gCubeSystem
/
oidc-library
16
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Compare commits

base: gCubeSystem:master
Branches Tags
gCubeSystem:master
gCubeSystem:r5.17.1
gCubeSystem:v1.3.2
gCubeSystem:r5.13.0
gCubeSystem:v1.3.1
gCubeSystem:r5.4.0
gCubeSystem:v1.3.0
gCubeSystem:r5.2.0
gCubeSystem:v1.2.1
gCubeSystem:r5.0.0
gCubeSystem:v1.2.0
..
compare: gCubeSystem:v1.3.1
Branches Tags
gCubeSystem:master
gCubeSystem:r5.17.1
gCubeSystem:v1.3.2
gCubeSystem:r5.13.0
gCubeSystem:v1.3.1
gCubeSystem:r5.4.0
gCubeSystem:v1.3.0
gCubeSystem:r5.2.0
gCubeSystem:v1.2.1
gCubeSystem:r5.0.0
gCubeSystem:v1.2.0

No commits in common. "master" and "v1.3.1" have entirely different histories.
master ... v1.3.1

9 changed files with 34 additions and 270 deletions
Show Stats Expand all files Collapse all files

30
.classpath
View File

@ -3,27 +3,12 @@
<classpathentry excluding="**" kind="src" output="target/classes" path="src/main/resources">
<attributes>
<attribute name="maven.pomderived" value="true"/>
<attribute name="optional" value="true"/>
</attributes>
</classpathentry>
<classpathentry excluding="**" kind="src" output="target/test-classes" path="src/test/resources">
<attributes>
<attribute name="maven.pomderived" value="true"/>
<attribute name="test" value="true"/>
<attribute name="maven.pomderived" value="true"/>
<attribute name="optional" value="true"/>
</attributes>
</classpathentry>
<classpathentry kind="src" output="target/classes" path="src/main/java">
<attributes>
<attribute name="optional" value="true"/>
<attribute name="maven.pomderived" value="true"/>
</attributes>
</classpathentry>
<classpathentry kind="src" output="target/test-classes" path="src/test/java">
<attributes>
<attribute name="test" value="true"/>
<attribute name="optional" value="true"/>
<attribute name="maven.pomderived" value="true"/>
</attributes>
</classpathentry>
<classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER/org.eclipse.jdt.internal.debug.ui.launcher.StandardVMType/JavaSE-1.8">
@ -37,5 +22,18 @@
<attribute name="org.eclipse.jst.component.nondependency" value=""/>
</attributes>
</classpathentry>
<classpathentry kind="src" output="target/classes" path="src/main/java">
<attributes>
<attribute name="optional" value="true"/>
<attribute name="maven.pomderived" value="true"/>
</attributes>
</classpathentry>
<classpathentry kind="src" output="target/test-classes" path="src/test/java">
<attributes>
<attribute name="optional" value="true"/>
<attribute name="maven.pomderived" value="true"/>
<attribute name="test" value="true"/>
</attributes>
</classpathentry>
<classpathentry kind="output" path="target/classes"/>
</classpath>

2
.settings/org.eclipse.jdt.core.prefs
View File

@ -6,6 +6,6 @@ org.eclipse.jdt.core.compiler.problem.assertIdentifier=error
org.eclipse.jdt.core.compiler.problem.enablePreviewFeatures=disabled
org.eclipse.jdt.core.compiler.problem.enumIdentifier=error
org.eclipse.jdt.core.compiler.problem.forbiddenReference=warning
org.eclipse.jdt.core.compiler.problem.reportPreviewFeatures=warning
org.eclipse.jdt.core.compiler.problem.reportPreviewFeatures=ignore
org.eclipse.jdt.core.compiler.release=disabled
org.eclipse.jdt.core.compiler.source=1.8

8
.settings/org.eclipse.wst.common.component
View File

@ -1,14 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?><project-modules id="moduleCoreId" project-version="1.5.0">
<wb-module deploy-name="oidc-library">
<wb-resource deploy-path="/" source-path="/src/main/resources"/>
<wb-resource deploy-path="/" source-path="/src/main/java"/>
</wb-module>
</project-modules>

