github
/
OpenID-Connect-Java-Spring-Server
mirror of https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge remote-tracking branch 'mitre/master' into devel-1.3.1 

* mitre/master: (153 commits)
  removed old document PDFs from repo
  check for missing refresh token value on refresh, closes #1242
  removed unused field from UI config bean
  fixed client readme file
  Updated copyrights
  Corrected typo
  fixed unit test for new default redirect behavior
  set redirect URI matching to strict by default
  escaped output values on approval page, closes #1111
  added changelog file
  [maven-release-plugin] prepare for next development iteration
  [maven-release-plugin] prepare release mitreid-connect-1.3.1
  downgrade mysql dependency to GA version
  Removed double 'sure'
  fixed discovery endpoint, closes #1230
  Completed end session endpoint
  end session endpoint
  skeleton of end session endpoint, maybe need a change to user info lookup
  Fix psql_database script, replace SERIAL with BIGSERIAL and fix ...
  [maven-release-plugin] prepare for next development iteration
  ...
pull/1611/head
Andrea Ceccanti 2017-09-21 14:25:06 +02:00
parent ebdce87f5f ef01d3032e
commit 2b1df25aad
470 changed files with 25142 additions and 20830 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -1,4 +1,3 @@
local-values.conf
target
*~
bin

22
CHANGELOG.md Normal file
View File

@ -0,0 +1,22 @@
Unreleased:
- Added changelog
- Set default redirect URI resolver strict matching to true
- Fixed XSS vulnerability on redirect URI display on approval page
*1.3.1*:
- Added End Session endpoint
- Fixed discovery endpoint
- Downgrade MySQL connector dependency version from developer preview to GA release
*1.3.0*:
- Added device flow support
- Added PKCE support
- Modularized UI to allow better overlay and extensions
- Modularized data import/export API
- Added software statements to dynamic client registration
- Added assertion processing framework
- Removed ID tokens from storage
- Removed structured scopes
*1.2.6*:
- Added string HEART compliance mode

7
LICENSE.txt
View File

@ -1,8 +1,9 @@
Copyright 2016 The MITRE Corporation
and the MIT Internet Trust Consortium
Copyright 2017 The MIT Internet Trust Consortium
Portions copyright 2011-2013 The MITRE Corporation
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
you may not use this project except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0

7
README.md
View File

@ -1,7 +1,7 @@
# MITREid Connect
---
[![Maven Central](https://maven-badges.herokuapp.com/maven-central/org.mitre/openid-connect-parent/badge.svg)](https://maven-badges.herokuapp.com/maven-central/org.mitre/openid-connect-parent) [![Travis CI](https://travis-ci.org/mitreid-connect/OpenID-Connect-Java-Spring-Server.svg?branch=master)](https://travis-ci.org/mitreid-connect/OpenID-Connect-Java-Spring-Server)
[![Maven Central](https://maven-badges.herokuapp.com/maven-central/org.mitre/openid-connect-parent/badge.svg)](https://maven-badges.herokuapp.com/maven-central/org.mitre/openid-connect-parent) [![Travis CI](https://travis-ci.org/mitreid-connect/OpenID-Connect-Java-Spring-Server.svg?branch=master)](https://travis-ci.org/mitreid-connect/OpenID-Connect-Java-Spring-Server) [![Codecov](https://codecov.io/github/mitreid-connect/OpenID-Connect-Java-Spring-Server/coverage.svg?branch=master)](https://codecov.io/github/mitreid-connect/OpenID-Connect-Java-Spring-Server)
This project contains a certified OpenID Connect reference implementation in Java on the Spring platform, including a functioning [server library](openid-connect-server), [deployable server package](openid-connect-server-webapp), [client (RP) library](openid-connect-client), and general [utility libraries](openid-connect-common). The server can be used as an OpenID Connect Identity Provider as well as a general-purpose OAuth 2.0 Authorization Server.
@ -28,7 +28,4 @@ The authors and key contributors of the project include:
* [Mark Janssen](https://github.com/praseodym)
Copyright ©2016, [The MITRE Corporation](http://www.mitre.org/)
and the [MIT Internet Trust Consortium](http://www.mit-trust.org/). Licensed under the Apache 2.0 license, for details see `LICENSE.txt`.
Copyright ©2017, [MIT Internet Trust Consortium](http://www.trust.mit.edu/). Licensed under the Apache 2.0 license, for details see `LICENSE.txt`.

3
README_zh_CN.md
View File

@ -35,5 +35,4 @@
版权所有 ©2016, [ MITRE公司 ](http://www.mitre.org/)
以及 [MIT因特网信任联盟](http://www.mit-trust.org/). 采用Apache 2.0许可证, 详见 `LICENSE.txt`.
版权所有 ©2017 [MIT因特网信任联盟](http://www.mit-trust.org/). 采用Apache 2.0许可证, 详见 `LICENSE.txt`.

5
checkstyle.xml
View File

@ -1,7 +1,8 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright 2016 The MITRE Corporation
and the MIT Internet Trust Consortium
Copyright 2017 The MIT Internet Trust Consortium
Portions copyright 2011-2013 The MITRE Corporation
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.

BIN
docs/OAuth2.0_Diagrams.pdf
View File

Binary file not shown.

BIN
docs/OpenID_Connect_Diagrams.pdf
View File

Binary file not shown.

2
openid-connect-client/README.md
View File

@ -2,7 +2,7 @@
## Overview ##
This project contains an OpenID Connect Client implemented as a Spring Security AuthenticationFilter. The client facilitates a user's authentication into the secured application to an OpenID Connect Java Spring Server following the OpenID Connect Standard protocol.
This project contains an OpenID Connect Client implemented as a Spring Security AuthenticationFilter. The client facilitates a user's authentication into the secured application to an OpenID Connect Server following the OpenID Connect standard protocol.
## Configuring ##

7
openid-connect-client/pom.xml
View File

@ -1,7 +1,8 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright 2016 The MITRE Corporation
and the MIT Internet Trust Consortium
Copyright 2017 The MIT Internet Trust Consortium
Portions copyright 2011-2013 The MITRE Corporation
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@ -21,7 +22,7 @@
<parent>
<artifactId>openid-connect-parent</artifactId>
<groupId>org.mitre</groupId>
<version>1.3.0.cnaf-SNAPSHOT</version>
<version>1.3.2.cnaf-SNAPSHOT</version>
<relativePath>..</relativePath>
</parent>
<artifactId>openid-connect-client</artifactId>

33
openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/IntrospectingTokenService.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -16,6 +17,8 @@
*******************************************************************************/
package org.mitre.oauth2.introspectingfilter;
import static org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod.SECRET_BASIC;
import java.io.IOException;
import java.net.URI;
import java.util.Calendar;
@ -54,8 +57,6 @@ import com.google.gson.JsonObject;
import com.google.gson.JsonParser;
import com.nimbusds.jose.util.Base64;
import static org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod.SECRET_BASIC;
/**
* This ResourceServerTokenServices implementation introspects incoming tokens at a
* server's introspection endpoint URL and passes an Authentication object along
@ -73,10 +74,15 @@ public class IntrospectingTokenService implements ResourceServerTokenServices {
private boolean cacheNonExpiringTokens = false;
private boolean cacheTokens = true;
private HttpClient httpClient = HttpClientBuilder.create()
.useSystemProperties()
.build();
private HttpComponentsClientHttpRequestFactory factory = new HttpComponentsClientHttpRequestFactory(httpClient);
private HttpComponentsClientHttpRequestFactory factory;
public IntrospectingTokenService() {
this(HttpClientBuilder.create().useSystemProperties().build());
}
public IntrospectingTokenService(HttpClient httpClient) {
this.factory = new HttpComponentsClientHttpRequestFactory(httpClient);
}
// Inner class to store in the hash map
private class TokenCacheObject {
@ -235,8 +241,13 @@ public class IntrospectingTokenService implements ResourceServerTokenServices {
return storedRequest;
}
private Authentication createAuthentication(JsonObject token) {
return new PreAuthenticatedAuthenticationToken(token.get("sub").getAsString(), token, introspectionAuthorityGranter.getAuthorities(token));
private Authentication createUserAuthentication(JsonObject token) {
JsonElement userId = token.get("user_id");
if(userId == null) {
return null;
}
return new PreAuthenticatedAuthenticationToken(userId.getAsString(), token, introspectionAuthorityGranter.getAuthorities(token));
}
private OAuth2AccessToken createAccessToken(final JsonObject token, final String tokenString) {
@ -321,7 +332,7 @@ public class IntrospectingTokenService implements ResourceServerTokenServices {
return null;
}
// create an OAuth2Authentication
OAuth2Authentication auth = new OAuth2Authentication(createStoredRequest(tokenResponse), createAuthentication(tokenResponse));
OAuth2Authentication auth = new OAuth2Authentication(createStoredRequest(tokenResponse), createUserAuthentication(tokenResponse));
// create an OAuth2AccessToken
OAuth2AccessToken token = createAccessToken(tokenResponse, accessToken);

5
openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/OAuth2AccessTokenImpl.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.

7
openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/service/IntrospectionAuthorityGranter.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -15,7 +16,7 @@
* limitations under the License.
*******************************************************************************/
/**
*
*
*/
package org.mitre.oauth2.introspectingfilter.service;

7
openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/service/IntrospectionConfigurationService.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -15,7 +16,7 @@
* limitations under the License.
*******************************************************************************/
/**
*
*
*/
package org.mitre.oauth2.introspectingfilter.service;

11
openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/service/impl/JWTParsingIntrospectionConfigurationService.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -15,7 +16,7 @@
* limitations under the License.
*******************************************************************************/
/**
*
*
*/
package org.mitre.oauth2.introspectingfilter.service.impl;
@ -32,11 +33,11 @@ import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTParser;
/**
*
*
* Parses the incoming accesstoken as a JWT and determines the issuer based on
* the "iss" field inside the JWT. Uses the ServerConfigurationService to determine
* the introspection URL for that issuer.
*
*
* @author jricher
*
*/

9
openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/service/impl/ScopeBasedIntrospectionAuthoritiesGranter.java
View File

@ -1,6 +1,5 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -34,7 +33,7 @@ import com.google.gson.JsonObject;
*
*/
public class ScopeBasedIntrospectionAuthoritiesGranter implements IntrospectionAuthorityGranter {
private List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList("ROLE_API");
/* (non-Javadoc)
@ -43,7 +42,7 @@ public class ScopeBasedIntrospectionAuthoritiesGranter implements IntrospectionA
@Override
public List<GrantedAuthority> getAuthorities(JsonObject introspectionResponse) {
List<GrantedAuthority> auth = new ArrayList<>(getAuthorities());
if (introspectionResponse.has("scope") && introspectionResponse.get("scope").isJsonPrimitive()) {
String scopeString = introspectionResponse.get("scope").getAsString();
Set<String> scopes = OAuth2Utils.parseParameterList(scopeString);
@ -51,7 +50,7 @@ public class ScopeBasedIntrospectionAuthoritiesGranter implements IntrospectionA
auth.add(new SimpleGrantedAuthority("OAUTH_SCOPE_" + scope));
}
}
return auth;
}

11
openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/service/impl/SimpleIntrospectionAuthorityGranter.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -15,7 +16,7 @@
* limitations under the License.
*******************************************************************************/
/**
*
*
*/
package org.mitre.oauth2.introspectingfilter.service.impl;
@ -28,9 +29,9 @@ import org.springframework.security.core.authority.AuthorityUtils;
import com.google.gson.JsonObject;
/**
*
*
* Grants the same set of authorities no matter what's passed in.
*
*
* @author jricher
*
*/

11
openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/service/impl/StaticIntrospectionConfigurationService.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -15,7 +16,7 @@
* limitations under the License.
*******************************************************************************/
/**
*
*
*/
package org.mitre.oauth2.introspectingfilter.service.impl;
@ -23,10 +24,10 @@ import org.mitre.oauth2.introspectingfilter.service.IntrospectionConfigurationSe
import org.mitre.oauth2.model.RegisteredClient;
/**
*
*
* Always provides the (configured) IntrospectionURL and RegisteredClient regardless
* of token. Useful for talking to a single, trusted authorization server.
*
*
* @author jricher
*
*/

56
openid-connect-client/src/main/java/org/mitre/openid/connect/client/AuthorizationEndpointException.java Normal file
View File

@ -0,0 +1,56 @@
/*******************************************************************************
* Copyright 2017 The MIT Internet Trust Consortium
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*******************************************************************************/
package org.mitre.openid.connect.client;
import org.springframework.security.authentication.AuthenticationServiceException;
public class AuthorizationEndpointException extends AuthenticationServiceException {
private static final long serialVersionUID = 6953119789654778380L;
private String error;
private String errorDescription;
private String errorURI;
public AuthorizationEndpointException(String error, String errorDescription, String errorURI) {
super("Error from Authorization Endpoint: " + error + " " + errorDescription + " " + errorURI);
this.error = error;
this.errorDescription = errorDescription;
this.errorURI = errorURI;
}
public String getError() {
return error;
}
public String getErrorDescription() {
return errorDescription;
}
public String getErrorURI() {
return errorURI;
}
/* (non-Javadoc)
* @see java.lang.Object#toString()
*/
@Override
public String toString() {
return "AuthorizationEndpointException [error=" + error + ", errorDescription=" + errorDescription + ", errorURI=" + errorURI + "]";
}
}

13
openid-connect-client/src/main/java/org/mitre/openid/connect/client/NamedAdminAuthoritiesMapper.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -15,7 +16,7 @@
* limitations under the License.
*******************************************************************************/
/**
*
*
*/
package org.mitre.openid.connect.client;
@ -34,13 +35,13 @@ import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
/**
*
*
* Simple mapper that adds ROLE_USER to the authorities map for all queries,
* plus adds ROLE_ADMIN if the subject and issuer pair are found in the
* configurable "admins" set.
*
*
* @author jricher
*
*
*/
public class NamedAdminAuthoritiesMapper implements OIDCAuthoritiesMapper {

