split client's auth token into pending and authorized classes

openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java

@@ -44,7 +44,7 @@ import org.mitre.openid.connect.client.service.IssuerService;
 import org.mitre.openid.connect.client.service.ServerConfigurationService;
 import org.mitre.openid.connect.client.service.impl.StaticAuthRequestOptionsService;
 import org.mitre.openid.connect.config.ServerConfiguration;
-import org.mitre.openid.connect.model.OIDCAuthenticationToken;
+import org.mitre.openid.connect.model.PendingOIDCAuthenticationToken;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpMethod;
 import org.springframework.http.client.ClientHttpRequest;
@@ -578,14 +578,12 @@ public class OIDCAuthenticationFilter extends AbstractAuthenticationProcessingFi
 									+ "ID Token to the session " + NONCE_SESSION_VARIABLE + " failed. Expected " + storedNonce + " got " + nonce + ".");
 				}
 
-				// pull the subject (user id) out as a claim on the id_token
-
-				String userId = idClaims.getSubject();
-
-				// construct an OIDCAuthenticationToken and return a Authentication object w/the userId and the idToken
-
-				OIDCAuthenticationToken token = new OIDCAuthenticationToken(userId, idClaims.getIssuer(), serverConfig, idToken, accessTokenValue, refreshTokenValue);
+				// construct an PendingOIDCAuthenticationToken and return a Authentication object w/the userId and the idToken
 
+				PendingOIDCAuthenticationToken token = new PendingOIDCAuthenticationToken(idClaims.getSubject(), idClaims.getIssuer(), 
+						serverConfig, 
+						idToken, accessTokenValue, refreshTokenValue);
+				
 				Authentication authentication = this.getAuthenticationManager().authenticate(token);
 
 				return authentication;

openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationProvider.java

@@ -16,10 +16,10 @@
  *******************************************************************************/
 package org.mitre.openid.connect.client;
 
-import java.text.ParseException;
 import java.util.Collection;
 
 import org.mitre.openid.connect.model.OIDCAuthenticationToken;
+import org.mitre.openid.connect.model.PendingOIDCAuthenticationToken;
 import org.mitre.openid.connect.model.UserInfo;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -31,10 +31,9 @@ import org.springframework.security.core.userdetails.UsernameNotFoundException;
 
 import com.google.common.base.Strings;
 import com.nimbusds.jwt.JWT;
-import com.nimbusds.jwt.JWTParser;
 
 /**
- * @author nemonik
+ * @author nemonik, Justin Richer
  * 
  */
 public class OIDCAuthenticationProvider implements AuthenticationProvider {
@@ -58,9 +57,9 @@ public class OIDCAuthenticationProvider implements AuthenticationProvider {
 			return null;
 		}
 
-		if (authentication instanceof OIDCAuthenticationToken) {
+		if (authentication instanceof PendingOIDCAuthenticationToken) {
 
-			OIDCAuthenticationToken token = (OIDCAuthenticationToken) authentication;
+			PendingOIDCAuthenticationToken token = (PendingOIDCAuthenticationToken) authentication;
 			
 			// get the ID Token value out
 			JWT idToken = token.getIdToken();
@@ -93,7 +92,7 @@ public class OIDCAuthenticationProvider implements AuthenticationProvider {
 	 * @param userInfo
 	 * @return
 	 */
-	protected Authentication createAuthenticationToken(OIDCAuthenticationToken token, Collection<? extends GrantedAuthority> authorities, UserInfo userInfo) {
+	protected Authentication createAuthenticationToken(PendingOIDCAuthenticationToken token, Collection<? extends GrantedAuthority> authorities, UserInfo userInfo) {
 		return new OIDCAuthenticationToken(token.getSub(),
 				token.getIssuer(),
 				userInfo, authorities,
@@ -116,6 +115,6 @@ public class OIDCAuthenticationProvider implements AuthenticationProvider {
 	 */
 	@Override
 	public boolean supports(Class<?> authentication) {
-		return OIDCAuthenticationToken.class.isAssignableFrom(authentication);
+		return PendingOIDCAuthenticationToken.class.isAssignableFrom(authentication);
 	}
 }

openid-connect-client/src/main/java/org/mitre/openid/connect/client/UserInfoFetcher.java

