Added amr claim to OIDC tokens.

[#120392373] https://www.pivotaltracker.com/story/show/120392373

Signed-off-by: Jeremy Coffield <jcoffield@pivotal.io>

model/src/main/java/org/cloudfoundry/identity/uaa/oauth/token/ClaimConstants.java

@@ -50,4 +50,5 @@ public class ClaimConstants {
     public static final String USER_ATTRIBUTES = "user_attributes";
     public static final String REVOCABLE = "revocable";
     public static final String EXTERNAL_ATTR = "ext_attr";
+    public static final String AMR = "amr";
 }

model/src/main/java/org/cloudfoundry/identity/uaa/provider/ExternalIdentityProviderDefinition.java

@@ -27,7 +27,7 @@ public class ExternalIdentityProviderDefinition extends AbstractIdentityProvider
     public static final String FAMILY_NAME_ATTRIBUTE_NAME = "family_name"; //can be a string
     public static final String PHONE_NUMBER_ATTRIBUTE_NAME = "phone_number"; //can be a string
     public static final String USER_ATTRIBUTE_PREFIX = "user.attribute.";
-    public static final String USER_NAME_ATTRIBUTE_PREFIX = "user_name";
+    public static final String USER_NAME_ATTRIBUTE_NAME = "user_name";
 
     public static final String EXTERNAL_GROUPS_WHITELIST = "externalGroupsWhitelist";
     public static final String ATTRIBUTE_MAPPINGS = "attributeMappings";

server/src/main/java/org/cloudfoundry/identity/uaa/authentication/UaaAuthentication.java

@@ -46,6 +46,7 @@ public class UaaAuthentication implements Authentication, Serializable {
     private long expiresAt = -1l;
     private Set<String> externalGroups;
     private Map<String, List<String>> userAttributes;
+    private Set<String> authenticationMethods;
 
     //This is used when UAA acts as a SAML IdP
     @JsonIgnore
@@ -211,4 +212,11 @@ public void setSamlMessageContext(SAMLMessageContext samlMessageContext) {
         this.samlMessageContext = samlMessageContext;
     }
 
+    public Set<String> getAuthenticationMethods() {
+        return authenticationMethods;
+    }
+
+    public void setAuthenticationMethods(Set<String> authenticationMethods) {
+        this.authenticationMethods = authenticationMethods;
+    }
 }

server/src/main/java/org/cloudfoundry/identity/uaa/authentication/manager/AuthzAuthenticationManager.java

@@ -46,6 +46,7 @@
 import org.springframework.security.crypto.password.PasswordEncoder;
 
 import java.util.Calendar;
+import java.util.Collections;
 import java.util.Locale;
 
 /**
@@ -123,11 +124,13 @@ public Authentication authenticate(Authentication req) throws AuthenticationExce
                     }
                 }
 
-                Authentication success = new UaaAuthentication(
+                UaaAuthentication success = new UaaAuthentication(
                         new UaaPrincipal(user),
                         user.getAuthorities(),
                         (UaaAuthenticationDetails) req.getDetails());
 
+                success.setAuthenticationMethods(Collections.singleton("pwd"));
+
                 publish(new UserAuthenticationSuccessEvent(user, success));
 
                 return success;

server/src/main/java/org/cloudfoundry/identity/uaa/authentication/manager/ExternalLoginAuthenticationManager.java

@@ -51,8 +51,9 @@
 import java.util.HashSet;
 import java.util.LinkedList;
 import java.util.List;
+import java.util.Set;
 
-public class ExternalLoginAuthenticationManager implements AuthenticationManager, ApplicationEventPublisherAware, BeanNameAware {
+public class ExternalLoginAuthenticationManager<ExternalAuthenticationDetails> implements AuthenticationManager, ApplicationEventPublisherAware, BeanNameAware {
 
     protected final Log logger = LogFactory.getLog(getClass());
 
