org.mitre.openid.connect.client.OIDCAuthenticationFilter の継承関係図

org.mitre.openid.connect.client.OIDCAuthenticationFilter 連携図

クラス
class	TargetLinkURIAuthenticationSuccessHandler

公開メンバ関数
	OIDCAuthenticationFilter ()

void	afterPropertiesSet ()

Authentication	attemptAuthentication (HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException

void	setAuthenticationSuccessHandler (AuthenticationSuccessHandler successHandler)

int	getTimeSkewAllowance ()

void	setTimeSkewAllowance (int timeSkewAllowance)

JWKSetCacheService	getValidationServices ()

void	setValidationServices (JWKSetCacheService validationServices)

ServerConfigurationService	getServerConfigurationService ()

void	setServerConfigurationService (ServerConfigurationService servers)

ClientConfigurationService	getClientConfigurationService ()

void	setClientConfigurationService (ClientConfigurationService clients)

IssuerService	getIssuerService ()

void	setIssuerService (IssuerService issuerService)

AuthRequestUrlBuilder	getAuthRequestUrlBuilder ()

void	setAuthRequestUrlBuilder (AuthRequestUrlBuilder authRequestBuilder)

AuthRequestOptionsService	getAuthRequestOptionsService ()

void	setAuthRequestOptionsService (AuthRequestOptionsService authOptions)

SymmetricKeyJWTValidatorCacheService	getSymmetricCacheService ()

void	setSymmetricCacheService (SymmetricKeyJWTValidatorCacheService symmetricCacheService)

TargetLinkURIAuthenticationSuccessHandler	getTargetLinkURIAuthenticationSuccessHandler ()

void	setTargetLinkURIAuthenticationSuccessHandler (TargetLinkURIAuthenticationSuccessHandler targetSuccessHandler)

TargetLinkURIChecker	targetLinkURIChecker ()

void	setTargetLinkURIChecker (TargetLinkURIChecker deepLinkFilter)

静的公開変数類
static final String	FILTER_PROCESSES_URL = "/openid_connect_login"

限定公開メンバ関数
void	handleAuthorizationRequest (HttpServletRequest request, HttpServletResponse response) throws IOException

Authentication	handleAuthorizationCodeResponse (HttpServletRequest request, HttpServletResponse response)

void	handleError (HttpServletRequest request, HttpServletResponse response) throws IOException

静的限定公開メンバ関数
static String	createNonce (HttpSession session)

static String	getStoredNonce (HttpSession session)

static String	createState (HttpSession session)

static String	getStoredState (HttpSession session)

static String	createCodeVerifier (HttpSession session)

static String	getStoredCodeVerifier (HttpSession session)

限定公開変数類
int	httpSocketTimeout = HTTP_SOCKET_TIMEOUT

静的限定公開変数類
static final String	REDIRECT_URI_SESION_VARIABLE = "redirect_uri"

static final String	CODE_VERIFIER_SESSION_VARIABLE = "code_verifier"

static final String	STATE_SESSION_VARIABLE = "state"

static final String	NONCE_SESSION_VARIABLE = "nonce"

static final String	ISSUER_SESSION_VARIABLE = "issuer"

static final String	TARGET_SESSION_VARIABLE = "target"

static final int	HTTP_SOCKET_TIMEOUT = 30000

静的非公開メンバ関数
static String	getStoredSessionString (HttpSession session, String key)

詳解

OpenID Connect Authentication Filter class

著者: nemonik, jricher

構築子と解体子

◆ OIDCAuthenticationFilter()

org.mitre.openid.connect.client.OIDCAuthenticationFilter.OIDCAuthenticationFilter ( )

inline

OpenIdConnectAuthenticationFilter constructor

                                           {
                 super(FILTER_PROCESSES_URL);
                 targetSuccessHandler.passthrough = super.getSuccessHandler();
                 super.setAuthenticationSuccessHandler(targetSuccessHandler);
         }

関数詳解

◆ afterPropertiesSet()

void org.mitre.openid.connect.client.OIDCAuthenticationFilter.afterPropertiesSet ( )

inline

                                          {
                 super.afterPropertiesSet();
 
                 // if our JOSE validators don't get wired in, drop defaults into place
 
                 if (validationServices == null) {
                         validationServices = new JWKSetCacheService();
                 }
 
                 if (symmetricCacheService == null) {
                         symmetricCacheService = new SymmetricKeyJWTValidatorCacheService();
                 }
 
         }

◆ attemptAuthentication()

