public JwsJwtCompactProducer(JwsHeaders headers, JwtClaims claims) { this(new JwtToken(headers, claims), null); } protected JwsJwtCompactProducer(JwtToken token, JsonMapObjectReaderWriter w) {
/**
 * Builds a compact JWS producer from an existing token: the token's JWS headers are copied
 * into a fresh {@link JwsHeaders} instance and its claims are serialized to JSON with the
 * given reader/writer, and both are handed to the superclass constructor.
 *
 * @param token the token supplying the JWS headers and claims
 * @param w the JSON reader/writer used to serialize the claims; the public
 *          {@code (JwsHeaders, JwtClaims)} constructor passes {@code null} here, so presumably
 *          {@code JwtUtils.claimsToJson} falls back to a default writer when it is null —
 *          confirm against that helper
 */
protected JwsJwtCompactProducer(JwtToken token, JsonMapObjectReaderWriter w) {
    // Constructor body must be the single super(...) call: headers are defensively copied,
    // claims are serialized up front.
    super(new JwsHeaders(token.getJwsHeaders()), w, JwtUtils.claimsToJson(token.getClaims(), w));
}
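/**
 * Validates the claims of a received IdToken before this client accepts it.
 *
 * Checks that the issuer, subject, audience, expiry and issued-at claims are all present, that
 * one of the token's audiences equals {@code clientId}, and then delegates to
 * {@code JwtUtils.validateTokenClaims} for the time-based checks.
 *
 * NOTE(review): the issuer claim is only checked for presence here — its value is not compared
 * against the expected issuer of the IdP. If that comparison is not done elsewhere in this
 * class, a token from any issuer with a matching audience passes this method; confirm.
 *
 * @param jwt the token whose claims are validated (signature verification is assumed to have
 *            happened before this is called — confirm in the caller)
 * @param clientId the client_id of this client; a {@code null} value never matches any audience
 * @throws IllegalStateException if a required claim is missing or no audience matches
 */
protected void validateToken(JwtToken jwt, String clientId) {
    // We must have the following claims
    if (jwt.getClaim(JwtConstants.CLAIM_ISSUER) == null
        || jwt.getClaim(JwtConstants.CLAIM_SUBJECT) == null
        || jwt.getClaim(JwtConstants.CLAIM_AUDIENCE) == null
        || jwt.getClaim(JwtConstants.CLAIM_EXPIRY) == null
        || jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT) == null) {
        LOG.warn("The IdToken is missing a required claim");
        throw new IllegalStateException("The IdToken is missing a required claim");
    }

    // The audience must match the client_id of this client. A null clientId (misconfiguration)
    // is rejected through the same path instead of surfacing as a NullPointerException from
    // clientId.equals(...) inside the loop.
    boolean match = false;
    if (clientId != null) {
        for (String audience : jwt.getClaims().getAudiences()) {
            if (clientId.equals(audience)) {
                match = true;
                break;
            }
        }
    }
    if (!match) {
        LOG.warn("The audience of the token does not match this client");
        throw new IllegalStateException("The audience of the token does not match this client");
    }

    // Time-based claim checks. The literal arguments (300, 0, false) are passed unchanged;
    // presumably a 300-second issued-at window, no clock-skew allowance and audience checking
    // disabled (already done above) — confirm against JwtUtils.validateTokenClaims.
    JwtUtils.validateTokenClaims(jwt.getClaims(), 300, 0, false);
}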
public JweJwtCompactProducer(JwtToken token) { this(new JweHeaders(token.getJweHeaders()), token.getClaims()); } public JweJwtCompactProducer(JwtClaims claims) {
public JwtClaims getJwtClaims() { return getJwtToken().getClaims(); } public JwtToken getJwtToken() {
JwtToken jwt = jwtConsumer.getJwtToken(); jwt = new JwtToken(jwt.getJwsHeaders(), jweHeaders, jwt.getClaims());
if (jwt != null && jwt.getClaims() != null && LOG.isDebugEnabled()) { LOG.debug("Received Claims:"); for (Map.Entry<String, Object> claim : jwt.getClaims().asMap().entrySet()) { LOG.debug(claim.getKey() + ": " + claim.getValue()); if (jwt != null && jwt.getJwsHeaders() != null && LOG.isDebugEnabled()) { LOG.debug("Received JWS Headers:"); for (Map.Entry<String, Object> header : jwt.getJwsHeaders().asMap().entrySet()) { LOG.debug(header.getKey() + ": " + header.getValue()); Date created = new Date((long)jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT) * 1000L); Date notBefore = null; if (jwt.getClaim(JwtConstants.CLAIM_NOT_BEFORE) != null) { notBefore = new Date((long)jwt.getClaim(JwtConstants.CLAIM_NOT_BEFORE) * 1000L); Date expires = new Date((long)jwt.getClaim(JwtConstants.CLAIM_EXPIRY) * 1000L); if (subjectName == null || jwt.getClaim(subjectName) == null) { LOG.debug("No claim available in the token for {}", subjectName); subjectName = "preferred_username"; LOG.debug("Falling back to use subject claim name {}", subjectName); if (subjectName == null || jwt.getClaim(subjectName) == null) { subjectName = JwtConstants.CLAIM_SUBJECT; LOG.debug("No claim available in the token for preferred_username. " createSamlAssertion(idp, trustedIdp, jwt.getClaims(), (String)jwt.getClaim(subjectName), notBefore, expires); Document doc = DOMUtils.createDocument();
@Override protected JwsSignatureVerifier getInitializedSignatureVerifier(JwtToken jwt) { JsonWebKey key = null; if (supportSelfIssuedProvider && SELF_ISSUED_ISSUER.equals(jwt.getClaim("issuer"))) { String publicKeyJson = (String)jwt.getClaim("sub_jwk"); if (publicKeyJson != null) { JsonWebKey publicKey = JwkUtils.readJwkKey(publicKeyJson); String thumbprint = JwkUtils.getThumbprint(publicKey); if (thumbprint.equals(jwt.getClaim("sub"))) { key = publicKey; String keyId = jwt.getJwsHeaders().getKeyId(); key = keyId != null ? keyMap.get(keyId) : null; if (key == null && jwkSetClient != null) { theJwsVerifier = JwsUtils.getSignatureVerifier(key, jwt.getJwsHeaders().getSignatureAlgorithm()); } else { theJwsVerifier = super.getInitializedSignatureVerifier(jwt.getJwsHeaders());
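/**
 * Test helper: parses the compact-serialized IdToken, asserts the expected claim values and
 * verifies its RS256 signature against the "alice" certificate from keys/alice.jks.
 *
 * The claims are asserted before the signature is verified. That is acceptable in a test that
 * fails either way, but must not be copied into production code, where claims may only be
 * trusted after the signature has been verified.
 *
 * @param idToken the compact JWS serialization of the IdToken under test
 * @param nonce the value expected in the token's nonce claim, or {@code null} to skip that check
 * @throws KeyStoreException if the JKS keystore type is unavailable
 * @throws NoSuchAlgorithmException if the keystore integrity algorithm is unavailable
 * @throws CertificateException if a certificate in the keystore cannot be loaded
 * @throws IOException if the keystore resource cannot be read
 */
private void validateIdToken(String idToken, String nonce) throws KeyStoreException,
    NoSuchAlgorithmException, CertificateException, IOException {
    JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(idToken);
    JwtToken jwt = jwtConsumer.getJwtToken();

    // Validate claims
    assertEquals("alice", jwt.getClaim(JwtConstants.CLAIM_SUBJECT));
    assertEquals("OIDC IdP", jwt.getClaim(JwtConstants.CLAIM_ISSUER));
    assertEquals("consumer-id", jwt.getClaim(JwtConstants.CLAIM_AUDIENCE));
    assertNotNull(jwt.getClaim(JwtConstants.CLAIM_EXPIRY));
    assertNotNull(jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT));
    if (nonce != null) {
        assertEquals(nonce, jwt.getClaim(IdToken.NONCE_CLAIM));
    }

    // Load the verification certificate. The resource stream was never closed before;
    // try-with-resources releases it even when loading fails.
    KeyStore keystore = KeyStore.getInstance("JKS");
    try (java.io.InputStream keystoreStream =
             ClassLoaderUtils.getResourceAsStream("keys/alice.jks", this.getClass())) {
        keystore.load(keystoreStream, "password".toCharArray());
    }
    Certificate cert = keystore.getCertificate("alice");
    assertNotNull(cert);

    // The expected algorithm is pinned explicitly rather than taken from the token's "alg" header.
    assertTrue(jwtConsumer.verifySignatureWith((X509Certificate)cert, SignatureAlgorithm.RS256));
}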
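/**
 * Selects the signature verifier for the given token by delegating to the header-based
 * {@code getInitializedSignatureVerifier(JwsHeaders)} overload of the superclass. Only the JWS
 * headers are consulted; the claims play no part in choosing the verifier.
 *
 * The {@code @Override} annotation is added so the compiler confirms this really overrides the
 * superclass hook (the sibling provider in this code base declares the same signature with it).
 *
 * @param jwt the token whose JWS headers select the verifier
 * @return the initialized verifier chosen by the superclass for those headers
 */
@Override
protected JwsSignatureVerifier getInitializedSignatureVerifier(JwtToken jwt) {
    return super.getInitializedSignatureVerifier(jwt.getJwsHeaders());
}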
/**
 * Tells whether the token's JWS "alg" header names a public-key (asymmetric) signature
 * algorithm rather than a symmetric one.
 *
 * Only the header is inspected: nothing here proves the signature was actually verified, and
 * the "alg" value is whatever the token's producer wrote, so a {@code true} result must not be
 * read as evidence of a valid signature.
 *
 * @param jwt the token whose JWS headers are inspected
 * @return {@code true} if the declared algorithm is a public-key algorithm
 */
private boolean isVerifiedWithAPublicKey(JwtToken jwt) {
    Object declaredAlg = jwt.getJwsHeader(JoseConstants.HEADER_ALGORITHM);
    SignatureAlgorithm parsedAlg = SignatureAlgorithm.getAlgorithm((String)declaredAlg);
    return SignatureAlgorithm.isPublicKeyAlgorithm(parsedAlg);
}
public JwtClaims getJwtClaims() { return getJwtToken().getClaims(); } public JwtToken getJwtToken() {
JwtToken jwt = jwtConsumer.getJwtToken(); jwt = new JwtToken(jwt.getJwsHeaders(), jweHeaders, jwt.getClaims());
public JweJwtCompactProducer(JwtToken token) { this(new JweHeaders(token.getJweHeaders()), token.getClaims()); } public JweJwtCompactProducer(JwtClaims claims) {
@Override protected JwsSignatureVerifier getInitializedSignatureVerifier(JwtToken jwt) { JsonWebKey key = null; if (supportSelfIssuedProvider && SELF_ISSUED_ISSUER.equals(jwt.getClaim("issuer"))) { String publicKeyJson = (String)jwt.getClaim("sub_jwk"); if (publicKeyJson != null) { JsonWebKey publicKey = JwkUtils.readJwkKey(publicKeyJson); String thumbprint = JwkUtils.getThumbprint(publicKey); if (thumbprint.equals(jwt.getClaim("sub"))) { key = publicKey; String keyId = jwt.getJwsHeaders().getKeyId(); key = keyId != null ? keyMap.get(keyId) : null; if (key == null && jwkSetClient != null) { theJwsVerifier = JwsUtils.getSignatureVerifier(key, jwt.getJwsHeaders().getSignatureAlgorithm()); } else { theJwsVerifier = super.getInitializedSignatureVerifier(jwt.getJwsHeaders());
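/**
 * Test helper: parses the compact-serialized IdToken, asserts the expected claim values and
 * verifies its RS256 signature against the "alice" certificate from keys/alice.jks.
 *
 * The claims are asserted before the signature is verified. That is acceptable in a test that
 * fails either way, but must not be copied into production code, where claims may only be
 * trusted after the signature has been verified.
 *
 * @param idToken the compact JWS serialization of the IdToken under test
 * @param nonce the value expected in the token's nonce claim, or {@code null} to skip that check
 * @throws KeyStoreException if the JKS keystore type is unavailable
 * @throws NoSuchAlgorithmException if the keystore integrity algorithm is unavailable
 * @throws CertificateException if a certificate in the keystore cannot be loaded
 * @throws IOException if the keystore resource cannot be read
 */
private void validateIdToken(String idToken, String nonce) throws KeyStoreException,
    NoSuchAlgorithmException, CertificateException, IOException {
    JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(idToken);
    JwtToken jwt = jwtConsumer.getJwtToken();

    // Validate claims
    assertEquals("alice", jwt.getClaim(JwtConstants.CLAIM_SUBJECT));
    assertEquals("OIDC IdP", jwt.getClaim(JwtConstants.CLAIM_ISSUER));
    assertEquals("consumer-id", jwt.getClaim(JwtConstants.CLAIM_AUDIENCE));
    assertNotNull(jwt.getClaim(JwtConstants.CLAIM_EXPIRY));
    assertNotNull(jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT));
    if (nonce != null) {
        assertEquals(nonce, jwt.getClaim(IdToken.NONCE_CLAIM));
    }

    // Load the verification certificate. The resource stream was never closed before;
    // try-with-resources releases it even when loading fails.
    KeyStore keystore = KeyStore.getInstance("JKS");
    try (java.io.InputStream keystoreStream =
             ClassLoaderUtils.getResourceAsStream("keys/alice.jks", this.getClass())) {
        keystore.load(keystoreStream, "password".toCharArray());
    }
    Certificate cert = keystore.getCertificate("alice");
    assertNotNull(cert);

    // The expected algorithm is pinned explicitly rather than taken from the token's "alg" header.
    assertTrue(jwtConsumer.verifySignatureWith((X509Certificate)cert, SignatureAlgorithm.RS256));
}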
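/**
 * Selects the signature verifier for the given token by delegating to the header-based
 * {@code getInitializedSignatureVerifier(JwsHeaders)} overload of the superclass. Only the JWS
 * headers are consulted; the claims play no part in choosing the verifier.
 *
 * The {@code @Override} annotation is added so the compiler confirms this really overrides the
 * superclass hook (the sibling provider in this code base declares the same signature with it).
 *
 * @param jwt the token whose JWS headers select the verifier
 * @return the initialized verifier chosen by the superclass for those headers
 */
@Override
protected JwsSignatureVerifier getInitializedSignatureVerifier(JwtToken jwt) {
    return super.getInitializedSignatureVerifier(jwt.getJwsHeaders());
}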
/**
 * Tells whether the token's JWS "alg" header names a public-key (asymmetric) signature
 * algorithm rather than a symmetric one.
 *
 * Only the header is inspected: nothing here proves the signature was actually verified, and
 * the "alg" value is whatever the token's producer wrote, so a {@code true} result must not be
 * read as evidence of a valid signature.
 *
 * @param jwt the token whose JWS headers are inspected
 * @return {@code true} if the declared algorithm is a public-key algorithm
 */
private boolean isVerifiedWithAPublicKey(JwtToken jwt) {
    Object declaredAlg = jwt.getJwsHeader(JoseConstants.HEADER_ALGORITHM);
    SignatureAlgorithm parsedAlg = SignatureAlgorithm.getAlgorithm((String)declaredAlg);
    return SignatureAlgorithm.isPublicKeyAlgorithm(parsedAlg);
}
public JwsJwtCompactProducer(JwsHeaders headers, JwtClaims claims) { this(new JwtToken(headers, claims), null); } protected JwsJwtCompactProducer(JwtToken token, JsonMapObjectReaderWriter w) {
/**
 * Builds a compact JWS producer from an existing token: the token's JWS headers are copied
 * into a fresh {@link JwsHeaders} instance and its claims are serialized to JSON with the
 * given reader/writer, and both are handed to the superclass constructor.
 *
 * @param token the token supplying the JWS headers and claims
 * @param w the JSON reader/writer used to serialize the claims; the public
 *          {@code (JwsHeaders, JwtClaims)} constructor passes {@code null} here, so presumably
 *          {@code JwtUtils.claimsToJson} falls back to a default writer when it is null —
 *          confirm against that helper
 */
protected JwsJwtCompactProducer(JwtToken token, JsonMapObjectReaderWriter w) {
    // Constructor body must be the single super(...) call: headers are defensively copied,
    // claims are serialized up front.
    super(new JwsHeaders(token.getJwsHeaders()), w, JwtUtils.claimsToJson(token.getClaims(), w));
}