Repository: cxf Updated Branches: refs/heads/master 6094d8154 -> 57e150e67
Making it easier to customize the AT creation in the defaukt providers Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/57e150e6 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/57e150e6 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/57e150e6 Branch: refs/heads/master Commit: 57e150e672223dcda6da5557e4cd6f9405e99594 Parents: 6094d81 Author: Sergey Beryozkin <[email protected]> Authored: Wed Jan 25 12:57:17 2017 +0000 Committer: Sergey Beryozkin <[email protected]> Committed: Wed Jan 25 12:57:17 2017 +0000 ---------------------------------------------------------------------- .../oauth2/filters/JwtAccessTokenValidator.java | 5 +++++ .../oauth2/provider/AbstractOAuthDataProvider.java | 17 +++++++++++------ .../oauth2/provider/OAuthJSONProvider.java | 6 ++++++ .../oauth2/services/TokenIntrospectionService.java | 10 ++++++++++ .../rs/security/oauth2/utils/JwtTokenUtils.java | 5 ++++- 5 files changed, 36 insertions(+), 7 deletions(-) ----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/57e150e6/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/JwtAccessTokenValidator.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/JwtAccessTokenValidator.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/JwtAccessTokenValidator.java
index 78c8821..7581cf7 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/JwtAccessTokenValidator.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/JwtAccessTokenValidator.java
@@ -110,6 +110,11 @@ public class JwtAccessTokenValidator extends JoseJwtConsumer implements AccessTo
 } else if (claims.getSubject() != null) {
 atv.setTokenSubject(new UserSubject(claims.getSubject()));
 }
+ Map<String, String> extraProperties = CastUtils.cast((Map<?, ?>)claims.getClaim("extra_propertirs"));
+ if (extraProperties != null) {
+ atv.getExtraProps().putAll(extraProperties);
+ }
+
 return atv;
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/57e150e6/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
index d7d6169..00131bd 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
@@ -69,7 +69,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
 }
 protected ServerAccessToken doCreateAccessToken(AccessTokenRegistration atReg) {
- ServerAccessToken at = createNewAccessToken(atReg.getClient());
+ ServerAccessToken at = createNewAccessToken(atReg.getClient(), atReg.getSubject());
 at.setAudiences(atReg.getAudiences());
 at.setGrantType(atReg.getGrantType());
 List<String> theScopes = atReg.getApprovedScope();
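Review bot: The claim name `"extra_propertirs"` on the first added line is a misspelling of `extra_properties`, and this hunk duplicates that literal from JwtTokenUtils (last hunk of this commit) instead of sharing a constant, so if anyone corrects the spelling in one reader only, `getClaim` there returns null and the `if (extraProperties != null)` guard silently stops populating the extra properties. Declare it once next to `OAuthConstants.NONCE`, e.g. `String EXTRA_PROPERTIES_CLAIM = "extra_propertirs";`, and reference it from both places (and from whatever writes the claim, which is not visible here). The `CastUtils.cast` to `Map<String, String>` is unchecked: a claim map with non-string values is accepted here and only fails later with a ClassCastException when some consumer reads a value out of `atv.getExtraProps()`, far from the token that caused it; copying entries with `String.valueOf(entry.getValue())` or rejecting non-string values at this line keeps the failure inside validation. The enclosing method starts before this hunk.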
@@ -151,13 +151,13 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
 if (at.getClientCodeVerifier() != null) {
 claims.setClaim(OAuthConstants.AUTHORIZATION_CODE_VERIFIER, at.getClientCodeVerifier());
 }
- // ServerAccessToken 'nonce' property, if available, can be ignored for the purpose for persisting it
- // further as a JWT claim - as it is only used once by (OIDC) IdTokenResponseFilter
- // to set IdToken nonce property with the filter having an access to the current ServerAccessToken instance
+ if (at.getNonce() != null) {
+ claims.setClaim(OAuthConstants.NONCE, at.getNonce());
+ }
 return claims;
 }
- protected ServerAccessToken createNewAccessToken(Client client) {
+ protected ServerAccessToken createNewAccessToken(Client client, UserSubject userSub) {
 return new BearerAccessToken(client, accessTokenLifetime);
 }
@@ -329,6 +329,8 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
 scopes.addAll(at.getScopes());
 rt.setScopes(scopes);
 }
+ rt.setGrantCode(at.getGrantCode());
+ rt.setNonce(at.getNonce());
 rt.setSubject(at.getSubject());
 rt.setClientCodeVerifier(at.getClientCodeVerifier());
 return rt;
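Review bot: Replacing `createNewAccessToken(Client)` with `createNewAccessToken(Client, UserSubject)` removes the old protected hook instead of keeping it, so a provider subclass that overrides the one-argument form is no longer called by doCreateAccessToken or doRefreshAccessToken and gets no error unless the override carries `@Override` (then it fails to compile). The compatible shape is to keep the single-argument method as the deprecated default and have the new overload delegate to it, so existing overrides keep working and new providers override the two-argument one; the rewritten pair is below. The new overload also deserves a Javadoc line stating that `userSub` is the subject from the registration or refresh token and may be null for grants without a resource owner, which the callers visible in this commit do not guarantee either way. The claims-building method at the top of the hunk starts before it.
```java
protected ServerAccessToken createNewAccessToken(Client client, UserSubject userSub) {
    // Default delegates to the pre-existing single-argument hook so providers
    // overriding it keep working; new providers override this overload instead.
    return createNewAccessToken(client);
}

/** @deprecated override {@link #createNewAccessToken(Client, UserSubject)} instead. */
@Deprecated
protected ServerAccessToken createNewAccessToken(Client client) {
    return new BearerAccessToken(client, accessTokenLifetime);
}
```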
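Review bot: `rt.setNonce(at.getNonce())` carries the OIDC nonce onto the refresh token, and the doRefreshAccessToken hunk that follows copies it, together with the PKCE code verifier, back into every refreshed access token; the comment deleted in the hunk above recorded that the nonce was deliberately not persisted because it is a one-time value consumed by IdTokenResponseFilter. If that filter still takes the id_token nonce from the current access token, a refresh response would carry the nonce of the original authentication request, which the client is not expecting at that point (inferred, the filter is not in this commit). The same applies to the code verifier, which is only meaningful during the authorization-code exchange. Either drop `at.setNonce(oldRefreshToken.getNonce());` from the refresh path or add a comment on these two lines explaining why a refreshed token needs the original nonce.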
@@ -344,10 +346,13 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
 protected ServerAccessToken doRefreshAccessToken(Client client, RefreshToken oldRefreshToken, List<String> restrictedScopes) {
- ServerAccessToken at = createNewAccessToken(client);
+ ServerAccessToken at = createNewAccessToken(client, oldRefreshToken.getSubject());
 at.setAudiences(oldRefreshToken.getAudiences());
 at.setGrantType(oldRefreshToken.getGrantType());
+ at.setGrantCode(oldRefreshToken.getGrantCode());
 at.setSubject(oldRefreshToken.getSubject());
+ at.setNonce(oldRefreshToken.getNonce());
+ at.setClientCodeVerifier(oldRefreshToken.getClientCodeVerifier());
 if (restrictedScopes.isEmpty()) {
 at.setScopes(oldRefreshToken.getScopes());
 } else {
http://git-wip-us.apache.org/repos/asf/cxf/blob/57e150e6/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJSONProvider.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJSONProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJSONProvider.java
index 4656349..3d42b48 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJSONProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJSONProvider.java
@@ -123,6 +123,12 @@ public class OAuthJSONProvider implements MessageBodyWriter<Object>,
 sb.append(",");
 appendJsonPair(sb, "exp", obj.getExp(), false);
 }
+ if (!obj.getExtensions().isEmpty()) {
+ for (Map.Entry<String, String> entry : obj.getExtensions().entrySet()) {
+ sb.append(",");
+ appendJsonPair(sb, entry.getKey(), entry.getValue());
+ }
+ }
 }
 sb.append("}");
 String result = sb.toString();
http://git-wip-us.apache.org/repos/asf/cxf/blob/57e150e6/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java
index 65c1af6..c21d43e 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java
@@ -46,6 +46,7 @@ public class TokenIntrospectionService {
 private static final Logger LOG = LogUtils.getL7dLogger(TokenIntrospectionService.class);
 private boolean blockUnsecureRequests;
 private boolean blockUnauthorizedRequests = true;
+ private boolean reportExtraTokenProperties = true;
 private MessageContext mc;
 private OAuthDataProvider dataProvider;
 @POST
@@ -83,6 +84,11 @@ public class TokenIntrospectionService {
 }
 response.setTokenType(at.getTokenType());
+
+ if (reportExtraTokenProperties) {
+ response.getExtensions().putAll(at.getExtraProperties());
+ }
+
 return response;
 }
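Review bot: The added loop writes each extension under its own key with no check that the key is not one of the standard introspection members already emitted (`"exp"` is visible in this hunk, the others are written before it outside the hunk), so an extra property named like a standard member produces a duplicate JSON key, whose handling RFC 8259 leaves to the parser. Skipping keys already written, or documenting on `getExtensions()` that such names are reserved, would close that. Whether `appendJsonPair` escapes quotes and control characters in the key and value is not visible here; since these strings originate from token properties stored by the data provider rather than from a fixed set of literals, it needs to. The `!obj.getExtensions().isEmpty()` guard is redundant, iterating an empty map already does nothing; `for (Map.Entry<String, String> entry : obj.getExtensions().entrySet()) {` alone suffices. The enclosing method starts before this hunk.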
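Review bot: `reportExtraTokenProperties` defaults to `true`, so the `putAll(at.getExtraProperties())` added in the next hunk exposes every provider-stored extra property to introspection callers (authenticated by default, per `blockUnauthorizedRequests`) unless a deployment opts out, whereas before this commit those properties never appeared in a response. Since the contents of extra properties are provider-defined and may include data intended for the authorization server only, a `false` default, `private boolean reportExtraTokenProperties;`, keeps existing deployments' responses unchanged and makes the disclosure a deliberate configuration choice. Whether `at.getExtraProperties()` can return null is not visible here; if it can, the `putAll` in the next hunk needs a guard.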
@@ -115,4 +121,8 @@ public class TokenIntrospectionService {
 public void setMessageContext(MessageContext context) {
 this.mc = context;
 }
+
+ public void setReportExtraTokenProperties(boolean reportExtraTokenProperties) {
+ this.reportExtraTokenProperties = reportExtraTokenProperties;
+ }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/57e150e6/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/JwtTokenUtils.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/JwtTokenUtils.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/JwtTokenUtils.java
index fb5888e..90de970 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/JwtTokenUtils.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/JwtTokenUtils.java
@@ -112,7 +112,10 @@ public final class JwtTokenUtils {
 if (codeVerifier != null) {
 at.setClientCodeVerifier(codeVerifier);
 }
-
+ String nonce = claims.getStringProperty(OAuthConstants.NONCE);
+ if (nonce != null) {
+ at.setNonce(nonce);
+ }
 Map<String, String> extraProperties = CastUtils.cast((Map<?, ?>)claims.getClaim("extra_propertirs"));
 if (extraProperties != null) {
 at.getExtraProperties().putAll(extraProperties);
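Review bot: `setReportExtraTokenProperties` is a public configuration setter with no Javadoc, so an integrator reading the class cannot tell what "extra token properties" are or that they are returned to every introspection client. A Javadoc such as `/** Controls whether the provider-specific extra properties stored on an access token are returned as extension members of the introspection response. Enabled by default. */` on the method, matching the other setters in this class, would document the contract.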
