Repository: cxf Updated Branches: refs/heads/master 72653fd11 -> 45f3d5944
Reverting some nonce related changes for now
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/45f3d594
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/45f3d594
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/45f3d594
Branch: refs/heads/master
Commit: 45f3d59446327197a4fce267c51bdc7d8fafa03f
Parents: 72653fd
Author: Sergey Beryozkin <sberyoz...@gmail.com>
Authored: Wed Jan 27 15:48:13 2016 +0000
Committer: Sergey Beryozkin <sberyoz...@gmail.com>
Committed: Wed Jan 27 15:48:13 2016 +0000
----------------------------------------------------------------------
 .../oauth2/grants/code/AbstractCodeDataProvider.java | 9 +++------
 .../oauth2/grants/code/DefaultEHCacheCodeDataProvider.java | 2 +-
 .../security/oauth2/provider/AbstractOAuthDataProvider.java | 7 +------
 .../cxf/rs/security/oidc/idp/IdTokenResponseFilter.java | 2 +-
 4 files changed, 6 insertions(+), 14 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/45f3d594/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
index b89c247..c03ccf3 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
@@ -39,7 +39,7 @@ public abstract class AbstractCodeDataProvider extends AbstractOAuthDataProvider
 
     protected ServerAuthorizationCodeGrant doCreateCodeGrant(AuthorizationCodeRegistration reg)
         throws OAuthServiceException {
-        return AbstractCodeDataProvider.initCodeGrant(reg, codeLifetime, !isSupportPreauthorizedTokens());
+        return AbstractCodeDataProvider.initCodeGrant(reg, codeLifetime);
     }
 
     public void setCodeLifetime(long codeLifetime) {
@@ -51,8 +51,7 @@ public abstract class AbstractCodeDataProvider extends AbstractOAuthDataProvider
         }
     }
     public static ServerAuthorizationCodeGrant initCodeGrant(AuthorizationCodeRegistration reg,
-                                                             long lifetime,
-                                                             boolean useNonce) {
+                                                             long lifetime) {
         ServerAuthorizationCodeGrant grant = new ServerAuthorizationCodeGrant(reg.getClient(), lifetime);
         grant.setRedirectUri(reg.getRedirectUri());
         grant.setSubject(reg.getSubject());
@@ -61,9 +60,7 @@ public abstract class AbstractCodeDataProvider extends AbstractOAuthDataProvider
         grant.setApprovedScopes(reg.getApprovedScope());
         grant.setAudience(reg.getAudience());
         grant.setClientCodeChallenge(reg.getClientCodeChallenge());
-        if (useNonce) {
-            grant.setNonce(reg.getNonce());
-        }
+        grant.setNonce(reg.getNonce());
         return grant;
     }
     protected abstract void saveCodeGrant(ServerAuthorizationCodeGrant grant);
http://git-wip-us.apache.org/repos/asf/cxf/blob/45f3d594/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEHCacheCodeDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEHCacheCodeDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEHCacheCodeDataProvider.java
index f43d69e..12edf9b 100644
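Review bot: In the third hunk `initCodeGrant` now copies `reg.getNonce()` onto the grant unconditionally, but nothing in the file records why the `useNonce` switch was dropped or what the stored nonce is for — from the comment deleted in AbstractOAuthDataProvider it appears to be carried from the authorization request into the ID token issued when the code is redeemed. Since the commit calls this a revert "for now", I would give the public static factory a Javadoc stating that contract, e.g. `/** Builds a code grant from the registration; the request nonce is kept on the grant so the ID token issued on code exchange can reflect it. */`, plus a TODO naming the pre-authorized-token interaction the revert reopens. Removing the `boolean useNonce` parameter also changes the signature of a public static method, so if the three-argument form has shipped in a release, external data providers calling it will stop compiling; a deprecated three-argument overload delegating to the new one would avoid that.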
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEHCacheCodeDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEHCacheCodeDataProvider.java
@@ -79,7 +79,7 @@ public class DefaultEHCacheCodeDataProvider extends DefaultEHCacheOAuthDataProvi
 
     protected ServerAuthorizationCodeGrant doCreateCodeGrant(AuthorizationCodeRegistration reg)
         throws OAuthServiceException {
-        return AbstractCodeDataProvider.initCodeGrant(reg, codeLifetime, !isSupportPreauthorizedTokens());
+        return AbstractCodeDataProvider.initCodeGrant(reg, codeLifetime);
     }
 
     public List<ServerAuthorizationCodeGrant> getCodeGrants(Client c, UserSubject sub) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/45f3d594/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
index e508c7c..1673659 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
@@ -71,12 +71,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
         at.setScopes(thePermissions);
         at.setSubject(atReg.getSubject());
         at.setClientCodeVerifier(atReg.getClientCodeVerifier());
-        if (!isSupportPreauthorizedTokens()) {
-            // if the nonce is persisted and the same token is reused then in some cases
-            // (when ID token is returned) the old nonce will be copied to ID token which
-            // may cause the validation failure at the cliend side
-            at.setNonce(atReg.getNonce());
-        }
+        at.setNonce(atReg.getNonce());
         return at;
     }
 
http://git-wip-us.apache.org/repos/asf/cxf/blob/45f3d594/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
index ec3f364..509648a 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
@@ -63,7 +63,7 @@ public class IdTokenResponseFilter extends AbstractOAuthServerJoseJwtProducer im
         }
     }
     private void setAtHashAndNonce(IdToken idToken, ServerAccessToken st) {
-        if (idToken.getAccessTokenHash() != null) {
+        if (idToken.getAccessTokenHash() == null) {
             Properties props = JwsUtils.loadSignatureOutProperties(false);
             SignatureAlgorithm sigAlgo = null;
             if (super.isSignWithClientSecret()) {
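Review bot: The unconditional `at.setNonce(atReg.getNonce())` brings back exactly the situation the deleted comment warned about: when `isSupportPreauthorizedTokens()` is true and an existing access token is handed out again for a later authorization request, the nonce persisted with it belongs to the earlier request, so an ID token built from that token carries a stale nonce — the client's nonce check then fails, and a relying party that skips the check would accept a token that is not bound to its current request. Since the message says the revert is temporary, the known gap should stay visible in the code rather than only in history; I would keep a one-line note above the call, e.g. `// TODO: the nonce is per authorization request; a reused pre-authorized token carries a stale one`. The ID-token producer should arguably prefer the nonce of the current request over the one stored on the token, but that code is outside this hunk.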
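Review bot: The inverted guard makes `at_hash` be computed only when `idToken` has none yet, but the new line carries no comment, and a reader seeing `== null` followed by signature-property loading cannot tell whether an absent hash is the normal case or a fault; I would add `// at_hash depends on the signing algorithm resolved below; compute it only if the producer has not set it`. Per OpenID Connect Core the digest used for `at_hash` must match the ID token's `alg` (SHA-256 for RS256/ES256/HS256 and so on), and the claim is mandatory whenever the access token is returned together with the ID token from the authorization endpoint, so `sigAlgo` being left at `null` when `isSignWithClientSecret()` is false deserves an explicit check further down — the remainder of `setAtHashAndNonce`, including how `sigAlgo` is resolved and how the nonce is set, lies outside this hunk. `loadSignatureOutProperties(false)` presumably returns null when no signature properties are configured; if so, `props` needs a null check before it is read.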