inject claims from OIDC auth token into permission ticket
parent
98cd5ba27d
commit
eb49d9624c
|
@ -17,14 +17,31 @@
|
|||
|
||||
package org.mitre.uma.web;
|
||||
|
||||
import java.util.Set;
|
||||
|
||||
import org.mitre.oauth2.model.ClientDetailsEntity;
|
||||
import org.mitre.oauth2.service.ClientDetailsEntityService;
|
||||
import org.mitre.openid.connect.model.OIDCAuthenticationToken;
|
||||
import org.mitre.openid.connect.model.UserInfo;
|
||||
import org.mitre.openid.connect.view.HttpCodeView;
|
||||
import org.mitre.openid.connect.view.JsonErrorView;
|
||||
import org.mitre.uma.model.Claim;
|
||||
import org.mitre.uma.model.PermissionTicket;
|
||||
import org.mitre.uma.service.PermissionService;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.http.HttpStatus;
|
||||
import org.springframework.security.access.prepost.PreAuthorize;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.stereotype.Controller;
|
||||
import org.springframework.ui.Model;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.util.UriComponentsBuilder;
|
||||
|
||||
import com.google.common.base.Strings;
|
||||
import com.google.common.collect.Sets;
|
||||
|
||||
/**
|
||||
*
|
||||
|
@ -37,18 +54,78 @@ import org.springframework.web.bind.annotation.RequestParam;
|
|||
@PreAuthorize("hasRole('ROLE_EXTERNAL_USER')")
|
||||
@RequestMapping("/" + ClaimsCollectionEndpoint.URL)
|
||||
public class ClaimsCollectionEndpoint {
|
||||
// Logger for this class
|
||||
private static final Logger logger = LoggerFactory.getLogger(ClaimsCollectionEndpoint.class);
|
||||
|
||||
public static final String URL = "rqp_claims";
|
||||
|
||||
@Autowired
|
||||
private ClientDetailsEntityService clientService;
|
||||
|
||||
@Autowired
|
||||
private PermissionService permissionService;
|
||||
|
||||
|
||||
@RequestMapping(method = RequestMethod.GET)
|
||||
public String collectClaims(@RequestParam("client_id") String clientId, @RequestParam("redirect_uri") String redirectUri,
|
||||
@RequestParam("ticket") String ticket, @RequestParam("state") String state,
|
||||
Model m, Authentication auth) {
|
||||
public String collectClaims(@RequestParam("client_id") String clientId, @RequestParam(value = "redirect_uri", required = false) String redirectUri,
|
||||
@RequestParam("ticket") String ticketValue, @RequestParam(value = "state", required = false) String state,
|
||||
Model m, OIDCAuthenticationToken auth) {
|
||||
|
||||
|
||||
ClientDetailsEntity client = clientService.loadClientByClientId(clientId);
|
||||
|
||||
PermissionTicket ticket = permissionService.getByTicket(ticketValue);
|
||||
|
||||
return JsonErrorView.VIEWNAME;
|
||||
if (client == null || ticket == null) {
|
||||
logger.info("Client or ticket not found: " + clientId + " :: " + ticketValue);
|
||||
m.addAttribute(HttpCodeView.CODE, HttpStatus.NOT_FOUND);
|
||||
return HttpCodeView.VIEWNAME;
|
||||
}
|
||||
|
||||
// we've got a client and ticket, let's attach the claims that we have from the token and userinfo
|
||||
|
||||
// subject
|
||||
Set<Claim> claimsSupplied = Sets.newHashSet(ticket.getClaimsSupplied());
|
||||
|
||||
String issuer = auth.getIssuer();
|
||||
UserInfo userInfo = auth.getUserInfo();
|
||||
|
||||
claimsSupplied.add(mkClaim(issuer, "sub", auth.getSub()));
|
||||
claimsSupplied.add(mkClaim(issuer, "email", userInfo.getEmail()));
|
||||
claimsSupplied.add(mkClaim(issuer, "phone_number", auth.getUserInfo().getPhoneNumber()));
|
||||
claimsSupplied.add(mkClaim(issuer, "preferred_username", auth.getUserInfo().getPreferredUsername()));
|
||||
claimsSupplied.add(mkClaim(issuer, "profile", auth.getUserInfo().getProfile()));
|
||||
|
||||
ticket.setClaimsSupplied(claimsSupplied);
|
||||
|
||||
PermissionTicket updatedTicket = permissionService.updateTicket(ticket);
|
||||
|
||||
if (Strings.isNullOrEmpty(redirectUri)) {
|
||||
if (client.getRedirectUris().size() == 1) {
|
||||
redirectUri = client.getRedirectUris().iterator().next(); // get the first (and only) redirect URI to use here
|
||||
logger.info("No redirect URI passed in, using registered value: " + redirectUri);
|
||||
}
|
||||
}
|
||||
|
||||
UriComponentsBuilder template = UriComponentsBuilder.fromUriString(redirectUri);
|
||||
template.queryParam("authorization_state", "claims_submitted");
|
||||
if (!Strings.isNullOrEmpty(state)) {
|
||||
template.queryParam("state", state);
|
||||
}
|
||||
|
||||
String uriString = template.toUriString();
|
||||
logger.info("Redirecting to " + uriString);
|
||||
|
||||
return "redirect:" + uriString;
|
||||
}
|
||||
|
||||
|
||||
private Claim mkClaim(String issuer, String name, String value) {
|
||||
Claim c = new Claim();
|
||||
c.setIssuer(Sets.newHashSet(issuer));
|
||||
c.setName(name);
|
||||
c.setValue(value);
|
||||
return c;
|
||||
}
|
||||
|
||||
}
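Review bot: A caller-supplied `redirect_uri` is never checked against `client.getRedirectUris()` before `UriComponentsBuilder.fromUriString(redirectUri)` builds the redirect, so an authenticated user can be bounced to any URL (with `state` echoed back) — the registered-URI lookup only runs when the parameter is absent. When it is absent and the client has zero or several registered URIs, `redirectUri` stays null and `fromUriString(null)` fails instead of returning a clean error. Both cases should end in the same `HttpCodeView` error path the commit already uses for a missing client or ticket; the rewritten branch is below. Separately, `logger.info("Client or ticket not found: " + clientId + " :: " + ticketValue)` writes the raw ticket value to the log; consider logging only the client id there since the ticket is a bearer value.
```java
if (Strings.isNullOrEmpty(redirectUri)) {
    if (client.getRedirectUris().size() == 1) {
        redirectUri = client.getRedirectUris().iterator().next(); // get the first (and only) redirect URI to use here
        logger.info("No redirect URI passed in, using registered value: " + redirectUri);
    } else {
        logger.info("No redirect URI passed in and client " + clientId + " has " + client.getRedirectUris().size() + " registered URIs, cannot redirect");
        m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST);
        return HttpCodeView.VIEWNAME;
    }
} else if (!client.getRedirectUris().contains(redirectUri)) {
    // only redirect to a URI the client registered; anything else turns this endpoint into an open redirector
    logger.info("Redirect URI not registered for client " + clientId + ": " + redirectUri);
    m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST);
    return HttpCodeView.VIEWNAME;
}
// … unchanged: build redirect with authorization_state and optional state query params …
```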
|
||||
|
|