Example 6 with UserSubject
use of org.apache.cxf.rs.security.oauth2.common.UserSubject in project cxf by apache.
the class AbstractOAuthDataProvider method createJwtAccessToken.
protected JwtClaims createJwtAccessToken(ServerAccessToken at) {
JwtClaims claims = new JwtClaims();
claims.setTokenId(at.getTokenKey());
// 'client_id' or 'cid', default client_id
String clientIdClaimName = JwtTokenUtils.getClaimName(OAuthConstants.CLIENT_ID, OAuthConstants.CLIENT_ID, getJwtAccessTokenClaimMap());
claims.setClaim(clientIdClaimName, at.getClient().getClientId());
claims.setIssuedAt(at.getIssuedAt());
if (at.getExpiresIn() > 0) {
claims.setExpiryTime(at.getIssuedAt() + at.getExpiresIn());
}
UserSubject userSubject = at.getSubject();
if (userSubject != null) {
if (userSubject.getId() != null) {
claims.setSubject(userSubject.getId());
}
// 'username' by default to be consistent with the token introspection response
final String usernameProp = "username";
String usernameClaimName = JwtTokenUtils.getClaimName(usernameProp, usernameProp, getJwtAccessTokenClaimMap());
claims.setClaim(usernameClaimName, userSubject.getLogin());
}
if (at.getIssuer() != null) {
claims.setIssuer(at.getIssuer());
}
if (!at.getScopes().isEmpty()) {
claims.setClaim(OAuthConstants.SCOPE, OAuthUtils.convertPermissionsToScopeList(at.getScopes()));
}
// OAuth2 resource indicators (resource server audience)
if (!at.getAudiences().isEmpty()) {
List<String> resourceAudiences = at.getAudiences();
if (resourceAudiences.size() == 1) {
claims.setAudience(resourceAudiences.get(0));
} else {
claims.setAudiences(resourceAudiences);
}
}
if (!at.getExtraProperties().isEmpty()) {
Map<String, String> actualExtraProps = new HashMap<String, String>();
for (Map.Entry<String, String> entry : at.getExtraProperties().entrySet()) {
if (JoseConstants.HEADER_X509_THUMBPRINT_SHA256.equals(entry.getKey())) {
claims.setClaim(JwtConstants.CLAIM_CONFIRMATION, Collections.singletonMap(JoseConstants.HEADER_X509_THUMBPRINT_SHA256, entry.getValue()));
} else {
actualExtraProps.put(entry.getKey(), entry.getValue());
}
}
claims.setClaim("extra_properties", actualExtraProps);
}
// Can be used to check at RS/etc which grant was used to get this token issued
if (at.getGrantType() != null) {
claims.setClaim(OAuthConstants.GRANT_TYPE, at.getGrantType());
}
// code flow was used
if (at.getGrantCode() != null) {
claims.setClaim(OAuthConstants.AUTHORIZATION_CODE_GRANT, at.getGrantCode());
}
// to have a knowledge which client instance is using this token - might be handy at the RS/etc
if (at.getClientCodeVerifier() != null) {
claims.setClaim(OAuthConstants.AUTHORIZATION_CODE_VERIFIER, at.getClientCodeVerifier());
}
if (at.getNonce() != null) {
claims.setClaim(OAuthConstants.NONCE, at.getNonce());
}
return claims;
}
Also used :
UserSubject(org.apache.cxf.rs.security.oauth2.common.UserSubject)
JwtClaims(org.apache.cxf.rs.security.jose.jwt.JwtClaims)
HashMap(java.util.HashMap)
HashMap(java.util.HashMap)
MultivaluedMap(javax.ws.rs.core.MultivaluedMap)
Map(java.util.Map)
Example 7 with UserSubject
use of org.apache.cxf.rs.security.oauth2.common.UserSubject in project cxf by apache.
the class DefaultEHCacheOAuthDataProvider method getAccessTokens.
@Override
public List<ServerAccessToken> getAccessTokens(Client c, UserSubject sub) {
List<String> keys = CastUtils.cast(accessTokenCache.getKeys());
List<ServerAccessToken> tokens = new ArrayList<>(keys.size());
for (String key : keys) {
ServerAccessToken token = getAccessToken(key);
if (isTokenMatched(token, c, sub)) {
tokens.add(token);
}
}
return tokens;
}
Also used :
ServerAccessToken(org.apache.cxf.rs.security.oauth2.common.ServerAccessToken)
ArrayList(java.util.ArrayList)
Example 8 with UserSubject
use of org.apache.cxf.rs.security.oauth2.common.UserSubject in project cxf by apache.
the class DefaultEHCacheOAuthDataProvider method getRefreshTokens.
