oauth-apis / apis Goto Github PK

I am trying to build the repo that I just cloned and getting the following error:

[ERROR] /E:/github/apis/apis-surfconext-authn/src/main/java/org/surfnet/oaaas/conext/SAMLAuthenticator.java:[39,39] package org.opensaml.ws.message.decoder does not exist

What repository contains the missing dependencies?

Thanks,
Caleb

apis-authorization-server-war does not start when I use Java 6 as my runtime environment. I get the following stack trace when I jetty:run.

java.lang.UnsupportedClassVersionError: nl/surfnet/spring/security/opensaml/ServiceProviderAuthenticationException : Unsupported major.minor version 51.0
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClassCond(Unknown Source)
at java.lang.ClassLoader.defineClass(Unknown Source)
at java.security.SecureClassLoader.defineClass(Unknown Source)
at java.net.URLClassLoader.defineClass(Unknown Source)
at java.net.URLClassLoader.access$000(Unknown Source)
at java.net.URLClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(Unknown Source)
at org.eclipse.jetty.webapp.WebAppClassLoader.loadClass(WebAppClassLoader.java:415)
at org.eclipse.jetty.webapp.WebAppClassLoader.loadClass(WebAppClassLoader.java:377)
at java.lang.Class.getDeclaredConstructors0(Native Method)
at java.lang.Class.privateGetDeclaredConstructors(Unknown Source)
at java.lang.Class.getConstructor0(Unknown Source)
at java.lang.Class.newInstance0(Unknown Source)
at java.lang.Class.newInstance(Unknown Source)
at org.surfnet.oaaas.config.SpringConfiguration.getConfiguredBean(SpringConfiguration.java:150)
at org.surfnet.oaaas.config.SpringConfiguration.authenticator(SpringConfiguration.java:129)
at org.surfnet.oaaas.config.SpringConfiguration$$EnhancerByCGLIB$$5f524ff7.CGLIB$authenticator$2()
at org.surfnet.oaaas.config.SpringConfiguration$$EnhancerByCGLIB$$5f524ff7$$FastClassByCGLIB$$6a9f3edc.invoke()
at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:228)
at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:286)
at org.surfnet.oaaas.config.SpringConfiguration$$EnhancerByCGLIB$$5f524ff7.authenticator()
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:160)
at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:578)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1055)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:951)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:487)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:458)
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:296)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:223)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:293)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:194)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:628)
at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:932)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:479)
at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:410)
at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:306)
at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:112)
at org.eclipse.jetty.server.handler.ContextHandler.callContextInitialized(ContextHandler.java:764)
at org.eclipse.jetty.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:406)
at org.eclipse.jetty.server.handler.ContextHandler.startContext(ContextHandler.java:756)
at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:242)
at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1234)
at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:699)
at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:467)
at org.mortbay.jetty.plugin.JettyWebAppContext.doStart(JettyWebAppContext.java:256)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:59)
at org.eclipse.jetty.server.handler.HandlerCollection.doStart(HandlerCollection.java:224)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.doStart(ContextHandlerCollection.java:167)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:59)
at org.eclipse.jetty.server.handler.HandlerCollection.doStart(HandlerCollection.java:224)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:59)
at org.eclipse.jetty.server.handler.HandlerWrapper.doStart(HandlerWrapper.java:90)
at org.eclipse.jetty.server.Server.doStart(Server.java:262)
at org.mortbay.jetty.plugin.JettyServer.doStart(JettyServer.java:65)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:59)
at org.mortbay.jetty.plugin.AbstractJettyMojo.startJetty(AbstractJettyMojo.java:511)
at org.mortbay.jetty.plugin.AbstractJettyMojo.execute(AbstractJettyMojo.java:364)
at org.mortbay.jetty.plugin.JettyRunMojo.execute(JettyRunMojo.java:516)
at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:106)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:208)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:153)
at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:145)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:84)
at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:59)
at org.apache.maven.lifecycle.internal.LifecycleStarter.singleThreadedBuild(LifecycleStarter.java:183)
at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:161)
at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:318)
at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:153)
at org.apache.maven.cli.MavenCli.execute(MavenCli.java:555)
at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:214)
at org.apache.maven.cli.MavenCli.main(MavenCli.java:158)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:290)
at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:230)
at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:414)
at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:357)

