/**
 * Builds and signs a JWT for {@code subject}: {@code iat} and {@code nbf} are set to now,
 * {@code exp} to now + {@code duration} minutes, the caller-supplied claims are copied in, and
 * the token is signed with the configured JWS signature provider.
 *
 * @param tokenId  value for the {@code jti} claim
 * @param subject  value for the {@code sub} claim
 * @param duration token lifetime in minutes
 * @param claims   additional claims; they are applied after the registered ones, so a key such
 *                 as {@code exp} in this map would presumably replace the value computed here —
 *                 NOTE(review): confirm callers never forward untrusted keys
 * @return the compact serialized JWS and its expiry instant
 */
@Override
public Pair<String, Date> generateJWT(
        final String tokenId,
        final String subject,
        final long duration,
        final Map<String, Object> claims) {

    credentialChecker.checkIsDefaultJWSKeyInUse();

    // JWT time claims are seconds since the epoch; duration arrives in minutes.
    final long nowSeconds = System.currentTimeMillis() / 1000L;
    final long expirySeconds = nowSeconds + duration * 60L;

    final JwtClaims payload = new JwtClaims();
    payload.setTokenId(tokenId);
    payload.setSubject(subject);
    payload.setIssuedAt(nowSeconds);
    payload.setIssuer(jwtIssuer);
    payload.setExpiryTime(expirySeconds);
    payload.setNotBefore(nowSeconds);
    claims.forEach(payload::setClaim);

    final JwsHeaders headers = new JwsHeaders(JoseType.JWT, jwsSignatureProvider.getAlgorithm());
    final JwsJwtCompactProducer producer = new JwsJwtCompactProducer(new JwtToken(headers, payload));
    final String compact = producer.signWith(jwsSignatureProvider);

    return Pair.of(compact, new Date(expirySeconds * 1000L));
}
/**
 * Returns the explicitly configured username, falling back to the token's {@code sub} claim
 * when none was set.
 */
@Override
public String getName() {
    if (username != null) {
        return username;
    }
    return claims.getSubject();
}
}
/**
 * Looks up a single claim by name, delegating to the wrapped claims object.
 *
 * @param name claim name
 * @return whatever the wrapped claims object holds under {@code name}
 */
public Object getClaim(String name) {
    Object value = claims.getClaim(name);
    return value;
}

