Removed OpenID
Change-Id: Ie5f224655cd041ce1d5652d25ccdc9617f6ad764
diff --git a/full/Changes b/full/Changes
index 19a3635..29a7721 100644
--- a/full/Changes
+++ b/full/Changes
@@ -12,6 +12,11 @@
- Updated authorization services using Nimbus (#650)
- Fixed BlockingFilter by replacing javax.annotation.Priority
with jakarta.annotation.Priority (#659, #648)
+- Replaced javax.annotation with jakarta.annotation
+- Enabled legacy support for authorization POST request
+- Changed OAuth2 token request using Nimbus (#650)
+- Removed Apache Oltu API from token requests (#650)
+- Removed OpenID
# version 0.71
diff --git a/full/pom.xml b/full/pom.xml
index c58e24b..148c39e 100644
--- a/full/pom.xml
+++ b/full/pom.xml
@@ -801,14 +801,8 @@
<artifactId>org.apache.oltu.oauth2.client</artifactId>
<version>1.0.2</version>
</dependency>
- <!-- JWT -->
- <dependency>
- <groupId>com.nimbusds</groupId>
- <artifactId>nimbus-jose-jwt</artifactId>
- <version>9.31</version>
- </dependency>
- <!-- OpenId -->
+ <!-- Nimbus -->
<dependency>
<groupId>com.nimbusds</groupId>
<artifactId>oauth2-oidc-sdk</artifactId>
diff --git a/full/src/main/java/de/ids_mannheim/korap/config/Attributes.java b/full/src/main/java/de/ids_mannheim/korap/config/Attributes.java
index a3e2433..e2e4ed5 100644
--- a/full/src/main/java/de/ids_mannheim/korap/config/Attributes.java
+++ b/full/src/main/java/de/ids_mannheim/korap/config/Attributes.java
@@ -2,17 +2,14 @@
public class Attributes {
- // EM: openid auth_time
public static final String AUTHENTICATION_TIME = "auth_time";
public static final String DEFAULT_TIME_ZONE = "Europe/Berlin";
- // -- EM
public static final String AUTHORIZATION = "Authorization";
// moved to de.ids_mannheim.korap.config.AuthenticationScheme
// public static final String SESSION_AUTHENTICATION = "session_token";
// public static final String API_AUTHENTICATION = "api_token";
// public static final String OAUTH2_AUTHORIZATION = "bearer";
-// public static final String OPENID_AUTHENTICATION = "id_token";
// public static final String BASIC_AUTHENTICATION = "basic";
public static final String LOCATION = "location"; // location of Client: User.INTERN/EXTERN
diff --git a/full/src/main/java/de/ids_mannheim/korap/config/FullConfiguration.java b/full/src/main/java/de/ids_mannheim/korap/config/FullConfiguration.java
index a752399..a1ba12f 100644
--- a/full/src/main/java/de/ids_mannheim/korap/config/FullConfiguration.java
+++ b/full/src/main/java/de/ids_mannheim/korap/config/FullConfiguration.java
@@ -1,15 +1,7 @@
package de.ids_mannheim.korap.config;
-import java.io.File;
-import java.io.IOException;
-import java.io.InputStream;
import java.net.MalformedURLException;
-import java.net.URI;
-import java.net.URISyntaxException;
import java.net.URL;
-import java.nio.charset.Charset;
-import java.security.interfaces.RSAPrivateKey;
-import java.text.ParseException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
@@ -21,15 +13,8 @@
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
-import com.nimbusds.jose.JOSEException;
-import com.nimbusds.jose.jwk.JWK;
-import com.nimbusds.jose.jwk.JWKSet;
-import com.nimbusds.jose.jwk.RSAKey;
-import com.nimbusds.jose.util.IOUtils;
-
import de.ids_mannheim.korap.constant.AuthenticationMethod;
import de.ids_mannheim.korap.interfaces.EncryptionIface;
-import de.ids_mannheim.korap.oauth2.openid.OpenIdConfiguration;
import de.ids_mannheim.korap.utils.TimeUtils;
/**
@@ -70,7 +55,6 @@
private AuthenticationMethod OAuth2passwordAuthentication;
private String nativeClientHost;
- private Set<String> defaultAccessScopes;
private Set<String> clientCredentialsScopes;
private int maxAuthenticationAttempts;
@@ -83,12 +67,6 @@
private int maxNumberOfUserQueries;
private URL issuer;
- private URI issuerURI;
- private OpenIdConfiguration openidConfig;
-
- private RSAPrivateKey rsaPrivateKey;
- private JWKSet publicKeySet;
- private String rsaKeyId;
private String namedVCPath;
@@ -117,8 +95,6 @@
setSecurityConfiguration(properties);
setOAuth2Configuration(properties);
- setOpenIdConfiguration(properties);
- setRSAKeys(properties);
setNamedVCPath(properties.getProperty("krill.namedVC", ""));
@@ -133,14 +109,11 @@
properties.getProperty("max.user.persistent.queries", "20")));
}
- private void setSecurityConfiguration (Properties properties) {
+ private void setSecurityConfiguration (Properties properties) throws MalformedURLException {
setSecureHashAlgorithm(Enum.valueOf(EncryptionIface.Encryption.class,
properties.getProperty("security.secure.hash.algorithm",
"BCRYPT")));
- }
-
- private void setOpenIdConfiguration (Properties properties)
- throws URISyntaxException, MalformedURLException {
+
String issuerStr = properties.getProperty("security.jwt.issuer",
"https://korap.ids-mannheim.de");
@@ -148,99 +121,6 @@
issuerStr = "http://" + issuerStr;
}
setIssuer(new URL(issuerStr));
- setIssuerURI(issuer.toURI());
-
- issuerStr = issuerURI.toString();
-
- OpenIdConfiguration openidConfig = new OpenIdConfiguration();
- openidConfig.setIssuer(issuerStr);
- openidConfig.setJwks_uri(issuerStr + OpenIdConfiguration.JWKS_ENDPOINT);
- openidConfig.setRegistration_endpoint(
- issuerStr + OpenIdConfiguration.CLIENT_REGISTRATION_ENDPOINT);
- openidConfig.setAuthorization_endpoint(
- issuerStr + OpenIdConfiguration.AUTHORIZATION_ENDPOINT);
- openidConfig.setToken_endpoint(
- issuerStr + OpenIdConfiguration.TOKEN_ENDPOINT);
-
- String grantTypes = properties.getProperty("openid.grant.types", "");
- openidConfig.setGrant_types_supported(grantTypes.split(" "));
-
- String responseTypes =
- properties.getProperty("openid.response.types", "code");
- openidConfig.setResponse_types_supported(responseTypes.split(" "));
-
- String responseModes =
- properties.getProperty("openid.response.modes", "");
- openidConfig.setResponse_modes_supported(responseModes.split(" "));
-
- String clientAuthMethods =
- properties.getProperty("openid.client.auth.methods", "");
- openidConfig.setToken_endpoint_auth_methods_supported(
- clientAuthMethods.split(" "));
-
- String tokenSigningAlgorithms = properties
- .getProperty("openid.token.signing.algorithms", "RS256");
- openidConfig.setToken_endpoint_auth_signing_alg_values_supported(
- tokenSigningAlgorithms.split(" "));
-
- String subjectTypes =
- properties.getProperty("openid.subject.types", "public");
- openidConfig.setSubject_types_supported(subjectTypes.split(" "));
-
- String displayTypes =
- properties.getProperty("openid.display.types", "");
- openidConfig.setDisplay_values_supported(displayTypes.split(" "));
-
- String supportedScopes =
- properties.getProperty("openid.supported.scopes", "");
- openidConfig.setScopes_supported(supportedScopes.split(" "));
-
- String claimTypes =
- properties.getProperty("openid.claim.types", "normal");
- openidConfig.setClaim_types_supported(claimTypes.split(" "));
-
- String supportedClaims =
- properties.getProperty("openid.supported.claims", "");
- openidConfig.setClaims_supported(supportedClaims.split(" "));
-
- String claimLocales =
- properties.getProperty("openid.supported.claim.locales", "");
- openidConfig.setClaims_locales_supported(claimLocales.split(" "));
-
- String uiLocales = properties.getProperty("openid.ui.locales", "en");
- openidConfig.setUi_locales_supported(uiLocales.split(" "));
-
- boolean supportClaimParam = Boolean.getBoolean(
- properties.getProperty("openid.support.claim.param", "false"));
- openidConfig.setClaims_parameter_supported(supportClaimParam);
-
- openidConfig.setRequest_parameter_supported(false);
- openidConfig.setRequest_uri_parameter_supported(false);
- openidConfig.setRequire_request_uri_registration(false);
- openidConfig.setMutual_tls_sender_constrained_access_tokens(false);
-
- String privacyPolicy =
- properties.getProperty("openid.privacy.policy", "");
- openidConfig.setOp_policy_uri(privacyPolicy);
-
- String termOfService =
- properties.getProperty("openid.term.of.service", "");
- openidConfig.setOp_tos_uri(termOfService);
-
- String serviceDocURL = properties.getProperty("openid.service.doc", "");
- openidConfig.setService_documentation(serviceDocURL);
- this.setOpenidConfig(openidConfig);
- }
-
- private void setRSAKeys (Properties properties)
- throws IOException, ParseException, JOSEException {
- setRsaKeyId(properties.getProperty("rsa.key.id", ""));
-
- String rsaPublic = properties.getProperty("rsa.public", null);
- setPublicKeySet(rsaPublic);
-
- String rsaPrivate = properties.getProperty("rsa.private", null);
- setRsaPrivateKey(rsaPrivate);
}
private void setOAuth2Configuration (Properties properties) {
@@ -255,12 +135,6 @@
setMaxAuthenticationAttempts(Integer
.parseInt(properties.getProperty("oauth2.max.attempts", "1")));
- String scopes = properties.getProperty("oauth2.default.scopes",
- "openid preferred_username");
- Set<String> scopeSet =
- Arrays.stream(scopes.split(" ")).collect(Collectors.toSet());
- setDefaultAccessScopes(scopeSet);
-
String clientScopes = properties
.getProperty("oauth2.client.credentials.scopes", "client_info");
setClientCredentialsScopes(Arrays.stream(clientScopes.split(" "))
@@ -534,14 +408,6 @@
this.maxAuthenticationAttempts = maxAuthenticationAttempts;
}
- public Set<String> getDefaultAccessScopes () {
- return defaultAccessScopes;
- }
-
- public void setDefaultAccessScopes (Set<String> accessScopes) {
- this.defaultAccessScopes = accessScopes;
- }
-
public Set<String> getClientCredentialsScopes () {
return clientCredentialsScopes;
}
@@ -559,78 +425,6 @@
this.issuer = issuer;
}
- public URI getIssuerURI () {
- return issuerURI;
- }
-
- public void setIssuerURI (URI issuerURI) {
- this.issuerURI = issuerURI;
- }
-
- public JWKSet getPublicKeySet () {
- return publicKeySet;
- }
-
- public void setPublicKeySet (String rsaPublic)
- throws IOException, ParseException {
- if (rsaPublic == null || rsaPublic.isEmpty()) {
- return;
- }
-
- File rsaPublicFile = new File(rsaPublic);
- JWKSet jwkSet = null;
- InputStream is = null;
- if (rsaPublicFile.exists()) {
- jwkSet = JWKSet.load(rsaPublicFile);
- }
- else if ((is = getClass().getClassLoader()
- .getResourceAsStream(rsaPublic)) != null) {
- jwkSet = JWKSet.load(is);
- }
- this.publicKeySet = jwkSet;
- }
-
- public RSAPrivateKey getRsaPrivateKey () {
- return rsaPrivateKey;
- }
-
- public void setRsaPrivateKey (String rsaPrivate)
- throws IOException, ParseException, JOSEException {
- if (rsaPrivate == null || rsaPrivate.isEmpty()) {
- return;
- }
- File rsaPrivateFile = new File(rsaPrivate);
- String keyString = null;
- InputStream is = null;
- if (rsaPrivateFile.exists()) {
- keyString = IOUtils.readFileToString(rsaPrivateFile,
- Charset.forName("UTF-8"));
- }
- else if ((is = getClass().getClassLoader()
- .getResourceAsStream(rsaPrivate)) != null) {
- keyString = IOUtils.readInputStreamToString(is,
- Charset.forName("UTF-8"));
- }
- RSAKey rsaKey = (RSAKey) JWK.parse(keyString);
- this.rsaPrivateKey = (RSAPrivateKey) rsaKey.toPrivateKey();
- }
-
- public String getRsaKeyId () {
- return rsaKeyId;
- }
-
- public void setRsaKeyId (String rsaKeyId) {
- this.rsaKeyId = rsaKeyId;
- }
-
- public OpenIdConfiguration getOpenidConfig () {
- return openidConfig;
- }
-
- public void setOpenidConfig (OpenIdConfiguration openidConfig) {
- this.openidConfig = openidConfig;
- }
-
public int getAccessTokenExpiry () {
return accessTokenExpiry;
}
diff --git a/full/src/main/java/de/ids_mannheim/korap/config/Scopes.java b/full/src/main/java/de/ids_mannheim/korap/config/Scopes.java
index 20e5627..161d5f6 100644
--- a/full/src/main/java/de/ids_mannheim/korap/config/Scopes.java
+++ b/full/src/main/java/de/ids_mannheim/korap/config/Scopes.java
@@ -16,7 +16,7 @@
public class Scopes {
public enum Scope {
- openid, profile, email, queries, account, preferences, search
+ profile, email, queries, account, preferences, search
}
@@ -25,8 +25,6 @@
Attributes.ADDRESS, Attributes.PHONE, Attributes.GENDER,
Attributes.COUNTRY };
- private static final String[] OPENID_CONNECT = { Scope.profile.toString() };
-
private static final Enum[] SERVICE_DEFAULTS = { Scope.account,
Scope.preferences, Scope.search, Scope.queries };
diff --git a/full/src/main/java/de/ids_mannheim/korap/constant/OAuth2Scope.java b/full/src/main/java/de/ids_mannheim/korap/constant/OAuth2Scope.java
index 5055972..ee6a09b 100644
--- a/full/src/main/java/de/ids_mannheim/korap/constant/OAuth2Scope.java
+++ b/full/src/main/java/de/ids_mannheim/korap/constant/OAuth2Scope.java
@@ -11,7 +11,6 @@
@Deprecated
ADMIN,
- OPENID,
AUTHORIZE,
LIST_USER_CLIENT,
diff --git a/full/src/main/java/de/ids_mannheim/korap/constant/TokenType.java b/full/src/main/java/de/ids_mannheim/korap/constant/TokenType.java
index 76bac5b..bd4ad76 100644
--- a/full/src/main/java/de/ids_mannheim/korap/constant/TokenType.java
+++ b/full/src/main/java/de/ids_mannheim/korap/constant/TokenType.java
@@ -13,8 +13,6 @@
*/
public enum TokenType {
BASIC, API, SESSION,
- // openid token, e.g. within oauth2 response (json body)
- ID_TOKEN,
// OAuth2 access_token
BEARER,
// OAuth2 client
diff --git a/full/src/main/java/de/ids_mannheim/korap/exceptions/StatusCodes.java b/full/src/main/java/de/ids_mannheim/korap/exceptions/StatusCodes.java
index 8f16809..73f1c62 100644
--- a/full/src/main/java/de/ids_mannheim/korap/exceptions/StatusCodes.java
+++ b/full/src/main/java/de/ids_mannheim/korap/exceptions/StatusCodes.java
@@ -126,7 +126,7 @@
public static final int GROUP_DELETED = 1606;
/**
- * 1800 Oauth2 and OpenID
+ * 1800 Oauth2
*/
public static final int OAUTH2_SYSTEM_ERROR = 1800;
@@ -146,8 +146,6 @@
public static final int UNSUPPORTED_AUTHENTICATION_METHOD = 1812;
public static final int UNSUPPORTED_RESPONSE_TYPE = 1813;
- public static final int ID_TOKEN_CLAIM_ERROR = 1820;
- public static final int ID_TOKEN_SIGNING_FAILED = 1821;
public static final int USER_REAUTHENTICATION_REQUIRED = 1822;
public static final int INVALID_REFRESH_TOKEN_EXPIRY = 1830;
diff --git a/full/src/main/java/de/ids_mannheim/korap/oauth2/openid/OpenIdConfiguration.java b/full/src/main/java/de/ids_mannheim/korap/oauth2/openid/OpenIdConfiguration.java
deleted file mode 100644
index 499b214..0000000
--- a/full/src/main/java/de/ids_mannheim/korap/oauth2/openid/OpenIdConfiguration.java
+++ /dev/null
@@ -1,699 +0,0 @@
-package de.ids_mannheim.korap.oauth2.openid;
-
-import com.fasterxml.jackson.annotation.JsonInclude;
-import com.fasterxml.jackson.annotation.JsonInclude.Include;
-
-/**
- * Defines OpenID configuration.
