Repository: cxf Updated Branches: refs/heads/3.1.x-fixes 809080335 -> 59bbab2f1
Updating OIDC RP filter to check if the context ID token has expired Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/59bbab2f Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/59bbab2f Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/59bbab2f Branch: refs/heads/3.1.x-fixes Commit: 59bbab2f13a9e56dcd2dfff971bd608549454b91 Parents: 8090803 Author: Sergey Beryozkin <[email protected]> Authored: Wed Feb 3 11:02:32 2016 +0000 Committer: Sergey Beryozkin <[email protected]> Committed: Wed Feb 3 11:03:51 2016 +0000 ---------------------------------------------------------------------- .../security/oidc/rp/OidcRpAuthenticationFilter.java | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/59bbab2f/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java
index 43950fe..3cead95 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java
@@ -36,11 +36,15 @@ import javax.ws.rs.core.UriBuilder;
 import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.jaxrs.ext.MessageContext;
+import org.apache.cxf.jaxrs.ext.MessageContextImpl;
 import org.apache.cxf.jaxrs.impl.MetadataMap;
 import org.apache.cxf.jaxrs.utils.FormUtils;
 import org.apache.cxf.jaxrs.utils.JAXRSUtils;
+import org.apache.cxf.rs.security.jose.jwt.JwtException;
+import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
 import org.apache.cxf.rs.security.oauth2.client.ClientTokenContext;
 import org.apache.cxf.rs.security.oauth2.client.ClientTokenContextManager;
+import org.apache.cxf.rs.security.oidc.common.IdToken;
 @PreMatching
 @Priority(Priorities.AUTHENTICATION)
@@ -77,9 +81,17 @@ public class OidcRpAuthenticationFilter implements ContainerRequestFilter {
 if (tokenContext == null) {
 return false;
 }
+ IdToken idToken = tokenContext.getIdToken();
+ try {
+ // If ID token has expired then the context is no longer valid
+ JwtUtils.validateJwtExpiry(idToken, 0, idToken.getExpiryTime() != null);
+ } catch (JwtException ex) {
+ stateManager.removeClientTokenContext(new MessageContextImpl(JAXRSUtils.getCurrentMessage()));
+ return false;
+ }
 OidcClientTokenContextImpl newTokenContext = new OidcClientTokenContextImpl();
 newTokenContext.setToken(tokenContext.getToken());
- newTokenContext.setIdToken(tokenContext.getIdToken());
+ newTokenContext.setIdToken(idToken);
 newTokenContext.setUserInfo(tokenContext.getUserInfo());
 newTokenContext.setState(toRequestState(rc));
 JAXRSUtils.getCurrentMessage().setContent(ClientTokenContext.class, newTokenContext);
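Review bot: The new expiry check in the second hunk fails open when the ID token carries no `exp` claim, and it dereferences `idToken` without a null check. Passing `idToken.getExpiryTime() != null` as the claim-required argument means a stored context whose ID token has no expiry is never treated as expired, although OpenID Connect makes `exp` mandatory in ID tokens. If `tokenContext.getIdToken()` can return null (not visible in this hunk), that same expression throws a NullPointerException rather than returning false. I would handle both cases like the expired one: test `idToken == null` before the `try`, remove the context and return false, and call `JwtUtils.validateJwtExpiry(idToken, 0, true);` so that a missing claim is rejected. The clock offset of `0` leaves no tolerance for clock skew and deserves a short comment if intended; the enclosing method starts and ends outside the hunk.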