How can I include a flexible set of SAML attributes (e.g. uuid, displayName, eduPersonPrincipleName) in the principle profile. At the moment only DISPLAY_NAME and INDENTITY_PROVIDER show up as attributes in the principle information. See the example taken from the README:

{
    "audience": "Authorization Server Admin Client",
    "scopes": [
        "read",
        "write"
    ],
    "principal": {
        "name": "aaaaa",
        "roles": [],
        "groups": [],
        "adminPrincipal": false,
        "attributes": {
            "DISPLAY_NAME": "test-user",
            "IDENTITY_PROVIDER": "http://mock-idp"
        }
    },
    "expires_in": 1373178401833
}

I noticed the constants IDENTITY_PROVIDER and DISPLAY_NAME in
https://github.com/OpenConextApps/apis/blob/8d5ac4616bd999415129ed1bb1b8e179ca418a26/apis-surfconext-authn/src/main/java/org/surfnet/oaaas/conext/SAMLAuthenticatedPrincipal.java.
How can I pass additional SAML attributes, in particular eduPersonPrincipalName, to the principle attributes?

The use case for this is an API facade tied to backend systems for 'someuniversity' and 'otheruniversity'. Based on the value of eduPersonPrincipleName ([email protected]) / ([email protected]) it is serving resources from 'someuniversity' backend system or 'otheruniversity' backend system.

I'm wondering why you limit clients to access only one resource server?
"Every client app belongs to one (and only one) resource server".

My client must access multiple resource servers with (possibly different) tokens.
Is there any way to extend the data model to a 1-n relation of clients and resource servers?

Btw: Great work, thanks! Your example did run out of the box (except for the jetty-maven PermGen Space issue).

Quick question - If we have multiple instances of auth servers that are behind a load balancer, are there any additional configurations or any issues we should watch out for? We will be using Oracle DB for all persistence.

Hi, I'm missing a dependency called org.surfnet.coin:mujina-idp:war:2.13.0.

Please provide repo details, thanks!

[ERROR] Failed to execute goal org.mortbay.jetty:jetty-maven-plugin:8.1.4.v20120524:run (default-cli) on project apis-authorization-server-war: Execution default-cli of goal org.mortbay.jetty:jetty-maven-plugin:8.1.4.v20120524:run failed: Plugin org.mortbay.jetty:jetty-maven-plugin:8.1.4.v20120524 or one of its dependencies could not be resolved: Could not find artifact org.surfnet.coin:mujina-idp:war:2.13.0 in central (http://repo.maven.apache.org/maven2) -> [Help 1]

What is the correct way to invalidate an active token to properly log off?

No matter what MAVEN_OPTS I'm setting:
MAVEN_OPTS="-d64 -Xms3G -Xmx3G -XX:MaxPermSize=2G -XX:+CMSClassUnloadingEnabled -XX:+UseConcMarkSweepGC"
JAVA_HOME=C:\lib\java\jdk1.7.40
I keep getting this error on sample applications.

Stack trace:
java.lang.OutOfMemoryError: PermGen space
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:792)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
at java.net.FactoryURLClassLoader.loadClass(URLClassLoader.java:789)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
at java.util.ResourceBundle$Control.newBundle(ResourceBundle.java:2566)
at java.util.ResourceBundle.loadBundle(ResourceBundle.java:1436)
at java.util.ResourceBundle.findBundle(ResourceBundle.java:1400)
at java.util.ResourceBundle.findBundle(ResourceBundle.java:1354)
at java.util.ResourceBundle.findBundle(ResourceBundle.java:1354)
at java.util.ResourceBundle.getBundleImpl(ResourceBundle.java:1296)
at java.util.ResourceBundle.getBundle(ResourceBundle.java:795)
at com.sun.tools.javac.util.JavacMessages.getBundles(JavacMessages.java:121)
at com.sun.tools.javac.util.JavacMessages.setCurrentLocale(JavacMessages.java:73)
at com.sun.tools.javac.util.JavacMessages.(JavacMessages.java:98)
at com.sun.tools.javac.util.JavacMessages.(JavacMessages.java:88)
at com.sun.tools.javac.main.Main.getLocalizedString(Main.java:584)
at com.sun.tools.javac.main.Main.resourceMessage(Main.java:527)
at com.sun.tools.javac.main.Main.compile(Main.java:459)
at com.sun.tools.javac.api.JavacTaskImpl.call(JavacTaskImpl.java:132)
at org.apache.jasper.compiler.Jsr199JavaCompiler.compile(Jsr199JavaCompiler.java:248)
at org.apache.jasper.compiler.Compiler.generateClass(Compiler.java:384)
at org.apache.jasper.compiler.Compiler.compile(Compiler.java:453)
at org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:625)
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:374)

I have an RS and a Client, both have an ID of 22222 in the DB (set up in analogy to V1__auth-server-admin.sql). Now when I want e.g. add an additional scope to that RS via the admin client interface (a modification which ends up in a POST to /oauth2/admin/resourceServer/22222), the user agent sees an Internal Server Error, with the Cause in apis.log:

org.springframework.orm.jpa.JpaObjectRetrievalFailureException: Attempted to attach instance "22222" of type "class org.surfnet.oaaas.model.ResourceServer", but this instance is already in the datastore as type "class org.surfnet.oaaas.model.Client".

I believe this is a bug, or otherwise one needs a specification that ID ranges of different classes must be kept apart (a workaround I chose short-term).

Currently, resource server keys and secrets are both generated UUIDs.
The key could be more human readable, to help visually checking the correctness of a used key.

Login on admin client
view consent page
click 'deny'.

server side log says:
21:01:25.071 [qtp15986263-28] WARN o.s.oaaas.resource.TokenResource - Not a valid AbstractAuthenticator.AUTH_STATE on the Request

I noticed that the server war provides a servlet mapping under three roots:

• admin -- applies an auth check which requires a previously issued bearer token, so it seems to be designed to protect access to the resource API (for registering resource servers and clients).
• oauth2 -- applies an authentication check specifically to the authorize resource, so it appears to be designed to handle the RO authentication required by section 3.1 of the spec.
• v1 -- just provides raw access.

However the code behind the various resources makes assumptions about which filters will actually be applied. For example, the resource manager code (such as ResourceServerResource.java) expects that the access will have been authorized and thus a verified token will be available. This isn't in this case, so the result is an NPE on any access. What is the intended purpose of the v1 mapping?

A related question is why all 3 mappings actually give you access to the same resource URIs (so you could issue "admin/authorize" or "oauth2/resourceServer" as valid URIs, though they may or may not work properly). Seems like a more precise set of mappings would be better to avoid confusion and spurious errors (or accidental success).

I would like to enable my trusted clients to dynamically inject additional attributes for the principal that can be accessed by the resource server later.

What would be the best way to do this?
Thanks!

Unless I misread the spec, section 3.3 says that the list of scopes should be space delimited. However, my read of the code is that it is being treated as a comma delimited list.

It turns out that this is hard to see because what happens is that the space delimited list of scopes just gets treated as a single scope in the code (with the spaces preserved), so in the end it comes out looking correct (it just isn't doing what I think it thinks it is doing).

The value should be in seconds. Changing this is tricky, existing clients may break.

Relevant spec-fragment: http://tools.ietf.org/html/draft-ietf-oauth-v2-31#section-5.1.

Relevant code: https://github.com/OpenConextApps/apis/blob/master/apis-authorization-server/src/main/java/org/surfnet/oaaas/resource/TokenResource.java#L143

Tried to work through the demo features, and got as far as the 2nd step in the browser, but am consistently getting an out of memory error. I'm running this on a high spec mac book so it would seem to be a code issue rather than a system issue. Is this something you've seen before?

