Eclipse
/
jetty.project
mirror of https://github.com/jetty/jetty.project.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Issue #4138 - use HttpClient for OpenID Authentication 

Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
This commit is contained in:
Lachlan Roberts 2019-10-16 16:26:21 +11:00
parent fd004817d4
commit 039fb38070
8 changed files with 88 additions and 175 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
jetty-openid/pom.xml
View File

@ -33,6 +33,11 @@
<artifactId>jetty-server</artifactId>
<version>${project.version}</version>
</dependency>
<dependency>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-client</artifactId>
<version>${project.version}</version>
</dependency>
<dependency>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-security</artifactId>
@ -54,10 +59,5 @@
<artifactId>jetty-test-helper</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-client</artifactId>
<version>${project.version}</version>
</dependency>
</dependencies>
</project>

15
jetty-openid/src/main/config/etc/jetty-openid.xml
View File

@ -1,8 +1,16 @@
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">
<Configure id="Server" class="org.eclipse.jetty.server.Server">
<New id="HttpClientFactory" class="org.eclipse.jetty.security.openid.OpenIdHttpClientFactory">
<Arg type="Boolean"><Property name="jetty.openid.trustAllCertificates" default="false"/></Arg>
<Get id="ThreadPool" name="threadPool"/>
<New id="HttpClient" class="org.eclipse.jetty.client.HttpClient">
<Arg>
<New class="org.eclipse.jetty.util.ssl.SslContextFactory$Client">
<Set name="trustAll" type="boolean">false</Set>
<Set name="endpointIdentificationAlgorithm">https</Set>
</New>
</Arg>
<Set name="followRedirects" type="boolean">false</Set>
<Set name="executor"><Ref refid="ThreadPool"/></Set>
</New>
<New id="OpenIdConfiguration" class="org.eclipse.jetty.security.openid.OpenIdConfiguration">
<Arg><Property name="jetty.openid.provider" deprecated="jetty.openid.openIdProvider"/></Arg>
@ -10,7 +18,7 @@
<Arg><Property name="jetty.openid.provider.tokenEndpoint"/></Arg>
<Arg><Property name="jetty.openid.clientId"/></Arg>
<Arg><Property name="jetty.openid.clientSecret"/></Arg>
<Arg><Ref refid="HttpClientFactory"/></Arg>
<Arg><Ref refid="HttpClient"/></Arg>
<Call name="addScopes">
<Arg>
<Call class="org.eclipse.jetty.util.StringUtil" name="csvSplit">
@ -24,7 +32,6 @@
<New class="org.eclipse.jetty.security.openid.OpenIdLoginService">
<Arg><Ref refid="OpenIdConfiguration"/></Arg>
<Arg><Ref refid="BaseLoginService"/></Arg>
<Arg><Ref refid="HttpClientFactory"/></Arg>
<Call name="setAuthenticateNewUsers">
<Arg type="boolean">
<Property name="jetty.openid.authenticateNewUsers" default="false"/>

3
jetty-openid/src/main/config/modules/openid.mod
View File

@ -22,9 +22,6 @@ etc/jetty-openid.xml
## The OpenID Identity Provider's issuer ID (the entire URL *before* ".well-known/openid-configuration")
# jetty.openid.provider=https://id.example.com/~
## Whether or not all certificates of the OpenID Connect provider's should be trusted. Only set to true during testing.
# jetty.openid.trustAllCertificates=false
## The OpenID Identity Provider's authorization endpoint (optional if the metadata of the OP is accessible)
# jetty.openid.provider.authorizationEndpoint=https://id.example.com/authorization

66
jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdConfiguration.java
View File

