From a38dc0ce29ad94a1d717d105c9d755d35d21430d Mon Sep 17 00:00:00 2001
From: Justin Richer <jricher@mitre.org>
Date: Tue, 19 Jun 2012 16:24:50 -0400
Subject: [PATCH 1/3] added crypto configuration file

---
 openid-connect-server/.springBeans            |  1 +
 .../main/webapp/WEB-INF/spring-servlet.xml    | 27 +------------------
 2 files changed, 2 insertions(+), 26 deletions(-)

diff --git a/openid-connect-server/.springBeans b/openid-connect-server/.springBeans
index d54509e13..3a424e222 100644
--- a/openid-connect-server/.springBeans
+++ b/openid-connect-server/.springBeans
@@ -11,6 +11,7 @@
 		<config>src/main/webapp/WEB-INF/server-config.xml</config>
 		<config>src/main/webapp/WEB-INF/local-config.xml</config>
 		<config>src/main/webapp/WEB-INF/data-context.xml</config>
+		<config>src/main/webapp/WEB-INF/crypto-config.xml</config>
 	</configs>
 	<configSets>
 	</configSets>
diff --git a/openid-connect-server/src/main/webapp/WEB-INF/spring-servlet.xml b/openid-connect-server/src/main/webapp/WEB-INF/spring-servlet.xml
index b2963f76b..f47359107 100644
--- a/openid-connect-server/src/main/webapp/WEB-INF/spring-servlet.xml
+++ b/openid-connect-server/src/main/webapp/WEB-INF/spring-servlet.xml
@@ -133,32 +133,7 @@
 
 	<!-- Crypto -->
 
-	<bean id="defaultKeystore" class="org.mitre.jwt.signer.service.impl.KeyStore">
-		<constructor-arg name="location" value="classpath:keystore.jks" />
-		<constructor-arg name="password" value="changeit" />
-	</bean>
-
-	<bean id="defaultsignerService"
-		class="org.mitre.jwt.signer.service.impl.JwtSigningAndValidationServiceDefault">
-		<property name="signers">
-			<map>
-				<entry key="rsa1">
-					<bean id="rsaSigner" class="org.mitre.jwt.signer.impl.RsaSigner">
-						<property name="algorithm" value="RS256" />
-						<property name="keystore" ref="defaultKeystore" />
-						<property name="alias" value="rsa" />
-						<property name="password" value="changeit" />
-					</bean>
-				</entry>
-				<entry key="hmac1">
-					<bean id="hmacSigner" class="org.mitre.jwt.signer.impl.HmacSigner">
-						<property name="algorithm" value="HS256" />
-						<property name="passphrase" value="changeit" />
-					</bean>
-				</entry>
-			</map>
-		</property>
-	</bean>
+	<import resource="crypto-config.xml" />
 
 	<!-- End Crypto -->
 

From 94256d95a10c7e0b30fe5dc2a88aa966bb576cb8 Mon Sep 17 00:00:00 2001
From: Justin Richer <jricher@mitre.org>
Date: Tue, 19 Jun 2012 16:25:13 -0400
Subject: [PATCH 2/3] added crypto configuration file

---
 .../src/main/webapp/WEB-INF/crypto-config.xml | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 openid-connect-server/src/main/webapp/WEB-INF/crypto-config.xml

diff --git a/openid-connect-server/src/main/webapp/WEB-INF/crypto-config.xml b/openid-connect-server/src/main/webapp/WEB-INF/crypto-config.xml
new file mode 100644
index 000000000..5b77a3eef
--- /dev/null
+++ b/openid-connect-server/src/main/webapp/WEB-INF/crypto-config.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<bean id="defaultKeystore" class="org.mitre.jwt.signer.service.impl.KeyStore">
+		<constructor-arg name="location" value="classpath:keystore.jks" />
+		<constructor-arg name="password" value="changeit" />
+	</bean>
+
+	<bean id="defaultsignerService"
+		class="org.mitre.jwt.signer.service.impl.JwtSigningAndValidationServiceDefault">
+		<property name="signers">
+			<map>
+				<entry key="rsa1">
+					<bean id="rsaSigner" class="org.mitre.jwt.signer.impl.RsaSigner">
+						<property name="algorithm" value="RS256" />
+						<property name="keystore" ref="defaultKeystore" />
+						<property name="alias" value="rsa" />
+						<property name="password" value="changeit" />
+					</bean>
+				</entry>
+				<entry key="hmac1">
+					<bean id="hmacSigner" class="org.mitre.jwt.signer.impl.HmacSigner">
+						<property name="algorithm" value="HS256" />
+						<property name="passphrase" value="changeit" />
+					</bean>
+				</entry>
+			</map>
+		</property>
+	</bean>
+
+</beans>

From 488f01cada683efe60f61e78d5bf3df652305035 Mon Sep 17 00:00:00 2001
From: nemonik <github.com@nemonik.com>
Date: Tue, 19 Jun 2012 18:14:51 -0400
Subject: [PATCH 3/3] existence of nonce claim check added

---
 .../client/AbstractOIDCAuthenticationFilter.java     | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/AbstractOIDCAuthenticationFilter.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/AbstractOIDCAuthenticationFilter.java
index bd017a9f3..e91ea9cb8 100644
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/AbstractOIDCAuthenticationFilter.java
+++ b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/AbstractOIDCAuthenticationFilter.java
@@ -522,8 +522,18 @@ public class AbstractOIDCAuthenticationFilter extends
 			// Read the paragraph describing "nonce". Required w/ implicit flow.
 			//
 			
-			String nonce = idToken.getClaims().getNonce();
+			//String nonce = idToken.getClaims().getClaimAsString("nonce");
 
+			String nonce = idToken.getClaims().getNonce();
+			
+			if (StringUtils.isBlank(nonce)) {
+				
+				logger.error("ID token did not contain a nonce claim.");
+
+				throw new AuthenticationServiceException(
+						"ID token did not contain a nonce claim.");
+			}
+			
 			Cookie nonceSignatureCookie = WebUtils.getCookie(request,
 					NONCE_SIGNATURE_COOKIE_NAME);