| author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2015-07-17 09:19:34 +0200 | 
|---|---|---|
| committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2015-07-17 09:19:34 +0200 | 
| commit | 04a7d51aa7b1ba3909f05ae36b7e54e4dabe22e1 (patch) | |
| tree | f4ebe6de0adbea7570b51c5aa7d6c000f7da9afd | |
| parent | 98dbb23fa5dcd9518beb56fd2410667b385b5524 (diff) | |
| download | moa-id-spss-04a7d51aa7b1ba3909f05ae36b7e54e4dabe22e1.tar.gz moa-id-spss-04a7d51aa7b1ba3909f05ae36b7e54e4dabe22e1.tar.bz2 moa-id-spss-04a7d51aa7b1ba3909f05ae36b7e54e4dabe22e1.zip | |
add 'nonce' attribute to OpenID Connect protocol
5 files changed, 100 insertions, 13 deletions
| diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Constants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Constants.java
index 75501d812..b0736ff2e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Constants.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Constants.java
@@ -48,6 +48,7 @@ public final class OAuth20Constants {
 	public static final String PARAM_RESPONSE_TYPE = "response_type";
 	public static final String PARAM_REDIRECT_URI = "redirect_uri";
 	public static final String PARAM_STATE = "state";
+	public static final String PARAM_NONCE = "nonce";
 	public static final String PARAM_GRANT_TYPE = "grant_type";
 	public static final String PARAM_GRANT_TYPE_VALUE_AUTHORIZATION_CODE = "authorization_code";
 	public static final String PARAM_CLIENT_ID = "client_id";
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java
index 583120a86..439d08e0b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java
@@ -30,6 +30,7 @@ import org.apache.commons.lang.StringUtils;
 import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
 import at.gv.egovernment.moa.id.data.IAuthData;
 import at.gv.egovernment.moa.id.protocols.oauth20.Pair;
+import at.gv.egovernment.moa.id.protocols.oauth20.protocol.OAuth20AuthRequest;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.BPKAttributeBuilder;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDAuthBlock;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDCcsURL;
@@ -116,6 +117,7 @@ public final class OAuth20AttributeBuilder {
 		buildersOpenId.add(new OpenIdIssueInstantAttribute());
 		buildersOpenId.add(new OpenIdAuthenticationTimeAttribute());
 		buildersOpenId.add(new OpenIdAudiencesAttribute());
+		buildersOpenId.add(new OpenIdNonceAttribute());
 		// profile
 		buildersProfile.add(new ProfileGivenNameAttribute());
@@ -173,10 +175,18 @@ public final class OAuth20AttributeBuilder {
 	}
 	private static void addAttibutes(final List<IAttributeBuilder> builders, final JsonObject jsonObject,
-			final OAAuthParameter oaParam, final IAuthData authData) {
+			final OAAuthParameter oaParam, final IAuthData authData, OAuth20AuthRequest oAuthRequest) {
 		for (IAttributeBuilder b : builders) {
 			try {
-				Pair<String, JsonPrimitive> attribute = b.build(oaParam, authData, generator);
+				//TODO: better solution requires more refactoring :(
+				Pair<String, JsonPrimitive> attribute = null;
+				if (b instanceof OpenIdNonceAttribute) {
+					OpenIdNonceAttribute nonceBuilder = (OpenIdNonceAttribute) b;
+					attribute = nonceBuilder.build(oaParam, authData, oAuthRequest, generator);
+					
+				} else				
+					attribute = b.build(oaParam, authData, generator);
+					
 				if (attribute != null && !StringUtils.isEmpty(attribute.getSecond().getAsString())) {
 					jsonObject.add(attribute.getFirst(), attribute.getSecond());
 				}
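Review bot: The `else` that closes the new dispatch in `addAttibutes` is unbraced, carries trailing tabs, and is surrounded by two whitespace-only added lines (one inside the `if` block, one after the `else` statement), which is exactly the shape that turns into a bug when someone later adds a second statement to the branch; I would write it as `} else {` / `attribute = b.build(oaParam, authData, generator);` / `}` and drop the blank lines. The new `oAuthRequest` parameter is also undocumented although, judging by the rest of this commit, five callers pass `null` for it and only one builder ever reads it; a line such as `// oAuthRequest may be null: it is only consulted for OpenIdNonceAttribute, which is registered in buildersOpenId alone` above the loop would make that contract explicit until the refactoring the TODO mentions happens. `addAttibutes` continues past the end of the hunk.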
@@ -188,33 +198,34 @@ public final class OAuth20AttributeBuilder {
 	}
 	public static void addScopeOpenId(final JsonObject jsonObject,
-			final OAAuthParameter oaParam, final IAuthData authData) {
-		addAttibutes(buildersOpenId, jsonObject, oaParam, authData);
+			final OAAuthParameter oaParam, final IAuthData authData, 
+			final OAuth20AuthRequest oAuthRequest) {
+		addAttibutes(buildersOpenId, jsonObject, oaParam, authData, oAuthRequest);
 	}
 	public static void addScopeProfile(final JsonObject jsonObject,
 			final OAAuthParameter oaParam, final IAuthData authData) {
-		addAttibutes(buildersProfile, jsonObject, oaParam, authData);
+		addAttibutes(buildersProfile, jsonObject, oaParam, authData, null);
 	}
 	public static void addScopeEID(final JsonObject jsonObject,
 			final OAAuthParameter oaParam, final IAuthData authData) {
-		addAttibutes(buildersEID, jsonObject, oaParam, authData);
+		addAttibutes(buildersEID, jsonObject, oaParam, authData, null);
 	}
 	public static void addScopeEIDGov(final JsonObject jsonObject,
 			final OAAuthParameter oaParam, final IAuthData authData) {
-		addAttibutes(buildersEIDGov, jsonObject, oaParam, authData);
+		addAttibutes(buildersEIDGov, jsonObject, oaParam, authData, null);
 	}
 	public static void addScopeMandate(final JsonObject jsonObject,
 			final OAAuthParameter oaParam, final IAuthData authData) {
-		addAttibutes(buildersMandate, jsonObject, oaParam, authData);
+		addAttibutes(buildersMandate, jsonObject, oaParam, authData, null);
 	}
 	public static void addScopeSTORK(final JsonObject jsonObject,
 			final OAAuthParameter oaParam, final IAuthData authData) {
-		addAttibutes(buildersSTORK, jsonObject, oaParam, authData);
+		addAttibutes(buildersSTORK, jsonObject, oaParam, authData, null);
 	}
 	/**
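Review bot: The new third parameter of `addScopeOpenId` is the only route by which the client's nonce reaches the ID token, yet it has no Javadoc, and the five sibling `addScope*` methods now forward a bare `null` in its place; a `@param oAuthRequest the authorization request whose nonce, when present, is echoed into the ID token; must not be null` on `addScopeOpenId` would record both the purpose and the nullability. If the other five are meant to stay nonce-free, a four-argument `addAttibutes` overload that delegates with `null` would leave those call sites untouched and keep the `null` literal in one place. All six methods are complete within the hunk.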
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdNonceAttribute.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdNonceAttribute.java
new file mode 100644
index 000000000..6baa69b1e
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdNonceAttribute.java
@@ -0,0 +1,57 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20.attributes;
+
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.protocols.oauth20.protocol.OAuth20AuthRequest;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+public class OpenIdNonceAttribute implements IAttributeBuilder {
+	
+	public String getName() {
+		return "nonce";
+	}
+	
+	public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData,
+			IAttributeGenerator<ATT> g) throws AttributeException { 
+		return g.buildStringAttribute(this.getName(), "", null);
+	}
+	
+	public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, OAuth20AuthRequest oAuthRequest,
+			IAttributeGenerator<ATT> g) throws AttributeException { 
+		if (MiscUtil.isNotEmpty(oAuthRequest.getNonce()))
+			return g.buildStringAttribute(this.getName(), "", oAuthRequest.getNonce());
+		else
+			return null;
+	}
+	
+	public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) {
+		return g.buildEmptyAttribute(this.getName(), "");
+	}
+	
+}
+
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
index 2a0d3b30f..df12c7fa9 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
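Review bot: The four-argument `build` dereferences `oAuthRequest` with no null check, while the three-argument `build` that `IAttributeBuilder` requires returns a `nonce` attribute whose value is `null` instead of returning `null` like its sibling; a caller that reaches this builder through the generic interface, or that passes a null request (the other `addScope*` methods in this commit do, should this builder ever be registered in one of their lists), therefore gets either a NullPointerException or a valueless claim, depending on what `buildStringAttribute` does with a null value, which is not visible here. I would make both paths degrade the same way: `if (oAuthRequest != null && MiscUtil.isNotEmpty(oAuthRequest.getNonce()))` in the four-argument method and `return null;` from the three-argument one. A class-level comment is also missing; something like `Echoes the client's OpenID Connect nonce from the authorization request into the ID token unchanged; the relying party compares it to the value it sent, so the server must neither alter nor generate it` would stop a later maintainer from "sanitizing" a value the protocol requires to be reflected verbatim.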
@@ -52,6 +52,7 @@ import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuthSigner;
 import at.gv.egovernment.moa.id.storage.AssertionStorage;
 import at.gv.egovernment.moa.id.util.Random;
 import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
 class OAuth20AuthAction implements IAction {
@@ -126,8 +127,7 @@ class OAuth20AuthAction implements IAction {
 		Map<String, Object> params = new HashMap<String, Object>();
 		params.put(OAuth20Constants.RESPONSE_ACCESS_TOKEN, accessToken);
 		params.put(OAuth20Constants.RESPONSE_TOKEN_TYPE, OAuth20Constants.RESPONSE_TOKEN_TYPE_VALUE_BEARER);
-		params.put(OAuth20Constants.RESPONSE_EXPIRES_IN, OpenIdExpirationTimeAttribute.expirationTime);
-		
+		params.put(OAuth20Constants.RESPONSE_EXPIRES_IN, OpenIdExpirationTimeAttribute.expirationTime);		
 		// build id token and scope
 		Pair<String, String> pair = buildIdToken(auth20SessionObject.getScope(), oAuthRequest,
 				authData);
@@ -149,7 +149,7 @@ class OAuth20AuthAction implements IAction {
 		StringBuilder resultScopes = new StringBuilder();
 		// always fill with open id
-		OAuth20AttributeBuilder.addScopeOpenId(token.getPayloadAsJsonObject(), oaParam, authData);
+		OAuth20AttributeBuilder.addScopeOpenId(token.getPayloadAsJsonObject(), oaParam, authData, oAuthRequest);
 		resultScopes.append("openId");
 		for (String s : scope.split(" ")) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java
index 03b5d98f9..b5baa6a05 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java
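Review bot: In the third hunk, `oAuthRequest` becomes the source of the nonce that `addScopeOpenId` copies into the ID token, and the nonce only protects the relying party against replay if this is the request object from the original authorization request, the one that carried the client's `nonce` parameter, rather than one rebuilt from a later exchange; the scope on the same line is read from `auth20SessionObject` instead, so the two values have different provenance, and since `buildIdToken` begins before the hunk and its caller is not shown, I would confirm where this `oAuthRequest` comes from and say so in a comment such as `// nonce must be the one from the original authorization request (OpenID Connect Core 1.0, ID Token claims)`. In the second hunk, the removed blank line has been replaced by two trailing tabs on the `expires_in` line, which is whitespace noise worth reverting before merge.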
@@ -46,7 +46,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder;
 import at.gv.egovernment.moa.logging.Logger;
-class OAuth20AuthRequest extends OAuth20BaseRequest {
+public class OAuth20AuthRequest extends OAuth20BaseRequest {
 	private static final long serialVersionUID = 1L;
@@ -55,6 +55,7 @@ class OAuth20AuthRequest extends OAuth20BaseRequest {
 	private String redirectUri;
 	private String scope;
 	private String clientID;
+	private String nonce;
 	/**
 	 * @return the responseType
@@ -131,6 +132,22 @@ class OAuth20AuthRequest extends OAuth20BaseRequest {
 		this.clientID = clientID;
 	}
+	
+	
+	/**
+	 * @return the nonce
+	 */
+	public String getNonce() {
+		return nonce;
+	}
+
+	/**
+	 * @param nonce the nonce to set
+	 */
+	public void setNonce(String nonce) {
+		this.nonce = nonce;
+	}
+
 	@Override
 	protected void populateSpecialParameters(HttpServletRequest request) throws OAuth20Exception {
 		this.setResponseType(this.getParam(request, OAuth20Constants.PARAM_RESPONSE_TYPE, true));
@@ -138,6 +155,7 @@ class OAuth20AuthRequest extends OAuth20BaseRequest {
 		this.setRedirectUri(this.getParam(request, OAuth20Constants.PARAM_REDIRECT_URI, true));
 		this.setClientID(this.getParam(request, OAuth20Constants.PARAM_CLIENT_ID, true));
 		this.setScope(this.getParam(request, OAuth20Constants.PARAM_SCOPE, false));
+		this.setNonce(this.getParam(request, OAuth20Constants.PARAM_NONCE, false));
 		// check for response type
 		if (!this.responseType.equals(OAuth20Constants.RESPONSE_CODE)) { |
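Review bot: `getNonce`/`setNonce` carry IDE-generated Javadoc (`the nonce to set`) that tells a reader nothing about the value's role; I would document the contract instead: `@return the OpenID Connect nonce the client sent in the authorization request, or null when none was sent; it is echoed unchanged into the ID token so the client can detect replay`. Reading the parameter as optional (`false` in the last hunk) is right for the authorization-code flow, which the `response_type` check at the end of that hunk appears to restrict this endpoint to, and a one-line comment saying so (`// optional in the code flow; would be mandatory for an implicit/hybrid response_type`) would keep that decision from being lost if other response types are added later. The class is serializable and `serialVersionUID` stays `1L`, so any instance persisted before this change should come back with `nonce == null`, which the optional handling tolerates; that is inferred from the field declaration rather than verified here. `populateSpecialParameters` continues past the end of the hunk.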