@@ -90,7 +91,8 @@ public UaaUserDatabase getUserDatabase() {
 
     @Override
     public Authentication authenticate(Authentication request) throws AuthenticationException {
-        UaaUser userFromRequest = getUser(request);
+        ExternalAuthenticationDetails authenticationData = getExternalAuthenticationDetails(request);
+        UaaUser userFromRequest = getUser(request, authenticationData);
         if (userFromRequest == null) {
             return null;
         }
@@ -119,20 +121,31 @@ public Authentication authenticate(Authentication request) throws Authentication
         //user is authenticated and exists in UAA
         UaaUser user = userAuthenticated(request, userFromRequest, userFromDb);
 
-        UaaAuthenticationDetails uaaAuthenticationDetails = null;
+        UaaAuthenticationDetails uaaAuthenticationDetails;
         if (request.getDetails() instanceof UaaAuthenticationDetails) {
             uaaAuthenticationDetails = (UaaAuthenticationDetails) request.getDetails();
         } else {
             uaaAuthenticationDetails = UaaAuthenticationDetails.UNKNOWN;
         }
         UaaAuthentication success = new UaaAuthentication(new UaaPrincipal(user), user.getAuthorities(), uaaAuthenticationDetails);
+        populateAuthenticationAttributes(success, request, authenticationData);
+        publish(new UserAuthenticationSuccessEvent(user, success));
+        return success;
+    }
+
+    protected void populateAuthenticationAttributes(UaaAuthentication authentication, Authentication request, ExternalAuthenticationDetails authenticationData) {
         if (request.getPrincipal() instanceof UserDetails) {
             UserDetails userDetails = (UserDetails) request.getPrincipal();
-            success.setUserAttributes(getUserAttributes(userDetails));
-            success.setExternalGroups(new HashSet<>(getExternalUserAuthorities(userDetails)));
+            authentication.setUserAttributes(getUserAttributes(userDetails));
+            authentication.setExternalGroups(new HashSet<>(getExternalUserAuthorities(userDetails)));
         }
-        publish(new UserAuthenticationSuccessEvent(user, success));
-        return success;
+        Set<String> amr = new HashSet<>();
+        amr.add("ext");
+        authentication.setAuthenticationMethods(amr);
+    }
+
+    protected ExternalAuthenticationDetails getExternalAuthenticationDetails(Authentication authentication) {
+        return null;
     }
 
     protected boolean isAddNewShadowUser() {
@@ -157,7 +170,7 @@ protected UaaUser userAuthenticated(Authentication request, UaaUser userFromRequ
         return userFromDb;
     }
 
-    protected UaaUser getUser(Authentication request) {
+    protected UaaUser getUser(Authentication request, ExternalAuthenticationDetails authDetails) {
         UserDetails userDetails;
         if (request.getPrincipal() instanceof UserDetails) {
             userDetails = (UserDetails) request.getPrincipal();

server/src/main/java/org/cloudfoundry/identity/uaa/authentication/manager/LdapLoginAuthenticationManager.java

@@ -15,6 +15,8 @@
 
 package org.cloudfoundry.identity.uaa.authentication.manager;
 
+import org.apache.commons.lang.StringUtils;
+import org.cloudfoundry.identity.uaa.authentication.UaaAuthentication;
 import org.cloudfoundry.identity.uaa.provider.ldap.ExtendedLdapUserDetails;
 import org.cloudfoundry.identity.uaa.provider.LdapIdentityProviderDefinition;
 import org.cloudfoundry.identity.uaa.provider.ldap.extension.LdapAuthority;
@@ -47,6 +49,12 @@ public void setProvisioning(IdentityProviderProvisioning provisioning) {
         this.provisioning = provisioning;
     }
 
+    @Override
+    protected void populateAuthenticationAttributes(UaaAuthentication authentication, Authentication request, Object authenticationData) {
+        super.populateAuthenticationAttributes(authentication, request, authenticationData);
+        authentication.getAuthenticationMethods().add("pwd");
+    }
+
     @Override
     protected MultiValueMap<String, String> getUserAttributes(UserDetails request) {
         MultiValueMap<String, String> result = super.getUserAttributes(request);

server/src/main/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServices.java

