diff --git a/de.srsoftware.oidc.app/src/main/java/de/srsoftware/oidc/app/Application.java b/de.srsoftware.oidc.app/src/main/java/de/srsoftware/oidc/app/Application.java
index 0342348..a163862 100644
--- a/de.srsoftware.oidc.app/src/main/java/de/srsoftware/oidc/app/Application.java
+++ b/de.srsoftware.oidc.app/src/main/java/de/srsoftware/oidc/app/Application.java
@@ -78,7 +78,7 @@ public class Application {
 new Forward(INDEX).bindPath(ROOT).on(server);
 new WellKnownController().bindPath(WELL_KNOWN, "/realms/oidc" + WELL_KNOWN).on(server);
 new UserController(mailConfig, sessionService, userService, staticPages).bindPath(API_USER).on(server);
- var tokenControllerConfig = new TokenController.Configuration("https://lightoidc.srsoftware.de", 10); // TODO configure or derive from hostname
+ var tokenControllerConfig = new TokenController.Configuration( 10);
 new TokenController(authService, clientService, keyManager, userService, tokenControllerConfig).bindPath(API_TOKEN).on(server);
 new ClientController(authService, clientService, sessionService, userService).bindPath(API_CLIENT).on(server);
 new KeyStoreController(keyStore).bindPath(JWKS).on(server);
diff --git a/de.srsoftware.oidc.backend/src/main/java/de/srsoftware/oidc/backend/TokenController.java b/de.srsoftware.oidc.backend/src/main/java/de/srsoftware/oidc/backend/TokenController.java
index f5f8f83..f9da058 100644
--- a/de.srsoftware.oidc.backend/src/main/java/de/srsoftware/oidc/backend/TokenController.java
+++ b/de.srsoftware.oidc.backend/src/main/java/de/srsoftware/oidc/backend/TokenController.java
@@ -27,7 +27,7 @@ import org.jose4j.lang.JoseException;
 import org.json.JSONObject;

 public class TokenController extends PathHandler {
- public record Configuration(String issuer, int tokenExpirationMinutes) {
+ public record Configuration(int tokenExpirationMinutes) {
 }
 private final ClientService clients;
 private final AuthorizationService authorizations;
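Review bot: Dropping `issuer` from `TokenController.Configuration` removes the only way for an operator to pin the `iss` value, which the old TODO ("configure or derive from hostname") offered as the first option; the replacement hunk in TokenController derives it from the request instead. An OIDC issuer is a stable identifier that relying parties compare byte-for-byte against the discovery document, so it is safer to keep it configurable and fall back to the hostname only when unset, e.g. `public record Configuration(Optional<String> issuer, int tokenExpirationMinutes) {}` with `new TokenController.Configuration(Optional.empty(), 10)` here. Minor style point on the same line: `Configuration( 10)` carries a stray space after the parenthesis. The enclosing method in Application.java starts and ends outside this hunk.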
@@ -115,7 +115,8 @@ public class TokenController extends PathHandler {
 var user = optUser.get();
 var accessToken = users.accessToken(user);
- String jwToken = createJWT(client, user, accessToken);
+ var issuer = "https://"+hostname(ex);
+ String jwToken = createJWT(client, user, accessToken, issuer);
 ex.getResponseHeaders().add("Cache-Control", "no-store");
 JSONObject response = new JSONObject();
 response.put(ACCESS_TOKEN, accessToken.id());
@@ -126,13 +127,13 @@ public class TokenController extends PathHandler {
 return sendContent(ex, response);
 }

- private String createJWT(Client client, User user, AccessToken accessToken) {
+ private String createJWT(Client client, User user, AccessToken accessToken, String issuer) {
 try {
 PublicJsonWebKey key = keyManager.getKey();
 var algo = key.getAlgorithm();
 var atHash = this.atHash(algo, accessToken);
 key.setUse("sig");
- JwtClaims claims = createIdTokenClaims(user, client, atHash);
+ JwtClaims claims = createIdTokenClaims(user, client, atHash, issuer);
 // A JWT is a JWS and/or a JWE with JSON claims as the payload.
 // In this example it is a JWS so we create a JsonWebSignature object.
@@ -167,12 +168,12 @@ public class TokenController extends PathHandler {
 }
 }

- private JwtClaims createIdTokenClaims(User user, Client client, String atHash) {
+ private JwtClaims createIdTokenClaims(User user, Client client, String atHash, String issuer) {
 var optNonce = authorizations.consumeNonce(user.uuid(), client.id());
 JwtClaims claims = new JwtClaims();
 // required claims:
- claims.setIssuer(issuer); // who creates the token and signs it
+ claims.setIssuer(issuer); // who creates the token and signs it
 claims.setSubject(user.uuid()); // the subject/principal is whom the token is about
 claims.setAudience(client.id());
 claims.setExpirationTimeMinutesInTheFuture(config.tokenExpirationMinutes); // time when the token will expire (10 minutes from now)
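Review bot: The new line `var issuer = "https://"+hostname(ex);` in the first hunk lets the `iss` claim of a signed ID token be driven by the incoming request; if `hostname(ex)` (not visible here) reads the Host or a forwarded header without checking it against the hostnames this server is actually deployed under, a client that can reach the token endpoint with a crafted header obtains a validly signed token carrying an attacker-chosen issuer, which undermines the issuer check relying parties perform and the mix-up defences built on it. Before the value reaches `createJWT` it should be compared with an allow-list of served hostnames (or, better, replaced by a configured issuer string that also feeds the discovery document), rejecting the request otherwise, e.g. `if (!allowedHosts.contains(hostname(ex))) return sendError(ex, "unknown host");`. The scheme is fixed to `https://` regardless of how the request arrived, so the same value must be what `WellKnownController` publishes as `issuer`; I cannot see that controller, so please confirm the two stay identical. The method containing the first hunk, and `createJWT` and `createIdTokenClaims` in the later hunks, all start or end outside the visible lines.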