/**
 * Validates the time-based claims of an already parsed JWT.
 *
 * Delegates to {@code JwtUtils.validateTokenClaims} with this instance's
 * {@code ttl} and {@code clockOffset}. The audience restriction is
 * deliberately not checked here (last argument is {@code false}), so any
 * audience policy has to be enforced by the caller or a subclass.
 *
 * @param jwt the token whose claims are validated
 */
protected void validateToken(JwtToken jwt) {
    boolean checkAudience = false;
    JwtUtils.validateTokenClaims(jwt.getClaims(), ttl, clockOffset, checkAudience);
}
/**
 * Creates a producer for a JWE-protected JWT.
 *
 * The claims are serialized to JSON and passed, together with the JWE
 * headers, to the superclass constructor as the plaintext to be encrypted.
 *
 * @param joseHeaders the JWE headers to use for the compact serialization
 * @param claims the JWT claims that become the encrypted payload
 */
public JweJwtCompactProducer(JweHeaders joseHeaders, JwtClaims claims) {
    super(joseHeaders, JwtUtils.claimsToJson(claims));
}
}
/**
 * Validates the time-related claims of a JWT and, optionally, its audience.
 *
 * Rules encoded here:
 * <ul>
 *   <li>the expiry claim is validated; it is mandatory when no issued-at claim is present;</li>
 *   <li>the not-before claim is validated when present but never required;</li>
 *   <li>the issued-at claim is validated against {@code timeToLive}; it is mandatory
 *       when no expiry claim is present.</li>
 * </ul>
 * Consequently a token carrying neither an expiry nor an issued-at claim is rejected
 * by the expiry check. Callers that must always have an expiry need to check that
 * themselves, since a token with only an issued-at claim passes here.
 *
 * @param claims the claims to validate
 * @param timeToLive maximum accepted token age measured from the issued-at claim
 *                   (units as interpreted by {@code validateJwtIssuedAt})
 * @param clockOffset tolerance applied to the time comparisons
 * @param validateAudienceRestriction whether to also validate the audience against
 *                                    the expectations attached to the current message
 */
public static void validateTokenClaims(JwtClaims claims, int timeToLive, int clockOffset,
                                       boolean validateAudienceRestriction) {
    boolean hasIssuedAt = claims.getIssuedAt() != null;
    // Without an issued-at claim the token would never age out unless it has an expiry.
    validateJwtExpiry(claims, clockOffset, !hasIssuedAt);
    validateJwtNotBefore(claims, clockOffset, false);

    boolean hasExpiry = claims.getExpiryTime() != null;
    // Without an expiry the issued-at claim is what bounds the token's lifetime via timeToLive.
    validateJwtIssuedAt(claims, timeToLive, clockOffset, !hasExpiry);

    if (validateAudienceRestriction) {
        validateJwtAudienceRestriction(claims, PhaseInterceptorChain.getCurrentMessage());
    }
}
validateClaimsAlways || strictTimeValidation && claims.getIssuedAt() == null; try { JwtUtils.validateJwtExpiry(claims, getClockOffset(), expiredRequired); } catch (JwtException ex) { throw new OAuthServiceException("ID Token has expired", ex); validateClaimsAlways || strictTimeValidation && claims.getExpiryTime() == null; try { JwtUtils.validateJwtIssuedAt(claims, getTtl(), getClockOffset(), issuedAtRequired); } catch (JwtException ex) { throw new OAuthServiceException("Invalid issuedAt claim", ex); JwtUtils.validateJwtNotBefore(claims, getClockOffset(), strictTimeValidation); } catch (JwtException ex) { throw new OAuthServiceException("ID Token can not be used yet", ex);
/**
 * Decrypts the JWE payload with the given provider and parses it as JWT claims.
 *
 * Any failure raised by {@code jwe.decrypt} (e.g. wrong key or failed integrity
 * check) propagates to the caller; no token is produced in that case.
 *
 * @param jwe the decryption provider holding the key material for this token
 * @return a {@code JwtToken} combining this consumer's headers with the decrypted claims
 */
public JwtToken decryptWith(JweDecryptionProvider jwe) {
    byte[] plaintext = jwe.decrypt(jweConsumer.getJweDecryptionInput());
    String claimsJson = toString(plaintext);
    return new JwtToken(headers, JwtUtils.jsonToClaims(claimsJson));
}
/**
 * Re-establishes the OIDC security context for a request whose client already
 * has a stored token context.
 *
 * Returns {@code false} and installs nothing when no token context is stored, or
 * when the ID token carries an expiry that is no longer valid; in the latter case
 * the stale context is removed from the state manager. Otherwise a fresh
 * {@code OidcClientTokenContextImpl} is assembled from the stored token, ID token
 * and user info plus the current request state, attached to the current message
 * and exposed to the request through an {@code OidcSecurityContext}.
 *
 * @param rc the JAX-RS request being filtered
 * @return {@code true} if a security context was installed on {@code rc}
 */
protected boolean checkSecurityContext(ContainerRequestContext rc) {
    OidcClientTokenContext stored =
        (OidcClientTokenContext) stateManager.getClientTokenContext(mc);
    if (stored == null) {
        return false;
    }