2
.settings/org.eclipse.wst.common.project.facet.core.xml
View File

@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
<faceted-project>
<installed facet="jst.utility" version="1.0"/>
<installed facet="java" version="1.8"/>
<installed facet="jst.utility" version="1.0"/>
</faceted-project>

24
CHANGELOG.md
View File

@ -2,26 +2,16 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
# Changelog for "oidc-library"
## [v1.3.3]
- Added JSON parsed instance of the refresh token to `JWTToken` class, the getter and methods to checks its presence and expiration
## [v1.3.1]
Added `Catalogue-Manager` and `Catalogue-Moderator` roles to the enum (#23623)
## [v1.3.2] - 2024-05-08
- Header X-D4Science-Context in query exchange and refresh
- Token exchange (#27099)
- PerformQueryTokenWithPOST accepts also optional headers
- PerformURLEncodedPOSTSendData accepts also optional headers
- Moved from `maven-portal-bom` to `gcube-bom`
## [v1.3.0]
Added method to retrieve UMA token by using `clientId` and `clientSecret` in a specific `audience` (aka context) that can now be provided in both encoded and not encoded form (starts with "/" check is performed).
## [v1.3.1] - 2022-07-07
- Added `Catalogue-Manager` and `Catalogue-Moderator` roles to the enum (#23623)
## [v1.3.0] - 2021-06-24
- Added method to retrieve UMA token by using `clientId` and `clientSecret` in a specific `audience` (aka context) that can now be provided in both encoded and not encoded form (starts with "/" check is performed).
## [v1.2.1] - 2021-04-12
## [v1.2.1]
- "Data-Editor" role added (#20896), some logs changed to debug level
## [v1.2.0] - 2021-01-27
## [v1.2.0]
- Site is now comparable. Added JTI value getter and essentials info dump in JWT. Revised get avatar helper.
## [v1.1.1]
@ -30,5 +20,5 @@ This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
## [v1.1.0]
- Added avatar configuration and retrieve helper methods (#19726)
## [v1.0.0]
## [v1.0.0-SNAPSHOT]
- First release (#19225) (#19226) (#19227)

18
pom.xml
View File

@ -7,20 +7,20 @@
<parent>
<artifactId>maven-parent</artifactId>
<groupId>org.gcube.tools</groupId>
<version>1.2.0</version>
<version>1.1.0</version>
<relativePath />
</parent>
<groupId>org.gcube.common</groupId>
<artifactId>oidc-library</artifactId>
<version>1.3.3</version>
<version>1.3.1</version>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.gcube.distribution</groupId>
<artifactId>gcube-bom</artifactId>
<version>2.4.1</version>
<artifactId>maven-portal-bom</artifactId>
<version>3.6.4</version>
<type>pom</type>
<scope>import</scope>
</dependency>
@ -33,14 +33,6 @@
<url>https://code-repo.d4science.org/gCubeSystem/${project.artifactId}</url>
</scm>
<properties>
<java.version>8</java.version>
<maven.compiler.source>${java.version}</maven.compiler.source>
<maven.compiler.target>${java.version}</maven.compiler.target>
<slf4j-log4j12.version>1.6.4</slf4j-log4j12.version>
<log4j.version>1.2.16</log4j.version>
</properties>
<dependencies>
<dependency>
@ -56,14 +48,12 @@
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
<version>${slf4j-log4j12.version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>${log4j.version}</version>
<scope>test</scope>
</dependency>

