use of org.apache.cxf.rs.security.oauth2.grants.code.DigestCodeVerifier in project cxf by apache.
the class OIDCFlowTest method testAuthorizationCodeFlowWithPKCE.
@org.junit.Test
public void testAuthorizationCodeFlowWithPKCE() throws Exception {
String address = "https://localhost:" + port + "/services/";
WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), "alice", "security", null);
// Save the Cookie for the second request...
WebClient.getConfig(client).getRequestContext().put(org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);
// Get Authorization Code
AuthorizationCodeParameters parameters = new AuthorizationCodeParameters();
parameters.setConsumerId("consumer-id");
parameters.setScope(OidcUtils.OPENID_SCOPE);
parameters.setResponseType(OAuthConstants.CODE_RESPONSE_TYPE);
parameters.setPath("authorize/");
String codeVerifier = Base64UrlUtility.encode(CryptoUtils.generateSecureRandomBytes(32));
CodeVerifierTransformer transformer = new DigestCodeVerifier();
parameters.setCodeChallenge(transformer.transformCodeVerifier(codeVerifier));
parameters.setCodeChallengeMethod(transformer.getChallengeMethod());
String location = OAuth2TestUtils.getLocation(client, parameters);
String code = OAuth2TestUtils.getSubstring(location, "code");
assertNotNull(code);
// Now get the access token
client = WebClient.create(address, "consumer-id", "this-is-a-secret", null);
ClientAccessToken accessToken = OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code, "consumer-id", null, codeVerifier);
assertNotNull(accessToken.getTokenKey());
if (isAccessTokenInJWTFormat()) {
validateAccessToken(accessToken.getTokenKey());
}
}
use of org.apache.cxf.rs.security.oauth2.grants.code.DigestCodeVerifier in project meecrowave by apache.
the class OAuth2Configurer method preCompute.
// TODO: still some missing configuration for jwt etc to add/wire from OAuth2Options
@PostConstruct
private void preCompute() {
configuration = builder.getExtension(OAuth2Options.class);
final Function<JwtClaims, JwtClaims> customizeClaims = configuration.isUseJwtFormatForAccessTokens() ? claims -> {
if (claims.getIssuer() == null) {
claims.setIssuer(configuration.getJwtIssuer());
}
return claims;
} : identity();
AbstractOAuthDataProvider provider;
switch(configuration.getProvider().toLowerCase(ENGLISH)) {
case "jpa":
{
if (!configuration.isAuthorizationCodeSupport()) {
// else use code impl
final JPAOAuthDataProvider jpaProvider = new JPAOAuthDataProvider() {
@Override
protected JwtClaims createJwtAccessToken(final ServerAccessToken at) {
return customizeClaims.apply(super.createJwtAccessToken(at));
}
@Override
protected ServerAccessToken createNewAccessToken(final Client client, final UserSubject userSub) {
final ServerAccessToken token = super.createNewAccessToken(client, userSub);
forwardClaims(client, userSub, token);
return token;
}
};
jpaProvider.setEntityManagerFactory(JPAAdapter.createEntityManagerFactory(configuration));
provider = jpaProvider;
break;
}
}
case "jpa-code":
{
final JPACodeDataProvider jpaProvider = new JPACodeDataProvider() {
@Override
protected JwtClaims createJwtAccessToken(final ServerAccessToken at) {
return customizeClaims.apply(super.createJwtAccessToken(at));
}
@Override
protected ServerAccessToken createNewAccessToken(final Client client, final UserSubject userSub) {
final ServerAccessToken token = super.createNewAccessToken(client, userSub);
forwardClaims(client, userSub, token);
return token;
}
};
jpaProvider.setEntityManagerFactory(JPAAdapter.createEntityManagerFactory(configuration));
provider = jpaProvider;
break;
}
case "jcache":
if (!configuration.isAuthorizationCodeSupport()) {
// else use code impl
jCacheConfigurer.doSetup(configuration);
try {
provider = new JCacheOAuthDataProvider(configuration.getJcacheConfigUri(), bus, configuration.isJcacheStoreJwtKeyOnly()) {
@Override
protected JwtClaims createJwtAccessToken(final ServerAccessToken at) {
return customizeClaims.apply(super.createJwtAccessToken(at));
}
@Override
protected ServerAccessToken createNewAccessToken(final Client client, final UserSubject userSub) {
final ServerAccessToken token = super.createNewAccessToken(client, userSub);
forwardClaims(client, userSub, token);
return token;
}
};
} catch (final Exception e) {
throw new IllegalStateException(e);
}
break;
}
case "jcache-code":
jCacheConfigurer.doSetup(configuration);
try {
provider = new JCacheCodeDataProvider(configuration, bus) {
@Override
protected JwtClaims createJwtAccessToken(final ServerAccessToken at) {
return customizeClaims.apply(super.createJwtAccessToken(at));
}
@Override
protected ServerAccessToken createNewAccessToken(final Client client, final UserSubject userSub) {
