From b91c3fdbb044e62d713ab0b581267dc91d9efcd3 Mon Sep 17 00:00:00 2001 From: Lachlan Roberts Date: Mon, 16 Aug 2021 15:43:19 +1000 Subject: [PATCH 1/3] Issue #6617 - add support for the client_secret_basic authentication method Signed-off-by: Lachlan Roberts --- .../src/main/config/etc/jetty-openid.xml | 1 + .../src/main/config/modules/openid.mod | 3 +++ .../security/openid/OpenIdConfiguration.java | 23 ++++++++++++++++ .../security/openid/OpenIdCredentials.java | 26 +++++++++++++++---- 4 files changed, 48 insertions(+), 5 deletions(-) diff --git a/jetty-openid/src/main/config/etc/jetty-openid.xml b/jetty-openid/src/main/config/etc/jetty-openid.xml index 5072c160495..4e792549121 100644 --- a/jetty-openid/src/main/config/etc/jetty-openid.xml +++ b/jetty-openid/src/main/config/etc/jetty-openid.xml @@ -26,6 +26,7 @@ + diff --git a/jetty-openid/src/main/config/modules/openid.mod b/jetty-openid/src/main/config/modules/openid.mod index 85f0de4c889..2c2072bb900 100644 --- a/jetty-openid/src/main/config/modules/openid.mod +++ b/jetty-openid/src/main/config/modules/openid.mod @@ -42,3 +42,6 @@ etc/jetty-openid.xml ## True if all certificates should be trusted by the default SslContextFactory # jetty.openid.sslContextFactory.trustAll=false + +## What authentication method to use with the Token Endpoint (client_secret_post, client_secret_basic). +# jetty.openid.basicAuth=client_secret_post \ No newline at end of file diff --git a/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdConfiguration.java b/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdConfiguration.java index a1a82fe2b0e..043a5f4ee80 100644 --- a/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdConfiguration.java +++ b/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdConfiguration.java @@ -45,6 +45,7 @@ public class OpenIdConfiguration extends ContainerLifeCycle private final String clientId; private final String clientSecret; private final List scopes = new ArrayList<>(); + private final String authMethod; private String authEndpoint; private String tokenEndpoint; @@ -70,6 +71,22 @@ public class OpenIdConfiguration extends ContainerLifeCycle */ public OpenIdConfiguration(String issuer, String authorizationEndpoint, String tokenEndpoint, String clientId, String clientSecret, HttpClient httpClient) + { + this(issuer, authorizationEndpoint, tokenEndpoint, clientId, clientSecret, "post", httpClient); + } + + /** + * Create an OpenID configuration for a specific OIDC provider. + * @param issuer The URL of the OpenID provider. + * @param authorizationEndpoint the URL of the OpenID provider's authorization endpoint if configured. + * @param tokenEndpoint the URL of the OpenID provider's token endpoint if configured. + * @param clientId OAuth 2.0 Client Identifier valid at the Authorization Server. + * @param clientSecret The client secret known only by the Client and the Authorization Server. + * @param authMethod Authentication method to use with the Token Endpoint. + * @param httpClient The {@link HttpClient} instance to use. + */ + public OpenIdConfiguration(String issuer, String authorizationEndpoint, String tokenEndpoint, + String clientId, String clientSecret, String authMethod, HttpClient httpClient) { this.issuer = issuer; this.clientId = clientId; @@ -77,6 +94,7 @@ public class OpenIdConfiguration extends ContainerLifeCycle this.authEndpoint = authorizationEndpoint; this.tokenEndpoint = tokenEndpoint; this.httpClient = httpClient != null ? httpClient : newHttpClient(); + this.authMethod = authMethod; if (this.issuer == null) throw new IllegalArgumentException("Issuer was not configured"); @@ -177,6 +195,11 @@ public class OpenIdConfiguration extends ContainerLifeCycle return tokenEndpoint; } + public String getAuthMethod() + { + return authMethod; + } + public void addScopes(String... scopes) { if (scopes != null) diff --git a/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdCredentials.java b/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdCredentials.java index c87ef1604f2..de90391a6dc 100644 --- a/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdCredentials.java +++ b/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdCredentials.java @@ -14,12 +14,15 @@ package org.eclipse.jetty.security.openid; import