use of org.apache.cxf.rs.security.oauth2.common.ServerAccessToken in project cxf by apache.
the class AbstractOAuthDataProvider method doRefreshAccessToken.
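/**
 * Builds the access token issued in exchange for {@code oldRefreshToken}.
 * <p>
 * The new token carries the refresh token's grant context (subject, audiences, grant
 * type and code, nonce, PKCE verifier, extra properties). Its scopes are either the
 * refresh token's own scopes (no restriction requested) or the requested subset, which
 * must be contained in the originally granted set: anything wider is rejected so a
 * refresh can never escalate privileges (RFC 6749, section 6).
 *
 * @param client the client presenting the refresh token
 * @param oldRefreshToken the refresh token being exchanged
 * @param restrictedScopes scopes requested for the new token; empty or {@code null}
 *        means "same scopes as the refresh token"
 * @return the new access token; JWT-encoded when {@link #isUseJwtFormatForAccessTokens()} is set
 * @throws OAuthServiceException if a requested scope was not part of the original grant,
 *         or scopes were requested but the refresh token records none
 */
protected ServerAccessToken doRefreshAccessToken(Client client, RefreshToken oldRefreshToken,
        List<String> restrictedScopes) {
    ServerAccessToken at = createNewAccessToken(client, oldRefreshToken.getSubject());
    // Copy rather than share the mutable list so later edits to the refresh token do not leak into this token.
    List<String> oldAudiences = oldRefreshToken.getAudiences();
    at.setAudiences(oldAudiences != null ? new ArrayList<>(oldAudiences) : null);
    at.setGrantType(oldRefreshToken.getGrantType());
    at.setGrantCode(oldRefreshToken.getGrantCode());
    at.setSubject(oldRefreshToken.getSubject());
    at.setNonce(oldRefreshToken.getNonce());
    at.setClientCodeVerifier(oldRefreshToken.getClientCodeVerifier());
    at.getExtraProperties().putAll(oldRefreshToken.getExtraProperties());

    List<OAuthPermission> oldScopes = oldRefreshToken.getScopes();
    if (restrictedScopes == null || restrictedScopes.isEmpty()) {
        at.setScopes(oldScopes != null ? new ArrayList<>(oldScopes) : null);
    } else {
        List<OAuthPermission> theNewScopes = convertScopeToPermissions(client, restrictedScopes);
        // Fail closed: with no recorded scopes there is nothing to narrow, and a requested
        // scope outside the original grant is an error rather than a silent widening.
        if (oldScopes == null || !oldScopes.containsAll(theNewScopes)) {
            throw new OAuthServiceException("Invalid scopes");
        }
        at.setScopes(theNewScopes);
    }

    if (isUseJwtFormatForAccessTokens()) {
        JwtClaims claims = createJwtAccessToken(at);
        String jose = processJwtAccessToken(claims);
        // Either the JOSE string becomes the token key itself, or it is kept alongside the key.
        if (isPersistJwtEncoding()) {
            at.setTokenKey(jose);
        } else {
            at.setEncodedToken(jose);
        }
    }
    return at;
}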
use of org.apache.cxf.rs.security.oauth2.common.ServerAccessToken in project cxf by apache.
the class AbstractOAuthDataProvider method createJwtAccessToken.
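/**
 * Maps a server access token onto the claim set of a JWT-formatted access token.
 * <p>
 * Claim names for the client id and username can be remapped through
 * {@link #getJwtAccessTokenClaimMap()}. Scopes are emitted as a space-separated
 * {@code scope} claim, audiences as {@code aud}, and a certificate thumbprint stored
 * under the {@code x5t#S256} extra property is moved into the {@code cnf} claim
 * (certificate-bound token, see RFC 8705) instead of being exposed as an extra property.
 * Null scope or audience lists are treated the same as empty ones, which is what
 * {@code doRefreshAccessToken} may hand in.
 *
 * @param at the token whose state is to be represented as claims
 * @return the populated claims; never {@code null}
 */
protected JwtClaims createJwtAccessToken(ServerAccessToken at) {
    JwtClaims claims = new JwtClaims();
    claims.setTokenId(at.getTokenKey());
    // 'client_id' or 'cid', default client_id
    String clientIdClaimName = JwtTokenUtils.getClaimName(OAuthConstants.CLIENT_ID, OAuthConstants.CLIENT_ID,
            getJwtAccessTokenClaimMap());
    claims.setClaim(clientIdClaimName, at.getClient().getClientId());
    claims.setIssuedAt(at.getIssuedAt());
    if (at.getExpiresIn() > 0) {
        // Non-positive expiresIn means "no expiry claim", not "already expired".
        claims.setExpiryTime(at.getIssuedAt() + at.getExpiresIn());
    }
    UserSubject userSubject = at.getSubject();
    if (userSubject != null) {
        if (userSubject.getId() != null) {
            claims.setSubject(userSubject.getId());
        }
        // 'username' by default to be consistent with the token introspection response
        final String usernameProp = "username";
        String usernameClaimName = JwtTokenUtils.getClaimName(usernameProp, usernameProp,
                getJwtAccessTokenClaimMap());
        claims.setClaim(usernameClaimName, userSubject.getLogin());
    }
    if (at.getIssuer() != null) {
        claims.setIssuer(at.getIssuer());
    }
    List<OAuthPermission> scopes = at.getScopes();
    if (scopes != null && !scopes.isEmpty()) {
        // rfc8693, section 4.2
        claims.setClaim(OAuthConstants.SCOPE,
                OAuthUtils.convertListOfScopesToString(OAuthUtils.convertPermissionsToScopeList(scopes)));
    }
    // OAuth2 resource indicators (resource server audience)
    List<String> resourceAudiences = at.getAudiences();
    if (resourceAudiences != null && !resourceAudiences.isEmpty()) {
        if (resourceAudiences.size() == 1) {
            claims.setAudience(resourceAudiences.get(0));
        } else {
            claims.setAudiences(resourceAudiences);
        }
    }
    Map<String, String> extraProps = at.getExtraProperties();
    if (!extraProps.isEmpty()) {
        Map<String, String> actualExtraProps = new HashMap<>();
        for (Map.Entry<String, String> entry : extraProps.entrySet()) {
            if (JoseConstants.HEADER_X509_THUMBPRINT_SHA256.equals(entry.getKey())) {
                // Certificate thumbprint binds the token to the client certificate: 'cnf' claim, not a plain property.
                claims.setClaim(JwtConstants.CLAIM_CONFIRMATION,
                        Collections.singletonMap(JoseConstants.HEADER_X509_THUMBPRINT_SHA256, entry.getValue()));
            } else {
                actualExtraProps.put(entry.getKey(), entry.getValue());
            }
        }
        claims.setClaim("extra_properties", actualExtraProps);
    }
    // Can be used to check at RS/etc which grant was used to get this token issued
    if (at.getGrantType() != null) {
        claims.setClaim(OAuthConstants.GRANT_TYPE, at.getGrantType());
    }
    // code flow was used
    if (at.getGrantCode() != null) {
        claims.setClaim(OAuthConstants.AUTHORIZATION_CODE_GRANT, at.getGrantCode());
    }
    // to have a knowledge which client instance is using this token - might be handy at the RS/etc
    if (at.getClientCodeVerifier() != null) {
        claims.setClaim(OAuthConstants.AUTHORIZATION_CODE_VERIFIER, at.getClientCodeVerifier());
    }
    if (at.getNonce() != null) {
        claims.setClaim(OAuthConstants.NONCE, at.getNonce());
    }
    return claims;
}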
use of org.apache.cxf.rs.security.oauth2.common.ServerAccessToken in project cxf by apache.
the class AbstractOAuthDataProvider method doCreateAccessToken.
/**
 * Creates a fresh access token from an approved token registration.
 * <p>
 * Everything the authorization step recorded (client, subject, approved scopes,
 * audiences, grant type/code, nonce, PKCE verifier, response type, extra properties)
 * is transferred onto the token. When the current message context carries a client
 * certificate thumbprint it is stored as an extra property so the token becomes
 * certificate-bound when rendered as a JWT.
 *
 * @param atReg the approved registration describing the token to create
 * @return the new access token; JWT-encoded when {@link #isUseJwtFormatForAccessTokens()} is set
 */
protected ServerAccessToken doCreateAccessToken(AccessTokenRegistration atReg) {
    Client client = atReg.getClient();
    ServerAccessToken token = createNewAccessToken(client, atReg.getSubject());

    // Approved scope strings are resolved to the client's permissions before being stored.
    List<String> approvedScopes = atReg.getApprovedScope();
    token.setScopes(convertScopeToPermissions(client, approvedScopes));

    token.setSubject(atReg.getSubject());
    token.setAudiences(atReg.getAudiences());
    token.setGrantType(atReg.getGrantType());
    token.setGrantCode(atReg.getGrantCode());
    token.setResponseType(atReg.getResponseType());
    token.setNonce(atReg.getNonce());
    token.setClientCodeVerifier(atReg.getClientCodeVerifier());
    token.getExtraProperties().putAll(atReg.getExtraProperties());

    if (messageContext != null) {
        String thumbprint = (String) messageContext.get(JoseConstants.HEADER_X509_THUMBPRINT_SHA256);
        if (thumbprint != null) {
            // At a later stage we will likely introduce a dedicated Confirmation bean (as it is used in POP etc)
            token.getExtraProperties().put(JoseConstants.HEADER_X509_THUMBPRINT_SHA256, thumbprint);
        }
    }

    if (isUseJwtFormatForAccessTokens()) {
        String jose = processJwtAccessToken(createJwtAccessToken(token));
        // Either the JOSE string becomes the token key itself, or it is kept alongside the key.
        if (isPersistJwtEncoding()) {
            token.setTokenKey(jose);
        } else {
            token.setEncodedToken(jose);
        }
    }
    return token;
}
use of org.apache.cxf.rs.security.oauth2.common.ServerAccessToken in project cxf by apache.
the class RefreshTokenGrantHandler method createAccessToken.
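/**
 * Handles the {@code refresh_token} grant: exchanges the presented refresh token for a
 * new access token, optionally narrowed to the requested scopes.
 * <p>
 * A request without a {@code refresh_token} parameter is rejected up front with
 * {@code invalid_grant}, in line with the other grant handlers, instead of being passed
 * to the data provider as a {@code null} key.
 *
 * @param client the authenticated client making the token request
 * @param params the token endpoint form parameters
 * @return the new access token, with its grant type set to the refresh token grant
 * @throws OAuthServiceException if the refresh token is missing, unknown, or the
 *         requested scopes are not permitted
 */
public ServerAccessToken createAccessToken(Client client, MultivaluedMap<String, String> params)
    throws OAuthServiceException {
    String refreshToken = params.getFirst(OAuthConstants.REFRESH_TOKEN);
    if (refreshToken == null) {
        throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
    }
    // Requested scopes are validated against the client's allowed scopes before the provider sees them.
    List<String> requestedScopes = OAuthUtils.getRequestedScopes(client, params.getFirst(OAuthConstants.SCOPE),
            useAllClientScopes, partialMatchScopeValidation, false);
    final ServerAccessToken st = dataProvider.refreshAccessToken(client, refreshToken, requestedScopes);
    st.setGrantType(OAuthConstants.REFRESH_TOKEN_GRANT);
    return st;
}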
use of org.apache.cxf.rs.security.oauth2.common.ServerAccessToken in project cxf by apache.
the class JwtBearerGrantHandler method createAccessToken.
/**
 * Handles the JWT bearer grant: verifies the presented assertion's signature and claims,
 * then issues an access token for the assertion's subject.
 * <p>
 * Any failure while reading or validating the assertion surfaces as
 * {@code invalid_grant}; an {@code OAuthServiceException} raised by the validation
 * helpers is propagated unchanged so its own error code is kept.
 *
 * @param client the authenticated client making the token request
 * @param params the token endpoint form parameters
 * @return the issued access token
 * @throws OAuthServiceException if the assertion is absent, unreadable, badly signed or has invalid claims
 */
@Override
public ServerAccessToken createAccessToken(Client client, MultivaluedMap<String, String> params)
    throws OAuthServiceException {
    String assertion = params.getFirst(Constants.CLIENT_GRANT_ASSERTION_PARAM);
    if (assertion == null) {
        throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
    }
    try {
        JwsJwtCompactConsumer consumer = getJwsReader(assertion);
        JwtToken token = consumer.getJwtToken();
        // Signature first, then claims: nothing from an unverified assertion is trusted.
        JwsHeaders headers = new JwsHeaders(token.getJwsHeaders());
        validateSignature(headers, consumer.getUnsignedEncodedSequence(), consumer.getDecodedSignature());
        validateClaims(client, token.getClaims());

        UserSubject subject = new UserSubject(token.getClaims().getSubject());
        List<String> scopes = OAuthUtils.parseScope(params.getFirst(OAuthConstants.SCOPE));
        return doCreateAccessToken(client, subject, Constants.JWT_BEARER_GRANT, scopes);
    } catch (OAuthServiceException ex) {
        throw ex;
    } catch (Exception ex) {
        throw new OAuthServiceException(OAuthConstants.INVALID_GRANT, ex);
    }
}