added ROLE_CLIENT to assertion client authentication, cleaned up roles on client secret authentication, closes #728, closes #401

pull/730/head
Justin Richer 2014-11-12 16:03:06 -10:00
parent 34afe21e8a
commit d87bdb2120
2 changed files with 17 additions and 10 deletions


@ -18,8 +18,8 @@ package org.mitre.oauth2.service.impl;
import java.math.BigInteger; import java.math.BigInteger;
import java.security.SecureRandom; import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Collection; import java.util.Collection;
import java.util.HashSet;
import org.mitre.oauth2.model.ClientDetailsEntity; import org.mitre.oauth2.model.ClientDetailsEntity;
import org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod; import org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod;
@ -44,6 +44,8 @@ import com.google.common.base.Strings;
@Service("clientUserDetailsService") @Service("clientUserDetailsService")
public class DefaultClientUserDetailsService implements UserDetailsService { public class DefaultClientUserDetailsService implements UserDetailsService {
private static GrantedAuthority ROLE_CLIENT = new SimpleGrantedAuthority("ROLE_CLIENT");
@Autowired @Autowired
private ClientDetailsEntityService clientDetailsService; private ClientDetailsEntityService clientDetailsService;
@ -70,14 +72,8 @@ public class DefaultClientUserDetailsService implements UserDetailsService {
boolean accountNonExpired = true; boolean accountNonExpired = true;
boolean credentialsNonExpired = true; boolean credentialsNonExpired = true;
boolean accountNonLocked = true; boolean accountNonLocked = true;
Collection<GrantedAuthority> authorities = client.getAuthorities(); Collection<GrantedAuthority> authorities = new HashSet<GrantedAuthority>(client.getAuthorities());
if (authorities == null || authorities.isEmpty()) { authorities.add(ROLE_CLIENT);
// automatically inject ROLE_CLIENT if none exists ...
// TODO: this should probably happen on the client service side instead to keep it in the real data model
authorities = new ArrayList<GrantedAuthority>();
GrantedAuthority roleClient = new SimpleGrantedAuthority("ROLE_CLIENT");
authorities.add(roleClient);
}
return new User(clientId, password, enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, authorities); return new User(clientId, password, enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, authorities);
} else { } else {
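Review bot: The copy `new HashSet<GrantedAuthority>(client.getAuthorities())` throws a NullPointerException when `getAuthorities()` returns null, a case the removed `authorities == null || authorities.isEmpty()` branch handled explicitly, and the JwtBearerAuthenticationProvider hunk in this commit has the same gap. If ClientDetailsEntity can still hand back a null collection, build the set first and copy conditionally: `Collection<GrantedAuthority> authorities = new HashSet<GrantedAuthority>();` then `if (client.getAuthorities() != null) { authorities.addAll(client.getAuthorities()); }` before the existing `authorities.add(ROLE_CLIENT);`. Separately, the new field is declared `private static GrantedAuthority ROLE_CLIENT` without `final`, unlike the matching constant in JwtBearerAuthenticationProvider; a reassignable static that feeds granted authorities should be `private static final GrantedAuthority ROLE_CLIENT = new SimpleGrantedAuthority("ROLE_CLIENT");`. The enclosing method starts and ends outside the hunk.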


@ -21,6 +21,8 @@ package org.mitre.openid.connect.assertion;
import java.text.ParseException; import java.text.ParseException;
import java.util.Date; import java.util.Date;
import java.util.HashSet;
import java.util.Set;
import org.mitre.jwt.signer.service.JwtSigningAndValidationService; import org.mitre.jwt.signer.service.JwtSigningAndValidationService;
import org.mitre.jwt.signer.service.impl.JWKSetCacheService; import org.mitre.jwt.signer.service.impl.JWKSetCacheService;
@ -36,6 +38,8 @@ import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.AuthenticationServiceException; import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.oauth2.common.exceptions.InvalidClientException; import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
@ -52,6 +56,8 @@ public class JwtBearerAuthenticationProvider implements AuthenticationProvider {
private static final Logger logger = LoggerFactory.getLogger(JwtBearerAuthenticationProvider.class); private static final Logger logger = LoggerFactory.getLogger(JwtBearerAuthenticationProvider.class);
private static final GrantedAuthority ROLE_CLIENT = new SimpleGrantedAuthority("ROLE_CLIENT");
// map of verifiers, load keys for clients // map of verifiers, load keys for clients
@Autowired @Autowired
private JWKSetCacheService validators; private JWKSetCacheService validators;
@ -182,7 +188,12 @@ public class JwtBearerAuthenticationProvider implements AuthenticationProvider {
} }
// IFF we managed to get all the way down here, the token is valid // IFF we managed to get all the way down here, the token is valid
return new JwtBearerAssertionAuthenticationToken(client.getClientId(), jwt, client.getAuthorities());
// add in the ROLE_CLIENT authority
Set<GrantedAuthority> authorities = new HashSet<>(client.getAuthorities());
authorities.add(ROLE_CLIENT);
return new JwtBearerAssertionAuthenticationToken(client.getClientId(), jwt, authorities);
} catch (InvalidClientException e) { } catch (InvalidClientException e) {
throw new UsernameNotFoundException("Could not find client: " + jwtAuth.getClientId()); throw new UsernameNotFoundException("Could not find client: " + jwtAuth.getClientId());
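Review bot: The ROLE_CLIENT injection is now written twice, here and in DefaultClientUserDetailsService, with a separately declared constant and the same copy-then-add sequence, so the roles granted to an assertion-authenticated client and a secret-authenticated client can drift if only one site is edited later; the TODO dropped from the other file pointed at centralizing this on the client service side, and a single shared helper that returns the augmented authority set would keep both paths identical. The comment on the new lines should also say why the role is added rather than just what is done, e.g. `// add ROLE_CLIENT so assertion-authenticated clients carry the same baseline role as secret-authenticated ones (#728, #401)`. The enclosing method starts and ends outside the hunk.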