public int hashCode() {
/**
 * Serializes this grant as a JWT: every parameter from {@code super.toMap()} becomes a claim
 * (first value only), {@code iss} is set when an issuer is configured, and the token is handed
 * to {@code joseProducer} together with {@code clientSecret}.
 *
 * @return the JWT string produced by {@code joseProducer}
 */
public String getRequest() {
    MultivaluedMap<String, String> params = super.toMap();
    JwtClaims jwtClaims = new JwtClaims();
    if (issuer != null) {
        jwtClaims.setIssuer(issuer);
    }
    // Only the first value of each multi-valued parameter is carried into the token.
    params.keySet().forEach(name -> jwtClaims.setClaim(name, params.getFirst(name)));
    return joseProducer.processJwt(new JwtToken(jwtClaims), clientSecret);
}
// Verify the compact JWS (header.payload in `data`, signature in `signedData`) against `pk`.
// The consumer is configured to reject tokens without `exp` or with an unexpected `aud`/`iss`.
JwtConsumer consumer = new JwtConsumerBuilder()
        .setVerificationKey(pk)
        .setRequireExpirationTime()
        .setExpectedAudience("https://citrixp.com:8443/")
        .setExpectedIssuer("https://sts.windows.net/dd9b6a3e-29d1-4254-a746-e02941444517/")
        .build();
String compactJws = data + "." + signedData;
JwtClaims claims = consumer.processToClaims(compactJws);
System.out.println("Subject: " + claims.getSubject());
System.out.println("UPN: " + claims.getStringClaimValue("upn"));
public static String createToken(String issuer, String subject, String audience, boolean expiry, boolean sign) { JwtClaims claims = new JwtClaims(); claims.setSubject(subject); if (issuer != null) { claims.setIssuer(issuer); claims.setIssuedAt(now.getEpochSecond()); if (expiry) { claims.setExpiryTime(now.plusSeconds(60L).getEpochSecond()); claims.setAudiences(Collections.singletonList(audience));
private AccessTokenValidation convertClaimsToValidation(JwtClaims claims) { AccessTokenValidation atv = new AccessTokenValidation(); atv.setInitialValidationSuccessful(true); String clientId = claims.getStringProperty(OAuthConstants.CLIENT_ID); if (clientId != null) { atv.setClientId(clientId); if (claims.getIssuedAt() != null) { atv.setTokenIssuedAt(claims.getIssuedAt()); } else { Instant now = Instant.now(); atv.setTokenIssuedAt(now.toEpochMilli()); if (claims.getExpiryTime() != null) { atv.setTokenLifetime(claims.getExpiryTime() - atv.getTokenIssuedAt()); List<String> audiences = claims.getAudiences(); if (audiences != null && !audiences.isEmpty()) { atv.setAudiences(claims.getAudiences()); if (claims.getIssuer() != null) { atv.setTokenIssuer(claims.getIssuer()); if (claims.getNotBefore() != null) { atv.setTokenNotBefore(claims.getNotBefore()); Object scope = claims.getClaim(OAuthConstants.SCOPE); if (scope != null) { String[] scopes = scope instanceof String
protected JwtClaims createJwtAccessToken(ServerAccessToken at) { JwtClaims claims = new JwtClaims(); claims.setTokenId(at.getTokenKey()); JwtTokenUtils.getClaimName(OAuthConstants.CLIENT_ID, OAuthConstants.CLIENT_ID, getJwtAccessTokenClaimMap()); claims.setClaim(clientIdClaimName, at.getClient().getClientId()); claims.setIssuedAt(at.getIssuedAt()); if (at.getExpiresIn() > 0) { claims.setExpiryTime(at.getIssuedAt() + at.getExpiresIn()); claims.setSubject(userSubject.getId()); String usernameClaimName = JwtTokenUtils.getClaimName(usernameProp, usernameProp, getJwtAccessTokenClaimMap()); claims.setClaim(usernameClaimName, userSubject.getLogin()); claims.setIssuer(at.getIssuer()); claims.setClaim(OAuthConstants.SCOPE, OAuthUtils.convertPermissionsToScopeList(at.getScopes())); List<String> resourceAudiences = at.getAudiences(); if (resourceAudiences.size() == 1) { claims.setAudience(resourceAudiences.get(0)); } else { claims.setAudiences(resourceAudiences); for (Map.Entry<String, String> entry : at.getExtraProperties().entrySet()) { if (JoseConstants.HEADER_X509_THUMBPRINT_SHA256.equals(entry.getKey())) {
/**
 * Obtains a Google access token for the configured service account via the JWT bearer grant:
 * a self-signed RS256 assertion (issuer = service-account client id, subject = configured
 * service-account subject, fixed audience and scopes) is posted to the token endpoint.
 *
 * @return the access token returned by the endpoint
 */
private ClientAccessToken getAccessToken() {
    // The token endpoint also serves as the assertion's `aud` claim.
    String tokenEndpoint = "https://accounts.google.com/o/oauth2/token";

    JwsHeaders headers = new JwsHeaders(JoseType.JWT, SignatureAlgorithm.RS256);
    JwtClaims assertionClaims = new JwtClaims();
    assertionClaims.setIssuer(config.getServiceAccountClientId());
    assertionClaims.setAudience(tokenEndpoint);
    assertionClaims.setSubject(config.getServiceAccountSubject());
    long issuedAt = OAuthUtils.getIssuedAt();
    long lifetime = config.getServiceAccountTokenLifetime();
    assertionClaims.setIssuedAt(issuedAt);
    assertionClaims.setExpiryTime(issuedAt + lifetime);
    // Space-separated scopes the resulting access token is requested for.
    assertionClaims.setProperty("scope",
        "https://www.googleapis.com/auth/admin.directory.group.readonly https://www.googleapis.com/auth/admin.directory.user");

    String assertion = new JwsJwtCompactProducer(new JwtToken(headers, assertionClaims)).signWith(privateKey);

    WebClient tokenService = WebClient.create(tokenEndpoint,
        Arrays.asList(new OAuthJSONProvider(), new AccessTokenGrantWriter()));
    tokenService.type(MediaType.APPLICATION_FORM_URLENCODED).accept(MediaType.APPLICATION_JSON);
    return tokenService.post(new JwtBearerGrant(assertion), ClientAccessToken.class);
}
/**
 * Builds the JwtClaims for an STS-issued token: subject, a random {@code jti}, the issuer
 * (request-supplied, else the STS default), after which the WS-Trust claims, conditions,
 * audience restriction and ActAs handlers are applied in turn.
 *
 * @param jwtClaimsProviderParameters request and STS context for the token being issued
 * @return the populated claims
 */
public JwtClaims getJwtClaims(JWTClaimsProviderParameters jwtClaimsProviderParameters) {
    JwtClaims jwtClaims = new JwtClaims();
    jwtClaims.setSubject(getSubjectName(jwtClaimsProviderParameters));
    // A random token id makes every issued token individually identifiable.
    jwtClaims.setTokenId(UUID.randomUUID().toString());

