Commit 0024ad34 authored by Jasha Joachimsthal's avatar Jasha Joachimsthal Committed by 陈健

OAUTH-3231 Use term Discovery in all our products

parent 5cb3d12e
......@@ -56,7 +56,7 @@ onegini.oidc.idTokenEncryptionEnabled=true
## Run and test
Run the example via the Run configuration in IntelliJ or via the command line: `mvn spring-boot:run`. The Token Server needs to be accessible to start this
application since it connects to the well-known-configuration endpoint during start up.
application since it connects to the discovery endpoint during start up.
Go to [http://localhost:8080](http://localhost:8080)
......@@ -136,11 +136,11 @@ go wrong.
### Application fails to start
The RP can only start up when the Onegini Token Server is running. During the start up the RP tries to connect to the well-known-configuration endpoint of the
The RP can only start up when the Onegini Token Server is running. During the start up the RP tries to connect to the discovery endpoint of the
Onegini Token Server.
* Check that the Onegini Token Server is running
* Check that the property `onegini.oidc.issuer` points to the URL of that Onegini Token Server
* Check that the property `onegini.oidc.issuer` points to the base URL of that Onegini Token Server (e.g. http://localhost:7878/oauth)
### 401 - Unauthorized during login
......
......@@ -15,13 +15,13 @@ import org.springframework.web.bind.annotation.RestController;
import com.nimbusds.jose.JWEAlgorithm;
import com.onegini.oidc.encryption.JwkSetProvider;
import com.onegini.oidc.model.OpenIdWellKnownConfiguration;
import com.onegini.oidc.model.OpenIdDiscovery;
import net.minidev.json.JSONObject;
@RestController
@ConditionalOnProperty(value = "onegini.oidc.idTokenEncryptionEnabled", havingValue = "true")
public class JweWellKnownJwksController {
private static final String JWKS_KEYS_PATH = "/.well-known/jwks.json";
private static final String JWKS_KEYS_PATH = "/.well-known/jwks.json"; // NOSONAR
private static final JWEAlgorithm ASYMMETRIC_ENCRYPTION_ALGORITHM = ECDH_ES;
//Configure this value based on your key rotation plan. The server will cache this response based on this value. Keys should be persisted
//they are not changing at startup.
......@@ -30,7 +30,7 @@ public class JweWellKnownJwksController {
@Resource
private JwkSetProvider jwkSetProvider;
@Resource
private OpenIdWellKnownConfiguration openIdWellKnownConfiguration;
private OpenIdDiscovery openIdDiscovery;
@GetMapping(JWKS_KEYS_PATH)
public ResponseEntity<JSONObject> getJwks() {
......@@ -44,12 +44,12 @@ public class JweWellKnownJwksController {
}
private void validateAlgorithmSupport(final JWEAlgorithm jweAlgorithm) {
final boolean algorithmNotSupported = openIdWellKnownConfiguration.getIdTokenEncryptionAlgValuesSupported().stream()
final boolean algorithmNotSupported = openIdDiscovery.getIdTokenEncryptionAlgValuesSupported().stream()
.map(JWEAlgorithm::parse).noneMatch(alg -> alg.equals(jweAlgorithm));
if (algorithmNotSupported) {
throw new IllegalStateException("Algorithm is not supported by OP. Supported algorithms: " +
StringUtils.collectionToCommaDelimitedString(openIdWellKnownConfiguration.getIdTokenEncryptionAlgValuesSupported()));
StringUtils.collectionToCommaDelimitedString(openIdDiscovery.getIdTokenEncryptionAlgValuesSupported()));
}
}
......
......@@ -20,7 +20,7 @@ import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.servlet.support.ServletUriComponentsBuilder;
import org.springframework.web.util.UriComponentsBuilder;
import com.onegini.oidc.model.OpenIdWellKnownConfiguration;
import com.onegini.oidc.model.OpenIdDiscovery;
import com.onegini.oidc.model.UserInfo;
import lombok.extern.slf4j.Slf4j;
......@@ -34,7 +34,7 @@ public class LogoutController {
private static final String REDIRECT_TO_INDEX = "redirect:/";
@Resource
private OpenIdWellKnownConfiguration openIdWellKnownConfiguration;
private OpenIdDiscovery openIdDiscovery;
@GetMapping(PAGE_LOGOUT)
private String logout(final HttpServletRequest request, final HttpServletResponse response, final Principal principal) {
......@@ -45,7 +45,7 @@ public class LogoutController {
if (userInfo != null && StringUtils.isNotBlank(userInfo.getIdToken())) {
log.info("Has idToken {}", userInfo.getIdToken());
final String endSessionEndpoint = openIdWellKnownConfiguration.getEndSessionEndpoint();
final String endSessionEndpoint = openIdDiscovery.getEndSessionEndpoint();
if (StringUtils.isNotBlank(endSessionEndpoint)) {
return endOpenIdSession(userInfo, endSessionEndpoint);
}
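Review bot: `log.info("Has idToken {}", userInfo.getIdToken())`, two lines above the renamed `getEndSessionEndpoint()` call, writes the complete ID token to the application log at INFO level. The token carries the user's identity claims and is then passed on as the hint to the end-session endpoint, so it is sensitive material that should not end up in log files; logging only its presence, `log.debug("User has an idToken, attempting OpenID end-session")`, keeps the diagnostic value without the payload. The surrounding `logout` method starts in the previous hunk and ends outside this one.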
......
......@@ -7,7 +7,7 @@ import lombok.NoArgsConstructor;
@Data
@NoArgsConstructor
public class OpenIdWellKnownConfiguration {
public class OpenIdDiscovery {
private String issuer;
private String authorizationEndpoint;
......
......@@ -19,13 +19,13 @@ import org.springframework.security.oauth2.config.annotation.web.configuration.E
import org.springframework.web.client.RestTemplate;
import com.onegini.oidc.config.ApplicationProperties;
import com.onegini.oidc.model.OpenIdWellKnownConfiguration;
import com.onegini.oidc.model.OpenIdDiscovery;
@Configuration
@EnableOAuth2Client
public class OAuth2Client {
private static final String WELL_KNOWN_CONFIG_PATH = "/.well-known/openid-configuration";
private static final String DISCOVERY_PATH = "/.well-known/openid-configuration"; //NOSONAR
@Resource
private ApplicationProperties applicationProperties;
......@@ -36,12 +36,12 @@ public class OAuth2Client {
private RestTemplate restTemplate;
@Bean
public OpenIdWellKnownConfiguration getOpenIdWellKnownConfiguration() {
return restTemplate.getForObject(applicationProperties.getIssuer() + WELL_KNOWN_CONFIG_PATH, OpenIdWellKnownConfiguration.class);
public OpenIdDiscovery getOpenIdDiscovery() {
return restTemplate.getForObject(applicationProperties.getIssuer() + DISCOVERY_PATH, OpenIdDiscovery.class);
}
@Bean
public OAuth2ProtectedResourceDetails protectedResourceDetails(final OpenIdWellKnownConfiguration configuration) {
public OAuth2ProtectedResourceDetails protectedResourceDetails(final OpenIdDiscovery configuration) {
//setup OAuth
final AuthorizationCodeResourceDetails conf = new AuthorizationCodeResourceDetails();
......@@ -58,7 +58,7 @@ public class OAuth2Client {
@Bean
@Scope(value = "session", proxyMode = ScopedProxyMode.INTERFACES)
public OAuth2RestOperations oAuth2RestOperations(final OpenIdWellKnownConfiguration configuration) {
public OAuth2RestOperations oAuth2RestOperations(final OpenIdDiscovery configuration) {
return new OAuth2RestTemplate(protectedResourceDetails(configuration), oAuth2ClientContext);
}
}
\ No newline at end of file
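Review bot: `getOpenIdDiscovery()` on the new side of the `@@ -36` hunk returns the fetched document unchecked: nothing compares its `issuer` field with `applicationProperties.getIssuer()`, and a `null` result from `getForObject` is handed out as a bean. Every endpoint the RP subsequently trusts (jwks_uri, end-session, and whatever `protectedResourceDetails` reads from the document — its body is outside the hunk) comes from this object, so a document whose issuer does not match the configured one should fail startup rather than be accepted; OpenID Connect Discovery 1.0 §4.3 calls for exactly this comparison. The field is visible in the `OpenIdDiscovery` hunk and `@Data` supplies the accessor; assuming the Token Server echoes the configured issuer verbatim (if it normalizes trailing slashes, compare normalized forms), the bean can validate before returning:
```java
@Bean
public OpenIdDiscovery getOpenIdDiscovery() {
  final OpenIdDiscovery discovery = restTemplate.getForObject(applicationProperties.getIssuer() + DISCOVERY_PATH, OpenIdDiscovery.class);
  // Fail fast: all further OP endpoints are taken from this document, so it must describe the configured issuer.
  if (discovery == null || !applicationProperties.getIssuer().equals(discovery.getIssuer())) {
    throw new IllegalStateException("Discovery document does not describe the configured issuer " + applicationProperties.getIssuer());
  }
  return discovery;
}
```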
......@@ -19,7 +19,7 @@ import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
import com.onegini.oidc.config.ApplicationProperties;
import com.onegini.oidc.model.OpenIdWellKnownConfiguration;
import com.onegini.oidc.model.OpenIdDiscovery;
/**
* This class is mostly just a wrapper around IDTokenValidator
......@@ -30,20 +30,20 @@ public class OpenIdTokenValidatorWrapper {
@Resource
private ApplicationProperties applicationProperties;
@Resource
private OpenIdWellKnownConfiguration openIdWellKnownConfiguration;
private OpenIdDiscovery openIdDiscovery;
void validateToken(final JWT idToken) {
// JWT header contains the signing algorithm
final JWSAlgorithm algorithm = (JWSAlgorithm) idToken.getHeader().getAlgorithm();
// Get JWK Source from the .well-known/openid-configuration endpoint of the OpenID Connect provider (Onegini Token Server)
final String jwksUri = openIdWellKnownConfiguration.getJwksUri();
final String jwksUri = openIdDiscovery.getJwksUri();
try {
final JWKSource<SecurityContext> jwkSource = new RemoteJWKSet<>(new URL(jwksUri));
final JWSKeySelector jwsKeySelector = new JWSVerificationKeySelector<>(algorithm, jwkSource);
final IDTokenValidator idTokenValidator = new IDTokenValidator(new Issuer(applicationProperties.getIssuer()),
new ClientID(applicationProperties.getClientId()), jwsKeySelector, null);
idTokenValidator.validate(idToken, null);
} catch (MalformedURLException e) {
} catch (final MalformedURLException e) {
throw new IllegalArgumentException("Unable to convert '" + jwksUri + "' to URL.", e);
} catch (final Exception e) {
throw new BadCredentialsException("idToken is not valid", e);
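Review bot: `validateToken` still constructs a new `RemoteJWKSet` (and a new `IDTokenValidator`) around `openIdDiscovery.getJwksUri()` on every call, so each ID-token validation re-fetches the key set over the network and the cache RemoteJWKSet keeps internally is never reused; the method's body continues past the end of the hunk. Because the jwks_uri comes from the injected discovery bean and does not vary per request, the `JWKSource<SecurityContext>` belongs in a field built once after injection (a `@PostConstruct` method, which needs the matching `javax.annotation` import), leaving `validateToken` to build only the key selector and validator. While there, `final JWSKeySelector jwsKeySelector` is a raw type; `JWSKeySelector<SecurityContext>` matches the source's parameterization. The comment above the `getJwksUri()` line could also adopt the commit's terminology: `// Get JWK Source from the discovery document of the OpenID Connect provider (Onegini Token Server)`.
```java
@Resource
private OpenIdDiscovery openIdDiscovery;

// Created once: RemoteJWKSet caches the fetched key set, which per-call construction would discard.
private JWKSource<SecurityContext> jwkSource;

@PostConstruct
void initJwkSource() {
  final String jwksUri = openIdDiscovery.getJwksUri();
  try {
    jwkSource = new RemoteJWKSet<>(new URL(jwksUri));
  } catch (final MalformedURLException e) {
    throw new IllegalArgumentException("Unable to convert '" + jwksUri + "' to URL.", e);
  }
}

void validateToken(final JWT idToken) {
  // JWT header contains the signing algorithm
  final JWSAlgorithm algorithm = (JWSAlgorithm) idToken.getHeader().getAlgorithm();
  final JWSKeySelector<SecurityContext> jwsKeySelector = new JWSVerificationKeySelector<>(algorithm, jwkSource);
  // … unchanged: IDTokenValidator construction, validate(), BadCredentialsException wrapping …
```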
......