fix: 🐛 Fix ACR for implicit and authorization_code flows

BREAKING CHANGE: 🧨 Database needs to be updated: `ALTER TABLE saved_user_auth DROP
source_class; ALTER TABLE saved_user_auth ADD COLUMN acr VARCHAR(1024);`

Author: Dominik Frantisek Bucik

perun-oidc-server-webapp/src/main/resources/db/hsql/hsql_database_tables.sql

@@ -86,6 +86,7 @@ CREATE TABLE IF NOT EXISTS authentication_holder_request_parameter (
 
 CREATE TABLE IF NOT EXISTS saved_user_auth (
 	id BIGINT GENERATED BY DEFAULT AS IDENTITY(START WITH 1) PRIMARY KEY,
+	acr VARCHAR(1024),
 	name VARCHAR(1024),
 	authenticated BOOLEAN,
 	source_class VARCHAR(2048)

perun-oidc-server-webapp/src/main/resources/db/mysql/mysql_database_tables.sql

@@ -85,6 +85,7 @@ CREATE TABLE IF NOT EXISTS authentication_holder_request_parameter (
 
 CREATE TABLE IF NOT EXISTS saved_user_auth (
     id BIGINT AUTO_INCREMENT PRIMARY KEY,
+    acr VARCHAR(1024),
     name VARCHAR(1024),
     authenticated BOOLEAN,
     source_class VARCHAR(2048)

perun-oidc-server-webapp/src/main/resources/db/psql/psql_database_tables.sql

@@ -86,6 +86,7 @@ CREATE TABLE IF NOT EXISTS authentication_holder_request_parameter (
 
 CREATE TABLE IF NOT EXISTS saved_user_auth (
     id BIGSERIAL PRIMARY KEY,
+    acr VARCHAR(1024),
     name VARCHAR(1024),
     authenticated BOOLEAN,
     source_class VARCHAR(2048)

perun-oidc-server/src/main/java/cz/muni/ics/oauth2/model/SavedUserAuthentication.java

@@ -17,8 +17,10 @@
 package cz.muni.ics.oauth2.model;
 
 import cz.muni.ics.oauth2.model.convert.SimpleGrantedAuthorityStringConverter;
+import cz.muni.ics.oidc.saml.SamlPrincipal;
 import java.util.Collection;
 import java.util.HashSet;
+import java.util.stream.Collectors;
 import javax.persistence.Basic;
 import javax.persistence.CollectionTable;
 import javax.persistence.Column;
@@ -32,8 +34,14 @@
 import javax.persistence.JoinColumn;
 import javax.persistence.Table;
 import javax.persistence.Transient;
+import lombok.ToString;
+import lombok.extern.slf4j.Slf4j;
+import org.opensaml.saml2.core.AuthnContext;
+import org.opensaml.saml2.core.AuthnContextClassRef;
+import org.opensaml.saml2.core.AuthnStatement;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.providers.ExpiringUsernameAuthenticationToken;
 
 /**
  * This class stands in for an original Authentication object.
@@ -42,6 +50,8 @@
  */
 @Entity
 @Table(name="saved_user_auth")
+@Slf4j
+@ToString
 public class SavedUserAuthentication implements Authentication {
 
 	private static final long serialVersionUID = -1804249963940323488L;
@@ -50,18 +60,21 @@ public class SavedUserAuthentication implements Authentication {
 	private String name;
 	private Collection<GrantedAuthority> authorities;
 	private boolean authenticated;
-	private String sourceClass;
+	private String acr;
 
