From 5e81ed6346013aa7e1330ed34931229fd0846643 Mon Sep 17 00:00:00 2001 From: Justin Richer Date: Mon, 14 May 2012 15:00:06 -0400 Subject: [PATCH 01/12] added some content to the architecture file --- docs/Architecture.txt | 18 ++++++++++++++++++ .../.settings/org.eclipse.wst.common.component | 4 ++-- 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/docs/Architecture.txt b/docs/Architecture.txt index 834683911..2b30a9024 100644 --- a/docs/Architecture.txt +++ b/docs/Architecture.txt @@ -21,4 +21,22 @@ Managing OAuth clients: +Modules +------- + +The project uses a multi-level Maven and git repository sutrcture. The main project is split into the following modules: + + - openid-connect-common: common classes, service and repository interfaces, and model code. Also includes full JWT library. + - openid-connect-server: IdP/server implementation, includes implementations of services and repositories for use by server. + - openid-connect-client: RP/client implementation, built around spring security filters. + - spring-security-oauth: Git submodule that points to the Spring Security OAuth Git repository. Will be removed once a reliable milestone is reached upstream (see note above). + + + +Maven War Overlay +----------------- + +One of the best ways to build a custom deployment of this system is to use the Maven War Overlay mechanism. In essence, you make a new Maven project with a "war" disposition and make it depend on the openid-connect-server module with the Maven Overlay plugin configured. Any files in your new project will be built and injected into the war from the other project. This action will also overwrite any existing files. + +For instance, to overwrite the data source configuration in the main server war file, create a file named src/main/webapp/WEB-INF/data-context.xml that contains the dataSource bean. This file will completely replace the one that's in the originally built war. 
diff --git a/openid-connect-server/.settings/org.eclipse.wst.common.component b/openid-connect-server/.settings/org.eclipse.wst.common.component index 7becf4b04..5b4c881f0 100644 --- a/openid-connect-server/.settings/org.eclipse.wst.common.component +++ b/openid-connect-server/.settings/org.eclipse.wst.common.component @@ -5,10 +5,10 @@ - + uses - + uses From e95528a08d00852b2ae45cd06016c0dfac9b35b0 Mon Sep 17 00:00:00 2001 From: Justin Richer Date: Tue, 5 Jun 2012 10:11:24 -0400 Subject: [PATCH 02/12] added implementation to stub to read an access token by value --- .../oauth2/service/impl/DefaultOAuth2ProviderTokenService.java | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java index b1d450743..16aba6c91 100644 --- a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java +++ b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java @@ -343,8 +343,7 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi @Override public OAuth2AccessToken readAccessToken(String accessToken) { - // TODO Auto-generated method stub - return null; + return tokenRepository.getAccessTokenByValue(accessToken); } /* (non-Javadoc) From 27219c066d76484124afee99fd0c6aadf60391d2 Mon Sep 17 00:00:00 2001 From: Justin Richer Date: Tue, 5 Jun 2012 10:18:26 -0400 Subject: [PATCH 03/12] refactored our service to reflect upstream --- .../service/OAuth2TokenEntityService.java | 2 +- .../DefaultOAuth2ProviderTokenService.java | 26 ++++++++++++------- 2 files changed, 18 insertions(+), 10 deletions(-) 
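Review bot: readAccessToken now returns whatever tokenRepository.getAccessTokenByValue returns, which is null for a value nobody has issued, so code reaching this through the ResourceServerTokenServices interface receives null rather than a rejection; the sibling lookup in the same class (visible in the next patch of this series) throws InvalidTokenException for the same situation, so the two paths disagree on "unknown token". If null is the intended contract it should be stated, e.g. `/** Looks up a stored access token by its value; returns null when no such token exists. */`; otherwise mirror the sibling with `if (token == null) { throw new InvalidTokenException("access token not found"); }` before returning. The surrounding class continues outside the hunk.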
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/service/OAuth2TokenEntityService.java b/openid-connect-common/src/main/java/org/mitre/oauth2/service/OAuth2TokenEntityService.java index 3a37f02a1..a37352348 100644 --- a/openid-connect-common/src/main/java/org/mitre/oauth2/service/OAuth2TokenEntityService.java +++ b/openid-connect-common/src/main/java/org/mitre/oauth2/service/OAuth2TokenEntityService.java @@ -25,7 +25,7 @@ import org.springframework.security.oauth2.provider.token.ResourceServerTokenSer public interface OAuth2TokenEntityService extends AuthorizationServerTokenServices, ResourceServerTokenServices { - public OAuth2AccessTokenEntity getAccessToken(String accessTokenValue); + public OAuth2AccessTokenEntity readAccessToken(String accessTokenValue); public OAuth2RefreshTokenEntity getRefreshToken(String refreshTokenValue); diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java index 16aba6c91..18f0f6c45 100644 --- a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java +++ b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java @@ -222,8 +222,11 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi } + /** + * Get an access token from its token value. + */ @Override - public OAuth2AccessTokenEntity getAccessToken(String accessTokenValue) throws AuthenticationException { + public OAuth2AccessTokenEntity readAccessToken(String accessTokenValue) throws AuthenticationException { OAuth2AccessTokenEntity accessToken = tokenRepository.getAccessTokenByValue(accessTokenValue); if (accessToken == null) { throw new InvalidTokenException("Access token for value " + accessTokenValue + " was not found"); 
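Review bot: Renaming getAccessToken(String) to readAccessToken(String) turns it into a covariant override of ResourceServerTokenServices#readAccessToken, so the exception-throwing lookup in DefaultOAuth2ProviderTokenService now also serves Spring's resource-server code path; if that path previously relied on a null for an unknown value (the stub removed later in this series returned null), the change in failure mode should be deliberate and written down. A Javadoc on the interface method would make the contract explicit for both callers and implementers: `/** Looks up an access token by its value. @throws InvalidTokenException if no access token with that value exists */`. The rest of the interface is outside the hunk.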
@@ -233,6 +236,9 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi } } + /** + * Get an access token by its authentication object. + */ @Override public OAuth2AccessTokenEntity getAccessToken(OAuth2Authentication authentication) { @@ -241,6 +247,9 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi return accessToken; } + /** + * Get a refresh token by its token value. + */ @Override public OAuth2RefreshTokenEntity getRefreshToken(String refreshTokenValue) throws AuthenticationException { OAuth2RefreshTokenEntity refreshToken = tokenRepository.getRefreshTokenByValue(refreshTokenValue); @@ -252,12 +261,18 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi } } + /** + * Revoke a refresh token and all access tokens issued to it. + */ @Override public void revokeRefreshToken(OAuth2RefreshTokenEntity refreshToken) { tokenRepository.clearAccessTokensForRefreshToken(refreshToken); tokenRepository.removeRefreshToken(refreshToken); } + /** + * Revoke an access token. + */ @Override public void revokeAccessToken(OAuth2AccessTokenEntity accessToken) { tokenRepository.removeAccessToken(accessToken); @@ -341,11 +356,6 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi } } - @Override - public OAuth2AccessToken readAccessToken(String accessToken) { - return tokenRepository.getAccessTokenByValue(accessToken); - } - /* (non-Javadoc) * @see org.mitre.oauth2.service.OAuth2TokenEntityService#saveAccessToken(org.mitre.oauth2.model.OAuth2AccessTokenEntity) */ @@ -360,8 +370,6 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi @Override public OAuth2RefreshTokenEntity saveRefreshToken(OAuth2RefreshTokenEntity refreshToken) { return tokenRepository.saveRefreshToken(refreshToken); - } - - + } } From 5c72d8b95fd8384311adc9513cc892c794cb5b9d Mon Sep 17 00:00:00 2001 
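Review bot: The new Javadoc on readAccessToken, "Get an access token from its token value.", omits that the method throws InvalidTokenException when the value is unknown, which is exactly the behaviour the revocation endpoint later in this series depends on; add `@throws InvalidTokenException if no access token with this value exists` (and the equivalent on getRefreshToken, whose throw is outside the visible lines). Separately, the message on the line after the null check, `"Access token for value " + accessTokenValue + " was not found"`, copies the presented bearer token into an exception that will typically end up in logs or an error page; a message without the value, or with only its length, avoids handing live credentials to whoever reads those logs. The method body and the following hunks continue past the visible lines.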
From: Justin Richer Date: Tue, 5 Jun 2012 11:24:11 -0400 Subject: [PATCH 04/12] revocation endpoint cleanup, still needs views --- .../service/OAuth2TokenEntityService.java | 3 ++ .../oauth2/web/IntrospectionEndpoint.java | 2 +- .../mitre/oauth2/web/RevocationEndpoint.java | 28 ++++++++++++++----- 3 files changed, 25 insertions(+), 8 deletions(-) diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/service/OAuth2TokenEntityService.java b/openid-connect-common/src/main/java/org/mitre/oauth2/service/OAuth2TokenEntityService.java index a37352348..8b0dc9786 100644 --- a/openid-connect-common/src/main/java/org/mitre/oauth2/service/OAuth2TokenEntityService.java +++ b/openid-connect-common/src/main/java/org/mitre/oauth2/service/OAuth2TokenEntityService.java @@ -20,6 +20,7 @@ import java.util.List; import org.mitre.oauth2.model.ClientDetailsEntity; import org.mitre.oauth2.model.OAuth2AccessTokenEntity; import org.mitre.oauth2.model.OAuth2RefreshTokenEntity; +import org.springframework.security.oauth2.provider.OAuth2Authentication; import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices; import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices; @@ -43,4 +44,6 @@ public interface OAuth2TokenEntityService extends AuthorizationServerTokenServic public OAuth2RefreshTokenEntity saveRefreshToken(OAuth2RefreshTokenEntity refreshToken); + public OAuth2AccessTokenEntity getAccessToken(OAuth2Authentication authentication); + } diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/web/IntrospectionEndpoint.java b/openid-connect-server/src/main/java/org/mitre/oauth2/web/IntrospectionEndpoint.java index 036ea3e90..265bd634d 100644 --- a/openid-connect-server/src/main/java/org/mitre/oauth2/web/IntrospectionEndpoint.java +++ b/openid-connect-server/src/main/java/org/mitre/oauth2/web/IntrospectionEndpoint.java 
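Review bot: The added `getAccessToken(OAuth2Authentication)` declaration carries no Javadoc, and it appears to narrow the return type of the same-named method inherited from AuthorizationServerTokenServices (OAuth2AccessToken to OAuth2AccessTokenEntity), which is worth saying so implementers know they must hand back the entity. Suggest: `/** Returns the stored access token entity issued for this authentication; narrows the inherited AuthorizationServerTokenServices method. */`.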
@@ -41,7 +41,7 @@ public class IntrospectionEndpoint { @RequestMapping("/oauth/verify") public ModelAndView verify(@RequestParam("token") String tokenValue, ModelAndView modelAndView) { - OAuth2AccessTokenEntity token = tokenServices.getAccessToken(tokenValue); + OAuth2AccessTokenEntity token = tokenServices.readAccessToken(tokenValue); if (token == null) { // if it's not a valid token, we'll print a 404 diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/web/RevocationEndpoint.java b/openid-connect-server/src/main/java/org/mitre/oauth2/web/RevocationEndpoint.java index cbb607e80..d0da044e2 100644 --- a/openid-connect-server/src/main/java/org/mitre/oauth2/web/RevocationEndpoint.java +++ b/openid-connect-server/src/main/java/org/mitre/oauth2/web/RevocationEndpoint.java @@ -15,6 +15,8 @@ ******************************************************************************/ package org.mitre.oauth2.web; +import java.security.Principal; + import org.mitre.oauth2.exception.PermissionDeniedException; import org.mitre.oauth2.model.OAuth2AccessTokenEntity; import org.mitre.oauth2.model.OAuth2RefreshTokenEntity; 
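Review bot: The `if (token == null)` branch immediately after the changed line is now unreachable: readAccessToken, as implemented earlier in this series, throws InvalidTokenException for an unknown value instead of returning null, so an invalid token surfaces as an uncaught exception rather than the 404 the comment intends. Catch it around the call and fall into the existing branch, e.g. `OAuth2AccessTokenEntity token; try { token = tokenServices.readAccessToken(tokenValue); } catch (InvalidTokenException e) { token = null; }`. The verify method continues past the hunk.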
@@ -47,23 +49,35 @@ public class RevocationEndpoint { // TODO @PreAuthorize("hasRole('ROLE_ADMIN') or hasRole('ROLE_CLIENT')") @RequestMapping("/oauth/revoke") - public ModelAndView revoke(@RequestParam("token") String tokenValue, + public ModelAndView revoke(@RequestParam("token") String tokenValue, Principal principal, ModelAndView modelAndView) { - OAuth2RefreshTokenEntity refreshToken = tokenServices.getRefreshToken(tokenValue); - OAuth2AccessTokenEntity accessToken = tokenServices.getAccessToken(tokenValue); + + OAuth2RefreshTokenEntity refreshToken = null; + OAuth2AccessTokenEntity accessToken = null; + try { + refreshToken = tokenServices.getRefreshToken(tokenValue); + } catch (InvalidTokenException e) { + // it's OK if either of these tokens are bad + } + try { + accessToken = tokenServices.readAccessToken(tokenValue); + } catch (InvalidTokenException e) { + // it's OK if either of these tokens are bad + } + if (refreshToken == null && accessToken == null) { // TODO: this should throw a 400 with a JSON error code throw new InvalidTokenException("Invalid OAuth token: " + tokenValue); } - // TODO: there should be a way to do this in SPEL, right? - Authentication auth = SecurityContextHolder.getContext().getAuthentication(); - if (auth instanceof OAuth2Authentication) { + if (principal instanceof OAuth2Authentication) { + OAuth2AccessTokenEntity tok = tokenServices.getAccessToken((OAuth2Authentication) principal); + // we've got a client acting on its own behalf, not an admin //ClientAuthentication clientAuth = (ClientAuthenticationToken) ((OAuth2Authentication) auth).getClientAuthentication(); - AuthorizationRequest clientAuth = ((OAuth2Authentication) auth).getAuthorizationRequest(); + AuthorizationRequest clientAuth = ((OAuth2Authentication) principal).getAuthorizationRequest(); if (refreshToken != null) { if (!refreshToken.getClient().getClientId().equals(clientAuth.getClientId())) { From 8e33a1730770c7f33dc77c55f79bf0108cb0155a Mon Sep 17 00:00:00 2001 
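Review bot: `principal` can be null at `if (principal instanceof OAuth2Authentication)` because the @PreAuthorize guard on this method is still a commented-out TODO, and instanceof on null quietly evaluates to false; if the branch that follows the OAuth2Authentication case (outside the hunk) is the admin path, an unauthenticated request could reach it. Reject a null principal explicitly before the branch — the file already imports PermissionDeniedException, which looks like the intended vehicle — or re-enable the @PreAuthorize. `tok` from `tokenServices.getAccessToken((OAuth2Authentication) principal)` is not used in the visible lines; if it serves a later check it would read better fetched there, and if nothing uses it the lookup is a wasted repository round-trip. The two empty catch blocks are deliberate per their comments; naming the variable `ignored` makes that intent visible to static analysis. The revoke method continues past the hunk.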
From: Justin Richer Date: Tue, 5 Jun 2012 11:32:51 -0400 Subject: [PATCH 05/12] moved DB schema files up a few levels, fixed test context to point to new locations --- .../webapp => }/db/tables/accesstoken.sql | 0 .../main/webapp => }/db/tables/address.sql | 0 .../webapp => }/db/tables/approvedsite.sql | 0 .../webapp => }/db/tables/authorities.sql | 0 .../webapp => }/db/tables/clientdetails.sql | 0 .../{src/main/webapp => }/db/tables/event.sql | 0 .../main/webapp => }/db/tables/granttypes.sql | 0 .../main/webapp => }/db/tables/idtoken.sql | 0 .../webapp => }/db/tables/idtokenclaims.sql | 0 .../webapp => }/db/tables/redirect_uris.sql | 0 .../webapp => }/db/tables/refreshtoken.sql | 0 .../webapp => }/db/tables/resource_ids.sql | 0 .../{src/main/webapp => }/db/tables/scope.sql | 0 .../main/webapp => }/db/tables/userinfo.sql | 0 .../webapp => }/db/tables/whitelistedsite.sql | 0 .../src/test/resources/test-context.xml | 26 +++++++++---------- 16 files changed, 13 insertions(+), 13 deletions(-) rename openid-connect-server/{src/main/webapp => }/db/tables/accesstoken.sql (100%) rename openid-connect-server/{src/main/webapp => }/db/tables/address.sql (100%) rename openid-connect-server/{src/main/webapp => }/db/tables/approvedsite.sql (100%) rename openid-connect-server/{src/main/webapp => }/db/tables/authorities.sql (100%) rename openid-connect-server/{src/main/webapp => }/db/tables/clientdetails.sql (100%) rename openid-connect-server/{src/main/webapp => }/db/tables/event.sql (100%) rename openid-connect-server/{src/main/webapp => }/db/tables/granttypes.sql (100%) rename openid-connect-server/{src/main/webapp => }/db/tables/idtoken.sql (100%) rename openid-connect-server/{src/main/webapp => }/db/tables/idtokenclaims.sql (100%) rename openid-connect-server/{src/main/webapp => }/db/tables/redirect_uris.sql (100%) rename openid-connect-server/{src/main/webapp => }/db/tables/refreshtoken.sql (100%) rename openid-connect-server/{src/main/webapp => }/db/tables/resource_ids.sql 
(100%) rename openid-connect-server/{src/main/webapp => }/db/tables/scope.sql (100%) rename openid-connect-server/{src/main/webapp => }/db/tables/userinfo.sql (100%) rename openid-connect-server/{src/main/webapp => }/db/tables/whitelistedsite.sql (100%) diff --git a/openid-connect-server/src/main/webapp/db/tables/accesstoken.sql b/openid-connect-server/db/tables/accesstoken.sql similarity index 100% rename from openid-connect-server/src/main/webapp/db/tables/accesstoken.sql rename to openid-connect-server/db/tables/accesstoken.sql diff --git a/openid-connect-server/src/main/webapp/db/tables/address.sql b/openid-connect-server/db/tables/address.sql similarity index 100% rename from openid-connect-server/src/main/webapp/db/tables/address.sql rename to openid-connect-server/db/tables/address.sql diff --git a/openid-connect-server/src/main/webapp/db/tables/approvedsite.sql b/openid-connect-server/db/tables/approvedsite.sql similarity index 100% rename from openid-connect-server/src/main/webapp/db/tables/approvedsite.sql rename to openid-connect-server/db/tables/approvedsite.sql diff --git a/openid-connect-server/src/main/webapp/db/tables/authorities.sql b/openid-connect-server/db/tables/authorities.sql similarity index 100% rename from openid-connect-server/src/main/webapp/db/tables/authorities.sql rename to openid-connect-server/db/tables/authorities.sql diff --git a/openid-connect-server/src/main/webapp/db/tables/clientdetails.sql b/openid-connect-server/db/tables/clientdetails.sql similarity index 100% rename from openid-connect-server/src/main/webapp/db/tables/clientdetails.sql rename to openid-connect-server/db/tables/clientdetails.sql diff --git a/openid-connect-server/src/main/webapp/db/tables/event.sql b/openid-connect-server/db/tables/event.sql similarity index 100% rename from openid-connect-server/src/main/webapp/db/tables/event.sql rename to openid-connect-server/db/tables/event.sql 
diff --git a/openid-connect-server/src/main/webapp/db/tables/granttypes.sql b/openid-connect-server/db/tables/granttypes.sql similarity index 100% rename from openid-connect-server/src/main/webapp/db/tables/granttypes.sql rename to openid-connect-server/db/tables/granttypes.sql diff --git a/openid-connect-server/src/main/webapp/db/tables/idtoken.sql b/openid-connect-server/db/tables/idtoken.sql similarity index 100% rename from openid-connect-server/src/main/webapp/db/tables/idtoken.sql rename to openid-connect-server/db/tables/idtoken.sql diff --git a/openid-connect-server/src/main/webapp/db/tables/idtokenclaims.sql b/openid-connect-server/db/tables/idtokenclaims.sql similarity index 100% rename from openid-connect-server/src/main/webapp/db/tables/idtokenclaims.sql rename to openid-connect-server/db/tables/idtokenclaims.sql diff --git a/openid-connect-server/src/main/webapp/db/tables/redirect_uris.sql b/openid-connect-server/db/tables/redirect_uris.sql similarity index 100% rename from openid-connect-server/src/main/webapp/db/tables/redirect_uris.sql rename to openid-connect-server/db/tables/redirect_uris.sql diff --git a/openid-connect-server/src/main/webapp/db/tables/refreshtoken.sql b/openid-connect-server/db/tables/refreshtoken.sql similarity index 100% rename from openid-connect-server/src/main/webapp/db/tables/refreshtoken.sql rename to openid-connect-server/db/tables/refreshtoken.sql diff --git a/openid-connect-server/src/main/webapp/db/tables/resource_ids.sql b/openid-connect-server/db/tables/resource_ids.sql similarity index 100% rename from openid-connect-server/src/main/webapp/db/tables/resource_ids.sql rename to openid-connect-server/db/tables/resource_ids.sql diff --git a/openid-connect-server/src/main/webapp/db/tables/scope.sql b/openid-connect-server/db/tables/scope.sql similarity index 100% rename from openid-connect-server/src/main/webapp/db/tables/scope.sql rename to openid-connect-server/db/tables/scope.sql 
diff --git a/openid-connect-server/src/main/webapp/db/tables/userinfo.sql b/openid-connect-server/db/tables/userinfo.sql similarity index 100% rename from openid-connect-server/src/main/webapp/db/tables/userinfo.sql rename to openid-connect-server/db/tables/userinfo.sql diff --git a/openid-connect-server/src/main/webapp/db/tables/whitelistedsite.sql b/openid-connect-server/db/tables/whitelistedsite.sql similarity index 100% rename from openid-connect-server/src/main/webapp/db/tables/whitelistedsite.sql rename to openid-connect-server/db/tables/whitelistedsite.sql diff --git a/openid-connect-server/src/test/resources/test-context.xml b/openid-connect-server/src/test/resources/test-context.xml index 84142e3c9..d9a6435a6 100644 --- a/openid-connect-server/src/test/resources/test-context.xml +++ b/openid-connect-server/src/test/resources/test-context.xml @@ -12,19 +12,19 @@ - file:src/main/webapp/db/tables/accesstoken.sql - file:src/main/webapp/db/tables/address.sql - file:src/main/webapp/db/tables/approvedsite.sql - file:src/main/webapp/db/tables/authorities.sql - file:src/main/webapp/db/tables/clientdetails.sql - file:src/main/webapp/db/tables/event.sql - file:src/main/webapp/db/tables/granttypes.sql - file:src/main/webapp/db/tables/idtoken.sql - file:src/main/webapp/db/tables/idtokenclaims.sql - file:src/main/webapp/db/tables/refreshtoken.sql - file:src/main/webapp/db/tables/scope.sql - file:src/main/webapp/db/tables/userinfo.sql - file:src/main/webapp/db/tables/whitelistedsite.sql + file:db/tables/accesstoken.sql + file:db/tables/address.sql + file:db/tables/approvedsite.sql + file:db/tables/authorities.sql + file:db/tables/clientdetails.sql + file:db/tables/event.sql + file:db/tables/granttypes.sql + file:db/tables/idtoken.sql + file:db/tables/idtokenclaims.sql + file:db/tables/refreshtoken.sql + file:db/tables/scope.sql + file:db/tables/userinfo.sql + file:db/tables/whitelistedsite.sql classpath:test-data.sql 
From 46cd08071d4c8cb944b0bb7443551204f50c943f Mon Sep 17 00:00:00 2001 From: Justin Richer Date: Tue, 5 Jun 2012 11:45:06 -0400 Subject: [PATCH 06/12] cleaned up sql table references to redirect uris, see #48 --- openid-connect-server/db/tables/clientdetails.sql | 1 - openid-connect-server/db/tables/redirect_uris.sql | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/openid-connect-server/db/tables/clientdetails.sql b/openid-connect-server/db/tables/clientdetails.sql index 0bf73e434..73caed442 100644 --- a/openid-connect-server/db/tables/clientdetails.sql +++ b/openid-connect-server/db/tables/clientdetails.sql @@ -1,7 +1,6 @@ CREATE TABLE clientdetails ( clientId VARCHAR(256), clientSecret VARCHAR(2000), - registeredRedirectUri VARCHAR(2000), clientName VARCHAR(256), clientDescription VARCHAR(2000), allowRefresh TINYINT, diff --git a/openid-connect-server/db/tables/redirect_uris.sql b/openid-connect-server/db/tables/redirect_uris.sql index 6b4f81936..08d3c0126 100644 --- a/openid-connect-server/db/tables/redirect_uris.sql +++ b/openid-connect-server/db/tables/redirect_uris.sql @@ -1,4 +1,4 @@ CREATE TABLE redirect_uris ( owner_id VARCHAR(256), - registeredRedirectUri VARCHAR(256) + registeredRedirectUri VARCHAR(2000) ); \ No newline at end of file From d424f44b8c1274e9d074a3eae69917848682a04c Mon Sep 17 00:00:00 2001 From: Michael Jett Date: Tue, 5 Jun 2012 13:08:55 -0400 Subject: [PATCH 07/12] Removing some whitespace --- .../src/main/webapp/WEB-INF/views/oauth/approve.jsp | 2 -- 1 file changed, 2 deletions(-) diff --git a/openid-connect-server/src/main/webapp/WEB-INF/views/oauth/approve.jsp b/openid-connect-server/src/main/webapp/WEB-INF/views/oauth/approve.jsp index 41f568461..d18c07e47 100644 --- a/openid-connect-server/src/main/webapp/WEB-INF/views/oauth/approve.jsp +++ b/openid-connect-server/src/main/webapp/WEB-INF/views/oauth/approve.jsp @@ -42,10 +42,8 @@
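Review bot: The new redirect_uris definition still has no key or constraint: owner_id is not tied to clientdetails.clientId and neither column is NOT NULL, so orphaned or null rows are possible in the table that decides which redirect targets a client may use. Consider `owner_id VARCHAR(256) NOT NULL` and `registeredRedirectUri VARCHAR(2000) NOT NULL`, plus a foreign key on owner_id once clientdetails has a primary key (none is visible in the clientdetails hunk above). Widening the column to 2000 matches the length of the clientdetails.registeredRedirectUri column this series drops, which looks intentional.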
Check me out - Check me out -
From 3b4e95ac10c3ff3b9e7c5b9505a5cf2e2434739b Mon Sep 17 00:00:00 2001 From: Michael Jett Date: Tue, 5 Jun 2012 15:52:09 -0400 Subject: [PATCH 08/12] Approval page updates --- .../webapp/WEB-INF/views/oauth/approve.jsp | 60 +++++++++++++++---- 1 file changed, 47 insertions(+), 13 deletions(-) diff --git a/openid-connect-server/src/main/webapp/WEB-INF/views/oauth/approve.jsp b/openid-connect-server/src/main/webapp/WEB-INF/views/oauth/approve.jsp index d18c07e47..7c39fc0cc 100644 --- a/openid-connect-server/src/main/webapp/WEB-INF/views/oauth/approve.jsp +++ b/openid-connect-server/src/main/webapp/WEB-INF/views/oauth/approve.jsp @@ -21,14 +21,56 @@ -
-

Please Confirm!

+
+

Approve New Site

-

I hereby authorize "" to access my protected resources.

+
+
+
Do you authorize + " + + + + + + + " to sign you into their site + using your identity? + more information +

+

+

+
+
+
+ Access to: + + basic profile information + + email address + + address + + phone number + + offline access +
+
+ +
-
@@ -39,16 +81,8 @@
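Review bot: The approval page now renders the client's name inside the "Do you authorize ... to sign you into their site" sentence, but the JSP expression producing that name is not legible in this extraction; please confirm it goes through `<c:out value="..."/>` (or fn:escapeXml) rather than a bare `${...}`, since a consent page shows presumably registration-supplied text to the end user. The scope labels (basic profile information, email address, address, phone number, offline access) appear to be fixed markup rather than driven by the scopes the client actually requested; if so, what the user sees can diverge from what is granted. This is a markup fragment, so there is no enclosing function.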
-
- - Check me out - - Check me out -
+
- From e44697cef94e724f65dd00a7eed752695a855b2d Mon Sep 17 00:00:00 2001 From: Justin Richer Date: Tue, 5 Jun 2012 16:07:19 -0400 Subject: [PATCH 09/12] updated JWK display to latest, closes #58 --- ...JwtSigningAndValidationServiceDefault.java | 16 ++-- .../openid/connect/view/JwkKeyListView.java | 82 ++++++++----------- .../connect/web/JsonWebKeyEndpoint.java | 16 ++-- 3 files changed, 52 insertions(+), 62 deletions(-) diff --git a/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/JwtSigningAndValidationServiceDefault.java b/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/JwtSigningAndValidationServiceDefault.java index 2237e19ac..3120b605a 100644 --- a/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/JwtSigningAndValidationServiceDefault.java +++ b/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/JwtSigningAndValidationServiceDefault.java @@ -89,20 +89,18 @@ public class JwtSigningAndValidationServiceDefault implements Map map = new HashMap(); - PublicKey publicKey; - - for (JwtSigner signer : signers.values()) { + for (String signerId : signers.keySet()) { + JwtSigner signer = signers.get(signerId); + if (signer instanceof RsaSigner) { - publicKey = ((RsaSigner) signer).getPublicKey(); + RsaSigner rsa = (RsaSigner)signer; + + PublicKey publicKey = rsa.getPublicKey(); if (publicKey != null) { - // what's the index of this map for? - map.put(((RSAPublicKey) publicKey).getModulus() - .toString(16).toUpperCase() - + ((RSAPublicKey) publicKey).getPublicExponent() - .toString(16).toUpperCase(), publicKey); + map.put(signerId, publicKey); } } diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/view/JwkKeyListView.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/view/JwkKeyListView.java index 1900c301f..c8088f159 100644 --- a/openid-connect-server/src/main/java/org/mitre/openid/connect/view/JwkKeyListView.java 
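Review bot: The rewritten loop iterates `signers.keySet()` and then calls `signers.get(signerId)` for each key; iterating the entry set gives both in one step, e.g. `for (Map.Entry<String, JwtSigner> e : signers.entrySet()) { JwtSigner signer = e.getValue(); ... map.put(e.getKey(), publicKey); }` (generic arguments look stripped in this extraction, so match the declared types). Signers that are not an RsaSigner, or whose public key is null, are skipped without any trace; a debug-level log line naming the skipped signerId would make a key missing from the published set easier to diagnose. The method's declaration and return lie outside the hunk.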
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/view/JwkKeyListView.java @@ -33,10 +33,12 @@ import org.apache.commons.codec.binary.Base64; import org.springframework.validation.BeanPropertyBindingResult; import org.springframework.web.servlet.view.AbstractView; +import com.google.common.collect.BiMap; import com.google.gson.ExclusionStrategy; import com.google.gson.FieldAttributes; import com.google.gson.Gson; import com.google.gson.GsonBuilder; +import com.google.gson.JsonArray; import com.google.gson.JsonElement; import com.google.gson.JsonObject; import com.google.gson.JsonSerializationContext; @@ -67,50 +69,6 @@ public class JwkKeyListView extends AbstractView { return false; } - }) - .registerTypeHierarchyAdapter(PublicKey.class, new JsonSerializer() { - - @Override - public JsonElement serialize(PublicKey src, Type typeOfSrc, JsonSerializationContext context) { - - - if (src instanceof RSAPublicKey) { - - RSAPublicKey rsa = (RSAPublicKey)src; - - - BigInteger mod = rsa.getModulus(); - BigInteger exp = rsa.getPublicExponent(); - - String m64 = Base64.encodeBase64URLSafeString(mod.toByteArray()); - String e64 = Base64.encodeBase64URLSafeString(exp.toByteArray()); - - JsonObject o = new JsonObject(); - - o.addProperty("use", "sig"); - o.addProperty("alg", "RSA"); - o.addProperty("mod", m64); - o.addProperty("exp", e64); - // TODO: get the key ID from the map - return o; - } else if (src instanceof ECPublicKey) { - - @SuppressWarnings("unused") - ECPublicKey ec = (ECPublicKey)src; - - // TODO: serialize the EC - - return null; - - } else { - - // skip this class ... we shouldn't have any keys in here that aren't encodable by this serializer - return null; - } - - - } - }) .create(); 
@@ -119,10 +77,38 @@ public class JwkKeyListView extends AbstractView { Writer out = response.getWriter(); - Object obj = model.get("entity"); - if (obj == null) { - obj = model; - } + BiMap keyMap = (BiMap) model.get("keys"); + + JsonObject obj = new JsonObject(); + JsonArray keys = new JsonArray(); + obj.add("keys", keys); + + for (String keyId : keyMap.keySet()) { + + PublicKey src = keyMap.get(keyId); + + if (src instanceof RSAPublicKey) { + + RSAPublicKey rsa = (RSAPublicKey)src; + + + BigInteger mod = rsa.getModulus(); + BigInteger exp = rsa.getPublicExponent(); + + String m64 = Base64.encodeBase64URLSafeString(mod.toByteArray()); + String e64 = Base64.encodeBase64URLSafeString(exp.toByteArray()); + + JsonObject o = new JsonObject(); + + o.addProperty("use", "sig"); // since we don't do encryption yet + o.addProperty("alg", "RSA"); // we know this is RSA + o.addProperty("mod", m64); + o.addProperty("exp", e64); + o.addProperty("kid", keyId); + + keys.add(o); + } + } gson.toJson(obj, out); diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/JsonWebKeyEndpoint.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/JsonWebKeyEndpoint.java index 1fb1112f8..938c46858 100644 --- a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/JsonWebKeyEndpoint.java +++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/JsonWebKeyEndpoint.java @@ -27,6 +27,10 @@ import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.servlet.ModelAndView; +import com.google.common.collect.BiMap; +import com.google.common.collect.HashBiMap; +import com.google.common.collect.Maps; + @Controller public class JsonWebKeyEndpoint { 
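Review bot: `mod.toByteArray()` and `exp.toByteArray()` return the two's-complement encoding, which carries a leading 0x00 byte whenever the top bit of the magnitude is set — the usual case for an RSA modulus — so the base64url "mod" value published here has one byte more than the unsigned big-endian form JWK consumers expect, and strict parsers may reject the key or compute a different key size. Strip the sign byte before encoding, as in the helper below (java.util.Arrays would need importing). `(BiMap) model.get("keys")` is also an unchecked cast of a possibly absent model entry; a null check with a clear error beats the NullPointerException at `keyMap.keySet()`. Non-RSA keys are dropped silently, which the removed serializer at least marked with a TODO. renderMergedOutputModel begins before this hunk.
```java
// … unchanged: gson setup, content type, writer, keyMap lookup, loop header …
String m64 = base64UrlUnsigned(rsa.getModulus());
String e64 = base64UrlUnsigned(rsa.getPublicExponent());
// … unchanged: JsonObject assembly, keys.add(o), gson.toJson(obj, out) …

/** Base64url-encodes the unsigned big-endian magnitude of i, as JWK requires. */
private static String base64UrlUnsigned(BigInteger i) {
    byte[] bytes = i.toByteArray();
    if (bytes.length > 1 && bytes[0] == 0) {
        bytes = Arrays.copyOfRange(bytes, 1, bytes.length); // drop the two's-complement sign byte
    }
    return Base64.encodeBase64URLSafeString(bytes);
}
```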
@@ -36,14 +40,16 @@ public class JsonWebKeyEndpoint { @RequestMapping("/jwk") public ModelAndView getJwk() { - Collection keys = jwtService.getAllPublicKeys().values(); + // get all public keys for display + // map from key id to public key for that signer + Map keys = jwtService.getAllPublicKeys(); + + // put them into a bidirectional map to get at key IDs + BiMap biKeys = HashBiMap.create(keys); // TODO: check if keys are empty, return a 404 here or just an empty list? - Map jwk = new HashMap(); - jwk.put("jwk", keys); - - return new ModelAndView("jwkKeyList", "entity", jwk); + return new ModelAndView("jwkKeyList", "keys", biKeys); } } From fbdccdb78e87b77c4bcd0311bc560f7a9c63b96b Mon Sep 17 00:00:00 2001 From: Justin Richer Date: Tue, 5 Jun 2012 16:32:49 -0400 Subject: [PATCH 10/12] added Xrd support (fixes #63), updated configuration locations (fixes #47) --- .../org/mitre/swd/view/XrdJsonResponse.java | 90 +++++++++++++++++++ .../swd/web/SimpleWebDiscoveryEndpoint.java | 38 +++++--- .../main/webapp/WEB-INF/spring-servlet.xml | 3 + 3 files changed, 121 insertions(+), 10 deletions(-) create mode 100644 openid-connect-server/src/main/java/org/mitre/swd/view/XrdJsonResponse.java diff --git a/openid-connect-server/src/main/java/org/mitre/swd/view/XrdJsonResponse.java b/openid-connect-server/src/main/java/org/mitre/swd/view/XrdJsonResponse.java new file mode 100644 index 000000000..5f2a69c7b --- /dev/null +++ b/openid-connect-server/src/main/java/org/mitre/swd/view/XrdJsonResponse.java 
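Review bot: `HashBiMap.create(keys)` throws IllegalArgumentException when two entries share a value, because a BiMap requires values to be unique, so a configuration in which one RSA key is registered under two signer ids would turn the /jwk endpoint into a server error. The view in this series only reads `keyMap.keySet()` and `keyMap.get(keyId)`, never the inverse mapping, so passing the map through unchanged — `return new ModelAndView("jwkKeyList", "keys", keys);` with the view's cast adjusted to Map — removes both the failure mode and the Guava dependency here. The TODO about empty keys is still open; an object with an empty "keys" array, which is what the view produces today, is a reasonable answer worth recording in a comment.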
@@ -0,0 +1,90 @@
+/*******************************************************************************
+ * Copyright 2012 The MITRE Corporation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ ******************************************************************************/
+/**
+ *
+ */
+package org.mitre.swd.view;
+
+import java.io.Writer;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.validation.BeanPropertyBindingResult;
+import org.springframework.web.servlet.view.AbstractView;
+
+import com.google.gson.ExclusionStrategy;
+import com.google.gson.FieldAttributes;
+import com.google.gson.Gson;
+import com.google.gson.GsonBuilder;
+import com.google.gson.JsonArray;
+import com.google.gson.JsonObject;
+
+/**
+ * @author jricher
+ *
+ */
+public class XrdJsonResponse extends AbstractView {
+
+ /* (non-Javadoc)
+ * @see org.springframework.web.servlet.view.AbstractView#renderMergedOutputModel(java.util.Map, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
+ */
+ @Override
+ protected void renderMergedOutputModel(Map model, HttpServletRequest request, HttpServletResponse response) throws Exception {
+ Gson gson = new GsonBuilder().setExclusionStrategies(new ExclusionStrategy() {
+
+ @Override
+ public boolean shouldSkipField(FieldAttributes f) {
+ return false;
+ }
+
+ @Override
+ public boolean shouldSkipClass(Class clazz) {
+ // 
skip the JPA binding wrapper
+ if (clazz.equals(BeanPropertyBindingResult.class)) {
+ return true;
+ } else {
+ return false;
+ }
+ }
+
+ })
+ .create();
+
+ response.setContentType("application/json");
+
+ Writer out = response.getWriter();
+
+ Map links = (Map) model.get("links");
+
+ JsonObject obj = new JsonObject();
+ JsonArray linksList = new JsonArray();
+ obj.add("links", linksList);
+
+ // map of "rel" -> "link" values
+ for (Map.Entry link : links.entrySet()) {
+ JsonObject l = new JsonObject();
+ l.addProperty("rel", link.getKey());
+ l.addProperty("link", link.getValue());
+
+ linksList.add(l);
+ }
+
+ gson.toJson(obj, out);
+ }
+
+}
diff --git a/openid-connect-server/src/main/java/org/mitre/swd/web/SimpleWebDiscoveryEndpoint.java b/openid-connect-server/src/main/java/org/mitre/swd/web/SimpleWebDiscoveryEndpoint.java
index e20af27ff..9019d0515 100644
--- a/openid-connect-server/src/main/java/org/mitre/swd/web/SimpleWebDiscoveryEndpoint.java
+++ b/openid-connect-server/src/main/java/org/mitre/swd/web/SimpleWebDiscoveryEndpoint.java
@@ -20,7 +20,9 @@ import java.util.Map;
 import javax.servlet.http.HttpServletRequest;
+import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
 import org.mitre.util.Utility;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
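Review bot: `(Map) model.get("links")` is dereferenced by `links.entrySet()` with no null or type check, so a model that lacks the `links` attribute fails with a NullPointerException inside view rendering instead of an error that names the missing attribute; `if (links == null) { throw new IllegalStateException("model attribute 'links' is required by XrdJsonResponse"); }` before the loop would do. The ExclusionStrategy is dead code here: the only value serialised is the hand-built `JsonObject`, which Gson writes as a tree without consulting field or class exclusions, so `new Gson()` behaves identically and is easier to read. The class carries only an `@author` Javadoc; a summary such as `Renders the model's "links" map (rel -> link) as a JSON XRD document of the form {"links": [{"rel": ..., "link": ...}]}` would state the contract a caller must meet. `response.setContentType("application/json")` sets no charset, so the writer falls back to the container default (ISO-8859-1); the values here are URLs, but `"application/json; charset=UTF-8"` is the safer form.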
@@ -31,11 +33,14 @@ import com.google.common.collect.Lists;
 @Controller
 public class SimpleWebDiscoveryEndpoint {
+ @Autowired
+ ConfigurationPropertiesBean config;
+
 @RequestMapping(value="/.well-known/simple-web-discovery", params={"principal", "service=http://openid.net/specs/connect/1.0/issuer"})
- public ModelAndView openIdConnectIssuerDiscovery(@RequestParam("principal") String principal, ModelAndView modelAndView, HttpServletRequest request) {
+ public ModelAndView openIdConnectIssuerDiscovery(@RequestParam("principal") String principal, ModelAndView modelAndView) {
- String baseUrl = Utility.findBaseUrl(request);
+ String baseUrl = config.getIssuer();
 // look up user, see if they're local // if so, return this server
@@ -51,11 +56,24 @@ public class SimpleWebDiscoveryEndpoint {
 return modelAndView;
 }
+ @RequestMapping(value="/.well-known/host-meta",
+ params={"resource", "rel=http://openid.net/specs/connect/1.0/issuer"})
+ public ModelAndView xrdDiscovery(@RequestParam("resource") String resource, ModelAndView modelAndView) {
+
+ Map relMap = new HashMap();
+ relMap.put("http://openid.net/specs/connect/1.0/issuer", config.getIssuer());
+
+ modelAndView.getModel().put("links", relMap);
+
+ modelAndView.setViewName("jsonXrdResponseView");
+
+ return modelAndView;
+ }
 @RequestMapping("/.well-known/openid-configuration")
- public ModelAndView providerConfiguration(ModelAndView modelAndView, HttpServletRequest request) {
+ public ModelAndView providerConfiguration(ModelAndView modelAndView) {
- String baseUrl = Utility.findBaseUrl(request);
+ String baseUrl = config.getIssuer();
 /*
 * version string Version of the provider response. "3.0" is the default.
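Review bot: `@Autowired ConfigurationPropertiesBean config;` is a package-private, mutable field; `@Autowired private ConfigurationPropertiesBean config;` keeps it out of reach of the rest of the package, and a setter or constructor would let the controller be tested without a Spring context. Replacing `Utility.findBaseUrl(request)` with `config.getIssuer()` looks like the right direction if findBaseUrl reconstructs the URL from the incoming request (as its name suggests): a discovery document should advertise the issuer the deployer configured, not one derived from request headers a client controls. With `request` gone from both signatures, check whether the `HttpServletRequest` and `Utility` imports kept in the preceding hunk are still used elsewhere in the file. Both methods touched here continue outside this hunk.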
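Review bot: `xrdDiscovery` binds the `resource` request parameter but never reads it, so the host-meta endpoint claims the configured issuer for any resource value, whereas the sibling `openIdConnectIssuerDiscovery` has a "look up user, see if they're local" step before it answers. If that is deliberate for now, a comment on the `relMap.put` line such as `// TODO: confirm the resource belongs to this issuer before asserting it` records the gap; otherwise `resource` should be checked the way `principal` is. The view name `"jsonXrdResponseView"` is presumably registered in the spring-servlet.xml change later in this patch, whose content is not legible here. `xrdDiscovery` is complete within this hunk; `providerConfiguration` continues past its end.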
@@ -84,15 +102,15 @@ public class SimpleWebDiscoveryEndpoint {
 Map m = new HashMap();
 m.put("version", "3.0");
 m.put("issuer", baseUrl);
- m.put("authorization_endpoint", baseUrl + "/authorize");
- m.put("token_endpoint", baseUrl + "/oauth");
+ m.put("authorization_endpoint", baseUrl + "/openidconnect/auth");
+ m.put("token_endpoint", baseUrl + "/openidconnect/token");
 m.put("userinfo_endpoint", baseUrl + "/userinfo");
 m.put("check_id_endpoint", baseUrl + "/checkid");
- m.put("refresh_session_endpoint", baseUrl + "/refresh_session");
- m.put("end_session_endpoint", baseUrl + "/end_session");
+ //m.put("refresh_session_endpoint", baseUrl + "/refresh_session");
+ //m.put("end_session_endpoint", baseUrl + "/end_session");
 m.put("jwk_url", baseUrl + "/jwk");
- m.put("registration_endpoint", baseUrl + "/register_client");
- m.put("scopes_supported", Lists.newArrayList("openid"));
+ //m.put("registration_endpoint", baseUrl + "/register_client");
+ m.put("scopes_supported", Lists.newArrayList("openid", "email", "profile", "address", "phone"));
 m.put("response_types_supported", Lists.newArrayList("code"));
diff --git a/openid-connect-server/src/main/webapp/WEB-INF/spring-servlet.xml b/openid-connect-server/src/main/webapp/WEB-INF/spring-servlet.xml
index 03faf3cb1..adea116a6 100644
--- a/openid-connect-server/src/main/webapp/WEB-INF/spring-servlet.xml
+++ b/openid-connect-server/src/main/webapp/WEB-INF/spring-servlet.xml
@@ -190,8 +190,11 @@ + + +
From 7df2663e00bf5526cc9f2eddd7001c535f8e8802 Mon Sep 17 00:00:00 2001
From: Justin Richer
Date: Tue, 5 Jun 2012 16:36:11 -0400
Subject: [PATCH 11/12] added final slashification of configuration URLs

---
 .../swd/web/SimpleWebDiscoveryEndpoint.java | 22 +++++++++++--------
 1 file changed, 13 insertions(+), 9 deletions(-)
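Review bot: The three `//m.put(...)` lines leave commented-out code in the discovery document builder without saying why `refresh_session_endpoint`, `end_session_endpoint` and `registration_endpoint` were withdrawn; either delete them or replace them with one comment such as `// session management and dynamic client registration are not implemented yet, so those endpoints are deliberately left out of the discovery document` so a reader does not assume the server merely forgot them. Advertising `scopes_supported` as `openid, email, profile, address, phone` is a promise that the userinfo endpoint honours those scopes; worth confirming against the userinfo implementation, which is outside this hunk. providerConfiguration starts before this hunk.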
diff --git a/openid-connect-server/src/main/java/org/mitre/swd/web/SimpleWebDiscoveryEndpoint.java b/openid-connect-server/src/main/java/org/mitre/swd/web/SimpleWebDiscoveryEndpoint.java
index 9019d0515..eb9599d68 100644
--- a/openid-connect-server/src/main/java/org/mitre/swd/web/SimpleWebDiscoveryEndpoint.java
+++ b/openid-connect-server/src/main/java/org/mitre/swd/web/SimpleWebDiscoveryEndpoint.java
@@ -73,11 +73,9 @@ public class SimpleWebDiscoveryEndpoint {
 @RequestMapping("/.well-known/openid-configuration")
 public ModelAndView providerConfiguration(ModelAndView modelAndView) {
- String baseUrl = config.getIssuer();
-
 /*
 * version string Version of the provider response. "3.0" is the default.
- * issuer string The https: URL with no path component that the OP asserts as its Issuer Identifier
+ * issuer string The https: URL that the OP asserts as its Issuer Identifier
 * authorization_endpoint string URL of the OP's Authentication and Authorization Endpoint [OpenID.Messages]
 * token_endpoint string URL of the OP's OAuth 2.0 Token Endpoint [OpenID.Messages]
 * userinfo_endpoint string URL of the OP's UserInfo Endpoint [OpenID.Messages]
@@ -99,16 +97,22 @@ public class SimpleWebDiscoveryEndpoint {
 * token_endpoint_auth_types_supported array A JSON array containing a list of authentication types supported by this Token Endpoint. The options are client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section 2.2.1 of OpenID Connect Messages 1.0 [OpenID.Messages]. Other Authentication types may be defined by extension. If unspecified or omitted, the default is client_secret_basic HTTP Basic Authentication Scheme as specified in section 2.3.1 of OAuth 2.0 [OAuth2.0].
 * token_endpoint_auth_algs_supported array A JSON array containing a list of the JWS [JWS] signing algorithms supported by the Token Endpoint for the private_key_jwt method to encode the JWT [JWT]. Servers SHOULD support RS256.
 */
+ String baseUrl = config.getIssuer();
+
+ if (!baseUrl.endsWith("/")) {
+ baseUrl = baseUrl.concat("/");
+ }
+
 Map m = new HashMap();
 m.put("version", "3.0");
- m.put("issuer", baseUrl);
- m.put("authorization_endpoint", baseUrl + "/openidconnect/auth");
- m.put("token_endpoint", baseUrl + "/openidconnect/token");
- m.put("userinfo_endpoint", baseUrl + "/userinfo");
- m.put("check_id_endpoint", baseUrl + "/checkid");
+ m.put("issuer", config.getIssuer());
+ m.put("authorization_endpoint", baseUrl + "openidconnect/auth");
+ m.put("token_endpoint", baseUrl + "openidconnect/token");
+ m.put("userinfo_endpoint", baseUrl + "userinfo");
+ m.put("check_id_endpoint", baseUrl + "checkid");
 //m.put("refresh_session_endpoint", baseUrl + "/refresh_session");
 //m.put("end_session_endpoint", baseUrl + "/end_session");
- m.put("jwk_url", baseUrl + "/jwk");
+ m.put("jwk_url", baseUrl + "jwk");
 //m.put("registration_endpoint", baseUrl + "/register_client");
 m.put("scopes_supported", Lists.newArrayList("openid", "email", "profile", "address", "phone"));
 m.put("response_types_supported", Lists.newArrayList("code"));
From c3cffe1eac6f9aa3f299219f656ff430abb543ea Mon Sep 17 00:00:00 2001
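Review bot: `baseUrl.endsWith("/")` is called on the value of `config.getIssuer()` with no null check, so a deployment whose issuer property is unset now fails with a NullPointerException on the first discovery request; an explicit `if (baseUrl == null) { throw new IllegalStateException("issuer is not configured"); }` names the misconfiguration instead. Keeping `issuer` as the verbatim `config.getIssuer()` while the endpoint URLs use the slash-normalised copy is correct, and deserves a one-line comment on the `m.put("issuer", ...)` line, e.g. `// the issuer identifier is published exactly as configured; only the derived endpoint URLs get the trailing slash`. The still-commented `//m.put("refresh_session_endpoint", baseUrl + "/refresh_session")` and neighbouring lines keep the old leading-slash form and would yield a double slash if re-enabled; update or delete them. The previous hunk drops "with no path component" from the issuer description, so `baseUrl` may now carry a path — fine if intended, but worth stating. providerConfiguration starts before this hunk.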
From: Justin Richer
Date: Tue, 5 Jun 2012 16:42:26 -0400
Subject: [PATCH 12/12] cleaned up bad config file

---
 .../.settings/org.eclipse.wst.common.component | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/openid-connect-server/.settings/org.eclipse.wst.common.component b/openid-connect-server/.settings/org.eclipse.wst.common.component
index 5b4c881f0..7becf4b04 100644
--- a/openid-connect-server/.settings/org.eclipse.wst.common.component
+++ b/openid-connect-server/.settings/org.eclipse.wst.common.component
@@ -5,10 +5,10 @@ - + uses - + uses