first working version

Signed-off-by: Stephan Richter <s.richter@srsoftware.de>
2024-08-03 00:47:53 +02:00
parent 928e6d23cb
commit 93f6c2d603
15 changed files with 202 additions and 34 deletions
--- a/de.srsoftware.oidc.backend/build.gradle
+++ b/de.srsoftware.oidc.backend/build.gradle
@@ -15,6 +15,7 @@ dependencies {
    implementation project(':de.srsoftware.cookies')
    implementation project(':de.srsoftware.oidc.api')
    implementation project(':de.srsoftware.logging')
+    implementation project(':de.srsoftware.utils')
    implementation 'org.json:json:20240303'
    implementation 'org.bitbucket.b_c:jose4j:0.9.6'
 }
--- a/de.srsoftware.oidc.backend/src/main/java/de/srsoftware/oidc/backend/ClientController.java
+++ b/de.srsoftware.oidc.backend/src/main/java/de/srsoftware/oidc/backend/ClientController.java
@@ -40,9 +40,10 @@ public class ClientController extends Controller {
 		var optClient = clients.getClient(clientId);
 		if (optClient.isEmpty()) return badRequest(ex, Map.of(CAUSE, "unknown client", CLIENT_ID, clientId));
 		var client = optClient.get();
-
 		if (!client.redirectUris().contains(redirect)) return badRequest(ex, Map.of(CAUSE, "unknown redirect uri", REDIRECT_URI, redirect));

+		client.nonce(json.has(NONCE) ? json.getString(NONCE) : null);
+
 		if (!authorizations.isAuthorized(client, session.user())) {
 			if (json.has(DAYS)) {
 				var days       = json.getInt(DAYS);
--- a/de.srsoftware.oidc.backend/src/main/java/de/srsoftware/oidc/backend/KeyStoreController.java
+++ b/de.srsoftware.oidc.backend/src/main/java/de/srsoftware/oidc/backend/KeyStoreController.java
@@ -2,9 +2,14 @@
 package de.srsoftware.oidc.backend;

 import com.sun.net.httpserver.HttpExchange;
+import de.srsoftware.oidc.api.KeyManager;
 import de.srsoftware.oidc.api.KeyStorage;
 import de.srsoftware.oidc.api.PathHandler;
 import java.io.IOException;
+import org.jose4j.jwk.JsonWebKey;
+import org.jose4j.jwk.PublicJsonWebKey;
+import org.json.JSONArray;
+import org.json.JSONObject;

 public class KeyStoreController extends PathHandler {
 	private final KeyStorage keyStore;
@@ -15,6 +20,26 @@ public class KeyStoreController extends PathHandler {

 	@Override
 	public boolean doGet(String path, HttpExchange ex) throws IOException {
-		return super.doGet(path, ex);
+		switch (path) {
+			case "/":
+				return jwksJson(ex);
+		}
+		return notFound(ex);
+	}
+
+	private boolean jwksJson(HttpExchange ex) throws IOException {
+		JSONArray arr = new JSONArray();
+		for (var keyId : keyStore.listKeys()) try {
+				PublicJsonWebKey key     = keyStore.load(keyId);
+				String	 keyJson = key.toJson(JsonWebKey.OutputControlLevel.PUBLIC_ONLY);
+				arr.put(new JSONObject(keyJson));
+			} catch (IOException e) {
+				throw new RuntimeException(e);
+			} catch (KeyManager.KeyCreationException e) {
+				throw new RuntimeException(e);
+			}
+		JSONObject result = new JSONObject();
+		result.put("keys", arr);
+		return sendContent(ex, result);
 	}
 }
--- a/de.srsoftware.oidc.backend/src/main/java/de/srsoftware/oidc/backend/TokenController.java
+++ b/de.srsoftware.oidc.backend/src/main/java/de/srsoftware/oidc/backend/TokenController.java
@@ -2,6 +2,7 @@
 package de.srsoftware.oidc.backend;

 import static de.srsoftware.oidc.api.Constants.*;
+import static de.srsoftware.utils.Optionals.optional;
 import static java.lang.System.Logger.Level.*;
 import static java.net.HttpURLConnection.HTTP_BAD_REQUEST;

@@ -15,7 +16,6 @@ import java.util.stream.Collectors;
 import org.jose4j.jwk.PublicJsonWebKey;
 import org.jose4j.jws.JsonWebSignature;
 import org.jose4j.jwt.JwtClaims;
-import org.jose4j.jwt.MalformedClaimException;
 import org.jose4j.lang.JoseException;
 import org.json.JSONObject;

@@ -70,13 +70,27 @@ public class TokenController extends PathHandler {
 		var uri = URLDecoder.decode(map.get(REDIRECT_URI), StandardCharsets.UTF_8);
 		if (!client.redirectUris().contains(uri)) sendContent(ex, HTTP_BAD_REQUEST, Map.of(ERROR, "unknown redirect uri", REDIRECT_URI, uri));

