Made ID tokens ephemeral, made access token’s “additional information” extensible

Author: jricher

openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2AccessTokenEntity.java

@@ -69,7 +69,6 @@
 @NamedQuery(name = OAuth2AccessTokenEntity.QUERY_EXPIRED_BY_DATE, query = "select a from OAuth2AccessTokenEntity a where a.expiration <= :" + OAuth2AccessTokenEntity.PARAM_DATE),
 @NamedQuery(name = OAuth2AccessTokenEntity.QUERY_BY_REFRESH_TOKEN, query = "select a from OAuth2AccessTokenEntity a where a.refreshToken = :" + OAuth2AccessTokenEntity.PARAM_REFERSH_TOKEN),
 @NamedQuery(name = OAuth2AccessTokenEntity.QUERY_BY_CLIENT, query = "select a from OAuth2AccessTokenEntity a where a.client = :" + OAuth2AccessTokenEntity.PARAM_CLIENT),
-@NamedQuery(name = OAuth2AccessTokenEntity.QUERY_BY_ID_TOKEN, query = "select a from OAuth2AccessTokenEntity a where a.idToken = :" + OAuth2AccessTokenEntity.PARAM_ID_TOKEN),
 @NamedQuery(name = OAuth2AccessTokenEntity.QUERY_BY_TOKEN_VALUE, query = "select a from OAuth2AccessTokenEntity a where a.jwt = :" + OAuth2AccessTokenEntity.PARAM_TOKEN_VALUE),
 @NamedQuery(name = OAuth2AccessTokenEntity.QUERY_BY_APPROVED_SITE, query = "select a from OAuth2AccessTokenEntity a where a.approvedSite = :" + OAuth2AccessTokenEntity.PARAM_APPROVED_SITE),
 @NamedQuery(name = OAuth2AccessTokenEntity.QUERY_BY_RESOURCE_SET, query = "select a from OAuth2AccessTokenEntity a join a.permissions p where p.resourceSet.id = :" + OAuth2AccessTokenEntity.PARAM_RESOURCE_SET_ID)
@@ -82,15 +81,13 @@ public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
 
 public static final String QUERY_BY_APPROVED_SITE = "OAuth2AccessTokenEntity.getByApprovedSite";
 public static final String QUERY_BY_TOKEN_VALUE = "OAuth2AccessTokenEntity.getByTokenValue";
-public static final String QUERY_BY_ID_TOKEN = "OAuth2AccessTokenEntity.getByIdToken";
 public static final String QUERY_BY_CLIENT = "OAuth2AccessTokenEntity.getByClient";
 public static final String QUERY_BY_REFRESH_TOKEN = "OAuth2AccessTokenEntity.getByRefreshToken";
 public static final String QUERY_EXPIRED_BY_DATE = "OAuth2AccessTokenEntity.getAllExpiredByDate";
 public static final String QUERY_ALL = "OAuth2AccessTokenEntity.getAll";
 public static final String QUERY_BY_RESOURCE_SET = "OAuth2AccessTokenEntity.getByResourceSet";
 
 public static final String PARAM_TOKEN_VALUE = "tokenValue";
-public static final String PARAM_ID_TOKEN = "idToken";
 public static final String PARAM_CLIENT = "client";
 public static final String PARAM_REFERSH_TOKEN = "refreshToken";
 public static final String PARAM_DATE = "date";
@@ -107,8 +104,6 @@ public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
 
 private JWT jwtValue; // JWT-encoded access token value
 
-private OAuth2AccessTokenEntity idToken; // JWT-encoded OpenID Connect IdToken
-
 private Date expiration;
 
 private String tokenType = OAuth2AccessToken.BEARER_TYPE;
@@ -120,6 +115,8 @@ public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
 private Set<Permission> permissions;
 
 private ApprovedSite approvedSite;
+
+private Map<String, Object> additionalInformation = new HashMap<>(); // ephemeral map of items to be added to the OAuth token response
 
 /**
  * Create a new, blank access token
@@ -146,16 +143,13 @@ public void setId(Long id) {
 }
 
 /**
- * Get all additional information to be sent to the serializer. Inserts a copy of the IdToken (in JWT String form).
+ * Get all additional information to be sent to the serializer as part of the token response.
+ * This map is not persisted to the database.
  */
 @Override
 @Transient
 public Map<String, Object> getAdditionalInformation() {
-Map<String, Object> map = new HashMap<>(); //super.getAdditionalInformation();
-if (getIdToken() != null) {
-map.put(ID_TOKEN_FIELD_NAME, getIdTokenString());
-}
-return map;
+return additionalInformation;
 }
 
