Repository: cxf-fediz Updated Branches: refs/heads/master 6068e648c -> d56d64742
Update the converter to use the original assertion's time properties if available Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/d56d6474 Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/d56d6474 Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/d56d6474 Branch: refs/heads/master Commit: d56d6474227d15fac434d510bd76a85f0a2e0452 Parents: 6068e64 Author: Sergey Beryozkin <sberyoz...@gmail.com> Authored: Tue Dec 15 17:21:42 2015 +0000 Committer: Sergey Beryozkin <sberyoz...@gmail.com> Committed: Tue Dec 15 17:21:42 2015 +0000 ---------------------------------------------------------------------- .../fediz/service/oidc/SamlTokenConverter.java | 93 +++++++++++++++----- 1 file changed, 69 insertions(+), 24 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d56d6474/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/SamlTokenConverter.java ----------------------------------------------------------------------
diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/SamlTokenConverter.java b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/SamlTokenConverter.java
index 4178017..2d0e31d 100644
--- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/SamlTokenConverter.java
+++ b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/SamlTokenConverter.java
@@ -27,6 +27,7 @@ import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
 import org.apache.cxf.rs.security.oidc.common.IdToken;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.joda.time.DateTime;
 import org.opensaml.saml.saml2.core.Assertion;
 import org.opensaml.saml.saml2.core.Issuer;
@@ -34,33 +35,69 @@ import org.opensaml.saml.saml2.core.Issuer; public class SamlTokenConverter { private String issuer; + private long defaultTimeToLive = 3600L; public IdToken convertToIdToken(Element samlToken, String subjectName, ClaimCollection claims, String clientId) { + // The current SAML Assertion represents an authentication record. + // It has to be translated into IdToken (JWT) so that it can be returned + // to client applications participating in various OIDC flows. + IdToken idToken = new IdToken(); + // Subject name is provided by FedizPrincipal which is initialized from the current SAML token idToken.setSubject(subjectName); + // SAML assertion audiences might be added if needed given that JWT can hold an array of audiences idToken.setAudience(clientId); - long currentTimeInSeconds = System.currentTimeMillis() / 1000L; - idToken.setIssuedAt(currentTimeInSeconds); - idToken.setExpiryTime(currentTimeInSeconds + 60000L); - - Assertion saml2Assertion = null; - // Set the authInstant - try { - SamlAssertionWrapper wrapper = new SamlAssertionWrapper(samlToken); - saml2Assertion = wrapper.getSaml2(); - if (saml2Assertion != null && !saml2Assertion.getAuthnStatements().isEmpty()) { - long authInstant = - saml2Assertion.getAuthnStatements().get(0).getAuthnInstant().getMillis(); - idToken.setAuthenticationTime(authInstant / 1000L); + Assertion saml2Assertion = getSaml2Assertion(samlToken); + if (saml2Assertion != null) { + // Issuer + Issuer assertionIssuer = saml2Assertion.getIssuer(); + if (assertionIssuer != null) { + idToken.setIssuer(assertionIssuer.getValue()); } - } catch (WSSecurityException ex) { - throw new OAuthServiceException("Error converting SAML token", ex); + // issueInstant + DateTime issueInstant = saml2Assertion.getIssueInstant(); + if (issueInstant != null) { + idToken.setIssuedAt(issueInstant.getMillis() / 1000); + } + + // expiryTime + if (saml2Assertion.getConditions() != null) { + DateTime expires = 
saml2Assertion.getConditions().getNotOnOrAfter(); + if (expires != null) { + idToken.setExpiryTime(expires.getMillis() / 1000); + } + } + + // authInstant + if (!saml2Assertion.getAuthnStatements().isEmpty()) { + DateTime authInstant = + saml2Assertion.getAuthnStatements().get(0).getAuthnInstant(); + idToken.setAuthenticationTime(authInstant.getMillis() / 1000L); + } + } + // Check if default issuer, issuedAt and expiryTime values have to be set + if (issuer != null) { + idToken.setIssuer(issuer); + } else if (saml2Assertion != null) { + Issuer assertionIssuer = saml2Assertion.getIssuer(); + if (assertionIssuer != null) { + idToken.setIssuer(assertionIssuer.getValue()); + } + } + + long currentTimeInSecs = System.currentTimeMillis() / 1000; + if (idToken.getIssuedAt() == null) { + idToken.setIssuedAt(currentTimeInSecs); + } + if (idToken.getExpiryTime() == null) { + idToken.setExpiryTime(currentTimeInSecs + defaultTimeToLive); } + // Map claims if (claims != null) { String firstName = null; @@ -93,21 +130,29 @@ public class SamlTokenConverter { } } - if (issuer != null) { - idToken.setIssuer(issuer); - } else if (saml2Assertion != null) { - Issuer assertionIssuer = saml2Assertion.getIssuer(); - if (assertionIssuer != null) { - idToken.setIssuer(assertionIssuer.getValue()); - } - } - return idToken; } + private Assertion getSaml2Assertion(Element samlToken) { + // Should a null assertion lead to the exception ? + try { + SamlAssertionWrapper wrapper = new SamlAssertionWrapper(samlToken); + return wrapper.getSaml2(); + } catch (WSSecurityException ex) { + throw new OAuthServiceException("Error converting SAML token", ex); + } + + } + + public void setIssuer(String issuer) { this.issuer = issuer; } + + public void setDefaultTimeToLive(long defaultTimeToLive) { + this.defaultTimeToLive = defaultTimeToLive; + } + }
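Review bot: The authInstant branch calls `authInstant.getMillis()` with no null check, while the neighbouring issueInstant and NotOnOrAfter branches both guard against null; if `getAuthnInstant()` can return null for an incomplete AuthnStatement, the converter fails with an NPE instead of the OAuthServiceException the rest of the path raises. Guard it the same way: `if (authInstant != null) { idToken.setAuthenticationTime(authInstant.getMillis() / 1000L); }`. The expiry is also copied verbatim from the assertion's NotOnOrAfter, so a long-lived assertion produces an equally long-lived ID token; consider clamping it with `defaultTimeToLive` once `currentTimeInSecs` is computed, e.g. `idToken.setExpiryTime(Math.min(idToken.getExpiryTime(), currentTimeInSecs + defaultTimeToLive));`. The `else if (saml2Assertion != null)` branch under "Check if default issuer" repeats the issuer assignment already made inside the `if (saml2Assertion != null)` block above and can be removed. convertToIdToken continues past the end of this hunk.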
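Review bot: getSaml2Assertion can return null from `wrapper.getSaml2()` (the caller still checks for it, as the removed code did), and the `// Should a null assertion lead to the exception ?` comment leaves the decision open; in that case convertToIdToken mints an ID token carrying only the subject, audience and default times, with no issuer at all when `issuer` is unset. Answer the question in code rather than in a comment: `Assertion assertion = wrapper.getSaml2();` then `if (assertion == null) { throw new OAuthServiceException("Error converting SAML token"); }` and `return assertion;`. setDefaultTimeToLive accepts zero or negative values, which would produce already-expired tokens; a `if (defaultTimeToLive <= 0) { throw new IllegalArgumentException("defaultTimeToLive must be positive"); }` guard is cheap. The stray blank line before getSaml2Assertion's closing brace can be dropped.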