Added the state value to the JWT that gets passed as the request object; certain methods from SECOAUTH use this.
parent
3486ea28f1
commit
d93f5f18e5
|
@ -709,7 +709,7 @@ public class AbstractOIDCAuthenticationFilter extends
|
||||||
signers.put(serverConfig.getIssuer() + JwsAlgorithm.RS512.getJwaName(), signer512);
|
signers.put(serverConfig.getIssuer() + JwsAlgorithm.RS512.getJwaName(), signer512);
|
||||||
}
|
}
|
||||||
|
|
||||||
JwtSigningAndValidationService signingAndValidationService = new JwtSigningAndValidationServiceDefault(signers);
|
JwtSigningAndValidationService signingAndValidationService = new JwtSigningAndValidationServiceDefault(signers);
|
||||||
|
|
||||||
validationServices.put(serverConfig, signingAndValidationService);
|
validationServices.put(serverConfig, signingAndValidationService);
|
||||||
|
|
||||||
|
|
|
@ -3,10 +3,11 @@ package org.mitre.openid.connect.server;
|
||||||
import java.io.UnsupportedEncodingException;
|
import java.io.UnsupportedEncodingException;
|
||||||
import java.net.URLEncoder;
|
import java.net.URLEncoder;
|
||||||
import java.security.Principal;
|
import java.security.Principal;
|
||||||
|
import java.util.Arrays;
|
||||||
|
import java.util.Collection;
|
||||||
import java.util.Date;
|
import java.util.Date;
|
||||||
import java.util.HashMap;
|
import java.util.HashSet;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
import java.util.Set;
|
|
||||||
|
|
||||||
import org.mitre.jwt.model.Jwt;
|
import org.mitre.jwt.model.Jwt;
|
||||||
import org.mitre.jwt.model.JwtClaims;
|
import org.mitre.jwt.model.JwtClaims;
|
||||||
|
@ -20,7 +21,6 @@ import org.springframework.security.oauth2.common.exceptions.InvalidGrantExcepti
|
||||||
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
|
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
|
||||||
import org.springframework.security.oauth2.common.exceptions.UnapprovedClientAuthenticationException;
|
import org.springframework.security.oauth2.common.exceptions.UnapprovedClientAuthenticationException;
|
||||||
import org.springframework.security.oauth2.common.exceptions.UnsupportedGrantTypeException;
|
import org.springframework.security.oauth2.common.exceptions.UnsupportedGrantTypeException;
|
||||||
import org.springframework.security.oauth2.common.exceptions.UserDeniedAuthorizationException;
|
|
||||||
import org.springframework.security.oauth2.provider.AuthorizationRequest;
|
import org.springframework.security.oauth2.provider.AuthorizationRequest;
|
||||||
import org.springframework.security.oauth2.provider.ClientDetailsService;
|
import org.springframework.security.oauth2.provider.ClientDetailsService;
|
||||||
import org.springframework.security.oauth2.provider.approval.DefaultUserApprovalHandler;
|
import org.springframework.security.oauth2.provider.approval.DefaultUserApprovalHandler;
|
||||||
|
@ -33,9 +33,7 @@ import org.springframework.security.oauth2.provider.endpoint.DefaultRedirectReso
|
||||||
import org.springframework.security.oauth2.provider.endpoint.RedirectResolver;
|
import org.springframework.security.oauth2.provider.endpoint.RedirectResolver;
|
||||||
import org.springframework.stereotype.Controller;
|
import org.springframework.stereotype.Controller;
|
||||||
import org.springframework.util.ClassUtils;
|
import org.springframework.util.ClassUtils;
|
||||||
import org.springframework.web.bind.annotation.ModelAttribute;
|
|
||||||
import org.springframework.web.bind.annotation.RequestMapping;
|
import org.springframework.web.bind.annotation.RequestMapping;
|
||||||
import org.springframework.web.bind.annotation.RequestMethod;
|
|
||||||
import org.springframework.web.bind.annotation.RequestParam;
|
import org.springframework.web.bind.annotation.RequestParam;
|
||||||
import org.springframework.web.bind.annotation.SessionAttributes;
|
import org.springframework.web.bind.annotation.SessionAttributes;
|
||||||
import org.springframework.web.bind.support.SessionStatus;
|
import org.springframework.web.bind.support.SessionStatus;
|
||||||
|
@ -59,22 +57,20 @@ public class AuthorizationEndpointRequestObject extends AbstractEndpoint impleme
|
||||||
private String userApprovalPage = "forward:/oauth/confirm_access";
|
private String userApprovalPage = "forward:/oauth/confirm_access";
|
||||||
|
|
||||||
@RequestMapping(params = "response_type")
|
@RequestMapping(params = "response_type")
|
||||||
public ModelAndView getRequest(Map<String, Object> model, @RequestParam("request") String jwtString,
|
public ModelAndView authorizeRequestObject(Map<String, Object> model, @RequestParam("request") String jwtString,
|
||||||
@RequestParam Map<String, String> parameters, SessionStatus sessionStatus, Principal principal) {
|
@RequestParam Map<String, String> parameters, SessionStatus sessionStatus, Principal principal) {
|
||||||
|
|
||||||
Jwt jwt = Jwt.parse(jwtString);
|
Jwt jwt = Jwt.parse(jwtString);
|
||||||
JwtClaims claims = jwt.getClaims();
|
JwtClaims claims = jwt.getClaims();
|
||||||
|
|
||||||
|
String clientId = claims.getClaimAsString("client_id");
|
||||||
|
String[] scopeString = new String[]{claims.getClaimAsString("scope")};
|
||||||
|
Collection<String> scope = new HashSet<String>(Arrays.asList(scopeString));
|
||||||
|
|
||||||
// Manually initialize auth request instead of using @ModelAttribute
|
// Manually initialize auth request instead of using @ModelAttribute
|
||||||
// to make sure it comes from request instead of the session
|
// to make sure it comes from request instead of the session
|
||||||
|
|
||||||
Map<String, String> jwtParameters = new HashMap<String, String>();
|
AuthorizationRequest authorizationRequest = new AuthorizationRequest(parameters, null, clientId, scope);
|
||||||
|
|
||||||
jwtParameters.put("client_id", claims.getClaimAsString("client_id"));
|
|
||||||
jwtParameters.put("redirect_uri", claims.getClaimAsString("redirect_uri"));
|
|
||||||
jwtParameters.put("scope", claims.getClaimAsString("scope"));
|
|
||||||
|
|
||||||
AuthorizationRequest authorizationRequest = new AuthorizationRequest(jwtParameters);
|
|
||||||
|
|
||||||
if (claims.getClaim("client_id") == null) {
|
if (claims.getClaim("client_id") == null) {
|
||||||
sessionStatus.setComplete();
|
sessionStatus.setComplete();
|
||||||
|
@ -87,7 +83,7 @@ public class AuthorizationEndpointRequestObject extends AbstractEndpoint impleme
|
||||||
"User must be authenticated with Spring Security before authorization can be completed.");
|
"User must be authenticated with Spring Security before authorization can be completed.");
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!claims.getClaim("response_type").equals("token") && !claims.getClaim("response_type").equals("code")) {
|
if (!authorizationRequest.getResponseTypes().contains("token") && !authorizationRequest.getResponseTypes().contains("code")) {
|
||||||
throw new UnsupportedGrantTypeException("Unsupported response types: " + claims.getClaim("response_type"));
|
throw new UnsupportedGrantTypeException("Unsupported response types: " + claims.getClaim("response_type"));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -118,45 +114,6 @@ public class AuthorizationEndpointRequestObject extends AbstractEndpoint impleme
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@RequestMapping(method = RequestMethod.POST, params = AuthorizationRequest.USER_OAUTH_APPROVAL)
|
|
||||||
public View approveOrDeny(@RequestParam Map<String, String> approvalParameters,
|
|
||||||
@ModelAttribute AuthorizationRequest authorizationRequest, SessionStatus sessionStatus, Principal principal) {
|
|
||||||
|
|
||||||
if (authorizationRequest.getClientId() == null) {
|
|
||||||
sessionStatus.setComplete();
|
|
||||||
throw new InvalidClientException("A client_id must be supplied.");
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!(principal instanceof Authentication)) {
|
|
||||||
sessionStatus.setComplete();
|
|
||||||
throw new InsufficientAuthenticationException(
|
|
||||||
"User must be authenticated with Spring Security before authorizing an access token.");
|
|
||||||
}
|
|
||||||
|
|
||||||
try {
|
|
||||||
Set<String> responseTypes = authorizationRequest.getResponseTypes();
|
|
||||||
|
|
||||||
authorizationRequest = authorizationRequest.addApprovalParameters(approvalParameters);
|
|
||||||
authorizationRequest = resolveRedirectUriAndCheckApproval(authorizationRequest, (Authentication) principal);
|
|
||||||
|
|
||||||
if (!authorizationRequest.isApproved()) {
|
|
||||||
return new RedirectView(getUnsuccessfulRedirect(authorizationRequest,
|
|
||||||
new UserDeniedAuthorizationException("User denied access"), responseTypes.contains("token")),
|
|
||||||
false);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (responseTypes.contains("token")) {
|
|
||||||
return getImplicitGrantResponse(authorizationRequest).getView();
|
|
||||||
}
|
|
||||||
|
|
||||||
return getAuthorizationCodeResponse(authorizationRequest, (Authentication) principal);
|
|
||||||
}
|
|
||||||
finally {
|
|
||||||
sessionStatus.setComplete();
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
//
|
//
|
||||||
// TODO: Remove when possible
|
// TODO: Remove when possible
|
||||||
// COPIED FROM SECOAUTH AuthorizationEndpoint
|
// COPIED FROM SECOAUTH AuthorizationEndpoint
|
||||||
|
|
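Review bot: In the `-59,22 +57,20` hunk the scope claim is wrapped as a single array element, `new String[]{claims.getClaimAsString("scope")}`, so a space-delimited value such as `openid profile` becomes one scope string instead of two, and an absent claim puts `null` into the set; split it first, e.g. `String scopeClaim = claims.getClaimAsString("scope");` / `Collection<String> scope = scopeClaim == null ? new HashSet<String>() : new HashSet<String>(Arrays.asList(scopeClaim.split(" ")));`. The same hunk now builds the `AuthorizationRequest` from the raw query `parameters` plus `client_id` and `scope` taken from the JWT, drops the old copy of `redirect_uri` from the JWT, and has no check that `client_id`, `redirect_uri` or `response_type` in the query parameters agree with the request-object claims — nothing visible here validates the JWT's signature after `Jwt.parse(jwtString)` either, though that may happen elsewhere; a comment stating where the request object is verified and which source wins on a mismatch would help. In the `-87,7 +83,7` hunk the response-type check now reads `authorizationRequest.getResponseTypes()` (sourced from `parameters`), but the exception message still prints `claims.getClaim("response_type")`, so the reported value can differ from the one actually rejected. The method body continues past the hunk.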