diff --git a/openid-connect-common/src/main/java/org/mitre/uma/service/UmaTokenService.java b/openid-connect-common/src/main/java/org/mitre/uma/service/UmaTokenService.java
new file mode 100644
index 000000000..c644abbdb
--- /dev/null
+++ b/openid-connect-common/src/main/java/org/mitre/uma/service/UmaTokenService.java
@@ -0,0 +1,41 @@
+/*******************************************************************************
+ * Copyright 2015 The MITRE Corporation
+ * and the MIT Kerberos and Internet Trust Consortium
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *******************************************************************************/
+
+package org.mitre.uma.service;
+
+import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
+import org.mitre.uma.model.PermissionTicket;
+import org.springframework.security.oauth2.provider.OAuth2Authentication;
+
+/**
+ * Service to create special tokens for UMA.
+ *
+ * @author jricher
+ *
+ */
+public interface UmaTokenService {
+
+ /**
+ * Create the RPT from the given authentication and ticket.
+ *
+ * @param o2auth
+ * @param ticket
+ * @return
+ */
+ public OAuth2AccessTokenEntity createRequestingPartyToken(OAuth2Authentication o2auth, PermissionTicket ticket);
+
+}
diff --git a/openid-connect-server/src/main/java/org/mitre/uma/service/impl/DefaultUmaTokenService.java b/openid-connect-server/src/main/java/org/mitre/uma/service/impl/DefaultUmaTokenService.java
new file mode 100644
index 000000000..7acdb1153
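Review bot: The Javadoc on `createRequestingPartyToken` leaves its `@param o2auth`, `@param ticket` and `@return` tags empty, so the interface says nothing about what the RPT is bound to or whether it has already been persisted when it is returned. Filled in from the implementation added in this commit they would read `@param o2auth the authentication the RPT is bound to (stored in its authentication holder)`, `@param ticket the permission ticket whose permission the RPT carries`, and `@return the newly created and saved RPT`. Since callers hand `token.getValue()` straight back to the requesting party, the contract should also state what lifetime, if any, an implementation is expected to give the token. The `public` modifier on the interface method is redundant and the project's other interfaces are likely to omit it.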
--- /dev/null
+++ b/openid-connect-server/src/main/java/org/mitre/uma/service/impl/DefaultUmaTokenService.java
@@ -0,0 +1,97 @@
+/*******************************************************************************
+ * Copyright 2015 The MITRE Corporation
+ * and the MIT Kerberos and Internet Trust Consortium
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *******************************************************************************/
+
+package org.mitre.uma.service.impl;
+
+import java.util.UUID;
+
+import org.mitre.jwt.signer.service.JWTSigningAndValidationService;
+import org.mitre.oauth2.model.AuthenticationHolderEntity;
+import org.mitre.oauth2.model.ClientDetailsEntity;
+import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
+import org.mitre.oauth2.repository.AuthenticationHolderRepository;
+import org.mitre.oauth2.service.ClientDetailsEntityService;
+import org.mitre.oauth2.service.OAuth2TokenEntityService;
+import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
+import org.mitre.uma.model.PermissionTicket;
+import org.mitre.uma.service.UmaTokenService;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.oauth2.provider.OAuth2Authentication;
+
+import com.google.common.collect.Lists;
+import com.google.common.collect.Sets;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.JWSHeader;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.jwt.SignedJWT;
+
+/**
+ * @author jricher
+ *
+ */
+public class DefaultUmaTokenService implements UmaTokenService {
+
+ @Autowired
+ private AuthenticationHolderRepository authenticationHolderRepository;
+
+ @Autowired
+ private OAuth2TokenEntityService tokenService;
+
+ @Autowired
+ private ClientDetailsEntityService clientService;
+
+ @Autowired
+ private ConfigurationPropertiesBean configBean;
+
+ @Autowired
+ private JWTSigningAndValidationService jwtService;
+
+
+ @Override
+ public OAuth2AccessTokenEntity createRequestingPartyToken(OAuth2Authentication o2auth, PermissionTicket ticket) {
+ OAuth2AccessTokenEntity token = new OAuth2AccessTokenEntity();
+ AuthenticationHolderEntity authHolder = new AuthenticationHolderEntity();
+ authHolder.setAuthentication(o2auth);
+ authHolder = authenticationHolderRepository.save(authHolder);
+
+ token.setAuthenticationHolder(authHolder);
+
+ ClientDetailsEntity client = clientService.loadClientByClientId(o2auth.getOAuth2Request().getClientId());
+ token.setClient(client);
+
+ token.setPermissions(Sets.newHashSet(ticket.getPermission()));
+
+
+ JWTClaimsSet claims = new JWTClaimsSet();
+
+ claims.setAudience(Lists.newArrayList(ticket.getPermission().getResourceSet().getId().toString()));
+ claims.setIssuer(configBean.getIssuer());
+ claims.setJWTID(UUID.randomUUID().toString());
+
+ JWSAlgorithm signingAlgorithm = jwtService.getDefaultSigningAlgorithm();
+ SignedJWT signed = new SignedJWT(new JWSHeader(signingAlgorithm), claims);
+
+ jwtService.signJwt(signed);
+
+ token.setJwt(signed);
+
+ tokenService.saveAccessToken(token);
+
+ return token;
+ }
+
+}
diff --git a/openid-connect-server/src/main/java/org/mitre/uma/web/AuthorizationRequestEndpoint.java b/openid-connect-server/src/main/java/org/mitre/uma/web/AuthorizationRequestEndpoint.java
index 50e9b38dc..8d7c259cd 100644
--- a/openid-connect-server/src/main/java/org/mitre/uma/web/AuthorizationRequestEndpoint.java
+++ b/openid-connect-server/src/main/java/org/mitre/uma/web/AuthorizationRequestEndpoint.java
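Review bot: `createRequestingPartyToken` persists the RPT with no lifetime at all: nothing calls `token.setExpiration(...)`, and the claims set built between `new JWTClaimsSet()` and `claims.setJWTID(...)` carries issuer, audience and `jti` but no `exp` or `iat`, so unless `tokenService.saveAccessToken` fills one in (not visible in this hunk) the bearer token handed to the requesting party stays valid until someone deletes it. Deriving the expiry from the client's configured access-token validity and mirroring it into the JWT keeps the RPT on the same footing as ordinary access tokens and lets resource servers reject stale ones offline; this needs `java.util.Date` and `java.util.Objects` imported. The `ticket.getPermission().getResourceSet().getId()` chain also assumes the ticket carries a permission with a resource set, so a ticket missing either would surface as a bare NullPointerException rather than a descriptive error, which a `requireNonNull` at the top of the method avoids cheaply. The class Javadoc holds only `@author`; a summary such as `Default UmaTokenService: mints a signed RPT bound to the requesting party's authentication and the ticket's permission, then saves it through the token service.` would help the next reader.
```java
	@Override
	public OAuth2AccessTokenEntity createRequestingPartyToken(OAuth2Authentication o2auth, PermissionTicket ticket) {
		Objects.requireNonNull(ticket.getPermission(), "permission ticket carries no permission");
		// … unchanged: authentication holder, client lookup, token.setPermissions …

		Date now = new Date();
		JWTClaimsSet claims = new JWTClaimsSet();
		claims.setIssueTime(now);
		// bound the RPT's lifetime like any other access token issued to this client
		Integer validitySeconds = client.getAccessTokenValiditySeconds();
		if (validitySeconds != null && validitySeconds > 0) {
			Date expiration = new Date(now.getTime() + validitySeconds * 1000L);
			token.setExpiration(expiration);
			claims.setExpirationTime(expiration);
		}
		// … unchanged: audience, issuer, jti, signing, save, return …
```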
@@ -43,6 +43,7 @@ import org.mitre.uma.model.PermissionTicket; import org.mitre.uma.model.ResourceSet; import org.mitre.uma.service.ClaimsProcessingService; import org.mitre.uma.service.PermissionService; +import org.mitre.uma.service.UmaTokenService; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; @@ -96,20 +97,15 @@ public class AuthorizationRequestEndpoint { @Autowired private OIDCTokenService oidcTokenService; - /////// TODO: TEMPORARY - @Autowired private AuthenticationHolderRepository authenticationHolderRepository; - @Autowired private OAuth2TokenRepository tokenRepository; - @Autowired private ClientDetailsEntityService clientService; - @Autowired private ConfigurationPropertiesBean configBean; - @Autowired private JWTSigningAndValidationService jwtService; - //////// - @Autowired private WebResponseExceptionTranslator providerExceptionHandler; @Autowired private ClaimsProcessingService claimsProcessingService; + @Autowired + private UmaTokenService umaTokenService; + @RequestMapping(method = RequestMethod.POST, consumes = MimeTypeUtils.APPLICATION_JSON_VALUE, produces = MimeTypeUtils.APPLICATION_JSON_VALUE) public String authorizationRequest(@RequestBody String jsonString, Model m, Authentication auth) { 
@@ -152,38 +148,10 @@ public class AuthorizationRequestEndpoint { if (claimsUnmatched.isEmpty()) { // if the unmatched claims come back empty, by function contract that means we're happy and can issue a token - - // TODO: move this whole mess to the OIDCTokenService (#797) - + OAuth2Authentication o2auth = (OAuth2Authentication) auth; - OAuth2AccessTokenEntity token = new OAuth2AccessTokenEntity(); - AuthenticationHolderEntity authHolder = new AuthenticationHolderEntity(); - authHolder.setAuthentication(o2auth); - authHolder = authenticationHolderRepository.save(authHolder); - - token.setAuthenticationHolder(authHolder); - - ClientDetailsEntity client = clientService.loadClientByClientId(o2auth.getOAuth2Request().getClientId()); - token.setClient(client); - - token.setPermissions(Sets.newHashSet(ticket.getPermission())); - - - JWTClaimsSet claims = new JWTClaimsSet(); - - claims.setAudience(Lists.newArrayList(ticket.getPermission().getResourceSet().getId().toString())); - claims.setIssuer(configBean.getIssuer()); - claims.setJWTID(UUID.randomUUID().toString()); - - JWSAlgorithm signingAlgorithm = jwtService.getDefaultSigningAlgorithm(); - SignedJWT signed = new SignedJWT(new JWSHeader(signingAlgorithm), claims); - - jwtService.signJwt(signed); - - token.setJwt(signed); - - tokenService.saveAccessToken(token); + OAuth2AccessTokenEntity token = umaTokenService.createRequestingPartyToken(o2auth, ticket); Map entity = ImmutableMap.of("rpt", token.getValue());