more updates to track nimbus-jose-jwt classes and use them properly
Justin Richer
parent
9a98d241e8
commit
4d725b88dd
|
|
@ -72,71 +72,64 @@ public class JwtAssertionTokenGranter extends AbstractTokenGranter {
|
|||
|
||||
// it's an ID token, process it accordingly
|
||||
|
||||
// TODO: make this use the idtoken class
|
||||
JWT idToken;
|
||||
try {
|
||||
idToken = JWTParser.parse(incomingTokenValue);
|
||||
} catch (ParseException e1) {
|
||||
// TODO Auto-generated catch block
|
||||
e1.printStackTrace();
|
||||
return null;
|
||||
}
|
||||
try {
|
||||
|
||||
OAuth2AccessTokenEntity accessToken = tokenServices.getAccessTokenForIdToken(incomingToken);
|
||||
|
||||
if (accessToken != null) {
|
||||
|
||||
//OAuth2AccessTokenEntity newIdToken = tokenServices.get
|
||||
|
||||
OAuth2AccessTokenEntity newIdTokenEntity = new OAuth2AccessTokenEntity();
|
||||
|
||||
// FIXME: we shouldn't have to roundtrip this through JSON to get it to copy all existing claims
|
||||
JWTClaimsSet claims;
|
||||
try {
|
||||
claims = JWTClaimsSet.parse(idToken.getJWTClaimsSet().toJSONObject());
|
||||
} catch (ParseException e1) {
|
||||
// TODO Auto-generated catch block
|
||||
e1.printStackTrace();
|
||||
return null;
|
||||
}
|
||||
|
||||
// update expiration and issued-at claims
|
||||
if (client.getIdTokenValiditySeconds() != null) {
|
||||
Date expiration = new Date(System.currentTimeMillis() + (client.getIdTokenValiditySeconds() * 1000L));
|
||||
claims.setExpirationTime(expiration);
|
||||
newIdTokenEntity.setExpiration(expiration);
|
||||
}
|
||||
claims.setIssueTime(new Date());
|
||||
|
||||
|
||||
SignedJWT newIdToken = new SignedJWT((JWSHeader) idToken.getHeader(), claims);
|
||||
try {
|
||||
jwtService.signJwt(newIdToken);
|
||||
} catch (NoSuchAlgorithmException e) {
|
||||
// TODO Auto-generated catch block
|
||||
e.printStackTrace();
|
||||
}
|
||||
|
||||
newIdTokenEntity.setJwt(newIdToken);
|
||||
newIdTokenEntity.setAuthenticationHolder(incomingToken.getAuthenticationHolder());
|
||||
newIdTokenEntity.setScope(incomingToken.getScope());
|
||||
newIdTokenEntity.setClient(incomingToken.getClient());
|
||||
|
||||
newIdTokenEntity = tokenServices.saveAccessToken(newIdTokenEntity);
|
||||
|
||||
// attach the ID token to the access token entity
|
||||
accessToken.setIdToken(newIdTokenEntity);
|
||||
accessToken = tokenServices.saveAccessToken(accessToken);
|
||||
|
||||
// delete the old ID token
|
||||
tokenServices.revokeAccessToken(incomingToken);
|
||||
|
||||
return newIdTokenEntity;
|
||||
|
||||
// TODO: make this use a more specific idtoken class
|
||||
JWT idToken = JWTParser.parse(incomingTokenValue);
|
||||
|
||||
OAuth2AccessTokenEntity accessToken = tokenServices.getAccessTokenForIdToken(incomingToken);
|
||||
|
||||
if (accessToken != null) {
|
||||
|
||||
//OAuth2AccessTokenEntity newIdToken = tokenServices.get
|
||||
|
||||
OAuth2AccessTokenEntity newIdTokenEntity = new OAuth2AccessTokenEntity();
|
||||
|
||||
// copy over all existing claims
|
||||
JWTClaimsSet claims = new JWTClaimsSet(idToken.getJWTClaimsSet());
|
||||
|
||||
// update expiration and issued-at claims
|
||||
if (client.getIdTokenValiditySeconds() != null) {
|
||||
Date expiration = new Date(System.currentTimeMillis() + (client.getIdTokenValiditySeconds() * 1000L));
|
||||
claims.setExpirationTime(expiration);
|
||||
newIdTokenEntity.setExpiration(expiration);
|
||||
}
|
||||
claims.setIssueTime(new Date());
|
||||
|
||||
|
||||
SignedJWT newIdToken = new SignedJWT((JWSHeader) idToken.getHeader(), claims);
|
||||
try {
|
||||
jwtService.signJwt(newIdToken);
|
||||
} catch (NoSuchAlgorithmException e) {
|
||||
// TODO Auto-generated catch block
|
||||
e.printStackTrace();
|
||||
}
|
||||
|
||||
newIdTokenEntity.setJwt(newIdToken);
|
||||
newIdTokenEntity.setAuthenticationHolder(incomingToken.getAuthenticationHolder());
|
||||
newIdTokenEntity.setScope(incomingToken.getScope());
|
||||
newIdTokenEntity.setClient(incomingToken.getClient());
|
||||
|
