org.apache.cxf.rs.security.oidc.common.IdToken Java Examples

Example #1
Source File: OidcIdTokenRequestFilter.java    From cxf with Apache License 2.0 6 votes vote down vote up
@Override
public void filter(ContainerRequestContext requestContext) throws IOException {
    // The raw ID token is expected in the form body under a configurable parameter name.
    MultivaluedMap<String, String> formParams = toFormData(requestContext);
    String rawIdToken = formParams.getFirst(tokenFormParameter);
    if (rawIdToken == null) {
        // Nothing presented: reject with 401 before doing any further work.
        requestContext.abortWith(Response.status(401).build());
        return;
    }

    // idTokenReader turns the raw JWT into an IdToken for the configured consumer;
    // the parsed token is stored on the current message for downstream providers.
    IdToken parsedToken = idTokenReader.getIdToken(rawIdToken, consumer);
    JAXRSUtils.getCurrentMessage().setContent(IdToken.class, parsedToken);

    // From here on the request's identity is derived from the ID token claims.
    OidcSecurityContext securityContext = new OidcSecurityContext(parsedToken);
    securityContext.setRoleClaim(roleClaim);
    requestContext.setSecurityContext(securityContext);
}
 
Example #2
Source File: FedizSubjectCreator.java    From cxf-fediz with Apache License 2.0 6 votes vote down vote up
@Override
public OidcUserSubject createUserSubject(MessageContext mc, MultivaluedMap<String, String> params) {
    Principal callerPrincipal = mc.getSecurityContext().getUserPrincipal();
    // Only a Fediz-authenticated principal can be mapped onto an OIDC subject.
    if (!(callerPrincipal instanceof FedizPrincipal)) {
        throw new OAuthServiceException("Unsupported Principal");
    }
    FedizPrincipal fedizPrincipal = (FedizPrincipal) callerPrincipal;

    // In the future FedizPrincipal will likely have JWT claims already prepared,
    // with IdToken being initialized here from those claims
    OidcUserSubject subject = new OidcUserSubject();
    subject.setLogin(fedizPrincipal.getName());
    // REVISIT: use fedizPrincipal.getId() to guarantee the uniqueness once FEDIZ-207 is resolved
    subject.setId(fedizPrincipal.getName());

    // The ID token is derived from the Fediz login token plus the principal's claims and roles.
    IdToken idToken = convertToIdToken(mc, fedizPrincipal.getLoginToken(), subject.getLogin(), subject.getId(),
            fedizPrincipal.getClaims(), fedizPrincipal.getRoleClaims(), params);
    subject.setIdToken(idToken);
    subject.setRoles(fedizPrincipal.getRoleClaims());
    // UserInfo can be populated and set on OidcUserSubject too.
    // UserInfoService will create it otherwise.

    return subject;
}
 
Example #3
Source File: BackChannelLogoutHandler.java    From cxf-fediz with Apache License 2.0 6 votes vote down vote up
public void handleLogout(Client client, OidcUserSubject subject, IdToken idTokenHint) {
    // At the moment the only way to find out which RPs a given User is logged in is
    // to check the access tokens - it can not offer a complete solution, for ex
    // in cases when ATs have expired or been revoked or Implicit id_token flow is used.
    // Most likely a 'visited sites' cookie as suggested by the spec will need to be used.
    List<ServerAccessToken> subjectTokens = dataProvider.getAccessTokens(null, subject);
    Set<String> notifiedClients = new HashSet<>();
    for (ServerAccessToken token : subjectTokens) {
        Client tokenClient = token.getClient();
        String tokenClientId = tokenClient.getClientId();
        // Skip the RP that initiated the logout and any RP that was already notified.
        if (client.getClientId().equals(tokenClientId) || notifiedClients.contains(tokenClientId)) {
            continue;
        }
        // Only RPs that registered a back-channel logout URI can be told about the logout.
        String logoutUri = tokenClient.getProperties().get(BACK_CHANNEL_LOGOUT_URI);
        if (logoutUri == null) {
            continue;
        }
        notifiedClients.add(tokenClientId);
        submitBackChannelLogoutRequest(tokenClient, subject, idTokenHint, logoutUri);
    }
}
 
Example #4
Source File: LogoutService.java    From cxf-fediz with Apache License 2.0 6 votes vote down vote up
private Client getClient(MultivaluedMap<String, String> params, IdToken idTokenHint) {
    String clientId = params.getFirst(OAuthConstants.CLIENT_ID);
    if (clientId == null && idTokenHint != null) {
        // Fall back to the audience of the id_token_hint and expose it to the servlet layer.
        clientId = idTokenHint.getAudience();
        mc.getHttpServletRequest().setAttribute(OAuthConstants.CLIENT_ID, clientId);
    }
    // No client id at all, an unknown client, or a client without registered
    // logout URIs are all treated as a bad request.
    Client registeredClient = clientId == null ? null : dataProvider.getClient(clientId);
    if (registeredClient == null
        || StringUtils.isEmpty(registeredClient.getProperties().get(CLIENT_LOGOUT_URIS))) {
        throw new BadRequestException();
    }
    return registeredClient;
}
 
Example #5
Source File: LogoutService.java    From cxf-fediz with Apache License 2.0 6 votes vote down vote up
protected Response doInitiateLogout(MultivaluedMap<String, String> params) {
    IdToken idTokenHint = getIdTokenHint(params);
    Client client = getClient(params, idTokenHint);

    // Handlers run when a user is authenticated, or unconditionally when anonymous
    // logout is disallowed (subjectCreator then decides whether to fail).
    if (!allowAnonymousLogout || mc.getSecurityContext().getUserPrincipal() != null) {
        OidcUserSubject subject = subjectCreator.createUserSubject(mc, params);
        dispatchLogoutHandlers(client, subject, idTokenHint);
    }

    // Clear OIDC session now
    mc.getHttpServletRequest().getSession().invalidate();

    // Redirect to the core IDP
    URI idpLogoutUri = getAbsoluteIdpLogoutUri(client, params);
    return Response.seeOther(idpLogoutUri).build();
}

/** Notifies the optional back-channel handler first, then every configured LogoutHandler. */
private void dispatchLogoutHandlers(Client client, OidcUserSubject subject, IdToken idTokenHint) {
    if (backChannelLogoutHandler != null) {
        backChannelLogoutHandler.handleLogout(client, subject, idTokenHint);
    }
    if (logoutHandlers == null) {
        return;
    }
    for (LogoutHandler handler : logoutHandlers) {
        handler.handleLogout(client, subject);
    }
}
 
Example #6
Source File: IdTokenProviderImpl.java    From cxf-fediz with Apache License 2.0 6 votes vote down vote up
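@Override
public IdToken getIdToken(String clientId, UserSubject authenticatedUser, List<String> scopes) {
    IdToken token = new IdToken();

    // Take a single clock reading so that exp is exactly iat + 60s. The previous
    // implementation read the clock twice (Calendar for exp, Date for iat), so the
    // effective lifetime could drift by the time elapsed between the two reads.
    long issuedAtSeconds = System.currentTimeMillis() / 1000L;
    token.setIssuedAt(issuedAtSeconds);
    token.setExpiryTime(issuedAtSeconds + 60L);
    token.setAudience(clientId);
    token.setTokenId(UUID.randomUUID().toString());
    // Locale.ROOT keeps the lower-casing independent of the JVM's default locale.
    String subjectLogin = authenticatedUser.getLogin().toLowerCase(java.util.Locale.ROOT);
    token.setSubject(subjectLogin);
    token.setClaim("preferred_username", subjectLogin);
    token.setIssuer("OIDC IdP");
    // Every subject receives the same fixed role claim; scopes are not consulted here.
    token.setClaim("role", "user");

    return token;
}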
 
Example #7
Source File: OidcImplicitService.java    From cxf with Apache License 2.0 6 votes vote down vote up
protected String processIdToken(OAuthRedirectionState state, IdToken idToken) {
    OAuthJoseJwtProducer jwtProducer = idTokenHandler != null ? idTokenHandler : new OAuthJoseJwtProducer();

    String authorizationCode =
        (String) JAXRSUtils.getCurrentMessage().getExchange().get(OAuthConstants.AUTHORIZATION_CODE_VALUE);
    if (authorizationCode != null) {
        // this service is invoked as part of the hybrid flow
        // c_hash must be computed with the algorithm the ID token will be signed with.
        Properties signatureProps = JwsUtils.loadSignatureOutProperties(false);
        SignatureAlgorithm signatureAlgo = jwtProducer.isSignWithClientSecret()
            ? OAuthUtils.getClientSecretSignatureAlgorithm(signatureProps)
            : JwsUtils.getSignatureAlgorithm(signatureProps, SignatureAlgorithm.RS256);
        idToken.setAuthorizationCodeHash(OidcUtils.calculateAuthorizationCodeHash(authorizationCode, signatureAlgo));
    }

    // The nonce sent by the RP at redirection time is echoed back in the token.
    idToken.setNonce(state.getNonce());
    return jwtProducer.processJwt(new JwtToken(idToken));
}
 
Example #8
Source File: OidcUserInfoProvider.java    From cxf with Apache License 2.0 6 votes vote down vote up
@Override
public UserInfoContext createContext(Message m) {
    OidcClientTokenContext clientContext = (OidcClientTokenContext) m.getContent(ClientTokenContext.class);
    // Prefer the client token context; fall back to content set directly on the message.
    boolean hasClientContext = clientContext != null;
    final UserInfo resolvedUserInfo = hasClientContext ? clientContext.getUserInfo() : m.getContent(UserInfo.class);
    if (resolvedUserInfo == null) {
        return null;
    }
    final IdToken resolvedIdToken = hasClientContext ? clientContext.getIdToken() : m.getContent(IdToken.class);
    return new UserInfoContext() {

        @Override
        public UserInfo getUserInfo() {
            return resolvedUserInfo;
        }

        @Override
        public IdToken getIdToken() {
            return resolvedIdToken;
        }

    };
}
 
Example #9
Source File: OidcClientCodeRequestFilter.java    From cxf with Apache License 2.0 6 votes vote down vote up
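private void validateIdToken(IdToken idToken, MultivaluedMap<String, String> state) {
    // The nonce sent at redirection time must come back unchanged in the ID token.
    String expectedNonce = state.getFirst(IdToken.NONCE_CLAIM);
    if (expectedNonce != null && !expectedNonce.equals(idToken.getNonce())) {
        throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
    }
    if (maxAgeOffset != null) {
        // max_age was requested, so the token has to carry auth_time. A missing claim is
        // rejected explicitly instead of surfacing as a NullPointerException on unboxing.
        Long tokenAuthTime = idToken.getAuthenticationTime();
        if (tokenAuthTime == null) {
            throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
        }
        // NOTE(review): the stored MAX_AGE_PARAMETER value is compared as an upper bound on
        // auth_time, as in the original check — confirm that is what the redirect code stores.
        String storedMaxAge = state.getFirst(MAX_AGE_PARAMETER);
        if (storedMaxAge == null) {
            throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
        }
        long authTimeLimit = Long.parseLong(storedMaxAge);
        if (tokenAuthTime > authTimeLimit) {
            throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
        }
    }

    String acr = idToken.getAuthenticationContextRef();
    // Skip the check if the acr is not set given it is a voluntary claim
    if (acr != null && authenticationContextRef != null && !authenticationContextRef.contains(acr)) {
        throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
    }
}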
 
Example #10
Source File: OidcRpAuthenticationFilter.java    From cxf with Apache License 2.0 6 votes vote down vote up
protected boolean checkSecurityContext(ContainerRequestContext rc) {
    OidcClientTokenContext storedContext = (OidcClientTokenContext) stateManager.getClientTokenContext(mc);
    if (storedContext == null) {
        return false;
    }
    IdToken idToken = storedContext.getIdToken();
    if (!isIdTokenUnexpired(idToken)) {
        // If ID token has expired then the context is no longer valid
        stateManager.removeClientTokenContext(new MessageContextImpl(JAXRSUtils.getCurrentMessage()));
        return false;
    }
    // Rebuild the context so that it carries the state of the current request.
    OidcClientTokenContextImpl refreshedContext = new OidcClientTokenContextImpl();
    refreshedContext.setToken(storedContext.getToken());
    refreshedContext.setIdToken(idToken);
    refreshedContext.setUserInfo(storedContext.getUserInfo());
    refreshedContext.setState(toRequestState(rc));
    JAXRSUtils.getCurrentMessage().setContent(ClientTokenContext.class, refreshedContext);

    OidcSecurityContext securityContext = new OidcSecurityContext(refreshedContext);
    securityContext.setRoleClaim(roleClaim);
    rc.setSecurityContext(securityContext);
    return true;
}

/** True unless validateJwtExpiry rejects the token; exp is only enforced when it is present. */
private static boolean isIdTokenUnexpired(IdToken idToken) {
    try {
        JwtUtils.validateJwtExpiry(idToken, 0, idToken.getExpiryTime() != null);
        return true;
    } catch (JwtException ex) {
        return false;
    }
}
 
Example #11
Source File: SetupAuthorizationFilter.java    From g-suite-identity-sync with Apache License 2.0 6 votes vote down vote up
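@Override
public void filter(ContainerRequestContext requestContext) throws IOException {
    OidcSecurityContext secCtx = (OidcSecurityContext) requestContext.getSecurityContext();
    OidcClientTokenContext tokenCtx = secCtx.getOidcContext();
    IdToken idToken = tokenCtx.getIdToken();
    String email = idToken.getEmail();
    // Once the application has been configured the setup API must not be reachable any more.
    if (isAlreadyConfigured()) {
        log.error("Unauthorized access from {}. Application is already configured!", email);
        ServerError err = new ServerError("E002", "Unauthorized access to Configuration API");
        requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).entity(err).type(MediaType.APPLICATION_JSON).build());
    }
}

/**
 * Reports the application as configured when both a service account e-mail and a readable
 * service account key are present.
 * NOTE(review): a NoPrivateKeyException is mapped to "not configured", so a key that exists
 * but cannot be read leaves the setup API open — confirm this is the intended fail mode.
 */
private boolean isAlreadyConfigured() {
    try {
        return googleConfig.getServiceAccountEmail() != null && googleConfig.readServiceAccountKey() != null;
    } catch (NoPrivateKeyException ignored) {
        // No private key available means the setup has not been completed yet.
        return false;
    }
}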
 
Example #12
Source File: OidcIdTokenProvider.java    From cxf with Apache License 2.0 6 votes vote down vote up
@Override
public IdTokenContext createContext(Message m) {
    OidcClientTokenContext clientContext = (OidcClientTokenContext) m.getContent(ClientTokenContext.class);
    // Prefer the token context's ID token; fall back to one set directly on the message.
    final IdToken resolvedIdToken;
    if (clientContext != null) {
        resolvedIdToken = clientContext.getIdToken();
    } else {
        resolvedIdToken = m.getContent(IdToken.class);
    }
    if (resolvedIdToken == null) {
        return null;
    }
    return new IdTokenContext() {

        @Override
        public IdToken getIdToken() {
            return resolvedIdToken;
        }

    };
}
 
Example #13
Source File: OIDCClientLogic.java    From syncope with Apache License 2.0 6 votes vote down vote up
private static IdToken getValidatedIdToken(final OIDCProvider op, final Consumer consumer,
                                           final String jwtIdToken) {
    // Keys come from the provider's JWKS endpoint; the issuer must match op.getIssuer().
    IdTokenReader reader = new IdTokenReader();
    reader.setClockOffset(10);
    reader.setIssuerId(op.getIssuer());
    WebClient jwksClient = WebClient.create(op.getJwksUri(), List.of(new JsonWebKeysProvider()))
            .accept(MediaType.APPLICATION_JSON);
    reader.setJwkSetClient(jwksClient);
    try {
        return reader.getIdToken(jwtIdToken, consumer);
    } catch (Exception e) {
        LOG.error("While validating the id_token", e);
        // NOTE(review): e.getMessage() is surfaced to the caller; check it cannot carry provider internals.
        SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.Unknown);
        sce.getElements().add(e.getMessage());
        throw sce;
    }
}
 
Example #14
Source File: OIDCClientLogic.java    From syncope with Apache License 2.0 6 votes vote down vote up
private static UserInfo getUserInfo(
    final String endpoint,
    final String accessToken,
    final IdToken idToken,
    final Consumer consumer) {

    WebClient userInfoEndpoint = WebClient.create(endpoint, List.of(new JsonMapObjectProvider()))
            .accept(MediaType.APPLICATION_JSON);
    // The access token is presented as a Bearer credential.
    ClientAccessToken bearer = new ClientAccessToken(OAuthConstants.BEARER_AUTHORIZATION_SCHEME, accessToken);
    UserInfoClient client = new UserInfoClient();
    client.setUserInfoServiceClient(userInfoEndpoint);
    try {
        // idToken and consumer are handed to the client; presumably used to cross-check the response.
        return client.getUserInfo(bearer, idToken, consumer);
    } catch (Exception e) {
        LOG.error("While getting the userInfo", e);
        SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.Unknown);
        sce.getElements().add(e.getMessage());
        throw sce;
    }
}
 
Example #15
Source File: OIDCFlowTest.java    From cxf with Apache License 2.0 6 votes vote down vote up
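private void validateIdToken(String idToken, String nonce)
    throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
    JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(idToken);
    JwtToken jwt = jwtConsumer.getJwtToken();

    // Validate claims
    assertEquals("alice", jwt.getClaim(JwtConstants.CLAIM_SUBJECT));
    assertEquals("OIDC IdP", jwt.getClaim(JwtConstants.CLAIM_ISSUER));
    assertEquals("consumer-id", jwt.getClaim(JwtConstants.CLAIM_AUDIENCE));
    assertNotNull(jwt.getClaim(JwtConstants.CLAIM_EXPIRY));
    assertNotNull(jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT));
    if (nonce != null) {
        assertEquals(nonce, jwt.getClaim(IdToken.NONCE_CLAIM));
    }

    // Load the trust store with try-with-resources; the resource stream was previously left open.
    KeyStore keystore = KeyStore.getInstance("JKS");
    try (java.io.InputStream keystoreStream =
             ClassLoaderUtils.getResourceAsStream("keys/alice.jks", this.getClass())) {
        keystore.load(keystoreStream, "password".toCharArray());
    }
    Certificate cert = keystore.getCertificate("alice");
    assertNotNull(cert);

    // The claims asserted above are only meaningful once the signature verifies against alice's certificate.
    assertTrue(jwtConsumer.verifySignatureWith((X509Certificate) cert, SignatureAlgorithm.RS256));
}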
 
Example #16
Source File: UserInfoTest.java    From cxf with Apache License 2.0 6 votes vote down vote up
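private void validateIdToken(String idToken, String nonce)
    throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
    JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(idToken);
    JwtToken jwt = jwtConsumer.getJwtToken();

    // Validate claims
    assertEquals("alice", jwt.getClaim(JwtConstants.CLAIM_SUBJECT));
    assertEquals("OIDC IdP", jwt.getClaim(JwtConstants.CLAIM_ISSUER));
    assertEquals("consumer-id", jwt.getClaim(JwtConstants.CLAIM_AUDIENCE));
    assertNotNull(jwt.getClaim(JwtConstants.CLAIM_EXPIRY));
    assertNotNull(jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT));
    if (nonce != null) {
        assertEquals(nonce, jwt.getClaim(IdToken.NONCE_CLAIM));
    }

    // Load the trust store with try-with-resources; the resource stream was previously left open.
    KeyStore keystore = KeyStore.getInstance("JKS");
    try (java.io.InputStream keystoreStream =
             ClassLoaderUtils.getResourceAsStream("keys/alice.jks", this.getClass())) {
        keystore.load(keystoreStream, "password".toCharArray());
    }
    Certificate cert = keystore.getCertificate("alice");
    assertNotNull(cert);

    // The claims asserted above are only meaningful once the signature verifies against alice's certificate.
    assertTrue(jwtConsumer.verifySignatureWith((X509Certificate) cert, SignatureAlgorithm.RS256));
}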
 
Example #17
Source File: OIDCFlowTest.java    From cxf with Apache License 2.0 5 votes vote down vote up
@org.junit.Test
public void testAuthorizationCodeFlowRefreshToken() throws Exception {
    String busConfig = OIDCFlowTest.class.getResource("client.xml").toString();
    String serviceAddress = "https://localhost:" + port + "/services/";

    // Authenticate as alice and keep the session so the second request reuses it.
    WebClient userClient = WebClient.create(serviceAddress, OAuth2TestUtils.setupProviders(),
                                            "alice", "security", busConfig);
    WebClient.getConfig(userClient).getRequestContext().put(
        org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);

    // Authorization code for the openid + refresh_token scopes
    String scopes = String.join(" ", OidcUtils.getOpenIdScope(), OAuthConstants.REFRESH_TOKEN_SCOPE);
    String code = OAuth2TestUtils.getAuthorizationCode(userClient, scopes, "consumer-id-oidc");
    assertNotNull(code);

    // Exchange the code as the registered client
    WebClient consumerClient = WebClient.create(serviceAddress, "consumer-id-oidc", "this-is-a-secret", busConfig);
    ClientAccessToken accessToken =
        OAuth2TestUtils.getAccessTokenWithAuthorizationCode(consumerClient, code, "consumer-id-oidc", null);
    assertNotNull(accessToken.getTokenKey());
    assertTrue(accessToken.getApprovedScope().contains("openid"));

    IdToken firstIdToken = getIdToken(accessToken, serviceAddress + "keys/", "consumer-id-oidc");
    assertNotNull(firstIdToken);
    Long firstIssuedAt = firstIdToken.getIssuedAt();

    // iat has one-second resolution, so wait before refreshing to observe a new value.
    TimeUnit.SECONDS.sleep(1L);

    ClientAccessToken refreshedToken = OAuthClientUtils.refreshAccessToken(
        consumerClient,
        new Consumer("consumer-id-oidc"),
        accessToken);
    IdToken refreshedIdToken = getIdToken(refreshedToken, serviceAddress + "keys/", "consumer-id-oidc");

    assertNotEquals(firstIssuedAt, refreshedIdToken.getIssuedAt());
}
 
Example #18
Source File: GSuiteGroupAuthorizationFilter.java    From g-suite-identity-sync with Apache License 2.0 5 votes vote down vote up
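@Override
public void filter(ContainerRequestContext requestContext) throws IOException {
    OidcSecurityContext secCtx = (OidcSecurityContext) requestContext.getSecurityContext();
    OidcClientTokenContext tokenCtx = secCtx.getOidcContext();
    IdToken idToken = tokenCtx.getIdToken();
    String email = idToken.getEmail();
    // "hd" is the hosted-domain claim; when absent the internal check below simply fails.
    String userDomain = idToken.getStringProperty("hd");
    String appDomain = gsuiteDirService.getDomainName();
    if (appDomain == null) {
        throw serverError(SERVICE_UNAVAILABLE, "E002", "Service not configured!");
    }

    // Reuse appDomain instead of re-reading the domain name (previously fetched twice).
    boolean internal = appDomain.equalsIgnoreCase(userDomain);
    boolean external = !internal && externalUsersCache.get().contains(email);
    Set<String> roles = new HashSet<>();
    String masterRole = null;
    if (internal) {
        roles.add(AuthzRole.INTERNAL);
        masterRole = AuthzRole.INTERNAL;
    } else if (external) {
        roles.add(AuthzRole.EXTERNAL);
        masterRole = AuthzRole.EXTERNAL;
    }
    // Admin is layered on top of internal/external and takes over as the master role.
    if (adminUsersCache.get().contains(email)) {
        roles.add(AuthzRole.ADMIN);
        masterRole = AuthzRole.ADMIN;
    }
    if (!internal && !external) {
        LOG.error("Unauthorized access from {}", userDomain);
        ServerError err = new ServerError("E001", "Sorry you are not allowed to enter this site");
        requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).entity(err).type(MediaType.APPLICATION_JSON).build());
        // abortWith does not end the method: stop here so no roles are attached to a rejected request.
        return;
    }
    secCtx.getOidcContext().getUserInfo().setProperty("securityRoles", roles);
    secCtx.getOidcContext().getUserInfo().setProperty("masterRole", masterRole);
    secCtx.setRoleClaim("masterRole");
}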
 
Example #19
Source File: BackChannelLogoutHandler.java    From cxf-fediz with Apache License 2.0 5 votes vote down vote up
private void submitBackChannelLogoutRequest(final Client client, final OidcUserSubject subject,
        final IdToken idTokenHint, final String uri) {
    // Application context is expected to contain HttpConduit HTTPS configuration
    final WebClient logoutEndpoint = WebClient.create(uri);
    // The hint wins when present; otherwise the subject's own ID token supplies iss/sub/name.
    IdToken sourceToken = idTokenHint == null ? subject.getIdToken() : idTokenHint;
    JwtClaims logoutClaims = new JwtClaims();
    logoutClaims.setIssuer(sourceToken.getIssuer());
    logoutClaims.setSubject(sourceToken.getSubject());
    logoutClaims.setAudience(client.getClientId());
    logoutClaims.setIssuedAt(System.currentTimeMillis() / 1000);
    // jti: 16 random bytes, base64url encoded
    logoutClaims.setTokenId(Base64UrlUtility.encode(CryptoUtils.generateSecureRandomBytes(16)));
    logoutClaims.setClaim(EVENTS_PROPERTY,
            Collections.singletonMap(BACK_CHANNEL_LOGOUT_EVENT, Collections.emptyMap()));
    String displayName = sourceToken.getName();
    if (displayName != null) {
        logoutClaims.setClaim(IdToken.NAME_CLAIM, displayName);
    }

    final String logoutToken = super.processJwt(new JwtToken(logoutClaims));
    // Delivery is fire-and-forget: failures are logged, never propagated to the logout flow.
    executorService.submit(() -> {
        try {
            logoutEndpoint.form(new Form().param(LOGOUT_TOKEN, logoutToken));
        } catch (Exception ex) {
            LOG.info(String.format("Back channel request to %s to log out %s from client %s has failed",
                uri, subject.getLogin(), client.getClientId()));
            LOG.fine(String.format("%s request failure: %s", uri, ExceptionUtils.getStackTrace(ex)));
        }
    });
}
 
Example #20
Source File: LogoutService.java    From cxf-fediz with Apache License 2.0 5 votes vote down vote up
private IdToken getIdTokenHint(MultivaluedMap<String, String> params) {
    String rawHint = params.getFirst(ID_TOKEN_HINT);
    if (rawHint == null) {
        return null;
    }
    // Parsing is delegated to the superclass; whether that includes signature
    // verification is decided there — confirm before relying on the hint's claims.
    JwtToken parsedHint;
    try {
        parsedHint = super.getJwtToken(rawHint);
    } catch (JoseException ex) {
        // A malformed hint is the caller's fault.
        throw new BadRequestException(ex);
    }
    return new IdToken(parsedHint.getClaims());
}
 
Example #21
Source File: JPAOidcUserSubjectTest.java    From cxf with Apache License 2.0 5 votes vote down vote up
@Test
public void testAccessTokenWithOidcUserSubject() {
    Client bobClient = addClient("101", "bob");

    AccessTokenRegistration registration = new AccessTokenRegistration();
    registration.setClient(bobClient);
    registration.setApprovedScope(Collections.singletonList("a"));

    // First round trip: the OIDC subject and its ID token audience must survive persistence.
    registration.setSubject(bobSubjectFor(bobClient));
    ServerAccessToken created = getProvider().createAccessToken(registration);
    ServerAccessToken loaded = getProvider().getAccessToken(created.getTokenKey());
    assertEquals(created.getTokenKey(), loaded.getTokenKey());

    OidcUserSubject loadedSubject = (OidcUserSubject) loaded.getSubject();
    assertEquals(bobClient.getClientId(), loadedSubject.getIdToken().getAudience());

    // Second round trip with a fresh subject instance for the same login.
    registration.setSubject(bobSubjectFor(bobClient));
    ServerAccessToken createdAgain = getProvider().createAccessToken(registration);
    ServerAccessToken loadedAgain = getProvider().getAccessToken(createdAgain.getTokenKey());
    OidcUserSubject loadedSubjectAgain = (OidcUserSubject) loadedAgain.getSubject();
    assertEquals(bobClient.getClientId(), loadedSubjectAgain.getIdToken().getAudience());
}

/** Builds a "bob" OIDC subject whose ID token is addressed to the given client. */
private static OidcUserSubject bobSubjectFor(Client client) {
    OidcUserSubject subject = new OidcUserSubject();
    subject.setLogin("bob");
    IdToken idToken = new IdToken();
    idToken.setAudience(client.getClientId());
    subject.setIdToken(idToken);
    return subject;
}
 
Example #22
Source File: UserInfoService.java    From cxf with Apache License 2.0 5 votes vote down vote up
protected UserInfo createFromIdToken(IdToken idToken) {
    UserInfo userInfo = new UserInfo();
    userInfo.setSubject(idToken.getSubject());

    // iss/aud are only carried over when the UserInfo response will itself be signed.
    if (super.isJwsRequired()) {
        userInfo.setIssuer(idToken.getIssuer());
        userInfo.setAudience(idToken.getAudience());
    }
    copyProfileClaims(idToken, userInfo);

    // Configured extra claims are copied verbatim whenever the ID token carries them.
    if (additionalClaims != null) {
        for (String claimName : additionalClaims) {
            if (idToken.containsProperty(claimName)) {
                userInfo.setClaim(claimName, idToken.getClaim(claimName));
            }
        }
    }

    //etc
    return userInfo;
}

/** Copies the optional standard profile claims that are present on the ID token. */
private static void copyProfileClaims(IdToken idToken, UserInfo userInfo) {
    String preferredUserName = idToken.getPreferredUserName();
    if (preferredUserName != null) {
        userInfo.setPreferredUserName(preferredUserName);
    }
    String name = idToken.getName();
    if (name != null) {
        userInfo.setName(name);
    }
    String givenName = idToken.getGivenName();
    if (givenName != null) {
        userInfo.setGivenName(givenName);
    }
    String familyName = idToken.getFamilyName();
    if (familyName != null) {
        userInfo.setFamilyName(familyName);
    }
    String email = idToken.getEmail();
    if (email != null) {
        userInfo.setEmail(email);
    }
    String nickName = idToken.getNickName();
    if (nickName != null) {
        userInfo.setNickName(nickName);
    }
}
 
Example #23
Source File: OidcInvoker.java    From cxf with Apache License 2.0 5 votes vote down vote up
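@Override
protected void validateRefreshedToken(ClientTokenContext tokenContext, ClientAccessToken refreshedToken) {
    if (!refreshedToken.getParameters().containsKey(OidcUtils.ID_TOKEN)) {
        // No new ID token came back with the refresh: nothing to compare.
        return;
    }
    IdToken newIdToken = idTokenReader.getIdToken(refreshedToken, getConsumer());

    OidcClientTokenContextImpl oidcContext = (OidcClientTokenContextImpl) tokenContext;
    IdToken currentIdToken = oidcContext.getIdToken();

    // A refreshed ID token must describe the same authentication as the one already held.
    // Missing iss/sub/iat are rejected explicitly rather than surfacing as NullPointerExceptions.
    String newIssuer = newIdToken.getIssuer();
    if (newIssuer == null || !newIssuer.equals(currentIdToken.getIssuer())) {
        throw new OAuthServiceException("Invalid id token issuer");
    }
    String newSubject = newIdToken.getSubject();
    if (newSubject == null || !newSubject.equals(currentIdToken.getSubject())) {
        throw new OAuthServiceException("Invalid id token subject");
    }
    if (!newIdToken.getAudiences().containsAll(currentIdToken.getAudiences())) {
        throw new OAuthServiceException("Invalid id token audience(s)");
    }
    // auth_time is optional on the new token; when present it must not change.
    Long newAuthTime = newIdToken.getAuthenticationTime();
    if (newAuthTime != null && !newAuthTime.equals(currentIdToken.getAuthenticationTime())) {
        throw new OAuthServiceException("Invalid id token auth_time");
    }
    // azp must be present on both or on neither, and equal when present.
    String newAzp = newIdToken.getAuthorizedParty();
    String origAzp = currentIdToken.getAuthorizedParty();
    boolean azpMatches = newAzp == null ? origAzp == null : newAzp.equals(origAzp);
    if (!azpMatches) {
        throw new OAuthServiceException("Invalid id token authorized party");
    }
    // iat must be present on both tokens and must not move backwards.
    Long newIssuedTime = newIdToken.getIssuedAt();
    Long origIssuedTime = currentIdToken.getIssuedAt();
    if (newIssuedTime == null || origIssuedTime == null || newIssuedTime < origIssuedTime) {
        throw new OAuthServiceException("Invalid id token issued time");
    }

    oidcContext.setIdToken(newIdToken);
}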
 
Example #24
Source File: OidcClientCodeRequestFilter.java    From cxf with Apache License 2.0 5 votes vote down vote up
@Override
protected void setAdditionalCodeRequestParams(UriBuilder ub,
                                              MultivaluedMap<String, String> redirectState,
                                              MultivaluedMap<String, String> codeRequestState) {
    // nonce and max_age are carried over from the redirect state so they can later be
    // checked against the ID token.
    if (redirectState != null) {
        addQueryParamIfSet(ub, IdToken.NONCE_CLAIM, redirectState.getFirst(IdToken.NONCE_CLAIM));
        addQueryParamIfSet(ub, MAX_AGE_PARAMETER, redirectState.getFirst(MAX_AGE_PARAMETER));
    }
    if (codeRequestState != null) {
        addQueryParamIfSet(ub, LOGIN_HINT_PARAMETER, codeRequestState.getFirst(LOGIN_HINT_PARAMETER));
    }
    // Statically configured OIDC request parameters.
    addQueryParamIfSet(ub, "claims", claims);
    addQueryParamIfSet(ub, "claims_locales", claimsLocales);
    addQueryParamIfSet(ub, ACR_PARAMETER, authenticationContextRef);
    addQueryParamIfSet(ub, PROMPT_PARAMETER, promptLogin);
}

/** Appends {@code name=value} to the builder only when the value is non-null. */
private static void addQueryParamIfSet(UriBuilder ub, String name, Object value) {
    if (value != null) {
        ub.queryParam(name, value);
    }
}
 
Example #25
Source File: OidcClientCodeRequestFilter.java    From cxf with Apache License 2.0 5 votes vote down vote up
@Override
protected ClientTokenContext createTokenContext(ContainerRequestContext rc,
                                                ClientAccessToken at,
                                                MultivaluedMap<String, String> requestParams,
                                                MultivaluedMap<String, String> state) {
    // An OIDC security context already established for this request is reused as-is.
    if (rc.getSecurityContext() instanceof OidcSecurityContext) {
        return ((OidcSecurityContext) rc.getSecurityContext()).getOidcContext();
    }
    OidcClientTokenContextImpl tokenContext = new OidcClientTokenContextImpl();
    if (at == null) {
        return tokenContext;
    }
    if (idTokenReader == null) {
        throw new OAuthServiceException(OAuthConstants.SERVER_ERROR);
    }
    String authorizationCode = requestParams.getFirst(OAuthConstants.AUTHORIZATION_CODE_VALUE);
    IdToken idToken = idTokenReader.getIdToken(at, authorizationCode, getConsumer());
    // Validate the properties set up at the redirection time.
    validateIdToken(idToken, state);

    tokenContext.setIdToken(idToken);
    if (userInfoClient != null) {
        tokenContext.setUserInfo(userInfoClient.getUserInfo(at, tokenContext.getIdToken(), getConsumer()));
    }
    OidcSecurityContext securityContext = new OidcSecurityContext(tokenContext);
    securityContext.setRoleClaim(roleClaim);
    rc.setSecurityContext(securityContext);

    return tokenContext;
}
 
Example #26
Source File: OIDCFlowTest.java    From cxf with Apache License 2.0 5 votes vote down vote up
private static IdToken getIdToken(ClientAccessToken accessToken, String jwksUri, String clientId) {
    // The JWKS client uses the same alice/security credentials and bus config as the other test clients.
    String busConfig = OIDCFlowTest.class.getResource("client.xml").toString();
    WebClient jwksClient = WebClient.create(jwksUri,
        Collections.singletonList(new JsonWebKeysProvider()),
        "alice", "security", busConfig).accept(MediaType.APPLICATION_JSON);
    IdTokenReader reader = new IdTokenReader();
    reader.setJwkSetClient(jwksClient);
    reader.setIssuerId("OIDC IdP");

    return reader.getIdToken(accessToken, new Consumer(clientId));
}
 
Example #27
Source File: IdTokenProviderImpl.java    From cxf with Apache License 2.0 5 votes vote down vote up
@Override
public IdToken getIdToken(String clientId, UserSubject authenticatedUser, List<String> scopes) {
    IdToken token = new IdToken();

    // One-minute lifetime measured from the issue time; scopes are not consulted here.
    long issuedAt = OAuthUtils.getIssuedAt();
    token.setIssuedAt(issuedAt);
    token.setExpiryTime(issuedAt + 60L);
    token.setAudience(clientId);
    token.setSubject(authenticatedUser.getLogin());
    token.setIssuer("OIDC IdP");

    return token;
}
 
Example #28
Source File: UserInfoClient.java    From cxf with Apache License 2.0 5 votes vote down vote up
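public void validateUserInfo(UserInfo profile, IdToken idToken, Consumer client) {
    validateJwtClaims(profile, client.getClientId(), false);
    // validate subject: the UserInfo response must describe the same end-user as the ID token
    // (OIDC Core 5.3.2). A missing subject on the ID token is rejected explicitly instead of
    // surfacing as a NullPointerException.
    String idTokenSubject = idToken.getSubject();
    if (idTokenSubject == null || !idTokenSubject.equals(profile.getSubject())) {
        throw new OAuthServiceException("Invalid subject");
    }
}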
 
Example #29
Source File: OidcUtils.java    From cxf with Apache License 2.0 5 votes vote down vote up
public static void validateAccessTokenHash(String accessToken, JwtToken jwt, boolean required) {
    String atHash = (String) jwt.getClaims().getClaim(IdToken.ACCESS_TOKEN_HASH_CLAIM);
    if (atHash == null) {
        // at_hash is optional unless the flow makes it mandatory.
        if (required) {
            throw new OAuthServiceException("Invalid hash");
        }
        return;
    }
    // The hash is checked with the algorithm that signed the token.
    validateHash(accessToken, atHash, jwt.getJwsHeaders().getSignatureAlgorithm());
}
 
Example #30
Source File: OidcUtils.java    From cxf with Apache License 2.0 5 votes vote down vote up
public static void validateCodeHash(String code, JwtToken jwt, boolean required) {
    String codeHash = (String) jwt.getClaims().getClaim(IdToken.AUTH_CODE_HASH_CLAIM);
    if (codeHash == null) {
        // c_hash is optional unless the flow makes it mandatory.
        if (required) {
            throw new OAuthServiceException("Invalid hash");
        }
        return;
    }
    // The hash is checked with the algorithm that signed the token.
    validateHash(code, codeHash, jwt.getJwsHeaders().getSignatureAlgorithm());
}