Repository: cxf Updated Branches: refs/heads/3.0.x-fixes e8c388af3 -> 7dfe07160
[CXF-6487] Initial prototyping of validatig self-issued idp Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/7dfe0716 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/7dfe0716 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/7dfe0716 Branch: refs/heads/3.0.x-fixes Commit: 7dfe071606aab478bc3a26d278aacf84d7e1d8ab Parents: e8c388a Author: Sergey Beryozkin <[email protected]> Authored: Sun Jul 26 21:58:04 2015 +0300 Committer: Sergey Beryozkin <[email protected]> Committed: Sun Jul 26 21:59:46 2015 +0300 ---------------------------------------------------------------------- .../oidc/rp/AbstractTokenValidator.java | 41 +++++++++++++------- 1 file changed, 28 insertions(+), 13 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/7dfe0716/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java index a84dfa1..84d7650 100644 --- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java +++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java 
@@ -34,12 +34,14 @@ import org.apache.cxf.rs.security.jose.jwt.JwtToken; import org.apache.cxf.rs.security.jose.jwt.JwtUtils; public abstract class AbstractTokenValidator { + private static final String SELF_ISSUED_ISSUER = "https://self-issued.me"; private JweDecryptionProvider jweDecryptor; private JwsSignatureVerifier jwsVerifier; private String issuerId; private int issuedAtRange; private int clockOffset; private WebClient jwkSetClient; + private boolean supportSelfIssuedProvider; private ConcurrentHashMap<String, JsonWebKey> keyMap = new ConcurrentHashMap<String, JsonWebKey>(); protected JwtToken getJwtToken(String wrappedJwtToken, boolean jweOnly) { 
@@ -62,22 +64,30 @@ public abstract class AbstractTokenValidator { } protected void validateJwtClaims(JwtClaims claims, String clientId, boolean validateClaimsAlways) { - // validate subject - if (claims.getSubject() == null) { - throw new SecurityException("Invalid subject"); - } - // validate audience - String aud = claims.getAudience(); - if (aud == null && validateClaimsAlways || aud != null && !clientId.equals(aud)) { - throw new SecurityException("Invalid audience"); - } - - // validate the provider + // validate the issuer String issuer = claims.getIssuer(); - if (issuer == null && validateClaimsAlways || issuer != null && !issuer.equals(issuerId)) { + if (issuer == null && validateClaimsAlways) { throw new SecurityException("Invalid provider"); } - JwtUtils.validateJwtTimeClaims(claims, clockOffset, issuedAtRange, validateClaimsAlways); + if (supportSelfIssuedProvider && issuerId == null + && issuer != null && SELF_ISSUED_ISSUER.equals(issuer)) { + //TODO: self-issued provider token validation + } else { + if (issuer != null && !issuer.equals(issuerId)) { + throw new SecurityException("Invalid provider"); + } + // validate subject + if (claims.getSubject() == null) { + throw new SecurityException("Invalid subject"); + } + // validate audience + String aud = claims.getAudience(); + if (aud == null && validateClaimsAlways || aud != null && !clientId.equals(aud)) { + throw new SecurityException("Invalid audience"); + } + + JwtUtils.validateJwtTimeClaims(claims, clockOffset, issuedAtRange, validateClaimsAlways); + } } @@ -125,6 +135,7 @@ public abstract class AbstractTokenValidator { String keyId = jwt.getHeaders().getKeyId(); JsonWebKey key = keyId != null ? keyMap.get(keyId) : null; if (key == null) { + //TODO: check self-issued JWK if (jwkSetClient == null) { throw new SecurityException("Provider Jwk Set Client is not available"); } 
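Review bot: The `//TODO: check self-issued JWK` sits at the point where a key missing from keyMap falls through to jwkSetClient, so with supportSelfIssuedProvider set and no JWK Set client configured a self-issued token currently fails here with "Provider Jwk Set Client is not available", which is at least fail-closed. When that lookup is added it must not take the verification key from the token's own header or claims without first binding that key to the token's subject; otherwise any key would verify any self-issued token. I would make the TODO say so: `//TODO: self-issued tokens: use a key carried by the token only after binding it to the subject`. The enclosing method starts and ends outside the hunk.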
@@ -151,4 +162,8 @@ public abstract class AbstractTokenValidator {
 public void setClockOffset(int clockOffset) {
 this.clockOffset = clockOffset;
 }
+
+ public void setSupportSelfIssuedProvider(boolean supportSelfIssuedProvider) {
+ this.supportSelfIssuedProvider = supportSelfIssuedProvider;
+ }
 }
