Use of org.apache.cxf.rs.security.oidc.common.IdToken in project cxf by apache.
Class OidcClientCodeRequestFilter, method createTokenContext.
@Override
protected ClientTokenContext createTokenContext(ContainerRequestContext rc, ClientAccessToken at, MultivaluedMap<String, String> requestParams, MultivaluedMap<String, String> state) {
    // A request that already carries an OIDC security context was handled earlier:
    // hand back the token context it holds instead of validating a token again.
    if (rc.getSecurityContext() instanceof OidcSecurityContext) {
        return ((OidcSecurityContext) rc.getSecurityContext()).getOidcContext();
    }

    OidcClientTokenContextImpl tokenContext = new OidcClientTokenContextImpl();
    if (at == null) {
        // No access token was exchanged, so there is no ID token to read; the
        // empty context is returned and no security context is installed.
        return tokenContext;
    }
    if (idTokenReader == null) {
        // An access token without a reader to validate its ID token is a
        // deployment error, reported as a generic server error.
        throw new OAuthServiceException(OAuthConstants.SERVER_ERROR);
    }

    // Read the ID token that accompanies the access token; the authorization
    // code is passed along for the reader's own checks.
    String authorizationCode = requestParams.getFirst(OAuthConstants.AUTHORIZATION_CODE_VALUE);
    IdToken idToken = idTokenReader.getIdToken(at, authorizationCode, getConsumer());
    // Cross-check the token against the values recorded when the user was redirected.
    validateIdToken(idToken, state);
    tokenContext.setIdToken(idToken);

    // UserInfo retrieval is optional and only happens when a client is configured.
    if (userInfoClient != null) {
        tokenContext.setUserInfo(userInfoClient.getUserInfo(at, tokenContext.getIdToken(), getConsumer()));
    }

    // Expose the authenticated identity to the rest of the request pipeline.
    OidcSecurityContext securityContext = new OidcSecurityContext(tokenContext);
    securityContext.setRoleClaim(roleClaim);
    rc.setSecurityContext(securityContext);
    return tokenContext;
}
Use of org.apache.cxf.rs.security.oidc.common.IdToken in project cxf by apache.
Class OidcIdTokenRequestFilter, method filter.
@Override
public void filter(ContainerRequestContext requestContext) throws IOException {
    // The ID token is expected as a form parameter whose name is tokenFormParameter.
    String rawIdToken = toFormData(requestContext).getFirst(tokenFormParameter);
    if (rawIdToken == null) {
        // Nothing to authenticate with: reject before any further processing.
        // NOTE(review): the 401 is sent without a WWW-Authenticate challenge header.
        requestContext.abortWith(Response.status(401).build());
        return;
    }

    // There is no catch here, so any exception raised by the reader while parsing
    // or validating the token propagates out of this filter unhandled.
    IdToken parsedToken = idTokenReader.getIdToken(rawIdToken, consumer);

    // Make the token available to downstream code both on the message and as
    // the request's security context.
    JAXRSUtils.getCurrentMessage().setContent(IdToken.class, parsedToken);
    OidcSecurityContext securityContext = new OidcSecurityContext(parsedToken);
    securityContext.setRoleClaim(roleClaim);
    requestContext.setSecurityContext(securityContext);
}
Use of org.apache.cxf.rs.security.oidc.common.IdToken in project cxf by apache.
Class OidcImplicitService, method getProcessedIdToken.
/**
 * Produces the ID token string for an implicit-flow response, trying three
 * sources in order: a token already stored on the subject, the configured
 * provider, and finally the subject's own ID token re-targeted to the client.
 *
 * @param state   the redirection state of the current request (supplies the client id)
 * @param subject the authenticated user
 * @param scopes  the requested scopes, forwarded to the provider when one is used
 * @return the processed ID token, or {@code null} when none of the sources applies
 */
private String getProcessedIdToken(OAuthRedirectionState state, UserSubject subject, List<String> scopes) {
    // 1. A token stored on the subject is returned as-is; note it is not
    //    re-targeted to the requesting client by this method.
    if (subject.getProperties().containsKey(OidcUtils.ID_TOKEN)) {
        return subject.getProperties().get(OidcUtils.ID_TOKEN);
    }

    // 2. A configured provider builds the token for this client and scope set.
    if (idTokenProvider != null) {
        IdToken provided = idTokenProvider.getIdToken(state.getClientId(), subject, scopes);
        return processIdToken(state, provided);
    }

    // 3. Fall back to the subject's own ID token, copied and pointed at this
    //    client via the aud and azp claims.
    if (!(subject instanceof OidcUserSubject)) {
        return null;
    }
    String clientId = state.getClientId();
    IdToken reissued = new IdToken(((OidcUserSubject) subject).getIdToken());
    reissued.setAudience(clientId);
    reissued.setAuthorizedParty(clientId);
    return processIdToken(state, reissued);
}
Use of org.apache.cxf.rs.security.oidc.common.IdToken in project cxf by apache.
Class OidcInvoker, method validateRefreshedToken.
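/**
 * Checks an ID token returned with a refreshed access token against the ID token
 * from the original authentication and, if it is consistent, installs it on the
 * context. Follows the refresh-token validation rules of OpenID Connect Core
 * section 12.2: same iss, sub, aud and azp, an unchanged auth_time when present,
 * and an iat that does not move backwards.
 *
 * Compared to the previous version, every claim comparison is null-safe: a refreshed
 * token that lacks a required claim is rejected with {@link OAuthServiceException}
 * rather than failing with a NullPointerException.
 *
 * @param tokenContext   the client token context created by the OIDC code flow;
 *                       expected to be an {@code OidcClientTokenContextImpl}
 * @param refreshedToken the access token returned by the refresh request
 * @throws OAuthServiceException if the new ID token does not match the original one
 */
@Override
protected void validateRefreshedToken(ClientTokenContext tokenContext, ClientAccessToken refreshedToken) {
    // A refresh response may omit the ID token; the original one then stays in place.
    if (!refreshedToken.getParameters().containsKey(OidcUtils.ID_TOKEN)) {
        return;
    }
    IdToken newIdToken = idTokenReader.getIdToken(refreshedToken, getConsumer());
    // Any other ClientTokenContext implementation is a programming error (ClassCastException).
    OidcClientTokenContextImpl oidcContext = (OidcClientTokenContextImpl) tokenContext;
    IdToken currentIdToken = oidcContext.getIdToken();

    // iss and sub are mandatory and must be unchanged.
    if (!sameValue(newIdToken.getIssuer(), currentIdToken.getIssuer()) || newIdToken.getIssuer() == null) {
        throw new OAuthServiceException("Invalid id token issuer");
    }
    if (!sameValue(newIdToken.getSubject(), currentIdToken.getSubject()) || newIdToken.getSubject() == null) {
        throw new OAuthServiceException("Invalid id token subject");
    }
    // aud: the new token must list every audience of the original one.
    // NOTE(review): containsAll also tolerates additional audiences on the new
    // token; that leniency is kept from the previous implementation.
    if (!coversAudiences(newIdToken, currentIdToken)) {
        throw new OAuthServiceException("Invalid id token audience(s)");
    }
    // auth_time is optional in the new token, but when present it must equal the original.
    Long newAuthTime = newIdToken.getAuthenticationTime();
    if (newAuthTime != null && !newAuthTime.equals(currentIdToken.getAuthenticationTime())) {
        throw new OAuthServiceException("Invalid id token auth_time");
    }
    // azp must be absent in both tokens or present and equal in both.
    if (!sameValue(newIdToken.getAuthorizedParty(), currentIdToken.getAuthorizedParty())) {
        throw new OAuthServiceException("Invalid id token authorized party");
    }
    // iat must not be earlier than the original; a missing iat on either side is rejected.
    Long newIssuedTime = newIdToken.getIssuedAt();
    Long origIssuedTime = currentIdToken.getIssuedAt();
    if (newIssuedTime == null || origIssuedTime == null || newIssuedTime < origIssuedTime) {
        throw new OAuthServiceException("Invalid id token issued time");
    }

    oidcContext.setIdToken(newIdToken);
}

/** Null-safe equality for string claims: true when both are null or both are equal. */
private static boolean sameValue(String first, String second) {
    return first == null ? second == null : first.equals(second);
}

/** True when both tokens carry an audience list and the fresh one contains every original audience. */
private static boolean coversAudiences(IdToken fresh, IdToken original) {
    return fresh.getAudiences() != null
        && original.getAudiences() != null
        && fresh.getAudiences().containsAll(original.getAudiences());
}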
Use of org.apache.cxf.rs.security.oidc.common.IdToken in project testcases by coheigea.
Class IdTokenProviderImpl, method getIdToken.
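/**
 * Builds a minimal ID token for the given client and authenticated user.
 *
 * The token carries iat, exp (60 seconds after iat), aud (the client id), sub (the
 * user's login) and a fixed issuer string. iat and exp are now derived from a single
 * clock reading, so exp is always exactly iat + 60; the previous implementation read
 * the clock twice and could produce a one-second drift across a second boundary.
 *
 * @param clientId          the client the token is issued to; becomes the aud claim
 * @param authenticatedUser the authenticated user; its login becomes the sub claim
 * @param scopes            requested scopes; not used by this sample provider
 * @return a new, unsigned IdToken populated with the claims above
 */
@Override
public IdToken getIdToken(String clientId, UserSubject authenticatedUser, List<String> scopes) {
    // Short lifetime, in seconds, suitable for a test-case provider.
    final long lifetimeSeconds = 60L;
    // One timestamp for both iat and exp; JWT time claims are in seconds since the epoch.
    long nowSeconds = System.currentTimeMillis() / 1000L;

    IdToken token = new IdToken();
    token.setIssuedAt(nowSeconds);
    token.setExpiryTime(nowSeconds + lifetimeSeconds);
    // Bind the token to the requesting client.
    token.setAudience(clientId);
    token.setSubject(authenticatedUser.getLogin());
    // Fixed issuer identifier for this sample IdP.
    token.setIssuer("OIDC IdP");
    // NOTE(review): no nonce, auth_time or azp claims are set here.
    return token;
}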