Commit Graph

1363 Commits (124a0353e5b35b9947a12a1d22068bd72fcaded2)

Author SHA1 Message Date
Justin Richer d317cf5024 added exception handling to device code creation step 2017-04-12 15:59:17 -04:00
Justin Richer cc0622edd0 internalized random string generation for device codes 2017-04-12 14:59:18 -04:00
Mark Janssen 903168a949 Decrease log level of trailing slash warning
Having an issuer without trailing slash configured is just fine, so
there is no reason to log a warning for this every time the discovery
endpoint is called.
2017-04-07 14:59:58 -04:00
Justin Richer 835a326627 allow polling of device codes, fixed UI for device code input 2017-03-27 14:39:40 -05:00
Justin Richer 32ce21b5cd automated code formatting and cleanup 2017-03-21 14:07:20 -04:00
Justin Richer 2a75535dce fix unit tests and downstream calls 2017-03-16 18:00:05 -04:00
Justin Richer a926a8f0ab cleaned up server-side stats service, UI now uses per-client calls 2017-03-16 17:31:26 -04:00
Justin Richer 256b79ae51 lazy load client stats in UI 2017-03-16 17:20:04 -04:00
Justin Richer 02928b048f added software ID and version to data API 2017-03-15 17:38:46 -04:00
Justin Richer 8406a89fd1 added device flow expiration 2017-03-14 17:40:30 -04:00
Justin Richer f54d44cd9d added device code to discovery, moved device endpoints 2017-03-14 17:40:30 -04:00
Justin Richer f915196c2e fix approval display 2017-03-14 17:40:29 -04:00
Justin Richer cbf5bf742b added messages for display pages, better error handling in user-facing pages 2017-03-14 17:40:29 -04:00
Justin Richer 153776ecb5 Don’t catch OAuth2 errors, let the framework handle them here 2017-03-14 17:40:28 -04:00
Justin Richer 44b24af466 database storage for device flow 2017-03-14 17:40:28 -04:00
Justin Richer 548dad4e29 added expiration to device codes 2017-03-14 17:40:27 -04:00
Justin Richer 9cb5377ce8 added device code validity seconds to client model 2017-03-14 17:40:27 -04:00
Justin Richer a5b4115169 functioning device code flow 2017-03-14 17:40:26 -04:00
Justin Richer 3326eee934 shell for device flow 2017-03-14 17:40:26 -04:00
Justin Richer c42fe57367 changed task operations to print out name of operation on run 2017-03-14 17:40:26 -04:00
Justin Richer 72fd3c2b99 added ID Token Validity Seconds to data import/export API 2017-03-11 15:36:45 -05:00
Justin Richer 98a4d56cdd made extraction function less side-effect-ful 2017-03-03 17:20:15 -05:00
Leonard Brünings 00ecd3dd22 Fix NPE if no claims are requested for the userinfo object
This happens if clients only requests id_token claims, or just send an empty claims parameter.

Change-Id: I8bd176ad271bda8a1e2f26b6221bd8e2d0a3ebfb
2017-03-03 16:09:51 -05:00
Justin Richer 141f4da7f1 added PKCE editing capabilities to UI 2017-02-20 15:40:16 -05:00
Justin Richer c79b6da9d9 Javascript files for UI functionality loaded from configuration bean 2017-02-17 17:34:03 -05:00
Justin Richer b176d4d77e cleaned up old endpoints 2017-02-16 18:24:21 -05:00
Justin Richer 8178af87f0 further modularized data import/export service 2017-02-16 18:24:05 -05:00
Justin Richer 52d2298f99 begin modularization of data import/export API 2017-02-15 11:51:32 -05:00
Justin Richer db50a88fe5 Happy New Year 2017 2017-01-17 17:09:14 -05:00
Justin Richer b17a7f43ae removed structured scopes 2017-01-17 17:06:04 -05:00
strangeweaver 46046b574a Implemented paged operations and used for database cleanup tasks. 2017-01-17 15:36:57 -05:00
strangeweaver 099211593c Fix high load performance issue in token expiration task 2017-01-17 15:36:57 -05:00
Justin Richer 91da3935f5 Made ID tokens ephemeral, made access token’s “additional information” extensible 2016-12-21 13:01:15 -05:00
Mikko Tommila 4f4c8de1c8 Fix JPA issues to allow using Hibernate 2016-12-09 15:15:50 -05:00
Justin Richer 22fa3605ef Patched unit tests, still needs updates for checking approved site to token mapping on data import/export 2016-12-09 12:56:06 -05:00
Justin Richer 55b1b00b73 Updated relationship between approved sites and access tokens, closes #874 2016-12-09 12:55:42 -05:00
Justin Richer d875d52be7 updated data import/export services for 1.3 2016-12-08 17:01:55 -05:00
HeXetic 7725fcfa2b createAuthorizationCode should be @Transactional
An Authentication should not exist without its matching AuthorizationCode, but typically an AuthorizationCode will have a foreign key on an Authentication, meaning it can't be saved first. This block should be wrapped in a transaction so that other DB clients (say, for example, clearExpiredAuthorizationCodes) don't see an inconsistent snapshot and then misbehave.
