github
/
OpenID-Connect-Java-Spring-Server
mirror of https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

added at_hash

pull/324/merge
Justin Richer 2013-04-15 17:12:47 -04:00
parent 3bb43f417a
commit 8e8e14c638
1 changed files with 49 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
View File

@ -15,10 +15,17 @@
******************************************************************************/
package org.mitre.openid.connect.token;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Date;
import java.util.Set;
import java.util.UUID;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpSession;
import org.mitre.jwt.signer.service.JwtSigningAndValidationService;
@ -31,6 +38,7 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.util.OAuth2Utils;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;
import org.springframework.stereotype.Service;
@ -40,7 +48,9 @@ import org.springframework.web.context.request.ServletRequestAttributes;
import com.google.common.base.Strings;
import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
@ -80,7 +90,8 @@ public class ConnectTokenEnhancer implements TokenEnhancer {
// TODO: use client's default signing algorithm
SignedJWT signed = new SignedJWT(new JWSHeader(jwtService.getDefaultSigningAlgorithm()), claims);
JWSAlgorithm signingAlg = jwtService.getDefaultSigningAlgorithm();
SignedJWT signed = new SignedJWT(new JWSHeader(signingAlg), claims);
jwtService.signJwt(signed);
@ -132,7 +143,43 @@ public class ConnectTokenEnhancer implements TokenEnhancer {
idClaims.setCustomClaim("nonce", nonce);
}
SignedJWT idToken = new SignedJWT(new JWSHeader(jwtService.getDefaultSigningAlgorithm()), idClaims);
String responseType = authentication.getAuthorizationRequest().getAuthorizationParameters().get("response_type");
Set<String> responseTypes = OAuth2Utils.parseParameterList(responseType);
if (responseTypes.contains("token")) {
// calculate the token hash
// get the right algorithm size
// TODO: all this string parsing feels like a bad hack
String algName = signingAlg.getName();
Pattern re = Pattern.compile("^[HRE]S(\\d+)$");
Matcher match = re.matcher(algName);
if (match.matches()) {
String bits = match.group(1);
String hmacAlg = "HMACSHA" + bits;
try {
Mac mac = Mac.getInstance(hmacAlg);
mac.init(new SecretKeySpec(token.getJwt().serialize().getBytes(), hmacAlg));
byte[] at_hash_bytes = mac.doFinal();
byte[] at_hash_bytes_left = Arrays.copyOf(at_hash_bytes, at_hash_bytes.length / 2);
Base64URL at_hash = Base64URL.encode(at_hash_bytes_left);
idClaims.setClaim("at_hash", at_hash);
} catch (NoSuchAlgorithmException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (InvalidKeyException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}
}
SignedJWT idToken = new SignedJWT(new JWSHeader(signingAlg), idClaims);
//TODO: check for client's preferred signer alg and use that