This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 3.2.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit 28bdc918221aa790979b98cb304651886d5983d0
Author: Colm O hEigeartaigh <cohei...@apache.org>
AuthorDate: Wed Sep 18 12:19:24 2019 +0100

    Enforce that the access token has an openid scope for the UserInfo endpoint
    
    (cherry picked from commit 5e1a2a2257535e957b52ee721a81b741800a3171)
    (cherry picked from commit 661c271f4890b05896eee5de9cb8fb503fb3bccb)
---
 .../org/apache/cxf/rs/security/oidc/idp/UserInfoService.java   | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git 
a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
 
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
index 385fb6c..78e25f9 100644
--- 
a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
+++ 
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
@@ -32,12 +32,14 @@ import org.apache.cxf.rs.security.jose.jwt.JwtToken;
 import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.OAuthContext;
+import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
 import org.apache.cxf.rs.security.oauth2.provider.OAuthDataProvider;
 import org.apache.cxf.rs.security.oauth2.provider.OAuthServerJoseJwtProducer;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthContextUtils;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
 import org.apache.cxf.rs.security.oidc.common.IdToken;
 import org.apache.cxf.rs.security.oidc.common.UserInfo;
+import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
 
 @Path("/userinfo")
 public class UserInfoService extends OAuthServerJoseJwtProducer {
@@ -51,6 +53,14 @@ public class UserInfoService extends 
OAuthServerJoseJwtProducer {
     @Produces({"application/json", "application/jwt" })
     public Response getUserInfo() {
         OAuthContext oauth = OAuthContextUtils.getContext(mc);
+
+        // Check the access token has the "openid" scope
+        if (!oauth.getPermissions().stream()
+            .map(OAuthPermission::getPermission)
+            .anyMatch(OidcUtils.OPENID_SCOPE::equals)) {
+            Response.status(401);
+        }
+
         UserInfo userInfo = null;
         if (userInfoProvider != null) {
             userInfo = userInfoProvider.getUserInfo(oauth.getClientId(), 
oauth.getSubject(),
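Review bot: The new scope check has no effect, because `Response.status(401);` only builds a ResponseBuilder that is then discarded, so a token without the "openid" scope still falls through to the UserInfo lookup below. The guard should return the response, `return Response.status(401).build();`, which also matches the method's declared return type of `Response`. Whether `oauth.getPermissions()` can be null for a token with no scopes is not visible here; if it can, the stream call would throw a NullPointerException before the check, so that should be confirmed against OAuthContext. The body of getUserInfo continues outside the hunk.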