- *
- * Note: some configuration such as display_values_supported and
- * ui_locales_supported are more relevant to KorAP user interface
- * component Kalamar.
- *
- * @see <a
- * href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata">OpenID
- * Provider Metadata</a>
- * @author margaretha
- *
- */
-@JsonInclude(Include.NON_EMPTY)
-public class OpenIdConfiguration {
-
- public final static String JWKS_ENDPOINT = "/oauth2/openid/jwks";
- public static final String CLIENT_REGISTRATION_ENDPOINT =
- "/oauth2/client/register";
- public static final String AUTHORIZATION_ENDPOINT =
- "/oauth2/openid/authorize";
- public static final String TOKEN_ENDPOINT = "/oauth2/openid/token";
-
- private String issuer;
- private String jwks_uri;
-
- private String authorization_endpoint;
- private String token_endpoint;
- private String userinfo_endpoint;
- private String registration_endpoint;
-
- // Additional endpoints
- private String introspection_endpoint;
- private String revocation_endpoint;
- private String end_session_endpoint;
-
- private String[] scopes_supported;
- private String[] response_types_supported;
- private String[] response_modes_supported;
- private String[] grant_types_supported;
-
- private String[] token_endpoint_auth_methods_supported;
- private String[] token_endpoint_auth_signing_alg_values_supported;
-
- private String[] id_token_signing_alg_values_supported;
- private String[] id_token_encryption_alg_values_supported;
- private String[] id_token_encryption_enc_values_supported;
-
- private String[] userinfo_signing_alg_values_supported;
- private String[] userinfo_encryption_alg_values_supported;
- private String[] userinfo_encryption_enc_values_supported;
-
- private String[] request_object_signing_alg_values_supported;
- private String[] request_object_encryption_alg_values_supported;
- private String[] request_object_encryption_enc_values_supported;
-
- private String[] subject_types_supported;
- private String[] acr_values_supported;
- private String[] display_values_supported;
- private String[] claim_types_supported;
- private String[] claims_supported;
- private String[] claims_locales_supported;
- private String[] ui_locales_supported;
-
- private boolean claims_parameter_supported = false;
- private boolean request_parameter_supported = false;
- private boolean request_uri_parameter_supported = true;
- private boolean require_request_uri_registration = false;
-
- private String op_policy_uri;
- private String op_tos_uri;
- private String service_documentation;
-
- private boolean mutual_tls_sender_constrained_access_tokens = false;
-
- // OAuth2.0 Discovery
- // List of Proof Key for Code Exchange (PKCE) code challenge
- // methods supported on by the authorization server
- // private String[] code_challenge_methods_supported;
-
- public String getIssuer () {
- return issuer;
- }
-
- /**
- * REQUIRED
- *
- * @param issuer
- * The server identifier, typically base-URL
- */
- public void setIssuer (String issuer) {
- this.issuer = issuer;
- }
-
- public String getJwks_uri () {
- return jwks_uri;
- }
-
- /**
- * REQUIRED
- *
- * @param jwks_uri
- * The public JWK set URL
- */
- public void setJwks_uri (String jwks_uri) {
- this.jwks_uri = jwks_uri;
- }
-
- public String getAuthorization_endpoint () {
- return authorization_endpoint;
- }
-
- /**
- * REQUIRED
- *
- * @param authorization_endpoint
- * The authorisation endpoint URL.
- */
- public void setAuthorization_endpoint (String authorization_endpoint) {
- this.authorization_endpoint = authorization_endpoint;
- }
-
- public String getToken_endpoint () {
- return token_endpoint;
- }
-
- /**
- * REQUIRED unless only the Implicit Flow is used.
- *
- * @param token_endpoint
- * The token endpoint URL.
- */
- public void setToken_endpoint (String token_endpoint) {
- this.token_endpoint = token_endpoint;
- }
-
- public String getUserinfo_endpoint () {
- return userinfo_endpoint;
- }
-
- /**
- * RECOMMENDED. The URL MUST use the https scheme.
- *
- * @param userinfo_endpoint
- * The OpenID Connect UserInfo endpoint URL.
- */
- public void setUserinfo_endpoint (String userinfo_endpoint) {
- this.userinfo_endpoint = userinfo_endpoint;
- }
-
- public String getRegistration_endpoint () {
- return registration_endpoint;
- }
-
- /**
- * RECOMMENDED
- *
- * @param registration_endpoint
- * The OAuth 2.0 / OpenID Connect client registration
- * endpoint
- * URL.
- */
- public void setRegistration_endpoint (String registration_endpoint) {
- this.registration_endpoint = registration_endpoint;
- }
-
- public String[] getScopes_supported () {
- return scopes_supported;
- }
-
- /**
- * RECOMMENDED
- *
- * @param scopes_supported
- * List of the supported scope values. Certain
- * values may be omitted for privacy reasons.
- */
- public void setScopes_supported (String[] scopes_supported) {
- this.scopes_supported = scopes_supported;
- }
-
- public String[] getResponse_types_supported () {
- return response_types_supported;
- }
-
- /**
- * REQUIRED
- *
- * @param response_types_supported
- * List of the supported response_type
- * values.
- */
- public void setResponse_types_supported (
- String[] response_types_supported) {
- this.response_types_supported = response_types_supported;
- }
-
- public String[] getResponse_modes_supported () {
- return response_modes_supported;
- }
-
- /**
- * OPTIONAL
- *
- * @param response_modes_supported
- * List of the supported response mode
- * values.
- */
- public void setResponse_modes_supported (
- String[] response_modes_supported) {
- this.response_modes_supported = response_modes_supported;
- }
-
- public String[] getGrant_types_supported () {
- return grant_types_supported;
- }
-
- /**
- * OPTIONAL
- *
- * @param grant_types_supported
- * List of the supported grant types.
- */
- public void setGrant_types_supported (String[] grant_types_supported) {
- this.grant_types_supported = grant_types_supported;
- }
-
- public String[] getAcr_values_supported () {
- return acr_values_supported;
- }
-
- /**
- * OPTIONAL
- *
- * @param acr_values_supported
- * List of the supported Authentication Context Class
- * References.
- */
- public void setAcr_values_supported (String[] acr_values_supported) {
- this.acr_values_supported = acr_values_supported;
- }
-
- public String[] getSubject_types_supported () {
- return subject_types_supported;
- }
-
- /**
- * REQUIRED
- *
- * @param subject_types_supported
- * List of the supported subject (end-user) identifier
- * types.
- */
- public void setSubject_types_supported (String[] subject_types_supported) {
- this.subject_types_supported = subject_types_supported;
- }
-
- public String[] getId_token_signing_alg_values_supported () {
- return id_token_signing_alg_values_supported;
- }
-
- /**
- * REQUIRED
- *
- * @param id_token_signing_alg_values_supported
- * List of the supported JWS algorithms for
- * the issued ID tokens to encode claims in a JWT.
- */
- public void setId_token_signing_alg_values_supported (
- String[] id_token_signing_alg_values_supported) {
- this.id_token_signing_alg_values_supported =
- id_token_signing_alg_values_supported;
- }
-
- public String[] getId_token_encryption_alg_values_supported () {
- return id_token_encryption_alg_values_supported;
- }
-
- /**
- * OPTIONAL
- *
- * @param id_token_encryption_alg_values_supported
- * List of the supported JWE algorithms for
- * the issued ID tokens to encode claims in a JWT.
- */
- public void setId_token_encryption_alg_values_supported (
- String[] id_token_encryption_alg_values_supported) {
- this.id_token_encryption_alg_values_supported =
- id_token_encryption_alg_values_supported;
- }
-
- public String[] getId_token_encryption_enc_values_supported () {
- return id_token_encryption_enc_values_supported;
- }
-
- /**
- * OPTIONAL
- *
- * @param id_token_encryption_enc_values_supported
- * List of the supported JWE encryption methods for
- * the issued ID tokens to encode claims in a JWT.
- */
- public void setId_token_encryption_enc_values_supported (
- String[] id_token_encryption_enc_values_supported) {
- this.id_token_encryption_enc_values_supported =
- id_token_encryption_enc_values_supported;
- }
-
- public String[] getUserinfo_signing_alg_values_supported () {
- return userinfo_signing_alg_values_supported;
- }
-
- /**
- * OPTIONAL
- *
- * @param userinfo_signing_alg_values_supported
- * List of the supported signing JWS algorithms for
- * encoding the claims in a JWT returned at the
- * UserInfo endpoint.
- */
- public void setUserinfo_signing_alg_values_supported (
- String[] userinfo_signing_alg_values_supported) {
- this.userinfo_signing_alg_values_supported =
- userinfo_signing_alg_values_supported;
- }
-
- public String[] getUserinfo_encryption_alg_values_supported () {
- return userinfo_encryption_alg_values_supported;
- }
-
- /**
- * OPTIONAL
- *
- * @param userinfo_encryption_alg_values_supported
- * List of the supported JWE encryption algorithms for
- * encoding the claims in a JWT returned at the
- * UserInfo endpoint.
- */
- public void setUserinfo_encryption_alg_values_supported (
- String[] userinfo_encryption_alg_values_supported) {
- this.userinfo_encryption_alg_values_supported =
- userinfo_encryption_alg_values_supported;
- }
-
- public String[] getUserinfo_encryption_enc_values_supported () {
- return userinfo_encryption_enc_values_supported;
- }
-
- /**
- * OPTIONAL
- *
- * @param userinfo_encryption_enc_values_supported
- * List of the supported JWE encryption methods for
- * encoding the claims in a JWT returned at the
- * UserInfo endpoint.
- */
- public void setUserinfo_encryption_enc_values_supported (
- String[] userinfo_encryption_enc_values_supported) {
- this.userinfo_encryption_enc_values_supported =
- userinfo_encryption_enc_values_supported;
- }
-
- public String[] getRequest_object_signing_alg_values_supported () {
- return request_object_signing_alg_values_supported;
- }
-
- /**
- * OPTIONAL
- *
- * @param request_object_signing_alg_values_supported
- * JSON array containing a list of supported JWS
- * signing algorithms (alg values) supported for
- * Request Objects
- */
- public void setRequest_object_signing_alg_values_supported (
- String[] request_object_signing_alg_values_supported) {
- this.request_object_signing_alg_values_supported =
- request_object_signing_alg_values_supported;
- }
-
- public String[] getRequest_object_encryption_alg_values_supported () {
- return request_object_encryption_alg_values_supported;
- }
-
- /**
- * OPTIONAL
- *
- * @param request_object_encryption_alg_values_supported
- * List of the supported JWE encryption algorithms for
- * OpenID Connect request objects
- */
- public void setRequest_object_encryption_alg_values_supported (
- String[] request_object_encryption_alg_values_supported) {
- this.request_object_encryption_alg_values_supported =
- request_object_encryption_alg_values_supported;
- }
-
- public String[] getRequest_object_encryption_enc_values_supported () {
- return request_object_encryption_enc_values_supported;
- }
-
- /**
- * OPTIONAL
- *
- * @param request_object_encryption_enc_values_supported
- * List of the supported JWE encryption methods for
- * OpenID Connect request objects, omitted or empty if
- * none.
