Repository: cxf Updated Branches: refs/heads/master 409e99399 -> 36b48fe69
Prototyping the code for validating c_hash in OIDC RP Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/36b48fe6 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/36b48fe6 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/36b48fe6 Branch: refs/heads/master Commit: 36b48fe69bc52aff505fc0af76208fd6f09a4346 Parents: 409e993 Author: Sergey Beryozkin <[email protected]> Authored: Tue Mar 8 16:40:49 2016 +0000 Committer: Sergey Beryozkin <[email protected]> Committed: Tue Mar 8 16:40:49 2016 +0000
----------------------------------------------------------------------
.../oauth2/client/ClientCodeRequestFilter.java | 8 +++++--- .../cxf/rs/security/oidc/rp/IdTokenReader.java | 19 ++++++++++++++++--- .../oidc/rp/OidcClientCodeRequestFilter.java | 5 ++++- 3 files changed, 25 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/36b48fe6/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java
index be79d64..c777083 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java 
@@ -201,7 +201,7 @@ public class ClientCodeRequestFilter implements ContainerRequestFilter {
 grant.setCodeVerifier(state.getFirst(OAuthConstants.AUTHORIZATION_CODE_VERIFIER));
 at = OAuthClientUtils.getAccessToken(accessTokenServiceClient, consumer, grant);
 }
- ClientTokenContext tokenContext = initializeClientTokenContext(rc, at, state);
+ ClientTokenContext tokenContext = initializeClientTokenContext(rc, at, requestParams, state);
 if (at != null && clientTokenContextManager != null) {
 clientTokenContextManager.setClientTokenContext(mc, tokenContext);
 }
@@ -221,9 +221,10 @@ public class ClientCodeRequestFilter implements ContainerRequestFilter {
 }
 protected ClientTokenContext initializeClientTokenContext(ContainerRequestContext rc,
- ClientAccessToken at,
+ ClientAccessToken at,
+ MultivaluedMap<String, String> requestParams,
 MultivaluedMap<String, String> state) {
- ClientTokenContext tokenContext = createTokenContext(rc, at, state);
+ ClientTokenContext tokenContext = createTokenContext(rc, at, requestParams, state);
 ((ClientTokenContextImpl)tokenContext).setToken(at);
 ((ClientTokenContextImpl)tokenContext).setState(state);
 return tokenContext;
@@ -232,6 +233,7 @@ public class ClientCodeRequestFilter implements ContainerRequestFilter {
 protected ClientTokenContext createTokenContext(ContainerRequestContext rc,
 ClientAccessToken at,
+ MultivaluedMap<String, String> requestParams,
 MultivaluedMap<String, String> state) {
 return new ClientTokenContextImpl();
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/36b48fe6/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
index 832813d..514ff5f 100644 
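Review bot: The second and third hunks change the arity of the protected extension points `initializeClientTokenContext` and `createTokenContext` without keeping the old three-argument form, so an existing subclass override of the old signature that lacks `@Override` silently turns into an unrelated overload and is never called again, which would bypass whatever token-context checks that subclass performed. Neither new `requestParams` parameter is documented; from the use in `OidcClientCodeRequestFilter` in this same commit it appears to hold the parameters of the redirect-back request (the authorization code is read from it), so a Javadoc line such as `@param requestParams the parameters of the request redirected back from the authorization service` on both methods would make the contract explicit. If the old three-argument `createTokenContext` is meant to remain callable, a deprecated delegating overload `return createTokenContext(rc, at, null, state);` is worth considering, in which case the four-argument method should be documented as tolerating a null `requestParams`. In the first hunk the `requestParams` variable is declared outside the hunk, so its origin cannot be confirmed here.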
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
@@ -26,20 +26,30 @@ import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
 public class IdTokenReader extends OidcClaimsValidator {
 private boolean requireAtHash = true;
- public IdToken getIdToken(ClientAccessToken at, Consumer client) {
- JwtToken jwt = getIdJwtToken(at, client);
+ private boolean requireCodeHash;
+
+ public IdToken getIdToken(ClientAccessToken at, String code, Consumer client) {
+ JwtToken jwt = getIdJwtToken(at, code, client);
 return getIdTokenFromJwt(jwt);
 }
+
+ public IdToken getIdToken(ClientAccessToken at, Consumer client) {
+ return getIdToken(at, null, client);
+ }
 public IdToken getIdToken(String idJwtToken, Consumer client) {
 JwtToken jwt = getIdJwtToken(idJwtToken, client);
 return getIdTokenFromJwt(jwt);
 }
- public JwtToken getIdJwtToken(ClientAccessToken at, Consumer client) {
+ public JwtToken getIdJwtToken(ClientAccessToken at, String code, Consumer client) {
 String idJwtToken = at.getParameters().get(OidcUtils.ID_TOKEN);
 JwtToken jwt = getIdJwtToken(idJwtToken, client);
 OidcUtils.validateAccessTokenHash(at, jwt, requireAtHash);
+ OidcUtils.validateCodeHash(code, jwt, requireCodeHash);
 return jwt;
 }
+ public JwtToken getIdJwtToken(ClientAccessToken at, Consumer client) {
+ return getIdJwtToken(at, null, client);
+ }
 public JwtToken getIdJwtToken(String idJwtToken, Consumer client) {
 JwtToken jwt = getJwtToken(idJwtToken, client.getClientSecret());
 validateJwtClaims(jwt.getClaims(), client.getClientId(), true);
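Review bot: The new `requireCodeHash` field defaults to false while the neighbouring `requireAtHash` defaults to true, and nothing in the hunk (or on the setter added in the `@@ -51,4 +61,7` hunk) records why, so a maintainer cannot tell whether the asymmetry is deliberate. It is defensible, since OIDC Core only mandates `c_hash` for ID tokens issued from the authorization endpoint together with a code and leaves it optional otherwise, but that should be stated, e.g. `// c_hash is only mandatory for ID tokens issued alongside a code from the authorization endpoint (hybrid flow), so it is opt-in` above the field. The interaction with the two-argument overloads is also undocumented: they pass a null `code` into `OidcUtils.validateCodeHash`, which is outside this diff, and if that helper treats a null code as "nothing to compare", a deployment that enables `requireCodeHash` but reaches `getIdJwtToken(at, client)` gets no hash check at all; worth a Javadoc sentence on the overloads, or an explicit `if (requireCodeHash && code == null) { throw new IllegalArgumentException("c_hash validation requires the authorization code"); }` at this entry point, whichever matches the helper's real semantics. The new public methods `getIdToken(at, code, client)`, `getIdJwtToken(at, code, client)` and `setRequireCodeHash` have no Javadoc, unlike the rest of the public surface this class exposes.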
@@ -51,4 +61,7 @@ public class IdTokenReader extends OidcClaimsValidator {
 public void setRequireAccessTokenHash(boolean require) {
 this.requireAtHash = require;
 }
+ public void setRequireCodeHash(boolean require) {
+ this.requireCodeHash = require;
+ }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/36b48fe6/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
index f77efba..f465f1e 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
@@ -60,13 +60,16 @@ public class OidcClientCodeRequestFilter extends ClientCodeRequestFilter {
 @Override
 protected ClientTokenContext createTokenContext(ContainerRequestContext rc,
 ClientAccessToken at,
+ MultivaluedMap<String, String> requestParams,
 MultivaluedMap<String, String> state) {
 if (rc.getSecurityContext() instanceof OidcSecurityContext) {
 return ((OidcSecurityContext)rc.getSecurityContext()).getOidcContext();
 }
 OidcClientTokenContextImpl ctx = new OidcClientTokenContextImpl();
 if (at != null) {
- IdToken idToken = idTokenReader.getIdToken(at, getConsumer());
+ IdToken idToken = idTokenReader.getIdToken(at,
+ requestParams.getFirst(OAuthConstants.AUTHORIZATION_CODE_VALUE),
+ getConsumer());
 // Validate the properties set up at the redirection time.
 validateIdToken(idToken, state);
