Repository: cxf Updated Branches: refs/heads/master a1710bdd7 -> 72653fd11
Not persisting nonces if pre-authorized tokens are supported Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/72653fd1 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/72653fd1 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/72653fd1 Branch: refs/heads/master Commit: 72653fd113c3bbe0dd543200d982792802be2ae7 Parents: a1710bd Author: Sergey Beryozkin <sberyoz...@gmail.com> Authored: Wed Jan 27 14:05:10 2016 +0000 Committer: Sergey Beryozkin <sberyoz...@gmail.com> Committed: Wed Jan 27 14:05:10 2016 +0000 ---------------------------------------------------------------------- .../grants/code/AbstractCodeDataProvider.java | 10 ++++-- .../code/DefaultEHCacheCodeDataProvider.java | 2 +- .../provider/AbstractOAuthDataProvider.java | 36 ++++++++++++-------- .../oidc/idp/IdTokenResponseFilter.java | 25 +++++++------- 4 files changed, 43 insertions(+), 30 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/72653fd1/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
index 12fd14e..b89c247 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
@@ -39,7 +39,7 @@ public abstract class AbstractCodeDataProvider extends AbstractOAuthDataProvider protected ServerAuthorizationCodeGrant doCreateCodeGrant(AuthorizationCodeRegistration reg) throws OAuthServiceException {
- return AbstractCodeDataProvider.initCodeGrant(reg, codeLifetime);
+ return AbstractCodeDataProvider.initCodeGrant(reg, codeLifetime, !isSupportPreauthorizedTokens());
 } public void setCodeLifetime(long codeLifetime) {
@@ -50,7 +50,9 @@ public abstract class AbstractCodeDataProvider extends AbstractOAuthDataProvider removeCodeGrant(grant.getCode()); } }
- public static ServerAuthorizationCodeGrant initCodeGrant(AuthorizationCodeRegistration reg, long lifetime) {
+ public static ServerAuthorizationCodeGrant initCodeGrant(AuthorizationCodeRegistration reg,
+ long lifetime,
+ boolean useNonce) {
 ServerAuthorizationCodeGrant grant = new ServerAuthorizationCodeGrant(reg.getClient(), lifetime); grant.setRedirectUri(reg.getRedirectUri()); grant.setSubject(reg.getSubject());
@@ -59,7 +61,9 @@ public abstract class AbstractCodeDataProvider extends AbstractOAuthDataProvider grant.setApprovedScopes(reg.getApprovedScope()); grant.setAudience(reg.getAudience()); grant.setClientCodeChallenge(reg.getClientCodeChallenge());
- grant.setNonce(reg.getNonce());
+ if (useNonce) {
+ grant.setNonce(reg.getNonce());
+ }
 return grant; } protected abstract void saveCodeGrant(ServerAuthorizationCodeGrant grant); http://git-wip-us.apache.org/repos/asf/cxf/blob/72653fd1/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEHCacheCodeDataProvider.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEHCacheCodeDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEHCacheCodeDataProvider.java
index 12edf9b..f43d69e 100644
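Review bot: The public static `initCodeGrant(AuthorizationCodeRegistration, long)` is replaced rather than overloaded in the second hunk, so any data provider outside this module that calls the two-argument form stops compiling, and the new `useNonce` parameter has no documentation. Keeping the old form as a delegating overload preserves source compatibility: `public static ServerAuthorizationCodeGrant initCodeGrant(AuthorizationCodeRegistration reg, long lifetime) {` / `return initCodeGrant(reg, lifetime, true);` / `}`. A Javadoc `@param useNonce` line should state that the registration's nonce is copied onto the grant only when the flag is true, and name the situation in which a caller passes false.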
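Review bot: When `useNonce` is false the nonce from the authorization request is never recorded on the code grant in the third hunk, so nothing downstream of the code exchange can place it in the ID token; a client that sent a nonce is required by OpenID Connect Core to check that the ID token carries the same value, so suppressing it here is likely to cause the very validation failure the commit is trying to avoid, for fresh tokens instead of reused ones. The same concern applies to the `doCreateAccessToken` hunk in AbstractOAuthDataProvider, which now drops the nonce from every newly created token whenever pre-authorized tokens are enabled. The problem its comment describes is specific to reusing an already persisted token, so the narrower fix is to keep `grant.setNonce(reg.getNonce());` unconditional and instead avoid propagating the stale nonce on the reuse path (for example clearing it in `getPreauthorizedToken`, or having the ID token take the nonce from the current request). The code-exchange path is not in this diff, so if the nonce is supplied to the ID token from somewhere else when pre-authorized tokens are on, a comment at this `if` should say where.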
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEHCacheCodeDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEHCacheCodeDataProvider.java
@@ -79,7 +79,7 @@ public class DefaultEHCacheCodeDataProvider extends DefaultEHCacheOAuthDataProvi protected ServerAuthorizationCodeGrant doCreateCodeGrant(AuthorizationCodeRegistration reg) throws OAuthServiceException {
- return AbstractCodeDataProvider.initCodeGrant(reg, codeLifetime);
+ return AbstractCodeDataProvider.initCodeGrant(reg, codeLifetime, !isSupportPreauthorizedTokens());
 } public List<ServerAuthorizationCodeGrant> getCodeGrants(Client c, UserSubject sub) { http://git-wip-us.apache.org/repos/asf/cxf/blob/72653fd1/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
index e27cf27..e508c7c 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
@@ -61,17 +61,22 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl return at; }
- protected ServerAccessToken doCreateAccessToken(AccessTokenRegistration accessToken) {
- ServerAccessToken at = createNewAccessToken(accessToken.getClient());
- at.setAudiences(accessToken.getAudiences());
- at.setGrantType(accessToken.getGrantType());
- List<String> theScopes = accessToken.getApprovedScope();
+ protected ServerAccessToken doCreateAccessToken(AccessTokenRegistration atReg) {
+ ServerAccessToken at = createNewAccessToken(atReg.getClient());
+ at.setAudiences(atReg.getAudiences());
+ at.setGrantType(atReg.getGrantType());
+ List<String> theScopes = atReg.getApprovedScope();
 List<OAuthPermission> thePermissions =
- convertScopeToPermissions(accessToken.getClient(), theScopes);
+ convertScopeToPermissions(atReg.getClient(), theScopes);
 at.setScopes(thePermissions);
- at.setSubject(accessToken.getSubject());
- at.setClientCodeVerifier(accessToken.getClientCodeVerifier());
- at.setNonce(accessToken.getNonce());
+ at.setSubject(atReg.getSubject());
+ at.setClientCodeVerifier(atReg.getClientCodeVerifier());
+ if (!isSupportPreauthorizedTokens()) {
+ // if the nonce is persisted and the same token is reused then in some cases
+ // (when ID token is returned) the old nonce will be copied to ID token which
+ // may cause the validation failure at the cliend side
+ at.setNonce(atReg.getNonce());
+ }
 return at; }
@@ -180,7 +185,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl List<String> requestedScopes, UserSubject sub, String grantType) throws OAuthServiceException {
- if (!supportPreauthorizedTokens) {
+ if (!isSupportPreauthorizedTokens()) {
 return null; }
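Review bot: The new comment above `at.setNonce(atReg.getNonce());` in the first hunk has a typo, `cliend side`, and does not say which check fails; `// may cause the nonce validation to fail at the client side` reads better. It also explains only the reuse case, while the condition skips the nonce for every token this method creates, so a sentence stating that this method cannot distinguish a first issue from a later reuse, and that the nonce is therefore left off whenever reuse is possible, would make the trade-off explicit for the next reader.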
@@ -196,6 +201,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl if (token != null && OAuthUtils.isExpired(token.getIssuedAt(), token.getExpiresIn())) { revokeToken(client, token.getTokenKey(), OAuthConstants.ACCESS_TOKEN);
+ token = null;
 } return token; }
@@ -343,12 +349,14 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl this.invisibleToClientScopes = invisibleToClientScopes; }
+ public boolean isSupportPreauthorizedTokens() {
+ return supportPreauthorizedTokens;
+ }
+
 public void setSupportPreauthorizedTokens(boolean supportPreauthorizedTokens) {
- // This property can be enabled by default as it is generally a good thing to check
- // if a token for a given client (+ user) pair exists but doing the queries on every
- // authorization request for all the client-user combinations might be not cheap,
- // hence this property is currently disabled by default
 this.supportPreauthorizedTokens = supportPreauthorizedTokens; }
+
+
 } http://git-wip-us.apache.org/repos/asf/cxf/blob/72653fd1/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
index 31b2666..ec3f364 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
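Review bot: The comment removed from `setSupportPreauthorizedTokens` in the second hunk was the only place that explained why the property is off by default (the existing-token lookup for each client and user pair runs on every authorization request and is not cheap), and the new `isSupportPreauthorizedTokens()` getter is added with no documentation, so that rationale is lost. Move it into Javadoc on the getter or the setter, for example `/** Whether an existing token for the same client and user is looked up before a new one is issued. Off by default: the lookup runs on every authorization request. */`. The two blank lines added just before the closing brace of the class are whitespace noise and can be dropped.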
@@ -63,19 +63,20 @@ public class IdTokenResponseFilter extends AbstractOAuthServerJoseJwtProducer im } } private void setAtHashAndNonce(IdToken idToken, ServerAccessToken st) {
- Properties props = JwsUtils.loadSignatureOutProperties(false);
- SignatureAlgorithm sigAlgo = null;
- if (super.isSignWithClientSecret()) {
- sigAlgo = OAuthUtils.getClientSecretSignatureAlgorithm(props);
- } else {
- sigAlgo = JwsUtils.getSignatureAlgorithm(props, SignatureAlgorithm.RS256);
- }
- if (sigAlgo != SignatureAlgorithm.NONE) {
- String atHash = OidcUtils.calculateAccessTokenHash(st.getTokenKey(), sigAlgo);
- idToken.setAccessTokenHash(atHash);
+ if (idToken.getAccessTokenHash() != null) {
+ Properties props = JwsUtils.loadSignatureOutProperties(false);
+ SignatureAlgorithm sigAlgo = null;
+ if (super.isSignWithClientSecret()) {
+ sigAlgo = OAuthUtils.getClientSecretSignatureAlgorithm(props);
+ } else {
+ sigAlgo = JwsUtils.getSignatureAlgorithm(props, SignatureAlgorithm.RS256);
+ }
+ if (sigAlgo != SignatureAlgorithm.NONE) {
+ String atHash = OidcUtils.calculateAccessTokenHash(st.getTokenKey(), sigAlgo);
+ idToken.setAccessTokenHash(atHash);
+ }
 }
-
- if (st.getNonce() != null) {
+ if (idToken.getNonce() == null && st.getNonce() != null) {
 idToken.setNonce(st.getNonce()); }
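Review bot: The new guard `if (idToken.getAccessTokenHash() != null)` computes and sets at_hash only when the ID token already carries one, which looks inverted next to the nonce branch below it that fills the nonce only when `idToken.getNonce() == null`; as written, an ID token built without an at_hash never receives one, and the client loses the check that ties the access token returned alongside it to this ID token. If the intent is "fill in when absent", the line should read `if (idToken.getAccessTokenHash() == null) {`; if a non-null placeholder is deliberately used as a marker that a hash is wanted, the method needs a comment naming the caller that sets it. The callers and the end of `setAtHashAndNonce` are outside this hunk, so the marker reading may be what is intended and should then be documented rather than changed.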