Added UserInfo.toJson method; added ScopeClaimTranslationService; rewrote UserInfoSerializer to use both

Author: aanganes

openid-connect-common/src/main/java/org/mitre/openid/connect/model/DefaultUserInfo.java

@@ -400,7 +400,50 @@ public String getBirthdate() {
 public void setBirthdate(String birthdate) {
 this.birthdate = birthdate;
 }
+
+@Override
+public JsonObject toJson() {
+JsonObject obj = new JsonObject();
+
+obj.addProperty("sub", this.getSub());
+
+obj.addProperty("name", this.getName());
+obj.addProperty("preferred_username", this.getPreferredUsername());
+obj.addProperty("given_name", this.getGivenName());
+obj.addProperty("family_name", this.getFamilyName());
+obj.addProperty("middle_name", this.getMiddleName());
+obj.addProperty("nickname", this.getNickname());
+obj.addProperty("profile", this.getProfile());
+obj.addProperty("picture", this.getPicture());
+obj.addProperty("website", this.getWebsite());
+obj.addProperty("gender", this.getGender());
+obj.addProperty("zone_info", this.getZoneinfo());
+obj.addProperty("locale", this.getLocale());
+obj.addProperty("updated_time", this.getUpdatedTime());
+obj.addProperty("birthdate", this.getBirthdate());
+
+obj.addProperty("email", this.getEmail());
+obj.addProperty("email_verified", this.getEmailVerified());
+
+obj.addProperty("phone_number", this.getPhoneNumber());
+obj.addProperty("phone_number_verified", this.getPhoneNumberVerified());
+
+if (this.getAddress() != null) {
 
+JsonObject addr = new JsonObject();
+addr.addProperty("formatted", this.getAddress().getFormatted());
+addr.addProperty("street_address", this.getAddress().getStreetAddress());
+addr.addProperty("locality", this.getAddress().getLocality());
+addr.addProperty("region", this.getAddress().getRegion());
+addr.addProperty("postal_code", this.getAddress().getPostalCode());
+addr.addProperty("country", this.getAddress().getCountry());
+
+obj.add("address", addr);
+}
+
+return obj;
+}
+
 /**
  * Parse a JsonObject into a UserInfo.
  * @param o

openid-connect-common/src/main/java/org/mitre/openid/connect/model/UserInfo.java

@@ -16,6 +16,8 @@
  ******************************************************************************/
 package org.mitre.openid.connect.model;
 
+import com.google.gson.JsonObject;
+
 
 public interface UserInfo {
 
@@ -222,4 +224,12 @@ public interface UserInfo {
  * @param birthdate
  */
 public abstract void setBirthdate(String birthdate);
+
+/**
+ * Serialize this UserInfo object to JSON
+ * 
+ * @return
+ */
+public abstract JsonObject toJson();
+
 }

openid-connect-common/src/main/java/org/mitre/openid/connect/service/ScopeClaimTranslationService.java

@@ -2,8 +2,10 @@
 
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 
 import com.google.common.collect.ArrayListMultimap;
+import com.google.common.collect.Lists;
 import com.google.common.collect.Maps;
 
 /**
@@ -77,6 +79,14 @@ public ScopeClaimTranslationService() {
 public List<String> getClaimsForScope(String scope) {
 return scopesToClaims.get(scope);
 }
+
+public List<String> getClaimsForScopeSet(Set<String> scopes) {
+List<String> result = Lists.newArrayList();
+for (String scope : scopes) {
+result.addAll(getClaimsForScope(scope));
+}
+return result;
+}
 
 public String getFieldNameForClaim(String claim) {
 return claimsToFields.get(claim);

openid-connect-common/src/main/java/org/mitre/openid/connect/view/UserInfoSerializer.java

@@ -1,174 +1,82 @@
 package org.mitre.openid.connect.view;
 
-import java.lang.reflect.Field;
-import java.lang.reflect.InvocationTargetException;
-import java.lang.reflect.Method;
+import java.util.List;
 import java.util.Map.Entry;
 import java.util.Set;
 
-import org.mitre.openid.connect.model.DefaultUserInfo;
 import org.mitre.openid.connect.model.UserInfo;
 import org.mitre.openid.connect.service.ScopeClaimTranslationService;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.util.ReflectionUtils;
 
-import com.google.common.base.CaseFormat;
-import com.google.common.collect.Sets;
 import com.google.gson.JsonElement;
 import com.google.gson.JsonObject;
 
 public class UserInfoSerializer {
 
-private static Logger logger = LoggerFactory.getLogger(UserInfoSerializer.class);
-
 private static ScopeClaimTranslationService translator = new ScopeClaimTranslationService();
 
