Repository: cxf Updated Branches: refs/heads/master 332d930c5 -> 409f987dd
[CXF-6487] Support for nonce and few other oidc authorization flow paraneters Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/409f987d Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/409f987d Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/409f987d Branch: refs/heads/master Commit: 409f987dd9822b7ed0fca97cd795c9131882e07b Parents: 332d930 Author: Sergey Beryozkin <[email protected]> Authored: Fri Jul 10 12:45:37 2015 +0100 Committer: Sergey Beryozkin <[email protected]> Committed: Fri Jul 10 12:45:37 2015 +0100 ---------------------------------------------------------------------- .../oauth2/client/ClientCodeRequestFilter.java | 47 ++++++++--- .../client/JoseClientCodeStateManager.java | 46 ++++++++-- .../oauth2/client/OAuthClientUtils.java | 19 +++++ .../cxf/rs/security/oidc/common/IdToken.java | 14 ++++ .../cxf/rs/security/oidc/common/UserInfo.java | 4 +- .../cxf/rs/security/oidc/rp/IdTokenReader.java | 4 +- .../oidc/rp/OidcClientCodeRequestFilter.java | 88 +++++++++++++++++++- .../oidc/rp/OidcIdTokenRequestFilter.java | 2 +- 8 files changed, 196 insertions(+), 28 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/409f987d/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java index 72b2655..0e66e96 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java 
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java @@ -32,6 +32,7 @@ import javax.ws.rs.core.MediaType; import javax.ws.rs.core.MultivaluedMap; import javax.ws.rs.core.Response; import javax.ws.rs.core.SecurityContext; +import javax.ws.rs.core.UriBuilder; import javax.ws.rs.core.UriInfo; import org.apache.cxf.jaxrs.client.WebClient; @@ -63,7 +64,8 @@ public class ClientCodeRequestFilter implements ContainerRequestFilter { private boolean decodeRequestParameters; private long expiryThreshold; private String redirectUri; - + private boolean setFormPostResponseMode; + @Override public void filter(ContainerRequestContext rc) throws IOException { checkSecurityContextStart(rc); @@ -111,14 +113,24 @@ public class ClientCodeRequestFilter implements ContainerRequestFilter { String theState = redirectState != null ? redirectState.getFirst(OAuthConstants.STATE) : null; String redirectScope = redirectState != null ? redirectState.getFirst(OAuthConstants.SCOPE) : null; String theScope = redirectScope != null ? redirectScope : scopes; - URI uri = OAuthClientUtils.getAuthorizationURI(authorizationServiceUri, + UriBuilder ub = OAuthClientUtils.getAuthorizationURIBuilder(authorizationServiceUri, consumer.getKey(), getAbsoluteRedirectUri(ui).toString(), theState, theScope); + setAdditionalCodeRequestParams(ub, redirectState); + URI uri = ub.build(); return Response.seeOther(uri).build(); } + protected void setAdditionalCodeRequestParams(UriBuilder ub, MultivaluedMap<String, String> redirectState) { + if (setFormPostResponseMode) { + // This property is described in OIDC OAuth 2.0 Form Post Response Mode which is technically + // can be used without OIDC hence this is set in this filter as opposed to the OIDC specific one. + ub.queryParam("response_mode", "form_post"); + } + } + private URI getAbsoluteRedirectUri(UriInfo ui) { if (redirectUri != null) { return URI.create(redirectUri); 
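Review bot: `setAdditionalCodeRequestParams` hard-codes the `response_mode` and `form_post` literals, and the comment justifying why the OAuth2 filter rather than the OIDC one owns this setting is hard to parse as written. Suggest constants beside the other parameter names, `private static final String RESPONSE_MODE_PARAMETER = "response_mode";` and `private static final String FORM_POST_RESPONSE_MODE = "form_post";`, and rewording the comment to `// Form Post Response Mode is specified alongside OIDC but does not depend on it, so it is set in this filter rather than in the OIDC-specific one.` That comment should also carry a caveat a deployer needs: with form_post the authorization response reaches the redirect URI as a cross-site POST, so any session-backed state lookup relies on the session cookie being sent with that POST, which browsers applying a SameSite=Lax default may not do. `getAbsoluteRedirectUri` continues past the end of the hunk.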
@@ -146,19 +158,21 @@ public class ClientCodeRequestFilter implements ContainerRequestFilter { protected ClientTokenContext initializeClientTokenContext(ContainerRequestContext rc, ClientAccessToken at, - MultivaluedMap<String, String> params) { - ClientTokenContext tokenContext = createTokenContext(rc, at); - ((ClientTokenContextImpl)tokenContext).setToken(at); + MultivaluedMap<String, String> params) { + MultivaluedMap<String, String> state = null; if (clientStateManager != null) { - MultivaluedMap<String, String> state = clientStateManager.fromRedirectState(mc, params); - ((ClientTokenContextImpl)tokenContext).setState(state); + state = clientStateManager.fromRedirectState(mc, params); } - + ClientTokenContext tokenContext = createTokenContext(rc, at, state); + ((ClientTokenContextImpl)tokenContext).setToken(at); + ((ClientTokenContextImpl)tokenContext).setState(state); return tokenContext; } - protected ClientTokenContext createTokenContext(ContainerRequestContext rc, ClientAccessToken at) { + protected ClientTokenContext createTokenContext(ContainerRequestContext rc, + ClientAccessToken at, + MultivaluedMap<String, String> state) { return new ClientTokenContextImpl(); } 
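Review bot: The new `state` parameter of `createTokenContext` is null whenever no `clientStateManager` is configured, and nothing in the hunk says so, so an override that reads it will dereference null on exactly the deployments that skip state protection. Either document the contract on the hook, `/** @param state the verified redirect state, or null when no ClientCodeStateManager is configured */`, or have `initializeClientTokenContext` pass `new MetadataMap<String, String>()` in place of null so overrides can treat it as a map unconditionally. The two unconditional `(ClientTokenContextImpl)` casts also assume every override returns an Impl subtype; that requirement belongs in the same Javadoc.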
@@ -166,14 +180,17 @@ public class ClientCodeRequestFilter implements ContainerRequestFilter { JAXRSUtils.getCurrentMessage().setContent(ClientTokenContext.class, request); } - private MultivaluedMap<String, String> createRedirectState(ContainerRequestContext rc, UriInfo ui) { + protected MultivaluedMap<String, String> createRedirectState(ContainerRequestContext rc, UriInfo ui) { if (clientStateManager == null) { return null; } - return clientStateManager.toRedirectState(mc, toRequestState(rc, ui)); + return clientStateManager.toRedirectState(mc, + toCodeRequestState(rc, ui)); } - - private MultivaluedMap<String, String> toRequestState(ContainerRequestContext rc, UriInfo ui) { + protected MultivaluedMap<String, String> toCodeRequestState(ContainerRequestContext rc, UriInfo ui) { + return toRequestState(rc, ui); + } + protected MultivaluedMap<String, String> toRequestState(ContainerRequestContext rc, UriInfo ui) { MultivaluedMap<String, String> requestState = new MetadataMap<String, String>(); requestState.putAll(ui.getQueryParameters(decodeRequestParameters)); if (MediaType.APPLICATION_FORM_URLENCODED_TYPE.isCompatible(rc.getMediaType())) { @@ -266,4 +283,8 @@ public class ClientCodeRequestFilter implements ContainerRequestFilter { // Can be set to something like "postmessage" in some flows this.redirectUri = redirectUri; } + + public void setSetFormPostResponseMode(boolean setFormPostResponseMode) { + this.setFormPostResponseMode = setFormPostResponseMode; + } } http://git-wip-us.apache.org/repos/asf/cxf/blob/409f987d/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/JoseClientCodeStateManager.java ---------------------------------------------------------------------- 
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/JoseClientCodeStateManager.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/JoseClientCodeStateManager.java
index c3a7df4..4e90693 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/JoseClientCodeStateManager.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/JoseClientCodeStateManager.java
@@ -37,32 +37,52 @@ import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider; import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier; import org.apache.cxf.rs.security.jose.jws.JwsUtils; import org.apache.cxf.rs.security.jose.jws.NoneJwsSignatureProvider; +import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException; import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants; +import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils; public class JoseClientCodeStateManager implements ClientCodeStateManager { - private JwsSignatureProvider sigProvider; private JweEncryptionProvider encryptionProvider; private JweDecryptionProvider decryptionProvider; private JwsSignatureVerifier signatureVerifier; private JsonMapObjectReaderWriter jsonp = new JsonMapObjectReaderWriter(); + private boolean generateNonce; + private boolean storeInSession; @Override public MultivaluedMap<String, String> toRedirectState(MessageContext mc, MultivaluedMap<String, String> requestState) { + JweEncryptionProvider theEncryptionProvider = getInitializedEncryptionProvider(); + JwsSignatureProvider theSigProvider = getInitializedSigProvider(theEncryptionProvider); + if (theEncryptionProvider == null && theSigProvider == null) { + throw new OAuthServiceException("The state can not be protected"); + } + if (generateNonce && theSigProvider != null) { + JwsCompactProducer nonceProducer = new JwsCompactProducer(OAuthUtils.generateRandomTokenKey()); + String nonceParam = nonceProducer.signWith(theSigProvider); + requestState.putSingle("nonce", nonceParam); + } Map<String, Object> stateMap = CastUtils.cast((Map<?, ?>)requestState); String json = jsonp.toJson(stateMap); - JwsCompactProducer producer = new JwsCompactProducer(json); - JwsSignatureProvider theSigProvider = getInitializedSigProvider(); - String stateParam = producer.signWith(theSigProvider); + String stateParam = null; + if (theSigProvider != null) { + JwsCompactProducer stateProducer = new 
JwsCompactProducer(json); + stateParam = stateProducer.signWith(theSigProvider); + } - JweEncryptionProvider theEncryptionProvider = getInitializedEncryptionProvider(); if (theEncryptionProvider != null) { stateParam = theEncryptionProvider.encrypt(StringUtils.toBytesUTF8(stateParam), null); } MultivaluedMap<String, String> map = new MetadataMap<String, String>(); + if (storeInSession) { + String sessionStateAttribute = OAuthUtils.generateRandomTokenKey(); + OAuthUtils.setSessionToken(mc, stateParam, sessionStateAttribute, 0); + stateParam = sessionStateAttribute; + } map.putSingle(OAuthConstants.STATE, stateParam); + return map; } @@ -72,6 +92,10 @@ public class JoseClientCodeStateManager implements ClientCodeStateManager { String stateParam = redirectState.getFirst(OAuthConstants.STATE); + if (storeInSession) { + stateParam = OAuthUtils.getSessionToken(mc, stateParam); + } + JweDecryptionProvider jwe = getInitializedDecryptionProvider(); if (jwe != null) { stateParam = jwe.decrypt(stateParam).getContentText(); @@ -92,12 +116,12 @@ public class JoseClientCodeStateManager implements ClientCodeStateManager { this.sigProvider = signatureProvider; } - protected JwsSignatureProvider getInitializedSigProvider() { + protected JwsSignatureProvider getInitializedSigProvider(JweEncryptionProvider theEncryptionProvider) { if (sigProvider != null) { return sigProvider; } JwsSignatureProvider theSigProvider = JwsUtils.loadSignatureProvider(false); - if (theSigProvider == null) { + if (theSigProvider == null && theEncryptionProvider != null) { theSigProvider = new NoneJwsSignatureProvider(); } return theSigProvider; 
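Review bot: The nonce does not need to be a JWS: `generateNonce` wraps the random value in `JwsCompactProducer(...).signWith(theSigProvider)`, yet the nonce is only ever compared for equality with the copy carried inside the state, which is itself signed and/or encrypted, and when the signature provider is the `none` fallback the wrapper adds framing and nothing else. `requestState.putSingle("nonce", OAuthUtils.generateRandomTokenKey());` is sufficient, and it also drops the `theSigProvider != null` condition, which can no longer be false at that point because the check just above throws when both providers are absent. Two things I cannot confirm from this hunk and would want stated in a comment: that `OAuthUtils.generateRandomTokenKey()` is backed by `SecureRandom` (both the nonce and the session attribute name are unguessable-by-design values), and what the trailing `0` passed to `setSessionToken` means, since if it is a lifetime an unbounded entry keeps the state valid for the whole session.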
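Review bot: With `storeInSession` enabled, the session lookup can leave `stateParam` null (an unknown, replayed or already-consumed `state` value, or a callback with no `state` at all), and the method then passes null to `jwe.decrypt(...)` or the JWS verifier, so a forged or missing state surfaces as an exception from the JOSE layer rather than a deliberate rejection. Add `if (stateParam == null) { throw new OAuthServiceException("Missing or unknown state"); }` directly after the lookup, before any decryption, and apply the same check when the session store is not used. I also cannot tell from here whether `OAuthUtils.getSessionToken` removes the attribute on read; if it does not, the same `state` is replayable for the life of the session and should be removed explicitly after a successful lookup. `fromRedirectState` continues past the end of the hunk.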
@@ -130,5 +154,13 @@ public class JoseClientCodeStateManager implements ClientCodeStateManager { } return JweUtils.loadEncryptionProvider(false); } + + public void setGenerateNonce(boolean generateNonce) { + this.generateNonce = generateNonce; + } + + public void setStoreInSession(boolean storeInSession) { + this.storeInSession = storeInSession; + } } http://git-wip-us.apache.org/repos/asf/cxf/blob/409f987d/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java index 9b503d9..4ee712c 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java @@ -68,6 +68,8 @@ public final class OAuthClientUtils { String scope) { UriBuilder ub = getAuthorizationURIBuilder(authorizationServiceURI, clientId, + redirectUri, + state, scope); if (redirectUri != null) { ub.queryParam(OAuthConstants.REDIRECT_URI, redirectUri); 
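Review bot: `getAuthorizationURI` now passes `redirectUri` and `state` into the new builder overload, which appends them as query parameters, and then the unchanged lines that follow append `redirect_uri` (visible here) and presumably `state` a second time, so the authorization URL carries duplicate parameters; RFC 6749 §3.1 says request parameters MUST NOT be included more than once, and authorization servers are expected to reject such requests. Replace the body with `return getAuthorizationURIBuilder(authorizationServiceURI, clientId, redirectUri, state, scope).build();` and delete the trailing `if` blocks. The method's signature and the remainder of its body lie outside this hunk.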
@@ -78,6 +80,23 @@ public final class OAuthClientUtils { return ub.build(); } + public static UriBuilder getAuthorizationURIBuilder(String authorizationServiceURI, + String clientId, + String redirectUri, + String state, + String scope) { + UriBuilder ub = getAuthorizationURIBuilder(authorizationServiceURI, + clientId, + scope); + if (redirectUri != null) { + ub.queryParam(OAuthConstants.REDIRECT_URI, redirectUri); + } + if (state != null) { + ub.queryParam(OAuthConstants.STATE, state); + } + return ub; + } + /** * Creates the builder for building OAuth AuthorizationService URIs * @param authorizationServiceURI the service endpoint address http://git-wip-us.apache.org/repos/asf/cxf/blob/409f987d/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/IdToken.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/IdToken.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/IdToken.java index f805128..aaee746 100644 --- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/IdToken.java +++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/IdToken.java @@ -18,8 +18,10 @@ */ package org.apache.cxf.rs.security.oidc.common; +import java.util.List; import java.util.Map; +import org.apache.cxf.helpers.CastUtils; import org.apache.cxf.rs.security.jose.jwt.JwtClaims; public class IdToken extends JwtClaims { @@ -27,10 +29,15 @@ public class IdToken extends JwtClaims { public static final String NONCE_CLAIM = "nonce"; public static final String ACR_CLAIM = "acr"; public static final String AZP_CLAIM = "azp"; + public static final String AMR_CLAIM = "amr"; public IdToken() { } + public IdToken(JwtClaims claims) { + this(claims.asMap()); + } + public IdToken(Map<String, Object> claims) { super(claims); } 
@@ -52,10 +59,17 @@ public class IdToken extends JwtClaims { public String getAuthenticationContextRef() { return (String)getProperty(ACR_CLAIM); } + public void setAuthenticationMethodRefs(List<String> refs) { + setProperty(AMR_CLAIM, refs); + } + public List<String> getAuthenticationMethodRefs() { + return CastUtils.cast((List<?>)getProperty(AMR_CLAIM)); + } public void setAuthorizedParty(String azp) { setProperty(AZP_CLAIM, azp); } public String getAuthorizedParty() { return (String)getProperty(AZP_CLAIM); } + } http://git-wip-us.apache.org/repos/asf/cxf/blob/409f987d/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserInfo.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserInfo.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserInfo.java index 9607b07..eae6614 100644 --- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserInfo.java +++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserInfo.java @@ -33,7 +33,9 @@ public class UserInfo extends JwtClaims { public static final String ADDRESS_CLAIM = "address"; public UserInfo() { } - + public UserInfo(JwtClaims claims) { + this(claims.asMap()); + } public UserInfo(Map<String, Object> claims) { super(claims); } http://git-wip-us.apache.org/repos/asf/cxf/blob/409f987d/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java index 35c2456..f0305cd 100644 --- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java 
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java @@ -25,7 +25,6 @@ import org.apache.cxf.rs.security.oidc.utils.OidcUtils; public class IdTokenReader extends AbstractTokenValidator { private boolean requireAtHash = true; - public IdToken getIdToken(ClientAccessToken at, String clientId) { JwtToken jwt = getIdJwtToken(at, clientId); return getIdTokenFromJwt(jwt); @@ -45,8 +44,7 @@ public class IdTokenReader extends AbstractTokenValidator { validateJwtClaims(jwt.getClaims(), clientId, true); return jwt; } - public IdToken getIdTokenFromJwt(JwtToken jwt) { - //TODO: do the extra validation if needed + private IdToken getIdTokenFromJwt(JwtToken jwt) { return new IdToken(jwt.getClaims().asMap()); } public void setRequireAtHash(boolean requireAtHash) { http://git-wip-us.apache.org/repos/asf/cxf/blob/409f987d/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java index 1e96b7d..c43e7f0 100644 --- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java +++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java 
@@ -18,26 +18,50 @@ */ package org.apache.cxf.rs.security.oidc.rp; +import java.util.Arrays; +import java.util.List; + import javax.ws.rs.container.ContainerRequestContext; +import javax.ws.rs.core.MultivaluedMap; import javax.ws.rs.core.SecurityContext; +import javax.ws.rs.core.UriBuilder; +import javax.ws.rs.core.UriInfo; +import org.apache.cxf.common.util.StringUtils; import org.apache.cxf.jaxrs.utils.ExceptionUtils; import org.apache.cxf.rs.security.oauth2.client.ClientCodeRequestFilter; import org.apache.cxf.rs.security.oauth2.client.ClientTokenContext; import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken; +import org.apache.cxf.rs.security.oidc.common.IdToken; public class OidcClientCodeRequestFilter extends ClientCodeRequestFilter { - + + private static final String ACR_PARAMETER = "acr_values"; + private static final String PROMPT_PARAMETER = "prompt"; + private static final String MAX_AGE_PARAMETER = "max_age"; + private static final List<String> PROMPTS = Arrays.asList("none", "consent", "login", "select_account"); private IdTokenReader idTokenReader; + private List<String> authenticationContextRef; + private String promptLogin; + private Long maxAgeOffset; + public void setAuthenticationContextRef(String acr) { + this.authenticationContextRef = Arrays.asList(StringUtils.split(acr, " ")); + } @Override - protected ClientTokenContext createTokenContext(ContainerRequestContext rc, ClientAccessToken at) { + protected ClientTokenContext createTokenContext(ContainerRequestContext rc, + ClientAccessToken at, + MultivaluedMap<String, String> state) { if (rc.getSecurityContext() instanceof OidcSecurityContext) { return ((OidcSecurityContext)rc.getSecurityContext()).getOidcContext(); } OidcClientTokenContextImpl ctx = new OidcClientTokenContextImpl(); if (at != null) { - ctx.setIdToken(idTokenReader.getIdToken(at, getConsumer().getKey())); + IdToken idToken = idTokenReader.getIdToken(at, getConsumer().getKey()); + // Validate the properties set up at 
the redirection time. + validateIdToken(idToken, state); + + ctx.setIdToken(idToken); if (idTokenReader instanceof UserInfoClient) { UserInfoClient userInfoClient = (UserInfoClient)idTokenReader; ctx.setUserInfo(userInfoClient.getUserInfo(at, ctx.getIdToken())); @@ -47,6 +71,36 @@ public class OidcClientCodeRequestFilter extends ClientCodeRequestFilter { return ctx; } + @Override + protected MultivaluedMap<String, String> toCodeRequestState(ContainerRequestContext rc, UriInfo ui) { + MultivaluedMap<String, String> state = super.toCodeRequestState(rc, ui); + if (maxAgeOffset != null) { + state.putSingle(MAX_AGE_PARAMETER, Long.toString(System.currentTimeMillis() + maxAgeOffset)); + } + return state; + } + private void validateIdToken(IdToken idToken, MultivaluedMap<String, String> state) { + + String nonce = state.getFirst("nonce"); + String tokenNonce = idToken.getNonce(); + if (nonce != null && (tokenNonce == null || !nonce.equals(tokenNonce))) { + throw ExceptionUtils.toNotAuthorizedException(null, null); + } + if (maxAgeOffset != null) { + Long authTime = Long.parseLong(state.getFirst(MAX_AGE_PARAMETER)); + Long tokenAuthTime = idToken.getAuthenticationTime(); + if (tokenAuthTime > authTime) { + throw ExceptionUtils.toNotAuthorizedException(null, null); + } + } + + String acr = idToken.getAuthenticationContextRef(); + // Skip the check if the acr is not set given it is a voluntary claim + if (acr != null && authenticationContextRef != null && !authenticationContextRef.contains(acr)) { + throw ExceptionUtils.toNotAuthorizedException(null, null); + } + + } public void setIdTokenReader(IdTokenReader idTokenReader) { this.idTokenReader = idTokenReader; } 
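Review bot: `validateIdToken(idToken, state)` receives null for `state` whenever the base filter has no `ClientCodeStateManager` configured (it passes through whatever `fromRedirectState` produced, or null), and the callee immediately calls `state.getFirst(...)`, so on those deployments the new validation path ends in a NullPointerException rather than an authorization decision. Make the callee tolerate it, `String nonce = state == null ? null : state.getFirst(IdToken.NONCE_CLAIM);`, or, if a nonce check is meaningless without protected state, reject explicitly with `throw ExceptionUtils.toNotAuthorizedException(null, null);` before the call. The local `"nonce"` literal should be `IdToken.NONCE_CLAIM`, which is already imported. `createTokenContext`'s body continues into the next hunk.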
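Review bot: The `max_age` handling inverts the OIDC contract in both unit and direction: `max_age` is a duration in seconds (OIDC Core 3.1.2.1), but `toCodeRequestState` records `System.currentTimeMillis() + maxAgeOffset`, an absolute millisecond timestamp, and `validateIdToken` then rejects only when `auth_time` (seconds since the epoch) is greater than that value, which essentially never happens, so stale authentications are accepted and the check is a no-op. It also assumes `auth_time` is present, although a missing claim (it is REQUIRED in the ID token when `max_age` was requested) should be rejected rather than unboxed into a NullPointerException, and `Long.parseLong(state.getFirst(MAX_AGE_PARAMETER))` throws if the state lacks the entry. Treating `maxAgeOffset` as the requested number of seconds, which is also what `setAdditionalCodeRequestParams` then forwards as the `max_age` query parameter, gives the version below; `setMaxAgeOffset` is new in this commit so the changed meaning is not a compatibility break, and a one-line Javadoc on the setter should state the unit. A small clock-skew allowance may be warranted depending on the OP.
```java
@Override
protected MultivaluedMap<String, String> toCodeRequestState(ContainerRequestContext rc, UriInfo ui) {
    MultivaluedMap<String, String> state = super.toCodeRequestState(rc, ui);
    if (maxAgeOffset != null) {
        // max_age is a duration in seconds (OIDC Core 3.1.2.1), not a deadline
        state.putSingle(MAX_AGE_PARAMETER, Long.toString(maxAgeOffset));
    }
    return state;
}

private void validateIdToken(IdToken idToken, MultivaluedMap<String, String> state) {
    // … unchanged: nonce comparison …
    if (maxAgeOffset != null) {
        // auth_time is REQUIRED when max_age was requested (OIDC Core 2): absent => reject,
        // and the authentication must be no older than max_age seconds
        Long tokenAuthTime = idToken.getAuthenticationTime();
        long nowSeconds = System.currentTimeMillis() / 1000L;
        if (tokenAuthTime == null || nowSeconds - tokenAuthTime > maxAgeOffset) {
            throw ExceptionUtils.toNotAuthorizedException(null, null);
        }
    }
    // … unchanged: acr check …
}
```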
@@ -58,4 +112,32 @@ public class OidcClientCodeRequestFilter extends ClientCodeRequestFilter { throw ExceptionUtils.toNotAuthorizedException(null, null); } } + @Override + protected void setAdditionalCodeRequestParams(UriBuilder ub, MultivaluedMap<String, String> redirectState) { + if (redirectState != null) { + if (redirectState.getFirst(IdToken.NONCE_CLAIM) != null) { + ub.queryParam(IdToken.NONCE_CLAIM, redirectState.getFirst(IdToken.NONCE_CLAIM)); + } + if (redirectState.getFirst(MAX_AGE_PARAMETER) != null) { + ub.queryParam(MAX_AGE_PARAMETER, redirectState.getFirst(MAX_AGE_PARAMETER)); + } + } + if (authenticationContextRef != null) { + ub.queryParam(ACR_PARAMETER, authenticationContextRef); + } + if (promptLogin != null) { + ub.queryParam(PROMPT_PARAMETER, promptLogin); + } + } + + public void setPromptLogin(String promptLogin) { + if (PROMPTS.contains(promptLogin)) { + this.promptLogin = promptLogin; + } else { + throw new IllegalArgumentException("Illegal prompt value"); + } + } + public void setMaxAgeOffset(Long maxAgeOffset) { + this.maxAgeOffset = maxAgeOffset; + } } http://git-wip-us.apache.org/repos/asf/cxf/blob/409f987d/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java index d075b0b..cb7b25a 100644 --- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java +++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java 
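Review bot: `ub.queryParam(ACR_PARAMETER, authenticationContextRef)` passes a `List<String>` as the single vararg value, so as far as I can tell `UriBuilder` will emit `String.valueOf(list)`, i.e. `acr_values=[urn:a, urn:b]` with brackets and commas, whereas OIDC Core 3.1.2.1 defines `acr_values` as a space-separated string. Keep the original string from the setter beside the parsed list: `private String acrValues;` among the fields, `this.acrValues = acr;` in `setAuthenticationContextRef` (an earlier hunk), and `ub.queryParam(ACR_PARAMETER, acrValues);` here. Separately, `setPromptLogin` rejects anything not in `PROMPTS`, but `prompt` is itself a space-delimited list (`login consent` is valid, while `none` must not be combined with other values), so a validator that splits on space and applies that rule would be more faithful than the single-value membership test.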
@@ -33,7 +33,7 @@ import org.apache.cxf.rs.security.oauth2.client.Consumer; import org.apache.cxf.rs.security.oidc.common.IdToken; public class OidcIdTokenRequestFilter implements ContainerRequestFilter { - private String tokenFormParameter = "idtoken"; + private String tokenFormParameter = "id_token"; private IdTokenReader idTokenReader; private Consumer consumer;
