cxf git commit: Making sure OIDC RP validation errors can be caught by OAuthServiceException mappers, a specialized exception subclass might need to be introduced
Repository: cxf Updated Branches: refs/heads/master 3fb5e2464 -> dd76961dc Making sure OIDC RP validation errors can be caught by OAuthServiceException mappers, a specialized exception subclass might need to be introduced Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/dd76961d Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/dd76961d Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/dd76961d Branch: refs/heads/master Commit: dd76961dcd50dfb07dd95d37ecf9a2f457db18bf Parents: 3fb5e24 Author: Sergey BeryozkinAuthored: Tue Dec 15 17:43:58 2015 + Committer: Sergey Beryozkin Committed: Tue Dec 15 17:43:58 2015 + -- .../oidc/rp/AbstractTokenValidator.java | 34 ++-- .../cxf/rs/security/oidc/rp/UserInfoClient.java | 3 +- .../cxf/rs/security/oidc/utils/OidcUtils.java | 5 +-- 3 files changed, 30 insertions(+), 12 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/dd76961d/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java --
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
index 0db3541..9e305e3 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
@@ -29,9 +29,11 @@ import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
import org.apache.cxf.rs.security.jose.jws.JwsUtils;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
+import org.apache.cxf.rs.security.jose.jwt.JwtException;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
import org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthJoseJwtConsumer;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
public abstract class AbstractTokenValidator extends AbstractOAuthJoseJwtConsumer {
private static final String SELF_ISSUED_ISSUER = "https://self-issued.me;;
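Review bot: The newly imported `org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException` is the authorization-server-side error type, so from this hunk on every RP-side ID token validation failure in `AbstractTokenValidator` is routed to whatever mapper handles provider errors, with no way for that mapper to tell an RP validation failure from a provider failure. The commit message already concedes a specialized subclass may be needed; I would introduce it in this same change rather than later, e.g. `public class OidcClientException extends OAuthServiceException` (name to taste) mirroring the parent constructors, and throw that from the validator so mappers can match on the narrower type. Whichever type is kept, it is worth confirming that the registered mapper does not echo the validator's message strings verbatim to an unauthenticated caller, since they name the exact check that failed. The rest of the class body, including where `SELF_ISSUED_ISSUER` is used, lies outside this hunk.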
@@ -54,44 +56,58 @@ public abstract class AbstractTokenValidator extends AbstractOAuthJoseJwtConsume
// validate the issuer
String issuer = claims.getIssuer();
if (issuer == null && validateClaimsAlways) {
-throw new SecurityException("Invalid provider");
+throw new OAuthServiceException("Invalid issuer");
}
if (supportSelfIssuedProvider && issuerId == null && issuer != null && SELF_ISSUED_ISSUER.equals(issuer)) {
-//TODO: self-issued provider token validation
+validateSelfIssuedProvider(claims, clientId, validateClaimsAlways);
} else {
if (issuer != null && !issuer.equals(issuerId)) {
-throw new SecurityException("Invalid provider");
+throw new OAuthServiceException("Invalid issuer");
}
// validate subject
if (claims.getSubject() == null) {
-throw new SecurityException("Invalid subject");
+throw new OAuthServiceException("Invalid subject");
}
// validate audience
List audiences = claims.getAudiences();
if (StringUtils.isEmpty(audiences) && validateClaimsAlways || !StringUtils.isEmpty(audiences) && !audiences.contains(clientId)) {
-throw new SecurityException("Invalid audience");
+throw new OAuthServiceException("Invalid audience");
}
// If strict time validation: if no issuedTime claim is set then an expiresAt claim must be set
// Otherwise: validate only if expiresAt claim is set
boolean expiredRequired = validateClaimsAlways || strictTimeValidation && claims.getIssuedAt() == null;
-JwtUtils.validateJwtExpiry(claims, clockOffset, expiredRequired);
+try {
+JwtUtils.validateJwtExpiry(claims, clockOffset, expiredRequired);
+} catch (JwtException ex) {
+throw new OAuthServiceException("ID Token has expired", ex);
+}
// If strict time validation: If no expiresAt claim is set then an issuedAt claim must be set
// Otherwise: validate only if issuedAt claim is set
boolean issuedAtRequired = validateClaimsAlways ||
cxf git commit: Making sure OIDC RP validation errors can be caught by OAuthServiceException mappers, a specialized exception subclass might need to be introduced
Repository: cxf Updated Branches: refs/heads/3.1.x-fixes 9f746c97a -> 015d7a6dd Making sure OIDC RP validation errors can be caught by OAuthServiceException mappers, a specialized exception subclass might need to be introduced Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/015d7a6d Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/015d7a6d Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/015d7a6d Branch: refs/heads/3.1.x-fixes Commit: 015d7a6dde4e201aaf8eaa90343b6ca9a20f6856 Parents: 9f746c9 Author: Sergey BeryozkinAuthored: Tue Dec 15 17:43:58 2015 + Committer: Sergey Beryozkin Committed: Tue Dec 15 17:44:56 2015 + -- .../oidc/rp/AbstractTokenValidator.java | 34 ++-- .../cxf/rs/security/oidc/rp/UserInfoClient.java | 3 +- .../cxf/rs/security/oidc/utils/OidcUtils.java | 5 +-- 3 files changed, 30 insertions(+), 12 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/015d7a6d/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java --
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
index 0db3541..9e305e3 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
@@ -29,9 +29,11 @@ import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
import org.apache.cxf.rs.security.jose.jws.JwsUtils;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
+import org.apache.cxf.rs.security.jose.jwt.JwtException;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
import org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthJoseJwtConsumer;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
public abstract class AbstractTokenValidator extends AbstractOAuthJoseJwtConsumer {
private static final String SELF_ISSUED_ISSUER = "https://self-issued.me;;
@@ -54,44 +56,58 @@ public abstract class AbstractTokenValidator extends AbstractOAuthJoseJwtConsume
// validate the issuer
String issuer = claims.getIssuer();
if (issuer == null && validateClaimsAlways) {
-throw new SecurityException("Invalid provider");
+throw new OAuthServiceException("Invalid issuer");
}
if (supportSelfIssuedProvider && issuerId == null && issuer != null && SELF_ISSUED_ISSUER.equals(issuer)) {
-//TODO: self-issued provider token validation
+validateSelfIssuedProvider(claims, clientId, validateClaimsAlways);
} else {
if (issuer != null && !issuer.equals(issuerId)) {
-throw new SecurityException("Invalid provider");
+throw new OAuthServiceException("Invalid issuer");
}
// validate subject
if (claims.getSubject() == null) {
-throw new SecurityException("Invalid subject");
+throw new OAuthServiceException("Invalid subject");
}
// validate audience
List audiences = claims.getAudiences();
if (StringUtils.isEmpty(audiences) && validateClaimsAlways || !StringUtils.isEmpty(audiences) && !audiences.contains(clientId)) {
-throw new SecurityException("Invalid audience");
+throw new OAuthServiceException("Invalid audience");
}
// If strict time validation: if no issuedTime claim is set then an expiresAt claim must be set
// Otherwise: validate only if expiresAt claim is set
boolean expiredRequired = validateClaimsAlways || strictTimeValidation && claims.getIssuedAt() == null;
-JwtUtils.validateJwtExpiry(claims, clockOffset, expiredRequired);
+try {
+JwtUtils.validateJwtExpiry(claims, clockOffset, expiredRequired);
+} catch (JwtException ex) {
+throw new OAuthServiceException("ID Token has expired", ex);
+}
// If strict time validation: If no expiresAt claim is set then an issuedAt claim must be set
// Otherwise: validate only if issuedAt claim is set
boolean issuedAtRequired = validateClaimsAlways ||