57
openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -88,9 +89,9 @@ import com.nimbusds.jwt.SignedJWT;
/**
* OpenID Connect Authentication Filter class
*
*
* @author nemonik, jricher
*
*
*/
public class OIDCAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
@ -119,6 +120,8 @@ public class OIDCAuthenticationFilter extends AbstractAuthenticationProcessingFi
@Autowired(required=false)
private JWTSigningAndValidationService authenticationSignerService;
@Autowired(required=false)
private HttpClient httpClient;
/*
* Modular services to build out client filter.
@ -167,9 +170,9 @@ public class OIDCAuthenticationFilter extends AbstractAuthenticationProcessingFi
/*
* This is the main entry point for the filter.
*
*
* (non-Javadoc)
*
*
* @see org.springframework.security.web.authentication.
* AbstractAuthenticationProcessingFilter
* #attemptAuthentication(javax.servlet.http.HttpServletRequest,
@ -202,7 +205,7 @@ public class OIDCAuthenticationFilter extends AbstractAuthenticationProcessingFi
/**
* Initiate an Authorization request
*
*
* @param request
* The request from which to extract parameters and perform the
* authentication
@ -268,7 +271,7 @@ public class OIDCAuthenticationFilter extends AbstractAuthenticationProcessingFi
String state = createState(session);
Map<String, String> options = authOptions.getOptions(serverConfig, clientConfig, request);
// if we're using PKCE, handle the challenge here
if (clientConfig.getCodeChallengeMethod() != null) {
String codeVerifier = createCodeVerifier(session);
@ -285,7 +288,7 @@ public class OIDCAuthenticationFilter extends AbstractAuthenticationProcessingFi
e.printStackTrace();
}
}
}
@ -328,7 +331,7 @@ public class OIDCAuthenticationFilter extends AbstractAuthenticationProcessingFi
form.add("grant_type", "authorization_code");
form.add("code", authorizationCode);
form.setAll(authOptions.getTokenOptions(serverConfig, clientConfig, request));
String codeVerifier = getStoredCodeVerifier(session);
if (codeVerifier != null) {
form.add("code_verifier", codeVerifier);
@ -341,14 +344,14 @@ public class OIDCAuthenticationFilter extends AbstractAuthenticationProcessingFi
// Handle Token Endpoint interaction
HttpClient httpClient = HttpClientBuilder.create()
.useSystemProperties()
.setDefaultRequestConfig(
RequestConfig.custom()
.setSocketTimeout(httpSocketTimeout)
.build()
)
.build();
if(httpClient == null) {
httpClient = HttpClientBuilder.create()
.useSystemProperties()
.setDefaultRequestConfig(RequestConfig.custom()
.setSocketTimeout(httpSocketTimeout)
.build())
.build();
}
HttpComponentsClientHttpRequestFactory factory = new HttpComponentsClientHttpRequestFactory(httpClient);
@ -381,9 +384,9 @@ public class OIDCAuthenticationFilter extends AbstractAuthenticationProcessingFi
JWSAlgorithm alg = clientConfig.getTokenEndpointAuthSigningAlg();
if (SECRET_JWT.equals(clientConfig.getTokenEndpointAuthMethod()) &&
(alg.equals(JWSAlgorithm.HS256)
|| alg.equals(JWSAlgorithm.HS384)
|| alg.equals(JWSAlgorithm.HS512))) {
(JWSAlgorithm.HS256.equals(alg)
|| JWSAlgorithm.HS384.equals(alg)
|| JWSAlgorithm.HS512.equals(alg))) {
// generate one based on client secret
signer = symmetricCacheService.getSymmetricValidtor(clientConfig.getClient());
@ -632,7 +635,7 @@ public class OIDCAuthenticationFilter extends AbstractAuthenticationProcessingFi
/**
* Handle Authorization Endpoint error
*
*
* @param request
* The request from which to extract parameters and handle the
* error
@ -647,7 +650,7 @@ public class OIDCAuthenticationFilter extends AbstractAuthenticationProcessingFi
String errorDescription = request.getParameter("error_description");
String errorURI = request.getParameter("error_uri");
throw new AuthenticationServiceException("Error from Authorization Endpoint: " + error + " " + errorDescription + " " + errorURI);
throw new AuthorizationEndpointException(error, errorDescription, errorURI);
}
/**
@ -706,7 +709,7 @@ public class OIDCAuthenticationFilter extends AbstractAuthenticationProcessingFi
protected static String getStoredState(HttpSession session) {
return getStoredSessionString(session, STATE_SESSION_VARIABLE);
}
/**
* Create a random code challenge and store it in the session
* @param session
@ -717,7 +720,7 @@ public class OIDCAuthenticationFilter extends AbstractAuthenticationProcessingFi
session.setAttribute(CODE_VERIFIER_SESSION_VARIABLE, challenge);
return challenge;
}
/**
* Retrieve the stored challenge from our session
* @param session
@ -759,7 +762,9 @@ public class OIDCAuthenticationFilter extends AbstractAuthenticationProcessingFi
if (!Strings.isNullOrEmpty(target)) {
session.removeAttribute(TARGET_SESSION_VARIABLE);
target = deepLinkFilter.filter(target);
if (deepLinkFilter != null) {
target = deepLinkFilter.filter(target);
}
response.sendRedirect(target);
} else {

13
openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationProvider.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -34,7 +35,7 @@ import com.nimbusds.jwt.JWT;
/**
* @author nemonik, Justin Richer
*
*
*/
public class OIDCAuthenticationProvider implements AuthenticationProvider {
@ -46,7 +47,7 @@ public class OIDCAuthenticationProvider implements AuthenticationProvider {
/*
* (non-Javadoc)
*
*
* @see org.springframework.security.authentication.AuthenticationProvider#
* authenticate(org.springframework.security.core.Authentication)
*/
@ -86,7 +87,7 @@ public class OIDCAuthenticationProvider implements AuthenticationProvider {
/**
* Override this function to return a different kind of Authentication, processes the authorities differently,
* or do post-processing based on the UserInfo object.
*
*
* @param token
* @param authorities
* @param userInfo
@ -115,7 +116,7 @@ public class OIDCAuthenticationProvider implements AuthenticationProvider {
/*
* (non-Javadoc)
*
*
* @see
* org.springframework.security.authentication.AuthenticationProvider#supports
* (java.lang.Class)

3
openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthoritiesMapper.java
View File

@ -1,6 +1,5 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.

5
openid-connect-client/src/main/java/org/mitre/openid/connect/client/StaticPrefixTargetLinkURIChecker.java
View File

@ -1,6 +1,5 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -19,7 +18,7 @@ package org.mitre.openid.connect.client;
/**
* Simple target URI checker, checks whether the string in question starts
* with a configured prefix. Returns "/" if the match fails.
*
*
* @author jricher
*
*/

13
openid-connect-client/src/main/java/org/mitre/openid/connect/client/SubjectIssuerGrantedAuthority.java
View File

@ -1,6 +1,5 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -15,7 +14,7 @@
* limitations under the License.
*******************************************************************************/
/**
*
*
*/
package org.mitre.openid.connect.client;
@ -24,9 +23,9 @@ import org.springframework.security.core.GrantedAuthority;
import com.google.common.base.Strings;
/**
*
*
* Simple authority representing a user at an issuer.
*
*
* @author jricher
*
*/
@ -51,9 +50,9 @@ public class SubjectIssuerGrantedAuthority implements GrantedAuthority {
/**
* Returns a string formed by concatenating the subject with the issuer, separated by _ and prepended with OIDC_
*
*
* For example, the user "bob" from issuer "http://id.example.com/" would return the authority string of:
*
*
* OIDC_bob_http://id.example.com/
*/
@Override

5
openid-connect-client/src/main/java/org/mitre/openid/connect/client/TargetLinkURIChecker.java
View File

@ -1,6 +1,5 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -20,7 +19,7 @@ public interface TargetLinkURIChecker {
/**
* Check the parameter to make sure that it's a valid deep-link into this application.
*
*
* @param target
* @return
*/

130
openid-connect-client/src/main/java/org/mitre/openid/connect/client/UserInfoFetcher.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -18,6 +19,7 @@ package org.mitre.openid.connect.client;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
@ -59,14 +61,18 @@ public class UserInfoFetcher {
private static final Logger logger = LoggerFactory.getLogger(UserInfoFetcher.class);
private LoadingCache<PendingOIDCAuthenticationToken, UserInfo> cache;
public UserInfoFetcher() {
this(HttpClientBuilder.create().useSystemProperties().build());
}
public UserInfoFetcher(HttpClient httpClient) {
cache = CacheBuilder.newBuilder()
.expireAfterWrite(1, TimeUnit.HOURS) // expires 1 hour after fetch
.maximumSize(100)
.build(new UserInfoLoader());
.build(new UserInfoLoader(httpClient));
}
public UserInfo loadUserInfo(final PendingOIDCAuthenticationToken token) {
try {
return cache.get(token);
@ -76,76 +82,72 @@ public class UserInfoFetcher {
}
}
private class UserInfoLoader extends CacheLoader<PendingOIDCAuthenticationToken, UserInfo> {
private HttpClient httpClient = HttpClientBuilder.create()
.useSystemProperties()
.build();
private HttpComponentsClientHttpRequestFactory factory = new HttpComponentsClientHttpRequestFactory(httpClient);
public UserInfo load(final PendingOIDCAuthenticationToken token) {
private HttpComponentsClientHttpRequestFactory factory;
UserInfoLoader(HttpClient httpClient) {
this.factory = new HttpComponentsClientHttpRequestFactory(httpClient);
}
@Override
public UserInfo load(final PendingOIDCAuthenticationToken token) throws URISyntaxException {
ServerConfiguration serverConfiguration = token.getServerConfiguration();
if (serverConfiguration == null) {
logger.warn("No server configuration found.");
return null;
}
if (Strings.isNullOrEmpty(serverConfiguration.getUserInfoUri())) {
logger.warn("No userinfo endpoint, not fetching.");
return null;
}
try {
String userInfoString = null;
if (serverConfiguration.getUserInfoTokenMethod() == null || serverConfiguration.getUserInfoTokenMethod().equals(UserInfoTokenMethod.HEADER)) {
RestTemplate restTemplate = new RestTemplate(factory) {
@Override
protected ClientHttpRequest createRequest(URI url, HttpMethod method) throws IOException {
ClientHttpRequest httpRequest = super.createRequest(url, method);
httpRequest.getHeaders().add("Authorization", String.format("Bearer %s", token.getAccessTokenValue()));
return httpRequest;
}
};
userInfoString = restTemplate.getForObject(serverConfiguration.getUserInfoUri(), String.class);
} else if (serverConfiguration.getUserInfoTokenMethod().equals(UserInfoTokenMethod.FORM)) {
MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
form.add("access_token", token.getAccessTokenValue());
RestTemplate restTemplate = new RestTemplate(factory);
userInfoString = restTemplate.postForObject(serverConfiguration.getUserInfoUri(), form, String.class);
} else if (serverConfiguration.getUserInfoTokenMethod().equals(UserInfoTokenMethod.QUERY)) {
URIBuilder builder = new URIBuilder(serverConfiguration.getUserInfoUri());
builder.setParameter("access_token", token.getAccessTokenValue());
RestTemplate restTemplate = new RestTemplate(factory);
userInfoString = restTemplate.getForObject(builder.toString(), String.class);
}
if (!Strings.isNullOrEmpty(userInfoString)) {
JsonObject userInfoJson = new JsonParser().parse(userInfoString).getAsJsonObject();
UserInfo userInfo = fromJson(userInfoJson);
return userInfo;
} else {
// didn't get anything, return null
return null;
}
} catch (Exception e) {
logger.warn("Error fetching userinfo", e);
return null;
String userInfoString = null;
if (serverConfiguration.getUserInfoTokenMethod() == null || serverConfiguration.getUserInfoTokenMethod().equals(UserInfoTokenMethod.HEADER)) {
RestTemplate restTemplate = new RestTemplate(factory) {
@Override
protected ClientHttpRequest createRequest(URI url, HttpMethod method) throws IOException {
ClientHttpRequest httpRequest = super.createRequest(url, method);
httpRequest.getHeaders().add("Authorization", String.format("Bearer %s", token.getAccessTokenValue()));
return httpRequest;
}
};
userInfoString = restTemplate.getForObject(serverConfiguration.getUserInfoUri(), String.class);
} else if (serverConfiguration.getUserInfoTokenMethod().equals(UserInfoTokenMethod.FORM)) {
MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
form.add("access_token", token.getAccessTokenValue());
RestTemplate restTemplate = new RestTemplate(factory);
userInfoString = restTemplate.postForObject(serverConfiguration.getUserInfoUri(), form, String.class);
} else if (serverConfiguration.getUserInfoTokenMethod().equals(UserInfoTokenMethod.QUERY)) {
URIBuilder builder = new URIBuilder(serverConfiguration.getUserInfoUri());
builder.setParameter("access_token", token.getAccessTokenValue());
RestTemplate restTemplate = new RestTemplate(factory);
userInfoString = restTemplate.getForObject(builder.toString(), String.class);
}
if (!Strings.isNullOrEmpty(userInfoString)) {
JsonObject userInfoJson = new JsonParser().parse(userInfoString).getAsJsonObject();
UserInfo userInfo = fromJson(userInfoJson);
return userInfo;
} else {
// didn't get anything throw exception
throw new IllegalArgumentException("Unable to load user info");
}
}
}

5
openid-connect-client/src/main/java/org/mitre/openid/connect/client/keypublisher/ClientKeyPublisher.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.

