Use of org.apereo.cas.services.OidcRegisteredService in project cas by apereo: class OidcIdTokenGeneratorService, method produceIdTokenClaims.
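/**
 * Produce the claims that make up the id token issued alongside an access token.
 * <p>
 * Standard claims set here: {@code jti} (a random UUID), {@code iss}, {@code aud} (the service's
 * client id), {@code exp} (now plus {@code timeout} seconds), {@code iat} (now), {@code nbf}
 * (now minus the configured clock skew, in minutes) and {@code sub} (the principal id).
 * Optional claims: {@code acr} from the configured MFA authentication-context attribute,
 * {@code amr} from the list of successful authentication handlers, {@code state} and
 * {@code nonce} copied from the authentication attributes, and {@code at_hash} over the access
 * token. Principal attributes are copied into the token only when their name appears in the
 * global OIDC claims list; {@code preferred_username} falls back to the profile id when no
 * attribute supplied it.
 * <p>
 * NOTE(review): the attribute filter below consults only the global OIDC claims list, not the
 * scopes the client requested nor the service's own attribute policy. Confirm that scope-based
 * filtering happens elsewhere before relying on this method to limit what a client receives.
 *
 * @param request the request (not consulted here)
 * @param accessTokenId the access token whose authentication backs the id token
 * @param timeout the token lifetime in seconds, counted from now
 * @param service the registered OIDC service; its client id becomes the audience
 * @param profile the user profile, used only as the preferred_username fallback
 * @param context the context (not consulted here)
 * @param responseType the response type (not consulted here)
 * @return the jwt claims
 */
protected JwtClaims produceIdTokenClaims(final HttpServletRequest request, final AccessToken accessTokenId, final long timeout, final OidcRegisteredService service, final UserProfile profile, final J2EContext context, final OAuth20ResponseTypes responseType) {
    final Authentication authentication = accessTokenId.getAuthentication();
    final Principal principal = authentication.getPrincipal();
    final JwtClaims claims = new JwtClaims();

    // A unique token id lets a relying party detect replay of the same token.
    claims.setJwtId(UUID.randomUUID().toString());
    claims.setIssuer(this.issuer);
    // The token is addressed to the relying party only.
    claims.setAudience(service.getClientId());
    final NumericDate expirationDate = NumericDate.now();
    expirationDate.addSeconds(timeout);
    claims.setExpirationTime(expirationDate);
    claims.setIssuedAtToNow();
    // Tolerate clock drift between this server and the relying party.
    claims.setNotBeforeMinutesInThePast(this.skew);
    claims.setSubject(principal.getId());

    final String acrAttribute = casProperties.getAuthn().getMfa().getAuthenticationContextAttribute();
    if (authentication.getAttributes().containsKey(acrAttribute)) {
        final Collection<Object> acrValues = CollectionUtils.toCollection(authentication.getAttributes().get(acrAttribute));
        // An attribute that is present but has no values must not blow up token generation
        // with a NoSuchElementException; the acr claim is simply omitted in that case.
        if (!acrValues.isEmpty()) {
            claims.setStringClaim(OidcConstants.ACR, acrValues.iterator().next().toString());
        }
    }
    if (authentication.getAttributes().containsKey(AuthenticationHandler.SUCCESSFUL_AUTHENTICATION_HANDLERS)) {
        final Collection<Object> handlers = CollectionUtils.toCollection(authentication.getAttributes().get(AuthenticationHandler.SUCCESSFUL_AUTHENTICATION_HANDLERS));
        // Convert each value explicitly: toArray(new String[0]) on a Collection<Object> throws
        // ArrayStoreException if any element is not already a String.
        claims.setStringListClaim(OidcConstants.AMR, handlers.stream().map(String::valueOf).toArray(String[]::new));
    }

    claims.setClaim(OAuthConstants.STATE, authentication.getAttributes().get(OAuthConstants.STATE));
    // The nonce is echoed back so the client can tie this token to its own authorization
    // request; it is null when the authentication carries none.
    claims.setClaim(OAuthConstants.NONCE, authentication.getAttributes().get(OAuthConstants.NONCE));
    // at_hash lets the client verify that the accompanying access token belongs to this id token.
    claims.setClaim(OidcConstants.CLAIM_AT_HASH, generateAccessTokenHash(accessTokenId, service));

    // Release only the principal attributes named in the global OIDC claims list.
    principal.getAttributes().entrySet().stream()
        .filter(entry -> casProperties.getAuthn().getOidc().getClaims().contains(entry.getKey()))
        .forEach(entry -> claims.setClaim(entry.getKey(), entry.getValue()));
    if (!claims.hasClaim(OidcConstants.CLAIM_PREFERRED_USERNAME)) {
        claims.setClaim(OidcConstants.CLAIM_PREFERRED_USERNAME, profile.getId());
    }
    return claims;
}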
Use of org.apereo.cas.services.OidcRegisteredService in project cas by apereo: class OidcConfiguration, method oidcServiceJsonWebKeystoreCache.
/**
 * Cache of the RSA JSON web key resolved for a registered OIDC service.
 * <p>
 * Entries are loaded on demand by {@code oidcServiceJsonWebKeystoreCacheLoader()} and expire
 * {@code jwksCacheInMinutes} minutes after being written, which bounds how long a key that was
 * rotated or withdrawn at the service side keeps being used from here. The cache holds at most
 * one entry, so with several OIDC services each lookup for a different service evicts the
 * previous one — presumably intentional; verify if key lookups turn out to be hot.
 *
 * @return the loading cache, keyed by registered service
 */
@Bean
public LoadingCache<OidcRegisteredService, Optional<RsaJsonWebKey>> oidcServiceJsonWebKeystoreCache() {
    final long ttlMinutes = casProperties.getAuthn().getOidc().getJwksCacheInMinutes();
    return CacheBuilder.newBuilder()
        .maximumSize(1)
        .expireAfterWrite(ttlMinutes, TimeUnit.MINUTES)
        .build(oidcServiceJsonWebKeystoreCacheLoader());
}
Use of org.apereo.cas.services.OidcRegisteredService in project cas by apereo: class OidcConsentApprovalViewResolver, method prepareApprovalViewModel.
/**
 * Adds the OIDC-specific entries to the consent approval view model.
 * <p>
 * On top of what the parent resolver provides, the model receives whether the service was
 * dynamically registered, when it was registered, and the set of scopes to show the user for
 * approval. That set is the intersection of the scopes this server supports, the scopes the
 * service is allowed, and the scopes the client actually requested — so a client cannot get
 * consent displayed for a scope it was never granted.
 *
 * @param model the view model to populate
 * @param ctx the web context of the authorization request
 * @param svc the registered service; must be an {@link OidcRegisteredService}, the cast fails otherwise
 */
@Override
protected void prepareApprovalViewModel(final Map<String, Object> model, final J2EContext ctx, final OAuthRegisteredService svc) {
    super.prepareApprovalViewModel(model, ctx, svc);
    final OidcRegisteredService oidcService = (OidcRegisteredService) svc;
    model.put("dynamic", oidcService.isDynamicallyRegistered());
    model.put("dynamicTime", oidcService.getDynamicRegistrationDateTime());

    // Start from everything the server supports and narrow it down; intersection is
    // commutative, so the order of the two retainAll calls does not matter.
    final Set<String> approvableScopes = new HashSet<>(casProperties.getAuthn().getOidc().getScopes());
    approvableScopes.retainAll(OAuthUtils.getRequestedScopes(ctx));
    approvableScopes.retainAll(oidcService.getScopes());
    model.put("scopes", approvableScopes);
}
Use of org.apereo.cas.services.OidcRegisteredService in project cas by apereo: class OidcAuthorizeEndpointController, method buildCallbackUrlForImplicitTokenResponseType.
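/**
 * Builds the redirect callback URL for an implicit-flow response that carries an id token.
 * <p>
 * An access token is generated for the authenticated user, an id token is minted for it, and
 * both are handed to {@code buildCallbackUrlResponseType} which assembles the redirect URL.
 * <p>
 * NOTE(review): the id token lifetime passed to the generator is the TGT time-to-kill, so the
 * id token lives as long as a CAS session rather than for a dedicated, shorter OIDC lifetime;
 * confirm that is intended.
 *
 * @param context the web context
 * @param authentication the authentication to issue tokens for
 * @param service the service the tokens are issued to
 * @param redirectUri the client's redirect URI
 * @param clientId the OAuth client id, used to look up the registered OIDC service
 * @param responseType the response type of the authorization request
 * @return the callback URL with the id token (and access token) appended
 * @throws RuntimeException if token generation fails or the client id does not belong to an OIDC service
 */
private String buildCallbackUrlForImplicitTokenResponseType(final J2EContext context, final Authentication authentication, final Service service, final String redirectUri, final String clientId, final OAuth20ResponseTypes responseType) {
    try {
        final AccessToken accessToken = generateAccessToken(service, authentication, context);
        // Tokens are bearer credentials: log that they were issued, never their value.
        LOGGER.debug("Generated OAuth access token for client [{}]", clientId);

        // Declared as Object: the generic OAuth service type is not needed here, only the
        // check that the registration is actually an OIDC one (a plain OAuth registration, or
        // no registration at all, would otherwise surface as a bare ClassCastException/NPE).
        final Object registered = OAuthUtils.getRegisteredOAuthService(this.getServicesManager(), clientId);
        if (!(registered instanceof OidcRegisteredService)) {
            throw new IllegalArgumentException("No OpenID Connect service is registered for client id [" + clientId + "]");
        }
        final OidcRegisteredService oidcService = (OidcRegisteredService) registered;

        final long timeout = casProperties.getTicket().getTgt().getTimeToKillInSeconds();
        final String idToken = this.idTokenGenerator.generate(context.getRequest(), context.getResponse(), accessToken, timeout, responseType, oidcService);
        LOGGER.debug("Generated id token for client [{}]", clientId);

        final List<NameValuePair> params = new ArrayList<>();
        params.add(new BasicNameValuePair(OidcConstants.ID_TOKEN, idToken));
        return buildCallbackUrlResponseType(authentication, service, redirectUri, accessToken, params);
    } catch (final Exception e) {
        // Checked exceptions are wrapped; runtime exceptions are rethrown as-is.
        throw Throwables.propagate(e);
    }
}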
Use of org.apereo.cas.services.OidcRegisteredService in project cas by apereo: class OidcJwksEndpointController, method handleRequestInternal.
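/**
 * Handle request for the JSON web key set (JWKS) published by this server.
 * <p>
 * The response is the server's own keystore merged with the keys of every registered OIDC
 * service that declares a {@code jwks} resource. Only the public parts of the keys are
 * serialised ({@code PUBLIC_ONLY}), so private key material never leaves the server through
 * this endpoint.
 * <p>
 * NOTE(review): {@code service.getJwks()} is whatever the service registration holds, and it is
 * resolved through the resource loader. If that value can be influenced by dynamic client
 * registration, this endpoint reads an attacker-chosen resource and publishes its public keys
 * under the issuer's JWKS; confirm the value is administrator-controlled.
 *
 * @param request the request
 * @param response the response
 * @param model the model
 * @return the JWK set as JSON, or a 400 with a generic message if it could not be produced
 * @throws Exception the exception
 */
@GetMapping(value = '/' + OidcConstants.BASE_OIDC_URL + '/' + OidcConstants.JWKS_URL, produces = MediaType.APPLICATION_JSON_VALUE)
public ResponseEntity<String> handleRequestInternal(final HttpServletRequest request, final HttpServletResponse response, final Model model) throws Exception {
    Assert.notNull(this.jwksFile, "JWKS file cannot be undefined or null.");
    try {
        final JsonWebKeySet jsonWebKeySet = readKeySet(this.jwksFile.getInputStream());
        getServicesManager().getAllServices().stream()
            .filter(s -> s instanceof OidcRegisteredService && StringUtils.isNotBlank(((OidcRegisteredService) s).getJwks()))
            .forEach(Unchecked.consumer(s -> {
                final OidcRegisteredService service = (OidcRegisteredService) s;
                final Resource resource = this.resourceLoader.getResource(service.getJwks());
                readKeySet(resource.getInputStream()).getJsonWebKeys().forEach(jsonWebKeySet::addJsonWebKey);
            }));
        final String body = jsonWebKeySet.toJson(JsonWebKey.OutputControlLevel.PUBLIC_ONLY);
        response.setContentType(MediaType.APPLICATION_JSON_VALUE);
        return new ResponseEntity<>(body, HttpStatus.OK);
    } catch (final Exception e) {
        // Full details go to the log only; the exception message may carry file paths or
        // keystore internals that an unauthenticated caller has no business seeing.
        LOGGER.error(e.getMessage(), e);
        return new ResponseEntity<>("Unable to produce the JSON web key set", HttpStatus.BAD_REQUEST);
    }
}

/**
 * Parses a JSON web key set from the given stream, taking ownership of the stream and
 * closing it. The original code left both the keystore stream and each service's resource
 * stream open; {@code IOUtils.toString} does not close what it reads.
 *
 * @param in the stream to read the JWKS JSON from; closed on return
 * @return the parsed key set
 * @throws Exception if the stream cannot be read or the JSON is not a valid key set
 */
private static JsonWebKeySet readKeySet(final java.io.InputStream in) throws Exception {
    try (java.io.InputStream stream = in) {
        return new JsonWebKeySet(IOUtils.toString(stream, StandardCharsets.UTF_8));
    }
}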