Repository: cxf Updated Branches: refs/heads/master a3023aa0d -> 2df002245
Updating OIDC RP filter to check if the context ID token has expired Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2df00224 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2df00224 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2df00224 Branch: refs/heads/master Commit: 2df002245e1fdc60020e110d6d290d3d13d305ad Parents: a3023aa Author: Sergey Beryozkin <[email protected]> Authored: Wed Feb 3 11:02:32 2016 +0000 Committer: Sergey Beryozkin <[email protected]> Committed: Wed Feb 3 11:02:32 2016 +0000 ---------------------------------------------------------------------- .../security/oidc/rp/OidcRpAuthenticationFilter.java | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/2df00224/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java
index 43950fe..3cead95 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java
@@ -36,11 +36,15 @@ import javax.ws.rs.core.UriBuilder;
 import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.jaxrs.ext.MessageContext;
+import org.apache.cxf.jaxrs.ext.MessageContextImpl;
 import org.apache.cxf.jaxrs.impl.MetadataMap;
 import org.apache.cxf.jaxrs.utils.FormUtils;
 import org.apache.cxf.jaxrs.utils.JAXRSUtils;
+import org.apache.cxf.rs.security.jose.jwt.JwtException;
+import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
 import org.apache.cxf.rs.security.oauth2.client.ClientTokenContext;
 import org.apache.cxf.rs.security.oauth2.client.ClientTokenContextManager;
+import org.apache.cxf.rs.security.oidc.common.IdToken;
 @PreMatching
 @Priority(Priorities.AUTHENTICATION)
@@ -77,9 +81,17 @@ public class OidcRpAuthenticationFilter implements ContainerRequestFilter {
 if (tokenContext == null) {
 return false;
 }
+IdToken idToken = tokenContext.getIdToken();
+try {
+// If ID token has expired then the context is no longer valid
+JwtUtils.validateJwtExpiry(idToken, 0, idToken.getExpiryTime() != null);
+} catch (JwtException ex) {
+stateManager.removeClientTokenContext(new MessageContextImpl(JAXRSUtils.getCurrentMessage()));
+return false;
+}
 OidcClientTokenContextImpl newTokenContext = new OidcClientTokenContextImpl();
 newTokenContext.setToken(tokenContext.getToken());
-newTokenContext.setIdToken(tokenContext.getIdToken());
+newTokenContext.setIdToken(idToken);
 newTokenContext.setUserInfo(tokenContext.getUserInfo());
 newTokenContext.setState(toRequestState(rc));
 JAXRSUtils.getCurrentMessage().setContent(ClientTokenContext.class, newTokenContext);
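Review bot: The new expiry check in the second hunk dereferences `idToken` before it is known to be non-null — `idToken.getExpiryTime() != null` throws a NullPointerException if the stored context carries no ID token, so a stale or partially populated context would likely surface as an unhandled exception instead of the clean re-authentication the `return false` path provides. A guard such as `if (idToken == null) { return false; }` before the `try` (or removing the context in that case as well, exactly as the catch block does) keeps the failure path uniform. Passing `idToken.getExpiryTime() != null` as the third argument also means an ID token without an `exp` claim is accepted indefinitely; since OpenID Connect Core requires `exp` in ID tokens, consider passing `true` so that such a token is rejected, unless tolerating a missing `exp` here is deliberate, in which case the inline comment should say so. The zero clock offset gives no tolerance for skew between the relying party and the provider, so if the filter already exposes a configurable offset elsewhere (not visible in this hunk) it should be used in this call. The enclosing method starts and ends outside the hunk.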
