login hints now handled in a slightly smarter (and more pluggable) manner, closes #851

openid-connect-common/src/main/java/org/mitre/openid/connect/service/LoginHintExtracter.java

@@ -0,0 +1,32 @@
+/*******************************************************************************
+ * Copyright 2015 The MITRE Corporation
+ *   and the MIT Kerberos and Internet Trust Consortium
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *******************************************************************************/
+
+package org.mitre.openid.connect.service;
+
+/**
+ * @author jricher
+ *
+ */
+public interface LoginHintExtracter {
+
+	/**
+	 * @param loginHint
+	 * @return
+	 */
+	public String extractHint(String loginHint);
+
+}

openid-connect-server/src/main/java/org/mitre/openid/connect/filter/AuthorizationRequestFilter.java

@@ -19,6 +19,8 @@
  */
 package org.mitre.openid.connect.filter;
 
+import static org.mitre.openid.connect.request.ConnectRequestParameters.*;
+
 import java.io.IOException;
 import java.net.URISyntaxException;
 import java.util.Date;
@@ -37,6 +39,8 @@ import javax.servlet.http.HttpSession;
 import org.apache.http.client.utils.URIBuilder;
 import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.service.ClientDetailsEntityService;
+import org.mitre.openid.connect.service.LoginHintExtracter;
+import org.mitre.openid.connect.service.impl.RemoveLoginHintsWithHTTP;
 import org.mitre.openid.connect.web.AuthenticationTimeStamper;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -53,16 +57,6 @@ import org.springframework.web.filter.GenericFilterBean;
 import com.google.common.base.Splitter;
 import com.google.common.base.Strings;
 
-import static org.mitre.openid.connect.request.ConnectRequestParameters.ERROR;
-import static org.mitre.openid.connect.request.ConnectRequestParameters.LOGIN_HINT;
-import static org.mitre.openid.connect.request.ConnectRequestParameters.LOGIN_REQUIRED;
-import static org.mitre.openid.connect.request.ConnectRequestParameters.MAX_AGE;
-import static org.mitre.openid.connect.request.ConnectRequestParameters.PROMPT;
-import static org.mitre.openid.connect.request.ConnectRequestParameters.PROMPT_LOGIN;
-import static org.mitre.openid.connect.request.ConnectRequestParameters.PROMPT_NONE;
-import static org.mitre.openid.connect.request.ConnectRequestParameters.PROMPT_SEPARATOR;
-import static org.mitre.openid.connect.request.ConnectRequestParameters.STATE;
-
 /**
  * @author jricher
  *
@@ -87,6 +81,9 @@ public class AuthorizationRequestFilter extends GenericFilterBean {
 	@Autowired
 	private RedirectResolver redirectResolver;
 
+	@Autowired(required = false)
+	private LoginHintExtracter loginHintExtracter = new RemoveLoginHintsWithHTTP();
+
 	/**
 	 * 
 	 */
@@ -115,8 +112,10 @@ public class AuthorizationRequestFilter extends GenericFilterBean {
 			}
 
 			// save the login hint to the session
-			if (authRequest.getExtensions().get(LOGIN_HINT) != null) {
-				session.setAttribute(LOGIN_HINT, authRequest.getExtensions().get(LOGIN_HINT));
+			// but first check to see if the login hint makes any sense
+			String loginHint = loginHintExtracter.extractHint((String) authRequest.getExtensions().get(LOGIN_HINT));
+			if (!Strings.isNullOrEmpty(loginHint)) {
+				session.setAttribute(LOGIN_HINT, loginHint);
 			} else {
 				session.removeAttribute(LOGIN_HINT);
 			}

openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/MatchLoginHintsAgainstUsers.java

@@ -0,0 +1,59 @@
+/*******************************************************************************
+ * Copyright 2015 The MITRE Corporation
+ *   and the MIT Kerberos and Internet Trust Consortium
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *******************************************************************************/
+
+package org.mitre.openid.connect.service.impl;
+
+import org.mitre.openid.connect.model.UserInfo;
+import org.mitre.openid.connect.service.LoginHintExtracter;
+import org.mitre.openid.connect.service.UserInfoService;
+import org.springframework.beans.factory.annotation.Autowired;
+
+import com.google.common.base.Strings;
+
+/**
+ * Checks the login hint against the User Info collection, only populates it if a user is found.
+ * @author jricher
+ *
+ */
+public class MatchLoginHintsAgainstUsers implements LoginHintExtracter {
+
+	@Autowired
+	private UserInfoService userInfoService;
+	
+	/* (non-Javadoc)
+	 * @see org.mitre.openid.connect.service.LoginHintTester#useHint(java.lang.String)
+	 */
+	@Override
+	public String extractHint(String loginHint) {
+		if (Strings.isNullOrEmpty(loginHint)) {
+			return null;
+		} else {
+			UserInfo user = userInfoService.getByEmailAddress(loginHint);
+			if (user == null) {
+				user = userInfoService.getByUsername(loginHint);
+				if (user == null) {
+					return null;
+				} else {
+					return user.getPreferredUsername();
+				}
+			} else {
+				return user.getPreferredUsername();
+			}
+		}
+	}
+
+}

openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/PassAllLoginHints.java

@@ -0,0 +1,38 @@
+/*******************************************************************************
+ * Copyright 2015 The MITRE Corporation
+ *   and the MIT Kerberos and Internet Trust Consortium
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *******************************************************************************/
+
+package org.mitre.openid.connect.service.impl;
+
+import org.mitre.openid.connect.service.LoginHintExtracter;
+
+/**
+ * Sends all login hints through to the login page regardless of setup.
+ * 
+ * @author jricher
+ *
+ */
+public class PassAllLoginHints implements LoginHintExtracter {
+
+	/* (non-Javadoc)
+	 * @see org.mitre.openid.connect.service.LoginHintTester#useHint(java.lang.String)
+	 */
+	@Override
+	public String extractHint(String loginHint) {
+		return loginHint;
+	}
+
+}

openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/RemoveLoginHintsWithHTTP.java

@@ -0,0 +1,48 @@
+/*******************************************************************************
+ * Copyright 2015 The MITRE Corporation
+ *   and the MIT Kerberos and Internet Trust Consortium
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *******************************************************************************/
+
+package org.mitre.openid.connect.service.impl;
+
+import org.mitre.openid.connect.service.LoginHintExtracter;
+
+import com.google.common.base.Strings;
+
+/**
+ * Passes login hints that don't start with "http"
+ * 
+ * @author jricher
+ *
+ */
+public class RemoveLoginHintsWithHTTP implements LoginHintExtracter {
+
+	/* (non-Javadoc)
+	 * @see org.mitre.openid.connect.service.LoginHintTester#useHint(java.lang.String)
+	 */
+	@Override
+	public String extractHint(String loginHint) {
+		if (Strings.isNullOrEmpty(loginHint)) {
+			return null;
+		} else {
+			if (loginHint.startsWith("http")) {
+				return null;
+			} else {
+				return loginHint;
+			}
+		}
+	}
+
+}