||||
newIdTokenEntity = tokenServices.saveAccessToken(newIdTokenEntity);
|
||||
|
||||
// attach the ID token to the access token entity
|
||||
accessToken.setIdToken(newIdTokenEntity);
|
||||
accessToken = tokenServices.saveAccessToken(accessToken);
|
||||
|
||||
// delete the old ID token
|
||||
tokenServices.revokeAccessToken(incomingToken);
|
||||
|
||||
return newIdTokenEntity;
|
||||
|
||||
}
|
||||
} catch (ParseException e) {
|
||||
logger.warn("Couldn't parse id token", e);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
// if we got down here, we didn't actually create any tokens, so return null
|
||||
|
||||
return null;
|
||||
|
||||
/*
|
||||
|
|
|
|||
|
|
@ -33,6 +33,7 @@ import org.springframework.stereotype.Component;
|
|||
|
||||
import com.google.common.base.Strings;
|
||||
import com.nimbusds.jose.JWSObject;
|
||||
import com.nimbusds.jose.util.JSONObjectUtils;
|
||||
|
||||
@Component("authorizationRequestManager")
|
||||
public class ConnectAuthorizationRequestManager implements AuthorizationRequestManager, InitializingBean {
|
||||
|
|
@ -172,52 +173,51 @@ public class ConnectAuthorizationRequestManager implements AuthorizationRequestM
|
|||
* we don't care
|
||||
*/
|
||||
|
||||
// FIXME: all of these are doing raw JSON parsing and don't guarantee good behavior vis a vis strings
|
||||
String responseTypes = (String) claims.get("response_type");
|
||||
String responseTypes = JSONObjectUtils.getString(claims, "response_type");
|
||||
if (responseTypes != null) {
|
||||
parameters.put("response_type", responseTypes);
|
||||
}
|
||||
|
||||
String clientId = (String) claims.get("client_id");
|
||||
String clientId = JSONObjectUtils.getString(claims, "client_id");
|
||||
if (clientId != null) {
|
||||
parameters.put("client_id", clientId);
|
||||
}
|
||||
|
||||
if (claims.get("redirect_uri") != null) {
|
||||
if (inputParams.containsKey("redirect_uri") == false) {
|
||||
parameters.put("redirect_uri", (String) claims.get("redirect_uri"));
|
||||
parameters.put("redirect_uri", JSONObjectUtils.getString(claims, "redirect_uri"));
|
||||
}
|
||||
}
|
||||
|
||||
String state = (String) claims.get("state");
|
||||
String state = JSONObjectUtils.getString(claims, "state");
|
||||
if(state != null) {
|
||||
if (inputParams.containsKey("state") == false) {
|
||||
parameters.put("state", state);
|
||||
}
|
||||
}
|
||||
|
||||
String nonce = (String) claims.get("nonce");
|
||||
String nonce = JSONObjectUtils.getString(claims, "nonce");
|
||||
if(nonce != null) {
|
||||
if (inputParams.containsKey("nonce") == false) {
|
||||
parameters.put("nonce", nonce);
|
||||
}
|
||||
}
|
||||
|
||||
String display = (String) claims.get("display");
|
||||
String display = JSONObjectUtils.getString(claims, "display");
|
||||
if (display != null) {
|
||||
if (inputParams.containsKey("display") == false) {
|
||||
parameters.put("display", display);
|
||||
}
|
||||
}
|
||||
|
||||
String prompt = (String) claims.get("prompt");
|
||||
String prompt = JSONObjectUtils.getString(claims, "prompt");
|
||||
if (prompt != null) {
|
||||
if (inputParams.containsKey("prompt") == false) {
|
||||
parameters.put("prompt", prompt);
|
||||
}
|
||||
}
|
||||
|
||||
String scope = (String) claims.get("scope");
|
||||
String scope = JSONObjectUtils.getString(claims, "scope");
|
||||
if (scope != null) {
|
||||
if (inputParams.containsKey("scope") == false) {
|
||||
parameters.put("scope", scope);
|
||||
|
|
|
|||
|
|
@ -126,11 +126,6 @@ public class JSONUserInfoView extends AbstractView {
|
|||
|
||||
JsonObject obj = new JsonObject();
|
||||
|
||||
//The "sub" claim must always be returned from this endpoint
|
||||
obj.addProperty("sub", ui.getSub());
|
||||
|
||||
//TODO: I think the following should be removed. "sub" replaces "user_id", and according
|
||||
//to the spec it must ALWAYS be returned from this endpoint.
|
||||
if (scope.contains("openid")) {
|
||||
obj.addProperty("sub", ui.getSub());
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue