diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
index 276f9b61b..3b5f446a8 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
@@ -116,22 +116,11 @@ public class ConnectTokenEnhancer implements TokenEnhancer {
 		JWTClaimsSet idClaims = new JWTClaimsSet();
-		//
-		// FIXME: storing the auth time in the session doesn't actually work, because we need access to it from the token endpoint when the user isn't present
-		//
-
-		// get the auth time from the session
-		ServletRequestAttributes attr = (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();
-		if (attr != null) {
-			HttpSession session = attr.getRequest().getSession();
-			if (session != null) {
-				Date authTime = (Date) session.getAttribute(AuthenticationTimeStamper.AUTH_TIMESTAMP);
-				if (authTime != null) {
-					idClaims.setClaim("auth_time", authTime.getTime() / 1000);
-				}
-			}
+		if (authentication.getOAuth2Request().getExtensions().containsKey(AuthenticationTimeStamper.AUTH_TIMESTAMP)) {
+			Date authTime = (Date) authentication.getOAuth2Request().getExtensions().get(AuthenticationTimeStamper.AUTH_TIMESTAMP);
+			idClaims.setClaim("auth_time", authTime.getTime() / 1000);
 		}
-
+
 		idClaims.setIssueTime(claims.getIssueTime());
 		if (client.getIdTokenValiditySeconds() != null) {
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/TofuUserApprovalHandler.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/TofuUserApprovalHandler.java
index 38023e13f..b7ee9d0d8 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/TofuUserApprovalHandler.java
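Review bot: The new `auth_time` block casts the extension value straight to `Date` and dereferences it, so a key that is present with a null value, or a value that is no longer a `Date` (for instance if the request extensions are ever persisted and rehydrated as a string or long — how `OAuth2Request` is stored is not visible from this hunk), fails with an NPE or ClassCastException in the middle of ID-token minting instead of just omitting the optional claim. An `instanceof` check keeps the cast safe and the claim optional: `Object authTime = authentication.getOAuth2Request().getExtensions().get(AuthenticationTimeStamper.AUTH_TIMESTAMP);` / `if (authTime instanceof Date) {` / `idClaims.setClaim("auth_time", ((Date) authTime).getTime() / 1000);`. The removed FIXME carried the rationale that the token endpoint has no user session; a short why-comment should keep it, e.g. `// auth_time travels in the request extensions (set at approval time), since the token endpoint has no user session to read it from`. The enclosing method starts before this hunk and continues after it.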
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/TofuUserApprovalHandler.java
@@ -22,10 +22,13 @@ import java.util.Date;
 import java.util.Map;
 import java.util.Set;
+import javax.servlet.http.HttpSession;
+
 import org.mitre.openid.connect.model.ApprovedSite;
 import org.mitre.openid.connect.model.WhitelistedSite;
 import org.mitre.openid.connect.service.ApprovedSiteService;
 import org.mitre.openid.connect.service.WhitelistedSiteService;
+import org.mitre.openid.connect.web.AuthenticationTimeStamper;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.provider.AuthorizationRequest;
@@ -33,6 +36,8 @@ import org.springframework.security.oauth2.provider.ClientDetails;
 import org.springframework.security.oauth2.provider.ClientDetailsService;
 import org.springframework.security.oauth2.provider.approval.UserApprovalHandler;
 import org.springframework.stereotype.Component;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
 import com.google.common.base.Strings;
 import com.google.common.collect.Sets;
@@ -138,6 +143,8 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
 					authorizationRequest.getExtensions().put("approved_site", ap.getId());
 					authorizationRequest.setApproved(true);
 					alreadyApproved = true;
+
+					setAuthTime(authorizationRequest);
 				}
 			}
 		}
@@ -150,6 +157,8 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
 				ApprovedSite newSite = approvedSiteService.createApprovedSite(clientId, userId, null, ws.getAllowedScopes(), ws);
 				authorizationRequest.getExtensions().put("approved_site", newSite.getId());
 				authorizationRequest.setApproved(true);
+
+				setAuthTime(authorizationRequest);
 			}
 		}
 	}
@@ -212,12 +221,35 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
 				ApprovedSite newSite = approvedSiteService.createApprovedSite(clientId, userId, timeout, allowedScopes, null);
 				authorizationRequest.getExtensions().put("approved_site", newSite.getId());
 			}
+
+			setAuthTime(authorizationRequest);
+
 		}
 		return authorizationRequest;
 	}
+	/**
+	 * Get the auth time out of the current session and add it to the
+	 * auth request in the extensions map.
+	 *
+	 * @param authorizationRequest
+	 */
+	private void setAuthTime(AuthorizationRequest authorizationRequest) {
+		// Get the session auth time, if we have it, and store it in the request
+		ServletRequestAttributes attr = (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();
+		if (attr != null) {
+			HttpSession session = attr.getRequest().getSession();
+			if (session != null) {
+				Date authTime = (Date) session.getAttribute(AuthenticationTimeStamper.AUTH_TIMESTAMP);
+				if (authTime != null) {
+					authorizationRequest.getExtensions().put(AuthenticationTimeStamper.AUTH_TIMESTAMP, authTime);
+				}
+			}
+		}
+	}
+
 	/**
 	 * Check whether the requested scope set is a proper subset of the allowed scopes.
 	 *
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/AuthenticationTimeStamper.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/AuthenticationTimeStamper.java
index c67009f8a..4c990ee45 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/AuthenticationTimeStamper.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/AuthenticationTimeStamper.java
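Review bot: In the new `setAuthTime`, the `attr != null` guard is dead code: `RequestContextHolder.currentRequestAttributes()` throws `IllegalStateException` when no request is bound to the current thread rather than returning null, so an approval path that runs outside a servlet request would fail instead of quietly skipping the claim (whether any caller reaches this method outside a request is not visible here); `RequestContextHolder.getRequestAttributes()` is the null-returning variant, and an `instanceof` check makes the `ServletRequestAttributes` cast safe as well. `attr.getRequest().getSession()` also creates a fresh session as a side effect when none exists, and a session created at that moment can never hold the timestamp, so `getSession(false)` is the right call. Suggested lines: `RequestAttributes attr = RequestContextHolder.getRequestAttributes();` / `if (attr instanceof ServletRequestAttributes) {` / `HttpSession session = ((ServletRequestAttributes) attr).getRequest().getSession(false);` (with the matching `org.springframework.web.context.request.RequestAttributes` import). The two earlier `setAuthTime(authorizationRequest)` call sites added in this file (the hunks at old lines 138 and 150) inherit the same behavior.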
@@ -49,15 +49,12 @@ public class AuthenticationTimeStamper extends SavedRequestAwareAuthenticationSu
 	/**
 	 * Set the timestamp on the session to mark when the authentication happened,
-	 * useful for calculating authentication age.
+	 * useful for calculating authentication age. This gets stored in the sesion
+	 * and can get pulled out by other components.
 	 */
 	@Override
 	public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
-		//
-		// FIXME: storing the auth time in the session doesn't actually work because we need access to it from the token endpoint when the user isn't present
-		//
-
 		Date authTimestamp = new Date();
 		HttpSession session = request.getSession();
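Review bot: The added Javadoc line misspells "session" as "sesion"; it should read `* useful for calculating authentication age. This gets stored in the session`. Since the removed FIXME was the only place that explained how the timestamp reaches the token endpoint, the Javadoc would be more useful if it named the consumer introduced in this commit, e.g. `* and is copied into the authorization request extensions by TofuUserApprovalHandler.setAuthTime`. The body of `onAuthenticationSuccess` continues past the end of this hunk.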