Authentication org.mitre.openid.connect.client.OIDCAuthenticationFilter.attemptAuthentication	(	HttpServletRequest	request,
		HttpServletResponse	response
	)		throws AuthenticationException, IOException, ServletException

inline

                                                                                                                                                                             {
 
                 if (!Strings.isNullOrEmpty(request.getParameter("error"))) {
 
                         // there's an error coming back from the server, need to handle this
                         handleError(request, response);
                         return null; // no auth, response is sent to display page or something
 
                 } else if (!Strings.isNullOrEmpty(request.getParameter("code"))) {
 
                         // we got back the code, need to process this to get our tokens
                         Authentication auth = handleAuthorizationCodeResponse(request, response);
                         return auth;
 
                 } else {
 
                         // not an error, not a code, must be an initial login of some type
                         handleAuthorizationRequest(request, response);
 
                         return null; // no auth, response redirected to the server's Auth Endpoint (or possibly to the account chooser)
                 }
 
         }

◆ createCodeVerifier()

static String org.mitre.openid.connect.client.OIDCAuthenticationFilter.createCodeVerifier ( HttpSession session )

inlinestaticprotected

Create a random code challenge and store it in the session

引数

session

戻り値

                                                                         {
                 String challenge = new BigInteger(50, new SecureRandom()).toString(16);
                 session.setAttribute(CODE_VERIFIER_SESSION_VARIABLE, challenge);
                 return challenge;
         }

◆ createNonce()

static String org.mitre.openid.connect.client.OIDCAuthenticationFilter.createNonce ( HttpSession session )

inlinestaticprotected

Create a cryptographically random nonce and store it in the session

引数

session

戻り値

                                                                  {
                 String nonce = new BigInteger(50, new SecureRandom()).toString(16);
                 session.setAttribute(NONCE_SESSION_VARIABLE, nonce);
 
                 return nonce;
         }

◆ createState()

static String org.mitre.openid.connect.client.OIDCAuthenticationFilter.createState ( HttpSession session )

inlinestaticprotected

Create a cryptographically random state and store it in the session

引数

session

戻り値

                                                                  {
                 String state = new BigInteger(50, new SecureRandom()).toString(16);
                 session.setAttribute(STATE_SESSION_VARIABLE, state);
 
                 return state;
         }

◆ getAuthRequestOptionsService()

AuthRequestOptionsService org.mitre.openid.connect.client.OIDCAuthenticationFilter.getAuthRequestOptionsService ( )

inline

戻り値: the authOptions

                                                                         {
                 return authOptions;
         }

◆ getAuthRequestUrlBuilder()

AuthRequestUrlBuilder org.mitre.openid.connect.client.OIDCAuthenticationFilter.getAuthRequestUrlBuilder ( )

inline

戻り値: the authRequestBuilder

                                                                 {
                 return authRequestBuilder;
         }

◆ getClientConfigurationService()

ClientConfigurationService org.mitre.openid.connect.client.OIDCAuthenticationFilter.getClientConfigurationService ( )

inline

戻り値: the clients

                                                                           {
                 return clients;
         }

◆ getIssuerService()

IssuerService org.mitre.openid.connect.client.OIDCAuthenticationFilter.getIssuerService ( )

inline

戻り値: the issuerService

                                                 {
                 return issuerService;
         }

◆ getServerConfigurationService()

ServerConfigurationService org.mitre.openid.connect.client.OIDCAuthenticationFilter.getServerConfigurationService ( )

inline

戻り値: the servers

                                                                           {
                 return servers;
         }

◆ getStoredCodeVerifier()

static String org.mitre.openid.connect.client.OIDCAuthenticationFilter.getStoredCodeVerifier ( HttpSession session )

inlinestaticprotected

Retrieve the stored challenge from our session

引数

session

戻り値

                                                                            {
                 return getStoredSessionString(session, CODE_VERIFIER_SESSION_VARIABLE);
         }

◆ getStoredNonce()

static String org.mitre.openid.connect.client.OIDCAuthenticationFilter.getStoredNonce ( HttpSession session )

inlinestaticprotected

Get the nonce we stored in the session

引数

session

戻り値

                                                                     {
                 return getStoredSessionString(session, NONCE_SESSION_VARIABLE);
         }

◆ getStoredSessionString()

static String org.mitre.openid.connect.client.OIDCAuthenticationFilter.getStoredSessionString	(	HttpSession	session,
		String	key
	)

inlinestaticprivate

Get the named stored session variable as a string. Return null if not found or not a string.

