updates to config (2)

OpenLiberty · Nov 1, 2023 · a48f897 · a48f897
1 parent bf4e530
commit a48f897
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 19 deletions.
diff --git a/dev/com.ibm.ws.security.openidconnect.client/resources/OSGI-INF/l10n/metatype.properties b/dev/com.ibm.ws.security.openidconnect.client/resources/OSGI-INF/l10n/metatype.properties
@@ -298,3 +298,8 @@ pkceCodeChallengeMethod.S256=S256
 
 tokenRequestOriginHeader=Token request origin header
 tokenRequestOriginHeader.desc=Specifies the value to use in the Origin HTTP header that is included in the HTTP POST request to the token endpoint of the OpenID Connect provider. If not specified, an Origin HTTP header is not included in the request.
+
+tokenOrderToFetchCallerClaims=Specify one or more tokens to fetch caller claims 
+tokenOrderToFetchCallerClaims.desc=Specifies the order of the token/s to fetch the caller name and group claim values. If the claim does not exist in the first token, then the OpenID Connect client will continue the search with other tokens in the list
+tokenOrderToFetchCallerClaims.one=Use IDToken only to determine the caller claims
+tokenOrderToFetchCallerClaims.multiple=Use AccessToken, IDToken and Userinfo tokens , in this order, to determine the caller claims.
diff --git a/dev/com.ibm.ws.security.openidconnect.client/resources/OSGI-INF/metatype/metatype.xml b/dev/com.ibm.ws.security.openidconnect.client/resources/OSGI-INF/metatype/metatype.xml
@@ -163,9 +163,10 @@
                 <Option label="%pkceCodeChallengeMethod.S256" value="S256" />
          </AD>
          <AD id="tokenRequestOriginHeader" name="%tokenRequestOriginHeader" description="%tokenRequestOriginHeader.desc" required="false" type="String" />
-		 <AD id="tokenOrderToFetchCallerClaims" type="String" required="false" name="%tokenOrder" description="%tokenOrder.desc" default="IDToken" ibm:beta="true">        
-        	<Option label="%tokenOrder.one" value="IDToken" />
-         	<Option label="%tokenOrder.two" value="AccessToken IDToken Userinfo" /> 
+
+		 <AD id="tokenOrderToFetchCallerClaims" type="String" required="false" name="%tokenOrderToFetchCallerClaims" description="%tokenOrderToFetchCallerClaims.desc" default="IDToken" ibm:beta="true">        
+        	<Option label="%tokenOrderToFetchCallerClaims.one" value="IDToken" />
+         	<Option label="%tokenOrderToFetchCallerClaims.multiple" value="AccessToken:IDToken:Userinfo" /> 
    		 </AD>    
      </OCD>
 

diff --git a/...ct.client/src/com/ibm/ws/security/openidconnect/client/internal/OidcClientConfigImpl.java b/...ct.client/src/com/ibm/ws/security/openidconnect/client/internal/OidcClientConfigImpl.java
@@ -18,6 +18,7 @@
 import java.security.PublicKey;
 import java.security.cert.CertificateException;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Dictionary;
 import java.util.HashMap;
 import java.util.List;
@@ -566,13 +567,14 @@ private void processConfigProps(Map<String, Object> props) {
         // checkValidationEndpointUrl();
 