 /**
@@ -262,34 +256,6 @@ public boolean isExpired() {
 return getExpiration() == null ? false : System.currentTimeMillis() > getExpiration().getTime();
 }
 
-/**
- * @return the idToken
- */
-@OneToOne(cascade=CascadeType.ALL, orphanRemoval=true) // one-to-one mapping for now
-@JoinColumn(name = "id_token_id")
-public OAuth2AccessTokenEntity getIdToken() {
-return idToken;
-}
-
-/**
- * @param idToken the idToken to set
- */
-public void setIdToken(OAuth2AccessTokenEntity idToken) {
-this.idToken = idToken;
-}
-
-/**
- * @return the idTokenString
- */
-@Transient
-public String getIdTokenString() {
-if (idToken != null) {
-return idToken.getValue(); // get the JWT string value of the id token entity
-} else {
-return null;
-}
-}
-
 /**
  * @return the jwtValue
  */
@@ -352,4 +318,15 @@ public ApprovedSite getApprovedSite() {
 public void setApprovedSite(ApprovedSite approvedSite) {
 this.approvedSite = approvedSite;
 }
+
+/**
+ * Add the ID Token to the additionalInformation map for a token response.
+ * @param idToken
+ */
+@Transient
+public void setIdToken(JWT idToken) {
+if (idToken != null) {
+additionalInformation.put(ID_TOKEN_FIELD_NAME, idToken.serialize());
+}
+}
 }

openid-connect-common/src/main/java/org/mitre/oauth2/repository/OAuth2TokenRepository.java

@@ -51,8 +51,6 @@ public interface OAuth2TokenRepository {
 
 public List<OAuth2RefreshTokenEntity> getRefreshTokensForClient(ClientDetailsEntity client);
 
-public OAuth2AccessTokenEntity getAccessTokenForIdToken(OAuth2AccessTokenEntity idToken);
-
 public Set<OAuth2AccessTokenEntity> getAllAccessTokens();
 
 public Set<OAuth2RefreshTokenEntity> getAllRefreshTokens();

openid-connect-common/src/main/java/org/mitre/oauth2/service/OAuth2TokenEntityService.java

@@ -50,12 +50,6 @@ public interface OAuth2TokenEntityService extends AuthorizationServerTokenServic
 @Override
 public OAuth2AccessTokenEntity getAccessToken(OAuth2Authentication authentication);
 
-/**
- * @param incomingToken
- * @return
- */
-public OAuth2AccessTokenEntity getAccessTokenForIdToken(OAuth2AccessTokenEntity idToken);
-
 public OAuth2AccessTokenEntity getAccessTokenById(Long id);
 
 public OAuth2RefreshTokenEntity getRefreshTokenById(Long id);

openid-connect-common/src/main/java/org/mitre/oauth2/service/SystemScopeService.java

@@ -33,15 +33,13 @@ public interface SystemScopeService {
 
 public static final String OFFLINE_ACCESS = "offline_access";
 public static final String OPENID_SCOPE = "openid";
-public static final String ID_TOKEN_SCOPE = "id-token"; // ID tokens are generated using this scope
 public static final String REGISTRATION_TOKEN_SCOPE = "registration-token"; // this scope manages dynamic client registrations
 public static final String RESOURCE_TOKEN_SCOPE = "resource-token"; // this scope manages client-style protected resources
 public static final String UMA_PROTECTION_SCOPE = "uma_protection";
 public static final String UMA_AUTHORIZATION_SCOPE = "uma_authorization";
 
 public static final Set<SystemScope> reservedScopes = 
 Sets.newHashSet(
-new SystemScope(ID_TOKEN_SCOPE),
 new SystemScope(REGISTRATION_TOKEN_SCOPE),
 new SystemScope(RESOURCE_TOKEN_SCOPE)
 );

openid-connect-common/src/main/java/org/mitre/openid/connect/service/OIDCTokenService.java

@@ -22,6 +22,8 @@
 import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
 import org.springframework.security.oauth2.provider.OAuth2Request;
 
+import com.nimbusds.jwt.JWT;
+
 /**
  * Service to create specialty OpenID Connect tokens.
  * 
@@ -41,7 +43,7 @@ public interface OIDCTokenService {
  * @param accessToken
  * @return
  */
-public OAuth2AccessTokenEntity createIdToken(
+public JWT createIdToken(
 ClientDetailsEntity client, OAuth2Request request, Date issueTime,
 String sub, OAuth2AccessTokenEntity accessToken);
 

openid-connect-server-webapp/src/main/resources/db/hsql/hsql_database_tables.sql

@@ -10,7 +10,6 @@ CREATE TABLE IF NOT EXISTS access_token (
 refresh_token_id BIGINT,
 client_id BIGINT,
 auth_holder_id BIGINT,
-id_token_id BIGINT,
 approved_site_id BIGINT
 );
 

openid-connect-server/src/main/java/org/mitre/oauth2/repository/impl/JpaOAuth2TokenRepository.java

