in src/main/java/com/googlesource/gerrit/plugins/oauth/AzureActiveDirectoryService.java [109:198]
public OAuthUserInfo getUserInfo(OAuthToken token) throws IOException {
// ?: Have we set a custom tenant and is this a tenant other than the one set in
// TENANTS_WITHOUT_VALIDATION
if (!TENANTS_WITHOUT_VALIDATION.contains(tenant)) {
// -> Yes, we are using a tenant that should be validated, so verify that is issued for the
// same one that we
// have set.
String tid = getTokenJson(token.getToken()).get("tid").getAsString();
// ?: Verify that this token has the same tenant as we are currently using
if (!tenant.equals(tid)) {
// -> No, this tenant does not equals the one in the token. So we should stop processing
log.warn(
String.format(
"The token was issued by the tenant [%s] while we are set to use [%s]",
tid, tenant));
// Return null so the user will be shown Unauthorized.
return null;
}
}
// Due to scribejava does not expose the id_token we need to do this a bit convoluted way to
// extract this our self
// see <a href="https://github.com/scribejava/scribejava/issues/968">Obtaining id_token from
// access_token</a> for
// the scribejava issue on this.
String rawToken = token.getRaw();
JsonObject jwtJson = gson.fromJson(rawToken, JsonObject.class);
String idTokenBase64 = jwtJson.get("id_token").getAsString();
String aud = getTokenJson(idTokenBase64).get("aud").getAsString();
// ?: Does this token have the same clientId set in the 'aud' part of the id_token as we are
// using.
// If not we should reject it
// see <a href="https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens">id
// tokens Payload claims></a>
// for information on the aud claim.
if (!clientId.equals(aud)) {
log.warn(
String.format(
"The id_token had aud [%s] while we expected it to be equal to the clientId [%s]",
aud, clientId));
// Return null so the user will be shown Unauthorized.
return null;
}
OAuthRequest request = new OAuthRequest(Verb.GET, PROTECTED_RESOURCE_URL);
OAuth2AccessToken t = new OAuth2AccessToken(token.getToken(), token.getRaw());
service.signRequest(t, request);
request.addHeader("Accept", "*/*");
JsonElement userJson = null;
try (Response response = service.execute(request)) {
if (response.getCode() != HttpServletResponse.SC_OK) {
throw new IOException(
String.format(
"Status %s (%s) for request %s",
response.getCode(), response.getBody(), request.getUrl()));
}
userJson = JSON.newGson().fromJson(response.getBody(), JsonElement.class);
if (log.isDebugEnabled()) {
log.debug("User info response: {}", response.getBody());
}
if (userJson.isJsonObject()) {
JsonObject jsonObject = userJson.getAsJsonObject();
JsonElement id = jsonObject.get("id");
if (id == null || id.isJsonNull()) {
throw new IOException("Response doesn't contain id field");
}
JsonElement email = jsonObject.get("mail");
JsonElement name = jsonObject.get("displayName");
String login = null;
if (useEmailAsUsername && !email.isJsonNull()) {
login = email.getAsString().split("@")[0];
}
return new OAuthUserInfo(
providerPrefix + id.getAsString() /*externalId*/,
login /*username*/,
email == null || email.isJsonNull() ? null : email.getAsString() /*email*/,
name == null || name.isJsonNull() ? null : name.getAsString() /*displayName*/,
linkOffice365Id ? OFFICE365_PROVIDER_PREFIX + id.getAsString() : null);
}
} catch (ExecutionException | InterruptedException e) {
throw new RuntimeException("Cannot retrieve user info resource", e);
}
throw new IOException(String.format("Invalid JSON '%s': not a JSON Object", userJson));
}