         // validateAuthzTokenEndpoints(); //TODO: update tests to expect the error if the validation here fails
-
-        tokenOrderToFetchCallerClaims = split(trimIt((String) props.get(CFG_KEY_TOKEN_ORDER_TOFETCH_CALLER_CLAIMS)));
-        if (tokenOrderToFetchCallerClaims == null || tokenOrderToFetchCallerClaims.size() == 0) {
-            tokenOrderToFetchCallerClaims = new ArrayList<String>(3);
+        String tokens = configUtils.getConfigAttributeWithDefaultValue(props, CFG_KEY_TOKEN_ORDER_TOFETCH_CALLER_CLAIMS, "IDToken");//getStringArrayConfigAttribute(props, CFG_KEY_TOKEN_ORDER_TOFETCH_CALLER_CLAIMS);
+ /*       if (tokens == null) {
+            Tr.info(tc, "@AMMI, null tokens");
+            tokenOrderToFetchCallerClaims = new ArrayList<String>(1);
             tokenOrderToFetchCallerClaims.add(com.ibm.ws.security.openidconnect.clients.common.Constants.TOKEN_TYPE_ID_TOKEN);
-        }
-
+        } else {    */        
+            tokenOrderToFetchCallerClaims = split(tokens);
+       /* }*/
         if (discovery) {
             logDiscoveryMessage("OIDC_CLIENT_DISCOVERY_COMPLETE");
         }
@@ -647,7 +649,7 @@ private void processConfigProps(Map<String, Object> props) {
             Tr.debug(tc, "accessTokenCacheTimeout:" + accessTokenCacheTimeout);
             Tr.debug(tc, "pkceCodeChallengeMethod:" + pkceCodeChallengeMethod);
             Tr.debug(tc, "tokenRequestOriginHeader:" + tokenRequestOriginHeader);
-            Tr.debug(tc, "tokenOrderToFetchCallerClaims:" + tokenOrderToFetchCallerClaims);
+            Tr.debug(tc, "tokenOrderToFetchCallerClaims:" + tokenOrderToFetchCallerClaims.toString());
         }
 
     }
@@ -1959,14 +1961,16 @@ public List<String> getTokenOrderToFetchCallerClaims() {
         return tokenOrderToFetchCallerClaims;
     }
 
-    List<String> split(String str) {
+    List<String> split(String str) {    
         List<String> rvalue = new ArrayList<String>(3);
-        if (str != null) {
-            StringTokenizer st = new StringTokenizer(str, ",");
-            while (st.hasMoreElements()) {
-                rvalue.add(st.nextToken());
+            if (str.contains(":")) {
+                StringTokenizer st = new StringTokenizer(str, ":");
+                while (st.hasMoreElements()) {
+                    rvalue.add(st.nextToken());
+                }
+            } else {
+                rvalue.add(str);
             }
-        }
         return rvalue;
     }
 }
diff --git a/...t.clients.common/src/com/ibm/ws/security/openidconnect/client/jose4j/util/Jose4jUtil.java b/...t.clients.common/src/com/ibm/ws/security/openidconnect/client/jose4j/util/Jose4jUtil.java
@@ -180,7 +180,7 @@ public ProviderAuthenticationResult createResultWithJose4J(String responseState,
             }
 
             List<String> tokensOrderToFetchCallerClaims = clientConfig.getTokenOrderToFetchCallerClaims();
-            if (tokensOrderToFetchCallerClaims.size() > 1) {
+            if (tokensOrderToFetchCallerClaims.size() > 1 && tokensOrderToFetchCallerClaims.contains(Constants.TOKEN_TYPE_ACCESS_TOKEN)) {
                 // access token
                 JwtClaims accessTokenClaims = getClaimsFromAccessToken(accessTokenStr);
                 tokenClaimsMap.put(Constants.TOKEN_TYPE_ACCESS_TOKEN, accessTokenClaims);

diff --git a/...m.ibm.ws.security.social/src/com/ibm/ws/security/social/internal/OidcLoginConfigImpl.java b/...m.ibm.ws.security.social/src/com/ibm/ws/security/social/internal/OidcLoginConfigImpl.java
@@ -145,7 +145,7 @@ public class OidcLoginConfigImpl extends Oauth2LoginConfigImpl implements Conver
     private String tokenRequestOriginHeader = null;
 
     public static final String CFG_KEY_TOKEN_ORDER_TOFETCH_CALLER_CLAIMS = "tokenOrderToFetchCallerClaims";
-    private List<String> tokenOrderToFetchCallerClaims = new ArrayList<String>();
+    private List<String> tokenOrderToFetchCallerClaims;
 
     HttpUtils httputils = new HttpUtils();
     ConfigUtils oidcConfigUtils = new ConfigUtils(null);
@@ -236,7 +236,7 @@ protected void setAllConfigAttributes(Map<String, Object> props) throws SocialLo
         }
 
         performMiscellaneousConfigurationChecks();
-        tokenOrderToFetchCallerClaims = new ArrayList<String>(3);
+        tokenOrderToFetchCallerClaims = new ArrayList<String>(1);
         tokenOrderToFetchCallerClaims.add(com.ibm.ws.security.openidconnect.clients.common.Constants.TOKEN_TYPE_ID_TOKEN); //IDToken only for now
     }