github
/
OpenID-Connect-Java-Spring-Server
mirror of https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

MitreID code compiles against latest Spring libraries

pull/1611/head
Andrea Ceccanti 2021-10-25 17:13:07 +02:00
parent 711a2e7eab
commit 12bfab4f55
5 changed files with 441 additions and 443 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2AccessTokenEntity.java
View File

@ -50,8 +50,6 @@ import org.mitre.oauth2.model.convert.JWTStringConverter;
import org.mitre.openid.connect.model.ApprovedSite;
import org.mitre.uma.model.Permission;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessTokenJackson1Deserializer;
import org.springframework.security.oauth2.common.OAuth2AccessTokenJackson1Serializer;
import org.springframework.security.oauth2.common.OAuth2AccessTokenJackson2Deserializer;
import org.springframework.security.oauth2.common.OAuth2AccessTokenJackson2Serializer;
import org.springframework.security.oauth2.common.OAuth2RefreshToken;
@ -74,8 +72,6 @@ import com.nimbusds.jwt.JWT;
@NamedQuery(name = OAuth2AccessTokenEntity.QUERY_BY_RESOURCE_SET, query = "select a from OAuth2AccessTokenEntity a join a.permissions p where p.resourceSet.id = :" + OAuth2AccessTokenEntity.PARAM_RESOURCE_SET_ID),
@NamedQuery(name = OAuth2AccessTokenEntity.QUERY_BY_NAME, query = "select r from OAuth2AccessTokenEntity r where r.authenticationHolder.userAuth.name = :" + OAuth2AccessTokenEntity.PARAM_NAME)
})
@org.codehaus.jackson.map.annotate.JsonSerialize(using = OAuth2AccessTokenJackson1Serializer.class)
@org.codehaus.jackson.map.annotate.JsonDeserialize(using = OAuth2AccessTokenJackson1Deserializer.class)
@com.fasterxml.jackson.databind.annotation.JsonSerialize(using = OAuth2AccessTokenJackson2Serializer.class)
@com.fasterxml.jackson.databind.annotation.JsonDeserialize(using = OAuth2AccessTokenJackson2Deserializer.class)
public class OAuth2AccessTokenEntity implements OAuth2AccessToken {

3
openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/UriEncodedClientUserDetailsService.java
View File

@ -15,7 +15,6 @@
*******************************************************************************/
package org.mitre.oauth2.service.impl;
import java.io.UnsupportedEncodingException;
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.Collection;
@ -91,7 +90,7 @@ public class UriEncodedClientUserDetailsService implements UserDetailsService {
} else {
throw new UsernameNotFoundException("Client not found: " + clientId);
}
} catch (UnsupportedEncodingException | InvalidClientException e) {
} catch (InvalidClientException e) {
throw new UsernameNotFoundException("Client not found: " + clientId);
}

16
openid-connect-server/src/main/java/org/mitre/openid/connect/web/DynamicClientRegistrationEndpoint.java
View File

@ -17,7 +17,6 @@
*******************************************************************************/
package org.mitre.openid.connect.web;
import java.io.UnsupportedEncodingException;
import java.text.ParseException;
import java.util.Date;
import java.util.Set;
@ -218,10 +217,6 @@ public class DynamicClientRegistrationEndpoint {
m.addAttribute(HttpCodeView.CODE, HttpStatus.CREATED); // http 201
return ClientInformationResponseView.VIEWNAME;
} catch (UnsupportedEncodingException e) {
logger.error("Unsupported encoding", e);
m.addAttribute(HttpCodeView.CODE, HttpStatus.INTERNAL_SERVER_ERROR);
return HttpCodeView.VIEWNAME;
} catch (IllegalArgumentException e) {
logger.error("Couldn't save client", e);
@ -260,8 +255,6 @@ public class DynamicClientRegistrationEndpoint {
ClientDetailsEntity client = clientService.loadClientByClientId(clientId);
if (client != null && client.getClientId().equals(auth.getOAuth2Request().getClientId())) {
try {
OAuth2AccessTokenEntity token = rotateRegistrationTokenIfNecessary(auth, client);
RegisteredClient registered =
new RegisteredClient(client, token.getValue(), config.getIssuer() + "register/"
@ -272,11 +265,6 @@ public class DynamicClientRegistrationEndpoint {
m.addAttribute(HttpCodeView.CODE, HttpStatus.OK); // http 200
return ClientInformationResponseView.VIEWNAME;
} catch (UnsupportedEncodingException e) {
logger.error("Unsupported encoding", e);
m.addAttribute(HttpCodeView.CODE, HttpStatus.INTERNAL_SERVER_ERROR);
return HttpCodeView.VIEWNAME;
}
} else {
// client mismatch
@ -380,10 +368,6 @@ public class DynamicClientRegistrationEndpoint {
m.addAttribute(HttpCodeView.CODE, HttpStatus.OK); // http 200
return ClientInformationResponseView.VIEWNAME;
} catch (UnsupportedEncodingException e) {
logger.error("Unsupported encoding", e);
m.addAttribute(HttpCodeView.CODE, HttpStatus.INTERNAL_SERVER_ERROR);
return HttpCodeView.VIEWNAME;
} catch (IllegalArgumentException e) {
logger.error("Couldn't save client", e);