 	public SavedUserAuthentication(Authentication src) {
 		setName(src.getName());
 		setAuthorities(new HashSet<>(src.getAuthorities()));
 		setAuthenticated(src.isAuthenticated());
-
-		if (src instanceof SavedUserAuthentication) {
-			// if we're copying in a saved auth, carry over the original class name
-			setSourceClass(((SavedUserAuthentication) src).getSourceClass());
-		} else {
-			setSourceClass(src.getClass().getName());
+		if (src instanceof ExpiringUsernameAuthenticationToken) {
+			ExpiringUsernameAuthenticationToken token = (ExpiringUsernameAuthenticationToken) src;
+			this.acr = ((SamlPrincipal) token.getPrincipal()).getSamlCredential()
+					.getAuthenticationAssertion()
+					.getAuthnStatements().stream()
+					.map(AuthnStatement::getAuthnContext)
+					.map(AuthnContext::getAuthnContextClassRef)
+					.map(AuthnContextClassRef::getAuthnContextClassRef)
+					.collect(Collectors.joining());
 		}
 	}
 
@@ -85,6 +98,10 @@ public String getName() {
 		return name;
 	}
 
+	public void setName(String name) {
+		this.name = name;
+	}
+
 	@Override
 	@ElementCollection(fetch = FetchType.EAGER)
 	@CollectionTable(name="saved_user_auth_authority", joinColumns=@JoinColumn(name="owner_id"))
@@ -94,22 +111,18 @@ public Collection<GrantedAuthority> getAuthorities() {
 		return authorities;
 	}
 
-	@Override
-	@Transient
-	public Object getCredentials() {
-		return "";
+	public void setAuthorities(Collection<GrantedAuthority> authorities) {
+		this.authorities = authorities;
 	}
 
-	@Override
-	@Transient
-	public Object getDetails() {
-		return null;
+	@Basic
+	@Column(name = "acr")
+	public String getAcr() {
+		return acr;
 	}
 
-	@Override
-	@Transient
-	public Object getPrincipal() {
-		return getName();
+	public void setAcr(String acr) {
+		this.acr = acr;
 	}
 
 	@Override
@@ -124,22 +137,22 @@ public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentExce
 		this.authenticated = isAuthenticated;
 	}
 
-	@Basic
-	@Column(name="source_class")
-	public String getSourceClass() {
-		return sourceClass;
-	}
-
-	public void setSourceClass(String sourceClass) {
-		this.sourceClass = sourceClass;
+	@Override
+	@Transient
+	public Object getCredentials() {
+		return "";
 	}
 
-	public void setName(String name) {
-		this.name = name;
+	@Override
+	@Transient
+	public Object getDetails() {
+		return null;
 	}
 
-	public void setAuthorities(Collection<GrantedAuthority> authorities) {
-		this.authorities = authorities;
+	@Override
+	@Transient
+	public Object getPrincipal() {
+		return getName();
 	}
 
 }

perun-oidc-server/src/main/java/cz/muni/ics/oauth2/token/DeviceTokenGranter.java

@@ -22,6 +22,7 @@
 import cz.muni.ics.oauth2.service.DeviceCodeService;
 import cz.muni.ics.oauth2.web.DeviceEndpoint;
 import java.util.Date;
+import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
 import org.springframework.security.oauth2.provider.ClientDetails;
@@ -42,6 +43,7 @@
  *
  */
 @Component("deviceTokenGranter")
+@Slf4j
 public class DeviceTokenGranter extends AbstractTokenGranter {
 
 	public static final String GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code";

perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/DeviceEndpoint.java

@@ -243,8 +243,9 @@ public String readUserCode(@RequestParam("user_code") String userCode, ModelMap
 
 	@PreAuthorize("hasRole('ROLE_USER')")
 	@RequestMapping(value = "/" + USER_URL + "/approve", method = RequestMethod.POST)
-	public String approveDevice(@RequestParam("user_code") String userCode, @RequestParam(value = "user_oauth_approval") Boolean approve, ModelMap model, Authentication auth, HttpSession session) {
-
+	public String approveDevice(@RequestParam("user_code") String userCode,
+								@RequestParam(value = "user_oauth_approval") Boolean approve,
+								ModelMap model, Authentication auth, HttpSession session) {
 		AuthorizationRequest authorizationRequest = (AuthorizationRequest) session.getAttribute("authorizationRequest");
 		DeviceCode dc = (DeviceCode) session.getAttribute("deviceCode");
 

perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/PerunSamlAuthenticationProvider.java

