Issue #6618 - Use a new OpenIdCredentials constructor instead of stat…

…ic method. Signed-off-by: Lachlan Roberts <lachlan@webtide.com>
jetty · Aug 17, 2021 · af316e5 · af316e5
1 parent 9af67f8
commit af316e5
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 5 deletions.
diff --git a/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdCredentials.java b/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdCredentials.java
@@ -46,6 +46,14 @@ public class OpenIdCredentials implements Serializable
     private String authCode;
     private Map<String, Object> response;
     private Map<String, Object> claims;
+    private boolean verified = false;
+
+    public OpenIdCredentials(Map<String, Object> claims)
+    {
+        this.redirectUri = null;
+        this.authCode = null;
+        this.claims = claims;
+    }
 
     public OpenIdCredentials(String authCode, String redirectUri)
     {
@@ -96,24 +104,29 @@ public void redeemAuthCode(OpenIdConfiguration configuration) throws Exception
                 claims = JwtDecoder.decode(idToken);
                 if (LOG.isDebugEnabled())
                     LOG.debug("claims {}", claims);
-                validateClaims(claims, configuration);
             }
             finally
             {
                 // reset authCode as it can only be used once
                 authCode = null;
             }
         }
+
+        if (!verified)
+        {
+            validateClaims(configuration);
+            verified = true;
+        }
     }
 
-    static void validateClaims(Map<String, Object> claims, OpenIdConfiguration configuration) throws Exception
+    private void validateClaims(OpenIdConfiguration configuration) throws Exception
     {
         // Issuer Identifier for the OpenID Provider MUST exactly match the value of the iss (issuer) Claim.
         if (!configuration.getIssuer().equals(claims.get("iss")))
             throw new AuthenticationException("Issuer Identifier MUST exactly match the iss Claim");
 
         // The aud (audience) Claim MUST contain the client_id value.
-        validateAudience(claims, configuration);
+        validateAudience(configuration);
 
         // If an azp (authorized party) Claim is present, verify that its client_id is the Claim Value.
         Object azp = claims.get("azp");
@@ -127,7 +140,7 @@ static void validateClaims(Map<String, Object> claims, OpenIdConfiguration confi
             throw new AuthenticationException("ID Token has expired");
     }
 
-    private static void validateAudience(Map<String, Object> claims, OpenIdConfiguration configuration) throws AuthenticationException
+    private void validateAudience(OpenIdConfiguration configuration) throws AuthenticationException
     {
         Object aud = claims.get("aud");
         String clientId = configuration.getClientId();

diff --git a/jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdCredentialsTest.java b/jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdCredentialsTest.java
@@ -35,6 +35,6 @@ public void testSingleAudienceValueInArray() throws Exception
         claims.put("aud", new String[]{clientId});
         claims.put("exp", System.currentTimeMillis() + 5000);
 
-        assertDoesNotThrow(() -> OpenIdCredentials.validateClaims(claims, configuration));
+        assertDoesNotThrow(() -> new OpenIdCredentials(claims).redeemAuthCode(configuration));
     }
 }