auth_time is now tracked, addresses #288

2013-08-14 15:39:41 -04:00 · 2013-08-14 15:39:41 -04:00 · 6c1e91b7e3
parent e88c6c4943
commit 6c1e91b7e3
3 changed files with 38 additions and 20 deletions
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
@ -116,22 +116,11 @@ public class ConnectTokenEnhancer implements TokenEnhancer {
 			JWTClaimsSet idClaims = new JWTClaimsSet();


-			//
-			// FIXME: storing the auth time in the session doesn't actually work, because we need access to it from the token endpoint when the user isn't present
-			//
-
-			// get the auth time from the session
-			ServletRequestAttributes attr = (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();
-			if (attr != null) {
-				HttpSession session = attr.getRequest().getSession();
-				if (session != null) {
-					Date authTime = (Date) session.getAttribute(AuthenticationTimeStamper.AUTH_TIMESTAMP);
-					if (authTime != null) {
-						idClaims.setClaim("auth_time", authTime.getTime() / 1000);
-					}
-				}
+			if (authentication.getOAuth2Request().getExtensions().containsKey(AuthenticationTimeStamper.AUTH_TIMESTAMP)) {
+				Date authTime = (Date) authentication.getOAuth2Request().getExtensions().get(AuthenticationTimeStamper.AUTH_TIMESTAMP);
+				idClaims.setClaim("auth_time", authTime.getTime() / 1000);
 			}
-
+			
 			idClaims.setIssueTime(claims.getIssueTime());

 			if (client.getIdTokenValiditySeconds() != null) {
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/TofuUserApprovalHandler.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/TofuUserApprovalHandler.java
@ -22,10 +22,13 @@ import java.util.Date;
 import java.util.Map;
 import java.util.Set;

+import javax.servlet.http.HttpSession;
+
 import org.mitre.openid.connect.model.ApprovedSite;
 import org.mitre.openid.connect.model.WhitelistedSite;
 import org.mitre.openid.connect.service.ApprovedSiteService;
 import org.mitre.openid.connect.service.WhitelistedSiteService;
+import org.mitre.openid.connect.web.AuthenticationTimeStamper;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.provider.AuthorizationRequest;
@ -33,6 +36,8 @@ import org.springframework.security.oauth2.provider.ClientDetails;
 import org.springframework.security.oauth2.provider.ClientDetailsService;
 import org.springframework.security.oauth2.provider.approval.UserApprovalHandler;
 import org.springframework.stereotype.Component;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;

 import com.google.common.base.Strings;
 import com.google.common.collect.Sets;
@ -138,6 +143,8 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
 						authorizationRequest.getExtensions().put("approved_site", ap.getId());
 						authorizationRequest.setApproved(true);
 						alreadyApproved = true;
+						
+						setAuthTime(authorizationRequest);
 					}
 				}
 			}
@ -150,6 +157,8 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
 					ApprovedSite newSite = approvedSiteService.createApprovedSite(clientId, userId, null, ws.getAllowedScopes(), ws);
 					authorizationRequest.getExtensions().put("approved_site", newSite.getId());
 					authorizationRequest.setApproved(true);
+					
+					setAuthTime(authorizationRequest);
 				}
 			}
 		}
@ -212,12 +221,35 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
 				ApprovedSite newSite = approvedSiteService.createApprovedSite(clientId, userId, timeout, allowedScopes, null);
 				authorizationRequest.getExtensions().put("approved_site", newSite.getId());
 			}
+			
+			setAuthTime(authorizationRequest);
+

 		}

 		return authorizationRequest;
 	}

+	/**
+	 * Get the auth time out of the current session and add it to the 
+	 * auth request in the extensions map.
+	 * 
+	 * @param authorizationRequest
+	 */
+	private void setAuthTime(AuthorizationRequest authorizationRequest) {
+		// Get the session auth time, if we have it, and store it in the request
+		ServletRequestAttributes attr = (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();
+		if (attr != null) {
+			HttpSession session = attr.getRequest().getSession();
+			if (session != null) {
+				Date authTime = (Date) session.getAttribute(AuthenticationTimeStamper.AUTH_TIMESTAMP);
+				if (authTime != null) {
+					authorizationRequest.getExtensions().put(AuthenticationTimeStamper.AUTH_TIMESTAMP, authTime);
+				}
+			}
+		}
+	}
+
 	/**
 	 * Check whether the requested scope set is a proper subset of the allowed scopes.
 	 * 
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/AuthenticationTimeStamper.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/AuthenticationTimeStamper.java
@ -49,15 +49,12 @@ public class AuthenticationTimeStamper extends SavedRequestAwareAuthenticationSu

 	/**
 	 * Set the timestamp on the session to mark when the authentication happened,
-	 * useful for calculating authentication age.
+	 * useful for calculating authentication age. This gets stored in the sesion
+	 * and can get pulled out by other components.
 	 */
 	@Override
 	public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {

-		//
-		// FIXME: storing the auth time in the session doesn't actually work because we need access to it from the token endpoint when the user isn't present
-		//
-
 		Date authTimestamp = new Date();

 		HttpSession session = request.getSession();