From 88ac12f0be37d54f40e0d45afa414927e3de220e Mon Sep 17 00:00:00 2001 From: YuriyZ Date: Wed, 15 May 2024 12:35:04 +0300 Subject: [PATCH 1/4] feat(jans-auth-server): added short uuid with length = 22 https://github.com/JanssenProject/jans/issues/8512 Signed-off-by: YuriyZ --- .../src/main/java/io/jans/util/IdUtil.java | 34 +++++++++++++++++++ .../test/java/io/jans/util/IdUtilTest.java | 24 +++++++++++++ 2 files changed, 58 insertions(+) create mode 100644 jans-core/util/src/main/java/io/jans/util/IdUtil.java create mode 100644 jans-core/util/src/test/java/io/jans/util/IdUtilTest.java diff --git a/jans-core/util/src/main/java/io/jans/util/IdUtil.java b/jans-core/util/src/main/java/io/jans/util/IdUtil.java new file mode 100644 index 00000000000..035a2b82f0b --- /dev/null +++ b/jans-core/util/src/main/java/io/jans/util/IdUtil.java @@ -0,0 +1,34 @@ +package io.jans.util; + +import java.nio.ByteBuffer; +import java.util.Base64; +import java.util.Random; +import java.util.UUID; + +/** + * @author Yuriy Z + */ +public class IdUtil { + + // we are ok to have not secured random + private static final Random RANDOM = new Random(); + + private IdUtil() { + } + + public static String randomShortUUID() { + return toShortUUID(UUID.randomUUID()); + } + + public static String toShortUUID(UUID uuid) { + ByteBuffer byteBuffer = ByteBuffer.allocate(16); + byteBuffer.putLong(uuid.getMostSignificantBits()); + byteBuffer.putLong(uuid.getLeastSignificantBits()); + return Base64.getEncoder().withoutPadding().encodeToString(byteBuffer.array()) + .replace("/", randomChar()).replace("+", randomChar()); + } + + private static String randomChar() { + return (char) (RANDOM.nextInt(26) + 'a') + ""; + } +} diff --git a/jans-core/util/src/test/java/io/jans/util/IdUtilTest.java b/jans-core/util/src/test/java/io/jans/util/IdUtilTest.java new file mode 100644 index 00000000000..101293fd752 --- /dev/null +++ b/jans-core/util/src/test/java/io/jans/util/IdUtilTest.java @@ -0,0 +1,24 @@ +package io.jans.util; + +import org.testng.annotations.Test; + +import static org.testng.AssertJUnit.assertEquals; + +/** + * @author Yuriy Z + */ +public class IdUtilTest { + + @Test + public void shortUuid_lenthMustBe22() { + assertEquals(22, IdUtil.randomShortUUID().length()); + } + + @Test(enabled = false) + public void shortUuid_generateALotIdsAndPrintThem() { + for (int i = 0; i < 100000; i++) { + final String shortUUID = IdUtil.randomShortUUID(); + System.out.println(shortUUID + " length: " + shortUUID.length()); + }; + } +} From 53abaa929ce8e7890b57f7fcec745ff6d14d9f96 Mon Sep 17 00:00:00 2001 From: YuriyZ Date: Thu, 16 May 2024 16:04:16 +0300 Subject: [PATCH 2/4] feat(jans-auth-server): added reference_id to token schema https://github.com/JanssenProject/jans/issues/8512 Signed-off-by: YuriyZ --- .../java/io/jans/model/token/TokenEntity.java | 19 ++++++++++++------- .../jans_setup/schema/jans_schema.json | 3 ++- 2 files changed, 14 insertions(+), 8 deletions(-) diff --git a/jans-core/service/src/main/java/io/jans/model/token/TokenEntity.java b/jans-core/service/src/main/java/io/jans/model/token/TokenEntity.java index d7374065eed..5b8cc5d2469 100644 --- a/jans-core/service/src/main/java/io/jans/model/token/TokenEntity.java +++ b/jans-core/service/src/main/java/io/jans/model/token/TokenEntity.java @@ -6,16 +6,11 @@ package io.jans.model.token; +import io.jans.orm.annotation.