diff --git a/openid-connect-common/.classpath b/openid-connect-common/.classpath
index 74d8d97f5..1b28ee5d7 100644
--- a/openid-connect-common/.classpath
+++ b/openid-connect-common/.classpath
@@ -1,18 +1,11 @@
-
-
-
+
-
-
-
-
-
diff --git a/openid-connect-server/src/main/java/org/mitre/jwt/signer/AbstractJwtSigner.java b/openid-connect-server/src/main/java/org/mitre/jwt/signer/AbstractJwtSigner.java
index 963622f87..7c69ced7f 100644
--- a/openid-connect-server/src/main/java/org/mitre/jwt/signer/AbstractJwtSigner.java
+++ b/openid-connect-server/src/main/java/org/mitre/jwt/signer/AbstractJwtSigner.java
@@ -33,9 +33,13 @@ public abstract class AbstractJwtSigner implements JwtSigner {
/**
* Ensures that the 'alg' of the given JWT matches the {@link #algorithm} of this signer
+ * and signs the jwt.
+ *
+ * @param jwt the jwt to sign
+ * @return the signed jwt
*/
@Override
- public void sign(Jwt jwt) {
+ public Jwt sign(Jwt jwt) {
if (!Objects.equal(algorithm, jwt.getHeader().getAlgorithm())) {
// algorithm type doesn't match
// TODO: should this be an error or should we just fix it in the incoming jwt?
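Review bot: The new Javadoc says the method "ensures" the 'alg' header matches this signer's algorithm, but the TODO two lines below says mismatch handling is still undecided and the branch that handles it lies outside this hunk, so a caller cannot tell from the doc whether a jwt with a different 'alg' is rejected or quietly re-signed under this signer's algorithm. Whichever it is, state it: either `@throws IllegalArgumentException if the jwt's 'alg' header does not match {@link #algorithm}` or a sentence saying the header is overwritten before signing. The second hunk of this file shows the passed instance being mutated through `setSignature` and then returned, so `@return the signed jwt` would be more precise as `@return the same jwt instance, with its signature set`. The body of `sign` continues past the end of this hunk.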
@@ -45,7 +49,9 @@ public abstract class AbstractJwtSigner implements JwtSigner {
String sig = generateSignature(jwt.getSignatureBase());
- jwt.setSignature(sig);
+ jwt.setSignature(sig);
+
+ return jwt;
}
/* (non-Javadoc)
diff --git a/openid-connect-server/src/main/java/org/mitre/jwt/signer/JwtSigner.java b/openid-connect-server/src/main/java/org/mitre/jwt/signer/JwtSigner.java
index 53307d3db..1ab37ef6b 100644
--- a/openid-connect-server/src/main/java/org/mitre/jwt/signer/JwtSigner.java
+++ b/openid-connect-server/src/main/java/org/mitre/jwt/signer/JwtSigner.java
@@ -4,7 +4,7 @@ import org.mitre.jwt.model.Jwt;
public interface JwtSigner {
- public void sign(Jwt jwt);
+ public Jwt sign(Jwt jwt);
public boolean verify(String jwtString);
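Review bot: The changed `Jwt sign(Jwt jwt)` declaration carries no Javadoc, so the contract that AbstractJwtSigner documents in this same commit (the jwt is signed and handed back) lives only in one implementation rather than on the interface callers program against. Put it here, e.g. `/** Signs the given jwt with this signer's algorithm and returns it. Implementations in this commit sign in place and return the same instance. */`, and say whether a jwt whose header 'alg' differs from the signer's is an error, since the abstract implementation's TODO leaves that open.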
diff --git a/openid-connect-server/src/main/java/org/mitre/jwt/signer/service/JwtSigningAndValidationService.java b/openid-connect-server/src/main/java/org/mitre/jwt/signer/service/JwtSigningAndValidationService.java
index cb0bb8f1e..624327f41 100644
--- a/openid-connect-server/src/main/java/org/mitre/jwt/signer/service/JwtSigningAndValidationService.java
+++ b/openid-connect-server/src/main/java/org/mitre/jwt/signer/service/JwtSigningAndValidationService.java
@@ -45,4 +45,28 @@ public interface JwtSigningAndValidationService {
* @return true if the signature is valid, false if not
*/
public boolean validateSignature(String jwtString);
+
+ /**
+ * Called to sign a jwt for a client that hasn't registered a preferred signing algorithm.
+ * Use the default algorithm to sign.
+ *
+ * @param jwt the jwt to sign
+ * @return the signed jwt
+ */
+ public Jwt signJwt(Jwt jwt);
+
+ /**
+ * Sign a jwt using the selected algorithm. The algorithm is selected using the String parameter values specified
+ * in the JWT spec, section 6. I.E., "HS256" means HMAC with SHA-256 and corresponds to our HmacSigner class.
+ *
+ * @param jwt the jwt to sign
+ * @param alg the name of the algorithm to use, as specified in JWS s.6
+ * @return the signed jwt
+ */
+ //TODO: implement later; only need signJwt(Jwt jwt) for now
+ //public Jwt signJwt(Jwt jwt, String alg);
+
+ /**
+ * TODO: method to sign a jwt using a specified algorithm and a key id
+ */
}
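Review bot: The second `/** ... */` block documents a declaration that is commented out, so the javadoc tool attaches it to nothing and readers see `@param alg` for a method that does not exist; the trailing `/** TODO: method to sign a jwt using a specified algorithm and a key id */` is likewise a doc comment attached to nothing. Keep the intent as ordinary line comments, e.g. `// TODO: signJwt(Jwt jwt, String alg) - select the signer by its JWS alg name (section 6)` and `// TODO: signJwt(Jwt jwt, String alg, String keyId)`, and drop the commented-out declaration. The Javadoc on `signJwt(Jwt)` could also say what the method returns when no default signer is configured, since the default implementation added in this commit does not yet produce a signed token.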
diff --git a/openid-connect-server/src/main/java/org/mitre/jwt/signer/service/impl/JwtSigningAndValidationServiceDefault.java b/openid-connect-server/src/main/java/org/mitre/jwt/signer/service/impl/JwtSigningAndValidationServiceDefault.java
index 4168a8f00..782b247d5 100644
--- a/openid-connect-server/src/main/java/org/mitre/jwt/signer/service/impl/JwtSigningAndValidationServiceDefault.java
+++ b/openid-connect-server/src/main/java/org/mitre/jwt/signer/service/impl/JwtSigningAndValidationServiceDefault.java
@@ -15,11 +15,15 @@ import org.mitre.jwt.signer.JwtSigner;
import org.mitre.jwt.signer.impl.EcdsaSigner;
import org.mitre.jwt.signer.impl.RsaSigner;
import org.mitre.jwt.signer.service.JwtSigningAndValidationService;
+import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
import org.springframework.beans.factory.InitializingBean;
+import org.springframework.beans.factory.annotation.Autowired;
public class JwtSigningAndValidationServiceDefault implements
JwtSigningAndValidationService, InitializingBean {
+ @Autowired
+ private ConfigurationPropertiesBean configBean;
private List extends JwtSigner> signers = new ArrayList();
@@ -153,7 +157,9 @@ public class JwtSigningAndValidationServiceDefault implements
@Override
public boolean validateIssuedJwt(Jwt jwt, String expectedIssuer) {
- if (jwt.getClaims().getIssuer() == expectedIssuer)
+ String iss = jwt.getClaims().getIssuer();
+
+ if (iss.equals(expectedIssuer))
return true;
return false;
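Review bot: `iss.equals(expectedIssuer)` dereferences the claim value, so a token whose claims carry no issuer now makes this check throw NullPointerException instead of returning false, where the old reference comparison at least failed closed on null. Lead with the side the caller controls and collapse the if/return pair: `String iss = jwt.getClaims().getIssuer();` then `return expectedIssuer != null && expectedIssuer.equals(iss);`. A malformed or foreign token should come back as an invalid-issuer result, not as an unhandled exception from the validation service.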
@@ -176,4 +182,29 @@ public class JwtSigningAndValidationServiceDefault implements
return false;
}
+
+ @Override
+ public Jwt signJwt(Jwt jwt) {
+ String signerId = configBean.getDefaultJwtSigner();
+
+ //JwtSigner signer = map.get(signerId);
+
+ //signer.sign(jwt);
+
+ return null;
+ }
+
+ /**
+ * @return the configBean
+ */
+ public ConfigurationPropertiesBean getConfigBean() {
+ return configBean;
+ }
+
+ /**
+ * @param configBean the configBean to set
+ */
+ public void setConfigBean(ConfigurationPropertiesBean configBean) {
+ this.configBean = configBean;
+ }
}
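Review bot: `signJwt` reads the configured signer id and then returns `null`, so any caller that assigns the result back over its token (the commented-out `idToken = (IdToken) jwtService.signJwt(idToken)` in ConnectAuthCodeTokenGranter) would silently lose the token rather than fail; `signerId` is also assigned and never read. Until the lookup is wired in, fail loudly: `throw new UnsupportedOperationException("signJwt: default signer lookup not implemented");`. The commented-out `map.get(signerId)` refers to a `map` that the visible code does not declare — the class holds a `signers` list — so that sketch needs a lookup keyed by signer id before it can be uncommented.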
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/config/ConfigurationPropertiesBean.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/config/ConfigurationPropertiesBean.java
new file mode 100644
index 000000000..2fb276e4a
--- /dev/null
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/config/ConfigurationPropertiesBean.java
@@ -0,0 +1,45 @@
+package org.mitre.openid.connect.config;
+
+
+/**
+ * Bean to hold configuration information that must be injected into various parts
+ * of our application. Set all of the properties here, and autowire a reference
+ * to this bean if you need access to any configuration properties.
+ *
+ * @author AANGANES
+ *
+ */
+public class ConfigurationPropertiesBean {
+
+ private String issuer;
+
+ private String defaultJwtSigner;
+
+ public ConfigurationPropertiesBean() {
+ }
+
+ /**
+ * @return the defaultJwtSigner
+ */
+ public String getDefaultJwtSigner() {
+ return defaultJwtSigner;
+ }
+
+ public void setDefaultJwtSigner(String signer) {
+ defaultJwtSigner = signer;
+ }
+
+ /**
+ * @return the baseUrl
+ */
+ public String getIssuer() {
+ return issuer;
+ }
+
+ /**
+ * @param iss the issuer to set
+ */
+ public void setIssuer(String iss) {
+ issuer = iss;
+ }
+}
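Review bot: The Javadoc on `getIssuer` says `@return the baseUrl`, which reads as copied from elsewhere and should be `@return the issuer`; `setDefaultJwtSigner` is the only accessor with no doc at all, e.g. `@param signer the id of the JwtSigner used when a client has no preferred algorithm`. Both values feed security decisions in this commit — the issuer is written into every issued token and compared against incoming id tokens in `validateIssuedJwt`, and `defaultJwtSigner` selects which signer signs — so the class Javadoc should say these properties are required and that the bean itself does not validate them (the setters accept null, and nothing in this file checks that they were set).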
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectAuthCodeTokenGranter.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectAuthCodeTokenGranter.java
index 15adc4f4c..fe4b11073 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectAuthCodeTokenGranter.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectAuthCodeTokenGranter.java
@@ -7,9 +7,11 @@ import java.util.Date;
import java.util.Map;
import java.util.Set;
+import org.mitre.jwt.signer.service.JwtSigningAndValidationService;
import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
import org.mitre.oauth2.service.OAuth2TokenEntityService;
import org.mitre.oauth2.service.impl.DefaultOAuth2ProviderTokenService;
+import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
import org.mitre.openid.connect.model.IdToken;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
@@ -48,7 +50,8 @@ public class ConnectAuthCodeTokenGranter implements TokenGranter {
@Autowired
private ClientCredentialsChecker clientCredentialsChecker;
- private String issuer;
+ @Autowired
+ private ConfigurationPropertiesBean configBean;
//TODO: Do we need to modify/update this?
@Autowired
@@ -57,6 +60,9 @@ public class ConnectAuthCodeTokenGranter implements TokenGranter {
@Autowired
private IdTokenGeneratorService idTokenService;
+ @Autowired
+ private JwtSigningAndValidationService jwtService;
+
/**
* Default empty constructor
*/
@@ -141,7 +147,7 @@ public class ConnectAuthCodeTokenGranter implements TokenGranter {
//TODO: need to get base url, but Utility.findBaseUrl() needs access to a request object, which we don't have
//See github issue #1
- token.getJwt().getClaims().setIssuer(issuer);
+ token.getJwt().getClaims().setIssuer(configBean.getIssuer());
token.getJwt().getClaims().setIssuedAt(new Date());
// handle expiration
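Review bot: The TODO on the two context lines above `setIssuer(configBean.getIssuer())` ("need to get base url ... See github issue #1") is now stale, since the issuer comes from configuration rather than from a request; the next hunk deletes the same TODO, so delete it here as well. Worth confirming that `configBean.getIssuer()` is actually populated in the Spring context, because a null issuer would be written into every access token's claims without any error here.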
@@ -155,17 +161,23 @@ public class ConnectAuthCodeTokenGranter implements TokenGranter {
if (authorizationRequest.getScope().contains("openid")) {
String userId = userAuth.getName();
-
- //TODO: need to get base url, but Utility.findBaseUrl() needs access to a request object, which we don't have
- //See github issue #1
- IdToken idToken = idTokenService.generateIdToken(userId, issuer);
+
+ IdToken idToken = idTokenService.generateIdToken(userId, configBean.getIssuer());
idToken.getClaims().setAudience(clientId);
idToken.getClaims().setIssuedAt(new Date());
+ idToken.getClaims().setIssuer(configBean.getIssuer());
// TODO: expiration? other fields?
+ //Sign
+
+ //TODO: check client to see if they have a preferred alg, attempt to use that
+
+ //TODO: uncomment line below once RsaSigner bean has been set up and added to the configBean
+ //idToken = (IdToken) jwtService.signJwt(idToken);
+
token.setIdToken(idToken);
}
-
+
tokenServices.saveAccessToken(token);
return token;
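Review bot: The id token is attached and persisted via `token.setIdToken(idToken)` and `tokenServices.saveAccessToken(token)` while the only signing step is commented out, so every `openid` grant currently issues an unsigned id_token; if that is intentional for now, the `//Sign` TODO should say so explicitly so it is not mistaken for a finished path. When the signing line is restored, the `(IdToken)` cast depends on `signJwt` returning the same instance it was given — AbstractJwtSigner does, but the JwtSigningAndValidationService contract does not say so, and the default implementation in this commit returns null, which would make the cast yield a null id token. Guard it: `Jwt signed = jwtService.signJwt(idToken); if (signed == null) throw new IllegalStateException("id token signing failed");` before the cast. `setIssuer(configBean.getIssuer())` also re-applies the same issuer just passed to `generateIdToken`; if the generator already sets it, the second call is redundant (the generator is outside this diff).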
@@ -207,18 +219,28 @@ public class ConnectAuthCodeTokenGranter implements TokenGranter {
this.tokenServices = tokenServices;
}
- /**
- * @return the issuer
- */
- public String getIssuer() {
- return issuer;
- }
+ public ConfigurationPropertiesBean getConfigBean() {
+ return configBean;
+ }
- /**
- * @param issuer the issuer to set
- */
- public void setIssuer(String issuer) {
- this.issuer = issuer;
- }
+ public void setConfigBean(ConfigurationPropertiesBean configBean) {
+ this.configBean = configBean;
+ }
+
+ public IdTokenGeneratorService getIdTokenService() {
+ return idTokenService;
+ }
+
+ public void setIdTokenService(IdTokenGeneratorService idTokenService) {
+ this.idTokenService = idTokenService;
+ }
+
+ public JwtSigningAndValidationService getJwtService() {
+ return jwtService;
+ }
+
+ public void setJwtService(JwtSigningAndValidationService jwtService) {
+ this.jwtService = jwtService;
+ }
}
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/CheckIDEndpoint.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/CheckIDEndpoint.java
index 15859f91f..6ba3f4600 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/CheckIDEndpoint.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/CheckIDEndpoint.java
@@ -3,6 +3,7 @@ package org.mitre.openid.connect.web;
import javax.servlet.http.HttpServletRequest;
import org.mitre.jwt.signer.service.JwtSigningAndValidationService;
+import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
import org.mitre.openid.connect.exception.ExpiredTokenException;
import org.mitre.openid.connect.exception.InvalidJwtIssuerException;
import org.mitre.openid.connect.exception.InvalidJwtSignatureException;
@@ -20,6 +21,9 @@ public class CheckIDEndpoint {
@Autowired
JwtSigningAndValidationService jwtSignerService;
+ @Autowired
+ private ConfigurationPropertiesBean configBean;
+
@RequestMapping("/checkid")
public ModelAndView checkID(@RequestParam("id_token") String tokenString, ModelAndView mav, HttpServletRequest request) {
@@ -38,11 +42,27 @@ public class CheckIDEndpoint {
}
// check the issuer (sanity check)
- if (!jwtSignerService.validateIssuedJwt(token, Utility.findBaseUrl(request))) {
+ if (!jwtSignerService.validateIssuedJwt(token, configBean.getIssuer())) {
throw new InvalidJwtIssuerException(); // TODO: create a view for this exception
}
return new ModelAndView("jsonIdTokenView", "checkId", token); // TODO: create a view for this
}
+
+ public JwtSigningAndValidationService getJwtSignerService() {
+ return jwtSignerService;
+ }
+
+ public void setJwtSignerService(JwtSigningAndValidationService jwtSignerService) {
+ this.jwtSignerService = jwtSignerService;
+ }
+
+ public ConfigurationPropertiesBean getConfigBean() {
+ return configBean;
+ }
+
+ public void setConfigBean(ConfigurationPropertiesBean configBean) {
+ this.configBean = configBean;
+ }
}
diff --git a/openid-connect-server/src/main/webapp/WEB-INF/spring/appServlet/servlet-context.xml b/openid-connect-server/src/main/webapp/WEB-INF/spring/appServlet/servlet-context.xml
index 9082ee533..663d2fef9 100644
--- a/openid-connect-server/src/main/webapp/WEB-INF/spring/appServlet/servlet-context.xml
+++ b/openid-connect-server/src/main/webapp/WEB-INF/spring/appServlet/servlet-context.xml
@@ -41,8 +41,8 @@
-
-
+
+
@@ -53,8 +53,5 @@
-
-
-
-
+
diff --git a/openid-connect-server/src/main/webapp/WEB-INF/spring/application-context.xml b/openid-connect-server/src/main/webapp/WEB-INF/spring/application-context.xml
index 95e027b4a..3cdc1a74e 100644
--- a/openid-connect-server/src/main/webapp/WEB-INF/spring/application-context.xml
+++ b/openid-connect-server/src/main/webapp/WEB-INF/spring/application-context.xml
@@ -80,6 +80,16 @@
+
+
+
+
+
+
+
+
+
+