- */
- public void setRequest_object_encryption_enc_values_supported (
- String[] request_object_encryption_enc_values_supported) {
- this.request_object_encryption_enc_values_supported =
- request_object_encryption_enc_values_supported;
- }
-
- public String[] getToken_endpoint_auth_methods_supported () {
- return token_endpoint_auth_methods_supported;
- }
-
- /**
- * OPTIONAL
- *
- * @param token_endpoint_auth_methods_supported
- * List of the supported client authentication methods
- * at the token endpoint.
- */
- public void setToken_endpoint_auth_methods_supported (
- String[] token_endpoint_auth_methods_supported) {
- this.token_endpoint_auth_methods_supported =
- token_endpoint_auth_methods_supported;
- }
-
- public String[] getToken_endpoint_auth_signing_alg_values_supported () {
- return token_endpoint_auth_signing_alg_values_supported;
- }
-
- /**
- * OPTIONAL
- *
- * @param token_endpoint_auth_signing_alg_values_supported
- * List of the supported JWS algorithms for JWT-based
- * client authentication at the token endpoint
- */
- public void setToken_endpoint_auth_signing_alg_values_supported (
- String[] token_endpoint_auth_signing_alg_values_supported) {
- this.token_endpoint_auth_signing_alg_values_supported =
- token_endpoint_auth_signing_alg_values_supported;
- }
-
- public String[] getDisplay_values_supported () {
- return display_values_supported;
- }
-
- /**
- * OPTIONAL
- *
- * @param display_values_supported
- * List of the supported display parameters.
- */
- public void setDisplay_values_supported (
- String[] display_values_supported) {
- this.display_values_supported = display_values_supported;
- }
-
- public String[] getClaim_types_supported () {
- return claim_types_supported;
- }
-
- /**
- * OPTIONAL
- *
- * @param claim_types_supported
- * List of the supported OpenID Connect claim types.
- */
- public void setClaim_types_supported (String[] claim_types_supported) {
- this.claim_types_supported = claim_types_supported;
- }
-
- public String[] getClaims_supported () {
- return claims_supported;
- }
-
- /**
- * RECOMMENDED
- *
- * @param claims_supported
- * List of the supported OpenID Connect claims.
- */
- public void setClaims_supported (String[] claims_supported) {
- this.claims_supported = claims_supported;
- }
-
- public String getService_documentation () {
- return service_documentation;
- }
-
- /**
- * OPTIONAL
- *
- * @param service_documentation
- * The service documentation URL
- */
- public void setService_documentation (String service_documentation) {
- this.service_documentation = service_documentation;
- }
-
- public String[] getClaims_locales_supported () {
- return claims_locales_supported;
- }
-
- /**
- * OPTIONAL
- *
- * @param claims_locales_supported
- * List of the supported OpenID Connect claims locales
- */
- public void setClaims_locales_supported (
- String[] claims_locales_supported) {
- this.claims_locales_supported = claims_locales_supported;
- }
-
- public String[] getUi_locales_supported () {
- return ui_locales_supported;
- }
-
- /**
- * OPTIONAL
- *
- * @param ui_locales_supported
- * List of the supported UI locales
- */
- public void setUi_locales_supported (String[] ui_locales_supported) {
- this.ui_locales_supported = ui_locales_supported;
- }
-
- public boolean isClaims_parameter_supported () {
- return claims_parameter_supported;
- }
-
- /**
- * OPTIONAL. Default false.
- *
- * @param claims_parameter_supported
- * Specifies whether the claims request parameter is
- * supported.
- */
- public void setClaims_parameter_supported (
- boolean claims_parameter_supported) {
- this.claims_parameter_supported = claims_parameter_supported;
- }
-
- public boolean isRequest_parameter_supported () {
- return request_parameter_supported;
- }
-
- /**
- * OPTIONAL. Default false.
- *
- * @param request_parameter_supported
- * Specifies whether the request parameter is
- * supported.
- */
- public void setRequest_parameter_supported (
- boolean request_parameter_supported) {
- this.request_parameter_supported = request_parameter_supported;
- }
-
- public boolean isRequest_uri_parameter_supported () {
- return request_uri_parameter_supported;
- }
-
- /**
- * OPTIONAL. Default true.
- *
- * @param request_uri_parameter_supported
- * Specifies whether the request_uri parameter is
- * supported.
- */
- public void setRequest_uri_parameter_supported (
- boolean request_uri_parameter_supported) {
- this.request_uri_parameter_supported = request_uri_parameter_supported;
- }
-
- public boolean isRequire_request_uri_registration () {
- return require_request_uri_registration;
- }
-
- /**
- * OPTIONAL. Default false.
- *
- * @param require_request_uri_registration
- * Specifies whether request URIs must be registered
- * for a client.
- */
- public void setRequire_request_uri_registration (
- boolean require_request_uri_registration) {
- this.require_request_uri_registration =
- require_request_uri_registration;
- }
-
- public String getOp_policy_uri () {
- return op_policy_uri;
- }
-
- /**
- * OPTIONAL. URL that the OpenID Provider provides to the person
- * registering the Client to read about the requirements on
- * how the client can use the data provided by the OpenID
- * Provider. The registration process SHOULD display this URL to
- * the person registering the Client if it is given.
- *
- * @param op_policy_uri
- * The privacy policy document URL, omitted if none.
- */
- public void setOp_policy_uri (String op_policy_uri) {
- this.op_policy_uri = op_policy_uri;
- }
-
- public String getOp_tos_uri () {
- return op_tos_uri;
- }
-
- /**
- * @param op_tos_uri
- * The terms of service document URL, omitted if none.
- */
- public void setOp_tos_uri (String op_tos_uri) {
- this.op_tos_uri = op_tos_uri;
- }
-
- public String getIntrospection_endpoint () {
- return introspection_endpoint;
- }
-
- /**
- * ADDITIONAL
- *
- * @param introspection_endpoint
- * The token introspection endpoint URL.
- */
- public void setIntrospection_endpoint (String introspection_endpoint) {
- this.introspection_endpoint = introspection_endpoint;
- }
-
- public String getRevocation_endpoint () {
- return revocation_endpoint;
- }
-
- /**
- * ADDITIONAL
- *
- * @param revocation_endpoint
- * The token revocation endpoint URL.
- */
- public void setRevocation_endpoint (String revocation_endpoint) {
- this.revocation_endpoint = revocation_endpoint;
- }
-
- public String getEnd_session_endpoint () {
- return end_session_endpoint;
- }
-
- /**
- * ADDITIONAL
- *
- * @param end_session_endpoint
- * The OpenID Connect logout endpoint URL, omitted if
- * disabled.
- */
- public void setEnd_session_endpoint (String end_session_endpoint) {
- this.end_session_endpoint = end_session_endpoint;
- }
-
- public boolean isMutual_tls_sender_constrained_access_tokens () {
- return mutual_tls_sender_constrained_access_tokens;
- }
-
- /**
- * OPTIONAL. Default false.
- *
- * @see <a
- * href="https://tools.ietf.org/id/draft-ietf-oauth-mtls-03.html#server_metadata">Mutual
- * TLS Profile for OAuth 2.0</a>
- * @param mutual_tls_sender_constrained_access_tokens
- * specifies whether issue of client X.509 certificate
- * bound access tokens is supported, omitted
- * implies no support.
- */
- public void setMutual_tls_sender_constrained_access_tokens (
- boolean mutual_tls_sender_constrained_access_tokens) {
- this.mutual_tls_sender_constrained_access_tokens =
- mutual_tls_sender_constrained_access_tokens;
- }
-}
diff --git a/full/src/main/java/de/ids_mannheim/korap/oauth2/openid/OpenIdHttpRequestWrapper.java b/full/src/main/java/de/ids_mannheim/korap/oauth2/openid/OpenIdHttpRequestWrapper.java
deleted file mode 100644
index 874f349..0000000
--- a/full/src/main/java/de/ids_mannheim/korap/oauth2/openid/OpenIdHttpRequestWrapper.java
+++ /dev/null
@@ -1,44 +0,0 @@
-package de.ids_mannheim.korap.oauth2.openid;
-
-import java.net.URL;
-import java.util.Enumeration;
-import java.util.Map;
-import java.util.List;
-
-import jakarta.servlet.http.HttpServletRequest;
-
-import com.nimbusds.oauth2.sdk.ParseException;
-import com.nimbusds.oauth2.sdk.http.HTTPRequest;
-
-/** A request wrapper based on HTTPRequest.
- *
- * @author margaretha
- *
- */
-public class OpenIdHttpRequestWrapper extends HTTPRequest {
-
- private Map<String, List<String>> params;
-
- public OpenIdHttpRequestWrapper (Method method, URL url) {
- super(method, url);
- }
-
- @Override
- public Map<String, List<String>> getQueryParameters () {
- return this.params;
- }
-
- public void toHttpRequest (HttpServletRequest servletRequest,
- Map<String, List<String>> map) throws ParseException {
-
- this.params = map;
- this.setClientIPAddress(servletRequest.getRemoteAddr());
- this.setContentType(servletRequest.getContentType());
-
- Enumeration<String> headerNames = servletRequest.getHeaderNames();
- while (headerNames.hasMoreElements()) {
- String name = headerNames.nextElement().toString();
- this.setHeader(name, servletRequest.getHeader(name));
- }
- }
-}
diff --git a/full/src/main/java/de/ids_mannheim/korap/oauth2/openid/service/JWKService.java b/full/src/main/java/de/ids_mannheim/korap/oauth2/openid/service/JWKService.java
deleted file mode 100644
index df9fb17..0000000
--- a/full/src/main/java/de/ids_mannheim/korap/oauth2/openid/service/JWKService.java
+++ /dev/null
@@ -1,84 +0,0 @@
-package de.ids_mannheim.korap.oauth2.openid.service;
-
-import java.io.FileOutputStream;
-import java.io.IOException;
-import java.io.OutputStreamWriter;
-import java.security.KeyPair;
-import java.security.KeyPairGenerator;
-import java.security.NoSuchAlgorithmException;
-import java.security.interfaces.RSAPrivateKey;
-import java.security.interfaces.RSAPublicKey;
-import java.util.UUID;
-
-import org.json.JSONObject;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.stereotype.Service;
-
-import com.nimbusds.jose.jwk.JWK;
-import com.nimbusds.jose.jwk.JWKSet;
-import com.nimbusds.jose.jwk.RSAKey;
-
-import de.ids_mannheim.korap.config.FullConfiguration;
-
-/** JWK services for generating key pair and key set.
- *
- * @author margaretha
- *
- */
-@Service
-public class JWKService {
-
- @Autowired
- private FullConfiguration config;
-
- public static void main (String[] args)
- throws NoSuchAlgorithmException, IOException {
- generateJWK();
- }
-
- public static void generateJWK ()
- throws NoSuchAlgorithmException, IOException {
- KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
- gen.initialize(2048);
- KeyPair keyPair = gen.generateKeyPair();
-
- // Convert to JWK format
- JWK jwk = new RSAKey.Builder((RSAPublicKey) keyPair.getPublic())
- .privateKey((RSAPrivateKey) keyPair.getPrivate())
- .keyID(UUID.randomUUID().toString()).build();
-
- // write private key
- JSONObject json = new JSONObject(jwk.toJSONString());
- OutputStreamWriter writer = new OutputStreamWriter(
- new FileOutputStream("kustvakt_rsa.key"));
- writer.write(json.toString(2));
- writer.flush();
- writer.close();
-
- JWK publicJWK = jwk.toPublicJWK();
- JWKSet jwkSet = new JWKSet(publicJWK);
- json = new JSONObject(jwkSet.toString());
- // write public key
- writer = new OutputStreamWriter(
- new FileOutputStream("kustvakt_rsa_public.key"));
- writer.write(json.toString(2));
- writer.flush();
- writer.close();
- }
-
- /**
- * Generates indented JSON string representation of kustvakt
- * public keys
- *
- * @return json string of kustvakt public keys
- *
- * @see RFC 8017 regarding RSA specifications
- * @see RFC 7517 regarding JWK (Json Web Key) and JWK Set
- *
- */
- public String generatePublicKeySetJson () {
- JWKSet jwkSet = config.getPublicKeySet();
- JSONObject json = new JSONObject(jwkSet.toString());
- return json.toString(2);
- }
-}
diff --git a/full/src/main/java/de/ids_mannheim/korap/oauth2/openid/service/OpenIdAuthorizationService.java b/full/src/main/java/de/ids_mannheim/korap/oauth2/openid/service/OpenIdAuthorizationService.java
deleted file mode 100644
index d23b146..0000000
--- a/full/src/main/java/de/ids_mannheim/korap/oauth2/openid/service/OpenIdAuthorizationService.java
+++ /dev/null
@@ -1,236 +0,0 @@
-package de.ids_mannheim.korap.oauth2.openid.service;
-
-import java.net.URI;
-import java.net.URISyntaxException;
-import java.time.ZoneId;
-import java.time.ZonedDateTime;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-
-import org.apache.commons.validator.routines.UrlValidator;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.stereotype.Service;
-
-import com.nimbusds.oauth2.sdk.AuthorizationCode;
-import com.nimbusds.oauth2.sdk.AuthorizationRequest;
-import com.nimbusds.oauth2.sdk.AuthorizationSuccessResponse;
-import com.nimbusds.oauth2.sdk.ParseException;
-import com.nimbusds.oauth2.sdk.ResponseMode;
-import com.nimbusds.oauth2.sdk.ResponseType;
-import com.nimbusds.oauth2.sdk.Scope;
-import com.nimbusds.oauth2.sdk.id.State;
-import com.nimbusds.openid.connect.sdk.AuthenticationRequest;
-import com.nimbusds.openid.connect.sdk.AuthenticationSuccessResponse;
-import com.nimbusds.openid.connect.sdk.Nonce;
-
-import de.ids_mannheim.korap.config.Attributes;
-import de.ids_mannheim.korap.exceptions.KustvaktException;
-import de.ids_mannheim.korap.exceptions.StatusCodes;
-import de.ids_mannheim.korap.oauth2.constant.OAuth2Error;
-import de.ids_mannheim.korap.oauth2.entity.OAuth2Client;
-import de.ids_mannheim.korap.oauth2.service.OAuth2AuthorizationService;
-import jakarta.ws.rs.core.MultivaluedMap;
-
-/** Authorization service implementation using open id.
