moved request object to request manager

openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectAuthorizationRequestManager.java

@@ -3,11 +3,14 @@ package org.mitre.openid.connect;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Date;
+import java.util.HashMap;
 import java.util.Map;
 import java.util.Set;
 
 import org.joda.time.DateTime;
 import org.joda.time.Period;
+import org.mitre.jwt.model.Jwt;
+import org.mitre.jwt.model.JwtClaims;
 import org.mitre.oauth2.exception.NonceReuseException;
 import org.mitre.openid.connect.model.Nonce;
 import org.mitre.openid.connect.service.NonceService;
@@ -15,6 +18,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
@@ -27,6 +31,8 @@ import org.springframework.security.oauth2.provider.ClientDetailsService;
 import org.springframework.security.oauth2.provider.DefaultAuthorizationRequest;
 import org.springframework.stereotype.Component;
 
+import com.google.common.base.Strings;
+
 @Component("authorizationRequestManager")
 public class ConnectAuthorizationRequestManager implements AuthorizationRequestManager, InitializingBean {
 
@@ -68,7 +74,9 @@ public class ConnectAuthorizationRequestManager implements AuthorizationRequestM
 	}
 
 	@Override
-	public AuthorizationRequest createAuthorizationRequest(Map<String, String> parameters) {
+	public AuthorizationRequest createAuthorizationRequest(Map<String, String> inputParams) {
+
+		Map<String, String> parameters = processRequestObject(inputParams);
 		
 		String clientId = parameters.get("client_id");
 		if (clientId == null) {
@@ -83,7 +91,7 @@ public class ConnectAuthorizationRequestManager implements AuthorizationRequestM
 		//to the auth endpoint.
 		Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
 		
-		if (requestNonce != null && principal != null && principal instanceof User) {
+		if (requestNonce != null && principal != null && principal instanceof Authentication) {
 
 			//Check request nonce for reuse
 			Collection<Nonce> clientNonces = nonceService.getByClientId(client.getClientId());
@@ -119,12 +127,97 @@ public class ConnectAuthorizationRequestManager implements AuthorizationRequestM
 			}
 			scopes = clientScopes;
 		}
-		DefaultAuthorizationRequest request = new DefaultAuthorizationRequest(parameters, Collections.<String, String> emptyMap(), clientId, scopes);
+		DefaultAuthorizationRequest request = new DefaultAuthorizationRequest(inputParams, Collections.<String, String> emptyMap(), clientId, scopes);
 		request.addClientDetails(client);
 		return request;
 
 	}
 
+	/**
+	 * @param inputParams
+	 * @return
+	 */
+    private Map<String, String> processRequestObject(Map<String, String> inputParams) {
+    	
+    	String jwtString = inputParams.get("request");
+    	
+    	// if there's no request object, bail early
+    	if (Strings.isNullOrEmpty(jwtString)) {
+    		return inputParams;
+    	}
+
+    	// start by copying over what's already in there
+    	Map<String, String> parameters = new HashMap<String, String>(inputParams);
+
+    	// parse the request object
+		Jwt jwt = Jwt.parse(jwtString);
+		JwtClaims claims = jwt.getClaims();
+		
+		// TODO: validate JWT signature
+		
+		String clientId = claims.getClaimAsString("client_id");
+
+		// TODO: check parameter consistency, move keys to constants
+		
+		/*
+		 * if (in Claims):
+		 * 		if (in params):
+		 * 			if (equal):
+		 * 				all set
+		 * 			else (not equal):
+		 * 				error
+		 * 		else (not in params):
+		 * 			add to params
+		 * else (not in claims):
+		 * 		we don't care
+		 */
+		
+		String responseTypes = claims.getClaimAsString("response_type");
+		if (responseTypes != null) {
+			parameters.put("response_type", responseTypes);
+		}
+		
+		if (clientId != null) {
+			parameters.put("client_id", clientId);
+		}
+		
+		if (claims.getClaimAsString("redirect_uri") != null) {
+			if (inputParams.containsKey("redirect_uri") == false) {
+				parameters.put("redirect_uri", claims.getClaimAsString("redirect_uri"));
+			}
+		}
+		
+		String state = claims.getClaimAsString("state");
+		if(state != null) {
+			if (inputParams.containsKey("state") == false) {
+				parameters.put("state", state);
+			}
+		}
+		
+		String nonce = claims.getClaimAsString("nonce");
+		if(nonce != null) {
+			if (inputParams.containsKey("nonce") == false) {
+				parameters.put("nonce", nonce);
+			}
+		}
+		
+		String display = claims.getClaimAsString("display");
+		if (display != null) {
+			if (inputParams.containsKey("display") == false) {
+				parameters.put("display", display);
+			}
+		}
+		
+		String prompt = claims.getClaimAsString("prompt");
+		if (prompt != null) {
+			if (inputParams.containsKey("prompt") == false) {
+				parameters.put("prompt", prompt);
+			}
+		}
+		
+		return parameters;
+    }
+
 	@Override
 	public void validateParameters(Map<String, String> parameters, ClientDetails clientDetails) {
 		if (parameters.containsKey("scope")) {

openid-connect-server/src/main/java/org/mitre/openid/connect/web/RequestObjectAuthorizationEndpoint.java

@@ -15,7 +15,7 @@ import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.support.SessionStatus;
 import org.springframework.web.servlet.ModelAndView;
 
-@Controller("requestObjectAuthorzationEndpoint")
+//@Controller("requestObjectAuthorzationEndpoint")
 public class RequestObjectAuthorizationEndpoint {
 	
 	protected final Log logger = LogFactory.getLog(getClass());