more updates to track nimbus-jose-jwt classes and use them properly

openid-connect-server/src/main/java/org/mitre/oauth2/token/JwtAssertionTokenGranter.java

@@ -72,71 +72,64 @@ public class JwtAssertionTokenGranter extends AbstractTokenGranter {
 
 		    // it's an ID token, process it accordingly
 	    	
-	    	// TODO: make this use the idtoken class
+	    	try {
-	    	JWT idToken;
-            try {
-	            idToken = JWTParser.parse(incomingTokenValue);
-            } catch (ParseException e1) {
-	            // TODO Auto-generated catch block
-	            e1.printStackTrace();
-	            return null;
-            }
 	    	
-	    	OAuth2AccessTokenEntity accessToken = tokenServices.getAccessTokenForIdToken(incomingToken);
+		    	// TODO: make this use a more specific idtoken class
-	    	
+		    	JWT idToken = JWTParser.parse(incomingTokenValue);
-	    	if (accessToken != null) {
+		    	
-	    	
+		    	OAuth2AccessTokenEntity accessToken = tokenServices.getAccessTokenForIdToken(incomingToken);
-	    		//OAuth2AccessTokenEntity newIdToken = tokenServices.get
+		    	
-	    		
+		    	if (accessToken != null) {
-	    		OAuth2AccessTokenEntity newIdTokenEntity = new OAuth2AccessTokenEntity();
+		    	
-	    		
+		    		//OAuth2AccessTokenEntity newIdToken = tokenServices.get
-	    		// FIXME: we shouldn't have to roundtrip this through JSON to get it to copy all existing claims
+		    		
-	    		JWTClaimsSet claims;
+		    		OAuth2AccessTokenEntity newIdTokenEntity = new OAuth2AccessTokenEntity();
-                try {
+		    		
-	                claims = JWTClaimsSet.parse(idToken.getJWTClaimsSet().toJSONObject());
+		    		// copy over all existing claims
-                } catch (ParseException e1) {
+		    		JWTClaimsSet claims = new JWTClaimsSet(idToken.getJWTClaimsSet());
-	                // TODO Auto-generated catch block
+	
-	                e1.printStackTrace();
+		    		// update expiration and issued-at claims
-	                return null;
+					if (client.getIdTokenValiditySeconds() != null) {
-                }
+						Date expiration = new Date(System.currentTimeMillis() + (client.getIdTokenValiditySeconds() * 1000L));
-
+						claims.setExpirationTime(expiration);
-	    		// update expiration and issued-at claims
+						newIdTokenEntity.setExpiration(expiration);
-				if (client.getIdTokenValiditySeconds() != null) {
+					}
-					Date expiration = new Date(System.currentTimeMillis() + (client.getIdTokenValiditySeconds() * 1000L));
+					claims.setIssueTime(new Date());
-					claims.setExpirationTime(expiration);
+	
-					newIdTokenEntity.setExpiration(expiration);
+					
-				}
+					SignedJWT newIdToken = new SignedJWT((JWSHeader) idToken.getHeader(), claims);
-				claims.setIssueTime(new Date());
+					try {
-
+		                jwtService.signJwt(newIdToken);
-				
+	                } catch (NoSuchAlgorithmException e) {
-				SignedJWT newIdToken = new SignedJWT((JWSHeader) idToken.getHeader(), claims);
+		                // TODO Auto-generated catch block
-				try {
+		                e.printStackTrace();
-	                jwtService.signJwt(newIdToken);
+	                }
-                } catch (NoSuchAlgorithmException e) {
+					
-	                // TODO Auto-generated catch block
+					newIdTokenEntity.setJwt(newIdToken);
-	                e.printStackTrace();
+					newIdTokenEntity.setAuthenticationHolder(incomingToken.getAuthenticationHolder());
-                }
+					newIdTokenEntity.setScope(incomingToken.getScope());
-				
+					newIdTokenEntity.setClient(incomingToken.getClient());
-				newIdTokenEntity.setJwt(newIdToken);
+					
-				newIdTokenEntity.setAuthenticationHolder(incomingToken.getAuthenticationHolder());
+					newIdTokenEntity = tokenServices.saveAccessToken(newIdTokenEntity);
-				newIdTokenEntity.setScope(incomingToken.getScope());
+	
-				newIdTokenEntity.setClient(incomingToken.getClient());
+					// attach the ID token to the access token entity
-				
+					accessToken.setIdToken(newIdTokenEntity);
-				newIdTokenEntity = tokenServices.saveAccessToken(newIdTokenEntity);
+					accessToken = tokenServices.saveAccessToken(accessToken);
-
+					
-				// attach the ID token to the access token entity
+					// delete the old ID token
-				accessToken.setIdToken(newIdTokenEntity);
+					tokenServices.revokeAccessToken(incomingToken);
-				accessToken = tokenServices.saveAccessToken(accessToken);
+					
-				
+					return newIdTokenEntity;
-				// delete the old ID token
+		    		
-				tokenServices.revokeAccessToken(incomingToken);
+		    	}
-				
+	    	} catch (ParseException e) {
-				return newIdTokenEntity;
+	    		logger.warn("Couldn't parse id token", e);
-	    		
 	    	}
 	    	