@@ -25,7 +25,7 @@ import org.apache.http.impl.client.HttpClientBuilder;
 import org.mitre.openid.connect.config.ServerConfiguration;
 import org.mitre.openid.connect.config.ServerConfiguration.UserInfoTokenMethod;
 import org.mitre.openid.connect.model.DefaultUserInfo;
-import org.mitre.openid.connect.model.OIDCAuthenticationToken;
+import org.mitre.openid.connect.model.PendingOIDCAuthenticationToken;
 import org.mitre.openid.connect.model.UserInfo;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -52,7 +52,7 @@ public class UserInfoFetcher {
 	 */
 	private static final Logger logger = LoggerFactory.getLogger(UserInfoFetcher.class);
 
-	public UserInfo loadUserInfo(final OIDCAuthenticationToken token) {
+	public UserInfo loadUserInfo(final PendingOIDCAuthenticationToken token) {
 
 		ServerConfiguration serverConfiguration = token.getServerConfiguration();
 

openid-connect-common/src/main/java/org/mitre/openid/connect/model/OIDCAuthenticationToken.java

@@ -20,10 +20,8 @@ import java.io.IOException;
 import java.io.ObjectInputStream;
 import java.io.ObjectOutputStream;
 import java.text.ParseException;
-import java.util.ArrayList;
 import java.util.Collection;
 
-import org.mitre.openid.connect.config.ServerConfiguration;
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.GrantedAuthority;
 
@@ -47,7 +45,6 @@ public class OIDCAuthenticationToken extends AbstractAuthenticationToken {
 	private final String issuer; // issuer URL (parsed from the id token)
 	private final String sub; // user id (parsed from the id token)
 
-	private final transient ServerConfiguration serverConfiguration; // server configuration used to fulfill this token, don't serialize it
 	private final UserInfo userInfo; // user info container
 
 	/**
@@ -75,40 +72,9 @@ public class OIDCAuthenticationToken extends AbstractAuthenticationToken {
 		this.accessTokenValue = accessTokenValue;
 		this.refreshTokenValue = refreshTokenValue;
 
-		this.serverConfiguration = null; // we don't need a server config anymore
-
 		setAuthenticated(true);
 	}
 
-	/**
-	 * Constructs OIDCAuthenticationToken for use as a data shuttle from the filter to the auth provider.
-	 * 
-	 * Set to not-authenticated.
-	 * 
-	 * Constructs a Principal out of the subject and issuer.
-	 * @param sub
-	 * @param idToken
-	 */
-	public OIDCAuthenticationToken(String subject, String issuer,
-			ServerConfiguration serverConfiguration,
-			JWT idToken, String accessTokenValue, String refreshTokenValue) {
-
-		super(new ArrayList<GrantedAuthority>(0));
-
-		this.principal = ImmutableMap.of("sub", subject, "iss", issuer);
-		this.sub = subject;
-		this.issuer = issuer;
-		this.idToken = idToken;
-		this.accessTokenValue = accessTokenValue;
-		this.refreshTokenValue = refreshTokenValue;
-
-		this.userInfo = null; // we don't have a UserInfo yet
-
-		this.serverConfiguration = serverConfiguration;
-
-
-		setAuthenticated(false);
-	}
 
 	/*
 	 * (non-Javadoc)
@@ -153,13 +119,6 @@ public class OIDCAuthenticationToken extends AbstractAuthenticationToken {
 		return refreshTokenValue;
 	}
 
-	/**
-	 * @return the serverConfiguration
-	 */
-	public ServerConfiguration getServerConfiguration() {
-		return serverConfiguration;
-	}
-
 	/**
 	 * @return the issuer
 	 */

openid-connect-common/src/main/java/org/mitre/openid/connect/model/PendingOIDCAuthenticationToken.java

