OAUTH-3231 Use term Discovery in all our products

0024ad34 · Jasha Joachimsthal · 陈健 · 5cb3d12e · 0024ad34 · 0024ad34
Commit 0024ad34 authored Feb 26, 2019 by Jasha Joachimsthal Committed by 陈健 Sep 17, 2019
6 changed files
--- a/README.md
+++ b/README.md
@@ -56,7 +56,7 @@ onegini.oidc.idTokenEncryptionEnabled=true

 ## Run and test
 Run the example via the Run configuration in IntelliJ or via the command line: `mvn spring-boot:run`. The Token Server needs to be accessible to start this 
-application since it connects to the well-known-configuration endpoint during start up.
+application since it connects to the discovery endpoint during start up.

 Go to [http://localhost:8080](http://localhost:8080) 

@@ -136,11 +136,11 @@ go wrong.

 ### Application fails to start

-The RP can only start up when the Onegini Token Server is running. During the start up the RP tries to connect to the well-known-configuration endpoint of the
+The RP can only start up when the Onegini Token Server is running. During the start up the RP tries to connect to the discovery endpoint of the
 Onegini Token Server.

 * Check that the Onegini Token Server is running
-* Check that the property `onegini.oidc.issuer` points to the URL of that Onegini Token Server
+* Check that the property `onegini.oidc.issuer` points to the base URL of that Onegini Token Server (e.g. http://localhost:7878/oauth)

 ### 401 - Unauthorized during login


--- a/src/main/java/com/onegini/oidc/JweWellKnownJwksController.java
+++ b/src/main/java/com/onegini/oidc/JweWellKnownJwksController.java
@@ -15,13 +15,13 @@ import org.springframework.web.bind.annotation.RestController;

 import com.nimbusds.jose.JWEAlgorithm;
 import com.onegini.oidc.encryption.JwkSetProvider;
-import com.onegini.oidc.model.OpenIdWellKnownConfiguration;
+import com.onegini.oidc.model.OpenIdDiscovery;
 import net.minidev.json.JSONObject;

 @RestController
 @ConditionalOnProperty(value = "onegini.oidc.idTokenEncryptionEnabled", havingValue = "true")
 public class JweWellKnownJwksController {
-  private static final String JWKS_KEYS_PATH = "/.well-known/jwks.json";
+  private static final String JWKS_KEYS_PATH = "/.well-known/jwks.json"; // NOSONAR
  private static final JWEAlgorithm ASYMMETRIC_ENCRYPTION_ALGORITHM = ECDH_ES;
  //Configure this value based on your key rotation plan. The server will cache this response based on this value. Keys should be persisted
  //they are not changing at startup.
@@ -30,7 +30,7 @@ public class JweWellKnownJwksController {
  @Resource
  private JwkSetProvider jwkSetProvider;
  @Resource
-  private OpenIdWellKnownConfiguration openIdWellKnownConfiguration;
+  private OpenIdDiscovery openIdDiscovery;

  @GetMapping(JWKS_KEYS_PATH)
  public ResponseEntity<JSONObject> getJwks() {
@@ -44,12 +44,12 @@ public class JweWellKnownJwksController {
  }

  private void validateAlgorithmSupport(final JWEAlgorithm jweAlgorithm) {
-    final boolean algorithmNotSupported = openIdWellKnownConfiguration.getIdTokenEncryptionAlgValuesSupported().stream()
+    final boolean algorithmNotSupported = openIdDiscovery.getIdTokenEncryptionAlgValuesSupported().stream()
        .map(JWEAlgorithm::parse).noneMatch(alg -> alg.equals(jweAlgorithm));

    if (algorithmNotSupported) {
      throw new IllegalStateException("Algorithm is not supported by OP. Supported algorithms: " +
-          StringUtils.collectionToCommaDelimitedString(openIdWellKnownConfiguration.getIdTokenEncryptionAlgValuesSupported()));
+          StringUtils.collectionToCommaDelimitedString(openIdDiscovery.getIdTokenEncryptionAlgValuesSupported()));
    }
  }


--- a/src/main/java/com/onegini/oidc/LogoutController.java
+++ b/src/main/java/com/onegini/oidc/LogoutController.java
@@ -20,7 +20,7 @@ import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.servlet.support.ServletUriComponentsBuilder;
 import org.springframework.web.util.UriComponentsBuilder;

-import com.onegini.oidc.model.OpenIdWellKnownConfiguration;
+import com.onegini.oidc.model.OpenIdDiscovery;
 import com.onegini.oidc.model.UserInfo;
 import lombok.extern.slf4j.Slf4j;

@@ -34,7 +34,7 @@ public class LogoutController {
  private static final String REDIRECT_TO_INDEX = "redirect:/";

  @Resource
-  private OpenIdWellKnownConfiguration openIdWellKnownConfiguration;
+  private OpenIdDiscovery openIdDiscovery;

  @GetMapping(PAGE_LOGOUT)
  private String logout(final HttpServletRequest request, final HttpServletResponse response, final Principal principal) {
@@ -45,7 +45,7 @@ public class LogoutController {

    if (userInfo != null && StringUtils.isNotBlank(userInfo.getIdToken())) {
      log.info("Has idToken {}", userInfo.getIdToken());
-      final String endSessionEndpoint = openIdWellKnownConfiguration.getEndSessionEndpoint();
+      final String endSessionEndpoint = openIdDiscovery.getEndSessionEndpoint();
      if (StringUtils.isNotBlank(endSessionEndpoint)) {
        return endOpenIdSession(userInfo, endSessionEndpoint);
      }

