StephanRichter/LightOidc
1
0
Fork 0
Code Issues Pull Requests Actions Projects Releases Wiki Activity

moved nonce from client to auhtorization

Browse Source 
Signed-off-by: Stephan Richter <s.richter@srsoftware.de>
This commit is contained in:
Stephan Richter
2024-09-16 23:28:38 +02:00
parent 79de646bf7
commit f737c1dc50
8 changed files with 48 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
de.srsoftware.oidc.backend/src/main/java/de/srsoftware/oidc/backend/ClientController.java
View File

@@ -73,13 +73,14 @@ public class ClientController extends Controller {
var redirect = json.getString(REDIRECT_URI);
if (!client.redirectUris().contains(redirect)) authorizationError(ex, INVALID_REDIRECT_URI, "unknown redirect uri: %s".formatted(redirect), state);
client.nonce(json.has(NONCE) ? json.getString(NONCE) : null);
if (json.has(AUTHORZED)) { // user did consent
var authorized = json.getJSONObject(AUTHORZED);
var days = authorized.getInt("days");
var list = new ArrayList<String>();
authorized.getJSONArray("scopes").forEach(scope -> list.add(scope.toString()));
authorizations.authorize(user.uuid(), client.id(), list, Instant.now().plus(days, ChronoUnit.DAYS));
var nonce = json.has(NONCE) ? json.getString(NONCE) : null;
authorizations.authorize(user.uuid(), client.id(), list, nonce, Instant.now().plus(days, ChronoUnit.DAYS));
}
var authResult = authorizations.getAuthorization(user.uuid(), client.id(), scopes);

10
de.srsoftware.oidc.backend/src/main/java/de/srsoftware/oidc/backend/TokenController.java
View File

@@ -115,7 +115,7 @@ public class TokenController extends PathHandler {
var user = optUser.get();
var accessToken = users.accessToken(user);
String jwToken = createJWT(client, user, accessToken);
String jwToken = createJWT(client, user, accessToken, authorization.nonce());
ex.getResponseHeaders().add("Cache-Control", "no-store");
JSONObject response = new JSONObject();
response.put(ACCESS_TOKEN, accessToken.id());
@@ -126,13 +126,13 @@ public class TokenController extends PathHandler {
return sendContent(ex, response);
}
private String createJWT(Client client, User user, AccessToken accessToken) {
private String createJWT(Client client, User user, AccessToken accessToken, String nonce) {
try {
PublicJsonWebKey key = keyManager.getKey();
var algo = key.getAlgorithm();
var atHash = this.atHash(algo, accessToken);
key.setUse("sig");
JwtClaims claims = createIdTokenClaims(user, client, atHash);
JwtClaims claims = createIdTokenClaims(user, client, atHash, nonce);
// A JWT is a JWS and/or a JWE with JSON claims as the payload.
// In this example it is a JWS so we create a JsonWebSignature object.
@@ -167,7 +167,7 @@ public class TokenController extends PathHandler {
}
}
private JwtClaims createIdTokenClaims(User user, Client client, String atHash) {
private JwtClaims createIdTokenClaims(User user, Client client, String atHash, String nonce) {
JwtClaims claims = new JwtClaims();
// required claims:
@@ -179,7 +179,7 @@ public class TokenController extends PathHandler {
claims.setClaim(AT_HASH, atHash);
claims.setClaim(CLIENT_ID, client.id());
claims.setClaim(EMAIL, user.email()); // additional claims/attributes about the subject can be added
client.nonce().ifPresent(nonce -> claims.setClaim(NONCE, nonce));
if (nonce != null) claims.setClaim(NONCE, nonce);
claims.setGeneratedJwtId(); // a unique identifier for the token
return claims;
}