2016-12-02 16:29:48 -05:00
Julian Schlichtholz c3d0c18af5 make HttpClient configurable, closes #1071 2016-12-02 16:23:55 -05:00
Sofia Ang bb6bb81dbc Add new tests which asserts that `user_id` should not be present in the introspection response if there's no user authentication available 2016-12-02 16:08:32 -05:00
Sofia Ang 52da5e769a Fix test by returning a new OAuth2Authentication instead of mocking it 2016-12-02 16:08:32 -05:00
Sofia Ang b2fab9642e Fix such that `user_id` is only added if user authentication is available
OAuth2Authentication#getPrincipal() used by OAuth2Authentication#getName() defaults to the client id if user authentication is not available.
Prior to this fix, an introspection of a client-only access token would result to the user_id also being the client_id. This causes problems when this
introspection result is converted into an OAuth2Authentication by a resource server's IntrospectingTokenService -- the user_id is populated with
the client_id and so OAuth2Authentication's userAuthentication is populated falsely.
2016-12-02 16:08:32 -05:00
Nicolas Liampotis dea6044e77 Set the encoding of the UserInfo response body to UTF-8
See http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse
2016-12-02 14:44:55 -05:00
Justin Richer af7c1f7d45 added PKCE support to discovery endpoint 2016-07-27 20:31:27 -04:00
Justin Richer ba0d0aab0b use parameter constants for extensions maps in token service 2016-07-24 17:46:04 -04:00
Justin Richer ac0cafe7b3 parse and process PKCE requests 2016-07-24 17:45:43 -04:00
Justin Richer 57208ac35d added software statements to client API 2016-07-24 16:12:56 -04:00
Justin Richer d89257380f make client assertion auth work again 2016-07-24 15:28:51 -04:00
Justin Richer f9e4d75a4a use JWT bearer assertion token for assertion processing 2016-07-24 14:55:45 -04:00
Justin Richer bd9932d56f added assertion processor to token endpoint 2016-07-22 15:31:00 -04:00
Justin Richer a5a12b2f1f added assertion validation engine 2016-07-22 13:47:20 -04:00
Justin Richer fa63993896 added software statement to client model, added processor to dynamic registration parser 2016-07-21 16:55:46 -04:00
Justin Richer a951a22bf8 explicitly use language and country codes for locale resolution 2016-07-14 18:29:37 -04:00
XIAO XI LIU b8cc0a82b3 fix issue #1061: auto-detect locale country code 2016-07-14 18:29:37 -04:00
Justin Richer 7177854416 inverted boolean for #1033 2016-07-08 13:00:26 -04:00
Justin Richer 39bae3a160 make the client auth URL matcher use an existing matcher instead of custom code 2016-07-08 11:42:35 -04:00
Justin Richer 01892b6f47 use a request matcher on authorization request filter, closes #1033 2016-07-08 11:00:01 -04:00
Trung Nguyen ecb4a9ed53 Check that the underlying cause of the PersistenceException is caused by a duplicate entry. 2016-07-07 16:45:36 -04:00
Trung Nguyen 6fb26856a7 Make apiAddClient in the client api return a HttpStatus.Conflict if you try to create a client with a used client id.
This fixes a bug where if you try to create a client with a client id that is already in use, you get an empty error message. Instead, now you get a message that tells you that the client couldn't be created because the client id is already in use.
2016-07-07 16:45:36 -04:00
Leonard Brünings 8e71107f9b Fix NPE when checking claim extension, Simplify always true expressions 2016-07-07 16:35:50 -04:00
Fredrik Jönsson 8f81278332 We really should specify an encoding here and not depend on the
servers default encoding, shouldn't we? It becomes ISO-8859-1
otherwise in Tomcat as per the Servlet specification.
