restore ee9 version
Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
This commit is contained in:
parent
b6a6ef9106
commit
ab16327315
|
@ -11,7 +11,7 @@
|
|||
// ========================================================================
|
||||
//
|
||||
|
||||
package org.eclipse.jetty.security.openid;
|
||||
package org.eclipse.jetty.ee9.security.openid;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collections;
|
||||
|
@ -40,9 +40,6 @@ public class OpenIdConfiguration extends ContainerLifeCycle
|
|||
{
|
||||
private static final Logger LOG = LoggerFactory.getLogger(OpenIdConfiguration.class);
|
||||
private static final String CONFIG_PATH = "/.well-known/openid-configuration";
|
||||
private static final String AUTHORIZATION_ENDPOINT = "authorization_endpoint";
|
||||
private static final String TOKEN_ENDPOINT = "token_endpoint";
|
||||
private static final String ISSUER = "issuer";
|
||||
|
||||
private final HttpClient httpClient;
|
||||
private final String issuer;
|
||||
|
@ -119,45 +116,35 @@ public class OpenIdConfiguration extends ContainerLifeCycle
|
|||
|
||||
if (authEndpoint == null || tokenEndpoint == null)
|
||||
{
|
||||
Map<String, Object> discoveryDocument = fetchOpenIdConnectMetadata();
|
||||
processMetadata(discoveryDocument);
|
||||
Map<String, Object> discoveryDocument = fetchOpenIdConnectMetadata(issuer, httpClient);
|
||||
|
||||
authEndpoint = (String)discoveryDocument.get("authorization_endpoint");
|
||||
if (authEndpoint == null)
|
||||
throw new IllegalArgumentException("authorization_endpoint");
|
||||
|
||||
tokenEndpoint = (String)discoveryDocument.get("token_endpoint");
|
||||
if (tokenEndpoint == null)
|
||||
throw new IllegalArgumentException("token_endpoint");
|
||||
|
||||
if (!Objects.equals(discoveryDocument.get("issuer"), issuer))
|
||||
LOG.warn("The issuer in the metadata is not correct.");
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Process the OpenID Connect metadata discovered by {@link #fetchOpenIdConnectMetadata()}.
|
||||
* By default, only the {@link #AUTHORIZATION_ENDPOINT} and {@link #TOKEN_ENDPOINT} claims are extracted.
|
||||
* @see <a href="https://openid.net/specs/openid-connect-discovery-1_0.html">OpenID Connect Discovery 1.0</a>
|
||||
* @throws IllegalStateException if a required field is not present in the metadata.
|
||||
*/
|
||||
protected void processMetadata(Map<String, Object> discoveryDocument)
|
||||
private static HttpClient newHttpClient()
|
||||
{
|
||||
authEndpoint = (String)discoveryDocument.get(AUTHORIZATION_ENDPOINT);
|
||||
if (authEndpoint == null)
|
||||
throw new IllegalStateException(AUTHORIZATION_ENDPOINT);
|
||||
|
||||
tokenEndpoint = (String)discoveryDocument.get(TOKEN_ENDPOINT);
|
||||
if (tokenEndpoint == null)
|
||||
throw new IllegalStateException(TOKEN_ENDPOINT);
|
||||
|
||||
// We are lenient and not throw here as some major OIDC providers do not conform to this.
|
||||
if (!Objects.equals(discoveryDocument.get(ISSUER), issuer))
|
||||
LOG.warn("The issuer in the metadata is not correct.");
|
||||
ClientConnector connector = new ClientConnector();
|
||||
connector.setSslContextFactory(new SslContextFactory.Client(false));
|
||||
return new HttpClient(new HttpClientTransportOverHTTP(connector));
|
||||
}
|
||||
|
||||
/**
|
||||
* Obtain the JSON metadata from OpenID Connect Discovery Configuration Endpoint.
|
||||
* @return a set of Claims about the OpenID Provider's configuration in JSON format.
|
||||
* @throws IllegalStateException if metadata could not be fetched from the OP.
