org.apache.cxf.rs.security.oidc.common.IdToken Java Examples
The following examples show how to use
org.apache.cxf.rs.security.oidc.common.IdToken.
Example #1
Source File: OidcIdTokenRequestFilter.java From cxf with Apache License 2.0 | 6 votes |
/**
 * Rejects the request with 401 unless the configured form parameter carries an
 * ID token that {@code idTokenReader} accepts. On success the parsed token is
 * attached to the current message and becomes the request's
 * {@link OidcSecurityContext}, with {@code roleClaim} selecting the role claim.
 *
 * @param requestContext the JAX-RS request being filtered
 * @throws IOException if the form data cannot be read
 */
@Override
public void filter(ContainerRequestContext requestContext) throws IOException {
    final MultivaluedMap<String, String> formData = toFormData(requestContext);
    final String rawIdToken = formData.getFirst(tokenFormParameter);
    if (rawIdToken == null) {
        // No token at all: fail closed before anything is parsed.
        requestContext.abortWith(Response.status(401).build());
        return;
    }
    // idTokenReader performs the actual token validation; a rejected token is
    // expected to surface from here as an exception rather than a null result.
    final IdToken parsedToken = idTokenReader.getIdToken(rawIdToken, consumer);
    JAXRSUtils.getCurrentMessage().setContent(IdToken.class, parsedToken);

    final OidcSecurityContext securityContext = new OidcSecurityContext(parsedToken);
    securityContext.setRoleClaim(roleClaim);
    requestContext.setSecurityContext(securityContext);
}
Example #2
Source File: FedizSubjectCreator.java From cxf-fediz with Apache License 2.0 | 6 votes |
/**
 * Builds an {@link OidcUserSubject} from the Fediz principal of the current request.
 *
 * @param mc     the current message context; its security context must hold a {@code FedizPrincipal}
 * @param params the request parameters forwarded to ID token conversion
 * @return a subject whose login, id, roles and ID token are derived from the principal
 * @throws OAuthServiceException if the authenticated principal is not a {@code FedizPrincipal}
 */
@Override
public OidcUserSubject createUserSubject(MessageContext mc, MultivaluedMap<String, String> params) {
    final Principal authenticated = mc.getSecurityContext().getUserPrincipal();
    if (!(authenticated instanceof FedizPrincipal)) {
        throw new OAuthServiceException("Unsupported Principal");
    }
    final FedizPrincipal fedizPrincipal = (FedizPrincipal) authenticated;
    // Eventually FedizPrincipal should carry ready-made JWT claims and the IdToken
    // would be built directly from them.
    final OidcUserSubject subject = new OidcUserSubject();
    final String login = fedizPrincipal.getName();
    subject.setLogin(login);
    // REVISIT: switch to fedizPrincipal.getId() for a guaranteed-unique id once FEDIZ-207 is resolved
    subject.setId(login);

    final IdToken idToken = convertToIdToken(mc,
                                           fedizPrincipal.getLoginToken(),
                                           subject.getLogin(),
                                           subject.getId(),
                                           fedizPrincipal.getClaims(),
                                           fedizPrincipal.getRoleClaims(),
                                           params);
    subject.setIdToken(idToken);
    subject.setRoles(fedizPrincipal.getRoleClaims());
    // UserInfo is intentionally not populated here; UserInfoService creates it on demand.
    return subject;
}
Example #3
Source File: BackChannelLogoutHandler.java From cxf-fediz with Apache License 2.0 | 6 votes |
/**
 * Notifies every other relying party the subject holds an access token with, via
 * their registered back-channel logout URI.
 *
 * @param client      the client that initiated the logout; it is never notified here
 * @param subject     the user being logged out
 * @param idTokenHint the id_token_hint from the logout request, may be {@code null}
 */
public void handleLogout(Client client, OidcUserSubject subject, IdToken idTokenHint) {
    // The set of RPs a user is logged in to is currently approximated by the user's
    // access tokens. That is incomplete: expired or revoked ATs and the implicit
    // id_token-only flow leave no trace here. A 'visited sites' cookie as suggested
    // by the spec will most likely be needed eventually.
    final List<ServerAccessToken> accessTokens = dataProvider.getAccessTokens(null, subject);
    final Set<String> notified = new HashSet<>();
    for (ServerAccessToken accessToken : accessTokens) {
        final Client tokenClient = accessToken.getClient();
        final String tokenClientId = tokenClient.getClientId();
        final boolean isInitiator = client.getClientId().equals(tokenClientId);
        if (isInitiator || notified.contains(tokenClientId)) {
            continue;
        }
        final String logoutUri = tokenClient.getProperties().get(BACK_CHANNEL_LOGOUT_URI);
        if (logoutUri == null) {
            // Client has not registered a back-channel URI; it is not marked as processed
            // so any later token for it is inspected again (same as the original).
            continue;
        }
        notified.add(tokenClientId);
        submitBackChannelLogoutRequest(tokenClient, subject, idTokenHint, logoutUri);
    }
}
Example #4
Source File: LogoutService.java From cxf-fediz with Apache License 2.0 | 6 votes |
/**
 * Resolves the client a logout request refers to, from {@code client_id} or, failing
 * that, from the audience of the id_token_hint.
 *
 * @param params      the logout request parameters
 * @param idTokenHint the parsed id_token_hint, may be {@code null}
 * @return the registered client, which is guaranteed to have logout URIs configured
 * @throws BadRequestException if no client id can be determined, the client is unknown,
 *                             or it has no {@code CLIENT_LOGOUT_URIS} property
 */
private Client getClient(MultivaluedMap<String, String> params, IdToken idTokenHint) {
    String clientId = params.getFirst(OAuthConstants.CLIENT_ID);
    if (clientId == null && idTokenHint != null) {
        // Fall back to the hint's aud and expose it to downstream code as a request attribute.
        clientId = idTokenHint.getAudience();
        mc.getHttpServletRequest().setAttribute(OAuthConstants.CLIENT_ID, clientId);
    }
    // All three rejections below map to the same bare 400.
    if (clientId == null) {
        throw new BadRequestException();
    }
    final Client registered = dataProvider.getClient(clientId);
    if (registered == null) {
        throw new BadRequestException();
    }
    final String logoutUris = registered.getProperties().get(CLIENT_LOGOUT_URIS);
    if (StringUtils.isEmpty(logoutUris)) {
        throw new BadRequestException();
    }
    return registered;
}
Example #5
Source File: LogoutService.java From cxf-fediz with Apache License 2.0 | 6 votes |
/**
 * Runs the RP-initiated logout: notifies back-channel and local logout handlers for an
 * authenticated user, invalidates the OIDC session and redirects to the IdP logout URI.
 *
 * @param params the logout request parameters
 * @return a 303 redirect to the IdP logout URI
 */
protected Response doInitiateLogout(MultivaluedMap<String, String> params) {
    final IdToken idTokenHint = getIdTokenHint(params);
    final Client client = getClient(params, idTokenHint);

    // Handlers only run for an authenticated principal, unless anonymous logout is allowed.
    final boolean hasPrincipal = mc.getSecurityContext().getUserPrincipal() != null;
    if (hasPrincipal || !allowAnonymousLogout) {
        final OidcUserSubject subject = subjectCreator.createUserSubject(mc, params);
        if (backChannelLogoutHandler != null) {
            backChannelLogoutHandler.handleLogout(client, subject, idTokenHint);
        }
        if (logoutHandlers != null) {
            for (LogoutHandler handler : logoutHandlers) {
                handler.handleLogout(client, subject);
            }
        }
    }
    // Drop the OIDC session now
    mc.getHttpServletRequest().getSession().invalidate();

    // Hand over to the core IDP logout
    idpLogoutUri = getAbsoluteIdpLogoutUri(client, params);
    return Response.seeOther(idpLogoutUri).build();
}
Example #6
Source File: IdTokenProviderImpl.java From cxf-fediz with Apache License 2.0 | 6 votes |
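/**
 * Issues a minimal ID token for {@code authenticatedUser} addressed to {@code clientId}.
 *
 * @param clientId          the client the token is issued to (becomes {@code aud})
 * @param authenticatedUser the authenticated user; its login becomes {@code sub}
 * @param scopes            requested scopes, currently unused
 * @return a token valid for 60 seconds from issuance
 */
@Override
public IdToken getIdToken(String clientId, UserSubject authenticatedUser, List<String> scopes) {
    IdToken token = new IdToken();
    // Read the clock once so iat and exp are derived from the same instant; the previous
    // Calendar/Date pair read it twice and could straddle a second boundary.
    long issuedAtSeconds = System.currentTimeMillis() / 1000L;
    token.setIssuedAt(issuedAtSeconds);
    token.setExpiryTime(issuedAtSeconds + 60L);
    token.setAudience(clientId);
    token.setTokenId(UUID.randomUUID().toString());
    // Locale.ROOT keeps the subject stable regardless of the JVM default locale.
    String normalizedLogin = authenticatedUser.getLogin().toLowerCase(java.util.Locale.ROOT);
    token.setSubject(normalizedLogin);
    token.setClaim("preferred_username", normalizedLogin);
    token.setIssuer("OIDC IdP");
    token.setClaim("role", "user");
    return token;
}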
Example #7
Source File: OidcImplicitService.java From cxf with Apache License 2.0 | 6 votes |
/**
 * Finalises and serialises the ID token for the implicit/hybrid response: copies the
 * nonce from the redirection state and, in the hybrid flow, adds the {@code c_hash}.
 *
 * @param state   the redirection state carrying the request nonce
 * @param idToken the token to complete
 * @return the signed/encoded JWT
 */
protected String processIdToken(OAuthRedirectionState state, IdToken idToken) {
    final OAuthJoseJwtProducer jwtProducer =
        idTokenHandler != null ? idTokenHandler : new OAuthJoseJwtProducer();
    final String authorizationCode = (String) JAXRSUtils.getCurrentMessage()
        .getExchange().get(OAuthConstants.AUTHORIZATION_CODE_VALUE);
    if (authorizationCode != null) {
        // A code on the exchange means this is the hybrid flow: bind the token to the code
        // via c_hash, computed with the same algorithm that will sign the token.
        final Properties signatureProps = JwsUtils.loadSignatureOutProperties(false);
        final SignatureAlgorithm signatureAlgorithm = jwtProducer.isSignWithClientSecret()
            ? OAuthUtils.getClientSecretSignatureAlgorithm(signatureProps)
            : JwsUtils.getSignatureAlgorithm(signatureProps, SignatureAlgorithm.RS256);
        idToken.setAuthorizationCodeHash(
            OidcUtils.calculateAuthorizationCodeHash(authorizationCode, signatureAlgorithm));
    }
    idToken.setNonce(state.getNonce());
    return jwtProducer.processJwt(new JwtToken(idToken));
}
Example #8
Source File: OidcUserInfoProvider.java From cxf with Apache License 2.0 | 6 votes |
/**
 * Builds a {@link UserInfoContext} for the current message, preferring the user info and
 * ID token held by an {@link OidcClientTokenContext} and otherwise reading them from
 * the message contents.
 *
 * @param m the current message
 * @return the context, or {@code null} when no {@link UserInfo} is available
 */
@Override
public UserInfoContext createContext(Message m) {
    final OidcClientTokenContext clientTokenContext =
        (OidcClientTokenContext) m.getContent(ClientTokenContext.class);
    final UserInfo resolvedUserInfo = clientTokenContext == null
        ? m.getContent(UserInfo.class) : clientTokenContext.getUserInfo();
    if (resolvedUserInfo == null) {
        return null;
    }
    final IdToken resolvedIdToken = clientTokenContext == null
        ? m.getContent(IdToken.class) : clientTokenContext.getIdToken();
    return new UserInfoContext() {
        @Override
        public UserInfo getUserInfo() {
            return resolvedUserInfo;
        }

        @Override
        public IdToken getIdToken() {
            return resolvedIdToken;
        }
    };
}
Example #9
Source File: OidcClientCodeRequestFilter.java From cxf with Apache License 2.0 | 6 votes |
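/**
 * Checks the ID token against the values recorded at redirection time: the nonce, the
 * {@code auth_time} when a max_age was requested, and the acr when one is configured.
 *
 * @param idToken the freshly obtained ID token
 * @param state   the redirection state saved before the authorization request
 * @throws OAuthServiceException with {@code invalid_request} on any mismatch or missing
 *                               mandatory value
 */
private void validateIdToken(IdToken idToken, MultivaluedMap<String, String> state) {
    // nonce is only enforced when one was sent; equals(null) is false, so a token
    // without a nonce fails when one was expected.
    String expectedNonce = state.getFirst(IdToken.NONCE_CLAIM);
    if (expectedNonce != null && !expectedNonce.equals(idToken.getNonce())) {
        throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
    }
    if (maxAgeOffset != null) {
        String maxAgeState = state.getFirst(MAX_AGE_PARAMETER);
        Long tokenAuthTime = idToken.getAuthenticationTime();
        // When max_age was requested, auth_time is mandatory in the token; a missing
        // state value or claim is rejected explicitly instead of surfacing as an NPE
        // or NumberFormatException from the comparison below.
        if (maxAgeState == null || tokenAuthTime == null) {
            throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
        }
        long authTime = Long.parseLong(maxAgeState);
        // NOTE(review): the state value is presumed to be the latest acceptable auth_time
        // in seconds — confirm against the code that stores MAX_AGE_PARAMETER.
        if (tokenAuthTime > authTime) {
            throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
        }
    }
    String acr = idToken.getAuthenticationContextRef();
    // acr is a voluntary claim: only checked when both the token and the configuration set it
    if (acr != null && authenticationContextRef != null && !authenticationContextRef.contains(acr)) {
        throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
    }
}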
Example #10
Source File: OidcRpAuthenticationFilter.java From cxf with Apache License 2.0 | 6 votes |
/**
 * Re-establishes the OIDC security context for a request from the stored client token
 * context, dropping the stored context when its ID token has expired.
 *
 * @param rc the current request
 * @return {@code true} if a valid stored context was found and installed on the request
 */
protected boolean checkSecurityContext(ContainerRequestContext rc) {
    final OidcClientTokenContext stored =
        (OidcClientTokenContext) stateManager.getClientTokenContext(mc);
    if (stored == null) {
        return false;
    }
    final IdToken idToken = stored.getIdToken();
    try {
        // An expired ID token invalidates the stored context. Expiry is only enforced when
        // the token carries an exp claim, and no clock-skew allowance is applied (offset 0).
        JwtUtils.validateJwtExpiry(idToken, 0, idToken.getExpiryTime() != null);
    } catch (JwtException ex) {
        stateManager.removeClientTokenContext(new MessageContextImpl(JAXRSUtils.getCurrentMessage()));
        return false;
    }
    final OidcClientTokenContextImpl refreshed = new OidcClientTokenContextImpl();
    refreshed.setToken(stored.getToken());
    refreshed.setIdToken(idToken);
    refreshed.setUserInfo(stored.getUserInfo());
    refreshed.setState(toRequestState(rc));
    JAXRSUtils.getCurrentMessage().setContent(ClientTokenContext.class, refreshed);

    final OidcSecurityContext securityContext = new OidcSecurityContext(refreshed);
    securityContext.setRoleClaim(roleClaim);
    rc.setSecurityContext(securityContext);
    return true;
}
Example #11
Source File: SetupAuthorizationFilter.java From g-suite-identity-sync with Apache License 2.0 | 6 votes |
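/**
 * Guards the setup/configuration API: once a service account e-mail and private key
 * are present the application counts as configured and further access is refused.
 *
 * @param requestContext the JAX-RS request being filtered; its security context must
 *                       already be an {@link OidcSecurityContext}
 * @throws IOException declared by the filter contract, not thrown here
 */
@Override
public void filter(ContainerRequestContext requestContext) throws IOException {
    OidcSecurityContext secCtx = (OidcSecurityContext) requestContext.getSecurityContext();
    OidcClientTokenContext tokenCtx = secCtx.getOidcContext();
    IdToken idToken = tokenCtx.getIdToken();
    String email = idToken.getEmail();

    boolean configured;
    try {
        configured = googleConfig.getServiceAccountEmail() != null
            && googleConfig.readServiceAccountKey() != null;
    } catch (NoPrivateKeyException ignored) {
        // No private key yet means setup has not completed; that is precisely the state
        // in which this endpoint must remain reachable, so the exception is not an error.
        configured = false;
    }
    if (configured) {
        log.error("Unauthorized access from {}. Application is already configured!", email);
        ServerError err = new ServerError("E002", "Unauthorized access to Configuration API");
        requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED)
            .entity(err).type(MediaType.APPLICATION_JSON).build());
    }
}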
Example #12
Source File: OidcIdTokenProvider.java From cxf with Apache License 2.0 | 6 votes |
/**
 * Exposes the ID token of the current message as an {@link IdTokenContext}, taken from
 * the {@link OidcClientTokenContext} when present and from the message contents otherwise.
 *
 * @param m the current message
 * @return the context, or {@code null} when no ID token is available
 */
@Override
public IdTokenContext createContext(Message m) {
    final OidcClientTokenContext clientTokenContext =
        (OidcClientTokenContext) m.getContent(ClientTokenContext.class);
    final IdToken resolvedIdToken;
    if (clientTokenContext != null) {
        resolvedIdToken = clientTokenContext.getIdToken();
    } else {
        resolvedIdToken = m.getContent(IdToken.class);
    }
    if (resolvedIdToken == null) {
        return null;
    }
    return new IdTokenContext() {
        @Override
        public IdToken getIdToken() {
            return resolvedIdToken;
        }
    };
}
Example #13
Source File: OIDCClientLogic.java From syncope with Apache License 2.0 | 6 votes |
/**
 * Parses and validates a raw id_token against the provider's issuer and JWKS endpoint.
 *
 * @param op         the OIDC provider supplying issuer id and JWKS URI
 * @param consumer   the client the token must be addressed to
 * @param jwtIdToken the compact-serialised id_token
 * @return the validated token
 * @throws SyncopeClientException wrapping any validation failure; note that the
 *                                underlying exception message is surfaced to the caller
 */
private static IdToken getValidatedIdToken(final OIDCProvider op, final Consumer consumer, final String jwtIdToken) {
    final IdTokenReader reader = new IdTokenReader();
    // 10 seconds of clock skew tolerated when checking exp/iat
    reader.setClockOffset(10);
    reader.setIssuerId(op.getIssuer());
    final WebClient jwksClient = WebClient.create(op.getJwksUri(), List.of(new JsonWebKeysProvider()))
        .accept(MediaType.APPLICATION_JSON);
    reader.setJwkSetClient(jwksClient);

    try {
        return reader.getIdToken(jwtIdToken, consumer);
    } catch (Exception e) {
        LOG.error("While validating the id_token", e);
        final SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.Unknown);
        // The raw message travels to the client; keep that in mind if the reader's messages get more detailed.
        sce.getElements().add(e.getMessage());
        throw sce;
    }
}
Example #14
Source File: OIDCClientLogic.java From syncope with Apache License 2.0 | 6 votes |
/**
 * Fetches the UserInfo document with the given bearer access token and lets
 * {@link UserInfoClient} cross-check it against the already validated ID token.
 *
 * @param endpoint    the provider's UserInfo endpoint
 * @param accessToken the bearer token value
 * @param idToken     the validated ID token of the same session
 * @param consumer    the client the tokens belong to
 * @return the validated UserInfo
 * @throws SyncopeClientException wrapping any retrieval or validation failure; the
 *                                underlying exception message is surfaced to the caller
 */
private static UserInfo getUserInfo(
        final String endpoint,
        final String accessToken,
        final IdToken idToken,
        final Consumer consumer) {

    final WebClient userInfoEndpoint = WebClient.create(endpoint, List.of(new JsonMapObjectProvider()))
        .accept(MediaType.APPLICATION_JSON);
    final ClientAccessToken bearer =
        new ClientAccessToken(OAuthConstants.BEARER_AUTHORIZATION_SCHEME, accessToken);

    final UserInfoClient client = new UserInfoClient();
    client.setUserInfoServiceClient(userInfoEndpoint);

    try {
        return client.getUserInfo(bearer, idToken, consumer);
    } catch (Exception e) {
        LOG.error("While getting the userInfo", e);
        final SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.Unknown);
        sce.getElements().add(e.getMessage());
        throw sce;
    }
}
Example #15
Source File: OIDCFlowTest.java From cxf with Apache License 2.0 | 6 votes |
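/**
 * Asserts the expected claims of a test ID token and verifies its RS256 signature
 * against the "alice" certificate from the test keystore.
 *
 * @param idToken the compact-serialised id_token
 * @param nonce   the nonce sent with the request, or {@code null} if none was sent
 * @throws KeyStoreException        if the JKS keystore cannot be instantiated
 * @throws NoSuchAlgorithmException if the keystore integrity algorithm is unavailable
 * @throws CertificateException     if a certificate in the keystore cannot be loaded
 * @throws IOException              if the keystore resource cannot be read
 */
private void validateIdToken(String idToken, String nonce)
    throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
    JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(idToken);
    JwtToken jwt = jwtConsumer.getJwtToken();

    // Claims are inspected before the signature check; the test still fails on a
    // forged token because of the signature assertion at the end.
    assertEquals("alice", jwt.getClaim(JwtConstants.CLAIM_SUBJECT));
    assertEquals("OIDC IdP", jwt.getClaim(JwtConstants.CLAIM_ISSUER));
    assertEquals("consumer-id", jwt.getClaim(JwtConstants.CLAIM_AUDIENCE));
    assertNotNull(jwt.getClaim(JwtConstants.CLAIM_EXPIRY));
    assertNotNull(jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT));
    if (nonce != null) {
        assertEquals(nonce, jwt.getClaim(IdToken.NONCE_CLAIM));
    }

    KeyStore keystore = KeyStore.getInstance("JKS");
    // Close the classpath stream after loading; it was previously left open.
    try (java.io.InputStream keyStoreStream =
             ClassLoaderUtils.getResourceAsStream("keys/alice.jks", this.getClass())) {
        keystore.load(keyStoreStream, "password".toCharArray());
    }
    Certificate cert = keystore.getCertificate("alice");
    assertNotNull(cert);

    assertTrue(jwtConsumer.verifySignatureWith((X509Certificate) cert, SignatureAlgorithm.RS256));
}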
Example #16
Source File: UserInfoTest.java From cxf with Apache License 2.0 | 6 votes |
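/**
 * Asserts the expected claims of a test ID token and verifies its RS256 signature
 * against the "alice" certificate from the test keystore.
 *
 * @param idToken the compact-serialised id_token
 * @param nonce   the nonce sent with the request, or {@code null} if none was sent
 * @throws KeyStoreException        if the JKS keystore cannot be instantiated
 * @throws NoSuchAlgorithmException if the keystore integrity algorithm is unavailable
 * @throws CertificateException     if a certificate in the keystore cannot be loaded
 * @throws IOException              if the keystore resource cannot be read
 */
private void validateIdToken(String idToken, String nonce)
    throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
    JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(idToken);
    JwtToken jwt = jwtConsumer.getJwtToken();

    // Claims are inspected before the signature check; the test still fails on a
    // forged token because of the signature assertion at the end.
    assertEquals("alice", jwt.getClaim(JwtConstants.CLAIM_SUBJECT));
    assertEquals("OIDC IdP", jwt.getClaim(JwtConstants.CLAIM_ISSUER));
    assertEquals("consumer-id", jwt.getClaim(JwtConstants.CLAIM_AUDIENCE));
    assertNotNull(jwt.getClaim(JwtConstants.CLAIM_EXPIRY));
    assertNotNull(jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT));
    if (nonce != null) {
        assertEquals(nonce, jwt.getClaim(IdToken.NONCE_CLAIM));
    }

    KeyStore keystore = KeyStore.getInstance("JKS");
    // Close the classpath stream after loading; it was previously left open.
    try (java.io.InputStream keyStoreStream =
             ClassLoaderUtils.getResourceAsStream("keys/alice.jks", this.getClass())) {
        keystore.load(keyStoreStream, "password".toCharArray());
    }
    Certificate cert = keystore.getCertificate("alice");
    assertNotNull(cert);

    assertTrue(jwtConsumer.verifySignatureWith((X509Certificate) cert, SignatureAlgorithm.RS256));
}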
Example #17
Source File: OIDCFlowTest.java From cxf with Apache License 2.0 | 5 votes |
/**
 * Authorization code flow with the refresh_token scope: after refreshing the access
 * token the new ID token must carry a later {@code iat} than the first one.
 *
 * @throws Exception on any test failure
 */
@org.junit.Test
public void testAuthorizationCodeFlowRefreshToken() throws Exception {
    final URL busFile = OIDCFlowTest.class.getResource("client.xml");
    final String address = "https://localhost:" + port + "/services/";
    final String clientId = "consumer-id-oidc";

    WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
                                        "alice", "security", busFile.toString());
    // Keep the session cookie so the second request is recognised
    WebClient.getConfig(client).getRequestContext().put(
        org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);

    // Obtain an authorization code for openid + refresh_token
    final String scope = String.join(" ", OidcUtils.getOpenIdScope(), OAuthConstants.REFRESH_TOKEN_SCOPE);
    final String code = OAuth2TestUtils.getAuthorizationCode(client, scope, clientId);
    assertNotNull(code);

    // Exchange the code for an access token as the confidential client
    client = WebClient.create(address, clientId, "this-is-a-secret", busFile.toString());
    ClientAccessToken accessToken =
        OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code, clientId, null);
    assertNotNull(accessToken.getTokenKey());
    assertTrue(accessToken.getApprovedScope().contains("openid"));

    final String jwksUri = address + "keys/";
    IdToken firstIdToken = getIdToken(accessToken, jwksUri, clientId);
    assertNotNull(firstIdToken);
    final Long firstIssuedAt = firstIdToken.getIssuedAt();

    // iat has one-second granularity, so wait a second before refreshing
    TimeUnit.SECONDS.sleep(1L);

    accessToken = OAuthClientUtils.refreshAccessToken(client, new Consumer(clientId), accessToken);
    final IdToken refreshedIdToken = getIdToken(accessToken, jwksUri, clientId);
    assertNotEquals(firstIssuedAt, refreshedIdToken.getIssuedAt());
}
Example #18
Source File: GSuiteGroupAuthorizationFilter.java From g-suite-identity-sync with Apache License 2.0 | 5 votes |
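/**
 * Authorizes the caller from the ID token: users whose hosted domain ({@code hd}) matches
 * the configured G Suite domain are INTERNAL, listed e-mails are EXTERNAL, and listed
 * admins additionally get ADMIN. Anyone neither internal nor external is rejected with 401.
 * The computed roles are written to the UserInfo so {@code masterRole} can drive role checks.
 *
 * @param requestContext the JAX-RS request being filtered; its security context must
 *                       already be an {@link OidcSecurityContext}
 * @throws IOException declared by the filter contract, not thrown here
 */
@Override
public void filter(ContainerRequestContext requestContext) throws IOException {
    OidcSecurityContext secCtx = (OidcSecurityContext) requestContext.getSecurityContext();
    OidcClientTokenContext tokenCtx = secCtx.getOidcContext();
    IdToken idToken = tokenCtx.getIdToken();
    String email = idToken.getEmail();
    // "hd" is the hosted-domain claim; accounts outside a hosted domain do not carry it.
    String userDomain = idToken.getStringProperty("hd");

    String appDomain = gsuiteDirService.getDomainName();
    if (appDomain == null) {
        throw serverError(SERVICE_UNAVAILABLE, "E002", "Service not configured!");
    }
    // equalsIgnoreCase(null) is false, so a missing "hd" claim is simply not internal.
    // appDomain is reused instead of calling getDomainName() a second time.
    boolean internal = appDomain.equalsIgnoreCase(userDomain);
    boolean external = !internal && externalUsersCache.get().contains(email);

    Set<String> roles = new HashSet<>();
    String masterRole = null;
    if (internal) {
        roles.add(AuthzRole.INTERNAL);
        masterRole = AuthzRole.INTERNAL;
    } else if (external) {
        roles.add(AuthzRole.EXTERNAL);
        masterRole = AuthzRole.EXTERNAL;
    }
    // ADMIN is added on top of INTERNAL/EXTERNAL and takes over masterRole; it does not
    // by itself grant access (an admin that is neither internal nor external is rejected).
    if (adminUsersCache.get().contains(email)) {
        roles.add(AuthzRole.ADMIN);
        masterRole = AuthzRole.ADMIN;
    }

    if (!internal && !external) {
        LOG.error("Unauthorized access from {}", userDomain);
        ServerError err = new ServerError("E001", "Sorry you are not allowed to enter this site");
        requestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED)
            .entity(err).type(MediaType.APPLICATION_JSON).build());
        // abortWith() does not stop execution: return so no role properties are attached
        // to a context that has just been rejected.
        return;
    }
    secCtx.getOidcContext().getUserInfo().setProperty("securityRoles", roles);
    secCtx.getOidcContext().getUserInfo().setProperty("masterRole", masterRole);
    secCtx.setRoleClaim("masterRole");
}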
Example #19
Source File: BackChannelLogoutHandler.java From cxf-fediz with Apache License 2.0 | 5 votes |
/**
 * Builds an OIDC back-channel logout token for {@code client} and posts it to the client's
 * logout URI asynchronously. Delivery is best effort: failures are logged, never propagated.
 *
 * @param client      the relying party to notify
 * @param subject     the user being logged out; its ID token is used when no hint is given
 * @param idTokenHint the id_token_hint from the logout request, may be {@code null}
 * @param uri         the client's registered back-channel logout URI
 */
private void submitBackChannelLogoutRequest(final Client client, final OidcUserSubject subject,
                                            final IdToken idTokenHint, final String uri) {
    // HTTPS settings for this conduit are expected to come from the application context
    final WebClient logoutClient = WebClient.create(uri);

    final IdToken sourceToken = idTokenHint == null ? subject.getIdToken() : idTokenHint;
    // iss/sub are copied from the session's ID token, aud is the RP, jti is fresh random
    // data and the events claim carries the back-channel logout marker.
    final JwtClaims logoutClaims = new JwtClaims();
    logoutClaims.setIssuer(sourceToken.getIssuer());
    logoutClaims.setSubject(sourceToken.getSubject());
    logoutClaims.setAudience(client.getClientId());
    logoutClaims.setIssuedAt(System.currentTimeMillis() / 1000);
    logoutClaims.setTokenId(Base64UrlUtility.encode(CryptoUtils.generateSecureRandomBytes(16)));
    logoutClaims.setClaim(EVENTS_PROPERTY,
                          Collections.singletonMap(BACK_CHANNEL_LOGOUT_EVENT, Collections.emptyMap()));
    final String displayName = sourceToken.getName();
    if (displayName != null) {
        logoutClaims.setClaim(IdToken.NAME_CLAIM, displayName);
    }
    final String logoutToken = super.processJwt(new JwtToken(logoutClaims));

    executorService.submit(new Runnable() {
        @Override
        public void run() {
            try {
                logoutClient.form(new Form().param(LOGOUT_TOKEN, logoutToken));
            } catch (Exception ex) {
                // A failed RP notification must not fail the user's logout; log and move on.
                LOG.info(String.format("Back channel request to %s to log out %s from client %s has failed",
                                       uri, subject.getLogin(), client.getClientId()));
                LOG.fine(String.format("%s request failure: %s", uri, ExceptionUtils.getStackTrace(ex)));
            }
        }
    });
}
Example #20
Source File: LogoutService.java From cxf-fediz with Apache License 2.0 | 5 votes |
/**
 * Parses the optional {@code id_token_hint} logout parameter into an {@link IdToken}.
 * Whether the JWT's signature is verified is decided by {@code getJwtToken} in the
 * parent class, not here.
 *
 * @param params the logout request parameters
 * @return the parsed hint, or {@code null} if the parameter is absent
 * @throws BadRequestException if the hint cannot be parsed
 */
private IdToken getIdTokenHint(MultivaluedMap<String, String> params) {
    final String rawHint = params.getFirst(ID_TOKEN_HINT);
    if (rawHint == null) {
        return null;
    }
    final JwtToken parsedHint;
    try {
        parsedHint = super.getJwtToken(rawHint);
    } catch (JoseException ex) {
        throw new BadRequestException(ex);
    }
    return new IdToken(parsedHint.getClaims());
}
Example #21
Source File: JPAOidcUserSubjectTest.java From cxf with Apache License 2.0 | 5 votes |
/**
 * An {@link OidcUserSubject} with an ID token must survive a JPA round trip through
 * createAccessToken/getAccessToken, both for a fresh subject and for a second subject
 * with an equivalent ID token.
 */
@Test
public void testAccessTokenWithOidcUserSubject() {
    final Client client = addClient("101", "bob");
    final AccessTokenRegistration registration = new AccessTokenRegistration();
    registration.setClient(client);
    registration.setApprovedScope(Collections.singletonList("a"));

    // First subject: persist and read back
    registration.setSubject(newBobSubject(client));
    final ServerAccessToken created = getProvider().createAccessToken(registration);
    final ServerAccessToken loaded = getProvider().getAccessToken(created.getTokenKey());
    assertEquals(created.getTokenKey(), loaded.getTokenKey());
    final OidcUserSubject loadedSubject = (OidcUserSubject) loaded.getSubject();
    assertEquals(client.getClientId(), loadedSubject.getIdToken().getAudience());

    // Second, equivalent subject on the same registration
    registration.setSubject(newBobSubject(client));
    final ServerAccessToken createdAgain = getProvider().createAccessToken(registration);
    final ServerAccessToken loadedAgain = getProvider().getAccessToken(createdAgain.getTokenKey());
    final OidcUserSubject loadedSubjectAgain = (OidcUserSubject) loadedAgain.getSubject();
    assertEquals(client.getClientId(), loadedSubjectAgain.getIdToken().getAudience());
}

/** Creates a "bob" subject whose ID token is addressed to {@code client}. */
private static OidcUserSubject newBobSubject(Client client) {
    final OidcUserSubject subject = new OidcUserSubject();
    subject.setLogin("bob");
    final IdToken idToken = new IdToken();
    idToken.setAudience(client.getClientId());
    subject.setIdToken(idToken);
    return subject;
}
Example #22
Source File: UserInfoService.java From cxf with Apache License 2.0 | 5 votes |
/**
 * Derives a {@link UserInfo} from an ID token: the standard profile claims that are
 * present are copied, {@code iss}/{@code aud} only when the response will be signed,
 * plus any configured {@code additionalClaims} the token contains.
 *
 * @param idToken the source token
 * @return the populated user info
 */
protected UserInfo createFromIdToken(IdToken idToken) {
    final UserInfo userInfo = new UserInfo();
    userInfo.setSubject(idToken.getSubject());
    if (super.isJwsRequired()) {
        // A signed UserInfo JWT carries issuer and audience like the ID token does
        userInfo.setIssuer(idToken.getIssuer());
        userInfo.setAudience(idToken.getAudience());
    }
    final String preferredUserName = idToken.getPreferredUserName();
    if (preferredUserName != null) {
        userInfo.setPreferredUserName(preferredUserName);
    }
    final String name = idToken.getName();
    if (name != null) {
        userInfo.setName(name);
    }
    final String givenName = idToken.getGivenName();
    if (givenName != null) {
        userInfo.setGivenName(givenName);
    }
    final String familyName = idToken.getFamilyName();
    if (familyName != null) {
        userInfo.setFamilyName(familyName);
    }
    final String email = idToken.getEmail();
    if (email != null) {
        userInfo.setEmail(email);
    }
    final String nickName = idToken.getNickName();
    if (nickName != null) {
        userInfo.setNickName(nickName);
    }
    if (additionalClaims != null && !additionalClaims.isEmpty()) {
        // Only claims actually present on the token are copied
        for (String claimName : additionalClaims) {
            if (idToken.containsProperty(claimName)) {
                userInfo.setClaim(claimName, idToken.getClaim(claimName));
            }
        }
    }
    // further standard claims could be mapped here
    return userInfo;
}
Example #23
Source File: OidcInvoker.java From cxf with Apache License 2.0 | 5 votes |
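/**
 * Cross-checks the ID token returned with a refreshed access token against the ID token
 * of the current session (OpenID Connect Core 12.2) and, if consistent, replaces it.
 *
 * @param tokenContext   the current client token context; must be an {@link OidcClientTokenContextImpl}
 * @param refreshedToken the refresh response; ignored when it carries no {@code id_token}
 * @throws OAuthServiceException if the new token disagrees with the current one on
 *                               iss, sub, aud, auth_time, azp or iat, or lacks a required value
 */
@Override
protected void validateRefreshedToken(ClientTokenContext tokenContext, ClientAccessToken refreshedToken) {
    if (!refreshedToken.getParameters().containsKey(OidcUtils.ID_TOKEN)) {
        return; // refresh response carried no id_token; nothing to cross-check
    }
    IdToken newIdToken = idTokenReader.getIdToken(refreshedToken, getConsumer());
    OidcClientTokenContextImpl oidcContext = (OidcClientTokenContextImpl) tokenContext;
    IdToken currentIdToken = oidcContext.getIdToken();

    // iss and sub are mandatory on the new token; a missing value is a mismatch, not an NPE
    String newIssuer = newIdToken.getIssuer();
    if (newIssuer == null || !newIssuer.equals(currentIdToken.getIssuer())) {
        throw new OAuthServiceException("Invalid id token issuer");
    }
    String newSubject = newIdToken.getSubject();
    if (newSubject == null || !newSubject.equals(currentIdToken.getSubject())) {
        throw new OAuthServiceException("Invalid id token subject");
    }
    if (!newIdToken.getAudiences().containsAll(currentIdToken.getAudiences())) {
        throw new OAuthServiceException("Invalid id token audience(s)");
    }
    // auth_time may be omitted on refresh; if present it must be unchanged
    Long newAuthTime = newIdToken.getAuthenticationTime();
    if (newAuthTime != null && !newAuthTime.equals(currentIdToken.getAuthenticationTime())) {
        throw new OAuthServiceException("Invalid id token auth_time");
    }
    // azp must be either absent on both or identical
    if (!java.util.Objects.equals(newIdToken.getAuthorizedParty(), currentIdToken.getAuthorizedParty())) {
        throw new OAuthServiceException("Invalid id token authorized party");
    }
    // Both iat values are required; a missing one is rejected instead of unboxing into an NPE
    Long newIssuedTime = newIdToken.getIssuedAt();
    Long origIssuedTime = currentIdToken.getIssuedAt();
    if (newIssuedTime == null || origIssuedTime == null || newIssuedTime < origIssuedTime) {
        throw new OAuthServiceException("Invalid id token issued time");
    }
    oidcContext.setIdToken(newIdToken);
}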
Example #24
Source File: OidcClientCodeRequestFilter.java From cxf with Apache License 2.0 | 5 votes |
/**
 * Appends the OIDC-specific query parameters to the authorization code request:
 * nonce and max_age carried over from the redirect state, login_hint from the code
 * request state, and the statically configured claims, claims_locales, acr and prompt.
 *
 * @param ub               the authorization request URI being built
 * @param redirectState    state saved for validating the redirect, may be {@code null}
 * @param codeRequestState state of the current code request, may be {@code null}
 */
@Override
protected void setAdditionalCodeRequestParams(UriBuilder ub,
                                              MultivaluedMap<String, String> redirectState,
                                              MultivaluedMap<String, String> codeRequestState) {
    if (redirectState != null) {
        final String nonce = redirectState.getFirst(IdToken.NONCE_CLAIM);
        if (nonce != null) {
            ub.queryParam(IdToken.NONCE_CLAIM, nonce);
        }
        final String maxAge = redirectState.getFirst(MAX_AGE_PARAMETER);
        if (maxAge != null) {
            ub.queryParam(MAX_AGE_PARAMETER, maxAge);
        }
    }
    final String loginHint = codeRequestState == null ? null : codeRequestState.getFirst(LOGIN_HINT_PARAMETER);
    if (loginHint != null) {
        ub.queryParam(LOGIN_HINT_PARAMETER, loginHint);
    }
    // Statically configured request parameters
    if (claims != null) {
        ub.queryParam("claims", claims);
    }
    if (claimsLocales != null) {
        ub.queryParam("claims_locales", claimsLocales);
    }
    if (authenticationContextRef != null) {
        ub.queryParam(ACR_PARAMETER, authenticationContextRef);
    }
    if (promptLogin != null) {
        ub.queryParam(PROMPT_PARAMETER, promptLogin);
    }
}
Example #25
Source File: OidcClientCodeRequestFilter.java From cxf with Apache License 2.0 | 5 votes |
/**
 * Creates the OIDC client token context for a completed code exchange. If the request
 * already carries an {@link OidcSecurityContext}, its context is reused unchanged.
 * Otherwise, when an access token is present, the id_token is read and validated against
 * the redirection state, UserInfo is optionally fetched, and a security context is installed.
 *
 * @param rc            the current request
 * @param at            the access token from the code exchange, may be {@code null}
 * @param requestParams the parameters of the redirect back to the client
 * @param state         the state saved at redirection time
 * @return the token context; it carries no ID token when {@code at} is {@code null}
 * @throws OAuthServiceException if no {@code idTokenReader} is configured or validation fails
 */
@Override
protected ClientTokenContext createTokenContext(ContainerRequestContext rc,
                                                ClientAccessToken at,
                                                MultivaluedMap<String, String> requestParams,
                                                MultivaluedMap<String, String> state) {
    final SecurityContext existing = rc.getSecurityContext();
    if (existing instanceof OidcSecurityContext) {
        return ((OidcSecurityContext) existing).getOidcContext();
    }
    final OidcClientTokenContextImpl ctx = new OidcClientTokenContextImpl();
    if (at == null) {
        return ctx;
    }
    if (idTokenReader == null) {
        throw new OAuthServiceException(OAuthConstants.SERVER_ERROR);
    }
    final String authorizationCode = requestParams.getFirst(OAuthConstants.AUTHORIZATION_CODE_VALUE);
    final IdToken idToken = idTokenReader.getIdToken(at, authorizationCode, getConsumer());
    // Cross-check nonce/max_age/acr recorded at redirection time
    validateIdToken(idToken, state);
    ctx.setIdToken(idToken);
    if (userInfoClient != null) {
        ctx.setUserInfo(userInfoClient.getUserInfo(at, ctx.getIdToken(), getConsumer()));
    }
    final OidcSecurityContext securityContext = new OidcSecurityContext(ctx);
    securityContext.setRoleClaim(roleClaim);
    rc.setSecurityContext(securityContext);
    return ctx;
}
Example #26
Source File: OIDCFlowTest.java From cxf with Apache License 2.0 | 5 votes |
/**
 * Test helper: reads the id_token attached to {@code accessToken} and validates it with
 * the keys published at {@code jwksUri} for the issuer "OIDC IdP".
 *
 * @param accessToken the token response carrying an id_token
 * @param jwksUri     the JWKS endpoint of the test IdP
 * @param clientId    the expected audience
 * @return the validated ID token
 */
private static IdToken getIdToken(ClientAccessToken accessToken, String jwksUri, String clientId) {
    final String busFile = OIDCFlowTest.class.getResource("client.xml").toString();
    final WebClient jwksClient = WebClient.create(jwksUri,
                                                  Collections.singletonList(new JsonWebKeysProvider()),
                                                  "alice", "security", busFile)
        .accept(MediaType.APPLICATION_JSON);

    final IdTokenReader reader = new IdTokenReader();
    reader.setJwkSetClient(jwksClient);
    reader.setIssuerId("OIDC IdP");
    return reader.getIdToken(accessToken, new Consumer(clientId));
}
Example #27
Source File: IdTokenProviderImpl.java From cxf with Apache License 2.0 | 5 votes |
/**
 * Issues a minimal ID token for {@code authenticatedUser} addressed to {@code clientId},
 * valid for 60 seconds from issuance.
 *
 * @param clientId          the client the token is issued to (becomes {@code aud})
 * @param authenticatedUser the authenticated user; its login becomes {@code sub}
 * @param scopes            requested scopes, currently unused
 * @return the populated token
 */
@Override
public IdToken getIdToken(String clientId, UserSubject authenticatedUser, List<String> scopes) {
    final long issuedAt = OAuthUtils.getIssuedAt();
    final IdToken token = new IdToken();
    token.setIssuedAt(issuedAt);
    token.setExpiryTime(issuedAt + 60L);
    token.setAudience(clientId);
    token.setSubject(authenticatedUser.getLogin());
    token.setIssuer("OIDC IdP");
    return token;
}
Example #28
Source File: UserInfoClient.java From cxf with Apache License 2.0 | 5 votes |
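/**
 * Validates a UserInfo response: its generic JWT claims against the client, and its
 * {@code sub} against the ID token of the same session (OpenID Connect Core 5.3.2).
 *
 * @param profile the UserInfo response
 * @param idToken the validated ID token the UserInfo was requested for
 * @param client  the client the tokens belong to
 * @throws OAuthServiceException if the claims are invalid or the subjects differ
 */
public void validateUserInfo(UserInfo profile, IdToken idToken, Consumer client) {
    validateJwtClaims(profile, client.getClientId(), false);
    // The UserInfo sub must equal the ID token sub; a missing sub on either side is
    // rejected rather than allowed to surface as an NPE.
    String tokenSubject = idToken.getSubject();
    if (tokenSubject == null || !tokenSubject.equals(profile.getSubject())) {
        throw new OAuthServiceException("Invalid subject");
    }
}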
Example #29
Source File: OidcUtils.java From cxf with Apache License 2.0 | 5 votes |
/**
 * Validates the {@code at_hash} claim of an ID token against the access token it was
 * issued with, using the token's own signature algorithm to pick the hash size.
 *
 * @param accessToken the access token value
 * @param jwt         the ID token
 * @param required    whether a missing {@code at_hash} is an error
 * @throws OAuthServiceException if the claim is required but absent, or does not match
 */
public static void validateAccessTokenHash(String accessToken, JwtToken jwt, boolean required) {
    final String atHash = (String) jwt.getClaims().getClaim(IdToken.ACCESS_TOKEN_HASH_CLAIM);
    if (atHash == null) {
        if (required) {
            throw new OAuthServiceException("Invalid hash");
        }
        return;
    }
    validateHash(accessToken, atHash, jwt.getJwsHeaders().getSignatureAlgorithm());
}
Example #30
Source File: OidcUtils.java From cxf with Apache License 2.0 | 5 votes |
/**
 * Validates the {@code c_hash} claim of an ID token against the authorization code it
 * was issued with, using the token's own signature algorithm to pick the hash size.
 *
 * @param code     the authorization code value
 * @param jwt      the ID token
 * @param required whether a missing {@code c_hash} is an error
 * @throws OAuthServiceException if the claim is required but absent, or does not match
 */
public static void validateCodeHash(String code, JwtToken jwt, boolean required) {
    final String codeHash = (String) jwt.getClaims().getClaim(IdToken.AUTH_CODE_HASH_CLAIM);
    if (codeHash == null) {
        if (required) {
            throw new OAuthServiceException("Invalid hash");
        }
        return;
    }
    validateHash(code, codeHash, jwt.getJwsHeaders().getSignatureAlgorithm());
}