    // Issuer: prefer the one supplied with the request, otherwise fall back to the STS-wide setting.
    String issuer = jwtClaimsProviderParameters.getIssuer();
    if (issuer != null) {
        jwtClaims.setIssuer(issuer);
    } else {
        STSPropertiesMBean stsProperties =
            jwtClaimsProviderParameters.getProviderParameters().getStsProperties();
        jwtClaims.setIssuer(stsProperties.getIssuer());
    }

    handleWSTrustClaims(jwtClaimsProviderParameters, jwtClaims);
    handleConditions(jwtClaimsProviderParameters, jwtClaims);
    handleAudienceRestriction(jwtClaimsProviderParameters, jwtClaims);
    handleActAs(jwtClaimsProviderParameters, jwtClaims);
    return jwtClaims;
}
// Payload: a token for "foki" expiring in 5 minutes, handed to the JWS object to be signed
// with HS256 using `key` (NOTE(review): the key's origin/entropy is not visible here — confirm).
JwtClaims payloadClaims = new JwtClaims();
payloadClaims.setExpirationTimeMinutesInTheFuture(5);
payloadClaims.setSubject("foki");
payloadClaims.setIssuer("the issuer");
payloadClaims.setAudience("the audience");

jws.setPayload(payloadClaims.toJson());
jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.HMAC_SHA256);
jws.setKey(key);
/**
 * Client-side filter that attaches a JWT to the outgoing request's Authorization header.
 * When no token was supplied for the request but JWE is required, a token is derived from the
 * endpoint's AuthorizationPolicy credentials (username as {@code sub}, password as a
 * {@code "password"} claim — presumably acceptable only because the JweHeaders mean the token
 * will be encrypted).
 *
 * @param requestContext the outgoing request
 * @throws IOException   declared by the filter interface
 * @throws JoseException when no token could be obtained
 */
@Override
public void filter(ClientRequestContext requestContext) throws IOException {
    JwtToken jwt = getJwtToken(requestContext);
    if (jwt == null && super.isJweRequired()) {
        jwt = tokenFromAuthorizationPolicy();
    }
    if (jwt == null) {
        throw new JoseException("JWT token is not available");
    }
    String serialized = super.processJwt(jwt);
    requestContext.getHeaders().putSingle(HttpHeaders.AUTHORIZATION, authScheme + " " + serialized);
}

/**
 * Builds a JWT from the current endpoint's username/password policy, or returns null when no
 * policy or no username is configured. The password becomes a claim, so callers must only use
 * this when the token is going to be encrypted.
 */
private JwtToken tokenFromAuthorizationPolicy() {
    AuthorizationPolicy policy = JAXRSUtils.getCurrentMessage().getExchange()
        .getEndpoint().getEndpointInfo().getExtensor(AuthorizationPolicy.class);
    if (policy == null || policy.getUserName() == null) {
        return null;
    }
    JwtClaims claims = new JwtClaims();
    claims.setSubject(policy.getUserName());
    claims.setClaim("password", policy.getPassword());
    claims.setIssuedAt(System.currentTimeMillis() / 1000L);
    return new JwtToken(new JweHeaders(), claims);
}
throw new IllegalArgumentException("Invalid signature found in Relay State"); Long expiryTime = relayState.getJwtClaims().getExpiryTime(); if (expiryTime == null || (expiryTime * 1000L) < new Date().getTime()) { throw new IllegalArgumentException("Relay State is expired"); relayState.getJwtClaims().getClaim(JWT_CLAIM_IDP_DEFLATE).toString()); if (relayState != null && !relayState.getJwtClaims().getSubject().equals(logoutResponse.getInResponseTo())) { throw new IllegalArgumentException("Unmatching request ID: " + logoutResponse.getInResponseTo()); accessTokenDAO.delete(consumer.getJwtClaims().getTokenId()); } else { SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.Unknown);
/**
 * Sets the {@code aud} claim to a single value, stored (and therefore serialized) as a plain
 * String rather than a one-element array; use {@code setAudiences} for several audiences.
 *
 * @param audience the sole intended audience of the token
 */
public void setAudience(String audience) {
    setClaim(JwtConstants.CLAIM_AUDIENCE, audience);
}
/**
 * Validates the claims of a JWT presented by {@code client}: the shared time/audience checks in
 * {@code JwtUtils.validateTokenClaims}, then issuer and subject, and finally an explicit
 * requirement that {@code exp} is present.
 *
 * @param client the client presenting the token
 * @param claims the parsed token claims
 * @throws OAuthServiceException with {@code OAuthConstants.INVALID_GRANT} when {@code exp} is missing
 */
protected void validateClaims(Client client, JwtClaims claims) {
    // The expected audience reaches the shared validator through the current message.
    if (getAudience() != null) {
        JAXRSUtils.getCurrentMessage().put(JwtConstants.EXPECTED_CLAIM_AUDIENCE, getAudience());
    }
    JwtUtils.validateTokenClaims(claims, ttl, clockOffset, true);
    validateIssuer(claims.getIssuer());
    validateSubject(client, claims.getSubject());

