[Git][java-team/google-oauth-client-java][master] Cherrypick upstream commit to fix CVE-2020-7692
Olek Wojnar (@olek)
gitlab at salsa.debian.org
Sun May 30 19:26:31 BST 2021
Olek Wojnar pushed to branch master at Debian Java Maintainers / google-oauth-client-java
Commits:
002ca4ec by Olek Wojnar at 2021-05-30T14:25:56-04:00
Cherrypick upstream commit to fix CVE-2020-7692
- - - - -
3 changed files:
- debian/changelog
- + debian/patches/CVE-2020-7692.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,10 +1,13 @@
-google-oauth-client-java (1.28.0-2) UNRELEASED; urgency=medium
+google-oauth-client-java (1.28.0-2) unstable; urgency=high
+ [ tony mancill ]
* Correct typo in changelog for 1.28.0-1.
The previous upload closed bug 975846, not 975842.
* Add B-D on libgrpc-java. (See: #977038)
+ [ Olek Wojnar ]
+ * Cherrypick upstream commit to fix CVE-2020-7692 (Closes: #988944)
- -- tony mancill <tmancill at debian.org> Sat, 12 Dec 2020 20:21:16 -0800
+ -- Olek Wojnar <olek at debian.org> Sun, 30 May 2021 14:13:21 -0400
google-oauth-client-java (1.28.0-1) unstable; urgency=medium
=====================================
debian/patches/CVE-2020-7692.patch
=====================================
@@ -0,0 +1,645 @@
+Description: [Backport] add PKCE support to AuthorizationCodeFlow (Fixes CVE-2020-7692)
+ PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for
+ Native Apps. Without the use of PKCE, the authorization code returned by an
+ authorization server is not enough to guarantee that the client that issued
+ the initial authorization request is the one that will be authorized. An
+ attacker is able to obtain the authorization code using a malicious app on the
+ client-side and use it to gain authorization to the protected resource. This
+ affects the package com.google.oauth-client:google-oauth-client before 1.31.0.
+Origin: https://github.com/googleapis/google-oauth-java-client/commit/13433cd7dd06267fc261f0b1d4764f8e3432c824
+Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988944
+Last-Update: 2021-05-30
+Forwarded: not-needed
+
+--- a/google-oauth-client/src/main/java/com/google/api/client/auth/oauth2/AuthorizationCodeFlow.java
++++ b/google-oauth-client/src/main/java/com/google/api/client/auth/oauth2/AuthorizationCodeFlow.java
+@@ -17,10 +17,14 @@
+ import com.google.api.client.auth.oauth2.Credential.AccessMethod;
+ import com.google.api.client.http.GenericUrl;
+ import com.google.api.client.http.HttpExecuteInterceptor;
++import com.google.api.client.http.HttpRequest;
+ import com.google.api.client.http.HttpRequestInitializer;
+ import com.google.api.client.http.HttpTransport;
++import com.google.api.client.http.UrlEncodedContent;
+ import com.google.api.client.json.JsonFactory;
++import com.google.api.client.util.Base64;
+ import com.google.api.client.util.Beta;
++import com.google.api.client.util.Data;
+ import com.google.api.client.util.Clock;
+ import com.google.api.client.util.Joiner;
+ import com.google.api.client.util.Lists;
+@@ -29,8 +33,12 @@
+ import com.google.api.client.util.store.DataStoreFactory;
+
+ import java.io.IOException;
++import java.security.MessageDigest;
++import java.security.NoSuchAlgorithmException;
++import java.security.SecureRandom;
+ import java.util.Collection;
+ import java.util.Collections;
++import java.util.Map;
+
+ import static com.google.api.client.util.Strings.isNullOrEmpty;
+
+@@ -85,6 +93,9 @@
+ /** Authorization server encoded URL. */
+ private final String authorizationServerEncodedUrl;
+
++ /** The Proof Key for Code Exchange (PKCE) or {@code null} if this flow should not use PKCE. */
++ private final PKCE pkce;
++
+ /** Credential persistence store or {@code null} for none. */
+ @Beta
+ @Deprecated
+@@ -159,6 +170,7 @@ protected AuthorizationCodeFlow(Builder builder) {
+ clock = Preconditions.checkNotNull(builder.clock);
+ credentialCreatedListener = builder.credentialCreatedListener;
+ refreshListeners = Collections.unmodifiableCollection(builder.refreshListeners);
++ pkce = builder.pkce;
+ }
+
+ /**
+@@ -182,8 +194,13 @@ public void doGet(HttpServletRequest request, HttpServletResponse response) thro
+ * </pre>
+ */
+ public AuthorizationCodeRequestUrl newAuthorizationUrl() {
+- return new AuthorizationCodeRequestUrl(authorizationServerEncodedUrl, clientId).setScopes(
+- scopes);
++ AuthorizationCodeRequestUrl url = new AuthorizationCodeRequestUrl(authorizationServerEncodedUrl, clientId);
++ url.setScopes(scopes);
++ if (pkce != null) {
++ url.setCodeChallenge(pkce.getChallenge());
++ url.setCodeChallengeMethod(pkce.getChallengeMethod());
++ }
++ return url;
+ }
+
+ /**
+@@ -206,9 +223,20 @@ static TokenResponse requestAccessToken(AuthorizationCodeFlow flow, String code)
+ * @param authorizationCode authorization code.
+ */
+ public AuthorizationCodeTokenRequest newTokenRequest(String authorizationCode) {
++ HttpExecuteInterceptor pkceClientAuthenticationWrapper = new HttpExecuteInterceptor() {
++ @Override
++ public void intercept(HttpRequest request) throws IOException {
++ clientAuthentication.intercept(request);
++ if (pkce != null) {
++ Map<String, Object> data = Data.mapOf(UrlEncodedContent.getContent(request).getData());
++ data.put("code_verifier", pkce.getVerifier());
++ }
++ }
++ };
++
+ return new AuthorizationCodeTokenRequest(transport, jsonFactory,
+ new GenericUrl(tokenServerEncodedUrl), authorizationCode).setClientAuthentication(
+- clientAuthentication).setRequestInitializer(requestInitializer).setScopes(scopes);
++ pkceClientAuthenticationWrapper).setRequestInitializer(requestInitializer).setScopes(scopes);
+ }
+
+ /**
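Review bot: The wrapper interceptor introduced at the top of newTokenRequest calls `clientAuthentication.intercept(request)` unconditionally, whereas the replaced line handed clientAuthentication to setClientAuthentication, which is null-tolerant; if the builder still accepts a null clientAuthentication (as far as I recall its Javadoc describes the argument as optional), every token exchange on such a flow now fails with a NullPointerException inside the interceptor rather than simply sending no client credentials. Guard the delegation: `if (clientAuthentication != null) { clientAuthentication.intercept(request); }`. The `code_verifier` is written through the `Data.mapOf` view of the request's URL-encoded content, which only reaches the wire because that content is the TokenRequest's own GenericData; that holds for AuthorizationCodeTokenRequest but nothing here asserts it, so a one-line comment such as `// content is the TokenRequest itself, so the put lands in the form body` would help the next reader.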
+@@ -412,6 +440,61 @@ public final Clock getClock() {
+ void onCredentialCreated(Credential credential, TokenResponse tokenResponse) throws IOException;
+ }
+
++ /**
++ * An implementation of <a href="https://tools.ietf.org/html/rfc7636">Proof Key for Code Exchange</a>
++ * which, according to the <a href="https://tools.ietf.org/html/rfc8252#section-6">OAuth 2.0 for Native Apps RFC</a>,
++ * is mandatory for public native apps.
++ */
++ private static class PKCE {
++ private final String verifier;
++ private String challenge;
++ private String challengeMethod;
++
++ public PKCE() {
++ verifier = generateVerifier();
++ generateChallenge(verifier);
++ }
++
++ private static String generateVerifier() {
++ SecureRandom sr = new SecureRandom();
++ byte[] code = new byte[32];
++ sr.nextBytes(code);
++ return Base64.encodeBase64URLSafeString(code);
++ }
++
++ /**
++ * Create the PKCE code verifier. It uses the S256 method but
++ * falls back to using the 'plain' method in the unlikely case
++ * that the SHA-256 MessageDigest algorithm implementation can't be
++ * loaded.
++ */
++ private void generateChallenge(String verifier) {
++ try {
++ byte[] bytes = verifier.getBytes();
++ MessageDigest md = MessageDigest.getInstance("SHA-256");
++ md.update(bytes, 0, bytes.length);
++ byte[] digest = md.digest();
++ challenge = Base64.encodeBase64URLSafeString(digest);
++ challengeMethod = "S256";
++ } catch (NoSuchAlgorithmException e) {
++ challenge = verifier;
++ challengeMethod = "plain";
++ }
++ }
++
++ public String getVerifier() {
++ return verifier;
++ }
++
++ public String getChallenge() {
++ return challenge;
++ }
++
++ public String getChallengeMethod() {
++ return challengeMethod;
++ }
++ }
++
+ /**
+ * Authorization code flow builder.
+ *
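Review bot: The catch block at the end of generateChallenge silently downgrades to the `plain` method, sending the verifier itself as the challenge, when SHA-256 cannot be loaded; every conforming JRE is required to provide a SHA-256 MessageDigest, so this branch is effectively unreachable and, if it ever did fire, it would quietly remove the only protection S256 gives against an attacker who can observe the authorization request. Prefer failing loudly: `} catch (NoSuchAlgorithmException e) { throw new IllegalStateException("SHA-256 unavailable; PKCE S256 cannot be used", e); }`. Separately, `verifier.getBytes()` uses the platform default charset while RFC 7636 defines the challenge over the ASCII bytes of the verifier; the verifier is base64url so this only matters on exotic defaults, but `verifier.getBytes(StandardCharsets.US_ASCII)` (with the import) makes the intent explicit. The Javadoc on generateChallenge also says it creates the "code verifier" when it creates the challenge.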
+@@ -448,6 +531,8 @@ public final Clock getClock() {
+ /** Authorization server encoded URL. */
+ String authorizationServerEncodedUrl;
+
++ PKCE pkce;
++
+ /** Credential persistence store or {@code null} for none. */
+ @Deprecated
+ @Beta
+@@ -784,6 +869,16 @@ public Builder setRequestInitializer(HttpRequestInitializer requestInitializer)
+ return this;
+ }
+
++ /**
++ * Enables Proof Key for Code Exchange (PKCE) for this Athorization Code Flow.
++ * @since 1.31
++ */
++ @Beta
++ public Builder enablePKCE() {
++ this.pkce = new PKCE();
++ return this;
++ }
++
+ /**
+ * Sets the collection of scopes.
+ *
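Review bot: enablePKCE creates one PKCE instance at build time, so every URL from newAuthorizationUrl and every token request from this flow reuse the same code_verifier/code_challenge pair for as long as the flow object lives; RFC 7636 section 4.1 asks for a fresh high-entropy verifier per authorization request, and with a long-lived flow (for example a server-side flow shared across many users) a single observed or logged verifier would validate every later authorization code. For an installed-app flow that builds a new AuthorizationCodeFlow per login this is harmless, which is presumably the case the upstream commit targeted, but it deserves a Javadoc caveat on enablePKCE such as `The verifier is generated once per flow; build a new flow per authorization request.` A real fix means generating the verifier in newAuthorizationUrl and carrying it to the matching newTokenRequest (e.g. alongside the state parameter), an API change beyond this cherry-pick. Minor: the Javadoc reads "Athorization Code Flow".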
+diff --git a/google-oauth-client/src/main/java/com/google/api/client/auth/oauth2/AuthorizationCodeRequestUrl.java b/google-oauth-client/src/main/java/com/google/api/client/auth/oauth2/AuthorizationCodeRequestUrl.java
+index 3dc6bb46..025aaa2e 100644
+--- a/google-oauth-client/src/main/java/com/google/api/client/auth/oauth2/AuthorizationCodeRequestUrl.java
++++ b/google-oauth-client/src/main/java/com/google/api/client/auth/oauth2/AuthorizationCodeRequestUrl.java
+@@ -14,6 +14,8 @@
+
+ package com.google.api.client.auth.oauth2;
+
++import com.google.api.client.util.Key;
++
+ import java.util.Collection;
+ import java.util.Collections;
+
+@@ -52,6 +54,20 @@ public void doGet(HttpServletRequest request, HttpServletResponse response) thro
+ */
+ public class AuthorizationCodeRequestUrl extends AuthorizationRequestUrl {
+
++ /**
++ * The PKCE <a href="https://tools.ietf.org/html/rfc7636#section-4.3">Code Challenge</a>.
++ * @since 1.31
++ */
++ @Key("code_challenge")
++ String codeChallenge;
++
++ /**
++ * The PKCE <a href="https://tools.ietf.org/html/rfc7636#section-4.3">Code Challenge Method</a>.
++ * @since 1.31
++ */
++ @Key("code_challenge_method")
++ String codeChallengeMethod;
++
+ /**
+ * @param authorizationServerEncodedUrl authorization server encoded URL
+ * @param clientId client identifier
+@@ -60,6 +76,44 @@ public AuthorizationCodeRequestUrl(String authorizationServerEncodedUrl, String
+ super(authorizationServerEncodedUrl, clientId, Collections.singleton("code"));
+ }
+
++ /**
++ * Get the code challenge (<a href="https://tools.ietf.org/html/rfc7636#section-4.3">details</a>).
++ *
++ * @since 1.31
++ */
++ public String getCodeChallenge() {
++ return codeChallenge;
++ }
++
++ /**
++ * Get the code challenge method (<a href="https://tools.ietf.org/html/rfc7636#section-4.3">details</a>).
++ *
++ * @since 1.31
++ */
++ public String getCodeChallengeMethod() {
++ return codeChallengeMethod;
++ }
++
++ /**
++ * Set the code challenge (<a href="https://tools.ietf.org/html/rfc7636#section-4.3">details</a>).
++ * @param codeChallenge the code challenge.
++ *
++ * @since 1.31
++ */
++ public void setCodeChallenge(String codeChallenge) {
++ this.codeChallenge = codeChallenge;
++ }
++
++ /**
++ * Set the code challenge method (<a href="https://tools.ietf.org/html/rfc7636#section-4.3">details</a>).
++ * @param codeChallengeMethod the code challenge method.
++ *
++ * @since 1.31
++ */
++ public void setCodeChallengeMethod(String codeChallengeMethod) {
++ this.codeChallengeMethod = codeChallengeMethod;
++ }
++
+ @Override
+ public AuthorizationCodeRequestUrl setResponseTypes(Collection<String> responseTypes) {
+ return (AuthorizationCodeRequestUrl) super.setResponseTypes(responseTypes);
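Review bot: setCodeChallenge and setCodeChallengeMethod return void, while every other setter on this class, including setResponseTypes immediately below, returns `AuthorizationCodeRequestUrl` so calls can be chained; the new setters break that fluent style and force the two-statement form used in newAuthorizationUrl. Returning `this` is backward compatible: `public AuthorizationCodeRequestUrl setCodeChallenge(String codeChallenge) { this.codeChallenge = codeChallenge; return this; }` and likewise for the method setter. The method setter also accepts any string; a Javadoc note that the only values RFC 7636 defines are `plain` and `S256` would save callers a round trip to the authorization server.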
+diff --git a/google-oauth-client/src/test/java/com/google/api/client/auth/oauth2/AuthorizationCodeFlowTest.java b/google-oauth-client/src/test/java/com/google/api/client/auth/oauth2/AuthorizationCodeFlowTest.java
+index 75f65f54..e5bed2e9 100644
+--- a/google-oauth-client/src/test/java/com/google/api/client/auth/oauth2/AuthorizationCodeFlowTest.java
++++ b/google-oauth-client/src/test/java/com/google/api/client/auth/oauth2/AuthorizationCodeFlowTest.java
+@@ -23,6 +23,8 @@
+ import java.util.Arrays;
+ import java.util.Collection;
+ import java.util.Collections;
++import java.util.HashSet;
++import java.util.Set;
+
+ /**
+ * Tests {@link AuthorizationCodeFlow}.
+@@ -123,4 +125,24 @@ public void subsetTestNewAuthorizationUrl(Collection<String> scopes) {
+ assertEquals(Joiner.on(' ').join(scopes), url.getScopes());
+ }
+ }
++
++ public void testPKCE() {
++ AuthorizationCodeFlow flow =
++ new AuthorizationCodeFlow.Builder(BearerToken.queryParameterAccessMethod(),
++ new AccessTokenTransport(),
++ new JacksonFactory(),
++ TOKEN_SERVER_URL,
++ new BasicAuthentication(CLIENT_ID, CLIENT_SECRET),
++ CLIENT_ID,
++ "https://example.com")
++ .enablePKCE()
++ .build();
++
++ AuthorizationCodeRequestUrl url = flow.newAuthorizationUrl();
++ assertNotNull(url.getCodeChallenge());
++ assertNotNull(url.getCodeChallengeMethod());
++ Set<String> methods = new HashSet<>(Arrays.asList("plain", "s256"));
++ assertTrue(methods.contains(url.getCodeChallengeMethod().toLowerCase()));
++ assertTrue(url.getCodeChallenge().length() > 0);
++ }
+ }
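Review bot: testPKCE only checks that a challenge and a method are present and that the method is one of the two RFC values, so it would pass if the flow always sent `plain`, and nothing exercises newTokenRequest to confirm that `code_verifier` actually reaches the token request body. Since every JRE provides SHA-256, the test can pin the strong method and the base64url length of a 32-byte digest: `assertEquals("S256", url.getCodeChallengeMethod());` and `assertEquals(43, url.getCodeChallenge().length());`. A second test that builds `flow.newTokenRequest("code")`, executes it against the existing AccessTokenTransport and inspects the captured form content for a `code_verifier` key would cover the half of the feature the CVE is actually about.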
+diff --git a/pom.xml b/pom.xml
+index 83b10f46..40d72672 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -65,6 +65,7 @@
+ <module>google-oauth-client-java6</module>
+ <module>google-oauth-client-jetty</module>
+ <module>samples/dailymotion-cmdline-sample</module>
++ <module>samples/keycloak-pkce-cmdline-sample</module>
+
+ <!-- For deployment reasons, a deployable artifact must be the last one. -->
+ <module>google-oauth-client-assembly</module>
+diff --git a/samples/dailymotion-cmdline-sample/README.md b/samples/dailymotion-cmdline-sample/README.md
+index 82b4063b..c4a1fbb1 100644
+--- a/samples/dailymotion-cmdline-sample/README.md
++++ b/samples/dailymotion-cmdline-sample/README.md
+@@ -6,7 +6,7 @@
+
+ ## Command-Line Instructions
+
+-**Prerequisites:** install [Java 6 or higher][install-java], [git][install-git], and
++**Prerequisites:** install [Java 7 or higher][install-java], [git][install-git], and
+ [Maven][install-maven]. You may need to set your `JAVA_HOME`.
+
+ 1. Check out the sample code:
+diff --git a/samples/keycloak-pkce-cmdline-sample/README.md b/samples/keycloak-pkce-cmdline-sample/README.md
+new file mode 100644
+index 00000000..c5b5416a
+--- /dev/null
++++ b/samples/keycloak-pkce-cmdline-sample/README.md
+@@ -0,0 +1,42 @@
++# Instructions for the Keycloak OAuth2 with PKCE Command-Line Sample
++
++## Browse Online
++
++[Browse Source][browse-source], or main file [PKCESample.java][main-source].
++
++## Command-Line Instructions
++
++**Prerequisites:** install [Java 7 or higher][install-java], [git][install-git], and
++[Maven][install-maven]. You may need to set your `JAVA_HOME`.
++You'll also need [Docker][install-docker].
++
++1. Check out the sample code:
++
++ ```bash
++ git clone https://github.com/google/google-oauth-java-client.git
++ cd google-oauth-java-client
++ ```
++
++2. Run keycloak in a docker container:
++
++ ```
++ docker run -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin quay.io/keycloak/keycloak:10.0.1
++ ```
++
++3. Run the sample:
++
++ ```bash
++ mvn install
++ mvn exec:java -pl samples/keycloak-pkce-cmdline-sample
++ ```
++
++ This will open up the Keycloak login page where you can log in with the username/password specified
++ when running the Keycloak docker container above (`admin / admin`). Once you log in, the application
++ will print out a message that it successfully obtained an access token.
++
++[browse-source]: https://github.com/google/google-oauth-java-client/tree/dev/samples/keycloak-pkce-cmdline-sample
++[main-source]: https://github.com/google/google-oauth-java-client/blob/dev/samples/keycloak-pkce-cmdline-sample/src/main/java/com/google/api/services/samples/keycloak/cmdline/PKCESample.java
++[install-java]: https://java.com/
++[install-git]: https://git-scm.com
++[install-maven]: https://maven.apache.org
++[install-docker]: https://docs.docker.com/get-docker/
+\ No newline at end of file
+diff --git a/samples/keycloak-pkce-cmdline-sample/pom.xml b/samples/keycloak-pkce-cmdline-sample/pom.xml
+new file mode 100644
+index 00000000..b19a662a
+--- /dev/null
++++ b/samples/keycloak-pkce-cmdline-sample/pom.xml
+@@ -0,0 +1,104 @@
++<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
++ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
++ <modelVersion>4.0.0</modelVersion>
++ <parent>
++ <groupId>com.google.oauth-client</groupId>
++ <artifactId>google-oauth-client-parent</artifactId>
++ <version>1.30.7-SNAPSHOT</version><!-- {x-version-update:google-oauth-client:current} -->
++ <relativePath>../../pom.xml</relativePath>
++ </parent>
++ <artifactId>keycloak-pkce-cmdline-sample</artifactId>
++ <name>Example for obtaining OAuth2 tokens with PKCE verification using the Authorization Code Flow against Keycloak.</name>
++
++ <build>
++ <plugins>
++ <plugin>
++ <groupId>org.codehaus.mojo</groupId>
++ <artifactId>exec-maven-plugin</artifactId>
++ <version>1.6.0</version>
++ <executions>
++ <execution>
++ <goals>
++ <goal>java</goal>
++ </goals>
++ </execution>
++ </executions>
++ <configuration>
++ <mainClass>com.google.api.services.samples.keycloak.cmdline.PKCESample</mainClass>
++ <systemProperties>
++ <systemProperty>
++ <key>java.util.logging.config.file</key>
++ <value>logging.properties</value>
++ </systemProperty>
++ </systemProperties>
++ </configuration>
++ </plugin>
++ <plugin>
++ <artifactId>maven-checkstyle-plugin</artifactId>
++ <version>2.6</version>
++ <configuration>
++ <configLocation>../checkstyle.xml</configLocation>
++ <consoleOutput>true</consoleOutput>
++ <failOnViolation>false</failOnViolation>
++ </configuration>
++ <executions>
++ <execution>
++ <goals>
++ <goal>check</goal>
++ </goals>
++ </execution>
++ </executions>
++ </plugin>
++ <plugin>
++ <groupId>org.codehaus.mojo</groupId>
++ <artifactId>findbugs-maven-plugin</artifactId>
++ <version>3.0.5</version>
++ <configuration>
++ <excludeFilterFile>../../findbugs-exclude.xml</excludeFilterFile>
++ <failOnError>false</failOnError>
++ </configuration>
++ <executions>
++ <execution>
++ <goals>
++ <goal>check</goal>
++ </goals>
++ </execution>
++ </executions>
++ </plugin>
++ <plugin>
++ <groupId>org.apache.maven.plugins</groupId>
++ <artifactId>maven-deploy-plugin</artifactId>
++ <version>2.8.2</version>
++ <configuration>
++ <skip>true</skip>
++ </configuration>
++ </plugin>
++ <plugin>
++ <groupId>org.sonatype.plugins</groupId>
++ <artifactId>nexus-staging-maven-plugin</artifactId>
++ <version>1.6.8</version>
++ <configuration>
++ <skipNexusStagingDeployMojo>true</skipNexusStagingDeployMojo>
++ </configuration>
++ </plugin>
++ </plugins>
++ <finalName>${project.artifactId}-${project.version}</finalName>
++ </build>
++ <dependencies>
++ <dependency>
++ <groupId>com.google.oauth-client</groupId>
++ <artifactId>google-oauth-client</artifactId>
++ </dependency>
++ <dependency>
++ <groupId>com.google.oauth-client</groupId>
++ <artifactId>google-oauth-client-jetty</artifactId>
++ </dependency>
++ <dependency>
++ <groupId>com.google.http-client</groupId>
++ <artifactId>google-http-client-jackson2</artifactId>
++ </dependency>
++ </dependencies>
++ <properties>
++ <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
++ </properties>
++</project>
+diff --git a/samples/keycloak-pkce-cmdline-sample/scripts/initialize-keycloak.sh b/samples/keycloak-pkce-cmdline-sample/scripts/initialize-keycloak.sh
+new file mode 100755
+index 00000000..257da7d6
+--- /dev/null
++++ b/samples/keycloak-pkce-cmdline-sample/scripts/initialize-keycloak.sh
+@@ -0,0 +1,44 @@
++#!/bin/sh
++# Copyright 2020 Google LLC
++#
++# Licensed under the Apache License, Version 2.0 (the "License");
++# you may not use this file except in compliance with the License.
++# You may obtain a copy of the License at
++#
++# http://www.apache.org/licenses/LICENSE-2.0
++#
++# Unless required by applicable law or agreed to in writing, software
++# distributed under the License is distributed on an "AS IS" BASIS,
++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++# See the License for the specific language governing permissions and
++# limitations under the License.
++
++
++#Start keycloak server before running this script:
++# docker run -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin quay.io/keycloak/keycloak:10.0.1
++
++# The following script will create a new public client in the running keycloak server
++# in which PKCE is required for obtaining an authorization token via the authorization
++# code flow. Once this script has been run, the PKCESample.java sample application can
++# be run.
++
++KEYCLOAK_BASE_URL="http://localhost:8080/auth"
++KEYCLOAK_REALM="master"
++KEYCLOAK_URL="${KEYCLOAK_BASE_URL}/realms/${KEYCLOAK_REALM}"
++
++KEYCLOAK_CLIENT_ID="admin"
++KEYCLOAK_CLIENT_SECRET="admin"
++
++export TKN=$(curl -s -X POST "${KEYCLOAK_URL}/protocol/openid-connect/token" \
++ -H "Content-Type: application/x-www-form-urlencoded" \
++ -d "username=${KEYCLOAK_CLIENT_ID}" \
++ -d "password=${KEYCLOAK_CLIENT_SECRET}" \
++ -d 'grant_type=password' \
++ -d 'client_id=admin-cli' | jq -r '.access_token')
++
++curl -s -X POST "${KEYCLOAK_URL}/clients-registrations/default" \
++ -d '{ "clientId": "pkce-test-client", "publicClient": true, "redirectUris": ["http://127.0.0.1*"], "attributes": {"pkce.code.challenge.method": "S256"} }' \
++ -H "Content-Type:application/json" \
++ -H "Authorization: bearer ${TKN}"
++
++
+\ No newline at end of file
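Review bot: The script has no error handling: if the password grant fails or jq is missing, `jq -r '.access_token'` yields the literal `null` or an empty string, and the client registration is then sent with `Authorization: bearer null` and fails silently under `curl -s`. Add `set -eu` after the shebang and guard the token before use: `[ -n "$TKN" ] && [ "$TKN" != "null" ] || { echo "failed to obtain Keycloak admin token" >&2; exit 1; }`. The `export` on TKN is also unnecessary; it places an admin bearer token in the environment of every child process, and a plain assignment is enough since only this script reads it.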
+diff --git a/samples/keycloak-pkce-cmdline-sample/src/main/java/com/google/api/services/samples/keycloak/cmdline/PKCESample.java b/samples/keycloak-pkce-cmdline-sample/src/main/java/com/google/api/services/samples/keycloak/cmdline/PKCESample.java
+new file mode 100644
+index 00000000..8fa63ca9
+--- /dev/null
++++ b/samples/keycloak-pkce-cmdline-sample/src/main/java/com/google/api/services/samples/keycloak/cmdline/PKCESample.java
+@@ -0,0 +1,100 @@
++/*
++ * Copyright (c) 2020 Google Inc.
++ *
++ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
++ * in compliance with the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software distributed under the License
++ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
++ * or implied. See the License for the specific language governing permissions and limitations under
++ * the License.
++ */
++
++package com.google.api.services.samples.keycloak.cmdline;
++
++import com.google.api.client.auth.oauth2.AuthorizationCodeFlow;
++import com.google.api.client.auth.oauth2.BearerToken;
++import com.google.api.client.auth.oauth2.ClientParametersAuthentication;
++import com.google.api.client.auth.oauth2.Credential;
++import com.google.api.client.extensions.java6.auth.oauth2.AuthorizationCodeInstalledApp;
++import com.google.api.client.extensions.jetty.auth.oauth2.LocalServerReceiver;
++import com.google.api.client.http.GenericUrl;
++import com.google.api.client.http.HttpTransport;
++import com.google.api.client.http.javanet.NetHttpTransport;
++import com.google.api.client.json.JsonFactory;
++import com.google.api.client.json.jackson2.JacksonFactory;
++import com.google.api.client.util.store.DataStoreFactory;
++import com.google.api.client.util.store.MemoryDataStoreFactory;
++
++import java.io.IOException;
++import java.util.Arrays;
++
++/**
++ * A sample application that demonstrates how the Google OAuth2 library can be used to authenticate
++ * against a locally running Keycloak server with a registered public client where using
++ * <a href="https://tools.ietf.org/html/rfc7636">PKCE</a> is required.
++ *
++ * Please note that before running this sample application, a local Keycloak server must be running
++ * and a PKCE enabled client must have been defined. Please see
++ * <code>samples/keycloak-pkce-cmdline-sample/scripts/initialize-keycloak.sh</code> for further
++ * information.
++ *
++ * @author Stefan Freyr Stefansson
++ */
++public class PKCESample {
++ /**
++ * Global instance of the {@link DataStoreFactory}. The best practice is to make it a single
++ * globally shared instance across your application.
++ */
++ private static DataStoreFactory DATA_STORE_FACTORY;
++
++ /** OAuth 2 scope. */
++ private static final String SCOPE = "email";
++
++ /** Global instance of the HTTP transport. */
++ private static final HttpTransport HTTP_TRANSPORT = new NetHttpTransport();
++
++ /** Global instance of the JSON factory. */
++ static final JsonFactory JSON_FACTORY = new JacksonFactory();
++
++ private static final String TOKEN_SERVER_URL = "http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/token";
++ private static final String AUTHORIZATION_SERVER_URL = "http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/auth";
++
++ /** Authorizes the installed application to access user's protected data. */
++ private static Credential authorize() throws Exception {
++ // set up authorization code flow
++ String clientId = "pkce-test-client";
++ AuthorizationCodeFlow flow = new AuthorizationCodeFlow.Builder(
++ BearerToken.authorizationHeaderAccessMethod(),
++ HTTP_TRANSPORT,
++ JSON_FACTORY,
++ new GenericUrl(TOKEN_SERVER_URL),
++ new ClientParametersAuthentication(clientId, null),
++ clientId,
++ AUTHORIZATION_SERVER_URL)
++ .setScopes(Arrays.asList(SCOPE))
++ .enablePKCE()
++ .setDataStoreFactory(DATA_STORE_FACTORY).build();
++ // authorize
++ LocalServerReceiver receiver = new LocalServerReceiver.Builder().setHost("127.0.0.1").build();
++ return new AuthorizationCodeInstalledApp(flow, receiver).authorize("user");
++ }
++
++ public static void main(String[] args) {
++ try {
++ DATA_STORE_FACTORY = new MemoryDataStoreFactory();
++ final Credential credential = authorize();
++ System.out.println("Successfully obtained credential from Keycloak running on localhost.");
++ final String accessToken = credential.getAccessToken();
++ System.out.println("Retrieved an access token of length " + accessToken.length());
++ return;
++ } catch (IOException e) {
++ System.err.println(e.getMessage());
++ } catch (Throwable t) {
++ t.printStackTrace();
++ }
++ System.exit(1);
++ }
++}
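Review bot: The `catch (IOException e)` at the end of main prints only the message, discarding the stack trace that tells a reader which HTTP call failed, while the following `catch (Throwable t)` also swallows `Error`s; for a sample, `e.printStackTrace()` in the first branch and `catch (Exception e)` in the second are the clearer choice. The hard-coded `http://127.0.0.1:8080` token and authorization endpoints are fine for the local Docker Keycloak, but a comment such as `// plaintext HTTP is acceptable only because the server is local; PKCE does not protect the token exchange itself, use HTTPS in real deployments` would stop the sample being copied as-is.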
=====================================
debian/patches/series
=====================================
@@ -1,2 +1,3 @@
verbose-build.patch
only-build-required-modules.patch
+CVE-2020-7692.patch