*; + import java.io.Serializable; import java.util.Date; -import io.jans.orm.annotation.AttributeName; -import io.jans.orm.annotation.DN; -import io.jans.orm.annotation.DataEntry; -import io.jans.orm.annotation.Expiration; -import io.jans.orm.annotation.JsonObject; -import io.jans.orm.annotation.ObjectClass; - /** * @author Yuriy Zabrovarnyy * @author Javier Rojas Blum @@ -68,6 +63,8 @@ public class TokenEntity implements Serializable { private String claims; @AttributeName(name = "tknBndCnf") private String tokenBindingHash; + @AttributeName(name = "jansId") + private String referenceId; @AttributeName(name = "acr") private String authMode; @@ -84,6 +81,14 @@ public class TokenEntity implements Serializable { @AttributeName(name = "dpop") private String dpop; + public String getReferenceId() { + return referenceId; + } + + public void setReferenceId(String referenceId) { + this.referenceId = referenceId; + } + public TokenAttributes getAttributes() { if (attributes == null) { attributes = new TokenAttributes(); diff --git a/jans-linux-setup/jans_setup/schema/jans_schema.json b/jans-linux-setup/jans_setup/schema/jans_schema.json index 79c8f7f54d8..ef1c7677229 100644 --- a/jans-linux-setup/jans_setup/schema/jans_schema.json +++ b/jans-linux-setup/jans_setup/schema/jans_schema.json @@ -4498,7 +4498,8 @@ "ssnId", "attr", "tknBndCnf", - "dpop" + "dpop", + "jansId" ], "must": [ "objectclass" From 6aa784c797089ef86c83f3f5b3b440eda43cadd4 Mon Sep 17 00:00:00 2001 From: YuriyZ Date: Thu, 16 May 2024 17:44:57 +0300 Subject: [PATCH 3/4] feat(jans-auth-server): propagate reference_id to token and grant objects https://github.com/JanssenProject/jans/issues/8512 Signed-off-by: YuriyZ --- .../common/AbstractAuthorizationGrant.java | 17 ++++++++++++++ .../as/server/model/common/AbstractToken.java | 22 ++++++++++++++++++- .../model/common/IAuthorizationGrantList.java | 2 ++ .../as/server/model/token/IdTokenFactory.java | 2 +- 4 files changed, 41 insertions(+), 2 deletions(-) diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/model/common/AbstractAuthorizationGrant.java b/jans-auth-server/server/src/main/java/io/jans/as/server/model/common/AbstractAuthorizationGrant.java index a5527a51f9d..553bde0efef 100644 --- a/jans-auth-server/server/src/main/java/io/jans/as/server/model/common/AbstractAuthorizationGrant.java +++ b/jans-auth-server/server/src/main/java/io/jans/as/server/model/common/AbstractAuthorizationGrant.java @@ -72,6 +72,7 @@ public abstract class AbstractAuthorizationGrant implements IAuthorizationGrant private String codeChallengeMethod; private String claims; private String dpopJkt; + private String referenceId; private String acrValues; private String sessionDn; @@ -98,6 +99,14 @@ protected void init(User user, AuthorizationGrantType authorizationGrantType, Cl this.grantId = UUID.randomUUID().toString(); } + public String getReferenceId() { + return referenceId; + } + + public void setReferenceId(String referenceId) { + this.referenceId = referenceId; + } + public String getDpopJkt() { return dpopJkt; } @@ -340,6 +349,7 @@ public AccessToken createAccessToken(ExecutionContext executionContext) { accessToken.setSessionDn(getSessionDn()); accessToken.setX5ts256(CertUtils.confirmationMethodHashS256(executionContext.getCertAsPem())); + accessToken.setReferenceId(executionContext.getTokenReferenceId()); final String dpop = executionContext.getDpop(); if (StringUtils.isNoneBlank(dpop)) { @@ -352,6 +362,8 @@ public AccessToken createAccessToken(ExecutionContext executionContext) { @Override public RefreshToken createRefreshToken(ExecutionContext