26
src/main/java/org/gcube/oidc/rest/JWTToken.java
View File

@ -28,7 +28,6 @@ public class JWTToken implements Serializable {
private String raw;
private JSONObject tokens;
private JSONObject payload;
private JSONObject refreshToken;
public static JWTToken fromString(String tokenString) {
if (tokenString == null) {
@ -51,11 +50,6 @@ public class JWTToken implements Serializable {
tokens = (JSONObject) new JSONParser().parse(this.raw);
String[] parts = getAccessTokenString().split("\\.");
payload = (JSONObject) new JSONParser().parse(new String(Base64.getDecoder().decode(parts[1])));
String refreshTokenString = getRefreshTokenString();
if (refreshTokenString != null) {
refreshToken = (JSONObject) new JSONParser()
.parse(new String(Base64.getDecoder().decode(refreshTokenString.split("\\.")[1])));
}
}
public String getRaw() {
@ -87,14 +81,6 @@ public class JWTToken implements Serializable {
return payload;
}
public boolean hasRefreshToken() {
return refreshToken != null;
}
public JSONObject getRefreshToken() {
return refreshToken;
}
public String getAzp() {
return (String) getPayload().get("azp");
}
@ -103,18 +89,10 @@ public class JWTToken implements Serializable {
return (Long) getPayload().get("exp");
}
public Long getRefreshTokenExp() {
return hasRefreshToken() ? (Long) getRefreshToken().get("exp") : 0;
}
public Date getExpAsDate() {
return new Date(getExp() * 1000);
}
public Date getRefreshTokenExpAsDate() {
return new Date(getRefreshTokenExp() * 1000);
}
public Calendar getExpAsCalendar() {
Calendar cal = Calendar.getInstance();
cal.setTime(getExpAsDate());
@ -125,10 +103,6 @@ public class JWTToken implements Serializable {
return new Date().after(getExpAsDate());
}
public boolean isRefreshTokenExpired() {
return new Date().after(getRefreshTokenExpAsDate());
}
public List<String> getAud() {
List<String> audienceStrings = new ArrayList<>();
Object audience = getPayload().get("aud");

