// Decode (but do not verify) the compact-serialized ID token into header / payload / signature.
// NOTE(review): parse() only base64url-decodes and JSON-parses. Nothing in this run checks the
// signature, issuer, audience or expiry; every claim in the payload is untrusted until
// token.verify(...) has been called with a properly configured verifier.
JsonWebSignature jws =
    JsonWebSignature.parser(mJFactory).setPayloadClass(Payload.class).parse(tokenString);
Payload parsedPayload = (Payload) jws.getPayload();
GoogleIdToken token =
    new GoogleIdToken(
        jws.getHeader(), parsedPayload, jws.getSignatureBytes(), jws.getSignedContentBytes()) {
      /**
       * Delegates to the verifier. A SignatureException raised while checking the signature is
       * mapped to {@code false} (token rejected) instead of propagating; any other
       * GeneralSecurityException or IOException still propagates unchanged.
       */
      @Override
      public boolean verify(GoogleIdTokenVerifier verifier)
          throws GeneralSecurityException, IOException {
        try {
          return verifier.verify(this);
        } catch (java.security.SignatureException rejected) {
          // A malformed or invalid signature is reported as "not verified", not as an error.
          return false;
        }
      }
    };
jws = JsonWebSignature.parser(JacksonFactory.getDefaultInstance()).setPayloadClass(AttestationStatement.class) .parse(signedAttestationStatment); } catch (IOException e) { try { if (tm != null) { cert = jws.verifySignature(tm); } else { cert = jws.verifySignature(); AttestationStatement stmt = (AttestationStatement) jws.getPayload(); return stmt;
// That other party, the receiver, can then use JsonWebEncryption to decrypt the message. JsonWebEncryption receiverJwe = new JsonWebEncryption(); // Set the compact serialization on new Json Web Encryption object //This is the received payload JWE payload receiverJwe.setCompactSerialization(result.toString()); // Symmetric encryption, like we are doing here, requires that both parties have the same key. // The key will have had to have been securely exchanged out-of-band somehow. receiverJwe.setKey(secretKeySpec); // Set the "alg" header, which indicates the key management mode for this JWE. // In this example we are using the direct key management mode, which means // the given key will be used directly as the content encryption key. //receiverJwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.DIRECT); //receiverJwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256); // Get the message that was encrypted in the JWE. This step performs the actual decryption steps. String jwsPayload = receiverJwe.getPlaintextString(); // And do whatever you need to do with the clear text message. System.out.println("plaintext: " + jwsPayload); // Create a new JsonWebSignature object JsonWebSignature jws = new JsonWebSignature(); jws.setCompactSerialization(jwsPayload); jws.setKey(secretKeySpec); boolean signatureVerified = jws.verifySignature(); // Do something useful with the result of signature verification System.out.println("JWS Signature is valid: " + signatureVerified); // Get the payload, or signed content, from the JWS String payload = jws.getPayload(); // Do something useful with the content System.out.println("JWS payload: " + payload);
JsonWebSignature signature = JsonWebSignature.parse(JSON_FACTORY, assertion); String foundEmail = signature.getPayload().getIssuer(); if (!serviceAccounts.containsKey(foundEmail)) { throw new IOException("Service Account Email not found as issuer."); String foundScopes = (String) signature.getPayload().get("scope"); if (foundScopes == null || foundScopes.length() == 0) { throw new IOException("Scopes not found.");
/**
 * Asserts that {@code metadata} carries exactly one JWT-access assertion (an Authorization value
 * starting with JWT_ACCESS_PREFIX) and that its decoded claims match the expected issuer and
 * subject (both the service-account email), audience and header key id.
 *
 * <p>Only claim equality is checked: JsonWebSignature.parse decodes the token without verifying
 * its signature, and no expiry check is made. That is adequate for a test helper but must not be
 * mistaken for token validation.
 */
private void verifyJwtAccess(Map<String, List<String>> metadata, String expectedEmail,
    URI expectedAudience, String expectedKeyId) throws IOException {
  assertNotNull(metadata);
  List<String> authHeaders = metadata.get(AuthHttpConstants.AUTHORIZATION);
  assertNotNull("Authorization headers not found", authHeaders);
  String found = null;
  for (String header : authHeaders) {
    if (!header.startsWith(JWT_ACCESS_PREFIX)) {
      continue;
    }
    // A second prefixed header means more than one assertion was attached.
    assertNull("Multiple bearer assertions found", found);
    found = header.substring(JWT_ACCESS_PREFIX.length());
  }
  assertNotNull("Bearer assertion not found", found);
  // Decode only; no signature verification happens here.
  JsonWebSignature decoded = JsonWebSignature.parse(JSON_FACTORY, found);
  assertEquals(expectedEmail, decoded.getPayload().getIssuer());
  assertEquals(expectedEmail, decoded.getPayload().getSubject());
  assertEquals(expectedAudience.toString(), decoded.getPayload().getAudience());
  assertEquals(expectedKeyId, decoded.getHeader().getKeyId());
}
/**
 * Builds and signs a self-issued JWT ("JWT access" credential) for the target {@code uri}.
 *
 * <p>Header: RS256 / typ JWT / kid = this credential's private key id. Claims: iss and sub are
 * both the service-account email (both copies are required), aud is the target URI, iat is the
 * clock's current time and exp is iat + LIFE_SPAN_SECS, all in seconds.
 *
 * @param uri target audience of the token
 * @return the compact-serialized, RS256-signed JWT
 * @throws IOException if signing with the private key fails; the GeneralSecurityException is
 *     wrapped as the cause, not dropped
 */
private String generateJwtAccess(URI uri) throws IOException {
  long nowSeconds = clock.currentTimeMillis() / 1000;

