github
/
OpenID-Connect-Java-Spring-Server
mirror of https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

added token_endpoint_auth_signing_alg, addresses #511 

affects #455
pull/516/head
Justin Richer 2013-09-26 11:11:09 -04:00
parent 0691c98183
commit 59da1960eb
11 changed files with 116 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
openid-connect-common/src/main/java/org/mitre/oauth2/model/ClientDetailsEntity.java
View File

@ -111,6 +111,8 @@ public class ClientDetailsEntity implements ClientDetails {
private JWEAlgorithmEmbed idTokenEncryptedResponseAlg = null; // id_token_encrypted_response_alg private JWEAlgorithmEmbed idTokenEncryptedResponseAlg = null; // id_token_encrypted_response_alg
private JWEEncryptionMethodEmbed idTokenEncryptedResponseEnc = null; // id_token_encrypted_response_enc private JWEEncryptionMethodEmbed idTokenEncryptedResponseEnc = null; // id_token_encrypted_response_enc
private JWSAlgorithmEmbed tokenEndpointAuthSigningAlg = null; // token_endpoint_auth_signing_alg
private Integer defaultMaxAge; // default_max_age private Integer defaultMaxAge; // default_max_age
private Boolean requireAuthTime; // require_auth_time private Boolean requireAuthTime; // require_auth_time
private Set<String> defaultACRvalues; // default_acr_values private Set<String> defaultACRvalues; // default_acr_values
@ -772,6 +774,17 @@ public class ClientDetailsEntity implements ClientDetails {
this.idTokenEncryptedResponseEnc = idTokenEncryptedResponseEnc; this.idTokenEncryptedResponseEnc = idTokenEncryptedResponseEnc;
} }
@Embedded
@AttributeOverrides({
@AttributeOverride(name = "algorithmName", column=@Column(name="token_endpoint_auth_signing_alg"))
})
public JWSAlgorithmEmbed getTokenEndpointAuthSigningAlgEmbed() {
return tokenEndpointAuthSigningAlg;
}
public void setTokenEndpointAuthSigningAlgEmbed(JWSAlgorithmEmbed tokenEndpointAuthSigningAlgEmbed) {
this.tokenEndpointAuthSigningAlg = tokenEndpointAuthSigningAlgEmbed;
}
// //
// Transient passthrough methods for JOSE elements // Transient passthrough methods for JOSE elements
@ -868,6 +881,21 @@ public class ClientDetailsEntity implements ClientDetails {
this.idTokenEncryptedResponseEnc = new JWEEncryptionMethodEmbed(idTokenEncryptedResponseEnc); this.idTokenEncryptedResponseEnc = new JWEEncryptionMethodEmbed(idTokenEncryptedResponseEnc);
} }
@Transient
public JWSAlgorithm getTokenEndpointAuthSigningAlg() {
if (tokenEndpointAuthSigningAlg != null) {
return tokenEndpointAuthSigningAlg.getAlgorithm();
} else {
return null;
}
}
public void setTokenEndpointAuthSigningAlg(JWSAlgorithm tokenEndpointAuthSigningAlg) {
this.tokenEndpointAuthSigningAlg = new JWSAlgorithmEmbed(tokenEndpointAuthSigningAlg);
}
// END Transient JOSE methods
@Basic @Basic
@Column(name="default_max_age") @Column(name="default_max_age")
public Integer getDefaultMaxAge() { public Integer getDefaultMaxAge() {

32
openid-connect-common/src/main/java/org/mitre/oauth2/model/RegisteredClient.java
View File

