This is an automated email from the ASF dual-hosted git repository. rmannibucau pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/openwebbeans-meecrowave.git
The following commit(s) were added to refs/heads/master by this push:
     new 6eb8ed5  another cxf workard for authorization_code flow (oauth2-require-user-to-start-authorization_code-flow)
6eb8ed5 is described below
commit 6eb8ed5b2e8abda3417408ed94a7ea3ceb6607d8
Author: Romain Manni-Bucau <rmannibu...@gmail.com>
AuthorDate: Tue Nov 10 20:42:30 2020 +0100
    another cxf workard for authorization_code flow (oauth2-require-user-to-start-authorization_code-flow)
---
 .../oauth2/configuration/OAuth2Options.java        | 11 ++++++++
 .../OAuth2AuthorizationCodeGrantService.java       | 31 ++++++++++++++++++++++
 2 files changed, 42 insertions(+)
diff --git a/meecrowave-oauth2-minimal/src/main/java/org/apache/meecrowave/oauth2/configuration/OAuth2Options.java b/meecrowave-oauth2-minimal/src/main/java/org/apache/meecrowave/oauth2/configuration/OAuth2Options.java
index 15bdd57..97844a0 100644
--- a/meecrowave-oauth2-minimal/src/main/java/org/apache/meecrowave/oauth2/configuration/OAuth2Options.java
+++ b/meecrowave-oauth2-minimal/src/main/java/org/apache/meecrowave/oauth2/configuration/OAuth2Options.java
@@ -34,6 +34,9 @@ public class OAuth2Options implements Cli.Options {
     @CliOption(name = "oauth2-use-all-client-scopes", description = "Are all client scopes used for refresh tokens")
     private boolean useAllClientScopes;
 
+    @CliOption(name = "oauth2-require-user-to-start-authorization_code-flow", description = "Should the authorization_code flow require an authenicated user.")
+    private boolean requireUserToStartAuthorizationCodeFlow;
+
     @CliOption(name = "oauth2-use-s256-code-challenge", description = "Are the code_challenge used by PKCE flow digested or not.")
     private boolean useS256CodeChallenge = true;
 
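Review bot: The new flag defaults to `false`, and in the service change of this same commit that is the branch which skips `getAndValidateSecurityContext`, so unless a deployment explicitly opts in, a request with no authenticated end user can start the authorization_code flow. If the previous behaviour was to always require an end user at that point (which is what the inherited CXF service appears to do, though I cannot verify it from this diff), the default silently relaxes it for every existing deployment; consider `private boolean requireUserToStartAuthorizationCodeFlow = true;` so that relaxing it is the deliberate choice, or at least say so in the option description. The description string also has a typo, `authenicated` should read `authenticated`.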
@@ -178,6 +181,14 @@ public class OAuth2Options implements Cli.Options {
     @CliOption(name = "oauth2-redirection-scopes-requiring-no-consent", description = "For authorization code flow, the scopes using no consent")
     private String scopesRequiringNoConsent;
 
+    public boolean isRequireUserToStartAuthorizationCodeFlow() {
+        return requireUserToStartAuthorizationCodeFlow;
+    }
+
+    public void setRequireUserToStartAuthorizationCodeFlow(final boolean requireUserToStartAuthorizationCodeFlow) {
+        this.requireUserToStartAuthorizationCodeFlow = requireUserToStartAuthorizationCodeFlow;
+    }
+
     public boolean isUseS256CodeChallenge() {
         return useS256CodeChallenge;
     }
diff --git a/meecrowave-oauth2-minimal/src/main/java/org/apache/meecrowave/oauth2/resource/OAuth2AuthorizationCodeGrantService.java b/meecrowave-oauth2-minimal/src/main/java/org/apache/meecrowave/oauth2/resource/OAuth2AuthorizationCodeGrantService.java
index f8a2e76..7cd2582 100644
--- a/meecrowave-oauth2-minimal/src/main/java/org/apache/meecrowave/oauth2/resource/OAuth2AuthorizationCodeGrantService.java
+++ b/meecrowave-oauth2-minimal/src/main/java/org/apache/meecrowave/oauth2/resource/OAuth2AuthorizationCodeGrantService.java
@@ -19,9 +19,13 @@ package org.apache.meecrowave.oauth2.resource;
 import org.apache.cxf.jaxrs.ext.MessageContext;
+import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.UserSubject;
+import org.apache.cxf.rs.security.oauth2.provider.AuthorizationCodeResponseFilter;
+import org.apache.cxf.rs.security.oauth2.provider.AuthorizationRequestFilter;
 import org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService;
 import org.apache.cxf.rs.security.oauth2.services.RedirectionBasedGrantService;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 import org.apache.cxf.security.SecurityContext;
 import org.apache.meecrowave.oauth2.configuration.OAuth2Configurer;
@@ -88,11 +92,35 @@ public class OAuth2AuthorizationCodeGrantService {
     @Vetoed
     public static class LazyImpl extends AuthorizationCodeGrantService {
         private OAuth2Configurer configurer;
+        private AuthorizationRequestFilter filter;
 
         public void setConfigurer(final OAuth2Configurer configurer) {
             this.configurer = configurer;
         }
 
+        public void setAuthorizationFilter(final AuthorizationRequestFilter authorizationFilter) {
+            this.filter = authorizationFilter;
+            super.setAuthorizationFilter(authorizationFilter);
+        }
+
+
+        @Override // https://issues.apache.org/jira/browse/CXF-8370
+        protected Response startAuthorization(MultivaluedMap<String, String> params) {
+            final SecurityContext sc;
+            if (configurer.getConfiguration().isRequireUserToStartAuthorizationCodeFlow()) {
+                sc = getAndValidateSecurityContext(params);
+            } else {
+                sc = null;
+            }
+            final Client client = getClient(params.getFirst(OAuthConstants.CLIENT_ID), params);
+            final UserSubject userSubject = createUserSubject(sc, params);
+            if (filter != null) {
+                params = filter.process(params, userSubject, client);
+            }
+            final String redirectUri = validateRedirectUri(client, params.getFirst(OAuthConstants.REDIRECT_URI));
+            return startAuthorization(params, userSubject, client, redirectUri);
+        }
+
         @Override
         protected UserSubject createUserSubject(final SecurityContext securityContext,
                                                 final MultivaluedMap<String, String> params) {
@@ -101,6 +129,9 @@ public class OAuth2AuthorizationCodeGrantService {
             if (subject != null) {
                 return subject;
             }
+            if (securityContext == null) {
+                return null;
+            }
             final Principal principal = securityContext.getUserPrincipal();
             return configurer.doCreateUserSubject(principal);
         }
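Review bot: In the overridden `startAuthorization`, the `else` branch bypasses `getAndValidateSecurityContext(params)` entirely; if the inherited CXF implementation of that method also performs the transport-security (HTTPS) check, which I cannot confirm from this diff, then turning off the user requirement silently turns that check off too, so consider `} else { checkTransportSecurity(); sc = null; }` provided the base class exposes it. In that branch `userSubject` is `null` whenever `createUserSubject` finds no subject in `params` (the new guard returns `null`), and it is passed as-is to `filter.process` and to the four-argument `startAuthorization`; a comment such as `// userSubject may be null here when the user is not required to start the flow (CXF-8370)` would make that contract explicit for the next maintainer. `setAuthorizationFilter` overrides the base setter but lacks the `@Override` that the sibling overrides carry, and the two consecutive blank lines before `@Override` look unintended. The `LazyImpl` class continues outside this hunk.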