Example 1 with JwtSubClaimObject
use of org.xdi.oxauth.model.jwt.JwtSubClaimObject in project oxAuth by GluuFederation.
the class UserInfoRestWebServiceImpl method getJSonResponse.
/**
* Builds a JSon String with the response parameters.
*/
public String getJSonResponse(User user, AuthorizationGrant authorizationGrant, Collection<String> scopes) throws Exception {
JsonWebResponse jsonWebResponse = new JsonWebResponse();
// Claims
List<Scope> dynamicScopes = new ArrayList<Scope>();
for (String scopeName : scopes) {
org.xdi.oxauth.model.common.Scope scope = scopeService.getScopeByDisplayName(scopeName);
if ((scope != null) && (org.xdi.oxauth.model.common.ScopeType.DYNAMIC == scope.getScopeType())) {
dynamicScopes.add(scope);
continue;
}
Map<String, Object> claims = getClaims(user, scope);
if (scope.getIsOxAuthGroupClaims()) {
JwtSubClaimObject groupClaim = new JwtSubClaimObject();
groupClaim.setName(scope.getDisplayName());
for (Map.Entry<String, Object> entry : claims.entrySet()) {
String key = entry.getKey();
Object value = entry.getValue();
if (value instanceof List) {
groupClaim.setClaim(key, (List<String>) value);
} else {
groupClaim.setClaim(key, (String) value);
}
}
jsonWebResponse.getClaims().setClaim(scope.getDisplayName(), groupClaim);
} else {
for (Map.Entry<String, Object> entry : claims.entrySet()) {
String key = entry.getKey();
Object value = entry.getValue();
if (value instanceof List) {
jsonWebResponse.getClaims().setClaim(key, (List<String>) value);
} else {
jsonWebResponse.getClaims().setClaim(key, (String) value);
}
}
}
jsonWebResponse.getClaims().setSubjectIdentifier(authorizationGrant.getUser().getAttribute("inum"));
}
if (authorizationGrant.getJwtAuthorizationRequest() != null && authorizationGrant.getJwtAuthorizationRequest().getUserInfoMember() != null) {
for (Claim claim : authorizationGrant.getJwtAuthorizationRequest().getUserInfoMember().getClaims()) {
// ClaimValueType.OPTIONAL.equals(claim.getClaimValue().getClaimValueType());
boolean optional = true;
GluuAttribute gluuAttribute = attributeService.getByClaimName(claim.getName());
if (gluuAttribute != null) {
String ldapClaimName = gluuAttribute.getName();
Object attribute = user.getAttribute(ldapClaimName, optional);
if (attribute != null) {
if (attribute instanceof JSONArray) {
JSONArray jsonArray = (JSONArray) attribute;
List<String> values = new ArrayList<String>();
for (int i = 0; i < jsonArray.length(); i++) {
String value = jsonArray.optString(i);
if (value != null) {
values.add(value);
}
}
jsonWebResponse.getClaims().setClaim(claim.getName(), values);
} else {
String value = (String) attribute;
jsonWebResponse.getClaims().setClaim(claim.getName(), value);
}
}
}
}
}
// Check for Subject Identifier Type
if (authorizationGrant.getClient().getSubjectType() != null && SubjectType.fromString(authorizationGrant.getClient().getSubjectType()).equals(SubjectType.PAIRWISE)) {
String sectorIdentifierUri = null;
if (StringUtils.isNotBlank(authorizationGrant.getClient().getSectorIdentifierUri())) {
sectorIdentifierUri = authorizationGrant.getClient().getSectorIdentifierUri();
} else {
sectorIdentifierUri = authorizationGrant.getClient().getRedirectUris()[0];
