org.mitre.openid.connect.web.EndSessionEndpoint クラス

org.mitre.openid.connect.web.EndSessionEndpoint 連携図

公開メンバ関数
String	endSession (@RequestParam(value="id_token_hint", required=false) String idTokenHint, @RequestParam(value="post_logout_redirect_uri", required=false) String postLogoutRedirectUri, @RequestParam(value=STATE_KEY, required=false) String state, HttpServletRequest request, HttpServletResponse response, HttpSession session, Authentication auth, Model m)
String	processLogout (@RequestParam(value="approve", required=false) String approved, HttpServletRequest request, HttpServletResponse response, HttpSession session, Authentication auth, Model m)

静的公開変数類
static final String	URL = "endsession"

非公開変数類
SelfAssertionValidator	validator
UserInfoService	userInfoService
ClientDetailsEntityService	clientService

静的非公開変数類
static final String	CLIENT_KEY = "client"
static final String	STATE_KEY = "state"
static final String	REDIRECT_URI_KEY = "redirectUri"
static Logger	logger = LoggerFactory.getLogger(EndSessionEndpoint.class)

詳解

Implementation of the End Session Endpoint from OIDC session management

著者

jricher

関数詳解

endSession()

String org.mitre.openid.connect.web.EndSessionEndpoint.endSession ( @RequestParam(value="id_token_hint", required=false) String  idTokenHint, @RequestParam(value="post_logout_redirect_uri", required=false) String  postLogoutRedirectUri, @RequestParam(value=STATE_KEY, required=false) String  state, HttpServletRequest  request, HttpServletResponse  response, HttpSession  session, Authentication  auth, Model  m  )

inline

                                                  {

                // conditionally filled variables
                JWTClaimsSet idTokenClaims = null; // pulled from the parsed and validated ID token
                ClientDetailsEntity client = null; // pulled from ID token's audience field
                
                if (!Strings.isNullOrEmpty(postLogoutRedirectUri)) {
                        session.setAttribute(REDIRECT_URI_KEY, postLogoutRedirectUri);
                }
                if (!Strings.isNullOrEmpty(state)) {
                        session.setAttribute(STATE_KEY, state);
                }
                
                // parse the ID token hint to see if it's valid
                if (!Strings.isNullOrEmpty(idTokenHint)) {
                        try {
                                JWT idToken = JWTParser.parse(idTokenHint);
                                
                                if (validator.isValid(idToken)) {
                                        // we issued this ID token, figure out who it's for
                                        idTokenClaims = idToken.getJWTClaimsSet();
                                        
                                        String clientId = Iterables.getOnlyElement(idTokenClaims.getAudience());
                                        
                                        client = clientService.loadClientByClientId(clientId);
                                        
                                        // save a reference in the session for us to pick up later
                                        //session.setAttribute("endSession_idTokenHint_claims", idTokenClaims);
                                        session.setAttribute(CLIENT_KEY, client);
                                }
                        } catch (ParseException e) {
                                // it's not a valid ID token, ignore it
                                logger.debug("Invalid id token hint", e);
                        } catch (InvalidClientException e) {
                                // couldn't find the client, ignore it
                                logger.debug("Invalid client", e);
                        }
                }
                
                // are we logged in or not?
                if (auth == null || !request.isUserInRole("ROLE_USER")) {
                        // we're not logged in anyway, process the final redirect bits if needed
                        return processLogout(null, request, response, session, auth, m);
                } else {
                        // we are logged in, need to prompt the user before we log out
                
                        // see who the current user is
                        UserInfo ui = userInfoService.getByUsername(auth.getName()); 
                        
                        if (idTokenClaims != null) {
                                String subject = idTokenClaims.getSubject();
                                // see if the current user is the same as the one in the ID token
                                // TODO: should we do anything different in these cases?
                                if (!Strings.isNullOrEmpty(subject) && subject.equals(ui.getSub())) {
                                        // it's the same user
                                } else { 
                                        // it's not the same user
                                }
                        }

                        m.addAttribute("client", client);
                        m.addAttribute("idToken", idTokenClaims);
                        
                        // display the log out confirmation page
                        return "logoutConfirmation";
                }
        }

processLogout()

String org.mitre.openid.connect.web.EndSessionEndpoint.processLogout ( @RequestParam(value="approve", required=false) String  approved, HttpServletRequest  request, HttpServletResponse  response, HttpSession  session, Authentication  auth, Model  m  )

inline

                                                  {

                String redirectUri = (String) session.getAttribute(REDIRECT_URI_KEY);
                String state = (String) session.getAttribute(STATE_KEY);
                ClientDetailsEntity client = (ClientDetailsEntity) session.getAttribute(CLIENT_KEY);
                
                if (!Strings.isNullOrEmpty(approved)) {
                        // use approved, perform the logout
                        if (auth != null){    
                                new SecurityContextLogoutHandler().logout(request, response, auth);
                        }
                        SecurityContextHolder.getContext().setAuthentication(null);
                        // TODO: hook into other logout post-processing
                }
                
                // if the user didn't approve, don't log out but hit the landing page anyway for redirect as needed

                
                
                // if we have a client AND the client has post-logout redirect URIs
                // registered AND the URI given is in that list, then...
                if (!Strings.isNullOrEmpty(redirectUri) && 
                        client != null && client.getPostLogoutRedirectUris() != null) {
                        
                        if (client.getPostLogoutRedirectUris().contains(redirectUri)) {
                                // TODO: future, add the redirect URI to the model for the display page for an interstitial
                                // m.addAttribute("redirectUri", postLogoutRedirectUri);
                                
                                UriComponents uri = UriComponentsBuilder.fromHttpUrl(redirectUri).queryParam("state", state).build();
                                
                                return "redirect:" + uri;
                        }
                }
                
                // otherwise, return to a nice post-logout landing page
                return "postLogout";
        }

メンバ詳解

CLIENT_KEY

final String org.mitre.openid.connect.web.EndSessionEndpoint.CLIENT_KEY = "client"

staticprivate

clientService

ClientDetailsEntityService org.mitre.openid.connect.web.EndSessionEndpoint.clientService

private

logger

Logger org.mitre.openid.connect.web.EndSessionEndpoint.logger = LoggerFactory.getLogger(EndSessionEndpoint.class)

staticprivate

REDIRECT_URI_KEY

final String org.mitre.openid.connect.web.EndSessionEndpoint.REDIRECT_URI_KEY = "redirectUri"

staticprivate

STATE_KEY

final String org.mitre.openid.connect.web.EndSessionEndpoint.STATE_KEY = "state"

staticprivate

URL

final String org.mitre.openid.connect.web.EndSessionEndpoint.URL = "endsession"

static

userInfoService

UserInfoService org.mitre.openid.connect.web.EndSessionEndpoint.userInfoService

private

validator

SelfAssertionValidator org.mitre.openid.connect.web.EndSessionEndpoint.validator

private

---

このクラス詳解は次のファイルから抽出されました:

• D:/AppData/OpenId/mitreid-connect/src/openid-connect-server/src/main/java/org/mitre/openid/connect/web/EndSessionEndpoint.java