- *
- * @author margaretha
- *
- */
-@Service
-public class OpenIdAuthorizationService extends OAuth2AuthorizationService {
-
- @Autowired
- private UrlValidator redirectURIValidator;
-
- public void checkRedirectUriParam (Map<String, String> map)
- throws KustvaktException {
- if (map.containsKey("redirect_uri")) {
- String redirect_uri = map.get("redirect_uri");
- if (redirect_uri != null && !redirect_uri.isEmpty()) {
- if (!redirectURIValidator.isValid(redirect_uri)) {
- throw new KustvaktException(
- StatusCodes.INVALID_REDIRECT_URI,
- "Invalid redirect URI",
- OAuth2Error.INVALID_REQUEST);
- }
- return;
- }
- }
-
- throw new KustvaktException(StatusCodes.MISSING_REDIRECT_URI,
- "redirect_uri is required", OAuth2Error.INVALID_REQUEST);
- }
-
- public URI requestAuthorizationCode (MultivaluedMap<String, String> map,
- String username, boolean isAuthentication,
- ZonedDateTime authenticationTime)
- throws KustvaktException, ParseException {
-
- AuthorizationCode code = new AuthorizationCode();
- URI redirectUri = null;
-
- if (isAuthentication) {
- AuthenticationRequest authRequest = null;
- authRequest = AuthenticationRequest.parse((Map<String,List<String>>) map);
- redirectUri = handleAuthenticationRequest(authRequest, code,
- username, authenticationTime);
- return new AuthenticationSuccessResponse(redirectUri, code, null,
- null, authRequest.getState(), null, null).toURI();
- }
- else {
- AuthorizationRequest authzRequest = AuthorizationRequest.parse((Map<String,List<String>>) map);
- redirectUri = handleAuthorizationRequest(authzRequest, code,
- username, authenticationTime, null);
- return new AuthorizationSuccessResponse(redirectUri, code, null,
- authzRequest.getState(), null).toURI();
-
- }
- }
-
- private URI handleAuthorizationRequest (AuthorizationRequest authzRequest,
- AuthorizationCode code, String username,
- ZonedDateTime authenticationTime, String nonce)
- throws KustvaktException {
-
- URI redirectUri = authzRequest.getRedirectionURI();
- String redirectUriStr =
- (redirectUri != null) ? redirectUri.toString() : null;
-
- String clientId = authzRequest.getClientID().getValue();
- OAuth2Client client = clientService.authenticateClientId(clientId);
- URI verifiedRedirectUri = verifyRedirectUri(client, redirectUriStr);
-
- try {
- ResponseType responseType = authzRequest.getResponseType();
- checkResponseType(responseType.toString());
-
- Scope scope = authzRequest.getScope();
- Set<String> scopeSet = null;
- if (scope != null) {
- scopeSet = new HashSet<>(scope.toStringList());
- }
- createAuthorization(username, clientId, redirectUriStr, scopeSet,
- code.getValue(), authenticationTime, nonce);
- }
- catch (KustvaktException e) {
- e.setRedirectUri(redirectUri);
- throw e;
- }
-
- return redirectUri;
- }
-
-
- /**
- * Kustvakt does not support the following parameters:
- * <em>claims</em>, <em>requestURI</em>, <em>requestObject</em>,
- * <em>id_token_hint</em>, and ignores them if they are included
- * in an authentication request. Kustvakt provides minimum support
- * for <em>acr_values</em> by not throwing an error when it is
- * included in an authentication request.
- *
- * <p>Parameters related to user interface are also ignored,
- * namely <em>display</em>, <em>prompt</em>,
- * <em>ui_locales</em>, <em>login_hint</em>. However,
- * <em>display</em>, <em>prompt</em>, and <em>ui_locales</em>
- * must be supported by Kalamar. The minimum level of
- * support required for these parameters is simply that its use
- * must not result in an error.</p>
- *
- * <p>Some Authentication request parameters in addition to
- * OAuth2.0 authorization parameters according to OpenID connect
- * core 1.0 Specification:</p>
- *
- * <ul>
- *
- * <li>nonce</li>
- * <p> OPTIONAL. The value is passed through unmodified from the
- * Authentication Request to the ID Token.</p>
- *
- * <li>max_age</li>
- * <p>OPTIONAL. Maximum Authentication Age in seconds. If the
- * elapsed time is
- * greater than this value, the OpenID Provider MUST attempt
- * to actively re-authenticate the End-User. When max_age is used,
- * the ID Token returned MUST include an auth_time Claim
- * Value.</p>
- *
- * <li>claims</li>
- * <p>Support for the claims parameter is OPTIONAL. Should an OP
- * (openid provider) not support this parameter and an RP (relying
- * party /client) uses it, the OP SHOULD return a set of Claims to
- * the RP that it believes would be useful to the RP and the
- * End-User using whatever heuristics it believes are
- * appropriate.</p>
- *
- * </ul>
- *
- * @see "OpenID Connect Core 1.0 specification"
- *
- * @param authRequest
- * @param code
- * @param username
- * @param authenticationTime
- * @return
- * @throws KustvaktException
- */
- private URI handleAuthenticationRequest (AuthenticationRequest authRequest,
- AuthorizationCode code, String username,
- ZonedDateTime authenticationTime) throws KustvaktException {
- // TO DO: extra checking for authentication params?
-
- Nonce nonce = authRequest.getNonce();
- String nonceValue = null;
- if (nonce != null && !nonce.getValue().isEmpty()) {
- nonceValue = nonce.getValue();
- }
-
- checkMaxAge(authRequest.getMaxAge(), authenticationTime);
-
- AuthorizationRequest request = authRequest;
- return handleAuthorizationRequest(request, code, username,
- authenticationTime, nonceValue);
- }
-
- private void checkMaxAge (int maxAge, ZonedDateTime authenticationTime)
- throws KustvaktException {
- if (maxAge > 0) {
- ZonedDateTime now =
- ZonedDateTime.now(ZoneId.of(Attributes.DEFAULT_TIME_ZONE));
-
- if (authenticationTime.plusSeconds(maxAge).isBefore(now)) {
- throw new KustvaktException(
- StatusCodes.USER_REAUTHENTICATION_REQUIRED,
- "User reauthentication is required because the authentication "
- + "time is too old according to max_age");
- }
- }
- }
-
- @Override
- protected void checkResponseType (String responseType)
- throws KustvaktException {
- String[] types = responseType.split(" ");
- for (String type : types) {
- super.checkResponseType(type);
- }
- }
-
- public State retrieveState (Map<String, String> map) {
- String stateStr = map.get("state");
- if (stateStr != null && stateStr.isEmpty()) {
- return new State(stateStr);
- }
- return null;
- }
-
- public ResponseMode retrieveResponseMode (Map<String, String> map) {
- String str = map.get("response_mode");
- if (str != null && str.isEmpty()) {
- return new ResponseMode(str);
- }
- return null;
- }
-}
diff --git a/full/src/main/java/de/ids_mannheim/korap/oauth2/openid/service/OpenIdConfigService.java b/full/src/main/java/de/ids_mannheim/korap/oauth2/openid/service/OpenIdConfigService.java
deleted file mode 100644
index bcec0fa..0000000
--- a/full/src/main/java/de/ids_mannheim/korap/oauth2/openid/service/OpenIdConfigService.java
+++ /dev/null
@@ -1,22 +0,0 @@
-package de.ids_mannheim.korap.oauth2.openid.service;
-
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.stereotype.Service;
-
-import de.ids_mannheim.korap.config.FullConfiguration;
-import de.ids_mannheim.korap.oauth2.openid.OpenIdConfiguration;
-
-/**
- * @author margaretha
- *
- */
-@Service
-public class OpenIdConfigService {
-
- @Autowired
- private FullConfiguration config;
-
- public OpenIdConfiguration retrieveOpenIdConfigInfo () {
- return config.getOpenidConfig();
- }
-}
diff --git a/full/src/main/java/de/ids_mannheim/korap/oauth2/openid/service/OpenIdTokenService.java b/full/src/main/java/de/ids_mannheim/korap/oauth2/openid/service/OpenIdTokenService.java
deleted file mode 100644
index e92c2be..0000000
--- a/full/src/main/java/de/ids_mannheim/korap/oauth2/openid/service/OpenIdTokenService.java
+++ /dev/null
@@ -1,382 +0,0 @@
-package de.ids_mannheim.korap.oauth2.openid.service;
-
-import java.net.URI;
-import java.security.PrivateKey;
-import java.time.ZonedDateTime;
-import java.util.ArrayList;
-import java.util.Date;
-import java.util.HashSet;
-import java.util.Set;
-
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.stereotype.Service;
-
-import com.nimbusds.jose.JOSEException;
-import com.nimbusds.jose.JWSAlgorithm;
-import com.nimbusds.jose.JWSHeader;
-import com.nimbusds.jose.JWSSigner;
-import com.nimbusds.jose.crypto.RSASSASigner;
-import com.nimbusds.jwt.JWTClaimsSet;
-import com.nimbusds.jwt.SignedJWT;
-import com.nimbusds.oauth2.sdk.AccessTokenResponse;
-import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
-import com.nimbusds.oauth2.sdk.AuthorizationGrant;
-import com.nimbusds.oauth2.sdk.GrantType;
-import com.nimbusds.oauth2.sdk.ParseException;
-import com.nimbusds.oauth2.sdk.ResourceOwnerPasswordCredentialsGrant;
-import com.nimbusds.oauth2.sdk.Scope;
-import com.nimbusds.oauth2.sdk.TokenRequest;
-import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
-import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
-import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
-import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
-import com.nimbusds.oauth2.sdk.id.Audience;
-import com.nimbusds.oauth2.sdk.id.ClientID;
-import com.nimbusds.oauth2.sdk.id.Issuer;
-import com.nimbusds.oauth2.sdk.id.Subject;
-import com.nimbusds.oauth2.sdk.token.AccessToken;
-import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
-import com.nimbusds.oauth2.sdk.token.RefreshToken;
-import com.nimbusds.oauth2.sdk.token.Tokens;
-import com.nimbusds.openid.connect.sdk.Nonce;
-import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
-import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
-import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
-
-import de.ids_mannheim.korap.exceptions.KustvaktException;
-import de.ids_mannheim.korap.exceptions.StatusCodes;
-import de.ids_mannheim.korap.oauth2.constant.OAuth2Error;
-import de.ids_mannheim.korap.oauth2.dao.AccessTokenDao;
-import de.ids_mannheim.korap.oauth2.dao.RefreshTokenDao;
-import de.ids_mannheim.korap.oauth2.entity.AccessScope;
-import de.ids_mannheim.korap.oauth2.entity.Authorization;
-import de.ids_mannheim.korap.oauth2.entity.OAuth2Client;
-import de.ids_mannheim.korap.oauth2.service.OAuth2TokenService;
-import de.ids_mannheim.korap.utils.TimeUtils;
-
-/**
- * Token service implementation using OpenId.
- *
- * ID Tokens MUST be signed using JWS and optionally both signed and
- * then encrypted using JWS [JWS] and JWE [JWE] respectively.
- *
- * ID Tokens MUST NOT use none as the alg value unless the Response
- * Type used returns no ID Token from the Authorization Endpoint (such
- * as when using the Authorization Code Flow) and the Client
- * explicitly requested the use of none at Registration time.
- *
- * ID Tokens SHOULD NOT use the JWS or JWE x5u, x5c, jku, or jwk
- * Header Parameter fields.
- *
- * @author margaretha
- *
- */
-//@Service
-public class OpenIdTokenService extends OAuth2TokenService {
-
- @Autowired
- private AccessTokenDao tokenDao;
- @Autowired
- private RefreshTokenDao refreshDao;
-
- public AccessTokenResponse requestAccessTokenWithOpenID (TokenRequest tokenRequest)
- throws KustvaktException {
- AuthorizationGrant grant = tokenRequest.getAuthorizationGrant();
- GrantType grantType = grant.getType();
- ClientAuthentication clientAuthentication =
- tokenRequest.getClientAuthentication();
- ClientID clientId = tokenRequest.getClientID();
-
- if (grantType.equals(GrantType.AUTHORIZATION_CODE)) {
- return requestAccessTokenWithAuthorizationCodeAndOpenID(grant,
- clientAuthentication, clientId);
- }
- else if (grantType.equals(GrantType.PASSWORD)) {
- ResourceOwnerPasswordCredentialsGrant passwordGrant =
- (ResourceOwnerPasswordCredentialsGrant) grant;
- return requestAccessTokenWithPasswordAndOpenID(passwordGrant.getUsername(),
- passwordGrant.getPassword().getValue(),
- tokenRequest.getScope(), clientAuthentication, clientId);
- }
- else if (grantType.equals(GrantType.CLIENT_CREDENTIALS)) {
-
- }
- else {
- throw new KustvaktException(StatusCodes.UNSUPPORTED_GRANT_TYPE,
- grantType + " is not supported.",
- OAuth2Error.UNSUPPORTED_GRANT_TYPE);
- }
- return null;
- }
-
- /**
- * Third party apps must not be allowed to use password grant.
- * MH: password grant is only allowed for trusted clients (korap
- * frontend)
- *
- * According to RFC 6749, client authentication is only required
- * for confidential clients and whenever client credentials are
- * provided. Moreover, client_id is optional for password grant,
- * but without it, the authentication server cannot check the
- * client type. To make sure that confidential clients
- * authenticate, client_id is made required (similar to
- * authorization code grant).