}
String userInum = authorizationGrant.getUser().getAttribute("inum");
PairwiseIdentifier pairwiseIdentifier = pairwiseIdentifierService.findPairWiseIdentifier(userInum, sectorIdentifierUri);
if (pairwiseIdentifier == null) {
pairwiseIdentifier = new PairwiseIdentifier(sectorIdentifierUri);
pairwiseIdentifier.setId(UUID.randomUUID().toString());
pairwiseIdentifier.setDn(pairwiseIdentifierService.getDnForPairwiseIdentifier(pairwiseIdentifier.getId(), userInum));
pairwiseIdentifierService.addPairwiseIdentifier(userInum, pairwiseIdentifier);
}
jsonWebResponse.getClaims().setSubjectIdentifier(pairwiseIdentifier.getId());
} else {
String openidSubAttribute = appConfiguration.getOpenidSubAttribute();
jsonWebResponse.getClaims().setSubjectIdentifier(authorizationGrant.getUser().getAttribute(openidSubAttribute));
}
if ((dynamicScopes.size() > 0) && externalDynamicScopeService.isEnabled()) {
final UnmodifiableAuthorizationGrant unmodifiableAuthorizationGrant = new UnmodifiableAuthorizationGrant(authorizationGrant);
DynamicScopeExternalContext dynamicScopeContext = new DynamicScopeExternalContext(dynamicScopes, jsonWebResponse, unmodifiableAuthorizationGrant);
externalDynamicScopeService.executeExternalUpdateMethods(dynamicScopeContext);
}
return jsonWebResponse.toString();
}
Also used :
JsonWebResponse(org.xdi.oxauth.model.token.JsonWebResponse)
JSONArray(org.codehaus.jettison.json.JSONArray)
DynamicScopeExternalContext(org.xdi.oxauth.service.external.context.DynamicScopeExternalContext)
JwtSubClaimObject(org.xdi.oxauth.model.jwt.JwtSubClaimObject)
GluuAttribute(org.xdi.model.GluuAttribute)
PairwiseIdentifier(org.xdi.oxauth.model.ldap.PairwiseIdentifier)
org.xdi.oxauth.model.common(org.xdi.oxauth.model.common)
JwtSubClaimObject(org.xdi.oxauth.model.jwt.JwtSubClaimObject)
JSONObject(org.codehaus.jettison.json.JSONObject)
Claim(org.xdi.oxauth.model.authorize.Claim)
Example 2 with JwtSubClaimObject
use of org.xdi.oxauth.model.jwt.JwtSubClaimObject in project oxAuth by GluuFederation.
the class IdTokenFactory method generateSignedIdToken.
public Jwt generateSignedIdToken(IAuthorizationGrant authorizationGrant, String nonce, AuthorizationCode authorizationCode, AccessToken accessToken, Set<String> scopes, boolean includeIdTokenClaims) throws Exception {
JwtSigner jwtSigner = JwtSigner.newJwtSigner(appConfiguration, webKeysConfiguration, authorizationGrant.getClient());
Jwt jwt = jwtSigner.newJwt();
int lifeTime = appConfiguration.getIdTokenLifetime();
Calendar calendar = Calendar.getInstance();
Date issuedAt = calendar.getTime();
calendar.add(Calendar.SECOND, lifeTime);
Date expiration = calendar.getTime();
jwt.getClaims().setExpirationTime(expiration);
jwt.getClaims().setIssuedAt(issuedAt);
if (authorizationGrant.getAcrValues() != null) {
jwt.getClaims().setClaim(JwtClaimName.AUTHENTICATION_CONTEXT_CLASS_REFERENCE, authorizationGrant.getAcrValues());
setAmrClaim(jwt, authorizationGrant.getAcrValues());
}
if (StringUtils.isNotBlank(nonce)) {
jwt.getClaims().setClaim(JwtClaimName.NONCE, nonce);
}
if (authorizationGrant.getAuthenticationTime() != null) {
jwt.getClaims().setClaim(JwtClaimName.AUTHENTICATION_TIME, authorizationGrant.getAuthenticationTime());
