mitreid-connect / openid-connect-java-spring-server
An OpenID Connect reference implementation in Java on the Spring platform.
License: Other
Configure header filter, get list of protected URIs to OAM team
We need to support http basic auth for client authentication at the token endpoint. For now, stick to url query authorization with the client_id and client_secret parameters.
Multiple errors (such as InvalidJwtSignature) need to have error view beans mapped to them.
We need to implement our own UserApprovalHandler. This class is injected into the AuthorizationEndpoint and is called on to check whether the user has already approved this request.
Add support for request objects and request files, both signed and unsigned.
The user needs to be granted more options on the authorization page, including:
These choices need to be passed through to the granter and expressed in the grant decision.
Deploy system in production configuration for application scanning.
Concerning org.mitre.oauth2.model.ClientDetailsEntity: must implement int getAccessTokenValiditySeconds(). Added stub so that this will compile.
Add support for the implicit flow
If a user tries to access the authorization endpoint to request an authorization code while they are already logged in and have a session, Spring Security goes into an infinite redirect loop. We probably have a bad setting somewhere in our Spring Security config.
The latest update from SECOAUTH makes ClientDetails.registeredRedirectUri a Set of Strings, rather than a single String. The management interface code needs to be updated to support this change.
Our builds on the Travis CI are taking a very long time:
http://travis-ci.org/#!/jricher/OpenID-Connect-Java-Spring-Server/builds
Recent ones are on the order of half an hour. There must be something wrong with our Travis config that is causing it to time out.
Develop an account chooser application to allow redirection to multiple Connect servers
Update SECOAUTH reference to the HEAD revision and refactor token code
The CheckID Endpoint needs to support all methods of Bearer token presentation, including the query parameter, form parameter, and auth header mechanisms. This should be wired in using SECOAUTH filters.
Our unit tests are broken since the refactor into client/server/common submodules. They should at least be fixed to allow for a clean compile, and more unit tests need to be added.
Issuer URL is read correctly but several of the URLs are incorrect.
Several UI elements need to have type ahead completion, such as the scope and authority entries on the client registration page.
Add support for dynamic client registration
Not sure if this is a configuration issue or not but the iss attribute in the checkid response is set to http://localhost/
Should be in resource/bootstrap2 not resource/boostrap2. Easy to miss, inconsistent.
Create a view to output the tokens instead of using a direct JSON serializer, submit patch back to SECOAUTH.
We need to add licence headers to our class files.
This repo is under Justin's name, it should be moved to an organization instead.
Title says it all
The "issuer" field of the IdTokens created when passing through the ConnectAuthCodeTokenGranter needs to be set to the server's current base URL. org.mitre.Utility.findBaseUrl() will produce that URL if given an HttpRequest, but the request object is not available inside the token granter. For now, the token granter is using a dummy string value.
Is there a way to properly insert the (dynamically discovered) current base URL into the token granter? Or should this value be statically configured at deployment time?
Concerning org.mitre.oauth2.model.OAuth2RefreshTokenEntity: the superclass (ExpiringOAuth2RefreshToken) does not have a default (empty) constructor. Its constructor takes String value and Date expiration. expiration is marked final in the superclass and cannot be set other than through the constructor. Added super(null, null) to the OAuth2RefreshTokenEntity constructor, and commented out super.setExpiration in setExpiration so that this will compile.
Develop a Connect Client filter that can speak to multiple Connect servers, mitigated through an Account Chooser UI application. The Account Chooser will be developed separately and run on a separate system.
Protocol flow:
User starts at client app, protected by this filter
Filter starts OIDC transaction against configured Account Chooser endpoint (AC)
AC gives user multiple options for login against different connect servers, handles login to these servers
AC redirects user back to client app with Code and some indicator as to which server the user chose
Filter picks up the code and the server indicator and finishes the OIDC transaction
The Algorithm enum is defined in all of the JwtSigner implementations. It should be moved to a centralized Enum class.
It's possible to set it via constructor args, but it really is better to do this via get/set methods. Also, consider making it protected to allow subclassing.
Concerning org.mitre.oauth2.service.impl.DefaultOAuth2ProviderTokenService: must implement the new method from the OAuth2TokenEntityService --> AuthorizationServerTokenServices interface, getAccessToken(OAuth2Authentication authentication). Added stub so that this will compile.
Add support for a protected PortableContacts (PoCo) compatible endpoint, fed by the same data as the UserInfo endpoint
The signatures produced by the RsaSigner are very long - 2-3 times longer than the jwt itself. They make the jwts too big to be stored in our original database tables. We've updated the table definition in accesstoken.sql and on idsandbox to fit them, but they probably should not be that large. Signatures should be smaller than the entity being signed.
In the client administration panels, the id and secret need to be directly viewable and editable by the admin.
Make the home page less of a mockup.
The "redirect uri" portion of a client's information is now stored in a utility table instead of in the client details table itself. The sql file and any documentation needs to be updated.
The client name and description should not be limited to only 3+ alphanumeric characters. These are free-text user-facing values and need to contain arbitrary text. They are also completely optional and may be left blank. Blank values should be pushed in as nulls.
The button styling on the user authorization page is missing, likely due to the switch to Bootstrap2 throughout the project.
Add a service and controller for the UserInfo endpoint.
Trim ECDSA Code from repository
Client edit, add, delete, etc, in the admin pages
The RsaSigner class will return true from its verify method, even if the signature has been removed from the given jwt.
Justin and I had a conversation with Dave Syer today, and decided it would be worth taking a look at how we could move the custom token generation/enhancement code, which we currently have in our TokenGranter impl, into the token service layer instead.
This will change the TokenService interface, which the SECOAUTH team is OK with re-evaluating. We also talked about the TokenService interface having create, enhance, and finish methods.
I will fork our code and push up a new branch to work on these changes.
Create mechanisms to support whitelisting of registered clients and blacklisting of domains.
Modify the nexus project to work with the transition of the project to the mitre-id connect organization.