From 08413302eb57893c6aeaaf56deb90e92ab7a462b Mon Sep 17 00:00:00 2001
From: Justin Richer <jricher@mit.edu>
Date: Tue, 31 Mar 2015 15:35:20 -0400
Subject: [PATCH] configured OIDC client on claims collection endpoint

---
 .../src/main/webapp/WEB-INF/user-context.xml  | 99 ++++++++++++++++++-
 .../webapp/WEB-INF/views/external_login.jsp   | 54 ++++++++++
 .../util/ExternalLoginAuthoritiesMapper.java  | 44 +++++++++
 .../uma/web/ClaimsCollectionEndpoint.java     | 54 ++++++++++
 4 files changed, 249 insertions(+), 2 deletions(-)
 create mode 100644 openid-connect-server-webapp/src/main/webapp/WEB-INF/views/external_login.jsp
 create mode 100644 openid-connect-server/src/main/java/org/mitre/uma/util/ExternalLoginAuthoritiesMapper.java
 create mode 100644 openid-connect-server/src/main/java/org/mitre/uma/web/ClaimsCollectionEndpoint.java

diff --git a/openid-connect-server-webapp/src/main/webapp/WEB-INF/user-context.xml b/openid-connect-server-webapp/src/main/webapp/WEB-INF/user-context.xml
index 54b8b5a9b..d8f295620 100644
--- a/openid-connect-server-webapp/src/main/webapp/WEB-INF/user-context.xml
+++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/user-context.xml
@@ -29,6 +29,99 @@
 		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.1.xsd
 		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.1.xsd">
 
+
+	<!-- Support for external OIDC logins for claims gathering -->
+
+	<mvc:view-controller path="/external_login" view-name="external_login" />
+	
+	<mvc:view-controller path="/openid_connect_login" view-name="openid_connect_login" />
+	
+	<security:http pattern="/external_login**" use-expressions="true" entry-point-ref="http403EntryPoint">
+		<security:intercept-url pattern="/external_login**" access="permitAll"/>	
+	</security:http>
+
+	<security:http disable-url-rewriting="true" use-expressions="true"
+			auto-config="false" entry-point-ref="externalAuthenticationEntryPoint"
+			pattern="/#{T(org.mitre.uma.web.ClaimsCollectionEndpoint).URL}**"> 
+
+		<security:logout logout-url="/logout" />
+		<security:expression-handler ref="oauthWebExpressionHandler" />
+	</security:http>	
+
+	<bean id="externalAuthenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
+		<property name="loginFormUrl" value="/openid_connect_login" />
+	</bean>
+
+	<security:authentication-manager alias="externalAuthenticationManager">
+		<security:authentication-provider ref="externalAuthenticationProvider" />
+	</security:authentication-manager>
+
+	<bean id="externalAuthenticationProvider" class="org.mitre.openid.connect.client.OIDCAuthenticationProvider">
+		<property name="authoritiesMapper">
+			<bean class="org.mitre.uma.util.ExternalLoginAuthoritiesMapper" />
+		</property>
+	</bean>
+
+	<bean id="externalAuthenticationFilter" class="org.mitre.openid.connect.client.OIDCAuthenticationFilter">
+		<property name="authenticationManager" ref="externalAuthenticationManager" />
+
+		<property name="issuerService" ref="hybridIssuerService" />
+		<property name="serverConfigurationService" ref="dynamicServerConfigurationService" />
+		<property name="clientConfigurationService" ref="dynamicClientConfigurationService" />
+		<property name="authRequestOptionsService" ref="staticAuthRequestOptionsService" />
+		<property name="authRequestUrlBuilder" ref="plainAuthRequestUrlBuilder" />
+		
+	</bean>
+
+	<bean class="org.mitre.openid.connect.client.service.impl.HybridIssuerService" id="hybridIssuerService">
+		<property name="loginPageUrl" value="external_login" />
+	</bean>
+
+	<bean class="org.mitre.openid.connect.client.service.impl.DynamicServerConfigurationService" id="dynamicServerConfigurationService" />
+
+	<bean class="org.mitre.openid.connect.client.service.impl.DynamicRegistrationClientConfigurationService" id="dynamicClientConfigurationService">
+		<property name="template">
+			<bean class="org.mitre.oauth2.model.RegisteredClient">
+				<property name="clientName" value="Simple Web App" />
+				<property name="scope">
+					<set value-type="java.lang.String">
+						<value>openid</value>
+						<value>profile</value>
+						<value>email</value>
+						<value>phone</value>
+						<value>address</value>
+					</set>
+				</property>
+				<property name="tokenEndpointAuthMethod" value="SECRET_BASIC" />
+				<property name="redirectUris">
+					<set>
+						<value>#{configBean.issuer + "openid_connect_login"}</value>
+					</set>
+				</property>
+			</bean>
+		</property>
+		<!-- 
+			Registered Client Service. Uncomment this to save dynamically registered clients out to a
+			file on disk (indicated by the filename property) or replace this with another implementation
+			of RegisteredClientService. This defaults to an in-memory implementation of RegisteredClientService
+			which will forget and re-register all clients on restart.