java.io.Serializable; +import java.net.URI; import java.util.Arrays; import java.util.Map; import java.util.concurrent.TimeUnit; +import org.eclipse.jetty.client.api.Authentication; import org.eclipse.jetty.client.api.ContentResponse; import org.eclipse.jetty.client.api.Request; +import org.eclipse.jetty.client.util.BasicAuthentication; import org.eclipse.jetty.client.util.FormRequestContent; import org.eclipse.jetty.util.Fields; import org.eclipse.jetty.util.ajax.JSON; @@ -153,14 +156,27 @@ public class OpenIdCredentials implements Serializable { Fields fields = new Fields(); fields.add("code", authCode); - fields.add("client_id", configuration.getClientId()); - fields.add("client_secret", configuration.getClientSecret()); fields.add("redirect_uri", redirectUri); fields.add("grant_type", "authorization_code"); + + Request request = configuration.getHttpClient().POST(configuration.getTokenEndpoint()); + switch (configuration.getAuthMethod()) + { + case "client_secret_basic": + URI uri = URI.create(configuration.getTokenEndpoint()); + Authentication.Result authentication = new BasicAuthentication.BasicResult(uri, configuration.getClientId(), configuration.getClientSecret()); + authentication.apply(request); + break; + case "client_secret_post": + fields.add("client_id", configuration.getClientId()); + fields.add("client_secret", configuration.getClientSecret()); + break; + default: + throw new IllegalStateException(configuration.getAuthMethod()); + } + FormRequestContent formContent = new FormRequestContent(fields); - Request request = configuration.getHttpClient().POST(configuration.getTokenEndpoint()) - .body(formContent) - .timeout(10, TimeUnit.SECONDS); + request = request.body(formContent).timeout(10, TimeUnit.SECONDS); ContentResponse response = request.send(); String responseBody = response.getContentAsString(); if (LOG.isDebugEnabled()) From b0503091c223194b79425fc9a8a481f908120e6d Mon Sep 17 00:00:00 2001 From: Lachlan Roberts Date: Tue, 17 Aug 2021 09:24:02 +1000 Subject: [PATCH 2/3] Use correct auth method string in OpenIdConfiguration default constructor Signed-off-by: Lachlan Roberts --- .../org/eclipse/jetty/security/openid/OpenIdConfiguration.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdConfiguration.java b/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdConfiguration.java index 043a5f4ee80..8a60ec3418c 100644 --- a/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdConfiguration.java +++ b/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdConfiguration.java @@ -72,7 +72,7 @@ public class OpenIdConfiguration extends ContainerLifeCycle public OpenIdConfiguration(String issuer, String authorizationEndpoint, String tokenEndpoint, String clientId, String clientSecret, HttpClient httpClient) { - this(issuer, authorizationEndpoint, tokenEndpoint, clientId, clientSecret, "post", httpClient); + this(issuer, authorizationEndpoint, tokenEndpoint, clientId, clientSecret, "client_secret_post", httpClient); } /** From 50798ff504d64f9290be70f5649518ce1f581cb7 Mon Sep 17 00:00:00 2001 From: Lachlan Roberts Date: Wed, 18 Aug 2021 10:43:50 +1000 Subject: [PATCH 3/3] Issue #6617 - change jetty property name to jetty.openid.authMethod Signed-off-by: Lachlan Roberts --- jetty-openid/src/main/config/etc/jetty-openid.xml | 2 +- jetty-openid/src/main/config/modules/openid.mod | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/jetty-openid/src/main/config/etc/jetty-openid.xml b/jetty-openid/src/main/config/etc/jetty-openid.xml index 4e792549121..8e252c22f80 100644 --- a/jetty-openid/src/main/config/etc/jetty-openid.xml +++ b/jetty-openid/src/main/config/etc/jetty-openid.xml @@ -26,7 +26,7 @@ - + diff --git a/jetty-openid/src/main/config/modules/openid.mod b/jetty-openid/src/main/config/modules/openid.mod index 2c2072bb900..7f04767a2d9 100644 --- a/jetty-openid/src/main/config/modules/openid.mod +++ b/jetty-openid/src/main/config/modules/openid.mod @@ -44,4 +44,4 @@ etc/jetty-openid.xml # jetty.openid.sslContextFactory.trustAll=false ## What authentication method to use with the Token Endpoint (client_secret_post, client_secret_basic). -# jetty.openid.basicAuth=client_secret_post \ No newline at end of file +# jetty.openid.authMethod=client_secret_post