context) { + context.generateRandomTokenReferenceId(); + int lifetime = appConfiguration.getRefreshTokenLifetime(); if (client.getRefreshTokenLifetime() != null && client.getRefreshTokenLifetime() > 0) { lifetime = client.getRefreshTokenLifetime(); @@ -361,15 +373,20 @@ public RefreshToken createRefreshToken(ExecutionContext context) { refreshToken.setSessionDn(getSessionDn()); refreshToken.setDpop(context.getDpop()); + refreshToken.setReferenceId(context.getTokenReferenceId()); + return refreshToken; } @Override public RefreshToken createRefreshToken(ExecutionContext context, int lifetime) { + context.generateRandomTokenReferenceId(); + RefreshToken refreshToken = new RefreshToken(lifetime); refreshToken.setSessionDn(getSessionDn()); refreshToken.setDpop(context.getDpop()); + refreshToken.setReferenceId(context.getTokenReferenceId()); return refreshToken; } diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/model/common/AbstractToken.java b/jans-auth-server/server/src/main/java/io/jans/as/server/model/common/AbstractToken.java index 8d00a61930c..376231b0c51 100644 --- a/jans-auth-server/server/src/main/java/io/jans/as/server/model/common/AbstractToken.java +++ b/jans-auth-server/server/src/main/java/io/jans/as/server/model/common/AbstractToken.java @@ -8,7 +8,6 @@ import io.jans.as.model.crypto.signature.SignatureAlgorithm; import io.jans.as.model.util.HashUtil; -import io.jans.as.model.util.Util; import io.jans.as.server.model.token.HandleTokenFactory; import io.jans.as.server.util.ServerUtil; import io.jans.orm.annotation.AttributeName; @@ -56,6 +55,9 @@ public abstract class AbstractToken implements Serializable, Deletable { @AttributeName(name = "dpop") private String dpop; + @AttributeName(name = "jansId") + private String referenceId; + @Expiration private int ttl; @@ -212,6 +214,24 @@ public synchronized void setRevoked(boolean revoked) { this.revoked = revoked; } + /** + * Gets reference id + * + * @return reference id + */ + public String getReferenceId() { + return referenceId; + } + + /** + * Sets reference id + * + * @param referenceId reference id + */ + public void setReferenceId(String referenceId) { + this.referenceId = referenceId; + } + /** * Return true if the token has expired. * diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/model/common/IAuthorizationGrantList.java b/jans-auth-server/server/src/main/java/io/jans/as/server/model/common/IAuthorizationGrantList.java index 0e3589655cf..32ed6363cd2 100644 --- a/jans-auth-server/server/src/main/java/io/jans/as/server/model/common/IAuthorizationGrantList.java +++ b/jans-auth-server/server/src/main/java/io/jans/as/server/model/common/IAuthorizationGrantList.java @@ -47,6 +47,8 @@ public interface IAuthorizationGrantList { AuthorizationGrant getAuthorizationGrantByIdToken(String idToken); + AuthorizationGrant getAuthorizationGrantByReferenceId(String idToken); + CIBAGrant getCIBAGrant(String authReqId); DeviceCodeGrant createDeviceGrant(DeviceAuthorizationCacheControl data, User user); diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/model/token/IdTokenFactory.java b/jans-auth-server/server/src/main/java/io/jans/as/server/model/token/IdTokenFactory.java index b665a6608b0..7caf382d715 100644 --- a/jans-auth-server/server/src/main/java/io/jans/as/server/model/token/IdTokenFactory.java +++ b/jans-auth-server/server/src/main/java/io/jans/as/server/model/token/IdTokenFactory.java @@ -148,7 +148,7 @@ private void fillClaims(JsonWebResponse