+		-->
+		<!--
+		<property name="registeredClientService">
+			<bean class="org.mitre.openid.connect.client.service.impl.JsonFileRegisteredClientService">
+				<constructor-arg name="filename" value="/tmp/simple-web-app-clients.json" />
+			</bean>
+		</property>
+		 -->
+	</bean>
+
+	<bean class="org.mitre.openid.connect.client.service.impl.StaticAuthRequestOptionsService" id="staticAuthRequestOptionsService" />
+
+	<bean class="org.mitre.openid.connect.client.service.impl.PlainAuthRequestUrlBuilder" id="plainAuthRequestUrlBuilder" />
+
+
+	<!-- Standard configuration -->
+
 	<security:authentication-manager alias="authenticationManager">
 		<security:authentication-provider>
 			<security:jdbc-user-service data-source-ref="dataSource"/>
@@ -36,14 +129,16 @@
 	</security:authentication-manager>
 		
 	<mvc:view-controller path="/login" view-name="login" />
-
+	
+	
 	<security:http pattern="/login**" use-expressions="true" entry-point-ref="http403EntryPoint">
 		<security:intercept-url pattern="/login**" access="permitAll"/>	
 	</security:http>
-	
+
 	<security:http disable-url-rewriting="true" use-expressions="true"> 
 		<security:form-login login-page="/login" authentication-failure-url="/login?error=failure" authentication-success-handler-ref="authenticationTimeStamper" />
 		<security:intercept-url pattern="/**" access="permitAll" />
+		<security:custom-filter before="PRE_AUTH_FILTER" ref="externalAuthenticationFilter" />
 		<security:custom-filter ref="authRequestFilter" after="SECURITY_CONTEXT_FILTER" />
 		<security:logout logout-url="/logout" />
 		<security:anonymous />
diff --git a/openid-connect-server-webapp/src/main/webapp/WEB-INF/views/external_login.jsp b/openid-connect-server-webapp/src/main/webapp/WEB-INF/views/external_login.jsp
new file mode 100644
index 000000000..a2171fe31
--- /dev/null
+++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/views/external_login.jsp
@@ -0,0 +1,54 @@
+<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
+<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
+<%@ taglib prefix="security" uri="http://www.springframework.org/security/tags" %>
+<%@ taglib prefix="o" tagdir="/WEB-INF/tags"%>
+<o:header title="Login"/>
+<o:topbar />
+<div class="container-fluid main">
+	<div class="row-fluid">
+		<div class="span10 offset1">
+
+			<h2>Log In</h2>
+			
+			<p>Use this page to log in by entering an <code>issuer URI</code> or a <code>webfinger identifier</code>. 
