Issue #4138 - Changes from review

Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
2019-10-17 15:57:57 +11:00 · 2019-10-17 15:57:57 +11:00 · 337b6c1439
parent 039fb38070
commit 337b6c1439
3 changed files with 17 additions and 9 deletions
--- a/jetty-openid/src/main/config/etc/jetty-openid.xml
+++ b/jetty-openid/src/main/config/etc/jetty-openid.xml
@ -9,7 +9,6 @@
        <Set name="endpointIdentificationAlgorithm">https</Set>
      </New>
    </Arg>
-    <Set name="followRedirects" type="boolean">false</Set>
    <Set name="executor"><Ref refid="ThreadPool"/></Set>
  </New>
  <New id="OpenIdConfiguration" class="org.eclipse.jetty.security.openid.OpenIdConfiguration">
--- a/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdConfiguration.java
+++ b/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdConfiguration.java
@ -115,9 +115,7 @@ public class OpenIdConfiguration extends ContainerLifeCycle implements Serializa
    {
        SslContextFactory.Client sslContextFactory = new SslContextFactory.Client(false);
        sslContextFactory.setEndpointIdentificationAlgorithm("https");
-        HttpClient client = new HttpClient(sslContextFactory);
-        client.setFollowRedirects(false);
-        return client;
+        return new HttpClient(sslContextFactory);
    }

    private static Map<String, Object> fetchOpenIdConnectMetadata(String provider, HttpClient httpClient)
--- a/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdCredentials.java
+++ b/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdCredentials.java
@ -78,7 +78,7 @@ public class OpenIdCredentials implements Serializable
        return response;
    }

-    public void redeemAuthCode(HttpClient httpClient) throws Throwable
+    public void redeemAuthCode(HttpClient httpClient) throws Exception
    {
        if (LOG.isDebugEnabled())
            LOG.debug("redeemAuthCode() {}", this);
@ -185,7 +185,10 @@ public class OpenIdCredentials implements Serializable
        String jwtClaimString = new String(decoder.decode(padJWTSection(sections[1])), StandardCharsets.UTF_8);
        String jwtSignature = sections[2];

-        Map<String, Object> jwtHeader = (Map)JSON.parse(jwtHeaderString);
+        Object parsedJwtHeader = JSON.parse(jwtHeaderString);
+        if (!(parsedJwtHeader instanceof Map))
+            throw new IllegalStateException("Invalid JWT header");
+        Map<String, Object> jwtHeader = (Map)parsedJwtHeader;
        LOG.debug("JWT Header: {}", jwtHeader);

        /* If the ID Token is received via direct communication between the Client
@ -194,7 +197,11 @@ public class OpenIdCredentials implements Serializable
        if (LOG.isDebugEnabled())
            LOG.debug("JWT signature not validated {}", jwtSignature);

-        return (Map)JSON.parse(jwtClaimString);
+        Object parsedClaims = JSON.parse(jwtClaimString);
+        if (!(parsedClaims instanceof Map))
+            throw new IllegalStateException("Could not decode JSON for JWT claims.");
+
+        return (Map)parsedClaims;
    }

    private static byte[] padJWTSection(String unpaddedEncodedJwtSection)
@ -223,7 +230,7 @@ public class OpenIdCredentials implements Serializable
        return paddedEncodedJwtSection;
    }

-    private Map<String, Object> claimAuthCode(HttpClient httpClient, String authCode) throws Throwable
+    private Map<String, Object> claimAuthCode(HttpClient httpClient, String authCode) throws Exception
    {
        Fields fields = new Fields();
        fields.add("code", authCode);
@ -240,6 +247,10 @@ public class OpenIdCredentials implements Serializable
        if (LOG.isDebugEnabled())
            LOG.debug("Authentication response: {}", responseBody);

-        return (Map)JSON.parse(responseBody);
+        Object parsedResponse = JSON.parse(responseBody);
+        if (!(parsedResponse instanceof Map))
+            throw new IllegalStateException("Malformed response from OpenID Provider");
+
+        return (Map)parsedResponse;
    }
 }