  JsonWebSignature.Header header = new JsonWebSignature.Header();
  header.setAlgorithm("RS256");
  header.setType("JWT");
  header.setKeyId(privateKeyId);

  JsonWebToken.Payload claims = new JsonWebToken.Payload();
  // Both copies of the email are required.
  claims.setIssuer(clientEmail);
  claims.setSubject(clientEmail);
  claims.setAudience(uri.toString());
  claims.setIssuedAtTimeSeconds(nowSeconds);
  claims.setExpirationTimeSeconds(nowSeconds + LIFE_SPAN_SECS);

  try {
    return JsonWebSignature.signUsingRsaSha256(
        privateKey, OAuth2Utils.JSON_FACTORY, header, claims);
  } catch (GeneralSecurityException e) {
    throw new IOException("Error signing service account JWT access header with private key.", e);
  }
}
JsonParser jsonParser = new JacksonFactory().createJsonParser(jws.getPayload().get("appctx").toString()); String appctxsender=jws.getPayload().get("appctxsender").toString(); String[] splitApptxSender = appctxsender.split("@"); new GenericUrl(appCtx.getSecurityTokenServiceUri()), jws.getPayload().get("refreshtoken").toString()); new ClientParametersAuthentication(jws.getPayload().getAudience(), SharePointAppSecret)); tokenRequest.setGrantType("refresh_token"); tokenRequest.set("resource", resource); tokenRequest.set("refresh_token", jws.getPayload().get("refreshtoken").toString()); TokenResponse response =tokenRequest.execute();
JsonWebSignature signature = JsonWebSignature.parse(JSON_FACTORY, assertion); String foundEmail = signature.getPayload().getIssuer(); if (!serviceAccounts.containsKey(foundEmail)) { throw new IOException("Service Account Email not found as issuer."); String foundScopes = (String) signature.getPayload().get("scope"); if (foundScopes == null || foundScopes.length() == 0) { throw new IOException("Scopes not found.");
/**
 * Builds and signs a self-issued JWT ("JWT access" credential) for the target {@code uri}.
 *
 * <p>Header: RS256 / typ JWT / kid = this credential's private key id. Claims: iss and sub are
 * both the service-account email (both copies are required), aud is the target URI, iat is the
 * clock's current time and exp is iat + LIFE_SPAN_SECS, all in seconds.
 *
 * @param uri target audience of the token
 * @return the compact-serialized, RS256-signed JWT
 * @throws IOException if signing with the private key fails; the GeneralSecurityException is
 *     wrapped as the cause, not dropped
 */
private String generateJwtAccess(URI uri) throws IOException {
  long nowSeconds = clock.currentTimeMillis() / 1000;