- *
- * @param username
- * username, required
- * @param password
- * password, required
- * @param scope
- * scope, optional
- * @param clientAuthentication
- * @param clientId
- * @return
- * @throws KustvaktException
- */
- private AccessTokenResponse requestAccessTokenWithPasswordAndOpenID (String username,
- String password, Scope scope,
- ClientAuthentication clientAuthentication, ClientID clientId)
- throws KustvaktException {
-
- Set<String> scopeSet = null;
- if (scope != null) {
- scopeSet = new HashSet<String>();
- scopeSet.addAll(scope.toStringList());
- }
- else {
- scopeSet = config.getDefaultAccessScopes();
- scope = new Scope(scopeSet.toArray(new String[scopeSet.size()]));
- }
-
- ZonedDateTime authenticationTime;
- String clientIdStr = null;
- OAuth2Client client;
- if (clientAuthentication == null) {
- if (clientId == null) {
- throw new KustvaktException(StatusCodes.MISSING_PARAMETER,
- "Missing parameter: client_id",
- OAuth2Error.INVALID_REQUEST);
- }
- else {
- clientIdStr = clientId.getValue();
- client = clientService.authenticateClient(clientIdStr, null);
- }
- }
- else {
- String[] clientCredentials =
- extractClientCredentials(clientAuthentication);
- clientIdStr = clientCredentials[0];
- client = clientService.authenticateClient(clientCredentials[0],
- clientCredentials[1]);
- }
-
- if (!client.isSuper()) {
- throw new KustvaktException(StatusCodes.CLIENT_AUTHORIZATION_FAILED,
- "Password grant is not allowed for third party clients",
- OAuth2Error.UNAUTHORIZED_CLIENT);
- }
-
- authenticationTime = authenticateUser(username, password, scopeSet);
-
- AccessToken accessToken =
- new BearerAccessToken(config.getAccessTokenExpiry(), scope);
-
- RefreshToken refreshToken = new RefreshToken();
- Set<AccessScope> scopes = scopeService.convertToAccessScope(scopeSet);
- de.ids_mannheim.korap.oauth2.entity.RefreshToken rt =
- refreshDao.storeRefreshToken(refreshToken.getValue(), username,
- authenticationTime, client, scopes);
- tokenDao.storeAccessToken(accessToken.getValue(), rt, scopes, username,
- clientIdStr, authenticationTime);
-
- return createsAccessTokenResponse(accessToken, refreshToken, scope,
- clientIdStr, username, authenticationTime, null);
- }
-
- private AccessTokenResponse requestAccessTokenWithAuthorizationCodeAndOpenID (
- AuthorizationGrant grant, ClientAuthentication clientAuthentication,
- ClientID clientId) throws KustvaktException {
- AuthorizationCodeGrant codeGrant = (AuthorizationCodeGrant) grant;
- String authorizationCode = codeGrant.getAuthorizationCode().getValue();
- URI redirectionURI = codeGrant.getRedirectionURI();
- String redirectURI = null;
- if (redirectionURI != null) {
- redirectURI = redirectionURI.toString();
- }
-
- Authorization authorization = null;
- if (clientAuthentication == null) {
- if (clientId == null) {
- throw new KustvaktException(StatusCodes.MISSING_PARAMETER,
- "Missing parameter: client_id",
- OAuth2Error.INVALID_REQUEST);
- }
- else {
- authorization = retrieveAuthorization(authorizationCode,
- redirectURI, clientId.getValue(), null);
- }
- }
- else {
- String[] clientCredentials =
- extractClientCredentials(clientAuthentication);
- authorization = retrieveAuthorization(authorizationCode,
- redirectURI, clientCredentials[0], clientCredentials[1]);
- }
-
- return createsAccessTokenResponse(authorization);
-
- }
-
- private AccessTokenResponse createsAccessTokenResponse (
- Authorization authorization) throws KustvaktException {
- Set<AccessScope> scopes = authorization.getScopes();
- String[] scopeArray = scopes.stream().map(scope -> scope.toString())
- .toArray(String[]::new);
- Scope scope = new Scope(scopeArray);
- AccessToken accessToken =
- new BearerAccessToken(config.getAccessTokenExpiry(), scope);
- RefreshToken refreshToken = new RefreshToken();
- OAuth2Client client =
- clientService.retrieveClient(authorization.getClientId());
-
- de.ids_mannheim.korap.oauth2.entity.RefreshToken rt =
- refreshDao.storeRefreshToken(refreshToken.getValue(),
- authorization.getUserId(),
- authorization.getUserAuthenticationTime(),
- client, scopes);
-
- tokenDao.storeAccessToken(accessToken.getValue(), rt, scopes,
- authorization.getUserId(), authorization.getClientId(),
- authorization.getUserAuthenticationTime());
-
- return createsAccessTokenResponse(accessToken, refreshToken, scope,
- authorization.getClientId(), authorization.getUserId(),
- authorization.getUserAuthenticationTime(),
- authorization.getNonce());
- }
-
- private AccessTokenResponse createsAccessTokenResponse (
- AccessToken accessToken, RefreshToken refreshToken, Scope scope,
- String clientId, String userId,
- ZonedDateTime userAuthenticationTime, String nonce)
- throws KustvaktException {
-
- if (scope.contains("openid")) {
- JWTClaimsSet claims = createIdTokenClaims(clientId, userId,
- userAuthenticationTime, nonce);
- SignedJWT idToken = signIdToken(claims,
- // default
- new JWSHeader(JWSAlgorithm.RS256),
- config.getRsaPrivateKey());
- OIDCTokens tokens =
- new OIDCTokens(idToken, accessToken, refreshToken);
- return new OIDCTokenResponse(tokens);
- }
- else {
- Tokens tokens = new Tokens(accessToken, refreshToken);
- return new AccessTokenResponse(tokens);
- }
- }
-
- private String[] extractClientCredentials (
- ClientAuthentication clientAuthentication)
- throws KustvaktException {
-
- ClientAuthenticationMethod method = clientAuthentication.getMethod();
- String clientSecret;
- String clientId;
- if (method.equals(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)) {
- ClientSecretBasic basic = (ClientSecretBasic) clientAuthentication;
- clientSecret = basic.getClientSecret().getValue();
- clientId = basic.getClientID().getValue();
- }
- else if (method.equals(ClientAuthenticationMethod.CLIENT_SECRET_POST)) {
- ClientSecretPost post = (ClientSecretPost) clientAuthentication;
- clientSecret = post.getClientSecret().getValue();
- clientId = post.getClientID().getValue();
- }
- else {
- // client authentication method is not supported
- throw new KustvaktException(
- StatusCodes.UNSUPPORTED_AUTHENTICATION_METHOD,
- method.getValue() + " is not supported.",
- OAuth2Error.INVALID_CLIENT);
- }
- return new String[] { clientId, clientSecret };
- }
-
- private JWTClaimsSet createIdTokenClaims (String client_id, String username,
- ZonedDateTime authenticationTime, String nonce)
- throws KustvaktException {
- // A locally unique and never reassigned identifier within the
- // Issuer for the End-User
- Subject sub = new Subject(username);
- Issuer iss = new Issuer(config.getIssuerURI());
- Audience aud = new Audience(client_id);
- ArrayList<Audience> audList = new ArrayList<Audience>(1);
- audList.add(aud);
- Date iat = TimeUtils.getNow().toDate();
- Date exp =
- TimeUtils.getNow().plusSeconds(config.getTokenTTL()).toDate();
-
- IDTokenClaimsSet claims =
- new IDTokenClaimsSet(iss, sub, audList, exp, iat);
-
- Date authTime = Date.from(authenticationTime.toInstant());
- claims.setAuthenticationTime(authTime);
- if (nonce != null && !nonce.isEmpty()) {
- claims.setNonce(new Nonce(nonce));
- }
-
- try {
- return claims.toJWTClaimsSet();
- }
- catch (ParseException e) {
- throw new KustvaktException(StatusCodes.ID_TOKEN_CLAIM_ERROR,
- e.getMessage());
- }
- }
-
- /**
- * id token should be signed and additionally encrypted
- * according to keys and algorithms the client specified
- * during registration
- *
- * Currently supporting only:
- * default algorithm = RSA SHA-256 (RS256)
- *
- * @param jwtClaimsSet
- * id token claim set
- * @param jwsHeader
- * jws header
- * @param privateKey
- *
- * @return
- * @throws KustvaktException
- */
- private SignedJWT signIdToken (JWTClaimsSet jwtClaimsSet,
- JWSHeader jwsHeader, PrivateKey privateKey)
- throws KustvaktException {
-
- SignedJWT idToken = new SignedJWT(jwsHeader, jwtClaimsSet);
- JWSSigner signer = null;
- if (jwsHeader.getAlgorithm().equals(JWSAlgorithm.RS256)) {
- signer = new RSASSASigner(privateKey);
- }
- else {
- throw new KustvaktException(StatusCodes.ID_TOKEN_SIGNING_FAILED,
- "Unsupported algorithm "
- + jwsHeader.getAlgorithm().getName());
- }
-
- try {
- idToken.sign(signer);
- }
- catch (JOSEException e) {
- throw new KustvaktException(StatusCodes.ID_TOKEN_SIGNING_FAILED,
- e.getMessage());
- }
-
- return idToken;
- }
-}
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/OpenIdResponseHandler.java b/full/src/main/java/de/ids_mannheim/korap/web/OpenIdResponseHandler.java
deleted file mode 100644
index 3c2f060..0000000
--- a/full/src/main/java/de/ids_mannheim/korap/web/OpenIdResponseHandler.java
+++ /dev/null
@@ -1,231 +0,0 @@
-package de.ids_mannheim.korap.web;
-
-import java.net.URI;
-import java.util.HashMap;
-import java.util.Map;
-
-import org.apache.http.HttpHeaders;
-import org.springframework.stereotype.Service;
-
-import com.nimbusds.oauth2.sdk.AccessTokenResponse;
-import com.nimbusds.oauth2.sdk.AuthorizationErrorResponse;
-import com.nimbusds.oauth2.sdk.ErrorObject;
-import com.nimbusds.oauth2.sdk.ParseException;
-import com.nimbusds.oauth2.sdk.ResponseMode;
-import com.nimbusds.oauth2.sdk.TokenErrorResponse;
-import com.nimbusds.oauth2.sdk.id.State;
-import com.nimbusds.oauth2.sdk.token.BearerTokenError;
-import com.nimbusds.openid.connect.sdk.AuthenticationErrorResponse;
-
-import de.ids_mannheim.korap.exceptions.KustvaktException;
-import de.ids_mannheim.korap.oauth2.constant.OAuth2Error;
-import jakarta.ws.rs.core.MediaType;
-import jakarta.ws.rs.core.Response;
-import jakarta.ws.rs.core.Response.ResponseBuilder;
-import jakarta.ws.rs.core.Response.Status;
-import net.minidev.json.JSONObject;
-
-/** Generates OpenId specific responses.
- *
- * @author margaretha
- *
- */
-@Service
-public class OpenIdResponseHandler extends KustvaktResponseHandler {
-
- final static Map<String, ErrorObject> errorObjectMap = new HashMap<>();
- {
- errorObjectMap.put(OAuth2Error.ACCESS_DENIED,
- com.nimbusds.oauth2.sdk.OAuth2Error.ACCESS_DENIED);
- errorObjectMap.put(OAuth2Error.INVALID_CLIENT,
- com.nimbusds.oauth2.sdk.OAuth2Error.INVALID_CLIENT);
- errorObjectMap.put(OAuth2Error.INVALID_GRANT,
- com.nimbusds.oauth2.sdk.OAuth2Error.INVALID_GRANT);
- errorObjectMap.put(OAuth2Error.INVALID_REQUEST,
- com.nimbusds.oauth2.sdk.OAuth2Error.INVALID_REQUEST);
- errorObjectMap.put(OAuth2Error.INVALID_SCOPE,
- com.nimbusds.oauth2.sdk.OAuth2Error.INVALID_SCOPE);
- errorObjectMap.put(OAuth2Error.SERVER_ERROR,
- com.nimbusds.oauth2.sdk.OAuth2Error.SERVER_ERROR);
- errorObjectMap.put(OAuth2Error.TEMPORARILY_UNAVAILABLE,
- com.nimbusds.oauth2.sdk.OAuth2Error.TEMPORARILY_UNAVAILABLE);
- errorObjectMap.put(OAuth2Error.UNAUTHORIZED_CLIENT,
- com.nimbusds.oauth2.sdk.OAuth2Error.UNAUTHORIZED_CLIENT);
- errorObjectMap.put(OAuth2Error.UNSUPPORTED_GRANT_TYPE,
- com.nimbusds.oauth2.sdk.OAuth2Error.UNSUPPORTED_GRANT_TYPE);
- errorObjectMap.put(OAuth2Error.UNSUPPORTED_RESPONSE_TYPE,
- com.nimbusds.oauth2.sdk.OAuth2Error.UNSUPPORTED_RESPONSE_TYPE);
- }
-
- final static Map<String, ErrorObject> tokenErrorObjectMap = new HashMap<>();
- {
- tokenErrorObjectMap.put(OAuth2Error.INSUFFICIENT_SCOPE,
- BearerTokenError.INSUFFICIENT_SCOPE);
- tokenErrorObjectMap.put(OAuth2Error.INVALID_TOKEN,
- BearerTokenError.INVALID_TOKEN);
- tokenErrorObjectMap.put(OAuth2Error.INVALID_REQUEST,
- BearerTokenError.INVALID_REQUEST);
- }
-
- /**
- * According to OpenID connect core 1.0 specification, all
- * authentication errors must be represented through
- * AuthenticationErrorResponse. Moreover, for authorization code
- * flow, the error response parameters must be added to the
- * redirect URI as query parameters, unless a different response
- * mode was specified.
- *
- * {@link AuthorizationErrorResponse} defines specific
- * {@link ErrorObject}s regarding OAUTH2 errors.
- * {@link AuthenticationErrorResponse} defines additional
- * ErrorObjects regarding OpenID connect authenticaition errors.