@@ -30,8 +30,7 @@ public PerunSamlAuthenticationProvider(List<String> adminIds) {
     @Override
     protected Object getPrincipal(SAMLCredential credential, Object userDetail) {
         PerunUser user = (PerunUser) userDetail;
-        return new User(String.valueOf(user.getId()), credential.getRemoteEntityID(),
-                getEntitlements(credential, userDetail));
+        return new SamlPrincipal(user.getId(), credential, getEntitlements(credential, userDetail));
     }
 
     @Override

perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/SamlPrincipal.java

@@ -0,0 +1,27 @@
+package cz.muni.ics.oidc.saml;
+
+import java.util.Collection;
+import lombok.Getter;
+import lombok.Setter;
+import lombok.ToString;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.saml.SAMLCredential;
+
+@Getter
+@Setter
+@ToString
+public class SamlPrincipal extends User {
+
+    private Long perunUserId;
+    private SAMLCredential samlCredential;
+
+    public SamlPrincipal(Long perunUserId,
+                         SAMLCredential samlCredential,
+                         Collection<? extends GrantedAuthority> authorities) {
+        super(String.valueOf(perunUserId), "[PROTECTED]", authorities);
+        this.perunUserId = perunUserId;
+        this.samlCredential = samlCredential;
+    }
+
+}

perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/PerunOIDCTokenService.java

@@ -18,9 +18,6 @@
 import net.minidev.json.JSONArray;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.oauth2.provider.OAuth2Request;
-import org.springframework.web.context.request.RequestAttributes;
-import org.springframework.web.context.request.RequestContextHolder;
-import org.springframework.web.context.request.ServletRequestAttributes;
 
 /**
  * Modifies ID Token.
@@ -49,8 +46,11 @@ public PerunOIDCTokenService(UserInfoService userInfoService,
 	}
 
 	@Override
-	protected void addCustomIdTokenClaims(JWTClaimsSet.Builder idClaims, ClientDetailsEntity client, OAuth2Request request,
-										  String sub, OAuth2AccessTokenEntity accessToken)
+	protected void addCustomIdTokenClaims(JWTClaimsSet.Builder idClaims,
+										  ClientDetailsEntity client,
+										  OAuth2Request request,
+										  String sub,
+										  OAuth2AccessTokenEntity accessToken)
 	{
 		log.debug("modifying ID token");
 		String userId = accessToken.getAuthenticationHolder().getAuthentication().getName();
@@ -73,18 +73,17 @@ protected void addCustomIdTokenClaims(JWTClaimsSet.Builder idClaims, ClientDetai
 			}
 		}
 
-		String acr = getAuthnContextClass();
-		if (acr != null) {
-			log.debug("adding to ID token claim acr with value {}", acr);
-			idClaims.claim("acr", acr);
+		if (accessToken.getAuthenticationHolder() != null
+			&& accessToken.getAuthenticationHolder().getUserAuth() != null)
+		{
+			String acr = accessToken.getAuthenticationHolder().getUserAuth().getAcr();
+			if (acr != null) {
+				log.debug("adding to ID token claim acr with value {}", acr);
+				idClaims.claim("acr", acr);
+			}
 		}
 	}
 
-	private String getAuthnContextClass() {
-		ServletRequestAttributes attr = (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();
-		return (String) attr.getAttribute(SESSION_PARAM_ACR, RequestAttributes.SCOPE_SESSION);
-	}
-
 	/**
 	 * Converts claim values from com.google.gson.JsonElement to net.minidev.json.JSONObject or primitive value
 	 *

perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/service/impl/DefaultOIDCTokenService.java

@@ -66,7 +66,6 @@
  * @author Amanda Anganes
  *
  */
-@Service
 @Slf4j
 public class DefaultOIDCTokenService implements OIDCTokenService {