2013-07-04 20:41:12.203:WARN:oejs.ServletHandler:Error for /mujina-idp/AuthnResponder
java.lang.OutOfMemoryError: PermGen space
at java.lang.ClassLoader.defineClass1(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:792)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)
at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
at org.eclipse.jetty.webapp.WebAppClassLoader.loadClass(WebAppClassLoader.java:415)
at org.eclipse.jetty.webapp.WebAppClassLoader.loadClass(WebAppClassLoader.java:377)
at org.opensaml.common.impl.AbstractSAMLObjectMarshaller.marshall(AbstractSAMLObjectMarshaller.java:57)
at org.opensaml.xml.io.AbstractXMLObjectMarshaller.marshall(AbstractXMLObjectMarshaller.java:86)
at nl.surfnet.mujina.saml.xml.AssertionGenerator.signAssertion(AssertionGenerator.java:117)
at nl.surfnet.mujina.saml.xml.AssertionGenerator.generateAssertion(AssertionGenerator.java:100)
at nl.surfnet.mujina.saml.xml.AuthnResponseGenerator.generateAuthnResponse(AuthnResponseGenerator.java:63)
at nl.surfnet.mujina.saml.SSOSuccessAuthnResponder.handleRequest(SSOSuccessAuthnResponder.java:118)
at org.springframework.web.context.support.HttpRequestHandlerServlet.service(HttpRequestHandlerServlet.java:67)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:598)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1367)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:369)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:109)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:100)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)

Hi,
How can I revoke access given to an application?

I'm having some problems in getting tokens from auth server. I'll try to explain here:

Running Authorization Server - Resource Server demo flow:

Using the dummy account for test I'm getting this response after the performing the curl as suggested:

curl -v -H "Accept: application/json" -H "Content-type: application/x-www-form-urlencoded" -H \
  "Authorization: Basic aXQtdGVzdC1jbGllbnQtY3JlZGVudGlhbC1ncmFudDpzb21lLXNlY3JldC1jbGllbnQtY3JlZGVudGlhbC1ncmFudA==" \
  -X POST -d 'grant_type=client_credentials' http://localhost:8080/oauth2/token

I'm getting back this response:

 HTTP/1.1 400 Bad Request
< Content-Type: application/json
< Transfer-Encoding: chunked
* Server Jetty(8.1.4.v20120524) is not blacklisted
< Server: Jetty(8.1.4.v20120524)
< 
{"error":"unsupported_grant_type","error_description":"The supported grant_type values are 'authorization_code' and 'refresh_token'"}* Connection #0 to host localhost left intact

I've tried even by building the http header using a browser-plugin and the result is slightly different:

1. First it ask me for a username/password (couldn't find a valid pair btw)
2. Then it returns a 401 unauthorized response.

Something similar happens when I'm trying to get a token by authorization code flow: I'm able to get a request_code but not able to exchange it for an authorization token. When I'm asking by building the http request header via browser plugin it asks me again for the username-login password for connecting to OAuthSecure2 server.

PS: The key that I'm using for generating the key use in Authorization header is obtained by openssl base64 command

Concerning dates, the /v1/tokeninfo endpoint returns a JSON string that only contains the "expires_in" key, with a value that is taken from the database directly without recomputation. Thus a resource server can neither know when the token was created nor when it will expire.
Proposal would be to enhance this to either a) dynamically compute the "expire_in" value such that it correctly reflects the time left from "now", or b) additionally release a "creationdate" key/value pair to be released via /tokeninfo.
Preference is on b) because it adds valueable information, the "creationdate" value can be taken directly from the database and there is no computation of the expiry date needed while accessing /tokeninfo.

Hi,
Do you have a support for the grant type of password which was described in this section of the protocol http://tools.ietf.org/html/draft-ietf-oauth-v2-31#section-4.3 ?

Currently the apis authorization-server only supports the bearer Access Token Type. For better spec compliancy the MAC Access Token Type should be supported. See for more details http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01

Although I can set a token expiration value, it doesn't appear to have any effect. Is there anything implemented for expiration, or is this a bug?

On starting the server as suggested

cd apis-authorization-server-war
mvn jetty:run

the first line of output is

Listening for transport dt_socket at address: 8787

On starting the client as suggested

cd apis-example-client-app
mvn jetty:run

the output is

ERROR: transport error 202: bind failed: Address already in use
ERROR: JDWP Transport dt_socket failed to initialize, TRANSPORT_INIT(510)
JDWP exit error AGENT_ERROR_TRANSPORT_INIT(197): No transports initialized [../../../src/share/back/debugInit.c:690]
FATAL ERROR in native method: JDWP No transports initialized, jvmtiError=AGENT_ERROR_TRANSPORT_INIT(197)
Aborted

My understanding is JVM debugger for server is bounding on port 8787 and the debugger from client is also trying to bound to port 8787 but complains because it is already in use.