引数

session
key

戻り値

                                                                                       {
                 Object o = session.getAttribute(key);
                 if (o != null && o instanceof String) {
                         return o.toString();
                 } else {
                         return null;
                 }
         }

◆ getStoredState()

static String org.mitre.openid.connect.client.OIDCAuthenticationFilter.getStoredState ( HttpSession session )

inlinestaticprotected

Get the state we stored in the session

引数

session

戻り値

                                                                     {
                 return getStoredSessionString(session, STATE_SESSION_VARIABLE);
         }

◆ getSymmetricCacheService()

SymmetricKeyJWTValidatorCacheService org.mitre.openid.connect.client.OIDCAuthenticationFilter.getSymmetricCacheService ( )

inline

                                                                                {
                 return symmetricCacheService;
         }

◆ getTargetLinkURIAuthenticationSuccessHandler()

TargetLinkURIAuthenticationSuccessHandler org.mitre.openid.connect.client.OIDCAuthenticationFilter.getTargetLinkURIAuthenticationSuccessHandler ( )

inline

                                                                                                         {
                 return targetSuccessHandler;
         }

◆ getTimeSkewAllowance()

int org.mitre.openid.connect.client.OIDCAuthenticationFilter.getTimeSkewAllowance ( )

inline

                                           {
                 return timeSkewAllowance;
         }

◆ getValidationServices()

JWKSetCacheService org.mitre.openid.connect.client.OIDCAuthenticationFilter.getValidationServices ( )

inline

戻り値: the validationServices

                                                           {
                 return validationServices;
         }

◆ handleAuthorizationCodeResponse()

Authentication org.mitre.openid.connect.client.OIDCAuthenticationFilter.handleAuthorizationCodeResponse	(	HttpServletRequest	request,
		HttpServletResponse	response
	)

inlineprotected

引数

request The request from which to extract parameters and perform the authentication

戻り値: The authenticated user token, or null if authentication is incomplete.

                                                                                                                            {
 
                 String authorizationCode = request.getParameter("code");
 
                 HttpSession session = request.getSession();
 
                 // check for state, if it doesn't match we bail early
                 String storedState = getStoredState(session);
                 String requestState = request.getParameter("state");
                 if (storedState == null || !storedState.equals(requestState)) {
                         throw new AuthenticationServiceException("State parameter mismatch on return. Expected " + storedState + " got " + requestState);
                 }
 
                 // look up the issuer that we set out to talk to
                 String issuer = getStoredSessionString(session, ISSUER_SESSION_VARIABLE);
 
                 // pull the configurations based on that issuer
                 ServerConfiguration serverConfig = servers.getServerConfiguration(issuer);
                 final RegisteredClient clientConfig = clients.getClientConfiguration(serverConfig);
 
                 MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
                 form.add("grant_type", "authorization_code");
                 form.add("code", authorizationCode);
                 form.setAll(authOptions.getTokenOptions(serverConfig, clientConfig, request));
 
                 String codeVerifier = getStoredCodeVerifier(session);
                 if (codeVerifier != null) {
                         form.add("code_verifier", codeVerifier);
                 }
 
                 String redirectUri = getStoredSessionString(session, REDIRECT_URI_SESION_VARIABLE);
                 if (redirectUri != null) {
                         form.add("redirect_uri", redirectUri);
                 }
 
                 // Handle Token Endpoint interaction
 
                 if(httpClient == null) {
                         httpClient = HttpClientBuilder.create()
                                         .useSystemProperties()
                                         .setDefaultRequestConfig(RequestConfig.custom()
                                                         .setSocketTimeout(httpSocketTimeout)
                                                         .build())
                                         .build();
                 }
 
                 HttpComponentsClientHttpRequestFactory factory = new HttpComponentsClientHttpRequestFactory(httpClient);
 
                 RestTemplate restTemplate;
 
                 if (SECRET_BASIC.equals(clientConfig.getTokenEndpointAuthMethod())){
                         // use BASIC auth if configured to do so
                         restTemplate = new RestTemplate(factory) {
 
                                 @Override
                                 protected ClientHttpRequest createRequest(URI url, HttpMethod method) throws IOException {
                                         ClientHttpRequest httpRequest = super.createRequest(url, method);
                                         httpRequest.getHeaders().add("Authorization",
                                                         String.format("Basic %s", Base64.encode(String.format("%s:%s",
                                                                         UriUtils.encodePathSegment(clientConfig.getClientId(), "UTF-8"),
                                                                         UriUtils.encodePathSegment(clientConfig.getClientSecret(), "UTF-8")))));
 