jwr, jwr.getClaims().setExpirationTime(expiration); jwr.getClaims().setIssuedAt(issuedAt); - jwr.setClaim("random", UUID.randomUUID().toString()); // provided uniqueness of id_token for same RP requests, oxauth: 1493 + jwr.setClaim("reference_id", executionContext.getTokenReferenceId()); // provided uniqueness of id_token for same RP requests, oxauth: 1493 if (executionContext.getPreProcessing() != null) { executionContext.getPreProcessing().apply(jwr); From 2f3e6f112651da8b3d4dd105a587058ea1ec5f6c Mon Sep 17 00:00:00 2001 From: YuriyZ Date: Fri, 17 May 2024 11:18:59 +0300 Subject: [PATCH 4/4] feat(jans-auth-server): generate and keep jti in execution context https://github.com/JanssenProject/jans/issues/8512 Signed-off-by: YuriyZ --- .../model/common/AuthorizationGrant.java | 5 +++++ .../model/common/AuthorizationGrantList.java | 19 +++++++++++++++++++ .../server/model/common/ExecutionContext.java | 15 +++++++++++++++ .../as/server/model/token/IdTokenFactory.java | 2 +- .../jans/as/server/service/GrantService.java | 16 ++++++++++++++++ 5 files changed, 56 insertions(+), 1 deletion(-) diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/model/common/AuthorizationGrant.java b/jans-auth-server/server/src/main/java/io/jans/as/server/model/common/AuthorizationGrant.java index ac382ca845a..96f1738fb67 100644 --- a/jans-auth-server/server/src/main/java/io/jans/as/server/model/common/AuthorizationGrant.java +++ b/jans-auth-server/server/src/main/java/io/jans/as/server/model/common/AuthorizationGrant.java @@ -122,6 +122,7 @@ private IdToken createIdTokenInternal(AuthorizationCode authorizationCode, Acces JsonWebResponse jwr = idTokenFactory.createJwr(this, authorizationCode, accessToken, refreshToken, executionContext); final IdToken idToken = new IdToken(jwr.toString(), jwr.getClaims().getClaimAsDate(JwtClaimName.ISSUED_AT), jwr.getClaims().getClaimAsDate(JwtClaimName.EXPIRATION_TIME)); + idToken.setReferenceId(executionContext.getTokenReferenceId()); if (log.isTraceEnabled()) log.trace("Created id_token: {}", idToken.getCode()); return idToken; @@ -202,6 +203,7 @@ private void initTokenFromGrant(TokenEntity token) { public AccessToken createAccessToken(ExecutionContext context) { try { context.initFromGrantIfNeeded(this); + context.generateRandomTokenReferenceId(); final AccessToken accessToken = super.createAccessToken(context); if (accessToken.getExpiresIn() < 0) { @@ -282,6 +284,7 @@ public JwtSigner createAccessTokenAsJwt(AccessToken accessToken, ExecutionContex jwt.getClaims().setIssuedAt(accessToken.getCreationDate()); jwt.getClaims().setSubjectIdentifier(getSub()); jwt.getClaims().setClaim("x5t#S256", accessToken.getX5ts256()); + jwt.getClaims().setClaim("jti", context.getTokenReferenceId()); final AuthzDetails authzDetails = getAuthzDetails(); if (!AuthzDetails.isEmpty(authzDetails)) { @@ -401,6 +404,7 @@ public IdToken createIdToken( executionContext.setClaimsAsString(getClaims()); executionContext.setNonce(nonce); executionContext.setState(state); + executionContext.generateRandomTokenReferenceId(); final IdToken idToken = createIdTokenInternal(authorizationCode, accessToken, refreshToken, executionContext); final AuthorizationGrant grant = executionContext.getGrant(); @@ -488,6 +492,7 @@ public TokenEntity asTokenEntity(AbstractToken token) { result.setUserId(getUserId()); result.setUserDn(getUserDn()); result.setClientId(getClientId()); + result.setReferenceId(token.getReferenceId()); result.getAttributes().setX5cs256(token.getX5ts256()); result.getAttributes().setDpopJkt(getDpopJkt()); diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/model/common/AuthorizationGrantList.java