Add the ability to sign/encrypt UserInfoService responses using asymmetric keys


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/0130a152
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/0130a152
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/0130a152

Branch: refs/heads/3.0.x-fixes
Commit: 0130a15283423feccda7f32cd5b8c57ffb728f4c
Parents: ad191a9
Author: Colm O hEigeartaigh <[email protected]>
Authored: Tue Feb 16 17:06:39 2016 +0000
Committer: Colm O hEigeartaigh <[email protected]>
Committed: Tue Feb 16 17:10:28 2016 +0000

----------------------------------------------------------------------
 .../provider/AbstractOAuthServerJoseJwtProducer.java  | 14 +++++++++++---
 .../cxf/rs/security/oidc/idp/UserInfoService.java     |  8 ++++++--
 2 files changed, 17 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/0130a152/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthServerJoseJwtProducer.java
----------------------------------------------------------------------
diff --git 
a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthServerJoseJwtProducer.java
 
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthServerJoseJwtProducer.java
index 31d8506..f1dafaa 100644
--- 
a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthServerJoseJwtProducer.java
+++ 
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthServerJoseJwtProducer.java
@@ -25,6 +25,7 @@ import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
 import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
 import org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider;
 import org.apache.cxf.rs.security.jose.jwe.JweUtils;
+import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rt.security.crypto.CryptoUtils;
@@ -35,12 +36,12 @@ public abstract class AbstractOAuthServerJoseJwtProducer 
extends AbstractOAuthJo
     protected String processJwt(JwtToken jwt, Client client) {
         return processJwt(jwt, 
                          getInitializedEncryptionProvider(client),
-                         
getInitializedSignatureProvider(client.getClientSecret()));
+                         getInitializedSignatureProvider(client));
     }
     
     protected JweEncryptionProvider getInitializedEncryptionProvider(Client c) 
{
         JweEncryptionProvider theEncryptionProvider = null;
-        if (encryptWithClientCertificates) {
+        if (encryptWithClientCertificates && c != null && 
!c.getApplicationCertificates().isEmpty()) {
             X509Certificate cert = 
                 
(X509Certificate)CryptoUtils.decodeCertificate(c.getApplicationCertificates().get(0));
             theEncryptionProvider = 
JweUtils.createJweEncryptionProvider((RSAPublicKey)cert.getPublicKey(), 
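Review bot: The new guard on the certificate branch only checks that the client has at least one registered certificate; the first entry is then decoded and its public key cast to RSAPublicKey unchecked, so a client registered with a non-RSA (for example EC) or malformed certificate would presumably surface as a ClassCastException or a decode exception rather than a clean failure. Consider checking the key type before the cast, e.g. `java.security.PublicKey key = cert.getPublicKey(); if (!(key instanceof RSAPublicKey)) { throw new IllegalStateException("client certificate does not carry an RSA public key"); }`, so that a mis-registered client is rejected with a clear message. The body of getInitializedEncryptionProvider continues in the next hunk.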
@@ -48,12 +49,19 @@ public abstract class AbstractOAuthServerJoseJwtProducer 
extends AbstractOAuthJo
                                                                          
ContentAlgorithm.A128GCM, 
                                                                          null);
         }
-        if (theEncryptionProvider == null) {
+        if (theEncryptionProvider == null && c != null && c.getClientSecret() 
!= null) {
             theEncryptionProvider = 
super.getInitializedEncryptionProvider(c.getClientSecret());
         }
         return theEncryptionProvider;
         
     }
+    
+    protected JwsSignatureProvider getInitializedSignatureProvider(Client c) {
+        if (c == null) {
+            return null;
+        }
+        return super.getInitializedSignatureProvider(c.getClientSecret());
+    }
 
     public void setEncryptWithClientCertificates(boolean 
encryptWithClientCertificates) {
         if (isEncryptWithClientSecret()) {
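Review bot: The new getInitializedSignatureProvider(Client) override passes c.getClientSecret() straight to the superclass, without the `c.getClientSecret() != null` check that the encryption fallback in this same hunk now applies, so a client with no secret is handled differently for signing and for encryption; if the String overload cannot cope with a null secret this is a NullPointerException, otherwise it is an inconsistency worth removing. Aligning the two would be `return c.getClientSecret() != null ? super.getInitializedSignatureProvider(c.getClientSecret()) : null;`. Separately, the encryption method now silently falls back from the operator-configured certificate encryption to client-secret encryption when the client has no certificate, and returns null when it has neither; a comment such as `// No registered certificate: fall back to the client secret, or return no provider if there is none either` would make clear that this downgrade is intended. How the caller treats a null provider is outside this hunk.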

http://git-wip-us.apache.org/repos/asf/cxf/blob/0130a152/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
----------------------------------------------------------------------
diff --git 
a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
 
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
index 1f5d99d..22b058a 100644
--- 
a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
+++ 
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
@@ -28,6 +28,7 @@ import javax.ws.rs.core.Response;
 
 import org.apache.cxf.jaxrs.ext.MessageContext;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
+import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.OAuthContext;
 import 
org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthServerJoseJwtProducer;
 import org.apache.cxf.rs.security.oauth2.provider.OAuthDataProvider;
@@ -54,8 +55,11 @@ public class UserInfoService extends 
AbstractOAuthServerJoseJwtProducer {
         userInfo.setAudiences(Collections.singletonList(oauth.getClientId()));
         Object responseEntity = userInfo;
         if (super.isJwsRequired() || super.isJweRequired()) {
-            responseEntity = super.processJwt(new JwtToken(userInfo),
-                                              
oauthDataProvider.getClient(oauth.getClientId()));
+            Client client = null;
+            if (oauthDataProvider != null) {
+                client = oauthDataProvider.getClient(oauth.getClientId());
+            }
+            responseEntity = super.processJwt(new JwtToken(userInfo), client);
         }
         return Response.ok(responseEntity).build();
         
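Review bot: When oauthDataProvider is null, or getClient() returns null for the requested client id, the new code still calls processJwt with a null client; with the producer change in this commit that yields null encryption and signature providers, so whether a response that is marked JWS/JWE-required can end up unprotected depends on how processJwt (outside this hunk) treats null providers. Since this branch is only entered when signing or encryption is required, failing closed here is safer: `if (client == null) { return Response.serverError().build(); }` before the processJwt call. The enclosing method starts before and ends after this hunk.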