@@ -97,13 +97,7 @@ public OAuth2AccessTokenEntity saveAccessToken(OAuth2AccessTokenEntity token) {
 public void removeAccessToken(OAuth2AccessTokenEntity accessToken) {
 OAuth2AccessTokenEntity found = getAccessTokenByValue(accessToken.getValue());
 if (found != null) {
-OAuth2AccessTokenEntity accessTokenForIdToken = getAccessTokenForIdToken(found);
-if (accessTokenForIdToken != null) {
-accessTokenForIdToken.setIdToken(null);
-JpaUtil.saveOrUpdate(accessTokenForIdToken.getId(), manager, accessTokenForIdToken);
-} else {
-manager.remove(found);
-}
+manager.remove(found);
 } else {
 throw new IllegalArgumentException("Access token not found: " + accessToken);
 }
@@ -193,17 +187,6 @@ public List<OAuth2RefreshTokenEntity> getRefreshTokensForClient(ClientDetailsEnt
 return refreshTokens;
 }
 
-/* (non-Javadoc)
- * @see org.mitre.oauth2.repository.OAuth2TokenRepository#getAccessTokenForIdToken(org.mitre.oauth2.model.OAuth2AccessTokenEntity)
- */
-@Override
-public OAuth2AccessTokenEntity getAccessTokenForIdToken(OAuth2AccessTokenEntity idToken) {
-TypedQuery<OAuth2AccessTokenEntity> queryA = manager.createNamedQuery(OAuth2AccessTokenEntity.QUERY_BY_ID_TOKEN, OAuth2AccessTokenEntity.class);
-queryA.setParameter(OAuth2AccessTokenEntity.PARAM_ID_TOKEN, idToken);
-List<OAuth2AccessTokenEntity> accessTokens = queryA.getResultList();
-return JpaUtil.getSingleResult(accessTokens);
-}
-
 @Override
 public Set<OAuth2AccessTokenEntity> getAllExpiredAccessTokens() {
 TypedQuery<OAuth2AccessTokenEntity> query = manager.createNamedQuery(OAuth2AccessTokenEntity.QUERY_EXPIRED_BY_DATE, OAuth2AccessTokenEntity.class);

openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java

@@ -263,7 +263,7 @@ public OAuth2AccessTokenEntity createAccessToken(OAuth2Authentication authentica
 
 OAuth2AccessTokenEntity enhancedToken = (OAuth2AccessTokenEntity) tokenEnhancer.enhance(token, authentication);
 
-OAuth2AccessTokenEntity savedToken = tokenRepository.saveAccessToken(enhancedToken);
+OAuth2AccessTokenEntity savedToken = saveAccessToken(enhancedToken);
 
 if (savedToken.getRefreshToken() != null) {
 tokenRepository.saveRefreshToken(savedToken.getRefreshToken()); // make sure we save any changes that might have been enhanced
@@ -542,7 +542,14 @@ private Collection<AuthenticationHolderEntity> getOrphanedAuthenticationHolders(
  */
 @Override
 public OAuth2AccessTokenEntity saveAccessToken(OAuth2AccessTokenEntity accessToken) {
-return tokenRepository.saveAccessToken(accessToken);
+OAuth2AccessTokenEntity newToken = tokenRepository.saveAccessToken(accessToken);
+
+// if the old token has any additional information for the return from the token endpoint, carry it through here after save
+if (accessToken.getAdditionalInformation() != null && !accessToken.getAdditionalInformation().isEmpty()) {
+newToken.getAdditionalInformation().putAll(accessToken.getAdditionalInformation());
+}
+
+return newToken;
 }
 
 /* (non-Javadoc)
@@ -567,15 +574,6 @@ public void setTokenEnhancer(TokenEnhancer tokenEnhancer) {
 this.tokenEnhancer = tokenEnhancer;
 }
 