@ -799,6 +799,38 @@ public class RegisteredClient {
client.setIdTokenEncryptedResponseEnc(idTokenEncryptedResponseEnc); client.setIdTokenEncryptedResponseEnc(idTokenEncryptedResponseEnc);
} }
/**
* @return
* @see org.mitre.oauth2.model.ClientDetailsEntity#getTokenEndpointAuthSigningAlgEmbed()
*/
public JWSAlgorithmEmbed getTokenEndpointAuthSigningAlgEmbed() {
return client.getTokenEndpointAuthSigningAlgEmbed();
}
/**
* @param tokenEndpointAuthSigningAlgEmbed
* @see org.mitre.oauth2.model.ClientDetailsEntity#setTokenEndpointAuthSigningAlgEmbed(org.mitre.jose.JWSAlgorithmEmbed)
*/
public void setTokenEndpointAuthSigningAlgEmbed(JWSAlgorithmEmbed tokenEndpointAuthSigningAlgEmbed) {
client.setTokenEndpointAuthSigningAlgEmbed(tokenEndpointAuthSigningAlgEmbed);
}
/**
* @return
* @see org.mitre.oauth2.model.ClientDetailsEntity#getTokenEndpointAuthSigningAlg()
*/
public JWSAlgorithm getTokenEndpointAuthSigningAlg() {
return client.getTokenEndpointAuthSigningAlg();
}
/**
* @param tokenEndpointAuthSigningAlg
* @see org.mitre.oauth2.model.ClientDetailsEntity#setTokenEndpointAuthSigningAlg(com.nimbusds.jose.JWSAlgorithm)
*/
public void setTokenEndpointAuthSigningAlg(JWSAlgorithm tokenEndpointAuthSigningAlg) {
client.setTokenEndpointAuthSigningAlg(tokenEndpointAuthSigningAlg);
}
/** /**
* @return * @return
* @see org.mitre.oauth2.model.ClientDetailsEntity#getCreatedAt() * @see org.mitre.oauth2.model.ClientDetailsEntity#getCreatedAt()

3
openid-connect-common/src/main/java/org/mitre/openid/connect/ClientDetailsEntityJsonProcessor.java
View File

@ -111,6 +111,8 @@ public class ClientDetailsEntityJsonProcessor {
c.setIdTokenEncryptedResponseAlg(getAsJweAlgorithm(o, "id_token_encrypted_response_alg")); c.setIdTokenEncryptedResponseAlg(getAsJweAlgorithm(o, "id_token_encrypted_response_alg"));
c.setIdTokenEncryptedResponseEnc(getAsJweEncryptionMethod(o, "id_token_encrypted_response_enc")); c.setIdTokenEncryptedResponseEnc(getAsJweEncryptionMethod(o, "id_token_encrypted_response_enc"));
c.setTokenEndpointAuthSigningAlg(getAsJwsAlgorithm(o, "token_endpoint_auth_signing_alg"));
if (o.has("default_max_age")) { if (o.has("default_max_age")) {
if (o.get("default_max_age").isJsonPrimitive()) { if (o.get("default_max_age").isJsonPrimitive()) {
c.setDefaultMaxAge(o.get("default_max_age").getAsInt()); c.setDefaultMaxAge(o.get("default_max_age").getAsInt());
@ -220,6 +222,7 @@ public class ClientDetailsEntityJsonProcessor {
o.addProperty("id_token_signed_response_alg", c.getIdTokenSignedResponseAlg() != null ? c.getIdTokenSignedResponseAlg().getName() : null); o.addProperty("id_token_signed_response_alg", c.getIdTokenSignedResponseAlg() != null ? c.getIdTokenSignedResponseAlg().getName() : null);
o.addProperty("id_token_encrypted_response_alg", c.getIdTokenEncryptedResponseAlg() != null ? c.getIdTokenEncryptedResponseAlg().getName() : null); o.addProperty("id_token_encrypted_response_alg", c.getIdTokenEncryptedResponseAlg() != null ? c.getIdTokenEncryptedResponseAlg().getName() : null);
o.addProperty("id_token_encrypted_response_enc", c.getIdTokenEncryptedResponseEnc() != null ? c.getIdTokenEncryptedResponseEnc().getName() : null); o.addProperty("id_token_encrypted_response_enc", c.getIdTokenEncryptedResponseEnc() != null ? c.getIdTokenEncryptedResponseEnc().getName() : null);
o.addProperty("token_endpoint_auth_signing_alg", c.getTokenEndpointAuthSigningAlg() != null ? c.getTokenEndpointAuthSigningAlg().getName() : null);
o.addProperty("default_max_age", c.getDefaultMaxAge()); o.addProperty("default_max_age", c.getDefaultMaxAge());
o.addProperty("require_auth_time", c.getRequireAuthTime()); o.addProperty("require_auth_time", c.getRequireAuthTime());
o.add("default_acr_values", getAsArray(c.getDefaultACRvalues())); o.add("default_acr_values", getAsArray(c.getDefaultACRvalues()));

2
openid-connect-server-webapp/src/main/resources/db/tables/hsql_database_tables.sql
View File

