Repository: cxf-fediz
Updated Branches:
  refs/heads/master 0154f6606 -> d8d60f4c1


Making sure BackChannel handler can use id_token_hint if it is available


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/d8d60f4c
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/d8d60f4c
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/d8d60f4c

Branch: refs/heads/master
Commit: d8d60f4c1308b64df40b891a51d064b79028f457
Parents: 0154f66
Author: Sergey Beryozkin <[email protected]>
Authored: Fri Jun 2 13:42:31 2017 +0100
Committer: Sergey Beryozkin <[email protected]>
Committed: Fri Jun 2 13:42:31 2017 +0100

----------------------------------------------------------------------
 .../oidc/logout/BackChannelLogoutHandler.java      | 17 ++++++++++-------
 .../fediz/service/oidc/logout/LogoutService.java   |  2 +-
 2 files changed, 11 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d8d60f4c/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/logout/BackChannelLogoutHandler.java
----------------------------------------------------------------------
diff --git 
a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/logout/BackChannelLogoutHandler.java
 
b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/logout/BackChannelLogoutHandler.java
index 2c01b71..74687de 100644
--- 
a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/logout/BackChannelLogoutHandler.java
+++ 
b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/logout/BackChannelLogoutHandler.java
@@ -33,18 +33,20 @@ import org.apache.cxf.rs.security.jose.jwt.JwtToken;
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
 import org.apache.cxf.rs.security.oauth2.provider.OAuthDataProvider;
+import org.apache.cxf.rs.security.oidc.common.IdToken;
 import org.apache.cxf.rs.security.oidc.idp.OidcUserSubject;
 import org.apache.cxf.rt.security.crypto.CryptoUtils;
 
 public class BackChannelLogoutHandler extends JoseJwtProducer {
     private static final String BACK_CHANNEL_LOGOUT_URI = 
"backchannel_logout_uri";
     private static final String LOGOUT_TOKEN = "logout_token";
+    private static final String EVENTS_PROPERTY = "events";
     private static final String BACK_CHANNEL_LOGOUT_EVENT =
         "http://schemas.openid.net/event/backchannel-logout";;
     private ExecutorService executorService = Executors.newCachedThreadPool();
     private OAuthDataProvider dataProvider;
         
-    public void handleLogout(Client client, OidcUserSubject subject) {
+    public void handleLogout(Client client, OidcUserSubject subject, IdToken 
idTokenHint) {
         // At the moment the only to find out which RPs a given User is logged 
in is
         // to check the access tokens - it can not offer a complete solution, 
for ex
         // in cases when ATs have expired or been revoked or Implicit id_token 
flow is used.
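Review bot: The widened public signature `handleLogout(Client client, OidcUserSubject subject, IdToken idTokenHint)` has no Javadoc, and the fact that the new parameter may be null (the private helper falls back to `subject.getIdToken()` when it is) is only discoverable by reading further down the file. Add above the method: `/** Notifies every registered RP of the user's logout over the back channel. @param idTokenHint the id_token_hint that accompanied the logout request, or {@code null} to fall back to {@code subject.getIdToken()} for the logout token's iss/sub claims. */`. The method body continues past the end of this hunk.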
@@ -56,23 +58,24 @@ public class BackChannelLogoutHandler extends 
JoseJwtProducer {
             }
             String uri = client.getProperties().get(BACK_CHANNEL_LOGOUT_URI);
             if (uri != null) {
-                submitBackChannelLogoutRequest(client, subject, uri);
+                submitBackChannelLogoutRequest(client, subject, idTokenHint, 
uri);
             }
         }
 
     }
 
-    private void submitBackChannelLogoutRequest(Client client, OidcUserSubject 
subject, String uri) {
+    private void submitBackChannelLogoutRequest(Client client, OidcUserSubject 
subject,
+            IdToken idTokenHint, String uri) {
         // Application context is expected to contain HttpConduit HTTPS 
configuration
         final WebClient wc = WebClient.create(uri);
-        
+        IdToken idToken = idTokenHint != null ? idTokenHint : 
subject.getIdToken(); 
         JwtClaims claims = new JwtClaims();
-        claims.setIssuer(subject.getIdToken().getIssuer());
-        claims.setSubject(subject.getIdToken().getSubject());
+        claims.setIssuer(idToken.getIssuer());
+        claims.setSubject(idToken.getSubject());
         claims.setAudience(client.getClientId());
         claims.setIssuedAt(System.currentTimeMillis() / 1000);
         
claims.setTokenId(Base64UrlUtility.encode(CryptoUtils.generateSecureRandomBytes(16)));
-        claims.setProperty("events", 
+        claims.setProperty(EVENTS_PROPERTY, 
                 Collections.singletonMap(BACK_CHANNEL_LOGOUT_EVENT, 
Collections.emptyMap()));
         final String logoutToken = super.processJwt(new JwtToken(claims));
         executorService.submit(new Runnable() {
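Review bot: The new `IdToken idToken = idTokenHint != null ? idTokenHint : subject.getIdToken();` line makes the caller-supplied id_token_hint the source of the logout token's `iss` and `sub` claims, and nothing in this hunk checks that the hint belongs to the same end-user as `subject`; if the hint is only parsed and not cross-checked upstream (the LogoutService hunk just forwards it after `getClient(params, idTokenHint)`, and whatever validation JoseJwtConsumer performs there is not visible here), the RPs would receive a logout token naming a different subject than the session actually being ended. I would compare the hint's `sub` with the session token's `sub` when both are present and fall back to the session token on mismatch, and guard the both-null case explicitly instead of letting `idToken.getIssuer()` throw a NullPointerException (the comment at the top of handleLogout already notes the Implicit-flow case where no id_token is stored). Whether a mismatch should instead fail the request is a policy choice; the fallback below keeps the safe default of only ever logging out the authenticated subject.
```java
IdToken idToken = idTokenHint != null ? idTokenHint : subject.getIdToken();
if (idToken == null) {
    // nothing to build iss/sub from (e.g. Implicit flow with no stored id_token)
    return;
}
IdToken sessionToken = subject.getIdToken();
if (sessionToken != null && !sessionToken.getSubject().equals(idToken.getSubject())) {
    // the hint does not belong to the session being ended; do not trust its claims
    idToken = sessionToken;
}
JwtClaims claims = new JwtClaims();
// … unchanged: claim population, token signing and async POST …
```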

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d8d60f4c/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/logout/LogoutService.java
----------------------------------------------------------------------
diff --git 
a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/logout/LogoutService.java
 
b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/logout/LogoutService.java
index 2a67192..b9ee23b 100644
--- 
a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/logout/LogoutService.java
+++ 
b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/logout/LogoutService.java
@@ -75,7 +75,7 @@ public class LogoutService extends JoseJwtConsumer {
         
         Client client = getClient(params, idTokenHint);
         if (backChannelLogoutHandler != null) {
-            backChannelLogoutHandler.handleLogout(client, subject);
+            backChannelLogoutHandler.handleLogout(client, subject, 
idTokenHint);
         }
         if (logoutHandlers != null) {
 