    IdToken idToken = stored.getIdToken();
    // NOTE(review): a null ID token would NPE on getExpiryTime() below — confirm it is always set.
    try {
        // Clock offset 0; the expiry is only required (third argument) when the token has one,
        // so an ID token without an expiry claim is accepted here.
        JwtUtils.validateJwtExpiry(idToken, 0, idToken.getExpiryTime() != null);
    } catch (JwtException ex) {
        // Expired ID token: the stored context is stale, drop it.
        stateManager.removeClientTokenContext(new MessageContextImpl(JAXRSUtils.getCurrentMessage()));
        return false;
    }

    OidcClientTokenContextImpl refreshed = new OidcClientTokenContextImpl();
    refreshed.setToken(stored.getToken());
    refreshed.setIdToken(idToken);
    refreshed.setUserInfo(stored.getUserInfo());
    refreshed.setState(toRequestState(rc));
    JAXRSUtils.getCurrentMessage().setContent(ClientTokenContext.class, refreshed);

    OidcSecurityContext securityContext = new OidcSecurityContext(refreshed);
    securityContext.setRoleClaim(roleClaim);
    rc.setSecurityContext(securityContext);
    return true;
}
private MultivaluedMap<String, String> toRequestState(ContainerRequestContext rc) {
validateClaimsAlways || strictTimeValidation && claims.getIssuedAt() == null; try { JwtUtils.validateJwtExpiry(claims, getClockOffset(), expiredRequired); } catch (JwtException ex) { throw new OAuthServiceException("ID Token has expired", ex); validateClaimsAlways || strictTimeValidation && claims.getExpiryTime() == null; try { JwtUtils.validateJwtIssuedAt(claims, getTtl(), getClockOffset(), issuedAtRequired); } catch (JwtException ex) { throw new OAuthServiceException("Invalid issuedAt claim", ex); JwtUtils.validateJwtNotBefore(claims, getClockOffset(), strictTimeValidation); } catch (JwtException ex) { throw new OAuthServiceException("ID Token can not be used yet", ex);
/**
 * Decrypts the JWE payload with the given provider and parses it as JWT claims.
 *
 * Any failure raised by {@code jwe.decrypt} (e.g. wrong key or failed integrity
 * check) propagates to the caller; no token is produced in that case.
 *
 * @param jwe the decryption provider holding the key material for this token
 * @return a {@code JwtToken} combining this consumer's headers with the decrypted claims
 */
public JwtToken decryptWith(JweDecryptionProvider jwe) {
    byte[] plaintext = jwe.decrypt(jweConsumer.getJweDecryptionInput());
    String claimsJson = toString(plaintext);
    return new JwtToken(headers, JwtUtils.jsonToClaims(claimsJson));
}
/**
 * Re-establishes the OIDC security context for a request whose client already
 * has a stored token context.
 *
 * Returns {@code false} and installs nothing when no token context is stored, or
 * when the ID token carries an expiry that is no longer valid; in the latter case
 * the stale context is removed from the state manager. Otherwise a fresh
 * {@code OidcClientTokenContextImpl} is assembled from the stored token, ID token
 * and user info plus the current request state, attached to the current message
 * and exposed to the request through an {@code OidcSecurityContext}.
 *
 * @param rc the JAX-RS request being filtered
 * @return {@code true} if a security context was installed on {@code rc}
 */
protected boolean checkSecurityContext(ContainerRequestContext rc) {
    OidcClientTokenContext stored =
        (OidcClientTokenContext) stateManager.getClientTokenContext(mc);
    if (stored == null) {
        return false;
    }