@@ -92,6 +92,7 @@
 import java.util.UUID;
 
 import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.ADDITIONAL_AZ_ATTR;
+import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.AMR;
 import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.AUD;
 import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.AUTHORITIES;
 import static org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants.AUTH_TIME;
@@ -324,7 +325,7 @@ public OAuth2AccessToken refreshAccessToken(String refreshTokenValue, TokenReque
                 false,
                 null,  //TODO populate response types
                 null,
-                revocable);
+                revocable, null);
 
         DefaultExpiringOAuth2RefreshToken expiringRefreshToken = new DefaultExpiringOAuth2RefreshToken(refreshTokenValue, new Date(refreshTokenExpireDate));
         return persistRevocableToken(accessTokenId, refreshTokenId, accessToken, expiringRefreshToken, clientId, user.getId(), opaque, revocable);
@@ -395,7 +396,7 @@ private CompositeAccessToken createAccessToken(String tokenId,
                                                    boolean forceIdTokenCreation,
                                                    Set<String> externalGroupsForIdToken,
                                                    Map<String, List<String>> userAttributesForIdToken,
-                                                   boolean revocable) throws AuthenticationException {
+                                                   boolean revocable, Set<String> authenticationMethods) throws AuthenticationException {
         CompositeAccessToken accessToken = new CompositeAccessToken(tokenId);
         accessToken.setExpiration(new Date(System.currentTimeMillis() + (validitySeconds * 1000L)));
         accessToken.setRefreshToken(refreshToken == null ? null : new DefaultOAuth2RefreshToken(refreshToken));
@@ -443,7 +444,7 @@ private CompositeAccessToken createAccessToken(String tokenId,
         String token = JwtHelper.encode(content, KeyInfo.getActiveKey().getSigner()).getEncoded();
         // This setter copies the value and returns. Don't change.
         accessToken.setValue(token);
-        populateIdToken(accessToken, jwtAccessToken, requestedScopes, responseTypes, clientId, forceIdTokenCreation, externalGroupsForIdToken, user, userAttributesForIdToken);
+        populateIdToken(accessToken, jwtAccessToken, requestedScopes, responseTypes, clientId, forceIdTokenCreation, externalGroupsForIdToken, user, userAttributesForIdToken, authenticationMethods);
         publish(new TokenIssuedEvent(accessToken, SecurityContextHolder.getContext().getAuthentication()));
 
         return accessToken;
@@ -457,7 +458,7 @@ private void populateIdToken(CompositeAccessToken token,
                                  boolean forceIdTokenCreation,
                                  Set<String> externalGroupsForIdToken,
                                  UaaUser user,
-                                 Map<String,List<String>> userAttributesForIdToken) {
+                                 Map<String, List<String>> userAttributesForIdToken, Set<String> authenticationMethods) {
         if (forceIdTokenCreation || (scopes.contains("openid") && responseTypes.contains(CompositeAccessToken.ID_TOKEN))) {
             try {
                 Map<String, Object> clone = new HashMap<>(accessTokenValues);
@@ -468,6 +469,9 @@ private void populateIdToken(CompositeAccessToken token,
                         idTokenScopes.add(sc);
                     }
                 }
+                if (authenticationMethods != null) {
+                    clone.put(AMR, authenticationMethods);
+                }
                 clone.put(SCOPE, idTokenScopes);
                 clone.put(AUD, new HashSet(Arrays.asList(aud)));
 
@@ -582,6 +586,7 @@ public OAuth2AccessToken createAccessToken(OAuth2Authentication authentication)
         UaaUser user = null;
         boolean wasIdTokenRequestedThroughAuthCodeScopeParameter = false;
         Collection<GrantedAuthority> clientScopes = null;
+        Set<String> authenticationMethods = null;
         // Clients should really by different kinds of users
         if (authentication.isClientOnly()) {
             ClientDetails client = clientDetailsService.loadClientByClientId(authentication.getName());
@@ -591,6 +596,7 @@ public OAuth2AccessToken createAccessToken(OAuth2Authentication authentication)
             user = userDatabase.retrieveUserById(userId);
             if (authentication.getUserAuthentication() instanceof UaaAuthentication) {
                 userAuthenticationTime = new Date(((UaaAuthentication)authentication.getUserAuthentication()).getAuthenticatedTime());
+                authenticationMethods = ((UaaAuthentication) authentication.getUserAuthentication()).getAuthenticationMethods();
             }
         }
 