  JsonWebSignature.Header header = new JsonWebSignature.Header();
  header.setAlgorithm("RS256");
  header.setType("JWT");
  header.setKeyId(privateKeyId);

  JsonWebToken.Payload claims = new JsonWebToken.Payload();
  // Both copies of the email are required.
  claims.setIssuer(clientEmail);
  claims.setSubject(clientEmail);
  claims.setAudience(uri.toString());
  claims.setIssuedAtTimeSeconds(nowSeconds);
  claims.setExpirationTimeSeconds(nowSeconds + LIFE_SPAN_SECS);

  try {
    return JsonWebSignature.signUsingRsaSha256(
        privateKey, OAuth2Utils.JSON_FACTORY, header, claims);
  } catch (GeneralSecurityException e) {
    throw new IOException("Error signing service account JWT access header with private key.", e);
  }
}
// Decode (but do not verify) the compact-serialized ID token into header / payload / signature.
// NOTE(review): parse() only base64url-decodes and JSON-parses. Nothing in this run checks the
// signature, issuer, audience or expiry; every claim in the payload is untrusted until
// token.verify(...) has been called with a properly configured verifier.
JsonWebSignature jws =
    JsonWebSignature.parser(mJFactory).setPayloadClass(Payload.class).parse(tokenString);
Payload parsedPayload = (Payload) jws.getPayload();
GoogleIdToken token =
    new GoogleIdToken(
        jws.getHeader(), parsedPayload, jws.getSignatureBytes(), jws.getSignedContentBytes()) {
      /**
       * Delegates to the verifier. A SignatureException raised while checking the signature is
       * mapped to {@code false} (token rejected) instead of propagating; any other
       * GeneralSecurityException or IOException still propagates unchanged.
       */
      @Override
      public boolean verify(GoogleIdTokenVerifier verifier)
          throws GeneralSecurityException, IOException {
        try {
          return verifier.verify(this);
        } catch (java.security.SignatureException rejected) {
          // A malformed or invalid signature is reported as "not verified", not as an error.
          return false;
        }
      }
    };
jws = JsonWebSignature.parser(JacksonFactory.getDefaultInstance()) .setPayloadClass(AttestationStatement.class).parse(signedAttestationStatment); } catch (IOException e) { cert = jws.verifySignature(); if (cert == null) { System.err.println("Failure: Signature verification failed."); AttestationStatement stmt = (AttestationStatement) jws.getPayload(); return stmt;
/**
 * createAssertion with a null token URI must address the default OAuth2 token server and carry
 * the configured issuer, subject, timestamps and scopes. Claims are read back by decoding the
 * JWS only; the RS256 signature itself is not verified by this test.
 */
@Test
public void createAssertion_correct() throws IOException {
  PrivateKey privateKey = ServiceAccountCredentials.privateKeyFromPkcs8(SA_PRIVATE_KEY_PKCS8);
  List<String> scopes = Arrays.asList("scope1", "scope2");
  ServiceAccountCredentials credentials =
      ServiceAccountCredentials.newBuilder()
          .setClientId(SA_CLIENT_ID)
          .setClientEmail(SA_CLIENT_EMAIL)
          .setPrivateKey(privateKey)
          .setPrivateKeyId(SA_PRIVATE_KEY_ID)
          .setScopes(scopes)
          .setServiceAccountUser(SERVICE_ACCOUNT_USER)
          .setProjectId(PROJECT_ID)
          .build();
  JsonFactory jsonFactory = OAuth2Utils.JSON_FACTORY;
  long nowMillis = Clock.SYSTEM.currentTimeMillis();
  long nowSeconds = nowMillis / 1000;

  // null audience -> default token server URI is expected in "aud".
  String assertion = credentials.createAssertion(jsonFactory, nowMillis, null);