    IdToken idToken = stored.getIdToken();
    // NOTE(review): a null ID token would NPE on getExpiryTime() below — confirm it is always set.
    try {
        // Clock offset 0; the expiry is only required (third argument) when the token has one,
        // so an ID token without an expiry claim is accepted here.
        JwtUtils.validateJwtExpiry(idToken, 0, idToken.getExpiryTime() != null);
    } catch (JwtException ex) {
        // Expired ID token: the stored context is stale, drop it.
        stateManager.removeClientTokenContext(new MessageContextImpl(JAXRSUtils.getCurrentMessage()));
        return false;
    }

    OidcClientTokenContextImpl refreshed = new OidcClientTokenContextImpl();
    refreshed.setToken(stored.getToken());
    refreshed.setIdToken(idToken);
    refreshed.setUserInfo(stored.getUserInfo());
    refreshed.setState(toRequestState(rc));
    JAXRSUtils.getCurrentMessage().setContent(ClientTokenContext.class, refreshed);

    OidcSecurityContext securityContext = new OidcSecurityContext(refreshed);
    securityContext.setRoleClaim(roleClaim);
    rc.setSecurityContext(securityContext);
    return true;
}
private MultivaluedMap<String, String> toRequestState(ContainerRequestContext rc) {
/**
 * Validates the time-based claims of an already parsed JWT.
 *
 * Delegates to {@code JwtUtils.validateTokenClaims} with this instance's
 * {@code ttl} and {@code clockOffset}. The audience restriction is
 * deliberately not checked here (last argument is {@code false}), so any
 * audience policy has to be enforced by the caller or a subclass.
 *
 * @param jwt the token whose claims are validated
 */
protected void validateToken(JwtToken jwt) {
    boolean checkAudience = false;
    JwtUtils.validateTokenClaims(jwt.getClaims(), ttl, clockOffset, checkAudience);
}
/**
 * Validates the time-related claims of a JWT and, optionally, its audience.
 *
 * Rules encoded here:
 * <ul>
 *   <li>the expiry claim is validated; it is mandatory when no issued-at claim is present;</li>
 *   <li>the not-before claim is validated when present but never required;</li>
 *   <li>the issued-at claim is validated against {@code timeToLive}; it is mandatory
 *       when no expiry claim is present.</li>
 * </ul>
 * Consequently a token carrying neither an expiry nor an issued-at claim is rejected
 * by the expiry check. Callers that must always have an expiry need to check that
 * themselves, since a token with only an issued-at claim passes here.
 *
 * @param claims the claims to validate
 * @param timeToLive maximum accepted token age measured from the issued-at claim
 *                   (units as interpreted by {@code validateJwtIssuedAt})
 * @param clockOffset tolerance applied to the time comparisons
 * @param validateAudienceRestriction whether to also validate the audience against
 *                                    the expectations attached to the current message
 */
public static void validateTokenClaims(JwtClaims claims, int timeToLive, int clockOffset,
                                       boolean validateAudienceRestriction) {
    boolean hasIssuedAt = claims.getIssuedAt() != null;
    // Without an issued-at claim the token would never age out unless it has an expiry.
    validateJwtExpiry(claims, clockOffset, !hasIssuedAt);
    validateJwtNotBefore(claims, clockOffset, false);

    boolean hasExpiry = claims.getExpiryTime() != null;
    // Without an expiry the issued-at claim is what bounds the token's lifetime via timeToLive.
    validateJwtIssuedAt(claims, timeToLive, clockOffset, !hasExpiry);

