Implemented OpenID Connect authentication for the authorization code request.

Change-Id: I1f93d20315d1da6573a98d92515d5e4ed979fbed
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuth2Controller.java b/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuth2Controller.java
index ae53294..4b2e19e 100644
--- a/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuth2Controller.java
+++ b/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuth2Controller.java
@@ -26,7 +26,7 @@
 
 import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.oauth2.OAuth2AuthorizationRequest;
-import de.ids_mannheim.korap.oauth2.service.OAuth2AuthorizationService;
+import de.ids_mannheim.korap.oauth2.oltu.service.OltuAuthorizationService;
 import de.ids_mannheim.korap.oauth2.service.OAuth2TokenService;
 import de.ids_mannheim.korap.security.context.TokenContext;
 import de.ids_mannheim.korap.web.OAuth2ResponseHandler;
@@ -43,7 +43,7 @@
     @Autowired
     private OAuth2TokenService oAuth2Service;
     @Autowired
-    private OAuth2AuthorizationService authorizationService;
+    private OltuAuthorizationService authorizationService;
 
     /**
      * Requests an authorization code.
@@ -84,10 +84,9 @@
                     new FormRequestWrapper(request, form);
             OAuth2AuthorizationRequest authzRequest =
                     new OAuth2AuthorizationRequest(requestWithForm);
-            OAuthResponse authResponse =
-                    authorizationService.requestAuthorizationCode(
-                            requestWithForm, authzRequest, username);
-            return responseHandler.sendRedirect(authResponse.getLocationUri());
+            String uri = authorizationService.requestAuthorizationCode(
+                    requestWithForm, authzRequest, username);
+            return responseHandler.sendRedirect(uri);
         }
         catch (OAuthSystemException e) {
             throw responseHandler.throwit(e);
@@ -182,14 +181,15 @@
             throw responseHandler.throwit(e);
         }
     }
-    
-//    @POST
-//    @Path("revoke")
-//    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
-//    @Produces(MediaType.APPLICATION_JSON + ";charset=utf-8")
-//    public Response revokeAccessToken (@Context HttpServletRequest request,
-//            @FormParam("grant_type") String grantType,
-//            MultivaluedMap<String, String> form) {
-//        return null;
-//    }
+
+    // @POST
+    // @Path("revoke")
+    // @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
+    // @Produces(MediaType.APPLICATION_JSON + ";charset=utf-8")
+    // public Response revokeAccessToken (@Context HttpServletRequest
+    // request,
+    // @FormParam("grant_type") String grantType,
+    // MultivaluedMap<String, String> form) {
+    // return null;
+    // }
 }
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuth2WithOpenIdController.java b/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuth2WithOpenIdController.java
new file mode 100644
index 0000000..c87516f
--- /dev/null
+++ b/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuth2WithOpenIdController.java
@@ -0,0 +1,116 @@
+package de.ids_mannheim.korap.web.controller;
+
+import java.net.URI;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.ws.rs.Consumes;
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.MultivaluedMap;
+import javax.ws.rs.core.Response;
+import javax.ws.rs.core.Response.ResponseBuilder;
+import javax.ws.rs.core.SecurityContext;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Controller;
+
+import com.nimbusds.oauth2.sdk.ParseException;
+import com.nimbusds.openid.connect.sdk.AuthenticationRequest;
+import com.sun.jersey.spi.container.ResourceFilters;
+
+import de.ids_mannheim.korap.exceptions.KustvaktException;
+import de.ids_mannheim.korap.oauth2.openid.service.OpenIdAuthorizationService;
+import de.ids_mannheim.korap.security.context.TokenContext;
+import de.ids_mannheim.korap.web.filter.AuthenticationFilter;
+import de.ids_mannheim.korap.web.filter.BlockingFilter;
+import de.ids_mannheim.korap.web.utils.MapUtils;
+
+@Controller
+@Path("/oauth2/openid")
+public class OAuth2WithOpenIdController {
+
+    @Autowired
+    private OpenIdAuthorizationService authzService;
+
+    /**
+     * Required parameters for OpenID authentication requests:
+     * 
+     * <ul>
+     * <li>scope: MUST contain "openid" for OpenID Connect
+     * requests,</li>
+     * <li>response_type,</li>
+     * <li>client_id,</li>
+     * <li>redirect_uri: MUST match a pre-registered redirect uri
+     * during client registration.</li>
+     * </ul>
+     * 
+     * Other parameters:
+     * 
+     * <ul>
+     * <li>state (recommended): Opaque value used to maintain state between the request and the 
+     * callback.</li>
+     * <li>response_mode (optional) : mechanism to be used for returning parameters</li>
+     * <li>nonce (optional): String value used to associate a Client session with an ID Token, 
+     * and to mitigate replay attacks. </li>
+     * <li>display (optional):  specifies how the Authorization Server displays the authentication 
+     * and consent user interface pages</li>
+     * <li>prompt (optional): specifies if the Authorization Server prompts the End-User 
+     * for reauthentication and consent. Defined values: none, login, consent, select_account </li>
+     * <li>max_age (optional): maximum Authentication Age.</li>
+     * <li>ui_locales (optional): preferred languages and scripts for the user interface 
+     * represented as a space-separated list of BCP47 [RFC5646] </li>
+     * <li>id_token_hint (optional): ID Token previously issued by the Authorization Server 
+     * being passed as a hint</li>
+     * <li>login_hint (optional): hint to the Authorization Server about the login identifier 
+     * the End-User might use to log in</li>
+     * <li>acr_values (optional): requested Authentication Context Class Reference values. </li>
+     * </ul>
+     * 
+     * @see OpenID Connect Core 1.0 specification
+     * 
+     * @param request
+     * @param context
+     * @param form
+     * @return a redirect to client redirect uri
+     */
+    @POST
+    @Path("authorize")
+    @ResourceFilters({ AuthenticationFilter.class, BlockingFilter.class })
+    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
+    @Produces(MediaType.APPLICATION_JSON + ";charset=utf-8")
+    public Response requestAuthorizationCode (
+            @Context HttpServletRequest request,
+            @Context SecurityContext context,
+            MultivaluedMap<String, String> form) {
+
+        Map<String, String> map = MapUtils.toMap(form);
+        AuthenticationRequest authRequest = null;
+        try {
+            authRequest = AuthenticationRequest.parse(map);
+        }
+        catch (ParseException e) {
+            // TODO Auto-generated catch block
+            e.printStackTrace();
+            return null;
+        }
+
+        TokenContext tokenContext = (TokenContext) context.getUserPrincipal();
+        String username = tokenContext.getUsername();
+
+        URI uri = null;
+        try {
+            uri = authzService.requestAuthorizationCode(authRequest, username);
+            // System.out.println(uri.toString());
+        }
+        catch (KustvaktException e) {
+            // TODO Auto-generated catch block
+            e.printStackTrace();
+        }
+        ResponseBuilder builder = Response.temporaryRedirect(uri);
+        return builder.build();
+    }
+}
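Review bot: `Response.temporaryRedirect(uri)` on line 184 answers with a 307, which instructs the user agent to replay the request with the same method and body; because this endpoint is `@POST`, the browser would re-POST the authorization form to the client's redirect_uri instead of delivering a GET carrying the code, so `Response.seeOther(uri)` (303) or a 302 is the status the front channel expects. The two catch blocks also lose the error: a `ParseException` only prints the stack trace and returns null (an empty 204 for a malformed request, with no indication to the caller), and a `KustvaktException` leaves `uri` null so `Response.temporaryRedirect(null)` throws an IllegalArgumentException and whatever the service rejected (unknown client, unregistered redirect_uri — whatever it raises, which is not visible here) surfaces as a 500. Parse failures must not be redirected at all, because redirect_uri may itself be the invalid parameter (OIDC Core §3.1.2.6); once the request has parsed and the redirect_uri has been validated, service errors could instead be returned to redirect_uri as `error`/`state` parameters, which OAuth2Controller appears to delegate to `responseHandler`, a dependency this class does not wire. Replacing `e.printStackTrace()` with the project's logger also keeps stack traces out of stdout; the status chosen below for `KustvaktException` is a placeholder until the exception's OAuth2 error is mapped properly.
```java
        AuthenticationRequest authRequest;
        try {
            authRequest = AuthenticationRequest.parse(map);
        }
        catch (ParseException e) {
            // Do not redirect on a malformed request: redirect_uri may itself be
            // the invalid parameter (OIDC Core 3.1.2.6), so answer the caller directly.
            return Response.status(Response.Status.BAD_REQUEST)
                    .entity("invalid_request: " + e.getMessage()).build();
        }
        // … unchanged: username lookup from the SecurityContext …
        URI uri;
        try {
            uri = authzService.requestAuthorizationCode(authRequest, username);
        }
        catch (KustvaktException e) {
            // Surface the authorization error instead of redirecting to null;
            // mapping it to the proper OAuth2 error/status belongs to the response handler.
            throw new WebApplicationException(e, Response.Status.BAD_REQUEST);
        }
        // 303 makes the user agent issue a GET to redirect_uri; 307 would replay the POST body.
        return Response.seeOther(uri).build();
```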
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuthClientController.java b/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuthClientController.java
index d272f73..cb00c12 100644
--- a/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuthClientController.java
+++ b/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuthClientController.java
@@ -33,8 +33,10 @@
 import de.ids_mannheim.korap.web.utils.FormRequestWrapper;
 
 
-/** Defines controllers for OAuth2 clients, namely applications attempting
- * to access users' resources. 
+/**
+ * Defines controllers for OAuth2 clients, namely applications
+ * attempting
+ * to access users' resources.
  * 
  * @author margaretha
  *
@@ -48,20 +50,29 @@
     @Autowired
     private OAuth2ResponseHandler responseHandler;
 
-    /** Registers a client application. Before starting an OAuth process, 
-     * client applications have to be registered first. Only registered
-     * users are allowed to register client applications. After registration,
-     * the client will receive a client_id and a client_secret, if the client 
-     * is confidential (capable of storing the client_secret), that are needed 
+    /**
+     * Registers a client application. Before starting an OAuth
+     * process,
+     * client applications have to be registered first. Only
+     * registered
+     * users are allowed to register client applications. After
+     * registration,
+     * the client will receive a client_id and a client_secret, if the
+     * client
+     * is confidential (capable of storing the client_secret), that
+     * are needed
      * in the authorization process.
      * 
      * From RFC 6749:
-     * The authorization server SHOULD document the size of any identifier 
+     * The authorization server SHOULD document the size of any
+     * identifier
      * it issues.
      * 
      * @param context
-     * @param clientJson a JSON object describing the client
-     * @return client_id and client_secret if the client type is confidential
+     * @param clientJson
+     *            a JSON object describing the client
+     * @return client_id and client_secret if the client type is
+     *         confidential
      * 
      * @see OAuth2ClientJson
      */
@@ -85,11 +96,13 @@
     }
 
 
-    /** Deregisters a public client via owner authentication.
+    /**
+     * Deregisters a public client via owner authentication.
      * 
      * 
      * @param securityContext
-     * @param clientId the client id
+     * @param clientId
+     *            the client id
      * @return HTTP Response OK if successful.
      */
     @DELETE
@@ -112,7 +125,8 @@
     }
 
 
-    /** Deregisters confidential clients. Clients must authenticate. 
+    /**
+     * Deregisters confidential clients. Clients must authenticate.
      * 
      * @param securityContext
      * @param request
@@ -130,7 +144,8 @@
             OAuthRequest oAuthRequest = new OAuth2DeregisterClientRequest(
                     new FormRequestWrapper(request, form));
 
-            clientService.deregisterConfidentialClient(oAuthRequest);
+            clientService.deregisterConfidentialClient(
+                    oAuthRequest.getClientId(), oAuthRequest.getClientSecret());
             return Response.ok().build();
         }
         catch (KustvaktException e) {
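Review bot: Passing `oAuthRequest.getClientId()` and `oAuthRequest.getClientSecret()` on lines 274-275 means client authentication for deregistration now depends entirely on what `OAuth2DeregisterClientRequest` extracts from the form body; if that wrapper does not also read an HTTP Basic `Authorization` header, confidential clients authenticating the way RFC 6749 §2.3.1 requires servers to support cannot deregister — worth confirming, since the wrapper is not part of this diff. The secret now travels as a plain `String`, so `deregisterConfidentialClient` should verify it against a stored hash or at least with a constant-time comparison such as `MessageDigest.isEqual` rather than `String.equals`; that method is also outside this hunk. The enclosing method starts before and ends after this hunk.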