diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/token/JwtAssertionTokenGranter.java b/openid-connect-server/src/main/java/org/mitre/oauth2/token/JwtAssertionTokenGranter.java
index 06df5331f..8e7a6268d 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/token/JwtAssertionTokenGranter.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/token/JwtAssertionTokenGranter.java
@@ -72,71 +72,64 @@ public class JwtAssertionTokenGranter extends AbstractTokenGranter { // it's an ID token, process it accordingly - // TODO: make this use the idtoken class - JWT idToken; - try { - idToken = JWTParser.parse(incomingTokenValue); - } catch (ParseException e1) { - // TODO Auto-generated catch block - e1.printStackTrace(); - return null; - } + try { - OAuth2AccessTokenEntity accessToken = tokenServices.getAccessTokenForIdToken(incomingToken); - - if (accessToken != null) { - - //OAuth2AccessTokenEntity newIdToken = tokenServices.get - - OAuth2AccessTokenEntity newIdTokenEntity = new OAuth2AccessTokenEntity(); - - // FIXME: we shouldn't have to roundtrip this through JSON to get it to copy all existing claims - JWTClaimsSet claims; - try { - claims = JWTClaimsSet.parse(idToken.getJWTClaimsSet().toJSONObject()); - } catch (ParseException e1) { - // TODO Auto-generated catch block - e1.printStackTrace(); - return null; - } - - // update expiration and issued-at claims - if (client.getIdTokenValiditySeconds() != null) { - Date expiration = new Date(System.currentTimeMillis() + (client.getIdTokenValiditySeconds() * 1000L)); - claims.setExpirationTime(expiration); - newIdTokenEntity.setExpiration(expiration); - } - claims.setIssueTime(new Date()); - - - SignedJWT newIdToken = new SignedJWT((JWSHeader) idToken.getHeader(), claims); - try { - jwtService.signJwt(newIdToken); - } catch (NoSuchAlgorithmException e) { - // TODO Auto-generated catch block - e.printStackTrace(); - } - - newIdTokenEntity.setJwt(newIdToken); - newIdTokenEntity.setAuthenticationHolder(incomingToken.getAuthenticationHolder()); - newIdTokenEntity.setScope(incomingToken.getScope()); - newIdTokenEntity.setClient(incomingToken.getClient()); - - newIdTokenEntity = tokenServices.saveAccessToken(newIdTokenEntity); - - // attach the ID token to the access token entity - accessToken.setIdToken(newIdTokenEntity); - accessToken = tokenServices.saveAccessToken(accessToken); - - // delete the old 
ID token - tokenServices.revokeAccessToken(incomingToken); - - return newIdTokenEntity; - + // TODO: make this use a more specific idtoken class + JWT idToken = JWTParser.parse(incomingTokenValue); + + OAuth2AccessTokenEntity accessToken = tokenServices.getAccessTokenForIdToken(incomingToken); + + if (accessToken != null) { + + //OAuth2AccessTokenEntity newIdToken = tokenServices.get + + OAuth2AccessTokenEntity newIdTokenEntity = new OAuth2AccessTokenEntity(); + + // copy over all existing claims + JWTClaimsSet claims = new JWTClaimsSet(idToken.getJWTClaimsSet()); + + // update expiration and issued-at claims + if (client.getIdTokenValiditySeconds() != null) { + Date expiration = new Date(System.currentTimeMillis() + (client.getIdTokenValiditySeconds() * 1000L)); + claims.setExpirationTime(expiration); + newIdTokenEntity.setExpiration(expiration); + } + claims.setIssueTime(new Date()); + + + SignedJWT newIdToken = new SignedJWT((JWSHeader) idToken.getHeader(), claims); + try { + jwtService.signJwt(newIdToken); + } catch (NoSuchAlgorithmException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } + + newIdTokenEntity.setJwt(newIdToken); + newIdTokenEntity.setAuthenticationHolder(incomingToken.getAuthenticationHolder()); + newIdTokenEntity.setScope(incomingToken.getScope()); + newIdTokenEntity.setClient(incomingToken.getClient()); + + newIdTokenEntity = tokenServices.saveAccessToken(newIdTokenEntity); + + // attach the ID token to the access token entity + accessToken.setIdToken(newIdTokenEntity); + accessToken = tokenServices.saveAccessToken(accessToken); + + // delete the old ID token + tokenServices.revokeAccessToken(incomingToken); + + return newIdTokenEntity; + + } + } catch (ParseException e) { + logger.warn("Couldn't parse id token", e); } } + // if we got down here, we didn't actually create any tokens, so return null + return null; /* 
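Review bot: The `NoSuchAlgorithmException` catch kept inside the new try block still only calls `e.printStackTrace()` and falls through, so when signing fails the unsigned `newIdToken` is stored with `setJwt`, saved, attached to the access token, and the incoming ID token is revoked. That catch should abort the exchange the same way the new `ParseException` handling does, e.g. `} catch (NoSuchAlgorithmException e) { logger.error("Couldn't sign new id token", e); return null; }`. Separately, `(JWSHeader) idToken.getHeader()` assumes `JWTParser.parse` produced a signed JWT; a plain or encrypted token would presumably fail that cast with a `ClassCastException`, which the `ParseException` catch does not cover, so an `instanceof SignedJWT` check before the cast would be safer. The enclosing method begins before this hunk, and the `/*` on its last line opens a comment that continues past it.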
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectAuthorizationRequestManager.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectAuthorizationRequestManager.java
index 387f6dca0..cfd29fd38 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectAuthorizationRequestManager.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectAuthorizationRequestManager.java
@@ -33,6 +33,7 @@ import org.springframework.stereotype.Component;
 import com.google.common.base.Strings;
 import com.nimbusds.jose.JWSObject;
+import com.nimbusds.jose.util.JSONObjectUtils;
 @Component("authorizationRequestManager")
 public class ConnectAuthorizationRequestManager implements AuthorizationRequestManager, InitializingBean {
@@ -172,52 +173,51 @@ public class ConnectAuthorizationRequestManager implements AuthorizationRequestM * we don't care */ - // FIXME: all of these are doing raw JSON parsing and don't guarantee good behavior vis a vis strings - String responseTypes = (String) claims.get("response_type"); + String responseTypes = JSONObjectUtils.getString(claims, "response_type"); if (responseTypes != null) { parameters.put("response_type", responseTypes); } - String clientId = (String) claims.get("client_id"); + String clientId = JSONObjectUtils.getString(claims, "client_id"); if (clientId != null) { parameters.put("client_id", clientId); } if (claims.get("redirect_uri") != null) { if (inputParams.containsKey("redirect_uri") == false) { - parameters.put("redirect_uri", (String) claims.get("redirect_uri")); + parameters.put("redirect_uri", JSONObjectUtils.getString(claims, "redirect_uri")); } } - String state = (String) claims.get("state"); + String state = JSONObjectUtils.getString(claims, "state"); if(state != null) { if (inputParams.containsKey("state") == false) { parameters.put("state", state); } } - String nonce = (String) claims.get("nonce"); + String nonce = JSONObjectUtils.getString(claims, "nonce"); if(nonce != null) { if (inputParams.containsKey("nonce") == false) { parameters.put("nonce", nonce); } } - String display = (String) claims.get("display"); + String display = JSONObjectUtils.getString(claims, "display"); if (display != null) { if (inputParams.containsKey("display") == false) { parameters.put("display", display); } } - String prompt = (String) claims.get("prompt"); + String prompt = JSONObjectUtils.getString(claims, "prompt"); if (prompt != null) { if (inputParams.containsKey("prompt") == false) { parameters.put("prompt", prompt); } } - String scope = (String) claims.get("scope"); + String scope = JSONObjectUtils.getString(claims, "scope"); if (scope != null) { if (inputParams.containsKey("scope") == false) { parameters.put("scope", scope); 
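Review bot: `JSONObjectUtils.getString` throws `ParseException` where the old cast threw `ClassCastException`, and depending on the nimbus-jose-jwt version in use it may also throw for a member that is simply absent; if it does, the `!= null` checks after each call never see a null and a request object lacking an optional claim such as `nonce` or `display` aborts the whole request instead of being ignored, so the missing-member behaviour should be confirmed against the library version the project builds with. The enclosing method starts and ends outside this hunk, so whether that `ParseException` is declared or caught there cannot be seen here. The `redirect_uri` branch is also the one claim not converted consistently: it still tests `claims.get("redirect_uri") != null` and only then calls `getString`, so a non-string value passes the null check and fails inside the put; reading it like the others, `String redirectUri = JSONObjectUtils.getString(claims, "redirect_uri");` followed by `if (redirectUri != null && !inputParams.containsKey("redirect_uri")) { parameters.put("redirect_uri", redirectUri); }`, keeps the type check in one place.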
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/view/JSONUserInfoView.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/view/JSONUserInfoView.java
index c3645ec71..eac1e3fc3 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/view/JSONUserInfoView.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/view/JSONUserInfoView.java
@@ -126,11 +126,6 @@ public class JSONUserInfoView extends AbstractView {
 JsonObject obj = new JsonObject();
-//The "sub" claim must always be returned from this endpoint
-obj.addProperty("sub", ui.getSub());
-
-//TODO: I think the following should be removed. "sub" replaces "user_id", and according
-//to the spec it must ALWAYS be returned from this endpoint.
 if (scope.contains("openid")) {
 obj.addProperty("sub", ui.getSub());
 }
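Review bot: After this change `sub` is emitted only when `scope` contains `openid`, while the removed comment (and the spec it cites) say the UserInfo response must always carry `sub`. If this view can render for a token whose scope lacks `openid`, the response now has no subject identifier, which a relying party would likely reject; if the endpoint already refuses such tokens before reaching here, that guarantee is not visible in this hunk. Either keep the unconditional `obj.addProperty("sub", ui.getSub());` ahead of the `if`, or add a comment on the `if` such as `// sub is required on every response; callers guarantee scope contains "openid"` naming where that guarantee comes from. The enclosing method starts outside the hunk.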