try { writer.beginObject(); writer.name(CLIENT_ID).value(client.getClientId()); writer.name(RESOURCE_IDS); writeNullSafeArray(writer, client.getResourceIds()); writer.name(SECRET).value(client.getClientSecret()); writeNullSafeArray(writer, client.getScope()); for (GrantedAuthority authority : client.getAuthorities()) { writer.value(authority.getAuthority()); writer.name(ACCESS_TOKEN_VALIDITY_SECONDS).value(client.getAccessTokenValiditySeconds()); writer.name(REFRESH_TOKEN_VALIDITY_SECONDS).value(client.getRefreshTokenValiditySeconds()); writer.name(ID_TOKEN_VALIDITY_SECONDS).value(client.getIdTokenValiditySeconds()); writer.name(DEVICE_CODE_VALIDITY_SECONDS).value(client.getDeviceCodeValiditySeconds()); writer.name(REDIRECT_URIS); writeNullSafeArray(writer, client.getRedirectUris()); writer.name(CLAIMS_REDIRECT_URIS); writeNullSafeArray(writer, client.getClaimsRedirectUris()); writer.name(NAME).value(client.getClientName()); writer.name(URI).value(client.getClientUri()); writer.name(LOGO_URI).value(client.getLogoUri()); writer.name(CONTACTS); writeNullSafeArray(writer, client.getContacts()); writer.name(TOS_URI).value(client.getTosUri()); writer.name(TOKEN_ENDPOINT_AUTH_METHOD) .value((client.getTokenEndpointAuthMethod() != null) ? client.getTokenEndpointAuthMethod().getValue() : null);
@PrePersist @PreUpdate private void prePersist() { // make sure that ID tokens always time out, default to 5 minutes if (getIdTokenValiditySeconds() == null) { setIdTokenValiditySeconds(DEFAULT_ID_TOKEN_VALIDITY_SECONDS); } }
/** * Create a symmetric signing and validation service for the given client * * @param client * @return */ public JWTSigningAndValidationService getSymmetricValidtor(ClientDetailsEntity client) { if (client == null) { logger.error("Couldn't create symmetric validator for null client"); return null; } if (Strings.isNullOrEmpty(client.getClientSecret())) { logger.error("Couldn't create symmetric validator for client " + client.getClientId() + " without a client secret"); return null; } try { return validators.get(client.getClientSecret()); } catch (UncheckedExecutionException ue) { logger.error("Problem loading client validator", ue); return null; } catch (ExecutionException e) { logger.error("Problem loading client validator", e); return null; } }
@Override public DeviceCode createNewDeviceCode(Set<String> requestedScopes, ClientDetailsEntity client, Map<String, String> parameters) { // create a device code, should be big and random String deviceCode = UUID.randomUUID().toString(); // create a user code, should be random but small and typable, and always uppercase (lookup is case insensitive) String userCode = randomGenerator.generate().toUpperCase(); DeviceCode dc = new DeviceCode(deviceCode, userCode, requestedScopes, client.getClientId(), parameters); if (client.getDeviceCodeValiditySeconds() != null) { dc.setExpiration(new Date(System.currentTimeMillis() + client.getDeviceCodeValiditySeconds() * 1000L)); } dc.setApproved(false); return repository.save(dc); }
newClient.setClientId(null); newClient.setClientSecret(null); newClient.setGrantTypes(new HashSet<String>()); newClient.setResponseTypes(new HashSet<String>()); newClient.setRedirectUris(new HashSet<String>()); newClient.setAccessTokenValiditySeconds(0); newClient.setIdTokenValiditySeconds(0); newClient.setRefreshTokenValiditySeconds(0); newClient.setDefaultACRvalues(new HashSet<String>()); newClient.setDefaultMaxAge(null); newClient.setIdTokenEncryptedResponseAlg(null); newClient.setIdTokenEncryptedResponseEnc(null); newClient.setIdTokenSignedResponseAlg(null); newClient.setInitiateLoginUri(null); newClient.setPostLogoutRedirectUris(null); newClient.setRequestObjectSigningAlg(null); newClient.setRequireAuthTime(null); newClient.setReuseRefreshToken(false); newClient.setSectorIdentifierUri(null); newClient.setSubjectType(null); newClient.setUserInfoEncryptedResponseAlg(null); newClient.setUserInfoEncryptedResponseEnc(null); newClient.setUserInfoSignedResponseAlg(null); newClient.setDynamicallyRegistered(true);
