From f9e4d75a4afc5871a9456ba45ff5f3943634375d Mon Sep 17 00:00:00 2001
From: Justin Richer
Date: Sun, 24 Jul 2016 14:55:45 -0400
Subject: [PATCH] use JWT bearer assertion token for assertion processing
---
 .../token/JWTAssertionTokenGranter.java | 15 ++------
 ...JWTBearerAssertionAuthenticationToken.java | 34 ++++++-------------
 .../JWTBearerAuthenticationProvider.java | 6 ++--
 ...rerClientAssertionTokenEndpointFilter.java | 2 +-
 4 files changed, 18 insertions(+), 39 deletions(-)
diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/token/JWTAssertionTokenGranter.java b/openid-connect-server/src/main/java/org/mitre/oauth2/token/JWTAssertionTokenGranter.java
index 0efc01802..997def63e 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/token/JWTAssertionTokenGranter.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/token/JWTAssertionTokenGranter.java
@@ -20,24 +20,17 @@ package org.mitre.oauth2.token;
 import java.text.ParseException;
-import java.util.Date;
-import java.util.UUID;
 import org.mitre.jwt.assertion.AssertionValidator;
 import org.mitre.jwt.signer.service.JWTSigningAndValidationService;
 import org.mitre.oauth2.assertion.AssertionOAuth2RequestFactory;
-import org.mitre.oauth2.model.ClientDetailsEntity;
-import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
 import org.mitre.oauth2.service.ClientDetailsEntityService;
 import org.mitre.oauth2.service.OAuth2TokenEntityService;
-import org.mitre.oauth2.service.SystemScopeService;
+import org.mitre.openid.connect.assertion.JWTBearerAssertionAuthenticationToken;
 import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
-import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.oauth2.common.OAuth2AccessToken;
-import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
 import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
 import org.springframework.security.oauth2.provider.ClientDetails;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
@@ -46,11 +39,8 @@ import org.springframework.security.oauth2.provider.TokenRequest;
 import org.springframework.security.oauth2.provider.token.AbstractTokenGranter;
 import org.springframework.stereotype.Component;
-import com.nimbusds.jose.JWSHeader;
 import com.nimbusds.jwt.JWT;
-import com.nimbusds.jwt.JWTClaimsSet;
 import com.nimbusds.jwt.JWTParser;
-import com.nimbusds.jwt.SignedJWT;
 /**
  * @author jricher
@@ -97,7 +87,8 @@ public class JWTAssertionTokenGranter extends AbstractTokenGranter {
 // our validator says it's OK, time to make a token from it
 // the real work happens in the assertion factory and the token services
- return new OAuth2Authentication(assertionFactory.createOAuth2Request(client, tokenRequest, assertion), null);
+ return new OAuth2Authentication(assertionFactory.createOAuth2Request(client, tokenRequest, assertion),
+ new JWTBearerAssertionAuthenticationToken(assertion, client.getAuthorities()));
 } else {
 logger.warn("Incoming assertion did not pass validator, rejecting");
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JWTBearerAssertionAuthenticationToken.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JWTBearerAssertionAuthenticationToken.java
index 0bea33042..94b1e6c19 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JWTBearerAssertionAuthenticationToken.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JWTBearerAssertionAuthenticationToken.java
@@ -19,6 +19,7 @@
  */
 package org.mitre.openid.connect.assertion;
+import java.text.ParseException;
 import java.util.Collection;
 import org.springframework.security.authentication.AbstractAuthenticationToken;
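Review bot: The user-side authentication built on the `+ new JWTBearerAssertionAuthenticationToken(assertion, client.getAuthorities())` line hands the asserted subject the client's authorities, so anything reading `OAuth2Authentication.getUserAuthentication().getAuthorities()` will see client roles attributed to whoever the assertion's sub claim names. That may be deliberate, since the subject has no local account to draw roles from, but the call site does not say so; a comment such as `// the asserted subject has no local user record, so the user-side token carries the client's authorities` would record the choice. The new token also resolves its principal lazily from the assertion's claims set on every call (see the JWTBearerAssertionAuthenticationToken hunk), which this path presumes the validator has already parsed successfully. The enclosing method starts and ends outside the hunk.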
@@ -36,30 +37,27 @@ public class JWTBearerAssertionAuthenticationToken extends AbstractAuthenticatio
 *
 */
 private static final long serialVersionUID = -3138213539914074617L;
- private String clientId;
 private JWT jwt;
 /**
- * Create an unauthenticated token with the given client ID and jwt
- * @param clientId
+ * Create an unauthenticated token with the given subject and jwt
+ * @param subject
 * @param jwt
 */
- public JWTBearerAssertionAuthenticationToken(String clientId, JWT jwt) {
+ public JWTBearerAssertionAuthenticationToken(JWT jwt) {
 super(null);
- this.clientId = clientId;
 this.jwt = jwt;
 setAuthenticated(false);
 }
 /**
 * Create an authenticated token with the given clientID, jwt, and authorities set
- * @param clientId
+ * @param subject
 * @param jwt
 * @param authorities
 */
- public JWTBearerAssertionAuthenticationToken(String clientId, JWT jwt, Collection authorities) {
+ public JWTBearerAssertionAuthenticationToken(JWT jwt, Collection authorities) {
 super(authorities);
- this.clientId = clientId;
 this.jwt = jwt;
 setAuthenticated(true);
 }
@@ -77,21 +75,11 @@ public class JWTBearerAssertionAuthenticationToken extends AbstractAuthenticatio
 */
 @Override
 public Object getPrincipal() {
- return clientId;
- }
-
- /**
- * @return the clientId
- */
- public String getClientId() {
- return clientId;
- }
-
- /**
- * @param clientId the clientId to set
- */
- public void setClientId(String clientId) {
- this.clientId = clientId;
+ try {
+ return jwt.getJWTClaimsSet().getSubject();
+ } catch (ParseException e) {
+ return null;
+ }
 }
 /**
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JWTBearerAuthenticationProvider.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JWTBearerAuthenticationProvider.java
index c2c1304d4..a66dfafc0 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JWTBearerAuthenticationProvider.java
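Review bot: `getPrincipal()` in the second hunk swallows the `ParseException` and returns null, so an assertion whose claims set cannot be parsed yields a null principal; `AbstractAuthenticationToken.getName()` maps that to "", which the `loadClientByClientId(jwtAuth.getName())` line in the JWTBearerAuthenticationProvider hunk then looks up, so the failure surfaces as "Could not find client: " with the real cause lost, and every `getPrincipal()`/`getName()` call re-parses the claims. Resolving the subject once in both constructors and failing with `BadCredentialsException` (its import would be needed) keeps the failure inside the authentication flow that already handles bad credentials, as sketched below. The Javadoc in the first hunk still lists `@param subject` on both constructors although neither takes such a parameter; use `@param jwt the bearer assertion whose sub claim becomes the principal` instead.
```java
	private JWT jwt;
	// Subject (sub claim) of the assertion, resolved once when the token is built.
	private String subject;

	/**
	 * Create an unauthenticated token for the given assertion.
	 * @param jwt the bearer assertion whose sub claim becomes the principal
	 * @throws BadCredentialsException if the assertion's claims set cannot be parsed
	 */
	public JWTBearerAssertionAuthenticationToken(JWT jwt) {
		super(null);
		this.jwt = jwt;
		this.subject = subjectOf(jwt);
		setAuthenticated(false);
	}

	// … unchanged: authenticated constructor, which sets this.subject = subjectOf(jwt) the same way …

	@Override
	public Object getPrincipal() {
		return subject;
	}

	// A claims set that will not parse is a bad credential; failing here is clearer than
	// handing the provider a null principal that it would look up as the empty client id.
	private static String subjectOf(JWT jwt) {
		try {
			return jwt.getJWTClaimsSet().getSubject();
		} catch (ParseException e) {
			throw new BadCredentialsException("Assertion claims set could not be parsed", e);
		}
	}
```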
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JWTBearerAuthenticationProvider.java
@@ -85,7 +85,7 @@ public class JWTBearerAuthenticationProvider implements AuthenticationProvider {
 try {
- ClientDetailsEntity client = clientService.loadClientByClientId(jwtAuth.getClientId());
+ ClientDetailsEntity client = clientService.loadClientByClientId(jwtAuth.getName());
 JWT jwt = jwtAuth.getJwt();
 JWTClaimsSet jwtClaims = jwt.getJWTClaimsSet();
@@ -191,10 +191,10 @@ public class JWTBearerAuthenticationProvider implements AuthenticationProvider {
 Set authorities = new HashSet<>(client.getAuthorities());
 authorities.add(ROLE_CLIENT);
- return new JWTBearerAssertionAuthenticationToken(client.getClientId(), jwt, authorities);
+ return new JWTBearerAssertionAuthenticationToken(jwt, authorities);
 } catch (InvalidClientException e) {
- throw new UsernameNotFoundException("Could not find client: " + jwtAuth.getClientId());
+ throw new UsernameNotFoundException("Could not find client: " + jwtAuth.getName());
 } catch (ParseException e) {
 logger.error("Failure during authentication, error was: ", e);
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JWTBearerClientAssertionTokenEndpointFilter.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JWTBearerClientAssertionTokenEndpointFilter.java
index a00717bb4..601da3de9 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JWTBearerClientAssertionTokenEndpointFilter.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JWTBearerClientAssertionTokenEndpointFilter.java
@@ -95,7 +95,7 @@ public class JWTBearerClientAssertionTokenEndpointFilter extends AbstractAuthent
 String clientId = jwt.getJWTClaimsSet().getSubject();
- Authentication authRequest = new JWTBearerAssertionAuthenticationToken(clientId, jwt);
+ Authentication authRequest = new JWTBearerAssertionAuthenticationToken(jwt);
 return this.getAuthenticationManager().authenticate(authRequest);
 } catch (ParseException e) {
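Review bot: `String clientId = jwt.getJWTClaimsSet().getSubject();` is kept although the new constructor call on the next line no longer takes it, so within the hunk the local is dead and the subject is now derived inside the token itself. Unless the rest of the method (which continues outside the hunk) still reads it, drop the line; if it is retained on purpose, a short comment such as `// kept for the error path below` would stop the next reader from removing it.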