+			Use the buttons to pre-fill the form with a known identifier.</p> 
+			
+			<div class="well">
+				<div class="row-fluid">
+					
+					<div class="span2">
+						<button class="btn" id="localhost">Local MITREid Connect Server (default setup)</button>
+					</div>
+				
+					<div class="span2">
+						<button class="btn" id="mitreidorg">mitre.org integration site demo user</button>
+					</div>
+				</div>
+				
+				<div class="row-fluid">
+	
+					<div class="span8">
+						<form action="openid_connect_login" method="get">
+							<input type="text" class="input-xxlarge" name="identifier" id="identifier" />
+							<input type="submit" value="Log In" />
+						</form>
+					</div>
+	
+				</div>
+
+		</div>
+	</div>
+</div>
+
+<script type="text/javascript">
+	$(document).ready(function () {
+		$('#localhost').on('click', function() {
+			$('#identifier').val('http://localhost:8080/openid-connect-server-webapp/');
+		});
+		$('#mitreidorg').on('click', function() {
+			$('#identifier').val('user@mitreid.org');
+		});
+		
+	});
+</script>
+<o:footer />
\ No newline at end of file
diff --git a/openid-connect-server/src/main/java/org/mitre/uma/util/ExternalLoginAuthoritiesMapper.java b/openid-connect-server/src/main/java/org/mitre/uma/util/ExternalLoginAuthoritiesMapper.java
new file mode 100644
index 000000000..1b23f53c7
--- /dev/null
+++ b/openid-connect-server/src/main/java/org/mitre/uma/util/ExternalLoginAuthoritiesMapper.java
@@ -0,0 +1,44 @@
+/*******************************************************************************
+ * Copyright 2015 The MITRE Corporation
+ *   and the MIT Kerberos and Internet Trust Consortium
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *******************************************************************************/
+
+package org.mitre.uma.util;
+
+import java.util.Collection;
+import java.util.Set;
+
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
+
+import com.google.common.collect.Sets;
+
+/**
+ * @author jricher
+ *
+ */
+public class ExternalLoginAuthoritiesMapper implements GrantedAuthoritiesMapper {
+
+	private static final GrantedAuthority ROLE_EXTERNAL_USER = new SimpleGrantedAuthority("ROLE_EXTERNAL_USER");
+	
+	@Override
+	public Collection<? extends GrantedAuthority> mapAuthorities(Collection<? extends GrantedAuthority> authorities) {
+		Set<GrantedAuthority> out = Sets.newHashSet(authorities);
+		out.add(ROLE_EXTERNAL_USER);
+		return out;
+	}
+
+}
diff --git a/openid-connect-server/src/main/java/org/mitre/uma/web/ClaimsCollectionEndpoint.java b/openid-connect-server/src/main/java/org/mitre/uma/web/ClaimsCollectionEndpoint.java
new file mode 100644
index 000000000..6162b2bce
--- /dev/null
+++ b/openid-connect-server/src/main/java/org/mitre/uma/web/ClaimsCollectionEndpoint.java
@@ -0,0 +1,54 @@
+/*******************************************************************************
+ * Copyright 2015 The MITRE Corporation
+ *   and the MIT Kerberos and Internet Trust Consortium
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *******************************************************************************/
+
+package org.mitre.uma.web;
+
+import org.mitre.openid.connect.view.JsonErrorView;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.security.core.Authentication;
+import org.springframework.stereotype.Controller;
+import org.springframework.ui.Model;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+
+/**
+ * 
+ * Collect claims interactively from the end user.
+ * 
+ * @author jricher
+ *
+ */
+@Controller
+@PreAuthorize("hasRole('ROLE_EXTERNAL_USER')")
+@RequestMapping("/" + ClaimsCollectionEndpoint.URL)
+public class ClaimsCollectionEndpoint {
+
+	public static final String URL = "rqp_claims";
+
+	
+	@RequestMapping(method = RequestMethod.GET)
+	public String collectClaims(@RequestParam("client_id") String clientId, @RequestParam("redirect_uri") String redirectUri, 
+			@RequestParam("ticket") String ticket, @RequestParam("state") String state,
+			Model m, Authentication auth) {
+
+		
+		
+		return JsonErrorView.VIEWNAME;
+	}
+	
+}