add 'nonce' attribute to OpenID Connect protocol

5 files changed, 100 insertions, 13 deletions

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Constants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Constants.java
index 75501d812..b0736ff2e 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Constants.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Constants.java
@@ -48,6 +48,7 @@ public final class OAuth20Constants {
 	public static final String PARAM_RESPONSE_TYPE = "response_type";
 	public static final String PARAM_REDIRECT_URI = "redirect_uri";
 	public static final String PARAM_STATE = "state";
+	public static final String PARAM_NONCE = "nonce";
 	public static final String PARAM_GRANT_TYPE = "grant_type";
 	public static final String PARAM_GRANT_TYPE_VALUE_AUTHORIZATION_CODE = "authorization_code";
 	public static final String PARAM_CLIENT_ID = "client_id";
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java
index 583120a86..439d08e0b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java
@@ -30,6 +30,7 @@ import org.apache.commons.lang.StringUtils;
 import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
 import at.gv.egovernment.moa.id.data.IAuthData;
 import at.gv.egovernment.moa.id.protocols.oauth20.Pair;
+import at.gv.egovernment.moa.id.protocols.oauth20.protocol.OAuth20AuthRequest;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.BPKAttributeBuilder;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDAuthBlock;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDCcsURL;
@@ -116,6 +117,7 @@ public final class OAuth20AttributeBuilder {
 		buildersOpenId.add(new OpenIdIssueInstantAttribute());
 		buildersOpenId.add(new OpenIdAuthenticationTimeAttribute());
 		buildersOpenId.add(new OpenIdAudiencesAttribute());
+		buildersOpenId.add(new OpenIdNonceAttribute());
 		
 		// profile
 		buildersProfile.add(new ProfileGivenNameAttribute());
@@ -173,10 +175,18 @@ public final class OAuth20AttributeBuilder {
 	}
 	
 	private static void addAttibutes(final List<IAttributeBuilder> builders, final JsonObject jsonObject,
-			final OAAuthParameter oaParam, final IAuthData authData) {
+			final OAAuthParameter oaParam, final IAuthData authData, OAuth20AuthRequest oAuthRequest) {
 		for (IAttributeBuilder b : builders) {
 			try {
-				Pair<String, JsonPrimitive> attribute = b.build(oaParam, authData, generator);
+				//TODO: better solution requires more refactoring :(
+				Pair<String, JsonPrimitive> attribute = null;
+				if (b instanceof OpenIdNonceAttribute) {
+					OpenIdNonceAttribute nonceBuilder = (OpenIdNonceAttribute) b;
+					attribute = nonceBuilder.build(oaParam, authData, oAuthRequest, generator);
+					
+				} else				
+					attribute = b.build(oaParam, authData, generator);
+					
 				if (attribute != null && !StringUtils.isEmpty(attribute.getSecond().getAsString())) {
 					jsonObject.add(attribute.getFirst(), attribute.getSecond());
 				}
@@ -188,33 +198,34 @@ public final class OAuth20AttributeBuilder {
 	}
 	
 	public static void addScopeOpenId(final JsonObject jsonObject,
-			final OAAuthParameter oaParam, final IAuthData authData) {
-		addAttibutes(buildersOpenId, jsonObject, oaParam, authData);
+			final OAAuthParameter oaParam, final IAuthData authData, 
+			final OAuth20AuthRequest oAuthRequest) {
+		addAttibutes(buildersOpenId, jsonObject, oaParam, authData, oAuthRequest);
 	}
 	
 	public static void addScopeProfile(final JsonObject jsonObject,
 			final OAAuthParameter oaParam, final IAuthData authData) {
-		addAttibutes(buildersProfile, jsonObject, oaParam, authData);
+		addAttibutes(buildersProfile, jsonObject, oaParam, authData, null);
 	}
 	
 	public static void addScopeEID(final JsonObject jsonObject,
 			final OAAuthParameter oaParam, final IAuthData authData) {
-		addAttibutes(buildersEID, jsonObject, oaParam, authData);
+		addAttibutes(buildersEID, jsonObject, oaParam, authData, null);
 	}
 	
 	public static void addScopeEIDGov(final JsonObject jsonObject,
 			final OAAuthParameter oaParam, final IAuthData authData) {
-		addAttibutes(buildersEIDGov, jsonObject, oaParam, authData);
+		addAttibutes(buildersEIDGov, jsonObject, oaParam, authData, null);
 	}
 	
 	public static void addScopeMandate(final JsonObject jsonObject,
 			final OAAuthParameter oaParam, final IAuthData authData) {
-		addAttibutes(buildersMandate, jsonObject, oaParam, authData);
+		addAttibutes(buildersMandate, jsonObject, oaParam, authData, null);
 	}
 	
 	public static void addScopeSTORK(final JsonObject jsonObject,
 			final OAAuthParameter oaParam, final IAuthData authData) {
-		addAttibutes(buildersSTORK, jsonObject, oaParam, authData);
+		addAttibutes(buildersSTORK, jsonObject, oaParam, authData, null);
 	}
 
