Search in sources :

Example 46 with UserSubject

use of org.apache.cxf.rs.security.oauth2.common.UserSubject in project cxf by apache.

the class DirectAuthorizationService method authorize.

@POST
@Consumes("application/x-www-form-urlencoded")
@Produces("text/html")
public Response authorize(MultivaluedMap<String, String> params) {
    SecurityContext sc = getAndValidateSecurityContext(params);
    Client client = getClient(params);
    // Create a UserSubject representing the end user
    UserSubject userSubject = createUserSubject(sc, params);
    AccessTokenRegistration reg = new AccessTokenRegistration();
    reg.setClient(client);
    reg.setGrantType(OAuthConstants.DIRECT_TOKEN_GRANT);
    reg.setSubject(userSubject);
    String providedScope = params.getFirst(OAuthConstants.SCOPE);
    List<String> requestedScope = OAuthUtils.getRequestedScopes(client, providedScope, useAllClientScopes, partialMatchScopeValidation);
    reg.setRequestedScope(requestedScope);
    reg.setApprovedScope(requestedScope);
    ServerAccessToken token = getDataProvider().createAccessToken(reg);
    ClientAccessToken clientToken = OAuthUtils.toClientAccessToken(token, isWriteOptionalParameters());
    return Response.ok(clientToken).build();
}
Also used : ServerAccessToken(org.apache.cxf.rs.security.oauth2.common.ServerAccessToken) UserSubject(org.apache.cxf.rs.security.oauth2.common.UserSubject) ClientAccessToken(org.apache.cxf.rs.security.oauth2.common.ClientAccessToken) SecurityContext(org.apache.cxf.security.SecurityContext) Client(org.apache.cxf.rs.security.oauth2.common.Client) AccessTokenRegistration(org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration) POST(javax.ws.rs.POST) Consumes(javax.ws.rs.Consumes) Produces(javax.ws.rs.Produces)

Example 47 with UserSubject

use of org.apache.cxf.rs.security.oauth2.common.UserSubject in project cxf by apache.

the class DirectAuthorizationService method createUserSubject.

protected UserSubject createUserSubject(SecurityContext securityContext, MultivaluedMap<String, String> params) {
    UserSubject subject = null;
    if (subjectCreator != null) {
        subject = subjectCreator.createUserSubject(getMessageContext(), params);
        if (subject != null) {
            return subject;
        }
    }
    subject = getMessageContext().getContent(UserSubject.class);
    if (subject != null) {
        return subject;
    }
    return OAuthUtils.createSubject(securityContext);
}
Also used : UserSubject(org.apache.cxf.rs.security.oauth2.common.UserSubject)

Example 48 with UserSubject

use of org.apache.cxf.rs.security.oauth2.common.UserSubject in project cxf by apache.

the class ImplicitGrantService method createAuthorizationData.

@Override
protected OAuthAuthorizationData createAuthorizationData(Client client, MultivaluedMap<String, String> params, String redirectUri, UserSubject subject, List<OAuthPermission> requestedPerms, List<OAuthPermission> alreadyAuthorizedPerms, boolean authorizationCanBeSkipped) {
    OAuthAuthorizationData data = super.createAuthorizationData(client, params, redirectUri, subject, requestedPerms, alreadyAuthorizedPerms, authorizationCanBeSkipped);
    data.setImplicitFlow(true);
    return data;
}
Also used : OAuthAuthorizationData(org.apache.cxf.rs.security.oauth2.common.OAuthAuthorizationData)

Example 49 with UserSubject

use of org.apache.cxf.rs.security.oauth2.common.UserSubject in project cxf by apache.

the class RedirectionBasedGrantService method createAuthorizationData.

