Repository: cxf Updated Branches: refs/heads/master e92477bc8 -> f3cfadb6e
[CXF-6165,CXF-5607] Cleaning up the demo a bit, minor OIDC RP code refactoring Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/f3cfadb6 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/f3cfadb6 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/f3cfadb6 Branch: refs/heads/master Commit: f3cfadb6e7bae9233a03fa6bf862ed8eb64ce237 Parents: e92477b Author: Sergey Beryozkin <[email protected]> Authored: Tue Jul 7 15:24:31 2015 +0100 Committer: Sergey Beryozkin <[email protected]> Committed: Tue Jul 7 15:24:31 2015 +0100 ---------------------------------------------------------------------- .../java/demo/jaxrs/server/BigQueryService.java | 11 +- .../main/webapp/WEB-INF/applicationContext.xml | 205 ++++++++++--------- .../cxf/rs/security/oidc/rp/IdTokenReader.java | 55 +++++ .../rs/security/oidc/rp/IdTokenValidator.java | 55 ----- .../oidc/rp/OidcClientCodeRequestFilter.java | 17 +- .../oidc/rp/OidcIdTokenRequestFilter.java | 8 +- .../oidc/rp/OidcRpAuthenticationService.java | 25 +-- .../cxf/rs/security/oidc/rp/UserInfoClient.java | 2 +- 8 files changed, 194 insertions(+), 184 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/f3cfadb6/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java ---------------------------------------------------------------------- diff --git a/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java b/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java index 00151d9..2c1932f 100644 --- a/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java +++ b/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryService.java 
@@ -67,12 +67,21 @@ public class BigQueryService { String searchWord = state.getFirst("word"); String maxResults = state.getFirst("maxResults"); - BigQueryResponse bigQueryResponse = new BigQueryResponse(context.getUserInfo().getName(), + BigQueryResponse bigQueryResponse = new BigQueryResponse(getUserInfo(context), searchWord); bigQueryResponse.setTexts(getMatchingTexts(bigQueryClient, accessToken, searchWord, maxResults)); return bigQueryResponse; } + private String getUserInfo(OidcClientTokenContext context) { + if (context.getUserInfo() != null) { + return context.getUserInfo().getName(); + } else { + return context.getIdToken().getSubject(); + } + + } + public void setBigQueryClient(WebClient bigQueryClient) { this.bigQueryClient = bigQueryClient; } http://git-wip-us.apache.org/repos/asf/cxf/blob/f3cfadb6/distribution/src/main/release/samples/jax_rs/big_query/src/main/webapp/WEB-INF/applicationContext.xml ---------------------------------------------------------------------- diff --git a/distribution/src/main/release/samples/jax_rs/big_query/src/main/webapp/WEB-INF/applicationContext.xml b/distribution/src/main/release/samples/jax_rs/big_query/src/main/webapp/WEB-INF/applicationContext.xml index b004067..e6d20df 100644 --- a/distribution/src/main/release/samples/jax_rs/big_query/src/main/webapp/WEB-INF/applicationContext.xml +++ b/distribution/src/main/release/samples/jax_rs/big_query/src/main/webapp/WEB-INF/applicationContext.xml 
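Review bot: The new `getUserInfo` helper dereferences `context.getIdToken()` without a null check, so a context that carries neither a UserInfo nor an IdToken fails with a NullPointerException inside the resource instead of a clear error; as far as this commit shows (`OidcClientCodeRequestFilter.createTokenContext` only sets the ID token inside its `at != null` branch), the fallback is not guaranteed to be present. I would fail explicitly: `if (context.getIdToken() == null) { throw new IllegalStateException("OIDC context has neither UserInfo nor IdToken"); } return context.getIdToken().getSubject();`. The stray blank line before the helper's closing brace can also go. The method whose tail (`return bigQueryResponse;`) opens the hunk starts outside it.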
@@ -6,24 +6,119 @@ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jaxrs="http://cxf.apache.org/jaxrs" xmlns:jaxrsclient="http://cxf.apache.org/jaxrs-client" - xmlns:http="http://cxf.apache.org/transports/http/configuration" - xmlns:sec="http://cxf.apache.org/configuration/security" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd http://cxf.apache.org/jaxrs http://cxf.apache.org/schemas/jaxrs.xsd http://cxf.apache.org/jaxrs-client - http://cxf.apache.org/schemas/jaxrs-client.xsd - http://cxf.apache.org/transports/http/configuration - http://cxf.apache.org/schemas/configuration/http-conf.xsd - http://cxf.apache.org/configuration/security - http://cxf.apache.org/schemas/configuration/security.xsd"> + http://cxf.apache.org/schemas/jaxrs-client.xsd"> - <!-- CXF Logging Feature --> <bean id="loggingFeature" class="org.apache.cxf.feature.LoggingFeature"/> + <!-- + 1. Big Query Client Application: + accepts a form query and uses an OAuth2 access token to query BigQuery service + with a bigQueryClient client + --> + <jaxrs:server id="bigQueryServer" address="/search"> + <jaxrs:serviceBeans> + <ref bean="bigQueryService"/> + </jaxrs:serviceBeans> + <jaxrs:providers> + <!-- Checks that a client is authenticated with Google --> + <ref bean="oidcRpFilter"/> + + <!-- supports the mapping of the big query search result to HTML --> + <ref bean="searchView"/> + + <!-- JAX-RS provider that makes OidcClientTokenContext available as JAX-RS @Context --> + <ref bean="clientTokenContextProvider"/> + </jaxrs:providers> + <jaxrs:features> + <ref bean="loggingFeature"/> + </jaxrs:features> + </jaxrs:server> + + <!-- JAX-RS provider that makes OidcClientTokenContext available as JAX-RS @Context --> + <bean id="clientTokenContextProvider" class="org.apache.cxf.rs.security.oauth2.client.ClientTokenContextProvider"/> + + <bean id="bigQueryService" class="demo.jaxrs.server.BigQueryService"> + <property 
name="bigQueryClient" ref="bigQueryClient"/> + </bean> + + <jaxrsclient:client id="bigQueryClient" threadSafe="true" + address="https://www.googleapis.com/bigquery/v2/projects/${project_id}/queries" + serviceClass="org.apache.cxf.jaxrs.client.WebClient"> + <jaxrsclient:headers> + <entry key="Accept" value="application/json"/> + <entry key="Content-Type" value="application/json"/> + </jaxrsclient:headers> + <jaxrsclient:providers> + <bean class="org.apache.cxf.jaxrs.provider.json.JsonMapObjectProvider"/> + </jaxrsclient:providers> + </jaxrsclient:client> + + <bean id="searchView" class="org.apache.cxf.jaxrs.provider.RequestDispatcherProvider"> + <property name="useClassNames" value="true"/> + <property name="locationPrefix" value="/forms/"/> + </bean> + + <bean id="oidcRpFilter" class="org.apache.cxf.rs.security.oidc.rp.OidcRpAuthenticationFilter"> + <!-- + This state manager is shared between this filter and the RP endpoint, + the RP endpoint sets an OIDC context on it and this filter checks the context is available + --> + <property name="stateManager" ref="stateManager"/> + + <!-- RP endpoint address to redirect to if no OIDC context is available --> + <property name="rpServiceAddress" value="oidc/rp"/> + </bean> + + <!-- + 2. 
OIDC RP endpoint: authenticates a user by redirecting a user to Google, and redirects the user + to the initial application form once the authentication is done + --> + <jaxrs:server id="oidcRpServer" address="/oidc"> + <jaxrs:serviceBeans> + <ref bean="oidcRpService"/> + </jaxrs:serviceBeans> + <jaxrs:providers> + <!-- the filter which does the actual work for obtaining an OIDC context --> + <ref bean="rpOidcRequestFilter"/> + + <!-- JAX-RS provider that makes OidcClientTokenContext available as JAX-RS @Context --> + <ref bean="clientTokenContextProvider"/> + </jaxrs:providers> + <jaxrs:features> + <ref bean="loggingFeature"/> + </jaxrs:features> + </jaxrs:server> + + <bean id="oidcRpService" class="org.apache.cxf.rs.security.oidc.rp.OidcRpAuthenticationService"> + <!-- This state manager is shared between this RP endpoint and the oidcRpFilter which protects + the application endpoint, the RP endpoint sets an OIDC context on it and the filter checks + the context is available --> + <property name="stateManager" ref="stateManager"/> + <!-- Where to redirect to once the authentication is complete --> + <property name="defaultLocation" value="/forms/startSearch.jsp"/> + </bean> + <!-- The state manager shared between the RP and application endpoints --> + <bean id="stateManager" class="org.apache.cxf.rs.security.oauth2.client.MemoryClientTokenContextManager"/> + + <bean id="rpOidcRequestFilter" class="org.apache.cxf.rs.security.oidc.rp.OidcClientCodeRequestFilter"> + <property name="clientCodeStateManager" ref="rpClientCodeStateManager"/> + <property name="scopes" value="openid email profile https://www.googleapis.com/auth/bigquery.readonly"/> + <property name="accessTokenServiceClient" ref="atServiceClient"/> + <property name="idTokenReader" ref="userInfoClient"/> + <property name="consumer" ref="consumer"/> + <property name="authorizationServiceUri" value="https://accounts.google.com/o/oauth2/auth"/> + <property name="startUri" value="rp"/> + <property 
name="completeUri" value="rp/complete"/> + </bean> + <bean id="rpClientCodeStateManager" class="org.apache.cxf.rs.security.oauth2.client.MemoryClientCodeStateManager"/> + <!-- WebClient for requesting an OAuth2 Access token --> <jaxrsclient:client id="atServiceClient" threadSafe="true" 
@@ -78,100 +173,10 @@ <property name="userInfoServiceClient" ref="userInfoServiceClient"/> <property name="clockOffset" value="10"/> </bean> - + <bean id="consumer" class="org.apache.cxf.rs.security.oauth2.client.Consumer"> <property name="key" value="${client_id}"/> <property name="secret" value="${client_secret}"/> - </bean> - <bean id="clientCodeStateManager" class="org.apache.cxf.rs.security.oauth2.client.MemoryClientCodeStateManager"/> - - <bean id="bigQueryService" class="demo.jaxrs.server.BigQueryService"> - <property name="bigQueryClient" ref="bigQueryClient"/> - </bean> - - <!-- BigQuery WebClient --> - <jaxrsclient:client id="bigQueryClient" threadSafe="true" - address="https://www.googleapis.com/bigquery/v2/projects/${project_id}/queries" - serviceClass="org.apache.cxf.jaxrs.client.WebClient"> - <jaxrsclient:headers> - <entry key="Accept" value="application/json"/> - <entry key="Content-Type" value="application/json"/> - </jaxrsclient:headers> - <jaxrsclient:providers> - <bean class="org.apache.cxf.jaxrs.provider.json.JsonMapObjectProvider"/> - </jaxrsclient:providers> - </jaxrsclient:client> - - <bean id="searchView" class="org.apache.cxf.jaxrs.provider.RequestDispatcherProvider"> - <property name="useClassNames" value="true"/> - <property name="locationPrefix" value="/forms/"/> - </bean> - <jaxrs:server id="bigQueryServer" address="/search"> - <jaxrs:serviceBeans> - <ref bean="bigQueryService"/> - </jaxrs:serviceBeans> - <jaxrs:providers> - <ref bean="oidcRpFilter"/> - <ref bean="searchView"/> - <bean class="org.apache.cxf.rs.security.oauth2.client.ClientTokenContextProvider"/> - </jaxrs:providers> - <jaxrs:features> - <ref bean="loggingFeature"/> - </jaxrs:features> - </jaxrs:server> - - <bean id="stateManager" class="org.apache.cxf.rs.security.oauth2.client.MemoryClientTokenContextManager"/> - - <bean id="oidcRpFilter" class="org.apache.cxf.rs.security.oidc.rp.OidcRpAuthenticationFilter"> - <property name="stateManager" ref="stateManager"/> - 
<property name="rpServiceAddress" value="oidc/rp"/> - </bean> - - <bean id="oidcRpService" class="org.apache.cxf.rs.security.oidc.rp.OidcRpAuthenticationService"> - <property name="stateManager" ref="stateManager"/> - <property name="defaultLocation" value="/forms/startSearch.jsp"/> - <!-- - <property name="useRedirect" value="false"/> - --> - </bean> - - <jaxrs:server id="oidcRpServer" address="/oidc"> - <jaxrs:serviceBeans> - <ref bean="oidcRpService"/> - </jaxrs:serviceBeans> - <jaxrs:providers> - <!-- - <ref bean="rpOidcRequestFilter"/> - --> - <ref bean="rpOidcTokenFilter"/> - <!-- - <ref bean="searchView"/> - --> - <!-- - <bean class="org.apache.cxf.rs.security.oauth2.client.ClientTokenContextProvider"/> - --> - <bean class="org.apache.cxf.rs.security.oidc.rp.OidcIdTokenProvider"/> - </jaxrs:providers> - <jaxrs:features> - <ref bean="loggingFeature"/> - </jaxrs:features> - </jaxrs:server> - - <bean id="rpClientCodeStateManager" class="org.apache.cxf.rs.security.oauth2.client.MemoryClientCodeStateManager"/> - <bean id="rpOidcRequestFilter" class="org.apache.cxf.rs.security.oidc.rp.OidcClientCodeRequestFilter"> - <property name="clientCodeStateManager" ref="rpClientCodeStateManager"/> - <property name="scopes" value="openid email profile https://www.googleapis.com/auth/bigquery.readonly"/> - <property name="accessTokenServiceClient" ref="atServiceClient"/> - <property name="userInfoClient" ref="userInfoClient"/> - <property name="consumer" ref="consumer"/> - <property name="authorizationServiceUri" value="https://accounts.google.com/o/oauth2/auth"/> - <property name="startUri" value="rp"/> - <property name="completeUri" value="rp/complete"/> - </bean> - <bean id="rpOidcTokenFilter" class="org.apache.cxf.rs.security.oidc.rp.OidcIdTokenRequestFilter"> - <property name="idTokenValidator" ref="userInfoClient"/> - <property name="consumer" ref="consumer"/> - </bean> - + </bean> </beans> 
http://git-wip-us.apache.org/repos/asf/cxf/blob/f3cfadb6/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java new file mode 100644 index 0000000..35c2456 --- /dev/null +++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java 
@@ -0,0 +1,55 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.rs.security.oidc.rp; + +import org.apache.cxf.rs.security.jose.jwt.JwtToken; +import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken; +import org.apache.cxf.rs.security.oidc.common.IdToken; +import org.apache.cxf.rs.security.oidc.utils.OidcUtils; + +public class IdTokenReader extends AbstractTokenValidator { + private boolean requireAtHash = true; + + public IdToken getIdToken(ClientAccessToken at, String clientId) { + JwtToken jwt = getIdJwtToken(at, clientId); + return getIdTokenFromJwt(jwt); + } + public IdToken getIdToken(String idJwtToken, String clientId) { + JwtToken jwt = getIdJwtToken(idJwtToken, clientId); + return getIdTokenFromJwt(jwt); + } + public JwtToken getIdJwtToken(ClientAccessToken at, String clientId) { + String idJwtToken = at.getParameters().get(OidcUtils.ID_TOKEN); + JwtToken jwt = getIdJwtToken(idJwtToken, clientId); + OidcUtils.validateAccessTokenHash(at, jwt, requireAtHash); + return jwt; + } + public JwtToken getIdJwtToken(String idJwtToken, String clientId) { + JwtToken jwt = getJwtToken(idJwtToken, null, false); + validateJwtClaims(jwt.getClaims(), clientId, true); + return jwt; 
+ } + public IdToken getIdTokenFromJwt(JwtToken jwt) { + //TODO: do the extra validation if needed + return new IdToken(jwt.getClaims().asMap()); + } + public void setRequireAtHash(boolean requireAtHash) { + this.requireAtHash = requireAtHash; + } +} http://git-wip-us.apache.org/repos/asf/cxf/blob/f3cfadb6/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenValidator.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenValidator.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenValidator.java deleted file mode 100644 index 214a5b1..0000000 --- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenValidator.java +++ /dev/null 
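Review bot: `getIdJwtToken(ClientAccessToken, String)` passes whatever `at.getParameters().get(OidcUtils.ID_TOKEN)` returns straight into the String overload, so an access-token response that simply lacks an `id_token` reaches `getJwtToken(null, null, false)` rather than being rejected as a missing ID token; I would guard at the top of the String overload with `if (idJwtToken == null) { throw new OAuthServiceException("ID token is missing"); }`, using whichever exception type `AbstractTokenValidator` (outside this diff) already throws for invalid tokens. The class is public API and has no Javadoc; a class comment should state that it checks the ID token's claims against `clientId` via `validateJwtClaims` and, for the access-token overload, the `at_hash` binding to the access token controlled by `setRequireAtHash` (default `true`). The `//TODO: do the extra validation if needed` in `getIdTokenFromJwt` should either name the validation that is meant or be dropped, since a reader will otherwise assume the claim checks are incomplete.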
@@ -1,55 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.cxf.rs.security.oidc.rp; - -import org.apache.cxf.rs.security.jose.jwt.JwtToken; -import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken; -import org.apache.cxf.rs.security.oidc.common.IdToken; -import org.apache.cxf.rs.security.oidc.utils.OidcUtils; - -public class IdTokenValidator extends AbstractTokenValidator { - private boolean requireAtHash = true; - - public IdToken getIdToken(ClientAccessToken at, String clientId) { - JwtToken jwt = getIdJwtToken(at, clientId); - return getIdTokenFromJwt(jwt); - } - public IdToken getIdToken(String idJwtToken, String clientId) { - JwtToken jwt = getIdJwtToken(idJwtToken, clientId); - return getIdTokenFromJwt(jwt); - } - public JwtToken getIdJwtToken(ClientAccessToken at, String clientId) { - String idJwtToken = at.getParameters().get(OidcUtils.ID_TOKEN); - JwtToken jwt = getIdJwtToken(idJwtToken, clientId); - OidcUtils.validateAccessTokenHash(at, jwt, requireAtHash); - return jwt; - } - public JwtToken getIdJwtToken(String idJwtToken, String clientId) { - JwtToken jwt = getJwtToken(idJwtToken, null, false); - validateJwtClaims(jwt.getClaims(), clientId, true); - return 
jwt; - } - public IdToken getIdTokenFromJwt(JwtToken jwt) { - //TODO: do the extra validation if needed - return new IdToken(jwt.getClaims().asMap()); - } - public void setRequireAtHash(boolean requireAtHash) { - this.requireAtHash = requireAtHash; - } -} http://git-wip-us.apache.org/repos/asf/cxf/blob/f3cfadb6/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java index a509be9..1e96b7d 100644 --- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java +++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java @@ -28,8 +28,8 @@ import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken; public class OidcClientCodeRequestFilter extends ClientCodeRequestFilter { - private UserInfoClient userInfoClient; - private boolean userInfoRequired = true; + private IdTokenReader idTokenReader; + @Override protected ClientTokenContext createTokenContext(ContainerRequestContext rc, ClientAccessToken at) { if (rc.getSecurityContext() instanceof OidcSecurityContext) { 
@@ -37,8 +37,9 @@ public class OidcClientCodeRequestFilter extends ClientCodeRequestFilter { } OidcClientTokenContextImpl ctx = new OidcClientTokenContextImpl(); if (at != null) { - ctx.setIdToken(userInfoClient.getIdToken(at, getConsumer().getKey())); - if (userInfoRequired) { + ctx.setIdToken(idTokenReader.getIdToken(at, getConsumer().getKey())); + if (idTokenReader instanceof UserInfoClient) { + UserInfoClient userInfoClient = (UserInfoClient)idTokenReader; ctx.setUserInfo(userInfoClient.getUserInfo(at, ctx.getIdToken())); } rc.setSecurityContext(new OidcSecurityContext(ctx)); @@ -46,12 +47,10 @@ public class OidcClientCodeRequestFilter extends ClientCodeRequestFilter { return ctx; } - public void setUserInfoClient(UserInfoClient userInfoClient) { - this.userInfoClient = userInfoClient; - } - public void setUserInfoRequired(boolean userInfoRequired) { - this.userInfoRequired = userInfoRequired; + public void setIdTokenReader(IdTokenReader idTokenReader) { + this.idTokenReader = idTokenReader; } + @Override protected void checkSecurityContextStart(ContainerRequestContext rc) { SecurityContext sc = rc.getSecurityContext(); http://git-wip-us.apache.org/repos/asf/cxf/blob/f3cfadb6/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java index e7a6e64..d075b0b 100644 --- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java +++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java 
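Review bot: In `createTokenContext` the `userInfoRequired` switch is replaced by an `instanceof UserInfoClient` downcast on `idTokenReader`, so whether the UserInfo endpoint is called is now decided implicitly by the injected bean type, and a deployment that wires a `UserInfoClient` can no longer opt out of that extra round trip (the `setUserInfoRequired` setter is removed without deprecation, so existing Spring configurations that reference it will fail to load). If that is intended, the new `setIdTokenReader` should say so in Javadoc, e.g. `/** Reader used to validate the ID token; if a {@link UserInfoClient} is supplied, the UserInfo endpoint is also queried and the result set on the context. */`. `idTokenReader.getIdToken(...)` is also called without checking that the reader was configured, so a missing property surfaces as a NullPointerException during the callback; `this.idTokenReader = Objects.requireNonNull(idTokenReader, "idTokenReader");` in the setter (with a `java.util.Objects` import) makes the misconfiguration explicit. `createTokenContext` ends outside this hunk.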
@@ -34,7 +34,7 @@ import org.apache.cxf.rs.security.oidc.common.IdToken; public class OidcIdTokenRequestFilter implements ContainerRequestFilter { private String tokenFormParameter = "idtoken"; - private IdTokenValidator idTokenValidator; + private IdTokenReader idTokenReader; private Consumer consumer; @Override @@ -46,7 +46,7 @@ public class OidcIdTokenRequestFilter implements ContainerRequestFilter { return; } - IdToken idToken = idTokenValidator.getIdToken(idTokenParamValue, consumer.getKey()); + IdToken idToken = idTokenReader.getIdToken(idTokenParamValue, consumer.getKey()); JAXRSUtils.getCurrentMessage().setContent(IdToken.class, idToken); requestContext.setSecurityContext(new OidcSecurityContext(idToken)); @@ -60,8 +60,8 @@ public class OidcIdTokenRequestFilter implements ContainerRequestFilter { } return requestState; } - public void setIdTokenValidator(IdTokenValidator validator) { - this.idTokenValidator = validator; + public void setIdTokenReader(IdTokenReader idTokenReader) { + this.idTokenReader = idTokenReader; } public void setTokenFormParameter(String tokenFormParameter) { this.tokenFormParameter = tokenFormParameter; http://git-wip-us.apache.org/repos/asf/cxf/blob/f3cfadb6/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationService.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationService.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationService.java index 74cccf0..0bb5239 100644 --- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationService.java +++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationService.java 
@@ -38,7 +38,6 @@ import org.apache.cxf.rs.security.oidc.common.IdToken; public class OidcRpAuthenticationService { private ClientTokenContextManager stateManager; private String defaultLocation; - private boolean useRedirect; @Context private MessageContext mc; @@ -55,16 +54,17 @@ public class OidcRpAuthenticationService { @Path("complete") public Response completeAuthentication(@Context OidcClientTokenContext oidcContext) { stateManager.setClientTokenContext(mc, oidcContext); - if (useRedirect) { - URI redirectUri = null; - MultivaluedMap<String, String> state = oidcContext.getState(); - String location = state != null ? state.getFirst("state") : null; - if (location == null) { - String basePath = (String)mc.get("http.base.path"); - redirectUri = UriBuilder.fromUri(basePath).path(defaultLocation).build(); - } else { - redirectUri = URI.create(location); - } + + URI redirectUri = null; + MultivaluedMap<String, String> state = oidcContext.getState(); + String location = state != null ? state.getFirst("state") : null; + if (location == null && defaultLocation != null) { + String basePath = (String)mc.get("http.base.path"); + redirectUri = UriBuilder.fromUri(basePath).path(defaultLocation).build(); + } else { + redirectUri = URI.create(location); + } + if (redirectUri != null) { return Response.seeOther(redirectUri).build(); } else { return Response.ok(oidcContext).build(); @@ -79,7 +79,4 @@ public class OidcRpAuthenticationService { this.stateManager = stateManager; } - public void setUseRedirect(boolean useRedirect) { - this.useRedirect = useRedirect; - } } http://git-wip-us.apache.org/repos/asf/cxf/blob/f3cfadb6/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java ---------------------------------------------------------------------- 
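Review bot: In `completeAuthentication`, the new `if (location == null && defaultLocation != null) … else { redirectUri = URI.create(location); }` routes the case where both `location` and `defaultLocation` are null into the `else` branch, so `URI.create(null)` throws a NullPointerException and the `Response.ok(oidcContext)` fallback behind the following `if (redirectUri != null)` is unreachable; the old code only avoided this because the block sat behind `useRedirect`. Branching on `location` first fixes it (below). Separately, `location` is taken from the stored state's `"state"` entry and passed to `URI.create` and `seeOther` with no check that it points back into this application; if that entry can be seeded from the original request (the hunk does not show where it is populated), this is an open redirect after a successful login, and the value should be validated as relative to, or prefixed by, `http.base.path` before use. `completeAuthentication` continues outside the hunk.
```java
        stateManager.setClientTokenContext(mc, oidcContext);

        URI redirectUri = null;
        MultivaluedMap<String, String> state = oidcContext.getState();
        String location = state != null ? state.getFirst("state") : null;
        if (location != null) {
            // TODO(review): confirm location is local to http.base.path before redirecting
            redirectUri = URI.create(location);
        } else if (defaultLocation != null) {
            String basePath = (String)mc.get("http.base.path");
            redirectUri = UriBuilder.fromUri(basePath).path(defaultLocation).build();
        }
        // … unchanged: seeOther-or-ok response …
```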
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java index 20cf640..1823f12 100644 --- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java +++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java @@ -25,7 +25,7 @@ import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken; import org.apache.cxf.rs.security.oidc.common.IdToken; import org.apache.cxf.rs.security.oidc.common.UserInfo; -public class UserInfoClient extends IdTokenValidator { +public class UserInfoClient extends IdTokenReader { private boolean encryptedOnly; private WebClient profileClient; public UserInfo getUserInfo(ClientAccessToken at, IdToken idToken) {