                                         return httpRequest;
                                 }
                         };
                 } else {
                         // we're not doing basic auth, figure out what other flavor we have
                         restTemplate = new RestTemplate(factory);
 
                         if (SECRET_JWT.equals(clientConfig.getTokenEndpointAuthMethod()) || PRIVATE_KEY.equals(clientConfig.getTokenEndpointAuthMethod())) {
                                 // do a symmetric secret signed JWT for auth
 
 
                                 JWTSigningAndValidationService signer = null;
                                 JWSAlgorithm alg = clientConfig.getTokenEndpointAuthSigningAlg();
 
                                 if (SECRET_JWT.equals(clientConfig.getTokenEndpointAuthMethod()) &&
                                                 (JWSAlgorithm.HS256.equals(alg)
                                                                 || JWSAlgorithm.HS384.equals(alg)
                                                                 || JWSAlgorithm.HS512.equals(alg))) {
 
                                         // generate one based on client secret
                                         signer = symmetricCacheService.getSymmetricValidtor(clientConfig.getClient());
 
                                 } else if (PRIVATE_KEY.equals(clientConfig.getTokenEndpointAuthMethod())) {
 
                                         // needs to be wired in to the bean
                                         signer = authenticationSignerService;
 
                                         if (alg == null) {
                                                 alg = authenticationSignerService.getDefaultSigningAlgorithm();
                                         }
                                 }
 
                                 if (signer == null) {
                                         throw new AuthenticationServiceException("Couldn't find required signer service for use with private key auth.");
                                 }
 
                                 JWTClaimsSet.Builder claimsSet = new JWTClaimsSet.Builder();
 
                                 claimsSet.issuer(clientConfig.getClientId());
                                 claimsSet.subject(clientConfig.getClientId());
                                 claimsSet.audience(Lists.newArrayList(serverConfig.getTokenEndpointUri()));
                                 claimsSet.jwtID(UUID.randomUUID().toString());
 
                                 // TODO: make this configurable
                                 Date exp = new Date(System.currentTimeMillis() + (60 * 1000)); // auth good for 60 seconds
                                 claimsSet.expirationTime(exp);
 
                                 Date now = new Date(System.currentTimeMillis());
                                 claimsSet.issueTime(now);
                                 claimsSet.notBeforeTime(now);
 
                                 JWSHeader header = new JWSHeader(alg, null, null, null, null, null, null, null, null, null,
                                                 signer.getDefaultSignerKeyId(),
                                                 null, null);
                                 SignedJWT jwt = new SignedJWT(header, claimsSet.build());
 
                                 signer.signJwt(jwt, alg);
 
                                 form.add("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer");
                                 form.add("client_assertion", jwt.serialize());
                         } else {
                                 //Alternatively use form based auth
                                 form.add("client_id", clientConfig.getClientId());
                                 form.add("client_secret", clientConfig.getClientSecret());
                         }
 
                 }
 
                 logger.debug("tokenEndpointURI = " + serverConfig.getTokenEndpointUri());
                 logger.debug("form = " + form);
 
                 String jsonString = null;
 
                 try {
                         jsonString = restTemplate.postForObject(serverConfig.getTokenEndpointUri(), form, String.class);
                 } catch (RestClientException e) {
 
                         // Handle error
 
                         logger.error("Token Endpoint error response:  " + e.getMessage());
 
                         throw new AuthenticationServiceException("Unable to obtain Access Token: " + e.getMessage());
                 }
 
                 logger.debug("from TokenEndpoint jsonString = " + jsonString);
 
                 JsonElement jsonRoot = new JsonParser().parse(jsonString);
                 if (!jsonRoot.isJsonObject()) {
                         throw new AuthenticationServiceException("Token Endpoint did not return a JSON object: " + jsonRoot);
                 }
 
                 JsonObject tokenResponse = jsonRoot.getAsJsonObject();
 
                 if (tokenResponse.get("error") != null) {
 
                         // Handle error
 
                         String error = tokenResponse.get("error").getAsString();
 
                         logger.error("Token Endpoint returned: " + error);
 
                         throw new AuthenticationServiceException("Unable to obtain Access Token.  Token Endpoint returned: " + error);
 
                 } else {
 
                         // Extract the id_token to insert into the
                         // OIDCAuthenticationToken
 
                         // get out all the token strings
                         String accessTokenValue = null;
                         String idTokenValue = null;
                         String refreshTokenValue = null;
 
                         if (tokenResponse.has("access_token")) {
                                 accessTokenValue = tokenResponse.get("access_token").getAsString();
                         } else {
                                 throw new AuthenticationServiceException("Token Endpoint did not return an access_token: " + jsonString);
                         }
 
