Repository: cxf Updated Branches: refs/heads/master 4298ce8c4 -> 5c72fad58
Avoiding linking UserSubject to indiv clients too early
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/5c72fad5
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/5c72fad5
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/5c72fad5
Branch: refs/heads/master
Commit: 5c72fad581d0c8abe3aa035108b11b5336e0dc6f
Parents: 4298ce8
Author: Sergey Beryozkin <[email protected]>
Authored: Tue Feb 9 16:17:00 2016 +0000
Committer: Sergey Beryozkin <[email protected]>
Committed: Tue Feb 9 16:17:00 2016 +0000
----------------------------------------------------------------------
.../oauth2/provider/DefaultSubjectCreator.java | 2 --
.../rs/security/oauth2/provider/SubjectCreator.java | 3 ---
.../oauth2/services/AbstractImplicitGrantService.java | 6 +++---
.../oauth2/services/DirectAuthorizationService.java | 6 +++---
.../oauth2/services/RedirectionBasedGrantService.java | 14 ++++----------
.../rs/security/oidc/idp/IdTokenResponseFilter.java | 2 ++
.../cxf/rs/security/oidc/idp/OidcImplicitService.java | 4 +++-
7 files changed, 15 insertions(+), 22 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/5c72fad5/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultSubjectCreator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultSubjectCreator.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultSubjectCreator.java
index 53c1d54..6dc9dd8 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultSubjectCreator.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultSubjectCreator.java
@@ -21,7 +21,6 @@ package org.apache.cxf.rs.security.oauth2.provider;
 import javax.ws.rs.core.MultivaluedMap;
 import org.apache.cxf.jaxrs.ext.MessageContext;
-import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.UserSubject;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
 import org.apache.cxf.security.SecurityContext;
@@ -30,7 +29,6 @@ public class DefaultSubjectCreator implements SubjectCreator {
 @Override public UserSubject createUserSubject(MessageContext mc,
- Client client,
 MultivaluedMap<String, String> params) throws OAuthServiceException { return OAuthUtils.createSubject(mc, (SecurityContext)mc.get(SecurityContext.class.getName()));
http://git-wip-us.apache.org/repos/asf/cxf/blob/5c72fad5/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SubjectCreator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SubjectCreator.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SubjectCreator.java
index 4ddee90..25a14e6 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SubjectCreator.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/SubjectCreator.java
@@ -22,7 +22,6 @@ package org.apache.cxf.rs.security.oauth2.provider;
 import javax.ws.rs.core.MultivaluedMap;
 import org.apache.cxf.jaxrs.ext.MessageContext;
-import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.UserSubject;
 /**
@@ -35,12 +34,10 @@ public interface SubjectCreator {
 /**
 * Create a {@link UserSubject}
 * @param mc the {@link MessageContext} of this request
- * @param client the client
 * @param params the request parameters
 * @return {@link UserSubject}
 * @throws OAuthServiceException
 */
 UserSubject createUserSubject(MessageContext mc,
- Client client,
 MultivaluedMap<String, String> params) throws OAuthServiceException;
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/5c72fad5/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
index 6c9349d..f3c466b 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
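Review bot: Dropping the `Client` parameter from `SubjectCreator.createUserSubject` in the `@@ -35,12 +34,10 @@` hunk breaks every external `SubjectCreator` implementation at compile time, and the remaining Javadoc no longer says why the client is unavailable. Since the intent is that the subject is created before the request is bound to a particular client, the method Javadoc should state that contract, e.g. `* The subject is created before the request is associated with a client, so implementations must not depend on client-specific data.` The same unannounced signature change is made to the protected `finalizeResponse` in AbstractImplicitGrantService and to `createUserSubject` in DirectAuthorizationService and RedirectionBasedGrantService, where an existing subclass override without `@Override` would silently stop being called rather than fail to compile; a deprecated overload delegating to the new method, or at least a note in the class Javadoc, would make that break visible.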
@@ -108,16 +108,16 @@ public abstract class AbstractImplicitGrantService extends RedirectionBasedGrant processRefreshToken(sb, token.getRefreshToken()); } - return finalizeResponse(sb, client, state); + return finalizeResponse(sb, state); } - protected Response finalizeResponse(StringBuilder sb, Client client, OAuthRedirectionState state) { + protected Response finalizeResponse(StringBuilder sb, OAuthRedirectionState state) { if (state.getState() != null) { sb.append("&"); sb.append(OAuthConstants.STATE).append("=").append(state.getState()); } if (reportClientId) { - sb.append("&").append(OAuthConstants.CLIENT_ID).append("=").append(client.getClientId()); + sb.append("&").append(OAuthConstants.CLIENT_ID).append("=").append(state.getClientId()); } return Response.seeOther(URI.create(sb.toString())).build();
http://git-wip-us.apache.org/repos/asf/cxf/blob/5c72fad5/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DirectAuthorizationService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DirectAuthorizationService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DirectAuthorizationService.java
index e8b5e16..a9fa8be 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DirectAuthorizationService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DirectAuthorizationService.java
@@ -53,7 +53,7 @@ public class DirectAuthorizationService extends AbstractOAuthService { SecurityContext sc = getAndValidateSecurityContext(params); Client client = getClient(params); // Create a UserSubject representing the end user - UserSubject userSubject = createUserSubject(sc, client, params); + UserSubject userSubject = createUserSubject(sc, params); AccessTokenRegistration reg = new AccessTokenRegistration();
@@ -83,11 +83,11 @@ public class DirectAuthorizationService extends AbstractOAuthService { checkTransportSecurity(); return securityContext; } - protected UserSubject createUserSubject(SecurityContext securityContext, Client client, + protected UserSubject createUserSubject(SecurityContext securityContext, MultivaluedMap<String, String> params) { UserSubject subject = null; if (subjectCreator != null) { - subject = subjectCreator.createUserSubject(getMessageContext(), client, params); + subject = subjectCreator.createUserSubject(getMessageContext(), params); if (subject != null) { return subject; }
http://git-wip-us.apache.org/repos/asf/cxf/blob/5c72fad5/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
index ab4bba8..094c5af 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
@@ -120,7 +120,7 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService SecurityContext sc = getAndValidateSecurityContext(params); Client client = getClient(params); // Create a UserSubject representing the end user - UserSubject userSubject = createUserSubject(sc, client, params); + UserSubject userSubject = createUserSubject(sc, params); return startAuthorization(params, userSubject, client); }
@@ -274,9 +274,6 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService state = sessionAuthenticityTokenProvider.getSessionState(super.getMessageContext(), sessionToken, subject); - if (!state.getClientId().equals(params.getFirst(OAuthConstants.CLIENT_ID))) { - throw ExceptionUtils.toBadRequestException(null, null); - } } if (state == null) { state = new OAuthRedirectionState();
@@ -312,11 +309,8 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService protected Response completeAuthorization(MultivaluedMap<String, String> params) { // Make sure the end user has authenticated, check if HTTPS is used SecurityContext securityContext = getAndValidateSecurityContext(params); - // Client id may also be preserved in a session but it must be set - // as a authorization form parameter - Client client = getClient(params.getFirst(OAuthConstants.CLIENT_ID)); - UserSubject userSubject = createUserSubject(securityContext, client, params); + UserSubject userSubject = createUserSubject(securityContext, params); // Make sure the session is valid String sessionTokenParamName = params.getFirst(OAuthConstants.SESSION_AUTHENTICITY_TOKEN_PARAM_NAME);
@@ -330,6 +324,8 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService OAuthRedirectionState state = recreateRedirectionStateFromSession(userSubject, params, sessionToken); + + Client client = getClient(state.getClientId()); String redirectUri = validateRedirectUri(client, state.getRedirectUri()); // Get the end user decision value
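Review bot: With the client-id consistency check removed in the `@@ -274,9 +274,6 @@` hunk and the client now resolved from `state.getClientId()` in the `@@ -330,6 +324,8 @@` hunk, the `client_id` form parameter is silently ignored whenever session state exists, so a form whose `client_id` disagrees with the session is processed under the session's client rather than rejected with 400 as before. Taking the client from the session-bound state is the right source of truth, but a disagreement between the two is still worth rejecting as a sign of a stale or tampered form, e.g. `String formClientId = params.getFirst(OAuthConstants.CLIENT_ID);` followed by `if (formClientId != null && !formClientId.equals(state.getClientId())) { throw ExceptionUtils.toBadRequestException(null, null); }` placed just before the new `getClient` call. The added `Client client = getClient(state.getClientId());` also deserves a replacement for the comment deleted in the `@@ -312,11 +309,8 @@` hunk, updated to the new contract, e.g. `// The client is taken from the session-bound state, not from the form, so a form value cannot switch the authorization to another client`. On the `state == null` fallback path the state is populated outside this hunk, presumably from the request parameters, so whether `getClient` can receive a null id there is not visible here. `completeAuthorization` continues past the hunk.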
@@ -375,12 +371,10 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService } protected UserSubject createUserSubject(SecurityContext securityContext, - Client client, MultivaluedMap<String, String> params) { UserSubject subject = null; if (subjectCreator != null) { subject = subjectCreator.createUserSubject(getMessageContext(), - client, params); if (subject != null) { return subject;
http://git-wip-us.apache.org/repos/asf/cxf/blob/5c72fad5/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
index 7051090..6e7bb92 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
@@ -59,6 +59,8 @@ public class IdTokenResponseFilter extends OAuthServerJoseJwtProducer implements } else if (st.getSubject() instanceof OidcUserSubject) { OidcUserSubject sub = (OidcUserSubject)st.getSubject(); IdToken idToken = new IdToken(sub.getIdToken()); + idToken.setAudience(st.getClient().getClientId()); + idToken.setAuthorizedParty(st.getClient().getClientId()); // if this token was refreshed then the cloned IDToken might need to have its // issuedAt and expiry time properties adjusted if it proves to be necessary setAtHashAndNonce(idToken, st);
http://git-wip-us.apache.org/repos/asf/cxf/blob/5c72fad5/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
----------------------------------------------------------------------
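Review bot: In the `@@ -59,6 +59,8 @@` hunk `st.getClient().getClientId()` is evaluated twice on consecutive lines; hoisting it into `String clientId = st.getClient().getClientId();` reads better and gives one place to guard if `st.getClient()` can ever be null, which this hunk does not show. The same pair of `setAudience`/`setAuthorizedParty` calls is added to `getProcessedIdToken` in OidcImplicitService using `state.getClientId()`, so a small shared helper (something like `bindToClient(IdToken, String clientId)`) would keep the two issuing paths from drifting, which matters because `aud` is what a relying party uses to reject an ID token minted for a different client. A one-line comment on the overwrite would also help, e.g. `// the subject's stored id token is not tied to a client; bind this copy to the requesting client via aud/azp`, assuming the stored token is client-neutral as the commit title suggests, since `new IdToken(sub.getIdToken())` copies whatever audience the stored token already carried. The enclosing method continues outside the hunk.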
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
index 40f29ea4..60b638d 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
@@ -101,7 +101,7 @@ public class OidcImplicitService extends ImplicitGrantService { if (idToken != null) { sb.append(OidcUtils.ID_TOKEN).append("=").append(idToken); } - return finalizeResponse(sb, client, state); + return finalizeResponse(sb, state); } private String getProcessedIdToken(OAuthRedirectionState state, UserSubject subject) {
@@ -110,6 +110,8 @@ public class OidcImplicitService extends ImplicitGrantService { } else if (subject instanceof OidcUserSubject) { OidcUserSubject sub = (OidcUserSubject)subject; IdToken idToken = new IdToken(sub.getIdToken()); + idToken.setAudience(state.getClientId()); + idToken.setAuthorizedParty(state.getClientId()); idToken.setNonce(state.getNonce()); JoseJwtProducer processor = idTokenHandler == null ? new JoseJwtProducer() : idTokenHandler; return processor.processJwt(new JwtToken(idToken));
