Repository: cxf-fediz Updated Branches: refs/heads/master 72f0c939b -> 47a23b88c
Updating the IdToken creation to have a principal id set as 'sub' and name - as preferresUserName with the config support to follow later
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/24339411
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/24339411
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/24339411
Branch: refs/heads/master
Commit: 243394119ef2eb8fdb70cd923f93593e0ce108fd
Parents: 48b9eed
Author: Sergey Beryozkin <[email protected]>
Authored: Wed Feb 24 12:08:20 2016 +0000
Committer: Sergey Beryozkin <[email protected]>
Committed: Wed Feb 24 12:08:20 2016 +0000
----------------------------------------------------------------------
.../fediz/service/oidc/FedizSubjectCreator.java | 30 ++++++++++++++------
1 file changed, 21 insertions(+), 9 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/24339411/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java
index f134039..0568cd2 100644
--- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java
+++ b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java
@@ -24,6 +24,7 @@ import javax.ws.rs.core.MultivaluedMap;
 import org.w3c.dom.Element;
+import org.apache.cxf.common.util.Base64UrlUtility;
 import org.apache.cxf.fediz.core.Claim;
 import org.apache.cxf.fediz.core.ClaimCollection;
 import org.apache.cxf.fediz.core.ClaimTypes;
@@ -34,6 +35,7 @@ import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
 import org.apache.cxf.rs.security.oauth2.provider.SubjectCreator;
 import org.apache.cxf.rs.security.oidc.common.IdToken;
 import org.apache.cxf.rs.security.oidc.idp.OidcUserSubject;
+import org.apache.cxf.rt.security.crypto.CryptoUtils;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.joda.time.DateTime;
@@ -58,30 +60,40 @@ public class FedizSubjectCreator implements SubjectCreator { FedizPrincipal fedizPrincipal = (FedizPrincipal)principal; // In the future FedizPrincipal will likely have JWT claims already prepared, - // with IdToken being initialized here from those claims + client id + // with IdToken being initialized here from those claims + OidcUserSubject oidcSub = new OidcUserSubject(); + oidcSub.setLogin(fedizPrincipal.getName()); + + // Subject ID - a locally unique and never reassigned identifier allocated to the end user + // REVISIT: + // Can it be allocated on per-session basis or is it something that is supposed to be created + // by the authentication system (IDP/STS) once and reported every time a given user signs in ? + oidcSub.setId(Base64UrlUtility.encode(CryptoUtils.generateSecureRandomBytes(16))); IdToken idToken = convertToIdToken(fedizPrincipal.getLoginToken(), - fedizPrincipal.getName(), + oidcSub.getLogin(), + oidcSub.getId(), fedizPrincipal.getClaims()); - - OidcUserSubject oidcSub = new OidcUserSubject(); - oidcSub.setLogin(fedizPrincipal.getName()); oidcSub.setIdToken(idToken); // UserInfo can be populated and set on OidcUserSubject too. + // UserInfoService will create it otherwise. return oidcSub; } public IdToken convertToIdToken(Element samlToken, - String subjectName, + String subjectName, + String subjectId, ClaimCollection claims) { - // The current SAML Assertion represents anauthentication record. + // The current SAML Assertion represents an authentication record. // It has to be translated into IdToken (JWT) so that it can be returned // to client applications participating in various OIDC flows. 
IdToken idToken = new IdToken(); - // Subject name is provided by FedizPrincipal which is initialized from the current SAML token - idToken.setSubject(subjectName); + + //TODO: make the mapping between the subject name and IdToken claim configurable + idToken.setPreferredUserName(subjectName); + idToken.setSubject(subjectId); Assertion saml2Assertion = getSaml2Assertion(samlToken); if (saml2Assertion != null) {
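Review bot: The `sub` claim written by `idToken.setSubject(subjectId)` is now a fresh random value on every call, because `subjectId` comes from `oidcSub.setId(Base64UrlUtility.encode(CryptoUtils.generateSecureRandomBytes(16)))` earlier in the hunk, so the same end user presents a different subject identifier each time they sign in; OIDC Core requires `sub` to be locally unique and never reassigned, which in practice means stable across sessions, and relying parties that key accounts or authorization decisions on `sub` will treat every login as a new user, while those that instead fall back to `preferred_username` are relying on a claim the spec says must not be treated as unique. The REVISIT comment already raises exactly this, so until the configurable mapping lands I would derive the id deterministically from the authenticated principal, e.g. `oidcSub.setId(fedizPrincipal.getName());` (or a persistent SAML NameID/claim if the token carries one, which I cannot see from here), and keep the random value only as an explicit opt-in. It would also help to add a Javadoc on `convertToIdToken` stating that `subjectId` must be stable for a given end user and that `subjectName` is informational only. The method that the first half of the hunk edits starts before the hunk, and `convertToIdToken` continues past its end.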