124
openid-connect-server/src/main/java/org/mitre/openid/connect/web/ProtectedResourceRegistrationEndpoint.java
View File

@ -15,7 +15,6 @@
*******************************************************************************/
package org.mitre.openid.connect.web;
import java.io.UnsupportedEncodingException;
import java.text.ParseException;
import java.util.Date;
import java.util.HashSet;
@ -82,16 +81,19 @@ public class ProtectedResourceRegistrationEndpoint {
/**
* Logger for this class
*/
private static final Logger logger = LoggerFactory.getLogger(ProtectedResourceRegistrationEndpoint.class);
private static final Logger logger =
LoggerFactory.getLogger(ProtectedResourceRegistrationEndpoint.class);
/**
* Create a new Client, issue a client ID, and create a registration access token.
*
* @param jsonString
* @param m
* @param p
* @return
*/
@RequestMapping(method = RequestMethod.POST, consumes = MediaType.APPLICATION_JSON_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
@RequestMapping(method = RequestMethod.POST, consumes = MediaType.APPLICATION_JSON_VALUE,
produces = MediaType.APPLICATION_JSON_VALUE)
public String registerNewProtectedResource(@RequestBody String jsonString, Model m) {
ClientDetailsEntity newClient = null;
@ -172,20 +174,19 @@ public class ProtectedResourceRegistrationEndpoint {
// send it all out to the view
RegisteredClient registered = new RegisteredClient(savedClient, token.getValue(), config.getIssuer() + "resource/" + UriUtils.encodePathSegment(savedClient.getClientId(), "UTF-8"));
RegisteredClient registered =
new RegisteredClient(savedClient, token.getValue(), config.getIssuer() + "resource/"
+ UriUtils.encodePathSegment(savedClient.getClientId(), "UTF-8"));
m.addAttribute("client", registered);
m.addAttribute(HttpCodeView.CODE, HttpStatus.CREATED); // http 201
return ClientInformationResponseView.VIEWNAME;
} catch (UnsupportedEncodingException e) {
logger.error("Unsupported encoding", e);
m.addAttribute(HttpCodeView.CODE, HttpStatus.INTERNAL_SERVER_ERROR);
return HttpCodeView.VIEWNAME;
} catch (IllegalArgumentException e) {
logger.error("Couldn't save client", e);
m.addAttribute(JsonErrorView.ERROR, "invalid_client_metadata");
m.addAttribute(JsonErrorView.ERROR_MESSAGE, "Unable to save client due to invalid or inconsistent metadata.");
m.addAttribute(JsonErrorView.ERROR_MESSAGE,
"Unable to save client due to invalid or inconsistent metadata.");
m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST); // http 400
return JsonErrorView.VIEWNAME;
@ -200,12 +201,14 @@ public class ProtectedResourceRegistrationEndpoint {
}
private ClientDetailsEntity validateScopes(ClientDetailsEntity newClient) throws ValidationException {
private ClientDetailsEntity validateScopes(ClientDetailsEntity newClient)
throws ValidationException {
// scopes that the client is asking for
Set<SystemScope> requestedScopes = scopeService.fromStrings(newClient.getScope());
// the scopes that the client can have must be a subset of the dynamically allowed scopes
Set<SystemScope> allowedScopes = scopeService.removeRestrictedAndReservedScopes(requestedScopes);
Set<SystemScope> allowedScopes =
scopeService.removeRestrictedAndReservedScopes(requestedScopes);
// if the client didn't ask for any, give them the defaults
if (allowedScopes == null || allowedScopes.isEmpty()) {
@ -219,41 +222,40 @@ public class ProtectedResourceRegistrationEndpoint {
/**
* Get the meta information for a client.
*
* @param clientId
* @param m
* @param auth
* @return
*/
@PreAuthorize("hasRole('ROLE_CLIENT') and #oauth2.hasScope('" + SystemScopeService.RESOURCE_TOKEN_SCOPE + "')")