-		var secretFromClient = URLDecoder.decode(map.get(CLIENT_SECRET));
-		if (secretFromClient != null && !client.secret().equals(secretFromClient)) return sendContent(ex, HTTP_BAD_REQUEST, Map.of(ERROR, "client secret mismatch"));
-
+		if (client.secret() != null) {
+			String clientSecret = optional(ex.getRequestHeaders().get(AUTHORIZATION))
+				          .map(list -> list.get(0))
+				          .filter(s -> s.startsWith("Basic "))
+				          .map(s -> s.substring(6))
+				          .map(s -> Base64.getDecoder().decode(s))
+				          .map(bytes -> new String(bytes, StandardCharsets.UTF_8))
+				          .filter(s -> s.startsWith("%s:".formatted(client.id())))
+				          .map(s -> s.substring(client.id().length() + 1).trim())
+				          .map(s -> {
+					          System.err.println(s);
+					          return s;
+				          })
+				          .orElseGet(() -> map.get(CLIENT_SECRET));
+			if (clientSecret == null) return sendContent(ex, HTTP_BAD_REQUEST, Map.of(ERROR, "client secret missing"));
+			if (!client.secret().equals(clientSecret)) return sendContent(ex, HTTP_BAD_REQUEST, Map.of(ERROR, "client secret mismatch"));
+		}
 		String jwToken = createJWT(client, user.get());
 		ex.getResponseHeaders().add("Cache-Control", "no-store");
 		JSONObject response = new JSONObject();
-		response.put(ACCESS_TOKEN, UUID.randomUUID().toString());  // TODO: wofür genau wird der verwendet, was gilt es hier zu beachten
+		response.put(ACCESS_TOKEN, users.accessToken(user.get()));
 		response.put(TOKEN_TYPE, BEARER);
 		response.put(EXPIRES_IN, 3600);
 		response.put(ID_TOKEN, jwToken);
@@ -87,7 +101,7 @@ public class TokenController extends PathHandler {
 	private String createJWT(Client client, User user) {
 		try {
 			PublicJsonWebKey key = keyManager.getKey();
-
+			key.setUse("sig");
 			JwtClaims claims = getJwtClaims(user, client);

 			// A JWT is a JWS and/or a JWE with JSON claims as the payload.
@@ -99,6 +113,7 @@ public class TokenController extends PathHandler {
 			jws.setKey(key.getPrivateKey());
 			jws.setKeyIdHeaderValue(key.getKeyId());
 			jws.setAlgorithmHeaderValue(key.getAlgorithm());
+
 			return jws.getCompactSerialization();
 		} catch (JoseException | KeyManager.KeyCreationException | IOException e) {
 			throw new RuntimeException(e);
@@ -115,17 +130,7 @@ public class TokenController extends PathHandler {
 		claims.setIssuer("https://lightoidc.srsoftware.de");  // who creates the token and signs it
 		claims.setGeneratedJwtId();		      // a unique identifier for the token
 		claims.setSubject(user.uuid());		      // the subject/principal is whom the token is about
-
-		// die nachfolgenden Claims sind nur Spielerei, ich habe versucht, das System mit Umbrella zum Laufen zu bekommen
-		claims.setClaim("scope", "openid");
-		claims.setStringListClaim("amr", "pwd");
-		claims.setClaim("at_hash", Base64.getEncoder().encodeToString("Test".getBytes(StandardCharsets.UTF_8)));
-		claims.setClaim("azp", client.id());
-		claims.setClaim("email_verified", true);
-		try {
-			claims.setClaim("rat", claims.getIssuedAt().getValue());
-		} catch (MalformedClaimException e) {
-		}
+		client.nonce().ifPresent(nonce -> claims.setClaim(NONCE, nonce));
 		return claims;
 	}
 }
--- a/de.srsoftware.oidc.backend/src/main/java/de/srsoftware/oidc/backend/UserController.java
+++ b/de.srsoftware.oidc.backend/src/main/java/de/srsoftware/oidc/backend/UserController.java
@@ -8,7 +8,9 @@ import com.sun.net.httpserver.HttpExchange;
 import de.srsoftware.cookies.SessionToken;
 import de.srsoftware.oidc.api.*;
 import java.io.IOException;
+import java.util.Map;
 import java.util.Optional;
+import org.json.JSONObject;

 public class UserController extends Controller {
 	private final UserService users;
@@ -20,6 +22,10 @@ public class UserController extends Controller {

 	@Override
 	public boolean doGet(String path, HttpExchange ex) throws IOException {
+		switch (path) {
+			case "/info":
+				return userInfo(ex);
+		}
 		var optSession = getSession(ex);
 		if (optSession.isEmpty()) return sendEmptyResponse(HTTP_UNAUTHORIZED, ex);

@@ -33,6 +39,14 @@ public class UserController extends Controller {
 		return notFound(ex);
 	}

+	private boolean userInfo(HttpExchange ex) throws IOException {
+		var optUser = getBearer(ex).flatMap(users::forToken);
+		if (optUser.isEmpty()) return sendEmptyResponse(HTTP_UNAUTHORIZED, ex);
+		var user = optUser.get();
+		var map = Map.of("sub",user.uuid(),"email",user.email());
+		return sendContent(ex, new JSONObject(map));
+	}
+

 	@Override
 	public boolean doPost(String path, HttpExchange ex) throws IOException {
--- a/de.srsoftware.oidc.backend/src/main/java/de/srsoftware/oidc/backend/WellKnownController.java
+++ b/de.srsoftware.oidc.backend/src/main/java/de/srsoftware/oidc/backend/WellKnownController.java
@@ -19,6 +19,6 @@ public class WellKnownController extends PathHandler {

 	private boolean openidConfig(HttpExchange ex) throws IOException {
 		var host = hostname(ex);
-		return sendContent(ex, Map.of("token_endpoint", host + "/api/token", "authorization_endpoint", host + "/web/authorization.html", "userinfo_endpoint", host + "/api/userinfo", "jwks_uri", host + "/api/jwks", "issuer", "https://lightoidc.srsoftware.de"));
+		return sendContent(ex, Map.of("token_endpoint", host + "/api/token", "authorization_endpoint", host + "/web/authorization.html", "userinfo_endpoint", host + "/api/user/info", "jwks_uri", host + "/api/jwks.json", "issuer", "https://lightoidc.srsoftware.de"));
 	}
 }