|
|
@ -6,10 +6,9 @@ import static java.lang.System.Logger.Level.*; |
|
|
|
import static java.net.HttpURLConnection.HTTP_BAD_REQUEST; |
|
|
|
import static java.net.HttpURLConnection.HTTP_BAD_REQUEST; |
|
|
|
|
|
|
|
|
|
|
|
import com.sun.net.httpserver.HttpExchange; |
|
|
|
import com.sun.net.httpserver.HttpExchange; |
|
|
|
import de.srsoftware.oidc.api.Client; |
|
|
|
import de.srsoftware.oidc.api.*; |
|
|
|
import de.srsoftware.oidc.api.ClientService; |
|
|
|
|
|
|
|
import de.srsoftware.oidc.api.PathHandler; |
|
|
|
|
|
|
|
import java.io.IOException; |
|
|
|
import java.io.IOException; |
|
|
|
|
|
|
|
import java.net.URLDecoder; |
|
|
|
import java.nio.charset.StandardCharsets; |
|
|
|
import java.nio.charset.StandardCharsets; |
|
|
|
import java.util.*; |
|
|
|
import java.util.*; |
|
|
|
import java.util.stream.Collectors; |
|
|
|
import java.util.stream.Collectors; |
|
|
@ -22,9 +21,13 @@ import org.json.JSONObject; |
|
|
|
|
|
|
|
|
|
|
|
public class TokenController extends PathHandler { |
|
|
|
public class TokenController extends PathHandler { |
|
|
|
private final ClientService clients; |
|
|
|
private final ClientService clients; |
|
|
|
|
|
|
|
private final AuthorizationService authorizations; |
|
|
|
|
|
|
|
private final UserService users; |
|
|
|
|
|
|
|
|
|
|
|
public TokenController(ClientService clientService) { |
|
|
|
public TokenController(AuthorizationService authorizationService, ClientService clientService, UserService userService) { |
|
|
|
|
|
|
|
authorizations = authorizationService; |
|
|
|
clients = clientService; |
|
|
|
clients = clientService; |
|
|
|
|
|
|
|
users = userService; |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
private Map<String, String> deserialize(String body) { |
|
|
|
private Map<String, String> deserialize(String body) { |
|
|
@ -43,26 +46,30 @@ public class TokenController extends PathHandler { |
|
|
|
|
|
|
|
|
|
|
|
private boolean provideToken(HttpExchange ex) throws IOException { |
|
|
|
private boolean provideToken(HttpExchange ex) throws IOException { |
|
|
|
var map = deserialize(body(ex)); |
|
|
|
var map = deserialize(body(ex)); |
|
|
|
// TODO: check Authorization Code, → https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint
|
|
|
|
|
|
|
|
// TODO: check Redirect URL
|
|
|
|
|
|
|
|
LOG.log(DEBUG, "post data: {0}", map); |
|
|
|
|
|
|
|
LOG.log(WARNING, "{0}.provideToken(ex) not implemented!", getClass().getSimpleName()); |
|
|
|
|
|
|
|
var grantType = map.get(GRANT_TYPE); |
|
|
|
var grantType = map.get(GRANT_TYPE); |
|
|
|
if (!ATUH_CODE.equals(grantType)) sendContent(ex, HTTP_BAD_REQUEST, Map.of(ERROR, "unknown grant type", GRANT_TYPE, grantType)); |
|
|
|
if (!AUTH_CODE.equals(grantType)) return sendContent(ex, HTTP_BAD_REQUEST, Map.of(ERROR, "unknown grant type", GRANT_TYPE, grantType)); |
|
|
|
var optClient = Optional.ofNullable(map.get(CLIENT_ID)).flatMap(clients::getClient); |
|
|
|
|
|
|
|
if (optClient.isEmpty()) { |
|
|
|
var code = map.get(CODE); |
|
|
|
LOG.log(ERROR, "client not found"); |
|
|
|
var optAuthorization = authorizations.forCode(code); |
|
|
|
return sendEmptyResponse(HTTP_BAD_REQUEST, ex); |
|
|
|
if (optAuthorization.isEmpty()) return sendContent(ex, HTTP_BAD_REQUEST, Map.of(ERROR, "invalid auth code", CODE, code)); |
|
|
|
// TODO: send correct response
|
|
|
|
var authorization = optAuthorization.get(); |
|
|
|
} |
|
|
|
|
|
|
|
var secretFromClient = map.get(CLIENT_SECRET); |
|
|
|
var clientId = map.get(CLIENT_ID); |
|
|
|
|
|
|
|
if (!authorization.clientId().equals(clientId)) return sendContent(ex, HTTP_BAD_REQUEST, Map.of(ERROR, "invalid client id", CLIENT_ID, clientId)); |
|
|
|
|
|
|
|
var optClient = clients.getClient(clientId); |
|
|
|
|
|
|
|
if (optClient.isEmpty()) return sendContent(ex, HTTP_BAD_REQUEST, Map.of(ERROR, "unknown client", CLIENT_ID, clientId)); |
|
|
|
var client = optClient.get(); |
|
|
|
var client = optClient.get(); |
|
|
|
if (!client.secret().equals(secretFromClient)) { |
|
|
|
|
|
|
|
LOG.log(ERROR, "client secret mismatch"); |
|
|
|
var user = users.load(authorization.userId()); |
|
|
|
return sendEmptyResponse(HTTP_BAD_REQUEST, ex); |
|
|
|
if (user.isEmpty()) return sendContent(ex, 500, Map.of(ERROR, "User not found")); |
|
|
|
// TODO: send correct response
|
|
|
|
|
|
|
|
} |
|