final ServerAccessToken token = super.createNewAccessToken(client, userSub);
forwardClaims(client, userSub, token);
return token;
}
};
} catch (final Exception e) {
throw new IllegalStateException(e);
}
break;
case "encrypted":
if (!configuration.isAuthorizationCodeSupport()) {
// else use code impl
provider = new DefaultEncryptingOAuthDataProvider(new SecretKeySpec(configuration.getEncryptedKey().getBytes(StandardCharsets.UTF_8), configuration.getEncryptedAlgo())) {
@Override
protected JwtClaims createJwtAccessToken(final ServerAccessToken at) {
return customizeClaims.apply(super.createJwtAccessToken(at));
}
@Override
protected ServerAccessToken createNewAccessToken(final Client client, final UserSubject userSub) {
final ServerAccessToken token = super.createNewAccessToken(client, userSub);
forwardClaims(client, userSub, token);
return token;
}
};
break;
}
case "encrypted-code":
provider = new DefaultEncryptingCodeDataProvider(new SecretKeySpec(configuration.getEncryptedKey().getBytes(StandardCharsets.UTF_8), configuration.getEncryptedAlgo())) {
@Override
protected JwtClaims createJwtAccessToken(final ServerAccessToken at) {
return customizeClaims.apply(super.createJwtAccessToken(at));
}
@Override
protected ServerAccessToken createNewAccessToken(final Client client, final UserSubject userSub) {
final ServerAccessToken token = super.createNewAccessToken(client, userSub);
forwardClaims(client, userSub, token);
return token;
}
};
break;
default:
throw new IllegalArgumentException("Unsupported oauth2 provider: " + configuration.getProvider());
}
final RefreshTokenGrantHandler refreshTokenGrantHandler = new RefreshTokenGrantHandler() {
@Override
public ServerAccessToken createAccessToken(final Client client, final MultivaluedMap<String, String> params) throws OAuthServiceException {
final ServerAccessToken accessToken = super.createAccessToken(client, params);
forwardClaims(client, accessToken.getSubject(), accessToken);
return accessToken;
}
};
refreshTokenGrantHandler.setDataProvider(provider);
refreshTokenGrantHandler.setUseAllClientScopes(configuration.isUseAllClientScopes());
refreshTokenGrantHandler.setPartialMatchScopeValidation(configuration.isPartialMatchScopeValidation());
final ResourceOwnerLoginHandler loginHandler = configuration.isJaas() ? new JAASResourceOwnerLoginHandler() {
@Override
public UserSubject createSubject(final Client client, final String name, final String password) {
final UserSubject subject = super.createSubject(client, name, password);
forwardRolesAsClaims(subject);
return subject;
}
} : (client, name, password) -> {
try {
request.login(name, password);
try {
final Principal pcp = request.getUserPrincipal();
return doCreateUserSubject(pcp);
} finally {
request.logout();
}
} catch (final ServletException e) {
throw new AuthenticationException(e.getMessage());
}
};
final List<AccessTokenGrantHandler> handlers = new ArrayList<>();
handlers.add(refreshTokenGrantHandler);
handlers.add(new ClientCredentialsGrantHandler() {
@Override
protected ServerAccessToken doCreateAccessToken(final Client client, final UserSubject subject, final String requestedGrant, final List<String> requestedScopes, final List<String> audiences) {
final ServerAccessToken serverAccessToken = super.doCreateAccessToken(client, subject, requestedGrant, requestedScopes, audiences);
forwardClaims(client, subject, serverAccessToken);
return serverAccessToken;
}
});
handlers.add(new ResourceOwnerGrantHandler() {
{
setLoginHandler(loginHandler);
}
@Override
protected ServerAccessToken doCreateAccessToken(final Client client, final UserSubject subject, final String requestedGrant, final List<String> requestedScopes, final List<String> audiences) {
final ServerAccessToken serverAccessToken = super.doCreateAccessToken(client, subject, requestedGrant, requestedScopes, audiences);
forwardClaims(client, subject, serverAccessToken);
return serverAccessToken;
}
});
handlers.add(new AuthorizationCodeGrantHandler() {
@Override
public ServerAccessToken createAccessToken(final Client client, final MultivaluedMap<String, String> params) throws OAuthServiceException {
if (configuration.isUseS256CodeChallenge()) {
setCodeVerifierTransformer(new DigestCodeVerifier());
}
return super.createAccessToken(client, params);
}
@Override
protected ServerAccessToken doCreateAccessToken(final Client client, final UserSubject subject, final String requestedGrant, final List<String> requestedScopes, final List<String> audiences) {
final ServerAccessToken serverAccessToken = super.doCreateAccessToken(client, subject, requestedGrant, requestedScopes, audiences);
forwardClaims(client, subject, serverAccessToken);
return serverAccessToken;
}
});
handlers.add(new JwtBearerGrantHandler() {
@Override
