use JWT bearer assertion token for assertion processing

openid-connect-server/src/main/java/org/mitre/oauth2/token/JWTAssertionTokenGranter.java

@@ -20,24 +20,17 @@
 package org.mitre.oauth2.token;
 
 import java.text.ParseException;
-import java.util.Date;
-import java.util.UUID;
 
 import org.mitre.jwt.assertion.AssertionValidator;
 import org.mitre.jwt.signer.service.JWTSigningAndValidationService;
 import org.mitre.oauth2.assertion.AssertionOAuth2RequestFactory;
-import org.mitre.oauth2.model.ClientDetailsEntity;
-import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
 import org.mitre.oauth2.service.ClientDetailsEntityService;
 import org.mitre.oauth2.service.OAuth2TokenEntityService;
-import org.mitre.oauth2.service.SystemScopeService;
+import org.mitre.openid.connect.assertion.JWTBearerAssertionAuthenticationToken;
 import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
-import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.oauth2.common.OAuth2AccessToken;
-import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
 import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
 import org.springframework.security.oauth2.provider.ClientDetails;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
@@ -46,11 +39,8 @@ import org.springframework.security.oauth2.provider.TokenRequest;
 import org.springframework.security.oauth2.provider.token.AbstractTokenGranter;
 import org.springframework.stereotype.Component;
 
-import com.nimbusds.jose.JWSHeader;
 import com.nimbusds.jwt.JWT;
-import com.nimbusds.jwt.JWTClaimsSet;
 import com.nimbusds.jwt.JWTParser;
-import com.nimbusds.jwt.SignedJWT;
 
 /**
  * @author jricher
@@ -97,7 +87,8 @@ public class JWTAssertionTokenGranter extends AbstractTokenGranter {
 				
 				// our validator says it's OK, time to make a token from it
 				// the real work happens in the assertion factory and the token services
-				return new OAuth2Authentication(assertionFactory.createOAuth2Request(client, tokenRequest, assertion), null);
+				return new OAuth2Authentication(assertionFactory.createOAuth2Request(client, tokenRequest, assertion),
+						new JWTBearerAssertionAuthenticationToken(assertion, client.getAuthorities()));
 				
 			} else {
 				logger.warn("Incoming assertion did not pass validator, rejecting");

openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JWTBearerAssertionAuthenticationToken.java

@@ -19,6 +19,7 @@
  */
 package org.mitre.openid.connect.assertion;
 
+import java.text.ParseException;
 import java.util.Collection;
 
 import org.springframework.security.authentication.AbstractAuthenticationToken;
@@ -36,30 +37,27 @@ public class JWTBearerAssertionAuthenticationToken extends AbstractAuthenticatio
 	 * 
 	 */
 	private static final long serialVersionUID = -3138213539914074617L;
-	private String clientId;
 	private JWT jwt;
 
 	/**
-	 * Create an unauthenticated token with the given client ID and jwt
-	 * @param clientId
+	 * Create an unauthenticated token with the given subject and jwt
+	 * @param subject
 	 * @param jwt
 	 */
-	public JWTBearerAssertionAuthenticationToken(String clientId, JWT jwt) {
+	public JWTBearerAssertionAuthenticationToken(JWT jwt) {
 		super(null);
-		this.clientId = clientId;
 		this.jwt = jwt;
 		setAuthenticated(false);
 	}
 
 	/**
 	 * Create an authenticated token with the given clientID, jwt, and authorities set
-	 * @param clientId
+	 * @param subject
 	 * @param jwt
 	 * @param authorities
 	 */
-	public JWTBearerAssertionAuthenticationToken(String clientId, JWT jwt, Collection<? extends GrantedAuthority> authorities) {
+	public JWTBearerAssertionAuthenticationToken(JWT jwt, Collection<? extends GrantedAuthority> authorities) {
 		super(authorities);
-		this.clientId = clientId;
 		this.jwt = jwt;
 		setAuthenticated(true);
 	}
@@ -77,21 +75,11 @@ public class JWTBearerAssertionAuthenticationToken extends AbstractAuthenticatio
 	 */
 	@Override
 	public Object getPrincipal() {
-		return clientId;
-	}
-
-	/**
-	 * @return the clientId
-	 */
-	public String getClientId() {
-		return clientId;
-	}
-
-	/**
-	 * @param clientId the clientId to set
-	 */
-	public void setClientId(String clientId) {
-		this.clientId = clientId;
+		try {
+			return jwt.getJWTClaimsSet().getSubject();
+		} catch (ParseException e) {
+			return null;
+		}
 	}
 
 	/**

openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JWTBearerAuthenticationProvider.java

@@ -85,7 +85,7 @@ public class JWTBearerAuthenticationProvider implements AuthenticationProvider {
 
 
 		try {
-			ClientDetailsEntity client = clientService.loadClientByClientId(jwtAuth.getClientId());
+			ClientDetailsEntity client = clientService.loadClientByClientId(jwtAuth.getName());
 
 			JWT jwt = jwtAuth.getJwt();
 			JWTClaimsSet jwtClaims = jwt.getJWTClaimsSet();
@@ -191,10 +191,10 @@ public class JWTBearerAuthenticationProvider implements AuthenticationProvider {
 			Set<GrantedAuthority> authorities = new HashSet<>(client.getAuthorities());
 			authorities.add(ROLE_CLIENT);
 
-			return new JWTBearerAssertionAuthenticationToken(client.getClientId(), jwt, authorities);
+			return new JWTBearerAssertionAuthenticationToken(jwt, authorities);
 
 		} catch (InvalidClientException e) {
-			throw new UsernameNotFoundException("Could not find client: " + jwtAuth.getClientId());
+			throw new UsernameNotFoundException("Could not find client: " + jwtAuth.getName());
 		} catch (ParseException e) {
 
 			logger.error("Failure during authentication, error was: ", e);

openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JWTBearerClientAssertionTokenEndpointFilter.java

@@ -95,7 +95,7 @@ public class JWTBearerClientAssertionTokenEndpointFilter extends AbstractAuthent
 
 			String clientId = jwt.getJWTClaimsSet().getSubject();
 
-			Authentication authRequest = new JWTBearerAssertionAuthenticationToken(clientId, jwt);
+			Authentication authRequest = new JWTBearerAssertionAuthenticationToken(jwt);
 
 			return this.getAuthenticationManager().authenticate(authRequest);
 		} catch (ParseException e) {