@RequestMapping(value = "/{id}", method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_VALUE)
public String readResourceConfiguration(@PathVariable("id") String clientId, Model m, OAuth2Authentication auth) {
@PreAuthorize("hasRole('ROLE_CLIENT') and #oauth2.hasScope('"
+ SystemScopeService.RESOURCE_TOKEN_SCOPE + "')")
@RequestMapping(value = "/{id}", method = RequestMethod.GET,
produces = MediaType.APPLICATION_JSON_VALUE)
public String readResourceConfiguration(@PathVariable("id") String clientId, Model m,
OAuth2Authentication auth) {
ClientDetailsEntity client = clientService.loadClientByClientId(clientId);
if (client != null && client.getClientId().equals(auth.getOAuth2Request().getClientId())) {
try {
// possibly update the token
OAuth2AccessTokenEntity token = fetchValidRegistrationToken(auth, client);
RegisteredClient registered = new RegisteredClient(client, token.getValue(), config.getIssuer() + "resource/" + UriUtils.encodePathSegment(client.getClientId(), "UTF-8"));
RegisteredClient registered =
new RegisteredClient(client, token.getValue(), config.getIssuer() + "resource/"
+ UriUtils.encodePathSegment(client.getClientId(), "UTF-8"));
// send it all out to the view
m.addAttribute("client", registered);
m.addAttribute(HttpCodeView.CODE, HttpStatus.OK); // http 200
return ClientInformationResponseView.VIEWNAME;
} catch (UnsupportedEncodingException e) {
logger.error("Unsupported encoding", e);
m.addAttribute(HttpCodeView.CODE, HttpStatus.INTERNAL_SERVER_ERROR);
return HttpCodeView.VIEWNAME;
}
} else {
// client mismatch
logger.error("readResourceConfiguration failed, client ID mismatch: "
+ clientId + " and " + auth.getOAuth2Request().getClientId() + " do not match.");
logger.error("readResourceConfiguration failed, client ID mismatch: " + clientId + " and "
+ auth.getOAuth2Request().getClientId() + " do not match.");
m.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN); // http 403
return HttpCodeView.VIEWNAME;
@ -262,15 +264,19 @@ public class ProtectedResourceRegistrationEndpoint {
/**
* Update the metainformation for a given client.
*
* @param clientId
* @param jsonString
* @param m
* @param auth
* @return
*/
@PreAuthorize("hasRole('ROLE_CLIENT') and #oauth2.hasScope('" + SystemScopeService.RESOURCE_TOKEN_SCOPE + "')")
@RequestMapping(value = "/{id}", method = RequestMethod.PUT, produces = MediaType.APPLICATION_JSON_VALUE, consumes = MediaType.APPLICATION_JSON_VALUE)
public String updateProtectedResource(@PathVariable("id") String clientId, @RequestBody String jsonString, Model m, OAuth2Authentication auth) {
@PreAuthorize("hasRole('ROLE_CLIENT') and #oauth2.hasScope('"
+ SystemScopeService.RESOURCE_TOKEN_SCOPE + "')")
@RequestMapping(value = "/{id}", method = RequestMethod.PUT,
produces = MediaType.APPLICATION_JSON_VALUE, consumes = MediaType.APPLICATION_JSON_VALUE)
public String updateProtectedResource(@PathVariable("id") String clientId,
@RequestBody String jsonString, Model m, OAuth2Authentication auth) {
ClientDetailsEntity newClient = null;
@ -287,8 +293,12 @@ public class ProtectedResourceRegistrationEndpoint {
ClientDetailsEntity oldClient = clientService.loadClientByClientId(clientId);
if (newClient != null && oldClient != null // we have an existing client and the new one parsed
&& oldClient.getClientId().equals(auth.getOAuth2Request().getClientId()) // the client passed in the URI matches the one in the auth
&& oldClient.getClientId().equals(newClient.getClientId()) // the client passed in the body matches the one in the URI
&& oldClient.getClientId().equals(auth.getOAuth2Request().getClientId()) // the client
// passed in the
// URI matches the
// one in the auth
