github
/
OpenID-Connect-Java-Spring-Server
mirror of https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

added support for default max auth age and require auth time, made prompt filter only work on authorization endpoint

pull/604/head
Justin Richer 11 years ago
parent
5c6e75bd53
commit
89d55e3d33
2 changed files with 52 additions and 14 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 56
      openid-connect-server/src/main/java/org/mitre/openid/connect/filter/PromptFilter.java
  2. 10
      openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultOIDCTokenService.java

56
openid-connect-server/src/main/java/org/mitre/openid/connect/filter/PromptFilter.java
Unescape View File

@ -33,12 +33,16 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.mitre.oauth2.model.ClientDetailsEntity;
import org.mitre.oauth2.service.ClientDetailsEntityService;
import org.mitre.openid.connect.web.AuthenticationTimeStamper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
import org.springframework.stereotype.Component;
@ -62,6 +66,9 @@ public class PromptFilter extends GenericFilterBean {
@Autowired
private OAuth2RequestFactory authRequestFactory;
@Autowired
private ClientDetailsEntityService clientService;
/**
*
*/
@ -70,9 +77,25 @@ public class PromptFilter extends GenericFilterBean {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
// skip everything that's not an authorize URL
if (!request.getRequestURI().startsWith("/authorize")) {
chain.doFilter(req, res);
}
// we have to create our own auth request in order to get at all the parmeters appropriately
AuthorizationRequest authRequest = authRequestFactory.createAuthorizationRequest(createRequestMap(request.getParameterMap()));
ClientDetailsEntity client = null;
try {
client = clientService.loadClientByClientId(authRequest.getClientId());
} catch (InvalidClientException e) {
// no need to worry about this here, it would be caught elsewhere
} catch (IllegalArgumentException e) {
// no need to worry about this here, it would be caught elsewhere
}
if (authRequest.getExtensions().get("prompt") != null) {
// we have a "prompt" parameter
String prompt = (String)authRequest.getExtensions().get("prompt");
@ -125,21 +148,30 @@ public class PromptFilter extends GenericFilterBean {
chain.doFilter(req, res);
}
} else if (authRequest.getExtensions().get("max_age") != null) {
} else if (authRequest.getExtensions().get("max_age") != null ||
(client != null && client.getDefaultMaxAge() != null)) {
// default to the client's stored value, check the string parameter
Integer max = (client != null ? client.getDefaultMaxAge() : null);
String maxAge = (String) authRequest.getExtensions().get("max_age");
HttpSession session = request.getSession();
Date authTime = (Date) session.getAttribute(AuthenticationTimeStamper.AUTH_TIMESTAMP);
Date now = new Date();
if (authTime != null) {
Integer max = Integer.parseInt(maxAge);
long seconds = (now.getTime() - authTime.getTime()) / 1000;
if (seconds > max) {
// session is too old, log the user out and continue
SecurityContextHolder.getContext().setAuthentication(null);
if (maxAge != null) {
max = Integer.parseInt(maxAge);
}
if (max != null) {
HttpSession session = request.getSession();
Date authTime = (Date) session.getAttribute(AuthenticationTimeStamper.AUTH_TIMESTAMP);
Date now = new Date();
if (authTime != null) {
long seconds = (now.getTime() - authTime.getTime()) / 1000;
if (seconds > max) {
// session is too old, log the user out and continue
SecurityContextHolder.getContext().setAuthentication(null);
}
}
}
chain.doFilter(req, res);
} else {
// no prompt parameter, not our business

10
openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultOIDCTokenService.java
Unescape View File

@ -95,9 +95,15 @@ public class DefaultOIDCTokenService implements OIDCTokenService {
OAuth2AccessTokenEntity idTokenEntity = new OAuth2AccessTokenEntity();
JWTClaimsSet idClaims = new JWTClaimsSet();
if (request.getExtensions().containsKey(AuthenticationTimeStamper.AUTH_TIMESTAMP)) {
// if the auth time claim was explicitly requested OR if the client always wants the auth time, put it in
if (request.getExtensions().containsKey("max_age")
|| (request.getExtensions().containsKey("idtoken")) // TODO: parse the ID Token claims (#473) -- for now assume it could be in there
|| (client.getRequireAuthTime() != null && client.getRequireAuthTime())) {
Date authTime = (Date) request.getExtensions().get(AuthenticationTimeStamper.AUTH_TIMESTAMP);
idClaims.setClaim("auth_time", authTime.getTime() / 1000);
if (authTime != null) {
idClaims.setClaim("auth_time", authTime.getTime() / 1000);
}
}
idClaims.setIssueTime(issueTime);

Write Preview
Loading…
Cancel
Save