|
|
var uri = URLDecoder.decode(map.get(REDIRECT_URI), StandardCharsets.UTF_8); |
|
|
|
String jwToken = createJWT(client); |
|
|
|
if (!client.redirectUris().contains(uri)) sendContent(ex, HTTP_BAD_REQUEST, Map.of(ERROR, "unknown redirect uri", REDIRECT_URI, uri)); |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
var secretFromClient = map.get(CLIENT_SECRET); |
|
|
|
|
|
|
|
if (!client.secret().equals(secretFromClient)) return sendContent(ex, HTTP_BAD_REQUEST, Map.of(ERROR, "client secret mismatch")); |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
String jwToken = createJWT(client, user.get()); |
|
|
|
ex.getResponseHeaders().add("Cache-Control", "no-store"); |
|
|
|
ex.getResponseHeaders().add("Cache-Control", "no-store"); |
|
|
|
JSONObject response = new JSONObject(); |
|
|
|
JSONObject response = new JSONObject(); |
|
|
|
response.put(ACCESS_TOKEN, UUID.randomUUID().toString()); // TODO: wofür genau wird der verwendet, was gilt es hier zu beachten
|
|
|
|
response.put(ACCESS_TOKEN, UUID.randomUUID().toString()); // TODO: wofür genau wird der verwendet, was gilt es hier zu beachten
|
|
|
@ -72,22 +79,12 @@ public class TokenController extends PathHandler { |
|
|
|
return sendContent(ex, response); |
|
|
|
return sendContent(ex, response); |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
private String createJWT(Client client) { |
|
|
|
private String createJWT(Client client, User user) { |
|
|
|
try { |
|
|
|
try { |
|
|
|
byte[] secretBytes = client.secret().getBytes(StandardCharsets.UTF_8); |
|
|
|
byte[] secretBytes = client.secret().getBytes(StandardCharsets.UTF_8); |
|
|
|
HmacKey hmacKey = new HmacKey(secretBytes); |
|
|
|
HmacKey hmacKey = new HmacKey(secretBytes); |
|
|
|
|
|
|
|
|
|
|
|
JwtClaims claims = new JwtClaims(); |
|
|
|
JwtClaims claims = getJwtClaims(user); |
|
|
|
claims.setIssuer("Issuer"); // who creates the token and signs it
|
|
|
|
|
|
|
|
claims.setAudience("Audience"); // to whom the token is intended to be sent
|
|
|
|
|
|
|
|
claims.setExpirationTimeMinutesInTheFuture(10); // time when the token will expire (10 minutes from now)
|
|
|
|
|
|
|
|
claims.setGeneratedJwtId(); // a unique identifier for the token
|
|
|
|
|
|
|
|
claims.setIssuedAtToNow(); // when the token was issued/created (now)
|
|
|
|
|
|
|
|
claims.setNotBeforeMinutesInThePast(2); // time before which the token is not yet valid (2 minutes ago)
|
|
|
|
|
|
|
|
claims.setSubject("subject"); // the subject/principal is whom the token is about
|
|
|
|
|
|
|
|
claims.setClaim("email", "mail@example.com"); // additional claims/attributes about the subject can be added
|
|
|
|
|
|
|
|
List<String> groups = Arrays.asList("group-one", "other-group", "group-three"); |
|
|
|
|
|
|
|
claims.setStringListClaim("groups", groups); // multi-valued claims work too and will end up as a JSON array
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// A JWT is a JWS and/or a JWE with JSON claims as the payload.
|
|
|
|
// A JWT is a JWS and/or a JWE with JSON claims as the payload.
|
|
|
|
// In this example it is a JWS so we create a JsonWebSignature object.
|
|
|
|
// In this example it is a JWS so we create a JsonWebSignature object.
|
|
|
@ -105,4 +102,16 @@ public class TokenController extends PathHandler { |
|
|
|
throw new RuntimeException(e); |
|
|
|
throw new RuntimeException(e); |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
private static JwtClaims getJwtClaims(User user) { |
|
|
|
|
|
|
|
JwtClaims claims = new JwtClaims(); |
|
|
|
|
|
|
|
claims.setIssuer(APP_NAME); // who creates the token and signs it
|
|
|
|
|
|
|
|
claims.setExpirationTimeMinutesInTheFuture(10); // time when the token will expire (10 minutes from now)
|
|
|
|
|
|
|
|
claims.setGeneratedJwtId(); // a unique identifier for the token
|
|
|
|
|
|
|
|
claims.setIssuedAtToNow(); // when the token was issued/created (now)
|
|
|
|
|
|
|
|
claims.setNotBeforeMinutesInThePast(2); // time before which the token is not yet valid (2 minutes ago)
|
|
|
|
|
|
|
|
claims.setSubject(user.uuid()); // the subject/principal is whom the token is about
|
|
|
|
|
|
|
|
claims.setClaim("email", user.email()); // additional claims/attributes about the subject can be added
|
|
|
|
|
|
|
|
return claims; |
|
|
|
|
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|