if (c.getSource() != null) { return c.getSource(); } else { o.addProperty(CLIENT_ID, c.getClientId()); if (c.getClientSecret() != null) { o.addProperty(CLIENT_SECRET, c.getClientSecret()); if (c.getClientSecretExpiresAt() == null) { o.addProperty(CLIENT_SECRET_EXPIRES_AT, 0); // TODO: do we want to let secrets expire? } else { o.addProperty(CLIENT_SECRET_EXPIRES_AT, c.getClientSecretExpiresAt().getTime() / 1000L); if (c.getClientIdIssuedAt() != null) { o.addProperty(CLIENT_ID_ISSUED_AT, c.getClientIdIssuedAt().getTime() / 1000L); } else if (c.getCreatedAt() != null) { o.addProperty(CLIENT_ID_ISSUED_AT, c.getCreatedAt().getTime() / 1000L); if (c.getRegistrationAccessToken() != null) { o.addProperty(REGISTRATION_ACCESS_TOKEN, c.getRegistrationAccessToken()); if (c.getRegistrationClientUri() != null) { o.addProperty(REGISTRATION_CLIENT_URI, c.getRegistrationClientUri()); o.add(REDIRECT_URIS, getAsArray(c.getRedirectUris())); o.addProperty(CLIENT_NAME, c.getClientName()); o.addProperty(CLIENT_URI, c.getClientUri()); o.addProperty(LOGO_URI, c.getLogoUri());
/**
 * Builds a {@link RegisteredClient} from a JSON registration response.
 *
 * <p>The client metadata is delegated to {@code parse}; the registration-management fields
 * (registration access token, registration client URI, issued-at and secret-expiry
 * timestamps) are read from the same object afterwards.
 *
 * <p>NOTE(review): the raw registration object is kept verbatim as the client's
 * {@code source}; it may carry the client secret, so treat it as sensitive when logging
 * or re-serializing.
 *
 * @param jsonEl the parsed registration response
 * @return the registered client, or {@code null} when {@code jsonEl} is not a JSON object
 */
public static RegisteredClient parseRegistered(JsonElement jsonEl) {
	if (!jsonEl.isJsonObject()) {
		return null;
	}
	JsonObject registration = jsonEl.getAsJsonObject();
	ClientDetailsEntity details = parse(jsonEl);
	RegisteredClient registered = new RegisteredClient(details);

	// registration-management fields are not part of the client metadata, so they are
	// pulled out separately from the same object
	registered.setRegistrationAccessToken(getAsString(registration, REGISTRATION_ACCESS_TOKEN));
	registered.setRegistrationClientUri(getAsString(registration, REGISTRATION_CLIENT_URI));
	registered.setClientIdIssuedAt(getAsDate(registration, CLIENT_ID_ISSUED_AT));
	registered.setClientSecretExpiresAt(getAsDate(registration, CLIENT_SECRET_EXPIRES_AT));
	registered.setSource(registration);
	return registered;
}
if (SECRET_BASIC.equals(clientConfig.getTokenEndpointAuthMethod())){ if (SECRET_JWT.equals(clientConfig.getTokenEndpointAuthMethod()) || PRIVATE_KEY.equals(clientConfig.getTokenEndpointAuthMethod())) { JWSAlgorithm alg = clientConfig.getTokenEndpointAuthSigningAlg(); if (SECRET_JWT.equals(clientConfig.getTokenEndpointAuthMethod()) && (JWSAlgorithm.HS256.equals(alg) || JWSAlgorithm.HS384.equals(alg) signer = symmetricCacheService.getSymmetricValidtor(clientConfig.getClient()); } else if (PRIVATE_KEY.equals(clientConfig.getTokenEndpointAuthMethod())) { claimsSet.issuer(clientConfig.getClientId()); claimsSet.subject(clientConfig.getClientId()); claimsSet.audience(Lists.newArrayList(serverConfig.getTokenEndpointUri())); claimsSet.jwtID(UUID.randomUUID().toString()); form.add("client_id", clientConfig.getClientId()); form.add("client_secret", clientConfig.getClientSecret()); Algorithm clientAlg = clientConfig.getIdTokenSignedResponseAlg(); jwtValidator = symmetricCacheService.getSymmetricValidtor(clientConfig.getClient()); } else { } else if (!idClaims.getAudience().contains(clientConfig.getClientId())) { throw new AuthenticationServiceException("Audience does not match, expected " + clientConfig.getClientId() + " got " + idClaims.getAudience());
/**
 * Creates the request via the parent factory and attaches HTTP Basic client
 * authentication built from the configured client id and client secret.
 *
 * <p>NOTE(review): both values are percent-encoded with {@code encodePathSegment} before
 * being joined. RFC 6749 §2.3.1 specifies {@code application/x-www-form-urlencoded} for the
 * Basic credentials, which escapes a slightly different character set — confirm the
 * authorization server decodes the pair the same way.
 *
 * @param url    the request target
 * @param method the HTTP method
 * @return the request with an {@code Authorization: Basic ...} header added
 * @throws IOException if the parent factory cannot create the request
 */
@Override
protected ClientHttpRequest createRequest(URI url, HttpMethod method) throws IOException {
	ClientHttpRequest httpRequest = super.createRequest(url, method);
	String encodedId = UriUtils.encodePathSegment(clientConfig.getClientId(), "UTF-8");
	String encodedSecret = UriUtils.encodePathSegment(clientConfig.getClientSecret(), "UTF-8");
	String credentialPair = String.format("%s:%s", encodedId, encodedSecret);
	// never log headerValue: it is the client secret, only base64-encoded
	String headerValue = String.format("Basic %s", Base64.encode(credentialPair));
	httpRequest.getHeaders().add("Authorization", headerValue);
	return httpRequest;
}
};
MultiValueMap<String, String> form = new LinkedMultiValueMap<>(); final String clientId = client.getClientId(); final String clientSecret = client.getClientSecret(); if (SECRET_BASIC.equals(client.getTokenEndpointAuthMethod())){
/**
 * Builds the authorization-code request URL for the given server and client.
 *
 * <p>Parameter order in the query is: {@code response_type}, {@code client_id},
 * {@code scope}, {@code redirect_uri}, {@code nonce}, {@code state}, then every entry of
 * {@code options} in iteration order, then {@code login_hint} when supplied. Entries in
 * {@code options} are appended as given and are not checked against the fixed parameters.
 *
 * @param serverConfig the provider configuration supplying the authorization endpoint
 * @param clientConfig the registered client supplying client id and scope
 * @param redirectUri  the redirect URI to request
 * @param nonce        the nonce bound to the resulting ID token
 * @param state        the state value bound to this request
 * @param options      additional query parameters, appended verbatim
 * @param loginHint    optional login hint; skipped when null or empty
 * @return the complete authorization request URL
 * @throws AuthenticationServiceException if the endpoint or resulting URL is not a valid URI
 */
@Override
public String buildAuthRequestUrl(ServerConfiguration serverConfig, RegisteredClient clientConfig,
		String redirectUri, String nonce, String state, Map<String, String> options, String loginHint) {
	try {
		URIBuilder builder = new URIBuilder(serverConfig.getAuthorizationEndpointUri());
		builder.addParameter("response_type", "code");
		builder.addParameter("client_id", clientConfig.getClientId());
		builder.addParameter("scope", Joiner.on(" ").join(clientConfig.getScope()));
		builder.addParameter("redirect_uri", redirectUri);
		builder.addParameter("nonce", nonce);
		builder.addParameter("state", state);

		// caller-supplied extras go after the fixed parameters
		options.forEach(builder::addParameter);

		boolean hasLoginHint = loginHint != null && !loginHint.isEmpty();
		if (hasLoginHint) {
			builder.addParameter("login_hint", loginHint);
		}
		return builder.build().toString();
	} catch (URISyntaxException e) {
		throw new AuthenticationServiceException("Malformed Authorization Endpoint Uri", e);
	}
}
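/**
 * Persists a dynamically registered client for the given issuer.
 *
 * <p>Redirect URIs and scopes are each stored as one space-delimited column, in the
 * set's iteration order; a null or empty set leaves the column unset. Because the row
 * mapper splits these columns on a single space, a value that itself contains a space
 * cannot survive the round trip.
 *
 * <p>NOTE(review): the client secret is written as received; presumably the column is
 * protected at rest — confirm against the schema.
 *
 * @param issuer the issuer this registration belongs to
 * @param client the registration whose id, secret, redirect URIs and scopes are stored
 * @throws RollBackException    propagated from {@code save}
 * @throws NonRollBackException propagated from {@code save}
 */
@Override
public void saveRegisteredClient(String issuer, RegisteredClient client) throws RollBackException, NonRollBackException {
	ClientDetail clientDetail = new ClientDetail();
	clientDetail.setClientId(client.getClientId());
	clientDetail.setClientSecret(client.getClientSecret());
	clientDetail.setIssuer(issuer);

	Set<String> redirectUris = client.getRedirectUris();
	if (redirectUris != null && !redirectUris.isEmpty()) {
		clientDetail.setRedirectUris(joinWithSpace(redirectUris));
	}

	Set<String> scopes = client.getScope();
	if (scopes != null && !scopes.isEmpty()) {
		clientDetail.setScope(joinWithSpace(scopes));
	}

	save(clientDetail);
}

/**
 * Joins the values with single spaces, in the set's iteration order, without a leading
 * or trailing separator.
 *
 * @param values the non-empty set to join
 * @return the space-delimited string
 */
private static String joinWithSpace(Set<String> values) {
	return String.join(" ", values);
}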
claims.claim("client_id", clientConfig.getClientId()); claims.claim("scope", Joiner.on(" ").join(clientConfig.getScope())); JWSAlgorithm alg = clientConfig.getRequestObjectSigningAlg(); if (alg == null) { alg = signingAndValidationService.getDefaultSigningAlgorithm();
if (knownClient.getClientId() == null) { headers.set("Authorization", String.format("%s %s", OAuth2AccessToken.BEARER_TYPE, knownClient.getRegistrationAccessToken())); headers.setAccept(Lists.newArrayList(MediaType.APPLICATION_JSON)); String registered = restTemplate.exchange(knownClient.getRegistrationClientUri(), HttpMethod.GET, entity, String.class).getBody();
RegisteredClient registered = new RegisteredClient(client, token.getValue(), config.getIssuer() + "register/" + UriUtils.encodePathSegment(client.getClientId(), "UTF-8"));
/**
 * Maps one stored client row back to a {@link RegisteredClient}.
 *
 * <p>Only {@code CLIENT_ID}, {@code CLIENT_SECRET}, {@code REDIRECT_URIS} and {@code SCOPE}
 * are read. The two multi-valued columns are space-delimited; a null or empty column
 * leaves the corresponding set untouched.
 *
 * @param rs  the result set positioned on the row to map
 * @param num the row number (unused)
 * @return the client rebuilt from the row
 * @throws SQLException if a column cannot be read
 */
public RegisteredClient mapRow(ResultSet rs, int num) throws SQLException {
	RegisteredClient client = new RegisteredClient();
	client.setClientId(rs.getString("CLIENT_ID"));
	client.setClientSecret(rs.getString("CLIENT_SECRET"));

	String storedRedirectUris = rs.getString("REDIRECT_URIS");
	if (storedRedirectUris != null && !storedRedirectUris.isEmpty()) {
		client.setRedirectUris(splitSpaceDelimited(storedRedirectUris));
	}

	String storedScope = rs.getString("SCOPE");
	if (storedScope != null && !storedScope.isEmpty()) {
		client.setScope(splitSpaceDelimited(storedScope));
	}

	return client;
}

/**
 * Splits a space-delimited column value into a mutable set.
 *
 * @param column the non-empty column value
 * @return the distinct tokens; consecutive spaces yield empty-string tokens, as before
 */
private static Set<String> splitSpaceDelimited(String column) {
	return new HashSet<>(Arrays.asList(column.split(" ")));
}
if (clientConfig.getRegisteredRedirectUri() != null && clientConfig.getRegisteredRedirectUri().size() == 1) { redirectUri = Iterables.getOnlyElement(clientConfig.getRegisteredRedirectUri()); } else { if (clientConfig.getCodeChallengeMethod() != null) { String codeVerifier = createCodeVerifier(session); options.put("code_challenge_method", clientConfig.getCodeChallengeMethod().getName()); if (clientConfig.getCodeChallengeMethod().equals(PKCEAlgorithm.plain)) { options.put("code_challenge", codeVerifier); } else if (clientConfig.getCodeChallengeMethod().equals(PKCEAlgorithm.S256)) { try { MessageDigest digest = MessageDigest.getInstance("SHA-256");
MultiValueMap<String, String> form = new LinkedMultiValueMap<>(); final String clientId = client.getClientId(); final String clientSecret = client.getClientSecret(); if (SECRET_BASIC.equals(client.getTokenEndpointAuthMethod())){
claims.claim("client_id", clientConfig.getClientId()); claims.claim("scope", Joiner.on(" ").join(clientConfig.getScope()));
/**
 * Creates the request via the parent factory and attaches HTTP Basic client
 * authentication built from the configured client id and client secret.
 *
 * <p>NOTE(review): both values are percent-encoded with {@code encodePathSegment} before
 * being joined. RFC 6749 §2.3.1 specifies {@code application/x-www-form-urlencoded} for the
 * Basic credentials, which escapes a slightly different character set — confirm the
 * authorization server decodes the pair the same way.
 *
 * @param url    the request target
 * @param method the HTTP method
 * @return the request with an {@code Authorization: Basic ...} header added
 * @throws IOException if the parent factory cannot create the request
 */
@Override
protected ClientHttpRequest createRequest(URI url, HttpMethod method) throws IOException {
	ClientHttpRequest httpRequest = super.createRequest(url, method);
	String encodedId = UriUtils.encodePathSegment(clientConfig.getClientId(), "UTF-8");
	String encodedSecret = UriUtils.encodePathSegment(clientConfig.getClientSecret(), "UTF-8");
	String credentialPair = String.format("%s:%s", encodedId, encodedSecret);
	// never log headerValue: it is the client secret, only base64-encoded
	String headerValue = String.format("Basic %s", Base64.encode(credentialPair));
	httpRequest.getHeaders().add("Authorization", headerValue);
	return httpRequest;
}
};
claims.claim("client_id", clientConfig.getClientId()); claims.claim("scope", Joiner.on(" ").join(clientConfig.getScope())); JWSAlgorithm alg = clientConfig.getRequestObjectSigningAlg(); if (alg == null) { alg = signingAndValidationService.getDefaultSigningAlgorithm();
if (knownClient.getClientId() == null) { headers.set("Authorization", String.format("%s %s", OAuth2AccessToken.BEARER_TYPE, knownClient.getRegistrationAccessToken())); headers.setAccept(Lists.newArrayList(MediaType.APPLICATION_JSON)); String registered = restTemplate.exchange(knownClient.getRegistrationClientUri(), HttpMethod.GET, entity, String.class).getBody();
RegisteredClient registered = new RegisteredClient(client, token.getValue(), config.getIssuer() + "resource/" + UriUtils.encodePathSegment(client.getClientId(), "UTF-8"));
if (clientConfig.getRegisteredRedirectUri() != null && clientConfig.getRegisteredRedirectUri().size() == 1) { redirectUri = Iterables.getOnlyElement(clientConfig.getRegisteredRedirectUri()); } else { if (clientConfig.getCodeChallengeMethod() != null) { String codeVerifier = createCodeVerifier(session); options.put("code_challenge_method", clientConfig.getCodeChallengeMethod().getName()); if (clientConfig.getCodeChallengeMethod().equals(PKCEAlgorithm.plain)) { options.put("code_challenge", codeVerifier); } else if (clientConfig.getCodeChallengeMethod().equals(PKCEAlgorithm.S256)) { try { MessageDigest digest = MessageDigest.getInstance("SHA-256");
if (SECRET_BASIC.equals(clientConfig.getTokenEndpointAuthMethod())){ if (SECRET_JWT.equals(clientConfig.getTokenEndpointAuthMethod()) || PRIVATE_KEY.equals(clientConfig.getTokenEndpointAuthMethod())) { JWSAlgorithm alg = clientConfig.getTokenEndpointAuthSigningAlg(); if (SECRET_JWT.equals(clientConfig.getTokenEndpointAuthMethod()) && (alg.equals(JWSAlgorithm.HS256) || alg.equals(JWSAlgorithm.HS384) signer = symmetricCacheService.getSymmetricValidtor(clientConfig.getClient()); } else if (PRIVATE_KEY.equals(clientConfig.getTokenEndpointAuthMethod())) { claimsSet.issuer(clientConfig.getClientId()); claimsSet.subject(clientConfig.getClientId()); claimsSet.audience(Lists.newArrayList(serverConfig.getTokenEndpointUri())); claimsSet.jwtID(UUID.randomUUID().toString()); form.add("client_id", clientConfig.getClientId()); form.add("client_secret", clientConfig.getClientSecret()); Algorithm clientAlg = clientConfig.getIdTokenSignedResponseAlg(); jwtValidator = symmetricCacheService.getSymmetricValidtor(clientConfig.getClient()); } else { } else if (!idClaims.getAudience().contains(clientConfig.getClientId())) { throw new AuthenticationServiceException("Audience does not match, expected " + clientConfig.getClientId() + " got " + idClaims.getAudience());