I also assume that Jetty automatically starts debugger when tests are configured.

Hello guys,

I am running the apis-authorization-server-war on a ubuntu virtual machine and trying to access the server from my host os which is also ubuntu with the example client.

I can succesfully access the server client html page from my host and also start the authorization process from the example client in the host os.

The problem pops up during the mujina login. I somehow can't access the page from my host os. It defaultly goes to the localhost:8080/mujina-idp/SingleSignOnService. I know that, I should replace the localhost with my server IP address.

So, can you please tell me, what changes that are required to be made in the server files / client files. It would be great, If you can guide me through this process. I am still a ametuer with this stuff.

Cheers !!

Thanking you in advance !!

With regards,
Prashanth

Hello,

I am seeing above (java.io.IOException: Illegal footer: -property-named-idpCertificate) when starting apis-authorization-server-war-1.3.6-SNAPSHOT in this environment -

java -version
java version "1.7.0_51"
Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode)

sw_vers
ProductName: Mac OS X
ProductVersion: 10.9.2
BuildVersion: 13C64

bin/catalina.sh version
Using CATALINA_BASE: /Users/naga/ocat
Using CATALINA_HOME: /Users/naga/ocat
Using CATALINA_TMPDIR: /Users/naga/ocat/temp
Using JRE_HOME: /Library/Java/JavaVirtualMachines/jdk1.7.0_51.jdk/Contents/Home
Using CLASSPATH: /Users/naga/ocat/bin/bootstrap.jar:/Users/naga/ocat/bin/tomcat-juli.jar
Server version: Apache Tomcat/7.0.54
Server built: May 19 2014 10:26:15
Server number: 7.0.54.0
OS Name: Mac OS X
OS Version: 10.9.2
Architecture: x86_64
JVM Version: 1.7.0_51-b13
JVM Vendor: Oracle Corporation

Has anyone encountered this issue? If yes, how to overcome?

Thanks
Naga

I have a basic (newbie) question.

The Resource Server definition (as configured through the UI) does not point to the actual resource server. There is no URL defined for the resource server.
So how can a Client Application be restricted to only access resource of the desired resource server? Should this be custom implementation?

I've found at least 2 issues so far:

• The redirect URL in index.html is "/client/client.html" which only works off root.
• When logging into the client application you end up in an infinite redirect loop processing the token response. Not sure why at this point.

Workaround is to ensure that the WAR is deployed at the root context of the container.

I am trying to use the server with Android clients (Native app) not based on webview.

Below is what I understood from the documentation

1. Resource Servers and Client apps can be registered from the GUI found at http://localhost:8080/client/client.html

1. Pressing "Login" will present a screen like this and your can enter anything into login/password field

QUESTION - HOW TO CONFIGURE THIS LOGIN PAGE SO THAT IT DOES NOT USE ANY USER NAME/PASSWORD?

1. On pressing add another resource the following page is presented

QUESTION - I HAVE A JAVA SERVLET BASED RESOURCE SERVER HOSTED ON TOMCAT, HOW TO ADD THAT SERVER ON THIS PAGE?

The client will be native apps on Android devices, how do I register them?

When I login it keeps on going back and forth between authorization and the page over and over and never lets me use the logged in pages (/client/client.html)
The log file is filled with:

WARNING: A servlet POST request, to the URI http://localhost:8080/oauth2/authorize, contains form parameters in the request body but the request body has been consumed by the servlet or a servlet filter accessing the request parameters. Only resource methods using @FormParam will work as expected. Resource methods consuming the request body by other means will not work as expected.
09:12:03.722 [qtp1146625698-19] WARN  o.s.o.auth.AuthorizationServerFilter - No valid access-token on request. Will respond with error response: 403 OAuth2 endpoint
09:12:03.736 [qtp1146625698-24] WARN  o.s.o.auth.AuthorizationServerFilter - No valid access-token on request. Will respond with error response: 403 OAuth2 endpoint

Not sure what to check.

