Merge remote branch 'origin/master'

2012-08-10 16:12:54 -04:00 · 2012-08-10 16:12:54 -04:00 · ae5e1ca859
parent 3f9e2cfa52 47ff885032
commit ae5e1ca859
6 changed files with 66 additions and 91 deletions
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/model/AuthenticationHolder.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/model/AuthenticationHolder.java
@ -1,6 +1,7 @@
 package org.mitre.oauth2.model;

 import javax.persistence.Basic;
+import javax.persistence.Column;
 import javax.persistence.Entity;
 import javax.persistence.FetchType;
 import javax.persistence.GeneratedValue;
@ -22,7 +23,7 @@ public class AuthenticationHolder {

 	private Long id;
 	
-	private Long owner_id;
+	private Long ownerId;
 	
 	private OAuth2Authentication authentication;
 	
@ -41,12 +42,13 @@ public class AuthenticationHolder {
 	}

 	@Basic
-	public Long getOwner_id() {
-		return owner_id;
+	@Column(name="owner_id")
+	public Long getOwnerId() {
+		return ownerId;
 	}

-	public void setOwner_id(Long owner_id) {
-		this.owner_id = owner_id;
+	public void setOwnerId(Long owner_id) {
+		this.ownerId = owner_id;
 	}

 	@Lob
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/model/ClientDetailsEntity.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/model/ClientDetailsEntity.java
@ -28,6 +28,8 @@ import javax.persistence.CollectionTable;
 import javax.persistence.Column;
 import javax.persistence.ElementCollection;
 import javax.persistence.Entity;
+import javax.persistence.EnumType;
+import javax.persistence.Enumerated;
 import javax.persistence.FetchType;
 import javax.persistence.GeneratedValue;
 import javax.persistence.GenerationType;
@ -55,15 +57,17 @@ import org.springframework.security.oauth2.provider.ClientDetails;
 })
 public class ClientDetailsEntity implements ClientDetails {

+    private static final long serialVersionUID = -1617727085733786296L;
+
 	private Long id;
 	
 	/** Our own fields **/
-	private String clientDescription = "";//this is ours
+	private String clientDescription = ""; // human-readable description
 	private Boolean allowRefresh = false; // do we allow refresh tokens for this client?
 	private Boolean allowMultipleAccessTokens = false; // do we allow multiple access tokens, or not?
 	private Boolean reuseRefreshToken = false; // do we let someone reuse a refresh token?
-	private Integer idTokenValiditySeconds = 0; //timeout for id tokens
-	private Boolean dynamicallyRegistered = false;
+	private Boolean dynamicallyRegistered = false; // was this client dynamically registered?
+	private Integer idTokenValiditySeconds; //timeout for id tokens
 	
 	/** Fields from ClientDetails interface **/
    private String clientId = "";
@ -447,7 +451,7 @@ public class ClientDetailsEntity implements ClientDetails {
     */
 	@ElementCollection(fetch = FetchType.EAGER)
 	@CollectionTable(
-			name="scope",
+			name="client_scope",
 			joinColumns=@JoinColumn(name="owner_id")
 	)
 	@Override
@ -588,7 +592,7 @@ public class ClientDetailsEntity implements ClientDetails {
 	


-	@Basic
+	@Enumerated(EnumType.STRING)
 	@Column(name="application_type")
 	public AppType getApplicationType() {
 		return applicationType;
@ -608,7 +612,7 @@ public class ClientDetailsEntity implements ClientDetails {
 		this.applicationName = applicationName;
 	}

-	@Basic
+	@Enumerated(EnumType.STRING)
 	@Column(name="token_endpoint_auth_type")
 	public AuthType getTokenEndpointAuthType() {
 		return tokenEndpointAuthType;
@ -712,7 +716,7 @@ public class ClientDetailsEntity implements ClientDetails {
 		this.sectorIdentifierUrl = sectorIdentifierUrl;
 	}

-	@Basic
+	@Enumerated(EnumType.STRING)
 	@Column(name="requre_signed_request_object")
 	public JwsAlgorithm getRequireSignedRequestObject() {
 		return requireSignedRequestObject;
@ -723,7 +727,7 @@ public class ClientDetailsEntity implements ClientDetails {
 		this.requireSignedRequestObject = requireSignedRequestObject;
 	}