- *
- * @param e
- * a {@link KustvaktException}
- * @param isAuthentication
- * @param redirectURI
- * @param state
- * @param responseMode
- * @return a redirect uri with error response parameters as part
- * of query parameters
- */
- public Response createAuthorizationErrorResponse (KustvaktException e,
- boolean isAuthentication, URI redirectURI, State state,
- ResponseMode responseMode) {
-
- ErrorObject errorObject = createErrorObject(e);
- errorObject = errorObject.setDescription(e.getMessage());
- if (redirectURI == null) {
- // if (e.getStatusCode()
- // .equals(StatusCodes.USER_REAUTHENTICATION_REQUIRED)) {
- // return Response.status(HttpStatus.SC_UNAUTHORIZED)
- // .entity(e.getMessage()).build();
- // }
-
- return Response.status(errorObject.getHTTPStatusCode())
- .entity(errorObject.toJSONObject()).build();
- }
-
- URI uri = null;
- if (isAuthentication) {
- uri = new AuthenticationErrorResponse(redirectURI, errorObject,
- state, responseMode).toURI();
- }
- else {
- uri = new AuthorizationErrorResponse(redirectURI, errorObject,
- state, responseMode).toURI();
- }
-
- ResponseBuilder builder = Response.temporaryRedirect(uri)
- .type(MediaType.APPLICATION_FORM_URLENCODED);
- return builder.build();
- }
-
- private ErrorObject createErrorObject (KustvaktException e) {
- String errorCode = e.getEntity();
-
- ErrorObject errorObject = errorObjectMap.get(errorCode);
- if (errorObject == null) {
- if (errorCode != null && !errorCode.isEmpty()
- && !errorCode.equals("[]")) {
- errorObject = new ErrorObject(e.getEntity(), e.getMessage());
- }
- else {
- throw throwit(e);
- }
- }
- return errorObject;
- }
-
- public Response createErrorResponse (ParseException e, State state) {
- ErrorObject errorObject = e.getErrorObject();
- if (errorObject == null) {
- errorObject = com.nimbusds.oauth2.sdk.OAuth2Error.INVALID_REQUEST;
- if (e.getMessage() != null) {
- errorObject = errorObject.setDescription(e.getMessage());
- }
- }
-
- JSONObject json = errorObject.toJSONObject();
- if (state != null) {
- json.put("state", state.getValue());
- }
-
- return Response.status(errorObject.getHTTPStatusCode()).entity(json)
- .build();
-
- }
-
- public Response createTokenErrorResponse (KustvaktException e) {
-
- String errorCode = e.getEntity();
- ErrorObject errorObject = tokenErrorObjectMap.get(errorCode);
- if (errorObject == null) {
- errorObject = errorObjectMap.get(errorCode);
- if (errorCode != null && !errorCode.isEmpty()
- && !errorCode.equals("[]")) {
- errorObject = new ErrorObject(e.getEntity(), e.getMessage());
- }
- else {
- throw throwit(e);
- }
- }
-
- errorObject = errorObject.setDescription(e.getMessage());
- TokenErrorResponse errorResponse = new TokenErrorResponse(errorObject);
- Status status = determineErrorStatus(errorCode);
- return createResponse(errorResponse, status);
- }
-
- public Response createResponse (AccessTokenResponse tokenResponse,
- Status status) {
- String jsonString = tokenResponse.toJSONObject().toJSONString();
- return createResponse(status, jsonString);
- }
-
- public Response createResponse (TokenErrorResponse tokenResponse,
- Status status) {
- String jsonString = tokenResponse.toJSONObject().toJSONString();
- return createResponse(status, jsonString);
- }
-
- private Response createResponse (Status status, Object entity) {
- ResponseBuilder builder = Response.status(status);
- builder.entity(entity);
- builder.header(HttpHeaders.CACHE_CONTROL, "no-store");
- builder.header(HttpHeaders.PRAGMA, "no-store");
-
- if (status == Status.UNAUTHORIZED) {
- builder.header(HttpHeaders.WWW_AUTHENTICATE,
- "Basic realm=\"Kustvakt\"");
- }
- return builder.build();
- }
-
- private Status determineErrorStatus (String errorCode) {
- Status status = Status.BAD_REQUEST;
- if (errorCode.equals(OAuth2Error.INVALID_CLIENT)
- || errorCode.equals(OAuth2Error.UNAUTHORIZED_CLIENT)
- || errorCode.equals(OAuth2Error.INVALID_TOKEN)) {
- status = Status.UNAUTHORIZED;
- }
- else if (errorCode.equals(OAuth2Error.INVALID_GRANT)
- || errorCode.equals(OAuth2Error.INVALID_REQUEST)
- || errorCode.equals(OAuth2Error.INVALID_SCOPE)
- || errorCode.equals(OAuth2Error.UNSUPPORTED_GRANT_TYPE)
- || errorCode.equals(OAuth2Error.UNSUPPORTED_RESPONSE_TYPE)
- || errorCode.equals(OAuth2Error.ACCESS_DENIED)) {
- status = Status.BAD_REQUEST;
- }
- else if (errorCode.equals(OAuth2Error.INSUFFICIENT_SCOPE)) {
- status = Status.FORBIDDEN;
- }
- else if (errorCode.equals(OAuth2Error.SERVER_ERROR)) {
- status = Status.INTERNAL_SERVER_ERROR;
- }
- else if (errorCode.equals(OAuth2Error.TEMPORARILY_UNAVAILABLE)) {
- status = Status.SERVICE_UNAVAILABLE;
- }
- return status;
- }
-}
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuth2WithOpenIdController.java b/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuth2WithOpenIdController.java
deleted file mode 100644
index f2c60d2..0000000
--- a/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuth2WithOpenIdController.java
+++ /dev/null
@@ -1,242 +0,0 @@
-package de.ids_mannheim.korap.web.controller;
-
-import java.net.MalformedURLException;
-import java.net.URI;
-import java.net.URL;
-import java.time.ZonedDateTime;
-import java.util.List;
-import java.util.Map;
-
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.stereotype.Controller;
-
-import com.nimbusds.oauth2.sdk.AccessTokenResponse;
-import com.nimbusds.oauth2.sdk.ParseException;
-import com.nimbusds.oauth2.sdk.ResponseMode;
-import com.nimbusds.oauth2.sdk.TokenRequest;
-import com.nimbusds.oauth2.sdk.http.HTTPRequest.Method;
-import com.nimbusds.oauth2.sdk.id.State;
-
-import de.ids_mannheim.korap.constant.OAuth2Scope;
-import de.ids_mannheim.korap.exceptions.KustvaktException;
-import de.ids_mannheim.korap.oauth2.openid.OpenIdConfiguration;
-import de.ids_mannheim.korap.oauth2.openid.OpenIdHttpRequestWrapper;
-import de.ids_mannheim.korap.oauth2.openid.service.JWKService;
-import de.ids_mannheim.korap.oauth2.openid.service.OpenIdAuthorizationService;
-import de.ids_mannheim.korap.oauth2.openid.service.OpenIdConfigService;
-import de.ids_mannheim.korap.oauth2.openid.service.OpenIdTokenService;
-import de.ids_mannheim.korap.oauth2.service.OAuth2ScopeService;
-import de.ids_mannheim.korap.security.context.TokenContext;
-import de.ids_mannheim.korap.web.OpenIdResponseHandler;
-import de.ids_mannheim.korap.web.filter.APIVersionFilter;
-import de.ids_mannheim.korap.web.filter.AuthenticationFilter;
-import de.ids_mannheim.korap.web.filter.BlockingFilter;
-import de.ids_mannheim.korap.web.utils.MapUtils;
-import de.ids_mannheim.korap.web.utils.ResourceFilters;
-import jakarta.servlet.http.HttpServletRequest;
-import jakarta.ws.rs.Consumes;
-import jakarta.ws.rs.GET;
-import jakarta.ws.rs.POST;
-import jakarta.ws.rs.Path;
-import jakarta.ws.rs.Produces;
-import jakarta.ws.rs.core.Context;
-import jakarta.ws.rs.core.MediaType;
-import jakarta.ws.rs.core.MultivaluedMap;
-import jakarta.ws.rs.core.Response;
-import jakarta.ws.rs.core.Response.ResponseBuilder;
-import jakarta.ws.rs.core.Response.Status;
-import jakarta.ws.rs.core.SecurityContext;
-
-/** WARNING: Open ID is not maintained and used.
- *
- * Describes OAuth2 webAPI with OpenId Connect implementation, an
- * additional authentication protocol allowing clients to verify
- * user authentication data represented by ID tokens.
- *
- * @author margaretha
- *
- */
-@Deprecated
-@Controller
-@Path("{version}/oauth2/openid")
-@ResourceFilters({ APIVersionFilter.class })
-public class OAuth2WithOpenIdController {
-
- @Autowired
- private OpenIdAuthorizationService authzService;
- //@Autowired
- private OpenIdTokenService tokenService;
- @Autowired
- private JWKService jwkService;
- @Autowired
- private OpenIdConfigService configService;
- @Autowired
- private OAuth2ScopeService scopeService;
-
- @Autowired
- private OpenIdResponseHandler openIdResponseHandler;
-
- /**
- * Required parameters for OpenID authentication requests:
- *
- * <ul>
- * <li>scope: MUST contain "openid" for OpenID Connect
- * requests</li>
- * <li>response_type: only "code" is supported</li>
- * <li>client_id: client identifier given by Kustvakt during
- * client registration</li>
- * <li>redirect_uri: MUST match a pre-registered redirect uri
- * during client registration</li>
- * </ul>
- *
- * Other parameters:
- *
- * <ul>
- * <li>state (recommended): Opaque value used to maintain state
- * between the request and the callback.</li>
- * <li>response_mode (optional) : mechanism to be used for
- * returning parameters, only "query" is supported</li>
- * <li>nonce (optional): String value used to associate a Client
- * session with an ID Token,
- * and to mitigate replay attacks. </li>
- * <li>display (optional): specifies how the Authorization Server
- * displays the authentication and consent user interface
- * pages. Options: page (default), popup, touch, wap. This
- * parameter is more relevant for Kalamar. </li>
- * <li>prompt (optional): specifies if the Authorization Server
- * prompts the End-User for reauthentication and consent. Defined
- * values: none, login, consent, select_account </li>
- * <li>max_age (optional): maximum Authentication Age.</li>
- * <li>ui_locales (optional): preferred languages and scripts for
- * the user interface represented as a space-separated list of
- * BCP47 [RFC5646] </li>
- * <li>id_token_hint (optional): ID Token previously issued by the
- * Authorization Server being passed as a hint</li>
- * <li>login_hint (optional): hint to the Authorization Server
- * about the login identifier the End-User might use to log
- * in</li>
- * <li>acr_values (optional): requested Authentication Context
- * Class Reference values. </li>
- * </ul>
- *
- * @see "OpenID Connect Core 1.0 specification"
- *
- * @param request
- * @param context
- * @param form
- * @return a redirect to client redirect uri
- */
- @POST
- @Path("authorize")
- @ResourceFilters({ AuthenticationFilter.class, BlockingFilter.class })
- @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
- @Produces(MediaType.APPLICATION_JSON + ";charset=utf-8")
- public Response requestAuthorizationCode (
- @Context HttpServletRequest request,
- @Context SecurityContext context,
- MultivaluedMap<String, String> form) {
-
- TokenContext tokenContext = (TokenContext) context.getUserPrincipal();
- String username = tokenContext.getUsername();
- ZonedDateTime authTime = tokenContext.getAuthenticationTime();
-
- Map<String, String> map = MapUtils.toMap(form);
- State state = authzService.retrieveState(map);
- ResponseMode responseMode = authzService.retrieveResponseMode(map);
-
- boolean isAuthentication = false;
- if (map.containsKey("scope") && map.get("scope").contains("openid")) {
- isAuthentication = true;
- }
-
- URI uri = null;
- try {
- scopeService.verifyScope(tokenContext, OAuth2Scope.AUTHORIZE);
-
- if (isAuthentication) {
- authzService.checkRedirectUriParam(map);
- }
- uri = authzService.requestAuthorizationCode(form, username,
- isAuthentication, authTime);
- }
- catch (ParseException e) {
- return openIdResponseHandler.createErrorResponse(e, state);
- }
- catch (KustvaktException e) {
- return openIdResponseHandler.createAuthorizationErrorResponse(e,
- isAuthentication, e.getRedirectUri(), state, responseMode);
- }
-
- ResponseBuilder builder = Response.temporaryRedirect(uri);
- return builder.build();
- }
-
- @POST
- @Path("token")
- @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
- @Produces(MediaType.APPLICATION_JSON + ";charset=utf-8")
- public Response requestAccessToken (
- @Context HttpServletRequest servletRequest,
- MultivaluedMap<String, String> form) {
-
- Map<String, String> map = MapUtils.toMap(form);
- Method method = Method.valueOf(servletRequest.getMethod());
- URL url = null;
- try {
- url = new URL(servletRequest.getRequestURL().toString());
- }
- catch (MalformedURLException e) {
- // TODO Auto-generated catch block
- e.printStackTrace();
- }
-
- try {
- OpenIdHttpRequestWrapper httpRequest =
- new OpenIdHttpRequestWrapper(method, url);
- httpRequest.toHttpRequest(servletRequest, (Map<String, List<String>>) form);
-
- TokenRequest tokenRequest = TokenRequest.parse(httpRequest);
- AccessTokenResponse tokenResponse =
- tokenService.requestAccessTokenWithOpenID(tokenRequest);
- return openIdResponseHandler.createResponse(tokenResponse,
- Status.OK);
- }
- catch (ParseException e) {
- return openIdResponseHandler.createErrorResponse(e, null);
- }
- catch (KustvaktException e) {
- return openIdResponseHandler.createTokenErrorResponse(e);
- }
- }
-
- /**
- * Retrieves Kustvakt public keys of JWK (Json Web Key) set
- * format.
