From 9a98d241e88e78a7f55de1b2633da2ee67afae8a Mon Sep 17 00:00:00 2001
From: Justin Richer
Date: Thu, 21 Feb 2013 12:01:29 -0500
Subject: [PATCH] updates to track Nimbus JOSE API changes to audience and date fields

---
 .../AbstractOIDCAuthenticationFilter.java | 40 +++++++++----------
 .../DefaultOAuth2ProviderTokenService.java | 5 +--
 .../token/JwtAssertionTokenGranter.java | 6 +--
 .../JwtBearerAuthenticationProvider.java | 36 ++++++++---------
 ...rerClientAssertionTokenEndpointFilter.java | 2 +-
 .../connect/token/ConnectTokenEnhancer.java | 27 +++++--------
 6 files changed, 50 insertions(+), 66 deletions(-)

diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/AbstractOIDCAuthenticationFilter.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/AbstractOIDCAuthenticationFilter.java
index 3f638a6d2..0e312749b 100644
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/AbstractOIDCAuthenticationFilter.java
+++ b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/AbstractOIDCAuthenticationFilter.java
@@ -24,6 +24,7 @@ import java.security.interfaces.RSAPublicKey;
 import java.text.ParseException;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Date;
 import java.util.Enumeration;
 import java.util.HashMap;
 import java.util.List;
@@ -356,52 +357,47 @@ public class AbstractOIDCAuthenticationFilter extends
 				}
 
 				// check the issuer
-				if (idClaims.getIssuerClaim() == null) {
+				if (idClaims.getIssuer() == null) {
 					throw new AuthenticationServiceException("Id Token Issuer is null");
-				} else if (!idClaims.getIssuerClaim().equals(serverConfig.getIssuer())){
-					throw new AuthenticationServiceException("Issuers do not match, expected " + serverConfig.getIssuer() + " got " + idClaims.getIssuerClaim());
+				} else if (!idClaims.getIssuer().equals(serverConfig.getIssuer())){
+					throw new AuthenticationServiceException("Issuers do not match, expected " + serverConfig.getIssuer() + " got " + idClaims.getIssuer());
 				}
 
 				// check expiration
-				// FIXME: Nimbus Date Fields
-				/*
-				if (idClaims.getExpirationTimeClaim() == 0) {
+				if (idClaims.getExpirationTime() == null) {
 					throw new AuthenticationServiceException("Id Token does not have required expiration claim");
 				} else {
 					// it's not null, see if it's expired
 					Date now = new Date(System.currentTimeMillis() - (timeSkewAllowance * 1000));
-					if (now.after(new Date(idClaims.getExpirationTimeClaim()))) {
-						throw new AuthenticationServiceException("Id Token is expired: " + idClaims.getExpirationTimeClaim());
+					if (now.after(idClaims.getExpirationTime())) {
+						throw new AuthenticationServiceException("Id Token is expired: " + idClaims.getExpirationTime());
 					}
 				}
 
 				// check not before
-				// FIXME: Nimbus Date Fields
-				if (idClaims.getNotBefore() != null) {
+				if (idClaims.getNotBeforeTime() != null) {
 					Date now = new Date(System.currentTimeMillis() + (timeSkewAllowance * 1000));
-					if (now.before(idClaims.getNotBefore())){
-						throw new AuthenticationServiceException("Id Token not valid untill: " + idClaims.getNotBefore());
+					if (now.before(idClaims.getNotBeforeTime())){
+						throw new AuthenticationServiceException("Id Token not valid untill: " + idClaims.getNotBeforeTime());
 					}
 				}
 
 				// check issued at
-				if (idClaims.getIssuedAt() == null) {
+				if (idClaims.getIssueTime() == null) {
 					throw new AuthenticationServiceException("Id Token does not have required issued-at claim");
 				} else {
 					// since it's not null, see if it was issued in the future
 					Date now = new Date(System.currentTimeMillis() + (timeSkewAllowance * 1000));
-					if (now.before(idClaims.getIssuedAt())) {
-						throw new AuthenticationServiceException("Id Token was issued in the future: " + idClaims.getIssuedAt());
+					if (now.before(idClaims.getIssueTime())) {
+						throw new AuthenticationServiceException("Id Token was issued in the future: " + idClaims.getIssueTime());
 					}
 				}
-				*/
 
 				// check audience
-				// FIXME: Nimbus audience collection
-				if (idClaims.getAudienceClaim() == null) {
+				if (idClaims.getAudience() == null) {
 					throw new AuthenticationServiceException("Id token audience is null");
-				} else if (!Arrays.asList(idClaims.getAudienceClaim()).contains(serverConfig.getClientId())) {
-					throw new AuthenticationServiceException("Audience does not match, expected " + serverConfig.getClientId() + " got " + idClaims.getAudienceClaim());
+				} else if (!idClaims.getAudience().contains(serverConfig.getClientId())) {
+					throw new AuthenticationServiceException("Audience does not match, expected " + serverConfig.getClientId() + " got " + idClaims.getAudience());
 				}
 
 				// compare the nonce to our stored claim
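Review bot: The audience check in this hunk accepts any ID token whose `aud` list merely contains this client_id and never consults `azp`; OIDC Core 3.1.3.7 has the client require an `azp` claim when the token carries more than one audience and verify that it equals its own client_id, so as written a token legitimately issued to a multi-audience sibling client passes here. Since the commit already uses Nimbus custom-claim accessors elsewhere, the check fits as one more branch: `} else if (idClaims.getAudience().size() > 1 && !serverConfig.getClientId().equals(idClaims.getCustomClaim("azp"))) { throw new AuthenticationServiceException("Multiple audiences present but azp does not match client id"); }` (confirm the getter name against the Nimbus version in use). It is also worth a comment that the exception messages deliberately echo issuer and audience values taken from the token, since those strings may reach logs. The enclosing method begins and ends outside this hunk.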
@@ -426,11 +422,11 @@ public class AbstractOIDCAuthenticationFilter extends
 
 				// pull the subject (user id) out as a claim on the id_token
-				String userId = idClaims.getSubjectClaim();
+				String userId = idClaims.getSubject();
 
 				// construct an OIDCAuthenticationToken and return a Authentication object w/the userId and the idToken
-				OIDCAuthenticationToken token = new OIDCAuthenticationToken(userId, idClaims.getIssuerClaim(), serverConfig, idTokenValue, accessTokenValue, refreshTokenValue);
+				OIDCAuthenticationToken token = new OIDCAuthenticationToken(userId, idClaims.getIssuer(), serverConfig, idTokenValue, accessTokenValue, refreshTokenValue);
 
 				Authentication authentication = this.getAuthenticationManager().authenticate(token);
 
diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
index 86b07f475..6dfb448ac 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
@@ -124,12 +124,11 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 		if (client.getRefreshTokenValiditySeconds() != null) {
 			Date expiration = new Date(System.currentTimeMillis() + (client.getRefreshTokenValiditySeconds() * 1000L));
 			refreshToken.setExpiration(expiration);
-			// FIXME: nimbus date fields
-			refreshClaims.setExpirationTimeClaim(expiration.getTime());
+			refreshClaims.setExpirationTime(expiration);
 		}
 
 		// set a random identifier
-		refreshClaims.setJWTIDClaim(UUID.randomUUID().toString());
+		refreshClaims.setJWTID(UUID.randomUUID().toString());
 
 		// TODO: add issuer fields, signature to JWT
diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/token/JwtAssertionTokenGranter.java b/openid-connect-server/src/main/java/org/mitre/oauth2/token/JwtAssertionTokenGranter.java
index f386050bc..06df5331f 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/token/JwtAssertionTokenGranter.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/token/JwtAssertionTokenGranter.java
@@ -103,12 +103,10 @@ public class JwtAssertionTokenGranter extends AbstractTokenGranter {
 				// update expiration and issued-at claims
 				if (client.getIdTokenValiditySeconds() != null) {
 					Date expiration = new Date(System.currentTimeMillis() + (client.getIdTokenValiditySeconds() * 1000L));
-					// FIXME: Nimbus-JOSE Date fields
-					claims.setExpirationTimeClaim(expiration.getTime());
+					claims.setExpirationTime(expiration);
 					newIdTokenEntity.setExpiration(expiration);
 				}
 
-				// FIXME: Nimbus-JOSE Date fields
-				claims.setIssuedAtClaim(new Date().getTime());
+				claims.setIssueTime(new Date());
 
 				SignedJWT newIdToken = new SignedJWT((JWSHeader) idToken.getHeader(), claims);
 
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerAuthenticationProvider.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerAuthenticationProvider.java
index 7dc632adc..92b76de95 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerAuthenticationProvider.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerAuthenticationProvider.java
@@ -6,7 +6,7 @@ package org.mitre.openid.connect.assertion;
 import java.security.PublicKey;
 import java.security.interfaces.RSAPublicKey;
 import java.text.ParseException;
-import java.util.Arrays;
+import java.util.Date;
 import java.util.HashMap;
 import java.util.Map;
 
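Review bot: In the JwtAssertionTokenGranter hunk, when `client.getIdTokenValiditySeconds()` is null the code refreshes `iat` but leaves whatever `exp` the `claims` object already carried (its construction is above the hunk and presumably copies the presented `idToken`), so the reissued token can end up with an `iat` later than its `exp`, or simply keep a lifetime the server no longer controls. Consider always setting an expiration, falling back to a server-wide default when the client has none, and documenting it: `// exp: client-specific lifetime, else server default — never carry over the presented token's exp`. The `newIdTokenEntity.setExpiration(expiration)` call then needs the same fallback so the stored entity and the JWT agree. The enclosing method begins and ends outside this hunk.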
@@ -76,49 +76,45 @@ public class JwtBearerAuthenticationProvider implements AuthenticationProvider {
 		}
 
 		// check the issuer
-		if (jwtClaims.getIssuerClaim() == null) {
+		if (jwtClaims.getIssuer() == null) {
 			throw new AuthenticationServiceException("Assertion Token Issuer is null");
-		} else if (!jwtClaims.getIssuerClaim().equals(client.getClientId())){
-			throw new AuthenticationServiceException("Issuers do not match, expected " + client.getClientId() + " got " + jwtClaims.getIssuerClaim());
+		} else if (!jwtClaims.getIssuer().equals(client.getClientId())){
+			throw new AuthenticationServiceException("Issuers do not match, expected " + client.getClientId() + " got " + jwtClaims.getIssuer());
 		}
 
 		// check expiration
-		/*
-		 * FIXME: re-institute date check for Nimbus
-		if (jwtClaims.getExpirationTimeClaim() == null) {
+		if (jwtClaims.getExpirationTime() == null) {
 			throw new AuthenticationServiceException("Assertion Token does not have required expiration claim");
 		} else {
 			// it's not null, see if it's expired
 			Date now = new Date(System.currentTimeMillis() - (timeSkewAllowance * 1000));
-			if (now.after(jwtClaims.getExpirationTimeClaim())) {
-				throw new AuthenticationServiceException("Assertion Token is expired: " + jwtClaims.getExpirationTimeClaim());
+			if (now.after(jwtClaims.getExpirationTime())) {
+				throw new AuthenticationServiceException("Assertion Token is expired: " + jwtClaims.getExpirationTime());
 			}
 		}
 
 		// check not before
-		if (jwtClaims.getNotBefore() != null) {
+		if (jwtClaims.getNotBeforeTime() != null) {
 			Date now = new Date(System.currentTimeMillis() + (timeSkewAllowance * 1000));
-			if (now.before(jwtClaims.getNotBefore())){
-				throw new AuthenticationServiceException("Assertion Token not valid untill: " + jwtClaims.getNotBefore());
+			if (now.before(jwtClaims.getNotBeforeTime())){
+				throw new AuthenticationServiceException("Assertion Token not valid untill: " + jwtClaims.getNotBeforeTime());
 			}
 		}
 
 		// check issued at
-		if (jwtClaims.getIssuedAt() != null) {
+		if (jwtClaims.getIssueTime() != null) {
 			// since it's not null, see if it was issued in the future
 			Date now = new Date(System.currentTimeMillis() + (timeSkewAllowance * 1000));
-			if (now.before(jwtClaims.getIssuedAt())) {
-				throw new AuthenticationServiceException("Assertion Token was issued in the future: " + jwtClaims.getIssuedAt());
+			if (now.before(jwtClaims.getIssueTime())) {
+				throw new AuthenticationServiceException("Assertion Token was issued in the future: " + jwtClaims.getIssueTime());
 			}
 		}
-		*/
-
 		// check audience
-		if (jwtClaims.getAudienceClaim() == null) {
+		if (jwtClaims.getAudience() == null) {
 			throw new AuthenticationServiceException("Assertion token audience is null");
-		} else if (!Arrays.asList(jwtClaims.getAudienceClaim()).contains(config.getIssuer())) { // FIXME: change back to list.contains() check after Nimbus update
-			throw new AuthenticationServiceException("Audience does not match, expected " + config.getIssuer() + " got " + jwtClaims.getAudienceClaim());
+		} else if (!jwtClaims.getAudience().contains(config.getIssuer())) {
+			throw new AuthenticationServiceException("Audience does not match, expected " + config.getIssuer() + " got " + jwtClaims.getAudience());
 		}
 
 		// IFF we managed to get all the way down here, the token is valid
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerClientAssertionTokenEndpointFilter.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerClientAssertionTokenEndpointFilter.java
index 6ca141cd7..2d1e5ecd9 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerClientAssertionTokenEndpointFilter.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerClientAssertionTokenEndpointFilter.java
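Review bot: The client-assertion validation restored in this hunk has no replay protection: `jti` is never read, so the same signed assertion can be presented to the token endpoint repeatedly until its `exp` passes (OIDC Core 9 makes `jti` required on client assertions precisely so the server can reject reuse, and RFC 7523 permits the same check). At minimum require it next to the other claim checks, mirroring the commit's `setJWTID` naming: `if (jwtClaims.getJWTID() == null) { throw new AuthenticationServiceException("Assertion Token does not have required jti claim"); }`, and follow up with a short-lived cache of seen jti values bounded by `exp`. Note also that `iat` is optional here while the ID-token filter in this same commit rejects tokens without it; if that asymmetry is intended, say so in the `// check issued at` comment. The enclosing method begins and ends outside this hunk.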
@@ -50,7 +50,7 @@ public class JwtBearerClientAssertionTokenEndpointFilter extends ClientCredentia
 		try {
 			JWT jwt = JWTParser.parse(assertion);
 
-			String clientId = jwt.getJWTClaimsSet().getSubjectClaim();
+			String clientId = jwt.getJWTClaimsSet().getSubject();
 
 			Authentication authRequest = new JwtBearerAssertionAuthenticationToken(clientId, jwt);
 
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
index 6f33b931a..8694105f3 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
@@ -34,6 +34,7 @@ import org.springframework.security.oauth2.provider.token.TokenEnhancer;
 import org.springframework.stereotype.Service;
 
 import com.google.common.base.Strings;
+import com.google.common.collect.Lists;
 import com.google.common.collect.Sets;
 import com.nimbusds.jose.JWSHeader;
 import com.nimbusds.jwt.JWTClaimsSet;
@@ -62,18 +63,15 @@ public class ConnectTokenEnhancer implements TokenEnhancer {
 		JWTClaimsSet claims = new JWTClaimsSet();
 
-		// FIXME: Nimbus should do collections
-		claims.setAudienceClaim(new String[] {clientId});
+		claims.setAudience(Lists.newArrayList(clientId));
 
-		claims.setIssuerClaim(configBean.getIssuer());
+		claims.setIssuer(configBean.getIssuer());
 
-		// FIXME: Nimbus Dates
-		claims.setIssuedAtClaim(new Date().getTime());
+		claims.setIssueTime(new Date());
 
-		// FIXME: Nimbus dates
-		claims.setExpirationTimeClaim(token.getExpiration().getTime());
+		claims.setExpirationTime(token.getExpiration());
 
-		claims.setJWTIDClaim(UUID.randomUUID().toString()); // set a random NONCE in the middle of it
+		claims.setJWTID(UUID.randomUUID().toString()); // set a random NONCE in the middle of it
 
 		SignedJWT signed = new SignedJWT(new JWSHeader(configBean.getDefaultSigningAlgorithm()), claims);
 
@@ -106,22 +104,19 @@ public class ConnectTokenEnhancer implements TokenEnhancer {
 		idClaims.setCustomClaim("auth_time", new Date().getTime());
 
-		// FIXME: nimbus date fields
-		idClaims.setIssuedAtClaim(new Date().getTime());
+		idClaims.setIssueTime(new Date());
 
 		ClientDetailsEntity client = clientService.loadClientByClientId(clientId);
 
 		if (client.getIdTokenValiditySeconds() != null) {
 			Date expiration = new Date(System.currentTimeMillis() + (client.getIdTokenValiditySeconds() * 1000L));
-			// FIXME: nimbus date fields
-			idClaims.setExpirationTimeClaim(expiration.getTime());
+			idClaims.setExpirationTime(expiration);
 			idTokenEntity.setExpiration(expiration);
 		}
 
-		idClaims.setIssuerClaim(configBean.getIssuer());
-		idClaims.setSubjectClaim(userId);
-		// FIXME: Nimbus audience as collection
-		idClaims.setAudienceClaim(new String[] { clientId });
+		idClaims.setIssuer(configBean.getIssuer());
+		idClaims.setSubject(userId);
+		idClaims.setAudience(Lists.newArrayList(clientId));
 
 		String nonce = authentication.getAuthorizationRequest().getAuthorizationParameters().get("nonce");
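Review bot: The comment carried over onto the `setJWTID` line in the first hunk, `// set a random NONCE in the middle of it`, misdescribes the claim: `jti` is the JWT ID, a unique identifier for this token, not a nonce, and the real OIDC `nonce` is handled separately in the ID-token path in the next hunk. Replace it with `// jti: unique identifier for this access token` so the two concepts are not conflated by later readers. The enclosing method begins and ends outside this hunk.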
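Review bot: In the second hunk, `idClaims.setCustomClaim("auth_time", new Date().getTime())` writes milliseconds, but OIDC `auth_time` is a NumericDate in seconds, so the value is off by a factor of 1000 and any client `max_age` comparison will misfire; the neighbouring `setIssueTime(new Date())` presumably lets Nimbus do the seconds conversion, which is why `iat` comes out right while `auth_time` does not. Change it to `idClaims.setCustomClaim("auth_time", new Date().getTime() / 1000L);` and note with a comment that it should ideally be the time the end-user actually authenticated rather than token-issuance time, which this hunk does not show. Separately, when `client.getIdTokenValiditySeconds()` is null the ID token is emitted without `exp`, which OIDC Core requires and which the client filter in this same commit rejects with "Id Token does not have required expiration claim"; a server-side default lifetime would close that gap. The enclosing method begins and ends outside this hunk.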