  JsonWebToken.Payload claims = JsonWebSignature.parse(jsonFactory, assertion).getPayload();
  assertEquals(SA_CLIENT_EMAIL, claims.getIssuer());
  assertEquals(OAuth2Utils.TOKEN_SERVER_URI.toString(), claims.getAudience());
  assertEquals(nowSeconds, (long) claims.getIssuedAtTimeSeconds());
  // Assertions expire one hour after issuance.
  assertEquals(nowSeconds + 3600, (long) claims.getExpirationTimeSeconds());
  assertEquals(SERVICE_ACCOUNT_USER, claims.getSubject());
  assertEquals(Joiner.on(' ').join(scopes), claims.get("scope"));
}
/**
 * Exchanges a self-signed service-account JWT for an ID token via the jwt-bearer grant.
 *
 * <p>The assertion is built by the jwtHeader()/jwtPayload() helpers (not shown here) from
 * {@code targetAudience}, the credential's service-account id and its token server URL, signed
 * with the credential's RSA private key, then sent to that token server. The "id_token" field
 * of the response is returned as-is, so the result is null if the server omits it.
 *
 * @param credential service-account credential supplying key, id and token server URL
 * @param targetAudience audience to request in the resulting ID token
 * @return the "id_token" value from the token response, possibly null
 * @throws IOException if the token request fails
 * @throws GeneralSecurityException if signing the assertion fails
 */
private String getServiceAccountToken(GoogleCredential credential, String targetAudience)
    throws IOException, GeneralSecurityException {
  log.debug("Fetching service account access token for {}", credential.getServiceAccountUser());
  String tokenServerUrl = credential.getTokenServerEncodedUrl();
  final TokenRequest tokenRequest =
      new TokenRequest(
          this.httpTransport,
          JSON_FACTORY,
          new GenericUrl(tokenServerUrl),
          "urn:ietf:params:oauth:grant-type:jwt-bearer");
  final Header jwtHeader = jwtHeader();
  final Payload jwtClaims =
      jwtPayload(targetAudience, credential.getServiceAccountId(), tokenServerUrl);
  final String signedAssertion =
      JsonWebSignature.signUsingRsaSha256(
          credential.getServiceAccountPrivateKey(), JSON_FACTORY, jwtHeader, jwtClaims);
  tokenRequest.put("assertion", signedAssertion);
  final TokenResponse tokenResponse = tokenRequest.execute();
  return (String) tokenResponse.get("id_token");
}
/**
 * Decodes a compact-serialized Google ID token into a {@link GoogleIdToken}.
 *
 * <p>This is parsing only. The signature bytes and the signed content are carried along so that
 * a later verification step can check them, but nothing here validates the signature, issuer,
 * audience or expiry; the returned token must be verified before any claim is trusted.
 *
 * @param jsonFactory JSON factory used to decode the header and payload
 * @param idTokenString compact-serialized ID token
 * @return the decoded, still unverified, token
 * @throws IOException if the string is not a well-formed JWS
 */
public static GoogleIdToken parse(JsonFactory jsonFactory, String idTokenString) throws IOException {
  JsonWebSignature decoded =
      JsonWebSignature.parser(jsonFactory).setPayloadClass(Payload.class).parse(idTokenString);
  Payload claims = (Payload) decoded.getPayload();
  return new GoogleIdToken(
      decoded.getHeader(), claims, decoded.getSignatureBytes(), decoded.getSignedContentBytes());
}
/**
 * createAssertion with an explicit token URI must put that URI in "aud" and carry the configured
 * issuer, subject, timestamps and scopes. Claims are read back by decoding the JWS only; the
 * RS256 signature itself is not verified by this test.
 */
@Test
public void createAssertion_withTokenUri_correct() throws IOException {
  PrivateKey privateKey = ServiceAccountCredentials.privateKeyFromPkcs8(SA_PRIVATE_KEY_PKCS8);
  List<String> scopes = Arrays.asList("scope1", "scope2");
  ServiceAccountCredentials credentials =
      ServiceAccountCredentials.newBuilder()
          .setClientId(SA_CLIENT_ID)
          .setClientEmail(SA_CLIENT_EMAIL)
          .setPrivateKey(privateKey)
          .setPrivateKeyId(SA_PRIVATE_KEY_ID)
          .setScopes(scopes)
          .setServiceAccountUser(SERVICE_ACCOUNT_USER)
          .setProjectId(PROJECT_ID)
          .build();
  JsonFactory jsonFactory = OAuth2Utils.JSON_FACTORY;
  long nowMillis = Clock.SYSTEM.currentTimeMillis();
  long nowSeconds = nowMillis / 1000;
  String tokenUri = "https://foo.com/bar";

