From 9691f02772bf390007b1267202661e8047cb54b4 Mon Sep 17 00:00:00 2001
From: Justin Richer
Date: Fri, 11 Mar 2016 17:12:36 -0500
Subject: [PATCH] added audience parameter to parser, fixed token generator to match HEART spec

---
 .../request/ConnectOAuth2RequestFactory.java | 7 ++++++-
 .../request/ConnectRequestParameters.java | 3 +++
 .../connect/token/ConnectTokenEnhancer.java | 20 ++++++++++++++-----
 3 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/request/ConnectOAuth2RequestFactory.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/request/ConnectOAuth2RequestFactory.java
index 4872d3d45..250f46fde 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/request/ConnectOAuth2RequestFactory.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/request/ConnectOAuth2RequestFactory.java
@@ -17,7 +17,7 @@
 package org.mitre.openid.connect.request;
 
-import static org.mitre.openid.connect.request.ConnectRequestParameters.CLAIMS;
+import static org.mitre.openid.connect.request.ConnectRequestParameters.*;
 import static org.mitre.openid.connect.request.ConnectRequestParameters.CLIENT_ID;
 import static org.mitre.openid.connect.request.ConnectRequestParameters.DISPLAY;
 import static org.mitre.openid.connect.request.ConnectRequestParameters.LOGIN_HINT;
@@ -133,6 +133,11 @@ public class ConnectOAuth2RequestFactory extends DefaultOAuth2RequestFactory {
 			request.getExtensions().put(LOGIN_HINT, inputParams.get(LOGIN_HINT));
 		}
 
+		if (inputParams.containsKey(AUD)) {
+			request.getExtensions().put(AUD, inputParams.get(AUD));
+		}
+
+
 		if (inputParams.containsKey(REQUEST)) {
 			request.getExtensions().put(REQUEST, inputParams.get(REQUEST));
 			processRequestObject(inputParams.get(REQUEST), request);
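Review bot: The wildcard `import static org.mitre.openid.connect.request.ConnectRequestParameters.*;` replaces only the CLAIMS import while the explicit single-member imports of CLIENT_ID, DISPLAY, LOGIN_HINT and the rest of the same interface stay, so the file now mixes a star import with imports it makes redundant. Adding `import static org.mitre.openid.connect.request.ConnectRequestParameters.AUD;` next to the existing CLAIMS line (or, if the wildcard is preferred, dropping the now-redundant explicit lines) keeps one import style and keeps wildcard-import lint rules quiet.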
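Review bot: The `aud` query parameter is copied into the request extensions exactly as the client sent it, with no check that the client is permitted to ask for that audience; the ConnectTokenEnhancer hunk in this same commit then writes that string straight into the access token's `aud` claim, so a client can obtain a token addressed to any audience it names unless the value is validated somewhere outside this hunk (the enclosing method begins and ends outside it). An allow-list check at this point against the client's registered or server-configured audiences, rejecting the request with an `invalid_request` error otherwise, would close that gap. The two added empty lines also leave a double blank before the `REQUEST` block; one is enough.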
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/request/ConnectRequestParameters.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/request/ConnectRequestParameters.java
index af02aed72..f0858423a 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/request/ConnectRequestParameters.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/request/ConnectRequestParameters.java
@@ -43,5 +43,8 @@ public interface ConnectRequestParameters {
 	// responses
 	public String ERROR = "error";
 	public String LOGIN_REQUIRED = "login_required";
+
+	// audience
+	public String AUD = "aud";
 }
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
index c8a382413..6a9b277f0 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
@@ -40,10 +40,12 @@ import org.springframework.security.oauth2.provider.OAuth2Request;
 import org.springframework.security.oauth2.provider.token.TokenEnhancer;
 import org.springframework.stereotype.Service;
 
+import com.google.common.base.Strings;
 import com.google.common.collect.Lists;
 import com.nimbusds.jose.JWSAlgorithm;
 import com.nimbusds.jose.JWSHeader;
 import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.jwt.JWTClaimsSet.Builder;
 import com.nimbusds.jwt.SignedJWT;
 
 @Service
@@ -88,13 +90,20 @@ public class ConnectTokenEnhancer implements TokenEnhancer {
 		String clientId = originalAuthRequest.getClientId();
 		ClientDetailsEntity client = clientService.loadClientByClientId(clientId);
 
-		JWTClaimsSet claims = new JWTClaimsSet.Builder()
-				.audience(Lists.newArrayList(clientId))
+		Builder builder = new JWTClaimsSet.Builder()
+				.claim("azp", clientId)
 				.issuer(configBean.getIssuer())
 				.issueTime(new Date())
 				.expirationTime(token.getExpiration())
-				.jwtID(UUID.randomUUID().toString()) // set a random NONCE in the middle of it
-				.build();
+				.subject(authentication.getName())
+				.jwtID(UUID.randomUUID().toString()); // set a random NONCE in the middle of it
+
+		String audience = (String) authentication.getOAuth2Request().getExtensions().get("aud");
+		if (!Strings.isNullOrEmpty(audience)) {
+			builder.audience(Lists.newArrayList(audience));
+		}
+
+		JWTClaimsSet claims = builder.build();
 
 		JWSAlgorithm signingAlg = jwtService.getDefaultSigningAlgorithm();
 		JWSHeader header = new JWSHeader(signingAlg, null, null, null, null, null, null, null, null, null,
@@ -161,5 +170,6 @@ public class ConnectTokenEnhancer implements TokenEnhancer {
 	public void setClientService(ClientDetailsEntityService clientService) {
 		this.clientService = clientService;
 	}
+
-}
+}
\ No newline at end of file
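Review bot: The audience lookup uses the literal `"aud"` although this commit adds `ConnectRequestParameters.AUD` for exactly that key; `getExtensions().get(AUD)` would keep the request parser and the token enhancer on the same name. Dropping the unconditional `.audience(Lists.newArrayList(clientId))` also means a token minted without an `aud` request parameter now carries no `aud` claim at all, so a resource server has nothing to bind it to; if that is the intended HEART behaviour, a comment such as `// aud is set only when the client requested one; azp always carries the client id` would stop it being "fixed" back, otherwise fall back to the client id when no audience was requested. The unchecked `(String)` cast throws if anything other than a String lands in the extension map under that key, and nothing in this hunk guarantees the type, so `instanceof String` before using the value is safer. The requested audience is also consumed here without validation, as raised on the ConnectOAuth2RequestFactory hunk. The enclosing method begins and ends outside the hunk.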