@@ -670,7 +676,8 @@ public OAuth2AccessToken createAccessToken(OAuth2Authentication authentication)
                 wasIdTokenRequestedThroughAuthCodeScopeParameter,
                 externalGroupsForIdToken,
                 userAttributesForIdToken,
-                revocable);
+                revocable,
+                authenticationMethods);
 
         return persistRevocableToken(tokenId, refreshTokenId, accessToken, refreshToken, clientId, userId, opaque, revocable);
     }

server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/XOAuthAuthenticationManager.java

@@ -15,6 +15,7 @@
 
 import com.fasterxml.jackson.core.type.TypeReference;
 import org.apache.commons.codec.binary.Base64;
+import org.cloudfoundry.identity.uaa.authentication.UaaAuthentication;
 import org.cloudfoundry.identity.uaa.authentication.manager.ExternalGroupAuthorizationEvent;
 import org.cloudfoundry.identity.uaa.authentication.manager.ExternalLoginAuthenticationManager;
 import org.cloudfoundry.identity.uaa.authentication.manager.InvitedUserAuthenticatedEvent;
@@ -62,11 +63,11 @@
 
 import static org.cloudfoundry.identity.uaa.oauth.token.CompositeAccessToken.ID_TOKEN;
 import static org.cloudfoundry.identity.uaa.provider.ExternalIdentityProviderDefinition.GROUP_ATTRIBUTE_NAME;
-import static org.cloudfoundry.identity.uaa.provider.ExternalIdentityProviderDefinition.USER_NAME_ATTRIBUTE_PREFIX;
+import static org.cloudfoundry.identity.uaa.provider.ExternalIdentityProviderDefinition.USER_NAME_ATTRIBUTE_NAME;
 import static org.cloudfoundry.identity.uaa.util.TokenValidation.validate;
 import static org.cloudfoundry.identity.uaa.util.UaaHttpRequestUtils.getNoValidatingClientHttpRequestFactory;
 
-public class XOAuthAuthenticationManager extends ExternalLoginAuthenticationManager {
+public class XOAuthAuthenticationManager extends ExternalLoginAuthenticationManager<XOAuthAuthenticationManager.AuthenticationData> {
 
     private RestTemplate restTemplate = new RestTemplate();
     private IdentityProviderProvisioning providerProvisioning;
@@ -76,51 +77,83 @@ public XOAuthAuthenticationManager(IdentityProviderProvisioning providerProvisio
     }
 
     @Override
-    protected UaaUser getUser(Authentication request) {
-        XOAuthCodeToken codeToken = (XOAuthCodeToken) request;
+    protected AuthenticationData getExternalAuthenticationDetails(Authentication authentication) {
+
+        XOAuthCodeToken codeToken = (XOAuthCodeToken) authentication;
         setOrigin(codeToken.getOrigin());
         IdentityProvider provider = providerProvisioning.retrieveByOrigin(getOrigin(), IdentityZoneHolder.get().getId());
 
         if (provider != null && provider.getConfig() instanceof AbstractXOAuthIdentityProviderDefinition) {
+            AuthenticationData authenticationData = new AuthenticationData();
+
             AbstractXOAuthIdentityProviderDefinition config = (AbstractXOAuthIdentityProviderDefinition) provider.getConfig();
             Map<String, Object> claims = getClaimsFromToken(codeToken, config);
+
             if (claims == null) {
                 return null;
             }
+            authenticationData.setClaims(claims);
 
             Map<String, Object> attributeMappings = config.getAttributeMappings();
 
