expose ID Token and UserInfo to the AuthoritiesProvider and AuthoritiesMapper, both extensible

closes mitreid-connect#699 closes mitreid-connect#761

Author: jricher

openid-connect-client/src/main/java/org/mitre/openid/connect/client/NamedAdminAuthoritiesMapper.java

@@ -19,14 +19,19 @@
  */
 package org.mitre.openid.connect.client;
 
+import java.text.ParseException;
 import java.util.Collection;
 import java.util.HashSet;
 import java.util.Set;
 
+import org.mitre.openid.connect.model.UserInfo;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
-import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
-import org.springframework.security.core.authority.mapping.NullAuthoritiesMapper;
+
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.ReadOnlyJWTClaimsSet;
 
 /**
  * 
@@ -37,31 +42,36 @@
  * @author jricher
  * 
  */
-public class NamedAdminAuthoritiesMapper implements GrantedAuthoritiesMapper {
+public class NamedAdminAuthoritiesMapper implements OIDCAuthoritiesMapper {
 
+private static Logger logger = LoggerFactory.getLogger(NamedAdminAuthoritiesMapper.class);
+
 private static final SimpleGrantedAuthority ROLE_ADMIN = new SimpleGrantedAuthority("ROLE_ADMIN");
 private static final SimpleGrantedAuthority ROLE_USER = new SimpleGrantedAuthority("ROLE_USER");
 
 private Set<SubjectIssuerGrantedAuthority> admins = new HashSet<SubjectIssuerGrantedAuthority>();
 
-private GrantedAuthoritiesMapper chain = new NullAuthoritiesMapper();
-
 @Override
-public Collection<? extends GrantedAuthority> mapAuthorities(Collection<? extends GrantedAuthority> authorities) {
+public Collection<? extends GrantedAuthority> mapAuthorities(JWT idToken, UserInfo userInfo) {
 
 Set<GrantedAuthority> out = new HashSet<GrantedAuthority>();
-out.addAll(authorities);
+try {
+ReadOnlyJWTClaimsSet claims = idToken.getJWTClaimsSet();
+
+SubjectIssuerGrantedAuthority authority = new SubjectIssuerGrantedAuthority(claims.getSubject(), claims.getIssuer());
+out.add(authority);
 
-for (GrantedAuthority authority : authorities) {
 if (admins.contains(authority)) {
 out.add(ROLE_ADMIN);
 }
+
+// everybody's a user by default
+out.add(ROLE_USER);
+
+} catch (ParseException e) {
+logger.error("Unable to parse ID Token inside of authorities mapper (huh?)");
 }
-
-// everybody's a user by default
-out.add(ROLE_USER);
-
-return chain.mapAuthorities(out);
+return out;
 }
 
 /**
@@ -78,18 +88,4 @@ public void setAdmins(Set<SubjectIssuerGrantedAuthority> admins) {
 this.admins = admins;
 }
 
-/**
- * @return the chain
- */
-public GrantedAuthoritiesMapper getChain() {
-return chain;
-}
-
-/**
- * @param chain the chain to set
- */
-public void setChain(GrantedAuthoritiesMapper chain) {
-this.chain = chain;
-}
-
 }

openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationProvider.java

@@ -16,28 +16,34 @@
  *******************************************************************************/
 package org.mitre.openid.connect.client;
 
+import java.text.ParseException;
 import java.util.Collection;
 
 import org.mitre.openid.connect.model.OIDCAuthenticationToken;
 import org.mitre.openid.connect.model.UserInfo;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
+import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 
 import com.google.common.base.Strings;
-import com.google.common.collect.Lists;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTParser;
 
 /**
  * @author nemonik
  * 
  */
 public class OIDCAuthenticationProvider implements AuthenticationProvider {
 
+private static Logger logger = LoggerFactory.getLogger(OIDCAuthenticationProvider.class);
+
 private UserInfoFetcher userInfoFetcher = new UserInfoFetcher();
 
