Repository: cxf Updated Branches: refs/heads/3.0.x-fixes cf10e17aa -> 2604c6060
[CXF-6165,CXF-5607] Cleaning up the demo a bit, minor OIDC RP code refactoring Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2604c606 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2604c606 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2604c606 Branch: refs/heads/3.0.x-fixes Commit: 2604c60609d0beee42ecb27df56dc87078bdfc63 Parents: cf10e17 Author: Sergey Beryozkin <[email protected]> Authored: Tue Jul 7 15:24:31 2015 +0100 Committer: Sergey Beryozkin <[email protected]> Committed: Tue Jul 7 15:33:32 2015 +0100 ---------------------------------------------------------------------- .../cxf/rs/security/oidc/rp/IdTokenReader.java | 55 ++++++++++++++++++++ .../rs/security/oidc/rp/IdTokenValidator.java | 55 -------------------- .../oidc/rp/OidcClientCodeRequestFilter.java | 17 +++--- .../oidc/rp/OidcIdTokenRequestFilter.java | 8 +-- .../oidc/rp/OidcRpAuthenticationService.java | 8 ++- .../cxf/rs/security/oidc/rp/UserInfoClient.java | 2 +- 6 files changed, 74 insertions(+), 71 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/2604c606/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
new file mode 100644
index 0000000..35c2456
--- /dev/null
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java 
@@ -0,0 +1,55 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oidc.rp;
+
+import org.apache.cxf.rs.security.jose.jwt.JwtToken;
+import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
+import org.apache.cxf.rs.security.oidc.common.IdToken;
+import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
+
+public class IdTokenReader extends AbstractTokenValidator {
+ private boolean requireAtHash = true;
+
+ public IdToken getIdToken(ClientAccessToken at, String clientId) {
+ JwtToken jwt = getIdJwtToken(at, clientId);
+ return getIdTokenFromJwt(jwt);
+ }
+ public IdToken getIdToken(String idJwtToken, String clientId) {
+ JwtToken jwt = getIdJwtToken(idJwtToken, clientId);
+ return getIdTokenFromJwt(jwt);
+ }
+ public JwtToken getIdJwtToken(ClientAccessToken at, String clientId) {
+ String idJwtToken = at.getParameters().get(OidcUtils.ID_TOKEN);
+ JwtToken jwt = getIdJwtToken(idJwtToken, clientId);
+ OidcUtils.validateAccessTokenHash(at, jwt, requireAtHash);
+ return jwt;
+ }
+ public JwtToken getIdJwtToken(String idJwtToken, String clientId) {
+ JwtToken jwt = getJwtToken(idJwtToken, null, false);
+ validateJwtClaims(jwt.getClaims(), clientId, true);
+ return jwt; 
+ }
+ public IdToken getIdTokenFromJwt(JwtToken jwt) {
+ //TODO: do the extra validation if needed
+ return new IdToken(jwt.getClaims().asMap());
+ }
+ public void setRequireAtHash(boolean requireAtHash) {
+ this.requireAtHash = requireAtHash;
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2604c606/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenValidator.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenValidator.java
deleted file mode 100644
index 214a5b1..0000000
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenValidator.java
+++ /dev/null 
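Review bot: `getIdJwtToken(ClientAccessToken, String)` reads `at.getParameters().get(OidcUtils.ID_TOKEN)` and hands the result to `getJwtToken` with no null check, so a token response that carries no `id_token` (a plain OAuth2 server, or an OP that only issues one for the `openid` scope) fails somewhere inside `AbstractTokenValidator`, which is outside this diff, rather than with an explicit rejection — unless that helper already guards null, which cannot be confirmed here. A guard before the call such as `if (idJwtToken == null) { throw new SecurityException("Token response does not contain an id_token"); }` makes the failure deliberate (use whichever exception type the rest of the RP code throws). The `//TODO: do the extra validation if needed` in `getIdTokenFromJwt` should be replaced by a comment that says which ID token checks this class delegates to `validateJwtClaims` and that no nonce is passed in here, so nonce verification, if required by the flow, has to happen in the caller; readers otherwise assume the returned `IdToken` is fully validated per OIDC Core 3.1.3.7. The overload taking a raw JWT string also skips the `at_hash` check by design, which is worth a one-line Javadoc on that method.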
@@ -1,55 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oidc.rp;
-
-import org.apache.cxf.rs.security.jose.jwt.JwtToken;
-import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
-import org.apache.cxf.rs.security.oidc.common.IdToken;
-import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
-
-public class IdTokenValidator extends AbstractTokenValidator {
- private boolean requireAtHash = true;
-
- public IdToken getIdToken(ClientAccessToken at, String clientId) {
- JwtToken jwt = getIdJwtToken(at, clientId);
- return getIdTokenFromJwt(jwt);
- }
- public IdToken getIdToken(String idJwtToken, String clientId) {
- JwtToken jwt = getIdJwtToken(idJwtToken, clientId);
- return getIdTokenFromJwt(jwt);
- }
- public JwtToken getIdJwtToken(ClientAccessToken at, String clientId) {
- String idJwtToken = at.getParameters().get(OidcUtils.ID_TOKEN);
- JwtToken jwt = getIdJwtToken(idJwtToken, clientId);
- OidcUtils.validateAccessTokenHash(at, jwt, requireAtHash);
- return jwt;
- }
- public JwtToken getIdJwtToken(String idJwtToken, String clientId) {
- JwtToken jwt = getJwtToken(idJwtToken, null, false);
- validateJwtClaims(jwt.getClaims(), clientId, true);
- return 
jwt;
- }
- public IdToken getIdTokenFromJwt(JwtToken jwt) {
- //TODO: do the extra validation if needed
- return new IdToken(jwt.getClaims().asMap());
- }
- public void setRequireAtHash(boolean requireAtHash) {
- this.requireAtHash = requireAtHash;
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2604c606/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
index a509be9..1e96b7d 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
@@ -28,8 +28,8 @@ import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
 public class OidcClientCodeRequestFilter extends ClientCodeRequestFilter {
- private UserInfoClient userInfoClient;
- private boolean userInfoRequired = true;
+ private IdTokenReader idTokenReader;
+
 @Override
 protected ClientTokenContext createTokenContext(ContainerRequestContext rc, ClientAccessToken at) {
 if (rc.getSecurityContext() instanceof OidcSecurityContext) { 
@@ -37,8 +37,9 @@ public class OidcClientCodeRequestFilter extends ClientCodeRequestFilter {
 }
 OidcClientTokenContextImpl ctx = new OidcClientTokenContextImpl();
 if (at != null) {
- ctx.setIdToken(userInfoClient.getIdToken(at, getConsumer().getKey()));
- if (userInfoRequired) {
+ ctx.setIdToken(idTokenReader.getIdToken(at, getConsumer().getKey()));
+ if (idTokenReader instanceof UserInfoClient) {
+ UserInfoClient userInfoClient = (UserInfoClient)idTokenReader;
 ctx.setUserInfo(userInfoClient.getUserInfo(at, ctx.getIdToken()));
 }
 rc.setSecurityContext(new OidcSecurityContext(ctx));
@@ -46,12 +47,10 @@ public class OidcClientCodeRequestFilter extends ClientCodeRequestFilter {
 return ctx;
 }
- public void setUserInfoClient(UserInfoClient userInfoClient) {
- this.userInfoClient = userInfoClient;
- }
- public void setUserInfoRequired(boolean userInfoRequired) {
- this.userInfoRequired = userInfoRequired;
+ public void setIdTokenReader(IdTokenReader idTokenReader) {
+ this.idTokenReader = idTokenReader;
 }
+
 @Override
 protected void checkSecurityContextStart(ContainerRequestContext rc) {
 SecurityContext sc = rc.getSecurityContext();
http://git-wip-us.apache.org/repos/asf/cxf/blob/2604c606/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java
index 26845e0..57c6b24 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java 
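Review bot: In `createTokenContext` the userinfo request is now triggered only by `idTokenReader instanceof UserInfoClient`, so the removed `userInfoRequired` switch has no replacement: every deployment that wires a `UserInfoClient` now makes an extra call to the userinfo endpoint on each login, and there is no way to keep a `UserInfoClient` as the reader and skip that call. If that is intended, say so on the setter, e.g. `/** Reader used to validate the id_token; if it is a UserInfoClient the userinfo endpoint is queried as well. */`; otherwise keep a `userInfoRequired` flag and test both. A type test on a class the module owns is also less explicit than a `boolean isUserInfoRequired()` hook on `IdTokenReader` that `UserInfoClient` overrides, which would remove the cast. `idTokenReader` is dereferenced without a null check, so a filter configured without a reader fails with an NPE on the first callback rather than with a configuration error at startup.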
@@ -34,7 +34,7 @@ import org.apache.cxf.rs.security.oidc.common.IdToken;
 public class OidcIdTokenRequestFilter implements ContainerRequestFilter {
 private String tokenFormParameter = "idtoken";
- private IdTokenValidator idTokenValidator;
+ private IdTokenReader idTokenReader;
 private OAuthClientUtils.Consumer consumer;
 @Override
@@ -46,7 +46,7 @@ public class OidcIdTokenRequestFilter implements ContainerRequestFilter {
 return;
 }
- IdToken idToken = idTokenValidator.getIdToken(idTokenParamValue, consumer.getKey());
+ IdToken idToken = idTokenReader.getIdToken(idTokenParamValue, consumer.getKey());
 JAXRSUtils.getCurrentMessage().setContent(IdToken.class, idToken);
 requestContext.setSecurityContext(new OidcSecurityContext(idToken));
@@ -60,8 +60,8 @@ public class OidcIdTokenRequestFilter implements ContainerRequestFilter {
 }
 return requestState;
 }
- public void setIdTokenValidator(IdTokenValidator validator) {
- this.idTokenValidator = validator;
+ public void setIdTokenReader(IdTokenReader idTokenReader) {
+ this.idTokenReader = idTokenReader;
 }
 public void setTokenFormParameter(String tokenFormParameter) {
 this.tokenFormParameter = tokenFormParameter;
http://git-wip-us.apache.org/repos/asf/cxf/blob/2604c606/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationService.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationService.java
index 26f2366..5857159 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationService.java 
@@ -58,13 +58,17 @@ public class OidcRpAuthenticationService {
 URI redirectUri = null;
 MultivaluedMap<String, String> state = oidcContext.getState();
 String location = state != null ? state.getFirst("state") : null;
- if (location == null) {
+ if (location == null && defaultLocation != null) {
 String basePath = (String)mc.get("http.base.path");
 redirectUri = UriBuilder.fromUri(basePath).path(defaultLocation).build();
 } else {
 redirectUri = URI.create(location);
 }
- return Response.seeOther(redirectUri).build();
+ if (redirectUri != null) {
+ return Response.seeOther(redirectUri).build();
+ } else {
+ return Response.ok(oidcContext).build();
+ }
 }
 public void setDefaultLocation(String defaultLocation) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/2604c606/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java
index 20cf640..1823f12 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java
@@ -25,7 +25,7 @@ import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
 import org.apache.cxf.rs.security.oidc.common.IdToken;
 import org.apache.cxf.rs.security.oidc.common.UserInfo;
-public class UserInfoClient extends IdTokenValidator {
+public class UserInfoClient extends IdTokenReader {
 private boolean encryptedOnly;
 private WebClient profileClient;
 public UserInfo getUserInfo(ClientAccessToken at, IdToken idToken) {
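Review bot: The new condition `if (location == null && defaultLocation != null)` routes the case where both `location` and `defaultLocation` are null into the `else` branch, where `URI.create(location)` throws a NullPointerException, so the `redirectUri != null` test added below it can never be false and the `Response.ok(oidcContext)` fallback is dead code. Branching on `location` first, then on `defaultLocation`, and leaving `redirectUri` null otherwise gives the fallback a chance to run (rewrite below). The redirect target is taken from `state.getFirst("state")`; if that value can originate from the incoming request rather than from a location the RP itself stored before redirecting to the provider, it should be constrained to a relative or same-origin URI before `seeOther`, otherwise this is an open redirect — whether the state map is attacker-influenced cannot be determined from this hunk. Returning `oidcContext` as the entity serialises whatever the context carries, which in this module includes the ID token and possibly the access token, so confirm that is acceptable beyond the demo. The enclosing method's signature is above the hunk.
```java
        String location = state != null ? state.getFirst("state") : null;
        if (location != null) {
            redirectUri = URI.create(location);
        } else if (defaultLocation != null) {
            String basePath = (String)mc.get("http.base.path");
            redirectUri = UriBuilder.fromUri(basePath).path(defaultLocation).build();
        }
        // … unchanged: seeOther(redirectUri) when set, otherwise Response.ok(oidcContext) …
```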