-            String email = (String) claims.get("email");
-
+            String userNameAttributePrefix = (String) attributeMappings.get(USER_NAME_ATTRIBUTE_NAME);
             String username;
-            String userNameAttributePrefix = (String) attributeMappings.get(USER_NAME_ATTRIBUTE_PREFIX);
             if (StringUtils.hasText(userNameAttributePrefix)) {
                 username = (String) claims.get(userNameAttributePrefix);
             } else {
                 username = (String) claims.get("preferred_username");
             }
 
+            authenticationData.setUsername(username);
+
+            authenticationData.setAuthorities(extractXOAuthUserAuthorities(attributeMappings, claims));
+
+            return authenticationData;
+        }
+
+        return null;
+    }
+
+    @Override
+    protected void populateAuthenticationAttributes(UaaAuthentication authentication, Authentication request, AuthenticationData authenticationData) {
+        super.populateAuthenticationAttributes(authentication, request, authenticationData);
+
+        Map<String, Object> claims = authenticationData.getClaims();
+        if (claims != null) {
+            if(claims.get("amr") != null) {
+                authentication.getAuthenticationMethods().addAll((Collection<String>) claims.get("amr"));
+            }
+        }
+    }
+
+    @Override
+    protected UaaUser getUser(Authentication request, AuthenticationData authenticationData) {
+        if (authenticationData != null) {
+
+            Map<String, Object> claims = authenticationData.getClaims();
+            String username = authenticationData.getUsername();
+            String email = (String) claims.get("email");
             if (email == null) {
                 email = generateEmailIfNull(username);
             }
 
             return new UaaUser(
-                new UaaUserPrototype()
-                    .withEmail(email)
-                    .withGivenName((String) claims.get("given_name"))
-                    .withFamilyName((String) claims.get("family_name"))
-                    .withPhoneNumber((String) claims.get("phone_number"))
-                    .withModified(new Date())
-                    .withUsername(username)
-                    .withPassword("")
-                    .withAuthorities(extractXOAuthUserAuthorities(attributeMappings, claims))
-                    .withCreated(new Date())
-                    .withOrigin(getOrigin())
-                    .withExternalId(null)
-                    .withVerified(true)
-                    .withZoneId(IdentityZoneHolder.get().getId())
-                    .withSalt(null)
-                    .withPasswordLastModified(null));
+              new UaaUserPrototype()
+                .withEmail(email)
+                .withGivenName((String) claims.get("given_name"))
+                .withFamilyName((String) claims.get("family_name"))
+                .withPhoneNumber((String) claims.get("phone_number"))
+                .withModified(new Date())
+                .withUsername(username)
+                .withPassword("")
+                .withAuthorities(authenticationData.getAuthorities())
+                .withCreated(new Date())
+                .withOrigin(getOrigin())
+                .withExternalId(null)
+                .withVerified(true)
+                .withZoneId(IdentityZoneHolder.get().getId())
+                .withSalt(null)
+                .withPasswordLastModified(null));
         }
         return null;
     }
@@ -286,4 +319,36 @@ private String getClientAuthHeader(AbstractXOAuthIdentityProviderDefinition conf
         String clientAuth = new String(Base64.encodeBase64((config.getRelyingPartyId() + ":" + config.getRelyingPartySecret()).getBytes()));
         return "Basic " + clientAuth;
     }
+
+    protected static class AuthenticationData {
+
+        private Map<String, Object> claims;
+        private String username;
+        private List<? extends GrantedAuthority> authorities;
+
+        public void setClaims(Map<String,Object> claims) {
+            this.claims = claims;
+        }
+
+        public Map<String, Object> getClaims() {
+            return claims;
+        }
+
+        public void setUsername(String username) {
+            this.username = username;
+        }
+
+        public String getUsername() {
+            return username;
+        }
+
+
+        public List<? extends GrantedAuthority> getAuthorities() {
+            return authorities;
+        }
+
+        public void setAuthorities(List<? extends GrantedAuthority> authorities) {
+            this.authorities = authorities;
+        }
+    }
 }