diff --git a/.settings/org.eclipse.m2e.core.prefs b/.settings/org.eclipse.m2e.core.prefs index f897a7f1c..be9944a7a 100644 --- a/.settings/org.eclipse.m2e.core.prefs +++ b/.settings/org.eclipse.m2e.core.prefs @@ -1,3 +1,4 @@ +#Thu Jun 28 14:40:29 EDT 2012 activeProfiles= eclipse.preferences.version=1 resolveWorkspaceProjects=true diff --git a/account-chooser/.settings/org.eclipse.m2e.core.prefs b/account-chooser/.settings/org.eclipse.m2e.core.prefs index f897a7f1c..be9944a7a 100644 --- a/account-chooser/.settings/org.eclipse.m2e.core.prefs +++ b/account-chooser/.settings/org.eclipse.m2e.core.prefs @@ -1,3 +1,4 @@ +#Thu Jun 28 14:40:29 EDT 2012 activeProfiles= eclipse.preferences.version=1 resolveWorkspaceProjects=true diff --git a/openid-connect-client/.classpath b/openid-connect-client/.classpath index 784c4613e..60a139828 100644 --- a/openid-connect-client/.classpath +++ b/openid-connect-client/.classpath @@ -1,7 +1,6 @@ - diff --git a/openid-connect-client/.settings/org.eclipse.jdt.core.prefs b/openid-connect-client/.settings/org.eclipse.jdt.core.prefs new file mode 100644 index 000000000..50381aa37 --- /dev/null +++ b/openid-connect-client/.settings/org.eclipse.jdt.core.prefs @@ -0,0 +1,6 @@ +#Thu Jun 28 14:40:32 EDT 2012 +eclipse.preferences.version=1 +org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.6 +org.eclipse.jdt.core.compiler.compliance=1.6 +org.eclipse.jdt.core.compiler.problem.forbiddenReference=warning +org.eclipse.jdt.core.compiler.source=1.6 diff --git a/openid-connect-client/.settings/org.eclipse.jdt.launching.prefs b/openid-connect-client/.settings/org.eclipse.jdt.launching.prefs index d211d3263..8f30fe98e 100644 --- a/openid-connect-client/.settings/org.eclipse.jdt.launching.prefs +++ b/openid-connect-client/.settings/org.eclipse.jdt.launching.prefs @@ -1,2 +1,3 @@ +#Thu Jun 28 14:40:29 EDT 2012 eclipse.preferences.version=1 org.eclipse.jdt.launching.PREF_STRICTLY_COMPATIBLE_JRE_NOT_AVAILABLE=warning 
diff --git a/openid-connect-common/.classpath b/openid-connect-common/.classpath index bf96ac098..191f61b4a 100644 --- a/openid-connect-common/.classpath +++ b/openid-connect-common/.classpath @@ -1,7 +1,6 @@ - diff --git a/openid-connect-common/.settings/org.eclipse.jdt.launching.prefs b/openid-connect-common/.settings/org.eclipse.jdt.launching.prefs index d211d3263..8f30fe98e 100644 --- a/openid-connect-common/.settings/org.eclipse.jdt.launching.prefs +++ b/openid-connect-common/.settings/org.eclipse.jdt.launching.prefs @@ -1,2 +1,3 @@ +#Thu Jun 28 14:40:29 EDT 2012 eclipse.preferences.version=1 org.eclipse.jdt.launching.PREF_STRICTLY_COMPATIBLE_JRE_NOT_AVAILABLE=warning diff --git a/openid-connect-server/.project b/openid-connect-server/.project index ad10df1ca..ede02b1be 100644 --- a/openid-connect-server/.project +++ b/openid-connect-server/.project @@ -1,8 +1,10 @@ - openid + openid-connect-server Reference implementation of OpenID Connect spec (http://openid.net/connect/). NO_M2ECLIPSE_SUPPORT: Project files created with the maven-eclipse-plugin are not supported in M2Eclipse. + openid-connect-common + spring-security-oauth2 @@ -21,12 +23,12 @@ - org.eclipse.wst.validation.validationbuilder + org.eclipse.m2e.core.maven2Builder - org.eclipse.m2e.core.maven2Builder + org.eclipse.wst.validation.validationbuilder @@ -34,9 +36,9 @@ org.eclipse.jem.workbench.JavaEMFNature org.eclipse.wst.common.modulecore.ModuleCoreNature + org.eclipse.m2e.core.maven2Nature org.eclipse.jdt.core.javanature org.eclipse.wst.common.project.facet.core.nature org.eclipse.wst.jsdt.core.jsNature - org.eclipse.m2e.core.maven2Nature diff --git a/openid-connect-server/.settings/com.springsource.sts.maven.prefs b/openid-connect-server/.settings/com.springsource.sts.maven.prefs index 049137b9c..36b712942 100644 --- a/openid-connect-server/.settings/com.springsource.sts.maven.prefs +++ b/openid-connect-server/.settings/com.springsource.sts.maven.prefs 
@@ -1,2 +1,3 @@ +#Thu Jun 28 14:40:29 EDT 2012 com.springsource.sts.maven.maven.automatically.update=true eclipse.preferences.version=1 diff --git a/openid-connect-server/.settings/org.eclipse.jdt.core.prefs b/openid-connect-server/.settings/org.eclipse.jdt.core.prefs index d47a0fc68..66cf82ef1 100644 --- a/openid-connect-server/.settings/org.eclipse.jdt.core.prefs +++ b/openid-connect-server/.settings/org.eclipse.jdt.core.prefs @@ -1,19 +1,9 @@ +#Thu Jun 28 14:40:32 EDT 2012 eclipse.preferences.version=1 -org.eclipse.jdt.core.builder.cleanOutputFolder=clean -org.eclipse.jdt.core.builder.duplicateResourceTask=warning -org.eclipse.jdt.core.builder.invalidClasspath=abort -org.eclipse.jdt.core.builder.recreateModifiedClassFileInOutputFolder=ignore -org.eclipse.jdt.core.builder.resourceCopyExclusionFilter=*.launch -org.eclipse.jdt.core.circularClasspath=warning -org.eclipse.jdt.core.classpath.exclusionPatterns=enabled -org.eclipse.jdt.core.classpath.multipleOutputLocations=enabled org.eclipse.jdt.core.compiler.codegen.inlineJsrBytecode=enabled org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.6 org.eclipse.jdt.core.compiler.compliance=1.6 -org.eclipse.jdt.core.compiler.maxProblemPerUnit=100 org.eclipse.jdt.core.compiler.problem.assertIdentifier=error org.eclipse.jdt.core.compiler.problem.enumIdentifier=error org.eclipse.jdt.core.compiler.problem.forbiddenReference=warning org.eclipse.jdt.core.compiler.source=1.6 -org.eclipse.jdt.core.incompatibleJDKLevel=ignore -org.eclipse.jdt.core.incompleteClasspath=error diff --git a/openid-connect-server/.settings/org.eclipse.wst.common.component b/openid-connect-server/.settings/org.eclipse.wst.common.component index 7becf4b04..abde0c586 100644 --- a/openid-connect-server/.settings/org.eclipse.wst.common.component +++ b/openid-connect-server/.settings/org.eclipse.wst.common.component @@ -1,17 +1,19 @@ - - - + - + + + + + uses - + uses - + 
diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java index c61618e04..697de46b2 100644 --- a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java +++ b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java @@ -21,6 +21,7 @@ package org.mitre.oauth2.service.impl; import java.util.Date; import java.util.List; import java.util.Set; +import java.util.UUID; import org.mitre.oauth2.model.ClientDetailsEntity; import org.mitre.oauth2.model.OAuth2AccessTokenEntity; @@ -64,19 +65,12 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi @Autowired private ClientDetailsEntityService clientDetailsService; - @Autowired - private OAuth2AccessTokenEntityFactory accessTokenFactory; - - @Autowired - private OAuth2RefreshTokenEntityFactory refreshTokenFactory; - @Autowired private TokenEnhancer tokenEnhancer; @Override public OAuth2AccessTokenEntity createAccessToken(OAuth2Authentication authentication) throws AuthenticationException, InvalidClientException { - if (authentication != null && - authentication.getAuthorizationRequest() != null) { + if (authentication != null && authentication.getAuthorizationRequest() != null) { // look up our client AuthorizationRequest clientAuth = authentication.getAuthorizationRequest(); 
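Review bot: The added `import java.util.UUID;` is not referenced by any hunk of this file — the random identifiers are generated in ConnectTokenEnhancer, and the replacements for the removed factories are plain `new OAuth2RefreshTokenEntity()` / `new OAuth2AccessTokenEntity()` — so unless a part of the file not shown here uses it, the import is dead and should be dropped rather than left to suggest this class randomizes tokens itself. With `accessTokenFactory` and `refreshTokenFactory` gone, nothing in this service visibly assigns either token a value any more; that responsibility now rests entirely on the enhancer, which is worth a one-line comment at the field declaration, e.g. `// token values/claims are populated by the TokenEnhancer, not here`. `createAccessToken` continues past the end of this hunk.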
@@ -121,8 +115,8 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi // attach a refresh token, if this client is allowed to request them if (client.isAllowRefresh()) { - OAuth2RefreshTokenEntity refreshToken = refreshTokenFactory.createNewRefreshToken(); - + OAuth2RefreshTokenEntity refreshToken = new OAuth2RefreshTokenEntity(); //refreshTokenFactory.createNewRefreshToken(); + // make it expire if necessary if (client.getRefreshTokenValiditySeconds() != null) { Date expiration = new Date(System.currentTimeMillis() + (client.getRefreshTokenValiditySeconds() * 1000L)); @@ -132,17 +126,22 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi // save our scopes so that we can reuse them later for more auth tokens // TODO: save the auth instead of the just the scope? if (client.isScoped()) { - refreshToken.setScope(clientAuth.getScope()); + refreshToken.setScope(token.getScope()); } - + + // save the token first so that we can set it to a member of the access token (NOTE: is this step necessary?) tokenRepository.saveRefreshToken(refreshToken); token.setRefreshToken(refreshToken); - } - + } + tokenEnhancer.enhance(token, authentication); - tokenRepository.saveAccessToken(token); + tokenRepository.saveAccessToken(token); + + if (token.getRefreshToken() != null) { + tokenRepository.saveRefreshToken(token.getRefreshToken()); // make sure we save any changes that might have been enhanced + } return token; } 
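Review bot: `new OAuth2RefreshTokenEntity()` gives the refresh token no value of its own, and the only random material visible anywhere in this change is the nonce that ConnectTokenEnhancer writes into `token.getRefreshToken().getJwt()` — which runs after `tokenRepository.saveRefreshToken(refreshToken)` has already persisted the bare entity, hence the second save after `enhance`. If the enhancer is not wired for a deployment, or the bare entity's JWT is never initialized, a refresh token with no unpredictable content is stored; I would fail closed after enhancement rather than rely on the ordering, e.g. `if (token.getRefreshToken() != null && token.getRefreshToken().getJwt() == null) { throw new IllegalStateException("refresh token was not populated by the token enhancer"); }` (exact accessor to be confirmed against OAuth2RefreshTokenEntity). The commented-out `//refreshTokenFactory.createNewRefreshToken();` should be deleted, and the `(NOTE: is this step necessary?)` comment replaced by the actual reason, e.g. `// persist first so the access token can reference it; re-saved below because the enhancer mutates it`.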
@@ -178,14 +177,14 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi // TODO: have the option to recycle the refresh token here, too // for now, we just reuse it as long as it's valid, which is the original intent - OAuth2AccessTokenEntity token = accessTokenFactory.createNewAccessToken(); + OAuth2AccessTokenEntity token = new OAuth2AccessTokenEntity(); //accessTokenFactory.createNewAccessToken(); if (scope != null && !scope.isEmpty()) { // ensure a proper subset of scopes if (refreshToken.getScope() != null && refreshToken.getScope().containsAll(scope)) { // set the scope of the new access token if requested - refreshToken.setScope(scope); + token.setScope(scope); } else { // up-scoping is not allowed // (TODO: should this throw InvalidScopeException? For now just pass through) @@ -204,6 +203,9 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi } token.setRefreshToken(refreshToken); + + // TODO: call the token enhancer on refresh, too + //tokenEnhancer.enhance(token, refreshToken.get) tokenRepository.saveAccessToken(token); @@ -348,16 +350,6 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi return this; } - public DefaultOAuth2ProviderTokenServicesBuilder setAccessTokenFactory(OAuth2AccessTokenEntityFactory accessTokenFactory) { - instance.accessTokenFactory = accessTokenFactory; - return this; - } - - public DefaultOAuth2ProviderTokenServicesBuilder setRefreshTokenFactory(OAuth2RefreshTokenEntityFactory refreshTokenFactory) { - instance.refreshTokenFactory = refreshTokenFactory; - return this; - } - public DefaultOAuth2ProviderTokenServicesBuilder setTokenEnhancer(TokenEnhancer tokenEnhancer) { instance.tokenEnhancer = tokenEnhancer; return this; 
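Review bot: On the refresh path the new access token is built with `new OAuth2AccessTokenEntity()` and the enhancer call is left as a commented-out TODO, so — unlike `createAccessToken` — the refreshed token is saved without the enhancer ever setting its issued-at, expiration or random identifier, and with the factory removed nothing else visible in this hunk gives it any unpredictable content. If the refresh token retains its original `OAuth2Authentication` (the truncated `refreshToken.get` suggests an accessor), the call should be `tokenEnhancer.enhance(token, <that authentication>);` before `tokenRepository.saveAccessToken(token)`; otherwise the refresh path needs its own source of token identity before this lands. The `token.setScope(scope)` fix is right, but the `else` branch still "passes through" a request for scopes outside the refresh token's grant; since the code already names it, throwing `InvalidScopeException` there is the safe behaviour. The stale `//accessTokenFactory.createNewAccessToken();` comment should go as well.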
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java index 1665941b9..8a40906ce 100644 --- a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java +++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java @@ -17,6 +17,7 @@ package org.mitre.openid.connect.token; import java.security.NoSuchAlgorithmException; import java.util.Date; +import java.util.UUID; import org.mitre.jwt.signer.service.JwtSigningAndValidationService; import org.mitre.oauth2.model.OAuth2AccessTokenEntity; @@ -61,6 +62,12 @@ public class ConnectTokenEnhancer implements TokenEnhancer { token.getJwt().getClaims().setIssuedAt(new Date()); token.getJwt().getClaims().setExpiration(token.getExpiration()); + + token.getJwt().getClaims().setNonce(UUID.randomUUID().toString()); // set a random NONCE in the middle of it + + if (token.getRefreshToken() != null) { + token.getRefreshToken().getJwt().getClaims().setNonce(UUID.randomUUID().toString()); // set a random nonce in the middle of it + } //TODO: check for client's preferred signer alg and use that try {
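Review bot: `nonce` is the wrong claim to carry a server-generated token identifier: in OpenID Connect `nonce` is the client-supplied value from the authentication request that must be echoed back for replay binding, so writing `UUID.randomUUID()` into it (on both the access token JWT and the refresh token JWT) repurposes a reserved claim and would silently clobber a real client nonce if these claims are ever reused for an ID token. The JWT-standard claim for a unique token id is `jti`; if the claims class has a JWT-ID setter use that, otherwise add one rather than overloading `setNonce`. `UUID.randomUUID()` itself is backed by a cryptographically strong RNG, so the entropy is fine. `token.getRefreshToken().getJwt().getClaims()` is dereferenced without checking `getJwt()`, and the caller now constructs the refresh token as a bare `new OAuth2RefreshTokenEntity()`, so confirm that entity initializes its JWT or guard it; the comment `// set a random NONCE in the middle of it` should say what the value is for, e.g. `// unique per-token identifier; this is the only randomness in the token value`.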