&& oldClient.getClientId().equals(auth.getOAuth2Request().getClientId()) // the client passed in the URI matches the one in the auth && oldClient.getClientId().equals(newClient.getClientId()) // the client passed in the body matches the one in the URI ) { newClient.setClientSecret(oldClient.getClientSecret()); newClient.setAccessTokenValiditySeconds(oldClient.getAccessTokenValiditySeconds()); newClient.setIdTokenValiditySeconds(oldClient.getIdTokenValiditySeconds()); newClient.setRefreshTokenValiditySeconds(oldClient.getRefreshTokenValiditySeconds()); newClient.setDynamicallyRegistered(true); // it's still dynamically registered newClient.setAllowIntrospection(false); // dynamically registered clients can't do introspection -- use the resource registration instead newClient.setAuthorities(oldClient.getAuthorities()); newClient.setClientDescription(oldClient.getClientDescription()); newClient.setCreatedAt(oldClient.getCreatedAt()); newClient.setReuseRefreshToken(oldClient.isReuseRefreshToken()); RegisteredClient registered = new RegisteredClient(savedClient, token.getValue(), config.getIssuer() + "register/" + UriUtils.encodePathSegment(savedClient.getClientId(), "UTF-8"));
if (client.getIdTokenSignedResponseAlg() != null) { signingAlg = client.getIdTokenSignedResponseAlg(); || (client.getRequireAuthTime() != null && client.getRequireAuthTime())) { if (client.getIdTokenValiditySeconds() != null) { Date expiration = new Date(System.currentTimeMillis() + (client.getIdTokenValiditySeconds() * 1000L)); idClaims.expirationTime(expiration); idClaims.audience(Lists.newArrayList(client.getClientId())); if (client.getIdTokenEncryptedResponseAlg() != null && !client.getIdTokenEncryptedResponseAlg().equals(Algorithm.NONE) && client.getIdTokenEncryptedResponseEnc() != null && !client.getIdTokenEncryptedResponseEnc().equals(Algorithm.NONE) && (!Strings.isNullOrEmpty(client.getJwksUri()) || client.getJwks() != null)) { idToken = new EncryptedJWT(new JWEHeader(client.getIdTokenEncryptedResponseAlg(), client.getIdTokenEncryptedResponseEnc()), idClaims.build()); logger.error("Couldn't find encrypter for client: " + client.getClientId());
if (Strings.isNullOrEmpty(client.getClientId())) { client = clientService.generateClientId(client); if (client.getTokenEndpointAuthMethod() == null || client.getTokenEndpointAuthMethod().equals(AuthMethod.NONE)) { client.setClientSecret(null); } else if (client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_BASIC) || client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_POST) || client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT)) { || Strings.isNullOrEmpty(client.getClientSecret())) { client = clientService.generateClientSecret(client); } else if (client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY)) { if (Strings.isNullOrEmpty(client.getJwksUri()) && client.getJwks() == null) { logger.error("tried to create client with private key auth but no private key"); m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST); client.setClientSecret(null); client.setDynamicallyRegistered(false); Throwable databaseExceptionCause = cause.getCause(); if(databaseExceptionCause instanceof SQLIntegrityConstraintViolationException) { logger.error("apiAddClient failed; duplicate client id entry found: {}", client.getClientId()); m.addAttribute(HttpCodeView.CODE, HttpStatus.CONFLICT);
newClient.setClientId(null); newClient.setClientSecret(null); if (newClient.getTokenEndpointAuthMethod() == null) { newClient.setTokenEndpointAuthMethod(AuthMethod.SECRET_BASIC); if (newClient.getTokenEndpointAuthMethod() == AuthMethod.SECRET_BASIC || newClient.getTokenEndpointAuthMethod() == AuthMethod.SECRET_JWT || newClient.getTokenEndpointAuthMethod() == AuthMethod.SECRET_POST) { if (newClient.getGrantTypes().contains("authorization_code")) { newClient.setAccessTokenValiditySeconds((int)TimeUnit.HOURS.toSeconds(1)); // access tokens good for 1hr newClient.setIdTokenValiditySeconds((int)TimeUnit.MINUTES.toSeconds(5)); // id tokens good for 5min newClient.setRefreshTokenValiditySeconds((int)TimeUnit.HOURS.toSeconds(24)); // refresh tokens good for 24hr } else if (newClient.getGrantTypes().contains("implicit")) { newClient.setAccessTokenValiditySeconds((int)TimeUnit.MINUTES.toSeconds(15)); // access tokens good for 15min