amit-natani
diff --git a/‎openid-connect-common/src/main/java/org/mitre/openid/connect/service/LoginHintExtracter.java‎
Lines changed: 32 additions & 0 deletions b/‎openid-connect-common/src/main/java/org/mitre/openid/connect/service/LoginHintExtracter.java‎
Lines changed: 32 additions & 0 deletions
diff --git a/‎openid-connect-server/src/main/java/org/mitre/openid/connect/filter/AuthorizationRequestFilter.java‎
Lines changed: 11 additions & 12 deletions b/‎openid-connect-server/src/main/java/org/mitre/openid/connect/filter/AuthorizationRequestFilter.java‎
Lines changed: 11 additions & 12 deletions
diff --git a/‎openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/MatchLoginHintsAgainstUsers.java‎
Lines changed: 59 additions & 0 deletions b/‎openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/MatchLoginHintsAgainstUsers.java‎
Lines changed: 59 additions & 0 deletions
diff --git a/‎openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/PassAllLoginHints.java‎
Lines changed: 38 additions & 0 deletions b/‎openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/PassAllLoginHints.java‎
Lines changed: 38 additions & 0 deletions
diff --git a/‎openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/RemoveLoginHintsWithHTTP.java‎
Lines changed: 48 additions & 0 deletions b/‎openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/RemoveLoginHintsWithHTTP.java‎
Lines changed: 48 additions & 0 deletions
@@ -0,0 +1,32 @@
+/*******************************************************************************
+ * Copyright 2015 The MITRE Corporation
+ * and the MIT Kerberos and Internet Trust Consortium
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *******************************************************************************/
+
+package org.mitre.openid.connect.service;
+
+/**
+ * @author jricher
+ *
+ */
+public interface LoginHintExtracter {
+
+/**
+ * @param loginHint
+ * @return
+ */
+public String extractHint(String loginHint);
+
+}
@@ -19,6 +19,8 @@
  */
 package org.mitre.openid.connect.filter;
 
+import static org.mitre.openid.connect.request.ConnectRequestParameters.*;
+
 import java.io.IOException;
 import java.net.URISyntaxException;
 import java.util.Date;
@@ -37,6 +39,8 @@
 import org.apache.http.client.utils.URIBuilder;
 import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.service.ClientDetailsEntityService;
+import org.mitre.openid.connect.service.LoginHintExtracter;
+import org.mitre.openid.connect.service.impl.RemoveLoginHintsWithHTTP;
 import org.mitre.openid.connect.web.AuthenticationTimeStamper;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -53,16 +57,6 @@
 import com.google.common.base.Splitter;
 import com.google.common.base.Strings;
 
-import static org.mitre.openid.connect.request.ConnectRequestParameters.ERROR;
-import static org.mitre.openid.connect.request.ConnectRequestParameters.LOGIN_HINT;
-import static org.mitre.openid.connect.request.ConnectRequestParameters.LOGIN_REQUIRED;
-import static org.mitre.openid.connect.request.ConnectRequestParameters.MAX_AGE;
-import static org.mitre.openid.connect.request.ConnectRequestParameters.PROMPT;
-import static org.mitre.openid.connect.request.ConnectRequestParameters.PROMPT_LOGIN;
-import static org.mitre.openid.connect.request.ConnectRequestParameters.PROMPT_NONE;
-import static org.mitre.openid.connect.request.ConnectRequestParameters.PROMPT_SEPARATOR;
-import static org.mitre.openid.connect.request.ConnectRequestParameters.STATE;
-
 /**
  * @author jricher
  *
@@ -87,6 +81,9 @@ public class AuthorizationRequestFilter extends GenericFilterBean {
 @Autowired
 private RedirectResolver redirectResolver;
 
+@Autowired(required = false)
+private LoginHintExtracter loginHintExtracter = new RemoveLoginHintsWithHTTP();
+
 /**
  * 
  */
@@ -115,8 +112,10 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
 }
 
 // save the login hint to the session
-if (authRequest.getExtensions().get(LOGIN_HINT) != null) {
-session.setAttribute(LOGIN_HINT, authRequest.getExtensions().get(LOGIN_HINT));
+// but first check to see if the login hint makes any sense
+String loginHint = loginHintExtracter.extractHint((String) authRequest.getExtensions().get(LOGIN_HINT));
+if (!Strings.isNullOrEmpty(loginHint)) {
+session.setAttribute(LOGIN_HINT, loginHint);
 } else {
 session.removeAttribute(LOGIN_HINT);
 }
 
@@ -0,0 +1,59 @@
+/*******************************************************************************
+ * Copyright 2015 The MITRE Corporation
+ * and the MIT Kerberos and Internet Trust Consortium
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *******************************************************************************/
+
+package org.mitre.openid.connect.service.impl;
+
+import org.mitre.openid.connect.model.UserInfo;
+import org.mitre.openid.connect.service.LoginHintExtracter;
+import org.mitre.openid.connect.service.UserInfoService;
+import org.springframework.beans.factory.annotation.Autowired;
+
+import com.google.common.base.Strings;
+
+/**
+ * Checks the login hint against the User Info collection, only populates it if a user is found.
+ * @author jricher
+ *
+ */
+public class MatchLoginHintsAgainstUsers implements LoginHintExtracter {
+
+@Autowired
+private UserInfoService userInfoService;
+
+/* (non-Javadoc)
+ * @see org.mitre.openid.connect.service.LoginHintTester#useHint(java.lang.String)
+ */
+@Override
+public String extractHint(String loginHint) {
+if (Strings.isNullOrEmpty(loginHint)) {
+return null;
+} else {
+UserInfo user = userInfoService.getByEmailAddress(loginHint);
+if (user == null) {
+user = userInfoService.getByUsername(loginHint);
+if (user == null) {
+return null;
+} else {
+return user.getPreferredUsername();
+}
+} else {
+return user.getPreferredUsername();
+}
+}
+}
+
+}
@@ -0,0 +1,38 @@
+/*******************************************************************************
+ * Copyright 2015 The MITRE Corporation
+ * and the MIT Kerberos and Internet Trust Consortium
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *******************************************************************************/
+
+package org.mitre.openid.connect.service.impl;
+
+import org.mitre.openid.connect.service.LoginHintExtracter;
+
+/**
+ * Sends all login hints through to the login page regardless of setup.
+ * 
+ * @author jricher
+ *
+ */
+public class PassAllLoginHints implements LoginHintExtracter {
+
+/* (non-Javadoc)
+ * @see org.mitre.openid.connect.service.LoginHintTester#useHint(java.lang.String)
+ */
+@Override
+public String extractHint(String loginHint) {
+return loginHint;
+}
+
+}
@@ -0,0 +1,48 @@
+/*******************************************************************************
+ * Copyright 2015 The MITRE Corporation
+ * and the MIT Kerberos and Internet Trust Consortium
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *******************************************************************************/
+
+package org.mitre.openid.connect.service.impl;
+
+import org.mitre.openid.connect.service.LoginHintExtracter;
+
+import com.google.common.base.Strings;
+
+/**
+ * Passes login hints that don't start with "http"
+ * 
+ * @author jricher
+ *
+ */
+public class RemoveLoginHintsWithHTTP implements LoginHintExtracter {
+
+/* (non-Javadoc)
+ * @see org.mitre.openid.connect.service.LoginHintTester#useHint(java.lang.String)
+ */
+@Override
+public String extractHint(String loginHint) {
+if (Strings.isNullOrEmpty(loginHint)) {
+return null;
+} else {
+if (loginHint.startsWith("http")) {
+return null;
+} else {
+return loginHint;
+}
+}
+}
+
+}