-private GrantedAuthoritiesMapper authoritiesMapper = new NamedAdminAuthoritiesMapper();
+private OIDCAuthoritiesMapper authoritiesMapper = new NamedAdminAuthoritiesMapper();
 
 /*
  * (non-Javadoc)
@@ -46,8 +52,7 @@ public class OIDCAuthenticationProvider implements AuthenticationProvider {
  * authenticate(org.springframework.security.core.Authentication)
  */
 @Override
-public Authentication authenticate(final Authentication authentication)
-throws AuthenticationException {
+public Authentication authenticate(final Authentication authentication) throws AuthenticationException {
 
 if (!supports(authentication.getClass())) {
 return null;
@@ -56,33 +61,56 @@ public Authentication authenticate(final Authentication authentication)
 if (authentication instanceof OIDCAuthenticationToken) {
 
 OIDCAuthenticationToken token = (OIDCAuthenticationToken) authentication;
-
-Collection<SubjectIssuerGrantedAuthority> authorities = Lists.newArrayList(new SubjectIssuerGrantedAuthority(token.getSub(), token.getIssuer()));
-
-UserInfo userInfo = userInfoFetcher.loadUserInfo(token);
-
-if (userInfo == null) {
-// TODO: user Info not found -- error?
-} else {
-if (!Strings.isNullOrEmpty(userInfo.getSub()) && !userInfo.getSub().equals(token.getSub())) {
-// the userinfo came back and the user_id fields don't match what was in the id_token
-throw new UsernameNotFoundException("user_id mismatch between id_token and user_info call: " + token.getSub() + " / " + userInfo.getSub());
+
+try {
+
+// get the ID Token value out
+String idTokenString = token.getIdTokenValue();
+JWT idToken = JWTParser.parse(idTokenString);
+
+// load the user info if we can
+UserInfo userInfo = userInfoFetcher.loadUserInfo(token);
+
+if (userInfo == null) {
+// user info not found -- could be an error, could be fine 
+} else {
+// if we found userinfo, double check it
+if (!Strings.isNullOrEmpty(userInfo.getSub()) && !userInfo.getSub().equals(token.getSub())) {
+// the userinfo came back and the user_id fields don't match what was in the id_token
+throw new UsernameNotFoundException("user_id mismatch between id_token and user_info call: " + token.getSub() + " / " + userInfo.getSub());
+}
 }
+
+return createAuthenticationToken(token, authoritiesMapper.mapAuthorities(idToken, userInfo), userInfo);
+} catch (ParseException e) {
+logger.error("Unable to parse ID token in the token");
+return null;
 }
-
-return new OIDCAuthenticationToken(token.getSub(),
-token.getIssuer(),
-userInfo, authoritiesMapper.mapAuthorities(authorities),
-token.getIdTokenValue(), token.getAccessTokenValue(), token.getRefreshTokenValue());
 }
 
 return null;
 }
 
+/**
+ * Override this function to return a different kind of Authentication, processes the authorities differently,
+ * or do post-processing based on the UserInfo object.
+ * 
+ * @param token
+ * @param authorities
+ * @param userInfo
+ * @return
+ */
+protected Authentication createAuthenticationToken(OIDCAuthenticationToken token, Collection<? extends GrantedAuthority> authorities, UserInfo userInfo) {
+return new OIDCAuthenticationToken(token.getSub(),
+token.getIssuer(),
+userInfo, authorities,
+token.getIdTokenValue(), token.getAccessTokenValue(), token.getRefreshTokenValue());
+}
+
 /**
  * @param authoritiesMapper
  */
-public void setAuthoritiesMapper(GrantedAuthoritiesMapper authoritiesMapper) {
+public void setAuthoritiesMapper(OIDCAuthoritiesMapper authoritiesMapper) {
 this.authoritiesMapper = authoritiesMapper;
 }
 

openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthoritiesMapper.java

@@ -0,0 +1,40 @@
+/*******************************************************************************
+ * Copyright 2015 The MITRE Corporation
+ * and the MIT Kerberos and Internet Trust Consortium
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *******************************************************************************/
+
+package org.mitre.openid.connect.client;
+
+import java.util.Collection;
+
+import org.mitre.openid.connect.model.UserInfo;
+import org.springframework.security.core.GrantedAuthority;
+
+import com.nimbusds.jwt.JWT;
+
+/**
+ * @author jricher
+ *
+ */
+public interface OIDCAuthoritiesMapper {
+
+/**
+ * @param idToken the ID Token (parsed as a JWT, cannot be @null)
+ * @param userInfo userInfo of the current user (could be @null) 
+ * @return the set of authorities to map to this user
+ */
+Collection<? extends GrantedAuthority> mapAuthorities(JWT idToken, UserInfo userInfo);
+
+}

openid-connect-common/src/main/java/org/mitre/openid/connect/model/DefaultUserInfo.java

@@ -18,6 +18,7 @@
 
 import javax.persistence.Basic;
 import javax.persistence.Column;
+import javax.persistence.Convert;
 import javax.persistence.Entity;
 import javax.persistence.GeneratedValue;
 import javax.persistence.GenerationType;
@@ -28,6 +29,8 @@
 import javax.persistence.OneToOne;
 import javax.persistence.Table;
 
+import org.mitre.openid.connect.model.convert.JsonObjectStringConverter;
+
 import com.google.gson.JsonObject;
 
 @Entity
@@ -510,6 +513,9 @@ public static UserInfo fromJson(JsonObject obj) {
  * @return the jsonString
  */
 @Override
+@Basic
+@Column(name = "src")
+@Convert(converter = JsonObjectStringConverter.class)
 public JsonObject getSource() {
 return src;
 }

openid-connect-common/src/main/java/org/mitre/openid/connect/model/convert/JsonObjectStringConverter.java

@@ -0,0 +1,57 @@
+/*******************************************************************************
+ * Copyright 2015 The MITRE Corporation
+ * and the MIT Kerberos and Internet Trust Consortium
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *******************************************************************************/
+
+package org.mitre.openid.connect.model.convert;
+
+import javax.persistence.AttributeConverter;
+import javax.persistence.Converter;
+
+import com.google.common.base.Strings;
+import com.google.gson.JsonObject;
+import com.google.gson.JsonParser;
+
+/**
+ * @author jricher
+ *
+ */
+@Converter
+public class JsonObjectStringConverter implements AttributeConverter<JsonObject, String> {
+
+private JsonParser parser = new JsonParser();
+
+@Override
+public String convertToDatabaseColumn(JsonObject attribute) {
+if (attribute != null) {
+return attribute.toString();
+} else {
+return null;
+}
+}
+
+/* (non-Javadoc)
+ * @see javax.persistence.AttributeConverter#convertToEntityAttribute(java.lang.Object)
+ */
+@Override
+public JsonObject convertToEntityAttribute(String dbData) {
+if (!Strings.isNullOrEmpty(dbData)) {
+return parser.parse(dbData).getAsJsonObject();
+} else {
+return null;
+}
+}
+
+}

openid-connect-server-webapp/src/main/resources/db/tables/hsql_database_tables.sql

@@ -253,7 +253,8 @@ CREATE TABLE IF NOT EXISTS user_info (
 phone_number_verified BOOLEAN,
 address_id VARCHAR(256),
 updated_time VARCHAR(256),
-birthdate VARCHAR(256)
+birthdate VARCHAR(256),
+src VARCHAR(4096)
 );
 
 CREATE TABLE IF NOT EXISTS whitelisted_site (

openid-connect-server/src/main/java/org/mitre/openid/connect/filter/AuthorizationRequestFilter.java

@@ -110,7 +110,9 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
 ClientDetailsEntity client = null;
 
 authRequest = authRequestFactory.createAuthorizationRequest(createRequestMap(request.getParameterMap()));
-client = clientService.loadClientByClientId(authRequest.getClientId());
+if (!Strings.isNullOrEmpty(authRequest.getClientId())) {
+client = clientService.loadClientByClientId(authRequest.getClientId());
+}
 
 // save the login hint to the session
 if (authRequest.getExtensions().get(LOGIN_HINT) != null) {