From 074044376819c4eb5d4fd5dcf16c2e2f87b4a242 Mon Sep 17 00:00:00 2001
From: Justin Richer
Date: Thu, 30 Jul 2015 13:56:14 -0400
Subject: [PATCH] added claims redirect uri set to client model for UMA usage
---
 .../oauth2/model/ClientDetailsEntity.java | 25 ++++++++++++++++++-
 .../db/tables/hsql_database_tables.sql | 5 ++++
 .../db/tables/mysql_database_tables.sql | 5 ++++
 .../db/tables/psql_database_tables.sql | 5 ++++
 .../service/impl/MITREidDataService_1_2.java | 6 +++++
 .../uma/web/ClaimsCollectionEndpoint.java | 11 ++++++--
 6 files changed, 54 insertions(+), 3 deletions(-)
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/model/ClientDetailsEntity.java b/openid-connect-common/src/main/java/org/mitre/oauth2/model/ClientDetailsEntity.java
index e5634086e..dc09184d4 100644
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/model/ClientDetailsEntity.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/model/ClientDetailsEntity.java
@@ -141,6 +141,9 @@ public class ClientDetailsEntity implements ClientDetails {
 private Integer idTokenValiditySeconds; //timeout for id tokens
 private Date createdAt; // time the client was created
 private boolean clearAccessTokensOnRefresh = true; // do we clear access tokens on refresh?
+
+ /** fields for UMA */
+ private Set claimsRedirectUris;
 public enum AuthMethod {
 SECRET_POST("client_secret_post"),
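Review bot: `claimsRedirectUris` is declared with no initializer, while `clearAccessTokensOnRefresh` on the line above gets an explicit default, so an entity constructed in code rather than materialised by JPA returns null from `getClaimsRedirectUris()`. The export side in MITREidDataService_1_2 tolerates that via `writeNullSafeArray`, and an import of a 1.2 file written before this change never sets the field at all, but ClaimsCollectionEndpoint dereferences it directly with `client.getClaimsRedirectUris().size()` and `.contains(redirectUri)`. Initialising it at declaration, e.g. `private Set<String> claimsRedirectUris = new HashSet<>();` (if `HashSet` is imported in this file; the generic argument appears to have been stripped in this rendering), removes the null case at its source. The getter/setter hunk later in this file and the reader branch in MITREidDataService_1_2 are the other places this applies.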
@@ -964,5 +967,25 @@ public class ClientDetailsEntity implements ClientDetails {
 public void setClearAccessTokensOnRefresh(boolean clearAccessTokensOnRefresh) {
 this.clearAccessTokensOnRefresh = clearAccessTokensOnRefresh;
 }
-
+
+ /**
+ * @return the claimsRedirectUris
+ */
+ @ElementCollection(fetch = FetchType.EAGER)
+ @CollectionTable(
+ name="client_claims_redirect_uri",
+ joinColumns=@JoinColumn(name="owner_id")
+ )
+ @Column(name="redirect_uri")
+ public Set getClaimsRedirectUris() {
+ return claimsRedirectUris;
+ }
+
+ /**
+ * @param claimsRedirectUris the claimsRedirectUris to set
+ */
+ public void setClaimsRedirectUris(Set claimsRedirectUris) {
+ this.claimsRedirectUris = claimsRedirectUris;
+ }
+
 }
diff --git a/openid-connect-server-webapp/src/main/resources/db/tables/hsql_database_tables.sql b/openid-connect-server-webapp/src/main/resources/db/tables/hsql_database_tables.sql
index df141d22a..dac2a9432 100644
--- a/openid-connect-server-webapp/src/main/resources/db/tables/hsql_database_tables.sql
+++ b/openid-connect-server-webapp/src/main/resources/db/tables/hsql_database_tables.sql
@@ -197,6 +197,11 @@ CREATE TABLE IF NOT EXISTS client_redirect_uri (
 redirect_uri VARCHAR(2048)
 );
+CREATE TABLE IF NOT EXISTS client_claims_redirect_uri (
+ owner_id BIGINT,
+ redirect_uri VARCHAR(2048)
+);
+
 CREATE TABLE IF NOT EXISTS refresh_token (
 id BIGINT GENERATED BY DEFAULT AS IDENTITY(START WITH 1) PRIMARY KEY,
 token_value VARCHAR(4096),
diff --git a/openid-connect-server-webapp/src/main/resources/db/tables/mysql_database_tables.sql b/openid-connect-server-webapp/src/main/resources/db/tables/mysql_database_tables.sql
index c3a74d1dd..5d85eff60 100644
--- a/openid-connect-server-webapp/src/main/resources/db/tables/mysql_database_tables.sql
+++ b/openid-connect-server-webapp/src/main/resources/db/tables/mysql_database_tables.sql
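Review bot: The Javadoc on `getClaimsRedirectUris` and `setClaimsRedirectUris` only restates the member name (`@return the claimsRedirectUris`), which tells a maintainer nothing about how this set differs from the client's ordinary redirect URIs. ClaimsCollectionEndpoint uses it as the allow-list an incoming redirect_uri must match exactly, and falls back to its single entry when none is passed, so say that: `/** Redirect URIs registered for the UMA claims-collection endpoint; a redirect_uri presented there must exactly match one of these, and a sole entry is used as the default when none is presented. */`, with the setter's Javadoc pointing at the getter. Note also that the getter hands out the live JPA collection, so callers can alter registered URIs without going through the setter; that is acceptable only if it mirrors the existing accessors, which are outside this hunk.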
@@ -197,6 +197,11 @@ CREATE TABLE IF NOT EXISTS client_redirect_uri (
 redirect_uri VARCHAR(2048)
 );
+CREATE TABLE IF NOT EXISTS client_claims_redirect_uri (
+ owner_id BIGINT,
+ redirect_uri VARCHAR(2048)
+);
+
 CREATE TABLE IF NOT EXISTS refresh_token (
 id BIGINT AUTO_INCREMENT PRIMARY KEY,
 token_value VARCHAR(4096),
diff --git a/openid-connect-server-webapp/src/main/resources/db/tables/psql_database_tables.sql b/openid-connect-server-webapp/src/main/resources/db/tables/psql_database_tables.sql
index eef380b03..63462a171 100644
--- a/openid-connect-server-webapp/src/main/resources/db/tables/psql_database_tables.sql
+++ b/openid-connect-server-webapp/src/main/resources/db/tables/psql_database_tables.sql
@@ -197,6 +197,11 @@ CREATE TABLE IF NOT EXISTS client_redirect_uri (
 redirect_uri VARCHAR(2048)
 );
+CREATE TABLE IF NOT EXISTS client_claims_redirect_uri (
+ owner_id BIGINT,
+ redirect_uri VARCHAR(2048)
+);
+
 CREATE TABLE IF NOT EXISTS refresh_token (
 id SERIAL PRIMARY KEY,
 token_value VARCHAR(4096),
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/MITREidDataService_1_2.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/MITREidDataService_1_2.java
index 26c200980..6eb9d07a5 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/MITREidDataService_1_2.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/MITREidDataService_1_2.java
@@ -143,6 +143,7 @@ public class MITREidDataService_1_2 extends MITREidDataServiceSupport implements
 private static final String AUTHENTICATION_HOLDER_ID = "authenticationHolderId";
 private static final String CLIENT_ID = "clientId";
 private static final String EXPIRATION = "expiration";
+ private static final String CLAIMS_REDIRECT_URIS = "claimsRedirectUris";
 private static final String ID = "id";
 /**
 * Logger for this class
@@ -432,6 +433,8 @@ public class MITREidDataService_1_2 extends MITREidDataServiceSupport implements
 writer.name(REFRESH_TOKEN_VALIDITY_SECONDS).value(client.getRefreshTokenValiditySeconds());
 writer.name(REDIRECT_URIS);
 writeNullSafeArray(writer, client.getRedirectUris());
+ writer.name(CLAIMS_REDIRECT_URIS);
+ writeNullSafeArray(writer, client.getClaimsRedirectUris());
 writer.name(NAME).value(client.getClientName());
 writer.name(URI).value(client.getClientUri());
 writer.name(LOGO_URI).value(client.getLogoUri());
@@ -1034,6 +1037,9 @@ public class MITREidDataService_1_2 extends MITREidDataServiceSupport implements
 } else if (name.equals(REDIRECT_URIS)) {
 Set redirectUris = readSet(reader);
 client.setRedirectUris(redirectUris);
+ } else if (name.equals(CLAIMS_REDIRECT_URIS)) {
+ Set claimsRedirectUris = readSet(reader);
+ client.setClaimsRedirectUris(claimsRedirectUris);
 } else if (name.equals(NAME)) {
 client.setClientName(reader.nextString());
 } else if (name.equals(URI)) {
diff --git a/uma-server/src/main/java/org/mitre/uma/web/ClaimsCollectionEndpoint.java b/uma-server/src/main/java/org/mitre/uma/web/ClaimsCollectionEndpoint.java
index b34d6e9eb..3d0c5ef25 100644
--- a/uma-server/src/main/java/org/mitre/uma/web/ClaimsCollectionEndpoint.java
+++ b/uma-server/src/main/java/org/mitre/uma/web/ClaimsCollectionEndpoint.java
@@ -32,6 +32,7 @@ import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.security.oauth2.common.exceptions.RedirectMismatchException;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.RequestMapping;
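Review bot: A new top-level key `claimsRedirectUris` is written into the existing 1.2 export format without any change to the format version, so an export produced by this build carries a name that an earlier MITREidDataService_1_2 reader has never seen; whether that reader's fallback branch skips unknown names rather than failing is outside this hunk and worth confirming before relying on round-tripping between builds. On the reading side (the `name.equals(CLAIMS_REDIRECT_URIS)` branch further down), `writeNullSafeArray` presumably emits a JSON null for a null set, so `readSet` must accept a null token there or importing such a file will fail on the new key; `readSet` is not visible here. A short comment beside the constant, e.g. `// added after the 1.2 format was frozen: absent in older exports, may be null in newer ones`, would record that for whoever defines the next format version.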
@@ -116,9 +117,15 @@ public class ClaimsCollectionEndpoint {
 PermissionTicket updatedTicket = permissionService.updateTicket(ticket);
 if (Strings.isNullOrEmpty(redirectUri)) {
- if (client.getRedirectUris().size() == 1) {
- redirectUri = client.getRedirectUris().iterator().next(); // get the first (and only) redirect URI to use here
+ if (client.getClaimsRedirectUris().size() == 1) {
+ redirectUri = client.getClaimsRedirectUris().iterator().next(); // get the first (and only) redirect URI to use here
 logger.info("No redirect URI passed in, using registered value: " + redirectUri);
+ } else {
+ throw new RedirectMismatchException("Unable to find redirect URI and none passed in.");
+ }
+ } else {
+ if (!client.getClaimsRedirectUris().contains(redirectUri)) {
+ throw new RedirectMismatchException("Claims redirect did not match the registered values.");
 }
 }
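Review bot: The redirect URI is validated only after `permissionService.updateTicket(ticket)` on the first context line has already run, so a request with an unregistered redirect_uri, or with none when the client has several registered, persists the updated ticket and only then throws `RedirectMismatchException`; a rejected request should not leave that state change behind. Move the whole `if (Strings.isNullOrEmpty(redirectUri)) { … } else { … }` block above the `updateTicket` call so the check completes before anything is written. The exact `contains(redirectUri)` comparison is the right strictness for a redirect target and should stay an exact match rather than a prefix or pattern test. The enclosing handler method starts and ends outside this hunk, and how `RedirectMismatchException` is mapped to a response for this endpoint is not visible here.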