                         if (tokenResponse.has("id_token")) {
                                 idTokenValue = tokenResponse.get("id_token").getAsString();
                         } else {
                                 logger.error("Token Endpoint did not return an id_token");
                                 throw new AuthenticationServiceException("Token Endpoint did not return an id_token");
                         }
 
                         if (tokenResponse.has("refresh_token")) {
                                 refreshTokenValue = tokenResponse.get("refresh_token").getAsString();
                         }
 
                         try {
                                 JWT idToken = JWTParser.parse(idTokenValue);
 
                                 // validate our ID Token over a number of tests
                                 JWTClaimsSet idClaims = idToken.getJWTClaimsSet();
 
                                 // check the signature
                                 JWTSigningAndValidationService jwtValidator = null;
 
                                 Algorithm tokenAlg = idToken.getHeader().getAlgorithm();
 
                                 Algorithm clientAlg = clientConfig.getIdTokenSignedResponseAlg();
 
                                 if (clientAlg != null) {
                                         if (!clientAlg.equals(tokenAlg)) {
                                                 throw new AuthenticationServiceException("Token algorithm " + tokenAlg + " does not match expected algorithm " + clientAlg);
                                         }
                                 }
 
                                 if (idToken instanceof PlainJWT) {
 
                                         if (clientAlg == null) {
                                                 throw new AuthenticationServiceException("Unsigned ID tokens can only be used if explicitly configured in client.");
                                         }
 
                                         if (tokenAlg != null && !tokenAlg.equals(Algorithm.NONE)) {
                                                 throw new AuthenticationServiceException("Unsigned token received, expected signature with " + tokenAlg);
                                         }
                                 } else if (idToken instanceof SignedJWT) {
 
                                         SignedJWT signedIdToken = (SignedJWT)idToken;
 
                                         if (tokenAlg.equals(JWSAlgorithm.HS256)
                                                         || tokenAlg.equals(JWSAlgorithm.HS384)
                                                         || tokenAlg.equals(JWSAlgorithm.HS512)) {
 
                                                 // generate one based on client secret
                                                 jwtValidator = symmetricCacheService.getSymmetricValidtor(clientConfig.getClient());
                                         } else {
                                                 // otherwise load from the server's public key
                                                 jwtValidator = validationServices.getValidator(serverConfig.getJwksUri());
                                         }
 
                                         if (jwtValidator != null) {
                                                 if(!jwtValidator.validateSignature(signedIdToken)) {
                                                         throw new AuthenticationServiceException("Signature validation failed");
                                                 }
                                         } else {
                                                 logger.error("No validation service found. Skipping signature validation");
                                                 throw new AuthenticationServiceException("Unable to find an appropriate signature validator for ID Token.");
                                         }
                                 } // TODO: encrypted id tokens
 
                                 // check the issuer
                                 if (idClaims.getIssuer() == null) {
                                         throw new AuthenticationServiceException("Id Token Issuer is null");
                                 } else if (!idClaims.getIssuer().equals(serverConfig.getIssuer())){
                                         throw new AuthenticationServiceException("Issuers do not match, expected " + serverConfig.getIssuer() + " got " + idClaims.getIssuer());
                                 }
 
                                 // check expiration
                                 if (idClaims.getExpirationTime() == null) {
                                         throw new AuthenticationServiceException("Id Token does not have required expiration claim");
                                 } else {
                                         // it's not null, see if it's expired
                                         Date now = new Date(System.currentTimeMillis() - (timeSkewAllowance * 1000));
                                         if (now.after(idClaims.getExpirationTime())) {
                                                 throw new AuthenticationServiceException("Id Token is expired: " + idClaims.getExpirationTime());
                                         }
                                 }
 
                                 // check not before
                                 if (idClaims.getNotBeforeTime() != null) {
                                         Date now = new Date(System.currentTimeMillis() + (timeSkewAllowance * 1000));
                                         if (now.before(idClaims.getNotBeforeTime())){
                                                 throw new AuthenticationServiceException("Id Token not valid untill: " + idClaims.getNotBeforeTime());
                                         }
                                 }
 
                                 // check issued at
                                 if (idClaims.getIssueTime() == null) {
                                         throw new AuthenticationServiceException("Id Token does not have required issued-at claim");
                                 } else {
                                         // since it's not null, see if it was issued in the future
                                         Date now = new Date(System.currentTimeMillis() + (timeSkewAllowance * 1000));
                                         if (now.before(idClaims.getIssueTime())) {
                                                 throw new AuthenticationServiceException("Id Token was issued in the future: " + idClaims.getIssueTime());
                                         }
                                 }
 
