tokenValidator = new IDTokenValidator(oidcProviderMetadata.getIssuer(), clientId, preferredJwsAlgorithm, clientSecret); } else { final ResourceRetriever retriever = new DefaultResourceRetriever(oidcConnectTimeout, oidcReadTimeout); tokenValidator = new IDTokenValidator(oidcProviderMetadata.getIssuer(), clientId, preferredJwsAlgorithm, oidcProviderMetadata.getJWKSetURI().toURL(), retriever);
con = (HttpURLConnection)url.openConnection(); con.setConnectTimeout(getConnectTimeout()); con.setReadTimeout(getReadTimeout()); if (getSizeLimit() > 0) { inputStream = new BoundedInputStream(inputStream, getSizeLimit());
@Override
public Resource retrieveResource(final URL url) throws IOException {
    // Fetch normally, then percent-encode the literal "{tenantid}" placeholder in the body.
    // NOTE(review): presumably the tenant-agnostic metadata document whose URLs carry that
    // template; the escaped form keeps the body parseable, but a templated issuer cannot be
    // compared literally, so confirm that issuer validation downstream accounts for it.
    final Resource fetched = super.retrieveResource(url);
    final String escapedBody = fetched.getContent().replace("{tenantid}", "%7Btenantid%7D");
    return new Resource(escapedBody, fetched.getContentType());
}
}
/**
 * Supplies the retriever used to download JWT key material, unless the application already
 * registered its own {@link ResourceRetriever} bean.
 * <p>
 * All three bounds come from the AAD auth properties. Per DefaultResourceRetriever's
 * documented contract, a zero connect/read timeout or size limit disables that bound, so the
 * defaults behind these getters decide whether the remote fetch is bounded at all.
 *
 * @return a singleton, bounded HTTP resource retriever
 */
@Bean
@Scope(BeanDefinition.SCOPE_SINGLETON)
@ConditionalOnMissingBean(ResourceRetriever.class)
public ResourceRetriever getJWTResourceRetriever() {
    final int connectTimeoutMillis = aadAuthProps.getJwtConnectTimeout();
    final int readTimeoutMillis = aadAuthProps.getJwtReadTimeout();
    final int maxBodyBytes = aadAuthProps.getJwtSizeLimit();
    return new DefaultResourceRetriever(connectTimeoutMillis, readTimeoutMillis, maxBodyBytes);
}
/**
 * Creates the service with a bounded HTTP retriever for remote key material.
 * <p>
 * Each retriever bound is taken from the resource-retriever management properties when set,
 * otherwise from the class default. Only a {@code null} property triggers the fallback: an
 * explicitly configured {@code 0} is passed through as-is, and DefaultResourceRetriever treats
 * {@code 0} as "no bound" for timeouts and the size limit alike.
 *
 * @param resourceServerService              resource server lookup service, stored for later use
 * @param resourceServerManagementProperties source of the retriever timeouts and size limit
 */
public RemoteKeyRetrieverService(
        ResourceServerService resourceServerService,
        ResourceServerManagementProperties resourceServerManagementProperties) {
    this.resourceServerService = resourceServerService;

    final ResourceServerManagementProperties.ResourceRetrieverProperties retrieverProps =
            resourceServerManagementProperties.getResourceRetriever();
    final Integer configuredConnectTimeout = retrieverProps.getHttpConnectTimeout();
    final Integer configuredReadTimeout = retrieverProps.getHttpReadTimeout();
    final Integer configuredSizeLimit = retrieverProps.getHttpSizeLimit();

    final int connectTimeout = configuredConnectTimeout != null ? configuredConnectTimeout : DEFAULT_HTTP_CONNECT_TIMEOUT;
    final int readTimeout = configuredReadTimeout != null ? configuredReadTimeout : DEFAULT_HTTP_READ_TIMEOUT;
    final int sizeLimit = configuredSizeLimit != null ? configuredSizeLimit : DEFAULT_HTTP_SIZE_LIMIT;

    this.resourceRetriever = new DefaultResourceRetriever(connectTimeout, readTimeout, sizeLimit);
}
/**
 * Supplies the retriever used to download JWT key material, unless the application already
 * registered its own {@link ResourceRetriever} bean.
 * <p>
 * All three bounds come from the AAD auth properties. Per DefaultResourceRetriever's
 * documented contract, a zero connect/read timeout or size limit disables that bound, so the
 * defaults behind these getters decide whether the remote fetch is bounded at all.
 *
 * @return a singleton, bounded HTTP resource retriever
 */
@Bean
@Scope(BeanDefinition.SCOPE_SINGLETON)
@ConditionalOnMissingBean(ResourceRetriever.class)
public ResourceRetriever getJWTResourceRetriever() {
    final int connectTimeoutMillis = aadAuthProps.getJwtConnectTimeout();
    final int readTimeoutMillis = aadAuthProps.getJwtReadTimeout();
    final int maxBodyBytes = aadAuthProps.getJwtSizeLimit();
    return new DefaultResourceRetriever(connectTimeoutMillis, readTimeoutMillis, maxBodyBytes);
}
jwkSetRetriever = resourceRetriever; } else { jwkSetRetriever = new DefaultResourceRetriever(DEFAULT_HTTP_CONNECT_TIMEOUT, DEFAULT_HTTP_READ_TIMEOUT, DEFAULT_HTTP_SIZE_LIMIT);
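/**
 * Creates a decoder that verifies JWS signatures against the keys published at the given
 * JWK Set URL, accepting only tokens signed with the configured algorithm.
 *
 * @param jwkSetUrl    the JWK Set endpoint; must be non-empty and a well-formed URL
 * @param jwsAlgorithm the expected JWS algorithm name (for example {@code "RS256"}); must be non-empty
 * @throws IllegalArgumentException if either argument is blank or the URL is malformed
 */
public NimbusJwtDecoderJwkSupport(String jwkSetUrl, String jwsAlgorithm) {
    Assert.hasText(jwkSetUrl, "jwkSetUrl cannot be empty");
    Assert.hasText(jwsAlgorithm, "jwsAlgorithm cannot be empty");
    try {
        this.jwkSetUrl = new URL(jwkSetUrl);
    } catch (MalformedURLException ex) {
        throw new IllegalArgumentException("Invalid JWK Set URL: " + ex.getMessage(), ex);
    }
    this.jwsAlgorithm = JWSAlgorithm.parse(jwsAlgorithm);
    // Bound the JWK Set download in size as well as time. The two-argument retriever
    // constructor leaves the size limit at 0, which DefaultResourceRetriever treats as
    // unbounded; a misbehaving or compromised key endpoint could then stream an arbitrarily
    // large body into memory. The library default (same bound RemoteJWKSet applies when it
    // builds its own retriever) is ample for a JWK Set.
    ResourceRetriever jwkSetRetriever = new DefaultResourceRetriever(
            30000, 30000, RemoteJWKSet.DEFAULT_HTTP_SIZE_LIMIT);
    JWKSource<SecurityContext> jwkSource = new RemoteJWKSet<>(this.jwkSetUrl, jwkSetRetriever);
    // The selector is pinned to the single configured algorithm; a token asserting another
    // "alg" should receive no candidate keys from it and fail verification (Nimbus behaviour,
    // not shown here).
    JWSKeySelector<SecurityContext> jwsKeySelector =
            new JWSVerificationKeySelector<>(this.jwsAlgorithm, jwkSource);
    this.jwtProcessor = new DefaultJWTProcessor<>();
    this.jwtProcessor.setJWSKeySelector(jwsKeySelector);
}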
/**
 * Retrieve JWKS from jwks_uri.
 * <p>
 * The connection timeout, read timeout and maximum response size are read from the HTTP
 * connection configuration; a missing or non-positive value falls back to the matching
 * default, so the remote fetch is always bounded both in time and in size.
 *
 * @param jwksUri Identity provider's jwks_uri.
 * @return RemoteJWKSet backed by a bounded retriever
 * @throws MalformedURLException for invalid URL.
 */
private RemoteJWKSet<SecurityContext> retrieveJWKSFromJWKSEndpoint(String jwksUri) throws MalformedURLException {
    final DefaultResourceRetriever boundedRetriever = new DefaultResourceRetriever(
            positiveOrDefault(readHTTPConnectionConfigValue(HTTP_CONNECTION_TIMEOUT_XPATH), DEFAULT_HTTP_CONNECTION_TIMEOUT),
            positiveOrDefault(readHTTPConnectionConfigValue(HTTP_READ_TIMEOUT_XPATH), DEFAULT_HTTP_READ_TIMEOUT),
            positiveOrDefault(readHTTPConnectionConfigValue(HTTP_SIZE_LIMIT_XPATH), RemoteJWKSet.DEFAULT_HTTP_SIZE_LIMIT));
    return new RemoteJWKSet<>(new URL(jwksUri), boundedRetriever);
}

/**
 * Returns {@code configured} when it is positive, otherwise {@code fallback}; a zero or
 * negative configured value would otherwise disable the corresponding retriever bound.
 */
private static int positiveOrDefault(int configured, int fallback) {
    return configured > 0 ? configured : fallback;
}
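/**
 * Builds the JWT processor used to verify incoming tokens: signatures are checked with RS256
 * against the keys fetched from the configured JWK Set URL.
 * <p>
 * NOTE(review): no JWTClaimsSetVerifier is installed here, so issuer and audience are not
 * checked by this processor (the Nimbus default verifier covers only time-based claims);
 * confirm the caller enforces them.
 *
 * @return a processor with a remote-JWKS, RS256-only signature key selector installed
 * @throws MalformedURLException if the configured JWK URL is not well-formed
 */
@Bean
public ConfigurableJWTProcessor configurableJWTProcessor() throws MalformedURLException {
    // Bound the JWKS download in size as well as time: the two-argument retriever constructor
    // leaves the size limit at 0, which DefaultResourceRetriever treats as "no limit", so a
    // misbehaving key endpoint could stream an arbitrarily large body into memory.
    ResourceRetriever resourceRetriever = new DefaultResourceRetriever(
            jwtConfiguration.getConnectionTimeout(),
            jwtConfiguration.getReadTimeout(),
            RemoteJWKSet.DEFAULT_HTTP_SIZE_LIMIT);
    URL jwkSetURL = new URL(jwtConfiguration.getJwkUrl());
    JWKSource keySource = new RemoteJWKSet(jwkSetURL, resourceRetriever);
    ConfigurableJWTProcessor jwtProcessor = new DefaultJWTProcessor();
    // Pinning RS256 means a token presenting a different "alg" gets no candidate key and fails
    // verification (Nimbus selector behaviour, not shown here).
    JWSKeySelector keySelector = new JWSVerificationKeySelector(RS256, keySource);
    jwtProcessor.setJWSKeySelector(keySelector);
    return jwtProcessor;
}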
/**
 * Loads a JSON Web Key (JWK) set from the specified URL.
 * <p>
 * The download is performed by a {@link DefaultResourceRetriever} built from the three
 * bounds given; a zero value disables the corresponding bound. In particular a zero
 * {@code sizeLimit} means the response body is read without any upper bound, so callers
 * fetching from endpoints they do not fully control should pass a positive limit.
 *
 * @param url            The JWK set URL. Must not be {@code null}.
 * @param connectTimeout The URL connection timeout, in milliseconds. If zero no (infinite)
 *                       timeout.
 * @param readTimeout    The URL read timeout, in milliseconds. If zero no (infinite) timeout.
 * @param sizeLimit      The read size limit, in bytes. If zero no limit.
 *
 * @return The JWK set.
 *
 * @throws IOException    If the file couldn't be read.
 * @throws ParseException If the file couldn't be parsed to a valid JSON Web Key (JWK) set.
 */
public static JWKSet load(final URL url, final int connectTimeout, final int readTimeout, final int sizeLimit)
        throws IOException, ParseException {
    final RestrictedResourceRetriever retriever =
            new DefaultResourceRetriever(connectTimeout, readTimeout, sizeLimit);
    return parse(retriever.retrieveResource(url).getContent());
}
new DefaultResourceRetriever(jwksConnectTimeout, jwksReadTimeout, RemoteJWKSet.DEFAULT_HTTP_SIZE_LIMIT);
tokenValidator = new IDTokenValidator(oidcProviderMetadata.getIssuer(), clientId, preferredJwsAlgorithm, clientSecret); } else { final ResourceRetriever retriever = new DefaultResourceRetriever(oidcConnectTimeout, oidcReadTimeout); tokenValidator = new IDTokenValidator(oidcProviderMetadata.getIssuer(), clientId, preferredJwsAlgorithm, oidcProviderMetadata.getJWKSetURI().toURL(), retriever);
/**
 * Validates the client configuration and, when no provider metadata was supplied directly,
 * downloads it from the OIDC discovery URI.
 * <p>
 * Checks, in order: a non-blank client id; a response type belonging to one of the known flow
 * families; a non-blank secret for every flow except the implicit ones; and that either a
 * discovery URI or explicit provider metadata is present. A default resource retriever is
 * installed if none was configured.
 *
 * @throws TechnicalException on any failed check, or if the discovery document cannot be
 *                            downloaded or parsed
 */
@Override
protected void internalInit() {
    CommonHelper.assertNotBlank("clientId", getClientId());

    final boolean knownFlow = AUTHORIZATION_CODE_FLOWS.contains(responseType)
            || IMPLICIT_FLOWS.contains(responseType)
            || HYBRID_CODE_FLOWS.contains(responseType);
    if (!knownFlow) {
        throw new TechnicalException("Unsupported responseType: " + responseType);
    }

    // Implicit flows are the only ones allowed to run without a client secret.
    final boolean implicitFlow = IMPLICIT_FLOWS.contains(responseType);
    if (!implicitFlow) {
        CommonHelper.assertNotBlank("secret", getSecret());
    }

    if (getDiscoveryURI() == null && getProviderMetadata() == null) {
        throw new TechnicalException("You must define either the discovery URL or directly the provider metadata");
    }

    // Default retriever, bounded in time only. NOTE(review): the two-argument constructor
    // leaves the size limit at 0, which DefaultResourceRetriever treats as unbounded, so a
    // misbehaving discovery endpoint can stream an arbitrarily large body; prefer a
    // size-limited retriever where one can be configured.
    if (getResourceRetriever() == null) {
        setResourceRetriever(new DefaultResourceRetriever(getConnectTimeout(), getReadTimeout()));
    }

    if (getProviderMetadata() == null) {
        CommonHelper.assertNotBlank("discoveryURI", getDiscoveryURI());
        // NOTE(review): nothing here restricts the discovery URI's scheme, yet the fetched
        // metadata drives issuer and JWKS trust; confirm it is an https URL from trusted
        // configuration. A malformed URI surfaces as MalformedURLException (an IOException).
        try {
            final URL discoveryUrl = new URL(getDiscoveryURI());
            final String metadataDocument = getResourceRetriever().retrieveResource(discoveryUrl).getContent();
            setProviderMetadata(OIDCProviderMetadata.parse(metadataDocument));
        } catch (final IOException | ParseException e) {
            throw new TechnicalException(e);
        }
    }
}