Examples of org.mitre.openid.connect.config.ServerConfiguration

• org.mitre.openid.connect.config.ServerConfiguration
  Container class for a client's view of a server's configuration @author nemonik, jricher

      if (Strings.isNullOrEmpty(issuer)) {
        logger.error("No issuer found: " + issuer);
        throw new AuthenticationServiceException("No issuer found: " + issuer);
      }

      ServerConfiguration serverConfig = servers.getServerConfiguration(issuer);
      if (serverConfig == null) {
        logger.error("No server configuration found for issuer: " + issuer);
        throw new AuthenticationServiceException("No server configuration found for issuer: " + issuer);
      }


      session.setAttribute(ISSUER_SESSION_VARIABLE, serverConfig.getIssuer());

      RegisteredClient clientConfig = clients.getClientConfiguration(serverConfig);
      if (clientConfig == null) {
        logger.error("No client configuration found for issuer: " + issuer);
        throw new AuthenticationServiceException("No client configuration found for issuer: " + issuer);

    // look up the issuer that we set out to talk to
    String issuer = getStoredSessionString(session, ISSUER_SESSION_VARIABLE);

    // pull the configurations based on that issuer
    ServerConfiguration serverConfig = servers.getServerConfiguration(issuer);
    final RegisteredClient clientConfig = clients.getClientConfiguration(serverConfig);

    MultiValueMap<String, String> form = new LinkedMultiValueMap<String, String>();
    form.add("grant_type", "authorization_code");
    form.add("code", authorizationCode);

    String redirectUri = getStoredSessionString(session, REDIRECT_URI_SESION_VARIABLE);
    if (redirectUri != null) {
      form.add("redirect_uri", redirectUri);
    }

    // Handle Token Endpoint interaction
    HttpClient httpClient = new SystemDefaultHttpClient();

    httpClient.getParams().setParameter("http.socket.timeout", new Integer(httpSocketTimeout));

    HttpComponentsClientHttpRequestFactory factory = new HttpComponentsClientHttpRequestFactory(httpClient);

    RestTemplate restTemplate;

    if (SECRET_BASIC.equals(clientConfig.getTokenEndpointAuthMethod())){
      // use BASIC auth if configured to do so
      restTemplate = new RestTemplate(factory) {

        @Override
        protected ClientHttpRequest createRequest(URI url, HttpMethod method) throws IOException {
          ClientHttpRequest httpRequest = super.createRequest(url, method);
          httpRequest.getHeaders().add("Authorization",
              String.format("Basic %s", Base64.encode(String.format("%s:%s", clientConfig.getClientId(), clientConfig.getClientSecret())) ));



          return httpRequest;
        }
      };
    } else {
      // we're not doing basic auth, figure out what other flavor we have
      restTemplate = new RestTemplate(factory);

      if (SECRET_JWT.equals(clientConfig.getTokenEndpointAuthMethod()) || PRIVATE_KEY.equals(clientConfig.getTokenEndpointAuthMethod())) {
        // do a symmetric secret signed JWT for auth


        JwtSigningAndValidationService signer = null;
        JWSAlgorithm alg = clientConfig.getTokenEndpointAuthSigningAlg();

        if (SECRET_JWT.equals(clientConfig.getTokenEndpointAuthMethod()) &&
            (alg.equals(JWSAlgorithm.HS256)
                || alg.equals(JWSAlgorithm.HS384)
                || alg.equals(JWSAlgorithm.HS512))) {

          // generate one based on client secret
          signer = symmetricCacheService.getSymmetricValidtor(clientConfig.getClient());

        } else if (PRIVATE_KEY.equals(clientConfig.getTokenEndpointAuthMethod())) {

          // needs to be wired in to the bean
          signer = authenticationSignerService;

          if (alg == null) {
            alg = authenticationSignerService.getDefaultSigningAlgorithm();
          }
        }

        if (signer == null) {
          throw new AuthenticationServiceException("Couldn't find required signer service for use with private key auth.");
        }

        JWTClaimsSet claimsSet = new JWTClaimsSet();

        claimsSet.setIssuer(clientConfig.getClientId());
        claimsSet.setSubject(clientConfig.getClientId());
        claimsSet.setAudience(Lists.newArrayList(serverConfig.getTokenEndpointUri()));

        // TODO: make this configurable
        Date exp = new Date(System.currentTimeMillis() + (60 * 1000)); // auth good for 60 seconds
        claimsSet.setExpirationTime(exp);

        Date now = new Date(System.currentTimeMillis());
        claimsSet.setIssueTime(now);
        claimsSet.setNotBeforeTime(now);