newClient.setIdTokenValiditySeconds((int)TimeUnit.MINUTES.toSeconds(5)); // id tokens good for 5min newClient.setRefreshTokenValiditySeconds(0); // no refresh tokens } else if (newClient.getGrantTypes().contains("client_credentials")) { newClient.setAccessTokenValiditySeconds((int)TimeUnit.HOURS.toSeconds(6)); // access tokens good for 6hr newClient.setIdTokenValiditySeconds(0); // no id tokens newClient.setRefreshTokenValiditySeconds(0); // no refresh tokens newClient.setAccessTokenValiditySeconds((int)TimeUnit.HOURS.toSeconds(1)); // access tokens good for 1hr newClient.setIdTokenValiditySeconds((int)TimeUnit.MINUTES.toSeconds(10)); // id tokens good for 10min newClient.setRefreshTokenValiditySeconds(null); // refresh tokens good until revoked newClient.setDynamicallyRegistered(true);
/** * @return * @see org.mitre.oauth2.model.ClientDetailsEntity#getClientId() */ public String getClientId() { return client.getClientId(); } /**
.audience(Lists.newArrayList(client.getClientId())) .issuer(config.getIssuer()) .issueTime(new Date()) if (client.getUserInfoEncryptedResponseAlg() != null && !client.getUserInfoEncryptedResponseAlg().equals(Algorithm.NONE) && client.getUserInfoEncryptedResponseEnc() != null && !client.getUserInfoEncryptedResponseEnc().equals(Algorithm.NONE) && (!Strings.isNullOrEmpty(client.getJwksUri()) || client.getJwks() != null)) { EncryptedJWT encrypted = new EncryptedJWT(new JWEHeader(client.getUserInfoEncryptedResponseAlg(), client.getUserInfoEncryptedResponseEnc()), claims); logger.error("Couldn't find encrypter for client: " + client.getClientId()); if (client.getUserInfoSignedResponseAlg() != null) { signingAlg = client.getUserInfoSignedResponseAlg(); // override with the client's preference if available
Integer count = statsService.getCountForClientId(client.getClientId()).getApprovedSiteCount(); model.put("count", count); if (client.getContacts() != null) { String contacts = Joiner.on(", ").join(client.getContacts()); model.put("contacts", contacts); if (count > 1 && client.getCreatedAt() != null && client.getCreatedAt().before(lastWeek)) { model.put("gras", true); } else {
if (!client.getClientId().equals(requestingClient.getClientId())) { tokenRepository.removeRefreshToken(refreshToken); throw new InvalidClientException("Client does not own the presented refresh token"); if (!client.isAllowRefresh()) { throw new InvalidClientException("Client does not allow refreshing access token!"); if (client.isClearAccessTokensOnRefresh()) { tokenRepository.clearAccessTokensForRefreshToken(refreshToken); if (client.getAccessTokenValiditySeconds() != null) { Date expiration = new Date(System.currentTimeMillis() + (client.getAccessTokenValiditySeconds() * 1000L)); token.setExpiration(expiration); if (client.isReuseRefreshToken()) {
if (client.getTokenEndpointAuthSigningAlg() != null && !client.getTokenEndpointAuthSigningAlg().equals(alg)) { throw new AuthenticationServiceException("Client's registered token endpoint signing algorithm (" + client.getTokenEndpointAuthSigningAlg() + ") does not match token's actual algorithm (" + alg.getName() + ")"); if (client.getTokenEndpointAuthMethod() == null || client.getTokenEndpointAuthMethod().equals(AuthMethod.NONE) || client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_BASIC) || client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_POST)) { } else if ((client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY) && (alg.equals(JWSAlgorithm.RS256) || alg.equals(JWSAlgorithm.RS384) || alg.equals(JWSAlgorithm.PS384) || alg.equals(JWSAlgorithm.PS512))) || (client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT) && (alg.equals(JWSAlgorithm.HS256) || alg.equals(JWSAlgorithm.HS384) if (config.isHeartMode() && !client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY)) { throw new AuthenticationServiceException("[HEART mode] Invalid authentication method"); throw new AuthenticationServiceException("Unable to create signature validator for method " + client.getTokenEndpointAuthMethod() + " and algorithm " + alg); } else if (!jwtClaims.getIssuer().equals(client.getClientId())){ throw new AuthenticationServiceException("Issuers do not match, expected " + client.getClientId() + " got " + jwtClaims.getIssuer()); Set<GrantedAuthority> authorities = new HashSet<>(client.getAuthorities());