- *
- * @return json string representation of the public keys
- *
- * @see "RFC 8017 regarding RSA specifications"
- * @see "RFC 7517 regarding JWK (Json Web Key) and JWK Set"
- */
- @GET
- @Path("jwks")
- @Produces(MediaType.APPLICATION_JSON + ";charset=utf-8")
- public String requestPublicKeys () {
- return jwkService.generatePublicKeySetJson();
- }
-
- /**
- * When supporting discovery, must be available at
- * {issuer_uri}/.well-known/openid-configuration
- *
- * @return
- *
- * @return
- */
- @GET
- @Path("config")
- @Produces(MediaType.APPLICATION_JSON + ";charset=utf-8")
- public OpenIdConfiguration requestOpenIdConfig () {
- return configService.retrieveOpenIdConfigInfo();
- }
-}
diff --git a/full/src/main/resources/default-config.xml b/full/src/main/resources/default-config.xml
index fa3ed22..3491bd3 100644
--- a/full/src/main/resources/default-config.xml
+++ b/full/src/main/resources/default-config.xml
@@ -248,14 +248,6 @@
<!-- authentication providers to use -->
- <!-- <bean id="openid_auth"
- class="de.ids_mannheim.korap.authentication.OpenIDconnectAuthentication">
- <constructor-arg type="de.ids_mannheim.korap.config.KustvaktConfiguration"
- ref="kustvakt_config" />
- <constructor-arg
- type="de.ids_mannheim.korap.interfaces.db.PersistenceClient" ref="kustvakt_db" />
- </bean> -->
-
<!-- <bean id="session_auth"
class="de.ids_mannheim.korap.authentication.SessionAuthentication">
<constructor-arg type="de.ids_mannheim.korap.config.KustvaktConfiguration"
@@ -270,7 +262,6 @@
<util:list id="kustvakt_authproviders"
value-type="de.ids_mannheim.korap.interfaces.AuthenticationIface">
<!-- <ref bean="session_auth" /> -->
- <!-- <ref bean="openid_auth" /> -->
<ref bean="oauth2_auth" />
</util:list>
diff --git a/full/src/test/java/de/ids_mannheim/korap/misc/ScopesTest.java b/full/src/test/java/de/ids_mannheim/korap/misc/ScopesTest.java
deleted file mode 100644
index 18f1cd1..0000000
--- a/full/src/test/java/de/ids_mannheim/korap/misc/ScopesTest.java
+++ /dev/null
@@ -1,20 +0,0 @@
-package de.ids_mannheim.korap.misc;
-import org.junit.Test;
-
-/**
- * @author hanl
- * @date 20/01/2016
- */
-public class ScopesTest {
-
- @Test
- public void testScopes () {
-
- }
-
-
- @Test
- public void testOpenIDScopes () {
-
- }
-}
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2OpenIdControllerTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2OpenIdControllerTest.java
deleted file mode 100644
index bced504..0000000
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2OpenIdControllerTest.java
+++ /dev/null
@@ -1,436 +0,0 @@
-package de.ids_mannheim.korap.web.controller;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertTrue;
-
-import java.net.URI;
-import java.security.NoSuchAlgorithmException;
-import java.security.spec.InvalidKeySpecException;
-import java.text.ParseException;
-import java.util.Date;
-
-import jakarta.ws.rs.core.Form;
-import jakarta.ws.rs.core.MediaType;
-
-import org.apache.http.entity.ContentType;
-import org.apache.oltu.oauth2.common.message.types.TokenType;
-import org.junit.Test;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.util.MultiValueMap;
-import org.springframework.web.util.UriComponentsBuilder;
-
-import com.fasterxml.jackson.databind.JsonNode;
-import com.google.common.net.HttpHeaders;
-import com.nimbusds.jose.JOSEException;
-import com.nimbusds.jose.JWSVerifier;
-import com.nimbusds.jose.crypto.RSASSAVerifier;
-import com.nimbusds.jose.jwk.JWKSet;
-import com.nimbusds.jose.jwk.RSAKey;
-import com.nimbusds.jwt.JWTClaimsSet;
-import com.nimbusds.jwt.SignedJWT;
-import com.nimbusds.oauth2.sdk.GrantType;
-import jakarta.ws.rs.ProcessingException;
-import jakarta.ws.rs.core.Response;
-import jakarta.ws.rs.client.Entity;
-
-import de.ids_mannheim.korap.authentication.http.HttpAuthorizationHandler;
-import de.ids_mannheim.korap.config.Attributes;
-import de.ids_mannheim.korap.config.FullConfiguration;
-import de.ids_mannheim.korap.config.SpringJerseyTest;
-import de.ids_mannheim.korap.exceptions.KustvaktException;
-import de.ids_mannheim.korap.oauth2.constant.OAuth2Error;
-import de.ids_mannheim.korap.utils.JsonUtils;
-
-// Open ID is not maintained and used.
-@Deprecated
-public class OAuth2OpenIdControllerTest extends SpringJerseyTest {
-
- @Autowired
- private FullConfiguration config;
-
- private String redirectUri =
- "https://korap.ids-mannheim.de/confidential/redirect";
- private String username = "dory";
-
- private Response sendAuthorizationRequest (
- Form form) throws KustvaktException {
- return target().path(API_VERSION).path("oauth2").path("openid").path("authorize")
- .request()
- .header(Attributes.AUTHORIZATION,
- HttpAuthorizationHandler
- .createBasicAuthorizationHeaderValue(username,
- "password"))
- .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
- .header(HttpHeaders.CONTENT_TYPE,
- ContentType.APPLICATION_FORM_URLENCODED)
- .post(Entity.form(form));
- }
-
- private Response sendTokenRequest (
- Form form) throws KustvaktException {
- return target().path(API_VERSION).path("oauth2").path("openid").path("token")
- .request()
- .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
- .header(HttpHeaders.CONTENT_TYPE,
- ContentType.APPLICATION_FORM_URLENCODED)
- .post(Entity.form(form));
- }
-
- @Test
- public void testRequestAuthorizationCode ()
- throws ProcessingException,
- KustvaktException {
-
- Form form = new Form();
- form.param("response_type", "code");
- form.param("client_id", "fCBbQkAyYzI4NzUxMg");
- form.param("scope", "search");
-
- //testRequestAuthorizationCodeMissingRedirectUri(form);
- //testRequestAuthorizationCodeInvalidRedirectUri(form);
-
- form.param("redirect_uri", redirectUri);
-
- testRequestAuthorizationCodeWithoutOpenID(form, redirectUri);
-
- form.param("state", "thisIsMyState");
-
- Response response = sendAuthorizationRequest(form);
- URI location = response.getLocation();
- assertEquals(redirectUri, location.getScheme() + "://"
- + location.getHost() + location.getPath());
-
- MultiValueMap<String, String> params =
- UriComponentsBuilder.fromUri(location).build().getQueryParams();
- assertNotNull(params.getFirst("code"));
- assertEquals("thisIsMyState", params.getFirst("state"));
- }
-
- private void testRequestAuthorizationCodeWithoutOpenID (
- Form form, String redirectUri)
- throws KustvaktException {
- Response response = sendAuthorizationRequest(form);
-
- URI location = response.getLocation();
- // System.out.println(location.toString());
- assertEquals(redirectUri, location.getScheme() + "://"
- + location.getHost() + location.getPath());
- }
-
- private void testRequestAuthorizationCodeMissingRedirectUri (
- Form form) throws KustvaktException {
- Response response = sendAuthorizationRequest(form);
- String entity = response.readEntity(String.class);
-System.out.println(entity);
- JsonNode node = JsonUtils.readTree(entity);
- assertEquals(OAuth2Error.INVALID_REQUEST, node.at("/error").asText());
- assertEquals("redirect_uri is required",
- node.at("/error_description").asText());
- }
-
- private void testRequestAuthorizationCodeInvalidRedirectUri (
- Form form) throws KustvaktException {
- form.param("redirect_uri", "blah");
- Response response = sendAuthorizationRequest(form);
- String entity = response.readEntity(String.class);
-
- JsonNode node = JsonUtils.readTree(entity);
- assertEquals(OAuth2Error.INVALID_REQUEST, node.at("/error").asText());
- assertEquals("Invalid redirect URI",
- node.at("/error_description").asText());
-
- form.asMap().remove("redirect_uri");
- }
-
- @Test
- public void testRequestAuthorizationCodeMissingClientID ()
- throws KustvaktException {
- Form form = new Form();
- form.param("scope", "openid");
- form.param("redirect_uri", redirectUri);
-
- // error response is represented in JSON because redirect URI
- // cannot be verified without client id
- // Besides client_id is a mandatory parameter in a normal
- // OAuth2 authorization request, thus it is checked first,
- // before redirect_uri. see
- // com.nimbusds.oauth2.sdk.AuthorizationRequest
-
- Response response = sendAuthorizationRequest(form);
- String entity = response.readEntity(String.class);
- JsonNode node = JsonUtils.readTree(entity);
- assertEquals(OAuth2Error.INVALID_REQUEST, node.at("/error").asText());
- assertEquals("Invalid request: Missing client_id parameter",
- node.at("/error_description").asText());
-
- }
-
- @Test
- public void testRequestAuthorizationCodeMissingResponseType ()
- throws KustvaktException {
- Form form = new Form();
- form.param("scope", "openid");
- form.param("redirect_uri", redirectUri);
- form.param("client_id", "blah");
-
- // client_id has not been verified yet
- // MUST NOT automatically redirect the user-agent to the
- // invalid redirection URI.
-
- Response response = sendAuthorizationRequest(form);
- String entity = response.readEntity(String.class);
- JsonNode node = JsonUtils.readTree(entity);
- assertEquals(OAuth2Error.INVALID_REQUEST, node.at("/error").asText());
- assertEquals("Invalid request: Missing response_type parameter",
- node.at("/error_description").asText());
- }
-
- private void testRequestAuthorizationCodeUnsupportedResponseType (
- Form form, String type)
- throws KustvaktException {
-
- Response response = sendAuthorizationRequest(form);
- URI location = response.getLocation();
- assertEquals(MediaType.APPLICATION_FORM_URLENCODED,
- response.getMediaType().toString());
-
- MultiValueMap<String, String> params =
- UriComponentsBuilder.fromUri(location).build().getQueryParams();
- assertEquals("invalid_request", params.getFirst("error"));
- assertEquals("unsupported+response_type%3A+" + type,
- params.getFirst("error_description"));
- }
-
- /**
- * We don't support implicit grant. Implicit grant allows
- * response_type:
- * <ul>
- * <li>id_token</li>
- * <li>id_token token</li>
- * </ul>
- *
- * @throws KustvaktException
- */
- @Test
- public void testRequestAuthorizationCodeUnsupportedImplicitFlow ()
- throws KustvaktException {
- Form form = new Form();
- form.param("scope", "openid");
- form.param("redirect_uri", redirectUri);
- form.param("response_type", "id_token");
- form.param("client_id", "fCBbQkAyYzI4NzUxMg");
- form.param("nonce", "nonce");
-
- testRequestAuthorizationCodeUnsupportedResponseType(form, "id_token");
-
- form.asMap().remove("response_type");
- form.param("response_type", "id_token token");
- testRequestAuthorizationCodeUnsupportedResponseType(form, "id_token");
- }
-
- /**
- * Hybrid flow is not supported. Hybrid flow allows
- * response_type:
- * <ul>
- * <li>code id_token</li>
- * <li>code token</li>
- * <li>code id_token token</li>
- * </ul>
- *
- * @throws KustvaktExceptiony);
- * assertTrue(signedJWT.verify(verifier));
- */
-
- @Test
- public void testRequestAuthorizationCodeUnsupportedHybridFlow ()
- throws KustvaktException {
- Form form = new Form();
- form.param("scope", "openid");
- form.param("redirect_uri", redirectUri);
- form.param("response_type", "code id_token");
- form.param("client_id", "fCBbQkAyYzI4NzUxMg");
- form.param("nonce", "nonce");
- testRequestAuthorizationCodeUnsupportedResponseType(form, "id_token");
-
- form.asMap().remove("response_type");
- form.param("response_type", "code token");
- testRequestAuthorizationCodeUnsupportedResponseType(form, "token");
- }
-
- @Test
- public void testRequestAccessTokenWithAuthorizationCode ()
- throws KustvaktException, ParseException, InvalidKeySpecException,
- NoSuchAlgorithmException, JOSEException {
- String client_id = "fCBbQkAyYzI4NzUxMg";
- String nonce = "thisIsMyNonce";
- Form form = new Form();
- form.param("response_type", "code");
- form.param("client_id", client_id);
- form.param("redirect_uri", redirectUri);
- form.param("scope", "openid");
- form.param("state", "thisIsMyState");
- form.param("nonce", nonce);
-
- Response response = sendAuthorizationRequest(form);
- URI location = response.getLocation();
- MultiValueMap<String, String> params =
