Skip to content

Commit cb64d68

Browse files
committed
Fix oidc/implicit service
1 parent f07b042 commit cb64d68

2 files changed

Lines changed: 3 additions & 33 deletions

File tree

knowage-core/src/main/java/it/eng/spagobi/commons/services/LoginResource.java

Lines changed: 2 additions & 30 deletions
Original file line numberDiff line numberDiff line change
@@ -82,7 +82,6 @@
8282
import it.eng.spagobi.services.security.service.SecurityServiceSupplierFactory;
8383
import it.eng.spagobi.tenant.Tenant;
8484
import it.eng.spagobi.tenant.TenantManager;
85-
import it.eng.spagobi.tools.dataset.notifier.fiware.OAuth2Utils;
8685
import it.eng.spagobi.utilities.exceptions.SpagoBIRuntimeException;
8786

8887
@Path("/login")
@@ -357,7 +356,7 @@ public Response loginOIDC(@Context HttpServletRequest req, Map<String, String> p
357356
try {
358357

359358
final String code = payload.get("code");
360-
final String codeVerifier = payload.get("code_verifier");
359+
final String codeVerifier = payload.get("codeVerifier");
361360
if (StringUtils.isBlank(code)) {
362361
return buildUnauthorizedResponse("Missing authorization code");
363362
}
@@ -382,16 +381,6 @@ public Response loginOIDC(@Context HttpServletRequest req, Map<String, String> p
382381

383382
}
384383

385-
/**
386-
* OIDC Nonce generation endpoint
387-
*/
388-
@GET
389-
@Path("/oidc/nonce")
390-
@PublicService
391-
public Response generateNonce() {
392-
String nonce = OAuth2Utils.createNonce();
393-
return Response.ok(Map.of("nonce", nonce)).build();
394-
}
395384

396385
/**
397386
* OIDC ID token validation endpoint Accepts OIDC ID token and performs validation
@@ -406,23 +395,14 @@ public Response validateOIDCIdToken(@Context HttpServletRequest req, Map<String,
406395
logger.debug("Starting ID token validation");
407396

408397
// Extract parameters from payload
409-
String idToken = payload.get("id_token");
410-
String expectedNonce = payload.get("nonce");
398+
String idToken = payload.get("code");
411399

412400
if (StringUtils.isBlank(idToken)) {
413401
logger.error("Missing id_token in payload");
414402
monitor.stop(new SpagoBIRuntimeException("Missing id_token"));
415403
return buildUnauthorizedResponse("Missing id_token");
416404
}
417405

418-
if (StringUtils.isBlank(expectedNonce)) {
419-
logger.error("Missing nonce in payload");
420-
monitor.stop(new SpagoBIRuntimeException("Missing nonce"));
421-
return buildUnauthorizedResponse("Missing nonce");
422-
}
423-
424-
logger.debug("ID token validation starting with expected nonce: " + expectedNonce);
425-
426406
// Decode JWT
427407
DecodedJWT decodedJWT = JWT.decode(idToken);
428408
logger.debug("JWT token properly decoded");
@@ -450,14 +430,6 @@ public Response validateOIDCIdToken(@Context HttpServletRequest req, Map<String,
450430
}
451431
logger.debug("JWT audience verified");
452432

453-
// Verify nonce (provided by client)
454-
com.auth0.jwt.interfaces.Claim nonceClaim = decodedJWT.getClaim("nonce");
455-
if (nonceClaim.isNull() || !nonceClaim.asString().equals(expectedNonce)) {
456-
logger.error("JWT token nonce [" + nonceClaim.asString() + "] does not match the expected nonce [" + expectedNonce + "]");
457-
monitor.stop(new SpagoBIRuntimeException("JWT nonce mismatch"));
458-
return buildUnauthorizedResponse("JWT nonce does not match");
459-
}
460-
logger.debug("JWT nonce verified");
461433

462434
logger.info("ID token validated successfully");
463435
monitor.stop();

knowageutils/src/main/java/it/eng/spagobi/services/oidc/OIDCIdTokenSSOService.java

Lines changed: 1 addition & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,6 @@
1818
package it.eng.spagobi.services.oidc;
1919

2020
import javax.servlet.http.HttpServletRequest;
21-
import javax.servlet.http.HttpSession;
2221

2322
import org.apache.log4j.LogMF;
2423
import org.apache.log4j.Logger;
@@ -32,8 +31,7 @@ public class OIDCIdTokenSSOService extends JWTSsoService {
3231

3332
@Override
3433
public String readUserIdentifier(HttpServletRequest request) {
35-
HttpSession session = request.getSession();
36-
String idToken = (String) session.getAttribute(Oauth2SsoService.ID_TOKEN); // ID TOKEN IS TRUSTED: it was validated by OAuth2Filter
34+
String idToken = (String) request.getAttribute(Oauth2SsoService.ID_TOKEN);
3735
if (idToken == null) {
3836
logger.debug("ID token not found.");
3937
return super.readUserIdentifier(request);

0 commit comments

Comments
 (0)