191
src/main/java/org/gcube/oidc/rest/OpenIdConnectRESTHelper.java
View File

@ -71,23 +71,6 @@ public class OpenIdConnectRESTHelper {
public static JWTToken queryClientToken(String clientId, String clientSecret, URL tokenURL)
throws OpenIdConnectRESTHelperException {
return queryClientToken(clientId, clientSecret, tokenURL, null);
}
/**
* Queries from the OIDC server an OIDC access token, by using provided clientId and client secret.
*
* @param clientId the client id
* @param clientSecret the client secret
* @param tokenUrl the token endpoint {@link URL} of the OIDC server
* @param extraHeaders extra HTTP headers to add to the request (e.g. <code>X-D4Science-Context</code> custom header), may be <code>null</code>
* @return the issued token
* @throws OpenIdConnectRESTHelperException if an error occurs (also an unauthorized call), inspect the exception for details
*/
public static JWTToken queryClientToken(String clientId, String clientSecret, URL tokenURL,
Map<String, String> extraHeaders)
throws OpenIdConnectRESTHelperException {
Map<String, List<String>> params = new HashMap<>();
params.put("grant_type", Arrays.asList("client_credentials"));
try {
@ -100,41 +83,28 @@ public class OpenIdConnectRESTHelper {
} catch (UnsupportedEncodingException e) {
logger.error("Cannot URL encode 'client_secret'", e);
}
return performQueryTokenWithPOST(tokenURL, null, params, extraHeaders);
return performQueryTokenWithPOST(tokenURL, null, params);
}
public static JWTToken queryToken(String clientId, URL tokenURL, String code, String scope,
String redirectURI) throws Exception {
return queryToken(clientId, tokenURL, code, scope, redirectURI, null);
}
public static JWTToken queryToken(String clientId, URL tokenURL, String code, String scope,
String redirectURI, Map<String, String> extraHeaders) throws Exception {
Map<String, List<String>> params = new HashMap<>();
params.put("client_id", Arrays.asList(URLEncoder.encode(clientId, "UTF-8")));
params.put("grant_type", Arrays.asList("authorization_code"));
params.put("scope", Arrays.asList(URLEncoder.encode(scope, "UTF-8")));
params.put("code", Arrays.asList(URLEncoder.encode(code, "UTF-8")));
params.put("redirect_uri", Arrays.asList(URLEncoder.encode(redirectURI, "UTF-8")));
return performQueryTokenWithPOST(tokenURL, null, params, extraHeaders);
return performQueryTokenWithPOST(tokenURL, null, params);
}
protected static JWTToken performQueryTokenWithPOST(URL tokenURL, String authorization,
Map<String, List<String>> params) throws OpenIdConnectRESTHelperException {
return performQueryTokenWithPOST(tokenURL, authorization, params, null);
}
protected static JWTToken performQueryTokenWithPOST(URL tokenURL, String authorization,
Map<String, List<String>> params, Map<String, String> headers) throws OpenIdConnectRESTHelperException {
logger.debug("Querying access token from OIDC server with URL: {}", tokenURL);
StringBuilder sb;
try {
HttpURLConnection httpURLConnection = performURLEncodedPOSTSendData(tokenURL, params, authorization,
headers);
HttpURLConnection httpURLConnection = performURLEncodedPOSTSendData(tokenURL, params, authorization);
sb = new StringBuilder();
int httpResultCode = httpURLConnection.getResponseCode();
@ -174,12 +144,6 @@ public class OpenIdConnectRESTHelper {
protected static HttpURLConnection performURLEncodedPOSTSendData(URL url, Map<String, List<String>> params,
String authorization) throws IOException, ProtocolException, UnsupportedEncodingException {
return performURLEncodedPOSTSendData(url, params, authorization, null);
}
protected static HttpURLConnection performURLEncodedPOSTSendData(URL url, Map<String, List<String>> params,
String authorization, Map<String, String> headers)
throws IOException, ProtocolException, UnsupportedEncodingException {
HttpURLConnection con = (HttpURLConnection) url.openConnection();
con.setRequestMethod("POST");
@ -191,12 +155,6 @@ public class OpenIdConnectRESTHelper {
logger.debug("Adding authorization header as: {}", authorization);
con.setRequestProperty("Authorization", authorization);
}
if (headers != null) {
for (String key : headers.keySet()) {
con.setRequestProperty(key, headers.get(key));
}
}
OutputStream os = con.getOutputStream();
String queryString = mapToQueryString(params);
@ -213,7 +171,7 @@ public class OpenIdConnectRESTHelper {
* @param tokenUrl the token endpoint {@link URL} of the OIDC server
* @param clientId the client id
* @param clientSecret the client secret
* @param audience the audience (context) where to request the issuing of the token (URLEncoded or not)
* @param audience the audience (context) where to request the issuing of the ticket
* @param permissions a list of permissions, can be <code>null</code>
* @return the issued token
* @throws OpenIdConnectRESTHelperException if an error occurs (also an unauthorized call), inspect the exception for details
