From 16aa0c59b574ece677916e8c8d5baa6c2388ea8a Mon Sep 17 00:00:00 2001
From: Amanda Anganes
Date: Wed, 30 May 2012 12:31:12 -0400
Subject: [PATCH] Added token enhancer. Now to plug it in.
---
 .../connect/token/ConnectTokenEnhancer.java | 79 +++++++++++++++++++
 1 file changed, 79 insertions(+)
 create mode 100644 openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
new file mode 100644
index 000000000..c44ee1146
--- /dev/null
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
@@ -0,0 +1,79 @@
+package org.mitre.openid.connect.token;
+
+import java.util.Date;
+
+import org.mitre.jwt.signer.service.JwtSigningAndValidationService;
+import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
+import org.mitre.oauth2.service.OAuth2TokenEntityService;
+import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
+import org.mitre.openid.connect.model.IdToken;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.oauth2.common.OAuth2AccessToken;
+import org.springframework.security.oauth2.provider.OAuth2Authentication;
+import org.springframework.security.oauth2.provider.token.TokenEnhancer;
+
+import com.google.common.base.Strings;
+
+public class ConnectTokenEnhancer implements TokenEnhancer {
+
+ @Autowired
+ private ConfigurationPropertiesBean configBean;
+
+ @Autowired
+ private OAuth2TokenEntityService tokenServices;
+
+ @Autowired
+ private IdTokenGeneratorService idTokenService;
+
+ @Autowired
+ private JwtSigningAndValidationService jwtService;
+
+ @Override
+ public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
+
+ OAuth2AccessTokenEntity token = (OAuth2AccessTokenEntity) accessToken;
+
+ String clientId = "";
+ token.getJwt().getClaims().setAudience(clientId);
+
+ token.getJwt().getClaims().setIssuer(configBean.getIssuer());
+
+ token.getJwt().getClaims().setIssuedAt(new Date());
+ // handle expiration
+ token.getJwt().getClaims().setExpiration(token.getExpiration());
+
+ jwtService.signJwt(token.getJwt());
+
+ /**
+ * Authorization request scope MUST include "openid", but access token request
+ may or may not include the scope parameter. As long as the AuthorizationRequest
+ has the proper scope, we can consider this a valid OpenID Connect request.
+ */
+ if (authentication.getAuthorizationRequest().getScope().contains("openid")) {
+
+ String userId = authentication.getName();
+
+ IdToken idToken = idTokenService.generateIdToken(userId, configBean.getIssuer());
+ idToken.getClaims().setAudience(clientId);
+ idToken.getClaims().setIssuedAt(new Date());
+ idToken.getClaims().setIssuer(configBean.getIssuer());
+
+ String nonce = authentication.getAuthorizationRequest().getParameters().get("nonce");
+ if (!Strings.isNullOrEmpty(nonce)) {
+ idToken.getClaims().setNonce(nonce);
+ }
+ // TODO: expiration? other fields?
+
+ //Sign
+ //TODO: check client to see if they have a preferred alg, attempt to use that
+
+ jwtService.signJwt(idToken);
+
+ token.setIdToken(idToken);
+ }
+
+ tokenServices.saveAccessToken(token);
+ return token;
+ }
+
+}
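Review bot: `String clientId = "";` leaves the `aud` claim of both the access-token JWT (set earlier in the hunk) and the ID token (at `idToken.getClaims().setAudience(clientId)`) as an empty string, so a relying party that checks `aud` cannot tell that the token was minted for it rather than for some other client. The client id is on the same request object the code already reads for scope and nonce; `String clientId = authentication.getAuthorizationRequest().getClientId();` — assuming this AuthorizationRequest type exposes getClientId() — would bind both tokens to the requesting client. The ID token is also signed with no `exp` claim (the `// TODO: expiration? other fields?` line), which a spec-conforming relying party must reject; setting it from the access token's expiration or a configured ID-token lifetime before `jwtService.signJwt(idToken)` would close that gap. Finally, the unchecked cast `(OAuth2AccessTokenEntity) accessToken` throws ClassCastException if another enhancer or token store hands in a different OAuth2AccessToken implementation; an explicit `instanceof` guard that returns the token unchanged or throws IllegalArgumentException would make that failure mode deliberate.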