@ -108,6 +108,8 @@ CREATE TABLE IF NOT EXISTS client_details (
id_token_encrypted_response_alg VARCHAR(256), id_token_encrypted_response_alg VARCHAR(256),
id_token_encrypted_response_enc VARCHAR(256), id_token_encrypted_response_enc VARCHAR(256),
token_endpoint_auth_signing_alg VARCHAR(256),
default_max_age BIGINT, default_max_age BIGINT,
require_auth_time BOOLEAN, require_auth_time BOOLEAN,
created_at TIMESTAMP, created_at TIMESTAMP,

2
openid-connect-server-webapp/src/main/resources/db/tables/mysql_database_tables.sql
View File

@ -108,6 +108,8 @@ CREATE TABLE IF NOT EXISTS client_details (
id_token_encrypted_response_alg VARCHAR(256), id_token_encrypted_response_alg VARCHAR(256),
id_token_encrypted_response_enc VARCHAR(256), id_token_encrypted_response_enc VARCHAR(256),
token_endpoint_auth_signing_alg VARCHAR(256),
default_max_age BIGINT, default_max_age BIGINT,
require_auth_time BOOLEAN, require_auth_time BOOLEAN,
created_at TIMESTAMP NULL, created_at TIMESTAMP NULL,

2
openid-connect-server-webapp/src/main/resources/db/upgrade/hsql_1.0-to-1.1_upgrade.sql
View File

@ -16,6 +16,8 @@ ALTER TABLE client_details ALTER COLUMN id_token_validity_seconds SET NOT NULL;
ALTER TABLE client_details ALTER COLUMN id_token_validity_seconds SET DEFAULT 600; ALTER TABLE client_details ALTER COLUMN id_token_validity_seconds SET DEFAULT 600;
ALTER TABLE client_details ADD COLUMN token_endpoint_auth_signing_alg VARCHAR(256);
ALTER TABLE system_scope ADD COLUMN structured BOOLEAN NOT NULL DEFAULT false; ALTER TABLE system_scope ADD COLUMN structured BOOLEAN NOT NULL DEFAULT false;
ALTER TABLE system_scope ADD COLUMN structured_param_description VARCHAR(256); ALTER TABLE system_scope ADD COLUMN structured_param_description VARCHAR(256);

2
openid-connect-server-webapp/src/main/resources/db/upgrade/mysql_1.0-to-1.1_upgrade.sql
View File

@ -14,6 +14,8 @@ ALTER TABLE authorization_code ADD COLUMN authentication LONGBLOB;
ALTER TABLE client_details MODIFY id_token_validity_seconds BIGINT NOT NULL DEFAULT 600; ALTER TABLE client_details MODIFY id_token_validity_seconds BIGINT NOT NULL DEFAULT 600;
ALTER TABLE client_details ADD COLUMN token_endpoint_auth_signing_alg VARCHAR(256);
ALTER TABLE system_scope ADD COLUMN structured BOOLEAN NOT NULL DEFAULT 0; ALTER TABLE system_scope ADD COLUMN structured BOOLEAN NOT NULL DEFAULT 0;
ALTER TABLE system_scope ADD COLUMN structured_param_description VARCHAR(256); ALTER TABLE system_scope ADD COLUMN structured_param_description VARCHAR(256);