 /**
- * Build a JSON response according to the request object received.
- * 
- * Claims requested in requestObj.userinfo.claims are added to any
- * claims corresponding to requested scopes, if any.
+ * Filter the UserInfo object by scope, using our ScopeClaimTranslationService to determine
+ * which claims are allowed for each given scope.
  * 
- * @param ui
- * @param scope
- * @param requestObj
- * @param claimsRequest the claims request parameter object.
- * @return
+ * @param ui the UserInfo to filter
+ * @param scope the allowed scopes to filter by
+ * @return the filtered JsonObject result
  */
-public static JsonObject toJsonFromRequestObj(UserInfo ui, Set<String> scope, JsonObject requestObj, JsonObject claimsRequest) {
-
-JsonObject obj = toJson(ui, scope);
-
-//Process list of requested claims out of the request object
-JsonElement claims = requestObj.get("claims");
-if (claims == null || !claims.isJsonObject()) {
-return obj;
-}
-
-JsonElement userinfo = claims.getAsJsonObject().get("userinfo");
-if (userinfo == null || !userinfo.isJsonObject()) {
-return obj;
-}
+public static JsonObject filterByScope(UserInfo ui, Set<String> scope) {
 
-// Filter claims from the request object with the claims from the claims request parameter, if it exists
+JsonObject uiJson = ui.toJson();
+List<String> filteredClaims = translator.getClaimsForScopeSet(scope);
+JsonObject result = new JsonObject();
 
-// Doing the set intersection manually because the claim entries may be referring to
-// the same claim but have different 'individual claim values', causing the Entry<> to be unequal, 
-// which doesn't allow the use of the more compact Sets.intersection() type method.
-Set<Entry<String, JsonElement>> requestClaimsSet = Sets.newHashSet();
-if (claimsRequest != null) {
-
-for (Entry<String, JsonElement> entry : userinfo.getAsJsonObject().entrySet()) {
-if (claimsRequest.has(entry.getKey())) {
-requestClaimsSet.add(entry);
-}
+for (String claim : filteredClaims) {
+if (uiJson.has(claim)) {
+result.add(claim, uiJson.get(claim));
 }
-
 }
 
-//TODO: is there a way to use bean processors to do bean.getfield(name)?
-//Method reflection is OK, but need a service to translate scopes into claim names => field names
-
-
-
-// TODO: this method is likely to be fragile if the data model changes at all
-
-//For each claim found, add it if not already present
-for (Entry<String, JsonElement> i : requestClaimsSet) {
-String claimName = i.getKey();
-if (!obj.has(claimName)) {
-String value = "";
-
-String fieldName = translator.getFieldNameForClaim(claimName);
-Field field = ReflectionUtils.findField(DefaultUserInfo.class, fieldName);
-
-Object val = ReflectionUtils.getField(field, userinfo);
-
-//TODO:how to convert val to a String? Most claims can be converted directly; address is compound
-
-
-//Process claim names to go from "claim_name" to "ClaimName"
-String camelClaimName = CaseFormat.LOWER_UNDERSCORE.to(CaseFormat.UPPER_CAMEL, claimName);
-//Now we have "getClaimName"
-String methodName = "get" + camelClaimName;
-Method getter = null;
-try {
-getter = ui.getClass().getMethod(methodName);
-value = (String) getter.invoke(ui);
-obj.addProperty(claimName, value);
-} catch (SecurityException e) {
-logger.error("SecurityException in UserInfoView.java: ", e);
-} catch (NoSuchMethodException e) {
-logger.error("NoSuchMethodException in UserInfoView.java: ", e);
-} catch (IllegalArgumentException e) {
-logger.error("IllegalArgumentException in UserInfoView.java: ", e);
-} catch (IllegalAccessException e) {
-logger.error("IllegalAccessException in UserInfoView.java: ", e);
-} catch (InvocationTargetException e) {
-logger.error("InvocationTargetException in UserInfoView.java: ", e);
-}
-}
-}
-return obj;
+return result;
 }
 
