Commit 6722dbf6 authored by michael.simon's avatar michael.simon

Try to make some oidc token options configurable

parent bf0cd43d
package edu.kit.scc.webreg.entity.oidc;
import java.util.Map;
import javax.persistence.Column;
import javax.persistence.ElementCollection;
import javax.persistence.Entity;
import javax.persistence.JoinTable;
import javax.persistence.ManyToOne;
import javax.persistence.MapKeyColumn;
import javax.persistence.Table;
import edu.kit.scc.webreg.entity.AbstractBaseEntity;
......@@ -25,6 +30,12 @@ public class OidcClientConfigurationEntity extends AbstractBaseEntity {
@ManyToOne(targetEntity = OidcOpConfigurationEntity.class)
private OidcOpConfigurationEntity opConfiguration;
@ElementCollection
@JoinTable(name = "oidc_client_generic_store")
@MapKeyColumn(name = "key_data", length = 128)
@Column(name = "value_data", length = 2048)
private Map<String, String> genericStore;
public String getName() {
return name;
}
......@@ -56,4 +67,12 @@ public class OidcClientConfigurationEntity extends AbstractBaseEntity {
public void setDisplayName(String displayName) {
this.displayName = displayName;
}
public Map<String, String> getGenericStore() {
return genericStore;
}
public void setGenericStore(Map<String, String> genericStore) {
this.genericStore = genericStore;
}
}
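Review bot: The new `genericStore` map carries behaviour-changing per-client options, yet nothing on the field says which keys are honoured or how values are interpreted; elsewhere in this commit the keys `short_id_token_header` and `long_access_token` are read and compared with `equalsIgnoreCase("true")`. A Javadoc on the field such as `/** Free-form per-client options; known keys: "short_id_token_header", "long_access_token" — a value of "true" (case-insensitive) enables each. */` keeps the option names discoverable for administrators and future readers. Note also that JPA specifies `@CollectionTable` for an `@ElementCollection`; Hibernate appears to tolerate `@JoinTable` here, but the spec form is the portable one. The class body starts and ends outside the shown hunks.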
......@@ -48,9 +48,12 @@ public class OidcFlowStateEntity extends AbstractBaseEntity {
@Column(name = "redirect_uri", length = 1024)
private String redirectUri;
@Column(name = "access_token", length = 256)
@Column(name = "access_token", length = 4096)
private String accessToken;
@Column(name = "refresh_token", length = 4096)
private String refreshToken;
@Column(name = "access_token_type", length = 32)
private String accessTokenType;
......@@ -160,4 +163,12 @@ public class OidcFlowStateEntity extends AbstractBaseEntity {
public void setIdentity(IdentityEntity identity) {
this.identity = identity;
}
public String getRefreshToken() {
return refreshToken;
}
public void setRefreshToken(String refreshToken) {
this.refreshToken = refreshToken;
}
}
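Review bot: `refreshToken` is persisted in clear in the new `refresh_token` column, and unlike the one-hour access token it is a long-lived bearer credential, so any read of this table yields directly replayable tokens; storing only a digest of the value (e.g. SHA-256) and comparing with `MessageDigest.isEqual` when it is redeemed would contain that exposure. No separate lifetime column accompanies the refresh token, while at the issuing site `validUntil` is set from the access-token lifetime, so there is nothing visible to bound refresh-token replay against — if a refresh grant handler exists elsewhere, confirm how it expires and rotates these tokens. The entity class starts and ends outside the shown hunks.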
......@@ -20,6 +20,7 @@ import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
......@@ -28,6 +29,7 @@ import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.oauth2.sdk.token.RefreshToken;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
import com.nimbusds.openid.connect.sdk.claims.UserInfo;
import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
......@@ -315,7 +317,7 @@ public class OidcOpLoginImpl implements OidcOpLogin {
claimsBuilder.expirationTime(new Date(System.currentTimeMillis() + (60L * 60L * 1000L)))
.issuer("https://" + opConfig.getHost() + "/oidc/realms/" + opConfig.getRealm())
.claim("nonce", flowState.getNonce())
.audience(flowState.getClientConfiguration().getName())
.audience(clientConfig.getName())
.issueTime(new Date())
.subject(user.getEppn())
.build();
......@@ -347,30 +349,50 @@ public class OidcOpLoginImpl implements OidcOpLogin {
JWTClaimsSet claims = claimsBuilder.build();
logger.debug("claims before signing: " + claims.toJSONObject());
SignedJWT jwt;
try {
//MACSigner macSigner = new MACSigner(clientConfig.getSecret());
PrivateKey privateKey = cryptoHelper.getPrivateKey(opConfig.getPrivateKey());
X509Certificate certificate = cryptoHelper.getCertificate(opConfig.getCertificate());
JWK jwk = JWK.parse(certificate);
JWSHeader header;
RSASSASigner rsaSigner = new RSASSASigner(privateKey);
JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256).jwk(jwk).keyID(jwk.getKeyID()).build();
if (clientConfig.getGenericStore().containsKey("short_id_token_header") &&
clientConfig.getGenericStore().get("short_id_token_header").equalsIgnoreCase("true")) {
header = new JWSHeader.Builder(JWSAlgorithm.RS256).type(JOSEObjectType.JWT).keyID(jwk.getKeyID()).build();
}
else {
header = new JWSHeader.Builder(JWSAlgorithm.RS256).jwk(jwk).type(JOSEObjectType.JWT).keyID(jwk.getKeyID()).build();
}
jwt = new SignedJWT(header, claims);
jwt.sign(rsaSigner);
} catch (JOSEException | IOException e) {
throw new OidcAuthenticationException(e);
}
BearerAccessToken bat;
if (clientConfig.getGenericStore().containsKey("long_access_token") &&
clientConfig.getGenericStore().get("long_access_token").equalsIgnoreCase("true")) {
bat = new BearerAccessToken(jwt.serialize(), 3600, new Scope(opConfig.getHost()));
}
else {
bat = new BearerAccessToken(3600, new Scope(opConfig.getHost()));
}
BearerAccessToken bat = new BearerAccessToken(3600, new Scope(opConfig.getHost()));
OIDCTokens tokens = new OIDCTokens(jwt, bat, null);
RefreshToken refreshToken = new RefreshToken();
OIDCTokens tokens = new OIDCTokens(jwt, bat, refreshToken);
OIDCTokenResponse tokenResponse = new OIDCTokenResponse(tokens);
logger.debug("tokenResponse: " + tokenResponse.toJSONObject());
flowState.setAccessToken(bat.getValue());
flowState.setAccessTokenType("Bearer");
flowState.setRefreshToken(refreshToken.getValue());
flowState.setValidUntil(new Date(System.currentTimeMillis() + bat.getLifetime()));
return tokenResponse.toJSONObject();
......
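Review bot: The debug statement `logger.debug("tokenResponse: " + tokenResponse.toJSONObject())` now writes the freshly minted refresh token (and the access token) into the log, and the refresh token is a long-lived replayable credential; log only non-secret context instead, e.g. `logger.debug("token response issued for client {}", clientConfig.getName());`. Independently, a refresh token is issued to every client unconditionally — no check is visible that the client is permitted offline access or that the `offline_access` scope was requested. With `long_access_token` enabled, the very same signed JWT serves as both ID token and access token, so a resource server cannot tell them apart (`aud` is the client name, `typ` is `JWT`); if a JWT access token is wanted, mint a separate token with `typ` `at+jwt` and a resource-server audience as RFC 9068 describes. `clientConfig.getGenericStore()` is also dereferenced without a null guard at both `containsKey` checks; if the collection can be null for a detached or freshly created entity this throws a NullPointerException — confirm against how clientConfig is loaded. The enclosing method starts before the hunk and ends after it.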
......@@ -25,7 +25,6 @@ import edu.kit.scc.webreg.entity.oidc.OidcOpConfigurationEntity;
import edu.kit.scc.webreg.service.oidc.OidcOpConfigurationService;
import edu.kit.scc.webreg.service.saml.CryptoHelper;
import edu.kit.scc.webreg.service.saml.exc.OidcAuthenticationException;
import net.minidev.json.JSONObject;
@Path("/realms")
public class OidcCertsController {
......@@ -42,7 +41,7 @@ public class OidcCertsController {
@GET
@Path("/{realm}/protocol/openid-connect/certs")
@Produces(MediaType.APPLICATION_JSON)
public JSONObject auth(@PathParam("realm") String realm, @Context HttpServletRequest request, @Context HttpServletResponse response)
public String auth(@PathParam("realm") String realm, @Context HttpServletRequest request, @Context HttpServletResponse response)
throws IOException, OidcAuthenticationException {
try {
......@@ -68,7 +67,8 @@ public class OidcCertsController {
JWKSet jwkSet = new JWKSet(jwkList);
return jwkSet.toJSONObject(true);
return jwkSet.toString(true);
//return jwkSet.toJSONObject(true);
} catch (JOSEException e) {
throw new OidcAuthenticationException(e);
}
......
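Review bot: The commented-out `//return jwkSet.toJSONObject(true);` left under the new `return jwkSet.toString(true);` is dead code and should be deleted; a why-comment in its place, `// public parameters only — the JWKS endpoint must never emit private key material`, records what the `true` argument is there to guarantee. Per the Nimbus API, `JWKSet.toString(boolean)` emits the JSON object string with public parameters only when passed `true`, so the switch to a `String` return still honours `@Produces(MediaType.APPLICATION_JSON)`. The `auth` method spans the two hunks, so the rest of its body is not shown here.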
package edu.kit.scc.webreg.oauth;
import java.util.Enumeration;
import java.util.stream.Collectors;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
......
......@@ -159,7 +159,7 @@
<dependency>
<groupId>com.nimbusds</groupId>
<artifactId>oauth2-oidc-sdk</artifactId>
<version>8.25</version>
<version>9.2.2</version>
</dependency>
</dependencies>
......