protected ServerAccessToken doCreateAccessToken(final Client client, final UserSubject subject, final String requestedGrant, final List<String> requestedScopes, final List<String> audiences) {
final ServerAccessToken serverAccessToken = super.doCreateAccessToken(client, subject, requestedGrant, requestedScopes, audiences);
forwardClaims(client, subject, serverAccessToken);
return serverAccessToken;
}
});
provider.setUseJwtFormatForAccessTokens(configuration.isUseJwtFormatForAccessTokens());
provider.setAccessTokenLifetime(configuration.getAccessTokenLifetime());
provider.setRefreshTokenLifetime(configuration.getRefreshTokenLifetime());
provider.setRecycleRefreshTokens(configuration.isRecycleRefreshTokens());
provider.setSupportPreauthorizedTokens(configuration.isSupportPreauthorizedTokens());
ofNullable(configuration.getRequiredScopes()).map(s -> asList(s.split(","))).ifPresent(provider::setRequiredScopes);
ofNullable(configuration.getDefaultScopes()).map(s -> asList(s.split(","))).ifPresent(provider::setDefaultScopes);
ofNullable(configuration.getInvisibleToClientScopes()).map(s -> asList(s.split(","))).ifPresent(provider::setInvisibleToClientScopes);
ofNullable(configuration.getJwtAccessTokenClaimMap()).map(s -> new Properties() {
{
try {
load(new StringReader(s));
} catch (IOException e) {
throw new IllegalArgumentException("Bad claim map configuration, use properties syntax");
}
}
}).ifPresent(m -> provider.setJwtAccessTokenClaimMap(new HashMap<>(Map.class.cast(m))));
final OAuthDataProvider dataProvider;
if (configuration.isRefreshToken()) {
dataProvider = new RefreshTokenEnabledProvider(provider);
if (provider.getInvisibleToClientScopes() == null) {
provider.setInvisibleToClientScopes(new ArrayList<>());
}
provider.getInvisibleToClientScopes().add(OAuthConstants.REFRESH_TOKEN_SCOPE);
} else {
dataProvider = provider;
}
handlers.stream().filter(AbstractGrantHandler.class::isInstance).forEach(h -> {
final AbstractGrantHandler handler = AbstractGrantHandler.class.cast(h);
handler.setDataProvider(dataProvider);
handler.setCanSupportPublicClients(configuration.isCanSupportPublicClients());
handler.setPartialMatchScopeValidation(configuration.isPartialMatchScopeValidation());
});
abstractTokenServiceConsumer = s -> {
// this is used @RequestScoped so ensure it is not slow for no reason
s.setCanSupportPublicClients(configuration.isCanSupportPublicClients());
s.setBlockUnsecureRequests(configuration.isBlockUnsecureRequests());
s.setWriteCustomErrors(configuration.isWriteCustomErrors());
s.setWriteOptionalParameters(configuration.isWriteOptionalParameters());
s.setDataProvider(dataProvider);
};
tokenServiceConsumer = s -> {
// this is used @RequestScoped so ensure it is not slow for no reason
abstractTokenServiceConsumer.accept(s);
s.setGrantHandlers(handlers);
};
final List<String> noConsentScopes = ofNullable(configuration.getScopesRequiringNoConsent()).map(s -> asList(s.split(","))).orElse(null);
// we prefix them oauth2.cxf. but otherwise it is the plain cxf config
securityProperties = ofNullable(builder.getProperties()).map(Properties::stringPropertyNames).orElse(emptySet()).stream().filter(s -> s.startsWith("oauth2.cxf.rs.security.")).collect(toMap(s -> s.substring("oauth2.cxf.".length()), s -> builder.getProperties().getProperty(s)));
final JoseSessionTokenProvider sessionAuthenticityTokenProvider = new JoseSessionTokenProvider() {
@Override
public String createSessionToken(final MessageContext mc, final MultivaluedMap<String, String> params, final UserSubject subject, final OAuthRedirectionState secData) {
// CXF-8368
secData.setClientCodeChallenge(params.getFirst(OAuthConstants.AUTHORIZATION_CODE_CHALLENGE));
return super.createSessionToken(mc, params, subject, secData);
}
};
sessionAuthenticityTokenProvider.setMaxDefaultSessionInterval(configuration.getMaxDefaultSessionInterval());
// TODO: other configs
redirectionBasedGrantServiceConsumer = s -> {
s.setDataProvider(dataProvider);
s.setBlockUnsecureRequests(configuration.isBlockUnsecureRequests());
s.setWriteOptionalParameters(configuration.isWriteOptionalParameters());
s.setUseAllClientScopes(configuration.isUseAllClientScopes());
s.setPartialMatchScopeValidation(configuration.isPartialMatchScopeValidation());
s.setUseRegisteredRedirectUriIfPossible(configuration.isUseRegisteredRedirectUriIfPossible());
s.setMaxDefaultSessionInterval(configuration.getMaxDefaultSessionInterval());
s.setMatchRedirectUriWithApplicationUri(configuration.isMatchRedirectUriWithApplicationUri());
s.setScopesRequiringNoConsent(noConsentScopes);
s.setSessionAuthenticityTokenProvider(sessionAuthenticityTokenProvider);
s.setCanSupportPublicClients(configuration.isCanSupportPublicClients());
};
}
Aggregations