/**
 * Create the authorization challenge data
 */
protected OAuthAuthorizationData createAuthorizationData(Client client, MultivaluedMap<String, String> params, String redirectUri, UserSubject subject, List<OAuthPermission> requestedPerms, List<OAuthPermission> alreadyAuthorizedPerms, boolean authorizationCanBeSkipped) {
    OAuthAuthorizationData secData = new OAuthAuthorizationData();
    secData.setState(params.getFirst(OAuthConstants.STATE));
    secData.setRedirectUri(redirectUri);
    secData.setAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE));
    secData.setNonce(params.getFirst(OAuthConstants.NONCE));
    secData.setClientId(client.getClientId());
    secData.setResponseType(params.getFirst(OAuthConstants.RESPONSE_TYPE));
    if (requestedPerms != null && !requestedPerms.isEmpty()) {
        StringBuilder builder = new StringBuilder();
        for (OAuthPermission perm : requestedPerms) {
            builder.append(perm.getPermission() + " ");
        }
        secData.setProposedScope(builder.toString().trim());
    }
    if (!authorizationCanBeSkipped) {
        secData.setPermissions(requestedPerms);
        secData.setAlreadyAuthorizedPermissions(alreadyAuthorizedPerms);
        secData.setHidePreauthorizedScopesInForm(hidePreauthorizedScopesInForm);
        secData.setApplicationName(client.getApplicationName());
        secData.setApplicationWebUri(client.getApplicationWebUri());
        secData.setApplicationDescription(client.getApplicationDescription());
        secData.setApplicationLogoUri(client.getApplicationLogoUri());
        secData.setApplicationCertificates(client.getApplicationCertificates());
        Map<String, String> extraProperties = client.getProperties();
        secData.setExtraApplicationProperties(extraProperties);
        secData.setApplicationRegisteredDynamically(client.isRegisteredDynamically());
        secData.setSupportSinglePageApplications(supportSinglePageApplications);
        String replyTo = getMessageContext().getUriInfo().getAbsolutePathBuilder().path("decision").build().toString();
        secData.setReplyTo(replyTo);
        personalizeData(secData, subject);
        addAuthenticityTokenToSession(secData, params, subject);
    }
    return secData;
}
Also used : OAuthPermission(org.apache.cxf.rs.security.oauth2.common.OAuthPermission) OAuthAuthorizationData(org.apache.cxf.rs.security.oauth2.common.OAuthAuthorizationData)

Example 50 with UserSubject

use of org.apache.cxf.rs.security.oauth2.common.UserSubject in project cxf by apache.

the class JwtTokenUtils method createAccessTokenFromJwt.

