From 2d8a5763a31c97853a2288ca8c01c0092580948f Mon Sep 17 00:00:00 2001
From: Justin Richer
Date: Fri, 10 Aug 2012 12:41:56 -0400
Subject: [PATCH 1/5] javafied auth holder class
---
 .../org/mitre/oauth2/model/AuthenticationHolder.java | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/model/AuthenticationHolder.java b/openid-connect-common/src/main/java/org/mitre/oauth2/model/AuthenticationHolder.java
index c03845b45..8cd05d008 100644
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/model/AuthenticationHolder.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/model/AuthenticationHolder.java
@@ -1,6 +1,7 @@
 package org.mitre.oauth2.model;
 import javax.persistence.Basic;
+import javax.persistence.Column;
 import javax.persistence.Entity;
 import javax.persistence.FetchType;
 import javax.persistence.GeneratedValue;
@@ -22,7 +23,7 @@ public class AuthenticationHolder {
 private Long id;
- private Long owner_id;
+ private Long ownerId;
 private OAuth2Authentication authentication;
@@ -41,12 +42,13 @@ public class AuthenticationHolder {
 }
 @Basic
- public Long getOwner_id() {
- return owner_id;
+ @Column(name="owner_id")
+ public Long getOwnerId() {
+ return ownerId;
 }
- public void setOwner_id(Long owner_id) {
- this.owner_id = owner_id;
+ public void setOwnerId(Long owner_id) {
+ this.ownerId = owner_id;
 }
 @Lob
From ed99bd36cf43666bea7064ae45b61da5d7a3abb8 Mon Sep 17 00:00:00 2001
From: Justin Richer
Date: Fri, 10 Aug 2012 13:08:04 -0400
Subject: [PATCH 2/5] changed clientdetails entity to use @Enumerated, cleaned up .sql file foreign keys
---
 .../oauth2/model/ClientDetailsEntity.java | 32 ++++++++-------
 .../db/tables/database_tables.sql | 41 ++++++++++---------
 2 files changed, 39 insertions(+), 34 deletions(-)
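Review bot: The new setter `setOwnerId(Long owner_id)` keeps the snake_case parameter name the rename was meant to remove, so the property is only half-converted; `public void setOwnerId(Long ownerId) { this.ownerId = ownerId; }` finishes it. `@Column(name="owner_id")` on the getter keeps the stored column name stable across the rename, which matches the `authentication_holder.owner_id` column the next commit's schema declares. A one-line comment on the field saying what `ownerId` refers to would help: the class header and its other members are outside these hunks, so it is not clear from here whether it identifies the token row or the user.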
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/model/ClientDetailsEntity.java b/openid-connect-common/src/main/java/org/mitre/oauth2/model/ClientDetailsEntity.java
index ae7872b9c..8c8d451ec 100644
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/model/ClientDetailsEntity.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/model/ClientDetailsEntity.java
@@ -28,6 +28,8 @@ import javax.persistence.CollectionTable;
 import javax.persistence.Column;
 import javax.persistence.ElementCollection;
 import javax.persistence.Entity;
+import javax.persistence.EnumType;
+import javax.persistence.Enumerated;
 import javax.persistence.FetchType;
 import javax.persistence.GeneratedValue;
 import javax.persistence.GenerationType;
@@ -55,15 +57,17 @@ import org.springframework.security.oauth2.provider.ClientDetails;
 })
 public class ClientDetailsEntity implements ClientDetails {
+ private static final long serialVersionUID = -1617727085733786296L;
+
 private Long id;
 /** Our own fields **/
- private String clientDescription = "";//this is ours
+ private String clientDescription = ""; // human-readable description
 private Boolean allowRefresh = false; // do we allow refresh tokens for this client?
 private Boolean allowMultipleAccessTokens = false; // do we allow multiple access tokens, or not?
 private Boolean reuseRefreshToken = false; // do we let someone reuse a refresh token?
- private Integer idTokenValiditySeconds = 0; //timeout for id tokens
- private Boolean dynamicallyRegistered = false;
+ private Boolean dynamicallyRegistered = false; // was this client dynamically registered?
+ private Integer idTokenValiditySeconds; //timeout for id tokens
 /** Fields from ClientDetails interface **/
 private String clientId = "";
@@ -588,7 +592,7 @@ public class ClientDetailsEntity implements ClientDetails {
- @Basic
+ @Enumerated(EnumType.STRING)
 @Column(name="application_type")
 public AppType getApplicationType() {
 return applicationType;
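Review bot: `idTokenValiditySeconds` loses its `= 0` initializer in the fields hunk (`@@ -55,15 +57,17 @@`), so a freshly constructed client now carries `null` where it used to carry `0`; the commit message does not mention this, and any caller that unboxes the getter into an `int` would now throw `NullPointerException` — the callers are outside the hunk, so please confirm the change is intended. If it is, say so on the field: `private Integer idTokenValiditySeconds; // null = not configured; timeout for id tokens`. The switch to `@Enumerated(EnumType.STRING)` on `getApplicationType()` and the remaining enum getters (hunks on the next two lines) is the right mapping for the JWS/JWE algorithm fields: with the default ordinal mapping, inserting or reordering an enum constant would silently remap a client's stored signing or encryption algorithm. The added `serialVersionUID` is fine, but a one-line comment saying why the entity is serializable (presumably because `ClientDetails` is; the interface is not visible here) would explain its presence.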
@@ -608,7 +612,7 @@ public class ClientDetailsEntity implements ClientDetails {
 this.applicationName = applicationName;
 }
- @Basic
+ @Enumerated(EnumType.STRING)
 @Column(name="token_endpoint_auth_type")
 public AuthType getTokenEndpointAuthType() {
 return tokenEndpointAuthType;
@@ -712,7 +716,7 @@ public class ClientDetailsEntity implements ClientDetails {
 this.sectorIdentifierUrl = sectorIdentifierUrl;
 }
- @Basic
+ @Enumerated(EnumType.STRING)
 @Column(name="requre_signed_request_object")
 public JwsAlgorithm getRequireSignedRequestObject() {
 return requireSignedRequestObject;
@@ -723,7 +727,7 @@ public class ClientDetailsEntity implements ClientDetails {
 this.requireSignedRequestObject = requireSignedRequestObject;
 }
- @Basic
+ @Enumerated(EnumType.STRING)
 @Column(name="user_info_signed_response_alg")
 public JwsAlgorithm getUserInfoSignedResponseAlg() {
 return userInfoSignedResponseAlg;
@@ -733,7 +737,7 @@ public class ClientDetailsEntity implements ClientDetails {
 this.userInfoSignedResponseAlg = userInfoSignedResponseAlg;
 }
- @Basic
+ @Enumerated(EnumType.STRING)
 @Column(name="user_info_encrypted_response_alg")
 public JweAlgorithms getUserInfoEncryptedResponseAlg() {
 return userInfoEncryptedResponseAlg;
@@ -744,7 +748,7 @@ public class ClientDetailsEntity implements ClientDetails {
 this.userInfoEncryptedResponseAlg = userInfoEncryptedResponseAlg;
 }
- @Basic
+ @Enumerated(EnumType.STRING)
 @Column(name="user_info_encrypted_response_enc")
 public JweAlgorithms getUserInfoEncryptedResponseEnc() {
 return userInfoEncryptedResponseEnc;
@@ -755,7 +759,7 @@ public class ClientDetailsEntity implements ClientDetails {
 this.userInfoEncryptedResponseEnc = userInfoEncryptedResponseEnc;
 }
- @Basic
+ @Enumerated(EnumType.STRING)
 @Column(name="user_info_encrypted_response_int")
 public JweAlgorithms getUserInfoEncryptedResponseInt() {
 return userInfoEncryptedResponseInt;
@@ -766,7 +770,7 @@ public class ClientDetailsEntity implements ClientDetails {
 this.userInfoEncryptedResponseInt = userInfoEncryptedResponseInt;
 }
- @Basic
+ @Enumerated(EnumType.STRING)
 @Column(name="id_token_signed_response_alg")
 public JwsAlgorithm getIdTokenSignedResponseAlg() {
 return idTokenSignedResponseAlg;
@@ -776,7 +780,7 @@ public class ClientDetailsEntity implements ClientDetails {
 this.idTokenSignedResponseAlg = idTokenSignedResponseAlg;
 }
- @Basic
+ @Enumerated(EnumType.STRING)
 @Column(name="id_token_encrypted_response_alg")
 public JweAlgorithms getIdTokenEncryptedResponseAlg() {
 return idTokenEncryptedResponseAlg;
@@ -787,7 +791,7 @@ public class ClientDetailsEntity implements ClientDetails {
 this.idTokenEncryptedResponseAlg = idTokenEncryptedResponseAlg;
 }
- @Basic
+ @Enumerated(EnumType.STRING)
 @Column(name="id_token_encrypted_response_enc")
 public JweAlgorithms getIdTokenEncryptedReponseEnc() {
 return idTokenEncryptedReponseEnc;
@@ -798,7 +802,7 @@ public class ClientDetailsEntity implements ClientDetails {
 this.idTokenEncryptedReponseEnc = idTokenEncryptedReponseEnc;
 }
- @Basic
+ @Enumerated(EnumType.STRING)
 @Column(name="id_token_encrypted_response_int")
 public JweAlgorithms getIdTokenEncryptedResponseInt() {
 return idTokenEncryptedResponseInt;
diff --git a/openid-connect-server/db/tables/database_tables.sql b/openid-connect-server/db/tables/database_tables.sql
index 4167e4ba6..26845a788 100644
--- a/openid-connect-server/db/tables/database_tables.sql
+++ b/openid-connect-server/db/tables/database_tables.sql
@@ -3,9 +3,9 @@ CREATE TABLE access_token (
 token_value VARCHAR(4096),
 expiration TIMESTAMP,
 token_type VARCHAR(256),
- refresh_token_id VARCHAR(256),
+ refresh_token_id BIGINT,
 client_id VARCHAR(256),
- auth_holder_id VARCHAR(256),
+ auth_holder_id BIGINT,
 id_token_string VARCHAR(4096)
 );
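Review bot: The commit message says the `.sql` foreign keys were cleaned up, but the `access_token` hunk here (and the collection-table hunks on the following two lines: `allowed_scope`, `authentication_holder`, `authority`, `authorized_grant_type`, `contact`, `redirect_uri`, `refresh_token`) only change the column type to `BIGINT`; no `FOREIGN KEY ... REFERENCES` clause and no index is declared on `refresh_token_id`, `auth_holder_id` or any `owner_id`. Without a constraint, deleting a client, token or authentication holder leaves the rows that point at it behind, and any lookup by these join columns presumably runs without an index. If the omission is deliberate because this script targets an embedded test database, a comment at the top of the file saying so would stop the next reader from hunting for the constraints. Whether the target engine is MySQL or H2 is not visible from this hunk; `AUTO_INCREMENT` is accepted by both.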
@@ -20,14 +20,14 @@ CREATE TABLE address (
 );
 CREATE TABLE allowed_scope (
- owner_id VARCHAR(256),
+ owner_id BIGINT,
 allowed_scope VARCHAR(256)
 );
 CREATE TABLE approved_site (
 id BIGINT AUTO_INCREMENT PRIMARY KEY,
- user_id VARCHAR(256),
- client_id VARCHAR(256),
+ user_id VARCHAR(4096),
+ client_id VARCHAR(4096),
 creation_date DATE,
 access_date DATE,
 timeout_date DATE,
@@ -36,17 +36,17 @@ CREATE TABLE approved_site (
 CREATE TABLE authentication_holder (
 id BIGINT AUTO_INCREMENT PRIMARY KEY,
- owner_id VARCHAR(256),
+ owner_id BIGINT,
 authentication LONGBLOB
 );
 CREATE TABLE authority (
- owner_id VARCHAR(4096),
+ owner_id BIGINT,
 authority LONGBLOB
 );
 CREATE TABLE authorized_grant_type (
- owner_id VARCHAR(256),
+ owner_id BIGINT,
 authorized_grant_type VARCHAR(2000)
 );
@@ -56,11 +56,11 @@ CREATE TABLE client_details (
 allow_refresh TINYINT,
 allow_multiple_access_tokens TINYINT,
 reuse_refresh_tokens TINYINT,
- id_token_validity_seconds BIGINT,
 dynamically_registered TINYINT,
+ id_token_validity_seconds BIGINT,
 client_id VARCHAR(256),
- client_secret VARCHAR(2000),
+ client_secret VARCHAR(2048),
 access_token_validity_seconds BIGINT,
 refresh_token_validity_seconds BIGINT,
@@ -69,13 +69,13 @@ CREATE TABLE client_details (
 token_endpoint_auth_type VARCHAR(256),
 user_id_type VARCHAR(256),
- logo_url VARCHAR(256),
- policy_url VARCHAR(256),
- jwk_url VARCHAR(256),
- jwk_encryption_url VARCHAR(256),
- x509_url VARCHAR(256),
- x509_encryption_url VARCHAR(256),
- sector_identifier_url VARCHAR(256),
+ logo_url VARCHAR(2048),
+ policy_url VARCHAR(2048),
+ jwk_url VARCHAR(2048),
+ jwk_encryption_url VARCHAR(2048),
+ x509_url VARCHAR(2048),
+ x509_encryption_url VARCHAR(2048),
+ sector_identifier_url VARCHAR(2048),
 requre_signed_request_object VARCHAR(256),
@@ -95,7 +95,7 @@ CREATE TABLE client_details (
 );
 CREATE TABLE contact (
- owner_id VARCHAR(256),
+ owner_id BIGINT,
 contact VARCHAR(256)
 );
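Review bot: `approved_site.user_id` and `client_id` are widened to `VARCHAR(4096)` in the `@@ -20,14 +20,14 @@` hunk, while `client_details.client_id` in the `@@ -56,11 +56,11 @@` hunk and `access_token.client_id` on the previous line stay `VARCHAR(256)`, so the same identifier is stored at two different widths in one schema. A client id cannot legitimately be longer than the column it is registered in, so `client_id VARCHAR(256),` in `approved_site` keeps the tables consistent and keeps the column short enough to index on engines that cap key length; `user_id` deserves the same check against whatever table holds users, which is not visible here. The `client_secret VARCHAR(2048)` widening is fine provided the value stored there is a hashed secret; the schema cannot show whether it is hashed or plain, so that is worth confirming in the service that writes it.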
@@ -114,14 +114,15 @@ CREATE TABLE idtokenclaims (
 );
 CREATE TABLE redirect_uri (
- owner_id VARCHAR(256),
- redirect_uri VARCHAR(2000)
+ owner_id BIGINT,
+ redirect_uri VARCHAR(2048)
 );
 CREATE TABLE refresh_token (
 id BIGINT AUTO_INCREMENT PRIMARY KEY,
 token_value VARCHAR(4096),
 expiration TIMESTAMP,
+ auth_holder_id BIGINT,
 client_id VARCHAR(256)
 );
From bb7d6b2e94bcdef00ca7f16b667e1e1af5f54f02 Mon Sep 17 00:00:00 2001
From: Justin Richer
Date: Fri, 10 Aug 2012 13:37:26 -0400
Subject: [PATCH 3/5] split scopes table
---
 .../oauth2/model/ClientDetailsEntity.java | 2 +-
 .../oauth2/model/OAuth2AccessTokenEntity.java | 2 +-
 .../model/OAuth2RefreshTokenEntity.java | 21 -------------------
 .../db/tables/database_tables.sql | 7 ++++++-
 .../DefaultOAuth2ProviderTokenService.java | 16 ++++++--------
 5 files changed, 14 insertions(+), 34 deletions(-)
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/model/ClientDetailsEntity.java b/openid-connect-common/src/main/java/org/mitre/oauth2/model/ClientDetailsEntity.java
index 8c8d451ec..d81d724bc 100644
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/model/ClientDetailsEntity.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/model/ClientDetailsEntity.java
@@ -451,7 +451,7 @@ public class ClientDetailsEntity implements ClientDetails {
 */
 @ElementCollection(fetch = FetchType.EAGER)
 @CollectionTable(
- name="scope",
+ name="client_scope",
 joinColumns=@JoinColumn(name="owner_id")
 )
 @Override
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2AccessTokenEntity.java b/openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2AccessTokenEntity.java
index ccad27ea8..67c818060 100644
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2AccessTokenEntity.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2AccessTokenEntity.java
@@ -215,7 +215,7 @@ public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
 @ElementCollection(fetch=FetchType.EAGER)
 @CollectionTable(
 joinColumns=@JoinColumn(name="owner_id"),
- name="scope"
+ name="token_scope"
 )
 public Set getScope() {
 return scope;
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2RefreshTokenEntity.java b/openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2RefreshTokenEntity.java
index 4e30692d5..0187445d0 100644
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2RefreshTokenEntity.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2RefreshTokenEntity.java
@@ -70,8 +70,6 @@ public class OAuth2RefreshTokenEntity implements OAuth2RefreshToken {
 // our refresh tokens might expire
 private Date expiration;
- private Set scope; // we save the scope issued to the refresh token so that we can reissue a new access token
-
 /**
 *
 */
@@ -173,25 +171,6 @@ public class OAuth2RefreshTokenEntity implements OAuth2RefreshToken {
 this.client = client;
 }
- /**
- * @return the scope
- */
- @ElementCollection(fetch = FetchType.EAGER)
- @CollectionTable(
- joinColumns=@JoinColumn(name="owner_id"),
- name="scope"
- )
- public Set getScope() {
- return scope;
- }
-
- /**
- * @param scope the scope to set
- */
- public void setScope(Set scope) {
- this.scope = scope;
- }
-
 /**
 * Get the JWT object directly
 * @return the jwt
diff --git a/openid-connect-server/db/tables/database_tables.sql b/openid-connect-server/db/tables/database_tables.sql
index 26845a788..32799c4a6 100644
--- a/openid-connect-server/db/tables/database_tables.sql
+++ b/openid-connect-server/db/tables/database_tables.sql
@@ -131,7 +131,12 @@ CREATE TABLE resource_id (
 resource_id VARCHAR(256)
 );
-CREATE TABLE scope (
+CREATE TABLE client_scope (
+ owner_id VARCHAR(4096),
+ scope VARCHAR(2048)
+);
+
+CREATE TABLE token_scope (
 owner_id VARCHAR(4096),
 scope VARCHAR(2048)
 );
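Review bot: The new `client_scope` and `token_scope` tables keep `owner_id VARCHAR(4096)`, while the previous commit changed every other `owner_id` join column in this file to `BIGINT`, and both owning entities join on a `Long` id (`@JoinColumn(name="owner_id")` in the `ClientDetailsEntity` hunk on the previous line and the `OAuth2AccessTokenEntity` hunk at the top of this one). Storing the key as text means each join compares with an implicit conversion, which is slow and on some engines defeats an index; `owner_id BIGINT,` in both new tables matches the rest of the schema. The removed `OAuth2RefreshTokenEntity.getScope()` mapping in the middle hunk of this line drops the refresh token's own scope rows entirely; since this file is a create script rather than a migration, an existing deployment would need a separate migration for the renamed table, which the patch does not include.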
diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
index bd167aa67..0cebd577b 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
@@ -111,12 +111,6 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 Date expiration = new Date(System.currentTimeMillis() + (client.getRefreshTokenValiditySeconds() * 1000L));
 refreshToken.setExpiration(expiration);
 }
-
- // save our scopes so that we can reuse them later for more auth tokens
- // TODO: save the auth instead of the just the scope?
- if (client.isScoped()) {
- refreshToken.setScope(token.getScope());
- }
 //Add the authentication
 refreshToken.setAuthenticationHolder(authHolder);
@@ -173,20 +167,22 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 OAuth2AccessTokenEntity token = new OAuth2AccessTokenEntity();
+ // get the stored scopes from the authentication holder's authorization request; these are the scopes associated with the refresh token
+ Set refreshScopes = refreshToken.getAuthenticationHolder().getAuthentication().getAuthorizationRequest().getScope();
 if (scope != null && !scope.isEmpty()) {
- // ensure a proper subset of scopes
- if (refreshToken.getScope() != null && refreshToken.getScope().containsAll(scope)) {
+ // ensure a proper subset of scopes
+ if (refreshScopes != null && refreshScopes.containsAll(scope)) {
 // set the scope of the new access token if requested
 token.setScope(scope);
 } else {
 // up-scoping is not allowed
 // (TODO: should this throw InvalidScopeException? For now just pass through)
- token.setScope(refreshToken.getScope());
+ token.setScope(refreshScopes);
 }
 } else {
 // otherwise inherit the scope of the refresh token (if it's there -- this can return a null scope set)
- token.setScope(refreshToken.getScope());
+ token.setScope(refreshScopes);
 }
 token.setClient(client);
From 74a40fc97321f74795f1ade0fef01357f801d21a Mon Sep 17 00:00:00 2001
From: Justin Richer
Date: Fri, 10 Aug 2012 13:44:31 -0400
Subject: [PATCH 4/5] changed auth holder reference, moved dates to timestamps
---
 .../org/mitre/oauth2/model/OAuth2RefreshTokenEntity.java | 2 +-
 openid-connect-server/db/tables/database_tables.sql | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2RefreshTokenEntity.java b/openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2RefreshTokenEntity.java
index 0187445d0..4813bcabf 100644
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2RefreshTokenEntity.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2RefreshTokenEntity.java
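Review bot: The null check in `if (refreshScopes != null && ...)` only guards the last link of the new chain `refreshToken.getAuthenticationHolder().getAuthentication().getAuthorizationRequest().getScope()`; the old code null-checked `refreshToken.getScope()` directly, but now a refresh token whose holder, stored authentication or authorization request is absent (for instance a row written before `refresh_token.auth_holder_id` was added in the previous commit) fails with a `NullPointerException` inside the token endpoint instead of an OAuth error. The scope source has also changed meaning: the removed code in the previous line's hunk stored `token.getScope()`, the scope actually issued, whereas `getAuthorizationRequest().getScope()` is the scope that was requested; if those two can differ in this server (a user approving fewer scopes than requested), the refresh grant would now re-issue the wider set, so that assumption is worth confirming before merging. Resolving the holder once and failing closed with spring-security-oauth2's `InvalidTokenException` when the stored authentication is missing keeps the failure at the OAuth layer, as sketched below; the exception message deliberately does not include the token value. The enclosing method starts and ends outside the hunk.
```java
OAuth2AccessTokenEntity token = new OAuth2AccessTokenEntity();
// resolve the scope set the refresh token was issued under, failing closed if the stored authentication is missing
AuthenticationHolder holder = refreshToken.getAuthenticationHolder();
if (holder == null || holder.getAuthentication() == null
        || holder.getAuthentication().getAuthorizationRequest() == null) {
    throw new InvalidTokenException("refresh token has no stored authentication");
}
Set<String> refreshScopes = holder.getAuthentication().getAuthorizationRequest().getScope();
// … unchanged: subset check and token.setScope branches …
```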
@@ -100,7 +100,7 @@ public class OAuth2RefreshTokenEntity implements OAuth2RefreshToken {
 * @return the authentication
 */
 @ManyToOne
- @JoinColumn(name = "owner_id")
+ @JoinColumn(name = "auth_holder_id")
 public AuthenticationHolder getAuthenticationHolder() {
 return authenticationHolder;
 }
diff --git a/openid-connect-server/db/tables/database_tables.sql b/openid-connect-server/db/tables/database_tables.sql
index 32799c4a6..ebf1e825d 100644
--- a/openid-connect-server/db/tables/database_tables.sql
+++ b/openid-connect-server/db/tables/database_tables.sql
@@ -28,9 +28,9 @@ CREATE TABLE approved_site (
 id BIGINT AUTO_INCREMENT PRIMARY KEY,
 user_id VARCHAR(4096),
 client_id VARCHAR(4096),
- creation_date DATE,
- access_date DATE,
- timeout_date DATE,
+ creation_date TIMESTAMP,
+ access_date TIMESTAMP,
+ timeout_date TIMESTAMP,
 whitelisted_site_id VARCHAR(256)
 );
From 47ff885032776323afa20f122c6c1647c1f94959 Mon Sep 17 00:00:00 2001
From: Justin Richer
Date: Fri, 10 Aug 2012 14:26:03 -0400
Subject: [PATCH 5/5] removed unnecessary cached token values
---
 .../org/mitre/oauth2/model/OAuth2AccessTokenEntity.java | 8 +-------
 .../org/mitre/oauth2/model/OAuth2RefreshTokenEntity.java | 8 +-------
 2 files changed, 2 insertions(+), 14 deletions(-)
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2AccessTokenEntity.java b/openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2AccessTokenEntity.java
index 67c818060..45c712dc7 100644
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2AccessTokenEntity.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2AccessTokenEntity.java
@@ -73,9 +73,6 @@ public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
 private Jwt jwtValue; // JWT-encoded access token value
- //TODO should not need this
- private String value;
-
 private IdToken idToken; // JWT-encoded OpenID Connect IdToken
 private Date expiration;
@@ -158,8 +155,7 @@ public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
 @Basic
 @Column(name="token_value")
 public String getValue() {
- this.value = jwtValue.toString();
- return value;
+ return jwtValue.toString();
 }
 /**
@@ -169,7 +165,6 @@ public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
 * @throws IllegalArgumentException if "value" is not a properly formatted JWT string
 */
 public void setValue(String value) {
- this.value = value;
 setJwt(Jwt.parse(value));
 }
@@ -281,7 +276,6 @@ public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
 */
 public void setJwt(Jwt jwt) {
 this.jwtValue = jwt;
- this.value = jwt.toString();
 }
 @Override
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2RefreshTokenEntity.java b/openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2RefreshTokenEntity.java
index 4813bcabf..90595f108 100644
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2RefreshTokenEntity.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2RefreshTokenEntity.java
@@ -64,9 +64,6 @@ public class OAuth2RefreshTokenEntity implements OAuth2RefreshToken {
 //JWT-encoded representation of this access token entity
 private Jwt jwt;
- //TOOD: shouldn't need this
- private String value;
-
 // our refresh tokens might expire
 private Date expiration;
@@ -118,8 +115,7 @@ public class OAuth2RefreshTokenEntity implements OAuth2RefreshToken {
 @Basic
 @Column(name="token_value")
 public String getValue() {
- value = jwt.toString();
- return value;
+ return jwt.toString();
 }
 /**
@@ -128,7 +124,6 @@ public class OAuth2RefreshTokenEntity implements OAuth2RefreshToken {
 * @throws IllegalArgumentException if the value is not a valid JWT string
 */
 public void setValue(String value) {
- this.value = value;
 setJwt(Jwt.parse(value));
 }
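Review bot: `getValue()` now returns `jwtValue.toString()` with no guard, and because it is the `@Basic @Column(name="token_value")` property the persistence provider reads when it flushes the entity, a token that has not yet had `setJwt` called fails with a `NullPointerException` from inside the JPA layer rather than from application code; `OAuth2RefreshTokenEntity.getValue()` in the lower hunk of this line has the same shape with `jwt`. The removed `value` cache masked nothing (the old getter also dereferenced `jwtValue`), but now that the string is rebuilt on every call, `Jwt.toString()` must presumably be stable for the same object or the provider's dirty check will see a spurious change and rewrite the row. A one-line guard, `return jwtValue == null ? null : jwtValue.toString();` (and `jwt` in the refresh token), lets the unset state persist as NULL instead of crashing, or throw `IllegalStateException` if a token without a JWT must never reach the database. The `@throws IllegalArgumentException` Javadoc on `setValue` is unchanged and still matches what `Jwt.parse` is documented to do.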
@@ -185,7 +180,6 @@ public class OAuth2RefreshTokenEntity implements OAuth2RefreshToken {
 */
 public void setJwt(Jwt jwt) {
 this.jwt = jwt;
- this.value = jwt.toString();
 }
 }