List of usage examples for org.springframework.security.oauth2.provider OAuth2Request getExtensions
public Map<String, Serializable> getExtensions()
From source file: org.mitre.oauth2.model.AuthenticationHolderEntity.java
/**
 * Unpacks the given {@link OAuth2Authentication} into this holder entity.
 *
 * <p>Every field of the wrapped {@link OAuth2Request} (authorities, client id, extensions,
 * redirect URI, request parameters, resource ids, response types, scope and the approval
 * flag) is copied through the matching setter. The user authentication, when present, is
 * wrapped in a {@link SavedUserAuthentication}; otherwise {@code userAuth} is cleared.
 *
 * @param authentication the authentication to persist; must not be {@code null}
 */
public void setAuthentication(OAuth2Authentication authentication) {
    final OAuth2Request request = authentication.getOAuth2Request();

    // Request side: one setter per request field.
    setAuthorities(request.getAuthorities());
    setClientId(request.getClientId());
    setExtensions(request.getExtensions());
    setRedirectUri(request.getRedirectUri());
    setRequestParameters(request.getRequestParameters());
    setResourceIds(request.getResourceIds());
    setResponseTypes(request.getResponseTypes());
    setScope(request.getScope());
    setApproved(request.isApproved());

    // User side: only a non-null user authentication is wrapped for storage.
    if (authentication.getUserAuthentication() == null) {
        this.userAuth = null;
    } else {
        this.userAuth = new SavedUserAuthentication(authentication.getUserAuthentication());
    }
}
From source file: com.epam.reportportal.auth.TokenServicesFacade.java
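/**
 * Issues an access token for the given client and user via the password grant.
 *
 * <p>A minimal token request ({@code client_id}, {@code username}, {@code grant=password})
 * is expanded into an {@link OAuth2Request} against the client's registered details; the
 * supplied extension parameters are then merged into the request's extension map before the
 * token services create the access token.
 *
 * @param client             the Report Portal client the token is issued to
 * @param username           the user the token is issued for
 * @param userAuthentication the already established user authentication
 * @param extensionParams    extra request extensions to record on the request; {@code null}
 *                           or empty means none are added
 * @return the newly created access token
 */
public OAuth2AccessToken createToken(ReportPortalClient client, String username, Authentication userAuthentication, Map<String, Serializable> extensionParams) {
    ClientDetails clientDetails = clientDetailsService.loadClientByClientId(client.name());

    // The request factory fills in the rest (scope, resource ids, ...) from the client's
    // registered details, so only the grant-identifying parameters are given here.
    Map<String, String> tokenRequestParams = ImmutableMap.<String, String>builder()
            .put("client_id", client.name())
            .put("username", username)
            .put("grant", "password")
            .build();
    OAuth2Request oAuth2Request = oAuth2RequestFactory.createOAuth2Request(clientDetails,
            oAuth2RequestFactory.createTokenRequest(tokenRequestParams, clientDetails));

    // Callers may pass no extensions at all; Map.putAll(null) would throw an NPE.
    if (extensionParams != null && !extensionParams.isEmpty()) {
        oAuth2Request.getExtensions().putAll(extensionParams);
    }

    return tokenServices.createAccessToken(new OAuth2Authentication(oAuth2Request, userAuthentication));
}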
From source file: net.shibboleth.idp.oidc.client.userinfo.authn.ShibbolethAcrAwareTokenService.java
/**
 * Copies the {@code nonce} request extension into the ID token claims when one was supplied.
 *
 * <p>An absent or empty nonce leaves the claims untouched; the value is expected to be a
 * {@link String} (the cast fails otherwise).
 *
 * @param request  the OAuth2 request whose extensions are inspected
 * @param idClaims the claims builder the nonce claim is added to
 */
private void calculateNonceClaim(final OAuth2Request request, final JWTClaimsSet.Builder idClaims) {
    final Object rawNonce = request.getExtensions().get(ConnectRequestParameters.NONCE);
    final String nonceValue = (String) rawNonce;
    if (Strings.isNullOrEmpty(nonceValue)) {
        return;
    }
    idClaims.claim(ConnectRequestParameters.NONCE, nonceValue);
    log.debug("{} is set to {}", ConnectRequestParameters.NONCE, nonceValue);
}
From source file: net.shibboleth.idp.oidc.client.userinfo.authn.ShibbolethAcrAwareTokenService.java
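/**
 * Adds the {@code auth_time} claim from the request's authentication-time extension.
 *
 * <p>The extension value is read via {@code toString()} and parsed as a millisecond
 * timestamp, then divided by 1000 so the claim is in seconds. When the extension is absent
 * or does not parse as a number the claim is left out and a warning is logged, instead of
 * failing the whole ID token build with an NPE / NumberFormatException.
 *
 * @param request  the OAuth2 request carrying the extensions
 * @param idClaims the claims builder the claim is added to
 */
private void calculateAuthTimeClaim(final OAuth2Request request, final JWTClaimsSet.Builder idClaims) {
    final Object rawAuthTime = request.getExtensions().get(OIDCConstants.AUTH_TIME);
    if (rawAuthTime == null) {
        // Previously this dereferenced a null extension; skip the claim and say why.
        log.warn("Request has no {} extension; {} claim will not be set", OIDCConstants.AUTH_TIME, OIDCConstants.AUTH_TIME);
        return;
    }
    final long authTime;
    try {
        authTime = Long.parseLong(rawAuthTime.toString()) / 1000;
    } catch (final NumberFormatException e) {
        log.warn("Request {} extension value is not a millisecond timestamp: {}", OIDCConstants.AUTH_TIME, rawAuthTime);
        return;
    }
    log.debug("Request contains {} extension. {} set to {}", ConnectRequestParameters.MAX_AGE, OIDCConstants.AUTH_TIME, authTime);
    idClaims.claim(OIDCConstants.AUTH_TIME, authTime);
}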
From source file: org.mitre.oauth2.service.impl.DefaultOAuth2ProviderTokenService.java
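/**
 * Creates and persists a new access token for the given authentication.
 *
 * <p>Steps, in order: resolve the client from the request's client id; build the token with
 * the request's scopes (reserved system scopes removed) and the client's expiry; persist an
 * {@link AuthenticationHolderEntity} for the authentication and attach it; attach a refresh
 * token when the client allows it and the offline scope is present; run the token enhancer;
 * save the token; link it to the approved site named by the {@code approved_site} extension,
 * if any; finally persist the (possibly enhanced) refresh token.
 *
 * @param authentication the authentication the token is issued for
 * @return the saved access token entity
 * @throws AuthenticationCredentialsNotFoundException if {@code authentication} or its
 *         {@link OAuth2Request} is {@code null}
 * @throws InvalidClientException if no client is registered under the request's client id
 */
@Override
public OAuth2AccessTokenEntity createAccessToken(OAuth2Authentication authentication) throws AuthenticationException, InvalidClientException {
    if (authentication == null || authentication.getOAuth2Request() == null) {
        throw new AuthenticationCredentialsNotFoundException("No authentication credentials found");
    }

    // look up our client
    OAuth2Request clientAuth = authentication.getOAuth2Request();
    ClientDetailsEntity client = clientDetailsService.loadClientByClientId(clientAuth.getClientId());
    if (client == null) {
        throw new InvalidClientException("Client not found: " + clientAuth.getClientId());
    }

    OAuth2AccessTokenEntity token = new OAuth2AccessTokenEntity();

    // attach the client
    token.setClient(client);

    // inherit the scope from the auth, but make a new set so it is not unmodifiable.
    // Unmodifiables don't play nicely with Eclipselink, which wants to use the clone operation.
    Set<SystemScope> scopes = scopeService.fromStrings(clientAuth.getScope());

    // remove any of the special system scopes
    scopes = scopeService.removeReservedScopes(scopes);
    token.setScope(scopeService.toStrings(scopes));

    // make it expire if necessary (a validity of 0 or null means no expiry is set)
    if (client.getAccessTokenValiditySeconds() != null && client.getAccessTokenValiditySeconds() > 0) {
        Date expiration = new Date(System.currentTimeMillis() + (client.getAccessTokenValiditySeconds() * 1000L));
        token.setExpiration(expiration);
    }

    // attach the authorization so that we can look it up later
    AuthenticationHolderEntity authHolder = new AuthenticationHolderEntity();
    authHolder.setAuthentication(authentication);
    authHolder = authenticationHolderRepository.save(authHolder);
    token.setAuthenticationHolder(authHolder);

    // attach a refresh token, if this client is allowed to request them and the user gets the offline scope
    if (client.isAllowRefresh() && token.getScope().contains(SystemScopeService.OFFLINE_ACCESS)) {
        OAuth2RefreshTokenEntity savedRefreshToken = createRefreshToken(client, authHolder);
        token.setRefreshToken(savedRefreshToken);
    }

    OAuth2AccessTokenEntity enhancedToken = (OAuth2AccessTokenEntity) tokenEnhancer.enhance(token, authentication);
    OAuth2AccessTokenEntity savedToken = tokenRepository.saveAccessToken(enhancedToken);

    // Add approved site reference, if any. The extension is read from the persisted holder's
    // request; NOTE(review): presumably only the server's approval flow sets approved_site —
    // confirm it cannot arrive from the client, since it selects which ApprovedSite is updated.
    linkTokenToApprovedSite(authHolder.getAuthentication().getOAuth2Request(), savedToken);

    if (savedToken.getRefreshToken() != null) {
        tokenRepository.saveRefreshToken(savedToken.getRefreshToken()); // make sure we save any changes that might have been enhanced
    }

    return savedToken;
}

/**
 * Records {@code savedToken} on the approved site named by the request's
 * {@code approved_site} extension; does nothing when the extension is absent or the
 * approved site no longer exists.
 *
 * @param originalAuthRequest the request whose extensions are inspected
 * @param savedToken          the already persisted access token to link
 */
private void linkTokenToApprovedSite(OAuth2Request originalAuthRequest, OAuth2AccessTokenEntity savedToken) {
    if (originalAuthRequest.getExtensions() == null || !originalAuthRequest.getExtensions().containsKey("approved_site")) {
        return;
    }
    Long apId = Long.parseLong((String) originalAuthRequest.getExtensions().get("approved_site"));
    ApprovedSite ap = approvedSiteService.getById(apId);
    if (ap == null) {
        // The approval may have been removed between authorization and token issuance;
        // the token is already saved, so leave it unlinked rather than fail with an NPE.
        return;
    }
    Set<OAuth2AccessTokenEntity> apTokens = ap.getApprovedAccessTokens();
    apTokens.add(savedToken);
    ap.setApprovedAccessTokens(apTokens);
    approvedSiteService.save(ap);
}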
From source file: org.mitre.openid.connect.service.impl.DefaultOIDCTokenService.java
/**
 * Builds the ID token entity for the given client, request and access token.
 *
 * <p>Claims set here: {@code auth_time} (only when requested via {@code max_age} /
 * {@code idtoken} extensions or the client's require-auth-time flag, and only if the
 * authentication timestamp extension is present), {@code iat}, {@code exp} (when the client
 * has an ID token validity), {@code iss}, {@code sub}, {@code aud}, a random {@code jti},
 * {@code nonce} (when supplied) and {@code at_hash} (when the response types include
 * {@code token}). The claims are then either encrypted (when the client has a JWE alg/enc
 * and a JWKS) or signed — with the client's secret for HS256/384/512, otherwise with the
 * server's key — or left plain when the signing algorithm is {@code none}.
 *
 * @param client      the client the ID token is issued to
 * @param request     the OAuth2 request carrying the request extensions
 * @param issueTime   the issue time recorded in the {@code iat} claim
 * @param sub         the subject identifier
 * @param accessToken the access token this ID token accompanies (used for {@code at_hash},
 *                    the authentication holder and the client)
 * @return the ID token entity; NOTE(review): when encryption is configured but no encrypter
 *         is found for the client, the entity is returned with no JWT set
 */
@Override
public OAuth2AccessTokenEntity createIdToken(ClientDetailsEntity client, OAuth2Request request, Date issueTime, String sub, OAuth2AccessTokenEntity accessToken) {
    // The client's registered signing algorithm overrides the server default.
    JWSAlgorithm signingAlg = jwtService.getDefaultSigningAlgorithm();
    if (client.getIdTokenSignedResponseAlg() != null) {
        signingAlg = client.getIdTokenSignedResponseAlg();
    }
    OAuth2AccessTokenEntity idTokenEntity = new OAuth2AccessTokenEntity();
    JWTClaimsSet.Builder idClaims = new JWTClaimsSet.Builder();
    // if the auth time claim was explicitly requested OR if the client always wants the auth time, put it in
    if (request.getExtensions().containsKey("max_age") || (request.getExtensions().containsKey("idtoken")) // TODO: parse the ID Token claims (#473) -- for now assume it could be in there
            || (client.getRequireAuthTime() != null && client.getRequireAuthTime())) {
        if (request.getExtensions().get(AuthenticationTimeStamper.AUTH_TIMESTAMP) != null) {
            // The extension holds a millisecond timestamp as a String; a non-numeric value
            // would surface here as a NumberFormatException.
            Long authTimestamp = Long.parseLong((String) request.getExtensions().get(AuthenticationTimeStamper.AUTH_TIMESTAMP));
            // parseLong yields a primitive, so this check is always true (kept as-is).
            if (authTimestamp != null) {
                idClaims.claim("auth_time", authTimestamp / 1000L); // claim is in seconds
            }
        } else {
            // we couldn't find the timestamp!
            logger.warn("Unable to find authentication timestamp! There is likely something wrong with the configuration.");
        }
    }
    idClaims.issueTime(issueTime);
    // Expiry is mirrored on both the JWT claims and the entity.
    if (client.getIdTokenValiditySeconds() != null) {
        Date expiration = new Date(System.currentTimeMillis() + (client.getIdTokenValiditySeconds() * 1000L));
        idClaims.expirationTime(expiration);
        idTokenEntity.setExpiration(expiration);
    }
    idClaims.issuer(configBean.getIssuer());
    idClaims.subject(sub);
    idClaims.audience(Lists.newArrayList(client.getClientId()));
    idClaims.jwtID(UUID.randomUUID().toString());
    // set a random NONCE in the middle of it
    String nonce = (String) request.getExtensions().get("nonce");
    if (!Strings.isNullOrEmpty(nonce)) {
        idClaims.claim("nonce", nonce);
    }
    Set<String> responseTypes = request.getResponseTypes();
    if (responseTypes.contains("token")) {
        // calculate the token hash
        Base64URL at_hash = IdTokenHashUtils.getAccessTokenHash(signingAlg, accessToken);
        idClaims.claim("at_hash", at_hash);
    }
    // Encryption is used only when the client has both a JWE alg and enc (neither "none")
    // and a way to obtain its keys (JWKS URI or inline JWKS).
    if (client.getIdTokenEncryptedResponseAlg() != null && !client.getIdTokenEncryptedResponseAlg().equals(Algorithm.NONE) && client.getIdTokenEncryptedResponseEnc() != null && !client.getIdTokenEncryptedResponseEnc().equals(Algorithm.NONE) && (!Strings.isNullOrEmpty(client.getJwksUri()) || client.getJwks() != null)) {
        JWTEncryptionAndDecryptionService encrypter = encrypters.getEncrypter(client);
        if (encrypter != null) {
            EncryptedJWT idToken = new EncryptedJWT(new JWEHeader(client.getIdTokenEncryptedResponseAlg(), client.getIdTokenEncryptedResponseEnc()), idClaims.build());
            encrypter.encryptJwt(idToken);
            idTokenEntity.setJwt(idToken);
        } else {
            // No setJwt on this path: the entity leaves this method without a token.
            logger.error("Couldn't find encrypter for client: " + client.getClientId());
        }
    } else {
        JWT idToken;
        if (signingAlg.equals(Algorithm.NONE)) {
            // unsigned ID token
            idToken = new PlainJWT(idClaims.build());
        } else {
            // signed ID token
            if (signingAlg.equals(JWSAlgorithm.HS256) || signingAlg.equals(JWSAlgorithm.HS384) || signingAlg.equals(JWSAlgorithm.HS512)) {
                // HMAC: the server's default key id is still placed in the header, although
                // the signature is made with the client's symmetric secret.
                JWSHeader header = new JWSHeader(signingAlg, null, null, null, null, null, null, null, null, null, jwtService.getDefaultSignerKeyId(), null, null);
                idToken = new SignedJWT(header, idClaims.build());
                JWTSigningAndValidationService signer = symmetricCacheService.getSymmetricValidtor(client);
                // sign it with the client's secret
                signer.signJwt((SignedJWT) idToken);
            } else {
                // Asymmetric: the key id is recorded both as a "kid" claim and in the header.
                idClaims.claim("kid", jwtService.getDefaultSignerKeyId());
                JWSHeader header = new JWSHeader(signingAlg, null, null, null, null, null, null, null, null, null, jwtService.getDefaultSignerKeyId(), null, null);
                idToken = new SignedJWT(header, idClaims.build());
                // sign it with the server's key
                jwtService.signJwt((SignedJWT) idToken);
            }
        }
        idTokenEntity.setJwt(idToken);
    }
    idTokenEntity.setAuthenticationHolder(accessToken.getAuthenticationHolder());
    // create a scope set with just the special "id-token" scope
    //Set<String> idScopes = new HashSet<String>(token.getScope()); // this would copy the original token's scopes in, we don't really want that
    Set<String> idScopes = Sets.newHashSet(SystemScopeService.ID_TOKEN_SCOPE);
    idTokenEntity.setScope(idScopes);
    idTokenEntity.setClient(accessToken.getClient());
    return idTokenEntity;
}
From source file: net.shibboleth.idp.oidc.client.userinfo.authn.ShibbolethAcrAwareTokenService.java
/**
 * Builds the ID token entity for the given client, request and access token.
 *
 * <p>The claims are assembled through the {@code calculate*Claim} helpers ({@code auth_time},
 * {@code amr}/{@code acr}, {@code exp}, {@code nonce}, {@code at_hash}) plus the standard
 * {@code iat}, {@code iss}, {@code sub}, {@code aud} and a random {@code jti}. The resulting
 * claim set is encrypted when the client is configured for JWE (alg and enc both set and not
 * {@code none}, plus a JWKS URI or inline JWKS); otherwise it is signed. The entity is then
 * bound to the access token's authentication holder and client, with only the special
 * id-token scope.
 *
 * @param client      the client the ID token is issued to
 * @param request     the OAuth2 request carrying the request extensions
 * @param issueTime   the issue time recorded in the {@code iat} claim
 * @param sub         the subject identifier
 * @param accessToken the access token this ID token accompanies
 * @return the populated ID token entity
 */
@Override
public OAuth2AccessTokenEntity createIdToken(final ClientDetailsEntity client, final OAuth2Request request, final Date issueTime, final String sub, final OAuth2AccessTokenEntity accessToken) {
    // Server default, overridden by the client's registered signing algorithm when present.
    JWSAlgorithm signingAlg = jwtService.getDefaultSigningAlgorithm();
    final JWSAlgorithm clientSigningAlg = client.getIdTokenSignedResponseAlg();
    if (clientSigningAlg != null) {
        signingAlg = clientSigningAlg;
    }

    final OAuth2AccessTokenEntity idTokenEntity = new OAuth2AccessTokenEntity();
    final JWTClaimsSet.Builder idClaims = new JWTClaimsSet.Builder();

    log.debug("Request {} extension {}", ConnectRequestParameters.MAX_AGE, request.getExtensions().get(ConnectRequestParameters.MAX_AGE));
    log.debug("Request {} extension {}", OIDCConstants.ID_TOKEN, request.getExtensions().get(OIDCConstants.ID_TOKEN));
    log.debug("Client require authN time {}", client.getRequireAuthTime());

    // Claims, in the same order they are computed below.
    calculateAuthTimeClaim(request, idClaims);
    idClaims.issueTime(issueTime);
    calculateAmrAndAcrClaims(accessToken, idClaims);
    calculateExpirationClaim(client, idTokenEntity, idClaims);

    final String issuer = configBean.getIssuer();
    idClaims.issuer(issuer);
    log.debug("issuer is set to {}", issuer);

    idClaims.subject(sub);
    log.debug("sub is set to {}", sub);

    final String clientId = client.getClientId();
    idClaims.audience(Lists.newArrayList(clientId));
    log.debug("audience is set to {}", clientId);

    final String jwtId = UUID.randomUUID().toString();
    idClaims.jwtID(jwtId);
    log.debug("JWT id is set to {}", jwtId);

    calculateNonceClaim(request, idClaims);

    final Set<String> responseTypes = request.getResponseTypes();
    calculateAtHashClaim(accessToken, signingAlg, idClaims, responseTypes);

    // JWE is used only when alg and enc are both configured (and not "none") and the
    // client's keys are reachable via a JWKS URI or an inline JWKS.
    final boolean encryptionConfigured =
            client.getIdTokenEncryptedResponseAlg() != null
            && !client.getIdTokenEncryptedResponseAlg().equals(Algorithm.NONE)
            && client.getIdTokenEncryptedResponseEnc() != null
            && !client.getIdTokenEncryptedResponseEnc().equals(Algorithm.NONE)
            && (!Strings.isNullOrEmpty(client.getJwksUri()) || client.getJwks() != null);
    if (encryptionConfigured) {
        encryptIdToken(client, idTokenEntity, idClaims);
    } else {
        signIdToken(client, signingAlg, idTokenEntity, idClaims);
    }

    log.debug("Mapping the idToken to the authentication of client {}", accessToken.getAuthenticationHolder().getClientId());
    idTokenEntity.setAuthenticationHolder(accessToken.getAuthenticationHolder());

    // create a scope set with just the special "id-token" scope
    final Set<String> idScopes = Sets.newHashSet(SystemScopeService.ID_TOKEN_SCOPE);
    idTokenEntity.setScope(idScopes);
    log.debug("Configured scopes for the idToken scope {} are {}", SystemScopeService.ID_TOKEN_SCOPE, idScopes);

    idTokenEntity.setClient(accessToken.getClient());
    return idTokenEntity;
}