From 2108311d65f07f2352dc127829f76d947c693c1e Mon Sep 17 00:00:00 2001
From: William Kim
Date: Mon, 26 Aug 2013 15:33:08 -0400
Subject: [PATCH] Revert "refactored code to use the more generic JWT declaration."
This reverts commit e0b56bc72a42ae073020af428ea3c58bffbdd5ad.
---
 .../impl/SignedAuthRequestUrlBuilder.java | 13 ++-----------
 .../JwtSigningAndValidationService.java | 13 ++++++-------
 .../connect/token/ConnectTokenEnhancer.java | 18 +++++++-----------
 .../web/ClientDynamicRegistrationEndpoint.java | 15 +++------------
 4 files changed, 18 insertions(+), 41 deletions(-)
diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/SignedAuthRequestUrlBuilder.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/SignedAuthRequestUrlBuilder.java
index d8d1d8e8e..79413a69f 100644
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/SignedAuthRequestUrlBuilder.java
+++ b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/SignedAuthRequestUrlBuilder.java
@@ -31,11 +31,8 @@ import org.mitre.openid.connect.config.ServerConfiguration;
 import org.springframework.security.authentication.AuthenticationServiceException;
 import com.google.common.base.Joiner;
-import com.nimbusds.jose.JWSAlgorithm;
 import com.nimbusds.jose.JWSHeader;
-import com.nimbusds.jwt.JWT;
 import com.nimbusds.jwt.JWTClaimsSet;
-import com.nimbusds.jwt.PlainJWT;
 import com.nimbusds.jwt.SignedJWT;
 /**
@@ -74,15 +71,9 @@ public class SignedAuthRequestUrlBuilder implements AuthRequestUrlBuilder {
 claims.setClaim(option.getKey(), option.getValue());
 }
- JWSAlgorithm alg = signingAndValidationService.getDefaultSigningAlgorithm();
- JWT jwt;
-
- if (alg.equals(JWSAlgorithm.NONE)) { // alg:none
- jwt = new PlainJWT(claims);
- } else { // signature needed
- jwt = new SignedJWT(new JWSHeader(alg), claims);
- }
+
+ SignedJWT jwt = new SignedJWT(new JWSHeader(signingAndValidationService.getDefaultSigningAlgorithm()), claims);
 signingAndValidationService.signJwt(jwt);
diff --git a/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/JwtSigningAndValidationService.java b/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/JwtSigningAndValidationService.java
index 5dcce563b..04f8b69d1 100644
--- a/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/JwtSigningAndValidationService.java
+++ b/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/JwtSigningAndValidationService.java
@@ -22,7 +22,7 @@ import java.util.Map;
 import com.nimbusds.jose.JWSAlgorithm;
 import com.nimbusds.jose.jwk.JWK;
-import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.SignedJWT;
 public interface JwtSigningAndValidationService {
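Review bot: The replacement line `SignedJWT jwt = new SignedJWT(new JWSHeader(signingAndValidationService.getDefaultSigningAlgorithm()), claims);` removes the only handling for a default algorithm of `none`, so a service configured that way now either fails inside the JWSHeader constructor or hands signJwt a SignedJWT it cannot sign, depending on the Nimbus version in use. An unsigned request object is the one outcome this builder must not produce silently, so the policy should be stated in this code rather than delegated to the library: `JWSAlgorithm alg = signingAndValidationService.getDefaultSigningAlgorithm();` followed by `if (JWSAlgorithm.NONE.equals(alg)) { throw new AuthenticationServiceException("Default signing algorithm must not be 'none' when building a signed request object"); }` before the constructor call (this needs the `com.nimbusds.jose.JWSAlgorithm` import that the previous hunk drops). The same gap is introduced in ConnectTokenEnhancer at `@@ -92`, where `signingAlg` comes from the client's registered ID token algorithm, and in ClientDynamicRegistrationEndpoint at `@@ -365`; the JWSAlgorithm import is still present in both of those files. The enclosing method begins and ends outside this hunk.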
@@ -32,16 +32,15 @@ public interface JwtSigningAndValidationService {
 public Map getAllPublicKeys();
 /**
- * If alg:none is the default algorithm, verifies that the signature part is empty.
- * Otherwise, checks the signature of the given JWT against all configured non-plain signers,
- * returns true if at least one of the non-plain signers validates it.
+ * Checks the signature of the given JWT against all configured signers,
+ * returns true if at least one of the signers validates it.
 *
 * @param jwtString
 * the string representation of the JWT as sent on the wire
 * @return true if the signature is valid, false if not
 * @throws NoSuchAlgorithmException
 */
- public boolean validateSignature(JWT jwtString);
+ public boolean validateSignature(SignedJWT jwtString);
 /**
 * Called to sign a jwt in place for a client that hasn't registered a preferred signing algorithm.
@@ -51,7 +50,7 @@ public interface JwtSigningAndValidationService {
 * @return the signed jwt
 * @throws NoSuchAlgorithmException
 */
- public void signJwt(JWT jwt);
+ public void signJwt(SignedJWT jwt);
 /**
 * Get the default signing algorithm for use when nothing else has been specified.
@@ -73,7 +72,7 @@ public interface JwtSigningAndValidationService {
 * @param alg the name of the algorithm to use, as specified in JWS s.6
 * @return the signed jwt
 */
- public void signJwt(JWT jwt, JWSAlgorithm alg);
+ public void signJwt(SignedJWT jwt, JWSAlgorithm alg);
 /**
 * TODO: method to sign a jwt using a specified algorithm and a key id
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
index 78262482f..d66251bab 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
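Review bot: The Javadoc in the first hunk still reads `@param jwtString the string representation of the JWT as sent on the wire`, but the new signature `public boolean validateSignature(SignedJWT jwtString);` takes a parsed object, so both the parameter name and its description now mislead implementers; I would rename it `jwt` and document it as `@param jwt the parsed {@link SignedJWT} whose signature is checked against the configured signers`. The `@throws NoSuchAlgorithmException` tags in this hunk and in `@@ -51` describe an exception that none of the restored signatures declares, and both `signJwt` overloads (`@@ -51` and `@@ -73`) keep `@return the signed jwt` on a `void` method that signs in place. The reverted text also removed the only sentence that said what validateSignature does for a token whose header carries `none`; since the interface now only accepts SignedJWT, it should state that such a token is rejected rather than leaving each implementation to decide.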
@@ -20,6 +20,8 @@ import java.util.Date;
 import java.util.Set;
 import java.util.UUID;
+import javax.servlet.http.HttpSession;
+
 import org.mitre.jwt.signer.service.JwtSigningAndValidationService;
 import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
@@ -37,6 +39,8 @@ import org.springframework.security.oauth2.provider.OAuth2Authentication;
 import org.springframework.security.oauth2.provider.OAuth2Request;
 import org.springframework.security.oauth2.provider.token.TokenEnhancer;
 import org.springframework.stereotype.Service;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
 import com.google.common.base.Strings;
 import com.google.common.collect.Lists;
@@ -44,9 +48,7 @@ import com.google.common.collect.Sets;
 import com.nimbusds.jose.JWSAlgorithm;
 import com.nimbusds.jose.JWSHeader;
 import com.nimbusds.jose.util.Base64URL;
-import com.nimbusds.jwt.JWT;
 import com.nimbusds.jwt.JWTClaimsSet;
-import com.nimbusds.jwt.PlainJWT;
 import com.nimbusds.jwt.SignedJWT;
 @Service
@@ -92,17 +94,11 @@ public class ConnectTokenEnhancer implements TokenEnhancer {
 signingAlg = client.getIdTokenSignedResponseAlg().getAlgorithm();
 }
- JWT jwt;
-
- if (signingAlg.equals(JWSAlgorithm.NONE)) { // alg:none
- jwt = new PlainJWT(claims);
- } else { // signature needed
- jwt = new SignedJWT(new JWSHeader(signingAlg), claims);
- }
+ SignedJWT signed = new SignedJWT(new JWSHeader(signingAlg), claims);
- jwtService.signJwt(jwt);
+ jwtService.signJwt(signed);
- token.setJwt(jwt);
+ token.setJwt(signed);
 /**
 * Authorization request scope MUST include "openid" in OIDC, but access token request
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientDynamicRegistrationEndpoint.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientDynamicRegistrationEndpoint.java
index a599ffd9b..dbacb3d27 100644
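Review bot: The first two hunks re-add `import javax.servlet.http.HttpSession;`, `import org.springframework.web.context.request.RequestContextHolder;` and `import org.springframework.web.context.request.ServletRequestAttributes;`, yet nothing in the visible code hunks of this file references any of them; if the rest of ConnectTokenEnhancer does not use them either, the revert is reintroducing dead imports that tie a token enhancer to the servlet request context for no reason, and they should be left out of the revert. A revert that is meant to restore the pre-refactor JWT handling should be limited to that, and the import hunks are worth checking against the current file before merging. The enclosing method of the `@@ -92` hunk starts and ends outside the hunk.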
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientDynamicRegistrationEndpoint.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientDynamicRegistrationEndpoint.java
@@ -57,9 +57,7 @@ import com.google.common.collect.Maps;
 import com.google.common.collect.Sets;
 import com.nimbusds.jose.JWSAlgorithm;
 import com.nimbusds.jose.JWSHeader;
-import com.nimbusds.jwt.JWT;
 import com.nimbusds.jwt.JWTClaimsSet;
-import com.nimbusds.jwt.PlainJWT;
 import com.nimbusds.jwt.SignedJWT;
 @Controller
@@ -365,18 +363,11 @@ public class ClientDynamicRegistrationEndpoint {
 // TODO: use client's default signing algorithm
 JWSAlgorithm signingAlg = jwtService.getDefaultSigningAlgorithm();
-
- JWT jwt;
-
- if (signingAlg.equals(JWSAlgorithm.NONE)) { // alg:none
- jwt = new PlainJWT(claims);
- } else { // signature needed
- jwt = new SignedJWT(new JWSHeader(signingAlg), claims);
- }
+ SignedJWT signed = new SignedJWT(new JWSHeader(signingAlg), claims);
- jwtService.signJwt(jwt);
+ jwtService.signJwt(signed);
- token.setJwt(jwt);
+ token.setJwt(signed);
 tokenService.saveAccessToken(token);