The directory https://build.surfconext.nl/repository/public/snapshots/nl/surfnet/apis/apis-resource-server-library/1.3.6-SNAPSHOT/ is empty, maven cannot obtain nl.surfnet.apis:apis-resource-server-library:jar:1.3.6-SNAPSHOT

Resource servers that use the java class 'AuthorizationServerFilter' look for a file called 'apis.application.properties' in case no file name is provided by an init-param.
If the resource server shares the classpath with an Apis authorization server, those files clash.

When requesting the Authorization Code indicating an invalid or otherwise forged redirection URI, a GET request to e.g.
https://apis.example.de/oauth2/authorize?response_type=code&client_id=registered_id&redirect_uri=https://unregisted.client.com/malware.php&scope=myScope&state=12345
redirects to that invalid redirection URI, giving an attacker the code. However, in the preamble of http://tools.ietf.org/html/rfc6749#section-4.1.2.1 it is stated that it "MUST NOT" do this, leaving it a task of the AS to return an error to the user.
This should be considered a security hole, as some attacker can redirect the user to its own page.

Caused by: java.lang.UnsupportedClassVersionError: nl/surfnet/spring/security/opensaml/ServiceProviderAuthenticationException : Unsupported major.minor version 51.0

I'm a devops engineer, and I'm working on a problem with a deployment of the apis-authorization-server-war. I have no idea whether my developers are using/deploying the WAR as intended, so please excuse me if we are being total hacks. :)

I am currently trying to figure out how to override certain property settings. My developers were originally including an apis.application.properties directly in the apis-authorization-server-war. This worked fine for a single deployment environment, but we need to deploy to multiple environments, and we would like to do so without building multiple wars with different properties files like it is done in the apis-authorization-server-dist.

It appears that most of the properties are used/configured in such a way that they can be overridden with context parameters. In other words, we deploy to both the WAR and an application context file. In the context file, we override the "jdbc.driverClassName" property by including "". Unfortunately, properties like "adminService.tokenVerificationUrl" cannot be overridden in the same way.

After poking around for a while, I realized that could define the various "adminServce" properties in a filter in the web.xml rather than a properties file (using param name "authorization-server-url" in place of "adminService.tokenVerificationUrl" and so forth). I thought that I might then be able to override the properties using the context params, but no such luck. I also experimented with using something like "${authorization-server-url}" as the param variable and then overriding with environment variables. I tried defining the env variables several ways: (1) In the context file -- '', (2) From the command-line, (3) etc; but again with no luck.

It really seems like there should be a good way to easily override these "adminService" properties externally to the WAR, but I'm at a loss. Is there a way? Any help or guidance would be greatly appreciated.

On

cd apis-authorization-server-war
mvn jetty:run

Getting the following error

2013-09-01 18:41:27.021:WARN:oejuc.AbstractLifeCycle:FAILED [email protected]:8080: java.net.BindException: Address already in use
java.net.BindException: Address already in use

Since 3673319 the serialization of VerifyTokenResponse contains Java type information. The following is a representative example from the authorization server webapp:

["org.surfnet.oaaas.model.VerifyTokenResponse",
{
    "audience": "client",
    "scopes": ["org.apache.openjpa.util.java$util$ArrayList$proxy", ["read", "write"]],
    "principal": ["org.surfnet.oaaas.conext.SAMLAuthenticatedPrincipal",
    {
        "name": "admin",
        "roles": ["java.util.ArrayList", []],
        "groups": ["java.util.ArrayList", []],
        "adminPrincipal": false,
        "attributes": ["java.util.HashMap",
        {
            "DISPLAY_NAME": "admin",
            "IDENTITY_PROVIDER": "http://mock-idp"
        }]
    }],
    "expires_in": 0
}]

In order to deserialize such JSON, a resource server must explicitly include at least two additional dependencies (and inherit their numerous transitive dependencies). Otherwise, it will experience errors such as the following:

ERROR [2013-07-02 19:36:14,535] org.surfnet.oaaas.auth.AuthorizationServerFilter: Exception in reading result from AuthorizationServer
! org.codehaus.jackson.map.JsonMappingException: Invalid type id 'org.surfnet.oaaas.conext.SAMLAuthenticatedPrincipal' (for id type 'Id.class'): no such class found (through reference chain: org.surfnet.oaaas.model.VerifyTokenResponse["principal"])

The OpenJPA dependency, although extraneous from the resource server's perspective, can be easily handled by declaring it in apis-resource-server-library/pom.xml.

