completed rudimentary UMA authorization API.
Working: resource set registration, permission ticket creation, RPT creation from ticket. Still missing: adding required claims to resource set, adding provided claims to permission ticket.
parent
e1769d1545
commit
7df31f1e87
@ -11,7 +11,9 @@ START TRANSACTION;
--
INSERT INTO client_details_TEMP (client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection) VALUES
('client', 'secret', 'Test Client', false, null, 3600, 600, true);
('client', 'secret', 'Test Client', false, null, 3600, 600, true),
('rs', 'secret', 'Test UMA RS', false, null, null, 600, false),
('c', 'secret', 'Test UMA Client', false, null, null, 600, false);
INSERT INTO client_scope_TEMP (owner_id, scope) VALUES
('client', 'openid'),
@ -19,7 +21,9 @@ INSERT INTO client_scope_TEMP (owner_id, scope) VALUES
('client', 'email'),
('client', 'address'),
('client', 'phone'),
('client', 'offline_access');
('client', 'offline_access'),
('rs', 'uma_protection'),
('c', 'uma_authorization');
INSERT INTO client_redirect_uri_TEMP (owner_id, redirect_uri) VALUES
('client', 'http://localhost/'),
@ -29,7 +33,11 @@ INSERT INTO client_grant_type_TEMP (owner_id, grant_type) VALUES
('client', 'authorization_code'),
('client', 'urn:ietf:params:oauth:grant_type:redelegate'),
('client', 'implicit'),
('client', 'refresh_token');
('client', 'refresh_token'),
('rs', 'authorization_code'),
('rs', 'implicit'),
('c', 'authorization_code'),
('c', 'implicit');
--
-- Merge the temporary clients safely into the database. This is a two-step process to keep clients from being created on every startup with a persistent store.
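Review bot: The new `rs` row in the `client_details_TEMP` insert is seeded with `allow_introspection` false (the last column), so if the test resource server is expected to validate RPTs through the introspection endpoint it will be refused; if that is the intended flow the row should read `('rs', 'secret', 'Test UMA RS', false, null, null, 600, true),`. Both new UMA clients also carry a null `access_token_validity_seconds`, which matters here because the RPT-issuing code added elsewhere in this commit does not set an expiration of its own as far as its hunk shows. A short comment above the two rows saying which one plays the UMA resource server and which the requesting party client would help the next reader, since the column list gives no hint.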
@ -24,6 +24,7 @@ import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
import org.mitre.oauth2.model.OAuth2RefreshTokenEntity;
import org.mitre.oauth2.service.IntrospectionResultAssembler;
import org.mitre.openid.connect.model.UserInfo;
import org.mitre.uma.model.Permission;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
@ -53,9 +54,26 @@ public class DefaultIntrospectionResultAssembler implements IntrospectionResultA
result.put(ACTIVE, true);
Set<String> scopes = Sets.intersection(authScopes, accessToken.getScope());
result.put(SCOPE, Joiner.on(SCOPE_SEPARATOR).join(scopes));
if (accessToken.getPermissions() != null && !accessToken.getPermissions().isEmpty()) {
Set<Object> permissions = Sets.newHashSet();
for (Permission perm : accessToken.getPermissions()) {
Map<String, Object> o = newLinkedHashMap();
o.put("resource_set_id", perm.getResourceSet().getId().toString());
Set<String> scopes = Sets.newHashSet(perm.getScopes());
o.put("scopes", scopes);
permissions.add(o);
}
result.put("permissions", permissions);
} else {
Set<String> scopes = Sets.intersection(authScopes, accessToken.getScope());
result.put(SCOPE, Joiner.on(SCOPE_SEPARATOR).join(scopes));
}
if (accessToken.getExpiration() != null) {
try {
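Review bot: In the new `permissions` branch the per-permission scopes are copied straight from `perm.getScopes()`, while the `else` branch still intersects with `authScopes` before reporting; if `authScopes` is meant to bound what the introspecting client is allowed to see, that filter is bypassed for every RPT. `perm.getResourceSet().getId().toString()` will throw a NullPointerException for a permission whose resource set is missing or not yet persisted, and `Sets.newHashSet(perm.getScopes())` will do the same for a null scope set, so a guard such as `if (perm.getResourceSet() == null || perm.getResourceSet().getId() == null) continue;` (or a logged skip) belongs in the loop. The `scope` entry is now omitted entirely whenever permissions are present, which changes the response shape for existing consumers; if that is deliberate, a comment like `// RPTs report per-resource-set permissions instead of a flat scope claim` above the `if` would record it. The enclosing method continues past the end of the hunk.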
@ -17,16 +17,22 @@
package org.mitre.uma.web;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.util.Collection;
import java.util.HashSet;
import java.util.Map;
import java.util.UUID;
import org.mitre.jwt.signer.service.JWTSigningAndValidationService;
import org.mitre.oauth2.model.AuthenticationHolderEntity;
import org.mitre.oauth2.model.ClientDetailsEntity;
import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
import org.mitre.oauth2.repository.AuthenticationHolderRepository;
import org.mitre.oauth2.repository.OAuth2TokenRepository;
import org.mitre.oauth2.service.ClientDetailsEntityService;
import org.mitre.oauth2.service.OAuth2TokenEntityService;
import org.mitre.oauth2.service.SystemScopeService;
import org.mitre.oauth2.web.AuthenticationUtilities;
import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
import org.mitre.openid.connect.service.OIDCTokenService;
import org.mitre.openid.connect.view.HttpCodeView;
import org.mitre.openid.connect.view.JsonEntityView;
@ -35,11 +41,14 @@ import org.mitre.uma.model.Claim;
import org.mitre.uma.model.PermissionTicket;
import org.mitre.uma.model.ResourceSet;
import org.mitre.uma.service.PermissionService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.error.WebResponseExceptionTranslator;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
@ -49,11 +58,18 @@ import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import com.google.gson.JsonArray;
import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;
import com.google.gson.JsonPrimitive;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
/**
* @author jricher
@ -77,6 +93,14 @@ public class AuthorizationRequestEndpoint {
@Autowired
private OIDCTokenService oidcTokenService;
/////// TODO: TEMPORARY
@Autowired private AuthenticationHolderRepository authenticationHolderRepository;
@Autowired private OAuth2TokenRepository tokenRepository;
@Autowired private ClientDetailsEntityService clientService;
@Autowired private ConfigurationPropertiesBean configBean;
@Autowired private JWTSigningAndValidationService jwtService;
////////
@Autowired
private WebResponseExceptionTranslator providerExceptionHandler;
@ -136,10 +160,45 @@ public class AuthorizationRequestEndpoint {
if (claimsUnmatched.isEmpty()) {
// we matched all the claims, create and return the token
//OAuth2AccessTokenEntity accessToken = oidcTokenService.createPermissionedToken(auth, perm);
// PUNT!
return JsonErrorView.VIEWNAME;
// TODO: move this whole mess to the OIDCTokenService
OAuth2Authentication o2auth = (OAuth2Authentication) auth;
OAuth2AccessTokenEntity token = new OAuth2AccessTokenEntity();
AuthenticationHolderEntity authHolder = new AuthenticationHolderEntity();
authHolder.setAuthentication(o2auth);
authHolder = authenticationHolderRepository.save(authHolder);
token.setAuthenticationHolder(authHolder);
ClientDetailsEntity client = clientService.loadClientByClientId(o2auth.getOAuth2Request().getClientId());
token.setClient(client);
token.setPermissions(Sets.newHashSet(ticket.getPermission()));
JWTClaimsSet claims = new JWTClaimsSet();
claims.setAudience(Lists.newArrayList(ticket.getPermission().getResourceSet().getId().toString()));
claims.setIssuer(configBean.getIssuer());
claims.setJWTID(UUID.randomUUID().toString());
JWSAlgorithm signingAlgorithm = jwtService.getDefaultSigningAlgorithm();
SignedJWT signed = new SignedJWT(new JWSHeader(signingAlgorithm), claims);
jwtService.signJwt(signed);
token.setJwt(signed);
tokenService.saveAccessToken(token);
Map<String, String> entity = ImmutableMap.of("rpt", token.getValue());
m.addAttribute(JsonEntityView.ENTITY, entity);
return JsonEntityView.VIEWNAME;
} else {
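Review bot: The RPT minted from `OAuth2AccessTokenEntity token = new OAuth2AccessTokenEntity();` onward is saved without any lifetime: `token.setExpiration(...)` is never called and the `JWTClaimsSet` only receives audience, issuer and jti, so unless `tokenService.saveAccessToken` applies a default the token stays valid indefinitely, and the UMA clients seeded in this same commit have a null `access_token_validity_seconds`. Derive an expiry from the client's validity with a fixed fallback and apply it in both places, e.g. `claims.setExpirationTime(expiry); token.setExpiration(expiry);`, and set `claims.setIssueTime(...)` alongside so the RPT can be aged by the resource server. The `(OAuth2Authentication) auth` cast is unguarded in the visible lines; if the earlier part of the method does not check `auth instanceof OAuth2Authentication`, a non-OAuth authentication surfaces as a ClassCastException instead of an error view. The `// TODO: move this whole mess to the OIDCTokenService` marker and the `/////// TODO: TEMPORARY` field block in the earlier hunk say as much, but a one-line comment above the token construction naming which checks (ticket ownership, requesting client, expiry) are still deferred would make the interim state safer to read. The enclosing method starts before and ends after this hunk.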
@ -124,6 +124,21 @@ public class ResourceSetRegistrationEndpoint {
ResourceSet saved = resourceSetService.saveNew(rs);
///////
// TODO: REMOVE
///////
/*
Claim c = new Claim();
c.setName("email");
c.setValue("bob@bob.com");
c.setIssuer(Sets.newHashSet("https://bob.com/"));
saved.setClaimsRequired(Sets.newHashSet(c));
saved = resourceSetService.update(saved, saved);
*/
///////
/// END: REMOVE
///////
m.addAttribute("code", HttpStatus.CREATED);
m.addAttribute("entity", saved);
m.addAttribute("location", config.getIssuer() + URL + "/" + rs.getId());
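Review bot: The block between the `// TODO: REMOVE` and `/// END: REMOVE` markers is commented-out debugging code that hard-codes a claim requirement for `bob@bob.com`; it should be deleted before merge rather than left in the registration path, or, if it is a sketch of the required-claims wiring the commit description lists as still missing, moved into a tracked issue. While here, note that the context line building `location` uses `rs.getId()` rather than `saved.getId()`; that is pre-existing and harmless if `saveNew` returns the same instance, but if it returns a distinct persisted copy the advertised location would carry a null id. The enclosing method continues past the hunk.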