From d565382882adaad58774bf5b56397af9f1cc9f58 Mon Sep 17 00:00:00 2001 From: charlievans Date: Mon, 23 Sep 2019 13:25:29 +0200 Subject: [PATCH 01/12] - use encoded access token in responses where it is using accessToken.getID() - remove unused bean oauthAccessTokenResponseGenerator - pass encodedAccessToken to the id token generator service since running encoder twice will result in different strings if jwt (ZonedDateTime.now()) --- ...th20TokenAuthorizationResponseBuilder.java | 2 +- .../cas/ticket/IdTokenGeneratorService.java | 16 ++++--- .../cas/uma/UmaConfigurationContext.java | 2 + .../rpt/UmaIdTokenGeneratorService.java | 21 +++++---- ...uthorizationRequestEndpointController.java | 21 +++++++-- .../cas/config/CasOAuthConfiguration.java | 6 --- .../token/OidcIdTokenGeneratorService.java | 47 +++++++++---------- ...cClientRegistrationEndpointController.java | 16 ++++++- 8 files changed, 78 insertions(+), 53 deletions(-) diff --git a/support/cas-server-support-oauth-core-api/src/main/java/org/apereo/cas/support/oauth/web/response/callback/OAuth20TokenAuthorizationResponseBuilder.java b/support/cas-server-support-oauth-core-api/src/main/java/org/apereo/cas/support/oauth/web/response/callback/OAuth20TokenAuthorizationResponseBuilder.java index 8d0dc5b7619f..f48872c35e79 100644 --- a/support/cas-server-support-oauth-core-api/src/main/java/org/apereo/cas/support/oauth/web/response/callback/OAuth20TokenAuthorizationResponseBuilder.java +++ b/support/cas-server-support-oauth-core-api/src/main/java/org/apereo/cas/support/oauth/web/response/callback/OAuth20TokenAuthorizationResponseBuilder.java 
@@ -136,7 +136,7 @@ protected ModelAndView buildCallbackUrlResponseType(final AccessTokenRequestData
 LOGGER.debug("Redirecting to URL [{}]", url);
 val parameters = new LinkedHashMap();
- parameters.put(OAuth20Constants.ACCESS_TOKEN, accessToken.getId());
+ parameters.put(OAuth20Constants.ACCESS_TOKEN, encodedAccessToken);
 if (refreshToken != null) {
 parameters.put(OAuth20Constants.REFRESH_TOKEN, refreshToken.getId());
 }
diff --git a/support/cas-server-support-oauth-core-api/src/main/java/org/apereo/cas/ticket/IdTokenGeneratorService.java b/support/cas-server-support-oauth-core-api/src/main/java/org/apereo/cas/ticket/IdTokenGeneratorService.java
index 5aefc23a2dfb..47d81926a26f 100644
--- a/support/cas-server-support-oauth-core-api/src/main/java/org/apereo/cas/ticket/IdTokenGeneratorService.java
+++ b/support/cas-server-support-oauth-core-api/src/main/java/org/apereo/cas/ticket/IdTokenGeneratorService.java
@@ -18,17 +18,19 @@ public interface IdTokenGeneratorService {
 /**
 * Generate string.
 *
- * @param request the request
- * @param response the response
- * @param accessTokenId the access token id
- * @param timeoutInSeconds the timeoutInSeconds
- * @param responseType the response type
- * @param registeredService the registered service
+ * @param request the request
+ * @param response the response
+ * @param accessToken the access token
+ * @param encodedAccessToken the access token
+ * @param timeoutInSeconds the timeoutInSeconds
+ * @param responseType the response type
+ * @param registeredService the registered service
 * @return the string
 */
 String generate(HttpServletRequest request,
 HttpServletResponse response,
- AccessToken accessTokenId,
+ AccessToken accessToken,
+ String encodedAccessToken,
 long timeoutInSeconds,
 OAuth20ResponseTypes responseType,
 OAuthRegisteredService registeredService);
diff --git a/support/cas-server-support-oauth-uma-core/src/main/java/org/apereo/cas/uma/UmaConfigurationContext.java b/support/cas-server-support-oauth-uma-core/src/main/java/org/apereo/cas/uma/UmaConfigurationContext.java index 9e8eeb7c02a4..b64252de18ae 100644 --- a/support/cas-server-support-oauth-uma-core/src/main/java/org/apereo/cas/uma/UmaConfigurationContext.java +++ b/support/cas-server-support-oauth-uma-core/src/main/java/org/apereo/cas/uma/UmaConfigurationContext.java @@ -6,6 +6,7 @@ import org.apereo.cas.ticket.IdTokenGeneratorService; import org.apereo.cas.ticket.OAuthTokenSigningAndEncryptionService; import org.apereo.cas.ticket.registry.TicketRegistry; +import org.apereo.cas.token.JwtBuilder; import org.apereo.cas.uma.claim.UmaResourceSetClaimPermissionExaminer; import org.apereo.cas.uma.ticket.permission.UmaPermissionTicketFactory; import org.apereo.cas.uma.ticket.resource.repository.ResourceSetRepository; @@ -32,6 +33,7 @@ public class UmaConfigurationContext { private final ServicesManager servicesManager; private final TicketRegistry ticketRegistry; private final OAuth20TokenGenerator accessTokenGenerator; + private final JwtBuilder accessTokenJwtBuilder; private final UmaPermissionTicketFactory umaPermissionTicketFactory; private final ResourceSetRepository umaResourceSetRepository; private final CasConfigurationProperties casProperties; diff --git a/support/cas-server-support-oauth-uma-core/src/main/java/org/apereo/cas/uma/ticket/rpt/UmaIdTokenGeneratorService.java b/support/cas-server-support-oauth-uma-core/src/main/java/org/apereo/cas/uma/ticket/rpt/UmaIdTokenGeneratorService.java index f72c59017f6e..0e4d0424e699 100644 --- a/support/cas-server-support-oauth-uma-core/src/main/java/org/apereo/cas/uma/ticket/rpt/UmaIdTokenGeneratorService.java +++ b/support/cas-server-support-oauth-uma-core/src/main/java/org/apereo/cas/uma/ticket/rpt/UmaIdTokenGeneratorService.java 
@@ -36,6 +36,7 @@ public UmaIdTokenGeneratorService(final OAuth20ConfigurationContext configuratio public String generate(final HttpServletRequest request, final HttpServletResponse response, final AccessToken accessToken, + final String encodedAccessToken, final long timeoutInSeconds, final OAuth20ResponseTypes responseType, final OAuthRegisteredService registeredService) { @@ -43,7 +44,7 @@ public String generate(final HttpServletRequest request, val context = new JEEContext(request, response, getConfigurationContext().getSessionStore()); LOGGER.debug("Attempting to produce claims for the rpt access token [{}]", accessToken); val authenticatedProfile = getAuthenticatedProfile(request, response); - val claims = buildJwtClaims(request, accessToken, timeoutInSeconds, + val claims = buildJwtClaims(request, accessToken, encodedAccessToken, timeoutInSeconds, registeredService, authenticatedProfile, context, responseType); return encodeAndFinalizeToken(claims, registeredService, accessToken); @@ -52,17 +53,19 @@ public String generate(final HttpServletRequest request, /** * Build jwt claims jwt claims. * - * @param request the request - * @param accessTokenId the access token id - * @param timeoutInSeconds the timeout in seconds - * @param service the service - * @param profile the profile - * @param context the context - * @param responseType the response type + * @param request the request + * @param accessToken the access token + * @param encodedAccessToken the encoded acccess token + * @param timeoutInSeconds the timeout in seconds + * @param service the service + * @param profile the profile + * @param context the context + * @param responseType the response type * @return the jwt claims */ protected JwtClaims buildJwtClaims(final HttpServletRequest request, - final AccessToken accessTokenId, + final AccessToken accessToken, + final String encodedAccessToken, final long timeoutInSeconds, final OAuthRegisteredService service, final UserProfile profile, 
diff --git a/support/cas-server-support-oauth-uma-core/src/main/java/org/apereo/cas/uma/web/controllers/authz/UmaAuthorizationRequestEndpointController.java b/support/cas-server-support-oauth-uma-core/src/main/java/org/apereo/cas/uma/web/controllers/authz/UmaAuthorizationRequestEndpointController.java index 5452bbd72cc3..f1f8713acde8 100644 --- a/support/cas-server-support-oauth-uma-core/src/main/java/org/apereo/cas/uma/web/controllers/authz/UmaAuthorizationRequestEndpointController.java +++ b/support/cas-server-support-oauth-uma-core/src/main/java/org/apereo/cas/uma/web/controllers/authz/UmaAuthorizationRequestEndpointController.java @@ -6,7 +6,9 @@ import org.apereo.cas.support.oauth.OAuth20ResponseTypes; import org.apereo.cas.support.oauth.util.OAuth20Utils; import org.apereo.cas.support.oauth.web.response.accesstoken.ext.AccessTokenRequestDataHolder; +import org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20JwtAccessTokenEncoder; import org.apereo.cas.ticket.accesstoken.AccessToken; +import org.apereo.cas.token.JwtBuilder; import org.apereo.cas.uma.UmaConfigurationContext; import org.apereo.cas.uma.claim.UmaResourceSetClaimPermissionResult; import org.apereo.cas.uma.ticket.permission.UmaPermissionTicket; @@ -42,8 +44,11 @@ @Slf4j @Controller("umaAuthorizationRequestEndpointController") public class UmaAuthorizationRequestEndpointController extends BaseUmaEndpointController { + private final JwtBuilder accessTokenJwtBuilder; + public UmaAuthorizationRequestEndpointController(final UmaConfigurationContext umaConfigurationContext) { super(umaConfigurationContext); + this.accessTokenJwtBuilder = umaConfigurationContext.getAccessTokenJwtBuilder(); } /** 
@@ -185,19 +190,29 @@ protected ResponseEntity generateRequestingPartyToken(final HttpServletRequest r
 }
 val accessToken = result.getAccessToken().get();
+
+ val encodedAccessToken = OAuth20JwtAccessTokenEncoder.builder()
+ .accessToken(accessToken)
+ .registeredService(holder.getRegisteredService())
+ .service(holder.getService())
+ .accessTokenJwtBuilder(accessTokenJwtBuilder)
+ .build()
+ .encode();
+
 val timeout = Beans.newDuration(getUmaConfigurationContext().getCasProperties() .getAuthn().getUma().getRequestingPartyToken().getMaxTimeToLiveInSeconds()).getSeconds();
 request.setAttribute(UmaPermissionTicket.class.getName(), permissionTicket);
 request.setAttribute(ResourceSet.class.getName(), resourceSet);
- val idToken = getUmaConfigurationContext().getRequestingPartyTokenGenerator().generate(request, response, accessToken,
- timeout, OAuth20ResponseTypes.CODE, registeredService);
+ val idToken = getUmaConfigurationContext().getRequestingPartyTokenGenerator().generate(request, response,
+ accessToken, encodedAccessToken, timeout, OAuth20ResponseTypes.CODE, registeredService);
 accessToken.setIdToken(idToken);
 getUmaConfigurationContext().getTicketRegistry().updateTicket(accessToken);
 if (StringUtils.isNotBlank(umaRequest.getRpt())) {
 getUmaConfigurationContext().getTicketRegistry().deleteTicket(umaRequest.getRpt());
 }
- val model = CollectionUtils.wrap("rpt", accessToken.getId(), "code", HttpStatus.CREATED);
+
+ val model = CollectionUtils.wrap("rpt", encodedAccessToken, "code", HttpStatus.CREATED);
 return new ResponseEntity<>(model, HttpStatus.OK);
 }
 }
diff --git a/support/cas-server-support-oauth/src/main/java/org/apereo/cas/config/CasOAuthConfiguration.java b/support/cas-server-support-oauth/src/main/java/org/apereo/cas/config/CasOAuthConfiguration.java
index fb4a6eaad491..645f020ff30d 100644
--- a/support/cas-server-support-oauth/src/main/java/org/apereo/cas/config/CasOAuthConfiguration.java
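Review bot: The superseded RPT is still revoked with `deleteTicket(umaRequest.getRpt())`, but the value handed to the client on the `"rpt"` model line is now `encodedAccessToken`, so for a JWT-enabled service a client that echoes back what it received presents the JWT form, the registry lookup by ticket id cannot match, and the old RPT silently stays valid. Unless `umaRequest.getRpt()` is already normalized to a ticket id upstream (not visible here), resolve the presented value back to the underlying ticket id before calling `deleteTicket`, and treat an unresolvable value as a failed revocation rather than a no-op. Note also that this site builds the encoder with `holder.getRegisteredService()` / `holder.getService()` while the OIDC sites in this patch use `accessToken.getService()`; if those ever differ, the encoded string (and anything hashed over it) differs too. `generateRequestingPartyToken` begins before this hunk.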
+++ b/support/cas-server-support-oauth/src/main/java/org/apereo/cas/config/CasOAuthConfiguration.java @@ -342,12 +342,6 @@ public Authenticator oAuthAccessTokenAuthenticator() { return new OAuth20AccessTokenAuthenticator(ticketRegistry.getObject()); } - @ConditionalOnMissingBean(name = "oauthAccessTokenResponseGenerator") - @Bean - public OAuth20AccessTokenResponseGenerator oauthAccessTokenResponseGenerator() { - return new OAuth20DefaultAccessTokenResponseGenerator(accessTokenJwtBuilder()); - } - @Bean @RefreshScope @ConditionalOnMissingBean(name = "defaultAccessTokenFactory") diff --git a/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorService.java b/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorService.java index 0600aac3d827..da582a3df845 100644 --- a/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorService.java +++ b/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorService.java @@ -8,7 +8,6 @@ import org.apereo.cas.support.oauth.services.OAuthRegisteredService; import org.apereo.cas.support.oauth.web.endpoints.OAuth20ConfigurationContext; import org.apereo.cas.support.oauth.web.response.accesstoken.OAuth20AccessTokenAtHashGenerator; -import org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20JwtAccessTokenEncoder; import org.apereo.cas.ticket.BaseIdTokenGeneratorService; import org.apereo.cas.ticket.TicketGrantingTicket; import org.apereo.cas.ticket.accesstoken.AccessToken; 
@@ -46,6 +45,7 @@ public OidcIdTokenGeneratorService(final OAuth20ConfigurationContext configurati public String generate(final HttpServletRequest request, final HttpServletResponse response, final AccessToken accessToken, + final String encodedAccessToken, final long timeoutInSeconds, final OAuth20ResponseTypes responseType, final OAuthRegisteredService registeredService) { @@ -58,7 +58,7 @@ public String generate(final HttpServletRequest request, val context = new JEEContext(request, response, getConfigurationContext().getSessionStore()); LOGGER.trace("Attempting to produce claims for the id token [{}]", accessToken); val authenticatedProfile = getAuthenticatedProfile(request, response); - val claims = buildJwtClaims(request, accessToken, timeoutInSeconds, + val claims = buildJwtClaims(request, accessToken, encodedAccessToken, timeoutInSeconds, oidcRegisteredService, authenticatedProfile, context, responseType); return encodeAndFinalizeToken(claims, oidcRegisteredService, accessToken); 
@@ -68,36 +68,38 @@ public String generate(final HttpServletRequest request, /** * Produce claims as jwt. * - * @param request the request - * @param accessTokenId the access token id - * @param timeoutInSeconds the timeoutInSeconds - * @param service the service - * @param profile the user profile - * @param context the context - * @param responseType the response type + * @param request the request + * @param accessToken the access token + * @param encodedAccessToken the encoded access token + * @param timeoutInSeconds the timeoutInSeconds + * @param service the service + * @param profile the user profile + * @param context the context + * @param responseType the response type * @return the jwt claims */ protected JwtClaims buildJwtClaims(final HttpServletRequest request, - final AccessToken accessTokenId, + final AccessToken accessToken, + final String encodedAccessToken, final long timeoutInSeconds, final OidcRegisteredService service, final UserProfile profile, final JEEContext context, final OAuth20ResponseTypes responseType) { - val authentication = accessTokenId.getAuthentication(); + val authentication = accessToken.getAuthentication(); val principal = this.getConfigurationContext().getProfileScopeToAttributesFilter() - .filter(accessTokenId.getService(), authentication.getPrincipal(), service, context, accessTokenId); + .filter(accessToken.getService(), authentication.getPrincipal(), service, context, accessToken); val oidc = getConfigurationContext().getCasProperties().getAuthn().getOidc(); val claims = new JwtClaims(); - val jwtId = getJwtId(accessTokenId.getTicketGrantingTicket()); + val jwtId = getJwtId(accessToken.getTicketGrantingTicket()); claims.setJwtId(jwtId); claims.setIssuer(oidc.getIssuer()); - claims.setAudience(accessTokenId.getClientId()); + claims.setAudience(accessToken.getClientId()); val expirationDate = NumericDate.now(); expirationDate.addSeconds(timeoutInSeconds); 
@@ -125,7 +127,7 @@ protected JwtClaims buildJwtClaims(final HttpServletRequest request, if (attributes.containsKey(OAuth20Constants.NONCE)) { claims.setClaim(OAuth20Constants.NONCE, attributes.get(OAuth20Constants.NONCE).get(0)); } - generateAccessTokenHash(accessTokenId, service, claims); + generateAccessTokenHash(encodedAccessToken, service, claims); LOGGER.trace("Comparing principal attributes [{}] with supported claims [{}]", principal.getAttributes(), oidc.getClaims()); @@ -185,20 +187,13 @@ protected String getJwtId(final TicketGrantingTicket tgt) { /** * Generate access token hash string. * - * @param accessToken the access token id - * @param registeredService the service - * @param claims the claims + * @param encodedAccessToken the access token id + * @param registeredService the service + * @param claims the claims */ - protected void generateAccessTokenHash(final AccessToken accessToken, + protected void generateAccessTokenHash(final String encodedAccessToken, final OidcRegisteredService registeredService, final JwtClaims claims) { - val encodedAccessToken = OAuth20JwtAccessTokenEncoder.builder() - .accessToken(accessToken) - .registeredService(registeredService) - .service(accessToken.getService()) - .accessTokenJwtBuilder(getConfigurationContext().getAccessTokenJwtBuilder()) - .build() - .encode(); claims.setClaim(OAuth20Constants.ACCESS_TOKEN, encodedAccessToken); val alg = getConfigurationContext().getIdTokenSigningAndEncryptionService().getJsonWebKeySigningAlgorithm(registeredService); diff --git a/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/web/controllers/dynareg/OidcDynamicClientRegistrationEndpointController.java b/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/web/controllers/dynareg/OidcDynamicClientRegistrationEndpointController.java index 0cde8e2585ee..d369ee4c2d2c 100644 
--- a/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/web/controllers/dynareg/OidcDynamicClientRegistrationEndpointController.java +++ b/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/web/controllers/dynareg/OidcDynamicClientRegistrationEndpointController.java @@ -13,7 +13,9 @@ import org.apereo.cas.support.oauth.util.OAuth20Utils; import org.apereo.cas.support.oauth.web.endpoints.BaseOAuth20Controller; import org.apereo.cas.support.oauth.web.endpoints.OAuth20ConfigurationContext; +import org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20JwtAccessTokenEncoder; import org.apereo.cas.ticket.accesstoken.AccessToken; +import org.apereo.cas.token.JwtBuilder; import org.apereo.cas.util.HttpUtils; import org.apereo.cas.util.RandomUtils; @@ -51,8 +53,11 @@ public class OidcDynamicClientRegistrationEndpointController extends BaseOAuth20 private static final int GENERATED_CLIENT_NAME_LENGTH = 8; + private final JwtBuilder accessTokenJwtBuilder; + public OidcDynamicClientRegistrationEndpointController(final OAuth20ConfigurationContext oAuthConfigurationContext) { super(oAuthConfigurationContext); + this.accessTokenJwtBuilder = oAuthConfigurationContext.getAccessTokenJwtBuilder(); } /** 
@@ -149,7 +154,16 @@ public ResponseEntity handleRequestInternal(@RequestBody final String jsonInput, val clientResponse = OidcClientRegistrationUtils.getClientRegistrationResponse(registeredService, prefix); val accessToken = generateRegistrationAccessToken(request, response, registeredService, registrationRequest); - clientResponse.setRegistrationAccessToken(accessToken.getId()); + + val encodedAccessToken = OAuth20JwtAccessTokenEncoder.builder() + .accessToken(accessToken) + .registeredService(registeredService) + .service(accessToken.getService()) + .accessTokenJwtBuilder(accessTokenJwtBuilder) + .build() + .encode(); + + clientResponse.setRegistrationAccessToken(encodedAccessToken); registeredService.setScopes(supportedScopes); val processedScopes = new LinkedHashSet(supportedScopes); From 0722a022319700495ba640f633b522f47f5caac7 Mon Sep 17 00:00:00 2001 From: charlievans Date: Mon, 23 Sep 2019 13:50:39 +0200 Subject: [PATCH 02/12] fix parameter javadocs and use oAuthConfigurationContext. getAccessTokenJwtBuilder in /register oidc. --- .../java/org/apereo/cas/ticket/IdTokenGeneratorService.java | 2 +- .../apereo/cas/oidc/token/OidcIdTokenGeneratorService.java | 2 +- .../OidcDynamicClientRegistrationEndpointController.java | 6 +----- 3 files changed, 3 insertions(+), 7 deletions(-) diff --git a/support/cas-server-support-oauth-core-api/src/main/java/org/apereo/cas/ticket/IdTokenGeneratorService.java b/support/cas-server-support-oauth-core-api/src/main/java/org/apereo/cas/ticket/IdTokenGeneratorService.java index 47d81926a26f..36e8f6ce7f44 100644 --- a/support/cas-server-support-oauth-core-api/src/main/java/org/apereo/cas/ticket/IdTokenGeneratorService.java +++ b/support/cas-server-support-oauth-core-api/src/main/java/org/apereo/cas/ticket/IdTokenGeneratorService.java 
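Review bot: `clientResponse.setRegistrationAccessToken(encodedAccessToken)` now hands the client a JWT whenever the service has JWT access tokens enabled, but nothing in this hunk shows that the endpoint which later consumes the registration access token accepts that form and maps it back to the ticket; if it still looks the presented string up as a raw ticket id, the client would be locked out of its own registration. Confirm the consuming authenticator decodes JWT access tokens, or keep the raw id here until it does. This site also calls the encoder with `accessToken.getService()` whereas the UMA endpoint in the same patch uses `holder.getService()`; a single convention keeps the encoded forms (and any at_hash computed over them) consistent. `handleRequestInternal` continues past this hunk.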
@@ -21,7 +21,7 @@ public interface IdTokenGeneratorService { * @param request the request * @param response the response * @param accessToken the access token - * @param encodedAccessToken the access token + * @param encodedAccessToken the encoded access token * @param timeoutInSeconds the timeoutInSeconds * @param responseType the response type * @param registeredService the registered service diff --git a/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorService.java b/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorService.java index da582a3df845..ef79191e3f3e 100644 --- a/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorService.java +++ b/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorService.java @@ -187,7 +187,7 @@ protected String getJwtId(final TicketGrantingTicket tgt) { /** * Generate access token hash string. * - * @param encodedAccessToken the access token id + * @param encodedAccessToken the encoded access token * @param registeredService the service * @param claims the claims */ diff --git a/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/web/controllers/dynareg/OidcDynamicClientRegistrationEndpointController.java b/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/web/controllers/dynareg/OidcDynamicClientRegistrationEndpointController.java index d369ee4c2d2c..de66695953ce 100644 --- a/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/web/controllers/dynareg/OidcDynamicClientRegistrationEndpointController.java +++ b/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/web/controllers/dynareg/OidcDynamicClientRegistrationEndpointController.java 
@@ -15,7 +15,6 @@ import org.apereo.cas.support.oauth.web.endpoints.OAuth20ConfigurationContext; import org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20JwtAccessTokenEncoder; import org.apereo.cas.ticket.accesstoken.AccessToken; -import org.apereo.cas.token.JwtBuilder; import org.apereo.cas.util.HttpUtils; import org.apereo.cas.util.RandomUtils; @@ -53,11 +52,8 @@ public class OidcDynamicClientRegistrationEndpointController extends BaseOAuth20 private static final int GENERATED_CLIENT_NAME_LENGTH = 8; - private final JwtBuilder accessTokenJwtBuilder; - public OidcDynamicClientRegistrationEndpointController(final OAuth20ConfigurationContext oAuthConfigurationContext) { super(oAuthConfigurationContext); - this.accessTokenJwtBuilder = oAuthConfigurationContext.getAccessTokenJwtBuilder(); } /** @@ -159,7 +155,7 @@ public ResponseEntity handleRequestInternal(@RequestBody final String jsonInput, .accessToken(accessToken) .registeredService(registeredService) .service(accessToken.getService()) - .accessTokenJwtBuilder(accessTokenJwtBuilder) + .accessTokenJwtBuilder(getOAuthConfigurationContext().getAccessTokenJwtBuilder()) .build() .encode(); From ae6d391fd41e5683445ad1fd52dd11cae5790c73 Mon Sep 17 00:00:00 2001 From: charlievans Date: Mon, 23 Sep 2019 13:54:01 +0200 Subject: [PATCH 03/12] remove jwtbuilder field from UmaAuthorizationRequestEndpointController --- .../authz/UmaAuthorizationRequestEndpointController.java | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/support/cas-server-support-oauth-uma-core/src/main/java/org/apereo/cas/uma/web/controllers/authz/UmaAuthorizationRequestEndpointController.java b/support/cas-server-support-oauth-uma-core/src/main/java/org/apereo/cas/uma/web/controllers/authz/UmaAuthorizationRequestEndpointController.java index f1f8713acde8..4183fb45399f 100644 
--- a/support/cas-server-support-oauth-uma-core/src/main/java/org/apereo/cas/uma/web/controllers/authz/UmaAuthorizationRequestEndpointController.java +++ b/support/cas-server-support-oauth-uma-core/src/main/java/org/apereo/cas/uma/web/controllers/authz/UmaAuthorizationRequestEndpointController.java @@ -8,7 +8,6 @@ import org.apereo.cas.support.oauth.web.response.accesstoken.ext.AccessTokenRequestDataHolder; import org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20JwtAccessTokenEncoder; import org.apereo.cas.ticket.accesstoken.AccessToken; -import org.apereo.cas.token.JwtBuilder; import org.apereo.cas.uma.UmaConfigurationContext; import org.apereo.cas.uma.claim.UmaResourceSetClaimPermissionResult; import org.apereo.cas.uma.ticket.permission.UmaPermissionTicket; @@ -44,11 +43,9 @@ @Slf4j @Controller("umaAuthorizationRequestEndpointController") public class UmaAuthorizationRequestEndpointController extends BaseUmaEndpointController { - private final JwtBuilder accessTokenJwtBuilder; public UmaAuthorizationRequestEndpointController(final UmaConfigurationContext umaConfigurationContext) { super(umaConfigurationContext); - this.accessTokenJwtBuilder = umaConfigurationContext.getAccessTokenJwtBuilder(); } /** @@ -195,7 +192,7 @@ protected ResponseEntity generateRequestingPartyToken(final HttpServletRequest r .accessToken(accessToken) .registeredService(holder.getRegisteredService()) .service(holder.getService()) - .accessTokenJwtBuilder(accessTokenJwtBuilder) + .accessTokenJwtBuilder(getUmaConfigurationContext().getAccessTokenJwtBuilder()) .build() .encode(); From cd27a07631c23658597935928a9c4d7f37819368 Mon Sep 17 00:00:00 2001 From: charlievans Date: Tue, 24 Sep 2019 11:29:11 +0200 Subject: [PATCH 04/12] do not add access token claim to id token --- .../org/apereo/cas/oidc/token/OidcIdTokenGeneratorService.java | 1 - 1 file changed, 1 deletion(-) 
diff --git a/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorService.java b/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorService.java index ef79191e3f3e..976b8994766f 100644 --- a/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorService.java +++ b/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorService.java @@ -195,7 +195,6 @@ protected void generateAccessTokenHash(final String encodedAccessToken, final OidcRegisteredService registeredService, final JwtClaims claims) { - claims.setClaim(OAuth20Constants.ACCESS_TOKEN, encodedAccessToken); val alg = getConfigurationContext().getIdTokenSigningAndEncryptionService().getJsonWebKeySigningAlgorithm(registeredService); val hash = OAuth20AccessTokenAtHashGenerator.builder() .accessTokenId(encodedAccessToken) From 2fa2e670e269c71874f70b9d6f6f037daf930466 Mon Sep 17 00:00:00 2001 From: charlievans Date: Thu, 10 Oct 2019 13:48:10 +0200 Subject: [PATCH 05/12] do not put encodedAccessToken in token generator service since cannot easily get it out in OidcAccessTokenResponseGenerator. Instead make encoder use a fixed date --- .../OAuth20JwtAccessTokenEncoder.java | 5 +---- .../cas/ticket/IdTokenGeneratorService.java | 14 ++++++------- .../rpt/UmaIdTokenGeneratorService.java | 19 ++++++++---------- .../token/OidcIdTokenGeneratorService.java | 20 ++++++++++++------- 4 files changed, 28 insertions(+), 30 deletions(-) diff --git a/support/cas-server-support-oauth-core-api/src/main/java/org/apereo/cas/support/oauth/web/response/accesstoken/response/OAuth20JwtAccessTokenEncoder.java b/support/cas-server-support-oauth-core-api/src/main/java/org/apereo/cas/support/oauth/web/response/accesstoken/response/OAuth20JwtAccessTokenEncoder.java index 840db4d6bd4a..7367e207af58 100644 
--- a/support/cas-server-support-oauth-core-api/src/main/java/org/apereo/cas/support/oauth/web/response/accesstoken/response/OAuth20JwtAccessTokenEncoder.java
+++ b/support/cas-server-support-oauth-core-api/src/main/java/org/apereo/cas/support/oauth/web/response/accesstoken/response/OAuth20JwtAccessTokenEncoder.java
@@ -11,9 +11,6 @@
 import lombok.Getter;
 import lombok.val;
-import java.time.ZoneOffset;
-import java.time.ZonedDateTime;
-
 /**
 * This is {@link OAuth20JwtAccessTokenEncoder}.
 *
@@ -32,7 +29,7 @@ public String encode() {
 val oAuthRegisteredService = OAuthRegisteredService.class.cast(this.registeredService);
 val authentication = accessToken.getAuthentication();
 if (oAuthRegisteredService != null && oAuthRegisteredService.isJwtAccessToken()) {
- val dt = ZonedDateTime.now(ZoneOffset.UTC).plusSeconds(accessToken.getExpirationPolicy().getTimeToLive());
+ val dt = authentication.getAuthenticationDate().plusSeconds(accessToken.getExpirationPolicy().getTimeToLive());
 val builder = JwtBuilder.JwtRequest.builder();
 val request = builder
diff --git a/support/cas-server-support-oauth-core-api/src/main/java/org/apereo/cas/ticket/IdTokenGeneratorService.java b/support/cas-server-support-oauth-core-api/src/main/java/org/apereo/cas/ticket/IdTokenGeneratorService.java
index 36e8f6ce7f44..0934251ddfc4 100644
--- a/support/cas-server-support-oauth-core-api/src/main/java/org/apereo/cas/ticket/IdTokenGeneratorService.java
+++ b/support/cas-server-support-oauth-core-api/src/main/java/org/apereo/cas/ticket/IdTokenGeneratorService.java
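Review bot: Anchoring `dt` on `authentication.getAuthenticationDate()` ties the JWT `exp` to when the user authenticated rather than when this access token was issued; for any grant that reuses an earlier authentication (a refresh-token exchange, or a token minted late in a long SSO session) the result can already be in the past, and in general it no longer coincides with the registry's own expiry for the ticket. A per-token stable timestamp is the right idea for making `encode()` deterministic, so that the string returned to the client is the one the id-token at_hash was computed over, but the anchor should be the ticket's creation time — `val dt = accessToken.getCreationTime().plusSeconds(accessToken.getExpirationPolicy().getTimeToLive());` if `AccessToken` exposes one, otherwise a creation timestamp captured on the ticket. Determinism also requires every other claim `JwtBuilder` sets to be stable across calls (no per-call `jti` or `iat` from `now()`), which this hunk cannot confirm. The `if` block and `encode()` continue past the hunk.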
@@ -18,19 +18,17 @@ public interface IdTokenGeneratorService { /** * Generate string. * - * @param request the request - * @param response the response - * @param accessToken the access token - * @param encodedAccessToken the encoded access token - * @param timeoutInSeconds the timeoutInSeconds - * @param responseType the response type - * @param registeredService the registered service + * @param request the request + * @param response the response + * @param accessToken the access token + * @param timeoutInSeconds the timeoutInSeconds + * @param responseType the response type + * @param registeredService the registered service * @return the string */ String generate(HttpServletRequest request, HttpServletResponse response, AccessToken accessToken, - String encodedAccessToken, long timeoutInSeconds, OAuth20ResponseTypes responseType, OAuthRegisteredService registeredService); diff --git a/support/cas-server-support-oauth-uma-core/src/main/java/org/apereo/cas/uma/ticket/rpt/UmaIdTokenGeneratorService.java b/support/cas-server-support-oauth-uma-core/src/main/java/org/apereo/cas/uma/ticket/rpt/UmaIdTokenGeneratorService.java index 0e4d0424e699..bdf50844cd88 100644 --- a/support/cas-server-support-oauth-uma-core/src/main/java/org/apereo/cas/uma/ticket/rpt/UmaIdTokenGeneratorService.java +++ b/support/cas-server-support-oauth-uma-core/src/main/java/org/apereo/cas/uma/ticket/rpt/UmaIdTokenGeneratorService.java @@ -36,7 +36,6 @@ public UmaIdTokenGeneratorService(final OAuth20ConfigurationContext configuratio public String generate(final HttpServletRequest request, final HttpServletResponse response, final AccessToken accessToken, - final String encodedAccessToken, final long timeoutInSeconds, final OAuth20ResponseTypes responseType, final OAuthRegisteredService registeredService) { 
@@ -44,7 +43,7 @@ public String generate(final HttpServletRequest request, val context = new JEEContext(request, response, getConfigurationContext().getSessionStore()); LOGGER.debug("Attempting to produce claims for the rpt access token [{}]", accessToken); val authenticatedProfile = getAuthenticatedProfile(request, response); - val claims = buildJwtClaims(request, accessToken, encodedAccessToken, timeoutInSeconds, + val claims = buildJwtClaims(request, accessToken, timeoutInSeconds, registeredService, authenticatedProfile, context, responseType); return encodeAndFinalizeToken(claims, registeredService, accessToken); @@ -53,19 +52,17 @@ public String generate(final HttpServletRequest request, /** * Build jwt claims jwt claims. * - * @param request the request - * @param accessToken the access token - * @param encodedAccessToken the encoded acccess token - * @param timeoutInSeconds the timeout in seconds - * @param service the service - * @param profile the profile - * @param context the context - * @param responseType the response type + * @param request the request + * @param accessToken the access token + * @param timeoutInSeconds the timeout in seconds + * @param service the service + * @param profile the profile + * @param context the context + * @param responseType the response type * @return the jwt claims */ protected JwtClaims buildJwtClaims(final HttpServletRequest request, final AccessToken accessToken, - final String encodedAccessToken, final long timeoutInSeconds, final OAuthRegisteredService service, final UserProfile profile, diff --git a/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorService.java b/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorService.java index 976b8994766f..d34960960c73 100644 --- a/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorService.java 
+++ b/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorService.java @@ -8,6 +8,7 @@ import org.apereo.cas.support.oauth.services.OAuthRegisteredService; import org.apereo.cas.support.oauth.web.endpoints.OAuth20ConfigurationContext; import org.apereo.cas.support.oauth.web.response.accesstoken.OAuth20AccessTokenAtHashGenerator; +import org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20JwtAccessTokenEncoder; import org.apereo.cas.ticket.BaseIdTokenGeneratorService; import org.apereo.cas.ticket.TicketGrantingTicket; import org.apereo.cas.ticket.accesstoken.AccessToken; @@ -45,7 +46,6 @@ public OidcIdTokenGeneratorService(final OAuth20ConfigurationContext configurati public String generate(final HttpServletRequest request, final HttpServletResponse response, final AccessToken accessToken, - final String encodedAccessToken, final long timeoutInSeconds, final OAuth20ResponseTypes responseType, final OAuthRegisteredService registeredService) { @@ -58,7 +58,7 @@ public String generate(final HttpServletRequest request, val context = new JEEContext(request, response, getConfigurationContext().getSessionStore()); LOGGER.trace("Attempting to produce claims for the id token [{}]", accessToken); val authenticatedProfile = getAuthenticatedProfile(request, response); - val claims = buildJwtClaims(request, accessToken, encodedAccessToken, timeoutInSeconds, + val claims = buildJwtClaims(request, accessToken, timeoutInSeconds, oidcRegisteredService, authenticatedProfile, context, responseType); return encodeAndFinalizeToken(claims, oidcRegisteredService, accessToken); @@ -70,7 +70,6 @@ public String generate(final HttpServletRequest request, * * @param request the request * @param accessToken the access token - * @param encodedAccessToken the encoded access token * @param timeoutInSeconds the timeoutInSeconds * @param service the service * @param profile the user profile 
@@ -80,7 +79,6 @@ public String generate(final HttpServletRequest request, */ protected JwtClaims buildJwtClaims(final HttpServletRequest request, final AccessToken accessToken, - final String encodedAccessToken, final long timeoutInSeconds, final OidcRegisteredService service, final UserProfile profile, @@ -127,7 +125,7 @@ protected JwtClaims buildJwtClaims(final HttpServletRequest request, if (attributes.containsKey(OAuth20Constants.NONCE)) { claims.setClaim(OAuth20Constants.NONCE, attributes.get(OAuth20Constants.NONCE).get(0)); } - generateAccessTokenHash(encodedAccessToken, service, claims); + generateAccessTokenHash(accessToken, service, claims); LOGGER.trace("Comparing principal attributes [{}] with supported claims [{}]", principal.getAttributes(), oidc.getClaims()); @@ -187,14 +185,22 @@ protected String getJwtId(final TicketGrantingTicket tgt) { /** * Generate access token hash string. * - * @param encodedAccessToken the encoded access token + * @param accessToken the access token * @param registeredService the service * @param claims the claims */ - protected void generateAccessTokenHash(final String encodedAccessToken, + protected void generateAccessTokenHash(final AccessToken accessToken, final OidcRegisteredService registeredService, final JwtClaims claims) { + val encodedAccessToken = OAuth20JwtAccessTokenEncoder.builder() + .accessToken(accessToken) + .registeredService(registeredService) + .service(accessToken.getService()) + .accessTokenJwtBuilder(getConfigurationContext().getAccessTokenJwtBuilder()) + .build() + .encode(); + val alg = getConfigurationContext().getIdTokenSigningAndEncryptionService().getJsonWebKeySigningAlgorithm(registeredService); val hash = OAuth20AccessTokenAtHashGenerator.builder() .accessTokenId(encodedAccessToken) From cc7bde39dc84e7f91bb15557a8c1f29e3a82f754 Mon Sep 17 00:00:00 2001 
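Review bot: `generateAccessTokenHash` now re-encodes the access token itself, using `accessToken.getService()` as the service, while the string actually delivered to the client is produced elsewhere (the response builder in the first patch is outside this hunk); if that path passes a different service or registered service, or the JWT builder ever adds a per-call claim such as `jti`, the two encodings diverge and any relying party that validates `at_hash` will reject the ID token. That invariant is not stated anywhere in the new code, so I would add above the builder: `// Must reproduce exactly the bytes returned to the client: at_hash binds this ID token to that access token, so the encoder has to be deterministic for a given ticket.` This also means every ID token now pays a second encode (and, for JWT access tokens, a second signing) purely to recompute the hash, which is a cost worth noting. The enclosing method continues outside the hunk.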
From: charlievans Date: Thu, 10 Oct 2019 13:49:58 +0200 Subject: [PATCH 06/12] remove unused encodedAccessToken in uma --- .../authz/UmaAuthorizationRequestEndpointController.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/support/cas-server-support-oauth-uma-core/src/main/java/org/apereo/cas/uma/web/controllers/authz/UmaAuthorizationRequestEndpointController.java b/support/cas-server-support-oauth-uma-core/src/main/java/org/apereo/cas/uma/web/controllers/authz/UmaAuthorizationRequestEndpointController.java index 4183fb45399f..c1a62217697d 100644 --- a/support/cas-server-support-oauth-uma-core/src/main/java/org/apereo/cas/uma/web/controllers/authz/UmaAuthorizationRequestEndpointController.java +++ b/support/cas-server-support-oauth-uma-core/src/main/java/org/apereo/cas/uma/web/controllers/authz/UmaAuthorizationRequestEndpointController.java @@ -201,7 +201,7 @@ protected ResponseEntity generateRequestingPartyToken(final HttpServletRequest r request.setAttribute(UmaPermissionTicket.class.getName(), permissionTicket); request.setAttribute(ResourceSet.class.getName(), resourceSet); val idToken = getUmaConfigurationContext().getRequestingPartyTokenGenerator().generate(request, response, - accessToken, encodedAccessToken, timeout, OAuth20ResponseTypes.CODE, registeredService); + accessToken, timeout, OAuth20ResponseTypes.CODE, registeredService); accessToken.setIdToken(idToken); getUmaConfigurationContext().getTicketRegistry().updateTicket(accessToken); From 20d6eacf053c4316735fb5326516d466fb39e05b Mon Sep 17 00:00:00 2001 From: charlievans Date: Thu, 10 Oct 2019 13:50:42 +0200 Subject: [PATCH 07/12] put indentations back --- .../oidc/token/OidcIdTokenGeneratorService.java | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) 
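Review bot: The commit title says `encodedAccessToken` is unused in the UMA controller, but the hunk only drops it from the `generate(...)` call; if the local `encodedAccessToken` in `generateRequestingPartyToken` is still computed above this hunk (the method starts outside it), it should go as well, otherwise a bearer credential is built and kept in scope for no consumer. Worth checking that nothing else in that method still reads it before deleting.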
diff --git a/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorService.java b/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorService.java index d34960960c73..5299366eed59 100644 --- a/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorService.java +++ b/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorService.java @@ -68,13 +68,13 @@ public String generate(final HttpServletRequest request, /** * Produce claims as jwt. * - * @param request the request - * @param accessToken the access token - * @param timeoutInSeconds the timeoutInSeconds - * @param service the service - * @param profile the user profile - * @param context the context - * @param responseType the response type + * @param request the request + * @param accessToken the access token + * @param timeoutInSeconds the timeoutInSeconds + * @param service the service + * @param profile the user profile + * @param context the context + * @param responseType the response type * @return the jwt claims */ protected JwtClaims buildJwtClaims(final HttpServletRequest request, From fd26668a3f45888258d781d1249d68eb40e4ceb5 Mon Sep 17 00:00:00 2001 From: charlievans Date: Thu, 10 Oct 2019 13:51:08 +0200 Subject: [PATCH 08/12] put indentations back --- .../apereo/cas/oidc/token/OidcIdTokenGeneratorService.java | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorService.java b/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorService.java index 5299366eed59..b089799222b7 100644 --- a/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorService.java 
+++ b/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorService.java @@ -185,9 +185,9 @@ protected String getJwtId(final TicketGrantingTicket tgt) { /** * Generate access token hash string. * - * @param accessToken the access token - * @param registeredService the service - * @param claims the claims + * @param accessToken the access token + * @param registeredService the service + * @param claims the claims */ protected void generateAccessTokenHash(final AccessToken accessToken, final OidcRegisteredService registeredService, From 0f295f69a4a1240ae9bb4f183ada222e5e2a84b3 Mon Sep 17 00:00:00 2001 From: charlievans Date: Thu, 10 Oct 2019 13:52:00 +0200 Subject: [PATCH 09/12] put indentations back --- .../cas/oidc/token/OidcIdTokenGeneratorService.java | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorService.java b/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorService.java index b089799222b7..9b439273b827 100644 --- a/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorService.java +++ b/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorService.java 
@@ -194,12 +194,12 @@ protected void generateAccessTokenHash(final AccessToken accessToken, final JwtClaims claims) { val encodedAccessToken = OAuth20JwtAccessTokenEncoder.builder() - .accessToken(accessToken) - .registeredService(registeredService) - .service(accessToken.getService()) - .accessTokenJwtBuilder(getConfigurationContext().getAccessTokenJwtBuilder()) - .build() - .encode(); + .accessToken(accessToken) + .registeredService(registeredService) + .service(accessToken.getService()) + .accessTokenJwtBuilder(getConfigurationContext().getAccessTokenJwtBuilder()) + .build() + .encode(); val alg = getConfigurationContext().getIdTokenSigningAndEncryptionService().getJsonWebKeySigningAlgorithm(registeredService); val hash = OAuth20AccessTokenAtHashGenerator.builder() From 38e6710b9607e70060184706a135657bf15d1d4c Mon Sep 17 00:00:00 2001 From: charlievans Date: Thu, 10 Oct 2019 13:52:39 +0200 Subject: [PATCH 10/12] remove space --- .../org/apereo/cas/oidc/token/OidcIdTokenGeneratorService.java | 1 - 1 file changed, 1 deletion(-) diff --git a/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorService.java b/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorService.java index 9b439273b827..60bc08d6ccfa 100644 --- a/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorService.java +++ b/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorService.java @@ -192,7 +192,6 @@ protected String getJwtId(final TicketGrantingTicket tgt) { protected void generateAccessTokenHash(final AccessToken accessToken, final OidcRegisteredService registeredService, final JwtClaims claims) { - val encodedAccessToken = OAuth20JwtAccessTokenEncoder.builder() .accessToken(accessToken) .registeredService(registeredService) From 053d3c78fe2177e70f9a872719d25ed4f3a53d18 Mon Sep 17 00:00:00 2001 
From: charlievans Date: Fri, 11 Oct 2019 10:50:51 +0200 Subject: [PATCH 11/12] remove - from build.sh --- ci/build.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/build.sh b/ci/build.sh index 521c0676d91b..2cc7df45f796 100755 --- a/ci/build.sh +++ b/ci/build.sh @@ -20,7 +20,7 @@ fi gradle="./gradlew $@" gradleBuild="" -gradleBuildOptions="--build-cache --configure-on-demand --no-daemon - " +gradleBuildOptions="--build-cache --configure-on-demand --no-daemon " echo -e "***********************************************" echo -e "Gradle build started at `date`" From 2b5451db3afaf9625d767e08c0c0bb91bdf614f4 Mon Sep 17 00:00:00 2001 From: charlievans Date: Mon, 14 Oct 2019 11:15:34 +0200 Subject: [PATCH 12/12] fix test --- .../OAuth20AccessTokenAtHashGenerator.java | 4 ++-- .../cas/oidc/token/OidcIdTokenGeneratorService.java | 2 +- .../java/org/apereo/cas/oidc/AbstractOidcTests.java | 5 +++++ .../oidc/token/OidcIdTokenGeneratorServiceTests.java | 11 +++++++++-- 4 files changed, 17 insertions(+), 5 deletions(-) diff --git a/support/cas-server-support-oauth-core-api/src/main/java/org/apereo/cas/support/oauth/web/response/accesstoken/OAuth20AccessTokenAtHashGenerator.java b/support/cas-server-support-oauth-core-api/src/main/java/org/apereo/cas/support/oauth/web/response/accesstoken/OAuth20AccessTokenAtHashGenerator.java index aaf2ed0d9e5e..5af7e8b017d3 100644 --- a/support/cas-server-support-oauth-core-api/src/main/java/org/apereo/cas/support/oauth/web/response/accesstoken/OAuth20AccessTokenAtHashGenerator.java +++ b/support/cas-server-support-oauth-core-api/src/main/java/org/apereo/cas/support/oauth/web/response/accesstoken/OAuth20AccessTokenAtHashGenerator.java @@ -24,7 +24,7 @@ @Getter @Slf4j public class OAuth20AccessTokenAtHashGenerator { - private final String accessTokenId; + private final String encodedAccessToken; private final String algorithm; private final RegisteredService registeredService; 
@@ -35,7 +35,7 @@ public class OAuth20AccessTokenAtHashGenerator { */ public String generate() { val alg = determineSigningHashAlgorithm(); - val tokenBytes = accessTokenId.getBytes(StandardCharsets.UTF_8); + val tokenBytes = encodedAccessToken.getBytes(StandardCharsets.UTF_8); if (AlgorithmIdentifiers.NONE.equalsIgnoreCase(alg)) { LOGGER.debug("Signing algorithm specified by service [{}] is unspecified", registeredService.getServiceId()); return EncodingUtils.encodeUrlSafeBase64(tokenBytes); diff --git a/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorService.java b/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorService.java index 60bc08d6ccfa..49e7e07a9f34 100644 --- a/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorService.java +++ b/support/cas-server-support-oidc-core-api/src/main/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorService.java @@ -202,7 +202,7 @@ protected void generateAccessTokenHash(final AccessToken accessToken, val alg = getConfigurationContext().getIdTokenSigningAndEncryptionService().getJsonWebKeySigningAlgorithm(registeredService); val hash = OAuth20AccessTokenAtHashGenerator.builder() - .accessTokenId(encodedAccessToken) + .encodedAccessToken(encodedAccessToken) .algorithm(alg) .registeredService(registeredService) .build() diff --git a/support/cas-server-support-oidc/src/test/java/org/apereo/cas/oidc/AbstractOidcTests.java b/support/cas-server-support-oidc/src/test/java/org/apereo/cas/oidc/AbstractOidcTests.java index 8937e9b677c4..d8a3be9af6c0 100644 --- a/support/cas-server-support-oidc/src/test/java/org/apereo/cas/oidc/AbstractOidcTests.java +++ b/support/cas-server-support-oidc/src/test/java/org/apereo/cas/oidc/AbstractOidcTests.java 
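Review bot: After the rename, `generate()` feeds the fully encoded access token into the context branch `if (AlgorithmIdentifiers.NONE.equalsIgnoreCase(alg))`, which returns `encodeUrlSafeBase64(tokenBytes)`, so with an unsigned ID token the `at_hash` claim becomes the entire bearer token, reversibly encoded, rather than a hash of it. ID tokens are shared with, and routinely logged by, parties that should never hold the access token, so this branch should not emit a plain encoding; returning `null` here and having the caller in `OidcIdTokenGeneratorService` skip the claim when no hash is produced would be the safer shape. This branch predates the commit, but the new input makes the exposed value the whole JWT, so it is worth fixing alongside.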
@@ -54,6 +54,7 @@ import org.apereo.cas.ticket.expiration.NeverExpiresExpirationPolicy; import org.apereo.cas.ticket.refreshtoken.RefreshToken; import org.apereo.cas.ticket.registry.TicketRegistry; +import org.apereo.cas.token.JwtBuilder; import org.apereo.cas.util.CollectionUtils; import org.apereo.cas.util.RandomUtils; import org.apereo.cas.web.config.CasCookieConfiguration; @@ -215,6 +216,10 @@ public abstract class AbstractOidcTests { @Qualifier("oidcIdTokenGenerator") protected IdTokenGeneratorService oidcIdTokenGenerator; + @Autowired + @Qualifier("accessTokenJwtBuilder") + protected JwtBuilder accessTokenJwtBuilder; + protected static OidcRegisteredService getOidcRegisteredService() { return getOidcRegisteredService(true, true); } diff --git a/support/cas-server-support-oidc/src/test/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorServiceTests.java b/support/cas-server-support-oidc/src/test/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorServiceTests.java index 5484387ab3a6..42de150d4740 100644 --- a/support/cas-server-support-oidc/src/test/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorServiceTests.java +++ b/support/cas-server-support-oidc/src/test/java/org/apereo/cas/oidc/token/OidcIdTokenGeneratorServiceTests.java @@ -9,6 +9,7 @@ import org.apereo.cas.support.oauth.OAuth20ResponseTypes; import org.apereo.cas.support.oauth.util.OAuth20Utils; import org.apereo.cas.support.oauth.web.response.accesstoken.OAuth20AccessTokenAtHashGenerator; +import org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20JwtAccessTokenEncoder; import org.apereo.cas.ticket.TicketGrantingTicket; import org.apereo.cas.ticket.accesstoken.AccessToken; import org.apereo.cas.util.CollectionUtils; 
@@ -164,9 +165,15 @@ public void verifyAccessTokenAsJwt() throws Exception { assertNotNull(claims); assertTrue(claims.hasClaim(OidcConstants.CLAIM_AT_HASH)); val hash = claims.getClaimValue(OidcConstants.CLAIM_AT_HASH, String.class); - val at = claims.getClaimValue(OAuth20Constants.ACCESS_TOKEN, String.class); + val encodedAccessToken = OAuth20JwtAccessTokenEncoder.builder() + .accessToken(accessToken) + .registeredService(registeredService) + .service(accessToken.getService()) + .accessTokenJwtBuilder(accessTokenJwtBuilder) + .build() + .encode(); val newHash = OAuth20AccessTokenAtHashGenerator.builder() - .accessTokenId(at) + .encodedAccessToken(encodedAccessToken) .registeredService(registeredService) .algorithm(registeredService.getIdTokenSigningAlg()) .build()
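Review bot: The test now recomputes `at_hash` by running the same `OAuth20JwtAccessTokenEncoder` pipeline as the production code, so it proves only that the encoder is repeatable, not that `at_hash` binds the access token string actually returned to the client, which is what the removed `OAuth20Constants.ACCESS_TOKEN` claim lookup used to compare against. I would keep an assertion against the token value the response path emits, and, since the motivating bug was time-dependence, add an explicit check that encoding the same ticket twice yields equal strings. `verifyAccessTokenAsJwt` continues outside the hunk, so the final comparison of `hash` and `newHash` is not visible here.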