@Override
public List<RefreshToken> getRefreshTokens(Client c, UserSubject sub) {
List<String> keys = CastUtils.cast(refreshTokenCache.getKeys());
List<RefreshToken> tokens = new ArrayList<>(keys.size());
for (String key : keys) {
RefreshToken token = getRefreshToken(key);
if (isTokenMatched(token, c, sub)) {
tokens.add(token);
}
}
return tokens;
}
Also used :
RefreshToken(org.apache.cxf.rs.security.oauth2.tokens.refresh.RefreshToken)
ArrayList(java.util.ArrayList)
Example 9 with UserSubject
use of org.apache.cxf.rs.security.oauth2.common.UserSubject in project cxf by apache.
the class AuthorizationCodeGrantService method createCodeRegistration.
protected AuthorizationCodeRegistration createCodeRegistration(OAuthRedirectionState state, Client client, List<String> requestedScope, List<String> approvedScope, UserSubject userSubject, ServerAccessToken preauthorizedToken) {
AuthorizationCodeRegistration codeReg = new AuthorizationCodeRegistration();
codeReg.setPreauthorizedTokenAvailable(preauthorizedToken != null);
codeReg.setClient(client);
codeReg.setRedirectUri(state.getRedirectUri());
codeReg.setRequestedScope(requestedScope);
codeReg.setResponseType(state.getResponseType());
codeReg.setApprovedScope(getApprovedScope(requestedScope, approvedScope));
codeReg.setSubject(userSubject);
codeReg.setAudience(state.getAudience());
codeReg.setNonce(state.getNonce());
codeReg.setClientCodeChallenge(state.getClientCodeChallenge());
codeReg.getExtraProperties().putAll(state.getExtraProperties());
return codeReg;
}
Also used :
AuthorizationCodeRegistration(org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeRegistration)
Example 10 with UserSubject
use of org.apache.cxf.rs.security.oauth2.common.UserSubject in project cxf by apache.
the class AuthorizationCodeGrantService method getGrantRepresentation.
public ServerAuthorizationCodeGrant getGrantRepresentation(OAuthRedirectionState state, Client client, List<String> requestedScope, List<String> approvedScope, UserSubject userSubject, ServerAccessToken preauthorizedToken) {
AuthorizationCodeRegistration codeReg = createCodeRegistration(state, client, requestedScope, approvedScope, userSubject, preauthorizedToken);
ServerAuthorizationCodeGrant grant = ((AuthorizationCodeDataProvider) getDataProvider()).createCodeGrant(codeReg);
if (grant.getExpiresIn() > RECOMMENDED_CODE_EXPIRY_TIME_SECS) {
LOG.warning("Code expiry time exceeds 10 minutes");
}
return grant;
}
Also used :
AuthorizationCodeRegistration(org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeRegistration)
AuthorizationCodeDataProvider(org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeDataProvider)
ServerAuthorizationCodeGrant(org.apache.cxf.rs.security.oauth2.grants.code.ServerAuthorizationCodeGrant)
Aggregations
UserSubject (org.apache.cxf.rs.security.oauth2.common.UserSubject)29
Client (org.apache.cxf.rs.security.oauth2.common.Client)17
ServerAccessToken (org.apache.cxf.rs.security.oauth2.common.ServerAccessToken)10
OAuthServiceException (org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException)8
ArrayList (java.util.ArrayList)7
OAuthPermission (org.apache.cxf.rs.security.oauth2.common.OAuthPermission)7
AccessTokenRegistration (org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration)6
LinkedList (java.util.LinkedList)5
ServerAuthorizationCodeGrant (org.apache.cxf.rs.security.oauth2.grants.code.ServerAuthorizationCodeGrant)5
SecurityContext (org.apache.cxf.security.SecurityContext)5
ClientAccessToken (org.apache.cxf.rs.security.oauth2.common.ClientAccessToken)4
OAuthAuthorizationData (org.apache.cxf.rs.security.oauth2.common.OAuthAuthorizationData)4
Principal (java.security.Principal)3
Map (java.util.Map)3
Message (org.apache.cxf.message.Message)3
Test (org.junit.Test)3
ByteArrayInputStream (java.io.ByteArrayInputStream)2
IOException (java.io.IOException)2
Instant (java.time.Instant)2
HashMap (java.util.HashMap)2