&& oldClient.getClientId().equals(newClient.getClientId()) // the client passed in the body
// matches the one in the URI
) {
// a client can't ask to update its own client secret to any particular value
@ -349,31 +359,30 @@ public class ProtectedResourceRegistrationEndpoint {
// possibly update the token
OAuth2AccessTokenEntity token = fetchValidRegistrationToken(auth, savedClient);
RegisteredClient registered = new RegisteredClient(savedClient, token.getValue(), config.getIssuer() + "resource/" + UriUtils.encodePathSegment(savedClient.getClientId(), "UTF-8"));
RegisteredClient registered =
new RegisteredClient(savedClient, token.getValue(), config.getIssuer() + "resource/"
+ UriUtils.encodePathSegment(savedClient.getClientId(), "UTF-8"));
// send it all out to the view
m.addAttribute("client", registered);
m.addAttribute(HttpCodeView.CODE, HttpStatus.OK); // http 200
return ClientInformationResponseView.VIEWNAME;
} catch (UnsupportedEncodingException e) {
logger.error("Unsupported encoding", e);
m.addAttribute(HttpCodeView.CODE, HttpStatus.INTERNAL_SERVER_ERROR);
return HttpCodeView.VIEWNAME;
} catch (IllegalArgumentException e) {
logger.error("Couldn't save client", e);
m.addAttribute(JsonErrorView.ERROR, "invalid_client_metadata");
m.addAttribute(JsonErrorView.ERROR_MESSAGE, "Unable to save client due to invalid or inconsistent metadata.");
m.addAttribute(JsonErrorView.ERROR_MESSAGE,
"Unable to save client due to invalid or inconsistent metadata.");
m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST); // http 400
return JsonErrorView.VIEWNAME;
}
} else {
// client mismatch
logger.error("updateProtectedResource" +
" failed, client ID mismatch: "
+ clientId + " and " + auth.getOAuth2Request().getClientId() + " do not match.");
logger.error("updateProtectedResource" + " failed, client ID mismatch: " + clientId + " and "
+ auth.getOAuth2Request().getClientId() + " do not match.");
m.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN); // http 403
return HttpCodeView.VIEWNAME;
@ -382,14 +391,18 @@ public class ProtectedResourceRegistrationEndpoint {
/**
* Delete the indicated client from the system.
*
* @param clientId
* @param m
* @param auth
* @return
*/
@PreAuthorize("hasRole('ROLE_CLIENT') and #oauth2.hasScope('" + SystemScopeService.RESOURCE_TOKEN_SCOPE + "')")
@RequestMapping(value = "/{id}", method = RequestMethod.DELETE, produces = MediaType.APPLICATION_JSON_VALUE)
public String deleteResource(@PathVariable("id") String clientId, Model m, OAuth2Authentication auth) {
@PreAuthorize("hasRole('ROLE_CLIENT') and #oauth2.hasScope('"
+ SystemScopeService.RESOURCE_TOKEN_SCOPE + "')")
@RequestMapping(value = "/{id}", method = RequestMethod.DELETE,
produces = MediaType.APPLICATION_JSON_VALUE)
public String deleteResource(@PathVariable("id") String clientId, Model m,
OAuth2Authentication auth) {
ClientDetailsEntity client = clientService.loadClientByClientId(clientId);
@ -402,22 +415,23 @@ public class ProtectedResourceRegistrationEndpoint {
return HttpCodeView.VIEWNAME;
} else {
// client mismatch
logger.error("readClientConfiguration failed, client ID mismatch: "
+ clientId + " and " + auth.getOAuth2Request().getClientId() + " do not match.");
logger.error("readClientConfiguration failed, client ID mismatch: " + clientId + " and "
+ auth.getOAuth2Request().getClientId() + " do not match.");
m.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN); // http 403
return HttpCodeView.VIEWNAME;
}
}
private ClientDetailsEntity validateAuth(ClientDetailsEntity newClient) throws ValidationException {
private ClientDetailsEntity validateAuth(ClientDetailsEntity newClient)