}
if (authorizationCode != null) {
String codeHash = authorizationCode.getHash(jwtSigner.getSignatureAlgorithm());
jwt.getClaims().setClaim(JwtClaimName.CODE_HASH, codeHash);
}
if (accessToken != null) {
String accessTokenHash = accessToken.getHash(jwtSigner.getSignatureAlgorithm());
jwt.getClaims().setClaim(JwtClaimName.ACCESS_TOKEN_HASH, accessTokenHash);
}
jwt.getClaims().setClaim(JwtClaimName.OX_OPENID_CONNECT_VERSION, appConfiguration.getOxOpenIdConnectVersion());
List<org.xdi.oxauth.model.common.Scope> dynamicScopes = Lists.newArrayList();
if (includeIdTokenClaims) {
for (String scopeName : scopes) {
org.xdi.oxauth.model.common.Scope scope = scopeService.getScopeByDisplayName(scopeName);
if ((scope != null) && (org.xdi.oxauth.model.common.ScopeType.DYNAMIC == scope.getScopeType())) {
dynamicScopes.add(scope);
continue;
}
if (scope != null && scope.getOxAuthClaims() != null) {
if (scope.getIsOxAuthGroupClaims()) {
JwtSubClaimObject groupClaim = new JwtSubClaimObject();
groupClaim.setName(scope.getDisplayName());
for (String claimDn : scope.getOxAuthClaims()) {
GluuAttribute gluuAttribute = attributeService.getAttributeByDn(claimDn);
String claimName = gluuAttribute.getOxAuthClaimName();
String ldapName = gluuAttribute.getName();
String attributeValue;
if (StringUtils.isNotBlank(claimName) && StringUtils.isNotBlank(ldapName)) {
if (ldapName.equals("uid")) {
attributeValue = authorizationGrant.getUser().getUserId();
} else {
attributeValue = authorizationGrant.getUser().getAttribute(gluuAttribute.getName());
}
groupClaim.setClaim(claimName, attributeValue);
}
}
jwt.getClaims().setClaim(scope.getDisplayName(), groupClaim);
} else {
for (String claimDn : scope.getOxAuthClaims()) {
GluuAttribute gluuAttribute = attributeService.getAttributeByDn(claimDn);
String claimName = gluuAttribute.getOxAuthClaimName();
String ldapName = gluuAttribute.getName();
String attributeValue;
if (StringUtils.isNotBlank(claimName) && StringUtils.isNotBlank(ldapName)) {
if (ldapName.equals("uid")) {
attributeValue = authorizationGrant.getUser().getUserId();
} else {
attributeValue = authorizationGrant.getUser().getAttribute(gluuAttribute.getName());
}
jwt.getClaims().setClaim(claimName, attributeValue);
}
}
}
}
}
}
if (authorizationGrant.getJwtAuthorizationRequest() != null && authorizationGrant.getJwtAuthorizationRequest().getIdTokenMember() != null) {
for (Claim claim : authorizationGrant.getJwtAuthorizationRequest().getIdTokenMember().getClaims()) {
// ClaimValueType.OPTIONAL.equals(claim.getClaimValue().getClaimValueType());
boolean optional = true;
GluuAttribute gluuAttribute = attributeService.getByClaimName(claim.getName());
if (gluuAttribute != null) {
String ldapClaimName = gluuAttribute.getName();
Object attribute = authorizationGrant.getUser().getAttribute(ldapClaimName, optional);
if (attribute != null) {
if (attribute instanceof JSONArray) {
JSONArray jsonArray = (JSONArray) attribute;
List<String> values = new ArrayList<String>();
for (int i = 0; i < jsonArray.length(); i++) {
String value = jsonArray.optString(i);
if (value != null) {
values.add(value);
}
}
