|
|
|
|
@ -1,12 +1,21 @@
|
|
|
|
|
package org.mitre.openid.connect.client; |
|
|
|
|
|
|
|
|
|
import java.io.IOException; |
|
|
|
|
import java.security.NoSuchAlgorithmException; |
|
|
|
|
import java.util.HashMap; |
|
|
|
|
import java.util.Map; |
|
|
|
|
|
|
|
|
|
import javax.servlet.ServletException; |
|
|
|
|
import javax.servlet.http.HttpServletRequest; |
|
|
|
|
import javax.servlet.http.HttpServletResponse; |
|
|
|
|
|
|
|
|
|
import org.apache.commons.lang.StringUtils; |
|
|
|
|
import org.mitre.jwt.model.Jwt; |
|
|
|
|
import org.mitre.jwt.model.JwtClaims; |
|
|
|
|
import org.mitre.jwt.model.JwtHeader; |
|
|
|
|
import org.mitre.jwt.signer.JwsAlgorithm; |
|
|
|
|
import org.mitre.jwt.signer.impl.HmacSigner; |
|
|
|
|
import org.mitre.jwt.signer.impl.RsaSigner; |
|
|
|
|
import org.mitre.openid.connect.config.OIDCServerConfiguration; |
|
|
|
|
import org.springframework.security.core.Authentication; |
|
|
|
|
import org.springframework.security.core.AuthenticationException; |
|
|
|
|
@ -16,21 +25,12 @@ public class OIDCSignedRequestFilter extends AbstractOIDCAuthenticationFilter {
|
|
|
|
|
|
|
|
|
|
protected OIDCServerConfiguration oidcServerConfig; |
|
|
|
|
|
|
|
|
|
/** |
|
|
|
|
* OpenIdConnectSignedRequestFilter constructor |
|
|
|
|
*/ |
|
|
|
|
protected OIDCSignedRequestFilter() { |
|
|
|
|
super(); |
|
|
|
|
|
|
|
|
|
oidcServerConfig = new OIDCServerConfiguration(); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
/* |
|
|
|
|
* (non-Javadoc) |
|
|
|
|
* |
|
|
|
|
* @see org.mitre.openid.connect.client.AbstractOIDCAuthenticationFilter# |
|
|
|
|
* afterPropertiesSet() |
|
|
|
|
*/ |
|
|
|
|
@Override |
|
|
|
|
public void afterPropertiesSet() { |
|
|
|
|
super.afterPropertiesSet(); |
|
|
|
|
@ -49,14 +49,9 @@ public class OIDCSignedRequestFilter extends AbstractOIDCAuthenticationFilter {
|
|
|
|
|
Assert.notNull(oidcServerConfig.getClientSecret(), |
|
|
|
|
"A Client Secret must be supplied"); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
/* |
|
|
|
|
* (non-Javadoc) |
|
|
|
|
* |
|
|
|
|
* @see org.mitre.openid.connect.client.AbstractOIDCAuthenticationFilter# |
|
|
|
|
* attemptAuthentication(javax.servlet.http.HttpServletRequest, |
|
|
|
|
* javax.servlet.http.HttpServletResponse) |
|
|
|
|
*/ |
|
|
|
|
|
|
|
|
|
//SCREW WITH THIS...
|
|
|
|
|
//rather than sending over parameters, make request object and send that.
