From c004e80dbdeab827d3e092fb3619f26a0086691f Mon Sep 17 00:00:00 2001
From: Diana Krepinska
Date: Tue, 30 Jan 2024 15:01:35 +0100
Subject: [PATCH] [ELY-2714] Attempting to read address data from an OIDC id token causes ClassCastException
---
 .../wildfly/security/http/oidc/IDToken.java | 12 +++-
 .../security/http/oidc/IDTokenTest.java | 56 +++++++++++++++++++
 2 files changed, 66 insertions(+), 2 deletions(-)
 create mode 100644 http/oidc/src/test/java/org/wildfly/security/http/oidc/IDTokenTest.java
diff --git a/http/oidc/src/main/java/org/wildfly/security/http/oidc/IDToken.java b/http/oidc/src/main/java/org/wildfly/security/http/oidc/IDToken.java
index b6445cc412e..d40be6bfce8 100644
--- a/http/oidc/src/main/java/org/wildfly/security/http/oidc/IDToken.java
+++ b/http/oidc/src/main/java/org/wildfly/security/http/oidc/IDToken.java
@@ -20,10 +20,12 @@
 import static org.wildfly.security.http.oidc.ElytronMessages.log;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import jakarta.json.JsonObject;
 import jakarta.json.JsonValue;
-import java.util.Map;
+import java.util.HashMap;
 import org.jose4j.jwt.JwtClaims;
@@ -163,7 +165,13 @@ public AddressClaimSet getAddress() {
 if (! (addressValueAsJson instanceof JsonObject)) {
 throw log.invalidTokenClaimValue();
 }
- return new AddressClaimSet((Map) addressValueAsJson);
+ HashMap result;
+ try {
+ result = new ObjectMapper().readValue(addressValueAsJson.toString(), HashMap.class);
+ } catch (JsonProcessingException e) {
+ throw log.invalidTokenClaimValue();
+ }
+ return new AddressClaimSet(result);
 }
 /**
diff --git a/http/oidc/src/test/java/org/wildfly/security/http/oidc/IDTokenTest.java b/http/oidc/src/test/java/org/wildfly/security/http/oidc/IDTokenTest.java
new file mode 100644
index 00000000000..3678d433247
--- /dev/null
+++ b/http/oidc/src/test/java/org/wildfly/security/http/oidc/IDTokenTest.java
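Review bot: In the second hunk, `readValue(addressValueAsJson.toString(), HashMap.class)` leaves the map values untyped, so an address claim carrying a number, array or nested object produces Integer, List or LinkedHashMap entries; if AddressClaimSet's getters cast to String (that class is not visible here), the ClassCastException this commit targets can still occur for such tokens. Binding to a typed map lets Jackson reject structured members inside the existing catch: declare `Map<String, String> result;` and call `result = MAPPER.readValue(addressValueAsJson.toString(), new TypeReference<Map<String, String>>() {});`, with `private static final ObjectMapper MAPPER = new ObjectMapper();` as a field so a mapper is not built on every call. That needs the `TypeReference` import and keeps `java.util.Map`. The catch also discards `e`; if the message method can carry a cause, pass it so a malformed claim can be diagnosed. getAddress() begins above the hunk, so the origin of `addressValueAsJson` is not shown.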
@@ -0,0 +1,56 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2024 Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.wildfly.security.http.oidc;
+
+import jakarta.json.Json;
+import jakarta.json.JsonObject;
+import org.jose4j.jwt.JwtClaims;
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+import static org.wildfly.common.Assert.assertNotNull;
+
+/**
+ * Tests for ID Token.
+ */
+public class IDTokenTest {
+
+ @Test
+ public void testIDTokenWithAddressClaim() {
+ JwtClaims jwtClaims = new JwtClaims();
+ JsonObject jsonObject = Json.createObjectBuilder()
+ .add("address", Json.createObjectBuilder()
+ .add("region", "US")
+ .add("country", "New York")
+ .add("locality", "NY")
+ .add("postal_code", "10021"))
+ .build();
+ jwtClaims.setClaim("given_name", "Alice");
+ jwtClaims.setClaim("family_name", "Smith");
+ jwtClaims.setClaim("address", jsonObject.get("address"));
+ IDToken idToken = new IDToken(jwtClaims);
+ assertNotNull(idToken);
+ assertEquals("NY", idToken.getAddress().getLocality());
+ assertEquals("10021", idToken.getAddress().getPostalCode());
+ assertEquals("US", idToken.getAddress().getRegion());
+ assertEquals("New York", idToken.getAddress().getCountry());
+ assertEquals("Alice", idToken.getGivenName());
+ assertEquals("Smith", idToken.getFamilyName());
+ }
+}
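Review bot: `testIDTokenWithAddressClaim` covers only a well-formed address claim whose members are all strings, so the rejection paths of getAddress() are untested. Add cases where the `address` claim is not a JSON object and where a member is a number or nested object, asserting the error the API is meant to raise rather than a ClassCastException. `assertNotNull` is imported from `org.wildfly.common.Assert`, which appears to be a runtime assertion helper rather than a JUnit assertion, and `new IDToken(jwtClaims)` cannot be null in any case; use `import static org.junit.Assert.assertNotNull;` or drop the check. The sample values are also swapped (`region` is "US", `country` is "New York"), which makes the expectations harder to read.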