package auth.sso.oidc;

import java.text.ParseException;
import java.util.Map.Entry;
import java.util.Objects;
import java.util.Optional;

import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.Header;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jose.util.JSONObjectUtils;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.SignedJWT;
import net.minidev.json.JSONObject;
import org.pac4j.core.authorization.generator.AuthorizationGenerator;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.profile.AttributeLocation;
import org.pac4j.core.profile.CommonProfile;
import org.pac4j.core.profile.UserProfile;
import org.pac4j.core.profile.definition.ProfileDefinition;
import org.pac4j.oidc.profile.OidcProfile;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
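/**
 * pac4j {@link AuthorizationGenerator} that can copy claims from the OIDC access token onto the
 * profile handed to the caller, when that token is a JWT.
 *
 * <p>Extraction only runs when {@code oidcConfigs.getExtractJwtAccessTokenClaims()} is {@code true}.
 * The access token is <em>parsed</em> here, not signature-verified: its claims are taken at face
 * value. That is presumably acceptable because the token reached this process straight from the
 * provider's token endpoint rather than from the browser — TODO confirm for every configured provider.
 */
public class OidcAuthorizationGenerator implements AuthorizationGenerator {

    private static final Logger logger = LoggerFactory.getLogger(OidcAuthorizationGenerator.class);

    // Used to convert raw claim values into profile attributes (type conversion per attribute name).
    private final ProfileDefinition<?> profileDef;

    // Source of the extractJwtAccessTokenClaims toggle.
    private final OidcConfigs oidcConfigs;

    /**
     * Creates a generator bound to a profile definition and the OIDC configuration.
     *
     * @param profileDef definition used to convert access-token claims into profile attributes
     * @param oidcConfigs configuration holding the claim-extraction toggle
     * @throws NullPointerException if either argument is {@code null}; failing here is clearer than a
     *     deferred NPE on the first login
     */
    public OidcAuthorizationGenerator(final ProfileDefinition<?> profileDef, final OidcConfigs oidcConfigs) {
        this.profileDef = Objects.requireNonNull(profileDef, "profileDef");
        this.oidcConfigs = Objects.requireNonNull(oidcConfigs, "oidcConfigs");
    }

    /**
     * Returns the profile to continue with for the authenticated user.
     *
     * <p>With extraction disabled, {@code profile} is returned unchanged. With extraction enabled, the
     * access token is parsed as a JWT and every claim that {@code profile} does not already carry is
     * added to a <em>new</em> {@link CommonProfile}, which is then returned in place of {@code profile}.
     * NOTE(review): the id and attributes of the original profile are not copied onto that new profile,
     * and claims already present on the original are dropped — confirm this is what downstream
     * consumers expect.
     *
     * <p>Extraction is best-effort: any failure to parse or convert the token is logged at WARN and the
     * original profile is returned.
     *
     * @param context the current web context; not used
     * @param profile the profile produced by the OIDC client; expected to be an {@link OidcProfile}
     * @return the profile to use, or empty when {@code profile} is {@code null}
     */
    @Override
    public Optional<UserProfile> generate(WebContext context, UserProfile profile) {
        if (!oidcConfigs.getExtractJwtAccessTokenClaims().orElse(false)) {
            return Optional.ofNullable(profile);
        }

        // Guard the cast and the access-token lookup explicitly rather than relying on the catch-all
        // below to swallow a ClassCastException or NullPointerException; the outcome is the same
        // (original profile returned) but the log line says what actually went wrong.
        final OidcProfile oidcProfile = profile instanceof OidcProfile ? (OidcProfile) profile : null;
        if (oidcProfile == null || oidcProfile.getAccessToken() == null) {
            logger.warn("Cannot extract access token claims: profile is not an OIDC profile with an access token");
            return Optional.ofNullable(profile);
        }

        try {
            // Parse only; no signature or expiry check is performed on the access token here.
            final JWT jwt = JWTParser.parse(oidcProfile.getAccessToken().getValue());
            final CommonProfile commonProfile = new CommonProfile();

            for (final Entry<String, Object> entry : jwt.getJWTClaimsSet().getClaims().entrySet()) {
                final String claimName = entry.getKey();
                // Only claims the incoming profile lacks are taken from the access token.
                if (profile.getAttribute(claimName) == null) {
                    profileDef.convertAndAdd(commonProfile, AttributeLocation.PROFILE_ATTRIBUTE, claimName, entry.getValue());
                }
            }

            return Optional.of(commonProfile);
        } catch (Exception e) {
            // Deliberately broad: a malformed or unconvertible token degrades to the unchanged profile.
            logger.warn("Cannot parse access token claims", e);
        }

        return Optional.ofNullable(profile);
    }

    /**
     * Parses a JWS or JWE compact serialization into a {@link JWT}.
     *
     * <p>Mirrors {@link JWTParser#parse(String)} but has no branch for unsecured ({@code alg=none})
     * tokens, so those fall through to the rejection at the end. Not called from this class at present;
     * {@link #generate} uses {@link JWTParser#parse(String)} directly.
     *
     * @param s the compact JWT serialization
     * @return the parsed signed or encrypted JWT
     * @throws ParseException if {@code s} has no dot delimiter, its header is not valid JSON, or its
     *     {@code alg} is neither a JWS nor a JWE algorithm
     */
    private static JWT parse(final String s) throws ParseException {
        final int firstDotPos = s.indexOf(".");
        if (firstDotPos == -1) {
            throw new ParseException("Invalid JWT serialization: Missing dot delimiter(s)", 0);
        }

        final Base64URL header = new Base64URL(s.substring(0, firstDotPos));
        // NOTE(review): on nimbus-jose-jwt 9+ JSONObjectUtils.parse returns Map<String, Object>, so this
        // local type depends on the pinned library version — confirm before upgrading.
        final JSONObject jsonObject;
        try {
            jsonObject = JSONObjectUtils.parse(header.decodeToString());
        } catch (ParseException e) {
            throw new ParseException("Invalid unsecured/JWS/JWE header: " + e.getMessage(), 0);
        }

        final Algorithm alg = Header.parseAlgorithm(jsonObject);
        if (alg instanceof JWSAlgorithm) {
            return SignedJWT.parse(s);
        }
        if (alg instanceof JWEAlgorithm) {
            return EncryptedJWT.parse(s);
        }
        // Was an AssertionError, which is an Error rather than an Exception and would escape a caller's
        // catch (Exception) block; an unsupported algorithm is a parse failure like any other.
        throw new ParseException("Unexpected algorithm type: " + alg, 0);
    }

}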