|
||||
*/
|
||||
protected Map<String, Object> fetchOpenIdConnectMetadata()
|
||||
private static Map<String, Object> fetchOpenIdConnectMetadata(String provider, HttpClient httpClient)
|
||||
{
|
||||
String provider = issuer;
|
||||
if (provider.endsWith("/"))
|
||||
provider = provider.substring(0, provider.length() - 1);
|
||||
|
||||
try
|
||||
{
|
||||
if (provider.endsWith("/"))
|
||||
provider = provider.substring(0, provider.length() - 1);
|
||||
|
||||
Map<String, Object> result;
|
||||
String responseBody = httpClient.GET(provider + CONFIG_PATH).getContentAsString();
|
||||
Object parsedResult = new JSON().fromJSON(responseBody);
|
||||
|
@ -180,7 +167,7 @@ public class OpenIdConfiguration extends ContainerLifeCycle
|
|||
}
|
||||
catch (Exception e)
|
||||
{
|
||||
throw new IllegalStateException("invalid identity provider " + provider, e);
|
||||
throw new IllegalArgumentException("invalid identity provider " + provider, e);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -240,13 +227,6 @@ public class OpenIdConfiguration extends ContainerLifeCycle
|
|||
this.authenticateNewUsers = authenticateNewUsers;
|
||||
}
|
||||
|
||||
private static HttpClient newHttpClient()
|
||||
{
|
||||
ClientConnector connector = new ClientConnector();
|
||||
connector.setSslContextFactory(new SslContextFactory.Client(false));
|
||||
return new HttpClient(new HttpClientTransportOverHTTP(connector));
|
||||
}
|
||||
|
||||
@Override
|
||||
public String toString()
|
||||
{
|
||||
|
|
|
@ -11,7 +11,7 @@
|
|||
// ========================================================================
|
||||
//
|
||||
|
||||
package org.eclipse.jetty.security.authentication;
|
||||
package org.eclipse.jetty.ee9.security.authentication;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.io.PrintWriter;
|
||||
|
@ -25,14 +25,14 @@ import jakarta.servlet.ServletResponse;
|
|||
import jakarta.servlet.WriteListener;
|
||||
import jakarta.servlet.http.Cookie;
|
||||
import jakarta.servlet.http.HttpServletResponse;
|
||||
import org.eclipse.jetty.security.IdentityService;
|
||||
import org.eclipse.jetty.security.LoggedOutAuthentication;
|
||||
import org.eclipse.jetty.security.LoginService;
|
||||
import org.eclipse.jetty.security.SecurityHandler;
|
||||
import org.eclipse.jetty.security.ServerAuthException;
|
||||
import org.eclipse.jetty.security.UserAuthentication;
|
||||
import org.eclipse.jetty.server.Authentication;
|
||||
import org.eclipse.jetty.server.UserIdentity;
|
||||
import org.eclipse.jetty.ee9.nested.Authentication;
|
||||
import org.eclipse.jetty.ee9.nested.UserIdentity;
|
||||
import org.eclipse.jetty.ee9.security.IdentityService;
|
||||
import org.eclipse.jetty.ee9.security.LoggedOutAuthentication;
|
||||
import org.eclipse.jetty.ee9.security.LoginService;
|
||||
import org.eclipse.jetty.ee9.security.SecurityHandler;
|
||||
import org.eclipse.jetty.ee9.security.ServerAuthException;
|
||||
import org.eclipse.jetty.ee9.security.UserAuthentication;
|
||||
import org.eclipse.jetty.util.IO;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
|
@ -120,8 +120,11 @@ public class DeferredAuthentication implements Authentication.Deferred
|
|||
if (security != null)
|
||||
{
|
||||
security.logout(null);
|
||||
_authenticator.logout(request);
|
||||
return new LoggedOutAuthentication(_authenticator);
|
||||
if (_authenticator instanceof LoginAuthenticator)
|
||||
{
|
||||
((LoginAuthenticator)_authenticator).logout(request);
|
||||
return new LoggedOutAuthentication((LoginAuthenticator)_authenticator);
|
||||
}
|
||||
}
|
||||
|
||||
return Authentication.UNAUTHENTICATED;
|
||||
|
|
Loading…
Reference in New Issue