7
openid-connect-client/src/main/java/org/mitre/openid/connect/client/keypublisher/ClientKeyPublisherMapping.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -15,7 +16,7 @@
* limitations under the License.
*******************************************************************************/
/**
*
*
*/
package org.mitre.openid.connect.client.keypublisher;

11
openid-connect-client/src/main/java/org/mitre/openid/connect/client/keypublisher/JwkViewResolver.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -15,7 +16,7 @@
* limitations under the License.
*******************************************************************************/
/**
*
*
*/
package org.mitre.openid.connect.client.keypublisher;
@ -26,9 +27,9 @@ import org.springframework.web.servlet.View;
import org.springframework.web.servlet.ViewResolver;
/**
*
*
* Simple view resolver to map JWK view names to appropriate beans
*
*
* @author jricher
*
*/

11
openid-connect-client/src/main/java/org/mitre/openid/connect/client/model/IssuerServiceResponse.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -15,14 +16,14 @@
* limitations under the License.
*******************************************************************************/
/**
*
*
*/
package org.mitre.openid.connect.client.model;
/**
*
*
* Data container to facilitate returns from the IssuerService API.
*
*
* @author jricher
*
*/

15
openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/AuthRequestOptionsService.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -15,7 +16,7 @@
* limitations under the License.
*******************************************************************************/
/**
*
*
*/
package org.mitre.openid.connect.client.service;
@ -27,11 +28,11 @@ import org.mitre.oauth2.model.RegisteredClient;
import org.mitre.openid.connect.config.ServerConfiguration;
/**
*
*
* This service provides any extra options that need to be passed to the authentication request,
* either through the authorization endpoint (getOptions) or the token endpoint (getTokenOptions).
* These options may depend on the server configuration, client configuration, or HTTP request.
*
*
* @author jricher
*
*/
@ -39,7 +40,7 @@ public interface AuthRequestOptionsService {
/**
* The set of options needed at the authorization endpoint.
*
*
* @param server
* @param client
* @param request
@ -49,7 +50,7 @@ public interface AuthRequestOptionsService {
/**
* The set of options needed at the token endpoint.
*
*
* @param server
* @param client
* @param request

9
openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/AuthRequestUrlBuilder.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -15,7 +16,7 @@
* limitations under the License.
*******************************************************************************/
/**
*
*
*/
package org.mitre.openid.connect.client.service;
@ -26,7 +27,7 @@ import org.mitre.openid.connect.config.ServerConfiguration;
/**
* Builds a URL string to the IdP's authorization endpoint.
*
*
* @author jricher
*
*/

7
openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/ClientConfigurationService.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -15,7 +16,7 @@
* limitations under the License.
*******************************************************************************/
/**
*
*
*/
package org.mitre.openid.connect.client.service;

11
openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/IssuerService.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -15,7 +16,7 @@
* limitations under the License.
*******************************************************************************/
/**
*
*
*/
package org.mitre.openid.connect.client.service;
@ -24,9 +25,9 @@ import javax.servlet.http.HttpServletRequest;
import org.mitre.openid.connect.client.model.IssuerServiceResponse;
/**
*
*
* Gets an issuer for the given request. Might do dynamic discovery, or might be statically configured.
*
*
* @author jricher
*
*/

7
openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/RegisteredClientService.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -15,7 +16,7 @@
* limitations under the License.
*******************************************************************************/
/**
*
*
*/
package org.mitre.openid.connect.client.service;

7
openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/ServerConfigurationService.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -15,7 +16,7 @@
* limitations under the License.
*******************************************************************************/
/**
*
*
*/
package org.mitre.openid.connect.client.service;

41
openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/DynamicRegistrationClientConfigurationService.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -15,7 +16,7 @@
* limitations under the License.
*******************************************************************************/
/**
*
*
*/
package org.mitre.openid.connect.client.service.impl;
@ -72,7 +73,11 @@ public class DynamicRegistrationClientConfigurationService implements ClientConf
private Set<String> blacklist = new HashSet<>();
public DynamicRegistrationClientConfigurationService() {
clients = CacheBuilder.newBuilder().build(new DynamicClientRegistrationLoader());
this(HttpClientBuilder.create().useSystemProperties().build());
}
public DynamicRegistrationClientConfigurationService(HttpClient httpClient) {
clients = CacheBuilder.newBuilder().build(new DynamicClientRegistrationLoader(httpClient));
}
@Override
@ -160,21 +165,25 @@ public class DynamicRegistrationClientConfigurationService implements ClientConf
/**
* Loader class that fetches the client information.
*
*
* If a client has been registered (ie, it's known to the RegisteredClientService), then this
* will fetch the client's configuration from the server.
*
*
* @author jricher
*
*/
public class DynamicClientRegistrationLoader extends CacheLoader<ServerConfiguration, RegisteredClient> {
private HttpClient httpClient = HttpClientBuilder.create()
.useSystemProperties()
.build();
private HttpComponentsClientHttpRequestFactory httpFactory = new HttpComponentsClientHttpRequestFactory(httpClient);
private HttpComponentsClientHttpRequestFactory httpFactory;
private Gson gson = new Gson(); // note that this doesn't serialize nulls by default
public DynamicClientRegistrationLoader() {
this(HttpClientBuilder.create().useSystemProperties().build());
}
public DynamicClientRegistrationLoader(HttpClient httpClient) {
this.httpFactory = new HttpComponentsClientHttpRequestFactory(httpClient);
}
@Override
public RegisteredClient load(ServerConfiguration serverConfig) throws Exception {
RestTemplate restTemplate = new RestTemplate(httpFactory);
@ -195,12 +204,12 @@ public class DynamicRegistrationClientConfigurationService implements ClientConf
try {
String registered = restTemplate.postForObject(serverConfig.getRegistrationEndpointUri(), entity, String.class);
RegisteredClient client = ClientDetailsEntityJsonProcessor.parseRegistered(registered);
// save this client for later
registeredClientService.save(serverConfig.getIssuer(), client);
return client;
} catch (RestClientException rce) {
throw new InvalidClientException("Error registering client with server");
@ -219,9 +228,9 @@ public class DynamicRegistrationClientConfigurationService implements ClientConf
try {
String registered = restTemplate.exchange(knownClient.getRegistrationClientUri(), HttpMethod.GET, entity, String.class).getBody();
// TODO: handle HTTP errors
RegisteredClient client = ClientDetailsEntityJsonProcessor.parseRegistered(registered);
return client;
} catch (RestClientException rce) {
throw new InvalidClientException("Error loading previously registered client information from server");

40
openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/DynamicServerConfigurationService.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -15,10 +16,17 @@
* limitations under the License.
*******************************************************************************/
/**
*
*
*/
package org.mitre.openid.connect.client.service.impl;
import static org.mitre.util.JsonUtils.getAsBoolean;
import static org.mitre.util.JsonUtils.getAsEncryptionMethodList;
import static org.mitre.util.JsonUtils.getAsJweAlgorithmList;
import static org.mitre.util.JsonUtils.getAsJwsAlgorithmList;
import static org.mitre.util.JsonUtils.getAsString;
import static org.mitre.util.JsonUtils.getAsStringList;
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.ExecutionException;
@ -41,17 +49,10 @@ import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;
import static org.mitre.util.JsonUtils.getAsBoolean;
import static org.mitre.util.JsonUtils.getAsEncryptionMethodList;
import static org.mitre.util.JsonUtils.getAsJweAlgorithmList;
import static org.mitre.util.JsonUtils.getAsJwsAlgorithmList;
import static org.mitre.util.JsonUtils.getAsString;
import static org.mitre.util.JsonUtils.getAsStringList;
/**
*
*
* Dynamically fetches OpenID Connect server configurations based on the issuer. Caches the server configurations.
*
*
* @author jricher
*
*/
@ -69,8 +70,12 @@ public class DynamicServerConfigurationService implements ServerConfigurationSer
private Set<String> blacklist = new HashSet<>();
public DynamicServerConfigurationService() {
this(HttpClientBuilder.create().useSystemProperties().build());
}
public DynamicServerConfigurationService(HttpClient httpClient) {
// initialize the cache
servers = CacheBuilder.newBuilder().build(new OpenIDConnectServiceConfigurationFetcher());
servers = CacheBuilder.newBuilder().build(new OpenIDConnectServiceConfigurationFetcher(httpClient));
}
/**
@ -126,12 +131,13 @@ public class DynamicServerConfigurationService implements ServerConfigurationSer
*
*/
private class OpenIDConnectServiceConfigurationFetcher extends CacheLoader<String, ServerConfiguration> {
private HttpClient httpClient = HttpClientBuilder.create()
.useSystemProperties()
.build();
private HttpComponentsClientHttpRequestFactory httpFactory = new HttpComponentsClientHttpRequestFactory(httpClient);
private HttpComponentsClientHttpRequestFactory httpFactory;
private JsonParser parser = new JsonParser();
OpenIDConnectServiceConfigurationFetcher(HttpClient httpClient) {
this.httpFactory = new HttpComponentsClientHttpRequestFactory(httpClient);
}
@Override
public ServerConfiguration load(String issuer) throws Exception {
RestTemplate restTemplate = new RestTemplate(httpFactory);

7
openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/EncryptedAuthRequestUrlBuilder.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -15,7 +16,7 @@
* limitations under the License.
*******************************************************************************/
/**
*
*
*/
package org.mitre.openid.connect.client.service.impl;

13
openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/HybridClientConfigurationService.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -15,7 +16,7 @@
* limitations under the License.
*******************************************************************************/
/**
*
*
*/
package org.mitre.openid.connect.client.service.impl;
@ -31,12 +32,12 @@ import org.mitre.openid.connect.config.ServerConfiguration;
* Houses both a static client configuration and a dynamic client configuration
* service in one object. Checks the static service first, then falls through to
* the dynamic service.
*
*
* Provides configuration passthrough for the template, registered client service, whitelist,
* and blacklist for the dynamic service, and to the static service's client map.
*
*
* @author jricher
*
*
*/
public class HybridClientConfigurationService implements ClientConfigurationService {

9
openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/HybridIssuerService.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -26,11 +27,11 @@ import org.mitre.openid.connect.client.service.IssuerService;
import com.google.common.collect.Sets;
/**
*
*
* Issuer service that tries to parse input from the inputs from a third-party
* account chooser service (if possible), but falls back to webfinger discovery
* if not.
*
*
* @author jricher
*
*/

13
openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/HybridServerConfigurationService.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -15,7 +16,7 @@
* limitations under the License.
*******************************************************************************/
/**
*
*
*/
package org.mitre.openid.connect.client.service.impl;
@ -29,11 +30,11 @@ import org.mitre.openid.connect.config.ServerConfiguration;
* Houses both a static server configuration and a dynamic server configuration
* service in one object. Checks the static service first, then falls through to
* the dynamic service.
*
*
* Provides configuration passthrough to the dynamic service's whitelist and blacklist,
* and to the static service's server map.
*
*
*
*
* @author jricher
*
*/

7
openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/InMemoryRegisteredClientService.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -15,7 +16,7 @@
* limitations under the License.
*******************************************************************************/
/**
*
*
*/
package org.mitre.openid.connect.client.service.impl;

35
openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/JsonFileRegisteredClientService.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -15,7 +16,7 @@
* limitations under the License.
*******************************************************************************/
/**
*
*
*/
package org.mitre.openid.connect.client.service.impl;
@ -55,20 +56,20 @@ public class JsonFileRegisteredClientService implements RegisteredClientService
private static final Logger logger = LoggerFactory.getLogger(JsonFileRegisteredClientService.class);
private Gson gson = new GsonBuilder()
.registerTypeAdapter(RegisteredClient.class, new JsonSerializer<RegisteredClient>() {
@Override
public JsonElement serialize(RegisteredClient src, Type typeOfSrc, JsonSerializationContext context) {
return ClientDetailsEntityJsonProcessor.serialize(src);
}
})
.registerTypeAdapter(RegisteredClient.class, new JsonDeserializer<RegisteredClient>() {
@Override
public RegisteredClient deserialize(JsonElement json, Type typeOfT, JsonDeserializationContext context) throws JsonParseException {
return ClientDetailsEntityJsonProcessor.parseRegistered(json);
}
})
.setPrettyPrinting()
.create();
.registerTypeAdapter(RegisteredClient.class, new JsonSerializer<RegisteredClient>() {
@Override
public JsonElement serialize(RegisteredClient src, Type typeOfSrc, JsonSerializationContext context) {
return ClientDetailsEntityJsonProcessor.serialize(src);
}
})
.registerTypeAdapter(RegisteredClient.class, new JsonDeserializer<RegisteredClient>() {
@Override
public RegisteredClient deserialize(JsonElement json, Type typeOfT, JsonDeserializationContext context) throws JsonParseException {
return ClientDetailsEntityJsonProcessor.parseRegistered(json);
}
})
.setPrettyPrinting()
.create();
private File file;

11
openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/PlainAuthRequestUrlBuilder.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -15,7 +16,7 @@
* limitations under the License.
*******************************************************************************/
/**
*
*
*/
package org.mitre.openid.connect.client.service.impl;
@ -33,9 +34,9 @@ import com.google.common.base.Joiner;
import com.google.common.base.Strings;
/**
*
*
* Builds an auth request redirect URI with normal query parameters.
*
*
* @author jricher
*
*/

7
openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/SignedAuthRequestUrlBuilder.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -15,7 +16,7 @@
* limitations under the License.
*******************************************************************************/
/**
*
*
*/
package org.mitre.openid.connect.client.service.impl;

11
openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/StaticAuthRequestOptionsService.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -15,7 +16,7 @@
* limitations under the License.
*******************************************************************************/
/**
*
*
*/
package org.mitre.openid.connect.client.service.impl;
@ -29,9 +30,9 @@ import org.mitre.openid.connect.client.service.AuthRequestOptionsService;
import org.mitre.openid.connect.config.ServerConfiguration;
/**
*
*
* Always returns the same set of options.
*
*
* @author jricher
*
*/

13
openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/StaticClientConfigurationService.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -15,7 +16,7 @@
* limitations under the License.
*******************************************************************************/
/**
*
*
*/
package org.mitre.openid.connect.client.service.impl;
@ -29,9 +30,9 @@ import org.mitre.openid.connect.config.ServerConfiguration;
/**
* Client configuration service that holds a static map from issuer URL to a ClientDetails object to use at that issuer.
*
*
* Designed to be configured as a bean.
*
*
* @author jricher
*
*/
@ -56,7 +57,7 @@ public class StaticClientConfigurationService implements ClientConfigurationServ
/**
* Get the client configured for this issuer
*
*
* @see org.mitre.openid.connect.client.service.ClientConfigurationService#getClientConfiguration(java.lang.String)
*/
@Override

9
openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/StaticServerConfigurationService.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -15,7 +16,7 @@
* limitations under the License.
*******************************************************************************/
/**
*
*
*/
package org.mitre.openid.connect.client.service.impl;
@ -28,7 +29,7 @@ import org.mitre.openid.connect.config.ServerConfiguration;
/**
* Statically configured server configuration service that maps issuer URLs to server configurations to use at that issuer.
*
*
* @author jricher
*
*/

9
openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/StaticSingleIssuerService.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -15,7 +16,7 @@
* limitations under the License.
*******************************************************************************/
/**
*
*
*/
package org.mitre.openid.connect.client.service.impl;
@ -51,7 +52,7 @@ public class StaticSingleIssuerService implements IssuerService {
/**
* Always returns the configured issuer URL
*
*
* @see org.mitre.openid.connect.client.service.IssuerService#getIssuer(javax.servlet.http.HttpServletRequest)
*/
@Override

