d9686558
Commit
d9686558
authored
Dec 12, 2018
by
Jasha Joachimsthal
Committed by
陈健
Sep 17, 2019
OAUTH-3147 Code style
parent
86e7c256
Showing
5 changed files
with
32 additions
and
30 deletions
+32
-30
LogoutController.java
src/main/java/com/onegini/oidc/LogoutController.java
+10
-8
JweDecrypterService.java
...java/com/onegini/oidc/encryption/JweDecrypterService.java
+10
-8
JweKeyGenerator.java
...ain/java/com/onegini/oidc/encryption/JweKeyGenerator.java
+6
-6
OpenIdWellKnownConfiguration.java
.../com/onegini/oidc/model/OpenIdWellKnownConfiguration.java
+0
-3
OpenIdConnectAuthenticationFilter.java
...gini/oidc/security/OpenIdConnectAuthenticationFilter.java
+6
-5
src/main/java/com/onegini/oidc/LogoutController.java
...
...
@@ -8,6 +8,7 @@ import javax.annotation.Resource;
import
javax.servlet.http.HttpServletRequest
;
import
javax.servlet.http.HttpServletResponse
;
import
org.apache.commons.lang3.StringUtils
;
import
org.springframework.security.core.Authentication
;
import
org.springframework.security.core.context.SecurityContextHolder
;
import
org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler
;
...
...
@@ -15,7 +16,6 @@ import org.springframework.security.web.authentication.preauth.PreAuthenticatedA
import
org.springframework.stereotype.Controller
;
import
org.springframework.util.LinkedMultiValueMap
;
import
org.springframework.util.MultiValueMap
;
import
org.springframework.util.StringUtils
;
import
org.springframework.web.bind.annotation.GetMapping
;
import
org.springframework.web.servlet.support.ServletUriComponentsBuilder
;
import
org.springframework.web.util.UriComponentsBuilder
;
...
...
@@ -28,25 +28,25 @@ import lombok.extern.slf4j.Slf4j;
@Slf4j
public
class
LogoutController
{
public
static
final
String
PAGE_LOGOUT
=
"/logout"
;
@SuppressWarnings
(
"squid:S1075"
)
private
static
final
String
PARAM_POST_LOGOUT_REDIRECT_URI
=
"post_logout_redirect_uri"
;
private
static
final
String
PARAM_ID_TOKEN_HINT
=
"id_token_hint"
;
private
static
final
String
PAGE_SIGNOUT_CALLBACK_OIDC
=
"/signout-callback-oidc"
;
private
static
final
String
REDIRECT_TO_INDEX
=
"redirect:/"
;
@Resource
private
OpenIdWellKnownConfiguration
openIdWellKnownConfiguration
;
@GetMapping
(
PAGE_LOGOUT
)
private
String
logout
(
final
HttpServletRequest
request
,
final
HttpServletResponse
response
,
final
Principal
principal
)
{
//
Save idToken
before authentication is cleared
//
Fetch UserInfo
before authentication is cleared
final
UserInfo
userInfo
=
getUserInfo
(
principal
);
endSessionInSpringSecurity
(
request
,
response
);
if
(
userInfo
!=
null
&&
StringUtils
.
hasLength
(
userInfo
.
getIdToken
()))
{
if
(
userInfo
!=
null
&&
StringUtils
.
isNotBlank
(
userInfo
.
getIdToken
()))
{
log
.
info
(
"Has idToken {}"
,
userInfo
.
getIdToken
());
final
String
endSessionEndpoint
=
openIdWellKnownConfiguration
.
getEndSessionEndpoint
();
if
(
StringUtils
.
hasLength
(
endSessionEndpoint
))
{
if
(
StringUtils
.
isNotBlank
(
endSessionEndpoint
))
{
return
endOpenIdSession
(
userInfo
,
endSessionEndpoint
);
}
}
...
...
@@ -70,10 +70,11 @@ public class LogoutController {
private
void
endSessionInSpringSecurity
(
final
HttpServletRequest
request
,
final
HttpServletResponse
response
)
{
final
Authentication
auth
=
SecurityContextHolder
.
getContext
().
getAuthentication
();
if
(
auth
!=
null
)
{
log
.
info
(
"End user session in Spring Security"
);
new
SecurityContextLogoutHandler
().
logout
(
request
,
response
,
auth
);
if
(
auth
==
null
)
{
return
;
}
log
.
info
(
"End user session in Spring Security"
);
new
SecurityContextLogoutHandler
().
logout
(
request
,
response
,
auth
);
}
private
String
endOpenIdSession
(
final
UserInfo
userInfo
,
final
String
endSessionEndpoint
)
{
...
...
@@ -81,6 +82,7 @@ public class LogoutController {
final
String
postLogoutRedirectUri
=
ServletUriComponentsBuilder
.
fromCurrentContextPath
().
path
(
PAGE_SIGNOUT_CALLBACK_OIDC
).
build
().
toUriString
();
requestParameters
.
add
(
PARAM_POST_LOGOUT_REDIRECT_URI
,
postLogoutRedirectUri
);
// Token Server doesn't know how to decode the token id and it doesn't store encoded token id so passing that won't help to detect which session should be logged out.
if
(!
userInfo
.
isEncryptionEnabled
())
{
requestParameters
.
add
(
PARAM_ID_TOKEN_HINT
,
userInfo
.
getIdToken
());
...
...
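Review bot: The `isNotBlank` branch of `logout` still writes the complete ID token to the application log at INFO (`log.info("Has idToken {}", userInfo.getIdToken())`); the token is a signed JWT carrying the subject and profile claims and is forwarded as `id_token_hint`, so it should not land in logs. Replace it with `log.debug("Has idToken for principal")` or log a fingerprint (e.g. a SHA-256 prefix) of the token, and keep it at DEBUG. Separately, `post_logout_redirect_uri` in `endOpenIdSession` is derived from `ServletUriComponentsBuilder.fromCurrentContextPath()`, i.e. from the incoming Host / X-Forwarded-Host headers; unless the provider strictly matches it against the registered post-logout URIs (not visible here), a forged Host header could steer the browser after logout, so building it from a configured base URL is safer. The return path of `logout` after these checks and the rest of `endOpenIdSession` lie outside the hunks.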
src/main/java/com/onegini/oidc/encryption/JweDecrypterService.java
...
...
@@ -35,8 +35,7 @@ public class JweDecrypterService {
try
{
jweObject
.
decrypt
(
decrypter
);
return
jweObject
.
getPayload
().
toSignedJWT
();
}
catch
(
JOSEException
e
)
{
log
.
error
(
"Could not decrypt the JWT"
);
}
catch
(
final
JOSEException
e
)
{
throw
new
IllegalStateException
(
"Could not decrypt the JWT"
,
e
);
}
}
...
...
@@ -50,12 +49,14 @@ public class JweDecrypterService {
private
JWK
getRelevantKey
(
final
JWEObject
jweObject
)
{
final
JWKSet
privateJWKS
=
jwkSetProvider
.
getPrivateJWKS
(
jweObject
.
getHeader
().
getAlgorithm
());
final
JWK
relevantKey
=
privateJWKS
.
getKeyByKeyId
(
jweObject
.
getHeader
().
getKeyID
());
if
(
relevantKey
!=
null
)
{
return
relevantKey
;
if
(
relevantKey
==
null
)
{
//The Server may have cached the JWKSet response and when this app was restarted, it generated new keys which would not match
log
.
debug
(
"Could not match the keyId with any of the private keys provided."
);
throw
new
IllegalArgumentException
(
"JWK set does not contain a relevant JWK."
);
}
//The Server may have cached the JWKSet response and when this app was restarted, it generated new keys which would not match
log
.
error
(
"Could not match the keyId with any of the private keys provided."
);
throw
new
IllegalArgumentException
(
"JWK set does not contain a relevant JWK."
);
return
relevantKey
;
}
private
JWEDecrypter
getDecrypter
(
final
JWK
jwk
)
{
...
...
@@ -63,7 +64,8 @@ public class JweDecrypterService {
try
{
if
(
KeyType
.
RSA
.
equals
(
keyType
))
{
return
new
RSADecrypter
((
RSAKey
)
jwk
);
}
else
if
(
KeyType
.
EC
.
equals
(
keyType
))
{
}
if
(
KeyType
.
EC
.
equals
(
keyType
))
{
return
new
ECDHDecrypter
((
ECKey
)
jwk
);
}
throw
new
IllegalStateException
(
String
.
format
(
"Unsupported KeyType (%s)"
,
jwk
.
getKeyType
()));
...
...
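Review bot: Nothing in `getDecrypter` or `getRelevantKey` pins the token to the JWE algorithm this application configured: the key set is chosen from the header-supplied `alg`, the key from the header-supplied `kid`, and `RSADecrypter`/`ECDHDecrypter` then honour any algorithm of that family the header names (an `RSA1_5` header would be accepted alongside `RSA-OAEP`). Before `jweObject.decrypt(decrypter)` compare the header with the expected value, e.g. `if (!expectedAlgorithm.equals(jweObject.getHeader().getAlgorithm())) { throw new IllegalStateException("Unexpected JWE alg: " + jweObject.getHeader().getAlgorithm()); }`, where `expectedAlgorithm` is the `JWEAlgorithm` the key generator was configured with, unless a caller I cannot see already does this. The `try` in the first hunk belongs to a method whose signature and surrounding lines are outside the hunk, so I could not confirm where the header is validated. In the second hunk, the `log.debug` form (which I read as the new side) demotes the kid-mismatch message from ERROR, which hides the one operator-facing hint that the provider is serving a stale JWK set; the `IllegalArgumentException` still propagates, but WARN would keep the early-throw shape without losing the signal.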
src/main/java/com/onegini/oidc/encryption/JweKeyGenerator.java
...
...
@@ -27,23 +27,23 @@ import lombok.extern.slf4j.Slf4j;
@Slf4j
class
JweKeyGenerator
{
private
static
final
int
RSA_KEYSIZE
=
2048
;
private
static
final
int
RSA_KEY
_
SIZE
=
2048
;
JWK
generateKey
(
final
JWEAlgorithm
jweAlgorithm
)
{
if
(
JWEAlgorithm
.
Family
.
RSA
.
contains
(
jweAlgorithm
))
{
return
generateRSAKey
(
jweAlgorithm
);
}
else
if
(
JWEAlgorithm
.
Family
.
ECDH_ES
.
contains
(
jweAlgorithm
))
{
}
if
(
JWEAlgorithm
.
Family
.
ECDH_ES
.
contains
(
jweAlgorithm
))
{
return
generateECKey
(
jweAlgorithm
);
}
else
{
log
.
error
(
"Unsupported Algorithm ({})"
,
jweAlgorithm
);
return
null
;
}
log
.
error
(
"Unsupported Algorithm ({})"
,
jweAlgorithm
);
return
null
;
}
private
JWK
generateRSAKey
(
final
JWEAlgorithm
jweAlgorithm
)
{
try
{
final
KeyPairGenerator
gen
=
KeyPairGenerator
.
getInstance
(
RSA
.
getValue
());
gen
.
initialize
(
RSA_KEYSIZE
);
gen
.
initialize
(
RSA_KEY
_
SIZE
);
final
KeyPair
keyPair
=
gen
.
generateKeyPair
();
return
new
RSAKey
.
Builder
((
RSAPublicKey
)
keyPair
.
getPublic
())
...
...
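Review bot: `generateKey` still returns `null` for an algorithm outside the RSA and ECDH-ES families after logging, which defers the failure to a NullPointerException in whoever builds a JWK set from the result, while the sibling `JweDecrypterService` throws for the same class of problem. With the `else` gone the trailing two lines can simply become `throw new IllegalArgumentException(String.format("Unsupported Algorithm (%s)", jweAlgorithm));`, provided the callers (not visible here) do not rely on the null. The rename to `RSA_KEY_SIZE` is fine; a short why-comment on the constant, `// 2048-bit modulus: the minimum currently recommended for RSA key wrapping`, would stop the value from being questioned later. `generateRSAKey` continues past the end of the hunk.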
src/main/java/com/onegini/oidc/model/OpenIdWellKnownConfiguration.java
...
...
@@ -3,12 +3,9 @@ package com.onegini.oidc.model;
import
java.util.Collection
;
import
lombok.Data
;
import
lombok.EqualsAndHashCode
;
import
lombok.NoArgsConstructor
;
@Data
@EqualsAndHashCode
@NoArgsConstructor
public
class
OpenIdWellKnownConfiguration
{
...
...
src/main/java/com/onegini/oidc/security/OpenIdConnectAuthenticationFilter.java
...
...
@@ -90,7 +90,7 @@ public class OpenIdConnectAuthenticationFilter extends AbstractAuthenticationPro
}
private
TokenDetails
getTokenDetails
(
final
JWT
jwt
)
{
JWTClaimsSet
claimsSet
;
final
JWTClaimsSet
claimsSet
;
try
{
//If we support only signed JWT or encrypted JWT we can include only adequate part of code
if
(
jwt
instanceof
SignedJWT
)
{
...
...
@@ -112,7 +112,7 @@ public class OpenIdConnectAuthenticationFilter extends AbstractAuthenticationPro
private
UserInfo
createUserInfo
(
final
JWTClaimsSet
jwtClaimsSet
,
final
JWT
jwt
)
{
Object
name
=
jwtClaimsSet
.
getClaim
(
"name"
);
String
idToken
;
final
String
idToken
;
String
encryptedIdToken
=
null
;
if
(
jwt
instanceof
EncryptedJWT
)
{
final
EncryptedJWT
encryptedJWT
=
(
EncryptedJWT
)
jwt
;
...
...
@@ -130,9 +130,10 @@ public class OpenIdConnectAuthenticationFilter extends AbstractAuthenticationPro
private
void
validateEncryptionConfigurationMatchesServer
(
final
JWT
jwt
)
{
if
(
applicationProperties
.
isIdTokenEncryptionEnabled
()
&&
!(
jwt
instanceof
EncryptedJWT
))
{
throw
new
IllegalStateException
(
"Server did not return an EncryptedJWT but encryption was enabled. Check your server side configuration"
);
}
else
if
(!
applicationProperties
.
isIdTokenEncryptionEnabled
()
&&
jwt
instanceof
EncryptedJWT
)
{
throw
new
IllegalStateException
(
"Server returned an EncryptedJWT but encryption was not enabled. Check your server side configuration."
);
throw
new
IllegalStateException
(
"Server did not return an Encrypted JWT but encryption was enabled. Check your server side configuration"
);
}
if
(!
applicationProperties
.
isIdTokenEncryptionEnabled
()
&&
jwt
instanceof
EncryptedJWT
)
{
throw
new
IllegalStateException
(
"Server returned an Encrypted JWT but encryption was not enabled. Check your server side configuration."
);
}
}
...
...
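Review bot: `validateEncryptionConfigurationMatchesServer` guards both directions of the encrypted/signed mismatch, but neither branch says anything about a `PlainJWT` (an unsecured `alg=none` token, which Nimbus' `JWTParser.parse` returns as its own type), so with encryption disabled such a token passes this check and its fate depends on the `instanceof SignedJWT` branch of `getTokenDetails`, most of which is outside the hunk. A one-line guard at the top makes the intent explicit regardless of that branch: `if (jwt instanceof PlainJWT) { throw new IllegalStateException("Unsecured (alg=none) ID token rejected"); }` (with `com.nimbusds.jwt.PlainJWT` imported). Dropping the `else if` reads well here because both remaining `if` blocks throw; a Javadoc line on the method, `/** Rejects an ID token whose (non-)encryption does not match {@code idTokenEncryptionEnabled}. */`, would record that contract. `createUserInfo` also runs past the end of its hunk.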