Repository: cxf-fediz Updated Branches: refs/heads/master 680cb0d74 -> 220ce5e5e
Add the ability to map claims in the FedizSubjectCreator Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/220ce5e5 Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/220ce5e5 Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/220ce5e5 Branch: refs/heads/master Commit: 220ce5e5ef09b49e251b8619bf1834f4e6e85c98 Parents: 680cb0d Author: Colm O hEigeartaigh <[email protected]> Authored: Fri Jul 15 17:36:29 2016 +0100 Committer: Colm O hEigeartaigh <[email protected]> Committed: Fri Jul 15 17:36:29 2016 +0100 ---------------------------------------------------------------------- .../fediz/service/oidc/FedizSubjectCreator.java | 48 ++++++++++++++++++-- 1 file changed, 43 insertions(+), 5 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/220ce5e5/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java ----------------------------------------------------------------------
diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java
index 0568cd2..8511aca 100644
--- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java
+++ b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java
@@ -19,6 +19,10 @@ package org.apache.cxf.fediz.service.oidc;
 import java.security.Principal;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
 import javax.ws.rs.core.MultivaluedMap;
@@ -28,6 +32,7 @@ import org.apache.cxf.common.util.Base64UrlUtility;
 import org.apache.cxf.fediz.core.Claim;
 import org.apache.cxf.fediz.core.ClaimCollection;
 import org.apache.cxf.fediz.core.ClaimTypes;
+import org.apache.cxf.fediz.core.FedizConstants;
 import org.apache.cxf.fediz.core.FedizPrincipal;
 import org.apache.cxf.jaxrs.ext.MessageContext;
 import org.apache.cxf.rs.security.oauth2.common.UserSubject;
@@ -47,7 +52,7 @@ public class FedizSubjectCreator implements SubjectCreator {
     private String issuer;
     private long defaultTimeToLive = 3600L;
-
+    private Map<String, String> supportedClaims = Collections.emptyMap();
     @Override
     public UserSubject createUserSubject(MessageContext mc,
@@ -73,7 +78,9 @@ public class FedizSubjectCreator implements SubjectCreator {
         IdToken idToken = convertToIdToken(fedizPrincipal.getLoginToken(),
                                            oidcSub.getLogin(),
                                            oidcSub.getId(),
-                                           fedizPrincipal.getClaims());
+                                           fedizPrincipal.getClaims(),
+                                           fedizPrincipal.getRoleClaims(),
+                                           params.getFirst("claims"));
         oidcSub.setIdToken(idToken);
         // UserInfo can be populated and set on OidcUserSubject too.
         // UserInfoService will create it otherwise.
@@ -81,10 +88,12 @@ public class FedizSubjectCreator implements SubjectCreator {
         return oidcSub;
     }
-    public IdToken convertToIdToken(Element samlToken,
+    private IdToken convertToIdToken(Element samlToken,
                                     String subjectName,
                                     String subjectId,
-                                    ClaimCollection claims) {
+                                    ClaimCollection claims,
+                                    List<String> roles,
+                                    String requestedClaims) {
         // The current SAML Assertion represents an authentication record.
         // It has to be translated into IdToken (JWT) so that it can be returned
         // to client applications participating in various OIDC flows.
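Review bot: The value read with `params.getFirst("claims")` is client-supplied and, going by its later use in this commit, is interpreted as a space-separated list of claim names, whereas OpenID Connect Core §5.5 defines the `claims` request parameter as a JSON object. A conforming client that sends the JSON form will silently receive none of the mapped claims, since the JSON fragments never match a configured name. That repurposing should at least be stated where the parameter is read, e.g. `// "claims" is treated as a space-separated list of mapped claim names, not the OIDC JSON claims object`, or a distinct parameter name should be chosen. createUserSubject and the declaration of `params` start outside this hunk, so I cannot tell whether the parameter is validated earlier.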
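Review bot: Changing `convertToIdToken` from `public` to `private` is a source-incompatible change for any subclass or external caller of the previously public method, and the commit message does not mention it; if hiding it is intended, `protected` would keep it overridable while removing it from the public API. The two new parameters also arrive undocumented: a Javadoc stating that `roles` holds the principal's role claims (from `getRoleClaims()`) and that `requestedClaims` is the raw, client-controlled `claims` parameter and may be null would tell a maintainer which input is trusted and which is not. The method body continues past the end of this hunk.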
@@ -136,6 +145,12 @@ public class FedizSubjectCreator implements SubjectCreator {
             idToken.setExpiryTime(currentTimeInSecs + defaultTimeToLive);
         }
+        // Additional claims requested
+        List<String> requestedClaimsList = Collections.emptyList();
+        if (requestedClaims != null && !supportedClaims.isEmpty()) {
+            requestedClaimsList = Arrays.asList(requestedClaims.trim().split(" "));
+        }
+
         // Map claims
         if (claims != null) {
             String firstName = null;
@@ -160,13 +175,25 @@ public class FedizSubjectCreator implements SubjectCreator {
                     idToken.setGender((String)c.getValue());
                 } else if (ClaimTypes.WEB_PAGE.equals(c.getClaimType())) {
                     idToken.setWebsite((String)c.getValue());
+                } else if (supportedClaims.containsKey(c.getClaimType().toString())
+                    && requestedClaimsList.contains(supportedClaims.get(c.getClaimType().toString()))) {
+                    idToken.setClaim(supportedClaims.get(c.getClaimType().toString()), (String)c.getValue());
                 }
             }
             if (firstName != null && lastName != null) {
                 idToken.setName(firstName + " " + lastName);
             }
-
+        }
+
+        if (roles != null && !roles.isEmpty()
+            && supportedClaims.containsKey(FedizConstants.DEFAULT_ROLE_URI.toString())
+            && requestedClaimsList.contains(supportedClaims.get(FedizConstants.DEFAULT_ROLE_URI.toString()))) {
+            if (roles.size() == 1) {
+                idToken.setClaim(supportedClaims.get(FedizConstants.DEFAULT_ROLE_URI.toString()), roles.get(0));
+            } else {
+                idToken.setClaim(supportedClaims.get(FedizConstants.DEFAULT_ROLE_URI.toString()), roles);
+            }
         }
         return idToken;
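Review bot: `requestedClaims.trim().split(" ")` splits on a single space only, so a client that separates names with two spaces, a tab or a newline produces empty or fused tokens that never match a configured name and the requested claims are silently dropped. `requestedClaimsList = Arrays.asList(requestedClaims.trim().split("\\s+"));` handles any whitespace run; the security posture is unchanged either way, since the client-controlled tokens are only used as lookup keys against the operator-configured `supportedClaims` map and never copied into the token. The comment `// Additional claims requested` would be more useful as `// Client-requested claim names; only those also present as values in supportedClaims are ever emitted`. The enclosing convertToIdToken starts before this hunk.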
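Review bot: The new `else if` branch casts `(String)c.getValue()` for whatever claim type the operator mapped, yet the role branch in the same hunk shows that claim values can also be a `List`; a multi-valued non-role claim mapped through `supportedClaims` would therefore throw ClassCastException and fail the whole token request. Because `setClaim` accepts the `List` passed for roles, the cast appears unnecessary: hoisting the key and dropping it, `String mapped = supportedClaims.get(c.getClaimType().toString());` followed by `idToken.setClaim(mapped, c.getValue());` under the existing `mapped != null && requestedClaimsList.contains(mapped)` test, also removes the three repeated `c.getClaimType().toString()` evaluations. The role lookup is keyed on `FedizConstants.DEFAULT_ROLE_URI` only, so a deployment using a different role claim URI presumably gets no role claim even when configured; a comment noting that assumption would help. The enclosing method starts before this hunk.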
@@ -194,4 +221,15 @@ public class FedizSubjectCreator implements SubjectCreator {
         this.defaultTimeToLive = idTokenTimeToLive;
     }
+    /**
+     * Set a map of supported claims. The map is from a SAML ClaimType URI String to a claim value that is
+     * sent in the claims parameter. So for example:
+     * http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role -> role
+     * If the token contains a the former, and the OpenId claims contains the latter, then the claim value
+     * will be encoded in the IdToken using the latter key.
+     */
+    public void setSupportedClaims(Map<String, String> supportedClaims) {
+        this.supportedClaims = supportedClaims;
+    }
+
 }
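Review bot: The setter stores the argument unchecked, and elsewhere in this commit the field is dereferenced with `supportedClaims.isEmpty()` without a null test, so a configuration that injects null (easy to do from a Spring bean definition) turns every token request into a NullPointerException; `this.supportedClaims = supportedClaims == null ? Collections.emptyMap() : supportedClaims;` keeps the existing empty-map default. The Javadoc has a typo, "contains a the former" should be "contains the former", and it should warn operators that the map values become JWT claim names written with `setClaim`, so mapping onto a standard claim such as `sub`, `exp` or `aud` would overwrite the token's own value, presumably silently. A sentence noting that a claim is emitted only when it is both configured here and named in the client's `claims` parameter would complete the contract.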
