From 42a9b67f5e9dbb337718fc76c3f183963da4116c Mon Sep 17 00:00:00 2001 From: Mike Derryberry Date: Thu, 19 Jul 2012 15:09:33 -0400 Subject: [PATCH] updated signed request filter to create jwt from parameters, sign it, create url for request, and send a redirect --- .../AbstractOIDCAuthenticationFilter.java | 3 +- .../client/OIDCSignedRequestFilter.java | 91 ++++++++++++++----- 2 files changed, 69 insertions(+), 25 deletions(-) diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/AbstractOIDCAuthenticationFilter.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/AbstractOIDCAuthenticationFilter.java index 799d78e90..df61a2122 100644 --- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/AbstractOIDCAuthenticationFilter.java +++ b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/AbstractOIDCAuthenticationFilter.java @@ -426,7 +426,7 @@ public class AbstractOIDCAuthenticationFilter extends logger.debug("tokenEndpointURI = " + serverConfig.getTokenEndpointURI()); logger.debug("form = " + form); } -; + String jsonString = null; try { @@ -716,7 +716,6 @@ public class AbstractOIDCAuthenticationFilter extends return signingAndValidationService; } else { - // if we can't build a validation service, return null return null; } } diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCSignedRequestFilter.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCSignedRequestFilter.java index 29abd7fa3..cbe4d83ca 100644 --- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCSignedRequestFilter.java +++ b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCSignedRequestFilter.java 
@@ -1,12 +1,21 @@ package org.mitre.openid.connect.client; import java.io.IOException; +import java.security.NoSuchAlgorithmException; +import java.util.HashMap; +import java.util.Map; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.commons.lang.StringUtils; +import org.mitre.jwt.model.Jwt; +import org.mitre.jwt.model.JwtClaims; +import org.mitre.jwt.model.JwtHeader; +import org.mitre.jwt.signer.JwsAlgorithm; +import org.mitre.jwt.signer.impl.HmacSigner; +import org.mitre.jwt.signer.impl.RsaSigner; import org.mitre.openid.connect.config.OIDCServerConfiguration; import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; @@ -16,21 +25,12 @@ public class OIDCSignedRequestFilter extends AbstractOIDCAuthenticationFilter { protected OIDCServerConfiguration oidcServerConfig; - /** - * OpenIdConnectSignedRequestFilter constructor - */ protected OIDCSignedRequestFilter() { super(); oidcServerConfig = new OIDCServerConfiguration(); } - /* - * (non-Javadoc) - * - * @see org.mitre.openid.connect.client.AbstractOIDCAuthenticationFilter# - * afterPropertiesSet() - */ @Override public void afterPropertiesSet() { super.afterPropertiesSet(); @@ -49,14 +49,9 @@ public class OIDCSignedRequestFilter extends AbstractOIDCAuthenticationFilter { Assert.notNull(oidcServerConfig.getClientSecret(), "A Client Secret must be supplied"); } - - /* - * (non-Javadoc) - * - * @see org.mitre.openid.connect.client.AbstractOIDCAuthenticationFilter# - * attemptAuthentication(javax.servlet.http.HttpServletRequest, - * javax.servlet.http.HttpServletResponse) - */ + + //SCREW WITH THIS... + //rather than sending over parameters, make request object and send that. @Override public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, 
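Review bot: The Javadoc above `attemptAuthentication` is replaced by the working note `//SCREW WITH THIS...` / `//rather than sending over parameters, make request object and send that.`, which leaves the override undocumented in committed code. Replace those two lines with a Javadoc that states the contract, e.g. `/** Handles the OpenID Connect authorization flow for this filter: builds a signed request object and redirects to the authorization endpoint, or processes the callback. */`, adjusting the wording to what the body actually does. The body of `attemptAuthentication` continues outside this hunk, so confirm the summary against it.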
@@ -79,13 +74,67 @@ public class OIDCSignedRequestFilter extends AbstractOIDCAuthenticationFilter { e.printStackTrace(); } - } else { - + } else if (StringUtils.isNotBlank(request.getParameter("token"))) { + handleAuthorizationRequest(request, response, oidcServerConfig); + } return null; } + + @Override + public void handleAuthorizationRequest(HttpServletRequest request, HttpServletResponse response, + OIDCServerConfiguration serverConfiguration) throws IOException { + + if(StringUtils.isNotBlank(request.getParameter("token"))) { + + Jwt jwt = new Jwt(); + JwtHeader header = jwt.getHeader(); + JwtClaims claims = jwt.getClaims(); + + //set parameters to JwtHeader + header.setAlgorithm(JwsAlgorithm.getByName(SIGNING_ALGORITHM).toString()); + + //set parameters to JwtClaims + claims.setClaim("response_type", "token"); + claims.setClaim("client_id", serverConfiguration.getClientId()); + claims.setClaim("scope", scope); + claims.setClaim("redirect_uri", AbstractOIDCAuthenticationFilter.buildRedirectURI(request, null)); + claims.setClaim("nonce", NONCE_SIGNATURE_COOKIE_NAME); + + if(header.getAlgorithm().equals("RS256") || header.getAlgorithm().equals("RS384") || header.getAlgorithm().equals("RS512")) { + RsaSigner jwtSigner = new RsaSigner(); + try { + jwt = jwtSigner.sign(jwt); + } catch (NoSuchAlgorithmException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } + } else if(header.getAlgorithm().equals("HS256") || header.getAlgorithm().equals("HS384") || header.getAlgorithm().equals("HS512")) { + HmacSigner jwtSigner = new HmacSigner(); + try { + jwt = jwtSigner.sign(jwt); + } catch (NoSuchAlgorithmException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } + } else { + throw new IllegalArgumentException(header.getAlgorithm() + " is not a valid signing algorithm."); + } + + Map urlVariables = new HashMap(); + + urlVariables.put("request", jwt.toString()); + + String authRequest = 
AbstractOIDCAuthenticationFilter.buildURL(serverConfiguration.getAuthorizationEndpointURI(), urlVariables); + + logger.debug("Auth Request: " + authRequest); + + response.sendRedirect(authRequest); + } + + } public void setAuthorizationEndpointURI(String authorizationEndpointURI) { oidcServerConfig.setAuthorizationEndpointURI(authorizationEndpointURI); @@ -123,10 +172,6 @@ public class OIDCSignedRequestFilter extends AbstractOIDCAuthenticationFilter { oidcServerConfig.setJwkSigningUrl(jwkSigningUrl); } - /** - * @param issuer - * @see org.mitre.openid.connect.config.OIDCServerConfiguration#setIssuer(java.lang.String) - */ public void setIssuer(String issuer) { oidcServerConfig.setIssuer(issuer); }
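Review bot: In `handleAuthorizationRequest` the `nonce` claim is set to the constant `NONCE_SIGNATURE_COOKIE_NAME`, so every authorization request carries the same nonce and it cannot bind the returned token to this request or detect replay. Generate it per request, e.g. `String nonce = new BigInteger(130, new SecureRandom()).toString(32);` then `claims.setClaim("nonce", nonce);`, and persist the value (the cookie that constant names is presumably the intended store) so the ID-token nonce can be compared on the callback — that comparison is not in this diff. In the same method a `NoSuchAlgorithmException` from either signer is only passed to `printStackTrace()`, after which `jwt.toString()` is still placed in the `request` parameter and the redirect is sent with an unsigned object; throw (e.g. `throw new IllegalStateException("unable to sign request object", e);`) instead of continuing. Both signers are also constructed with no key material (`new RsaSigner()`, `new HmacSigner()`), so unless their defaults load a key from elsewhere the request object is signed with nothing the server can verify — confirm against the signer classes. `attemptAuthentication` begins outside this hunk.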