|
|
|
|
|
@Override |
|
|
|
|
public Authentication attemptAuthentication(HttpServletRequest request, |
|
|
|
|
HttpServletResponse response) throws AuthenticationException, |
|
|
|
|
@ -79,13 +74,67 @@ public class OIDCSignedRequestFilter extends AbstractOIDCAuthenticationFilter {
|
|
|
|
|
e.printStackTrace(); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
} else { |
|
|
|
|
|
|
|
|
|
} else if (StringUtils.isNotBlank(request.getParameter("token"))) { |
|
|
|
|
|
|
|
|
|
handleAuthorizationRequest(request, response, oidcServerConfig); |
|
|
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
return null; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
@Override |
|
|
|
|
public void handleAuthorizationRequest(HttpServletRequest request, HttpServletResponse response, |
|
|
|
|
OIDCServerConfiguration serverConfiguration) throws IOException { |
|
|
|
|
|
|
|
|
|
if(StringUtils.isNotBlank(request.getParameter("token"))) { |
|
|
|
|
|
|
|
|
|
Jwt jwt = new Jwt(); |
|
|
|
|
JwtHeader header = jwt.getHeader(); |
|
|
|
|
JwtClaims claims = jwt.getClaims(); |
|
|
|
|
|
|
|
|
|
//set parameters to JwtHeader
|
|
|
|
|
header.setAlgorithm(JwsAlgorithm.getByName(SIGNING_ALGORITHM).toString()); |
|
|
|
|
|
|
|
|
|
//set parameters to JwtClaims
|
|
|
|
|
claims.setClaim("response_type", "token"); |
|
|
|
|
claims.setClaim("client_id", serverConfiguration.getClientId()); |
|
|
|
|
claims.setClaim("scope", scope); |
|
|
|
|
claims.setClaim("redirect_uri", AbstractOIDCAuthenticationFilter.buildRedirectURI(request, null)); |
|
|
|
|
claims.setClaim("nonce", NONCE_SIGNATURE_COOKIE_NAME); |
|
|
|
|
|
|
|
|
|
if(header.getAlgorithm().equals("RS256") || header.getAlgorithm().equals("RS384") || header.getAlgorithm().equals("RS512")) { |
|
|
|
|
RsaSigner jwtSigner = new RsaSigner(); |
|
|
|
|
try { |
|
|
|
|
jwt = jwtSigner.sign(jwt); |
|
|
|
|
} catch (NoSuchAlgorithmException e) { |
|
|
|
|
// TODO Auto-generated catch block
|
|
|
|
|
e.printStackTrace(); |
|
|
|
|
} |
|
|
|
|
} else if(header.getAlgorithm().equals("HS256") || header.getAlgorithm().equals("HS384") || header.getAlgorithm().equals("HS512")) { |
|
|
|
|
HmacSigner jwtSigner = new HmacSigner(); |
|
|
|
|
try { |
|
|
|
|
jwt = jwtSigner.sign(jwt); |
|
|
|
|
} catch (NoSuchAlgorithmException e) { |
|
|
|
|
// TODO Auto-generated catch block
|
|
|
|
|
e.printStackTrace(); |
|
|
|
|
} |
|
|
|
|
} else { |
|
|
|
|
throw new IllegalArgumentException(header.getAlgorithm() + " is not a valid signing algorithm."); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
Map<String, String> urlVariables = new HashMap<String, String>(); |
|
|
|
|
|
|
|
|
|
urlVariables.put("request", jwt.toString()); |
|
|
|
|
|
|
|
|
|
String authRequest = AbstractOIDCAuthenticationFilter.buildURL(serverConfiguration.getAuthorizationEndpointURI(), urlVariables); |
|
|
|
|
|
|
|
|
|
logger.debug("Auth Request: " + authRequest); |
|
|
|
|
|
|
|
|
|
response.sendRedirect(authRequest); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
public void setAuthorizationEndpointURI(String authorizationEndpointURI) { |
|
|
|
|
oidcServerConfig.setAuthorizationEndpointURI(authorizationEndpointURI); |
|
|
|
|
@ -123,10 +172,6 @@ public class OIDCSignedRequestFilter extends AbstractOIDCAuthenticationFilter {
|
|
|
|
|
oidcServerConfig.setJwkSigningUrl(jwkSigningUrl); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
/** |
|
|
|
|
* @param issuer |
|
|
|
|
* @see org.mitre.openid.connect.config.OIDCServerConfiguration#setIssuer(java.lang.String) |
|
|
|
|
*/ |
|
|
|
|
public void setIssuer(String issuer) { |
|
|
|
|
oidcServerConfig.setIssuer(issuer); |
|
|
|
|
} |
|
|
|
|
|
Mike Derryberry
13 years ago
committed by