@ -28,8 +28,10 @@ import java.util.stream.Collectors;
import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.util.ajax.JSON;
import org.eclipse.jetty.util.component.ContainerLifeCycle;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
import org.eclipse.jetty.util.ssl.SslContextFactory;
/**
* Holds the configuration for an OpenID Connect service.
@ -37,18 +39,19 @@ import org.eclipse.jetty.util.log.Logger;
* This uses the OpenID Provider URL with the path {@link #CONFIG_PATH} to discover
* the required information about the OIDC service.
*/
public class OpenIdConfiguration implements Serializable
public class OpenIdConfiguration extends ContainerLifeCycle implements Serializable
{
private static final Logger LOG = Log.getLogger(OpenIdConfiguration.class);
private static final long serialVersionUID = 2227941990601349102L;
private static final String CONFIG_PATH = "/.well-known/openid-configuration";
private final HttpClient httpClient;
private final String issuer;
private final String authEndpoint;
private final String tokenEndpoint;
private final String clientId;
private final String clientSecret;
private final List<String> scopes = new ArrayList<>();
private String authEndpoint;
private String tokenEndpoint;
/**
* Create an OpenID configuration for a specific OIDC provider.
@ -58,7 +61,7 @@ public class OpenIdConfiguration implements Serializable
*/
public OpenIdConfiguration(String provider, String clientId, String clientSecret)
{
this(provider, null, null, clientId, clientSecret, null);
this(provider, null, null, clientId, clientSecret, newHttpClient());
}
/**
@ -68,41 +71,55 @@ public class OpenIdConfiguration implements Serializable
* @param tokenEndpoint the URL of the OpenID provider's token endpoint if configured.
* @param clientId OAuth 2.0 Client Identifier valid at the Authorization Server.
* @param clientSecret The client secret known only by the Client and the Authorization Server.
* @param factory A factory that can create the {@link HttpClient} which will discover the provider's metadata.
* @param httpClient The {@link HttpClient} instance to use.
*/
public OpenIdConfiguration(String issuer, String authorizationEndpoint, String tokenEndpoint,
String clientId, String clientSecret, OpenIdHttpClientFactory factory)
String clientId, String clientSecret, HttpClient httpClient)
{
this.issuer = issuer;
this.clientId = clientId;
this.clientSecret = clientSecret;
this.authEndpoint = authorizationEndpoint;
this.tokenEndpoint = tokenEndpoint;
this.httpClient = httpClient;
if (issuer == null)
throw new IllegalArgumentException("Provider was not configured");
if (this.issuer == null)
throw new IllegalArgumentException("Issuer was not configured");
if (tokenEndpoint == null || authorizationEndpoint == null)
addBean(this.httpClient);
}
@Override
protected void doStart() throws Exception
{
super.doStart();
if (authEndpoint == null || tokenEndpoint == null)
{
Map<String, Object> discoveryDocument = fetchOpenIdConnectMetadata(issuer, factory == null ?
new HttpClient() : factory.createHttpClient());
Map<String, Object> discoveryDocument = fetchOpenIdConnectMetadata(issuer, httpClient);
this.authEndpoint = (String)discoveryDocument.get("authorization_endpoint");
if (this.authEndpoint == null)
authEndpoint = (String)discoveryDocument.get("authorization_endpoint");
if (authEndpoint == null)
throw new IllegalArgumentException("authorization_endpoint");
this.tokenEndpoint = (String)discoveryDocument.get("token_endpoint");
if (this.tokenEndpoint == null)
tokenEndpoint = (String)discoveryDocument.get("token_endpoint");
if (tokenEndpoint == null)
throw new IllegalArgumentException("token_endpoint");
if (!Objects.equals(discoveryDocument.get("issuer"), issuer))
LOG.warn("The provider in the metadata is not correct.");
}
else
{
this.authEndpoint = authorizationEndpoint;
this.tokenEndpoint = tokenEndpoint;
throw new IllegalArgumentException("The provider in the metadata is not correct.");
}
}
private static HttpClient newHttpClient()
{
SslContextFactory.Client sslContextFactory = new SslContextFactory.Client(false);
sslContextFactory.setEndpointIdentificationAlgorithm("https");
HttpClient client = new HttpClient(sslContextFactory);
client.setFollowRedirects(false);
return client;
}
private static Map<String, Object> fetchOpenIdConnectMetadata(String provider, HttpClient httpClient)
{
try
@ -118,14 +135,12 @@ public class OpenIdConfiguration implements Serializable
if (parsedResult instanceof Map)
{
Map<?, ?> rawResult = (Map)parsedResult;
result = rawResult.entrySet().stream()
.collect(Collectors.toMap(it -> it.getKey().toString(), Map.Entry::getValue));
}
else
{
LOG.warn("OpenID provider did not return a proper JSON object response. Result was '{}'", responseBody);
throw new IllegalStateException("Could not parse OpenID provider's malformed response");
}
@ -139,6 +154,11 @@ public class OpenIdConfiguration implements Serializable
}
}
public HttpClient getHttpClient()
{
return httpClient;
}
public String getAuthEndpoint()
{
return authEndpoint;

