Java Code Examples for org.apache.cxf.rs.security.oauth2.common.ServerAccessToken#getGrantCode()
The following examples show how to use
org.apache.cxf.rs.security.oauth2.common.ServerAccessToken#getGrantCode() .
Example 1
Source File: AbstractOAuthDataProvider.java From cxf with Apache License 2.0 | 4 votes |
/**
 * Builds the JWT claim set for a server-side access token that is about to be issued.
 *
 * <p>Besides the standard claims (token id, issued-at, expiry, subject, issuer, scope,
 * audience) the claim set also carries bookkeeping values that a resource server may
 * consult: the grant type, the original authorization code (already removed from storage
 * and no longer redeemable when the token is issued; only present for the code flow), the
 * PKCE code verifier presented by the client, and the nonce. Claim names for the client id
 * and the username can be remapped through {@link #getJwtAccessTokenClaimMap()}.
 *
 * <p>NOTE(review): every value set here becomes part of the issued token; confirm that the
 * token is signed/encrypted as intended before relying on it not being readable downstream.
 *
 * @param at the access token to describe; its client, scopes, audiences and extra
 *           properties are read but not modified
 * @return a freshly created claim set, never {@code null}
 */
protected JwtClaims createJwtAccessToken(ServerAccessToken at) {
    JwtClaims jwt = new JwtClaims();
    jwt.setTokenId(at.getTokenKey());

    // 'client_id' or 'cid' (default client_id); the name is looked up in the configurable claim map
    String clientClaim = JwtTokenUtils.getClaimName(OAuthConstants.CLIENT_ID,
                                                    OAuthConstants.CLIENT_ID,
                                                    getJwtAccessTokenClaimMap());
    jwt.setClaim(clientClaim, at.getClient().getClientId());

    jwt.setIssuedAt(at.getIssuedAt());
    // A non-positive lifetime means "no expiry claim" rather than "already expired"
    if (at.getExpiresIn() > 0) {
        jwt.setExpiryTime(at.getIssuedAt() + at.getExpiresIn());
    }

    UserSubject owner = at.getSubject();
    if (owner != null) {
        if (owner.getId() != null) {
            jwt.setSubject(owner.getId());
        }
        // 'username' by default, to match the token introspection response
        final String usernameProp = "username";
        String usernameClaim = JwtTokenUtils.getClaimName(usernameProp,
                                                          usernameProp,
                                                          getJwtAccessTokenClaimMap());
        jwt.setClaim(usernameClaim, owner.getLogin());
    }

    if (at.getIssuer() != null) {
        jwt.setIssuer(at.getIssuer());
    }

    if (!at.getScopes().isEmpty()) {
        jwt.setClaim(OAuthConstants.SCOPE, OAuthUtils.convertPermissionsToScopeList(at.getScopes()));
    }

    // OAuth2 resource indicators: a single audience is emitted as a scalar, several as a list
    List<String> audiences = at.getAudiences();
    if (!audiences.isEmpty()) {
        if (audiences.size() > 1) {
            jwt.setAudiences(audiences);
        } else {
            jwt.setAudience(audiences.get(0));
        }
    }

    // Extra properties are copied into 'extra_properties', except the certificate thumbprint,
    // which is promoted to the standard 'cnf' confirmation claim
    Map<String, String> extras = at.getExtraProperties();
    if (!extras.isEmpty()) {
        Map<String, String> remainingExtras = new HashMap<>();
        for (Map.Entry<String, String> extra : extras.entrySet()) {
            String key = extra.getKey();
            if (JoseConstants.HEADER_X509_THUMBPRINT_SHA256.equals(key)) {
                Map<String, String> confirmation =
                    Collections.singletonMap(JoseConstants.HEADER_X509_THUMBPRINT_SHA256, extra.getValue());
                jwt.setClaim(JwtConstants.CLAIM_CONFIRMATION, confirmation);
            } else {
                remainingExtras.put(key, extra.getValue());
            }
        }
        jwt.setClaim("extra_properties", remainingExtras);
    }

    // Lets the RS/etc see which grant produced this token
    if (at.getGrantType() != null) {
        jwt.setClaim(OAuthConstants.GRANT_TYPE, at.getGrantType());
    }
    // Original code grant value; it was removed from storage (and is no longer valid) when this
    // token was issued, so it is informational only. Present only for the authorization code flow
    if (at.getGrantCode() != null) {
        jwt.setClaim(OAuthConstants.AUTHORIZATION_CODE_GRANT, at.getGrantCode());
    }
    // Ties the token to the client instance (especially for public clients) that presented the verifier
    if (at.getClientCodeVerifier() != null) {
        jwt.setClaim(OAuthConstants.AUTHORIZATION_CODE_VERIFIER, at.getClientCodeVerifier());
    }
    if (at.getNonce() != null) {
        jwt.setClaim(OAuthConstants.NONCE, at.getNonce());
    }
    return jwt;
}
Example 2
Source File: IdTokenResponseFilter.java From cxf with Apache License 2.0 | 4 votes |
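/**
 * Populates the {@code at_hash}, {@code c_hash} and {@code nonce} members of an id_token
 * from the access token that is being returned alongside it.
 *
 * <p>{@code at_hash} is needed unless the response type is exactly {@code id_token};
 * {@code c_hash} is needed for the hybrid response types that also return a code. Both
 * hashes depend on the signature algorithm, so neither is set when the id_token is
 * unsigned. The code hashed for {@code c_hash} is the consumed grant code when this runs
 * at the token endpoint, or the code placed on the exchange at the authorization endpoint.
 *
 * <p>Fix: the hybrid-flow lookup used to dereference the current message without the
 * null guard that the nonce lookup below already applies; both now tolerate a missing
 * message and simply leave the member unset.
 *
 * @param idToken the id_token to update; members that are already set are left alone
 * @param st      the access token issued with the id_token
 */
private void setAtHashAndNonce(IdToken idToken, ServerAccessToken st) {
    String rType = st.getResponseType();
    // at_hash is required unless the response type is exactly 'id_token'
    boolean atHashRequired = idToken.getAccessTokenHash() == null
        && (rType == null || !rType.equals(OidcUtils.ID_TOKEN_RESPONSE_TYPE));
    // c_hash is required for the hybrid response types 'code id_token token' and 'code id_token'
    boolean cHashRequired = idToken.getAuthorizationCodeHash() == null
        && rType != null
        && (rType.equals(OidcUtils.CODE_ID_TOKEN_AT_RESPONSE_TYPE)
            || rType.equals(OidcUtils.CODE_ID_TOKEN_RESPONSE_TYPE));
    Message m = JAXRSUtils.getCurrentMessage();
    if (atHashRequired || cHashRequired) {
        Properties props = JwsUtils.loadSignatureOutProperties(false);
        final SignatureAlgorithm sigAlgo;
        if (super.isSignWithClientSecret()) {
            sigAlgo = OAuthUtils.getClientSecretSignatureAlgorithm(props);
        } else {
            sigAlgo = JwsUtils.getSignatureAlgorithm(props, SignatureAlgorithm.RS256);
        }
        // The hash length is derived from the signature algorithm; an unsigned id_token gets no hashes
        if (sigAlgo != SignatureAlgorithm.NONE) {
            if (atHashRequired) {
                // Prefer the encoded (e.g. JWT) form, since that is what the client actually receives
                String tokenKey = st.getEncodedToken() != null ? st.getEncodedToken() : st.getTokenKey();
                String atHash = OidcUtils.calculateAccessTokenHash(tokenKey, sigAlgo);
                idToken.setAccessTokenHash(atHash);
            }
            if (cHashRequired) {
                // c_hash can be returned from either the Authorization or the Token endpoint
                String code;
                if (st.getGrantCode() != null) {
                    // Token endpoint: the code has already been exchanged for this token
                    code = st.getGrantCode();
                } else if (m != null) {
                    // Authorization endpoint: hybrid flow, implicit part
                    code = (String) m.getExchange().get(OAuthConstants.AUTHORIZATION_CODE_VALUE);
                } else {
                    // No current message to read the code from; leave c_hash unset
                    code = null;
                }
                if (code != null) {
                    idToken.setAuthorizationCodeHash(OidcUtils.calculateAuthorizationCodeHash(code, sigAlgo));
                }
            }
        }
    }
    // The nonce on the exchange (authorization endpoint) wins over the one stored with the token
    if (m != null && m.getExchange().containsKey(OAuthConstants.NONCE)) {
        idToken.setNonce((String) m.getExchange().get(OAuthConstants.NONCE));
    } else if (st.getNonce() != null) {
        idToken.setNonce(st.getNonce());
    }
}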