fixed introspection problems

martin-kuba · martin-kuba · commit b4ee1afbcebd · 2020-08-31T16:54:12.000+02:00
diff --git a/pom.xml b/pom.xml
@@ -6,11 +6,10 @@
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
 		<version>2.3.3.RELEASE</version>
-		<relativePath/> <!-- lookup parent from repository -->
 	</parent>
 	<groupId>cz.metacentrum</groupId>
 	<artifactId>fake_oidc</artifactId>
-	<version>0.0.2-SNAPSHOT</version>
+	<version>1.0</version>
 	<name>fake_oidc</name>
 	<description>Fake OpenId Connect Authorization Server</description>
 
diff --git a/src/main/java/cz/metacentrum/fake_oidc/FakeOidcServerProperties.java b/src/main/java/cz/metacentrum/fake_oidc/FakeOidcServerProperties.java
@@ -28,7 +28,7 @@ public void setTokenExpirationSeconds(long tokenExpirationSeconds) {
 
     @Override
     public String toString() {
-        return "FakeOidcProperties{" +
+        return "FakeOidcServerProperties{" +
                 "user=" + user +
                 ", tokenExpirationSeconds=" + tokenExpirationSeconds +
                 '}';
diff --git a/src/main/java/cz/metacentrum/fake_oidc/OidcController.java b/src/main/java/cz/metacentrum/fake_oidc/OidcController.java
@@ -39,14 +39,16 @@
 import java.util.Collections;
 import java.util.Date;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.LinkedHashMap;
 import java.util.Map;
+import java.util.Set;
 import java.util.UUID;
 
 /**
- * Run with "mvn spring-boot:run".
- * <p>
- * Provides OIDC metadata. See the spec at https://openid.net/specs/openid-connect-discovery-1_0.html
+ * Implementation of all necessary OIDC endpoints.
+ *
+ * @author Martin Kuba makub@ics.muni.cz
  */
 @RestController
 public class OidcController {
@@ -64,10 +66,13 @@ public class OidcController {
     private JWKSet publicJWKSet;
     private JWSHeader jwsHeader;
 
-    private Map<String, AccessTokenInfo> accessTokens = new HashMap<>();
+    private final Map<String, AccessTokenInfo> accessTokens = new HashMap<>();
 
-    @Autowired
-    private FakeOidcServerProperties serverProperties;
+    private final FakeOidcServerProperties serverProperties;
+
+    public OidcController(@Autowired FakeOidcServerProperties serverProperties) {
+        this.serverProperties = serverProperties;
+    }
 
     @PostConstruct
     public void init() throws IOException, ParseException, JOSEException {
@@ -80,6 +85,9 @@ public void init() throws IOException, ParseException, JOSEException {
         log.info("config {}", serverProperties);
     }
 
+    /**
+     * Provides OIDC metadata. See the spec at https://openid.net/specs/openid-connect-discovery-1_0.html
+     */
     @RequestMapping(value = METADATA_ENDPOINT, method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_VALUE)
     @CrossOrigin
     public ResponseEntity<?> metadata(UriComponentsBuilder uriBuilder, HttpServletRequest req) {
@@ -101,13 +109,19 @@ public ResponseEntity<?> metadata(UriComponentsBuilder uriBuilder, HttpServletRe
         return ResponseEntity.ok().body(m);
     }
 
+    /**
+     * Provides JSON Web Key Set containing the public part of the key used to sign ID tokens.
+     */
     @RequestMapping(value = JWKS_ENDPOINT, method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_VALUE)
     @CrossOrigin
     public ResponseEntity<String> jwks(HttpServletRequest req) {
         log.info("called " + JWKS_ENDPOINT + " from {}", req.getRemoteHost());
         return ResponseEntity.ok().body(publicJWKSet.toString());
     }
 