  String assertion = credentials.createAssertion(jsonFactory, nowMillis, tokenUri);

  JsonWebToken.Payload claims = JsonWebSignature.parse(jsonFactory, assertion).getPayload();
  assertEquals(SA_CLIENT_EMAIL, claims.getIssuer());
  // The explicit audience wins over the default token server.
  assertEquals(tokenUri, claims.getAudience());
  assertEquals(nowSeconds, (long) claims.getIssuedAtTimeSeconds());
  assertEquals(nowSeconds + 3600, (long) claims.getExpirationTimeSeconds());
  assertEquals(SERVICE_ACCOUNT_USER, claims.getSubject());
  assertEquals(Joiner.on(' ').join(scopes), claims.get("scope"));
}
/**
 * Builds the RS256-signed JWT assertion used by the jwt-bearer token request.
 *
 * <p>Header: RS256 / typ JWT / kid = privateKeyId. Claims: iss = clientEmail, sub =
 * serviceAccountUser, scope = the configured scopes joined by single spaces, iat =
 * {@code currentTime} in seconds, exp = iat + 3600, and aud = {@code audience}, falling back
 * to OAuth2Utils.TOKEN_SERVER_URI when {@code audience} is null.
 *
 * @param jsonFactory JSON factory used to encode header and payload
 * @param currentTime current time in milliseconds
 * @param audience value for the "aud" claim, or null to use the default token server URI
 * @return compact-serialized signed JWT
 * @throws IOException wrapping any GeneralSecurityException raised while signing
 */
String createAssertion(JsonFactory jsonFactory, long currentTime, String audience) throws IOException {
  long issuedAtSeconds = currentTime / 1000;
  String aud = audience == null ? OAuth2Utils.TOKEN_SERVER_URI.toString() : audience;

  JsonWebSignature.Header header = new JsonWebSignature.Header();
  header.setAlgorithm("RS256");
  header.setType("JWT");
  header.setKeyId(privateKeyId);

  JsonWebToken.Payload claims = new JsonWebToken.Payload();
  claims.setIssuer(clientEmail);
  claims.setIssuedAtTimeSeconds(issuedAtSeconds);
  // Assertions are short-lived: one hour after issuance.
  claims.setExpirationTimeSeconds(issuedAtSeconds + 3600);
  claims.setSubject(serviceAccountUser);
  claims.put("scope", Joiner.on(' ').join(scopes));
  claims.setAudience(aud);