jwt.getClaims().setClaim(claim.getName(), values);
} else {
String value = (String) attribute;
jwt.getClaims().setClaim(claim.getName(), value);
}
}
}
}
}
// Check for Subject Identifier Type
if (authorizationGrant.getClient().getSubjectType() != null && SubjectType.fromString(authorizationGrant.getClient().getSubjectType()).equals(SubjectType.PAIRWISE)) {
String sectorIdentifierUri = null;
if (StringUtils.isNotBlank(authorizationGrant.getClient().getSectorIdentifierUri())) {
sectorIdentifierUri = authorizationGrant.getClient().getSectorIdentifierUri();
} else {
sectorIdentifierUri = authorizationGrant.getClient().getRedirectUris()[0];
}
String userInum = authorizationGrant.getUser().getAttribute("inum");
PairwiseIdentifier pairwiseIdentifier = pairwiseIdentifierService.findPairWiseIdentifier(userInum, sectorIdentifierUri);
if (pairwiseIdentifier == null) {
pairwiseIdentifier = new PairwiseIdentifier(sectorIdentifierUri);
pairwiseIdentifier.setId(UUID.randomUUID().toString());
pairwiseIdentifier.setDn(pairwiseIdentifierService.getDnForPairwiseIdentifier(pairwiseIdentifier.getId(), userInum));
pairwiseIdentifierService.addPairwiseIdentifier(userInum, pairwiseIdentifier);
}
jwt.getClaims().setSubjectIdentifier(pairwiseIdentifier.getId());
} else {
String openidSubAttribute = appConfiguration.getOpenidSubAttribute();
if (openidSubAttribute.equals("uid")) {
jwt.getClaims().setSubjectIdentifier(authorizationGrant.getUser().getUserId());
} else {
jwt.getClaims().setSubjectIdentifier(authorizationGrant.getUser().getAttribute(openidSubAttribute));
}
}
if ((dynamicScopes.size() > 0) && externalDynamicScopeService.isEnabled()) {
final UnmodifiableAuthorizationGrant unmodifiableAuthorizationGrant = new UnmodifiableAuthorizationGrant(authorizationGrant);
DynamicScopeExternalContext dynamicScopeContext = new DynamicScopeExternalContext(dynamicScopes, jwt, unmodifiableAuthorizationGrant);
externalDynamicScopeService.executeExternalUpdateMethods(dynamicScopeContext);
}
return jwtSigner.sign();
}
Also used :
PairwiseIdentifier(org.xdi.oxauth.model.ldap.PairwiseIdentifier)
org.xdi.oxauth.model.common(org.xdi.oxauth.model.common)
Jwt(org.xdi.oxauth.model.jwt.Jwt)
JSONArray(org.codehaus.jettison.json.JSONArray)
DynamicScopeExternalContext(org.xdi.oxauth.service.external.context.DynamicScopeExternalContext)
JwtSubClaimObject(org.xdi.oxauth.model.jwt.JwtSubClaimObject)
GluuAttribute(org.xdi.model.GluuAttribute)
JwtSubClaimObject(org.xdi.oxauth.model.jwt.JwtSubClaimObject)
JSONObject(org.codehaus.jettison.json.JSONObject)
Claim(org.xdi.oxauth.model.authorize.Claim)
Aggregations
JSONArray (org.codehaus.jettison.json.JSONArray)2
JSONObject (org.codehaus.jettison.json.JSONObject)2
GluuAttribute (org.xdi.model.GluuAttribute)2
Claim (org.xdi.oxauth.model.authorize.Claim)2
org.xdi.oxauth.model.common (org.xdi.oxauth.model.common)2
JwtSubClaimObject (org.xdi.oxauth.model.jwt.JwtSubClaimObject)2
PairwiseIdentifier (org.xdi.oxauth.model.ldap.PairwiseIdentifier)2
DynamicScopeExternalContext (org.xdi.oxauth.service.external.context.DynamicScopeExternalContext)2
Jwt (org.xdi.oxauth.model.jwt.Jwt)1
JsonWebResponse (org.xdi.oxauth.model.token.JsonWebResponse)1