@@ -0,0 +1,157 @@
+/*******************************************************************************
+ * Copyright 2015 The MITRE Corporation
+ *   and the MIT Kerberos and Internet Trust Consortium
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *******************************************************************************/
+
+package org.mitre.openid.connect.model;
+
+import java.io.IOException;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.text.ParseException;
+import java.util.ArrayList;
+
+import org.mitre.openid.connect.config.ServerConfiguration;
+import org.springframework.security.authentication.AbstractAuthenticationToken;
+import org.springframework.security.core.GrantedAuthority;
+
+import com.google.common.collect.ImmutableMap;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTParser;
+
+/**
+ * AuthenticationToken for use as a data shuttle from the filter to the auth provider.
+ * 
+ * @author jricher
+ *
+ */
+public class PendingOIDCAuthenticationToken extends AbstractAuthenticationToken {
+
+	private static final long serialVersionUID = 22100073066377804L;
+
+	private final ImmutableMap<String, String> principal;
+	private final String accessTokenValue; // string representation of the access token
+	private final String refreshTokenValue; // string representation of the refresh token
+	private transient JWT idToken; // this needs a custom serializer
+	private final String issuer; // issuer URL (parsed from the id token)
+	private final String sub; // user id (parsed from the id token)
+
+	private final transient ServerConfiguration serverConfiguration; // server configuration used to fulfill this token, don't serialize it
+
+	/**
+	 * Constructs OIDCAuthenticationToken for use as a data shuttle from the filter to the auth provider.
+	 * 
+	 * Set to not-authenticated.
+	 * 
+	 * Constructs a Principal out of the subject and issuer.
+	 * @param sub
+	 * @param idToken
+	 */
+	public PendingOIDCAuthenticationToken (String subject, String issuer,
+			ServerConfiguration serverConfiguration,
+			JWT idToken, String accessTokenValue, String refreshTokenValue) {
+
+		super(new ArrayList<GrantedAuthority>(0));
+
+		this.principal = ImmutableMap.of("sub", subject, "iss", issuer);
+		this.sub = subject;
+		this.issuer = issuer;
+		this.idToken = idToken;
+		this.accessTokenValue = accessTokenValue;
+		this.refreshTokenValue = refreshTokenValue;
+
+		this.serverConfiguration = serverConfiguration;
+
+
+		setAuthenticated(false);
+	}
+
+	/*
+	 * (non-Javadoc)
+	 * 
+	 * @see org.springframework.security.core.Authentication#getCredentials()
+	 */
+	@Override
+	public Object getCredentials() {
+		return accessTokenValue;
+	}
+
+	/**
+	 * Get the principal of this object, an immutable map of the subject and issuer.
+	 */
+	@Override
+	public Object getPrincipal() {
+		return principal;
+	}
+
+	public String getSub() {
+		return sub;
+	}
+
+	/**
+	 * @return the idTokenValue
+	 */
+	public JWT getIdToken() {
+		return idToken;
+	}
+
+	/**
+	 * @return the accessTokenValue
+	 */
+	public String getAccessTokenValue() {
+		return accessTokenValue;
+	}
+
+	/**
+	 * @return the refreshTokenValue
+	 */
+	public String getRefreshTokenValue() {
+		return refreshTokenValue;
+	}
+
+	/**
+	 * @return the serverConfiguration
+	 */
+	public ServerConfiguration getServerConfiguration() {
+		return serverConfiguration;
+	}
+
+	/**
+	 * @return the issuer
+	 */
+	public String getIssuer() {
+		return issuer;
+	}
+
+	/*
+	 * Custom serialization to handle the JSON object
+	 */
+    private void writeObject(ObjectOutputStream out) throws IOException {
+    	out.defaultWriteObject();
+    	if (idToken == null) {
+    		out.writeObject(null);
+    	} else {
+    		out.writeObject(idToken.serialize());
+    	}
+    }
+    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException, ParseException {
+    	in.defaultReadObject();
+    	Object o = in.readObject();
+    	if (o != null) {
+    		idToken = JWTParser.parse((String)o);
+    	}
+    }
+
+}