Adding more OIDC tests
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/8b3243e8 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/8b3243e8 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/8b3243e8 Branch: refs/heads/master-jaxrs-2.1 Commit: 8b3243e8bc2fc1882e605948ffe9f9550d7a0ecf Parents: cd0e74b Author: Colm O hEigeartaigh <[email protected]> Authored: Tue May 3 14:49:01 2016 +0100 Committer: Colm O hEigeartaigh <[email protected]> Committed: Tue May 3 14:49:01 2016 +0100 ---------------------------------------------------------------------- .../security/oauth2/common/OAuth2TestUtils.java | 3 + .../jaxrs/security/oidc/OIDCFlowTest.java | 59 +++++ .../jaxrs/security/oidc/OIDCNegativeServer.java | 48 +++++ .../jaxrs/security/oidc/OIDCNegativeTest.java | 216 +++++++++++++++++++ .../security/oidc/oidc-negative-server.xml | 184 ++++++++++++++++ 5 files changed, 510 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/8b3243e8/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/OAuth2TestUtils.java ---------------------------------------------------------------------- diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/OAuth2TestUtils.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/OAuth2TestUtils.java index 9d21f8e..8c44a42 100644 --- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/OAuth2TestUtils.java +++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/OAuth2TestUtils.java 
@@ -246,6 +246,9 @@ public final class OAuth2TestUtils { } public static String getSubstring(String parentString, String substringName) { + if (!parentString.contains(substringName)) { + return null; + } String foundString = parentString.substring(parentString.indexOf(substringName + "=") + (substringName + "=").length()); int ampersandIndex = foundString.indexOf('&'); http://git-wip-us.apache.org/repos/asf/cxf/blob/8b3243e8/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/OIDCFlowTest.java ---------------------------------------------------------------------- diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/OIDCFlowTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/OIDCFlowTest.java index 168a5a1..2bccdc6 100644 --- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/OIDCFlowTest.java +++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/OIDCFlowTest.java 
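Review bot: The new guard in `getSubstring` tests `parentString.contains(substringName)`, but the lookup that follows searches for `substringName + "="`, so the two checks can disagree. When the name occurs without a trailing `=` (for example inside another parameter name or a value), `indexOf` returns -1 and the method returns an unrelated tail of the string instead of null. That weakens negative assertions such as the `assertNull(accessToken)` check this commit adds in OIDCFlowTest. A missing `Location` header would also surface as a NullPointerException here rather than a clear test failure. Consider `if (parentString == null || !parentString.contains(substringName + "=")) {`; the rest of the method body lies outside this hunk.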
@@ -371,6 +371,65 @@ public class OIDCFlowTest extends AbstractBusClientServerTestBase { } @org.junit.Test + public void testImplicitFlowNoAccessToken() throws Exception { + URL busFile = OIDCFlowTest.class.getResource("client.xml"); + + String address = "https://localhost:" + PORT + "/services/"; + WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "alice", "security", busFile.toString()); + // Save the Cookie for the second request... + WebClient.getConfig(client).getRequestContext().put( + org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); + + // Get Access Token + client.type("application/json").accept("application/json"); + client.query("client_id", "consumer-id"); + client.query("redirect_uri", "http://www.blah.apache.org"); + client.query("scope", "openid"); + client.query("response_type", "id_token"); + client.query("nonce", "123456789"); + client.path("authorize-implicit/"); + Response response = client.get(); + + OAuthAuthorizationData authzData = response.readEntity(OAuthAuthorizationData.class); + + // Now call "decision" to get the access token + client.path("decision"); + client.type("application/x-www-form-urlencoded"); + + Form form = new Form(); + form.param("session_authenticity_token", authzData.getAuthenticityToken()); + form.param("client_id", authzData.getClientId()); + form.param("redirect_uri", authzData.getRedirectUri()); + form.param("scope", authzData.getProposedScope()); + if (authzData.getResponseType() != null) { + form.param("response_type", authzData.getResponseType()); + } + if (authzData.getNonce() != null) { + form.param("nonce", authzData.getNonce()); + } + form.param("oauthDecision", "allow"); + + response = client.post(form); + + String location = response.getHeaderString("Location"); + + // Check Access Token - it should not be present + String accessToken = OAuth2TestUtils.getSubstring(location, "access_token"); + assertNull(accessToken); + + // Check IdToken + String idToken = 
OAuth2TestUtils.getSubstring(location, "id_token"); + assertNotNull(idToken); + validateIdToken(idToken, null); + + JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(idToken); + JwtToken jwt = jwtConsumer.getJwtToken(); + Assert.assertNull(jwt.getClaims().getClaim(IdToken.ACCESS_TOKEN_HASH_CLAIM)); + Assert.assertNotNull(jwt.getClaims().getClaim(IdToken.NONCE_CLAIM)); + } + + @org.junit.Test public void testHybridCodeIdToken() throws Exception { URL busFile = OIDCFlowTest.class.getResource("client.xml"); http://git-wip-us.apache.org/repos/asf/cxf/blob/8b3243e8/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/OIDCNegativeServer.java ---------------------------------------------------------------------- diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/OIDCNegativeServer.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/OIDCNegativeServer.java new file mode 100644 index 0000000..2504fd4 --- /dev/null +++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/OIDCNegativeServer.java 
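Review bot: `testImplicitFlowNoAccessToken` asserts only that the nonce claim is present, not that it equals the `123456789` value sent in the authorization request. `validateIdToken(idToken, null)` appears to skip any nonce comparison, though its body is not visible here. Because the nonce is what binds the ID token to this particular request, the test would still pass if the server echoed a different nonce. Consider adding `Assert.assertEquals("123456789", jwt.getClaims().getClaim(IdToken.NONCE_CLAIM));`, or passing the nonce to `validateIdToken` if its second argument is the expected nonce.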
@@ -0,0 +1,48 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.cxf.systest.jaxrs.security.oidc; + +import java.net.URL; + +import org.apache.cxf.Bus; +import org.apache.cxf.BusFactory; +import org.apache.cxf.bus.spring.SpringBusFactory; +import org.apache.cxf.testutil.common.AbstractBusTestServerBase; +import org.apache.cxf.testutil.common.TestUtil; + +public class OIDCNegativeServer extends AbstractBusTestServerBase { + public static final String PORT = TestUtil.getPortNumber("jaxrs-oidc"); + private static final URL SERVER_CONFIG_FILE = + OIDCNegativeServer.class.getResource("oidc-negative-server.xml"); + + protected void run() { + SpringBusFactory bf = new SpringBusFactory(); + Bus springBus = bf.createBus(SERVER_CONFIG_FILE); + BusFactory.setDefaultBus(springBus); + setBus(springBus); + + try { + new OIDCNegativeServer(); + } catch (Exception e) { + throw new RuntimeException(e); + } + } + +} http://git-wip-us.apache.org/repos/asf/cxf/blob/8b3243e8/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/OIDCNegativeTest.java ---------------------------------------------------------------------- 
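Review bot: `OIDCNegativeServer.PORT` is allocated under the key `jaxrs-oidc`, while `OIDCNegativeTest.PORT` and every `${testutil.ports.jaxrs-negative-oidc}` placeholder in oidc-negative-server.xml use `jaxrs-negative-oidc`. The constant is not read anywhere in the visible code, so the tests still reach the right port, but it is public and anyone who reuses it would address a port this server does not listen on. Suggest `public static final String PORT = TestUtil.getPortNumber("jaxrs-negative-oidc");` or dropping the field. As a style point, `run()` could carry `@Override`.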
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/OIDCNegativeTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/OIDCNegativeTest.java new file mode 100644 index 0000000..5538344 --- /dev/null +++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oidc/OIDCNegativeTest.java 
@@ -0,0 +1,216 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.systest.jaxrs.security.oidc; + +import java.net.URL; +import java.util.Collections; +import java.util.Date; + +import javax.ws.rs.client.ResponseProcessingException; +import javax.ws.rs.core.Form; +import javax.ws.rs.core.Response; + +import org.apache.cxf.jaxrs.client.WebClient; +import org.apache.cxf.rs.security.jose.jws.JwsHeaders; +import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactProducer; +import org.apache.cxf.rs.security.jose.jwt.JwtClaims; +import org.apache.cxf.rs.security.jose.jwt.JwtToken; +import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken; +import org.apache.cxf.rs.security.oidc.common.UserInfo; +import org.apache.cxf.systest.jaxrs.security.oauth2.common.OAuth2TestUtils; +import org.apache.cxf.systest.jaxrs.security.oauth2.common.OAuth2TestUtils.AuthorizationCodeParameters; +import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase; +import org.apache.cxf.testutil.common.TestUtil; +import org.junit.BeforeClass; + +/** + * Some negative tests for OpenID Connect + */ +public class OIDCNegativeTest extends AbstractBusClientServerTestBase { + + static final String PORT = 
TestUtil.getPortNumber("jaxrs-negative-oidc"); + + @BeforeClass + public static void startServers() throws Exception { + assertTrue( + "Server failed to launch", + // run the server in the same process + // set this to false to fork + launchServer(OIDCNegativeServer.class, true) + ); + } + + @org.junit.Test + public void testJWTRequestNonmatchingResponseType() throws Exception { + URL busFile = OIDCNegativeTest.class.getResource("client.xml"); + + String address = "https://localhost:" + PORT + "/unsignedjwtservices/"; + WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "alice", "security", busFile.toString()); + // Save the Cookie for the second request... + WebClient.getConfig(client).getRequestContext().put( + org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); + + JwtClaims claims = new JwtClaims(); + claims.setIssuer("consumer-id"); + claims.setIssuedAt(new Date().getTime() / 1000L); + claims.setAudiences( + Collections.singletonList("https://localhost:" + PORT + "/unsignedjwtservices/")); + claims.setProperty("response_type", "token"); + + JwsHeaders headers = new JwsHeaders(); + headers.setAlgorithm("none"); + + JwtToken token = new JwtToken(headers, claims); + + JwsJwtCompactProducer jws = new JwsJwtCompactProducer(token); + String request = jws.getSignedEncodedJws(); + + AuthorizationCodeParameters parameters = new AuthorizationCodeParameters(); + parameters.setConsumerId("consumer-id"); + parameters.setScope("openid"); + parameters.setResponseType("code"); + parameters.setPath("authorize/"); + parameters.setRequest(request); + + // Get Authorization Code + try { + OAuth2TestUtils.getLocation(client, parameters); + fail("Failure expected on a non-matching response_type"); + } catch (ResponseProcessingException ex) { + // expected + } + } + + @org.junit.Test + public void testJWTRequestNonmatchingClientId() throws Exception { + URL busFile = OIDCNegativeTest.class.getResource("client.xml"); + + String address = 
"https://localhost:" + PORT + "/unsignedjwtservices/"; + WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "alice", "security", busFile.toString()); + // Save the Cookie for the second request... + WebClient.getConfig(client).getRequestContext().put( + org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); + + JwtClaims claims = new JwtClaims(); + claims.setIssuer("consumer-id"); + claims.setIssuedAt(new Date().getTime() / 1000L); + claims.setAudiences( + Collections.singletonList("https://localhost:" + PORT + "/unsignedjwtservices/")); + claims.setProperty("client_id", "consumer-id2"); + + JwsHeaders headers = new JwsHeaders(); + headers.setAlgorithm("none"); + + JwtToken token = new JwtToken(headers, claims); + + JwsJwtCompactProducer jws = new JwsJwtCompactProducer(token); + String request = jws.getSignedEncodedJws(); + + AuthorizationCodeParameters parameters = new AuthorizationCodeParameters(); + parameters.setConsumerId("consumer-id"); + parameters.setScope("openid"); + parameters.setResponseType("code"); + parameters.setPath("authorize/"); + parameters.setRequest(request); + + // Get Authorization Code + try { + OAuth2TestUtils.getLocation(client, parameters); + fail("Failure expected on a non-matching client id"); + } catch (ResponseProcessingException ex) { + // expected + } + } + + @org.junit.Test + public void testUserInfoRefreshToken() throws Exception { + URL busFile = UserInfoTest.class.getResource("client.xml"); + + String address = "https://localhost:" + PORT + "/services/"; + WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "alice", "security", busFile.toString()); + // Save the Cookie for the second request... 
+ WebClient.getConfig(client).getRequestContext().put( + org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); + + // Get Authorization Code + String code = OAuth2TestUtils.getAuthorizationCode(client, "openid"); + assertNotNull(code); + + // Now get the access token + client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "consumer-id", "this-is-a-secret", busFile.toString()); + // Save the Cookie for the second request... + WebClient.getConfig(client).getRequestContext().put( + org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); + + ClientAccessToken accessToken = + OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code); + assertNotNull(accessToken.getTokenKey()); + String oldAccessToken = accessToken.getTokenKey(); + assertTrue(accessToken.getApprovedScope().contains("openid")); + + String idToken = accessToken.getParameters().get("id_token"); + assertNotNull(idToken); + + // Refresh the access token + client.type("application/x-www-form-urlencoded").accept("application/json"); + + Form form = new Form(); + form.param("grant_type", "refresh_token"); + form.param("refresh_token", accessToken.getRefreshToken()); + form.param("client_id", "consumer-id"); + form.param("scope", "openid"); + Response response = client.post(form); + + accessToken = response.readEntity(ClientAccessToken.class); + assertNotNull(accessToken.getTokenKey()); + assertNotNull(accessToken.getRefreshToken()); + accessToken.getParameters().get("id_token"); + assertNotNull(idToken); + String newAccessToken = accessToken.getTokenKey(); + + // Now test the UserInfoService. 
+ + // The old Access Token should fail + String userInfoAddress = "https://localhost:" + PORT + "/ui/plain/userinfo"; + WebClient userInfoClient = WebClient.create(userInfoAddress, OAuth2TestUtils.setupProviders(), + busFile.toString()); + userInfoClient.accept("application/json"); + userInfoClient.header("Authorization", "Bearer " + oldAccessToken); + + Response serviceResponse = userInfoClient.get(); + assertEquals(serviceResponse.getStatus(), 401); + + // The refreshed Access Token should work + userInfoClient.replaceHeader("Authorization", "Bearer " + newAccessToken); + serviceResponse = userInfoClient.get(); + assertEquals(serviceResponse.getStatus(), 200); + + UserInfo userInfo = serviceResponse.readEntity(UserInfo.class); + assertNotNull(userInfo); + + assertEquals("alice", userInfo.getSubject()); + assertEquals("consumer-id", userInfo.getAudience()); + } + + +} http://git-wip-us.apache.org/repos/asf/cxf/blob/8b3243e8/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oidc/oidc-negative-server.xml ---------------------------------------------------------------------- diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oidc/oidc-negative-server.xml b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oidc/oidc-negative-server.xml new file mode 100644 index 0000000..f671aae --- /dev/null +++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oidc/oidc-negative-server.xml 
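Review bot: In `testUserInfoRefreshToken` the result of `accessToken.getParameters().get("id_token");` after the refresh is discarded, and the following `assertNotNull(idToken)` re-checks the value read from the original code-grant response, so nothing is asserted about the refreshed response's ID token. If the intent is to check that the refresh response carries an ID token, assign it with `idToken = accessToken.getParameters().get("id_token");`; otherwise remove both lines. The `assertEquals(serviceResponse.getStatus(), 401)` and `assertEquals(serviceResponse.getStatus(), 200)` calls have expected and actual swapped, which gives misleading failure messages. Separately, the two JWT-request tests pass on any `ResponseProcessingException`, so they do not show that the rejection was caused by the mismatching `response_type` or `client_id` claim rather than something else.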
@@ -0,0 +1,184 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, +software distributed under the License is distributed on an +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +KIND, either express or implied. See the License for the +specific language governing permissions and limitations +under the License. +--> +<beans xmlns="http://www.springframework.org/schema/beans" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xmlns:http="http://cxf.apache.org/transports/http/configuration" + xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration" + xmlns:sec="http://cxf.apache.org/configuration/security" + xmlns:cxf="http://cxf.apache.org/core" + xmlns:jaxrs="http://cxf.apache.org/jaxrs" + xmlns:util="http://www.springframework.org/schema/util" + xsi:schemaLocation="http://cxf.apache.org/jaxrs http://cxf.apache.org/schemas/jaxrs.xsd + http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd + http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd + http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd + http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd + http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd + http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd"> 
+ <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/> + <cxf:bus> + <cxf:features> + <cxf:logging/> + </cxf:features> + <cxf:properties> + <entry key="org.apache.cxf.jaxrs.bus.providers" value-ref="busProviders"/> + </cxf:properties> + </cxf:bus> + <!-- providers --> + <util:list id="busProviders"> + <ref bean="oauthJson"/> + </util:list> + <bean id="oauthJson" class="org.apache.cxf.rs.security.oauth2.provider.OAuthJSONProvider"/> + + <httpj:engine-factory id="tls-config"> + <httpj:engine port="${testutil.ports.jaxrs-negative-oidc}"> + <httpj:tlsServerParameters> + <sec:keyManagers keyPassword="password"> + <sec:keyStore type="JKS" password="password" file="src/test/java/org/apache/cxf/systest/http/resources/Bethal.jks"/> + </sec:keyManagers> + <sec:trustManagers> + <sec:keyStore type="JKS" password="password" file="src/test/java/org/apache/cxf/systest/http/resources/Truststore.jks"/> + </sec:trustManagers> + <sec:clientAuthentication want="false" required="false"/> + </httpj:tlsServerParameters> + <httpj:sessionSupport>true</httpj:sessionSupport> + </httpj:engine> + </httpj:engine-factory> + + <bean id="oauthProvider" class="org.apache.cxf.systest.jaxrs.security.oauth2.common.OAuthDataProviderImpl"> + <constructor-arg><value>${testutil.ports.jaxrs-negative-oidc}</value></constructor-arg> + </bean> + + <bean id="authorizationService" class="org.apache.cxf.rs.security.oidc.idp.OidcAuthorizationCodeService"> + <property name="dataProvider" ref="oauthProvider"/> + </bean> + + <bean id="implicitService" class="org.apache.cxf.rs.security.oidc.idp.OidcImplicitService"> + <property name="dataProvider" ref="oauthProvider"/> + <property name="responseFilter" ref="idTokenFilter"/> + <property name="idTokenProvider" ref="idTokenProviderImpl"/> + </bean> + + <bean id="refreshGrantHandler" class="org.apache.cxf.rs.security.oauth2.grants.refresh.RefreshTokenGrantHandler"> + <property name="dataProvider" ref="oauthProvider"/> + </bean> + + <bean 
id="idTokenProviderImpl" class="org.apache.cxf.systest.jaxrs.security.oidc.IdTokenProviderImpl"/> + + <bean id="idTokenFilter" class="org.apache.cxf.rs.security.oidc.idp.IdTokenResponseFilter"> + <property name="idTokenProvider" ref="idTokenProviderImpl"/> + </bean> + + <bean id="tokenService" class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService"> + <property name="dataProvider" ref="oauthProvider"/> + <property name="grantHandlers"> + <list> + <ref bean="refreshGrantHandler"/> + </list> + </property> + <property name="responseFilter" ref="idTokenFilter"/> + </bean> + + <bean id="hybridService" class="org.apache.cxf.rs.security.oidc.idp.OidcHybridService"> + <property name="dataProvider" ref="oauthProvider"/> + <property name="responseFilter" ref="idTokenFilter"/> + <property name="idTokenProvider" ref="idTokenProviderImpl"/> + <property name="codeService" ref="authorizationService"/> + </bean> + + <bean id="callbackHandler" class="org.apache.cxf.systest.jaxrs.security.oauth2.common.CallbackHandlerImpl"/> + <bean id="basicAuthFilter" class="org.apache.cxf.systest.jaxrs.security.oauth2.common.WSS4JBasicAuthFilter"> + <property name="callbackHandler" ref="callbackHandler"/> + </bean> + + <bean id="oidcKeysService" class="org.apache.cxf.rs.security.oidc.idp.OidcKeysService"/> + + <jaxrs:server + depends-on="tls-config" + address="https://localhost:${testutil.ports.jaxrs-negative-oidc}/services"> + <jaxrs:serviceBeans> + <ref bean="authorizationService"/> + <ref bean="hybridService"/> + <ref bean="implicitService"/> + <ref bean="tokenService"/> + <ref bean="oidcKeysService"/> + </jaxrs:serviceBeans> + <jaxrs:providers> + <ref bean="basicAuthFilter"/> + <bean class="org.apache.cxf.rs.security.jose.jaxrs.JsonWebKeysProvider"/> + </jaxrs:providers> + <jaxrs:properties> + <entry key="rs.security.keystore.type" value="jks" /> + <entry key="rs.security.keystore.alias" value="alice"/> + <entry key="rs.security.keystore.password" value="password"/> + <entry 
key="rs.security.key.password" value="password"/> + <entry key="rs.security.keystore.file" + value="org/apache/cxf/systest/jaxrs/security/certs/alice.jks" /> + <entry key="rs.security.signature.algorithm" value="RS256" /> + </jaxrs:properties> + </jaxrs:server> + + <bean id="jwtRequestFilter" class="org.apache.cxf.rs.security.oauth2.grants.code.JwtRequestCodeFilter"/> + + <bean id="jwtAuthorizationService" class="org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService"> + <property name="dataProvider" ref="oauthProvider"/> + <property name="authorizationFilter" ref="jwtRequestFilter"/> + </bean> + + <jaxrs:server + depends-on="tls-config" + address="https://localhost:${testutil.ports.jaxrs-negative-oidc}/unsignedjwtservices"> + <jaxrs:serviceBeans> + <ref bean="jwtAuthorizationService"/> + </jaxrs:serviceBeans> + <jaxrs:providers> + <ref bean="basicAuthFilter"/> + </jaxrs:providers> + <jaxrs:properties> + <entry key="rs.security.signature.algorithm" value="none" /> + </jaxrs:properties> + </jaxrs:server> + + <bean id="oAuthFilter" class="org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter"> + <property name="dataProvider" ref="oauthProvider"/> + </bean> + + <bean id="userInfoProvider" class="org.apache.cxf.systest.jaxrs.security.oidc.UserInfoProviderImpl" /> + + <bean id="userInfoService" class="org.apache.cxf.rs.security.oidc.idp.UserInfoService"> + <property name="userInfoProvider" ref="userInfoProvider"/> + <property name="jwsRequired" value="false"/> + </bean> + + <bean id="jsonProvider" class="org.apache.cxf.jaxrs.provider.json.JsonMapObjectProvider"/> + + <jaxrs:server + depends-on="tls-config" + address="https://localhost:${testutil.ports.jaxrs-negative-oidc}/ui/plain"> + <jaxrs:serviceBeans> + <ref bean="userInfoService"/> + </jaxrs:serviceBeans> + <jaxrs:providers> + <ref bean="oAuthFilter"/> + <ref bean="jsonProvider"/> + </jaxrs:providers> + </jaxrs:server> + +</beans>
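Review bot: The `unsignedjwtservices` endpoint sets `rs.security.signature.algorithm` to `none`, and the UserInfo service sets `jwsRequired` to `false`, with no comment saying these are deliberate. Both appear to be needed by the negative tests, which build request objects with `headers.setAlgorithm("none")`, but test configurations tend to get copied as templates. A short comment above that `jaxrs:server` would record the intent, e.g. `<!-- Test only: accepts unsigned (alg "none") request objects so the negative tests can submit mismatching claims -->`. The `<cxf:logging/>` feature presumably also writes the bearer tokens and Basic credentials used by these tests to the log, which is worth mentioning in the same comment.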