--- a/src/main/java/com/onegini/oidc/model/OpenIdWellKnownConfiguration.java
+++ b/src/main/java/com/onegini/oidc/model/OpenIdWellKnownConfiguration.java
@@ -7,7 +7,7 @@ import lombok.NoArgsConstructor;

 @Data
 @NoArgsConstructor
-public class OpenIdWellKnownConfiguration {
+public class OpenIdDiscovery {

  private String issuer;
  private String authorizationEndpoint;

--- a/src/main/java/com/onegini/oidc/security/OAuth2Client.java
+++ b/src/main/java/com/onegini/oidc/security/OAuth2Client.java
@@ -19,13 +19,13 @@ import org.springframework.security.oauth2.config.annotation.web.configuration.E
 import org.springframework.web.client.RestTemplate;

 import com.onegini.oidc.config.ApplicationProperties;
-import com.onegini.oidc.model.OpenIdWellKnownConfiguration;
+import com.onegini.oidc.model.OpenIdDiscovery;

 @Configuration
 @EnableOAuth2Client
 public class OAuth2Client {

-  private static final String WELL_KNOWN_CONFIG_PATH = "/.well-known/openid-configuration";
+  private static final String DISCOVERY_PATH = "/.well-known/openid-configuration"; //NOSONAR

  @Resource
  private ApplicationProperties applicationProperties;
@@ -36,12 +36,12 @@ public class OAuth2Client {
  private RestTemplate restTemplate;

  @Bean
-  public OpenIdWellKnownConfiguration getOpenIdWellKnownConfiguration() {
-    return restTemplate.getForObject(applicationProperties.getIssuer() + WELL_KNOWN_CONFIG_PATH, OpenIdWellKnownConfiguration.class);
+  public OpenIdDiscovery getOpenIdDiscovery() {
+    return restTemplate.getForObject(applicationProperties.getIssuer() + DISCOVERY_PATH, OpenIdDiscovery.class);
  }

  @Bean
-  public OAuth2ProtectedResourceDetails protectedResourceDetails(final OpenIdWellKnownConfiguration configuration) {
+  public OAuth2ProtectedResourceDetails protectedResourceDetails(final OpenIdDiscovery configuration) {

    //setup OAuth
    final AuthorizationCodeResourceDetails conf = new AuthorizationCodeResourceDetails();
@@ -58,7 +58,7 @@ public class OAuth2Client {

  @Bean
  @Scope(value = "session", proxyMode = ScopedProxyMode.INTERFACES)
-  public OAuth2RestOperations oAuth2RestOperations(final OpenIdWellKnownConfiguration configuration) {
+  public OAuth2RestOperations oAuth2RestOperations(final OpenIdDiscovery configuration) {
    return new OAuth2RestTemplate(protectedResourceDetails(configuration), oAuth2ClientContext);
  }
 }
\ No newline at end of file
--- a/src/main/java/com/onegini/oidc/security/OpenIdTokenValidatorWrapper.java
+++ b/src/main/java/com/onegini/oidc/security/OpenIdTokenValidatorWrapper.java
@@ -19,7 +19,7 @@ import com.nimbusds.oauth2.sdk.id.ClientID;
 import com.nimbusds.oauth2.sdk.id.Issuer;
 import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
 import com.onegini.oidc.config.ApplicationProperties;
-import com.onegini.oidc.model.OpenIdWellKnownConfiguration;
+import com.onegini.oidc.model.OpenIdDiscovery;

 /**
 * This class is mostly just a wrapper around IDTokenValidator
@@ -30,20 +30,20 @@ public class OpenIdTokenValidatorWrapper {
  @Resource
  private ApplicationProperties applicationProperties;
  @Resource
-  private OpenIdWellKnownConfiguration openIdWellKnownConfiguration;
+  private OpenIdDiscovery openIdDiscovery;

  void validateToken(final JWT idToken) {
    // JWT header contains the signing algorithm
    final JWSAlgorithm algorithm = (JWSAlgorithm) idToken.getHeader().getAlgorithm();
    // Get JWK Source from the .well-known/openid-configuration endpoint of the OpenID Connect provider (Onegini Token Server)
-    final String jwksUri = openIdWellKnownConfiguration.getJwksUri();
+    final String jwksUri = openIdDiscovery.getJwksUri();
    try {
      final JWKSource<SecurityContext> jwkSource = new RemoteJWKSet<>(new URL(jwksUri));
      final JWSKeySelector jwsKeySelector = new JWSVerificationKeySelector<>(algorithm, jwkSource);
      final IDTokenValidator idTokenValidator = new IDTokenValidator(new Issuer(applicationProperties.getIssuer()),
          new ClientID(applicationProperties.getClientId()), jwsKeySelector, null);
      idTokenValidator.validate(idToken, null);
-    } catch (MalformedURLException e) {
+    } catch (final MalformedURLException e) {
      throw new IllegalArgumentException("Unable to convert '" + jwksUri + "' to URL.", e);
    } catch (final Exception e) {
      throw new BadCredentialsException("idToken is not valid", e);