-	@Basic
+	@Enumerated(EnumType.STRING)
 	@Column(name="user_info_signed_response_alg")
 	public JwsAlgorithm getUserInfoSignedResponseAlg() {
 		return userInfoSignedResponseAlg;
@ -733,7 +737,7 @@ public class ClientDetailsEntity implements ClientDetails {
 		this.userInfoSignedResponseAlg = userInfoSignedResponseAlg;
 	}

-	@Basic
+	@Enumerated(EnumType.STRING)
 	@Column(name="user_info_encrypted_response_alg")
 	public JweAlgorithms getUserInfoEncryptedResponseAlg() {
 		return userInfoEncryptedResponseAlg;
@ -744,7 +748,7 @@ public class ClientDetailsEntity implements ClientDetails {
 		this.userInfoEncryptedResponseAlg = userInfoEncryptedResponseAlg;
 	}

-	@Basic
+	@Enumerated(EnumType.STRING)
 	@Column(name="user_info_encrypted_response_enc")
 	public JweAlgorithms getUserInfoEncryptedResponseEnc() {
 		return userInfoEncryptedResponseEnc;
@ -755,7 +759,7 @@ public class ClientDetailsEntity implements ClientDetails {
 		this.userInfoEncryptedResponseEnc = userInfoEncryptedResponseEnc;
 	}

-	@Basic
+	@Enumerated(EnumType.STRING)
 	@Column(name="user_info_encrypted_response_int")
 	public JweAlgorithms getUserInfoEncryptedResponseInt() {
 		return userInfoEncryptedResponseInt;
@ -766,7 +770,7 @@ public class ClientDetailsEntity implements ClientDetails {
 		this.userInfoEncryptedResponseInt = userInfoEncryptedResponseInt;
 	}

-	@Basic
+	@Enumerated(EnumType.STRING)
 	@Column(name="id_token_signed_response_alg")
 	public JwsAlgorithm getIdTokenSignedResponseAlg() {
 		return idTokenSignedResponseAlg;
@ -776,7 +780,7 @@ public class ClientDetailsEntity implements ClientDetails {
 		this.idTokenSignedResponseAlg = idTokenSignedResponseAlg;
 	}

-	@Basic
+	@Enumerated(EnumType.STRING)
 	@Column(name="id_token_encrypted_response_alg")
 	public JweAlgorithms getIdTokenEncryptedResponseAlg() {
 		return idTokenEncryptedResponseAlg;
@ -787,7 +791,7 @@ public class ClientDetailsEntity implements ClientDetails {
 		this.idTokenEncryptedResponseAlg = idTokenEncryptedResponseAlg;
 	}

-	@Basic
+	@Enumerated(EnumType.STRING)
 	@Column(name="id_token_encrypted_response_enc")
 	public JweAlgorithms getIdTokenEncryptedReponseEnc() {
 		return idTokenEncryptedReponseEnc;
@ -798,7 +802,7 @@ public class ClientDetailsEntity implements ClientDetails {
 		this.idTokenEncryptedReponseEnc = idTokenEncryptedReponseEnc;
 	}

-	@Basic
+	@Enumerated(EnumType.STRING)
 	@Column(name="id_token_encrypted_response_int")
 	public JweAlgorithms getIdTokenEncryptedResponseInt() {
 		return idTokenEncryptedResponseInt;
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2AccessTokenEntity.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2AccessTokenEntity.java
@ -73,9 +73,6 @@ public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
 	
 	private Jwt jwtValue; // JWT-encoded access token value
 	
-	//TODO should not need this
-	private String value;
-
 	private IdToken idToken; // JWT-encoded OpenID Connect IdToken
 	
 	private Date expiration;
@ -158,8 +155,7 @@ public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
    @Basic
    @Column(name="token_value")
    public String getValue() {
-    	this.value = jwtValue.toString();
-	    return value;
+	    return jwtValue.toString();
    }

    /**
@ -169,7 +165,6 @@ public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
     * @throws IllegalArgumentException if "value" is not a properly formatted JWT string
     */
    public void setValue(String value) {
-    	this.value = value;
    	setJwt(Jwt.parse(value));
    }

@ -215,7 +210,7 @@ public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
    @ElementCollection(fetch=FetchType.EAGER)
    @CollectionTable(
    		joinColumns=@JoinColumn(name="owner_id"),
-    		name="scope"
+    		name="token_scope"
    )
    public Set<String> getScope() {
 	    return scope;
@ -281,7 +276,6 @@ public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
 	 */
 	public void setJwt(Jwt jwt) {
 		this.jwtValue = jwt;
-		this.value = jwt.toString();
 	}

