Continuing prototyping the dynreg service code
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/3599f93d Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/3599f93d Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/3599f93d Branch: refs/heads/master-jaxrs-2.1 Commit: 3599f93db9a72f989de87f47a6e7c8c286683ad5 Parents: c0ca26c Author: Sergey Beryozkin <[email protected]> Authored: Wed Aug 24 15:44:40 2016 +0100 Committer: Sergey Beryozkin <[email protected]> Committed: Wed Aug 24 15:44:40 2016 +0100 ---------------------------------------------------------------------- .../oauth2/services/ClientRegistration.java | 124 ++++++++++++ .../services/ClientRegistrationRequest.java | 124 ------------ .../services/DynamicRegistrationService.java | 201 +++++++++++++++++-- .../oidc/idp/OidcClientRegistration.java | 27 +++ .../oidc/idp/OidcClientRegistrationRequest.java | 27 --- .../idp/OidcDynamicRegistrationService.java | 33 +++ 6 files changed, 369 insertions(+), 167 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/3599f93d/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ClientRegistration.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ClientRegistration.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ClientRegistration.java new file mode 100644 index 0000000..d81a623 --- /dev/null +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ClientRegistration.java 
@@ -0,0 +1,124 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.services;
+
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.apache.cxf.jaxrs.json.basic.JsonMapObject;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
+
+public class ClientRegistration extends JsonMapObject {
+    public static final String REDIRECT_URIS = "redirect_uris";
+    public static final String RESPONSE_TYPES = "response_types";
+    public static final String GRANT_TYPES = "grant_types";
+    public static final String APPLICATION_TYPE = "application_type";
+    public static final String CONTACTS = "contacts";
+    public static final String CLIENT_NAME = "client_name";
+    public static final String LOGO_URI = "logo_uri";
+    public static final String CLIENT_URI = "client_uri";
+    public static final String POLICY_URI = "policy_uri";
+    public static final String TOS_URI = "tos_uri";
+    public static final String TOKEN_ENDPOINT_AUTH_METHOD = "token_endpoint_auth_method";
+    public static final String SCOPE = OAuthConstants.SCOPE;
+
+    private static final long serialVersionUID = 7903976943604132150L;
+
+    public ClientRegistration() {
+    }
+
+    public ClientRegistration(Map<String, Object> props) {
+        super(new LinkedHashMap<String, Object>(props));
+    }
+
+    public void setRedirectUris(List<String> redirectUris) {
+        super.setProperty(REDIRECT_URIS, redirectUris);
+    }
+    public List<String> getRedirectUris() {
+        return getListStringProperty(REDIRECT_URIS);
+    }
+    public void setResponseTypes(List<String> responseTypes) {
+        super.setProperty(RESPONSE_TYPES, responseTypes);
+    }
+    public List<String> getResponseTypes() {
+        return getListStringProperty(RESPONSE_TYPES);
+    }
+    public void setGrantTypes(List<String> grantTypes) {
+        super.setProperty(GRANT_TYPES, grantTypes);
+    }
+    public List<String> getGrantTypes() {
+        return getListStringProperty(GRANT_TYPES);
+    }
+    public void setApplicationType(String applicationType) {
+        super.setProperty(APPLICATION_TYPE, applicationType);
+    }
+    public String getApplicationType() {
+        return getStringProperty(APPLICATION_TYPE);
+    }
+    public void setContacts(List<String> contacts) {
+        super.setProperty(CONTACTS, contacts);
+    }
+    public List<String> getContacts() {
+        return getListStringProperty(CONTACTS);
+    }
+    public void setClientName(String clientName) {
+        super.setProperty(CLIENT_NAME, clientName);
+    }
+    public String getClientName() {
+        return getStringProperty(CLIENT_NAME);
+    }
+    public void setLogoUri(String logoUri) {
+        super.setProperty(LOGO_URI, logoUri);
+    }
+    public String getLogoUri() {
+        return getStringProperty(LOGO_URI);
+    }
+    public void setClientUri(String clientUri) {
+        super.setProperty(CLIENT_URI, clientUri);
+    }
+    public String getClientUri() {
+        return getStringProperty(CLIENT_URI);
+    }
+    public void setPolicyUri(String policyUri) {
+        super.setProperty(POLICY_URI, policyUri);
+    }
+    public String getPolicyUri() {
+        return getStringProperty(POLICY_URI);
+    }
+    public void setTosUri(String tosUri) {
+        super.setProperty(TOS_URI, tosUri);
+    }
+    public String getTosUri() {
+        return getStringProperty(TOS_URI);
+    }
+    public void setTokenEndpointAuthMethod(String method) {
+        super.setProperty(TOKEN_ENDPOINT_AUTH_METHOD, method);
+    }
+    public String getTokenEndpointAuthMethod() {
+        return getStringProperty(TOKEN_ENDPOINT_AUTH_METHOD);
+    }
+    public void setScope(String scope) {
+        super.setProperty(SCOPE, scope);
+    }
+    public String getScope() {
+        return getStringProperty(SCOPE);
+    }
+
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/3599f93d/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ClientRegistrationRequest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ClientRegistrationRequest.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ClientRegistrationRequest.java
deleted file mode 100644
index d899343..0000000
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ClientRegistrationRequest.java
+++ /dev/null
@@ -1,124 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.services;
-
-import java.util.LinkedHashMap;
-import java.util.List;
-import java.util.Map;
-
-import org.apache.cxf.jaxrs.json.basic.JsonMapObject;
-import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
-
-public class ClientRegistrationRequest extends JsonMapObject {
-    public static final String REDIRECT_URIS = "redirect_uris";
-    public static final String RESPONSE_TYPES = "response_types";
-    public static final String GRANT_TYPES = "grant_types";
-    public static final String APPLICATION_TYPE = "application_type";
-    public static final String CONTACTS = "contacts";
-    public static final String CLIENT_NAME = "client_name";
-    public static final String LOGO_URI = "logo_uri";
-    public static final String CLIENT_URI = "client_uri";
-    public static final String POLICY_URI = "policy_uri";
-    public static final String TOS_URI = "tos_uri";
-    public static final String TOKEN_ENDPOINT_AUTH_METHOD = "token_endpoint_auth_method";
-    public static final String SCOPE = OAuthConstants.SCOPE;
-
-    private static final long serialVersionUID = 7903976943604132150L;
-
-    public ClientRegistrationRequest() {
-    }
-
-    public ClientRegistrationRequest(Map<String, Object> props) {
-        super(new LinkedHashMap<String, Object>(props));
-    }
-
-    public void setRedirectUris(List<String> redirectUris) {
-        super.setProperty(REDIRECT_URIS, redirectUris);
-    }
-    public List<String> getRedirectUris() {
-        return getListStringProperty(REDIRECT_URIS);
-    }
-    public void setResponseTypes(List<String> responseTypes) {
-        super.setProperty(RESPONSE_TYPES, responseTypes);
-    }
-    public List<String> getResponseTypes() {
-        return getListStringProperty(RESPONSE_TYPES);
-    }
-    public void setGrantTypes(List<String> grantTypes) {
-        super.setProperty(GRANT_TYPES, grantTypes);
-    }
-    public List<String> getGrantTypes() {
-        return getListStringProperty(GRANT_TYPES);
-    }
-    public void setApplicationType(String applicationType) {
-        super.setProperty(APPLICATION_TYPE, applicationType);
-    }
-    public String getApplicationType() {
-        return getStringProperty(APPLICATION_TYPE);
-    }
-    public void setContacts(List<String> contacts) {
-        super.setProperty(CONTACTS, contacts);
-    }
-    public List<String> getContacts() {
-        return getListStringProperty(CONTACTS);
-    }
-    public void setClientName(String clientName) {
-        super.setProperty(CLIENT_NAME, clientName);
-    }
-    public String getClientName() {
-        return getStringProperty(CLIENT_NAME);
-    }
-    public void setLogoUri(String logoUri) {
-        super.setProperty(LOGO_URI, logoUri);
-    }
-    public String getLogoUri() {
-        return getStringProperty(LOGO_URI);
-    }
-    public void setClientUri(String clientUri) {
-        super.setProperty(CLIENT_URI, clientUri);
-    }
-    public String getClientUri() {
-        return getStringProperty(CLIENT_URI);
-    }
-    public void setPolicyUri(String policyUri) {
-        super.setProperty(POLICY_URI, policyUri);
-    }
-    public String getPolicyUri() {
-        return getStringProperty(POLICY_URI);
-    }
-    public void setTosUri(String tosUri) {
-        super.setProperty(TOS_URI, tosUri);
-    }
-    public String getTosUri() {
-        return getStringProperty(TOS_URI);
-    }
-    public void setTokenEndpointAuthMethod(String method) {
-        super.setProperty(TOKEN_ENDPOINT_AUTH_METHOD, method);
-    }
-    public String getTokenEndpointAuthMethod() {
-        return getStringProperty(TOKEN_ENDPOINT_AUTH_METHOD);
-    }
-    public void setScope(String scope) {
-        super.setProperty(SCOPE, scope);
-    }
-    public String getScope() {
-        return getStringProperty(SCOPE);
-    }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/3599f93d/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DynamicRegistrationService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DynamicRegistrationService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DynamicRegistrationService.java
index 130fb64..a0d6bc7 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DynamicRegistrationService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DynamicRegistrationService.java
@@ -18,6 +18,9 @@
  */
 package org.apache.cxf.rs.security.oauth2.services;
 
+import java.util.Collections;
+import java.util.List;
+
 import javax.ws.rs.Consumes;
 import javax.ws.rs.DELETE;
 import javax.ws.rs.GET;
@@ -28,34 +31,69 @@
 import javax.ws.rs.PathParam;
 import javax.ws.rs.Produces;
 import javax.ws.rs.QueryParam;
 import javax.ws.rs.core.Response;
+import javax.ws.rs.core.UriBuilder;
 
-import org.apache.cxf.rs.security.oauth2.provider.OAuthDataProvider;
+import org.apache.cxf.common.util.Base64UrlUtility;
+import org.apache.cxf.common.util.StringUtils;
+import org.apache.cxf.jaxrs.utils.ExceptionUtils;
+import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rs.security.oauth2.provider.ClientRegistrationProvider;
+import org.apache.cxf.rs.security.oauth2.utils.AuthorizationUtils;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
+import org.apache.cxf.rt.security.crypto.CryptoUtils;
 
 @Path("register")
 public class DynamicRegistrationService extends AbstractOAuthService {
-
-    private OAuthDataProvider dataProvider;
+    private static final String DEFAULT_APPLICATION_TYPE = "web";
+    private static final Integer DEFAULT_CLIENT_ID_SIZE = 10;
+    private ClientRegistrationProvider clientProvider;
     private String initialAccessToken;
-
+    private int clientIdSizeInBytes = DEFAULT_CLIENT_ID_SIZE;
     @POST
     @Consumes("application/json")
     @Produces("application/json")
-    public ClientRegistrationResponse register(ClientRegistrationRequest request) {
+    public ClientRegistrationResponse register(ClientRegistration request) {
+        checkInitialAccessToken();
+        Client client = createNewClient(request);
+        createRegAccessToken(client);
+        clientProvider.setClient(client);
 
-        return new ClientRegistrationResponse();
+        return fromClientToRegistrationResponse(client);
     }
 
+    protected void checkInitialAccessToken() {
+        if (initialAccessToken != null) {
+            checkCurrentAccessToken(initialAccessToken);
+        }
+
+    }
+
+    protected String createRegAccessToken(Client client) {
+        //TODO: Passing AccessTokenRegistration to OAuthDataProvider may be needed
+        String regAccessToken = OAuthUtils.generateRandomTokenKey();
+        client.getProperties().put(ClientRegistrationResponse.REG_ACCESS_TOKEN,
+                                   regAccessToken);
+        return regAccessToken;
+    }
+    protected void checkCurrentAccessToken(String accessToken) {
+        String[] authParts = AuthorizationUtils.getAuthorizationParts(getMessageContext(),
+                                    Collections.singleton(OAuthConstants.BEARER_AUTHORIZATION_SCHEME));
+        if (authParts.length != 2 || !authParts[1].equals(accessToken)) {
+            throw ExceptionUtils.toForbiddenException(null, null);
+        }
+    }
+
     @GET
     @Produces("application/json")
-    public ClientRegistrationResponse readClientRegistrationWithQuery(@QueryParam("client_id") String clientId) {
-
+    public ClientRegistration readClientRegistrationWithQuery(@QueryParam("client_id") String clientId) {
         return doReadClientRegistration(clientId);
     }
 
     @GET
     @Path("{clientId}")
     @Produces("application/json")
-    public ClientRegistrationResponse readClientRegistrationWithPath(@PathParam("clientId") String clientId) {
+    public ClientRegistration readClientRegistrationWithPath(@PathParam("clientId") String clientId) {
         return doReadClientRegistration(clientId);
     }
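Review bot: `checkCurrentAccessToken` compares the presented bearer token with `String.equals`, whose early exit leaks how many leading characters matched, and this one method guards both initial registration and, through `validateRegistrationAccessToken`, every later read and delete of a client. A constant-time comparison is a one-line change: `if (authParts.length != 2 || !MessageDigest.isEqual(authParts[1].getBytes(StandardCharsets.UTF_8), accessToken.getBytes(StandardCharsets.UTF_8))) {` (needs `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` imports). `checkInitialAccessToken` also deserves a comment making the default explicit, since leaving `initialAccessToken` unset opens the endpoint to anonymous registration, which RFC 7591 allows but deployers should opt into knowingly: `// No initial access token configured: registration is open to any caller`.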
@@ -70,19 +108,49 @@ public class DynamicRegistrationService extends AbstractOAuthService {
     @DELETE
     @Path("{clientId}")
     public Response deleteClientRegistration(@PathParam("clientId") String clientId) {
 
+        if (readClient(clientId) != null) {
+            clientProvider.removeClient(clientId);
+        }
+
         return Response.ok().build();
     }
 
-    protected ClientRegistrationResponse doReadClientRegistration(String clientId) {
-        return new ClientRegistrationResponse();
+    protected ClientRegistrationResponse fromClientToRegistrationResponse(Client client) {
+        ClientRegistrationResponse response = new ClientRegistrationResponse();
+        response.setClientId(client.getClientId());
+        response.setClientSecret(client.getClientSecret());
+        response.setClientIdIssuedAt(client.getRegisteredAt());
+        // TODO: consider making Client secret time limited
+        response.setClientSecretExpiresAt(Long.valueOf(0));
+        UriBuilder ub = getMessageContext().getUriInfo().getAbsolutePathBuilder();
+        response.setRegistrationClientUri(ub.path(client.getClientId()).build().toString());
+
+        response.setRegistrationAccessToken(client.getProperties()
+            .get(ClientRegistrationResponse.REG_ACCESS_TOKEN));
+        return response;
     }
-
-    public OAuthDataProvider getDataProvider() {
-        return dataProvider;
+
+    protected ClientRegistration doReadClientRegistration(String clientId) {
+        Client client = readClient(clientId);
+        return fromClientToClientRegistration(client);
     }
-    public void setDataProvider(OAuthDataProvider dataProvider) {
-        this.dataProvider = dataProvider;
+    protected ClientRegistration fromClientToClientRegistration(Client client) {
+        return new ClientRegistration();
+    }
+
+    protected Client readClient(String clientId) {
+        Client c = clientProvider.getClient(clientId);
+        String regAccessToken = c.getProperties().get(ClientRegistrationResponse.REG_ACCESS_TOKEN);
+        // Or check OAuthDataProvider.getAccessToken
+        // if OAuthDataProvider.createAccessToken was used
+
+        validateRegistrationAccessToken(regAccessToken);
+        return c;
+    }
+
+    protected void validateRegistrationAccessToken(String accessToken) {
+        checkCurrentAccessToken(accessToken);
     }
 
     public String getInitialAccessToken() {
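Review bot: `readClient` dereferences the result of `clientProvider.getClient(clientId)` without a null check, so a request for an unknown `client_id` ends in a NullPointerException (a 500) rather than a rejection, and the `readClient(clientId) != null` guard in `deleteClientRegistration` can never actually observe null. RFC 7592 has the server answer 401 when the client does not exist, which also keeps "no such client" indistinguishable from "wrong token" for a caller probing ids; add `if (c == null) { throw ExceptionUtils.toNotAuthorizedException(null, null); }` before the properties lookup (assuming that helper is available next to `toForbiddenException`, otherwise build the 401 response directly). Separately, the delete path returns 200 with an empty body where RFC 7592 specifies 204 No Content for a successful deletion, i.e. `return Response.noContent().build();`. The `getInitialAccessToken` accessor at the end continues outside the hunk.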
@@ -93,5 +161,106 @@ public class DynamicRegistrationService extends AbstractOAuthService {
         this.initialAccessToken = registrationAccessToken;
     }
 
+    protected Client createNewClient(ClientRegistration request) {
+        // Client ID
+        String clientId = generateClientId();
+
+        // Client Name
+        String clientName = request.getClientName();
+        if (StringUtils.isEmpty(clientName)) {
+            clientName = clientId;
+        }
+
+        List<String> grantTypes = request.getGrantTypes();
+
+        // Client Type
+        // https://tools.ietf.org/html/rfc7591 has no this property but
+        // but http://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata does
+        String appType = request.getApplicationType();
+        if (appType == null) {
+            appType = DEFAULT_APPLICATION_TYPE;
+        }
+        boolean isConfidential = DEFAULT_APPLICATION_TYPE.equals(appType)
+            && grantTypes != null && grantTypes.contains(OAuthConstants.AUTHORIZATION_CODE_GRANT);
+
+        // Client Secret
+        String clientSecret = isConfidential
+            ? generateClientSecret(request)
+            : null;
+
+        Client newClient = new Client(clientId, clientSecret, isConfidential, clientName);
+
+        if (grantTypes != null) {
+            newClient.setAllowedGrantTypes(grantTypes);
+        }
+
+        // Client Registration Time
+        newClient.setRegisteredAt(System.currentTimeMillis() / 1000);
+
+        // Client Redirect URIs
+        List<String> redirectUris = request.getRedirectUris();
+        if (redirectUris != null) {
+            for (String uri : redirectUris) {
+                validateRequestUri(uri, appType, grantTypes);
+            }
+            newClient.setRedirectUris(redirectUris);
+        }
+
+        // Client Scopes
+        String scope = request.getScope();
+        if (!StringUtils.isEmpty(scope)) {
+            newClient.setRegisteredScopes(OAuthUtils.parseScope(scope));
+        }
+        // Client Application URI
+        String clientUri = request.getClientUri();
+        if (clientUri != null) {
+            newClient.setApplicationWebUri(clientUri);
+        }
+        // Client Logo URI
+        String clientLogoUri = request.getLogoUri();
+        if (clientLogoUri != null) {
+            newClient.setApplicationLogoUri(clientLogoUri);
+        }
+
+        //TODO: check other properties
+        // Add more typed properties like tosUri, policyUri, etc to Client
+        // or set them as Client extra properties
+
+        return newClient;
+    }
+
+    protected void validateRequestUri(String uri, String appType, List<String> grantTypes) {
+        // Web Clients using the OAuth Implicit Grant Type MUST only register URLs using the https scheme
+        // as redirect_uris; they MUST NOT use localhost as the hostname. Native Clients MUST only register
+        // redirect_uris using custom URI schemes or URLs using the http: scheme with localhost as the hostname.
+        // Authorization Servers MAY place additional constraints on Native Clients. Authorization Servers MAY
+        // reject Redirection URI values using the http scheme, other than the localhost case for Native Clients
+    }
+
+    public void setClientProvider(ClientRegistrationProvider clientProvider) {
+        this.clientProvider = clientProvider;
+    }
+    protected String generateClientId() {
+        return Base64UrlUtility.encode(
+                 CryptoUtils.generateSecureRandomBytes(
+                      getClientIdSizeInBytes()));
+    }
+
+    public int getClientIdSizeInBytes() {
+        return clientIdSizeInBytes;
+    }
+    public void setClientIdSizeInBytes(int size) {
+        clientIdSizeInBytes = size;
+    }
+
+    protected String generateClientSecret(ClientRegistration request) {
+        return Base64UrlUtility.encode(
+                 CryptoUtils.generateSecureRandomBytes(
+                      getClientSecretSizeInBytes(request)));
+    }
+
+    protected int getClientSecretSizeInBytes(ClientRegistration request) {
+        return 16;
+    }
 
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/3599f93d/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcClientRegistration.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcClientRegistration.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcClientRegistration.java
new file mode 100644
index 0000000..fd717d9
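Review bot: `validateRequestUri` has an empty body, so every value a caller places in `redirect_uris` — plain `http` for a web client, a URI carrying a fragment, or a string that is not a URI at all — is accepted by the loop in `createNewClient` and persisted on the new client, which is exactly what the quoted OpenID registration text forbids and what makes the later authorization-code redirect exploitable. The same method also accepts any `application_type` string: a value other than `web` or `native` silently yields a public client with no secret, so rejecting unknown values with `ExceptionUtils.toBadRequestException(null, null)` would be safer than treating them as native. At minimum the unconditional RFC 6749 checks (absolute URI, no fragment) plus the web/native scheme rules from the comment could be implemented now; the sketch below assumes an `OAuthConstants.IMPLICIT_GRANT` constant exists and needs `java.net.URI` and `java.net.URISyntaxException` imports.

```java
    protected void validateRequestUri(String uri, String appType, List<String> grantTypes) {
        URI parsed;
        try {
            parsed = new URI(uri);
        } catch (URISyntaxException ex) {
            throw ExceptionUtils.toBadRequestException(ex, null);
        }
        // RFC 6749 3.1.2: a registered redirection URI is absolute and carries no fragment
        if (!parsed.isAbsolute() || parsed.getFragment() != null) {
            throw ExceptionUtils.toBadRequestException(null, null);
        }
        boolean localhost = "localhost".equalsIgnoreCase(parsed.getHost());
        boolean implicit = grantTypes != null && grantTypes.contains(OAuthConstants.IMPLICIT_GRANT);
        if (DEFAULT_APPLICATION_TYPE.equals(appType)) {
            // web client using implicit: https only, never localhost
            if (implicit && (!"https".equalsIgnoreCase(parsed.getScheme()) || localhost)) {
                throw ExceptionUtils.toBadRequestException(null, null);
            }
        } else if ("http".equalsIgnoreCase(parsed.getScheme()) && !localhost) {
            // native client: http is only acceptable for localhost; custom schemes pass through
            throw ExceptionUtils.toBadRequestException(null, null);
        }
    }
```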
--- /dev/null
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcClientRegistration.java
@@ -0,0 +1,27 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oidc.idp;
+
+import org.apache.cxf.rs.security.oauth2.services.ClientRegistration;
+
+public class OidcClientRegistration extends ClientRegistration {
+
+    private static final long serialVersionUID = -7941815270850562749L;
+
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/3599f93d/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcClientRegistrationRequest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcClientRegistrationRequest.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcClientRegistrationRequest.java
deleted file mode 100644
index 7a9dbe3..0000000
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcClientRegistrationRequest.java
+++ /dev/null
@@ -1,27 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oidc.idp;
-
-import org.apache.cxf.rs.security.oauth2.services.ClientRegistrationRequest;
-
-public class OidcClientRegistrationRequest extends ClientRegistrationRequest {
-
-    private static final long serialVersionUID = -7941815270850562749L;
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/3599f93d/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcDynamicRegistrationService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcDynamicRegistrationService.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcDynamicRegistrationService.java
index bb9d080..e4d9840 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcDynamicRegistrationService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcDynamicRegistrationService.java
@@ -18,9 +18,42 @@
  */
 package org.apache.cxf.rs.security.oidc.idp;
 
+import javax.ws.rs.Consumes;
+import javax.ws.rs.POST;
+import javax.ws.rs.Produces;
+
+import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rs.security.oauth2.services.ClientRegistration;
+import org.apache.cxf.rs.security.oauth2.services.ClientRegistrationResponse;
 import org.apache.cxf.rs.security.oauth2.services.DynamicRegistrationService;
 
 public class OidcDynamicRegistrationService extends DynamicRegistrationService {
 
+    private boolean protectIdTokenWithClientSecret;
+
+    @POST
+    @Consumes("application/json")
+    @Produces("application/json")
+    public ClientRegistrationResponse register(OidcClientRegistration request) {
+        return super.register(request);
+    }
+    @Override
+    protected Client createNewClient(ClientRegistration request) {
+        // TODO: cast to OidcClientRegistrationRequest,
+        // set OIDC specific properties as Client extra properties
+        return super.createNewClient(request);
+    }
+    protected int getClientSecretSizeInBytes(ClientRegistration request) {
+
+        // TODO: may need to be 384/8 or 512/8 if not a default HS256 but HS384 or HS512
+        int keySizeOctets = protectIdTokenWithClientSecret
+            ? 32
+            : super.getClientSecretSizeInBytes(request);
+
+        return keySizeOctets;
+    }
+    public void setProtectIdTokenWithClientSecret(boolean protectIdTokenWithClientSecret) {
+        this.protectIdTokenWithClientSecret = protectIdTokenWithClientSecret;
+    }
 
 }
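Review bot: `register(OidcClientRegistration)` overloads rather than overrides the parent's `register(ClientRegistration)`, so this resource class now carries two public `@POST` methods with identical `@Consumes`/`@Produces` on the same path; which one the JAX-RS runtime picks for a registration request depends on its resource-method selection rules, and only one of them deserialises into the OIDC subtype that `createNewClient` intends to cast to per its TODO. Either override the parent method with its own signature and have the OIDC service read its extra metadata from the generic `ClientRegistration` map, or confirm the CXF selection behaviour and record it next to the overload with `// Overload, not override: the parent register(ClientRegistration) remains a resource method on this class`. `getClientSecretSizeInBytes` overrides a parent method and should carry `@Override` like `createNewClient` does; the 32-octet secret for HS256 matches the RFC 7518 minimum, and the TODO correctly notes HS384/HS512 need 48/64.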