However, the SAML dependency is indicative of a larger problem, which is that the presence of this type information couples a resource server to the specific authenticators used by the authorization server. That is especially surprising when simply using AuthorizationServerFilter to protect resources.

From http://tools.ietf.org/html/rfc6749#section-4.1.2:
code
REQUIRED. The authorization code generated by the
authorization server. The authorization code MUST expire
shortly after it is issued to mitigate the risk of leaks. A
maximum authorization code lifetime of 10 minutes is
RECOMMENDED. The client MUST NOT use the authorization
code more than once....

From what I saw, even 2 year old authZ codes do still work, so I guess some cleanup process should be implemented.

When I try to compile using mvn clean install I get the following exception:

And the report of the maven execution:
[INFO] API Secure ........................................ SUCCESS [0.971s]
[INFO] API Secure - resource server library .............. SUCCESS [9.049s]
[INFO] API Secure - authorization server ................. SUCCESS [14.483s]
[INFO] API Secure - conext authentication plugin ......... SUCCESS [4.320s]
[INFO] API Secure - example resource server .............. SUCCESS [18.038s]
[INFO] API Secure - mock openconext group api ............ SUCCESS [2.018s]
[INFO] API Secure - authorization server webapp .......... FAILURE [7.814s]
[INFO] API Secure - example resource server war .......... SKIPPED
[INFO] API Secure - example client app war ............... SKIPPED
[INFO] API Secure - authorization server webapp dist ..... SKIPPED
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 57.281s
[INFO] Finished at: Fri Feb 07 09:30:21 CET 2014
[INFO] Final Memory: 77M/163M

So it seems to me that multiple spring libraries are included. This happens both with the 1.3.3 and 1.3.4 versions. What can I do to make it work?

Thanks!

Hi, not sure if this is right place to ask question on the code, but I have not found alternative path to ask it, so here goes.

I am reviewing the code (OpenConextApps/apis) for possible use in a project/demo that I am scoping.

One thing I am stuck on is how login.jsp gets invoked. Basically, I can see how ClientController creates the Authorization Request and sends redirect to authorization server.

I am assuming that FormLoginAuthenticator is configured in apis.application.properties, although in downloaded version it is commented out, but when I set up the project I will uncomment it accordingly.

Now I assume when the redirect is received at the authorization server (war) that AbstractAuthenticator will have doFilter() invoked, and in turn invoke authenticate() in FormLoginAuthenticator.

Here is where I have the problem. it appears to me that the only way that login.jsp can be shown to the user is if FormLoginAuthenticator.processInitial() is called.

However, it appears to me that the only way that this can happen is if the principal is null, which is ok, but first the code must find that request.getMethod().equals("POST") is false!

Unless I am missing something the above should return true, since in ClientController.step2() that the preceding annotation @RequestMapping sets method=RequestMethod.POST.

So, what am I missing? do I have it completely wrong? or does getMethod() return something other than POST?

Any help or suggestion where I might better submit the question would be appreciated.

Thanks,
Rich

Hi,

How should one send the following request to the authorization server :

GET https:///v1/tokeninfo?access_token=<access_token>
Authorization: Basic
Accept: application/json

I am replacing the content within <> accordingly to my environment. Further, should I also include Base64 encoded in the authorization section.

I am passing the above request in my browser itself, can you provide me some information on how to send this GET request to the authorization server.

I am still a ametuer with this stuff, please do help me.

With regards,
Prashanth

https://datatracker.ietf.org/doc/draft-richer-oauth-introspection/

I'm trying to work with your server implementation, by the way when I'm trying to add a new resource server, from the page containing the proper form, nothing happens. I just fill the fields and then click on "save changes" but it seems to do nothing. Any idea about this kind of problem?