 	@Override
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2RefreshTokenEntity.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2RefreshTokenEntity.java
@ -64,14 +64,9 @@ public class OAuth2RefreshTokenEntity implements OAuth2RefreshToken {
 	//JWT-encoded representation of this access token entity
 	private Jwt jwt;
 	
-	//TOOD: shouldn't need this
-	private String value;
-	
 	// our refresh tokens might expire
 	private Date expiration;

-	private  Set<String> scope; // we save the scope issued to the refresh token so that we can reissue a new access token	
-	
 	/**
 	 * 
 	 */
@ -102,7 +97,7 @@ public class OAuth2RefreshTokenEntity implements OAuth2RefreshToken {
     * @return the authentication
     */
 	@ManyToOne
-	@JoinColumn(name = "owner_id")
+	@JoinColumn(name = "auth_holder_id")
    public AuthenticationHolder getAuthenticationHolder() {
    	return authenticationHolder;
    }
@ -120,8 +115,7 @@ public class OAuth2RefreshTokenEntity implements OAuth2RefreshToken {
    @Basic
    @Column(name="token_value")
    public String getValue() {
-    	value = jwt.toString();
-	    return value;
+	    return jwt.toString();
    }

    /**
@ -130,7 +124,6 @@ public class OAuth2RefreshTokenEntity implements OAuth2RefreshToken {
     * @throws IllegalArgumentException if the value is not a valid JWT string
     */
    public void setValue(String value) {
-    	this.value = value;
 	    setJwt(Jwt.parse(value));
    }

@ -173,25 +166,6 @@ public class OAuth2RefreshTokenEntity implements OAuth2RefreshToken {
    	this.client = client;
    }

-	/**
-     * @return the scope
-     */
-	@ElementCollection(fetch = FetchType.EAGER)
-	@CollectionTable(
-			joinColumns=@JoinColumn(name="owner_id"),
-			name="scope"
-	)
-    public Set<String> getScope() {
-    	return scope;
-    }
-
-	/**
-     * @param scope the scope to set
-     */
-    public void setScope(Set<String> scope) {
-    	this.scope = scope;
-    }
-    
    /**
     * Get the JWT object directly
     * @return the jwt
@ -206,7 +180,6 @@ public class OAuth2RefreshTokenEntity implements OAuth2RefreshToken {
     */
    public void setJwt(Jwt jwt) {
    	this.jwt = jwt;
-    	this.value = jwt.toString();
    }
    
 }
--- a/openid-connect-server/db/tables/database_tables.sql
+++ b/openid-connect-server/db/tables/database_tables.sql
@ -3,9 +3,9 @@ CREATE TABLE access_token (
 	token_value VARCHAR(4096),
 	expiration TIMESTAMP,
 	token_type VARCHAR(256),
-	refresh_token_id VARCHAR(256),
+	refresh_token_id BIGINT,
 	client_id VARCHAR(256),
-	auth_holder_id VARCHAR(256),
+	auth_holder_id BIGINT,
 	id_token_string VARCHAR(4096)
 );

@ -20,33 +20,33 @@ CREATE TABLE address (
 );

 CREATE TABLE allowed_scope (
-	owner_id VARCHAR(256), 
+	owner_id BIGINT, 
 	allowed_scope VARCHAR(256)
 );

 CREATE TABLE approved_site (
 	id BIGINT AUTO_INCREMENT PRIMARY KEY,
-	user_id VARCHAR(256),
-	client_id VARCHAR(256),
-	creation_date DATE,
-	access_date DATE,
-	timeout_date DATE,
+	user_id VARCHAR(4096),
+	client_id VARCHAR(4096),
+	creation_date TIMESTAMP,
+	access_date TIMESTAMP,
+	timeout_date TIMESTAMP,
 	whitelisted_site_id VARCHAR(256)
 );

 CREATE TABLE authentication_holder (
 	id BIGINT AUTO_INCREMENT PRIMARY KEY,
-	owner_id VARCHAR(256),
+	owner_id BIGINT,
 	authentication LONGBLOB
 );

 CREATE TABLE authority (
-	owner_id VARCHAR(4096),
+	owner_id BIGINT,
 	authority LONGBLOB
 );

 CREATE TABLE authorized_grant_type (
-	owner_id VARCHAR(256),
+	owner_id BIGINT,
 	authorized_grant_type VARCHAR(2000)
 );