6
openid-connect-server-webapp/src/main/webapp/resources/js/client.js
View File

@ -63,6 +63,8 @@ var ClientModel = Backbone.Model.extend({
idTokenEncryptedResponseAlg:null, idTokenEncryptedResponseAlg:null,
idTokenEncryptedResponseEnc:null, idTokenEncryptedResponseEnc:null,
tokenEndpointAuthSigningAlg:null,
defaultMaxAge:60000, defaultMaxAge:60000,
requireAuthTime:false, requireAuthTime:false,
defaultACRvalues:null, defaultACRvalues:null,
@ -526,7 +528,8 @@ var ClientFormView = Backbone.View.extend({
userInfoEncryptedResponseEnc: this.defaultToNull($('#userInfoEncryptedResponseEnc select').val()), userInfoEncryptedResponseEnc: this.defaultToNull($('#userInfoEncryptedResponseEnc select').val()),
idTokenSignedResponseAlg: this.defaultToNull($('#idTokenSignedResponseAlg select').val()), idTokenSignedResponseAlg: this.defaultToNull($('#idTokenSignedResponseAlg select').val()),
idTokenEncryptedResponseAlg: this.defaultToNull($('#idTokenEncryptedResponseAlg select').val()), idTokenEncryptedResponseAlg: this.defaultToNull($('#idTokenEncryptedResponseAlg select').val()),
idTokenEncryptedResponseEnc: this.defaultToNull($('#idTokenEncryptedResponseEnc select').val()) idTokenEncryptedResponseEnc: this.defaultToNull($('#idTokenEncryptedResponseEnc select').val()),
tokenEndpointAuthSigningAlg: this.defaultToNull($('#tokenEndpointAuthSigningAlg select').val())
}; };
// post-validate // post-validate
@ -661,6 +664,7 @@ var ClientFormView = Backbone.View.extend({
this.disableUnsupportedJOSEItems(app.serverConfiguration.id_token_signing_alg_values_supported, '#idTokenSignedResponseAlg option'); this.disableUnsupportedJOSEItems(app.serverConfiguration.id_token_signing_alg_values_supported, '#idTokenSignedResponseAlg option');
this.disableUnsupportedJOSEItems(app.serverConfiguration.id_token_encryption_alg_values_supported, '#idTokenEncryptedResponseAlg option'); this.disableUnsupportedJOSEItems(app.serverConfiguration.id_token_encryption_alg_values_supported, '#idTokenEncryptedResponseAlg option');
this.disableUnsupportedJOSEItems(app.serverConfiguration.id_token_encryption_enc_values_supported, '#idTokenEncryptedResponseEnc option'); this.disableUnsupportedJOSEItems(app.serverConfiguration.id_token_encryption_enc_values_supported, '#idTokenEncryptedResponseEnc option');
this.disableUnsupportedJOSEItems(app.serverConfiguration.token_endpoint_auth_signing_alg_values_supported, '#tokenEndpointAuthSigningAlg option');
this.$('.nyi').clickover({ this.$('.nyi').clickover({
placement: 'right', placement: 'right',

4
openid-connect-server-webapp/src/main/webapp/resources/js/dynreg.js
View File

@ -287,7 +287,8 @@ var DynRegEditView = Backbone.View.extend({
userinfo_encrypted_response_enc: this.defaultToNull($('#userInfoEncryptedResponseEnc select').val()), userinfo_encrypted_response_enc: this.defaultToNull($('#userInfoEncryptedResponseEnc select').val()),
id_token_signed_response_alg: this.defaultToNull($('#idTokenSignedResponseAlg select').val()), id_token_signed_response_alg: this.defaultToNull($('#idTokenSignedResponseAlg select').val()),
id_token_encrypted_response_alg: this.defaultToNull($('#idTokenEncryptedResponseAlg select').val()), id_token_encrypted_response_alg: this.defaultToNull($('#idTokenEncryptedResponseAlg select').val()),
id_token_encrypted_response_enc: this.defaultToNull($('#idTokenEncryptedResponseEnc select').val()) id_token_encrypted_response_enc: this.defaultToNull($('#idTokenEncryptedResponseEnc select').val()),
token_endpoint_auth_signing_alg: this.defaultToNull($('#tokenEndpointAuthSigningAlg select').val())
}; };
// set all empty strings to nulls // set all empty strings to nulls
@ -394,6 +395,7 @@ var DynRegEditView = Backbone.View.extend({
this.disableUnsupportedJOSEItems(app.serverConfiguration.id_token_signing_alg_values_supported, '#idTokenSignedResponseAlg option'); this.disableUnsupportedJOSEItems(app.serverConfiguration.id_token_signing_alg_values_supported, '#idTokenSignedResponseAlg option');
this.disableUnsupportedJOSEItems(app.serverConfiguration.id_token_encryption_alg_values_supported, '#idTokenEncryptedResponseAlg option'); this.disableUnsupportedJOSEItems(app.serverConfiguration.id_token_encryption_alg_values_supported, '#idTokenEncryptedResponseAlg option');
this.disableUnsupportedJOSEItems(app.serverConfiguration.id_token_encryption_enc_values_supported, '#idTokenEncryptedResponseEnc option'); this.disableUnsupportedJOSEItems(app.serverConfiguration.id_token_encryption_enc_values_supported, '#idTokenEncryptedResponseEnc option');
this.disableUnsupportedJOSEItems(app.serverConfiguration.token_endpoint_auth_signing_alg_values_supported, '#tokenEndpointAuthSigningAlg option');
this.$('.nyi').clickover({ this.$('.nyi').clickover({
placement: 'right', placement: 'right',

19
openid-connect-server-webapp/src/main/webapp/resources/template/client.html
View File

