Repository: cxf Updated Branches: refs/heads/3.1.x-fixes d1f2b8736 -> 6fe70ffca
Recording the cert confirmation in the access token, with the validation work and tests to follow later on
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/6fe70ffc
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/6fe70ffc
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/6fe70ffc
Branch: refs/heads/3.1.x-fixes
Commit: 6fe70ffcadeaace30f8f49520948a560572753cd
Parents: d1f2b87
Author: Sergey Beryozkin <[email protected]>
Authored: Fri Apr 7 17:12:53 2017 +0100
Committer: Sergey Beryozkin <[email protected]>
Committed: Fri Apr 7 17:22:37 2017 +0100
----------------------------------------------------------------------
 .../apache/cxf/rs/security/jose/jwt/JwtConstants.java | 3 ++-
 .../grants/code/AuthorizationCodeGrantHandler.java | 1 +
 .../oauth2/provider/AbstractOAuthDataProvider.java | 14 ++++++++++++++
 .../cxf/rs/security/oauth2/utils/JwtTokenUtils.java | 13 +++++++++++--
 4 files changed, 28 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/6fe70ffc/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtConstants.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtConstants.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtConstants.java
index eae9091..feaf9f1 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtConstants.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtConstants.java
@@ -28,7 +28,8 @@ public final class JwtConstants {
 public static final String CLAIM_NOT_BEFORE = "nbf";
 public static final String CLAIM_ISSUED_AT = "iat";
 public static final String CLAIM_JWT_ID = "jti";
-
+ public static final String CLAIM_CONFIRMATION = "cnf";
+
 public static final String JWT_TOKEN = "jwt.token";
 public static final String JWT_CLAIMS = "jwt.claims";
http://git-wip-us.apache.org/repos/asf/cxf/blob/6fe70ffc/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
index 4e1121e..7adc665 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
@@ -147,6 +147,7 @@ public class AuthorizationCodeGrantHandler extends AbstractGrantHandler {
 reg.setResponseType(grant.getResponseType());
 reg.setClientCodeVerifier(codeVerifier);
 reg.setGrantType(OAuthConstants.CODE_RESPONSE_TYPE);
+ reg.getExtraProperties().putAll(grant.getExtraProperties());
 return getDataProvider().createAccessToken(reg);
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/6fe70ffc/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
----------------------------------------------------------------------
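Review bot: The added `reg.getExtraProperties().putAll(grant.getExtraProperties())` copies every property stored on the authorization-code grant into the access-token registration, and AbstractOAuthDataProvider then copies the registration's properties into the issued token (and, if createJwtAccessToken serializes them into a claim as the JwtTokenUtils side of this commit suggests, into the JWT itself), so anything a provider parked on the grant for its own bookkeeping now leaves the server inside the token. That deserves a comment at the call site, e.g. `// grant extra properties are surfaced in the issued token; keep provider-internal state out of them`. Whether either getExtraProperties() can return null is not visible here; if it can, the new line would throw. The enclosing method starts outside the hunk.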
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
index c032f75..8c509d7 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
@@ -28,7 +28,9 @@ import java.util.Map;
 import javax.ws.rs.core.MultivaluedMap;
 import org.apache.cxf.jaxrs.ext.MessageContext;
+import org.apache.cxf.rs.security.jose.common.JoseConstants;
 import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
+import org.apache.cxf.rs.security.jose.jwt.JwtConstants;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
 import org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration;
 import org.apache.cxf.rs.security.oauth2.common.Client;
@@ -85,11 +87,23 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
 at.setResponseType(atReg.getResponseType());
 at.setGrantCode(atReg.getGrantCode());
 at.getExtraProperties().putAll(atReg.getExtraProperties());
+
+ String certCnf = null;
+ if (messageContext != null) {
+ certCnf = (String)messageContext.get(JoseConstants.HEADER_X509_THUMBPRINT_SHA256);
+ }
 if (isUseJwtFormatForAccessTokens()) {
 JwtClaims claims = createJwtAccessToken(at);
+ // At a later stage we will likely introduce a dedicate Confirmation bean (as it is used in POP etc)
+ if (certCnf != null) {
+ claims.setClaim(JwtConstants.CLAIM_CONFIRMATION,
+ Collections.singletonMap(JoseConstants.HEADER_X509_THUMBPRINT_SHA256, certCnf));
+ }
 String jose = processJwtAccessToken(claims);
 at.setTokenKey(jose);
+ } else if (certCnf != null) {
+ at.getExtraProperties().put(JoseConstants.HEADER_X509_THUMBPRINT_SHA256, certCnf);
 }
 return at;
http://git-wip-us.apache.org/repos/asf/cxf/blob/6fe70ffc/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/JwtTokenUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/JwtTokenUtils.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/JwtTokenUtils.java
index 90de970..55527fa 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/JwtTokenUtils.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/JwtTokenUtils.java
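Review bot: The thumbprint that becomes the token's `cnf` claim is read straight from `messageContext.get(JoseConstants.HEADER_X509_THUMBPRINT_SHA256)`, and nothing in this hunk ties that value to the TLS client certificate of the current connection; the binding is only as trustworthy as whatever populates that message property, which is outside this hunk, so a comment naming the expected producer would make the contract explicit, e.g. `// certCnf must come from the client certificate of this TLS connection (set by the transport/filter), never from a request header`. The unchecked `(String)` cast also throws ClassCastException if another component stores a non-String under the same key, while JwtTokenUtils reads the value back with `toString()`; the two sides should agree on one representation. `Collections.singletonMap` assumes `java.util.Collections` is already imported, which the import hunk above does not add. The enclosing createAccessToken method starts outside the hunk.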
@@ -24,8 +24,10 @@ import java.util.Map;
 import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.helpers.CastUtils;
+import org.apache.cxf.rs.security.jose.common.JoseConstants;
 import org.apache.cxf.rs.security.jose.jwt.JoseJwtConsumer;
 import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
+import org.apache.cxf.rs.security.jose.jwt.JwtConstants;
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
 import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
@@ -116,12 +118,19 @@ public final class JwtTokenUtils {
 if (nonce != null) {
 at.setNonce(nonce);
 }
+
 Map<String, String> extraProperties = CastUtils.cast((Map<?, ?>)claims.getClaim("extra_propertirs"));
 if (extraProperties != null) {
 at.getExtraProperties().putAll(extraProperties);
 }
-
-
+
+ // At the moment only a string 'x5#S256' cnf property is recognized
+ Map<String, Object> cnf = CastUtils.cast((Map<?, ?>)claims.getClaim(JwtConstants.CLAIM_CONFIRMATION));
+ if (cnf != null && cnf.containsKey(JoseConstants.HEADER_X509_THUMBPRINT_SHA256)) {
+ String certCnf = cnf.get(JoseConstants.HEADER_X509_THUMBPRINT_SHA256).toString();
+ at.getExtraProperties().put(JoseConstants.HEADER_X509_THUMBPRINT_SHA256, certCnf);
+ }
+
 return at;
 }
 }
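Review bot: `cnf.get(JoseConstants.HEADER_X509_THUMBPRINT_SHA256).toString()` throws NullPointerException when the parsed `cnf` map carries that key with an explicit null value, because `containsKey` is true but `get` returns null; reading the value into a local and null-checking it, `Object thumbprint = cnf.get(JoseConstants.HEADER_X509_THUMBPRINT_SHA256); if (thumbprint != null) { at.getExtraProperties().put(JoseConstants.HEADER_X509_THUMBPRINT_SHA256, thumbprint.toString()); }`, avoids that, and since the comment says only a string value is recognized, an `instanceof String` test instead of `toString()` would also keep a nested object from being stored as its Java rendering. The comment's key name `'x5#S256'` does not match the JOSE header the constant denotes (`x5t#S256`); naming the constant, `// At the moment only a string JoseConstants.HEADER_X509_THUMBPRINT_SHA256 cnf property is recognized`, avoids the drift. This code only copies the thumbprint into the token's extra properties and does not compare it with anything, so a reader should not take the presence of that property as a completed proof-of-possession check; a one-line comment saying so would help until the validation the commit message promises lands.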