88
jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdCredentials.java
View File

@ -18,29 +18,19 @@
package org.eclipse.jetty.security.openid;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.Serializable;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import java.util.stream.Collectors;
import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.client.api.ContentResponse;
import org.eclipse.jetty.client.api.Request;
import org.eclipse.jetty.client.util.FormContentProvider;
import org.eclipse.jetty.util.Fields;
import org.eclipse.jetty.util.IO;
import org.eclipse.jetty.util.UrlEncoded;
import org.eclipse.jetty.util.ajax.JSON;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
@ -51,7 +41,7 @@ import org.eclipse.jetty.util.log.Logger;
*
* <p>
* This is constructed with an authorization code from the authentication request. This authorization code
* is then exchanged using {@link #claimAuthCode} for a response containing the ID Token and Access Token.
* is then exchanged using {@link #redeemAuthCode(HttpClient)} for a response containing the ID Token and Access Token.
* The response is then validated against the {@link OpenIdConfiguration}.
* </p>
*/
@ -88,7 +78,7 @@ public class OpenIdCredentials implements Serializable
return response;
}
public void redeemAuthCode(HttpClient httpClient) throws IOException
public void redeemAuthCode(HttpClient httpClient) throws Throwable
{
if (LOG.isDebugEnabled())
LOG.debug("redeemAuthCode() {}", this);
@ -129,14 +119,8 @@ public class OpenIdCredentials implements Serializable
private void validateClaims()
{
// Issuer Identifier for the OpenID Provider MUST exactly match the value of the iss (issuer) Claim.
Object assertedIssuer = claims.get("iss");
String configuredIssuer = configuration.getIssuer();
if (!configuredIssuer.equals(assertedIssuer))
{
LOG.warn("Issuers don't match. Configured = {}, asserted = {}", configuredIssuer, assertedIssuer);
if (!configuration.getIssuer().equals(claims.get("iss")))
throw new IllegalArgumentException("Issuer Identifier MUST exactly match the iss Claim");
}
// The aud (audience) Claim MUST contain the client_id value.
validateAudience();
@ -239,57 +223,23 @@ public class OpenIdCredentials implements Serializable
return paddedEncodedJwtSection;
}
private Map<String, Object> claimAuthCode(HttpClient httpClient, String authCode)
private Map<String, Object> claimAuthCode(HttpClient httpClient, String authCode) throws Throwable
{
Map<String, Object> result;
Fields fields = new Fields();
fields.add("code", authCode);
fields.add("client_id", configuration.getClientId());
fields.add("client_secret", configuration.getClientSecret());
fields.add("redirect_uri", redirectUri);
fields.add("grant_type", "authorization_code");
FormContentProvider formContentProvider = new FormContentProvider(fields);
Request request = httpClient.POST(configuration.getTokenEndpoint())
.content(formContentProvider)
.timeout(10, TimeUnit.SECONDS);
ContentResponse response = request.send();
String responseBody = response.getContentAsString();
if (LOG.isDebugEnabled())
LOG.debug("Authentication response: {}", responseBody);
try
{
Fields fields = new Fields();
fields.add("code", authCode);
fields.add("client_id", configuration.getClientId());
fields.add("client_secret", configuration.getClientSecret());
fields.add("redirect_uri", redirectUri);
fields.add("grant_type", "authorization_code");
FormContentProvider formContentProvider = new FormContentProvider(fields);
Request request = httpClient.POST(configuration.getTokenEndpoint())
.content(formContentProvider)
.timeout(10, TimeUnit.SECONDS);
ContentResponse response = request.send();
String responseBody = response.getContentAsString();
Object parsedResult = JSON.parse(responseBody);
if (parsedResult instanceof Map)
{
Map<?, ?> rawResult = (Map)parsedResult;
result = rawResult.entrySet().stream().collect(Collectors.toMap(it -> it.getKey().toString(), Map.Entry::getValue));
LOG.debug("Got result from token server: {}", result);
}
else
{
LOG.warn("OpenID provider did not return a proper JSON object response. Result was '{}'", responseBody);
throw new IllegalStateException("Could not parse OpenID provider's malformed response");
}
}
catch (InterruptedException e)
{
LOG.debug("Call to token endpoint was interrupted", e);
result = Collections.emptyMap();
}
catch (ExecutionException e)
{
LOG.warn("Call to token endpoint was failed", e);
result = Collections.emptyMap();
}
catch (TimeoutException e)
{
LOG.warn("Call to token endpoint was did not complete in a timely manner", e);
result = Collections.emptyMap();
}
return result;
return (Map)JSON.parse(responseBody);
}
}