@ -56,11 +56,11 @@ CREATE TABLE client_details (
 	allow_refresh TINYINT,
 	allow_multiple_access_tokens TINYINT,
 	reuse_refresh_tokens TINYINT,
-	id_token_validity_seconds BIGINT,
 	dynamically_registered TINYINT,
+	id_token_validity_seconds BIGINT,
 	
 	client_id VARCHAR(256),
-	client_secret VARCHAR(2000),
+	client_secret VARCHAR(2048),
 	access_token_validity_seconds BIGINT,
 	refresh_token_validity_seconds BIGINT,
 	
@ -69,13 +69,13 @@ CREATE TABLE client_details (
 	token_endpoint_auth_type VARCHAR(256),
 	user_id_type VARCHAR(256),
 	
-	logo_url VARCHAR(256),
-	policy_url VARCHAR(256),
-	jwk_url VARCHAR(256),
-	jwk_encryption_url VARCHAR(256),
-	x509_url VARCHAR(256),
-	x509_encryption_url VARCHAR(256),
-	sector_identifier_url VARCHAR(256),
+	logo_url VARCHAR(2048),
+	policy_url VARCHAR(2048),
+	jwk_url VARCHAR(2048),
+	jwk_encryption_url VARCHAR(2048),
+	x509_url VARCHAR(2048),
+	x509_encryption_url VARCHAR(2048),
+	sector_identifier_url VARCHAR(2048),
 	
 	requre_signed_request_object VARCHAR(256),
 	
@ -95,7 +95,7 @@ CREATE TABLE client_details (
 );

 CREATE TABLE contact (
-	owner_id VARCHAR(256),
+	owner_id BIGINT,
 	contact VARCHAR(256)
 );

@ -114,14 +114,15 @@ CREATE TABLE idtokenclaims (
 );

 CREATE TABLE redirect_uri (
-	owner_id VARCHAR(256), 
-	redirect_uri VARCHAR(2000) 
+	owner_id BIGINT, 
+	redirect_uri VARCHAR(2048) 
 );

 CREATE TABLE refresh_token (
 	id BIGINT AUTO_INCREMENT PRIMARY KEY,
 	token_value VARCHAR(4096),
 	expiration TIMESTAMP,
+	auth_holder_id BIGINT,
 	client_id VARCHAR(256)
 );

@ -130,7 +131,12 @@ CREATE TABLE resource_id (
 	resource_id VARCHAR(256) 
 );

-CREATE TABLE scope (
+CREATE TABLE client_scope (
+	owner_id VARCHAR(4096),
+	scope VARCHAR(2048)
+);
+
+CREATE TABLE token_scope (
 	owner_id VARCHAR(4096),
 	scope VARCHAR(2048)
 );
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
@ -111,12 +111,6 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 		    		Date expiration = new Date(System.currentTimeMillis() + (client.getRefreshTokenValiditySeconds() * 1000L));
 		    		refreshToken.setExpiration(expiration);
 	    		}
-	    		
-	    		// save our scopes so that we can reuse them later for more auth tokens
-	    		// TODO: save the auth instead of the just the scope?
-			    if (client.isScoped()) {
-			    	refreshToken.setScope(token.getScope());
-			    }

 			    //Add the authentication
 			    refreshToken.setAuthenticationHolder(authHolder);
@ -173,20 +167,22 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi

 		OAuth2AccessTokenEntity token = new OAuth2AccessTokenEntity(); 

+		// get the stored scopes from the authentication holder's authorization request; these are the scopes associated with the refresh token
+		Set<String> refreshScopes = refreshToken.getAuthenticationHolder().getAuthentication().getAuthorizationRequest().getScope();
 		
 		if (scope != null && !scope.isEmpty()) { 
-			// ensure a proper subset of scopes 
-			if (refreshToken.getScope() != null && refreshToken.getScope().containsAll(scope)) {
+			// ensure a proper subset of scopes
+			if (refreshScopes != null && refreshScopes.containsAll(scope)) {
 				// set the scope of the new access token if requested
 				token.setScope(scope);
 			} else {
 				// up-scoping is not allowed
 				// (TODO: should this throw InvalidScopeException? For now just pass through)
-				token.setScope(refreshToken.getScope());
+				token.setScope(refreshScopes);
 			}
 		} else {
 			// otherwise inherit the scope of the refresh token (if it's there -- this can return a null scope set)
-			token.setScope(refreshToken.getScope());
+			token.setScope(refreshScopes);
 		}
 	    
    	token.setClient(client);