Class OIDCCMServlet

  • All Implemented Interfaces:
    edu.uiuc.ncsa.security.core.Logable, Serializable, javax.servlet.Servlet, javax.servlet.ServletConfig

    public class OIDCCMServlet
    extends EnvServlet
    Note that in all of these calls, the assumption is that an admin client has been requested and approved out of band. The identifier and secret of that admin client are used to make the bearer token that grants access to the calls in this API. This implements RFC 7591 (dynamic client registration) and part of RFC 7592 (client management). For the most part, we do not allow client secrets to be set via this API, and since we do not store them (only a hash of them) we cannot return them. If a secret is lost, the only option is to register a new client.

    Nota Bene: RFC 7592 is Experimental and is not intended to become a standards-track specification, since there is too much variance in how client management can operate.

    Created by Jeff Gaynor
    on 11/28/18 at 10:04 AM

    See Also:
    Serialized Form
    • Constructor Detail

      • OIDCCMServlet

        public OIDCCMServlet()
    • Method Detail

      • storeUpdates

        public void storeUpdates()
                          throws IOException,
                                 SQLException
        Description copied from class: EnvServlet
        This will be invoked at init before anything else and should include code to seamlessly upgrade stores from earlier versions, for instance when a new column needs to be added to a table. This presupposes that the current database user has the permissions required to alter the table. This also updates the internal flag EnvServlet.storeUpdatesDone, which should be checked in overrides. If you override this method and call super, let super manage this flag; if it is already true, do not execute your update logic.
        Specified by:
        storeUpdates in class EnvServlet
        Throws:
        IOException
        SQLException
      • getOA2SE

        protected OA2SE getOA2SE()
      • doGet

        public void doGet​(javax.servlet.http.HttpServletRequest httpServletRequest,
                          javax.servlet.http.HttpServletResponse httpServletResponse)
                   throws javax.servlet.ServletException,
                          IOException
        Return information about the client. Note that we do not return the client secret in this call since, among other reasons, we do not have it (only its hash is stored).
        Overrides:
        doGet in class edu.uiuc.ncsa.security.servlet.AbstractServlet
        Parameters:
        httpServletRequest -
        httpServletResponse -
        Throws:
        javax.servlet.ServletException
        IOException
      • formatIdentifiable

        protected String formatIdentifiable​(edu.uiuc.ncsa.security.core.Store store,
                                            edu.uiuc.ncsa.security.core.Identifiable identifiable)
      • toJSONObject

        protected net.sf.json.JSONObject toJSONObject​(OA2Client client,
                                                      String version,
                                                      boolean isGet)
        Take a client and turn it into a response object. This is used by both GET and PUT (which is supposed to return the same output as GET once its updates are done).
        Parameters:
        client -
        Returns:
      • toJSONObject5_5

        protected net.sf.json.JSONObject toJSONObject5_5​(OA2Client client,
                                                         boolean isGet)
      • toJSONObject5_4

        protected net.sf.json.JSONObject toJSONObject5_4​(OA2Client client,
                                                         boolean isGet)
      • getDefaultAPIVersion

        public static String getDefaultAPIVersion()
      • setDefaultAPIVersion

        public static void setDefaultAPIVersion​(String defaultAPIVersion)
      • lifetimeToSec

        protected long lifetimeToSec​(long lifetime)
        Used in serializing the client to JSON. Lifetimes that are positive are divided by 1000 to convert from milliseconds to seconds.

        Non-positive values are returned as is, since negative values are overloaded with special meaning.
        Parameters:
        lifetime -
        Returns:
      • lifetimeFromSec

        protected long lifetimeFromSec​(long lifetime)
      • doDelete

        protected void doDelete​(javax.servlet.http.HttpServletRequest req,
                                javax.servlet.http.HttpServletResponse resp)
                         throws javax.servlet.ServletException,
                                IOException
        Remove the given client in toto.
        Overrides:
        doDelete in class javax.servlet.http.HttpServlet
        Parameters:
        req -
        resp -
        Throws:
        javax.servlet.ServletException
        IOException
      • checkAdminPermission

        protected void checkAdminPermission​(AdminClient adminClient,
                                            OA2Client client)
        Checks that this client exists on the system and, if it exists, that the admin client actually owns it.
        Parameters:
        adminClient -
        client -
      • getVersion

        protected String getVersion​(CMConfig cmConfig,
                                    javax.servlet.http.HttpServletRequest req)
      • doPut

        protected void doPut​(javax.servlet.http.HttpServletRequest req,
                             javax.servlet.http.HttpServletResponse resp)
                      throws javax.servlet.ServletException,
                             IOException
        Update a client. Note that, as per the specification (RFC 7592), all values that are sent overwrite the existing values, and omitted values are taken to mean that the stored value should be unset. A PUT must therefore carry the complete client metadata, not just the fields being changed.
        Overrides:
        doPut in class javax.servlet.http.HttpServlet
        Parameters:
        req -
        resp -
        Throws:
        javax.servlet.ServletException
        IOException
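The replace-not-merge semantics of PUT are the easiest way to damage a working registration: a request that carries only the field being changed unsets everything else. The following is an added example, not OA4MP code, of a client-side read-modify-write helper that starts from the GET response, strips the server-issued read-only fields that RFC 7592 says must not be sent back, and applies the change. Field names are the RFC 7591/7592 names; the sample registration is constructed for this example.

```python
# Added example, not OA4MP code: a client-side helper for the PUT semantics
# described above. Because omitted fields are treated as "unset", a PUT that
# carries only the field you mean to change silently deletes the rest of the
# registration. The safe pattern is read-modify-write: start from the GET
# response, strip the server-issued read-only fields, then apply the change.
# Field names are the RFC 7591/7592 names; the sample registration is
# constructed for this example.

# RFC 7592 section 2.2: issued by the server and not to be sent back in a PUT.
READ_ONLY_FIELDS = (
    "registration_access_token",
    "registration_client_uri",
    "client_id_issued_at",
    "client_secret_expires_at",
)

# Constructed GET response for an existing client (no client_secret: the
# server does not have it, as the class comment notes).
CURRENT_REGISTRATION = {
    "client_id": "example-client-id",
    "client_name": "Example portal",
    "redirect_uris": ["https://portal.example.org/callback"],
    "grant_types": ["authorization_code", "refresh_token"],
    "response_types": ["code"],
    "scope": "openid email",
    "client_id_issued_at": 1543420800,
    "registration_client_uri": "https://idp.example.org/register/example-client-id",
}


def build_update(current, changes):
    """Return the full PUT body: everything from `current` except read-only
    fields, with `changes` applied. A value of None removes a field on
    purpose (by omitting it); client_id must be present and unchanged."""
    if "client_id" not in current:
        raise ValueError("GET response has no client_id")
    if changes.get("client_id", current["client_id"]) != current["client_id"]:
        raise ValueError("client_id cannot be changed by PUT")
    body = {k: v for k, v in current.items() if k not in READ_ONLY_FIELDS}
    for key, value in changes.items():
        if value is None:
            body.pop(key, None)
        else:
            body[key] = value
    return body


def fields_unset_by(naive_body, current):
    """Fields of the stored registration a PUT with `naive_body` would unset."""
    return sorted(k for k in current
                  if k not in naive_body and k not in READ_ONLY_FIELDS)


if __name__ == "__main__":
    import json
    naive = {"client_name": "Renamed portal"}
    print("naive PUT would unset:", fields_unset_by(naive, CURRENT_REGISTRATION))
    print(json.dumps(build_update(CURRENT_REGISTRATION, naive), indent=2))
```

Run `fields_unset_by` against the current registration before sending any hand-built PUT; if it lists redirect_uris or grant_types, the request would have left the client unusable.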
      • doPost

        public void doPost​(javax.servlet.http.HttpServletRequest httpServletRequest,
                           javax.servlet.http.HttpServletResponse httpServletResponse)
                    throws javax.servlet.ServletException,
                           IOException
        Overrides:
        doPost in class edu.uiuc.ncsa.security.servlet.AbstractServlet
        Throws:
        javax.servlet.ServletException
        IOException
      • getPermissionServer

        public PermissionServer getPermissionServer()
        We want to be able to manage the permissions associated with a standard client and an admin client.
        Returns:
      • getAndCheckAdminClient

        protected AdminClient getAndCheckAdminClient​(javax.servlet.http.HttpServletRequest request)
                                              throws Throwable
        Pulls the id and secret from the header, then verifies the secret and, if it passes, returns the admin client.
        Parameters:
        request -
        Returns:
        Throws:
        Throwable
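Every management call on this servlet runs the two checks documented for getAndCheckAdminClient and checkAdminPermission: the presented admin secret is verified against a stored hash, and the admin client must own the client being read, changed or deleted. The following is an added example, not OA4MP code, that models both checks against constructed stores. The hash function (SHA-256), the record layout and the store contents are assumptions for this example; parsing the id and secret out of the Authorization header is left out because its wire format is not described on this page.

```python
# Added example, not OA4MP code: the two checks the Javadoc describes for
# getAndCheckAdminClient and checkAdminPermission, against constructed
# stores. The secret store holds only a hash, as the class comment says; the
# hash function (SHA-256) and the record layout are assumptions for this
# example, and parsing the id and secret out of the Authorization header is
# left out because its wire format is not described on this page.
import hashlib
import hmac
import secrets


def hash_secret(secret):
    """Assumed hashing scheme for stored admin-client secrets."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


class AuthError(Exception):
    pass


class NotOwnedError(Exception):
    pass


# Constructed stores: one approved admin client and two registered clients.
ADMIN_STORE = {"admin-1": {"secret_hash": hash_secret("correct horse battery staple")}}
CLIENT_STORE = {"client-A": {"admin": "admin-1"}, "client-B": {"admin": "admin-2"}}


def get_and_check_admin_client(admin_id, presented_secret):
    """Verify the presented secret against the stored hash; return the admin
    id on success. Unknown ids still go through a full compare so the
    response time does not reveal whether the id exists."""
    record = ADMIN_STORE.get(admin_id)
    expected = record["secret_hash"] if record else hash_secret(secrets.token_hex(16))
    matches = hmac.compare_digest(expected, hash_secret(presented_secret))
    if record is None or not matches:
        raise AuthError("unknown admin client or bad secret")
    return admin_id


def check_admin_permission(admin_id, client_id):
    """The client must exist and be owned by this admin client."""
    client = CLIENT_STORE.get(client_id)
    if client is None:
        raise NotOwnedError(f"no such client: {client_id}")
    if client["admin"] != admin_id:
        raise NotOwnedError(f"{admin_id} does not own {client_id}")
    return True


def authorize(admin_id, presented_secret, client_id):
    """Both checks in order, as a GET/PUT/DELETE on a client would need them.
    Returns (True, 'ok') or (False, reason); the reason is for the log, not
    for the HTTP response, which should not distinguish the failure modes."""
    try:
        get_and_check_admin_client(admin_id, presented_secret)
        check_admin_permission(admin_id, client_id)
    except (AuthError, NotOwnedError) as e:
        return False, str(e)
    return True, "ok"


if __name__ == "__main__":
    print(authorize("admin-1", "correct horse battery staple", "client-A"))
    print(authorize("admin-1", "wrong", "client-A"))
    print(authorize("admin-1", "correct horse battery staple", "client-B"))
```

The ownership check matters as much as the secret check: without it, any approved admin client could read or delete registrations belonging to another admin. Keeping "no such client" and "not yours" indistinguishable in the HTTP response avoids letting one admin enumerate another's client identifiers.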
      • getAndCheckOA2Client

        protected OA2Client getAndCheckOA2Client​(javax.servlet.http.HttpServletRequest request)
                                          throws Throwable
        Throws:
        Throwable
      • doIt

        protected void doIt​(javax.servlet.http.HttpServletRequest httpServletRequest,
                            javax.servlet.http.HttpServletResponse httpServletResponse)
                     throws Throwable
        Specified by:
        doIt in class edu.uiuc.ncsa.security.servlet.AbstractServlet
        Throws:
        Throwable
      • doIt2

        protected void doIt2​(javax.servlet.http.HttpServletRequest httpServletRequest,
                             javax.servlet.http.HttpServletResponse httpServletResponse)
                      throws Throwable
        The workhorse method for POST.
        Parameters:
        httpServletRequest -
        httpServletResponse -
        Throws:
        Throwable
      • getPayload

        protected net.sf.json.JSON getPayload​(javax.servlet.http.HttpServletRequest httpServletRequest,
                                              edu.uiuc.ncsa.security.core.util.MetaDebugUtil adminDebugger)
                                       throws IOException
        Throws:
        IOException
      • getClient

        protected OA2Client getClient​(javax.servlet.http.HttpServletRequest req)
        Get the client from the request. Note that this may return null if no such client exists and it is up to the calling method to decide if this is ok.
        Parameters:
        req -
        Returns:
      • updateClient

        protected OA2Client updateClient​(OA2Client client,
                                         AdminClient adminClient,
                                         boolean isAnonymous,
                                         net.sf.json.JSONObject jsonRequest,
                                         boolean newClient,
                                         String version)
      • lifetimeFromParameter

        protected long lifetimeFromParameter​(Object raw)
        Allows clients to send values as strings with units, e.g. "1 month". OA4MP supports this for its own values.
        Parameters:
        raw -
        Returns:
      • toJSONArray

        protected net.sf.json.JSONArray toJSONArray​(net.sf.json.JSONObject jsonRequest,
                                                    String key,
                                                    OA2Client client)
      • handleResponseTypes

        protected void handleResponseTypes​(OA2Client client,
                                           net.sf.json.JSONObject jsonRequest,
                                           OA2ClientKeys keys)
        TL;DR: we support only the response types of the authorization_code flow, so only code and id_token. We explicitly reject every other response_type at this point; in particular, we reject the value "token", which is only for the implicit flow.
        Parameters:
        client -
        jsonRequest -
        keys -
      • checkJAEntry

        protected boolean checkJAEntry​(net.sf.json.JSONArray jsonArray,
                                       String entry)
        JSONArray.contains does not always compare sanely against strings.
        Parameters:
        jsonArray -
        entry -
        Returns:
      • areAllGrantsSupported

        protected boolean areAllGrantsSupported​(net.sf.json.JSONArray proposedGrants,
                                                String[] supportedGrants)
      • handleGrants

        protected void handleGrants​(OA2Client client,
                                    net.sf.json.JSONObject jsonRequest,
                                    OA2ClientKeys keys)
      • toJA

        protected net.sf.json.JSONArray toJA​(net.sf.json.JSONObject obj,
                                             String key)
        Some attributes can come over the wire either as arrays of strings or as blank-delimited strings, e.g. scopes and grant types. Just figure it out and hand back the array. Note this will remove duplicates.
        Parameters:
        obj -
        key -
        Returns:
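The three helpers above (toJA, areAllGrantsSupported and handleResponseTypes) together decide what a registration request may ask for: array-or-string attributes are normalised and de-duplicated, every proposed grant must be supported, and only the response types of the authorization_code flow pass. The following is an added example, not OA4MP code, that applies those rules to constructed RFC 7591 requests. The set of supported grant types is an assumption for the example; the response-type rule and the array/string handling follow the Javadoc, and the defaults for omitted grant_types and response_types follow RFC 7591 section 2.

```python
# Added example, not OA4MP code: the normalisation and rejection rules that
# the Javadoc above describes for toJA, areAllGrantsSupported and
# handleResponseTypes, applied to constructed RFC 7591 registration requests.

# Assumption for this example: the grant types this server accepts.
SUPPORTED_GRANTS = ("authorization_code", "refresh_token")
# From the Javadoc: only the response types of the authorization_code flow.
ALLOWED_RESPONSE_TYPES = ("code", "id_token")


def to_list(obj, key):
    """Mirror of toJA: accept a JSON array or a blank-delimited string and
    return a duplicate-free list in first-seen order ([] when absent)."""
    raw = obj.get(key)
    if raw is None:
        return []
    if isinstance(raw, str):
        items = raw.split()
    elif isinstance(raw, list):
        items = [str(x) for x in raw]
    else:
        raise ValueError(f"{key}: expected an array or a string")
    return list(dict.fromkeys(items))


def all_grants_supported(proposed, supported=SUPPORTED_GRANTS):
    """Mirror of areAllGrantsSupported: every proposed grant must be known."""
    return all(g in supported for g in proposed)


def check_response_types(types):
    """Mirror of handleResponseTypes: anything outside code/id_token is
    rejected, in particular 'token', which belongs to the implicit flow."""
    bad = [t for t in types if t not in ALLOWED_RESPONSE_TYPES]
    if bad:
        raise ValueError(f"unsupported response_type(s): {bad}")


def validate_registration(request):
    """Return normalised metadata, or raise ValueError for a rejected request.
    Defaults follow RFC 7591 section 2: grant_types -> authorization_code,
    response_types -> code."""
    grants = to_list(request, "grant_types") or ["authorization_code"]
    if not all_grants_supported(grants):
        raise ValueError(f"unsupported grant_types: {grants}")
    types = to_list(request, "response_types") or ["code"]
    check_response_types(types)
    return {
        "grant_types": grants,
        "response_types": types,
        "scope": to_list(request, "scope"),
    }


def rejection_reason(request):
    """None when the request is acceptable, otherwise the error message."""
    try:
        validate_registration(request)
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    # Constructed requests: one well-formed, one asking for the implicit flow.
    good = {"grant_types": "authorization_code refresh_token",
            "response_types": ["code", "code"], "scope": "openid email"}
    implicit = {"grant_types": ["implicit"], "response_types": ["token"]}
    print(validate_registration(good))
    print(rejection_reason(implicit))
```

Rejecting the request outright, rather than silently dropping the unsupported values, is the right call: a client that asked for the implicit flow and was quietly registered for authorization_code only would fail later in a way that is much harder to diagnose.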
      • processRegistrationRequest

        protected OA2Client processRegistrationRequest​(net.sf.json.JSONObject jsonRequest,
                                                       AdminClient adminClient,
                                                       boolean isAnonymous,
                                                       OA2Client client,
                                                       String version)
      • fireMessage

        protected void fireMessage​(boolean isAnonymous,
                                   OA2SE oa2SE,
                                   HashMap<String,​String> replacements)
      • getJwkUtil

        public edu.uiuc.ncsa.security.util.jwk.JWKUtil2 getJwkUtil()
      • setJwkUtil

        public void setJwkUtil​(edu.uiuc.ncsa.security.util.jwk.JWKUtil2 jwkUtil)