@ -221,28 +179,9 @@ public class OpenIdConnectRESTHelper {
public static JWTToken queryUMAToken(URL tokenUrl, String clientId, String clientSecret, String audience,
List<String> permissions) throws OpenIdConnectRESTHelperException {
return queryUMAToken(tokenUrl, clientId, clientSecret, audience, permissions, null);
}
/**
* Queries from the OIDC server an UMA token, by using provided clientId and client secret for the given audience
* (context), in URLEncoded form or not, and optionally a list of permissions.
*
* @param tokenUrl the token endpoint {@link URL} of the OIDC server
* @param clientId the client id
* @param clientSecret the client secret
* @param audience the audience (context) where to request the issuing of the token (URLEncoded or not)
* @param permissions a list of permissions, can be <code>null</code>
* @param extraHeaders extra HTTP headers to add to the request (e.g. <code>X-D4Science-Context</code> custom header), may be <code>null</code>
* @return the issued token
* @throws OpenIdConnectRESTHelperException if an error occurs (also an unauthorized call), inspect the exception for details
*/
public static JWTToken queryUMAToken(URL tokenUrl, String clientId, String clientSecret, String audience,
List<String> permissions, Map<String, String> extraHeaders) throws OpenIdConnectRESTHelperException {
return queryUMAToken(tokenUrl,
"Basic " + Base64.getEncoder().encodeToString((clientId + ":" + clientSecret).getBytes()),
audience, permissions, extraHeaders);
audience, permissions);
}
/**
@ -251,7 +190,7 @@ public class OpenIdConnectRESTHelper {
*
* @param tokenUrl the token endpoint {@link URL} of the OIDC server
* @param authorization the auth token (the access token URLEncoded by the "Bearer " string)
* @param audience the audience (context) where to request the issuing of the token (URLEncoded or not)
* @param audience the audience (context) where to request the issuing of the ticket (URLEncoded)
* @param permissions a list of permissions, can be <code>null</code>
* @return the issued token
* @throws OpenIdConnectRESTHelperException if an error occurs (also an unauthorized call), inspect the exception for details
@ -259,24 +198,6 @@ public class OpenIdConnectRESTHelper {
public static JWTToken queryUMAToken(URL tokenUrl, String authorization, String audience,
List<String> permissions) throws OpenIdConnectRESTHelperException {
return queryUMAToken(tokenUrl, authorization, audience, permissions, null);
}
/**
* Queries from the OIDC server an UMA token, by using provided access token, for the given audience (context),
* in URLEncoded form or not, and optionally a list of permissions.
*
* @param tokenUrl the token endpoint {@link URL} of the OIDC server
* @param authorization the auth token (the access token URLEncoded by the "Bearer " string)
* @param audience the audience (context) where to request the issuing of the token (URLEncoded or not)
* @param permissions a list of permissions, can be <code>null</code>
* @param extraHeaders extra HTTP headers to add to the request (e.g. <code>X-D4Science-Context</code> custom header), may be <code>null</code>
* @return the issued token
* @throws OpenIdConnectRESTHelperException if an error occurs (also an unauthorized call), inspect the exception for details
*/
public static JWTToken queryUMAToken(URL tokenUrl, String authorization, String audience,
List<String> permissions, Map<String, String> extraHeaders) throws OpenIdConnectRESTHelperException {
Map<String, List<String>> params = new HashMap<>();
params.put("grant_type", Arrays.asList("urn:ietf:params:oauth:grant-type:uma-ticket"));
if (audience.startsWith("/")) {
@ -302,104 +223,7 @@ public class OpenIdConnectRESTHelper {
}
}).collect(Collectors.toList()));
}
return performQueryTokenWithPOST(tokenUrl, authorization, params, extraHeaders);
}
/**
* Queries from the OIDC server an exchanged token by using provided access token, optionally for the given audience (context)
* in URLEncoded form or not.
*
* @param tokenUrl the token endpoint {@link URL} of the OIDC server
* @param authorization the auth token (the access token URLEncoded by the "Bearer " string)
* @param audience the audience (context) where to request the issuing of the token (URLEncoded or not), may be <code>null</code>
* @param clientId the client id
* @param clientSecret the client secret
* @param extraHeaders extra HTTP headers to add to the request (e.g. <code>X-D4Science-Context</code> custom header), may be <code>null</code>
* @return the issued token
* @throws OpenIdConnectRESTHelperException if an error occurs (also an unauthorized call), inspect the exception for details
*/
public static JWTToken queryExchangeToken(URL tokenUrl, String authorization, String audience, String client_id,
String client_secret, Map<String, String> extraHeaders) throws OpenIdConnectRESTHelperException {
