Simplifying OIDC services a bit
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/0182a290 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/0182a290 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/0182a290 Branch: refs/heads/master-jaxrs-2.1 Commit: 0182a29027e927abc170a7d6077aedeba7c974fb Parents: 28f130c Author: Sergey Beryozkin <sberyoz...@gmail.com> Authored: Wed May 25 10:59:17 2016 +0100 Committer: Sergey Beryozkin <sberyoz...@gmail.com> Committed: Wed May 25 10:59:17 2016 +0100 ---------------------------------------------------------------------- .../services/AbstractImplicitGrantService.java | 1 + .../services/AuthorizationCodeGrantService.java | 1 + .../services/RedirectionBasedGrantService.java | 9 +++++- .../oidc/idp/OidcAuthorizationCodeService.java | 29 +++----------------- .../security/oidc/idp/OidcImplicitService.java | 23 +++------------- 5 files changed, 18 insertions(+), 45 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/0182a290/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java index 3a18a66..446f82c 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java 
@@ -133,6 +133,7 @@ public abstract class AbstractImplicitGrantService extends RedirectionBasedGrant reg.setApprovedScope(getApprovedScope(requestedScope, approvedScope)); reg.setAudiences(Collections.singletonList(state.getAudience())); reg.setNonce(state.getNonce()); + reg.getExtraProperties().putAll(state.getExtraProperties()); return reg; } protected void finalizeResponse(StringBuilder sb, OAuthRedirectionState state) { http://git-wip-us.apache.org/repos/asf/cxf/blob/0182a290/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java index 5ec47d7..36c94f7 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java @@ -158,6 +158,7 @@ public class AuthorizationCodeGrantService extends RedirectionBasedGrantService codeReg.setAudience(state.getAudience()); codeReg.setNonce(state.getNonce()); codeReg.setClientCodeChallenge(state.getClientCodeChallenge()); + codeReg.getExtraProperties().putAll(state.getExtraProperties()); return codeReg; } protected String processCodeGrant(Client client, String code, UserSubject endUser) { http://git-wip-us.apache.org/repos/asf/cxf/blob/0182a290/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java ---------------------------------------------------------------------- 
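Review bot: The added `reg.getExtraProperties().putAll(state.getExtraProperties());` now runs for every implicit-grant flow, not only for the OIDC subclass whose own override previously did this, so whatever the redirection state carries as extra properties is copied onto the issued token registration. This page does not show what populates `state.getExtraProperties()`; if any of it is rebuilt from request parameters (the OIDC services on this page override `recreateRedirectionStateFromParams`), the base service should say so, e.g. `// extra properties may be rebuilt from the authorization request; do not treat them as trusted claims downstream`, and it is worth confirming that `getExtraProperties()` can never return null before calling `putAll` on it. The same line is added to `createCodeRegistration` in AuthorizationCodeGrantService further along this page and the same comment applies there. `createTokenRegistration` starts before this hunk.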
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java index 5ed3e2c..a6d5da8 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java @@ -70,6 +70,7 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService private boolean matchRedirectUriWithApplicationUri; private boolean hidePreauthorizedScopesInForm; private AuthorizationRequestFilter authorizationFilter; + private List<String> scopesRequiringNoConsent; protected RedirectionBasedGrantService(String supportedResponseType, String supportedGrantType) { @@ -231,7 +232,10 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService UserSubject userSubject, List<String> requestedScope, List<OAuthPermission> permissions) { - return false; + return scopesRequiringNoConsent != null + && requestedScope != null + && requestedScope.size() == scopesRequiringNoConsent.size() + && requestedScope.containsAll(scopesRequiringNoConsent); } /** @@ -554,4 +558,7 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService public void setAuthorizationFilter(AuthorizationRequestFilter authorizationFilter) { this.authorizationFilter = authorizationFilter; } + public void setScopesRequiringNoConsent(List<String> scopesRequiringNoConsent) { + this.scopesRequiringNoConsent = scopesRequiringNoConsent; + } } http://git-wip-us.apache.org/repos/asf/cxf/blob/0182a290/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java ---------------------------------------------------------------------- 
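Review bot: The new default body of `canAuthorizationBeSkipped` compares the lists by size plus `containsAll`, which is not set equality: a configured list containing a duplicate (for example `openid` twice) lets a request for `openid profile` skip consent, and duplicates in the request are otherwise tolerated only by the size check. Comparing as sets is stricter and reads better: `return scopesRequiringNoConsent != null && requestedScope != null && new HashSet<>(requestedScope).equals(new HashSet<>(scopesRequiringNoConsent));` (needs a `java.util.HashSet` import). Note also that neither `client` nor `permissions` is consulted, so once the list is configured every registered client gets the consent form skipped for that exact scope set; if that is intended, state it in a Javadoc on `setScopesRequiringNoConsent`, and consider copying the list in the setter (`this.scopesRequiringNoConsent = scopesRequiringNoConsent == null ? null : new ArrayList<>(scopesRequiringNoConsent);`) so the caller cannot mutate it after configuration.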
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java index a4e9ed5..b616170 100644 --- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java +++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java @@ -18,6 +18,7 @@ */ package org.apache.cxf.rs.security.oidc.idp; +import java.util.Collections; import java.util.List; import java.util.logging.Level; @@ -28,9 +29,7 @@ import org.apache.cxf.rs.security.oauth2.common.Client; import org.apache.cxf.rs.security.oauth2.common.OAuthError; import org.apache.cxf.rs.security.oauth2.common.OAuthPermission; import org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState; -import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken; import org.apache.cxf.rs.security.oauth2.common.UserSubject; -import org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeRegistration; import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException; import org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService; import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants; 
@@ -39,20 +38,16 @@ import org.apache.cxf.rs.security.oidc.utils.OidcUtils; public class OidcAuthorizationCodeService extends AuthorizationCodeGrantService { private static final String PROMPT_PARAMETER = "prompt"; - private boolean skipAuthorizationWithOidcScope; @Override protected boolean canAuthorizationBeSkipped(Client client, UserSubject userSubject, List<String> requestedScope, List<OAuthPermission> permissions) { - // No need to challenge the authenticated user with the authorization form - // if all the client application redirecting a user needs is to get this user authenticated - // with OIDC IDP - return requestedScope.size() == 1 && permissions.size() == 1 && skipAuthorizationWithOidcScope - && OidcUtils.OPENID_SCOPE.equals(requestedScope.get(0)); + return super.canAuthorizationBeSkipped(client, userSubject, requestedScope, permissions); } + public void setSkipAuthorizationWithOidcScope(boolean skipAuthorizationWithOidcScope) { - this.skipAuthorizationWithOidcScope = skipAuthorizationWithOidcScope; + super.setScopesRequiringNoConsent(Collections.singletonList(OidcUtils.OPENID_SCOPE)); } @Override 
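Review bot: `setSkipAuthorizationWithOidcScope(boolean skipAuthorizationWithOidcScope)` no longer reads its argument, so a configuration that explicitly sets it to `false` now turns consent skipping for the `openid` scope on rather than off. The setter should honour the flag: `super.setScopesRequiringNoConsent(skipAuthorizationWithOidcScope ? Collections.singletonList(OidcUtils.OPENID_SCOPE) : null);`. The `canAuthorizationBeSkipped` override just above it only delegates to `super` and can be removed, which would also make it visible that the former `permissions.size() == 1` guard has been dropped rather than moved into the base class. If the boolean setter is meant to survive only as a compatibility alias, mark it `@Deprecated` with Javadoc pointing at `setScopesRequiringNoConsent`.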
@@ -76,22 +71,6 @@ public class OidcAuthorizationCodeService extends AuthorizationCodeGrantService return super.startAuthorization(params, userSubject, client); } - protected AuthorizationCodeRegistration createCodeRegistration(OAuthRedirectionState state, - Client client, - List<String> requestedScope, - List<String> approvedScope, - UserSubject userSubject, - ServerAccessToken preauthorizedToken) { - AuthorizationCodeRegistration codeReg = super.createCodeRegistration(state, - client, - requestedScope, - approvedScope, - userSubject, - preauthorizedToken); - - codeReg.getExtraProperties().putAll(state.getExtraProperties()); - return codeReg; - } @Override protected OAuthRedirectionState recreateRedirectionStateFromParams( MultivaluedMap<String, String> params) { http://git-wip-us.apache.org/repos/asf/cxf/blob/0182a290/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java index c35526c..d689c21 100644 --- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java +++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java @@ -19,6 +19,7 @@ package org.apache.cxf.rs.security.oidc.idp; import java.util.Arrays; +import java.util.Collections; import java.util.HashSet; import java.util.List; import java.util.Properties; 
@@ -32,7 +33,6 @@ import org.apache.cxf.jaxrs.utils.JAXRSUtils; import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm; import org.apache.cxf.rs.security.jose.jws.JwsUtils; import org.apache.cxf.rs.security.jose.jwt.JwtToken; -import org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration; import org.apache.cxf.rs.security.oauth2.common.Client; import org.apache.cxf.rs.security.oauth2.common.OAuthError; import org.apache.cxf.rs.security.oauth2.common.OAuthPermission; @@ -51,7 +51,6 @@ import org.apache.cxf.rs.security.oidc.utils.OidcUtils; public class OidcImplicitService extends ImplicitGrantService { private static final String PROMPT_PARAMETER = "prompt"; - private boolean skipAuthorizationWithOidcScope; private OAuthJoseJwtProducer idTokenHandler; private IdTokenProvider idTokenProvider; @@ -100,14 +99,11 @@ public class OidcImplicitService extends ImplicitGrantService { UserSubject userSubject, List<String> requestedScope, List<OAuthPermission> permissions) { - // No need to challenge the authenticated user with the authorization form - // if all the client application redirecting a user needs is to get this user authenticated - // with OIDC IDP - return requestedScope.size() == 1 && permissions.size() == 1 && skipAuthorizationWithOidcScope - && OidcUtils.OPENID_SCOPE.equals(requestedScope.get(0)); + return super.canAuthorizationBeSkipped(client, userSubject, requestedScope, permissions); } + public void setSkipAuthorizationWithOidcScope(boolean skipAuthorizationWithOidcScope) { - this.skipAuthorizationWithOidcScope = skipAuthorizationWithOidcScope; + super.setScopesRequiringNoConsent(Collections.singletonList(OidcUtils.OPENID_SCOPE)); } @Override 
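Review bot: In the `@@ -100,14 +99,11 @@` hunk, `setSkipAuthorizationWithOidcScope` discards its boolean and unconditionally registers `openid` as a no-consent scope, so passing `false` enables the behaviour it is named for disabling. Make the setter conditional: `super.setScopesRequiringNoConsent(skipAuthorizationWithOidcScope ? Collections.singletonList(OidcUtils.OPENID_SCOPE) : null);`. The retained `canAuthorizationBeSkipped` override is now a pure `super` call and can be deleted; the previous `permissions.size() == 1` check it replaced is not enforced anywhere visible on this page, which is worth a note in the commit description if the drop is deliberate.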
@@ -161,17 +157,6 @@ public class OidcImplicitService extends ImplicitGrantService { return state; } - @Override - protected AccessTokenRegistration createTokenRegistration(OAuthRedirectionState state, - Client client, - List<String> requestedScope, - List<String> approvedScope, - UserSubject userSubject) { - AccessTokenRegistration reg = - super.createTokenRegistration(state, client, requestedScope, approvedScope, userSubject); - reg.getExtraProperties().putAll(state.getExtraProperties()); - return reg; - } protected String processIdToken(OAuthRedirectionState state, IdToken idToken) { OAuthJoseJwtProducer processor = idTokenHandler == null ? new OAuthJoseJwtProducer() : idTokenHandler;