GUACAMOLE-210: Migrate to implicit flow (client-side, relies on "id_token"). Update to pre-release 0.9.9-incubating codebase.
Project: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/commit/fdc03133 Tree: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/tree/fdc03133 Diff: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/diff/fdc03133 Branch: refs/heads/master Commit: fdc031338722242e30d1ca0b2e393a4b2ae2e8f0 Parents: c3c6e0c Author: Michael Jumper <mjum...@apache.org> Authored: Sun Jun 12 00:14:00 2016 -0700 Committer: Michael Jumper <mjum...@apache.org> Committed: Mon Sep 25 13:06:43 2017 -0700 ---------------------------------------------------------------------- extensions/guacamole-auth-openid/pom.xml | 18 +-- .../oauth/AuthenticationProviderService.java | 46 ++---- .../auth/oauth/OAuthAuthenticationProvider.java | 10 +- .../OAuthAuthenticationProviderModule.java | 33 +--- .../auth/oauth/conf/ConfigurationService.java | 38 +---- .../oauth/conf/OAuthGuacamoleProperties.java | 26 +--- .../auth/oauth/form/OAuthCodeField.java | 97 ------------ .../auth/oauth/form/OAuthTokenField.java | 100 ++++++++++++ .../auth/oauth/token/TokenResponse.java | 153 ------------------- .../auth/oauth/token/TokenService.java | 101 ------------ .../auth/oauth/user/AuthenticatedUser.java | 6 +- .../src/main/resources/guac-manifest.json | 9 +- .../src/main/resources/oauthCodeField.html | 1 - .../src/main/resources/oauthConfig.js | 29 +++- .../src/main/resources/oauthController.js | 30 ++++ 15 files changed, 192 insertions(+), 505 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/fdc03133/extensions/guacamole-auth-openid/pom.xml ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-openid/pom.xml b/extensions/guacamole-auth-openid/pom.xml index d443cdd..60691e2 100644 --- a/extensions/guacamole-auth-openid/pom.xml 
+++ b/extensions/guacamole-auth-openid/pom.xml @@ -26,7 +26,7 @@ <groupId>org.apache.guacamole</groupId> <artifactId>guacamole-auth-openid</artifactId> <packaging>jar</packaging> - <version>0.9.9</version> + <version>0.9.9-incubating</version> <name>guacamole-auth-openid</name> <url>http://guacamole.incubator.apache.org/</url> @@ -80,24 +80,12 @@ <!-- Guacamole Extension API --> <dependency> - <groupId>org.glyptodon.guacamole</groupId> + <groupId>org.apache.guacamole</groupId> <artifactId>guacamole-ext</artifactId> - <version>0.9.9</version> + <version>0.9.9-incubating</version> <scope>provided</scope> </dependency> - <!-- Jersey Client --> - <dependency> - <groupId>com.sun.jersey</groupId> - <artifactId>jersey-client</artifactId> - <version>1.17.1</version> - </dependency> - <dependency> - <groupId>com.sun.jersey</groupId> - <artifactId>jersey-json</artifactId> - <version>1.17.1</version> - </dependency> - <!-- Guice --> <dependency> <groupId>com.google.inject</groupId> http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/fdc03133/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/AuthenticationProviderService.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/AuthenticationProviderService.java b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/AuthenticationProviderService.java index 5783faa..0aac968 100644 --- a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/AuthenticationProviderService.java +++ b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/AuthenticationProviderService.java 
@@ -25,14 +25,12 @@ import java.util.Arrays; import javax.servlet.http.HttpServletRequest; import org.apache.guacamole.auth.oauth.user.AuthenticatedUser; import org.apache.guacamole.auth.oauth.conf.ConfigurationService; -import org.apache.guacamole.auth.oauth.form.OAuthCodeField; -import org.apache.guacamole.auth.oauth.token.TokenResponse; -import org.apache.guacamole.auth.oauth.token.TokenService; -import org.glyptodon.guacamole.GuacamoleException; -import org.glyptodon.guacamole.form.Field; -import org.glyptodon.guacamole.net.auth.Credentials; -import org.glyptodon.guacamole.net.auth.credentials.CredentialsInfo; -import org.glyptodon.guacamole.net.auth.credentials.GuacamoleInvalidCredentialsException; +import org.apache.guacamole.auth.oauth.form.OAuthTokenField; +import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.form.Field; +import org.apache.guacamole.net.auth.Credentials; +import org.apache.guacamole.net.auth.credentials.CredentialsInfo; +import org.apache.guacamole.net.auth.credentials.GuacamoleInvalidCredentialsException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -54,12 +52,6 @@ public class AuthenticationProviderService { private ConfigurationService confService; /** - * Service for producing authentication tokens from OAuth codes. - */ - @Inject - private TokenService tokenService; - - /** * Provider for AuthenticatedUser objects. */ @Inject 
@@ -83,19 +75,15 @@ public class AuthenticationProviderService { public AuthenticatedUser authenticateUser(Credentials credentials) throws GuacamoleException { - String code = null; + String token = null; - // Pull OAuth code from request if present + // Pull OAuth token from request if present HttpServletRequest request = credentials.getRequest(); if (request != null) - code = request.getParameter(OAuthCodeField.PARAMETER_NAME); - - // TODO: Actually complete authentication using received code - if (code != null) { + token = request.getParameter(OAuthTokenField.PARAMETER_NAME); - // POST code and client information to OAuth token endpoint - TokenResponse response = tokenService.getTokenFromCode(code); - logger.debug("RESPONSE: {}", response); + // TODO: Actually validate received token + if (token != null) { // Create corresponding authenticated user AuthenticatedUser authenticatedUser = authenticatedUserProvider.get(); @@ -104,17 +92,13 @@ public class AuthenticationProviderService { } - // Request auth code + // Request OAuth token throw new GuacamoleInvalidCredentialsException("Invalid login.", new CredentialsInfo(Arrays.asList(new Field[] { - // Normal username/password fields - CredentialsInfo.USERNAME, - CredentialsInfo.PASSWORD, - - // OAuth-specific code (will be rendered as an appropriate - // "Log in with..." button - new OAuthCodeField( + // OAuth-specific token (will automatically redirect the user + // to the authorization page via JavaScript) + new OAuthTokenField( confService.getAuthorizationEndpoint(), confService.getClientID(), confService.getRedirectURI() http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/fdc03133/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/OAuthAuthenticationProvider.java ---------------------------------------------------------------------- 
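Review bot: Any non-null `id_token` request parameter now produces an AuthenticatedUser: in the @@ -83 hunk the value read via `request.getParameter(OAuthTokenField.PARAMETER_NAME)` is neither parsed nor verified before `authenticatedUserProvider.get()` is called, so the TODO marks a gap that an arbitrary string would currently satisfy. The removed TokenService did the server-side exchange using the client secret, and nothing on the new side replaces that check, so before this is usable the token should be treated as a JWT whose signature is verified against the provider's published keys and whose iss, aud, exp and nonce claims are compared with the configured values. Suggest making the TODO say so: `// TODO: verify the id_token signature and its iss/aud/exp/nonce claims; until then any non-null value is accepted`. Since the JavaScript side moves the token from the fragment into the query string, it will presumably also appear in server access logs, which is worth a sentence in the Javadoc. authenticateUser's body continues outside this hunk.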
diff --git a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/OAuthAuthenticationProvider.java b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/OAuthAuthenticationProvider.java index 06255ac..6ede890 100644 --- a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/OAuthAuthenticationProvider.java +++ b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/OAuthAuthenticationProvider.java @@ -21,11 +21,11 @@ package org.apache.guacamole.auth.oauth; import com.google.inject.Guice; import com.google.inject.Injector; -import org.glyptodon.guacamole.GuacamoleException; -import org.glyptodon.guacamole.net.auth.AuthenticatedUser; -import org.glyptodon.guacamole.net.auth.AuthenticationProvider; -import org.glyptodon.guacamole.net.auth.Credentials; -import org.glyptodon.guacamole.net.auth.UserContext; +import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.net.auth.AuthenticatedUser; +import org.apache.guacamole.net.auth.AuthenticationProvider; +import org.apache.guacamole.net.auth.Credentials; +import org.apache.guacamole.net.auth.UserContext; /** * Guacamole authentication backend which authenticates users using an http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/fdc03133/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/OAuthAuthenticationProviderModule.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/OAuthAuthenticationProviderModule.java b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/OAuthAuthenticationProviderModule.java index a5cef6d..202e6a2 100644 --- a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/OAuthAuthenticationProviderModule.java 
+++ b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/OAuthAuthenticationProviderModule.java @@ -20,17 +20,11 @@ package org.apache.guacamole.auth.oauth; import com.google.inject.AbstractModule; -import com.sun.jersey.api.client.Client; -import com.sun.jersey.api.client.config.ClientConfig; -import com.sun.jersey.api.client.config.DefaultClientConfig; import org.apache.guacamole.auth.oauth.conf.ConfigurationService; -import org.apache.guacamole.auth.oauth.token.TokenService; -import org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider; -import org.codehaus.jackson.map.DeserializationConfig; -import org.glyptodon.guacamole.GuacamoleException; -import org.glyptodon.guacamole.environment.Environment; -import org.glyptodon.guacamole.environment.LocalEnvironment; -import org.glyptodon.guacamole.net.auth.AuthenticationProvider; +import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.environment.Environment; +import org.apache.guacamole.environment.LocalEnvironment; +import org.apache.guacamole.net.auth.AuthenticationProvider; /** * Guice module which configures OAuth-specific injections. @@ -49,12 +43,6 @@ public class OAuthAuthenticationProviderModule extends AbstractModule { private final AuthenticationProvider authProvider; /** - * A reference to the shared HTTP client to be used when making calls to - * the OAuth service. - */ - private final Client client; - - /** * Creates a new OAuth authentication provider module which configures * injection for the OAuthAuthenticationProvider. * 
@@ -74,15 +62,6 @@ public class OAuthAuthenticationProviderModule extends AbstractModule { // Store associated auth provider this.authProvider = authProvider; - // Set up configuration for HTTP client - ClientConfig clientConfig = new DefaultClientConfig(); - clientConfig.getSingletons().add(new JacksonJaxbJsonProvider() - .configure(DeserializationConfig.Feature.FAIL_ON_UNKNOWN_PROPERTIES, false) - ); - - // Store pre-configured HTTP client - this.client = Client.create(clientConfig); - } @Override @@ -94,10 +73,6 @@ public class OAuthAuthenticationProviderModule extends AbstractModule { // Bind OAuth-specific services bind(ConfigurationService.class); - bind(TokenService.class); - - // Bind HTTP client - bind(Client.class).toInstance(client); } http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/fdc03133/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/conf/ConfigurationService.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/conf/ConfigurationService.java b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/conf/ConfigurationService.java index e1567d2..9debab7 100644 --- a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/conf/ConfigurationService.java +++ b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/conf/ConfigurationService.java @@ -20,8 +20,8 @@ package org.apache.guacamole.auth.oauth.conf; import com.google.inject.Inject; -import org.glyptodon.guacamole.GuacamoleException; -import org.glyptodon.guacamole.environment.Environment; +import org.apache.guacamole.GuacamoleException; +import org.apache.guacamole.environment.Environment; /** * Service for retrieving configuration information regarding the OAuth service. 
@@ -51,22 +51,6 @@ public class ConfigurationService { } /** - * Returns the token endpoint (URI) of the OAuth service as configured with - * guacamole.properties. - * - * @return - * The token endpoint of the OAuth service, as configured with - * guacamole.properties. - * - * @throws GuacamoleException - * If guacamole.properties cannot be parsed, or if the authorization - * endpoint property is missing. - */ - public String getTokenEndpoint() throws GuacamoleException { - return environment.getRequiredProperty(OAuthGuacamoleProperties.OAUTH_TOKEN_ENDPOINT); - } - - /** * Returns the OAuth client ID which should be submitted to the OAuth * service when necessary, as configured with guacamole.properties. This * value is typically provided by the OAuth service when OAuth credentials 
@@ -85,24 +69,6 @@ public class ConfigurationService { } /** - * Returns the OAuth client secret which should be submitted to the OAuth - * service when necessary, as configured with guacamole.properties. This - * value is typically provided by the OAuth service when OAuth credentials - * are generated for your application. - * - * @return - * The client secret to use when communicating with the OAuth service, - * as configured with guacamole.properties. - * - * @throws GuacamoleException - * If guacamole.properties cannot be parsed, or if the client secret - * property is missing. - */ - public String getClientSecret() throws GuacamoleException { - return environment.getRequiredProperty(OAuthGuacamoleProperties.OAUTH_CLIENT_SECRET); - } - - /** * Returns the URI that the OAuth service should redirect to after * the authentication process is complete, as configured with * guacamole.properties. This must be the full URL that a user would enter http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/fdc03133/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/conf/OAuthGuacamoleProperties.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/conf/OAuthGuacamoleProperties.java b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/conf/OAuthGuacamoleProperties.java index 0ebb94f..34952fe 100644 --- a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/conf/OAuthGuacamoleProperties.java +++ b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/conf/OAuthGuacamoleProperties.java 
@@ -19,7 +19,7 @@ package org.apache.guacamole.auth.oauth.conf; -import org.glyptodon.guacamole.properties.StringGuacamoleProperty; +import org.apache.guacamole.properties.StringGuacamoleProperty; /** * Provides properties required for use of the OAuth authentication provider. @@ -45,17 +45,6 @@ public class OAuthGuacamoleProperties { }; /** - * The token endpoint (URI) of the OAuth service. - */ - public static final StringGuacamoleProperty OAUTH_TOKEN_ENDPOINT = - new StringGuacamoleProperty() { - - @Override - public String getName() { return "oauth-token-endpoint"; } - - }; - - /** * OAuth client ID which should be submitted to the OAuth service when * necessary. This value is typically provided by the OAuth service when * OAuth credentials are generated for your application. @@ -69,19 +58,6 @@ public class OAuthGuacamoleProperties { }; /** - * OAuth client secret which should be submitted to the OAuth service when - * necessary. This value is typically provided by the OAuth service when - * OAuth credentials are generated for your application. - */ - public static final StringGuacamoleProperty OAUTH_CLIENT_SECRET = - new StringGuacamoleProperty() { - - @Override - public String getName() { return "oauth-client-secret"; } - - }; - - /** * The URI that the OAuth service should redirect to after the * authentication process is complete. This must be the full URL that a * user would enter into their browser to access Guacamole. http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/fdc03133/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/form/OAuthCodeField.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/form/OAuthCodeField.java b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/form/OAuthCodeField.java deleted file mode 100644 index 9b0764a..0000000 
--- a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/form/OAuthCodeField.java +++ /dev/null 
@@ -1,97 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.guacamole.auth.oauth.form; - -import java.io.UnsupportedEncodingException; -import java.net.URLEncoder; -import org.glyptodon.guacamole.form.Field; - -/** - * Field definition which represents the code returned by an OAuth service. - * Within the user interface, this will be rendered as an appropriate "Log in - * with ..." button which links to the OAuth service. - */ -public class OAuthCodeField extends Field { - - /** - * The standard HTTP parameter which will be included within the URL by all - * OAuth services upon successful authentication and redirect. - */ - public static final String PARAMETER_NAME = "code"; - - /** - * The full URI which the field should link to. - */ - private final String authorizationURI; - - /** - * Creates a new OAuth "code" field which links to the given OAuth service - * using the provided client ID. Successful authentication at the OAuth - * service will result in the client being redirected to the specified - * redirect URI. The OAuth code will be embedded in the query parameters of - * that URI. 
- * - * @param authorizationEndpoint - * The full URL of the endpoint accepting OAuth authentication - * requests. - * - * @param clientID - * The ID of the OAuth client. This is normally determined ahead of - * time by the OAuth service through some manual credential request - * procedure. - * - * @param redirectURI - * The URI that the OAuth service should redirect to upon successful - * authentication. - */ - public OAuthCodeField(String authorizationEndpoint, String clientID, - String redirectURI) { - - // Init base field properties - super(PARAMETER_NAME, "GUAC_OAUTH_CODE"); - - // Build authorization URI from given values - try { - this.authorizationURI = authorizationEndpoint - + "?scope=openid%20email%20profile" - + "&response_type=code" - + "&client_id=" + URLEncoder.encode(clientID, "UTF-8") - + "&redirect_uri=" + URLEncoder.encode(redirectURI, "UTF-8"); - } - - // Java is required to provide UTF-8 support - catch (UnsupportedEncodingException e) { - throw new UnsupportedOperationException("Unexpected lack of UTF-8 support.", e); - } - - } - - /** - * Returns the full URI that this field should link to when a new code - * needs to be obtained from the OAuth service. - * - * @return - * The full URI that this field should link to. - */ - public String getAuthorizationURI() { - return authorizationURI; - } - -} http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/fdc03133/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/form/OAuthTokenField.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/form/OAuthTokenField.java b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/form/OAuthTokenField.java new file mode 100644 index 0000000..84484e5 --- /dev/null +++ b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/form/OAuthTokenField.java 
@@ -0,0 +1,100 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.oauth.form;
+
+import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
+import java.util.UUID;
+import org.apache.guacamole.form.Field;
+
+/**
+ * Field definition which represents the token returned by an OAuth service.
+ * Within the user interface, this will be rendered as an appropriate "Log in
+ * with ..." button which links to the OAuth service.
+ */
+public class OAuthTokenField extends Field {
+
+ /**
+ * The standard HTTP parameter which will be included within the URL by all
+ * OAuth services upon successful authentication and redirect.
+ */
+ public static final String PARAMETER_NAME = "id_token";
+
+ /**
+ * The full URI which the field should link to.
+ */
+ private final String authorizationURI;
+
+ /**
+ * Creates a new OAuth "id_token" field which links to the given OAuth
+ * service using the provided client ID. Successful authentication at the
+ * OAuth service will result in the client being redirected to the specified
+ * redirect URI. The OAuth token will be embedded in the fragment (the part
+ * following the hash symbol) of that URI, which the JavaScript side of
+ * this extension will move to the query parameters.
+ *
+ * @param authorizationEndpoint
+ * The full URL of the endpoint accepting OAuth authentication
+ * requests.
+ *
+ * @param clientID
+ * The ID of the OAuth client. This is normally determined ahead of
+ * time by the OAuth service through some manual credential request
+ * procedure.
+ *
+ * @param redirectURI
+ * The URI that the OAuth service should redirect to upon successful
+ * authentication.
+ */
+ public OAuthTokenField(String authorizationEndpoint, String clientID,
+ String redirectURI) {
+
+ // Init base field properties
+ super(PARAMETER_NAME, "GUAC_OAUTH_TOKEN");
+
+ // Build authorization URI from given values
+ try {
+ this.authorizationURI = authorizationEndpoint
+ + "?scope=openid%20email%20profile"
+ + "&response_type=id_token"
+ + "&client_id=" + URLEncoder.encode(clientID, "UTF-8")
+ + "&redirect_uri=" + URLEncoder.encode(redirectURI, "UTF-8")
+ + "&nonce=" + UUID.randomUUID().toString();
+ }
+
+ // Java is required to provide UTF-8 support
+ catch (UnsupportedEncodingException e) {
+ throw new UnsupportedOperationException("Unexpected lack of UTF-8 support.", e);
+ }
+
+ }
+
+ /**
+ * Returns the full URI that this field should link to when a new token
+ * needs to be obtained from the OAuth service.
+ *
+ * @return
+ * The full URI that this field should link to.
+ */
+ public String getAuthorizationURI() {
+ return authorizationURI;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/fdc03133/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/token/TokenResponse.java
----------------------------------------------------------------------
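Review bot: The nonce appended in the constructor at `+ "&nonce=" + UUID.randomUUID().toString()` is never retained, so nothing can later compare it with the nonce claim of the returned id_token and it provides no replay protection as written. Keep it in a field when the URI is built, `private final String nonce;`, `this.nonce = UUID.randomUUID().toString();`, `+ "&nonce=" + nonce;`, and expose it through a getter so the authentication service can store it (for example in the session) and check it during token validation; the validation itself is not part of this diff. The PARAMETER_NAME Javadoc was carried over from OAuthCodeField and still says the parameter is included within the URL by all OAuth services, while the constructor Javadoc explains that the id_token arrives in the fragment and only becomes a query parameter once this extension's JavaScript moves it; reword it to `The HTTP parameter under which the id_token is submitted to Guacamole once the JavaScript side has moved it out of the URL fragment.` The class Javadoc's "Log in with ..." button wording likewise no longer matches the AuthenticationProviderService comment that the field redirects automatically via JavaScript.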
diff --git a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/token/TokenResponse.java b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/token/TokenResponse.java deleted file mode 100644 index 5136830..0000000 --- a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/token/TokenResponse.java +++ /dev/null 
@@ -1,153 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.guacamole.auth.oauth.token; - -import org.codehaus.jackson.annotate.JsonProperty; - -/** - * The response produced from a successful request to the token endpoint of an - * OAuth service. - */ -public class TokenResponse { - - /** - * An arbitrary access token which can be used for future requests against - * the API associated with the OAuth service. - */ - private String accessToken; - - /** - * The type of token present. This will always be "Bearer". - */ - private String tokenType; - - /** - * The number of seconds the access token will remain valid. - */ - private int expiresIn; - - /** - * A JWT (JSON Web Token) which containing identity information which has - * been cryptographically signed. - */ - private String idToken; - - /** - * Returns an arbitrary access token which can be used for future requests - * against the API associated with the OAuth service. - * - * @return - * An arbitrary access token provided by the OAuth service. 
- */ - @JsonProperty("access_token") - public String getAccessToken() { - return accessToken; - } - - /** - * Sets the arbitrary access token which can be used for future requests - * against the API associated with the OAuth service. - * - * @param accessToken - * The arbitrary access token provided by the OAuth service. - */ - @JsonProperty("access_token") - public void setAccessToken(String accessToken) { - this.accessToken = accessToken; - } - - /** - * Returns the type of token present in this response. This should always - * be "Bearer". - * - * @return - * The type of token present in this response. - */ - @JsonProperty("token_type") - public String getTokenType() { - return tokenType; - } - - /** - * Sets the type of token present in this response. This should always be - * "Bearer". - * - * @param tokenType - * The type of token present in this response, which should be - * "Bearer". - */ - @JsonProperty("token_type") - public void setTokenType(String tokenType) { - this.tokenType = tokenType; - } - - /** - * Returns the number of seconds the access token within this response will - * remain valid. - * - * @return - * The number of seconds the access token within this response will - * remain valid. - */ - @JsonProperty("expires_in") - public int getExpiresIn() { - return expiresIn; - } - - /** - * Sets the number of seconds the access token within this response will - * remain valid. - * - * @param expiresIn - * The number of seconds the access token within this response will - * remain valid. - */ - @JsonProperty("expires_in") - public void setExpiresIn(int expiresIn) { - this.expiresIn = expiresIn; - } - - /** - * Returns a JWT (JSON Web Token) containing identity information which has - * been cryptographically signed by the OAuth service. - * - * @return - * A JWT (JSON Web Token) containing identity information which has - * been cryptographically signed by the OAuth service. 
- */ - @JsonProperty("id_token") - public String getIdToken() { - return idToken; - } - - /** - * Sets the JWT (JSON Web Token) containing identity information which has - * been cryptographically signed by the OAuth service. - * - * @param idToken - * A JWT (JSON Web Token) containing identity information which has - * been cryptographically signed by the OAuth service. - */ - @JsonProperty("id_token") - public void setIdToken(String idToken) { - this.idToken = idToken; - } - -} http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/fdc03133/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/token/TokenService.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/token/TokenService.java b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/token/TokenService.java deleted file mode 100644 index a328bde..0000000 --- a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/token/TokenService.java +++ /dev/null 
@@ -1,101 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.guacamole.auth.oauth.token;
-
-import com.google.inject.Inject;
-import com.sun.jersey.api.client.Client;
-import com.sun.jersey.api.client.UniformInterfaceException;
-import com.sun.jersey.api.representation.Form;
-import javax.ws.rs.core.MediaType;
-import org.apache.guacamole.auth.oauth.AuthenticationProviderService;
-import org.apache.guacamole.auth.oauth.conf.ConfigurationService;
-import org.glyptodon.guacamole.GuacamoleException;
-import org.glyptodon.guacamole.GuacamoleServerException;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * Provides relatively abstract means of producing authentication tokens from
- * the codes received from OAuth services.
- */
-public class TokenService {
-
- /**
- * Logger for this class.
- */
- private final Logger logger = LoggerFactory.getLogger(AuthenticationProviderService.class);
-
- /**
- * Service for retrieving OAuth configuration information.
- */
- @Inject
- private ConfigurationService confService;
-
- /**
- * Jersey HTTP client.
- */
- @Inject
- private Client client;
-
- /**
- * Given an authorization code previously received from the OAuth service
- * via the "code" parameter provided to the redirect URL, retrieves and
- * returns an authentication token.
- *
- * @param code
- * The value of the "code" parameter received from the OAuth service.
- *
- * @return
- * The authentication roken response received from the OAuth service.
- *
- * @throws GuacamoleException
- * If required properties within guacamole.properties cannot be read,
- * or if an error occurs while contacting the OAuth service.
- */
- public TokenResponse getTokenFromCode(String code)
- throws GuacamoleException {
-
- try {
-
- // Generate POST data
- Form form = new Form();
- form.add("code", code);
- form.add("client_id", confService.getClientID());
- form.add("client_secret", confService.getClientSecret());
- form.add("redirect_uri", confService.getRedirectURI());
- form.add("grant_type", "authorization_code");
-
- // POST code and client information to OAuth token endpoint
- return client.resource(confService.getTokenEndpoint())
- .type(MediaType.APPLICATION_FORM_URLENCODED_TYPE)
- .accept(MediaType.APPLICATION_JSON_TYPE)
- .post(TokenResponse.class, form);
-
- }
-
- // Log any failure reaching the OAuth service
- catch (UniformInterfaceException e) {
- logger.debug("POST to token endpoint failed.", e);
- throw new GuacamoleServerException("Unable to POST to token endpoint.", e);
- }
-
- }
-
-}
http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/fdc03133/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/user/AuthenticatedUser.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/user/AuthenticatedUser.java b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/user/AuthenticatedUser.java
index 935c270..3a798eb 100644
--- a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/user/AuthenticatedUser.java +++ b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/user/AuthenticatedUser.java @@ -20,9 +20,9 @@ package org.apache.guacamole.auth.oauth.user; import com.google.inject.Inject; -import org.glyptodon.guacamole.net.auth.AbstractAuthenticatedUser; -import org.glyptodon.guacamole.net.auth.AuthenticationProvider; -import org.glyptodon.guacamole.net.auth.Credentials; +import org.apache.guacamole.net.auth.AbstractAuthenticatedUser; +import org.apache.guacamole.net.auth.AuthenticationProvider; +import org.apache.guacamole.net.auth.Credentials; /** * An OAuth-specific implementation of AuthenticatedUser, associating a http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/fdc03133/extensions/guacamole-auth-openid/src/main/resources/guac-manifest.json ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-openid/src/main/resources/guac-manifest.json b/extensions/guacamole-auth-openid/src/main/resources/guac-manifest.json index e8f2fac..cc74547 100644 --- a/extensions/guacamole-auth-openid/src/main/resources/guac-manifest.json +++ b/extensions/guacamole-auth-openid/src/main/resources/guac-manifest.json @@ -1,6 +1,6 @@ { - "guacamoleVersion" : "0.9.9", + "guacamoleVersion" : "0.9.9-incubating", "name" : "OAuth Authentication Extension", "namespace" : "guac-oauth", @@ -11,11 +11,8 @@ "js" : [ "oauthModule.js", + "oauthController.js", "oauthConfig.js" - ], - - "resources" : { - "oauthCodeField.html" : "text/html" - } + ] } http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/fdc03133/extensions/guacamole-auth-openid/src/main/resources/oauthCodeField.html ---------------------------------------------------------------------- 
diff --git a/extensions/guacamole-auth-openid/src/main/resources/oauthCodeField.html b/extensions/guacamole-auth-openid/src/main/resources/oauthCodeField.html
deleted file mode 100644
index e6c4fff..0000000
--- a/extensions/guacamole-auth-openid/src/main/resources/oauthCodeField.html
+++ /dev/null
@@ -1 +0,0 @@
-<a href="{{field.authorizationURI}}">Log in using OAuth</a>
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/fdc03133/extensions/guacamole-auth-openid/src/main/resources/oauthConfig.js
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-openid/src/main/resources/oauthConfig.js b/extensions/guacamole-auth-openid/src/main/resources/oauthConfig.js
index ba6f0cc..4319656 100644
--- a/extensions/guacamole-auth-openid/src/main/resources/oauthConfig.js
+++ b/extensions/guacamole-auth-openid/src/main/resources/oauthConfig.js
@@ -23,9 +23,32 @@ angular.module('guacOAuth').config(['formServiceProvider', function guacOAuthConfig(formServiceProvider) { - // Define field for code from OAuth service - formServiceProvider.registerFieldType("GUAC_OAUTH_CODE", { - templateUrl : 'app/ext/guac-oauth/oauthCodeField.html' + // Define field for token from OAuth service + formServiceProvider.registerFieldType("GUAC_OAUTH_TOKEN", { + template : '', + controller : 'guacOAuthController', + module : 'guacOAuth' + }); + +}]); + +/** + * Config block which augments the existing routing, providing special handling + * for the "id_token=" fragments provided by OpenID Connect. + */ +angular.module('index').config(['$routeProvider', + function indexRouteConfig($routeProvider) { + + // Transform "/#/id_token=..." to "/#/?id_token=..." + $routeProvider.when('/id_token=:response', { + + template : '', + controller : ['$location', function reroute($location) { + var params = $location.path().substring(1); + $location.url('/'); + $location.search(params); + }] + }); }]); http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/fdc03133/extensions/guacamole-auth-openid/src/main/resources/oauthController.js ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-openid/src/main/resources/oauthController.js b/extensions/guacamole-auth-openid/src/main/resources/oauthController.js new file mode 100644 index 0000000..ba7a120 --- /dev/null +++ b/extensions/guacamole-auth-openid/src/main/resources/oauthController.js 
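Review bot: The `reroute` controller on the `/id_token=:response` route leaves the raw ID token in browser history, because `$location.url('/')` followed by `$location.search(params)` is an ordinary navigation, so the intermediate `/#/id_token=...` entry remains in the back-stack after login. Appending `$location.replace();` after `$location.search(params);` turns the pending change into a history replacement and is the smallest fix: `$location.url('/'); $location.search(params); $location.replace();`; clearing the `id_token` parameter from the final URL once it has been consumed is left to whichever code reads it, which is not in this diff. `params` is everything after the leading `/` of the path and is forwarded unchanged, so it also carries any further response parameters the provider appends (a `state` value, for instance); a comment such as `// Forward the whole fragment response (id_token=..., plus any other parameters) as query parameters` would make that intent explicit. Whether the forwarded token is verified (signature, audience, expiry, nonce) before it is trusted is a server-side concern that this hunk does not show.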
@@ -0,0 +1,30 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+/**
+ * Controller for the "GUAC_OAUTH_TOKEN" field which simply redirects the user
+ * immediately to the authorization URI.
+ */
+angular.module('guacOAuth').controller('guacOAuthController', ['$scope',
+ function guacOAuthController($scope) {
+
+ // Redirect to authorization URI
+ window.location = $scope.field.authorizationURI;
+
+}]);
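Review bot: `window.location = $scope.field.authorizationURI;` is unguarded, so a field delivered without `authorizationURI` (or with an empty string) sends the browser to a relative URL literally named `undefined`, or reloads the current page, instead of doing nothing. `if ($scope.field.authorizationURI) { window.location.assign($scope.field.authorizationURI); }` keeps the normal redirect and turns a misconfigured field into a no-op rather than a bogus navigation. The redirect also runs every time the field is rendered, so if the login form is shown again after a rejected token the user is bounced straight back to the provider; whether that loop can occur depends on the server-side field handling, which is not in this diff. The URI presumably originates from the extension's own field definition rather than from user input — if so, a comment like `// authorizationURI is set by the extension's token field, not by the user` would record why no validation is done here.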