Repository: cxf-fediz Updated Branches: refs/heads/master d87c3c0ca -> 4d9c688e1
Moving OidcUserSubject creation to an earlier stage with a custom SubjectCreator Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/4d9c688e Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/4d9c688e Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/4d9c688e Branch: refs/heads/master Commit: 4d9c688e177d6aeae34ca8dbcf95e09a6a086596 Parents: d87c3c0 Author: Sergey Beryozkin <[email protected]> Authored: Mon Feb 8 13:55:13 2016 +0000 Committer: Sergey Beryozkin <[email protected]> Committed: Mon Feb 8 13:55:13 2016 +0000 ---------------------------------------------------------------------- .../fediz/service/oidc/FedizSubjectCreator.java | 66 ++++++++++++++++++++ .../fediz/service/oidc/OAuthDataManager.java | 59 ----------------- .../main/webapp/WEB-INF/applicationContext.xml | 2 + .../src/main/webapp/WEB-INF/data-manager.xml | 10 ++- 4 files changed, 75 insertions(+), 62 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4d9c688e/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java ---------------------------------------------------------------------- diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java new file mode 100644 index 0000000..f030f06 --- /dev/null +++ b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java 
@@ -0,0 +1,66 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.fediz.service.oidc;
+
+import java.security.Principal;
+
+import org.apache.cxf.fediz.core.FedizPrincipal;
+import org.apache.cxf.jaxrs.ext.MessageContext;
+import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rs.security.oauth2.common.UserSubject;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
+import org.apache.cxf.rs.security.oauth2.provider.SubjectCreator;
+import org.apache.cxf.rs.security.oidc.common.IdToken;
+import org.apache.cxf.rs.security.oidc.idp.OidcUserSubject;
+
+public class FedizSubjectCreator implements SubjectCreator {
+
+ private SamlTokenConverter tokenConverter = new SamlTokenConverter();
+
+
+ @Override
+ public UserSubject createUserSubject(MessageContext mc, Client client) throws OAuthServiceException {
+ Principal principal = mc.getSecurityContext().getUserPrincipal();
+
+ if (!(principal instanceof FedizPrincipal)) {
+ throw new OAuthServiceException("Unsupported Principal");
+ }
+ FedizPrincipal fedizPrincipal = (FedizPrincipal)principal;
+
+ // In the future FedizPrincipal will likely have JWT claims already prepared,
+ // with IdToken 
being initialized here from those claims + client id
+
+ IdToken idToken = tokenConverter.convertToIdToken(fedizPrincipal.getLoginToken(),
+ fedizPrincipal.getName(),
+ fedizPrincipal.getClaims(),
+ client.getClientId());
+
+ OidcUserSubject oidcSub = new OidcUserSubject();
+ oidcSub.setLogin(fedizPrincipal.getName());
+ oidcSub.setIdToken(idToken);
+ // UserInfo can be populated and set on OidcUserSubject too.
+
+ return oidcSub;
+ }
+
+ public void setTokenConverter(SamlTokenConverter tokenConverter) {
+ this.tokenConverter = tokenConverter;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4d9c688e/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java
index 3f9b955..c822223 100644
--- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java
+++ b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java
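Review bot: `mc.getSecurityContext()` is dereferenced without a null check on the first line of createUserSubject, so a request that reaches the endpoint with no security context established fails with a NullPointerException instead of the `OAuthServiceException("Unsupported Principal")` that the following `instanceof` guard raises for every other unauthenticated or foreign principal; `Principal principal = mc.getSecurityContext() == null ? null : mc.getSecurityContext().getUserPrincipal();` keeps a single failure mode that the OAuth error handling already understands. The implementation this replaces in OAuthDataManager wrapped the data provider's own subject (`new OidcUserSubject(subject)`), whereas this one only sets the login and the IdToken, so an id or roles that subject may have carried are not populated here — worth confirming that no downstream scope or role check on the issued tokens relied on them. The public class has no Javadoc; a header such as `/** SubjectCreator that builds an OidcUserSubject (login + IdToken) from the FedizPrincipal established by the Fediz authentication filter, using the configured SamlTokenConverter. */` would document the contract, and `setTokenConverter` could reject null with `this.tokenConverter = Objects.requireNonNull(tokenConverter, "tokenConverter");` since a missing converter otherwise surfaces only as an NPE at token-issuance time.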
@@ -18,70 +18,11 @@
 */
 package org.apache.cxf.fediz.service.oidc;
-import java.security.Principal;
-
-import org.apache.cxf.fediz.core.FedizPrincipal;
-import org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration;
-import org.apache.cxf.rs.security.oauth2.common.Client;
-import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
-import org.apache.cxf.rs.security.oauth2.common.UserSubject;
-import org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeRegistration;
 import org.apache.cxf.rs.security.oauth2.grants.code.DefaultEHCacheCodeDataProvider;
-import org.apache.cxf.rs.security.oauth2.grants.code.ServerAuthorizationCodeGrant;
-import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
-import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
-import org.apache.cxf.rs.security.oidc.common.IdToken;
-import org.apache.cxf.rs.security.oidc.idp.OidcUserSubject;
 public class OAuthDataManager extends DefaultEHCacheCodeDataProvider {
- private SamlTokenConverter tokenConverter = new SamlTokenConverter();
 public OAuthDataManager() {
 }
- @Override
- protected ServerAuthorizationCodeGrant doCreateCodeGrant(AuthorizationCodeRegistration reg)
- throws OAuthServiceException {
- ServerAuthorizationCodeGrant grant = super.doCreateCodeGrant(reg);
- OidcUserSubject oidcSub = createOidcSubject(grant.getClient(),
- grant.getSubject());
- grant.setSubject(oidcSub);
- return grant;
- }
-
- @Override
- protected ServerAccessToken doCreateAccessToken(AccessTokenRegistration reg)
- throws OAuthServiceException {
- ServerAccessToken token = super.doCreateAccessToken(reg);
- if (OAuthConstants.IMPLICIT_GRANT.equals(reg.getGrantType())) {
- OidcUserSubject oidcSub = createOidcSubject(token.getClient(),
- token.getSubject());
- token.setSubject(oidcSub);
- }
- return token;
- }
-
- protected OidcUserSubject createOidcSubject(Client client, UserSubject subject) {
- Principal principal = 
getMessageContext().getSecurityContext().getUserPrincipal();
-
- if (!(principal instanceof FedizPrincipal)) {
- throw new OAuthServiceException("Unsupported Principal");
- }
- FedizPrincipal fedizPrincipal = (FedizPrincipal)principal;
- IdToken idToken = tokenConverter.convertToIdToken(fedizPrincipal.getLoginToken(),
- fedizPrincipal.getName(),
- fedizPrincipal.getClaims(),
- client.getClientId());
-
- OidcUserSubject oidcSub = new OidcUserSubject(subject);
- oidcSub.setIdToken(idToken);
- // UserInfo can be populated and set on OidcUserSubject too.
-
-
- return oidcSub;
- }
-
- public void setTokenConverter(SamlTokenConverter tokenConverter) {
- this.tokenConverter = tokenConverter;
- }
 }
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4d9c688e/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml b/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml
index 8f9340f..4ff8856 100644
--- a/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml
+++ b/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml
@@ -42,6 +42,7 @@
 <bean id="oidcAuthorizationService" class="org.apache.cxf.rs.security.oidc.idp.OidcAuthorizationCodeService">
 <property name="dataProvider" ref="oauthProvider"/>
+ <property name="subjectCreator" ref="subjectCreator"/>
 <property name="skipAuthorizationWithOidcScope" value="true"/>
 <!-- <property name="useAllClientScopes" value="true"/> 
@@ -50,6 +51,7 @@
 </bean>
 <bean id="oidcImplicitService" class="org.apache.cxf.rs.security.oidc.idp.OidcImplicitService">
 <property name="dataProvider" ref="oauthProvider"/>
+ <property name="subjectCreator" ref="subjectCreator"/>
 <property name="skipAuthorizationWithOidcScope" value="true"/>
 <property name="responseFilter" ref="idTokenFilter"/>
 </bean>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4d9c688e/services/oidc/src/main/webapp/WEB-INF/data-manager.xml
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/webapp/WEB-INF/data-manager.xml b/services/oidc/src/main/webapp/WEB-INF/data-manager.xml
index d496731..d6e06af 100644
--- a/services/oidc/src/main/webapp/WEB-INF/data-manager.xml
+++ b/services/oidc/src/main/webapp/WEB-INF/data-manager.xml
@@ -29,9 +29,6 @@
 <bean id="applicationContextProvider" class="org.apache.cxf.fediz.service.oidc.ApplicationContextProvider"/>
- <bean id="samlTokenConverter" class="org.apache.cxf.fediz.service.oidc.SamlTokenConverter">
- <property name="issuer" value="accounts.fediz.com"/>
- </bean>
 <util:map id="supportedScopes">
 <entry key="openid" value="Access the authentication claims" />
 <entry key="refreshToken" value="Refresh access tokens" />
@@ -54,6 +51,13 @@
 <!-- <property name="accessTokenLifetime" value="3600"/> -->
+ </bean>
+
+ <bean id="samlTokenConverter" class="org.apache.cxf.fediz.service.oidc.SamlTokenConverter">
+ <property name="issuer" value="accounts.fediz.com"/>
+ </bean>
+
+ <bean id="subjectCreator" class="org.apache.cxf.fediz.service.oidc.FedizSubjectCreator">
 <property name="tokenConverter" ref="samlTokenConverter"/>
 </bean>
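Review bot: The `issuer` on the relocated samlTokenConverter bean in the second data-manager.xml hunk is still the literal `accounts.fediz.com`; relying parties validate the id_token `iss` claim against the provider address they were configured with, so a deployment whose public address differs will issue tokens that clients reject, and the literal gives no hint that it must be changed. A placeholder such as `<property name="issuer" value="${oidc.issuer}"/>` (constructed example) with a one-line comment naming where the value is expected to come from would make that deployment dependency explicit. The reuse of the context line `<property name="tokenConverter" ref="samlTokenConverter"/>` means the converter now hangs off the new subjectCreator bean while the oauthProvider bean is closed by the added `</bean>`, which matches the setter removed from OAuthDataManager — a short comment above the subjectCreator bean saying it is the `subjectCreator` referenced from applicationContext.xml would help the next reader connect the two files.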
