
bugfix: deriving issuer from hostname

Signed-off-by: Stephan Richter <s.richter@srsoftware.de>
Stephan Richter 1 month ago
parent
commit
1a5a137329
  1. 2
      de.srsoftware.oidc.app/src/main/java/de/srsoftware/oidc/app/Application.java
  2. 13
      de.srsoftware.oidc.backend/src/main/java/de/srsoftware/oidc/backend/TokenController.java

2
de.srsoftware.oidc.app/src/main/java/de/srsoftware/oidc/app/Application.java

@ -78,7 +78,7 @@ public class Application {
new Forward(INDEX).bindPath(ROOT).on(server); new Forward(INDEX).bindPath(ROOT).on(server);
new WellKnownController().bindPath(WELL_KNOWN, "/realms/oidc" + WELL_KNOWN).on(server); new WellKnownController().bindPath(WELL_KNOWN, "/realms/oidc" + WELL_KNOWN).on(server);
new UserController(mailConfig, sessionService, userService, staticPages).bindPath(API_USER).on(server); new UserController(mailConfig, sessionService, userService, staticPages).bindPath(API_USER).on(server);
var tokenControllerConfig = new TokenController.Configuration("https://lightoidc.srsoftware.de", 10); // TODO configure or derive from hostname var tokenControllerConfig = new TokenController.Configuration( 10);
new TokenController(authService, clientService, keyManager, userService, tokenControllerConfig).bindPath(API_TOKEN).on(server); new TokenController(authService, clientService, keyManager, userService, tokenControllerConfig).bindPath(API_TOKEN).on(server);
new ClientController(authService, clientService, sessionService, userService).bindPath(API_CLIENT).on(server); new ClientController(authService, clientService, sessionService, userService).bindPath(API_CLIENT).on(server);
new KeyStoreController(keyStore).bindPath(JWKS).on(server); new KeyStoreController(keyStore).bindPath(JWKS).on(server);
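Review bot: Dropping the issuer from `TokenController.Configuration` on the `tokenControllerConfig` line leaves the application without a single, server-defined issuer value, while the discovery document bound on the `WellKnownController` line above has to advertise exactly the `iss` that the ID tokens carry, or relying parties that validate `iss` against discovery will reject the tokens. Whether `WellKnownController` derives its issuer the same way is not visible here; if it does not, the two can diverge between deployments behind different hostnames. A short comment at this line stating where the issuer is now decided would help, e.g. `// issuer is derived per request in TokenController from the request hostname; keep WellKnownController's issuer consistent with it`. The host-derivation itself is discussed on the TokenController section.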

13
de.srsoftware.oidc.backend/src/main/java/de/srsoftware/oidc/backend/TokenController.java

@ -27,7 +27,7 @@ import org.jose4j.lang.JoseException;
import org.json.JSONObject; import org.json.JSONObject;
public class TokenController extends PathHandler { public class TokenController extends PathHandler {
public record Configuration(String issuer, int tokenExpirationMinutes) { public record Configuration(int tokenExpirationMinutes) {
} }
private final ClientService clients; private final ClientService clients;
private final AuthorizationService authorizations; private final AuthorizationService authorizations;
@ -115,7 +115,8 @@ public class TokenController extends PathHandler {
var user = optUser.get(); var user = optUser.get();
var accessToken = users.accessToken(user); var accessToken = users.accessToken(user);
String jwToken = createJWT(client, user, accessToken); var issuer = "https://"+hostname(ex);
String jwToken = createJWT(client, user, accessToken, issuer);
ex.getResponseHeaders().add("Cache-Control", "no-store"); ex.getResponseHeaders().add("Cache-Control", "no-store");
JSONObject response = new JSONObject(); JSONObject response = new JSONObject();
response.put(ACCESS_TOKEN, accessToken.id()); response.put(ACCESS_TOKEN, accessToken.id());
@ -126,13 +127,13 @@ public class TokenController extends PathHandler {
return sendContent(ex, response); return sendContent(ex, response);
} }
private String createJWT(Client client, User user, AccessToken accessToken) { private String createJWT(Client client, User user, AccessToken accessToken, String issuer) {
try { try {
PublicJsonWebKey key = keyManager.getKey(); PublicJsonWebKey key = keyManager.getKey();
var algo = key.getAlgorithm(); var algo = key.getAlgorithm();
var atHash = this.atHash(algo, accessToken); var atHash = this.atHash(algo, accessToken);
key.setUse("sig"); key.setUse("sig");
JwtClaims claims = createIdTokenClaims(user, client, atHash); JwtClaims claims = createIdTokenClaims(user, client, atHash, issuer);
// A JWT is a JWS and/or a JWE with JSON claims as the payload. // A JWT is a JWS and/or a JWE with JSON claims as the payload.
// In this example it is a JWS so we create a JsonWebSignature object. // In this example it is a JWS so we create a JsonWebSignature object.
@ -167,12 +168,12 @@ public class TokenController extends PathHandler {
} }
} }
private JwtClaims createIdTokenClaims(User user, Client client, String atHash) { private JwtClaims createIdTokenClaims(User user, Client client, String atHash, String issuer) {
var optNonce = authorizations.consumeNonce(user.uuid(), client.id()); var optNonce = authorizations.consumeNonce(user.uuid(), client.id());
JwtClaims claims = new JwtClaims(); JwtClaims claims = new JwtClaims();
// required claims: // required claims:
claims.setIssuer(config.issuer); // who creates the token and signs it claims.setIssuer(issuer); // who creates the token and signs it
claims.setSubject(user.uuid()); // the subject/principal is whom the token is about claims.setSubject(user.uuid()); // the subject/principal is whom the token is about
claims.setAudience(client.id()); claims.setAudience(client.id());
claims.setExpirationTimeMinutesInTheFuture(config.tokenExpirationMinutes); // time when the token will expire (10 minutes from now) claims.setExpirationTimeMinutesInTheFuture(config.tokenExpirationMinutes); // time when the token will expire (10 minutes from now)
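Review bot: On the new line `var issuer = "https://"+hostname(ex);` the issuer is taken from the incoming request, which the client controls through the Host header (and, if `hostname(ex)` — defined outside this hunk — honours forwarded-host headers behind a proxy, through those as well), so the `iss` claim set in `createIdTokenClaims` becomes caller-influenced instead of server-defined; a request with a spoofed host yields a signed ID token naming a foreign issuer. The derived hostname should be checked against the hostnames this server is deployed under before it is used, and the request answered with an error otherwise; an allowlist of permitted hosts in `Configuration` would be the natural place, and the same value can then feed the discovery document. The `Configuration` record no longer carries a value that could serve as an override, so even deployments with one fixed public hostname cannot pin the issuer. The handler containing the `var issuer` line and `createIdTokenClaims` both extend outside the hunks shown.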
