From af316e58ffda20cd575fe48c43c317917293bd1f Mon Sep 17 00:00:00 2001
From: Lachlan Roberts
Date: Tue, 17 Aug 2021 13:31:49 +1000
Subject: [PATCH] Issue #6618 - Use a new OpenIdCredentials constructor instead of static method.

Signed-off-by: Lachlan Roberts
---
 .../security/openid/OpenIdCredentials.java | 21 +++++++++++++++----
 .../openid/OpenIdCredentialsTest.java | 2 +-
 2 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdCredentials.java b/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdCredentials.java
index 2dee0d32faf6..ccc26d70989b 100644
--- a/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdCredentials.java
+++ b/jetty-openid/src/main/java/org/eclipse/jetty/security/openid/OpenIdCredentials.java
@@ -46,6 +46,14 @@ public class OpenIdCredentials implements Serializable
     private String authCode;
     private Map response;
     private Map claims;
+    private boolean verified = false;
+
+    public OpenIdCredentials(Map claims)
+    {
+        this.redirectUri = null;
+        this.authCode = null;
+        this.claims = claims;
+    }
 
     public OpenIdCredentials(String authCode, String redirectUri)
     {
@@ -96,7 +104,6 @@ public void redeemAuthCode(OpenIdConfiguration configuration) throws Exception
             claims = JwtDecoder.decode(idToken);
             if (LOG.isDebugEnabled())
                 LOG.debug("claims {}", claims);
-            validateClaims(claims, configuration);
         }
         finally
         {
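Review bot: The new `OpenIdCredentials(Map claims)` constructor is public and accepts a caller-supplied claims map that never passed through the token endpoint, and nothing on the object records that; it is only safe because a later `redeemAuthCode()` runs `validateClaims` before `verified` is set. Since the commit adds it to replace the package-private static `validateClaims` for the test, it should keep that visibility — drop `public` from `public OpenIdCredentials(Map claims)` — or at least say so in Javadoc: `/** Creates credentials from an already-decoded ID Token payload; the claims are NOT trusted until redeemAuthCode(OpenIdConfiguration) has validated them. */`. It would also be worth rejecting a null map here with `Objects.requireNonNull(claims, "claims")` rather than letting it surface later. The rest of the class, including any accessor of `claims`, is outside the hunk.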
@@ -104,16 +111,22 @@ public void redeemAuthCode(OpenIdConfiguration configuration) throws Exception
                 authCode = null;
             }
         }
+
+        if (!verified)
+        {
+            validateClaims(configuration);
+            verified = true;
+        }
     }
 
-    static void validateClaims(Map claims, OpenIdConfiguration configuration) throws Exception
+    private void validateClaims(OpenIdConfiguration configuration) throws Exception
     {
         // Issuer Identifier for the OpenID Provider MUST exactly match the value of the iss (issuer) Claim.
         if (!configuration.getIssuer().equals(claims.get("iss")))
             throw new AuthenticationException("Issuer Identifier MUST exactly match the iss Claim");
 
         // The aud (audience) Claim MUST contain the client_id value.
-        validateAudience(claims, configuration);
+        validateAudience(configuration);
 
         // If an azp (authorized party) Claim is present, verify that its client_id is the Claim Value.
         Object azp = claims.get("azp");
@@ -127,7 +140,7 @@ static void validateClaims(Map claims, OpenIdConfiguration confi
             throw new AuthenticationException("ID Token has expired");
         }
 
-    private static void validateAudience(Map claims, OpenIdConfiguration configuration) throws AuthenticationException
+    private void validateAudience(OpenIdConfiguration configuration) throws AuthenticationException
     {
         Object aud = claims.get("aud");
         String clientId = configuration.getClientId();
diff --git a/jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdCredentialsTest.java b/jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdCredentialsTest.java
index b816d9752363..18ac12841f46 100644
--- a/jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdCredentialsTest.java
+++ b/jetty-openid/src/test/java/org/eclipse/jetty/security/openid/OpenIdCredentialsTest.java
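Review bot: The new `if (!verified)` block calls `validateClaims(configuration)` with whatever `claims` currently holds, and that field can be null when the block is reached — the auth-code branch above is skipped when `authCode` is null, and the new map constructor stores its argument unchecked — so `claims.get("iss")` fails with a NullPointerException instead of the `AuthenticationException` callers are presumably catching. Separately, when validation does throw, the rejected map stays on the object with `verified` still false; the old code had the same retention, but now that validation is a distinct step it is cheap to drop the map so that nothing downstream can read unvalidated claims off a failed login. Both points apply to the added lines just before the method's closing brace; `redeemAuthCode` begins outside the hunk and `validateClaims` ends outside it.

```java
        if (!verified)
        {
            // Nothing to validate: no auth code was redeemed and no decoded claims were supplied.
            if (claims == null)
                throw new AuthenticationException("No ID Token claims available to validate");
            try
            {
                validateClaims(configuration);
            }
            catch (Exception e)
            {
                // Do not keep a claims map that failed validation on the credentials object.
                claims = null;
                throw e;
            }
            verified = true;
        }
```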
@@ -35,6 +35,6 @@ public void testSingleAudienceValueInArray() throws Exception
         claims.put("aud", new String[]{clientId});
         claims.put("exp", System.currentTimeMillis() + 5000);
 
-        assertDoesNotThrow(() -> OpenIdCredentials.validateClaims(claims, configuration));
+        assertDoesNotThrow(() -> new OpenIdCredentials(claims).redeemAuthCode(configuration));
     }
 }
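Review bot: The rewritten assertion still only exercises the accept path, so a regression in the new `verified` gating — for example `validateClaims` never being reached when `authCode` is null — would leave this test green. A companion negative case through the same constructor would pin the check: `claims.put("aud", new String[]{"not-" + clientId});` followed by `assertThrows(AuthenticationException.class, () -> new OpenIdCredentials(claims).redeemAuthCode(configuration));`. The `claims` and `configuration` fixtures and the test class's imports are outside the hunk, so whether `assertThrows` is already available here cannot be seen.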