                                 // check audience
                                 if (idClaims.getAudience() == null) {
                                         throw new AuthenticationServiceException("Id token audience is null");
                                 } else if (!idClaims.getAudience().contains(clientConfig.getClientId())) {
                                         throw new AuthenticationServiceException("Audience does not match, expected " + clientConfig.getClientId() + " got " + idClaims.getAudience());
                                 }
 
                                 // compare the nonce to our stored claim
                                 String nonce = idClaims.getStringClaim("nonce");
                                 if (Strings.isNullOrEmpty(nonce)) {
 
                                         logger.error("ID token did not contain a nonce claim.");
 
                                         throw new AuthenticationServiceException("ID token did not contain a nonce claim.");
                                 }
 
                                 String storedNonce = getStoredNonce(session);
                                 if (!nonce.equals(storedNonce)) {
                                         logger.error("Possible replay attack detected! The comparison of the nonce in the returned "
                                                         + "ID Token to the session " + NONCE_SESSION_VARIABLE + " failed. Expected " + storedNonce + " got " + nonce + ".");
 
                                         throw new AuthenticationServiceException(
                                                         "Possible replay attack detected! The comparison of the nonce in the returned "
                                                                         + "ID Token to the session " + NONCE_SESSION_VARIABLE + " failed. Expected " + storedNonce + " got " + nonce + ".");
                                 }
 
                                 // construct an PendingOIDCAuthenticationToken and return a Authentication object w/the userId and the idToken
 
                                 PendingOIDCAuthenticationToken token = new PendingOIDCAuthenticationToken(idClaims.getSubject(), idClaims.getIssuer(),
                                                 serverConfig,
                                                 idToken, accessTokenValue, refreshTokenValue);
 
                                 Authentication authentication = this.getAuthenticationManager().authenticate(token);
 
                                 return authentication;
                         } catch (ParseException e) {
                                 throw new AuthenticationServiceException("Couldn't parse idToken: ", e);
                         }
 
 
 
                 }
         }

◆ handleAuthorizationRequest()

void org.mitre.openid.connect.client.OIDCAuthenticationFilter.handleAuthorizationRequest	(	HttpServletRequest	request,
		HttpServletResponse	response
	)		throws IOException

inlineprotected

Initiate an Authorization request

引数

request	The request from which to extract parameters and perform the authentication
response

例外

IOException If an input or output exception occurs

                                                                                                                                {
 
                 HttpSession session = request.getSession();
 
                 IssuerServiceResponse issResp = issuerService.getIssuer(request);
 
                 if (issResp == null) {
                         logger.error("Null issuer response returned from service.");
                         throw new AuthenticationServiceException("No issuer found.");
                 }
 
                 if (issResp.shouldRedirect()) {
                         response.sendRedirect(issResp.getRedirectUrl());
                 } else {
                         String issuer = issResp.getIssuer();
 
                         if (!Strings.isNullOrEmpty(issResp.getTargetLinkUri())) {
                                 // there's a target URL in the response, we should save this so we can forward to it later
                                 session.setAttribute(TARGET_SESSION_VARIABLE, issResp.getTargetLinkUri());
                         }
 
                         if (Strings.isNullOrEmpty(issuer)) {
                                 logger.error("No issuer found: " + issuer);
                                 throw new AuthenticationServiceException("No issuer found: " + issuer);
                         }
 
                         ServerConfiguration serverConfig = servers.getServerConfiguration(issuer);
                         if (serverConfig == null) {
                                 logger.error("No server configuration found for issuer: " + issuer);
                                 throw new AuthenticationServiceException("No server configuration found for issuer: " + issuer);
                         }
 
 
                         session.setAttribute(ISSUER_SESSION_VARIABLE, serverConfig.getIssuer());
 
                         RegisteredClient clientConfig = clients.getClientConfiguration(serverConfig);
                         if (clientConfig == null) {
                                 logger.error("No client configuration found for issuer: " + issuer);
                                 throw new AuthenticationServiceException("No client configuration found for issuer: " + issuer);
                         }
 
                         String redirectUri = null;
                         if (clientConfig.getRegisteredRedirectUri() != null && clientConfig.getRegisteredRedirectUri().size() == 1) {
                                 // if there's a redirect uri configured (and only one), use that
                                 redirectUri = Iterables.getOnlyElement(clientConfig.getRegisteredRedirectUri());
                         } else {
                                 // otherwise our redirect URI is this current URL, with no query parameters
                                 redirectUri = request.getRequestURL().toString();
                         }
                         session.setAttribute(REDIRECT_URI_SESION_VARIABLE, redirectUri);
 
