From d90a9550638fb983dbb796279a073c1df6886a3b Mon Sep 17 00:00:00 2001
From: Wilalberto Rodriguez
Date: Thu, 23 Jan 2025 14:11:13 -0600
Subject: [PATCH 1/2] Set clientId in Thread

There is a need to add the client id to the thread when the method getIssuerIdentifier is invoked.
---
 .../clients/common/OIDCClientAuthenticatorUtil.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/dev/com.ibm.ws.security.openidconnect.clients.common/src/com/ibm/ws/security/openidconnect/clients/common/OIDCClientAuthenticatorUtil.java b/dev/com.ibm.ws.security.openidconnect.clients.common/src/com/ibm/ws/security/openidconnect/clients/common/OIDCClientAuthenticatorUtil.java
index fc243ad163f4..e28fbe641441 100644
--- a/dev/com.ibm.ws.security.openidconnect.clients.common/src/com/ibm/ws/security/openidconnect/clients/common/OIDCClientAuthenticatorUtil.java
+++ b/dev/com.ibm.ws.security.openidconnect.clients.common/src/com/ibm/ws/security/openidconnect/clients/common/OIDCClientAuthenticatorUtil.java
@@ -466,6 +466,7 @@ public ProviderAuthenticationResult verifyResponseState(HttpServletRequest req,
 public static String getIssuerIdentifier(ConvergedClientConfig clientConfig) {
 String issuer = null;
 issuer = clientConfig.getIssuerIdentifier();
+ setThreadClientId(clientConfig.getClientId());
 if (issuer == null || issuer.isEmpty()) {
 issuer = extractIssuerFromTokenEndpointUrl(clientConfig);
 }
@@ -489,7 +490,7 @@ static String extractIssuerFromTokenEndpointUrl(ConvergedClientConfig clientConf
 return issuer;
 }
 
- private void setThreadClientId(String clientID) {
+ private static void setThreadClientId(String clientID) {
 threadClientID.set(clientID);
 }
 
From 0e54250cbbdb493521cad302f22aab6357786d78 Mon Sep 17 00:00:00 2001
From: Wilalberto Rodriguez
Date: Fri, 24 Jan 2025 11:32:54 -0600
Subject: [PATCH 2/2] Set the treadClientID in the AccessTokenAuthenticator

---
 .../client/internal/AccessTokenAuthenticator.java | 13 ++++++++++++-
 .../clients/common/OIDCClientAuthenticatorUtil.java | 3 +--
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/dev/com.ibm.ws.security.openidconnect.client/src/com/ibm/ws/security/openidconnect/client/internal/AccessTokenAuthenticator.java b/dev/com.ibm.ws.security.openidconnect.client/src/com/ibm/ws/security/openidconnect/client/internal/AccessTokenAuthenticator.java
index 8255a94c0c34..c06a5f92b501 100644
--- a/dev/com.ibm.ws.security.openidconnect.client/src/com/ibm/ws/security/openidconnect/client/internal/AccessTokenAuthenticator.java
+++ b/dev/com.ibm.ws.security.openidconnect.client/src/com/ibm/ws/security/openidconnect/client/internal/AccessTokenAuthenticator.java
@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2016, 2022 IBM Corporation and others.
+ * Copyright (c) 2016, 2025 IBM Corporation and others.
 * All rights reserved. This program and the accompanying materials
 * are made available under the terms of the Eclipse Public License 2.0
 * which accompanies this distribution, and is available at
@@ -70,6 +70,7 @@ public class AccessTokenAuthenticator {
 private static final String JWT_SEGMENTS = "-segments";
 private static final String JWT_SEGMENT_INDEX = "-";
 private static final String BEARER_SCHEME = "Bearer ";
+ public static ThreadLocal threadClientID = new ThreadLocal();
 OidcClientUtil oidcClientUtil = new OidcClientUtil();
 SSLSupport sslSupport = null;
 
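Review bot: `threadClientID` on the added line of the `@@ -70,6 +70,7 @@` hunk is a raw, public, non-final `ThreadLocal`, and the raw type makes `getThreadClientId()` in the `@@ -1104,4 +1108,11 @@` hunk of the same file fail to compile, because raw `ThreadLocal.get()` returns `Object` where a `String` is expected. Declare it as `private static final ThreadLocal<String> threadClientID = new ThreadLocal<>();` — `getThreadClientId()` is the public surface, so nothing outside the class needs to read or reassign the field itself. Keeping it public and non-final would also let any code in the process replace the `ThreadLocal` or overwrite the per-thread value that later callers of `getThreadClientId()` see.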
@@ -105,6 +106,9 @@ public ProviderAuthenticationResult authenticate(HttpServletRequest req,
 oidcClientRequest.setTokenType(OidcClientRequest.TYPE_ACCESS_TOKEN);
 ProviderAuthenticationResult oidcResult = new ProviderAuthenticationResult(AuthResult.FAILURE, HttpServletResponse.SC_UNAUTHORIZED);
 String accessToken = null;
+
+ setThreadClientId(clientConfig.getClientId());
+
 if (clientConfig.getAccessTokenInLtpaCookie()) {
 accessToken = getAccessTokenFromReqAsAttribute(req, true);
 }
@@ -1104,4 +1108,11 @@ void logError(OidcClientConfig oidcClientConfig, boolean warningWhenSupported, O
 }
 }
 }
+ private void setThreadClientId(String clientID) {
+ threadClientID.set(clientID);
+ }
+
+ public static String getThreadClientId() {
+ return threadClientID.get();
+ }
 }
diff --git a/dev/com.ibm.ws.security.openidconnect.clients.common/src/com/ibm/ws/security/openidconnect/clients/common/OIDCClientAuthenticatorUtil.java b/dev/com.ibm.ws.security.openidconnect.clients.common/src/com/ibm/ws/security/openidconnect/clients/common/OIDCClientAuthenticatorUtil.java
index e28fbe641441..fc243ad163f4 100644
--- a/dev/com.ibm.ws.security.openidconnect.clients.common/src/com/ibm/ws/security/openidconnect/clients/common/OIDCClientAuthenticatorUtil.java
+++ b/dev/com.ibm.ws.security.openidconnect.clients.common/src/com/ibm/ws/security/openidconnect/clients/common/OIDCClientAuthenticatorUtil.java
@@ -466,7 +466,6 @@ public ProviderAuthenticationResult verifyResponseState(HttpServletRequest req,
 public static String getIssuerIdentifier(ConvergedClientConfig clientConfig) {
 String issuer = null;
 issuer = clientConfig.getIssuerIdentifier();
- setThreadClientId(clientConfig.getClientId());
 if (issuer == null || issuer.isEmpty()) {
 issuer = extractIssuerFromTokenEndpointUrl(clientConfig);
 }
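Review bot: The added `setThreadClientId(clientConfig.getClientId());` in `authenticate` is never paired with a `threadClientID.remove()`, so on a pooled request thread this request's client id stays visible through `getThreadClientId()` to whatever runs next on that thread, including requests handled under a different client configuration or code paths that never call `authenticate` at all. If the value is only consumed while `authenticate` is running, wrap the remainder of the method body in `try { … } finally { threadClientID.remove(); }` so every return and exception path clears it; if a caller needs it after `authenticate` returns, that caller must own the cleanup and this should be documented on `getThreadClientId()`. `authenticate` starts before and continues after this hunk, so where the try/finally would begin and end cannot be confirmed here.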
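Review bot: `setThreadClientId` in the `@@ -1104,4 +1108,11 @@` hunk is an instance method whose only effect is writing the static field `threadClientID`; patch 1 of this series made the equivalent helper in OIDCClientAuthenticatorUtil static for that reason, so for consistency declare it `private static void setThreadClientId(String clientID)`. `getThreadClientId()` also deserves a Javadoc saying that it returns the client id recorded by the most recent `authenticate` call on the calling thread and yields null when none has been recorded, since the value is thread-scoped rather than request-scoped and callers on other threads will not see it.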
@@ -490,7 +489,7 @@ static String extractIssuerFromTokenEndpointUrl(ConvergedClientConfig clientConf
 return issuer;
 }
 
- private static void setThreadClientId(String clientID) {
+ private void setThreadClientId(String clientID) {
 threadClientID.set(clientID);
 }
 