        SignedJWT jwt = new SignedJWT(new JWSHeader(alg), claimsSet);

        signer.signJwt(jwt, alg);

        form.add("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer");
        form.add("client_assertion", jwt.serialize());
      } else {
        //Alternatively use form based auth
        form.add("client_id", clientConfig.getClientId());
        form.add("client_secret", clientConfig.getClientSecret());
      }

    }

    logger.debug("tokenEndpointURI = " + serverConfig.getTokenEndpointUri());
    logger.debug("form = " + form);

    String jsonString = null;

    try {
      jsonString = restTemplate.postForObject(serverConfig.getTokenEndpointUri(), form, String.class);
    } catch (HttpClientErrorException httpClientErrorException) {

      // Handle error

      logger.error("Token Endpoint error response:  "
          + httpClientErrorException.getStatusText() + " : "
          + httpClientErrorException.getMessage());

      throw new AuthenticationServiceException("Unable to obtain Access Token: " + httpClientErrorException.getMessage());
    }

    logger.debug("from TokenEndpoint jsonString = " + jsonString);

    JsonElement jsonRoot = new JsonParser().parse(jsonString);
    if (!jsonRoot.isJsonObject()) {
      throw new AuthenticationServiceException("Token Endpoint did not return a JSON object: " + jsonRoot);
    }

    JsonObject tokenResponse = jsonRoot.getAsJsonObject();

    if (tokenResponse.get("error") != null) {

      // Handle error

      String error = tokenResponse.get("error").getAsString();

      logger.error("Token Endpoint returned: " + error);

      throw new AuthenticationServiceException("Unable to obtain Access Token.  Token Endpoint returned: " + error);

    } else {

      // Extract the id_token to insert into the
      // OIDCAuthenticationToken

      // get out all the token strings
      String accessTokenValue = null;
      String idTokenValue = null;
      String refreshTokenValue = null;

      if (tokenResponse.has("access_token")) {
        accessTokenValue = tokenResponse.get("access_token").getAsString();
      } else {
        throw new AuthenticationServiceException("Token Endpoint did not return an access_token: " + jsonString);
      }

      if (tokenResponse.has("id_token")) {
        idTokenValue = tokenResponse.get("id_token").getAsString();
      } else {
        logger.error("Token Endpoint did not return an id_token");
        throw new AuthenticationServiceException("Token Endpoint did not return an id_token");
      }

      if (tokenResponse.has("refresh_token")) {
        refreshTokenValue = tokenResponse.get("refresh_token").getAsString();
      }

      try {
        JWT idToken = JWTParser.parse(idTokenValue);

        // validate our ID Token over a number of tests
        ReadOnlyJWTClaimsSet idClaims = idToken.getJWTClaimsSet();

        // check the signature
        JwtSigningAndValidationService jwtValidator = null;

        Algorithm tokenAlg = idToken.getHeader().getAlgorithm();

        Algorithm clientAlg = clientConfig.getIdTokenSignedResponseAlg();

        if (clientAlg != null) {
          if (!clientAlg.equals(tokenAlg)) {
            throw new AuthenticationServiceException("Token algorithm " + tokenAlg + " does not match expected algorithm " + clientAlg);
          }
        }

        if (idToken instanceof PlainJWT) {

          if (clientAlg == null) {
            throw new AuthenticationServiceException("Unsigned ID tokens can only be used if explicitly configured in client.");
          }

          if (tokenAlg != null && !tokenAlg.equals(JWSAlgorithm.NONE)) {
            throw new AuthenticationServiceException("Unsigned token received, expected signature with " + tokenAlg);
          }
        } else if (idToken instanceof SignedJWT) {

          SignedJWT signedIdToken = (SignedJWT)idToken;

          if (tokenAlg.equals(JWSAlgorithm.HS256)
            || tokenAlg.equals(JWSAlgorithm.HS384)
            || tokenAlg.equals(JWSAlgorithm.HS512)) {

            // generate one based on client secret
            jwtValidator = symmetricCacheService.getSymmetricValidtor(clientConfig.getClient());
          } else {
            // otherwise load from the server's public key
            jwtValidator = validationServices.getValidator(serverConfig.getJwksUri());
          }

          if (jwtValidator != null) {
            if(!jwtValidator.validateSignature(signedIdToken)) {
              throw new AuthenticationServiceException("Signature validation failed");
            }
          } else {
            logger.error("No validation service found. Skipping signature validation");
            throw new AuthenticationServiceException("Unable to find an appropriate signature validator for ID Token.");
          }
        } // TODO: encrypted id tokens

        // check the issuer
        if (idClaims.getIssuer() == null) {
          throw new AuthenticationServiceException("Id Token Issuer is null");
        } else if (!idClaims.getIssuer().equals(serverConfig.getIssuer())){
          throw new AuthenticationServiceException("Issuers do not match, expected " + serverConfig.getIssuer() + " got " + idClaims.getIssuer());
        }