2016-07-07 16:33:24 -04:00
Justin Richer 89316cbab1 fixed default token lifetimes for heart mode 2016-03-18 22:02:28 -04:00
Justin Richer 9691f02772 added audience parameter to parser, fixed token generator to match HEART spec 2016-03-11 17:12:36 -05:00
Justin Richer 49a8848648 count really weird URIs as "custom scheme" 2016-03-10 12:50:47 -05:00
Justin Richer d75bba218d forbid password grant type in HEART mode 2016-03-10 12:30:48 -05:00
Justin Richer 699e9bff39 testing for multiple classes of redirect URIs 2016-02-24 16:34:58 -05:00
Justin Richer 38710bd3d2 unit tests for HEART mode 2016-02-24 15:33:52 -05:00
Justin Richer 74ea42851b added check for HEART mode consistency 2016-02-24 13:09:58 -05:00
Justin Richer 028265faa6 pulled scope values to externalized strings 2016-02-24 13:09:39 -05:00
Justin Richer 5bccb602d8 always perform strict redirect URI matches in HEART mode 2016-02-24 13:09:00 -05:00
Justin Richer 51e3513307 disallow client secret JWT authentication in HEART mode 2016-02-24 13:07:14 -05:00
Justin Richer 183a599126 fixed OIDC discovery relation URL 2016-01-29 17:17:35 -05:00
Justin Richer 61433cc23a deepen webfinger, endpoint is looser
closes #1008
2016-01-29 15:38:17 -05:00
Misagh Moayyed 3d14b0d128 rename zone_info claim to zoneinfo 2016-01-21 15:52:59 -05:00
Justin Richer 7badfe1d17 Happy new year 2016! 2016-01-21 15:50:37 -05:00
Justin Richer d1033b693f added privacy-preserving client logo cache 2015-12-21 15:51:39 -05:00
Justin Richer aa878cc3cf pulled checks for expired tokens into utility functions 2015-12-18 11:22:50 -05:00
Justin Richer 698feb49cd check access token expiration on read. closes #983 2015-12-16 22:46:42 -05:00
Justin Richer 7f464c496b changed copyright to new consortium name 2015-12-16 14:51:12 -05:00
Justin Richer ea77bf2a19 quieted approved site cleanup 2015-12-02 16:51:55 -05:00
Justin Richer 1ed3e2c47a quieted logging on database cleanup tasks when no expired elements are found 2015-11-25 15:55:16 -05:00
Justin Richer fcfc620d51 updated client API with more useful errors, removed unused service reference 2015-11-25 15:42:09 -05:00
Justin Richer 2496dc114c allow language system to be loaded from multiple files. closes #817 closes #876 2015-11-24 20:33:55 -05:00
Justin Richer e255fc1a10 change default behavior of message source, closes #964 2015-11-24 20:33:54 -05:00
Cosmin Cojocar 7b34a666d9 Make the dual client support configurable 2015-11-24 12:10:27 -05:00
Cosmin Cojocar a80953a2d4 Allow both flows authorization code and client credentials. This scenario might be found when the same client supports user authentication as well as service to service authentication. Such a client is trusted (whitelisted). 2015-11-24 12:10:27 -05:00
Mark Janssen dce80d488b Clean up ScopeClaimTranslationService
`getFieldNameForClaim` method is never used.
2015-11-23 21:35:16 -05:00
Justin Richer 96f4d5e8a8 fixed use of wrong constant, closes #940 2015-10-13 18:08:56 -04:00
Justin Richer c9358f348a added transactional annotations, finally closes #926 addresses #862 2015-10-13 16:59:11 -04:00
Justin Richer e1e892377f added cleaner for duplicate refresh tokens 2015-10-13 15:38:07 -04:00
Justin Richer 542afca459 cleans duplicate access tokens from DB before other cleanup happens 2015-10-13 15:33:23 -04:00
Justin Richer ebb4f2c3d4 Upgraded to nimbus 4.2, closes #934 2015-10-13 04:40:01 -04:00
Justin Richer c67611e975 added qualifier name to persistence unit and transaction manager, closes #883 2015-10-12 21:15:30 -04:00
Justin Richer d280ca40a4 login hints now handled in a slightly smarter (and more pluggable) manner, closes #851 2015-10-12 20:04:02 -04:00
Mark Janssen b5c298e0ca Remove legacy CSRF protection for approve page
Instead, we rely on the Spring Security CSRF protection, like we already do for the login page. Additionally, we remove the authentication check in`isApproved`, because this is already done by Spring Security (and if not, we have bigger problems to worry about).
2015-10-09 17:09:46 +02:00
Justin Richer 4063f7f94f user info endpoint response uses correct client algorithms, addresses #921 2015-10-02 18:48:11 -04:00
Justin Richer acb3d03052 added 'kid' to all signed tokens, closes #899 2015-10-01 18:54:38 -04:00
Justin Richer d3f8ff2855 added JTI to ID tokens, closes #900 2015-10-01 17:24:47 -04:00
Justin Richer 9822748209 grabbed additional places that mention updated_time/updated_at 2015-10-01 15:53:21 -04:00
Sarah Squire 31ea96ce27 Update DefaultOIDCTokenService.java
fixed typo
2015-10-01 15:34:01 -04:00