11
openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/ThirdPartyIssuerService.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -15,7 +16,7 @@
* limitations under the License.
*******************************************************************************/
/**
*
*
*/
package org.mitre.openid.connect.client.service.impl;
@ -34,9 +35,9 @@ import org.springframework.security.authentication.AuthenticationServiceExceptio
import com.google.common.base.Strings;
/**
*
*
* Determines the issuer using an account chooser or other third-party-initiated login
*
*
* @author jricher
*
*/

30
openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/WebfingerIssuerService.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -15,7 +16,7 @@
* limitations under the License.
*******************************************************************************/
/**
*
*
*/
package org.mitre.openid.connect.client.service.impl;
@ -74,7 +75,7 @@ public class WebfingerIssuerService implements IssuerService {
this.issuer = issuer;
}
}
private Set<String> whitelist = new HashSet<>();
private Set<String> blacklist = new HashSet<>();
@ -94,7 +95,11 @@ public class WebfingerIssuerService implements IssuerService {
private boolean forceHttps = true;
public WebfingerIssuerService() {
issuers = CacheBuilder.newBuilder().build(new WebfingerIssuerFetcher());
this(HttpClientBuilder.create().useSystemProperties().build());
}
public WebfingerIssuerService(HttpClient httpClient) {
issuers = CacheBuilder.newBuilder().build(new WebfingerIssuerFetcher(httpClient));
}
/* (non-Javadoc)
@ -115,7 +120,7 @@ public class WebfingerIssuerService implements IssuerService {
throw new AuthenticationServiceException("Issuer was in blacklist: " + lr.issuer);
}
return new IssuerServiceResponse(lr.issuer, lr.loginHint, null);
return new IssuerServiceResponse(lr.issuer, lr.loginHint, request.getParameter("target_link_uri"));
} catch (UncheckedExecutionException | ExecutionException e) {
logger.warn("Issue fetching issuer for user input: " + identifier + ": " + e.getMessage());
return null;
@ -203,17 +208,18 @@ public class WebfingerIssuerService implements IssuerService {
*
*/
private class WebfingerIssuerFetcher extends CacheLoader<String, LoadingResult> {
private HttpClient httpClient = HttpClientBuilder.create()
.useSystemProperties()
.build();
private HttpComponentsClientHttpRequestFactory httpFactory = new HttpComponentsClientHttpRequestFactory(httpClient);
private HttpComponentsClientHttpRequestFactory httpFactory;
private JsonParser parser = new JsonParser();
WebfingerIssuerFetcher(HttpClient httpClient) {
this.httpFactory = new HttpComponentsClientHttpRequestFactory(httpClient);
}
@Override
public LoadingResult load(String identifier) throws Exception {
UriComponents key = WebfingerURLNormalizer.normalizeResource(identifier);
RestTemplate restTemplate = new RestTemplate(httpFactory);
// construct the URL to go to
@ -263,7 +269,7 @@ public class WebfingerIssuerService implements IssuerService {
// we found the issuer, return it
String href = linkObj.get("href").getAsString();
if (identifier.equals(href)
|| identifier.startsWith("http")) {
// try to avoid sending a URL as the login hint

3
openid-connect-client/src/test/java/org/mitre/oauth2/introspectingfilter/TestOAuth2AccessTokenImpl.java
View File

@ -1,6 +1,5 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.

17
openid-connect-client/src/test/java/org/mitre/oauth2/introspectingfilter/service/impl/TestScopeBasedIntrospectionAuthoritiesGranter.java
View File

@ -1,6 +1,5 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -38,7 +37,7 @@ public class TestScopeBasedIntrospectionAuthoritiesGranter {
private JsonObject introspectionResponse;
private ScopeBasedIntrospectionAuthoritiesGranter granter = new ScopeBasedIntrospectionAuthoritiesGranter();
/**
* @throws java.lang.Exception
*/
@ -53,16 +52,16 @@ public class TestScopeBasedIntrospectionAuthoritiesGranter {
@Test
public void testGetAuthoritiesJsonObject_withScopes() {
introspectionResponse.addProperty("scope", "foo bar baz batman");
List<GrantedAuthority> expected = new ArrayList<>();
expected.add(new SimpleGrantedAuthority("ROLE_API"));
expected.add(new SimpleGrantedAuthority("OAUTH_SCOPE_foo"));
expected.add(new SimpleGrantedAuthority("OAUTH_SCOPE_bar"));
expected.add(new SimpleGrantedAuthority("OAUTH_SCOPE_baz"));
expected.add(new SimpleGrantedAuthority("OAUTH_SCOPE_batman"));
List<GrantedAuthority> authorities = granter.getAuthorities(introspectionResponse);
assertTrue(authorities.containsAll(expected));
assertTrue(expected.containsAll(authorities));
}
@ -72,12 +71,12 @@ public class TestScopeBasedIntrospectionAuthoritiesGranter {
*/
@Test
public void testGetAuthoritiesJsonObject_withoutScopes() {
List<GrantedAuthority> expected = new ArrayList<>();
expected.add(new SimpleGrantedAuthority("ROLE_API"));
List<GrantedAuthority> authorities = granter.getAuthorities(introspectionResponse);
assertTrue(authorities.containsAll(expected));
assertTrue(expected.containsAll(authorities));
}

61
openid-connect-client/src/test/java/org/mitre/openid/connect/client/TestOIDCAuthenticationFilter.java Normal file
View File

@ -0,0 +1,61 @@
/*******************************************************************************
* Copyright 2017 The MIT Internet Trust Consortium
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*******************************************************************************/
package org.mitre.openid.connect.client;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.junit.Test;
import org.mockito.Mockito;
import org.springframework.security.authentication.AuthenticationServiceException;
import static org.hamcrest.CoreMatchers.instanceOf;
import static org.hamcrest.CoreMatchers.is;
import static org.mockito.Mockito.mock;
import static org.junit.Assert.assertThat;
import static org.junit.Assert.fail;
public class TestOIDCAuthenticationFilter {
private OIDCAuthenticationFilter filter = new OIDCAuthenticationFilter();
@Test
public void attemptAuthentication_error() throws Exception {
HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
Mockito.when(request.getParameter("error")).thenReturn("Error");
Mockito.when(request.getParameter("error_description")).thenReturn("Description");
Mockito.when(request.getParameter("error_uri")).thenReturn("http://example.com");
try {
filter.attemptAuthentication(request, mock(HttpServletResponse.class));
fail("AuthorizationEndpointException expected.");
}
catch (AuthorizationEndpointException exception) {
assertThat(exception.getMessage(),
is("Error from Authorization Endpoint: Error Description http://example.com"));
assertThat(exception.getError(), is("Error"));
assertThat(exception.getErrorDescription(), is("Description"));
assertThat(exception.getErrorURI(), is("http://example.com"));
assertThat(exception, is(instanceOf(AuthenticationServiceException.class)));
}
}
}

5
openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestHybridClientConfigurationService.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.

5
openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestHybridServerConfigurationService.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.

5
openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestPlainAuthRequestUrlBuilder.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.

9
openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestSignedAuthRequestUrlBuilder.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -52,7 +53,7 @@ import static org.junit.Assert.fail;
/**
* @author wkim
*
*
*/
public class TestSignedAuthRequestUrlBuilder {
@ -91,7 +92,7 @@ public class TestSignedAuthRequestUrlBuilder {
@Before
public void prepare() throws NoSuchAlgorithmException, InvalidKeySpecException {
RSAKey key = new RSAKey(new Base64URL(n), new Base64URL(e), new Base64URL(d), KeyUse.SIGNATURE, null, new Algorithm(alg), kid, null, null, null);
RSAKey key = new RSAKey(new Base64URL(n), new Base64URL(e), new Base64URL(d), KeyUse.SIGNATURE, null, new Algorithm(alg), kid, null, null, null, null);
Map<String, JWK> keys = Maps.newHashMap();
keys.put("client", key);

5
openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestStaticClientConfigurationService.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.

5
openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestStaticServerConfigurationService.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.

5
openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestThirdPartyIssuerService.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.

5
openid-connect-client/src/test/resources/test-context.xml
View File

@ -1,7 +1,8 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright 2016 The MITRE Corporation
and the MIT Internet Trust Consortium
Copyright 2017 The MIT Internet Trust Consortium
Portions copyright 2011-2013 The MITRE Corporation
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.

7
openid-connect-common/pom.xml
View File

@ -1,7 +1,8 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright 2016 The MITRE Corporation
and the MIT Internet Trust Consortium
Copyright 2017 The MIT Internet Trust Consortium
Portions copyright 2011-2013 The MITRE Corporation
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@ -21,7 +22,7 @@
<parent>
<artifactId>openid-connect-parent</artifactId>
<groupId>org.mitre</groupId>
<version>1.3.0.cnaf-SNAPSHOT</version>
<version>1.3.2.cnaf-SNAPSHOT</version>
<relativePath>..</relativePath>
</parent>
<artifactId>openid-connect-common</artifactId>

206
openid-connect-common/src/main/java/org/mitre/data/AbstractPageOperationTemplate.java Normal file
View File

@ -0,0 +1,206 @@
/*******************************************************************************
* Copyright 2017 The MIT Internet Trust Consortium
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*******************************************************************************/
package org.mitre.data;
import java.util.Collection;
import java.util.HashSet;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* Abstract class for performing an operation on a potentially large
* number of items by paging through the items in discreet chunks.
*
* @param <T> the type parameter
* @author Colm Smyth.
*/
public abstract class AbstractPageOperationTemplate<T> {
private static final Logger logger = LoggerFactory.getLogger(AbstractPageOperationTemplate.class);
private static int DEFAULT_MAX_PAGES = 1000;
private static long DEFAULT_MAX_TIME_MILLIS = 600000L; //10 Minutes
/**
* int specifying the maximum number of
* pages which should be fetched before
* execution should terminate
*/
private int maxPages;
/**
* long specifying the maximum execution time
* in milliseconds
*/
private long maxTime;
/**
* boolean specifying whether or not Exceptions
* incurred performing the operation should be
* swallowed during execution default true.
*/
private boolean swallowExceptions = true;
/**
* String that is used for logging in final tallies.
*/
private String operationName = "";
/**
* default constructor which sets the value of
* maxPages and maxTime to DEFAULT_MAX_PAGES and
* DEFAULT_MAX_TIME_MILLIS respectively
*/
public AbstractPageOperationTemplate(String operationName){
this(DEFAULT_MAX_PAGES, DEFAULT_MAX_TIME_MILLIS, operationName);
}
/**
* Instantiates a new AbstractPageOperationTemplate with the
* given maxPages and maxTime
*
* @param maxPages the maximum number of pages to fetch.
* @param maxTime the maximum execution time.
*/
public AbstractPageOperationTemplate(int maxPages, long maxTime, String operationName){
this.maxPages = maxPages;
this.maxTime = maxTime;
this.operationName = operationName;
}
/**
* Execute the operation on each member of a page of results
* retrieved through the fetch method. the method will execute
* until either the maxPages or maxTime limit is reached or until
* the fetch method returns no more results. Exceptions thrown
* performing the operation on the item will be swallowed if the
* swallowException (default true) field is set true.
*/
public void execute(){
logger.debug("[" + getOperationName() + "] Starting execution of paged operation. maximum time: " + maxTime + ", maximum pages: " + maxPages);
long startTime = System.currentTimeMillis();
long executionTime = 0;
int i = 0;
int exceptionsSwallowedCount = 0;
int operationsCompleted = 0;
Set<String> exceptionsSwallowedClasses = new HashSet<String>();
while (i< maxPages && executionTime < maxTime){
Collection<T> page = fetchPage();
if(page == null || page.size() == 0){
break;
}
for (T item : page) {
try {
doOperation(item);
operationsCompleted++;
} catch (Exception e){
if(swallowExceptions){
exceptionsSwallowedCount++;
exceptionsSwallowedClasses.add(e.getClass().getName());
logger.debug("Swallowing exception " + e.getMessage(), e);
} else {
logger.debug("Rethrowing exception " + e.getMessage());
throw e;
}
}
}
i++;
executionTime = System.currentTimeMillis() - startTime;
}
finalReport(operationsCompleted, exceptionsSwallowedCount, exceptionsSwallowedClasses);
}
/**
* method responsible for fetching
* a page of items.
*
* @return the collection of items
*/
public abstract Collection<T> fetchPage();
/**
* method responsible for performing desired
* operation on a fetched page item.
*
* @param item the item
*/
protected abstract void doOperation(T item);
/**
* Method responsible for final report of progress.
* @return
*/
protected void finalReport(int operationsCompleted, int exceptionsSwallowedCount, Set<String> exceptionsSwallowedClasses) {
if (operationsCompleted > 0 || exceptionsSwallowedCount > 0) {
logger.info("[" + getOperationName() + "] Paged operation run: completed " + operationsCompleted + "; swallowed " + exceptionsSwallowedCount + " exceptions");
}
for(String className: exceptionsSwallowedClasses) {
logger.warn("[" + getOperationName() + "] Paged operation swallowed at least one exception of type " + className);
}
}
public int getMaxPages() {
return maxPages;
}
public void setMaxPages(int maxPages) {
this.maxPages = maxPages;
}
public long getMaxTime() {
return maxTime;
}
public void setMaxTime(long maxTime) {
this.maxTime = maxTime;
}
public boolean isSwallowExceptions() {
return swallowExceptions;
}
public void setSwallowExceptions(boolean swallowExceptions) {
this.swallowExceptions = swallowExceptions;
}
/**
* @return the operationName
*/
public String getOperationName() {
return operationName;
}
/**
* @param operationName the operationName to set
*/
public void setOperationName(String operationName) {
this.operationName = operationName;
}
}

50
openid-connect-common/src/main/java/org/mitre/data/DefaultPageCriteria.java Normal file
View File

@ -0,0 +1,50 @@
/*******************************************************************************
* Copyright 2017 The MIT Internet Trust Consortium
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*******************************************************************************/
package org.mitre.data;
/**
* Default implementation of PageCriteria which specifies
* both page to be retrieved and page size in the constructor.
*
* @author Colm Smyth
*/
public class DefaultPageCriteria implements PageCriteria {
private static final int DEFAULT_PAGE_NUMBER = 0;
private static final int DEFAULT_PAGE_SIZE = 100;
private int pageNumber;
private int pageSize;
public DefaultPageCriteria(){
this(DEFAULT_PAGE_NUMBER, DEFAULT_PAGE_SIZE);
}
public DefaultPageCriteria(int pageNumber, int pageSize) {
this.pageNumber = pageNumber;
this.pageSize = pageSize;
}
@Override
public int getPageNumber() {
return pageNumber;
}
@Override
public int getPageSize() {
return pageSize;
}
}