        // check expiration
        if (idClaims.getExpirationTime() == null) {
          throw new AuthenticationServiceException("Id Token does not have required expiration claim");

    @Override
    public ServerConfiguration load(String issuer) throws Exception {
      RestTemplate restTemplate = new RestTemplate(httpFactory);

      // data holder
      ServerConfiguration conf = new ServerConfiguration();

      // construct the well-known URI
      String url = issuer + "/.well-known/openid-configuration";

      // fetch the value
      String jsonString = restTemplate.getForObject(url, String.class);

      JsonElement parsed = parser.parse(jsonString);
      if (parsed.isJsonObject()) {

        JsonObject o = parsed.getAsJsonObject();

        // sanity checks
        if (!o.has("issuer")) {
          throw new IllegalStateException("Returned object did not have an 'issuer' field");
        }

        if (!issuer.equals(o.get("issuer").getAsString())) {
          logger.info("Issuer used for discover was " + issuer + " but final issuer is " + o.get("issuer").getAsString());
        }

        conf.setIssuer(o.get("issuer").getAsString());


        conf.setAuthorizationEndpointUri(getAsString(o, "authorization_endpoint"));
        conf.setTokenEndpointUri(getAsString(o, "token_endpoint"));
        conf.setJwksUri(getAsString(o, "jwks_uri"));
        conf.setUserInfoUri(getAsString(o, "userinfo_endpoint"));
        conf.setRegistrationEndpointUri(getAsString(o, "registration_endpoint"));
        conf.setIntrospectionEndpointUri(getAsString(o, "introspection_endpoint"));
        conf.setAcrValuesSupported(getAsStringList(o, "acr_values_supported"));
        conf.setCheckSessionIframe(getAsString(o, "check_session_iframe"));
        conf.setClaimsLocalesSupported(getAsStringList(o, "claims_locales_supported"));
        conf.setClaimsParameterSupported(getAsBoolean(o, "claims_parameter_supported"));
        conf.setClaimsSupported(getAsStringList(o, "claims_supported"));
        conf.setDisplayValuesSupported(getAsStringList(o, "display_values_supported"));
        conf.setEndSessionEndpoint(getAsString(o, "end_session_endpoint"));
        conf.setGrantTypesSupported(getAsStringList(o, "grant_types_supported"));
        conf.setIdTokenSigningAlgValuesSupported(getAsJwsAlgorithmList(o, "id_token_signing_alg_values_supported"));
        conf.setIdTokenEncryptionAlgValuesSupported(getAsJweAlgorithmList(o, "id_token_encryption_alg_values_supported"));
        conf.setIdTokenEncryptionEncValuesSupported(getAsEncryptionMethodList(o, "id_token_encryption_enc_values_supported"));
        conf.setOpPolicyUri(getAsString(o, "op_policy_uri"));
        conf.setOpTosUri(getAsString(o, "op_tos_uri"));
        conf.setRequestObjectEncryptionAlgValuesSupported(getAsJweAlgorithmList(o, "request_object_encryption_alg_values_supported"));
        conf.setRequestObjectEncryptionEncValuesSupported(getAsEncryptionMethodList(o, "request_object_encryption_enc_values_supported"));
        conf.setRequestObjectSigningAlgValuesSupported(getAsJwsAlgorithmList(o, "request_object_signing_alg_values_supported"));
        conf.setRequestParameterSupported(getAsBoolean(o, "request_parameter_supported"));
        conf.setRequestUriParameterSupported(getAsBoolean(o, "request_uri_parameter_supported"));
        conf.setResponseTypesSupported(getAsStringList(o, "response_types_supported"));
        conf.setScopesSupported(getAsStringList(o, "scopes_supported"));
        conf.setSubjectTypesSupported(getAsStringList(o, "subject_types_supported"));
        conf.setServiceDocumentation(getAsString(o, "service_documentation"));
        conf.setTokenEndpointAuthMethodsSupported(getAsStringList(o, "token_endpoint_auth_methods"));
        conf.setTokenEndpointAuthSigningAlgValuesSupported(getAsJwsAlgorithmList(o, "token_endpoint_auth_signing_alg_values_supported"));
        conf.setUiLocalesSupported(getAsStringList(o, "ui_locales_supported"));
        conf.setUserinfoEncryptionAlgValuesSupported(getAsJweAlgorithmList(o, "userinfo_encryption_alg_values_supported"));
        conf.setUserinfoEncryptionEncValuesSupported(getAsEncryptionMethodList(o, "userinfo_encryption_enc_values_supported"));
        conf.setUserinfoSigningAlgValuesSupported(getAsJwsAlgorithmList(o, "userinfo_signing_alg_values_supported"));

        return conf;
      } else {
        throw new IllegalStateException("Couldn't parse server discovery results for " + url);
      }