  try {
    return JsonWebSignature.signUsingRsaSha256(privateKey, jsonFactory, header, claims);
  } catch (GeneralSecurityException e) {
    throw new IOException(
        "Error signing service account access token request with private key.", e);
  }
}
/**
 * Decodes a compact-serialized JWT into a {@link FirebaseCustomAuthToken}, keeping its header,
 * payload, signature bytes and signed content.
 *
 * <p>Decoding only: the signature is not verified here and no claim is validated. The result
 * must be verified separately before any of its fields are trusted.
 *
 * @param jsonFactory JSON factory used to decode the header and payload
 * @param tokenString compact-serialized JWT
 * @return the decoded, unverified token
 * @throws IOException if the string is not a well-formed JWS
 */
public static FirebaseCustomAuthToken parse(JsonFactory jsonFactory, String tokenString)
    throws IOException {
  JsonWebSignature decoded =
      JsonWebSignature.parser(jsonFactory).setPayloadClass(Payload.class).parse(tokenString);
  Payload claims = (Payload) decoded.getPayload();
  return new FirebaseCustomAuthToken(
      decoded.getHeader(), claims, decoded.getSignatureBytes(), decoded.getSignedContentBytes());
}
/**
 * Builds the RS256-signed JWT assertion used by the jwt-bearer token request.
 *
 * <p>Header: RS256 / typ JWT / kid = privateKeyId. Claims: iss = clientEmail, sub =
 * serviceAccountUser, scope = the configured scopes joined by single spaces, iat =
 * {@code currentTime} in seconds, exp = iat + 3600, and aud = {@code audience}, falling back
 * to OAuth2Utils.TOKEN_SERVER_URI when {@code audience} is null.
 *
 * @param jsonFactory JSON factory used to encode header and payload
 * @param currentTime current time in milliseconds
 * @param audience value for the "aud" claim, or null to use the default token server URI
 * @return compact-serialized signed JWT
 * @throws IOException wrapping any GeneralSecurityException raised while signing
 */
String createAssertion(JsonFactory jsonFactory, long currentTime, String audience) throws IOException {
  long issuedAtSeconds = currentTime / 1000;
  String aud = audience == null ? OAuth2Utils.TOKEN_SERVER_URI.toString() : audience;

  JsonWebSignature.Header header = new JsonWebSignature.Header();
  header.setAlgorithm("RS256");
  header.setType("JWT");
  header.setKeyId(privateKeyId);

  JsonWebToken.Payload claims = new JsonWebToken.Payload();
  claims.setIssuer(clientEmail);
  claims.setIssuedAtTimeSeconds(issuedAtSeconds);
  // Assertions are short-lived: one hour after issuance.
  claims.setExpirationTimeSeconds(issuedAtSeconds + 3600);
  claims.setSubject(serviceAccountUser);
  claims.put("scope", Joiner.on(' ').join(scopes));
  claims.setAudience(aud);

  try {
    return JsonWebSignature.signUsingRsaSha256(privateKey, jsonFactory, header, claims);
  } catch (GeneralSecurityException e) {
    throw new IOException(
        "Error signing service account access token request with private key.", e);
  }
}
/**
 * Decodes a compact-serialized Firebase ID token into a {@link FirebaseToken}.
 *
 * <p>Decoding only: signature, issuer, audience and expiry are not checked here; the token must
 * be verified before any claim is used. A parse failure is rethrown as an IOException whose
 * message explains that the whole JWT string is expected, with the original exception kept as
 * the cause.
 *
 * @param jsonFactory JSON factory used to decode the header and payload
 * @param tokenString compact-serialized ID token
 * @return the decoded, unverified token
 * @throws IOException if the string cannot be decoded as a JWS
 */
static FirebaseToken parse(JsonFactory jsonFactory, String tokenString) throws IOException {
  try {
    JsonWebSignature decoded =
        JsonWebSignature.parser(jsonFactory)
            .setPayloadClass(FirebaseTokenImpl.Payload.class)
            .parse(tokenString);
    FirebaseTokenImpl.Payload claims = (FirebaseTokenImpl.Payload) decoded.getPayload();
    FirebaseTokenImpl impl =
        new FirebaseTokenImpl(
            decoded.getHeader(),
            claims,
            decoded.getSignatureBytes(),
            decoded.getSignedContentBytes());
    return new FirebaseToken(impl);
  } catch (IOException decodeFailure) {
    // Re-wrap with guidance for the common mistake of passing a partial token; keep the cause.
    throw new IOException(
        "Decoding Firebase ID token failed. Make sure you passed the entire string JWT "
            + "which represents an ID token. See https://firebase.google.com/docs/auth/admin/"
            + "verify-id-tokens for details on how to retrieve an ID token.",
        decodeFailure);
  }
}
JsonWebSignature.signUsingRsaSha256( getServiceAccountPrivateKey(), getJsonFactory(), header, payload); TokenRequest request =