From 84a122f524720b5a3bb033af83fe5a1ea608576d Mon Sep 17 00:00:00 2001 From: Lachlan Roberts Date: Mon, 16 Aug 2021 15:43:19 +1000 Subject: [PATCH 1/3] Issue #6617 - add support for the client_secret_basic authentication method Signed-off-by: Lachlan Roberts --- .../src/main/config/etc/jetty-openid.xml | 1 + .../src/main/config/modules/openid.mod | 7 +++-- .../security/openid/OpenIdConfiguration.java | 23 +++++++++++++++ .../security/openid/OpenIdCredentials.java | 28 +++++++++++++++---- 4 files changed, 51 insertions(+), 8 deletions(-) diff --git a/jetty-openid/src/main/config/etc/jetty-openid.xml b/jetty-openid/src/main/config/etc/jetty-openid.xml index 1daa662318c..d11b935730f 100644 --- a/jetty-openid/src/main/config/etc/jetty-openid.xml +++ b/jetty-openid/src/main/config/etc/jetty-openid.xml @@ -16,6 +16,7 @@ + diff --git a/jetty-openid/src/main/config/modules/openid.mod b/jetty-openid/src/main/config/modules/openid.mod index fde0b9882e1..2c2072bb900 100644 --- a/jetty-openid/src/main/config/modules/openid.mod +++ b/jetty-openid/src/main/config/modules/openid.mod @@ -1,7 +1,7 @@ # DO NOT EDIT - See: https://www.eclipse.org/jetty/documentation/current/startup-modules.html [description] -Adds OpenId Connect authentication. +Adds OpenId Connect authentication to the server. [depend] security @@ -41,4 +41,7 @@ etc/jetty-openid.xml # jetty.openid.authenticateNewUsers=false ## True if all certificates should be trusted by the default SslContextFactory -# jetty.openid.sslContextFactory.trustAll=false \ No newline at end of file +# jetty.openid.sslContextFactory.trustAll=false + +## What authentication method to use with the Token Endpoint (client_secret_post, client_secret_basic). +# jetty.openid.basicAuth=client_secret_post \ No newline at end of file diff --git a/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdConfiguration.java b/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdConfiguration.java index 5e266fdc422..626e41ebe80 100644 --- a/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdConfiguration.java +++ b/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdConfiguration.java @@ -48,6 +48,7 @@ public class OpenIdConfiguration extends ContainerLifeCycle private final String clientId; private final String clientSecret; private final List scopes = new ArrayList<>(); + private final String authMethod; private String authEndpoint; private String tokenEndpoint; @@ -73,6 +74,22 @@ public class OpenIdConfiguration extends ContainerLifeCycle */ public OpenIdConfiguration(String issuer, String authorizationEndpoint, String tokenEndpoint, String clientId, String clientSecret, HttpClient httpClient) + { + this(issuer, authorizationEndpoint, tokenEndpoint, clientId, clientSecret, "post", httpClient); + } + + /** + * Create an OpenID configuration for a specific OIDC provider. + * @param issuer The URL of the OpenID provider. + * @param authorizationEndpoint the URL of the OpenID provider's authorization endpoint if configured. + * @param tokenEndpoint the URL of the OpenID provider's token endpoint if configured. + * @param clientId OAuth 2.0 Client Identifier valid at the Authorization Server. + * @param clientSecret The client secret known only by the Client and the Authorization Server. + * @param authMethod Authentication method to use with the Token Endpoint. + * @param httpClient The {@link HttpClient} instance to use. + */ + public OpenIdConfiguration(String issuer, String authorizationEndpoint, String tokenEndpoint, + String clientId, String clientSecret, String authMethod, HttpClient httpClient) { this.issuer = issuer; this.clientId = clientId; @@ -80,6 +97,7 @@ public class OpenIdConfiguration extends ContainerLifeCycle this.authEndpoint = authorizationEndpoint; this.tokenEndpoint = tokenEndpoint; this.httpClient = httpClient != null ? httpClient : newHttpClient(); + this.authMethod = authMethod; if (this.issuer == null) throw new IllegalArgumentException("Issuer was not configured"); @@ -179,6 +197,11 @@ public class OpenIdConfiguration extends ContainerLifeCycle return tokenEndpoint; } + public String getAuthMethod() + { + return authMethod; + } + public void addScopes(String... scopes) { if (scopes != null) diff --git a/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdCredentials.java b/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdCredentials.java index 622595ded24..7076a19fc08 100644 --- a/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdCredentials.java +++ b/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdCredentials.java @@ -19,13 +19,16 @@ package org.eclipse.jetty.security.openid; import java.io.Serializable; +import java.net.URI; import java.util.Arrays; import java.util.List; import java.util.Map; import java.util.concurrent.TimeUnit; +import org.eclipse.jetty.client.api.Authentication; import org.eclipse.jetty.client.api.ContentResponse; import org.eclipse.jetty.client.api.Request; +import org.eclipse.jetty.client.util.BasicAuthentication; import org.eclipse.jetty.client.util.FormContentProvider; import org.eclipse.jetty.util.Fields; import org.eclipse.jetty.util.ajax.JSON; @@ -173,14 +176,27 @@ public class OpenIdCredentials implements Serializable { Fields fields = new Fields(); fields.add("code", authCode); - fields.add("client_id", configuration.getClientId()); - fields.add("client_secret", configuration.getClientSecret()); fields.add("redirect_uri", redirectUri); fields.add("grant_type", "authorization_code"); - FormContentProvider formContentProvider = new FormContentProvider(fields); - Request request = configuration.getHttpClient().POST(configuration.getTokenEndpoint()) - .content(formContentProvider) - .timeout(10, TimeUnit.SECONDS); + + Request request = configuration.getHttpClient().POST(configuration.getTokenEndpoint()); + switch (configuration.getAuthMethod()) + { + case "client_secret_basic": + URI uri = URI.create(configuration.getTokenEndpoint()); + Authentication.Result authentication = new BasicAuthentication.BasicResult(uri, configuration.getClientId(), configuration.getClientSecret()); + authentication.apply(request); + break; + case "client_secret_post": + fields.add("client_id", configuration.getClientId()); + fields.add("client_secret", configuration.getClientSecret()); + break; + default: + throw new IllegalStateException(configuration.getAuthMethod()); + } + + FormContentProvider formContent = new FormContentProvider(fields); + request = request.content(formContent).timeout(10, TimeUnit.SECONDS); ContentResponse response = request.send(); String responseBody = response.getContentAsString(); if (LOG.isDebugEnabled()) From 604f6b3f82b0a5a3f3e6070f2643433ff3aba369 Mon Sep 17 00:00:00 2001 From: Lachlan Roberts Date: Tue, 17 Aug 2021 09:24:02 +1000 Subject: [PATCH 2/3] Use correct auth method string in OpenIdConfiguration default constructor Signed-off-by: Lachlan Roberts --- .../org/eclipse/jetty/security/openid/OpenIdConfiguration.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdConfiguration.java b/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdConfiguration.java index 626e41ebe80..79bdf7c89f8 100644 --- a/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdConfiguration.java +++ b/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdConfiguration.java @@ -75,7 +75,7 @@ public class OpenIdConfiguration extends ContainerLifeCycle public OpenIdConfiguration(String issuer, String authorizationEndpoint, String tokenEndpoint, String clientId, String clientSecret, HttpClient httpClient) { - this(issuer, authorizationEndpoint, tokenEndpoint, clientId, clientSecret, "post", httpClient); + this(issuer, authorizationEndpoint, tokenEndpoint, clientId, clientSecret, "client_secret_post", httpClient); } /** From 11c8ea0fa2cd65a4ac9d208f6813f4c91f6a9550 Mon Sep 17 00:00:00 2001 From: Lachlan Roberts Date: Wed, 18 Aug 2021 10:43:50 +1000 Subject: [PATCH 3/3] Issue #6617 - change jetty property name to jetty.openid.authMethod Signed-off-by: Lachlan Roberts --- jetty-openid/src/main/config/etc/jetty-openid.xml | 2 +- jetty-openid/src/main/config/modules/openid.mod | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/jetty-openid/src/main/config/etc/jetty-openid.xml b/jetty-openid/src/main/config/etc/jetty-openid.xml index d11b935730f..714963a11bc 100644 --- a/jetty-openid/src/main/config/etc/jetty-openid.xml +++ b/jetty-openid/src/main/config/etc/jetty-openid.xml @@ -16,7 +16,7 @@ - + diff --git a/jetty-openid/src/main/config/modules/openid.mod b/jetty-openid/src/main/config/modules/openid.mod index 2c2072bb900..7f04767a2d9 100644 --- a/jetty-openid/src/main/config/modules/openid.mod +++ b/jetty-openid/src/main/config/modules/openid.mod @@ -44,4 +44,4 @@ etc/jetty-openid.xml # jetty.openid.sslContextFactory.trustAll=false ## What authentication method to use with the Token Endpoint (client_secret_post, client_secret_basic). -# jetty.openid.basicAuth=client_secret_post \ No newline at end of file +# jetty.openid.authMethod=client_secret_post