return queryExchangeToken(tokenUrl, authorization, audience, client_id, client_secret,
"urn:ietf:params:oauth:token-type:access_token", null, extraHeaders);
}
/**
* Queries from the OIDC server an exchanged token by using provided access token, optionally for the given audience (context)
* in URLEncoded form or not.
*
* @param tokenUrl the token endpoint {@link URL} of the OIDC server
* @param authorization the auth token (the access token URLEncoded by the "Bearer " string)
* @param audience the audience (context) where to request the issuing of the token (URLEncoded or not), may be <code>null</code>
* @param clientId the client id
* @param clientSecret the client secret
* @param withRefreshToken request also the refresh token (forced to <code>true</code> for offline requests)
* @param offline request a refresh token of offline type (TYP claim)
* @param extraHeaders extra HTTP headers to add to the request (e.g. <code>X-D4Science-Context</code> custom header), may be <code>null</code>
* @return the issued token
* @throws OpenIdConnectRESTHelperException if an error occurs (also an unauthorized call), inspect the exception for details
*/
public static JWTToken queryExchangeToken(URL tokenUrl, String authorization, String audience, String clientId,
String clientSecret, boolean withRefreshToken, boolean offline, Map<String, String> extraHeaders)
throws OpenIdConnectRESTHelperException {
return queryExchangeToken(tokenUrl, authorization, audience, clientId, clientSecret,
withRefreshToken || offline ? "urn:ietf:params:oauth:token-type:refresh_token"
: "urn:ietf:params:oauth:token-type:access_token",
offline ? "offline_access" : null, extraHeaders);
}
/**
* Queries from the OIDC server an exchanged token by using provided access token, optionally for the given audience (context)
* in URLEncoded form or not.
*
* @param tokenUrl the token endpoint {@link URL} of the OIDC server
* @param authorization the auth token (the access token URLEncoded by the "Bearer " string)
* @param audience the audience (context) where to request the issuing of the token (URLEncoded or not), may be <code>null</code>
* @param clientId the client id
* @param clientSecret the client secret
* @param requestedTokenType the requested token type (e.g. <code>urn:ietf:params:oauth:token-type:refresh_token</code> for refresh token)
* @param scope the optional scope to request (e.g. <code>offline_access</code> for an offline token)
* @param extraHeaders extra HTTP headers to add to the request (e.g. <code>X-D4Science-Context</code> custom header), may be <code>null</code>
* @return the issued token
* @throws OpenIdConnectRESTHelperException if an error occurs (also an unauthorized call), inspect the exception for details
*/
public static JWTToken queryExchangeToken(URL tokenUrl, String authorization, String audience, String clientId,
String clientSecret, String requestedTokenType, String scope, Map<String, String> extraHeaders)
throws OpenIdConnectRESTHelperException {
logger.info("Querying exchange token for context: " + audience);
Map<String, List<String>> params = new HashMap<>();
params.put("subject_token", Arrays.asList(authorization));
params.put("client_id", Arrays.asList(clientId));
params.put("client_secret", Arrays.asList(clientSecret));
params.put("grant_type", Arrays.asList("urn:ietf:params:oauth:grant-type:token-exchange"));
params.put("subject_token_type", Arrays.asList("urn:ietf:params:oauth:token-type:access_token"));
params.put("requested_token_type", Arrays.asList(requestedTokenType));
if (scope != null) {
params.put("scope", Arrays.asList(scope));
}
if (audience != null) {
if (audience.startsWith("/")) {
try {
logger.trace("Audience was provided in non URL encoded form, encoding it");
audience = URLEncoder.encode(audience, "UTF-8");
} catch (UnsupportedEncodingException e) {
logger.error("Cannot URL encode 'audience'", e);
}
}
try {
params.put("audience", Arrays.asList(URLEncoder.encode(audience, "UTF-8")));
} catch (UnsupportedEncodingException e) {
logger.error("Cannot URL encode 'audience'", e);
}
}
return performQueryTokenWithPOST(tokenUrl, null, params, extraHeaders);
return performQueryTokenWithPOST(tokenUrl, authorization, params);
}
/**
@ -425,7 +249,6 @@ public class OpenIdConnectRESTHelper {
*/
public static JWTToken refreshToken(URL tokenURL, String clientId, JWTToken token)
throws OpenIdConnectRESTHelperException {
return refreshToken(tokenURL, clientId, null, token);
}

3
src/test/java/org/gcube/oidc/rest/JWTTokenTest.java
View File

@ -18,9 +18,6 @@ public class JWTTokenTest {
Assert.assertNotNull(token.getAccessTokenString());
Assert.assertNotNull(token.getSub());
Assert.assertNotNull(token.getExp());
Assert.assertTrue(token.isExpired());
Assert.assertNotNull(token.getRefreshToken());
Assert.assertTrue(token.isRefreshTokenExpired());
}
}