diff --git a/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/IntrospectingTokenService.java b/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/IntrospectingTokenService.java
index 96b1e494e..8d8b49307 100644
--- a/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/IntrospectingTokenService.java
+++ b/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/IntrospectingTokenService.java
@@ -23,7 +23,6 @@ import java.util.Map;
 import org.slf4j.LoggerFactory;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
 import org.springframework.security.oauth2.provider.AuthorizationRequest;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
@@ -50,6 +49,7 @@ public class IntrospectingTokenService implements ResourceServerTokenServices {
  private String clientId;
  private String clientSecret;
  private IntrospectionUrlProvider introspectionUrlProvider;
+ private IntrospectionAuthorityGranter introspectionAuthorityGranter = new SimpleIntrospectionAuthorityGranter();
 
  // Inner class to store in the hash map
  private class TokenCacheObject {
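Review bot: The new `introspectionAuthorityGranter` field in the second hunk gets a hard-coded `SimpleIntrospectionAuthorityGranter` default but, as far as this diff shows, no getter or setter, so the granter cannot be swapped through the bean wiring that `clientId`, `clientSecret` and `introspectionUrlProvider` presumably use. Add `public IntrospectionAuthorityGranter getIntrospectionAuthorityGranter()` and `public void setIntrospectionAuthorityGranter(IntrospectionAuthorityGranter introspectionAuthorityGranter)` next to the other accessors. Without them the configurability the new interface is meant to provide is unreachable from outside the class. The enclosing class continues outside the hunk.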
@@ -117,7 +117,7 @@ public class IntrospectingTokenService implements ResourceServerTokenServices {
  // create a default authentication object with authority ROLE_API
  private Authentication createAuthentication(JsonObject token) {
  // TODO: make role/authority configurable somehow
- return new PreAuthenticatedAuthenticationToken(token.get("sub").getAsString(), null, AuthorityUtils.createAuthorityList("ROLE_API"));
+ return new PreAuthenticatedAuthenticationToken(token.get("sub").getAsString(), token, introspectionAuthorityGranter.getAuthorities(token));
  }
 
  private OAuth2AccessToken createAccessToken(final JsonObject token, final String tokenString) {
diff --git a/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/IntrospectionAuthorityGranter.java b/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/IntrospectionAuthorityGranter.java
new file mode 100644
index 000000000..286846ca0
--- /dev/null
+++ b/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/IntrospectionAuthorityGranter.java
@@ -0,0 +1,20 @@
+/**
+ *
+ */
+package org.mitre.oauth2.introspectingfilter;
+
+import java.util.List;
+
+import org.springframework.security.core.GrantedAuthority;
+
+import com.google.gson.JsonObject;
+
+/**
+ * @author jricher
+ *
+ */
+public interface IntrospectionAuthorityGranter {
+
+ public List getAuthorities(JsonObject introspectionResponse);
+
+}
diff --git a/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/JWTParsingIntrospectionUrlProvider.java b/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/JWTParsingIntrospectionUrlProvider.java
index c6d5eb621..187c26447 100644
--- a/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/JWTParsingIntrospectionUrlProvider.java
+++ b/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/JWTParsingIntrospectionUrlProvider.java
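Review bot: The two comments above the changed line in `createAuthentication` are now stale: `// create a default authentication object with authority ROLE_API` and `// TODO: make role/authority configurable somehow` describe the removed hard-coded `ROLE_API`, while the new line delegates to `introspectionAuthorityGranter`. Replace them with `// build the authentication; the granted authorities are decided by the configured IntrospectionAuthorityGranter` and drop the TODO. The second constructor argument also changes from `null` to `token`, so the whole introspection response now travels as the authentication's credentials and stays reachable through `getCredentials()` for as long as the security context lives; if that is intentional, record it in the comment so later readers do not treat it as an accident.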
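Review bot: The new `IntrospectionAuthorityGranter` interface has an empty file header and a type Javadoc carrying only `@author`, so the contract of `getAuthorities` is undocumented. Suggest a type comment such as `/** Decides which GrantedAuthority values an authentication built from an introspection response receives. */` and a method comment stating that `introspectionResponse` is the parsed introspection JSON and whether the returned list may be null or empty, since `IntrospectingTokenService` passes the result straight into `PreAuthenticatedAuthenticationToken`. The `public` modifier on the interface method is redundant and can be dropped. The listing shows a raw `List` return type; if that is not a rendering artifact it should be `List<GrantedAuthority>`, which is what the otherwise unused import suggests.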
@@ -4,6 +4,8 @@ package org.mitre.oauth2.introspectingfilter;
 import java.text.ParseException;
+import java.util.HashSet;
+import java.util.Set;
 import org.mitre.openid.connect.client.service.ServerConfigurationService;
 import org.mitre.openid.connect.config.ServerConfiguration;
@@ -50,6 +52,9 @@ public class JWTParsingIntrospectionUrlProvider implements IntrospectionUrlProvi
  String issuer = jwt.getJWTClaimsSet().getIssuer();
  if (!Strings.isNullOrEmpty(issuer)) {
+
+
+
  ServerConfiguration server = serverConfigurationService.getServerConfiguration(issuer);
  if (server != null) {
  if (!Strings.isNullOrEmpty(server.getIntrospectionEndpointUri())) {
diff --git a/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/SimpleIntrospectionAuthorityGranter.java b/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/SimpleIntrospectionAuthorityGranter.java
new file mode 100644
index 000000000..da9da9472
--- /dev/null
+++ b/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/SimpleIntrospectionAuthorityGranter.java
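Review bot: `java.util.HashSet` and `java.util.Set` are imported in the first hunk of `JWTParsingIntrospectionUrlProvider` but nothing in this diff uses them, and the second hunk adds only three blank lines inside `if (!Strings.isNullOrEmpty(issuer))`, so both hunks look like leftovers of an edit that was abandoned before commit. Either drop the two imports and the blank lines or add the code they were meant to support. The enclosing method in the second hunk starts and ends outside the hunk.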
@@ -0,0 +1,46 @@
+/**
+ *
+ */
+package org.mitre.oauth2.introspectingfilter;
+
+import java.util.List;
+
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.AuthorityUtils;
+
+import com.google.gson.JsonObject;
+
+/**
+ *
+ * Grants the same set of authorities no matter what's passed in.
+ *
+ * @author jricher
+ *
+ */
+public class SimpleIntrospectionAuthorityGranter implements IntrospectionAuthorityGranter {
+
+ private List authorities = AuthorityUtils.createAuthorityList("ROLE_API");
+
+ /* (non-Javadoc)
+ * @see org.mitre.oauth2.introspectingfilter.IntrospectionAuthorityGranter#getAuthorities(net.minidev.json.JSONObject)
+ */
+ @Override
+ public List getAuthorities(JsonObject introspectionResponse) {
+ return authorities;
+ }
+
+ /**
+ * @return the authorities
+ */
+ public List getAuthorities() {
+ return authorities;
+ }
+
+ /**
+ * @param authorities the authorities to set
+ */
+ public void setAuthorities(List authorities) {
+ this.authorities = authorities;
+ }
+
+}
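Review bot: `setAuthorities` stores the caller's list by reference and both `getAuthorities` overloads hand that same internal list to every authentication built from it; because `AuthorityUtils.createAuthorityList` returns a mutable list, any code holding a reference can add or remove authorities for all later callers. Store an unmodifiable copy instead, `this.authorities = Collections.unmodifiableList(new ArrayList<GrantedAuthority>(authorities));`, initialise the field the same way, and import `java.util.ArrayList` and `java.util.Collections`. The `@see` tag on the override names `net.minidev.json.JSONObject`, but the parameter type is `com.google.gson.JsonObject`; fix the reference or replace the tag with `/** Ignores the response and returns the configured authorities. */`. The listing shows raw `List` throughout; if that is not a rendering artifact, declare `List<GrantedAuthority>` so the compiler enforces the element type.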