    // A token without an expiry is rejected here regardless of what the shared validator
    // tolerates (presumably it does not itself require `exp`).
    Object expiry = claims.getClaim(JwtConstants.CLAIM_EXPIRY);
    if (expiry == null) {
        throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
    }
}
response.setToken(tokenData); response.setTokenId(claims.getTokenId()); if (claims.getIssuedAt() > 0) { response.setCreated(Instant.ofEpochMilli(claims.getIssuedAt() * 1000L)); if (claims.getExpiryTime() > 0) { expires = Instant.ofEpochMilli(claims.getExpiryTime() * 1000L); response.setExpires(expires);
/**
 * Security context backed by a JwtToken. The principal is the token's {@code sub}; roles come
 * from {@code roleClaim} (a comma-separated string property) when present; every claim is also
 * mirrored into the {@code claims} collection.
 *
 * @param jwt       the token (assumed to have been verified before reaching here — confirm)
 * @param roleClaim name of the property carrying comma-separated role names, or null for no roles
 */
public JwtTokenSecurityContext(JwtToken jwt, String roleClaim) {
    this.token = jwt;
    principal = new SimplePrincipal(jwt.getClaims().getSubject());

    if (roleClaim == null || !jwt.getClaims().containsProperty(roleClaim)) {
        roles = Collections.emptySet();
    } else {
        roles = new HashSet<>();
        // NOTE(review): only the whole string is trimmed, so " admin" after a comma keeps its
        // leading space and would not equal "admin" — confirm this is intended.
        String roleList = jwt.getClaims().getStringProperty(roleClaim).trim();
        for (String roleName : roleList.split(",")) {
            roles.add(new SimpleGroup(roleName));
        }
    }

    // Mirror every claim into the ClaimCollection, keeping multi-valued claims as lists.
    jwt.getClaims().asMap().forEach((String name, Object values) -> {
        Claim claim = new Claim();
        claim.setClaimType(name);
        if (values instanceof List<?>) {
            claim.setValues(CastUtils.cast((List<?>) values));
        } else {
            claim.setValues(Collections.singletonList(values));
        }
        claims.add(claim);
    });
}
Set<SyncopeGrantedAuthority> authorities; if (adminUser.equals(authentication.getClaims().getSubject())) { AccessToken accessToken = accessTokenDAO.find(authentication.getClaims().getTokenId()); if (accessToken == null) { throw new AuthenticationCredentialsNotFoundException( "Could not find an Access Token for JWT " + authentication.getClaims().getTokenId()); authorities = getAdminAuthorities(); } else { JWTSSOProvider jwtSSOProvider = getJWTSSOProvider(authentication.getClaims().getIssuer()); Pair<User, Set<SyncopeGrantedAuthority>> resolved = jwtSSOProvider.resolve(authentication.getClaims()); if (resolved == null || resolved.getLeft() == null) { throw new AuthenticationCredentialsNotFoundException( "Could not find User " + authentication.getClaims().getSubject() + " for JWT " + authentication.getClaims().getTokenId()); authorities = resolved.getRight() == null ? Collections.emptySet() : resolved.getRight(); LOG.debug("JWT {} issued by {} resolved to User {} with authorities {}", authentication.getClaims().getTokenId(), authentication.getClaims().getIssuer(), username, authorities);
// Two variants of the same three time claims. First: iat/nbf = currentTime, exp = currentTime + lifetime (units presumably seconds, matching the epoch-second call below — confirm). Second: from an explicit creation time in seconds and an Instant-style expiry.
claims.setIssuedAt(currentTime); claims.setNotBefore(currentTime); claims.setExpiryTime(currentTime + lifetime); claims.setIssuedAt(creationTimeInSeconds); claims.setNotBefore(creationTimeInSeconds); claims.setExpiryTime(expirationTime.getEpochSecond());
relayState.getJwtClaims().getClaim(JWT_CLAIM_IDP_DEFLATE).toString()); requestId = relayState.getJwtClaims().getSubject(); Long expiryTime = relayState.getJwtClaims().getExpiryTime(); if (expiryTime == null || (expiryTime * 1000L) < new Date().getTime()) { throw new IllegalArgumentException("Relay State is expired");