b/jans-auth-server/server/src/main/java/io/jans/as/server/model/common/AuthorizationGrantList.java index 8a3158713cf..7c854b097c6 100644 --- a/jans-auth-server/server/src/main/java/io/jans/as/server/model/common/AuthorizationGrantList.java +++ b/jans-auth-server/server/src/main/java/io/jans/as/server/model/common/AuthorizationGrantList.java @@ -275,6 +275,18 @@ public AuthorizationGrant getAuthorizationGrantByIdToken(String idToken) { return null; } + @Override + public AuthorizationGrant getAuthorizationGrantByReferenceId(String referenceId) { + if (StringUtils.isBlank(referenceId)) { + return null; + } + final TokenEntity tokenEntity = grantService.getGrantByReferenceId(referenceId); + if (tokenEntity != null) { + return asGrant(tokenEntity); + } + return null; + } + public AuthorizationGrant asGrant(TokenEntity tokenEntity) { if (tokenEntity != null) { final AuthorizationGrantType grantType = AuthorizationGrantType.fromString(tokenEntity.getGrantType()); @@ -353,6 +365,7 @@ public AuthorizationGrant asGrant(TokenEntity tokenEntity) { result.setX5ts256(tokenEntity.getAttributes().getX5cs256()); result.setDpopJkt(tokenEntity.getAttributes().getDpopJkt()); result.setTokenEntity(tokenEntity); + result.setReferenceId(tokenEntity.getReferenceId()); if (StringUtils.isNotBlank(grantId)) { result.setGrantId(grantId); } @@ -381,34 +394,40 @@ public AuthorizationGrant asGrant(TokenEntity tokenEntity) { final AuthorizationCode code = new AuthorizationCode(tokenEntity.getTokenCode(), tokenEntity.getCreationDate(), tokenEntity.getExpirationDate()); final AuthorizationCodeGrant g = (AuthorizationCodeGrant) result; code.setX5ts256(g.getX5ts256()); + code.setReferenceId(tokenEntity.getReferenceId()); g.setAuthorizationCode(code); } break; case REFRESH_TOKEN: final RefreshToken refreshToken = new RefreshToken(tokenEntity.getTokenCode(), tokenEntity.getCreationDate(), tokenEntity.getExpirationDate()); refreshToken.setX5ts256(result.getX5ts256()); + refreshToken.setReferenceId(tokenEntity.getReferenceId()); result.setRefreshTokens(Collections.singletonList(refreshToken)); break; case ACCESS_TOKEN: final AccessToken accessToken = new AccessToken(tokenEntity.getTokenCode(), tokenEntity.getCreationDate(), tokenEntity.getExpirationDate()); accessToken.setDpop(tokenEntity.getDpop()); accessToken.setX5ts256(result.getX5ts256()); + accessToken.setReferenceId(tokenEntity.getReferenceId()); result.setAccessTokens(Collections.singletonList(accessToken)); break; case TX_TOKEN: final TxToken txToken = new TxToken(tokenEntity.getTokenCode(), tokenEntity.getCreationDate(), tokenEntity.getExpirationDate()); txToken.setDpop(tokenEntity.getDpop()); txToken.setX5ts256(result.getX5ts256()); + txToken.setReferenceId(tokenEntity.getReferenceId()); result.setTxTokens(Collections.singletonList(txToken)); break; case ID_TOKEN: final IdToken idToken = new IdToken(tokenEntity.getTokenCode(), tokenEntity.getCreationDate(), tokenEntity.getExpirationDate()); idToken.setX5ts256(result.getX5ts256()); + idToken.setReferenceId(tokenEntity.getReferenceId()); result.setIdToken(idToken); break; case LONG_LIVED_ACCESS_TOKEN: final AccessToken longLivedAccessToken = new