updates to track Nimbus JOSE API changes to audience and date fields

Justin Richer 2013-02-21 12:01:29 -05:00
parent a184b79b06
commit 9a98d241e8
6 changed files with 50 additions and 66 deletions


@ -24,6 +24,7 @@ import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
@ -356,52 +357,47 @@ public class AbstractOIDCAuthenticationFilter extends
}
// check the issuer
if (idClaims.getIssuerClaim() == null) {
if (idClaims.getIssuer() == null) {
throw new AuthenticationServiceException("Id Token Issuer is null");
} else if (!idClaims.getIssuerClaim().equals(serverConfig.getIssuer())){
throw new AuthenticationServiceException("Issuers do not match, expected " + serverConfig.getIssuer() + " got " + idClaims.getIssuerClaim());
} else if (!idClaims.getIssuer().equals(serverConfig.getIssuer())){
throw new AuthenticationServiceException("Issuers do not match, expected " + serverConfig.getIssuer() + " got " + idClaims.getIssuer());
}
// check expiration
// FIXME: Nimbus Date Fields
/*
if (idClaims.getExpirationTimeClaim() == 0) {
if (idClaims.getExpirationTime() == null) {
throw new AuthenticationServiceException("Id Token does not have required expiration claim");
} else {
// it's not null, see if it's expired
Date now = new Date(System.currentTimeMillis() - (timeSkewAllowance * 1000));
if (now.after(new Date(idClaims.getExpirationTimeClaim()))) {
throw new AuthenticationServiceException("Id Token is expired: " + idClaims.getExpirationTimeClaim());
if (now.after(idClaims.getExpirationTime())) {
throw new AuthenticationServiceException("Id Token is expired: " + idClaims.getExpirationTime());
}
}
// check not before
// FIXME: Nimbus Date Fields
if (idClaims.getNotBefore() != null) {
if (idClaims.getNotBeforeTime() != null) {
Date now = new Date(System.currentTimeMillis() + (timeSkewAllowance * 1000));
if (now.before(idClaims.getNotBefore())){
throw new AuthenticationServiceException("Id Token not valid untill: " + idClaims.getNotBefore());
if (now.before(idClaims.getNotBeforeTime())){
throw new AuthenticationServiceException("Id Token not valid untill: " + idClaims.getNotBeforeTime());
}
}
// check issued at
if (idClaims.getIssuedAt() == null) {
if (idClaims.getIssueTime() == null) {
throw new AuthenticationServiceException("Id Token does not have required issued-at claim");
} else {
// since it's not null, see if it was issued in the future
Date now = new Date(System.currentTimeMillis() + (timeSkewAllowance * 1000));
if (now.before(idClaims.getIssuedAt())) {
throw new AuthenticationServiceException("Id Token was issued in the future: " + idClaims.getIssuedAt());
if (now.before(idClaims.getIssueTime())) {
throw new AuthenticationServiceException("Id Token was issued in the future: " + idClaims.getIssueTime());
}
}
*/
// check audience
// FIXME: Nimbus audience collection
if (idClaims.getAudienceClaim() == null) {
if (idClaims.getAudience() == null) {
throw new AuthenticationServiceException("Id token audience is null");
} else if (!Arrays.asList(idClaims.getAudienceClaim()).contains(serverConfig.getClientId())) {
throw new AuthenticationServiceException("Audience does not match, expected " + serverConfig.getClientId() + " got " + idClaims.getAudienceClaim());
} else if (!idClaims.getAudience().contains(serverConfig.getClientId())) {
throw new AuthenticationServiceException("Audience does not match, expected " + serverConfig.getClientId() + " got " + idClaims.getAudience());
}
// compare the nonce to our stored claim
@ -426,11 +422,11 @@ public class AbstractOIDCAuthenticationFilter extends
// pull the subject (user id) out as a claim on the id_token
String userId = idClaims.getSubjectClaim();
String userId = idClaims.getSubject();
// construct an OIDCAuthenticationToken and return a Authentication object w/the userId and the idToken
OIDCAuthenticationToken token = new OIDCAuthenticationToken(userId, idClaims.getIssuerClaim(), serverConfig, idTokenValue, accessTokenValue, refreshTokenValue);
OIDCAuthenticationToken token = new OIDCAuthenticationToken(userId, idClaims.getIssuer(), serverConfig, idTokenValue, accessTokenValue, refreshTokenValue);
Authentication authentication = this.getAuthenticationManager().authenticate(token);
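Review bot: The new audience check, `!idClaims.getAudience().contains(serverConfig.getClientId())`, accepts an ID token whose `aud` list carries several entries as long as one of them is this client, and nothing in this section then verifies the `azp` claim that OIDC Core 3.1.3.7 requires in exactly that multi-audience case. After the contains() check I would add `if (idClaims.getAudience().size() > 1 && !serverConfig.getClientId().equals(idClaims.getCustomClaim("azp"))) { throw new AuthenticationServiceException("Multiple audiences present but azp does not match client id"); }` (the accessor name follows the `setCustomClaim` usage elsewhere in this commit; confirm it against the Nimbus version in use). A smaller consistency point: the skew arithmetic is `timeSkewAllowance * 1000` in int while the validity math in the other files of this commit uses `* 1000L`; harmless for realistic skew values, but worth aligning. The enclosing method starts before and continues past this section's hunks.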


@ -124,12 +124,11 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
if (client.getRefreshTokenValiditySeconds() != null) {
Date expiration = new Date(System.currentTimeMillis() + (client.getRefreshTokenValiditySeconds() * 1000L));
refreshToken.setExpiration(expiration);
// FIXME: nimbus date fields
refreshClaims.setExpirationTimeClaim(expiration.getTime());
refreshClaims.setExpirationTime(expiration);
}
// set a random identifier
refreshClaims.setJWTIDClaim(UUID.randomUUID().toString());
refreshClaims.setJWTID(UUID.randomUUID().toString());
// TODO: add issuer fields, signature to JWT


@ -103,12 +103,10 @@ public class JwtAssertionTokenGranter extends AbstractTokenGranter {
// update expiration and issued-at claims
if (client.getIdTokenValiditySeconds() != null) {
Date expiration = new Date(System.currentTimeMillis() + (client.getIdTokenValiditySeconds() * 1000L));
// FIXME: Nimbus-JOSE Date fields
claims.setExpirationTimeClaim(expiration.getTime());
claims.setExpirationTime(expiration);
newIdTokenEntity.setExpiration(expiration);
}
// FIXME: Nimbus-JOSE Date fields
claims.setIssuedAtClaim(new Date().getTime());
claims.setIssueTime(new Date());
SignedJWT newIdToken = new SignedJWT((JWSHeader) idToken.getHeader(), claims);
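Review bot: The new id token on the last line of this hunk is built with `(JWSHeader) idToken.getHeader()`, so the header of the incoming token, including its `alg` and any `kid`, is copied verbatim into a token this server is about to sign; whether that incoming header was checked against the server's own signing configuration happens outside the hunk, if at all. If it is not, the algorithm and key hint on a server-issued token are chosen by whoever supplied the assertion, which is the wrong party. Building the header from server configuration, as ConnectTokenEnhancer in this same commit does with `new JWSHeader(configBean.getDefaultSigningAlgorithm())`, removes the question entirely. The enclosing method starts before and continues past this hunk.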


@ -6,7 +6,7 @@ package org.mitre.openid.connect.assertion;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Arrays;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
@ -76,49 +76,45 @@ public class JwtBearerAuthenticationProvider implements AuthenticationProvider {
}
// check the issuer
if (jwtClaims.getIssuerClaim() == null) {
if (jwtClaims.getIssuer() == null) {
throw new AuthenticationServiceException("Assertion Token Issuer is null");
} else if (!jwtClaims.getIssuerClaim().equals(client.getClientId())){
throw new AuthenticationServiceException("Issuers do not match, expected " + client.getClientId() + " got " + jwtClaims.getIssuerClaim());
} else if (!jwtClaims.getIssuer().equals(client.getClientId())){
throw new AuthenticationServiceException("Issuers do not match, expected " + client.getClientId() + " got " + jwtClaims.getIssuer());
}
// check expiration
/*
* FIXME: re-institute date check for Nimbus
if (jwtClaims.getExpirationTimeClaim() == null) {
if (jwtClaims.getExpirationTime() == null) {
throw new AuthenticationServiceException("Assertion Token does not have required expiration claim");
} else {
// it's not null, see if it's expired
Date now = new Date(System.currentTimeMillis() - (timeSkewAllowance * 1000));
if (now.after(jwtClaims.getExpirationTimeClaim())) {
throw new AuthenticationServiceException("Assertion Token is expired: " + jwtClaims.getExpirationTimeClaim());
if (now.after(jwtClaims.getExpirationTime())) {
throw new AuthenticationServiceException("Assertion Token is expired: " + jwtClaims.getExpirationTime());
}
}
// check not before
if (jwtClaims.getNotBefore() != null) {
if (jwtClaims.getNotBeforeTime() != null) {
Date now = new Date(System.currentTimeMillis() + (timeSkewAllowance * 1000));
if (now.before(jwtClaims.getNotBefore())){
throw new AuthenticationServiceException("Assertion Token not valid untill: " + jwtClaims.getNotBefore());
if (now.before(jwtClaims.getNotBeforeTime())){
throw new AuthenticationServiceException("Assertion Token not valid untill: " + jwtClaims.getNotBeforeTime());
}
}
// check issued at
if (jwtClaims.getIssuedAt() != null) {
if (jwtClaims.getIssueTime() != null) {
// since it's not null, see if it was issued in the future
Date now = new Date(System.currentTimeMillis() + (timeSkewAllowance * 1000));
if (now.before(jwtClaims.getIssuedAt())) {
throw new AuthenticationServiceException("Assertion Token was issued in the future: " + jwtClaims.getIssuedAt());
if (now.before(jwtClaims.getIssueTime())) {
throw new AuthenticationServiceException("Assertion Token was issued in the future: " + jwtClaims.getIssueTime());
}
}
*/
// check audience
if (jwtClaims.getAudienceClaim() == null) {
if (jwtClaims.getAudience() == null) {
throw new AuthenticationServiceException("Assertion token audience is null");
} else if (!Arrays.asList(jwtClaims.getAudienceClaim()).contains(config.getIssuer())) { // FIXME: change back to list.contains() check after Nimbus update
throw new AuthenticationServiceException("Audience does not match, expected " + config.getIssuer() + " got " + jwtClaims.getAudienceClaim());
} else if (!jwtClaims.getAudience().contains(config.getIssuer())) {
throw new AuthenticationServiceException("Audience does not match, expected " + config.getIssuer() + " got " + jwtClaims.getAudience());
}
// IFF we managed to get all the way down here, the token is valid
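Review bot: The re-enabled validity checks bound a client assertion only by the `exp` the client itself chose, so an assertion with an `exp` years ahead is accepted indefinitely and, since `jti` is never recorded anywhere in this section, can be replayed freely; RFC 7523 expressly allows the server to cap assertion lifetime and reject reuse. A cheap first step after the expiration block is `if (jwtClaims.getExpirationTime().getTime() - System.currentTimeMillis() > maxAssertionLifetimeMillis) { throw new AuthenticationServiceException("Assertion Token lifetime exceeds allowed maximum"); }` with a configurable maximum, plus a `jti` seen-set if replay matters for the deployment. Two smaller points: the `iat` check here is optional (`!= null`) whereas the ID token path changed in this same commit requires the claim, which looks accidental rather than deliberate; and the message `"Assertion Token not valid untill: "` misspells `until`. The enclosing method begins before this hunk.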


@ -50,7 +50,7 @@ public class JwtBearerClientAssertionTokenEndpointFilter extends ClientCredentia
try {
JWT jwt = JWTParser.parse(assertion);
String clientId = jwt.getJWTClaimsSet().getSubjectClaim();
String clientId = jwt.getJWTClaimsSet().getSubject();
Authentication authRequest = new JwtBearerAssertionAuthenticationToken(clientId, jwt);


@ -34,6 +34,7 @@ import org.springframework.security.oauth2.provider.token.TokenEnhancer;
import org.springframework.stereotype.Service;
import com.google.common.base.Strings;
import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jwt.JWTClaimsSet;
@ -62,18 +63,15 @@ public class ConnectTokenEnhancer implements TokenEnhancer {
JWTClaimsSet claims = new JWTClaimsSet();
// FIXME: Nimbus should do collections
claims.setAudienceClaim(new String[] {clientId});
claims.setAudience(Lists.newArrayList(clientId));
claims.setIssuerClaim(configBean.getIssuer());
claims.setIssuer(configBean.getIssuer());
// FIXME: Nimbus Dates
claims.setIssuedAtClaim(new Date().getTime());
claims.setIssueTime(new Date());
// FIXME: Nimbus dates
claims.setExpirationTimeClaim(token.getExpiration().getTime());
claims.setExpirationTime(token.getExpiration());
claims.setJWTIDClaim(UUID.randomUUID().toString()); // set a random NONCE in the middle of it
claims.setJWTID(UUID.randomUUID().toString()); // set a random NONCE in the middle of it
SignedJWT signed = new SignedJWT(new JWSHeader(configBean.getDefaultSigningAlgorithm()), claims);
@ -106,22 +104,19 @@ public class ConnectTokenEnhancer implements TokenEnhancer {
idClaims.setCustomClaim("auth_time", new Date().getTime());
// FIXME: nimbus date fields
idClaims.setIssuedAtClaim(new Date().getTime());
idClaims.setIssueTime(new Date());
ClientDetailsEntity client = clientService.loadClientByClientId(clientId);
if (client.getIdTokenValiditySeconds() != null) {
Date expiration = new Date(System.currentTimeMillis() + (client.getIdTokenValiditySeconds() * 1000L));
// FIXME: nimbus date fields
idClaims.setExpirationTimeClaim(expiration.getTime());
idClaims.setExpirationTime(expiration);
idTokenEntity.setExpiration(expiration);
}
idClaims.setIssuerClaim(configBean.getIssuer());
idClaims.setSubjectClaim(userId);
// FIXME: Nimbus audience as collection
idClaims.setAudienceClaim(new String[] { clientId });
idClaims.setIssuer(configBean.getIssuer());
idClaims.setSubject(userId);
idClaims.setAudience(Lists.newArrayList(clientId));
String nonce = authentication.getAuthorizationRequest().getAuthorizationParameters().get("nonce");