aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib/src
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2015-07-17 09:19:34 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2015-07-17 09:19:34 +0200
commit04a7d51aa7b1ba3909f05ae36b7e54e4dabe22e1 (patch)
treef4ebe6de0adbea7570b51c5aa7d6c000f7da9afd /id/server/idserverlib/src
parent98dbb23fa5dcd9518beb56fd2410667b385b5524 (diff)
downloadmoa-id-spss-04a7d51aa7b1ba3909f05ae36b7e54e4dabe22e1.tar.gz
moa-id-spss-04a7d51aa7b1ba3909f05ae36b7e54e4dabe22e1.tar.bz2
moa-id-spss-04a7d51aa7b1ba3909f05ae36b7e54e4dabe22e1.zip
add 'nonce' attribute to OpenID Connect protocol
Diffstat (limited to 'id/server/idserverlib/src')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Constants.java1
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java29
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdNonceAttribute.java57
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java6
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java20
5 files changed, 100 insertions, 13 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Constants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Constants.java
index 75501d812..b0736ff2e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Constants.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Constants.java
@@ -48,6 +48,7 @@ public final class OAuth20Constants {
public static final String PARAM_RESPONSE_TYPE = "response_type";
public static final String PARAM_REDIRECT_URI = "redirect_uri";
public static final String PARAM_STATE = "state";
+ public static final String PARAM_NONCE = "nonce";
public static final String PARAM_GRANT_TYPE = "grant_type";
public static final String PARAM_GRANT_TYPE_VALUE_AUTHORIZATION_CODE = "authorization_code";
public static final String PARAM_CLIENT_ID = "client_id";
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java
index 583120a86..439d08e0b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java
@@ -30,6 +30,7 @@ import org.apache.commons.lang.StringUtils;
import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
import at.gv.egovernment.moa.id.data.IAuthData;
import at.gv.egovernment.moa.id.protocols.oauth20.Pair;
+import at.gv.egovernment.moa.id.protocols.oauth20.protocol.OAuth20AuthRequest;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.BPKAttributeBuilder;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDAuthBlock;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDCcsURL;
@@ -116,6 +117,7 @@ public final class OAuth20AttributeBuilder {
buildersOpenId.add(new OpenIdIssueInstantAttribute());
buildersOpenId.add(new OpenIdAuthenticationTimeAttribute());
buildersOpenId.add(new OpenIdAudiencesAttribute());
+ buildersOpenId.add(new OpenIdNonceAttribute());
// profile
buildersProfile.add(new ProfileGivenNameAttribute());
@@ -173,10 +175,18 @@ public final class OAuth20AttributeBuilder {
}
private static void addAttibutes(final List<IAttributeBuilder> builders, final JsonObject jsonObject,
- final OAAuthParameter oaParam, final IAuthData authData) {
+ final OAAuthParameter oaParam, final IAuthData authData, OAuth20AuthRequest oAuthRequest) {
for (IAttributeBuilder b : builders) {
try {
- Pair<String, JsonPrimitive> attribute = b.build(oaParam, authData, generator);
+ //TODO: better solution requires more refactoring :(
+ Pair<String, JsonPrimitive> attribute = null;
+ if (b instanceof OpenIdNonceAttribute) {
+ OpenIdNonceAttribute nonceBuilder = (OpenIdNonceAttribute) b;
+ attribute = nonceBuilder.build(oaParam, authData, oAuthRequest, generator);
+
+ } else
+ attribute = b.build(oaParam, authData, generator);
+
if (attribute != null && !StringUtils.isEmpty(attribute.getSecond().getAsString())) {
jsonObject.add(attribute.getFirst(), attribute.getSecond());
}
@@ -188,33 +198,34 @@ public final class OAuth20AttributeBuilder {
}
public static void addScopeOpenId(final JsonObject jsonObject,
- final OAAuthParameter oaParam, final IAuthData authData) {
- addAttibutes(buildersOpenId, jsonObject, oaParam, authData);
+ final OAAuthParameter oaParam, final IAuthData authData,
+ final OAuth20AuthRequest oAuthRequest) {
+ addAttibutes(buildersOpenId, jsonObject, oaParam, authData, oAuthRequest);
}
public static void addScopeProfile(final JsonObject jsonObject,
final OAAuthParameter oaParam, final IAuthData authData) {
- addAttibutes(buildersProfile, jsonObject, oaParam, authData);
+ addAttibutes(buildersProfile, jsonObject, oaParam, authData, null);
}
public static void addScopeEID(final JsonObject jsonObject,
final OAAuthParameter oaParam, final IAuthData authData) {
- addAttibutes(buildersEID, jsonObject, oaParam, authData);
+ addAttibutes(buildersEID, jsonObject, oaParam, authData, null);
}
public static void addScopeEIDGov(final JsonObject jsonObject,
final OAAuthParameter oaParam, final IAuthData authData) {
- addAttibutes(buildersEIDGov, jsonObject, oaParam, authData);