throws ValidationException {
if (newClient.getTokenEndpointAuthMethod() == null) {
newClient.setTokenEndpointAuthMethod(AuthMethod.SECRET_BASIC);
}
if (newClient.getTokenEndpointAuthMethod() == AuthMethod.SECRET_BASIC ||
newClient.getTokenEndpointAuthMethod() == AuthMethod.SECRET_JWT ||
newClient.getTokenEndpointAuthMethod() == AuthMethod.SECRET_POST) {
if (newClient.getTokenEndpointAuthMethod() == AuthMethod.SECRET_BASIC
|| newClient.getTokenEndpointAuthMethod() == AuthMethod.SECRET_JWT
|| newClient.getTokenEndpointAuthMethod() == AuthMethod.SECRET_POST) {
if (Strings.isNullOrEmpty(newClient.getClientSecret())) {
// no secret yet, we need to generate a secret
@ -425,19 +439,22 @@ public class ProtectedResourceRegistrationEndpoint {
}
} else if (newClient.getTokenEndpointAuthMethod() == AuthMethod.PRIVATE_KEY) {
if (Strings.isNullOrEmpty(newClient.getJwksUri()) && newClient.getJwks() == null) {
throw new ValidationException("invalid_client_metadata", "JWK Set URI required when using private key authentication", HttpStatus.BAD_REQUEST);
throw new ValidationException("invalid_client_metadata",
"JWK Set URI required when using private key authentication", HttpStatus.BAD_REQUEST);
}
newClient.setClientSecret(null);
} else if (newClient.getTokenEndpointAuthMethod() == AuthMethod.NONE) {
newClient.setClientSecret(null);
} else {
throw new ValidationException("invalid_client_metadata", "Unknown authentication method", HttpStatus.BAD_REQUEST);
throw new ValidationException("invalid_client_metadata", "Unknown authentication method",
HttpStatus.BAD_REQUEST);
}
return newClient;
}
private OAuth2AccessTokenEntity fetchValidRegistrationToken(OAuth2Authentication auth, ClientDetailsEntity client) {
private OAuth2AccessTokenEntity fetchValidRegistrationToken(OAuth2Authentication auth,
ClientDetailsEntity client) {
OAuth2AuthenticationDetails details = (OAuth2AuthenticationDetails) auth.getDetails();
OAuth2AccessTokenEntity token = tokenService.readAccessToken(details.getTokenValue());
@ -446,8 +463,9 @@ public class ProtectedResourceRegistrationEndpoint {
try {
// Re-issue the token if it has been issued before [currentTime - validity]
Date validToDate = new Date(System.currentTimeMillis() - config.getRegTokenLifeTime() * 1000);
if(token.getJwt().getJWTClaimsSet().getIssueTime().before(validToDate)) {
Date validToDate =
new Date(System.currentTimeMillis() - config.getRegTokenLifeTime() * 1000);
if (token.getJwt().getJWTClaimsSet().getIssueTime().before(validToDate)) {
logger.info("Rotating the registration access token for " + client.getClientId());
tokenService.revokeAccessToken(token);
OAuth2AccessTokenEntity newToken = connectTokenService.createResourceAccessToken(client);

11
pom.xml
View File

@ -385,35 +385,36 @@
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-framework-bom</artifactId>
<version>4.3.7.RELEASE</version>
<version>5.3.12</version>
<type>pom</type>
<scope>import</scope>
</dependency>
<!-- Jackson -->
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.9.0.pr2</version>
<version>2.12.5</version>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-annotations</artifactId>
<version>2.9.0.pr2</version>
<version>2.12.5</version>
</dependency>
<!-- Spring Security -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-bom</artifactId>
<version>4.2.4.RELEASE</version>
<version>5.5.3</version>
<type>pom</type>
<scope>import</scope>
</dependency>
<dependency>
<groupId>org.springframework.security.oauth</groupId>
<artifactId>spring-security-oauth2</artifactId>
<version>2.1.0.RELEASE</version>
<version>2.5.1.RELEASE</version>
</dependency>
<!-- Servlet -->