added basic support for encrypted request objects, addresses #475

2013-09-12 17:05:12 -04:00 · 2013-09-12 17:05:12 -04:00 · 09cd752c86
parent a52f86db49
commit 09cd752c86
2 changed files with 30 additions and 5 deletions
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectOAuth2RequestFactory.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectOAuth2RequestFactory.java
@ -24,6 +24,7 @@ import java.util.HashMap;
 import java.util.Map;
 import java.util.Set;

+import org.mitre.jwt.encryption.service.JwtEncryptionAndDecryptionService;
 import org.mitre.jwt.signer.service.JwtSigningAndValidationService;
 import org.mitre.jwt.signer.service.impl.DefaultJwtSigningAndValidationService;
 import org.mitre.jwt.signer.service.impl.JWKSetSigningAndValidationServiceCacheService;
@ -45,11 +46,13 @@ import org.springframework.stereotype.Component;
 import com.google.common.base.Strings;
 import com.google.common.collect.ImmutableMap;
 import com.nimbusds.jose.Algorithm;
+import com.nimbusds.jose.JWEObject.State;
 import com.nimbusds.jose.JWSAlgorithm;
 import com.nimbusds.jose.jwk.JWK;
 import com.nimbusds.jose.jwk.OctetSequenceKey;
 import com.nimbusds.jose.jwk.Use;
 import com.nimbusds.jose.util.Base64URL;
+import com.nimbusds.jwt.EncryptedJWT;
 import com.nimbusds.jwt.JWT;
 import com.nimbusds.jwt.JWTParser;
 import com.nimbusds.jwt.PlainJWT;
@ -68,6 +71,9 @@ public class ConnectOAuth2RequestFactory extends DefaultOAuth2RequestFactory {
 	
 	@Autowired
 	private SystemScopeService systemScopes;
+	
+	@Autowired
+	private JwtEncryptionAndDecryptionService encryptionService;

 	/**
 	 * Constructor with arguments
@ -237,6 +243,18 @@ public class ConnectOAuth2RequestFactory extends DefaultOAuth2RequestFactory {
 				
 				// if we got here, we're OK, keep processing
 				
+			} else if (jwt instanceof EncryptedJWT) {
+				
+				EncryptedJWT encryptedJWT = (EncryptedJWT)jwt;
+				
+				// decrypt the jwt if we can
+				
+				encryptionService.decryptJwt(encryptedJWT);
+				
+				if (!encryptedJWT.getState().equals(State.DECRYPTED)) {
+					throw new InvalidClientException("Unable to decrypt the request object");
+				}
+				
 			}
 			
 			/*
--- a/openid-connect-server/src/main/webapp/WEB-INF/crypto-config.xml
+++ b/openid-connect-server/src/main/webapp/WEB-INF/crypto-config.xml
@ -19,14 +19,21 @@
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">

+	<bean id="defaultKeyStore" class="org.mitre.jose.keystore.JWKSetKeyStore">
+		<property name="location" value="classpath:keystore.jwks" />
+	</bean>
+	
 	<bean id="defaultsignerService" class="org.mitre.jwt.signer.service.impl.DefaultJwtSigningAndValidationService">
-		<constructor-arg name="keyStore">
-			<bean id="defaultKeyStore" class="org.mitre.jose.keystore.JWKSetKeyStore">
-				<property name="location" value="classpath:keystore.jwks" />
-			</bean>
-		</constructor-arg>
+		<constructor-arg name="keyStore" ref="defaultKeyStore" />
 		<property name="defaultSignerKeyId" value="rsa1" />
 		<property name="defaultSigningAlgorithmName" value="RS256" />
 	</bean>

+	<bean id="defaultEncryptionService" class="org.mitre.jwt.encryption.service.impl.DefaultJwtEncryptionAndDecryptionService">
+		<constructor-arg name="keyStore" ref="defaultKeyStore" />
+		<property name="defaultAlgorithm" value="RSA1_5" />
+		<property name="defaultDecryptionKeyId" value="rsa1" />
+		<property name="defaultEncryptionKeyId" value="rsa1" />
+	</bean>
+
 </beans>