feat: transfer idToken claims to session (#2865)

* feat: transfer idToken claims to session

* fixed NPE

* fixed assertion

* added 'getSession' scripting function

---------

Co-authored-by: Christian Gördes <118011644+christiangoerdes@users.noreply.github.com>

Author: rrayst

core/src/main/java/com/predic8/membrane/core/interceptor/oauth2client/rf/SessionAuthorizer.java

@@ -72,6 +72,7 @@ public void setSkipUserInfo(boolean skip) {
     }
 
     public void authorizeSession(Map<String, Object> userInfo, Session session, String authSubject) {
+        userInfo.forEach((k, v) -> { if (v != null) { session.put("idToken." + k, v); } });
 
         session.put("headerX-Authenticated-" + convertFirstLetterToUpper(authSubject), getUsername(userInfo, auth));
 

core/src/main/java/com/predic8/membrane/core/lang/CommonBuiltInFunctions.java

@@ -6,6 +6,7 @@
 import com.predic8.membrane.core.http.Message;
 import com.predic8.membrane.core.interceptor.AbstractInterceptorWithSession;
 import com.predic8.membrane.core.interceptor.Interceptor.Flow;
+import com.predic8.membrane.core.interceptor.session.Session;
 import com.predic8.membrane.core.security.BasicHttpSecurityScheme;
 import com.predic8.membrane.core.security.SecurityScheme;
 import org.slf4j.Logger;
@@ -129,6 +130,16 @@ public static boolean isLoggedIn(String beanName, Exchange exc) {
         }
     }
 
+    public static Session getSession(String beanName, Exchange exc) {
+        try {
+            return ((AbstractInterceptorWithSession) requireNonNull(exc.getHandler().getTransport().getRouter().getBeanFactory()).getBean(beanName))
+                    .getSessionManager().getSession(exc);
+        } catch (Exception e) {
+            log.info("Failed to resolve bean with name '{}'", beanName);
+            return null;
+        }
+    }
+
     public static long getDefaultSessionLifetime(String beanName, Exchange exc) {
         try {
             return ((AbstractInterceptorWithSession) requireNonNull(exc.getHandler().getTransport().getRouter().getBeanFactory()).getBean(beanName))

core/src/main/java/com/predic8/membrane/core/lang/groovy/GroovyBuiltInFunctions.java

@@ -2,6 +2,7 @@
 
 import com.predic8.membrane.core.exchange.Exchange;
 import com.predic8.membrane.core.interceptor.Interceptor.Flow;
+import com.predic8.membrane.core.interceptor.session.Session;
 import com.predic8.membrane.core.lang.CommonBuiltInFunctions;
 import groovy.lang.GroovyObjectSupport;
 
@@ -75,6 +76,10 @@ public boolean isLoggedIn(String beanName) {
         return CommonBuiltInFunctions.isLoggedIn(beanName, exchange);
     }
 
+    public Session getSession(String beanName) {
+        return CommonBuiltInFunctions.getSession(beanName, exchange);
+    }
+
     public long getDefaultSessionLifetime(String beanName) {
         return CommonBuiltInFunctions.getDefaultSessionLifetime(beanName, exchange);
     }

core/src/main/java/com/predic8/membrane/core/lang/spel/functions/SpELBuiltInFunctions.java

@@ -13,6 +13,7 @@
    limitations under the License. */
 package com.predic8.membrane.core.lang.spel.functions;
 
+import com.predic8.membrane.core.interceptor.session.Session;
 import com.predic8.membrane.core.lang.CommonBuiltInFunctions;
 import com.predic8.membrane.core.lang.spel.SpELExchangeEvaluationContext;
 
@@ -40,6 +41,10 @@ public static boolean isLoggedIn(String beanName, SpELExchangeEvaluationContext
         return CommonBuiltInFunctions.isLoggedIn(beanName, ctx.getExchange());
     }
 
