWith(new NoneJwsSignatureProvider());
+ return p.signWith(getJwsSignatureProvider(client));
+ }
+
+ protected JwsSignatureProvider getJwsSignatureProvider(Client client) {
+ if (signIdTokenWithClientSecret && client.isConfidential() && client.getClientSecret() != null) {
+ Properties sigProps = JwsUtils.loadSignatureOutProperties(false);
+ // HS256, HS384, HS512
+ SignatureAlgorithm sigAlgo = JwsUtils.getSignatureAlgorithm(sigProps,
+ SignatureAlgorithm.HS256);
+ if (AlgorithmUtils.isHmacSign(sigAlgo.getJwaName())) {
+ return JwsUtils.getHmacSignatureProvider(client.getClientSecret(), sigAlgo);
+ }
+ }
+ return JwsUtils.loadSignatureProvider(true);
+ }
 @Override
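Review bot: `getJwsSignatureProvider` drops to `JwsUtils.loadSignatureProvider(true)` without any trace when the flag is on but the client is public, has no secret, or the configured out-signature algorithm is not an HMAC one, so an operator who enabled `signIdTokenWithClientSecret` cannot tell from the issued token why it had no effect; a debug-level log at the fall-through, or at least a comment such as `// no usable client secret or non-HMAC algorithm configured: use the configured provider instead`, would make that explicit. `JwsUtils.loadSignatureOutProperties(false)` looks like the non-required lookup and presumably returns null when no signature properties are configured — worth confirming that `JwsUtils.getSignatureAlgorithm(sigProps, SignatureAlgorithm.HS256)` tolerates a null `Properties` and actually yields the HS256 default in that case. Passing `client.getClientSecret()` straight to `getHmacSignatureProvider` also appears to assume the stored secret is base64url text as produced by `ClientRegistrationService.generateClientSecret`; a secret registered through another path would not necessarily satisfy that. The `@Override` method that follows, and the caller in the `@@ -83` hunk, are only partly visible here.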
@@ -176,4 +193,16 @@ public class OAuthDataManager extends AbstractCodeDataProvider {
 permissionMap.put(entry.getKey(), permission);
 }
 }
+
+ /**
+ * Enable the symmetric signature with the client secret.
+ * This property will be ignored if a client is public
+ */
+ public void setSignIdTokenWithClientSecret(boolean signIdTokenWithClientSecret) {
+ this.signIdTokenWithClientSecret = signIdTokenWithClientSecret;
+ }
+
+ public boolean isSignIdTokenWithClientSecret() {
+ return signIdTokenWithClientSecret;
+ }
 }
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/789d3fc3/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml ----------------------------------------------------------------------
diff --git a/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml b/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml
index 20044c0..7b5f660 100644
--- a/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml
+++ b/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml
@@ -90,6 +90,9 @@
 </map>
 </property>
 -->
+ <!--
+ <property name="signIdTokenWithClientSecret" value="true"/>
+ -->
 </bean>
 </beans>
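Review bot: The Javadoc on `setSignIdTokenWithClientSecret` says the property is ignored only for public clients, but `getJwsSignatureProvider` also ignores it when the client has no secret and when the configured out-signature algorithm is not an HMAC one, silently using the provider from the signature properties in all three cases. The comment should state every condition and what is used instead, e.g. `Enable HMAC signing of the ID token with the client secret (HS256 unless the signature properties select HS384 or HS512). Ignored for public clients, for clients without a secret, and when the configured algorithm is not an HMAC one; the provider loaded from the signature properties is used instead.` A `@param signIdTokenWithClientSecret` tag is missing as well, and `isSignIdTokenWithClientSecret` — which `ClientRegistrationService.generateClientSecret` now reads to size new secrets — has no Javadoc at all.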