 	/**
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdNonceAttribute.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdNonceAttribute.java
new file mode 100644
index 000000000..6baa69b1e
--- /dev/null
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdNonceAttribute.java
@@ -0,0 +1,57 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20.attributes;
+
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.protocols.oauth20.protocol.OAuth20AuthRequest;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+public class OpenIdNonceAttribute implements IAttributeBuilder {
+	
+	public String getName() {
+		return "nonce";
+	}
+	
+	public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData,
+			IAttributeGenerator<ATT> g) throws AttributeException { 
+		return g.buildStringAttribute(this.getName(), "", null);
+	}
+	
+	public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, OAuth20AuthRequest oAuthRequest,
+			IAttributeGenerator<ATT> g) throws AttributeException { 
+		if (MiscUtil.isNotEmpty(oAuthRequest.getNonce()))
+			return g.buildStringAttribute(this.getName(), "", oAuthRequest.getNonce());
+		else
+			return null;
+	}
+	
+	public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) {
+		return g.buildEmptyAttribute(this.getName(), "");
+	}
+	
+}
+
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
index 2a0d3b30f..df12c7fa9 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
@@ -52,6 +52,7 @@ import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuthSigner;
 import at.gv.egovernment.moa.id.storage.AssertionStorage;
 import at.gv.egovernment.moa.id.util.Random;
 import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
 
 class OAuth20AuthAction implements IAction {
 	
@@ -126,8 +127,7 @@ class OAuth20AuthAction implements IAction {
 		Map<String, Object> params = new HashMap<String, Object>();
 		params.put(OAuth20Constants.RESPONSE_ACCESS_TOKEN, accessToken);
 		params.put(OAuth20Constants.RESPONSE_TOKEN_TYPE, OAuth20Constants.RESPONSE_TOKEN_TYPE_VALUE_BEARER);
-		params.put(OAuth20Constants.RESPONSE_EXPIRES_IN, OpenIdExpirationTimeAttribute.expirationTime);
-		
+		params.put(OAuth20Constants.RESPONSE_EXPIRES_IN, OpenIdExpirationTimeAttribute.expirationTime);		
 		// build id token and scope
 		Pair<String, String> pair = buildIdToken(auth20SessionObject.getScope(), oAuthRequest,
 				authData);
@@ -149,7 +149,7 @@ class OAuth20AuthAction implements IAction {
 		
 		StringBuilder resultScopes = new StringBuilder();
 		// always fill with open id
-		OAuth20AttributeBuilder.addScopeOpenId(token.getPayloadAsJsonObject(), oaParam, authData);
+		OAuth20AttributeBuilder.addScopeOpenId(token.getPayloadAsJsonObject(), oaParam, authData, oAuthRequest);
 		resultScopes.append("openId");
 		
 		for (String s : scope.split(" ")) {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java
index 03b5d98f9..b5baa6a05 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java
@@ -46,7 +46,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder;
 import at.gv.egovernment.moa.logging.Logger;
 
-class OAuth20AuthRequest extends OAuth20BaseRequest {
+public class OAuth20AuthRequest extends OAuth20BaseRequest {
 	
 	private static final long serialVersionUID = 1L;
 	
@@ -55,6 +55,7 @@ class OAuth20AuthRequest extends OAuth20BaseRequest {
 	private String redirectUri;
 	private String scope;
 	private String clientID;
+	private String nonce;
 	
 	/**
 	 * @return the responseType
@@ -131,6 +132,22 @@ class OAuth20AuthRequest extends OAuth20BaseRequest {
 		this.clientID = clientID;
 	}
 	
+	
+	
+	/**
+	 * @return the nonce
+	 */
+	public String getNonce() {
+		return nonce;
+	}
+
+	/**
+	 * @param nonce the nonce to set
+	 */
+	public void setNonce(String nonce) {
+		this.nonce = nonce;
+	}
+
 	@Override
 	protected void populateSpecialParameters(HttpServletRequest request) throws OAuth20Exception {
 		this.setResponseType(this.getParam(request, OAuth20Constants.PARAM_RESPONSE_TYPE, true));
@@ -138,6 +155,7 @@ class OAuth20AuthRequest extends OAuth20BaseRequest {
 		this.setRedirectUri(this.getParam(request, OAuth20Constants.PARAM_REDIRECT_URI, true));
 		this.setClientID(this.getParam(request, OAuth20Constants.PARAM_CLIENT_ID, true));
 		this.setScope(this.getParam(request, OAuth20Constants.PARAM_SCOPE, false));
+		this.setNonce(this.getParam(request, OAuth20Constants.PARAM_NONCE, false));
 		
 		// check for response type
 		if (!this.responseType.equals(OAuth20Constants.RESPONSE_CODE)) {