+    public static Session getSession(String beanName, SpELExchangeEvaluationContext ctx) {
+        return CommonBuiltInFunctions.getSession(beanName, ctx.getExchange());
+    }
+
     public static long getDefaultSessionLifetime(String beanName, SpELExchangeEvaluationContext ctx) {
         return CommonBuiltInFunctions.getDefaultSessionLifetime(beanName, ctx.getExchange());
     }

core/src/test/java/com/predic8/membrane/core/interceptor/oauth2/client/b2c/B2CMembrane.java

@@ -19,10 +19,12 @@
 import com.predic8.membrane.core.exchange.*;
 import com.predic8.membrane.core.http.*;
 import com.predic8.membrane.core.interceptor.*;
+import com.predic8.membrane.core.interceptor.flow.ReturnInterceptor;
 import com.predic8.membrane.core.interceptor.oauth2.*;
 import com.predic8.membrane.core.interceptor.oauth2.authorizationservice.*;
 import com.predic8.membrane.core.interceptor.oauth2client.*;
 import com.predic8.membrane.core.interceptor.session.*;
+import com.predic8.membrane.core.interceptor.templating.TemplateInterceptor;
 import com.predic8.membrane.core.proxies.*;
 import org.jetbrains.annotations.*;
 
@@ -88,7 +90,9 @@ public void init() {
         });
         ServiceProxy sp7_requireAuth = createRequireAuthServiceProxy(tc.api2Id, "/api2/", ra -> ra.setScope("https://localhost/" + tc.api2Id + "/Read"));
         ServiceProxy sp8_afterLogout = createAfterLogoutServiceProxy();
+        ServiceProxy sp9_getClaim = createGetClaimProxy();
 
+        oauth2Resource.getRuleManager().addProxy(sp9_getClaim, MANUAL);
         oauth2Resource.getRuleManager().addProxy(sp8_afterLogout, MANUAL);
         oauth2Resource.getRuleManager().addProxy(sp7_requireAuth, MANUAL);
         oauth2Resource.getRuleManager().addProxy(sp6_requireAuth_ErrorStatus403, MANUAL);
@@ -99,6 +103,9 @@ public void init() {
         oauth2Resource.getRuleManager().addProxy(sp1_oauth2resource2, MANUAL);
         oauth2Resource.start();
 
+        FakeApplicationContext applicationContext = new FakeApplicationContext();
+        applicationContext.registerBean("oauth2", oAuth2Resource2Interceptor);
+        oauth2Resource.setApplicationContext(applicationContext);
     }
 
     public void stop() {
@@ -201,6 +208,21 @@ public Outcome handleRequest(Exchange exc) {
         return sp;
     }
 
+    private ServiceProxy createGetClaimProxy() {
+        ServiceProxy sp = new ServiceProxy(new ServiceProxyKey(tc.clientPort), null, 99999);
+        Path p = new Path();
+        p.setUri("/claim");
+        sp.setPath(p);
+
+        TemplateInterceptor ti = new TemplateInterceptor();
+        ti.setContentType("application/json");
+        ti.setSrc("{\"claim\":\"${fn.getSession('oauth2')?.get('idToken.name')}\"}");
+        sp.getFlow().add(ti);
+        sp.getFlow().add(new ReturnInterceptor());
+
+        return sp;
+    }
+
     private static @NotNull List<LoginParameter> createLoginParameters2() {
         var lp1 = new LoginParameter();
         lp1.setName("domain_hint");
@@ -236,6 +258,8 @@ public Outcome handleRequestInternal(Exchange exc) throws IOException {
                 body.put("method", exc.getRequest().getMethod());
                 body.put("body", exc.getRequest().getBodyAsStringDecoded());
 
+                body.put("name", ((Session)exc.getProperty("SESSION")).get("idToken.name"));
+
                 exc.setResponse(ok(om.writeValueAsString(body)).build());
                 return RETURN;
             }