                         // this value comes back in the id token and is checked there
                         String nonce = createNonce(session);
 
                         // this value comes back in the auth code response
                         String state = createState(session);
 
                         Map<String, String> options = authOptions.getOptions(serverConfig, clientConfig, request);
 
                         // if we're using PKCE, handle the challenge here
                         if (clientConfig.getCodeChallengeMethod() != null) {
                                 String codeVerifier = createCodeVerifier(session);
                                 options.put("code_challenge_method", clientConfig.getCodeChallengeMethod().getName());
                                 if (clientConfig.getCodeChallengeMethod().equals(PKCEAlgorithm.plain)) {
                                         options.put("code_challenge", codeVerifier);
                                 } else if (clientConfig.getCodeChallengeMethod().equals(PKCEAlgorithm.S256)) {
                                         try {
                                                 MessageDigest digest = MessageDigest.getInstance("SHA-256");
                                                 String hash = Base64URL.encode(digest.digest(codeVerifier.getBytes(StandardCharsets.US_ASCII))).toString();
                                                 options.put("code_challenge", hash);
                                         } catch (NoSuchAlgorithmException e) {
                                                 // TODO Auto-generated catch block
                                                 e.printStackTrace();
                                         }
 
 
                                 }
                         }
 
                         String authRequest = authRequestBuilder.buildAuthRequestUrl(serverConfig, clientConfig, redirectUri, nonce, state, options, issResp.getLoginHint());
 
                         logger.debug("Auth Request:  " + authRequest);
 
                         response.sendRedirect(authRequest);
                 }
         }

◆ handleError()

void org.mitre.openid.connect.client.OIDCAuthenticationFilter.handleError	(	HttpServletRequest	request,
		HttpServletResponse	response
	)		throws IOException

inlineprotected

Handle Authorization Endpoint error

引数

request	The request from which to extract parameters and handle the error
response	The response, needed to do a redirect to display the error

例外

IOException If an input or output exception occurs

                                                                                                                 {
 
                 String error = request.getParameter("error");
                 String errorDescription = request.getParameter("error_description");
                 String errorURI = request.getParameter("error_uri");
 
                 throw new AuthorizationEndpointException(error, errorDescription, errorURI);
         }

◆ setAuthenticationSuccessHandler()

void org.mitre.openid.connect.client.OIDCAuthenticationFilter.setAuthenticationSuccessHandler ( AuthenticationSuccessHandler successHandler )

inline

                                                                                                  {
                 targetSuccessHandler.passthrough = successHandler;
                 super.setAuthenticationSuccessHandler(targetSuccessHandler);
         }

◆ setAuthRequestOptionsService()

void org.mitre.openid.connect.client.OIDCAuthenticationFilter.setAuthRequestOptionsService ( AuthRequestOptionsService authOptions )

inline

引数

authOptions the authOptions to set

                                                                                         {
                 this.authOptions = authOptions;
         }

◆ setAuthRequestUrlBuilder()

void org.mitre.openid.connect.client.OIDCAuthenticationFilter.setAuthRequestUrlBuilder ( AuthRequestUrlBuilder authRequestBuilder )

inline

引数

authRequestBuilder the authRequestBuilder to set

                                                                                        {
                 this.authRequestBuilder = authRequestBuilder;
         }

◆ setClientConfigurationService()

void org.mitre.openid.connect.client.OIDCAuthenticationFilter.setClientConfigurationService ( ClientConfigurationService clients )

inline

引数

clients the clients to set

                                                                                       {
                 this.clients = clients;
         }

◆ setIssuerService()

void org.mitre.openid.connect.client.OIDCAuthenticationFilter.setIssuerService ( IssuerService issuerService )

inline

引数

issuerService the issuerService to set

                                                                   {
                 this.issuerService = issuerService;
         }

◆ setServerConfigurationService()

void org.mitre.openid.connect.client.OIDCAuthenticationFilter.setServerConfigurationService ( ServerConfigurationService servers )

inline

引数

servers the servers to set

                                                                                       {
                 this.servers = servers;
         }

◆ setSymmetricCacheService()

void org.mitre.openid.connect.client.OIDCAuthenticationFilter.setSymmetricCacheService ( SymmetricKeyJWTValidatorCacheService symmetricCacheService )

inline

                                                                                                          {
                 this.symmetricCacheService = symmetricCacheService;
         }

