Provide fix for Google iss claim

Fixes gh-4511
This commit is contained in:
Joe Grandja 2017-08-26 18:49:05 -04:00
parent 4951550d7d
commit b6212cba66
1 changed files with 17 additions and 1 deletions


@ -44,11 +44,27 @@ public class IdToken extends SecurityToken implements IdTokenClaimAccessor {
public IdToken(String tokenValue, Instant issuedAt, Instant expiresAt, Map<String, Object> claims) { public IdToken(String tokenValue, Instant issuedAt, Instant expiresAt, Map<String, Object> claims) {
super(tokenValue, issuedAt, expiresAt); super(tokenValue, issuedAt, expiresAt);
Assert.notEmpty(claims, "claims cannot be empty"); Assert.notEmpty(claims, "claims cannot be empty");
this.claims = Collections.unmodifiableMap(new LinkedHashMap<>(claims)); this.claims = Collections.unmodifiableMap(new LinkedHashMap<>(this.sanitize(claims)));
} }
@Override @Override
public Map<String, Object> getClaims() { public Map<String, Object> getClaims() {
return this.claims; return this.claims;
} }
private Map<String, Object> sanitize(Map<String, Object> claims) {
// NOTE:
// Google's OpenID Connect implementation issues ID Tokens
// that omit the required https:// scheme prefix from the iss claim.
// This method will apply the required scheme prefix as a temporary workaround
// until Google's OpenID Connect implementation is updated.
// See http://openid.net/specs/openid-connect-core-1_0.html#GoogleIss
String iss = (String)claims.get(IdTokenClaim.ISS);
if (!iss.startsWith("https://")) {
claims = new LinkedHashMap<>(claims);
claims.put(IdTokenClaim.ISS, "https://" + iss);
}
return claims;
}
} }
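Review bot: `sanitize` dereferences the `iss` claim without a presence or type check — `(String)claims.get(IdTokenClaim.ISS)` followed by `iss.startsWith(...)` throws NullPointerException when the claim is absent and ClassCastException when it is not a String, so a malformed token now fails in the constructor with an unrelated exception instead of a clear validation error; the constructor's `Assert.notEmpty(claims, ...)` does not cover this. A guarded form keeps the workaround but fails safe: `Object iss = claims.get(IdTokenClaim.ISS);` / `if (iss instanceof String && !((String) iss).startsWith("https://")) {` / `claims.put(IdTokenClaim.ISS, "https://" + iss);`. The condition also only tests for the `https://` prefix, so a value carrying a different scheme would get a second scheme prepended; since `iss` feeds issuer validation, narrowing the rewrite to the known Google issuer value (as the linked spec section describes) rather than any issuer lacking the scheme would avoid silently altering the issuer for arbitrary providers. Minor: the constructor copies into a new `LinkedHashMap` again after `sanitize` has already copied when it modified, which is harmless but redundant.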