@ -566,6 +566,25 @@
</div> </div>
</div> </div>
<div class="control-group" id="tokenEndpointAuthSigningAlg">
<label class="control-label">Token Endpoint Authentication Signing Algorithm</label>
<div class="controls">
<select>
<option value="default" <%=tokenEndpointAuthSigningAlg == null ? 'selected ' : ''%>>Use server default</option>
<option value="none" <%=tokenEndpointAuthSigningAlg == "none" ? 'selected' : ''%>>No digital signature</option>
<option value="HS256" <%=tokenEndpointAuthSigningAlg == "HS256" ? 'selected' : ''%>>HMAC using SHA-256 hash algorithm</option>
<option value="HS384" <%=tokenEndpointAuthSigningAlg == "HS384" ? 'selected' : ''%>>HMAC using SHA-384 hash algorithm</option>
<option value="HS512" <%=tokenEndpointAuthSigningAlg == "HS512" ? 'selected' : ''%>>HMAC using SHA-512 hash algorithm</option>
<option value="RS256" <%=tokenEndpointAuthSigningAlg == "RS256" ? 'selected' : ''%>>RSASSA using SHA-256 hash algorithm</option>
<option value="RS384" <%=tokenEndpointAuthSigningAlg == "RS384" ? 'selected' : ''%>>RSASSA using SHA-384 hash algorithm</option>
<option value="RS512" <%=tokenEndpointAuthSigningAlg == "RS512" ? 'selected' : ''%>>RSASSA using SHA-512 hash algorithm</option>
<option value="ES256" <%=tokenEndpointAuthSigningAlg == "ES256" ? 'selected' : ''%>>ECDSA using P-256 curve and SHA-256 hash algorithm</option>
<option value="ES384" <%=tokenEndpointAuthSigningAlg == "ES384" ? 'selected' : ''%>>ECDSA using P-384 curve and SHA-384 hash algorithm</option>
<option value="ES512" <%=tokenEndpointAuthSigningAlg == "ES512" ? 'selected' : ''%>>ECDSA using P-512 curve and SHA-512 hash algorithm</option>
</select>
</div>
</div>
</div> </div>
<div class="tab-pane" id="client-other-tab"> <div class="tab-pane" id="client-other-tab">

18
openid-connect-server-webapp/src/main/webapp/resources/template/dynreg.html
View File

@ -473,6 +473,24 @@
</div> </div>
</div> </div>
<div class="control-group" id="tokenEndpointAuthSigningAlg">
<label class="control-label">Token Endpoint Authentication Signing Algorithm</label>
<div class="controls">
<select>
<option value="default" <%=client.token_endpoint_auth_signing_alg == null ? 'selected ' : ''%>>Use server default</option>
<option value="none" <%=client.token_endpoint_auth_signing_alg == "none" ? 'selected' : ''%>>No digital signature</option>
<option value="HS256" <%=client.token_endpoint_auth_signing_alg == "HS256" ? 'selected' : ''%>>HMAC using SHA-256 hash algorithm</option>
<option value="HS384" <%=client.token_endpoint_auth_signing_alg == "HS384" ? 'selected' : ''%>>HMAC using SHA-384 hash algorithm</option>
<option value="HS512" <%=client.token_endpoint_auth_signing_alg == "HS512" ? 'selected' : ''%>>HMAC using SHA-512 hash algorithm</option>
<option value="RS256" <%=client.token_endpoint_auth_signing_alg == "RS256" ? 'selected' : ''%>>RSASSA using SHA-256 hash algorithm</option>
<option value="RS384" <%=client.token_endpoint_auth_signing_alg == "RS384" ? 'selected' : ''%>>RSASSA using SHA-384 hash algorithm</option>
<option value="RS512" <%=client.token_endpoint_auth_signing_alg == "RS512" ? 'selected' : ''%>>RSASSA using SHA-512 hash algorithm</option>
<option value="ES256" <%=client.token_endpoint_auth_signing_alg == "ES256" ? 'selected' : ''%>>ECDSA using P-256 curve and SHA-256 hash algorithm</option>
<option value="ES384" <%=client.token_endpoint_auth_signing_alg == "ES384" ? 'selected' : ''%>>ECDSA using P-384 curve and SHA-384 hash algorithm</option>
<option value="ES512" <%=client.token_endpoint_auth_signing_alg == "ES512" ? 'selected' : ''%>>ECDSA using P-512 curve and SHA-512 hash algorithm</option>
</select>
</div>
</div>
</div> </div>
<div class="tab-pane" id="client-other-tab"> <div class="tab-pane" id="client-other-tab">