28
openid-connect-common/src/main/java/org/mitre/data/PageCriteria.java Normal file
View File

@ -0,0 +1,28 @@
/*******************************************************************************
* Copyright 2017 The MIT Internet Trust Consortium
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*******************************************************************************/
package org.mitre.data;
/**
* Interface which defines page criteria for use in
* a repository operation.
*
* @author Colm Smyth
*/
public interface PageCriteria {
public int getPageNumber();
public int getPageSize();
}

7
openid-connect-common/src/main/java/org/mitre/discovery/util/WebfingerURLNormalizer.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -29,7 +30,7 @@ import com.google.common.base.Strings;
/**
* Provides utility methods for normalizing and parsing URIs for use with Webfinger Discovery.
*
*
* @author wkim
*
*/

7
openid-connect-common/src/main/java/org/mitre/jose/keystore/JWKSetKeyStore.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -15,7 +16,7 @@
* limitations under the License.
*******************************************************************************/
/**
*
*
*/
package org.mitre.jose.keystore;

5
openid-connect-common/src/main/java/org/mitre/jwt/assertion/AssertionValidator.java
View File

@ -1,6 +1,5 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -26,5 +25,5 @@ import com.nimbusds.jwt.JWT;
public interface AssertionValidator {
public boolean isValid(JWT assertion);
}

5
openid-connect-common/src/main/java/org/mitre/jwt/assertion/impl/NullAssertionValidator.java
View File

@ -1,6 +1,5 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -23,7 +22,7 @@ import com.nimbusds.jwt.JWT;
/**
* Reject all assertions passed in.
*
*
* @author jricher
*
*/

24
openid-connect-common/src/main/java/org/mitre/jwt/assertion/impl/SelfAssertionValidator.java
View File

@ -1,6 +1,5 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -25,6 +24,7 @@ import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import com.google.common.base.Strings;
import com.nimbusds.jwt.JWT;
@ -33,27 +33,28 @@ import com.nimbusds.jwt.SignedJWT;
/**
* Validates all assertions generated by this server
*
*
* @author jricher
*
*/
@Component("selfAssertionValidator")
public class SelfAssertionValidator implements AssertionValidator {
private static Logger logger = LoggerFactory.getLogger(SelfAssertionValidator.class);
@Autowired
private ConfigurationPropertiesBean config;
@Autowired
private JWTSigningAndValidationService jwtService;
@Override
public boolean isValid(JWT assertion) {
if (!(assertion instanceof SignedJWT)) {
// unsigned assertion
return false;
}
JWTClaimsSet claims;
try {
claims = assertion.getJWTClaimsSet();
@ -61,17 +62,20 @@ public class SelfAssertionValidator implements AssertionValidator {
logger.debug("Invalid assertion claims");
return false;
}
// make sure the issuer exists
if (Strings.isNullOrEmpty(claims.getIssuer())) {
logger.debug("No issuer for assertion, rejecting");
return false;
}
if (claims.getIssuer().equals(config.getIssuer())) {
// make sure the issuer is us
if (!claims.getIssuer().equals(config.getIssuer())) {
logger.debug("Issuer is not the same as this server, rejecting");
return false;
}
// validate the signature based on our public key
if (jwtService.validateSignature((SignedJWT) assertion)) {
return true;
} else {

23
openid-connect-common/src/main/java/org/mitre/jwt/assertion/impl/WhitelistedIssuerAssertionValidator.java
View File

@ -1,6 +1,5 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -41,12 +40,12 @@ import com.nimbusds.jwt.SignedJWT;
public class WhitelistedIssuerAssertionValidator implements AssertionValidator {
private static Logger logger = LoggerFactory.getLogger(WhitelistedIssuerAssertionValidator.class);
/**
* Map of issuer -> JWKSetUri
*/
private Map<String, String> whitelist = new HashMap<>();
/**
* @return the whitelist
*/
@ -63,15 +62,15 @@ public class WhitelistedIssuerAssertionValidator implements AssertionValidator {
@Autowired
private JWKSetCacheService jwkCache;
@Override
public boolean isValid(JWT assertion) {
if (!(assertion instanceof SignedJWT)) {
// unsigned assertion
return false;
}
JWTClaimsSet claims;
try {
claims = assertion.getJWTClaimsSet();
@ -79,21 +78,21 @@ public class WhitelistedIssuerAssertionValidator implements AssertionValidator {
logger.debug("Invalid assertion claims");
return false;
}
if (Strings.isNullOrEmpty(claims.getIssuer())) {
logger.debug("No issuer for assertion, rejecting");
return false;
}
if (!whitelist.containsKey(claims.getIssuer())) {
logger.debug("Issuer is not in whitelist, rejecting");
return false;
}
String jwksUri = whitelist.get(claims.getIssuer());
JWTSigningAndValidationService validator = jwkCache.getValidator(jwksUri);
if (validator.validateSignature((SignedJWT) assertion)) {
return true;
} else {

5
openid-connect-common/src/main/java/org/mitre/jwt/encryption/service/JWTEncryptionAndDecryptionService.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.

16
openid-connect-common/src/main/java/org/mitre/jwt/encryption/service/impl/DefaultJWTEncryptionAndDecryptionService.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -45,7 +46,6 @@ import com.nimbusds.jose.crypto.ECDHEncrypter;
import com.nimbusds.jose.crypto.RSADecrypter;
import com.nimbusds.jose.crypto.RSAEncrypter;
import com.nimbusds.jose.crypto.bc.BouncyCastleProviderSingleton;
import com.nimbusds.jose.jca.JCAContext;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.OctetSequenceKey;
@ -80,7 +80,7 @@ public class DefaultJWTEncryptionAndDecryptionService implements JWTEncryptionAn
/**
* Build this service based on the keys given. All public keys will be used to make encrypters,
* all private keys will be used to make decrypters.
*
*
* @param keys
* @throws NoSuchAlgorithmException
* @throws InvalidKeySpecException
@ -94,7 +94,7 @@ public class DefaultJWTEncryptionAndDecryptionService implements JWTEncryptionAn
/**
* Build this service based on the given keystore. All keys must have a key
* id ({@code kid}) field in order to be used.
*
*
* @param keyStore
* @throws NoSuchAlgorithmException
* @throws InvalidKeySpecException
@ -240,13 +240,13 @@ public class DefaultJWTEncryptionAndDecryptionService implements JWTEncryptionAn
logger.warn("No private key for key #" + jwk.getKeyID());
}
} else if (jwk instanceof ECKey) {
// build EC Encrypters and decrypters
ECDHEncrypter encrypter = new ECDHEncrypter((ECKey) jwk);
encrypter.getJCAContext().setProvider(BouncyCastleProviderSingleton.getInstance());
encrypters.put(id, encrypter);
if (jwk.isPrivate()) { // we can decrypt too
ECDHDecrypter decrypter = new ECDHDecrypter((ECKey) jwk);
decrypter.getJCAContext().setProvider(BouncyCastleProviderSingleton.getInstance());

11
openid-connect-common/src/main/java/org/mitre/jwt/signer/service/JWTSigningAndValidationService.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -34,7 +35,7 @@ public interface JWTSigningAndValidationService {
/**
* Checks the signature of the given JWT against all configured signers,
* returns true if at least one of the signers validates it.
*
*
* @param jwtString
* the string representation of the JWT as sent on the wire
* @return true if the signature is valid, false if not
@ -45,7 +46,7 @@ public interface JWTSigningAndValidationService {
/**
* Called to sign a jwt in place for a client that hasn't registered a preferred signing algorithm.
* Use the default algorithm to sign.
*
*
* @param jwt the jwt to sign
* @return the signed jwt
* @throws NoSuchAlgorithmException
@ -67,7 +68,7 @@ public interface JWTSigningAndValidationService {
/**
* Sign a jwt using the selected algorithm. The algorithm is selected using the String parameter values specified
* in the JWT spec, section 6. I.E., "HS256" means HMAC with SHA-256 and corresponds to our HmacSigner class.
*
*
* @param jwt the jwt to sign
* @param alg the name of the algorithm to use, as specified in JWS s.6
* @return the signed jwt

7
openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/ClientKeyCacheService.java
View File

@ -1,6 +1,5 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -39,10 +38,10 @@ import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.JWKSet;
/**
*
*
* Takes in a client and returns the appropriate validator or encrypter for
* that client's registered key types.
*
*
* @author jricher
*
*/

33
openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/DefaultJWTSigningAndValidationService.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -17,8 +18,6 @@
package org.mitre.jwt.signer.service.impl;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import java.security.spec.InvalidKeySpecException;
import java.util.Collection;
import java.util.HashMap;
@ -72,10 +71,10 @@ public class DefaultJWTSigningAndValidationService implements JWTSigningAndValid
/**
* Build this service based on the keys given. All public keys will be used
* to make verifiers, all private keys will be used to make signers.
*
*
* @param keys
* A map of key identifier to key
*
*
* @throws InvalidKeySpecException
* If the keys in the JWKs are not valid
* @throws NoSuchAlgorithmException
@ -89,10 +88,10 @@ public class DefaultJWTSigningAndValidationService implements JWTSigningAndValid
/**
* Build this service based on the given keystore. All keys must have a key
* id ({@code kid}) field in order to be used.
*
*
* @param keyStore
* the keystore to load all keys from
*
*
* @throws InvalidKeySpecException
* If the keys in the JWKs are not valid
* @throws NoSuchAlgorithmException
@ -165,37 +164,37 @@ public class DefaultJWTSigningAndValidationService implements JWTSigningAndValid
try {
if (jwk instanceof RSAKey) {
// build RSA signers & verifiers
if (jwk.isPrivate()) { // only add the signer if there's a private key
RSASSASigner signer = new RSASSASigner((RSAKey) jwk);
signers.put(id, signer);
}
RSASSAVerifier verifier = new RSASSAVerifier((RSAKey) jwk);
verifiers.put(id, verifier);
} else if (jwk instanceof ECKey) {
// build EC signers & verifiers
if (jwk.isPrivate()) {
ECDSASigner signer = new ECDSASigner((ECKey) jwk);
signers.put(id, signer);
}
ECDSAVerifier verifier = new ECDSAVerifier((ECKey) jwk);
verifiers.put(id, verifier);
} else if (jwk instanceof OctetSequenceKey) {
// build HMAC signers & verifiers
if (jwk.isPrivate()) { // technically redundant check because all HMAC keys are private
MACSigner signer = new MACSigner((OctetSequenceKey) jwk);
signers.put(id, signer);
}
MACVerifier verifier = new MACVerifier((OctetSequenceKey) jwk);
verifiers.put(id, verifier);
} else {
logger.warn("Unknown key type: " + jwk);
}

44
openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/JWKSetCacheService.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -15,7 +16,7 @@
* limitations under the License.
*******************************************************************************/
/**
*
*
*/
package org.mitre.jwt.signer.service.impl;
@ -43,12 +44,12 @@ import com.google.gson.JsonParseException;
import com.nimbusds.jose.jwk.JWKSet;
/**
*
*
* Creates a caching map of JOSE signers/validators and encrypters/decryptors
* keyed on the JWK Set URI. Dynamically loads JWK Sets to create the services.
*
*
* @author jricher
*
*
*/
@Service
public class JWKSetCacheService {
@ -68,11 +69,11 @@ public class JWKSetCacheService {
this.validators = CacheBuilder.newBuilder()
.expireAfterWrite(1, TimeUnit.HOURS) // expires 1 hour after fetch
.maximumSize(100)
.build(new JWKSetVerifierFetcher());
.build(new JWKSetVerifierFetcher(HttpClientBuilder.create().useSystemProperties().build()));
this.encrypters = CacheBuilder.newBuilder()
.expireAfterWrite(1, TimeUnit.HOURS) // expires 1 hour after fetch
.maximumSize(100)
.build(new JWKSetEncryptorFetcher());
.build(new JWKSetEncryptorFetcher(HttpClientBuilder.create().useSystemProperties().build()));
}
/**
@ -104,9 +105,13 @@ public class JWKSetCacheService {
*
*/
private class JWKSetVerifierFetcher extends CacheLoader<String, JWTSigningAndValidationService> {
private HttpClient httpClient = HttpClientBuilder.create().useSystemProperties().build();
private HttpComponentsClientHttpRequestFactory httpFactory = new HttpComponentsClientHttpRequestFactory(httpClient);
private RestTemplate restTemplate = new RestTemplate(httpFactory);
private HttpComponentsClientHttpRequestFactory httpFactory;
private RestTemplate restTemplate;
JWKSetVerifierFetcher(HttpClient httpClient) {
this.httpFactory = new HttpComponentsClientHttpRequestFactory(httpClient);
this.restTemplate = new RestTemplate(httpFactory);
}
/**
* Load the JWK Set and build the appropriate signing service.
@ -130,9 +135,14 @@ public class JWKSetCacheService {
*
*/
private class JWKSetEncryptorFetcher extends CacheLoader<String, JWTEncryptionAndDecryptionService> {
private HttpClient httpClient = HttpClientBuilder.create().useSystemProperties().build();
private HttpComponentsClientHttpRequestFactory httpFactory = new HttpComponentsClientHttpRequestFactory(httpClient);
private RestTemplate restTemplate = new RestTemplate(httpFactory);
private HttpComponentsClientHttpRequestFactory httpFactory;
private RestTemplate restTemplate;
public JWKSetEncryptorFetcher(HttpClient httpClient) {
this.httpFactory = new HttpComponentsClientHttpRequestFactory(httpClient);
this.restTemplate = new RestTemplate(httpFactory);
}
/* (non-Javadoc)
* @see com.google.common.cache.CacheLoader#load(java.lang.Object)
*/
@ -141,11 +151,11 @@ public class JWKSetCacheService {
try {
String jsonString = restTemplate.getForObject(key, String.class);
JWKSet jwkSet = JWKSet.parse(jsonString);
JWKSetKeyStore keyStore = new JWKSetKeyStore(jwkSet);
JWTEncryptionAndDecryptionService service = new DefaultJWTEncryptionAndDecryptionService(keyStore);
return service;
} catch (JsonParseException | RestClientException e) {
throw new IllegalArgumentException("Unable to load JWK Set");

