Merge pull request #67 from authlete/native-sso

Native SSO Support

Author: TakahikoKawasaki

pom.xml

@@ -12,8 +12,8 @@
   <properties>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 
-    <authlete.java.common.version>4.12</authlete.java.common.version>
-    <authlete.java.jaxrs.version>2.80</authlete.java.jaxrs.version>
+    <authlete.java.common.version>4.19</authlete.java.common.version>
+    <authlete.java.jaxrs.version>2.86</authlete.java.jaxrs.version>
     <authlete.cbor.version>1.18</authlete.cbor.version>
     <javax.servlet-api.version>3.0.1</javax.servlet-api.version>
     <jersey.version>2.30.1</jersey.version>

src/main/java/com/authlete/jaxrs/server/api/AuthorizationDecisionEndpoint.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016-2019 Authlete, Inc.
+ * Copyright (C) 2016-2025 Authlete, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20,7 +20,6 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Date;
-import java.util.List;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;
 import javax.ws.rs.Consumes;
@@ -110,7 +109,8 @@ public Response post(
         // Implementation of AuthorizationDecisionHandlerSpi.
         AuthorizationDecisionHandlerSpi spi =
             new AuthorizationDecisionHandlerSpiImpl(
-                parameters, user, authTime, idTokenClaims, acrs, client);
+                parameters, user, authTime, idTokenClaims, acrs, client,
+                session.getId());
 
         // Handle the end-user's decision.
         return handle(AuthleteApiFactory.getDefaultApi(), spi, params);

src/main/java/com/authlete/jaxrs/server/api/AuthorizationDecisionHandlerSpiImpl.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016-2022 Authlete, Inc.
+ * Copyright (C) 2016-2025 Authlete, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -104,6 +104,12 @@ class AuthorizationDecisionHandlerSpiImpl extends AuthorizationDecisionHandlerSp
     private Client mClient;
 
 
+    /**
+     * The session ID of the user's authentication session.
+     */
+    private String mSessionId;
+
+
     /**
      * Constructor with a request from the form in the authorization page.
      *
@@ -114,7 +120,8 @@ class AuthorizationDecisionHandlerSpiImpl extends AuthorizationDecisionHandlerSp
      */
     public AuthorizationDecisionHandlerSpiImpl(
             MultivaluedMap<String, String> parameters, User user,
-            Date userAuthenticatedAt, String idTokenClaims, String[] acrs, Client client)
+            Date userAuthenticatedAt, String idTokenClaims, String[] acrs,
+            Client client, String sessionId)
     {
         // If the end-user clicked the "Authorize" button, "authorized"
         // is contained in the request.
@@ -159,6 +166,9 @@ public AuthorizationDecisionHandlerSpiImpl(
 
         // The client associated with the request.
         mClient = client;
+
+        // The session ID of the user's authentication session.
+        mSessionId = sessionId;
     }
 
 
@@ -255,7 +265,7 @@ private static Map<String, Object> parseJson(String json)
 
         try
         {
-            return (Map<String, Object>)Utils.fromJson(json, Map.class);
+            return Utils.fromJson(json, Map.class);
         }
         catch (Exception e)
         {
@@ -483,4 +493,11 @@ public Object getVerifiedClaims(String subject, Object verifiedClaimsRequest)
         // of the request from the available datasets.
         return new VerifiedClaimsBuilder(verifiedClaimsRequest, datasets).build();
     }
+
+
+    @Override
+    public String getSessionId()
+    {
+        return mSessionId;
+    }
 }

src/main/java/com/authlete/jaxrs/server/api/JwtAuthzGrantProcessor.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2022 Authlete, Inc.
+ * Copyright (C) 2022-2025 Authlete, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,10 +17,13 @@
 package com.authlete.jaxrs.server.api;
 
 
+import java.util.Map;
+import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.CacheControl;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
+import javax.ws.rs.core.Response.ResponseBuilder;
 import javax.ws.rs.core.Response.Status;
 import com.authlete.common.api.AuthleteApi;
 import com.authlete.common.dto.TokenCreateRequest;
@@ -66,13 +69,19 @@
 class JwtAuthzGrantProcessor
 {
     private final AuthleteApi mAuthleteApi;
+    private final HttpServletRequest mRequest;
     private final TokenResponse mTokenResponse;
+    private final Map<String, Object> mHeaders;
 
 
-    public JwtAuthzGrantProcessor(AuthleteApi authleteApi, TokenResponse tokenResponse)
+    public JwtAuthzGrantProcessor(
+            AuthleteApi authleteApi, HttpServletRequest request,
+            TokenResponse tokenResponse, Map<String, Object> headers)
     {
         mAuthleteApi   = authleteApi;
+        mRequest       = request;
         mTokenResponse = tokenResponse;
+        mHeaders       = headers;
     }
 
 
@@ -326,12 +335,29 @@ private Response toJsonResponse(Status status, String content)
         cacheControl.setNoCache(true);
         cacheControl.setNoStore(true);
 
-        return Response
-                .status(status)
+        ResponseBuilder builder = Response.status(status)
                 .type(MediaType.APPLICATION_JSON_TYPE)
                 .cacheControl(cacheControl)
                 .entity(content)
-                .build();
+                ;
+
+        addResponseHeaders(builder, mHeaders);
+
+        return builder.build();
+    }
+
+
+    private static void addResponseHeaders(ResponseBuilder builder, Map<String, Object> headers)
+    {
+        if (headers == null)
+        {
+            return;
+        }
+
+        for (Map.Entry<String, Object> header : headers.entrySet())
+        {
+            builder.header(header.getKey(), header.getValue());
+        }
     }