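/**
 * Response filter hook: attaches an {@code id_token} parameter to the client-facing
 * access token when the client was granted the "openid" scope.
 *
 * @param ct the token representation returned to the client (receives the id_token)
 * @param st the server-side token the id_token is derived from
 */
@Override
public void process(ClientAccessToken ct, ServerAccessToken st) {
    // Hybrid flow issued through the implicit grant ("code token" response type):
    // no id_token is returned at this point. It is added later, by this same filter,
    // when the authorization code is exchanged for the access token.
    if (OidcUtils.CODE_AT_RESPONSE_TYPE.equals(st.getResponseType())
        && OAuthConstants.IMPLICIT_GRANT.equals(st.getGrantType())) {
        return;
    }

    // An id_token is only issued to a client that was granted the "openid" scope.
    // The approved scope is a space-separated list, so compare whole scope values:
    // a plain substring test would also accept e.g. "openid_profile" or "xopenid".
    String approvedScope = ct.getApprovedScope();
    if (approvedScope == null) {
        return;
    }
    boolean openIdApproved = false;
    for (String scope : approvedScope.trim().split("\\s+")) {
        if (OidcUtils.OPENID_SCOPE.equals(scope)) {
            openIdApproved = true;
            break;
        }
    }
    if (!openIdApproved) {
        return;
    }

    String idToken = getProcessedIdToken(st);
    if (idToken != null) {
        ct.getParameters().put(OidcUtils.ID_TOKEN, idToken);
    }
}

private String getProcessedIdToken(ServerAccessToken st) {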
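/**
 * Adds the OIDC {@code id_token} to the client access token, but only for clients
 * whose approved scope includes "openid" and only outside the hybrid/implicit case
 * handled below.
 *
 * @param ct the client-facing token whose parameters receive the id_token
 * @param st the server token used to build the id_token
 */
@Override
public void process(ClientAccessToken ct, ServerAccessToken st) {
    // Token post-processing for the hybrid (implicit) flow with a "code token"
    // response type: the id_token is withheld now and attached by this filter
    // once the code is exchanged for the access token.
    if (OidcUtils.CODE_AT_RESPONSE_TYPE.equals(st.getResponseType())
        && OAuthConstants.IMPLICIT_GRANT.equals(st.getGrantType())) {
        return;
    }

    // Only add an id_token if "openid" is one of the approved scope values.
    // Scopes are space-separated; match exact values instead of a substring, which
    // would wrongly treat e.g. "openid_profile" as "openid".
    if (!containsExactScope(ct.getApprovedScope(), OidcUtils.OPENID_SCOPE)) {
        return;
    }

    String idToken = getProcessedIdToken(st);
    if (idToken != null) {
        ct.getParameters().put(OidcUtils.ID_TOKEN, idToken);
    }
}

/**
 * @param scopeList space-separated scope string, may be null
 * @param wanted the exact scope value to look for
 * @return true if {@code wanted} is one of the values in {@code scopeList}
 */
private static boolean containsExactScope(String scopeList, String wanted) {
    if (scopeList == null) {
        return false;
    }
    for (String scope : scopeList.trim().split("\\s+")) {
        if (wanted.equals(scope)) {
            return true;
        }
    }
    return false;
}

private String getProcessedIdToken(ServerAccessToken st) {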
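/**
 * Builds the implicit-grant redirect: the newly issued access token is appended to the
 * redirect URI as fragment parameters (the fragment is not transmitted to the server
 * behind the redirect URI), i.e. {@code access_token}, {@code token_type} and,
 * when optional parameters are enabled, {@code expires_in}, {@code scope} and any extra
 * token parameters such as an {@code id_token}.
 *
 * @param state the redirection state (carries the redirect URI)
 * @param client the client the token is issued to
 * @param requestedScope scopes the client requested
 * @param approvedScope scopes the end user approved
 * @param userSubject the authenticated end user
 * @param preAuthorizedToken a previously issued token handed to getClientAccessToken
 * @return the redirect URI with the token fragment appended and finalized
 */
protected StringBuilder prepareRedirectResponse(OAuthRedirectionState state,
                                                Client client,
                                                List<String> requestedScope,
                                                List<String> approvedScope,
                                                UserSubject userSubject,
                                                ServerAccessToken preAuthorizedToken) {
    ClientAccessToken clientToken = getClientAccessToken(state, client, requestedScope,
                                                         approvedScope, userSubject,
                                                         preAuthorizedToken);

    // return the token by appending it as a fragment parameter to the redirect URI
    StringBuilder sb = getUriWithFragment(state.getRedirectUri());
    sb.append(OAuthConstants.ACCESS_TOKEN).append('=').append(clientToken.getTokenKey());
    sb.append('&').append(OAuthConstants.ACCESS_TOKEN_TYPE).append('=')
        .append(clientToken.getTokenType());

    if (isWriteOptionalParameters()) {
        // -1 is the "no expiry" marker (the JSON token writer omits expires_in for it);
        // do the same here instead of handing the client a meaningless negative value.
        if (clientToken.getExpiresIn() != -1) {
            sb.append('&').append(OAuthConstants.ACCESS_TOKEN_EXPIRES_IN)
                .append('=').append(clientToken.getExpiresIn());
        }
        if (!StringUtils.isEmpty(clientToken.getApprovedScope())) {
            sb.append('&').append(OAuthConstants.SCOPE).append('=')
                .append(HttpUtils.queryEncode(clientToken.getApprovedScope()));
        }
        // Extra parameter values are percent-encoded: they are not guaranteed to be
        // fragment-safe (an id_token is, but arbitrary parameters need not be).
        for (Map.Entry<String, String> entry : clientToken.getParameters().entrySet()) {
            sb.append('&').append(entry.getKey()).append('=')
                .append(HttpUtils.queryEncode(entry.getValue()));
        }
    }
    if (clientToken.getRefreshToken() != null) {
        processRefreshToken(sb, clientToken.getRefreshToken());
    }
    finalizeResponse(sb, state);
    return sb;
}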
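/**
 * Prepares the implicit-flow redirect URI: the issued access token travels in the URI
 * fragment ({@code access_token}, {@code token_type}, optionally {@code expires_in},
 * {@code scope} and the token's extra parameters), followed by refresh-token and
 * finalization handling delegated to the overridable helpers.
 *
 * @param state redirection state holding the redirect URI
 * @param client the requesting client
 * @param requestedScope scopes requested by the client
 * @param approvedScope scopes approved by the end user
 * @param userSubject the authenticated end user
 * @param preAuthorizedToken token passed through to getClientAccessToken
 * @return the completed redirect URI
 */
protected StringBuilder prepareRedirectResponse(OAuthRedirectionState state,
                                                Client client,
                                                List<String> requestedScope,
                                                List<String> approvedScope,
                                                UserSubject userSubject,
                                                ServerAccessToken preAuthorizedToken) {
    ClientAccessToken issued = getClientAccessToken(state, client, requestedScope,
                                                    approvedScope, userSubject,
                                                    preAuthorizedToken);

    // The token goes into the fragment part of the redirect URI.
    StringBuilder uri = getUriWithFragment(state.getRedirectUri());
    uri.append(OAuthConstants.ACCESS_TOKEN).append("=").append(issued.getTokenKey());
    uri.append("&");
    uri.append(OAuthConstants.ACCESS_TOKEN_TYPE).append("=").append(issued.getTokenType());

    if (isWriteOptionalParameters()) {
        // Consistent with the JSON writer: expires_in of -1 means "unknown" and is omitted.
        if (issued.getExpiresIn() != -1) {
            uri.append("&").append(OAuthConstants.ACCESS_TOKEN_EXPIRES_IN)
                .append("=").append(issued.getExpiresIn());
        }
        String scope = issued.getApprovedScope();
        if (!StringUtils.isEmpty(scope)) {
            uri.append("&").append(OAuthConstants.SCOPE).append("=")
                .append(HttpUtils.queryEncode(scope));
        }
        // Extra parameters (e.g. id_token) are encoded because their values are opaque.
        for (Map.Entry<String, String> extra : issued.getParameters().entrySet()) {
            uri.append("&").append(extra.getKey()).append("=")
                .append(HttpUtils.queryEncode(extra.getValue()));
        }
    }
    String refreshToken = issued.getRefreshToken();
    if (refreshToken != null) {
        processRefreshToken(uri, refreshToken);
    }
    finalizeResponse(uri, state);
    return uri;
}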
/**
 * Serializes {@code obj} as the OAuth2 access-token JSON response and writes it to
 * {@code os} as UTF-8: {@code access_token} and {@code token_type} always, then
 * {@code expires_in}, {@code scope}, {@code refresh_token} when present, then every
 * extra parameter of the token.
 *
 * @param obj the token to serialize
 * @param os the destination stream; flushed but not closed
 * @throws IOException if writing to {@code os} fails
 */
private void writeAccessToken(ClientAccessToken obj, OutputStream os) throws IOException {
    StringBuilder json = new StringBuilder("{");

    // Mandatory members.
    appendJsonPair(json, OAuthConstants.ACCESS_TOKEN, obj.getTokenKey());
    json.append(',');
    appendJsonPair(json, OAuthConstants.ACCESS_TOKEN_TYPE, obj.getTokenType());

    // Optional members; -1 is the "no expiry" marker and is left out.
    if (obj.getExpiresIn() != -1) {
        json.append(',');
        appendJsonPair(json, OAuthConstants.ACCESS_TOKEN_EXPIRES_IN, obj.getExpiresIn(), false);
    }
    String scope = obj.getApprovedScope();
    if (scope != null) {
        json.append(',');
        appendJsonPair(json, OAuthConstants.SCOPE, scope);
    }
    String refreshToken = obj.getRefreshToken();
    if (refreshToken != null) {
        json.append(',');
        appendJsonPair(json, OAuthConstants.REFRESH_TOKEN, refreshToken);
    }

    // Extra parameters (e.g. id_token) are emitted through the same helper.
    // NOTE(review): this relies on appendJsonPair escaping keys and values - confirm.
    for (Map.Entry<String, String> extra : obj.getParameters().entrySet()) {
        json.append(',');
        appendJsonPair(json, extra.getKey(), extra.getValue());
    }
    json.append('}');

    os.write(json.toString().getBytes(StandardCharsets.UTF_8));
    os.flush();
}
/**
 * Writes the JSON token response for {@code obj} to {@code os} (UTF-8).
 * Member order: access_token, token_type, [expires_in], [scope], [refresh_token],
 * then the token's extra parameters in map iteration order.
 *
 * @param obj token to write
 * @param os output stream, flushed after the write
 * @throws IOException on write failure
 */
private void writeAccessToken(ClientAccessToken obj, OutputStream os) throws IOException {
    StringBuilder out = new StringBuilder();
    out.append('{');
    appendJsonPair(out, OAuthConstants.ACCESS_TOKEN, obj.getTokenKey());
    out.append(',');
    appendJsonPair(out, OAuthConstants.ACCESS_TOKEN_TYPE, obj.getTokenType());

    // expires_in is only written when the token actually carries an expiry (-1 = none).
    boolean hasExpiry = obj.getExpiresIn() != -1;
    if (hasExpiry) {
        out.append(',');
        appendJsonPair(out, OAuthConstants.ACCESS_TOKEN_EXPIRES_IN, obj.getExpiresIn(), false);
    }
    boolean hasScope = obj.getApprovedScope() != null;
    if (hasScope) {
        out.append(',');
        appendJsonPair(out, OAuthConstants.SCOPE, obj.getApprovedScope());
    }
    boolean hasRefreshToken = obj.getRefreshToken() != null;
    if (hasRefreshToken) {
        out.append(',');
        appendJsonPair(out, OAuthConstants.REFRESH_TOKEN, obj.getRefreshToken());
    }

    // Extra parameters; NOTE(review): assumes appendJsonPair JSON-escapes them - confirm.
    for (Map.Entry<String, String> param : obj.getParameters().entrySet()) {
        out.append(',');
        appendJsonPair(out, param.getKey(), param.getValue());
    }
    out.append('}');

    byte[] encoded = out.toString().getBytes(StandardCharsets.UTF_8);
    os.write(encoded);
    os.flush();
}
/**
 * Authorization code flow requesting "openid read_balance": the token response must
 * carry both approved scopes and a valid id_token.
 */
@org.junit.Test
public void testAuthorizationCodeFlowWithScope() throws Exception {
    URL busFile = OIDCFlowTest.class.getResource("client.xml");
    String address = "https://localhost:" + port + "/services/";

    // Step 1: the end user (alice) authorizes and obtains an authorization code.
    WebClient userClient = WebClient.create(address, OAuth2TestUtils.setupProviders(),
                                            "alice", "security", busFile.toString());
    // Keep the session cookie for the second request
    WebClient.getConfig(userClient).getRequestContext()
        .put(org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);
    String code = OAuth2TestUtils.getAuthorizationCode(userClient, "openid read_balance");
    assertNotNull(code);

    // Step 2: the client exchanges the code for an access token.
    WebClient tokenClient = WebClient.create(address, OAuth2TestUtils.setupProviders(),
                                             "consumer-id", "this-is-a-secret",
                                             busFile.toString());
    // Keep the session cookie for the second request
    WebClient.getConfig(tokenClient).getRequestContext()
        .put(org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);
    ClientAccessToken accessToken =
        OAuth2TestUtils.getAccessTokenWithAuthorizationCode(tokenClient, code);

    assertNotNull(accessToken.getTokenKey());
    String scope = accessToken.getApprovedScope();
    assertTrue(scope.contains("openid"));
    assertTrue(scope.contains("read_balance"));

    // "openid" was approved, so an id_token must be present.
    String idToken = accessToken.getParameters().get("id_token");
    assertNotNull(idToken);
    validateIdToken(idToken, null);

    if (isAccessTokenInJWTFormat()) {
        validateAccessToken(accessToken.getTokenKey());
    }
}
/**
 * Plain OAuth2 authorization code flow (scope "read_balance", no "openid"): the
 * token response must not contain an id_token.
 */
@org.junit.Test
public void testAuthorizationCodeOAuth() throws Exception {
    URL busFile = OIDCFlowTest.class.getResource("client.xml");
    String address = "https://localhost:" + port + "/services/";

    // Authorization request as the end user; the session cookie is kept for the
    // follow-up request.
    WebClient userClient = WebClient.create(address, OAuth2TestUtils.setupProviders(),
                                            "alice", "security", busFile.toString());
    WebClient.getConfig(userClient).getRequestContext()
        .put(org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);
    String code = OAuth2TestUtils.getAuthorizationCode(userClient, "read_balance");
    assertNotNull(code);

    // Token request as the client.
    WebClient tokenClient = WebClient.create(address, OAuth2TestUtils.setupProviders(),
                                             "consumer-id", "this-is-a-secret",
                                             busFile.toString());
    WebClient.getConfig(tokenClient).getRequestContext()
        .put(org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);
    ClientAccessToken accessToken =
        OAuth2TestUtils.getAccessTokenWithAuthorizationCode(tokenClient, code);
    assertNotNull(accessToken.getTokenKey());

    // Without the "openid" scope no id_token may be issued.
    assertNull(accessToken.getParameters().get("id_token"));
    assertFalse(accessToken.getApprovedScope().contains("openid"));

    if (isAccessTokenInJWTFormat()) {
        validateAccessToken(accessToken.getTokenKey());
    }
}
/**
 * Basic OIDC authorization code flow with scope "openid": the access token must
 * carry that scope and a valid id_token.
 */
@org.junit.Test
public void testAuthorizationCodeFlow() throws Exception {
    URL busFile = OIDCFlowTest.class.getResource("client.xml");
    String address = "https://localhost:" + port + "/services/";

    // End-user authorization; keep the session cookie for the second request.
    WebClient userClient = WebClient.create(address, OAuth2TestUtils.setupProviders(),
                                            "alice", "security", busFile.toString());
    WebClient.getConfig(userClient).getRequestContext()
        .put(org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);
    String code = OAuth2TestUtils.getAuthorizationCode(userClient, "openid");
    assertNotNull(code);

    // Code-for-token exchange as the client.
    WebClient tokenClient = WebClient.create(address, OAuth2TestUtils.setupProviders(),
                                             "consumer-id", "this-is-a-secret",
                                             busFile.toString());
    WebClient.getConfig(tokenClient).getRequestContext()
        .put(org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);
    ClientAccessToken accessToken =
        OAuth2TestUtils.getAccessTokenWithAuthorizationCode(tokenClient, code);

    assertNotNull(accessToken.getTokenKey());
    assertTrue(accessToken.getApprovedScope().contains("openid"));

    String idToken = accessToken.getParameters().get("id_token");
    assertNotNull(idToken);
    validateIdToken(idToken, null);

    if (isAccessTokenInJWTFormat()) {
        validateAccessToken(accessToken.getTokenKey());
    }
}
OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code); assertNotNull(accessToken.getTokenKey()); assertTrue(accessToken.getApprovedScope().contains("openid"));
OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code); assertNotNull(accessToken.getTokenKey()); assertTrue(accessToken.getApprovedScope().contains("openid"));
/**
 * OIDC authorization code flow where the authorization request carries a state value
 * ("123456789", the last getAuthorizationCode argument); the resulting token must still
 * carry the "openid" scope and a valid id_token.
 */
@org.junit.Test
public void testAuthorizationCodeFlowWithState() throws Exception {
    URL busFile = OIDCFlowTest.class.getResource("client.xml");
    String address = "https://localhost:" + port + "/services/";

    // End-user authorization; keep the session cookie for the second request.
    WebClient userClient = WebClient.create(address, OAuth2TestUtils.setupProviders(),
                                            "alice", "security", busFile.toString());
    WebClient.getConfig(userClient).getRequestContext()
        .put(org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);
    String code = OAuth2TestUtils.getAuthorizationCode(userClient, "openid",
                                                       "consumer-id", null, "123456789");
    assertNotNull(code);

    // Code-for-token exchange as the client.
    WebClient tokenClient = WebClient.create(address, OAuth2TestUtils.setupProviders(),
                                             "consumer-id", "this-is-a-secret",
                                             busFile.toString());
    WebClient.getConfig(tokenClient).getRequestContext()
        .put(org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);
    ClientAccessToken accessToken =
        OAuth2TestUtils.getAccessTokenWithAuthorizationCode(tokenClient, code);

    assertNotNull(accessToken.getTokenKey());
    assertTrue(accessToken.getApprovedScope().contains("openid"));

    String idToken = accessToken.getParameters().get("id_token");
    assertNotNull(idToken);
    validateIdToken(idToken, null);

    if (isAccessTokenInJWTFormat()) {
        validateAccessToken(accessToken.getTokenKey());
    }
}
/**
 * OIDC authorization code flow with a nonce ("123456789") in the authorization
 * request; the id_token is validated against that same nonce.
 */
@org.junit.Test
public void testAuthorizationCodeFlowWithNonce() throws Exception {
    URL busFile = OIDCFlowTest.class.getResource("client.xml");
    String address = "https://localhost:" + port + "/services/";
    String nonce = "123456789";

    // End-user authorization; keep the session cookie for the second request.
    WebClient userClient = WebClient.create(address, OAuth2TestUtils.setupProviders(),
                                            "alice", "security", busFile.toString());
    WebClient.getConfig(userClient).getRequestContext()
        .put(org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);
    String code = OAuth2TestUtils.getAuthorizationCode(userClient, "openid",
                                                       "consumer-id", nonce, null);
    assertNotNull(code);

    // Code-for-token exchange as the client.
    WebClient tokenClient = WebClient.create(address, OAuth2TestUtils.setupProviders(),
                                             "consumer-id", "this-is-a-secret",
                                             busFile.toString());
    WebClient.getConfig(tokenClient).getRequestContext()
        .put(org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);
    ClientAccessToken accessToken =
        OAuth2TestUtils.getAccessTokenWithAuthorizationCode(tokenClient, code);

    assertNotNull(accessToken.getTokenKey());
    assertTrue(accessToken.getApprovedScope().contains("openid"));

    // The id_token must echo the nonce sent in the authorization request.
    String idToken = accessToken.getParameters().get("id_token");
    assertNotNull(idToken);
    validateIdToken(idToken, nonce);

    if (isAccessTokenInJWTFormat()) {
        validateAccessToken(accessToken.getTokenKey());
    }
}
OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code); assertNotNull(accessToken.getTokenKey()); assertTrue(accessToken.getApprovedScope().contains("openid"));
OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code); assertNotNull(accessToken.getTokenKey()); assertTrue(accessToken.getApprovedScope().contains("openid"));
assertTrue(accessToken.getApprovedScope().contains("read_balance")); assertEquals(tokenIntrospection.getUsername(), "alice"); assertEquals(tokenIntrospection.getClientId(), "consumer-id"); assertEquals(tokenIntrospection.getScope(), accessToken.getApprovedScope()); Long validity = tokenIntrospection.getExp() - tokenIntrospection.getIat(); assertTrue(validity == accessToken.getExpiresIn());
OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code); assertNotNull(accessToken.getTokenKey()); assertTrue(accessToken.getApprovedScope().contains("openid"));
assertEquals(tokenIntrospection.getUsername(), "alice"); assertEquals(tokenIntrospection.getClientId(), "consumer-id-aud"); assertEquals(tokenIntrospection.getScope(), accessToken.getApprovedScope()); Long validity = tokenIntrospection.getExp() - tokenIntrospection.getIat(); assertTrue(validity == accessToken.getExpiresIn());
OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code); assertNotNull(accessToken.getTokenKey()); assertTrue(accessToken.getApprovedScope().contains("openid")); assertNotNull(accessToken.getRefreshToken());
assertEquals(tokenIntrospection.getUsername(), "alice"); assertEquals(tokenIntrospection.getClientId(), "consumer-id"); assertEquals(tokenIntrospection.getScope(), accessToken.getApprovedScope()); Long validity = tokenIntrospection.getExp() - tokenIntrospection.getIat(); assertTrue(validity == accessToken.getExpiresIn());