Repository: cxf Updated Branches: refs/heads/master cdd1a9c9b -> 7d02ad7fc
Trying to make it simpler to start jose-processing IdTokens only at the AT response time Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/7d02ad7f Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/7d02ad7f Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/7d02ad7f Branch: refs/heads/master Commit: 7d02ad7fc862eb1413ae34d10d8cd2d4f20e35f3 Parents: cdd1a9c Author: Sergey Beryozkin <[email protected]> Authored: Mon Dec 7 11:05:08 2015 +0000 Committer: Sergey Beryozkin <[email protected]> Committed: Mon Dec 7 11:05:08 2015 +0000
----------------------------------------------------------------------
.../oidc/idp/IdTokenResponseFilter.java | 33 +++++++++---------
.../rs/security/oidc/idp/OidcUserSubject.java | 35 ++++++++++++++++++++
.../rs/security/oidc/idp/UserInfoService.java | 10 ------
3 files changed, 50 insertions(+), 28 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/7d02ad7f/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
index da93213..0d10d4e 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
@@ -18,8 +18,6 @@
 */
 package org.apache.cxf.rs.security.oidc.idp;
 
-import java.util.Collections;
-
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
 import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
 import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
@@ -30,29 +28,28 @@ import org.apache.cxf.rs.security.oidc.utils.OidcUtils; public class IdTokenResponseFilter extends AbstractOAuthServerJoseJwtProducer implements AccessTokenResponseFilter { private UserInfoProvider userInfoProvider; - private String issuer; @Override public void process(ClientAccessToken ct, ServerAccessToken st) { - // This may also be done directly inside a data provider code creating the server token + String idToken = getProcessedIdToken(st); + if (idToken != null) { + ct.getParameters().put(OidcUtils.ID_TOKEN, idToken); + } + + } + private String getProcessedIdToken(ServerAccessToken st) { if (userInfoProvider != null) { IdToken token = userInfoProvider.getIdToken(st.getClient().getClientId(), st.getSubject(), st.getScopes()); - token.setIssuer(issuer); - token.setAudiences(Collections.singletonList(st.getClient().getClientId())); - - String responseEntity = super.processJwt(new JwtToken(token), - st.getClient()); - ct.getParameters().put(OidcUtils.ID_TOKEN, responseEntity); - } else if (st.getSubject().getProperties().containsKey("id_token")) { - ct.getParameters().put(OidcUtils.ID_TOKEN, - st.getSubject().getProperties().get("id_token")); + return super.processJwt(new JwtToken(token), st.getClient()); + } else if (st.getSubject().getProperties().containsKey(OidcUtils.ID_TOKEN)) { + return st.getSubject().getProperties().get(OidcUtils.ID_TOKEN); + } else if (st.getSubject() instanceof OidcUserSubject) { + OidcUserSubject sub = (OidcUserSubject)st.getSubject(); + return super.processJwt(new JwtToken(sub.getIdToken()), st.getClient()); + } else { + return null; } - - } - - public void setIssuer(String issuer) { - this.issuer = issuer; } public void setUserInfoProvider(UserInfoProvider userInfoProvider) { this.userInfoProvider = userInfoProvider; http://git-wip-us.apache.org/repos/asf/cxf/blob/7d02ad7f/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSubject.java 
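Review bot: In the new `instanceof OidcUserSubject` branch of getProcessedIdToken, `sub.getIdToken()` is handed to `new JwtToken(...)` without a null check, so an OidcUserSubject whose id token was never set reaches processJwt with null claims; the `idToken != null` guard in process() only covers the returned string. Suggest `} else if (st.getSubject() instanceof OidcUserSubject && ((OidcUserSubject)st.getSubject()).getIdToken() != null) {`. The hunk also drops the setIssuer/setAudiences calls, so `iss` and `aud` are now whatever the UserInfoProvider or the stored IdToken already carry and the filter signs them as-is; a comment on getProcessedIdToken such as `// The IdToken from the provider or the subject must already carry the issuer and client-id audience claims; they are no longer stamped here` would make that contract visible. setUserInfoProvider continues outside the hunk.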
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSubject.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSubject.java
new file mode 100644
index 0000000..6c9690b
--- /dev/null
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcUserSubject.java
@@ -0,0 +1,35 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oidc.idp;
+
+import org.apache.cxf.rs.security.oauth2.common.UserSubject;
+import org.apache.cxf.rs.security.oidc.common.IdToken;
+
+public class OidcUserSubject extends UserSubject {
+
+ private static final long serialVersionUID = 8806727177012442229L;
+ private IdToken idToken;
+ public IdToken getIdToken() {
+ return idToken;
+ }
+ public void setIdToken(IdToken idToken) {
+ this.idToken = idToken;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/7d02ad7f/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
----------------------------------------------------------------------
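Review bot: OidcUserSubject declares a serialVersionUID, so it is Serializable through UserSubject, yet the new idToken field's type IdToken is not visible here and may not be Serializable; if it is not, persisting or replicating a subject that holds an id token fails with NotSerializableException, so either confirm IdToken is Serializable or mark the field `transient` and document that the claims are not persisted with the subject. The class also has no Javadoc; suggest `/** A UserSubject that carries the not-yet-signed IdToken claims for the authenticated user, which IdTokenResponseFilter turns into a JWT when the access token response is written. */`. A note on setIdToken that the claims are used verbatim, so the issuer and audience must be set by whoever creates it, would complete the contract.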
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
index 1f5d99d..ae22b22 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
@@ -18,8 +18,6 @@
 */
 package org.apache.cxf.rs.security.oidc.idp;
 
-import java.util.Collections;
-
 import javax.ws.rs.GET;
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
@@ -38,7 +36,6 @@ import org.apache.cxf.rs.security.oidc.common.UserInfo;
 public class UserInfoService extends AbstractOAuthServerJoseJwtProducer {
 private UserInfoProvider userInfoProvider;
 private OAuthDataProvider oauthDataProvider;
- private String issuer;
 @Context
 private MessageContext mc;
 
@@ -48,10 +45,6 @@ public class UserInfoService extends AbstractOAuthServerJoseJwtProducer {
 OAuthContext oauth = OAuthContextUtils.getContext(mc);
 UserInfo userInfo = userInfoProvider.getUserInfo(oauth.getClientId(), oauth.getSubject(), oauth.getPermissions());
- if (userInfo != null) {
- userInfo.setIssuer(issuer);
- }
- userInfo.setAudiences(Collections.singletonList(oauth.getClientId()));
 Object responseEntity = userInfo;
 if (super.isJwsRequired() || super.isJweRequired()) {
 responseEntity = super.processJwt(new JwtToken(userInfo),
@@ -61,9 +54,6 @@ public class UserInfoService extends AbstractOAuthServerJoseJwtProducer {
 }
 
 
- public void setIssuer(String issuer) {
- this.issuer = issuer;
- }
 public void setUserInfoProvider(UserInfoProvider userInfoProvider) {
 this.userInfoProvider = userInfoProvider;
 }
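Review bot: In the `@@ -48,10 +45,6 @@` hunk the removed `if (userInfo != null)` block was the only null check on the provider result and nothing replaces it, so a UserInfoProvider that returns null for an unknown subject now reaches `new JwtToken(userInfo)` (or is passed on as the plain entity) instead of failing at a defined point; suggest a guard before `Object responseEntity = userInfo;`, e.g. `if (userInfo == null) { throw new NotFoundException(); }` or whatever error the surrounding method already uses, that method starting and ending outside the hunk. Dropping setIssuer and setAudiences also means a signed or encrypted UserInfo response carries `iss` and `aud` only if the provider set them, so the client-id audience binding now depends entirely on the provider; the UserInfoProvider contract (not in this diff) should state that it owns those claims. The same stamping removal is made in IdTokenResponseFilter in the first file.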