◆ setTargetLinkURIAuthenticationSuccessHandler()

void org.mitre.openid.connect.client.OIDCAuthenticationFilter.setTargetLinkURIAuthenticationSuccessHandler ( TargetLinkURIAuthenticationSuccessHandler targetSuccessHandler )

inline

                                                                                         {
                 this.targetSuccessHandler = targetSuccessHandler;
         }

◆ setTargetLinkURIChecker()

void org.mitre.openid.connect.client.OIDCAuthenticationFilter.setTargetLinkURIChecker ( TargetLinkURIChecker deepLinkFilter )

inline

                                                                                  {
                 this.deepLinkFilter = deepLinkFilter;
         }

◆ setTimeSkewAllowance()

void org.mitre.openid.connect.client.OIDCAuthenticationFilter.setTimeSkewAllowance ( int timeSkewAllowance )

inline

                                                                 {
                 this.timeSkewAllowance = timeSkewAllowance;
         }

◆ setValidationServices()

void org.mitre.openid.connect.client.OIDCAuthenticationFilter.setValidationServices ( JWKSetCacheService validationServices )

inline

引数

validationServices the validationServices to set

                                                                                  {
                 this.validationServices = validationServices;
         }

◆ targetLinkURIChecker()

TargetLinkURIChecker org.mitre.openid.connect.client.OIDCAuthenticationFilter.targetLinkURIChecker ( )

inline

                                                            {
                 return deepLinkFilter;
         }

private

このクラス詳解は次のファイルから抽出されました:

D:/AppData/OpenId/mitreid-connect/src/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java

非公開変数類
int	timeSkewAllowance = 300

JWKSetCacheService	validationServices

SymmetricKeyJWTValidatorCacheService	symmetricCacheService

JWTSigningAndValidationService	authenticationSignerService

HttpClient	httpClient

IssuerService	issuerService

ServerConfigurationService	servers

ClientConfigurationService	clients

AuthRequestOptionsService	authOptions = new StaticAuthRequestOptionsService()

AuthRequestUrlBuilder	authRequestBuilder

TargetLinkURIAuthenticationSuccessHandler	targetSuccessHandler = new TargetLinkURIAuthenticationSuccessHandler()

TargetLinkURIChecker	deepLinkFilter

クラス

公開メンバ関数

静的公開変数類

限定公開メンバ関数

静的限定公開メンバ関数

限定公開変数類

静的限定公開変数類

静的非公開メンバ関数

非公開変数類

詳解

構築子と解体子

◆ OIDCAuthenticationFilter()

関数詳解

◆ afterPropertiesSet()

◆ attemptAuthentication()

◆ createCodeVerifier()

◆ createNonce()

◆ createState()

◆ getAuthRequestOptionsService()

◆ getAuthRequestUrlBuilder()

◆ getClientConfigurationService()

◆ getIssuerService()

◆ getServerConfigurationService()

◆ getStoredCodeVerifier()

◆ getStoredNonce()

◆ getStoredSessionString()

◆ getStoredState()

◆ getSymmetricCacheService()

◆ getTargetLinkURIAuthenticationSuccessHandler()

◆ getTimeSkewAllowance()

◆ getValidationServices()

◆ handleAuthorizationCodeResponse()

◆ handleAuthorizationRequest()

◆ handleError()

◆ setAuthenticationSuccessHandler()

◆ setAuthRequestOptionsService()

◆ setAuthRequestUrlBuilder()

◆ setClientConfigurationService()

◆ setIssuerService()

◆ setServerConfigurationService()

◆ setSymmetricCacheService()

◆ setTargetLinkURIAuthenticationSuccessHandler()

◆ setTargetLinkURIChecker()

◆ setTimeSkewAllowance()

◆ setValidationServices()

◆ targetLinkURIChecker()

メンバ詳解

◆ authenticationSignerService

◆ authOptions

◆ authRequestBuilder

◆ clients

◆ CODE_VERIFIER_SESSION_VARIABLE

◆ deepLinkFilter

◆ FILTER_PROCESSES_URL

◆ HTTP_SOCKET_TIMEOUT

◆ httpClient

◆ httpSocketTimeout

◆ ISSUER_SESSION_VARIABLE

◆ issuerService

◆ NONCE_SESSION_VARIABLE

◆ REDIRECT_URI_SESION_VARIABLE

◆ servers

◆ STATE_SESSION_VARIABLE

◆ symmetricCacheService

◆ TARGET_SESSION_VARIABLE

◆ targetSuccessHandler

◆ timeSkewAllowance

◆ validationServices