9
openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/SymmetricKeyJWTValidatorCacheService.java
View File

@ -1,6 +1,5 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -41,7 +40,7 @@ import com.nimbusds.jose.util.Base64URL;
/**
* Creates and caches symmetrical validators for clients based on client secrets.
*
*
* @author jricher
*
*/
@ -66,7 +65,7 @@ public class SymmetricKeyJWTValidatorCacheService {
/**
* Create a symmetric signing and validation service for the given client
*
*
* @param client
* @return
*/
@ -101,7 +100,7 @@ public class SymmetricKeyJWTValidatorCacheService {
String id = "SYMMETRIC-KEY";
JWK jwk = new OctetSequenceKey(Base64URL.encode(key), KeyUse.SIGNATURE, null, null, id, null, null, null);
JWK jwk = new OctetSequenceKey(Base64URL.encode(key), KeyUse.SIGNATURE, null, null, id, null, null, null, null);
Map<String, JWK> keys = ImmutableMap.of(id, jwk);
JWTSigningAndValidationService service = new DefaultJWTSigningAndValidationService(keys);

50
openid-connect-common/src/main/java/org/mitre/oauth2/exception/DeviceCodeCreationException.java Normal file
View File

@ -0,0 +1,50 @@
/*******************************************************************************
* Copyright 2017 The MIT Internet Trust Consortium
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*******************************************************************************/
package org.mitre.oauth2.exception;
/**
* @author jricher
*
*/
public class DeviceCodeCreationException extends Exception {
private static final long serialVersionUID = 8078568710169208466L;
private String error;
public DeviceCodeCreationException(String error, String message) {
super(message);
this.error = error;
}
/**
* @return the error
*/
public String getError() {
return error;
}
/**
* @param error the error to set
*/
public void setError(String error) {
this.error = error;
}
}

59
openid-connect-common/src/main/java/org/mitre/oauth2/model/AuthenticationHolderEntity.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -66,7 +67,7 @@ public class AuthenticationHolderEntity {
private SavedUserAuthentication userAuth;
private Collection<? extends GrantedAuthority> authorities;
private Collection<GrantedAuthority> authorities;
private Set<String> resourceIds;
@ -116,14 +117,14 @@ public class AuthenticationHolderEntity {
// pull apart the request and save its bits
OAuth2Request o2Request = authentication.getOAuth2Request();
setAuthorities(o2Request.getAuthorities());
setAuthorities(o2Request.getAuthorities() == null ? null : new HashSet<>(o2Request.getAuthorities()));
setClientId(o2Request.getClientId());
setExtensions(o2Request.getExtensions());
setExtensions(o2Request.getExtensions() == null ? null : new HashMap<>(o2Request.getExtensions()));
setRedirectUri(o2Request.getRedirectUri());
setRequestParameters(o2Request.getRequestParameters());
setResourceIds(o2Request.getResourceIds());
setResponseTypes(o2Request.getResponseTypes());
setScope(o2Request.getScope());
setRequestParameters(o2Request.getRequestParameters() == null ? null : new HashMap<>(o2Request.getRequestParameters()));
setResourceIds(o2Request.getResourceIds() == null ? null : new HashSet<>(o2Request.getResourceIds()));
setResponseTypes(o2Request.getResponseTypes() == null ? null : new HashSet<>(o2Request.getResponseTypes()));
setScope(o2Request.getScope() == null ? null : new HashSet<>(o2Request.getScope()));
setApproved(o2Request.isApproved());
if (authentication.getUserAuthentication() != null) {
@ -159,19 +160,15 @@ public class AuthenticationHolderEntity {
)
@Convert(converter = SimpleGrantedAuthorityStringConverter.class)
@Column(name="authority")
public Collection<? extends GrantedAuthority> getAuthorities() {
public Collection<GrantedAuthority> getAuthorities() {
return authorities;
}
/**
* @param authorities the authorities to set
*/
public void setAuthorities(Collection<? extends GrantedAuthority> authorities) {
if (authorities != null) {
this.authorities = new HashSet<>(authorities);
} else {
this.authorities = null;
}
public void setAuthorities(Collection<GrantedAuthority> authorities) {
this.authorities = authorities;
}
/**
@ -191,11 +188,7 @@ public class AuthenticationHolderEntity {
* @param resourceIds the resourceIds to set
*/
public void setResourceIds(Set<String> resourceIds) {
if (resourceIds != null) {
this.resourceIds = new HashSet<>(resourceIds);
} else {
this.resourceIds = null;
}
this.resourceIds = resourceIds;
}
/**
@ -247,11 +240,7 @@ public class AuthenticationHolderEntity {
* @param responseTypes the responseTypes to set
*/
public void setResponseTypes(Set<String> responseTypes) {
if (responseTypes != null) {
this.responseTypes = new HashSet<>(responseTypes);
} else {
this.responseTypes = null;
}
this.responseTypes = responseTypes;
}
/**
@ -273,11 +262,7 @@ public class AuthenticationHolderEntity {
* @param extensions the extensions to set
*/
public void setExtensions(Map<String, Serializable> extensions) {
if (extensions != null) {
this.extensions = new HashMap<>(extensions);
} else {
this.extensions = null;
}
this.extensions = extensions;
}
/**
@ -313,11 +298,7 @@ public class AuthenticationHolderEntity {
* @param scope the scope to set
*/
public void setScope(Set<String> scope) {
if (scope != null) {
this.scope = new HashSet<>(scope);
} else {
this.scope = null;
}
this.scope = scope;
}
/**
@ -338,11 +319,7 @@ public class AuthenticationHolderEntity {
* @param requestParameters the requestParameters to set
*/
public void setRequestParameters(Map<String, String> requestParameters) {
if (requestParameters != null) {
this.requestParameters = new HashMap<>(requestParameters);
} else {
this.requestParameters = null;
}
this.requestParameters = requestParameters;
}

9
openid-connect-common/src/main/java/org/mitre/oauth2/model/AuthorizationCodeEntity.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -33,7 +34,7 @@ import javax.persistence.Temporal;
/**
* Entity class for authorization codes
*
*
* @author aanganes
*
*/
@ -67,7 +68,7 @@ public class AuthorizationCodeEntity {
/**
* Create a new AuthorizationCodeEntity with the given code and AuthorizationRequestHolder.
*
*
* @param code the authorization code
* @param authRequest the AuthoriztionRequestHolder associated with the original code request
*/

77
openid-connect-common/src/main/java/org/mitre/oauth2/model/ClientDetailsEntity.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -15,7 +16,7 @@
* limitations under the License.
*******************************************************************************/
/**
*
*
*/
package org.mitre.oauth2.model;
@ -57,7 +58,6 @@ import org.mitre.oauth2.model.convert.SimpleGrantedAuthorityStringConverter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.provider.ClientDetails;
import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWSAlgorithm;
@ -66,7 +66,7 @@ import com.nimbusds.jwt.JWT;
/**
* @author jricher
*
*
*/
@Entity
@Table(name = "client_details")
@ -103,6 +103,8 @@ public class ClientDetailsEntity implements ClientDetails {
private String policyUri;
private String jwksUri; // URI pointer to keys
private JWKSet jwks; // public key stored by value
private String softwareId;
private String softwareVersion;
/** Fields from OIDC Client Registration Specification **/
private AppType applicationType; // application_type
@ -145,13 +147,14 @@ public class ClientDetailsEntity implements ClientDetails {
private Integer idTokenValiditySeconds; //timeout for id tokens
private Date createdAt; // time the client was created
private boolean clearAccessTokensOnRefresh = true; // do we clear access tokens on refresh?
private Integer deviceCodeValiditySeconds; // timeout for device codes
/** fields for UMA */
private Set<String> claimsRedirectUris;
/** Software statement **/
private JWT softwareStatement;
/** PKCE **/
private PKCEAlgorithm codeChallengeMethod;
@ -236,7 +239,7 @@ public class ClientDetailsEntity implements ClientDetails {
return lookup.get(value);
}
}
/**
* Create a blank ClientDetailsEntity
*/
@ -264,7 +267,7 @@ public class ClientDetailsEntity implements ClientDetails {
}
/**
*
*
* @param id the id to set
*/
public void setId(Long id) {
@ -311,7 +314,7 @@ public class ClientDetailsEntity implements ClientDetails {
/**
* Number of seconds ID token is valid for. MUST be a positive integer, can not be null.
*
*
* @return the idTokenValiditySeconds
*/
@Basic
@ -364,7 +367,7 @@ public class ClientDetailsEntity implements ClientDetails {
}
/**
*
*
*/
@Override
@Transient
@ -577,9 +580,9 @@ public class ClientDetailsEntity implements ClientDetails {
/**
* This library does not make use of this field, so it is not
* stored using our persistence layer.
*
*
* However, it's somehow required by SECOUATH.
*
*
* @return an empty map
*/
@Override
@ -1032,4 +1035,52 @@ public class ClientDetailsEntity implements ClientDetails {
this.codeChallengeMethod = codeChallengeMethod;
}
/**
* @return the deviceCodeValiditySeconds
*/
@Basic
@Column(name="device_code_validity_seconds")
public Integer getDeviceCodeValiditySeconds() {
return deviceCodeValiditySeconds;
}
/**
* @param deviceCodeValiditySeconds the deviceCodeValiditySeconds to set
*/
public void setDeviceCodeValiditySeconds(Integer deviceCodeValiditySeconds) {
this.deviceCodeValiditySeconds = deviceCodeValiditySeconds;
}
/**
* @return the softwareId
*/
@Basic
@Column(name="software_id")
public String getSoftwareId() {
return softwareId;
}
/**
* @param softwareId the softwareId to set
*/
public void setSoftwareId(String softwareId) {
this.softwareId = softwareId;
}
/**
* @return the softwareVersion
*/
@Basic
@Column(name="software_version")
public String getSoftwareVersion() {
return softwareVersion;
}
/**
* @param softwareVersion the softwareVersion to set
*/
public void setSoftwareVersion(String softwareVersion) {
this.softwareVersion = softwareVersion;
}
}

234
openid-connect-common/src/main/java/org/mitre/oauth2/model/DeviceCode.java Normal file
View File

@ -0,0 +1,234 @@
/*******************************************************************************
* Copyright 2017 The MIT Internet Trust Consortium
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*******************************************************************************/
package org.mitre.oauth2.model;
import java.util.Date;
import java.util.Map;
import java.util.Set;
import javax.persistence.Basic;
import javax.persistence.CollectionTable;
import javax.persistence.Column;
import javax.persistence.ElementCollection;
import javax.persistence.Entity;
import javax.persistence.FetchType;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.JoinColumn;
import javax.persistence.ManyToOne;
import javax.persistence.MapKeyColumn;
import javax.persistence.NamedQueries;
import javax.persistence.NamedQuery;
import javax.persistence.Table;
import javax.persistence.Temporal;
/**
* @author jricher
*
*/
@Entity
@Table(name = "device_code")
@NamedQueries({
@NamedQuery(name = DeviceCode.QUERY_BY_USER_CODE, query = "select d from DeviceCode d where d.userCode = :" + DeviceCode.PARAM_USER_CODE),
@NamedQuery(name = DeviceCode.QUERY_BY_DEVICE_CODE, query = "select d from DeviceCode d where d.deviceCode = :" + DeviceCode.PARAM_DEVICE_CODE),
@NamedQuery(name = DeviceCode.QUERY_EXPIRED_BY_DATE, query = "select d from DeviceCode d where d.expiration <= :" + DeviceCode.PARAM_DATE)
})
public class DeviceCode {
public static final String QUERY_BY_USER_CODE = "DeviceCode.queryByUserCode";
public static final String QUERY_BY_DEVICE_CODE = "DeviceCode.queryByDeviceCode";
public static final String QUERY_EXPIRED_BY_DATE = "DeviceCode.queryExpiredByDate";
public static final String PARAM_USER_CODE = "userCode";
public static final String PARAM_DEVICE_CODE = "deviceCode";
public static final String PARAM_DATE = "date";
private Long id;
private String deviceCode;
private String userCode;
private Set<String> scope;
private Date expiration;
private String clientId;
private Map<String, String> requestParameters;
private boolean approved;
private AuthenticationHolderEntity authenticationHolder;
public DeviceCode() {
}
public DeviceCode(String deviceCode, String userCode, Set<String> scope, String clientId, Map<String, String> params) {
this.deviceCode = deviceCode;
this.userCode = userCode;
this.scope = scope;
this.clientId = clientId;
this.requestParameters = params;
}
/**
* @return the id
*/
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
@Column(name = "id")
public Long getId() {
return id;
}
/**
* @param id the id to set
*/
public void setId(Long id) {
this.id = id;
}
/**
* @return the deviceCode
*/
@Basic
@Column(name = "device_code")
public String getDeviceCode() {
return deviceCode;
}
/**
* @param deviceCode the deviceCode to set
*/
public void setDeviceCode(String deviceCode) {
this.deviceCode = deviceCode;
}
/**
* @return the userCode
*/
@Basic
@Column(name = "user_code")
public String getUserCode() {
return userCode;
}
/**
* @param userCode the userCode to set
*/
public void setUserCode(String userCode) {
this.userCode = userCode;
}
/**
* @return the scope
*/
@ElementCollection(fetch = FetchType.EAGER)
@CollectionTable(
name="device_code_scope",
joinColumns=@JoinColumn(name="owner_id")
)
@Column(name="scope")
public Set<String> getScope() {
return scope;
}
/**
* @param scope the scope to set
*/
public void setScope(Set<String> scope) {
this.scope = scope;
}
@Basic
@Temporal(javax.persistence.TemporalType.TIMESTAMP)
@Column(name = "expiration")
public Date getExpiration() {
return expiration;
}
public void setExpiration(Date expiration) {
this.expiration = expiration;
}
/**
* @return the clientId
*/
@Basic
@Column(name = "client_id")
public String getClientId() {
return clientId;
}
/**
* @param clientId the clientId to set
*/
public void setClientId(String clientId) {
this.clientId = clientId;
}
/**
* @return the params
*/
@ElementCollection(fetch = FetchType.EAGER)
@CollectionTable(
name="device_code_request_parameter",
joinColumns=@JoinColumn(name="owner_id")
)
@Column(name="val")
@MapKeyColumn(name="param")
public Map<String, String> getRequestParameters() {
return requestParameters;
}
/**
* @param params the params to set
*/
public void setRequestParameters(Map<String, String> params) {
this.requestParameters = params;
}
/**
* @return the approved
*/
@Basic
@Column(name = "approved")
public boolean isApproved() {
return approved;
}
/**
* @param approved the approved to set
*/
public void setApproved(boolean approved) {
this.approved = approved;
}
/**
* The authentication in place when this token was created.
* @return the authentication
*/
@ManyToOne
@JoinColumn(name = "auth_holder_id")
public AuthenticationHolderEntity getAuthenticationHolder() {
return authenticationHolder;
}
/**
* @param authentication the authentication to set
*/
public void setAuthenticationHolder(AuthenticationHolderEntity authenticationHolder) {
this.authenticationHolder = authenticationHolder;
}
}