- UriComponentsBuilder.fromUri(location).build().getQueryParams();
- assertEquals("thisIsMyState", params.getFirst("state"));
- String code = params.getFirst("code");
-
- Form tokenForm = new Form();
- testRequestAccessTokenMissingGrant(tokenForm);
- tokenForm.param("grant_type", "authorization_code");
- tokenForm.param("code", code);
- testRequestAccessTokenMissingClientId(tokenForm);
- tokenForm.param("client_id", client_id);
- testRequestAccessTokenMissingClientSecret(tokenForm);
- tokenForm.param("client_secret", "secret");
- tokenForm.param("redirect_uri", redirectUri);
-
- Response tokenResponse = sendTokenRequest(tokenForm);
- String entity = tokenResponse.readEntity(String.class);
-
- JsonNode node = JsonUtils.readTree(entity);
- assertNotNull(node.at("/access_token").asText());
- assertNotNull(node.at("/refresh_token").asText());
- assertEquals(TokenType.BEARER.toString(),
- node.at("/token_type").asText());
- assertNotNull(node.at("/expires_in").asText());
- String id_token = node.at("/id_token").asText();
- assertNotNull(id_token);
-
- verifyingIdToken(id_token, username, client_id, nonce);
- }
-
- private void testRequestAccessTokenMissingGrant (
- Form tokenForm) throws KustvaktException {
- Response response = sendTokenRequest(tokenForm);
- String entity = response.readEntity(String.class);
- JsonNode node = JsonUtils.readTree(entity);
- assertEquals(OAuth2Error.INVALID_REQUEST, node.at("/error").asText());
- assertEquals("Invalid request: Missing grant_type parameter",
- node.at("/error_description").asText());
- }
-
- private void testRequestAccessTokenMissingClientId (
- Form tokenForm) throws KustvaktException {
- Response response = sendTokenRequest(tokenForm);
- String entity = response.readEntity(String.class);
- JsonNode node = JsonUtils.readTree(entity);
- assertEquals(OAuth2Error.INVALID_REQUEST, node.at("/error").asText());
- assertEquals("Invalid request: Missing required client_id "
- + "parameter", node.at("/error_description").asText());
- }
-
- private void testRequestAccessTokenMissingClientSecret (
- Form tokenForm) throws KustvaktException {
- Response response = sendTokenRequest(tokenForm);
- String entity = response.readEntity(String.class);
- JsonNode node = JsonUtils.readTree(entity);
- assertEquals(OAuth2Error.INVALID_REQUEST, node.at("/error").asText());
- assertEquals("Missing parameter: client_secret",
- node.at("/error_description").asText());
- }
-
- private void verifyingIdToken (String id_token, String username,
- String client_id, String nonce) throws ParseException,
- InvalidKeySpecException, NoSuchAlgorithmException, JOSEException {
- JWKSet keySet = config.getPublicKeySet();
- RSAKey publicKey = (RSAKey) keySet.getKeyByKeyId(config.getRsaKeyId());
-
- SignedJWT signedJWT = SignedJWT.parse(id_token);
- JWSVerifier verifier = new RSASSAVerifier(publicKey);
- assertTrue(signedJWT.verify(verifier));
-
- JWTClaimsSet claimsSet = signedJWT.getJWTClaimsSet();
- assertEquals(client_id, claimsSet.getAudience().get(0));
- assertEquals(username, claimsSet.getSubject());
- assertEquals(config.getIssuerURI().toString(), claimsSet.getIssuer());
- assertTrue(new Date().before(claimsSet.getExpirationTime()));
- assertNotNull(claimsSet.getClaim(Attributes.AUTHENTICATION_TIME));
- assertEquals(nonce, claimsSet.getClaim("nonce"));
- }
-
- // no openid
- @Test
- public void testRequestAccessTokenWithPassword ()
- throws KustvaktException, ParseException, InvalidKeySpecException,
- NoSuchAlgorithmException, JOSEException {
- // public client
- String client_id = "8bIDtZnH6NvRkW2Fq";
- Form tokenForm = new Form();
- testRequestAccessTokenMissingGrant(tokenForm);
-
- tokenForm.param("grant_type", GrantType.PASSWORD.toString());
- testRequestAccessTokenMissingUsername(tokenForm);
-
- tokenForm.param("username", username);
- testRequestAccessTokenMissingPassword(tokenForm);
-
- tokenForm.param("password", "pass");
- tokenForm.param("client_id", client_id);
-
- Response tokenResponse = sendTokenRequest(tokenForm);
- String entity = tokenResponse.readEntity(String.class);
- JsonNode node = JsonUtils.readTree(entity);
-
- assertEquals(OAuth2Error.UNAUTHORIZED_CLIENT,
- node.at("/error").asText());
- assertEquals("Password grant is not allowed for third party clients",
- node.at("/error_description").asText());
- }
-
- private void testRequestAccessTokenMissingUsername (
- Form tokenForm) throws KustvaktException {
- Response response = sendTokenRequest(tokenForm);
- String entity = response.readEntity(String.class);
- JsonNode node = JsonUtils.readTree(entity);
- assertEquals(OAuth2Error.INVALID_REQUEST, node.at("/error").asText());
- assertEquals("Invalid request: Missing or empty username parameter",
- node.at("/error_description").asText());
- }
-
- private void testRequestAccessTokenMissingPassword (
- Form tokenForm) throws KustvaktException {
- Response response = sendTokenRequest(tokenForm);
- String entity = response.readEntity(String.class);
- JsonNode node = JsonUtils.readTree(entity);
- assertEquals(OAuth2Error.INVALID_REQUEST, node.at("/error").asText());
- assertEquals("Invalid request: Missing or empty password parameter",
- node.at("/error_description").asText());
- }
-
- @Test
- public void testPublicKeyAPI () throws KustvaktException {
- Response response = target().path(API_VERSION).path("oauth2").path("openid")
- .path("jwks")
- .request()
- .get();
- String entity = response.readEntity(String.class);
- JsonNode node = JsonUtils.readTree(entity);
- assertEquals(1, node.at("/keys").size());
- node = node.at("/keys/0");
- assertEquals("RSA", node.at("/kty").asText());
- assertEquals(config.getRsaKeyId(), node.at("/kid").asText());
- assertNotNull(node.at("/e").asText());
- assertNotNull(node.at("/n").asText());
- }
-
- @Test
- public void testOpenIDConfiguration () throws KustvaktException {
- Response response = target().path(API_VERSION).path("oauth2").path("openid")
- .path("config")
- .request()
- .get();
- String entity = response.readEntity(String.class);
- JsonNode node = JsonUtils.readTree(entity);
- assertNotNull(node.at("/issuer"));
- assertNotNull(node.at("/authorization_endpoint"));
- assertNotNull(node.at("/token_endpoint"));
- assertNotNull(node.at("/response_types_supported"));
- assertNotNull(node.at("/subject_types_supported"));
- assertNotNull(node.at("/id_token_signing_alg_values_supported"));
- }
-}
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/TokenExpiryTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/TokenExpiryTest.java
index 9626116..0ebd7fb 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/TokenExpiryTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/TokenExpiryTest.java
@@ -93,11 +93,11 @@
form.param("client_id", "fCBbQkAyYzI4NzUxMg");
form.param("redirect_uri",
"https://korap.ids-mannheim.de/confidential/redirect");
- form.param("scope", "openid");
+ form.param("scope", "search");
form.param("max_age", "1");
Response response =
- target().path(API_VERSION).path("oauth2").path("openid").path("authorize")
+ target().path(API_VERSION).path("oauth2").path("authorize")
.request()
.header(Attributes.AUTHORIZATION, "Bearer " + token)
.header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
diff --git a/full/src/test/resources/kustvakt-test.conf b/full/src/test/resources/kustvakt-test.conf
index 893d04b..913e2ed 100644
--- a/full/src/test/resources/kustvakt-test.conf
+++ b/full/src/test/resources/kustvakt-test.conf
@@ -91,29 +91,6 @@
oauth2.initial.super.client=true
-# OpenId
-# multiple values are separated by space
-openid.grant.types = authorization_code
-openid.response.types = code
-openid.response.modes = query
-openid.client.auth.methods = client_secret_basic client_secret_post
-openid.token.signing.algorithms = RS256
-openid.subject.types = public
-openid.display.types = page
-openid.supported.scopes = openid email auth_time
-openid.support.claim.param = false
-openid.claim.types = normal
-openid.supported.claims = iss sub aud exp iat
-openid.ui.locales = en
-#openid.privacy.policy =
-#openid.term.of.service =
-openid.service.doc = https://github.com/KorAP/Kustvakt/wiki
-
-# JWK
-# must be set for openid
-rsa.private = kustvakt_rsa.key
-rsa.public = kustvakt_rsa_public.key
-rsa.key.id = 74caa3a9-217c-49e6-94e9-2368fdd02c35
# see SecureRandom Number Generation Algorithms
# optional
diff --git a/full/src/test/resources/kustvakt_rsa.key b/full/src/test/resources/kustvakt_rsa.key
deleted file mode 100644
index 1db25e9..0000000
--- a/full/src/test/resources/kustvakt_rsa.key
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "p": "y7t3f2VRo5TN3IsCjshSWWwe4H1-Xd7iBbtPS_fmBeaVDbLr-05LsGRJxXzKheMJ5DwBzhvWAlCig5uSJG3Gk4i0LgLY5YO33shb9qqqEnF54ZkJbiqxSs5l_dggzZgYB5z0riVl2VA3yfNm1qJIE2eipBouUjBEXMOEtJlOrFc",
- "kty": "RSA",
- "q": "v4HHIpOddl_78fVQgvZCsINygpLuniJ3sVShLhX7LnCU0Eb4TMK_Fyz9_JPb3YFvEoPpQw3kfnAhkOBTATTpXzg_dNtR6eQfvDJfHl9R6FuSoVTJoNAO_rqEpKzQOGXl4ohBxVjhXcbEo6GEVp4pZAeXMM8D02IWfvGbJd0Yw0k",
- "d": "OJFnms4n3ajWKvK26aOh_r8JGgQwbQNIXpx8UqFnc_EB4nzxcLns8-FGKa9Vg3VMAs8cFC4iM9evx1084yqsCeSKgwiV5ZVQkwnp35Gd5BslZxuH8kCdR1mL5y0V0RMwgW-W1ry_YtdhBSIze8XCJXB7udNk7bviiJylEm8OouyxAq-5uUy_qMWYk-mtDSpmPW9SfFf91c6P7-ataDFcd_zxFotd1UwXDVDaPfUnxpOA6Jh1WsvIFhX4IzETuUG8n5C-j6FrK_YlU7U-zFzzF8qWTthQVj5l7A0zOGmq6OC9mv_xtnSc6z9I-HklWFXa8eDsc2JasYqJY8CmTDSy8Q",
- "e": "AQAB",
- "kid": "74caa3a9-217c-49e6-94e9-2368fdd02c35",
- "qi": "Iv8_jAuCTdU7xZ1GXK0Zaql3Azu1-qXiZseod9urLFFZK6OvxrhH0BexG_P1tRikUfEUQiyqNVCU544Z0Y0AdDbgb5aEYNa3Bkb5WAHHXsLDtzXSsxgvR4Pzg3PhT3HTrLkgTlWy9g0u7bwfhb-KTRszcw4SyFXz9o62xJLPJZo",
- "dp": "pA8_qHhHqMoAiNPsaFyKa_Y0WyTTqPX93w26SnvDYQcRCqoFfCbNrqrj-UOHtw9gfMmRzo795HlYlVCm--zmlxHjvpWOYiyS2bVQ0S8Xq6hztKbPQEbi5FGXMjZkHAuZdi__nWkCPmBpvJfkPX0LO40eHLX0jTzPIEBWUjSOdRs",
- "dq": "GtnydumlqWRZ6hoQWNx4i1FS6_X4GRoSGD4af2C7oE5Ov0lEJVck_fXkAtcke9FbJohyW2GGSSglvK-HU-L8WcqEMzlRKe8_d97EMXkB_gdg7tf5kV-6yoKSeJh2dYHsErAyMJ5-suxcw-iwqohwm0LpMwHDso7NQq1TqKJwh2k",
- "n": "mGgmGYIN06ibCh98nsXp0a77xRQNnB9rKpRGKm41tVi0zLQWqmEdDh2CmrMiOOxTJFSlAuAVkwK-KVQZ5Men5dJvRyTwZPtBWSJZk32Znj3VshFloSQlQU-g3oh3c2htP03EDtBLmecZMI-OUV1hRCvrRUrS-qF24CJ-rheFsCmpSievEJDQqTTfXcbAG2DdRQJHWb3y1iyNojB_mV1H2Gztg9DGEZarloqXoTFeDcxs7SpZJqAWCWTJQk8n6Ye79SfGMNrzaaqN9aHx__6FU-GFdZexlWE0CemQcfx_hTEkCTa2EsGgI_GETQIjeCZRB29x91E3AlWVvEgA591pzw"
-}
\ No newline at end of file
diff --git a/full/src/test/resources/kustvakt_rsa_public.key b/full/src/test/resources/kustvakt_rsa_public.key
deleted file mode 100644
index 28c2fad..0000000
--- a/full/src/test/resources/kustvakt_rsa_public.key
+++ /dev/null
@@ -1,6 +0,0 @@
-{"keys": [{
- "kty": "RSA",
- "e": "AQAB",
- "kid": "74caa3a9-217c-49e6-94e9-2368fdd02c35",
- "n": "mGgmGYIN06ibCh98nsXp0a77xRQNnB9rKpRGKm41tVi0zLQWqmEdDh2CmrMiOOxTJFSlAuAVkwK-KVQZ5Men5dJvRyTwZPtBWSJZk32Znj3VshFloSQlQU-g3oh3c2htP03EDtBLmecZMI-OUV1hRCvrRUrS-qF24CJ-rheFsCmpSievEJDQqTTfXcbAG2DdRQJHWb3y1iyNojB_mV1H2Gztg9DGEZarloqXoTFeDcxs7SpZJqAWCWTJQk8n6Ye79SfGMNrzaaqN9aHx__6FU-GFdZexlWE0CemQcfx_hTEkCTa2EsGgI_GETQIjeCZRB29x91E3AlWVvEgA591pzw"
-}]}
\ No newline at end of file
diff --git a/full/src/test/resources/test-config.xml b/full/src/test/resources/test-config.xml
index 2c16410..57501d3 100644
--- a/full/src/test/resources/test-config.xml
+++ b/full/src/test/resources/test-config.xml
@@ -229,14 +229,6 @@
</bean>
<!-- authentication providers to use -->
- <!-- <bean id="openid_auth"
- class="de.ids_mannheim.korap.authentication.OpenIDconnectAuthentication">
- <constructor-arg type="de.ids_mannheim.korap.config.KustvaktConfiguration"
- ref="kustvakt_config" />
- <constructor-arg
- type="de.ids_mannheim.korap.interfaces.db.PersistenceClient" ref="kustvakt_db" />
- </bean> -->
-
<bean id="basic_auth"
class="de.ids_mannheim.korap.authentication.BasicAuthentication" />
@@ -257,7 +249,6 @@
value-type="de.ids_mannheim.korap.interfaces.AuthenticationIface">
<ref bean="basic_auth" />
<ref bean="session_auth" />
- <!-- <ref bean="openid_auth" /> -->
<ref bean="oauth2_auth" />
</util:list>