-/* (non-Javadoc)
- * @see org.mitre.oauth2.service.OAuth2TokenEntityService#getAccessTokenForIdToken(org.mitre.oauth2.model.OAuth2AccessTokenEntity)
- */
-@Override
-public OAuth2AccessTokenEntity getAccessTokenForIdToken(OAuth2AccessTokenEntity idToken) {
-return tokenRepository.getAccessTokenForIdToken(idToken);
-}
-
-
 @Override
 public OAuth2AccessTokenEntity getRegistrationAccessTokenForClient(ClientDetailsEntity client) {
 List<OAuth2AccessTokenEntity> allTokens = getAccessTokensForClient(client);

openid-connect-server/src/main/java/org/mitre/oauth2/view/TokenApiView.java

@@ -84,7 +84,6 @@ public JsonElement serialize(OAuth2AccessTokenEntity src,
 
 o.addProperty("value", src.getValue());
 o.addProperty("id", src.getId());
-o.addProperty("idTokenId", src.getIdToken() != null ? src.getIdToken().getId() : null);
 o.addProperty("refreshTokenId", src.getRefreshToken() != null ? src.getRefreshToken().getId() : null);
 
 o.add("scopes", context.serialize(src.getScope()));

openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultOIDCTokenService.java

@@ -53,6 +53,7 @@
 import com.google.common.collect.Sets;
 import com.nimbusds.jose.Algorithm;
 import com.nimbusds.jose.JWEHeader;
+import com.nimbusds.jose.JWEObject;
 import com.nimbusds.jose.JWSAlgorithm;
 import com.nimbusds.jose.JWSHeader;
 import com.nimbusds.jose.util.Base64URL;
@@ -94,7 +95,7 @@ public class DefaultOIDCTokenService implements OIDCTokenService {
 private OAuth2TokenEntityService tokenService;
 
 @Override
-public OAuth2AccessTokenEntity createIdToken(ClientDetailsEntity client, OAuth2Request request, Date issueTime, String sub, OAuth2AccessTokenEntity accessToken) {
+public JWT createIdToken(ClientDetailsEntity client, OAuth2Request request, Date issueTime, String sub, OAuth2AccessTokenEntity accessToken) {
 
 JWSAlgorithm signingAlg = jwtService.getDefaultSigningAlgorithm();
 
@@ -103,7 +104,8 @@ public OAuth2AccessTokenEntity createIdToken(ClientDetailsEntity client, OAuth2R
 }
 
 
-OAuth2AccessTokenEntity idTokenEntity = new OAuth2AccessTokenEntity();
+JWT idToken = null;
+
 JWTClaimsSet.Builder idClaims = new JWTClaimsSet.Builder();
 
 // if the auth time claim was explicitly requested OR if the client always wants the auth time, put it in
@@ -128,7 +130,6 @@ public OAuth2AccessTokenEntity createIdToken(ClientDetailsEntity client, OAuth2R
 if (client.getIdTokenValiditySeconds() != null) {
 Date expiration = new Date(System.currentTimeMillis() + (client.getIdTokenValiditySeconds() * 1000L));
 idClaims.expirationTime(expiration);
-idTokenEntity.setExpiration(expiration);
 }
 
 idClaims.issuer(configBean.getIssuer());
@@ -157,20 +158,16 @@ public OAuth2AccessTokenEntity createIdToken(ClientDetailsEntity client, OAuth2R
 
 if (encrypter != null) {
 
-EncryptedJWT idToken = new EncryptedJWT(new JWEHeader(client.getIdTokenEncryptedResponseAlg(), client.getIdTokenEncryptedResponseEnc()), idClaims.build());
-
-encrypter.encryptJwt(idToken);
+idToken = new EncryptedJWT(new JWEHeader(client.getIdTokenEncryptedResponseAlg(), client.getIdTokenEncryptedResponseEnc()), idClaims.build());
 
-idTokenEntity.setJwt(idToken);
+encrypter.encryptJwt((JWEObject) idToken);
 
 } else {
 logger.error("Couldn't find encrypter for client: " + client.getClientId());
 }
 
 } else {
 
-JWT idToken;
-
 if (signingAlg.equals(Algorithm.NONE)) {
 // unsigned ID token
 idToken = new PlainJWT(idClaims.build());
@@ -206,20 +203,9 @@ public OAuth2AccessTokenEntity createIdToken(ClientDetailsEntity client, OAuth2R
 }
 }
 
-
-idTokenEntity.setJwt(idToken);
 }
 
-idTokenEntity.setAuthenticationHolder(accessToken.getAuthenticationHolder());
-
-// create a scope set with just the special "id-token" scope
-//Set<String> idScopes = new HashSet<String>(token.getScope()); // this would copy the original token's scopes in, we don't really want that
-Set<String> idScopes = Sets.newHashSet(SystemScopeService.ID_TOKEN_SCOPE);
-idTokenEntity.setScope(idScopes);
-
-idTokenEntity.setClient(accessToken.getClient());
-
-return idTokenEntity;
+return idToken;
 }
 
 /**