596
openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2AccessTokenEntity.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -15,7 +16,7 @@
* limitations under the License.
*******************************************************************************/
/**
*
*
*/
package org.mitre.oauth2.model;
@ -41,12 +42,12 @@ import javax.persistence.ManyToOne;
import javax.persistence.NamedQueries;
import javax.persistence.NamedQuery;
import javax.persistence.OneToMany;
import javax.persistence.OneToOne;
import javax.persistence.Table;
import javax.persistence.Temporal;
import javax.persistence.Transient;
import org.mitre.oauth2.model.convert.JWTStringConverter;
import org.mitre.openid.connect.model.ApprovedSite;
import org.mitre.uma.model.Permission;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessTokenJackson1Deserializer;
@ -64,330 +65,269 @@ import com.nimbusds.jwt.JWT;
@Entity
@Table(name = "access_token")
@NamedQueries({
@NamedQuery(name = OAuth2AccessTokenEntity.QUERY_ALL,
query = "select a from OAuth2AccessTokenEntity a"),
@NamedQuery(name = OAuth2AccessTokenEntity.QUERY_EXPIRED_BY_DATE,
query = "select a from OAuth2AccessTokenEntity a where a.expiration <= :"
+ OAuth2AccessTokenEntity.PARAM_DATE),
@NamedQuery(name = OAuth2AccessTokenEntity.QUERY_BY_REFRESH_TOKEN,
query = "select a from OAuth2AccessTokenEntity a where a.refreshToken = :"
+ OAuth2AccessTokenEntity.PARAM_REFERSH_TOKEN),
@NamedQuery(name = OAuth2AccessTokenEntity.QUERY_BY_CLIENT,
query = "select a from OAuth2AccessTokenEntity a where a.client = :"
+ OAuth2AccessTokenEntity.PARAM_CLIENT),
@NamedQuery(name = OAuth2AccessTokenEntity.QUERY_BY_ID_TOKEN,
query = "select a from OAuth2AccessTokenEntity a where a.idToken = :"
+ OAuth2AccessTokenEntity.PARAM_ID_TOKEN),
@NamedQuery(name = OAuth2AccessTokenEntity.QUERY_BY_TOKEN_VALUE,
query = "select a from OAuth2AccessTokenEntity a where a.jwt = :"
+ OAuth2AccessTokenEntity.PARAM_TOKEN_VALUE),
@NamedQuery(name = OAuth2AccessTokenEntity.QUERY_BY_RESOURCE_SET,
query = "select a from OAuth2AccessTokenEntity a join a.permissions p where p.resourceSet.id = :"
+ OAuth2AccessTokenEntity.PARAM_RESOURCE_SET_ID) })
@org.codehaus.jackson.map.annotate.JsonSerialize(
using = OAuth2AccessTokenJackson1Serializer.class)
@org.codehaus.jackson.map.annotate.JsonDeserialize(
using = OAuth2AccessTokenJackson1Deserializer.class)
@com.fasterxml.jackson.databind.annotation.JsonSerialize(
using = OAuth2AccessTokenJackson2Serializer.class)
@com.fasterxml.jackson.databind.annotation.JsonDeserialize(
using = OAuth2AccessTokenJackson2Deserializer.class)
@NamedQuery(name = OAuth2AccessTokenEntity.QUERY_ALL, query = "select a from OAuth2AccessTokenEntity a"),
@NamedQuery(name = OAuth2AccessTokenEntity.QUERY_EXPIRED_BY_DATE, query = "select a from OAuth2AccessTokenEntity a where a.expiration <= :" + OAuth2AccessTokenEntity.PARAM_DATE),
@NamedQuery(name = OAuth2AccessTokenEntity.QUERY_BY_REFRESH_TOKEN, query = "select a from OAuth2AccessTokenEntity a where a.refreshToken = :" + OAuth2AccessTokenEntity.PARAM_REFERSH_TOKEN),
@NamedQuery(name = OAuth2AccessTokenEntity.QUERY_BY_CLIENT, query = "select a from OAuth2AccessTokenEntity a where a.client = :" + OAuth2AccessTokenEntity.PARAM_CLIENT),
@NamedQuery(name = OAuth2AccessTokenEntity.QUERY_BY_TOKEN_VALUE, query = "select a from OAuth2AccessTokenEntity a where a.jwt = :" + OAuth2AccessTokenEntity.PARAM_TOKEN_VALUE),
@NamedQuery(name = OAuth2AccessTokenEntity.QUERY_BY_APPROVED_SITE, query = "select a from OAuth2AccessTokenEntity a where a.approvedSite = :" + OAuth2AccessTokenEntity.PARAM_APPROVED_SITE),
@NamedQuery(name = OAuth2AccessTokenEntity.QUERY_BY_RESOURCE_SET, query = "select a from OAuth2AccessTokenEntity a join a.permissions p where p.resourceSet.id = :" + OAuth2AccessTokenEntity.PARAM_RESOURCE_SET_ID)
})
@org.codehaus.jackson.map.annotate.JsonSerialize(using = OAuth2AccessTokenJackson1Serializer.class)
@org.codehaus.jackson.map.annotate.JsonDeserialize(using = OAuth2AccessTokenJackson1Deserializer.class)
@com.fasterxml.jackson.databind.annotation.JsonSerialize(using = OAuth2AccessTokenJackson2Serializer.class)
@com.fasterxml.jackson.databind.annotation.JsonDeserialize(using = OAuth2AccessTokenJackson2Deserializer.class)
public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
public static final String QUERY_BY_TOKEN_VALUE = "OAuth2AccessTokenEntity.getByTokenValue";
public static final String QUERY_BY_ID_TOKEN = "OAuth2AccessTokenEntity.getByIdToken";
public static final String QUERY_BY_CLIENT = "OAuth2AccessTokenEntity.getByClient";
public static final String QUERY_BY_REFRESH_TOKEN = "OAuth2AccessTokenEntity.getByRefreshToken";
public static final String QUERY_EXPIRED_BY_DATE = "OAuth2AccessTokenEntity.getAllExpiredByDate";
public static final String QUERY_ALL = "OAuth2AccessTokenEntity.getAll";
public static final String QUERY_BY_RESOURCE_SET = "OAuth2AccessTokenEntity.getByResourceSet";
public static final String PARAM_TOKEN_VALUE = "tokenValue";
public static final String PARAM_ID_TOKEN = "idToken";
public static final String PARAM_CLIENT = "client";
public static final String PARAM_REFERSH_TOKEN = "refreshToken";
public static final String PARAM_DATE = "date";
public static final String PARAM_RESOURCE_SET_ID = "rsid";
public static String ID_TOKEN_FIELD_NAME = "id_token";
private Long id;
private ClientDetailsEntity client;
private AuthenticationHolderEntity authenticationHolder; // the authentication
// that made this
// access
private JWT jwtValue; // JWT-encoded access token value
private OAuth2AccessTokenEntity idToken; // JWT-encoded OpenID Connect IdToken
private Date expiration;
private String tokenType = OAuth2AccessToken.BEARER_TYPE;
private OAuth2RefreshTokenEntity refreshToken;
private Set<String> scope;
private Set<Permission> permissions;
private Map<String, Object> additionalInfo = new HashMap<>();
/**
* Create a new, blank access token
*/
public OAuth2AccessTokenEntity() {
}
/**
* @return the id
*/
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
@Column(name = "id")
public Long getId() {
return id;
}
/**
* @param id
* the id to set
*/
public void setId(final Long id) {
this.id = id;
}
/**
* Get all additional information to be sent to the serializer. Inserts a copy
* of the IdToken (in JWT String form).
*/
@Override
@Transient
public Map<String, Object> getAdditionalInformation() {
if (getIdToken() != null) {
additionalInfo.put(ID_TOKEN_FIELD_NAME, getIdTokenString());
}
return additionalInfo;
}
/**
* The authentication in place when this token was created.
*
* @return the authentication
*/
@ManyToOne
@JoinColumn(name = "auth_holder_id")
public AuthenticationHolderEntity getAuthenticationHolder() {
return authenticationHolder;
}
/**
* @param authentication
* the authentication to set
*/
public void setAuthenticationHolder(
final AuthenticationHolderEntity authenticationHolder) {
this.authenticationHolder = authenticationHolder;
}
/**
* @return the client
*/
@ManyToOne
@JoinColumn(name = "client_id")
public ClientDetailsEntity getClient() {
return client;
}
/**
* @param client
* the client to set
*/
public void setClient(final ClientDetailsEntity client) {
this.client = client;
}
/**
* Get the string-encoded value of this access token.
*/
@Override
@Transient
public String getValue() {
return jwtValue.serialize();
}
@Override
@Basic
@Temporal(javax.persistence.TemporalType.TIMESTAMP)
@Column(name = "expiration")
public Date getExpiration() {
return expiration;
}
public void setExpiration(final Date expiration) {
this.expiration = expiration;
}
@Override
@Basic
@Column(name = "token_type")
public String getTokenType() {
return tokenType;
}
public void setTokenType(final String tokenType) {
this.tokenType = tokenType;
}
@Override
@ManyToOne
@JoinColumn(name = "refresh_token_id")
public OAuth2RefreshTokenEntity getRefreshToken() {
return refreshToken;
}
public void setRefreshToken(final OAuth2RefreshTokenEntity refreshToken) {
this.refreshToken = refreshToken;
}
public void setRefreshToken(final OAuth2RefreshToken refreshToken) {
if (!(refreshToken instanceof OAuth2RefreshTokenEntity)) {
throw new IllegalArgumentException(
"Not a storable refresh token entity!");
}
// force a pass through to the entity version
setRefreshToken((OAuth2RefreshTokenEntity) refreshToken);
}
@Override
@ElementCollection(fetch = FetchType.EAGER)
@CollectionTable(joinColumns = @JoinColumn(name = "owner_id"),
name = "token_scope")
public Set<String> getScope() {
return scope;
}
public void setScope(final Set<String> scope) {
this.scope = scope;
}
@Override
@Transient
public boolean isExpired() {
return getExpiration() == null ? false
: System.currentTimeMillis() > getExpiration().getTime();
}
/**
* @return the idToken
*/
@OneToOne(cascade = CascadeType.ALL) // one-to-one mapping for now
@JoinColumn(name = "id_token_id")
public OAuth2AccessTokenEntity getIdToken() {
return idToken;
}
/**
* @param idToken
* the idToken to set
*/
public void setIdToken(final OAuth2AccessTokenEntity idToken) {
this.idToken = idToken;
}
/**
* @return the idTokenString
*/
@Transient
public String getIdTokenString() {
if (idToken != null) {
return idToken.getValue(); // get the JWT string value of the id token
// entity
} else {
return null;
}
}
/**
* @return the jwtValue
*/
@Basic
@Column(name = "token_value")
@Convert(converter = JWTStringConverter.class)
public JWT getJwt() {
return jwtValue;
}
/**
* @param jwtValue
* the jwtValue to set
*/
public void setJwt(final JWT jwt) {
this.jwtValue = jwt;
}
@Override
@Transient
public int getExpiresIn() {
if (getExpiration() == null) {
return -1; // no expiration time
} else {
int secondsRemaining = (int) ((getExpiration().getTime()
- System.currentTimeMillis()) / 1000);
if (isExpired()) {
return 0; // has an expiration time and expired
} else { // has an expiration time and not expired
return secondsRemaining;
}
}
}
/**
* @return the permissions
*/
@OneToMany(fetch = FetchType.EAGER, cascade = CascadeType.ALL)
@JoinTable(name = "access_token_permissions",
joinColumns = @JoinColumn(name = "access_token_id"),
inverseJoinColumns = @JoinColumn(name = "permission_id"))
public Set<Permission> getPermissions() {
return permissions;
}
/**
* @param permissions
* the permissions to set
*/
public void setPermissions(final Set<Permission> permissions) {
this.permissions = permissions;
}
public static final String QUERY_BY_APPROVED_SITE = "OAuth2AccessTokenEntity.getByApprovedSite";
public static final String QUERY_BY_TOKEN_VALUE = "OAuth2AccessTokenEntity.getByTokenValue";
public static final String QUERY_BY_CLIENT = "OAuth2AccessTokenEntity.getByClient";
public static final String QUERY_BY_REFRESH_TOKEN = "OAuth2AccessTokenEntity.getByRefreshToken";
public static final String QUERY_EXPIRED_BY_DATE = "OAuth2AccessTokenEntity.getAllExpiredByDate";
public static final String QUERY_ALL = "OAuth2AccessTokenEntity.getAll";
public static final String QUERY_BY_RESOURCE_SET = "OAuth2AccessTokenEntity.getByResourceSet";
public static final String PARAM_TOKEN_VALUE = "tokenValue";
public static final String PARAM_CLIENT = "client";
public static final String PARAM_REFERSH_TOKEN = "refreshToken";
public static final String PARAM_DATE = "date";
public static final String PARAM_RESOURCE_SET_ID = "rsid";
public static final String PARAM_APPROVED_SITE = "approvedSite";
public static final String ID_TOKEN_FIELD_NAME = "id_token";
private Long id;
private ClientDetailsEntity client;
private AuthenticationHolderEntity authenticationHolder; // the authentication that made this access
private JWT jwtValue; // JWT-encoded access token value
private Date expiration;
private String tokenType = OAuth2AccessToken.BEARER_TYPE;
private OAuth2RefreshTokenEntity refreshToken;
private Set<String> scope;
private Set<Permission> permissions;
private ApprovedSite approvedSite;
private Map<String, Object> additionalInformation = new HashMap<>(); // ephemeral map of items to be added to the OAuth token response
/**
* Create a new, blank access token
*/
public OAuth2AccessTokenEntity() {
}
/**
* @return the id
*/
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
@Column(name = "id")
public Long getId() {
return id;
}
/**
* @param id the id to set
*/
public void setId(Long id) {
this.id = id;
}
/**
* Get all additional information to be sent to the serializer as part of the token response.
* This map is not persisted to the database.
*/
@Override
@Transient
public Map<String, Object> getAdditionalInformation() {
return additionalInformation;
}
/**
* The authentication in place when this token was created.
* @return the authentication
*/
@ManyToOne
@JoinColumn(name = "auth_holder_id")
public AuthenticationHolderEntity getAuthenticationHolder() {
return authenticationHolder;
}
/**
* @param authentication the authentication to set
*/
public void setAuthenticationHolder(AuthenticationHolderEntity authenticationHolder) {
this.authenticationHolder = authenticationHolder;
}
/**
* @return the client
*/
@ManyToOne
@JoinColumn(name = "client_id")
public ClientDetailsEntity getClient() {
return client;
}
/**
* @param client the client to set
*/
public void setClient(ClientDetailsEntity client) {
this.client = client;
}
/**
* Get the string-encoded value of this access token.
*/
@Override
@Transient
public String getValue() {
return jwtValue.serialize();
}
@Override
@Basic
@Temporal(javax.persistence.TemporalType.TIMESTAMP)
@Column(name = "expiration")
public Date getExpiration() {
return expiration;
}
public void setExpiration(Date expiration) {
this.expiration = expiration;
}
@Override
@Basic
@Column(name="token_type")
public String getTokenType() {
return tokenType;
}
public void setTokenType(String tokenType) {
this.tokenType = tokenType;
}
@Override
@ManyToOne
@JoinColumn(name="refresh_token_id")
public OAuth2RefreshTokenEntity getRefreshToken() {
return refreshToken;
}
public void setRefreshToken(OAuth2RefreshTokenEntity refreshToken) {
this.refreshToken = refreshToken;
}
public void setRefreshToken(OAuth2RefreshToken refreshToken) {
if (!(refreshToken instanceof OAuth2RefreshTokenEntity)) {
throw new IllegalArgumentException("Not a storable refresh token entity!");
}
// force a pass through to the entity version
setRefreshToken((OAuth2RefreshTokenEntity)refreshToken);
}
@Override
@ElementCollection(fetch=FetchType.EAGER)
@CollectionTable(
joinColumns=@JoinColumn(name="owner_id"),
name="token_scope"
)
public Set<String> getScope() {
return scope;
}
public void setScope(Set<String> scope) {
this.scope = scope;
}
@Override
@Transient
public boolean isExpired() {
return getExpiration() == null ? false : System.currentTimeMillis() > getExpiration().getTime();
}
/**
* @return the jwtValue
*/
@Basic
@Column(name="token_value")
@Convert(converter = JWTStringConverter.class)
public JWT getJwt() {
return jwtValue;
}
/**
* @param jwtValue the jwtValue to set
*/
public void setJwt(JWT jwt) {
this.jwtValue = jwt;
}
@Override
@Transient
public int getExpiresIn() {
if (getExpiration() == null) {
return -1; // no expiration time
} else {
int secondsRemaining = (int) ((getExpiration().getTime() - System.currentTimeMillis()) / 1000);
if (isExpired()) {
return 0; // has an expiration time and expired
} else { // has an expiration time and not expired
return secondsRemaining;
}
}
}
/**
* @return the permissions
*/
@OneToMany(fetch = FetchType.EAGER, cascade = CascadeType.ALL)
@JoinTable(
name = "access_token_permissions",
joinColumns = @JoinColumn(name = "access_token_id"),
inverseJoinColumns = @JoinColumn(name = "permission_id")
)
public Set<Permission> getPermissions() {
return permissions;
}
/**
* @param permissions the permissions to set
*/
public void setPermissions(Set<Permission> permissions) {
this.permissions = permissions;
}
>>>>>>> mitre/master
@ManyToOne
@JoinColumn(name="approved_site_id")
public ApprovedSite getApprovedSite() {
return approvedSite;
}
public void setApprovedSite(ApprovedSite approvedSite) {
this.approvedSite = approvedSite;
}
/**
* Add the ID Token to the additionalInformation map for a token response.
* @param idToken
*/
@Transient
public void setIdToken(JWT idToken) {
if (idToken != null) {
additionalInformation.put(ID_TOKEN_FIELD_NAME, idToken.serialize());
}
}
}