-public static JsonObject toJson(UserInfo ui, Set<String> scope) {
-
-JsonObject obj = new JsonObject();
-
-//TODO: This is a hack: the UserInfoInterceptor should use a serializer from this class, but it doesn't
-//have access to a scope set. It wants to just serialize whatever fields are present?
-if (scope == null) {
-Set<String> allScopes = Sets.newHashSet("openid", "profile", "email", "phone", "address");
-scope = allScopes;
-}
-
-if (scope.contains("openid")) {
-obj.addProperty("sub", ui.getSub());
-}
-
-if (scope.contains("profile")) {
-obj.addProperty("name", ui.getName());
-obj.addProperty("preferred_username", ui.getPreferredUsername());
-obj.addProperty("given_name", ui.getGivenName());
-obj.addProperty("family_name", ui.getFamilyName());
-obj.addProperty("middle_name", ui.getMiddleName());
-obj.addProperty("nickname", ui.getNickname());
-obj.addProperty("profile", ui.getProfile());
-obj.addProperty("picture", ui.getPicture());
-obj.addProperty("website", ui.getWebsite());
-obj.addProperty("gender", ui.getGender());
-obj.addProperty("zone_info", ui.getZoneinfo());
-obj.addProperty("locale", ui.getLocale());
-obj.addProperty("updated_time", ui.getUpdatedTime());
-obj.addProperty("birthdate", ui.getBirthdate());
-}
+/**
+ * Build a JSON response according to the request object received.
+ * 
+ * Claims requested in requestObj.userinfo.claims are added to any
+ * claims corresponding to requested scopes, if any.
+ * 
+ * @param ui the UserInfo to filter
+ * @param scope the allowed scopes to filter by
+ * @param authorizedClaims the claims authorized by the client or user
+ * @param requestedClaims the claims requested in the RequestObject
+ * @return the filtered JsonObject result
+ */
+public static JsonObject toJsonFromRequestObj(UserInfo ui, Set<String> scope, JsonObject authorizedClaims, JsonObject requestedClaims) {
 
-if (scope.contains("email")) {
-obj.addProperty("email", ui.getEmail());
-obj.addProperty("email_verified", ui.getEmailVerified());
+// Only proceed if we have both requested claims and authorized claims list. Otherwise just return
+// the scope-filtered claim set.
+if (requestedClaims == null || authorizedClaims == null) {
+return filterByScope(ui, scope);
 }
-
-if (scope.contains("phone")) {
-obj.addProperty("phone_number", ui.getPhoneNumber());
-obj.addProperty("phone_number_verified", ui.getPhoneNumberVerified());
+
+// get the base object
+JsonObject obj = ui.toJson();
+
+List<String> allowedByScope = translator.getClaimsForScopeSet(scope);
+JsonObject userinfoAuthorized = authorizedClaims.getAsJsonObject().get("userinfo").getAsJsonObject();
+JsonObject userinfoRequested = requestedClaims.getAsJsonObject().get("userinfo").getAsJsonObject();
+
+if (userinfoAuthorized == null || !userinfoAuthorized.isJsonObject()) {
+return obj;
 }
 
-if (scope.contains("address") && ui.getAddress() != null) {
-
-JsonObject addr = new JsonObject();
-addr.addProperty("formatted", ui.getAddress().getFormatted());
-addr.addProperty("street_address", ui.getAddress().getStreetAddress());
-addr.addProperty("locality", ui.getAddress().getLocality());
-addr.addProperty("region", ui.getAddress().getRegion());
-addr.addProperty("postal_code", ui.getAddress().getPostalCode());
-addr.addProperty("country", ui.getAddress().getCountry());
-
-obj.add("address", addr);
+// Filter claims by performing a manual intersection of claims that are allowed by the given scope, requested, and authorized.
+// We cannot use Sets.intersection() or similar because Entry<> objects will evaluate to being unequal if their values are
+// different, whereas we are only interested in matching the Entry<>'s key values.
+JsonObject result = new JsonObject();
+for (Entry<String, JsonElement> entry : userinfoAuthorized.getAsJsonObject().entrySet()) {
+if (userinfoRequested.has(entry.getKey()) && allowedByScope.contains(entry.getKey())) {
+result.add(entry.getKey(), entry.getValue());
+}
 }
-
-return obj;
+return result;
 }
-
 }

openid-connect-common/src/main/java/org/mitre/openid/connect/web/UserInfoInterceptor.java

@@ -28,7 +28,6 @@
 import org.mitre.openid.connect.model.OIDCAuthenticationToken;
 import org.mitre.openid.connect.model.UserInfo;
 import org.mitre.openid.connect.service.UserInfoService;
-import org.mitre.openid.connect.view.UserInfoSerializer;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
@@ -84,7 +83,7 @@ public void postHandle(HttpServletRequest request, HttpServletResponse response,
 // if they're logging into this server from a remote OIDC server, pass through their user info
 OIDCAuthenticationToken oidc = (OIDCAuthenticationToken) p;
 modelAndView.addObject("userInfo", oidc.getUserInfo());
-modelAndView.addObject("userInfoJson", UserInfoSerializer.toJson(oidc.getUserInfo(), null));
+modelAndView.addObject("userInfoJson", oidc.getUserInfo().toJson());
 } else {
 if (p != null && p.getName() != null) { // don't bother checking if we don't have a principal
 
@@ -94,7 +93,7 @@ public void postHandle(HttpServletRequest request, HttpServletResponse response,
 // if we have one, inject it so views can use it
 if (user != null) {
 modelAndView.addObject("userInfo", user);
-modelAndView.addObject("userInfoJson", UserInfoSerializer.toJson(user, null));
+modelAndView.addObject("userInfoJson", user.toJson());
 }
 }
 }