public static ServerAccessToken createAccessTokenFromJwt(JoseJwtConsumer consumer, String jose, ClientRegistrationProvider clientProvider, Map<String, String> claimsMap) {
    JwtClaims claims = consumer.getJwtToken(jose).getClaims();
    // 'client_id' or 'cid', default client_id
    String clientIdClaimName = JwtTokenUtils.getClaimName(OAuthConstants.CLIENT_ID, OAuthConstants.CLIENT_ID, claimsMap);
    String clientId = claims.getStringProperty(clientIdClaimName);
    Client c = clientProvider.getClient(clientId);
    long issuedAt = claims.getIssuedAt();
    long lifetime = claims.getExpiryTime() - issuedAt;
    BearerAccessToken at = new BearerAccessToken(c, jose, lifetime, issuedAt);
    List<String> audiences = claims.getAudiences();
    if (audiences != null && !audiences.isEmpty()) {
        at.setAudiences(claims.getAudiences());
    }
    String issuer = claims.getIssuer();
    if (issuer != null) {
        at.setIssuer(issuer);
    }
    Object scope = claims.getClaim(OAuthConstants.SCOPE);
    if (scope != null) {
        String[] scopes = scope instanceof String ? scope.toString().split(" ") : CastUtils.cast((List<?>) scope).toArray(new String[] {});
        List<OAuthPermission> perms = new LinkedList<OAuthPermission>();
        for (String s : scopes) {
            if (!StringUtils.isEmpty(s)) {
                perms.add(new OAuthPermission(s.trim()));
            }
        }
        at.setScopes(perms);
    }
    final String usernameProp = "username";
    String usernameClaimName = JwtTokenUtils.getClaimName(usernameProp, usernameProp, claimsMap);
    String username = claims.getStringProperty(usernameClaimName);
    String subject = claims.getSubject();
    if (username != null) {
        UserSubject userSubject = new UserSubject(username);
        if (subject != null) {
            userSubject.setId(subject);
        }
        at.setSubject(userSubject);
    } else if (subject != null) {
        at.setSubject(new UserSubject(subject));
    }
    String grantType = claims.getStringProperty(OAuthConstants.GRANT_TYPE);
    if (grantType != null) {
        at.setGrantType(grantType);
    }
    String grantCode = claims.getStringProperty(OAuthConstants.AUTHORIZATION_CODE_GRANT);
    if (grantCode != null) {
        at.setGrantCode(grantCode);
    }
    String codeVerifier = claims.getStringProperty(OAuthConstants.AUTHORIZATION_CODE_VERIFIER);
    if (codeVerifier != null) {
        at.setClientCodeVerifier(codeVerifier);
    }
    String nonce = claims.getStringProperty(OAuthConstants.NONCE);
    if (nonce != null) {
        at.setNonce(nonce);
    }
    Map<String, String> extraProperties = CastUtils.cast((Map<?, ?>) claims.getClaim("extra_properties"));
    if (extraProperties != null) {
        at.getExtraProperties().putAll(extraProperties);
        Map<String, Object> cnfClaim = CastUtils.cast((Map<?, ?>) claims.getClaim(JwtConstants.CLAIM_CONFIRMATION));
        if (cnfClaim != null) {
            Object certCnf = cnfClaim.get(JoseConstants.HEADER_X509_THUMBPRINT_SHA256);
            if (certCnf != null) {
                at.getExtraProperties().put(JoseConstants.HEADER_X509_THUMBPRINT_SHA256, certCnf.toString());
            }
        }
    }
    return at;
}
Also used : OAuthPermission(org.apache.cxf.rs.security.oauth2.common.OAuthPermission) JwtClaims(org.apache.cxf.rs.security.jose.jwt.JwtClaims) LinkedList(java.util.LinkedList) UserSubject(org.apache.cxf.rs.security.oauth2.common.UserSubject) BearerAccessToken(org.apache.cxf.rs.security.oauth2.tokens.bearer.BearerAccessToken) Client(org.apache.cxf.rs.security.oauth2.common.Client)

Aggregations

UserSubject (org.apache.cxf.rs.security.oauth2.common.UserSubject)29 Client (org.apache.cxf.rs.security.oauth2.common.Client)17 ServerAccessToken (org.apache.cxf.rs.security.oauth2.common.ServerAccessToken)10 OAuthServiceException (org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException)8 ArrayList (java.util.ArrayList)7 OAuthPermission (org.apache.cxf.rs.security.oauth2.common.OAuthPermission)7 AccessTokenRegistration (org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration)6 LinkedList (java.util.LinkedList)5 ServerAuthorizationCodeGrant (org.apache.cxf.rs.security.oauth2.grants.code.ServerAuthorizationCodeGrant)5 SecurityContext (org.apache.cxf.security.SecurityContext)5 ClientAccessToken (org.apache.cxf.rs.security.oauth2.common.ClientAccessToken)4 OAuthAuthorizationData (org.apache.cxf.rs.security.oauth2.common.OAuthAuthorizationData)4 Principal (java.security.Principal)3 Map (java.util.Map)3 Message (org.apache.cxf.message.Message)3 Test (org.junit.Test)3 ByteArrayInputStream (java.io.ByteArrayInputStream)2 IOException (java.io.IOException)2 Instant (java.time.Instant)2 HashMap (java.util.HashMap)2