AccessToken(tokenEntity.getTokenCode(), tokenEntity.getCreationDate(), tokenEntity.getExpirationDate()); longLivedAccessToken.setX5ts256(result.getX5ts256()); + longLivedAccessToken.setReferenceId(tokenEntity.getReferenceId()); result.setLongLivedAccessToken(longLivedAccessToken); break; } diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/model/common/ExecutionContext.java b/jans-auth-server/server/src/main/java/io/jans/as/server/model/common/ExecutionContext.java index 93e7e3f7c16..94c4b272fe7 100644 --- a/jans-auth-server/server/src/main/java/io/jans/as/server/model/common/ExecutionContext.java +++ b/jans-auth-server/server/src/main/java/io/jans/as/server/model/common/ExecutionContext.java @@ -18,6 +18,7 @@ import io.jans.as.server.model.audit.OAuth2AuditLog; import io.jans.model.custom.script.conf.CustomScriptConfiguration; import io.jans.model.token.TokenEntity; +import io.jans.util.IdUtil; import jakarta.faces.context.ExternalContext; import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletResponse; @@ -65,6 +66,7 @@ public class ExecutionContext { private String nonce; private String state; + private String tokenReferenceId = IdUtil.randomShortUUID(); private boolean includeIdTokenClaims; @@ -158,6 +160,19 @@ public static ExecutionContext of(ExecutionContext context) { return executionContext; } + public String generateRandomTokenReferenceId() { + tokenReferenceId = IdUtil.randomShortUUID(); + return tokenReferenceId; + } + + public String getTokenReferenceId() { + return tokenReferenceId; + } + + public void setTokenReferenceId(String tokenReferenceId) { + this.tokenReferenceId = tokenReferenceId; + } + public ExecutionContext copy() { return of(this); } diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/model/token/IdTokenFactory.java b/jans-auth-server/server/src/main/java/io/jans/as/server/model/token/IdTokenFactory.java index 7caf382d715..ac16c678af9 100644 --- a/jans-auth-server/server/src/main/java/io/jans/as/server/model/token/IdTokenFactory.java +++ b/jans-auth-server/server/src/main/java/io/jans/as/server/model/token/IdTokenFactory.java @@ -148,7 +148,7 @@ private void fillClaims(JsonWebResponse jwr, jwr.getClaims().setExpirationTime(expiration); jwr.getClaims().setIssuedAt(issuedAt); - jwr.setClaim("reference_id", executionContext.getTokenReferenceId()); // provided uniqueness of id_token for same RP requests, oxauth: 1493 + jwr.setClaim("jti", executionContext.getTokenReferenceId()); // provided uniqueness of id_token for same RP requests, oxauth: 1493 if (executionContext.getPreProcessing() != null) { executionContext.getPreProcessing().apply(jwr); diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/service/GrantService.java b/jans-auth-server/server/src/main/java/io/jans/as/server/service/GrantService.java index 40d32f0e667..2e0565dda24 100644 --- a/jans-auth-server/server/src/main/java/io/jans/as/server/service/GrantService.java +++ b/jans-auth-server/server/src/main/java/io/jans/as/server/service/GrantService.java @@ -207,6 +207,22 @@ public TokenEntity getGrantByCode(String code) { } } + public TokenEntity getGrantByReferenceId(String referenceId) { + try { + final List grants = persistenceEntryManager.findEntries(tokenBaseDn(), TokenEntity.class, Filter.createEqualityFilter("jansId", referenceId)); + if (grants.size() > 1) { + log.error("Found more then one tokens by referenceId {}", referenceId); + return null; + } + if (grants.size() == 1) { + return grants.get(0); + } + } catch (Exception e) { + logException(e); + } + return null; + } + private void logException(Exception e) { if (isTrue(appConfiguration.getLogNotFoundEntityAsError())) { log.error(e.getMessage(), e);