11
openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2RefreshTokenEntity.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -15,7 +16,7 @@
* limitations under the License.
*******************************************************************************/
/**
*
*
*/
package org.mitre.oauth2.model;
@ -78,7 +79,7 @@ public class OAuth2RefreshTokenEntity implements OAuth2RefreshToken {
private Date expiration;
/**
*
*
*/
public OAuth2RefreshTokenEntity() {
@ -104,7 +105,7 @@ public class OAuth2RefreshTokenEntity implements OAuth2RefreshToken {
/**
* The authentication in place when the original access token was
* created
*
*
* @return the authentication
*/
@ManyToOne

18
openid-connect-common/src/main/java/org/mitre/oauth2/model/PKCEAlgorithm.java
View File

@ -1,6 +1,5 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -26,8 +25,13 @@ import com.nimbusds.jose.Requirement;
*/
public final class PKCEAlgorithm extends Algorithm {
/**
*
*/
private static final long serialVersionUID = 7752852583210088925L;
public static final PKCEAlgorithm plain = new PKCEAlgorithm("plain", Requirement.REQUIRED);
public static final PKCEAlgorithm S256 = new PKCEAlgorithm("S256", Requirement.OPTIONAL);
public PKCEAlgorithm(String name, Requirement req) {
@ -37,7 +41,7 @@ public final class PKCEAlgorithm extends Algorithm {
public PKCEAlgorithm(String name) {
super(name, null);
}
public static PKCEAlgorithm parse(final String s) {
if (s.equals(plain.getName())) {
return plain;
@ -47,7 +51,7 @@ public final class PKCEAlgorithm extends Algorithm {
return new PKCEAlgorithm(s);
}
}
}

59
openid-connect-common/src/main/java/org/mitre/oauth2/model/RegisteredClient.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -15,7 +16,7 @@
* limitations under the License.
*******************************************************************************/
/**
*
*
*/
package org.mitre.oauth2.model;
@ -50,7 +51,7 @@ public class RegisteredClient {
private JsonObject src;
/**
*
*
*/
public RegisteredClient() {
this.client = new ClientDetailsEntity();
@ -815,7 +816,7 @@ public class RegisteredClient {
public void setSoftwareStatement(JWT softwareStatement) {
client.setSoftwareStatement(softwareStatement);
}
/**
* @return
* @see org.mitre.oauth2.model.ClientDetailsEntity#getCodeChallengeMethod()
@ -846,6 +847,54 @@ public class RegisteredClient {
this.src = src;
}
/**
* @return
* @see org.mitre.oauth2.model.ClientDetailsEntity#getDeviceCodeValiditySeconds()
*/
public Integer getDeviceCodeValiditySeconds() {
return client.getDeviceCodeValiditySeconds();
}
/**
* @param deviceCodeValiditySeconds
* @see org.mitre.oauth2.model.ClientDetailsEntity#setDeviceCodeValiditySeconds(java.lang.Integer)
*/
public void setDeviceCodeValiditySeconds(Integer deviceCodeValiditySeconds) {
client.setDeviceCodeValiditySeconds(deviceCodeValiditySeconds);
}
/**
* @return
* @see org.mitre.oauth2.model.ClientDetailsEntity#getSoftwareId()
*/
public String getSoftwareId() {
return client.getSoftwareId();
}
/**
* @param softwareId
* @see org.mitre.oauth2.model.ClientDetailsEntity#setSoftwareId(java.lang.String)
*/
public void setSoftwareId(String softwareId) {
client.setSoftwareId(softwareId);
}
/**
* @return
* @see org.mitre.oauth2.model.ClientDetailsEntity#getSoftwareVersion()
*/
public String getSoftwareVersion() {
return client.getSoftwareVersion();
}
/**
* @param softwareVersion
* @see org.mitre.oauth2.model.ClientDetailsEntity#setSoftwareVersion(java.lang.String)
*/
public void setSoftwareVersion(String softwareVersion) {
client.setSoftwareVersion(softwareVersion);
}
}

7
openid-connect-common/src/main/java/org/mitre/oauth2/model/RegisteredClientFields.java
View File

@ -1,6 +1,5 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -17,6 +16,8 @@
package org.mitre.oauth2.model;
public interface RegisteredClientFields {
public String SOFTWARE_ID = "software_id";
public String SOFTWARE_VERSION = "software_version";
public String SOFTWARE_STATEMENT = "software_statement";
public String CLAIMS_REDIRECT_URIS = "claims_redirect_uris";
public String CLIENT_SECRET_EXPIRES_AT = "client_secret_expires_at";
@ -56,5 +57,5 @@ public interface RegisteredClientFields {
public String REDIRECT_URIS = "redirect_uris";
public String CLIENT_SECRET = "client_secret";
public String CLIENT_ID = "client_id";
public String CODE_CHALLENGE_METHOD = "code_challenge_method";
}

6
openid-connect-common/src/main/java/org/mitre/oauth2/model/SavedUserAuthentication.java
View File

@ -1,5 +1,5 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
* in compliance with the License. You may obtain a copy of the License at
@ -40,7 +40,7 @@ import org.springframework.security.core.GrantedAuthority;
/**
* This class stands in for an original Authentication object.
*
*
* @author jricher
*
*/
@ -202,6 +202,4 @@ public class SavedUserAuthentication implements Authentication {
public void setAdditionalInfo(Map<String, String> additionalInfo) {
this.additionalInfo = additionalInfo;
}
}

87
openid-connect-common/src/main/java/org/mitre/oauth2/model/SystemScope.java
View File

@ -1,6 +1,7 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Portions copyright 2011-2013 The MITRE Corporation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -15,7 +16,7 @@
* limitations under the License.
*******************************************************************************/
/**
*
*
*/
package org.mitre.oauth2.model;
@ -28,7 +29,6 @@ import javax.persistence.Id;
import javax.persistence.NamedQueries;
import javax.persistence.NamedQuery;
import javax.persistence.Table;
import javax.persistence.Transient;
/**
* @author jricher
@ -53,9 +53,6 @@ public class SystemScope {
private String icon; // class of the icon to display on the auth page
private boolean defaultScope = false; // is this a default scope for newly-registered clients?
private boolean restricted = false; // is this scope restricted to admin-only registration access?
private boolean structured = false; // is this a default scope for newly-registered clients?
private String structuredParamDescription;
private String structuredValue;
/**
* Make a blank system scope with no value
@ -162,52 +159,6 @@ public class SystemScope {
this.restricted = restricted;
}
/**
* @return the isStructured status
*/
@Basic
@Column(name = "structured")
public boolean isStructured() {
return structured;
}
/**
* @param structured the structured to set
*/
public void setStructured(boolean structured) {
this.structured = structured;
}
@Basic
@Column(name = "structured_param_description")
public String getStructuredParamDescription() {
return structuredParamDescription;
}
/**
* @param isStructured the isStructured to set
*/
public void setStructuredParamDescription(String d) {
this.structuredParamDescription = d;
}
/**
* @return the structuredValue
*/
@Transient // we don't save the value of a system scope separately
public String getStructuredValue() {
return structuredValue;
}
/**
* @param structuredValue the structuredValue to set
*/
public void setStructuredValue(String structuredValue) {
this.structuredValue = structuredValue;
}
/* (non-Javadoc)
* @see java.lang.Object#hashCode()
*/
@ -221,13 +172,6 @@ public class SystemScope {
result = prime * result + ((icon == null) ? 0 : icon.hashCode());
result = prime * result + ((id == null) ? 0 : id.hashCode());
result = prime * result + (restricted ? 1231 : 1237);
result = prime * result + (structured ? 1231 : 1237);
result = prime
* result
+ ((structuredParamDescription == null) ? 0
: structuredParamDescription.hashCode());
result = prime * result
+ ((structuredValue == null) ? 0 : structuredValue.hashCode());
result = prime * result + ((value == null) ? 0 : value.hashCode());
return result;
}
@ -274,24 +218,6 @@ public class SystemScope {
if (restricted != other.restricted) {
return false;
}
if (structured != other.structured) {
return false;
}
if (structuredParamDescription == null) {
if (other.structuredParamDescription != null) {
return false;
}
} else if (!structuredParamDescription
.equals(other.structuredParamDescription)) {
return false;
}
if (structuredValue == null) {
if (other.structuredValue != null) {
return false;
}
} else if (!structuredValue.equals(other.structuredValue)) {
return false;
}
if (value == null) {
if (other.value != null) {
return false;
@ -309,10 +235,7 @@ public class SystemScope {
public String toString() {
return "SystemScope [id=" + id + ", value=" + value + ", description="
+ description + ", icon=" + icon + ", defaultScope="
+ defaultScope + ", restricted=" + restricted + ", structured="
+ structured + ", structuredParamDescription="
+ structuredParamDescription + ", structuredValue="
+ structuredValue + "]";
+ defaultScope + ", restricted=" + restricted + "]";
}
}

3
openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/JWEAlgorithmStringConverter.java
View File

@ -1,6 +1,5 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.

3
openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/JWEEncryptionMethodStringConverter.java
View File

@ -1,6 +1,5 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.

3
openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/JWKSetStringConverter.java
View File

@ -1,6 +1,5 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.

3
openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/JWSAlgorithmStringConverter.java
View File

@ -1,6 +1,5 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.

3
openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/JWTStringConverter.java
View File

@ -1,6 +1,5 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.

3
openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/JsonElementStringConverter.java
View File

@ -1,6 +1,5 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.

3
openid-connect-common/src/main/java/org/mitre/oauth2/model/convert/PKCEAlgorithmStringConverter.java
View File

@ -1,6 +1,5 @@
/*******************************************************************************
* Copyright 2016 The MITRE Corporation
* and the MIT Internet Trust Consortium
* Copyright 2017 The MIT Internet Trust Consortium
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.

Some files were not shown because too many files have changed in this diff Show More