PS: I'm getting a similar issue when dealing with tokens. If i try to delete one token it opens a pop-up asking for confirmation, but then nothing happens. (i.e. tokens are not deleted)

Could be something related to the java version installed?

Just a quick question. I didn't see any licensing information associated with this repo. Curious if you intended it to include a license. This will help people understand how they can use this project and the limits on how it can be used.

Thanks!

can not find coin-test.jar,the pom file of maven has error? i am in beijing,why?

Hello,

Thank you so much for APIs Secure. It's working great, except for one issue that I'm hoping someone might be kind enough to help me out with. It would seem that when several (implicit grant) bearer token issuance requests come in at the same time that one of three exceptions intermittently are thrown.

I'm using a brand new clone of the apis repository with only the following adjustments to: apis-authorization-server-war/src/test/resources/apis.application.properties:

1. Using MySQL instead of hsqldb.
2. Using NoopAuthenticator as authenticatorClass.
3. Using NoopUserConsentHandler as userConsentHandlerClass.

The authorization server is run via (also reproduced under Tomcat 8):

mvn jetty:run

To reproduce the below issue, I'm executing:

for i in seq 1 3; do (curl -i http://$host:8080/oauth2/authorize?response_type=token\&client_id=$client_id\&redirect_uri=http://localhost:$port/redirect\&scope=read\&state=example &); done

After running that a few times, I'll begin seeing the following exceptions:

https://gist.github.com/jsmith190721117/26912e8bd7f0937a35c4#file-gistfile1-txt
https://gist.github.com/jsmith190721117/3cca683e9d69f6c0deeb#file-gistfile1-txt
https://gist.github.com/jsmith190721117/f1dca4ad373a5fc5d9ff#file-gistfile1-txt

Any assistance that anyone could provide would be greatly appreciated. Thank you.

Hi,
I am very new to OAuth2 and Maven and hence i am trying to install APIS and while i am running command from command prompt getting below issues

[ERROR] Failed to execute goal org.apache.openjpa:openjpa-maven-plugin:2.2.0:enh
ance (enhancer) on project apis-authorization-server: Execution enhancer of goal
org.apache.openjpa:openjpa-maven-plugin:2.2.0:enhance failed: Plugin org.apache
.openjpa:openjpa-maven-plugin:2.2.0 or one of its dependencies could not be reso
lved: Could not transfer artifact org.slf4j:slf4j-api:jar:1.6.1 from/to central
(https://repo.maven.apache.org/maven2): Connect to repo.maven.apache.org:443 [re
po.maven.apache.org/199.27.79.215] failed: Connection timed out: connect -> [Hel
p 1]

Please guide me to fix the issue .

The org.surfnet.oaaas.auth.AuthorizationServerFilter class is meant to be used independently by resource server applications. Based on an initial inspection of the code, however, there are a couple of unpleasant consequences of it being packaged as part of the authorization server codebase.

First, if the apis-authorization-server artifact is included as a dependency in the resource server, it appears that the auth server's JAX-RS resources will be auto-discovered and provisioned in the resource server application.

Second, the filter pulls in heavyweight dependencies on Spring, Guava, SLF4J, and Jackson. The Spring dependency is just a couple of convenience utilities and really shouldn't be included. Guava, SLF4J, and Jackson are easier to deal with as they are common, but these are mostly not required either and could be eliminated.

I realize that the filter code can be copied and the dependencies removed downstream, but ideally, the project could package the filter in a separate submodule that can be referenced independently by resource servers with minimal dependencies.

org.springframework.dao.InvalidDataAccessApiUsageException: Result type "class org.surfnet.oaaas.model.AccessToken" does not have any public fields or setter methods for the projection or aggregate result element "creationDate", nor does it have a generic put(Object,Object) method that can be used, nor does it have a public constructor that takes the types null.; nested exception is <openjpa-2.2.0-r422266:1244990 nonfatal user error> org.apache.openjpa.persistence.ArgumentException: Result type "class org.surfnet.oaaas.model.AccessToken" does not have any public fields or setter methods for the projection or aggregate result element "creationDate", nor does it have a generic put(Object,Object) method that can be used, nor does it have a public constructor that takes the types null

Access tokens that have expired should be removed