Commit 5b14ca78 authored by bimmel's avatar bimmel

Add some OidcUserObjects

parent 1a0aa78f
/*******************************************************************************
* Copyright (c) 2014 Michael Simon.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the GNU Public License v3.0
* which accompanies this distribution, and is available at
* http://www.gnu.org/licenses/gpl.html
*
* Contributors:
* Michael Simon - initial
******************************************************************************/
package edu.kit.scc.webreg.dao.jpa.oidc;
import java.io.Serializable;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Named;
import javax.persistence.NoResultException;
import javax.persistence.criteria.CriteriaBuilder;
import javax.persistence.criteria.CriteriaQuery;
import javax.persistence.criteria.Root;
import edu.kit.scc.webreg.dao.jpa.JpaBaseDao;
import edu.kit.scc.webreg.dao.oidc.OidcUserDao;
import edu.kit.scc.webreg.entity.oidc.OidcRpConfigurationEntity;
import edu.kit.scc.webreg.entity.oidc.OidcUserEntity;
import edu.kit.scc.webreg.entity.oidc.OidcUserEntity_;
@Named
@ApplicationScoped
public class JpaOidcUserDao extends JpaBaseDao<OidcUserEntity, Long> implements OidcUserDao, Serializable {
private static final long serialVersionUID = 1L;
@Override
public OidcUserEntity findByIssuerAndSub(OidcRpConfigurationEntity issuer, String subjectId) {
CriteriaBuilder builder = em.getCriteriaBuilder();
CriteriaQuery<OidcUserEntity> criteria = builder.createQuery(OidcUserEntity.class);
Root<OidcUserEntity> user = criteria.from(OidcUserEntity.class);
criteria.where(builder.and(
builder.equal(user.get(OidcUserEntity_.issuer), issuer),
builder.equal(user.get(OidcUserEntity_.subjectId), subjectId)
));
criteria.select(user);
criteria.distinct(true);
try {
return em.createQuery(criteria).getSingleResult();
}
catch (NoResultException e) {
return null;
}
}
@Override
public Class<OidcUserEntity> getEntityClass() {
return OidcUserEntity.class;
}
}
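Review bot: `findByIssuerAndSub` handles only `NoResultException`, so if two `OidcUserEntity` rows ever share the same issuer and `subject_id` — nothing in this commit enforces uniqueness on that pair — `getSingleResult()` on the query line throws `NonUniqueResultException` straight out of the login callback; `criteria.distinct(true)` does not prevent this since the rows are distinct entities. Either enforce uniqueness on the entity or fail explicitly here with `catch (NonUniqueResultException e) { throw new IllegalStateException("more than one OIDC user for this issuer and subject", e); }` so the ambiguity is logged rather than surfacing as a generic servlet error. The method also needs a Javadoc stating that it returns `null` when no user is linked to the issuer/subject pair, since the callback service relies on that null test.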
/*******************************************************************************
* Copyright (c) 2014 Michael Simon.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the GNU Public License v3.0
* which accompanies this distribution, and is available at
* http://www.gnu.org/licenses/gpl.html
*
* Contributors:
* Michael Simon - initial
******************************************************************************/
package edu.kit.scc.webreg.dao.oidc;
import edu.kit.scc.webreg.dao.BaseDao;
import edu.kit.scc.webreg.entity.oidc.OidcRpConfigurationEntity;
import edu.kit.scc.webreg.entity.oidc.OidcUserEntity;
public interface OidcUserDao extends BaseDao<OidcUserEntity, Long> {
OidcUserEntity findByIssuerAndSub(OidcRpConfigurationEntity issuer, String subjectId);
}
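Review bot: The new interface method has no documentation of its contract, and the JPA implementation returns `null` for "no such user", which callers must know to test for. Add a Javadoc such as `/** Looks up the user linked to the given relying-party configuration and OIDC subject; returns null if none is registered. */` above `findByIssuerAndSub`, and state explicitly that the subject is only meaningful together with the issuer, since the same `sub` value can be issued by different providers.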
package edu.kit.scc.webreg.entity.oidc;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.ManyToOne;
import edu.kit.scc.webreg.entity.UserEntity;
@Entity(name = "OidcUserEntity")
public class OidcUserEntity extends UserEntity {
private static final long serialVersionUID = 1L;
@Column(name = "subject_id", length = 1024)
private String subjectId;
@ManyToOne(targetEntity = OidcRpConfigurationEntity.class)
private OidcRpConfigurationEntity issuer;
public String getSubjectId() {
return subjectId;
}
public void setSubjectId(String subjectId) {
this.subjectId = subjectId;
}
public OidcRpConfigurationEntity getIssuer() {
return issuer;
}
public void setIssuer(OidcRpConfigurationEntity issuer) {
this.issuer = issuer;
}
}
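Review bot: The `(issuer, subjectId)` pair is the account-linking key used by `JpaOidcUserDao.findByIssuerAndSub`, yet both fields are nullable and nothing constrains the pair to be unique, so a duplicate registration (e.g. two concurrent callbacks for a new user) would leave two accounts for one external identity and break every later lookup. Mark them as mandatory, `@Column(name = "subject_id", length = 1024, nullable = false)` and `@ManyToOne(targetEntity = OidcRpConfigurationEntity.class, optional = false)`, and add a unique constraint on the pair; how that constraint is declared depends on the inheritance strategy of `UserEntity`, which is outside this commit (a `@Table(uniqueConstraints = ...)` on this class only works for JOINED/TABLE_PER_CLASS). A short class comment noting that `subjectId` is the OP-issued `sub` claim and is only unique per issuer would also help.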
package edu.kit.scc.webreg.entity.oidc;
import java.util.Date;
import javax.annotation.Generated;
import javax.persistence.metamodel.SetAttribute;
import javax.persistence.metamodel.SingularAttribute;
import javax.persistence.metamodel.StaticMetamodel;
import edu.kit.scc.webreg.entity.UserEntity;
@Generated(value = "org.hibernate.jpamodelgen.JPAMetaModelEntityProcessor")
@StaticMetamodel(OidcUserEntity.class)
public abstract class OidcUserEntity_ extends edu.kit.scc.webreg.entity.AbstractBaseEntity_ {
public static volatile SingularAttribute<OidcUserEntity, String> subjectId;
public static volatile SingularAttribute<UserEntity, Date> lastFailedUpdate;
public static volatile SetAttribute<UserEntity, String> emailAddresses;
public static volatile SingularAttribute<UserEntity, OidcRpConfigurationEntity> issuer;
}
......@@ -2,10 +2,12 @@ package edu.kit.scc.webreg.service.oidc.client;
import java.io.Serializable;
import javax.servlet.http.HttpServletResponse;
import edu.kit.scc.webreg.service.saml.exc.OidcAuthenticationException;
public interface OidcClientCallbackService extends Serializable {
void callback(String uri) throws OidcAuthenticationException;
void callback(String uri, HttpServletResponse response) throws OidcAuthenticationException;
}
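Review bot: The new `callback(String uri, HttpServletResponse response)` signature carries no documentation of why the response is now needed, and from the implementation in this commit it appears the method may commit the response itself by issuing a redirect before returning. That is a contract the interface should state, e.g. `/** Completes the OIDC authorization-code flow for the given callback URI. May send a redirect on the response (new-user registration); callers must check response.isCommitted() before writing. */`. Without it a caller can easily write to an already-committed response.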
......@@ -6,8 +6,10 @@ import java.net.URISyntaxException;
import javax.ejb.Stateless;
import javax.inject.Inject;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.MDC;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
......@@ -41,11 +43,17 @@ import com.nimbusds.openid.connect.sdk.op.OIDCProviderConfigurationRequest;
import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
import edu.kit.scc.webreg.bootstrap.ApplicationConfig;
import edu.kit.scc.webreg.dao.oidc.OidcRpConfigurationDao;
import edu.kit.scc.webreg.dao.oidc.OidcRpFlowStateDao;
import edu.kit.scc.webreg.dao.oidc.OidcUserDao;
import edu.kit.scc.webreg.drools.impl.KnowledgeSessionSingleton;
import edu.kit.scc.webreg.entity.SamlUserEntity;
import edu.kit.scc.webreg.entity.oidc.OidcRpConfigurationEntity;
import edu.kit.scc.webreg.entity.oidc.OidcRpFlowStateEntity;
import edu.kit.scc.webreg.entity.oidc.OidcUserEntity;
import edu.kit.scc.webreg.service.saml.exc.OidcAuthenticationException;
import edu.kit.scc.webreg.session.SessionManager;
@Stateless
public class OidcClientCallbackServiceImpl implements OidcClientCallbackService {
......@@ -64,8 +72,20 @@ public class OidcClientCallbackServiceImpl implements OidcClientCallbackService
@Inject
private OidcOpMetadataSingletonBean opMetadataBean;
@Inject
private OidcUserDao oidcUserDao;
@Inject
private KnowledgeSessionSingleton knowledgeSessionService;
@Inject
private ApplicationConfig appConfig;
@Inject
private SessionManager session;
@Override
public void callback(String uri) throws OidcAuthenticationException {
public void callback(String uri, HttpServletResponse httpServletResponse) throws OidcAuthenticationException {
try {
AuthorizationResponse response = AuthorizationResponse.parse(new URI(uri));
......@@ -114,8 +134,10 @@ public class OidcClientCallbackServiceImpl implements OidcClientCallbackService
JWSAlgorithm.RS256,
opMetadataBean.getJWKSetURI(rpConfig).toURL());
IDTokenClaimsSet claims;
try {
IDTokenClaimsSet claims = validator.validate(idToken, new Nonce(flowState.getNonce()));
claims = validator.validate(idToken, new Nonce(flowState.getNonce()));
logger.debug("Got signed claims verified from {}: {}", claims.getIssuer(), claims.getSubject());
} catch (BadJOSEException | JOSEException e) {
throw new OidcAuthenticationException("signature failed: " + e.getMessage());
......@@ -140,6 +162,26 @@ public class OidcClientCallbackServiceImpl implements OidcClientCallbackService
UserInfo userInfo = userInfoResponse.toSuccessResponse().getUserInfo();
logger.info("userinfo {}, {}, {}", userInfo.getSubject(), userInfo.getPreferredUsername(),
userInfo.getEmailAddress());
OidcUserEntity user = oidcUserDao.findByIssuerAndSub(rpConfig, claims.getSubject().getValue());
if (user != null) {
MDC.put("userId", "" + user.getId());
}
if (user == null) {
logger.info("New User detected, sending to register Page");
// Store OIDC Data temporarily in Session
logger.debug("Storing relevant Oidc data in session");
session.setSubjectId(claims.getSubject().getValue());
// TODO: setAttributeMap in Session with attributes from OIDC
httpServletResponse.sendRedirect("/register/register-oidc.xhtml");
return;
}
} catch (IOException | ParseException | URISyntaxException e) {
logger.warn("Oidc callback failed: {}", e.getMessage());
throw new OidcAuthenticationException(e);
......
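Review bot: The UserInfo response at the top of the hunk is logged and, per the TODO, about to be copied into the session, but its `sub` is never compared with the validated ID token's `sub`; OIDC Core §5.3.2 requires the two to match exactly and forbids using the UserInfo values otherwise. Add, directly after `getUserInfo()`, `if (!claims.getSubject().equals(userInfo.getSubject())) { throw new OidcAuthenticationException("userinfo sub does not match id token sub"); }`. Separately, the new-user branch stores only the subject id in the session although subject ids are scoped per issuer (the DAO lookup keys on both), so the register page will presumably also need the relying-party id — if `session.setOidcRelyingPartyId(rpConfig.getId())` is not already called earlier in the flow, it belongs next to `setSubjectId`. Logging the user's email address at INFO level on the `userinfo` line is also questionable for PII reasons; DEBUG would be more appropriate. The `callback` method continues outside the hunk, so the found-user path may be completed there.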
......@@ -10,7 +10,6 @@ import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import com.nimbusds.oauth2.sdk.AuthorizationRequest;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.ResponseType;
import com.nimbusds.oauth2.sdk.Scope;
......@@ -18,6 +17,7 @@ import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.State;
import com.nimbusds.openid.connect.sdk.AuthenticationRequest;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
import edu.kit.scc.webreg.dao.oidc.OidcRpConfigurationDao;
import edu.kit.scc.webreg.dao.oidc.OidcRpFlowStateDao;
......@@ -55,7 +55,7 @@ public class OidcClientRedirectServiceImpl implements OidcClientRedirectService
URI authzEndpoint = opMetadataBean.getAuthorizationEndpointURI(rpConfig);
ClientID clientID = new ClientID(rpConfig.getClientId());
Scope scope = new Scope("openid", "profile", "email");
Scope scope = new Scope(OIDCScopeValue.OPENID, OIDCScopeValue.PROFILE, OIDCScopeValue.EMAIL);
URI callback = new URI(rpConfig.getCallbackUrl());
State state = new State();
Nonce nonce = new Nonce();
......
......@@ -50,6 +50,7 @@ public class SessionManager implements Serializable {
private Map<String, List<Object>> attributeMap;
private String persistentId;
private String subjectId;
private String originalRequestPath;
private String originalIdpEntityId;
......@@ -307,4 +308,12 @@ public class SessionManager implements Serializable {
public void setOidcRelyingPartyId(Long oidcRelyingPartyId) {
this.oidcRelyingPartyId = oidcRelyingPartyId;
}
public String getSubjectId() {
return subjectId;
}
public void setSubjectId(String subjectId) {
this.subjectId = subjectId;
}
}
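Review bot: The new `subjectId` field holds the identity of a user who has passed ID-token validation but is not yet registered, and nothing in the hunk documents that or its intended lifetime; because `SessionManager` is `Serializable` the value may also outlive the registration attempt. Add a field comment such as `// OIDC subject (sub claim) of a validated ID token whose user is not yet registered; set by OidcClientCallbackServiceImpl and expected to be cleared once registration completes or is abandoned`. Whether anything clears it is not visible in this commit — worth confirming on the register page.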
......@@ -69,7 +69,7 @@ public class OidcClientCallbackHandlerServlet implements Servlet {
}
try {
callbackService.callback(requestURL.toString());
callbackService.callback(requestURL.toString(), response);
} catch (OidcAuthenticationException e) {
throw new ServletException("Problems encountered: " + e.getMessage());
}
......
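Review bot: Passing `response` into `callbackService.callback` means the service may now commit the response (it issues a redirect for new users) before control returns here, so any code after the `try` block that writes to or redirects the response will fail with an `IllegalStateException`. Guard the continuation with `if (response.isCommitted()) { return; }` immediately after the call, or have `callback` return a boolean indicating that it has handled the response. The remainder of the servlet's `service` method is outside the hunk, so this is inferred from the new implementation rather than from visible code.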