This is an automated email from the ASF dual-hosted git repository. rmannibucau pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/openwebbeans-meecrowave.git
The following commit(s) were added to refs/heads/master by this push:
     new a050f92  dropping cxf workaround since cxf 3.2 is released since a lot time now + adding useS256CodeChallenge option as a workaround until CXF-8369 is fixed
a050f92 is described below
commit a050f92f60fe63ad96181003100572e1875eb6a4
Author: Romain Manni-Bucau <rmannibu...@gmail.com>
AuthorDate: Tue Nov 10 20:17:32 2020 +0100
    dropping cxf workaround since cxf 3.2 is released since a lot time now + adding useS256CodeChallenge option as a workaround until CXF-8369 is fixed
---
 .../oauth2/configuration/OAuth2Configurer.java | 56 +++++-----------------
 .../oauth2/configuration/OAuth2Options.java    | 11 +++++
 2 files changed, 24 insertions(+), 43 deletions(-)
diff --git a/meecrowave-oauth2-minimal/src/main/java/org/apache/meecrowave/oauth2/configuration/OAuth2Configurer.java b/meecrowave-oauth2-minimal/src/main/java/org/apache/meecrowave/oauth2/configuration/OAuth2Configurer.java
index b07981f..7421631 100644
--- a/meecrowave-oauth2-minimal/src/main/java/org/apache/meecrowave/oauth2/configuration/OAuth2Configurer.java
+++ b/meecrowave-oauth2-minimal/src/main/java/org/apache/meecrowave/oauth2/configuration/OAuth2Configurer.java
@@ -20,17 +20,11 @@ package org.apache.meecrowave.oauth2.configuration;
 import org.apache.catalina.realm.GenericPrincipal;
 import org.apache.cxf.Bus;
-import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.interceptor.security.AuthenticationException;
 import org.apache.cxf.jaxrs.ext.MessageContext;
 import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.phase.PhaseInterceptorChain;
-import org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider;
-import org.apache.cxf.rs.security.jose.jwe.JweHeaders;
-import org.apache.cxf.rs.security.jose.jwe.JweUtils;
-import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
-import org.apache.cxf.rs.security.jose.jws.JwsUtils;
 import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
 import org.apache.cxf.rs.security.oauth2.common.AuthenticationMethod;
 import org.apache.cxf.rs.security.oauth2.common.Client;
@@ -41,7 +35,9 @@ import org.apache.cxf.rs.security.oauth2.grants.AbstractGrantHandler;
 import org.apache.cxf.rs.security.oauth2.grants.clientcred.ClientCredentialsGrantHandler;
 import org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeGrantHandler;
 import org.apache.cxf.rs.security.oauth2.grants.code.DefaultEncryptingCodeDataProvider;
+import org.apache.cxf.rs.security.oauth2.grants.code.DigestCodeVerifier;
 import org.apache.cxf.rs.security.oauth2.grants.code.JPACodeDataProvider;
+import org.apache.cxf.rs.security.oauth2.grants.code.PlainCodeVerifier;
 import org.apache.cxf.rs.security.oauth2.grants.jwt.JwtBearerGrantHandler;
 import org.apache.cxf.rs.security.oauth2.grants.owner.JAASResourceOwnerLoginHandler;
 import org.apache.cxf.rs.security.oauth2.grants.owner.ResourceOwnerGrantHandler;
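Review bot: `PlainCodeVerifier` is imported in the second hunk but, across the hunks of this commit, never referenced — the new `createAccessToken` override further down only installs `DigestCodeVerifier` when `isUseS256CodeChallenge()` is true and otherwise leaves the handler's transformer untouched. Unless the name is used in a part of the file not shown here, either drop the import or make the off branch explicit with `} else { setCodeVerifierTransformer(new PlainCodeVerifier()); }`, which would state that "not S256" means plain comparison rather than whatever the CXF handler does by default. The first hunk is a clean removal of imports that the dropped `JoseSessionTokenProvider` workaround no longer needs.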
@@ -59,7 +55,6 @@ import org.apache.cxf.rs.security.oauth2.services.AbstractTokenService;
 import org.apache.cxf.rs.security.oauth2.services.AccessTokenService;
 import org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
-import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
 import org.apache.meecrowave.Meecrowave;
 import org.apache.meecrowave.oauth2.data.RefreshTokenEnabledProvider;
 import org.apache.meecrowave.oauth2.provider.JCacheCodeDataProvider;
@@ -310,6 +305,14 @@ public class OAuth2Configurer {
         });
         handlers.add(new AuthorizationCodeGrantHandler() {
             @Override
+            public ServerAccessToken createAccessToken(final Client client, final MultivaluedMap<String, String> params) throws OAuthServiceException {
+                if (configuration.isUseS256CodeChallenge()) {
+                    setCodeVerifierTransformer(new DigestCodeVerifier());
+                }
+                return super.createAccessToken(client, params);
+            }
+
+            @Override
             protected ServerAccessToken doCreateAccessToken(final Client client, final UserSubject subject, final String requestedGrant,
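Review bot: `setCodeVerifierTransformer(new DigestCodeVerifier())` is executed on every token request in the new `createAccessToken` override, mutating the shared handler from the request path for a setting that is fixed once `configuration` is read. Since the option cannot change per request, the transformer can be installed once when the handler is built, which also removes the override: an instance initializer in the anonymous class, `{ if (configuration.isUseS256CodeChallenge()) { setCodeVerifierTransformer(new DigestCodeVerifier()); } }`, placed where the override is now. Whichever form stays, a comment naming the reason — `// workaround until CXF-8369 is fixed: pick the PKCE verifier from configuration` — would tell the next maintainer when it can be removed, as the commit message already does. The anonymous handler and the `doCreateAccessToken` method it overrides continue outside the hunk.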
@@ -391,44 +394,11 @@ public class OAuth2Configurer {
                 .collect(toMap(s -> s.substring("oauth2.cxf.".length()), s -> builder.getProperties().getProperty(s)));
         final JoseSessionTokenProvider sessionAuthenticityTokenProvider = new JoseSessionTokenProvider() {
-            private int maxDefaultSessionInterval;
-            private boolean jweRequired;
-            private JweEncryptionProvider jweEncryptor;
-
-            @Override // workaround a NPE of 3.2.0 - https://issues.apache.org/jira/browse/CXF-7504
+            @Override
             public String createSessionToken(final MessageContext mc, final MultivaluedMap<String, String> params, final UserSubject subject, final OAuthRedirectionState secData) {
-                String stateString = convertStateToString(secData);
-                final JwsSignatureProvider jws = getInitializedSigProvider();
-                final JweEncryptionProvider jwe = jweEncryptor == null ?
-                        JweUtils.loadEncryptionProvider(new JweHeaders(), jweRequired) : jweEncryptor;
-                if (jws == null && jwe == null) {
-                    throw new OAuthServiceException("Session token can not be created");
-                }
-                if (jws != null) {
-                    stateString = JwsUtils.sign(jws, stateString, null);
-                }
-                if (jwe != null) {
-                    stateString = jwe.encrypt(StringUtils.toBytesUTF8(stateString), null);
-                }
-                return OAuthUtils.setSessionToken(mc, stateString, maxDefaultSessionInterval);
-            }
-
-            public void setJweEncryptor(final JweEncryptionProvider jweEncryptor) {
-                super.setJweEncryptor(jweEncryptor);
-                this.jweEncryptor = jweEncryptor;
-            }
-
-            @Override
-            public void setJweRequired(final boolean jweRequired) {
-                super.setJweRequired(jweRequired);
-                this.jweRequired = jweRequired;
-            }
-
-            @Override
-            public void setMaxDefaultSessionInterval(final int maxDefaultSessionInterval) {
-                super.setMaxDefaultSessionInterval(maxDefaultSessionInterval);
-                this.maxDefaultSessionInterval = maxDefaultSessionInterval;
+                secData.setClientCodeChallenge(params.getFirst(OAuthConstants.AUTHORIZATION_CODE_CHALLENGE)); // CXF-8368
+                return super.createSessionToken(mc, params, subject, secData);
             }
         };
         sessionAuthenticityTokenProvider.setMaxDefaultSessionInterval(configuration.getMaxDefaultSessionInterval());
diff --git a/meecrowave-oauth2-minimal/src/main/java/org/apache/meecrowave/oauth2/configuration/OAuth2Options.java b/meecrowave-oauth2-minimal/src/main/java/org/apache/meecrowave/oauth2/configuration/OAuth2Options.java
index 1190c8e..15bdd57 100644
--- a/meecrowave-oauth2-minimal/src/main/java/org/apache/meecrowave/oauth2/configuration/OAuth2Options.java
+++ b/meecrowave-oauth2-minimal/src/main/java/org/apache/meecrowave/oauth2/configuration/OAuth2Options.java
@@ -34,6 +34,9 @@ public class OAuth2Options implements Cli.Options {
     @CliOption(name = "oauth2-use-all-client-scopes", description = "Are all client scopes used for refresh tokens")
     private boolean useAllClientScopes;
+    @CliOption(name = "oauth2-use-s256-code-challenge", description = "Are the code_challenge used by PKCE flow digested or not.")
+    private boolean useS256CodeChallenge = true;
+
     @CliOption(name = "oauth2-write-custom-errors", description = "Should custom errors be written")
     private boolean writeCustomErrors;
@@ -175,6 +178,14 @@ public class OAuth2Options implements Cli.Options {
     @CliOption(name = "oauth2-redirection-scopes-requiring-no-consent", description = "For authorization code flow, the scopes using no consent")
     private String scopesRequiringNoConsent;
+    public boolean isUseS256CodeChallenge() {
+        return useS256CodeChallenge;
+    }
+
+    public void setUseS256CodeChallenge(final boolean useS256CodeChallenge) {
+        this.useS256CodeChallenge = useS256CodeChallenge;
+    }
+
     public boolean isForwardRoleAsJwtClaims() {
         return forwardRoleAsJwtClaims;
     }
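Review bot: The new `createSessionToken` body copies only `code_challenge` into the redirection state and not `code_challenge_method`, so at token exchange the handler cannot tell per request whether the challenge was plain or S256 and the decision is forced globally through `useS256CodeChallenge`. If the CXF version in use exposes a method setter on `OAuthRedirectionState`, propagating `params.getFirst(OAuthConstants.AUTHORIZATION_CODE_CHALLENGE_METHOD)` alongside would let the verifier follow what the client declared. The trailing `// CXF-8368` should say what is being worked around so the override can be dropped later, e.g. `// workaround for CXF-8368: keep the client's code_challenge in the redirection state; remove once fixed upstream`. The hunk starts on the previous line and the `sessionAuthenticityTokenProvider` setup continues after it.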
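Review bot: `useS256CodeChallenge` defaults to `true`, so every existing deployment switches to digest verification of PKCE challenges on upgrade; if the CXF handler previously compared challenges plainly, public clients that still send an undigested `code_challenge` will start failing the token exchange, and neither the description string nor the commit message calls that out. The description `"Are the code_challenge used by PKCE flow digested or not."` is also hard to parse for an operator; something like `description = "Whether PKCE code_challenge values are verified with the S256 (SHA-256) method instead of plain comparison, default true."` names the method and the default. The getter/setter hunk that follows is plain boilerplate and needs no change.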