private IdToken convertToIdToken()

in services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java [91:208]


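    /**
     * Translates an authenticated SAML 2.0 assertion into an OIDC {@link IdToken}.
     * <p>
     * Trust boundary: {@code samlToken}, {@code claims} and {@code roles} originate from the
     * (already validated) IdP assertion; {@code params} are the client's request parameters
     * and are used here only to <em>filter</em> which configured claims are released — a
     * request parameter is never copied into the token as a claim value.
     *
     * @param mc          current JAX-RS message context (base URI and HTTP session are read from it)
     * @param samlToken   the SAML assertion DOM element
     * @param subjectName value for {@code preferred_username}
     * @param subjectId   value for {@code sub}
     * @param claims      single-valued claims extracted from the assertion, may be {@code null}
     * @param roles       role names extracted from the assertion, may be {@code null} or empty
     * @param params      request parameters; {@code scope} and {@code claims} are consulted
     * @return the populated, unsigned id token
     */
    private IdToken convertToIdToken(MessageContext mc, Element samlToken, String subjectName, String subjectId,
                                     ClaimCollection claims, List<String> roles,
                                     MultivaluedMap<String, String> params) {
        // The current SAML Assertion represents an authentication record.
        // It has to be translated into IdToken (JWT) so that it can be returned
        // to client applications participating in various OIDC flows.

        IdToken idToken = new IdToken();

        // TODO: make the mapping between the subject name and IdToken claim configurable
        idToken.setPreferredUserName(subjectName);
        idToken.setSubject(subjectId);

        Assertion saml2Assertion = getSaml2Assertion(samlToken);
        setAuthenticationTime(idToken, saml2Assertion);
        setIssuer(idToken, mc, saml2Assertion);

        // jti: unique per token so it can be tracked/revoked; generated by CXF's OAuth utils
        idToken.setTokenId(OAuthUtils.generateRandomTokenKey());

        setIssuedAtAndExpiry(idToken, mc);

        List<String> requestedClaimsList = collectRequestedClaims(params);
        mapClaims(idToken, claims, requestedClaimsList);
        mapRoles(idToken, roles, requestedClaimsList);

        return idToken;
    }

    /** Copies the AuthnInstant of the first AuthnStatement into {@code auth_time} (epoch seconds). */
    private void setAuthenticationTime(IdToken idToken, Assertion saml2Assertion) {
        if (saml2Assertion == null || saml2Assertion.getAuthnStatements().isEmpty()) {
            return;
        }
        // Only the first AuthnStatement is consulted; AuthnInstant is guarded because the
        // accessor may return null for a malformed statement.
        DateTime authInstant = saml2Assertion.getAuthnStatements().get(0).getAuthnInstant();
        if (authInstant != null) {
            idToken.setAuthenticationTime(authInstant.getMillis() / 1000L);
        }
    }

    /**
     * Sets {@code iss}: the configured issuer if there is one, otherwise the assertion's own
     * Issuer element. Leaves {@code iss} unset if neither is available.
     */
    private void setIssuer(IdToken idToken, MessageContext mc, Assertion saml2Assertion) {
        if (issuer != null) {
            idToken.setIssuer(resolveConfiguredIssuer(mc));
        } else if (saml2Assertion != null) {
            // No issuer configured: the IdP's Issuer value is passed through as-is.
            Issuer assertionIssuer = saml2Assertion.getIssuer();
            if (assertionIssuer != null) {
                idToken.setIssuer(assertionIssuer.getValue());
            }
        }
    }

    /**
     * Resolves the configured {@code issuer}: an absolute value is used verbatim; a value starting
     * with {@code /} is resolved against the request base URI and optionally reduced to
     * scheme://host[:port] when {@code stripPathFromIssuerUri} is set.
     */
    private String resolveConfiguredIssuer(MessageContext mc) {
        if (!issuer.startsWith("/")) {
            return issuer;
        }
        // Relative issuer: scheme/host/port come from the base URI the container reports for
        // this request. NOTE(review): relying parties validate `iss` against this value, so
        // behind a reverse proxy confirm the container's forwarded-header handling does not let a
        // client-supplied Host header change the issuer — an absolute configured issuer avoids this.
        URI uri = mc.getUriInfo().getBaseUriBuilder().path(issuer).build();
        if (!this.stripPathFromIssuerUri) {
            return uri.toString();
        }
        StringBuilder sb = new StringBuilder();
        sb.append(uri.getScheme()).append("://").append(uri.getHost());
        if (uri.getPort() != -1) {
            sb.append(':').append(uri.getPort());
        }
        return sb.toString();
    }

    /**
     * Sets {@code iat} and {@code exp}. The lifetime is, in order of preference: the configured
     * {@code timeToLive} if positive, else the HTTP session's max inactive interval if present and
     * positive, else {@code DEFAULT_TIME_TO_LIVE}.
     */
    private void setIssuedAtAndExpiry(IdToken idToken, MessageContext mc) {
        final long iat = OAuthUtils.getIssuedAt();
        idToken.setIssuedAt(iat);
        // getSession(false): do not create a session as a side effect of minting a token
        HttpSession httpSession = mc.getHttpServletRequest().getSession(false);
        final long lifetime;
        if (timeToLive > 0) {
            lifetime = timeToLive;
        } else if (httpSession != null && httpSession.getMaxInactiveInterval() > 0) {
            // Bind the token lifetime to the login session's inactivity timeout
            lifetime = httpSession.getMaxInactiveInterval();
        } else {
            lifetime = DEFAULT_TIME_TO_LIVE;
        }
        idToken.setExpiryTime(iat + lifetime);
    }

    /**
     * Builds the list of claim names the client asked for, from the {@code scope} parameter
     * (standard and custom scope-to-claim mappings) plus the space-separated {@code claims}
     * parameter. The result is only ever used as a filter against the configured mappings.
     */
    private List<String> collectRequestedClaims(MultivaluedMap<String, String> params) {
        List<String> requestedClaimsList = new ArrayList<>();
        // Derive claims from scope
        String requestedScope = params.getFirst(OAuthConstants.SCOPE);
        if (requestedScope != null && !requestedScope.isEmpty()) {
            String[] scopes = requestedScope.split(" ");
            // TODO: Note that if the consent screen enabled then it is feasible
            // that the claims added in this code after mapping the scopes to claims
            // may need to be removed if the user disapproves the related scope

            // standard scope to claims mapping:
            requestedClaimsList.addAll(OidcUtils.getScopeClaims(scopes));
            // custom scopes to claims mapping
            requestedClaimsList.addAll(getCustomScopeClaims(scopes));
        }
        // Additional claims requested
        String requestedClaims = params.getFirst("claims");
        if (requestedClaims != null && !requestedClaims.isEmpty()) {
            requestedClaimsList.addAll(Arrays.asList(requestedClaims.trim().split(" ")));
        }
        return requestedClaimsList;
    }

    /**
     * Maps single-valued String claims from the assertion onto the token.
     * First/last name and email are always released; any other claim is released only when an
     * administrator mapped its type in {@code supportedClaims} AND the client requested the
     * mapped name.
     */
    private void mapClaims(IdToken idToken, ClaimCollection claims, List<String> requestedClaimsList) {
        if (claims == null) {
            return;
        }
        String firstName = null;
        String lastName = null;
        for (Claim c : claims) {
            // Only single-valued String claims are mapped here; a null claim type would NPE
            // below and cannot match any mapping, so it is skipped too.
            if (c.getClaimType() == null || !(c.getValue() instanceof String)) {
                continue;
            }
            String value = (String) c.getValue();
            String claimType = c.getClaimType().toString();
            // NOTE(review): given_name/family_name/email are emitted regardless of whether the
            // `profile`/`email` scopes were requested or consented to; OIDC Core expects these
            // claims to be gated on scope. Left as-is here because clients may rely on it —
            // confirm this is the intended release policy.
            if (ClaimTypes.FIRSTNAME.equals(c.getClaimType())) {
                idToken.setGivenName(value);
                firstName = value;
            } else if (ClaimTypes.LASTNAME.equals(c.getClaimType())) {
                idToken.setFamilyName(value);
                lastName = value;
            } else if (ClaimTypes.EMAILADDRESS.equals(c.getClaimType())) {
                idToken.setEmail(value);
            } else if (supportedClaims.containsKey(claimType)
                    && requestedClaimsList.contains(supportedClaims.get(claimType))) {
                // Custom claim: both the admin mapping and the client's request must agree
                idToken.setClaim(supportedClaims.get(claimType), value);
            }
        }
        if (firstName != null && lastName != null) {
            idToken.setName(firstName + " " + lastName);
        }
    }

    /**
     * Adds the role list under the configured role claim name, but only when the role claim
     * type is mapped in {@code supportedClaims} and the client requested that claim name.
     */
    private void mapRoles(IdToken idToken, List<String> roles, List<String> requestedClaimsList) {
        if (roles == null || roles.isEmpty()
                || !supportedClaims.containsKey(FedizConstants.DEFAULT_ROLE_URI.toString())) {
            return;
        }
        String roleClaimName = supportedClaims.get(FedizConstants.DEFAULT_ROLE_URI.toString());
        if (requestedClaimsList.contains(roleClaimName)) {
            idToken.setClaim(roleClaimName, roles);
        }
    }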