Use of org.apache.cxf.rs.security.oauth2.common.Client in project cxf by apache: class ModelEncryptionSupport, method tokenizeServerToken.
/**
 * Flattens a {@link ServerAccessToken} into the single {@code SEP}-delimited string
 * that this class later protects. The numbered comments give the position of every
 * field; that order is the on-the-wire layout and the counterpart parser presumably
 * relies on it — TODO confirm against the matching recover method before reordering.
 * <p>
 * Scalar fields pass through {@code tokenizeString} (how it represents null values or
 * values containing {@code SEP} is not visible here — confirm), while audiences,
 * parameters, HTTP verbs and URIs are written with the collection's own
 * {@code toString()}, so the parser must accept that bracketed {@code [a, b]} /
 * {@code {k=v, ...}} rendering.
 *
 * @param token the token to serialize; {@code getClient()} is dereferenced
 *              unconditionally, so a token without a client fails here
 * @return the concatenated field string
 */
private static String tokenizeServerToken(ServerAccessToken token) {
    StringBuilder state = new StringBuilder();
    // 0: key
    state.append(tokenizeString(token.getTokenKey()));
    // 1: type
    state.append(SEP);
    state.append(tokenizeString(token.getTokenType()));
    // 2: expiresIn
    state.append(SEP);
    state.append(token.getExpiresIn());
    // 3: issuedAt
    state.append(SEP);
    state.append(token.getIssuedAt());
    // 4: client id
    state.append(SEP);
    state.append(tokenizeString(token.getClient().getClientId()));
    // 5: refresh token
    state.append(SEP);
    state.append(tokenizeString(token.getRefreshToken()));
    // 6: grant type
    state.append(SEP);
    state.append(tokenizeString(token.getGrantType()));
    // 7: audience — written as the list's toString(), e.g. "[a, b]"
    state.append(SEP);
    state.append(token.getAudiences().toString());
    // 8: other parameters — written as the map's toString(), e.g. "{key=value, key=value}"
    state.append(SEP);
    state.append(token.getParameters().toString());
    // 9: permissions — a single space stands for "no scopes"; otherwise each
    // permission contributes five '.'-separated parts, and consecutive
    // permissions are concatenated with no delimiter between them (the URIs
    // rendering of one is immediately followed by the name of the next).
    state.append(SEP);
    if (token.getScopes().isEmpty()) {
        state.append(' ');
    } else {
        for (OAuthPermission p : token.getScopes()) {
            // 9.1: permission name
            state.append(tokenizeString(p.getPermission()));
            state.append('.');
            // 9.2: description
            state.append(tokenizeString(p.getDescription()));
            state.append('.');
            // 9.3: default-permission flag
            state.append(p.isDefaultPermission());
            state.append('.');
            // 9.4: HTTP verbs — collection toString()
            state.append(p.getHttpVerbs().toString());
            state.append('.');
            // 9.5: URIs — collection toString(), no trailing '.'
            state.append(p.getUris().toString());
        }
    }
    state.append(SEP);
    // 10: code verifier
    state.append(tokenizeString(token.getClientCodeVerifier()));
    state.append(SEP);
    // 11: user subject — appended directly by the helper, including any internal separators
    tokenizeUserSubject(state, token.getSubject());
    // 13: extra properties — no field 12 is written here; presumably
    // tokenizeUserSubject occupies positions 11-12 — confirm
    state.append(SEP);
    // {key=value, key=value}
    state.append(token.getExtraProperties().toString());
    return state.toString();
}
Use of org.apache.cxf.rs.security.oauth2.common.Client in project cxf by apache: class AbstractOAuthDataProvider, method doRefreshAccessToken.
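/**
 * Issues a new access token in exchange for an existing refresh token, carrying over the
 * grant type, grant code, subject, nonce, code verifier, audiences and extra properties.
 * <p>
 * Scope handling: when {@code restrictedScopes} is empty (or null) the refresh token's
 * scopes are copied as-is. Otherwise the requested scopes are converted to permissions
 * and accepted only if every one of them is already held by the refresh token — a
 * refresh may narrow scope but never widen it. A refresh token whose scope list is
 * {@code null} therefore cannot satisfy a non-empty request and is rejected rather than
 * dereferenced (the empty-request branch already tolerated the null list).
 *
 * @param client the client presenting the refresh token
 * @param oldRefreshToken the refresh token being exchanged
 * @param restrictedScopes scopes requested for the new token; empty or null means "same as before"
 * @return the new access token; encoded as a JWT when {@code isUseJwtFormatForAccessTokens()} is set
 * @throws OAuthServiceException if the requested scopes are not a subset of the refresh token's scopes
 */
protected ServerAccessToken doRefreshAccessToken(Client client, RefreshToken oldRefreshToken,
                                                 List<String> restrictedScopes) {
    ServerAccessToken at = createNewAccessToken(client, oldRefreshToken.getSubject());
    // Copy the list so the two tokens never share a mutable audience list.
    at.setAudiences(oldRefreshToken.getAudiences() != null
        ? new ArrayList<>(oldRefreshToken.getAudiences()) : null);
    at.setGrantType(oldRefreshToken.getGrantType());
    at.setGrantCode(oldRefreshToken.getGrantCode());
    at.setSubject(oldRefreshToken.getSubject());
    at.setNonce(oldRefreshToken.getNonce());
    at.setClientCodeVerifier(oldRefreshToken.getClientCodeVerifier());
    at.getExtraProperties().putAll(oldRefreshToken.getExtraProperties());

    List<OAuthPermission> oldScopes = oldRefreshToken.getScopes();
    if (restrictedScopes == null || restrictedScopes.isEmpty()) {
        at.setScopes(oldScopes != null ? new ArrayList<>(oldScopes) : null);
    } else {
        List<OAuthPermission> theNewScopes = convertScopeToPermissions(client, restrictedScopes);
        // Subset check relies on OAuthPermission equality (presumably by permission
        // name — confirm); a null scope list on the old token can never contain the
        // requested permissions, so it is rejected the same way.
        if (oldScopes == null || !oldScopes.containsAll(theNewScopes)) {
            throw new OAuthServiceException("Invalid scopes");
        }
        at.setScopes(theNewScopes);
    }

    if (isUseJwtFormatForAccessTokens()) {
        JwtClaims claims = createJwtAccessToken(at);
        String jose = processJwtAccessToken(claims);
        // Either the JOSE string becomes the token key itself or it is kept only
        // as the encoded representation, depending on the persistence setting.
        if (isPersistJwtEncoding()) {
            at.setTokenKey(jose);
        } else {
            at.setEncodedToken(jose);
        }
    }
    return at;
}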
Use of org.apache.cxf.rs.security.oauth2.common.Client in project cxf by apache: class AbstractOAuthDataProvider, method createJwtAccessToken.
/**
 * Maps a server access token onto the JWT claim set used for JWT-formatted access tokens.
 * <p>
 * Emitted claims, in order: token id; client id (claim name taken from the claim map,
 * defaulting to {@code client_id}); iat and, when {@code expiresIn > 0}, exp; subject and
 * username when a user subject is present; issuer; {@code scope} (rfc8693 section 4.2);
 * {@code aud} as a single string for one audience or a list otherwise; a {@code cnf}
 * claim for an x5t#S256 extra property with every other extra property copied verbatim
 * under {@code extra_properties}; and finally grant type, grant code, code verifier and
 * nonce when set. Note that everything placed in the token's extra properties (other
 * than the thumbprint) is therefore reproduced inside the issued token.
 *
 * @param at the token whose state is to be expressed as claims
 * @return the populated claim set
 */
protected JwtClaims createJwtAccessToken(ServerAccessToken at) {
    JwtClaims claims = new JwtClaims();
    claims.setTokenId(at.getTokenKey());

    // 'client_id' unless remapped (e.g. to 'cid') through the claim map.
    String clientIdClaim = JwtTokenUtils.getClaimName(OAuthConstants.CLIENT_ID,
            OAuthConstants.CLIENT_ID, getJwtAccessTokenClaimMap());
    claims.setClaim(clientIdClaim, at.getClient().getClientId());

    claims.setIssuedAt(at.getIssuedAt());
    if (at.getExpiresIn() > 0) {
        claims.setExpiryTime(at.getIssuedAt() + at.getExpiresIn());
    }

    addJwtSubjectClaims(claims, at.getSubject());

    if (at.getIssuer() != null) {
        claims.setIssuer(at.getIssuer());
    }
    if (!at.getScopes().isEmpty()) {
        // rfc8693, section 4.2: space-separated scope string
        claims.setClaim(OAuthConstants.SCOPE,
                OAuthUtils.convertListOfScopesToString(
                        OAuthUtils.convertPermissionsToScopeList(at.getScopes())));
    }

    // OAuth2 resource indicators (resource server audience)
    addJwtAudienceClaims(claims, at.getAudiences());
    addJwtExtraPropertyClaims(claims, at.getExtraProperties());

    // Lets the RS (or anyone else) see which grant produced this token.
    if (at.getGrantType() != null) {
        claims.setClaim(OAuthConstants.GRANT_TYPE, at.getGrantType());
    }
    // Present only when the code flow was used.
    if (at.getGrantCode() != null) {
        claims.setClaim(OAuthConstants.AUTHORIZATION_CODE_GRANT, at.getGrantCode());
    }
    // Identifies the client instance that holds the token - may be useful at the RS.
    if (at.getClientCodeVerifier() != null) {
        claims.setClaim(OAuthConstants.AUTHORIZATION_CODE_VERIFIER, at.getClientCodeVerifier());
    }
    if (at.getNonce() != null) {
        claims.setClaim(OAuthConstants.NONCE, at.getNonce());
    }
    return claims;
}

/** Adds 'sub' (when the subject has an id) and the username claim for a non-null subject. */
private void addJwtSubjectClaims(JwtClaims claims, UserSubject userSubject) {
    if (userSubject == null) {
        return;
    }
    if (userSubject.getId() != null) {
        claims.setSubject(userSubject.getId());
    }
    // 'username' by default, to stay consistent with the token introspection response.
    final String usernameProp = "username";
    String usernameClaim = JwtTokenUtils.getClaimName(usernameProp, usernameProp,
            getJwtAccessTokenClaimMap());
    claims.setClaim(usernameClaim, userSubject.getLogin());
}

/** Sets 'aud' as a plain string for exactly one audience, as a list for several, nothing for none. */
private static void addJwtAudienceClaims(JwtClaims claims, List<String> resourceAudiences) {
    if (resourceAudiences.isEmpty()) {
        return;
    }
    if (resourceAudiences.size() == 1) {
        claims.setAudience(resourceAudiences.get(0));
    } else {
        claims.setAudiences(resourceAudiences);
    }
}

/**
 * Splits the extra properties into the x5t#S256 thumbprint, which becomes the 'cnf'
 * claim, and everything else, which is copied under 'extra_properties'.
 */
private static void addJwtExtraPropertyClaims(JwtClaims claims, Map<String, String> extraProps) {
    if (extraProps.isEmpty()) {
        return;
    }
    Map<String, String> actualExtraProps = new HashMap<>(extraProps);
    // containsKey (not a null check on the value) so that a present-but-null
    // thumbprint is still moved into 'cnf' rather than left among the extras.
    if (actualExtraProps.containsKey(JoseConstants.HEADER_X509_THUMBPRINT_SHA256)) {
        claims.setClaim(JwtConstants.CLAIM_CONFIRMATION,
                Collections.singletonMap(JoseConstants.HEADER_X509_THUMBPRINT_SHA256,
                        actualExtraProps.remove(JoseConstants.HEADER_X509_THUMBPRINT_SHA256)));
    }
    claims.setClaim("extra_properties", actualExtraProps);
}
Use of org.apache.cxf.rs.security.oauth2.common.Client in project cxf by apache: class AbstractOAuthDataProvider, method removeClient.
/**
 * Removes the client with the given id together with every token issued to it.
 * <p>
 * Tokens are revoked before the client record is deleted, so a failure in between
 * leaves a client without tokens rather than orphaned tokens without a client.
 *
 * @param clientId id of the client to delete
 * @return the client as returned by {@code doGetClient(clientId)}; presumably
 *         {@code null} when unknown (as {@code getClient} assumes) — how the two
 *         remove hooks treat a null client is not visible here
 */
@Override
public Client removeClient(String clientId) {
    final Client client = doGetClient(clientId);
    removeClientTokens(client);
    doRemoveClient(client);
    return client;
}
Use of org.apache.cxf.rs.security.oauth2.common.Client in project cxf by apache: class AbstractOAuthDataProvider, method getClient.
/**
 * Resolves a client by id. A registered client always wins; only when none exists
 * and the current request is a {@code client_credentials} grant that carries a
 * client secret is a client synthesized via {@code createClientCredentialsClient}.
 *
 * @param clientId the client id presented by the caller
 * @return the registered client, a client built for the client_credentials grant,
 *         or {@code null} when neither applies
 */
@Override
public Client getClient(String clientId) {
    final Client registered = doGetClient(clientId);
    if (registered == null
        && OAuthConstants.CLIENT_CREDENTIALS_GRANT.equals(getCurrentRequestedGrantType())) {
        final String presentedSecret = getCurrentClientSecret();
        if (presentedSecret != null) {
            // This branch admits a client id that was never registered. Whether
            // createClientCredentialsClient validates the secret or merely records it
            // is not visible here; providers overriding it should confirm the
            // resulting client is constrained to the client_credentials grant.
            return createClientCredentialsClient(clientId, presentedSecret);
        }
    }
    return registered;
}