
Introduce TokenValidation class for fluent validation of JWT tokens
[#116470151] https://www.pivotaltracker.com/story/show/116470151

Signed-off-by: Madhura Bhave <mbhave@pivotal.io>
Jeremy Coffield authored and pivotal committed Apr 5, 2016
1 parent 56d374b commit 297e398
Showing 7 changed files with 667 additions and 65 deletions.
Expand Up @@ -83,7 +83,6 @@
import java.util.HashSet; import java.util.HashSet;
import java.util.LinkedHashMap; import java.util.LinkedHashMap;
import java.util.LinkedHashSet; import java.util.LinkedHashSet;
import java.util.LinkedList;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.Set; import java.util.Set;
Expand All @@ -110,8 +109,6 @@ public class UaaTokenServices implements AuthorizationServerTokenServices, Resou


private String issuer = null; private String issuer = null;


private String tokenEndpoint = null;

private Set<String> defaultUserAuthorities = new HashSet<String>(); private Set<String> defaultUserAuthorities = new HashSet<String>();


private ApprovalStore approvalStore = null; private ApprovalStore approvalStore = null;
Expand Down Expand Up @@ -223,7 +220,7 @@ public OAuth2AccessToken refreshAccessToken(String refreshTokenValue, TokenReque


String revocableHashSignature = (String)claims.get(REVOCATION_SIGNATURE); String revocableHashSignature = (String)claims.get(REVOCATION_SIGNATURE);
if (StringUtils.hasText(revocableHashSignature)) { if (StringUtils.hasText(revocableHashSignature)) {
String newRevocableHashSignature = getRevocableTokenSignature(client, user); String newRevocableHashSignature = UaaTokenUtils.getRevocableTokenSignature(client, user);
if (!revocableHashSignature.equals(newRevocableHashSignature)) { if (!revocableHashSignature.equals(newRevocableHashSignature)) {
throw new TokenRevokedException(refreshTokenValue); throw new TokenRevokedException(refreshTokenValue);
} }
Expand Down Expand Up @@ -522,7 +519,7 @@ public OAuth2AccessToken createAccessToken(OAuth2Authentication authentication)
} }


ClientDetails client = clientDetailsService.loadClientByClientId(authentication.getOAuth2Request().getClientId()); ClientDetails client = clientDetailsService.loadClientByClientId(authentication.getOAuth2Request().getClientId());
String revocableHashSignature = getRevocableTokenSignature(client, user); String revocableHashSignature = UaaTokenUtils.getRevocableTokenSignature(client, user);


OAuth2RefreshToken refreshToken = createRefreshToken(authentication, revocableHashSignature); OAuth2RefreshToken refreshToken = createRefreshToken(authentication, revocableHashSignature);


Expand Down Expand Up @@ -672,26 +669,6 @@ private ExpiringOAuth2RefreshToken createRefreshToken(OAuth2Authentication authe
return refreshToken; return refreshToken;
} }


protected String getRevocableTokenSignature(ClientDetails client, UaaUser user) {
String[] salts = new String[] {
client.getClientId(),
client.getClientSecret(),
(String)client.getAdditionalInformation().get(ClientConstants.TOKEN_SALT),
user == null ? null : user.getId(),
user == null ? null : user.getPassword(),
user == null ? null : user.getSalt(),
user == null ? null : user.getEmail(),
user == null ? null : user.getUsername(),
};
List<String> saltlist = new LinkedList<>();
for (String s : salts) {
if (s!=null) {
saltlist.add(s);
}
}
return UaaTokenUtils.getRevocationHash(saltlist);
}

protected String getUserId(OAuth2Authentication authentication) { protected String getUserId(OAuth2Authentication authentication) {
return Origin.getUserId(authentication.getUserAuthentication()); return Origin.getUserId(authentication.getUserAuthentication());
} }
Expand Down Expand Up @@ -981,7 +958,7 @@ private Set<String> getAutoApprovedScopes(Object grantType, Collection<String> t
} }


// retain only the requested scopes // retain only the requested scopes
return UaaTokenUtils.instance().retainAutoApprovedScopes(tokenScopes, autoApprovedScopes); return UaaTokenUtils.retainAutoApprovedScopes(tokenScopes, autoApprovedScopes);
} }


private Map<String, Object> getClaimsForToken(String token) { private Map<String, Object> getClaimsForToken(String token) {
Expand Down Expand Up @@ -1039,7 +1016,7 @@ private Map<String, Object> getClaimsForToken(String token) {
user = userDatabase.retrieveUserById(userId); user = userDatabase.retrieveUserById(userId);
} catch (UsernameNotFoundException x) { } catch (UsernameNotFoundException x) {
} }
if (signature != null && !signature.equals(getRevocableTokenSignature(client, user))) { if (signature != null && !signature.equals(UaaTokenUtils.getRevocableTokenSignature(client, user))) {
throw new TokenRevokedException(token); throw new TokenRevokedException(token);
} }
} }
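Review bot: The revocation signature embedded in already-issued tokens must still be reproducible after the helper moves, and the new `UaaTokenUtils.getRevocableTokenSignature` body is not on this page; the comparisons `if (!revocableHashSignature.equals(newRevocableHashSignature))` and `signature.equals(UaaTokenUtils.getRevocableTokenSignature(client, user))` will throw `TokenRevokedException` for every outstanding token if the static version orders the salts differently or stops dropping null entries the way the removed `getRevocableTokenSignature` did, so a test pinning the hash for a fixed client/user against a value recorded before the move is worth adding. Removing the `protected` method also silently drops an override point: a subclass of `UaaTokenServices` that overrode it is no longer consulted, which deserves a mention in the commit message or a deprecated delegating shim if that extension was ever supported. Since both operands are digests compared only for equality, `MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8))` would make the check constant-time at no readability cost. The enclosing methods `refreshAccessToken` and `getClaimsForToken` start and end outside these hunks.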
Expand Up @@ -203,7 +203,7 @@ public boolean isApproved(AuthorizationRequest authorizationRequest, Authenticat
} }


protected Set<String> retainAutoApprovedScopes(Collection<String> requestedScopes, Set<String> autoApprovedScopes) { protected Set<String> retainAutoApprovedScopes(Collection<String> requestedScopes, Set<String> autoApprovedScopes) {
return UaaTokenUtils.instance().retainAutoApprovedScopes(requestedScopes, autoApprovedScopes); return UaaTokenUtils.retainAutoApprovedScopes(requestedScopes, autoApprovedScopes);
} }


protected String getUserId(Authentication authentication) { protected String getUserId(Authentication authentication) {
