diff --git a/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/IntrospectingTokenService.java b/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/IntrospectingTokenService.java
index 6895a7e86..0494290e5 100644
--- a/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/IntrospectingTokenService.java
+++ b/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/IntrospectingTokenService.java
@@ -13,7 +13,7 @@ import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
 import org.springframework.security.oauth2.common.util.OAuth2Utils;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
-import org.springframework.security.oauth2.provider.StoredOAuth2Request;
+import org.springframework.security.oauth2.provider.OAuth2Request;
 import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
 import org.springframework.util.LinkedMultiValueMap;
@@ -80,7 +80,7 @@ public class IntrospectingTokenService implements ResourceServerTokenServices {
 return null;
 }
- private StoredOAuth2Request createStoredRequest(final JsonObject token) {
+ private OAuth2Request createStoredRequest(final JsonObject token) {
 clientId = token.get("client_id").getAsString();
 Set scopes = new HashSet();
 for (JsonElement e : token.get("scope").getAsJsonArray()) {
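Review bot: In the hunk at -80, `clientId = token.get("client_id").getAsString();` assigns a name that is not declared locally, so `clientId` appears to be a field of IntrospectingTokenService; a Spring-managed service instance is shared across requests, so storing per-token state in it lets two concurrent introspections overwrite each other's client id before the request object built in the -89 hunk is created. If nothing outside this method reads the field, make it a local: `final String clientId = token.get("client_id").getAsString();`. Both `token.get("client_id")` and `token.get("scope")` also dereference the JSON member without checking it exists, so an introspection response that omits either throws a NullPointerException instead of being rejected as an invalid token. createStoredRequest continues past the end of this hunk.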
@@ -89,7 +89,7 @@ public class IntrospectingTokenService implements ResourceServerTokenServices {
 Map parameters = new HashMap();
 parameters.put("client_id", clientId);
 parameters.put("scope", OAuth2Utils.formatParameterList(scopes));
- StoredOAuth2Request storedRequest = new StoredOAuth2Request(parameters, clientId, null, true, scopes, null, null, null);
+ OAuth2Request storedRequest = new OAuth2Request(parameters, clientId, null, true, scopes, null, null, null);
 return storedRequest;
 }
diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
index c51c7cf9c..2be02465d 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
@@ -43,7 +43,7 @@ import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
 import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
-import org.springframework.security.oauth2.provider.StoredOAuth2Request;
+import org.springframework.security.oauth2.provider.OAuth2Request;
 import org.springframework.security.oauth2.provider.TokenRequest;
 import org.springframework.security.oauth2.provider.token.TokenEnhancer;
 import org.springframework.stereotype.Service;
@@ -79,9 +79,9 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 @Override
 public OAuth2AccessTokenEntity createAccessToken(OAuth2Authentication authentication) throws AuthenticationException, InvalidClientException {
- if (authentication != null && authentication.getStoredRequest() != null) {
+ if (authentication != null && authentication.getOAuth2Request() != null) {
 // look up our client
- StoredOAuth2Request clientAuth = authentication.getStoredRequest();
+ OAuth2Request clientAuth = authentication.getOAuth2Request();
 ClientDetailsEntity client = clientDetailsService.loadClientByClientId(clientAuth.getClientId());
@@ -152,11 +152,11 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 tokenRepository.saveAccessToken(token);
 //Add approved site reference, if any
- StoredOAuth2Request originalAuthRequest = authHolder.getAuthentication().getStoredRequest();
+ OAuth2Request originalAuthRequest = authHolder.getAuthentication().getOAuth2Request();
- if (originalAuthRequest.getExtensionProperties() != null && originalAuthRequest.getExtensionProperties().containsKey("approved_site")) {
+ if (originalAuthRequest.getExtensions() != null && originalAuthRequest.getExtensions().containsKey("approved_site")) {
- Long apId = (Long) originalAuthRequest.getExtensionProperties().get("approved_site");
+ Long apId = (Long) originalAuthRequest.getExtensions().get("approved_site");
 ApprovedSite ap = approvedSiteService.getById(apId);
 Set apTokens = ap.getApprovedAccessTokens();
 apTokens.add(token);
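Review bot: In the hunk at -152, `ApprovedSite ap = approvedSiteService.getById(apId);` is dereferenced on the next line with no null check, and this runs after `tokenRepository.saveAccessToken(token);` has already persisted the token; if the approved site recorded in the stored request has since been deleted or revoked, the lookup presumably returns null and the request fails with a NullPointerException while the token may already exist in the repository. Guard it, `if (ap != null) { Set apTokens = ap.getApprovedAccessTokens(); ... }`, or treat a missing site as a reason not to issue the token, whichever the approval model intends. The `(Long)` cast of the `"approved_site"` extension also assumes the value was stored as a `Long` by the approval handler and survived any serialization of the stored request in that form; a comment stating that contract next to the cast would help. createAccessToken continues outside both hunks.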
@@ -208,7 +208,7 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 OAuth2AccessTokenEntity token = new OAuth2AccessTokenEntity();
 // get the stored scopes from the authentication holder's authorization request; these are the scopes associated with the refresh token
- Set refreshScopes = new HashSet(refreshToken.getAuthenticationHolder().getAuthentication().getStoredRequest().getScope());
+ Set refreshScopes = new HashSet(refreshToken.getAuthenticationHolder().getAuthentication().getOAuth2Request().getScope());
 Set scope = new HashSet(authRequest.getScope());
 if (scope != null && !scope.isEmpty()) {
diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/token/ChainedTokenGranter.java b/openid-connect-server/src/main/java/org/mitre/oauth2/token/ChainedTokenGranter.java
index acac2fcf1..211383ad6 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/token/ChainedTokenGranter.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/token/ChainedTokenGranter.java
@@ -6,7 +6,6 @@ package org.mitre.oauth2.token;
 import java.util.HashSet;
 import java.util.Set;
-import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
 import org.mitre.oauth2.service.ClientDetailsEntityService;
 import org.mitre.oauth2.service.OAuth2TokenEntityService;
@@ -14,6 +13,7 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.oauth2.common.exceptions.InvalidScopeException;
 import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
+import org.springframework.security.oauth2.provider.ClientDetails;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
 import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
 import org.springframework.security.oauth2.provider.TokenRequest;
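Review bot: In the hunk at -208, the null guard `if (scope != null && !scope.isEmpty())` can never fire, because the line before it, `Set scope = new HashSet(authRequest.getScope());`, already throws a NullPointerException when `authRequest.getScope()` is null (HashSet's copy constructor dereferences its argument). Either copy defensively, `Set scope = authRequest.getScope() == null ? new HashSet() : new HashSet(authRequest.getScope());`, or drop the dead null check so the code states what it actually handles. The same copy pattern on `refreshScopes` has the same property for a refresh token whose stored request carries no scope. The refresh method continues outside this hunk, and both sets are raw types that would read better as `Set<String>`.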
@@ -51,7 +51,7 @@ public class ChainedTokenGranter extends AbstractTokenGranter {
 * @see org.springframework.security.oauth2.provider.token.AbstractTokenGranter#getOAuth2Authentication(org.springframework.security.oauth2.provider.AuthorizationRequest)
 */
 @Override
- protected OAuth2Authentication getOAuth2Authentication(TokenRequest tokenRequest) throws AuthenticationException, InvalidTokenException {
+ protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, TokenRequest tokenRequest) throws AuthenticationException, InvalidTokenException {
 // read and load up the existing token
 String incomingTokenValue = tokenRequest.getRequestParameters().get("token");
 OAuth2AccessTokenEntity incomingToken = tokenServices.readAccessToken(incomingTokenValue);
@@ -65,8 +65,6 @@ public class ChainedTokenGranter extends AbstractTokenGranter {
 }
 // do a check on the requested scopes -- if they exactly match the client scopes, they were probably shadowed by the token granter
- // FIXME: bug in SECOAUTH functionality
- ClientDetailsEntity client = incomingToken.getClient();
 if (client.getScope().equals(requestedScopes)) {
 requestedScopes = new HashSet();
 }
@@ -86,7 +84,7 @@ public class ChainedTokenGranter extends AbstractTokenGranter {
 // NOTE: don't revoke the existing access token
 // create a new access token
- OAuth2Authentication authentication = new OAuth2Authentication(getRequestFactory().createStoredOAuth2Request(tokenRequest), incomingToken.getAuthenticationHolder().getAuthentication().getUserAuthentication());
+ OAuth2Authentication authentication = new OAuth2Authentication(getRequestFactory().createOAuth2Request(client, tokenRequest), incomingToken.getAuthenticationHolder().getAuthentication().getUserAuthentication());
 return authentication;
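Review bot: In the hunk at -65, the scope-shadowing check `if (client.getScope().equals(requestedScopes))` now compares against the `client` handed in by the framework rather than `incomingToken.getClient()`, and the hunk at -84 builds the new request for that same framework client while reusing the incoming token's user authentication; nothing visible in these three hunks ties the incoming token to the client making the chained request. If chaining is meant to be limited to the token's own client, add that check right after the token is loaded, `if (!incomingToken.getClient().getClientId().equals(client.getClientId())) { throw new InvalidTokenException("token was not issued to this client"); }`; if cross-client chaining is intended, say so in a comment on the `createOAuth2Request(client, tokenRequest)` line, because that is the line that decides which client the new token belongs to. The code between the hunks may already contain such a check, in which case only the comment is needed. getOAuth2Authentication runs across all three hunks and beyond them.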
diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/token/JwtAssertionTokenGranter.java b/openid-connect-server/src/main/java/org/mitre/oauth2/token/JwtAssertionTokenGranter.java
index 1bb68734d..682fc5b23 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/token/JwtAssertionTokenGranter.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/token/JwtAssertionTokenGranter.java
@@ -17,6 +17,7 @@ import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
 import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
 import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
+import org.springframework.security.oauth2.provider.ClientDetails;
 import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
 import org.springframework.security.oauth2.provider.TokenRequest;
 import org.springframework.security.oauth2.provider.token.AbstractTokenGranter;
@@ -56,14 +57,11 @@ public class JwtAssertionTokenGranter extends AbstractTokenGranter {
 * @see org.springframework.security.oauth2.provider.token.AbstractTokenGranter#getOAuth2Authentication(org.springframework.security.oauth2.provider.AuthorizationRequest)
 */
 @Override
- protected OAuth2AccessToken getAccessToken(TokenRequest tokenRequest) throws AuthenticationException, InvalidTokenException {
+ protected OAuth2AccessToken getAccessToken(ClientDetails client, TokenRequest tokenRequest) throws AuthenticationException, InvalidTokenException {
 // read and load up the existing token
 String incomingTokenValue = tokenRequest.getRequestParameters().get("assertion");
 OAuth2AccessTokenEntity incomingToken = tokenServices.readAccessToken(incomingTokenValue);
- ClientDetailsEntity client = incomingToken.getClient();
-
-
 if (incomingToken.getScope().contains(OAuth2AccessTokenEntity.ID_TOKEN_SCOPE)) {
 if (!client.getClientId().equals(tokenRequest.getClientId())) {
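Review bot: In the hunk at -56, the ownership check `if (!client.getClientId().equals(tokenRequest.getClientId()))` has quietly changed meaning: before this commit `client` was `incomingToken.getClient()`, so the check verified that the presented assertion had been issued to the client making the request; now `client` is the ClientDetails the framework resolved for this request, which presumably is the client named by `tokenRequest.getClientId()`, so the two sides are the same value and the check can no longer fail. As written, an ID token issued to one client could be presented as an assertion by a different authenticated client and pass this gate. Restore the comparison against the token's owner, `if (!incomingToken.getClient().getClientId().equals(client.getClientId())) {`, and keep a comment saying the assertion must have been issued to the calling client. `incomingToken` is also used without a null check after `readAccessToken`, and the method continues outside the hunk.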
@@ -88,12 +86,21 @@ public class JwtAssertionTokenGranter extends AbstractTokenGranter {
 // copy over all existing claims
 JWTClaimsSet claims = new JWTClaimsSet(idToken.getJWTClaimsSet());
- // update expiration and issued-at claims
- if (client.getIdTokenValiditySeconds() != null) {
- Date expiration = new Date(System.currentTimeMillis() + (client.getIdTokenValiditySeconds() * 1000L));
- claims.setExpirationTime(expiration);
- newIdTokenEntity.setExpiration(expiration);
- }
+ if (client instanceof ClientDetailsEntity) {
+
+ ClientDetailsEntity clientEntity = (ClientDetailsEntity) client;
+
+ // update expiration and issued-at claims
+ if (clientEntity.getIdTokenValiditySeconds() != null) {
+ Date expiration = new Date(System.currentTimeMillis() + (clientEntity.getIdTokenValiditySeconds() * 1000L));
+ claims.setExpirationTime(expiration);
+ newIdTokenEntity.setExpiration(expiration);
+ }
+
+ } else {
+ //TODO: What should happen in this case? Is this possible?
+ }
+
 claims.setIssueTime(new Date());
diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/view/TokenIntrospectionView.java b/openid-connect-server/src/main/java/org/mitre/oauth2/view/TokenIntrospectionView.java
index 121a01f41..978494e92 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/view/TokenIntrospectionView.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/view/TokenIntrospectionView.java
@@ -101,7 +101,7 @@ public class TokenIntrospectionView extends AbstractView {
 token.addProperty("subject", src.getAuthenticationHolder().getAuthentication().getName());
- token.addProperty("client_id", src.getAuthenticationHolder().getAuthentication().getStoredRequest().getClientId());
+ token.addProperty("client_id", src.getAuthenticationHolder().getAuthentication().getOAuth2Request().getClientId());
 return token;
 }
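Review bot: The new `else` branch in the hunk at -88 falls through on a TODO, and because `claims` was built as a copy of `idToken.getJWTClaimsSet()` two lines earlier, a client that is not a ClientDetailsEntity gets a freshly signed ID token carrying the original token's `exp` claim while `newIdTokenEntity` is left with no expiration at all; re-issuing a token without choosing its lifetime is the wrong default for an unexpected case. Fail closed instead, `} else { throw new InvalidClientException("client is not a ClientDetailsEntity: " + client.getClientId()); }`, using the InvalidClientException the file already imports, and replace the TODO with a comment stating that the granter only supports clients loaded by this server. The surrounding method starts and ends outside the hunk.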
diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/web/RevocationEndpoint.java b/openid-connect-server/src/main/java/org/mitre/oauth2/web/RevocationEndpoint.java
index 84a2a88cd..62790a234 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/web/RevocationEndpoint.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/web/RevocationEndpoint.java
@@ -28,7 +28,7 @@ import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
-import org.springframework.security.oauth2.provider.StoredOAuth2Request;
+import org.springframework.security.oauth2.provider.OAuth2Request;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
@@ -86,7 +86,7 @@ public class RevocationEndpoint {
 // we've got a client acting on its own behalf, not an admin
 //ClientAuthentication clientAuth = (ClientAuthenticationToken) ((OAuth2Authentication) auth).getClientAuthentication();
- StoredOAuth2Request clientAuth = ((OAuth2Authentication) principal).getStoredRequest();
+ OAuth2Request clientAuth = ((OAuth2Authentication) principal).getOAuth2Request();
 if (refreshToken != null) {
 if (!refreshToken.getClient().getClientId().equals(clientAuth.getClientId())) {
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectOAuth2RequestFactory.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectOAuth2RequestFactory.java
index 922d70ff4..94a7a4f61 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectOAuth2RequestFactory.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectOAuth2RequestFactory.java
@@ -37,10 +37,10 @@ public class ConnectOAuth2RequestFactory extends DefaultOAuth2RequestFactory {
 private static Logger logger = LoggerFactory.getLogger(ConnectOAuth2RequestFactory.class);
- @Autowired
+ //@Autowired
 private NonceService nonceService;
- @Autowired
+ //@Autowired
 private ClientDetailsEntityService clientDetailsService;
 @Autowired
@@ -52,6 +52,7 @@ public class ConnectOAuth2RequestFactory extends DefaultOAuth2RequestFactory {
 * @param clientDetailsService
 * @param nonceService
 */
+ @Autowired
 public ConnectOAuth2RequestFactory(ClientDetailsEntityService clientDetailsService, NonceService nonceService) {
 super(clientDetailsService);
 this.clientDetailsService = clientDetailsService;
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
index 09aed7219..934b18c58 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
@@ -30,7 +30,7 @@ import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
-import org.springframework.security.oauth2.provider.StoredOAuth2Request;
+import org.springframework.security.oauth2.provider.OAuth2Request;
 import org.springframework.security.oauth2.provider.token.TokenEnhancer;
 import org.springframework.stereotype.Service;
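Review bot: The two `//@Autowired` lines added in the hunk at -37 are commented-out code and should simply be deleted now that the constructor in the hunk at -52 carries the `@Autowired`; a reader otherwise has to work out whether field injection is still half-intended. Since both fields are now assigned only through that constructor, they can also become `private final NonceService nonceService;` and `private final ClientDetailsEntityService clientDetailsService;`, which lets the compiler enforce that the wiring happens exactly once (assuming no setter exists for them elsewhere in the class). The bare `@Autowired` that remains as the last context line of the first hunk suggests a third dependency is still field-injected, so the class would end up mixing the two styles; worth converging on constructor injection for all of them.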
@@ -62,7 +62,7 @@ public class ConnectTokenEnhancer implements TokenEnhancer {
 public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
 OAuth2AccessTokenEntity token = (OAuth2AccessTokenEntity) accessToken;
- StoredOAuth2Request originalAuthRequest = authentication.getStoredRequest();
+ OAuth2Request originalAuthRequest = authentication.getOAuth2Request();
 String clientId = originalAuthRequest.getClientId();
 ClientDetailsEntity client = clientService.loadClientByClientId(clientId);
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/TofuUserApprovalHandler.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/TofuUserApprovalHandler.java
index 0c28406ac..a48f5c6a0 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/TofuUserApprovalHandler.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/TofuUserApprovalHandler.java
@@ -117,7 +117,7 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
 ap.setAccessDate(new Date());
 approvedSiteService.save(ap);
- authorizationRequest.getExtensionProperties().put("approved_site", ap.getId());
+ authorizationRequest.getExtensions().put("approved_site", ap.getId());
 authorizationRequest.setApproved(true);
 alreadyApproved = true;
 }
@@ -130,7 +130,7 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
 //Create an approved site
 ApprovedSite newSite = approvedSiteService.createApprovedSite(clientId, userId, null, ws.getAllowedScopes(), ws);
- authorizationRequest.getExtensionProperties().put("approved_site", newSite.getId());
+ authorizationRequest.getExtensions().put("approved_site", newSite.getId());
 authorizationRequest.setApproved(true);
 }
 }
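Review bot: The extension key `"approved_site"` is now spelled out as a bare string in three writers in TofuUserApprovalHandler (the hunks at -117 and -130 here, and -192 in the next chunk of this file) and in the reader in DefaultOAuth2ProviderTokenService, which additionally casts the value to `Long`; a typo in any one of them silently breaks the link between an approval and the token it authorizes, because `containsKey` on the reading side just returns false. Define the key once on a class both modules already depend on, e.g. `public static final String APPROVED_SITE_EXTENSION = "approved_site";`, and use it at all four sites, with a comment at the declaration saying the value is the approved site's id stored as a `Long`. Whether `getExtensions()` on this AuthorizationRequest is a mutable map is not visible here; if the framework ever returns an unmodifiable view, all three `put` calls would throw, so that assumption deserves a comment too. Each of the three hunks sits inside a method that starts and ends outside it.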
@@ -192,7 +192,7 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
 }
 ApprovedSite newSite = approvedSiteService.createApprovedSite(clientId, userId, timeout, allowedScopes, null);
- authorizationRequest.getExtensionProperties().put("approved_site", newSite.getId());
+ authorizationRequest.getExtensions().put("approved_site", newSite.getId());
 }
 }
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientDynamicRegistrationEndpoint.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientDynamicRegistrationEndpoint.java
index b3c1ead96..a1b9e9bd1 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientDynamicRegistrationEndpoint.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientDynamicRegistrationEndpoint.java
@@ -26,8 +26,8 @@ import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
+import org.springframework.security.oauth2.provider.OAuth2Request;
 import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
-import org.springframework.security.oauth2.provider.StoredOAuth2Request;
 import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
@@ -173,7 +173,7 @@ public class ClientDynamicRegistrationEndpoint {
 ClientDetailsEntity client = clientService.loadClientByClientId(clientId);
- if (client != null && client.getClientId().equals(auth.getStoredRequest().getClientId())) {
+ if (client != null && client.getClientId().equals(auth.getOAuth2Request().getClientId())) {
 // we return the token that we got in
@@ -189,7 +189,7 @@ public class ClientDynamicRegistrationEndpoint {
 } else {
 // client mismatch
 logger.error("readClientConfiguration failed, client ID mismatch: "
- + clientId + " and " + auth.getStoredRequest().getClientId() + " do not match.");
+ + clientId + " and " + auth.getOAuth2Request().getClientId() + " do not match.");
 m.addAttribute("code", HttpStatus.FORBIDDEN); // http 403
 return "httpCodeView";
@@ -213,7 +213,7 @@ public class ClientDynamicRegistrationEndpoint {
 ClientDetailsEntity oldClient = clientService.loadClientByClientId(clientId);
 if (newClient != null && oldClient != null // we have an existing client and the new one parsed
- && oldClient.getClientId().equals(auth.getStoredRequest().getClientId()) // the client passed in the URI matches the one in the auth
+ && oldClient.getClientId().equals(auth.getOAuth2Request().getClientId()) // the client passed in the URI matches the one in the auth
 && oldClient.getClientId().equals(newClient.getClientId()) // the client passed in the body matches the one in the URI
 ) {
@@ -260,7 +260,7 @@ public class ClientDynamicRegistrationEndpoint {
 } else {
 // client mismatch
 logger.error("readClientConfiguration failed, client ID mismatch: "
- + clientId + " and " + auth.getStoredRequest().getClientId() + " do not match.");
+ + clientId + " and " + auth.getOAuth2Request().getClientId() + " do not match.");
 m.addAttribute("code", HttpStatus.FORBIDDEN); // http 403
 return "httpCodeView";
@@ -280,7 +280,7 @@ public class ClientDynamicRegistrationEndpoint {
 ClientDetailsEntity client = clientService.loadClientByClientId(clientId);
- if (client != null && client.getClientId().equals(auth.getStoredRequest().getClientId())) {
+ if (client != null && client.getClientId().equals(auth.getOAuth2Request().getClientId())) {
 clientService.deleteClient(client);
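Review bot: The mismatch log line rewritten in the hunks at -189 and -260 (and -297 in the next chunk) says `readClientConfiguration failed` in every copy, yet the -213 hunk (`oldClient`/`newClient`) and the -280 hunk (`clientService.deleteClient(client)`) show that at least two of these branches belong to the update and delete operations, so an operator investigating a 403 will be pointed at the wrong handler; the message text appears to have been copy-pasted and should name the operation actually failing. While touching these lines, use the parameterized form so the untrusted `clientId` is not concatenated into the message: `logger.error("{} failed, client ID mismatch: {} and {} do not match.", "<operation>", clientId, auth.getOAuth2Request().getClientId());`, assuming `logger` is the SLF4J logger used elsewhere in this patch. A caller presenting a token for a different client is a client error answered with 403, so WARN may be the more appropriate level than ERROR. Each hunk is a fragment of a longer handler method.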
@@ -297,7 +297,7 @@ public class ClientDynamicRegistrationEndpoint {
 } else {
 // client mismatch
 logger.error("readClientConfiguration failed, client ID mismatch: "
- + clientId + " and " + auth.getStoredRequest().getClientId() + " do not match.");
+ + clientId + " and " + auth.getOAuth2Request().getClientId() + " do not match.");
 m.addAttribute("code", HttpStatus.FORBIDDEN); // http 403
 return "httpCodeView";
@@ -470,7 +470,7 @@ public class ClientDynamicRegistrationEndpoint {
 Map authorizationParameters = Maps.newHashMap();
 authorizationParameters.put("client_id", client.getClientId());
 authorizationParameters.put("scope", OAuth2AccessTokenEntity.REGISTRATION_TOKEN_SCOPE);
- StoredOAuth2Request storedRequest = new StoredOAuth2Request(authorizationParameters, client.getClientId(),
+ OAuth2Request storedRequest = new OAuth2Request(authorizationParameters, client.getClientId(),
 Sets.newHashSet(new SimpleGrantedAuthority("ROLE_CLIENT")), true, Sets.newHashSet(OAuth2AccessTokenEntity.REGISTRATION_TOKEN_SCOPE), null, null, null);
 OAuth2Authentication authentication = new OAuth2Authentication(storedRequest, null);
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/UserInfoEndpoint.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/UserInfoEndpoint.java
index e5832c1d2..4e6625fc7 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/UserInfoEndpoint.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/UserInfoEndpoint.java
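Review bot: The registration token built in the hunk at -470 is the one artifact that lets a dynamically registered client later read, update or delete its own record through the checks in the -173/-213/-280 hunks, yet the line that fixes its privileges is an eight-argument positional constructor with three trailing `null`s and no explanation. Add a comment above it stating the intent so a future edit does not widen it by accident, e.g. `// registration access token: ROLE_CLIENT, pre-approved, scope limited to REGISTRATION_TOKEN_SCOPE, no user authentication`, and consider naming the three nulls in a trailing comment in the order the OAuth2Request constructor declares them, since a wrong slot here changes what the token is good for. `Map authorizationParameters` is a raw type and would be clearer as `Map<String, String>`. The enclosing method starts and ends outside the hunk.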
@@ -98,8 +98,8 @@ public class UserInfoEndpoint {
 if (p instanceof OAuth2Authentication) {
 OAuth2Authentication authentication = (OAuth2Authentication)p;
- model.addAttribute("scope", authentication.getStoredRequest().getScope());
- model.addAttribute("requestObject", authentication.getStoredRequest().getRequestParameters().get("request"));
+ model.addAttribute("scope", authentication.getOAuth2Request().getScope());
+ model.addAttribute("requestObject", authentication.getOAuth2Request().getRequestParameters().get("request"));
 }
 model.addAttribute("userInfo", userInfo);