@Override public ClientDetailsEntity saveNewClient(ClientDetailsEntity client) { if (client.getId() != null) { // if it's not null, it's already been saved, this is an error throw new IllegalArgumentException("Tried to save a new client with an existing ID: " + client.getId()); if (client.getRegisteredRedirectUri() != null) { for (String uri : client.getRegisteredRedirectUri()) { if (blacklistedSiteService.isBlacklisted(uri)) { throw new IllegalArgumentException("Client URI is blacklisted: " + uri); if (Strings.isNullOrEmpty(client.getClientId())) { client = generateClientId(client); client.setCreatedAt(new Date());
authScopes.addAll(authClient.getScope()); authScopes.addAll(authClient.getScope()); || !authClient.isAllowIntrospection()) { logger.error("Client " + authClient.getClientId() + " is not allowed to call introspection endpoint"); model.addAttribute("code", HttpStatus.FORBIDDEN); return HttpCodeView.VIEWNAME; user = userInfoService.getByUsernameAndClientId(userName, tokenClient.getClientId()); user = userInfoService.getByUsernameAndClientId(userName, tokenClient.getClientId());
/** * Encrypt id token. * * @param client the client * @param idClaims the id claims */ private JWT encryptIdToken(final ClientDetailsEntity client, final JWTClaimsSet.Builder idClaims) { log.debug("Locating encrypter service for client {}", client.getClientId()); final JWTEncryptionAndDecryptionService encrypter = encrypters.getEncrypter(client); if (encrypter == null) { log.error("Couldn't find encrypter for client: {} ", client.getClientId()); return null; } log.debug("Found encrypter service for client {}.", client.getClientId()); final JWTClaimsSet claims = idClaims.build(); final EncryptedJWT idToken = new EncryptedJWT(new JWEHeader(client.getIdTokenEncryptedResponseAlg(), client.getIdTokenEncryptedResponseEnc()), claims); log.debug("Encrypting idToken with response alg {} and response encoding {} and claims {}", client.getIdTokenEncryptedResponseAlg(), client.getIdTokenEncryptedResponseEnc(), claims.getClaims().keySet()); encrypter.encryptJwt(idToken); return idToken; }
@PostConstruct public void bootstrap() { if (definedClients == null || definedClients.isEmpty()) { log.info("No OIDC clients are defined in the application context configuration."); return; } for (final ClientDetailsEntity client : definedClients) { try { log.debug("Attempting to save/update client id [{}] in the repository with redirectUris [{}]", client.getClientId(), client.getRedirectUris()); this.clientRepository.saveClient(client); log.info("Updated client id [{}] in the repository successfully", client.getClientId()); } catch (final Exception e) { log.warn("Could not update client id [{}] in the repository", client.getClientId(), e); } } } }
/** * Delete a client and all its associated tokens */ @Override public void deleteClient(ClientDetailsEntity client) throws InvalidClientException { if (clientRepository.getById(client.getId()) == null) { throw new InvalidClientException("Client with id " + client.getClientId() + " was not found"); } // clean out any tokens that this client had issued tokenRepository.clearTokensForClient(client); // clean out any approved sites for this client approvedSiteService.clearApprovedSitesForClient(client); // clear out any whitelisted sites for this client WhitelistedSite whitelistedSite = whitelistedSiteService.getByClientId(client.getClientId()); if (whitelistedSite != null) { whitelistedSiteService.remove(whitelistedSite); } // clear out resource sets registered for this client Collection<ResourceSet> resourceSets = resourceSetService.getAllForClient(client); for (ResourceSet rs : resourceSets) { resourceSetService.remove(rs); } // take care of the client itself clientRepository.deleteClient(client); statsService.resetCache(); }
Set<String> clientScopes = client.getScope(); request.setScope(clientScopes); if (request.getExtensions().get(MAX_AGE) == null && client.getDefaultMaxAge() != null) { request.getExtensions().put(MAX_AGE, client.getDefaultMaxAge().toString());