+    /**
+     * Provides claims about a user. Requires a valid access token.
+     */
     @RequestMapping(value = USERINFO_ENDPOINT, method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_VALUE)
     @CrossOrigin(allowedHeaders = {"Authorization", "Content-Type"})
     public ResponseEntity<?> userinfo(@RequestHeader("Authorization") String auth, HttpServletRequest req) {
@@ -120,41 +134,53 @@ public ResponseEntity<?> userinfo(@RequestHeader("Authorization") String auth, H
         if (accessTokenInfo == null) {
             return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body("access token not found");
         }
+        Set<String> scopes = new HashSet<>(Arrays.asList(accessTokenInfo.scope.split(" ")));
         Map<String, Object> m = new LinkedHashMap<>();
         User user = accessTokenInfo.user;
         m.put("sub", user.getSub());
-        m.put("name", user.getName());
-        m.put("family_name", user.getFamily_name());
-        m.put("given_name", user.getGiven_name());
-        m.put("preferred_username", user.getPreferred_username());
-        m.put("email", user.getEmail());
+        if (scopes.contains("profile")) {
+            m.put("name", user.getName());
+            m.put("family_name", user.getFamily_name());
+            m.put("given_name", user.getGiven_name());
+            m.put("preferred_username", user.getPreferred_username());
+        }
+        if (scopes.contains("email")) {
+            m.put("email", user.getEmail());
+        }
         return ResponseEntity.ok().body(m);
     }
 
+    /**
+     * Provides information about a supplied access token.
+     */
     @RequestMapping(value = INTROSPECTION_ENDPOINT, method = RequestMethod.POST, produces = MediaType.APPLICATION_JSON_VALUE)
     public ResponseEntity<?> introspection(@RequestParam String token,
                                            @RequestHeader("Authorization") String auth,
-                                           UriComponentsBuilder uriBuilder,
                                            HttpServletRequest req) {
         log.info("called " + INTROSPECTION_ENDPOINT + " from {}", req.getRemoteHost());
         Map<String, Object> m = new LinkedHashMap<>();
         AccessTokenInfo accessTokenInfo = accessTokens.get(token);
-        if( accessTokenInfo == null) {
+        if (accessTokenInfo == null) {
             log.error("token not found in memory: {}", token);
             m.put("active", false);
         } else {
-            String scopes = String.join(" ", accessTokenInfo.scopes);
-            log.info("token found, releasing scopes: {}", scopes);
-            m.put("iss", uriBuilder.replacePath(null).build().encode().toUriString() + "/");
+            log.info("found token for user {}, releasing scopes: {}", accessTokenInfo.user.getSub(), accessTokenInfo.scope);
+            // see https://tools.ietf.org/html/rfc7662#section-2.2 for all claims
             m.put("active", true);
-            m.put("scope", scopes);
+            m.put("scope", accessTokenInfo.scope);
+            m.put("client_id", accessTokenInfo.clientId);
             m.put("username", accessTokenInfo.user.getSub());
-            m.put("sub", accessTokenInfo.user.getSub());
+            m.put("token_type", "Bearer");
             m.put("exp", accessTokenInfo.expiration.toInstant().toEpochMilli());
+            m.put("sub", accessTokenInfo.user.getSub());
+            m.put("iss", accessTokenInfo.iss);
         }
         return ResponseEntity.ok().body(m);
     }
 
