safebox/guacamole-client
4
0
Fork 0
mirror of https://github.com/gyurix1968/guacamole-client.git synced 2025-09-06 13:17:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

GUACAMOLE-210: Re-request ID token if validation or username retrieval fails.

Browse Source
This commit is contained in:
Michael Jumper
2017-08-27 22:58:12 -07:00
parent 187903563b
commit 4f8c853daa
2 changed files with 40 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/AuthenticationProviderService.java
View File

@@ -82,19 +82,23 @@ public class AuthenticationProviderService {
public AuthenticatedUser authenticateUser(Credentials credentials) public AuthenticatedUser authenticateUser(Credentials credentials)
throws GuacamoleException { throws GuacamoleException {
String token = null; String username = null;
// Pull OpenID token from request if present // Validate OpenID token in request, if present, and derive username
HttpServletRequest request = credentials.getRequest(); HttpServletRequest request = credentials.getRequest();
if (request != null) if (request != null) {
token = request.getParameter(TokenField.PARAMETER_NAME); String token = request.getParameter(TokenField.PARAMETER_NAME);
if (token != null)
username = tokenService.processUsername(token);
}
// If token provided, validate and produce authenticated user // If the username was successfully retrieved from the token, produce
if (token != null) { // authenticated user
if (username != null) {
// Create corresponding authenticated user // Create corresponding authenticated user
AuthenticatedUser authenticatedUser = authenticatedUserProvider.get(); AuthenticatedUser authenticatedUser = authenticatedUserProvider.get();
authenticatedUser.init(tokenService.processUsername(token), credentials); authenticatedUser.init(username, credentials);
return authenticatedUser; return authenticatedUser;
} }

41
extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/token/TokenValidationService.java
View File

@@ -31,6 +31,8 @@ import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer; import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder; import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver; import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/** /**
* Service for validating ID tokens forwarded to us by the client, verifying * Service for validating ID tokens forwarded to us by the client, verifying
@@ -38,6 +40,11 @@ import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver;
*/ */
public class TokenValidationService { public class TokenValidationService {
/**
* Logger for this class.
*/
private final Logger logger = LoggerFactory.getLogger(TokenValidationService.class);
/** /**
* Service for retrieving OpenID configuration information. * Service for retrieving OpenID configuration information.
*/ */
@@ -48,17 +55,17 @@ public class TokenValidationService {
* Validates and parses the given ID token, returning the username contained * Validates and parses the given ID token, returning the username contained
* therein, as defined by the username claim type given in * therein, as defined by the username claim type given in
* guacamole.properties. If the username claim type is missing or the ID * guacamole.properties. If the username claim type is missing or the ID
* token is invalid, an exception is thrown instead. * token is invalid, null is returned.
* *
* @param token * @param token
* The ID token to validate and parse. * The ID token to validate and parse.
* *
* @return * @return
* The username contained within the given ID token. * The username contained within the given ID token, or null if the ID
* token is not valid or the username claim type is missing,
* *
* @throws GuacamoleException * @throws GuacamoleException
* If the ID token is not valid, the username claim type is missing, or * If guacamole.properties could not be parsed.
* guacamole.properties could not be parsed.
*/ */
public String processUsername(String token) throws GuacamoleException { public String processUsername(String token) throws GuacamoleException {
@@ -79,27 +86,37 @@ public class TokenValidationService {
try { try {
String usernameClaim = confService.getUsernameClaimType();
// Validate JWT // Validate JWT
JwtClaims claims = jwtConsumer.processToClaims(token); JwtClaims claims = jwtConsumer.processToClaims(token);
// Pull username from claims // Pull username from claims
String username = claims.getStringClaimValue(confService.getUsernameClaimType()); String username = claims.getStringClaimValue(usernameClaim);
if (username == null) if (username != null)
throw new GuacamoleSecurityException("Username missing from token");
// Username successfully retrieved from the JWT
return username; return username;
// Warn if username was not present in token, as it likely means
// the system is not set up correctly
logger.warn("Username claim \"{}\" missing from token. Perhaps the "
+ "OpenID scope and/or username claim type are "
+ "misconfigured?", usernameClaim);
} }
// Rethrow any failures to validate/parse the JWT // Log any failures to validate/parse the JWT
catch (InvalidJwtException e) { catch (InvalidJwtException e) {
throw new GuacamoleSecurityException("Invalid ID token.", e); logger.info("Rejected invalid OpenID token: {}", e.getMessage());
logger.debug("Invalid JWT received.", e);
} }
catch (MalformedClaimException e) { catch (MalformedClaimException e) {
throw new GuacamoleServerException("Unable to parse JWT claims.", e); logger.info("Rejected OpenID token with malformed claim: {}", e.getMessage());
logger.debug("Malformed claim within received JWT.", e);
} }
// Could not retrieve username from JWT
return null;
} }
} }