62
jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdHttpClientFactory.java
View File

@ -1,62 +0,0 @@
//
// ========================================================================
// Copyright (c) 1995-2019 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
package org.eclipse.jetty.security.openid;
import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.client.HttpClientTransport;
import org.eclipse.jetty.client.http.HttpClientTransportOverHTTP;
import org.eclipse.jetty.util.ssl.SslContextFactory;
public final class OpenIdHttpClientFactory
{
private final boolean trustAll;
public OpenIdHttpClientFactory()
{
this(false);
}
public OpenIdHttpClientFactory(boolean trustAll)
{
this.trustAll = trustAll;
}
public HttpClient createHttpClient()
{
SslContextFactory.Client sslContextFactory = new SslContextFactory.Client(trustAll);
sslContextFactory.setEndpointIdentificationAlgorithm("https");
HttpClientTransport transport = new HttpClientTransportOverHTTP();
HttpClient client = new HttpClient(transport, sslContextFactory);
client.setFollowRedirects(false);
try
{
client.start();
}
catch (Exception e)
{
throw new RuntimeException(e);
}
return client;
}
}

17
jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdLoginService.java
View File

@ -41,15 +41,15 @@ public class OpenIdLoginService extends ContainerLifeCycle implements LoginServi
{
private static final Logger LOG = Log.getLogger(OpenIdLoginService.class);
private final OpenIdConfiguration _configuration;
private final OpenIdConfiguration configuration;
private final LoginService loginService;
private final HttpClient httpClient;
private IdentityService identityService;
private boolean authenticateNewUsers;
public OpenIdLoginService(OpenIdConfiguration configuration, OpenIdHttpClientFactory factory)
public OpenIdLoginService(OpenIdConfiguration configuration)
{
this(configuration, null, factory);
this(configuration, null);
}
/**
@ -59,23 +59,24 @@ public class OpenIdLoginService extends ContainerLifeCycle implements LoginServi
* @param configuration the OpenID configuration to use.
* @param loginService the wrapped LoginService to defer to for user roles.
*/
public OpenIdLoginService(OpenIdConfiguration configuration, LoginService loginService, OpenIdHttpClientFactory factory)
public OpenIdLoginService(OpenIdConfiguration configuration, LoginService loginService)
{
_configuration = configuration;
this.configuration = configuration;
this.loginService = loginService;
this.httpClient = factory.createHttpClient();
this.httpClient = configuration.getHttpClient();
addBean(this.configuration);
addBean(this.loginService);
}
@Override
public String getName()
{
return _configuration.getIssuer();
return configuration.getIssuer();
}
public OpenIdConfiguration getConfiguration()
{
return _configuration;
return configuration;
}
@Override

2
jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdAuthenticationTest.java
View File

@ -102,7 +102,7 @@ public class OpenIdAuthenticationTest
OpenIdConfiguration configuration = new OpenIdConfiguration(openIdProvider.getProvider(), CLIENT_ID, CLIENT_SECRET);
// Configure OpenIdLoginService optionally providing a base LoginService to provide user roles
OpenIdLoginService loginService = new OpenIdLoginService(configuration, new OpenIdHttpClientFactory());
OpenIdLoginService loginService = new OpenIdLoginService(configuration);//, hashLoginService);
securityHandler.setLoginService(loginService);
Authenticator authenticator = new OpenIdAuthenticator(configuration, "/error");