+    /**
+     * Provides authorization endpoint.
+     */
     @RequestMapping(value = AUTHORIZATION_ENDPOINT, method = RequestMethod.GET)
     public ResponseEntity<?> authorize(@RequestParam String client_id,
                                        @RequestParam String redirect_uri,
@@ -165,26 +191,26 @@ public ResponseEntity<?> authorize(@RequestParam String client_id,
                                        @RequestHeader(name = "Authorization", required = false) String auth,
                                        UriComponentsBuilder uriBuilder,
                                        HttpServletRequest req) throws JOSEException, NoSuchAlgorithmException {
-        log.info("called " + AUTHORIZATION_ENDPOINT+" from {}, scope={} response_type={} client_id={} redirect_uri={}",
+        log.info("called " + AUTHORIZATION_ENDPOINT + " from {}, scope={} response_type={} client_id={} redirect_uri={}",
                 req.getRemoteHost(), scope, response_type, client_id, redirect_uri);
         if (auth == null) {
             log.info("user and password not provided");
             return response401();
         } else {
             String[] creds = new String(Base64.getDecoder().decode(auth.split(" ")[1])).split(":", 2);
-            String logname = creds[0];
+            String login = creds[0];
             String password = creds[1];
             User user = serverProperties.getUser();
-            if (user.getLogname().equals(logname) && user.getPassword().equals(password)) {
-                log.info("password for user {} is correct", logname);
+            if (user.getLogname().equals(login) && user.getPassword().equals(password)) {
+                log.info("password for user {} is correct", login);
                 String iss = uriBuilder.replacePath("/").build().encode().toUriString();
                 String access_token = createAccessToken(iss, user, client_id, scope);
                 String id_token = createIdToken(iss, user, client_id, nonce, access_token);
                 String url = redirect_uri + "#" +
                         "access_token=" + urlencode(access_token) +
                         "&token_type=Bearer" +
                         "&state=" + urlencode(state) +
-                        "&expires_in=36000" +
+                        "&expires_in=" + serverProperties.getTokenExpirationSeconds() +
                         "&id_token=" + urlencode(id_token);
                 return ResponseEntity.status(HttpStatus.FOUND).header("Location", url).build();
             } else {
@@ -211,16 +237,16 @@ private String createAccessToken(String iss, User user, String client_id, String
         // sign the JWT token
         jwt.sign(signer);
         String access_token = jwt.serialize();
-        accessTokens.put(access_token, new AccessTokenInfo(user, access_token, expiration, scope.split(" ")));
+        accessTokens.put(access_token, new AccessTokenInfo(user, access_token, expiration, scope, client_id, iss));
         return access_token;
     }
 
     private String createIdToken(String iss, User user, String client_id, String nonce, String accessToken) throws NoSuchAlgorithmException, JOSEException {
         // compute at_hash
-        MessageDigest hasher = MessageDigest.getInstance("SHA-256");
-        hasher.reset();
-        hasher.update(accessToken.getBytes(StandardCharsets.UTF_8));
-        byte[] hashBytes = hasher.digest();
+        MessageDigest digest = MessageDigest.getInstance("SHA-256");
+        digest.reset();
+        digest.update(accessToken.getBytes(StandardCharsets.UTF_8));
+        byte[] hashBytes = digest.digest();
         byte[] hashBytesLeftHalf = Arrays.copyOf(hashBytes, hashBytes.length / 2);
         Base64URL encodedHash = Base64URL.encode(hashBytesLeftHalf);
         // create JWT claims
@@ -254,32 +280,21 @@ private static ResponseEntity<String> response401() {
 
 
     private static class AccessTokenInfo {
-        User user;
-        String accessToken;
-        Date expiration;
-        String[] scopes;
+        final User user;
+        final String accessToken;
+        final Date expiration;
+        final String scope;
+        final String clientId;
+        final String iss;
 
-        public AccessTokenInfo(User user, String accessToken, Date expiration, String[] scopes) {
+        public AccessTokenInfo(User user, String accessToken, Date expiration, String scope, String clientId, String iss) {
             this.user = user;
             this.accessToken = accessToken;
             this.expiration = expiration;
-            this.scopes = scopes;
+            this.scope = scope;
+            this.clientId = clientId;
+            this.iss = iss;
         }
 
-        public User getUser() {
-            return user;
-        }
-
-        public String getAccessToken() {
-            return accessToken;
-        }
-
-        public Date getExpiration() {
-            return expiration;
-        }
-
-        public String[] getScopes() {
-            return scopes;
-        }
     }
 }