+ addAttibutes(buildersEIDGov, jsonObject, oaParam, authData, null);
}
public static void addScopeMandate(final JsonObject jsonObject,
final OAAuthParameter oaParam, final IAuthData authData) {
- addAttibutes(buildersMandate, jsonObject, oaParam, authData);
+ addAttibutes(buildersMandate, jsonObject, oaParam, authData, null);
}
public static void addScopeSTORK(final JsonObject jsonObject,
final OAAuthParameter oaParam, final IAuthData authData) {
- addAttibutes(buildersSTORK, jsonObject, oaParam, authData);
+ addAttibutes(buildersSTORK, jsonObject, oaParam, authData, null);
}
/**
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdNonceAttribute.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdNonceAttribute.java
new file mode 100644
index 000000000..6baa69b1e
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdNonceAttribute.java
@@ -0,0 +1,57 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20.attributes;
+
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.protocols.oauth20.protocol.OAuth20AuthRequest;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+public class OpenIdNonceAttribute implements IAttributeBuilder {
+
+ public String getName() {
+ return "nonce";
+ }
+
+ public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData,
+ IAttributeGenerator<ATT> g) throws AttributeException {
+ return g.buildStringAttribute(this.getName(), "", null);
+ }
+
+ public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, OAuth20AuthRequest oAuthRequest,
+ IAttributeGenerator<ATT> g) throws AttributeException {
+ if (MiscUtil.isNotEmpty(oAuthRequest.getNonce()))
+ return g.buildStringAttribute(this.getName(), "", oAuthRequest.getNonce());
+ else
+ return null;
+ }
+
+ public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) {
+ return g.buildEmptyAttribute(this.getName(), "");
+ }
+
+}
+
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
index 2a0d3b30f..df12c7fa9 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
@@ -52,6 +52,7 @@ import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuthSigner;
import at.gv.egovernment.moa.id.storage.AssertionStorage;
import at.gv.egovernment.moa.id.util.Random;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
class OAuth20AuthAction implements IAction {
@@ -126,8 +127,7 @@ class OAuth20AuthAction implements IAction {
Map<String, Object> params = new HashMap<String, Object>();
params.put(OAuth20Constants.RESPONSE_ACCESS_TOKEN, accessToken);
params.put(OAuth20Constants.RESPONSE_TOKEN_TYPE, OAuth20Constants.RESPONSE_TOKEN_TYPE_VALUE_BEARER);
- params.put(OAuth20Constants.RESPONSE_EXPIRES_IN, OpenIdExpirationTimeAttribute.expirationTime);
-
+ params.put(OAuth20Constants.RESPONSE_EXPIRES_IN, OpenIdExpirationTimeAttribute.expirationTime);
// build id token and scope
Pair<String, String> pair = buildIdToken(auth20SessionObject.getScope(), oAuthRequest,
authData);
@@ -149,7 +149,7 @@ class OAuth20AuthAction implements IAction {
StringBuilder resultScopes = new StringBuilder();
// always fill with open id
- OAuth20AttributeBuilder.addScopeOpenId(token.getPayloadAsJsonObject(), oaParam, authData);
+ OAuth20AttributeBuilder.addScopeOpenId(token.getPayloadAsJsonObject(), oaParam, authData, oAuthRequest);
resultScopes.append("openId");
for (String s : scope.split(" ")) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java
index 03b5d98f9..b5baa6a05 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java
@@ -46,7 +46,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder;
import at.gv.egovernment.moa.logging.Logger;
-class OAuth20AuthRequest extends OAuth20BaseRequest {
+public class OAuth20AuthRequest extends OAuth20BaseRequest {
private static final long serialVersionUID = 1L;
@@ -55,6 +55,7 @@ class OAuth20AuthRequest extends OAuth20BaseRequest {
private String redirectUri;
private String scope;
private String clientID;
+ private String nonce;
/**
* @return the responseType
@@ -131,6 +132,22 @@ class OAuth20AuthRequest extends OAuth20BaseRequest {
this.clientID = clientID;
}
+
+
+ /**
+ * @return the nonce
+ */
+ public String getNonce() {
+ return nonce;
+ }
+
+ /**
+ * @param nonce the nonce to set
+ */
+ public void setNonce(String nonce) {
+ this.nonce = nonce;
+ }
+
@Override
protected void populateSpecialParameters(HttpServletRequest request) throws OAuth20Exception {
this.setResponseType(this.getParam(request, OAuth20Constants.PARAM_RESPONSE_TYPE, true));
@@ -138,6 +155,7 @@ class OAuth20AuthRequest extends OAuth20BaseRequest {
this.setRedirectUri(this.getParam(request, OAuth20Constants.PARAM_REDIRECT_URI, true));
this.setClientID(this.getParam(request, OAuth20Constants.PARAM_CLIENT_ID, true));
this.setScope(this.getParam(request, OAuth20Constants.PARAM_SCOPE, false));
+ this.setNonce(this.getParam(request, OAuth20Constants.PARAM_NONCE, false));
// check for response type
if (!this.responseType.equals(OAuth20Constants.RESPONSE_CODE)) {