 	    }
 	    
+	    // if we got down here, we didn't actually create any tokens, so return null
+	    
 	    return null;
 
 	    /*

openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectAuthorizationRequestManager.java

@@ -33,6 +33,7 @@ import org.springframework.stereotype.Component;
 
 import com.google.common.base.Strings;
 import com.nimbusds.jose.JWSObject;
+import com.nimbusds.jose.util.JSONObjectUtils;
 
 @Component("authorizationRequestManager")
 public class ConnectAuthorizationRequestManager implements AuthorizationRequestManager, InitializingBean {
@@ -172,52 +173,51 @@ public class ConnectAuthorizationRequestManager implements AuthorizationRequestM
 			 * 		we don't care
 			 */
 			
-			// FIXME: all of these are doing raw JSON parsing and don't guarantee good behavior vis a vis strings
+			String responseTypes = JSONObjectUtils.getString(claims, "response_type");
-			String responseTypes = (String) claims.get("response_type");
 			if (responseTypes != null) {
 				parameters.put("response_type", responseTypes);
 			}
 			
-			String clientId = (String) claims.get("client_id");
+			String clientId = JSONObjectUtils.getString(claims, "client_id");
 			if (clientId != null) {
 				parameters.put("client_id", clientId);
 			}
 			
 			if (claims.get("redirect_uri") != null) {
 				if (inputParams.containsKey("redirect_uri") == false) {
-					parameters.put("redirect_uri", (String) claims.get("redirect_uri"));
+					parameters.put("redirect_uri", JSONObjectUtils.getString(claims, "redirect_uri"));
 				}
 			}
 			
-			String state = (String) claims.get("state");
+			String state = JSONObjectUtils.getString(claims, "state");
 			if(state != null) {
 				if (inputParams.containsKey("state") == false) {
 					parameters.put("state", state);
 				}
 			}
 			
-			String nonce = (String) claims.get("nonce");
+			String nonce = JSONObjectUtils.getString(claims, "nonce");
 			if(nonce != null) {
 				if (inputParams.containsKey("nonce") == false) {
 					parameters.put("nonce", nonce);
 				}
 			}
 			
-			String display = (String) claims.get("display");
+			String display = JSONObjectUtils.getString(claims, "display");
 			if (display != null) {
 				if (inputParams.containsKey("display") == false) {
 					parameters.put("display", display);
 				}
 			}
 			
-			String prompt = (String) claims.get("prompt");
+			String prompt = JSONObjectUtils.getString(claims, "prompt");
 			if (prompt != null) {
 				if (inputParams.containsKey("prompt") == false) {
 					parameters.put("prompt", prompt);
 				}
 			}
 			
-			String scope = (String) claims.get("scope");
+			String scope = JSONObjectUtils.getString(claims, "scope");
 			if (scope != null) {
 				if (inputParams.containsKey("scope") == false) {
 					parameters.put("scope", scope);

openid-connect-server/src/main/java/org/mitre/openid/connect/view/JSONUserInfoView.java

@@ -126,11 +126,6 @@ public class JSONUserInfoView extends AbstractView {
 		
 		JsonObject obj = new JsonObject();
 		
-		//The "sub" claim must always be returned from this endpoint
-		obj.addProperty("sub", ui.getSub());
-		
-		//TODO: I think the following should be removed. "sub" replaces "user_id", and according
-		//to the spec it must ALWAYS be returned from this endpoint. 
 		if (scope.contains("openid")) {
 			obj.addProperty("sub", ui.getSub());
 		}