    if (validateAudienceRestriction) {
        validateJwtAudienceRestriction(claims, PhaseInterceptorChain.getCurrentMessage());
    }
}
/**
 * Chooses the response entity used to return the user info.
 *
 * @param userInfo the user info claims to send back
 * @return the JSON string form when {@code convertClearUserInfoToString} is set,
 *         otherwise the {@code UserInfo} object itself
 */
protected Object convertUserInfoToResponseEntity(UserInfo userInfo) {
    if (convertClearUserInfoToString) {
        return JwtUtils.claimsToJson(userInfo);
    }
    // Default: leave serialization to the JAX-RS MessageBodyWriter.
    return userInfo;
}
assertNotNull(at.getTokenKey()); JwsJwtCompactConsumer c = new JwsJwtCompactConsumer(at.getTokenKey()); JwtClaims claims = JwtUtils.jsonToClaims(c.getDecodedJwsPayload());
/**
 * Validates the claims of an already parsed JWT using this instance's settings.
 *
 * Time validation uses {@code getTtl()} and {@code getClockOffset()}; the audience
 * restriction is validated only when {@code isValidateAudience()} is true.
 *
 * @param jwt the token whose claims are validated
 */
@Override
protected void validateToken(JwtToken jwt) {
    boolean checkAudience = isValidateAudience();
    JwtUtils.validateTokenClaims(jwt.getClaims(), getTtl(), getClockOffset(), checkAudience);
}
/**
 * Serializes the claims to JSON using the default reader/writer.
 *
 * @param claims the claims to serialize
 * @return the JSON representation of {@code claims}
 */
public static String claimsToJson(JwtClaims claims) {
    return claimsToJson(claims, null);
}

/**
 * Serializes the claims to JSON with the given reader/writer.
 *
 * @param claims the claims to serialize
 * @param writer the JSON reader/writer to use; {@code null} selects the default
 *               (behaviour for {@code null} is established by the body, which continues beyond this view)
 */
public static String claimsToJson(JwtClaims claims, JsonMapObjectReaderWriter writer) {
/**
 * Checks that an ID token carries the claims this client requires and is addressed
 * to this client, then validates its time-based claims.
 *
 * Required claims: issuer, subject, audience, expiry and issued-at. The audience
 * list must contain {@code clientId}. Time validation is done by
 * {@code JwtUtils.validateTokenClaims} with a fixed time-to-live of 300 and a
 * clock offset of 0 (units as interpreted there); its own audience check is
 * disabled because the audience was already matched above.
 *
 * @param jwt the parsed ID token
 * @param clientId this client's identifier, which must appear among the token audiences
 * @throws IllegalStateException if a required claim is missing or no audience matches
 */
protected void validateToken(JwtToken jwt, String clientId) {
    String[] requiredClaims = {
        JwtConstants.CLAIM_ISSUER,
        JwtConstants.CLAIM_SUBJECT,
        JwtConstants.CLAIM_AUDIENCE,
        JwtConstants.CLAIM_EXPIRY,
        JwtConstants.CLAIM_ISSUED_AT
    };
    for (String claimName : requiredClaims) {
        if (jwt.getClaim(claimName) == null) {
            LOG.warn("The IdToken is missing a required claim");
            throw new IllegalStateException("The IdToken is missing a required claim");
        }
    }

    if (!isAddressedTo(jwt, clientId)) {
        LOG.warn("The audience of the token does not match this client");
        throw new IllegalStateException("The audience of the token does not match this client");
    }

    JwtUtils.validateTokenClaims(jwt.getClaims(), 300, 0, false);
}

/**
 * Tells whether {@code clientId} is one of the token's audiences, so the token
 * was issued for this client and not merely for some other party.
 */
private static boolean isAddressedTo(JwtToken jwt, String clientId) {
    for (String audience : jwt.getClaims().getAudiences()) {
        if (clientId.equals(audience)) {
            return true;
        }
    }
    return false;
}
/**
 * Serializes the claims to JSON using the default reader/writer.
 *
 * @param claims the claims to serialize
 * @return the JSON representation of {@code claims}
 */
public static String claimsToJson(JwtClaims claims) {
    return claimsToJson(claims, null);
}

/**
 * Serializes the claims to JSON with the given reader/writer.
 *
 * @param claims the claims to serialize
 * @param writer the JSON reader/writer to use; {@code null} selects the default
 *               (behaviour for {@code null} is established by the body, which continues beyond this view)
 */
public static String claimsToJson(JwtClaims claims, JsonMapObjectReaderWriter writer) {
/**
 * Validates the claims of a JWT assertion presented by {@code client}.
 *
 * When an expected audience is configured it is published on the current message
 * under {@code JwtConstants.EXPECTED_CLAIM_AUDIENCE} so that the audience check in
 * {@code JwtUtils.validateTokenClaims} (enabled here) can use it. Issuer and subject
 * are validated next. Finally the assertion is rejected if it has no expiry claim:
 * {@code validateTokenClaims} alone accepts a token with only an issued-at claim,
 * and an assertion without an expiry must not be accepted here.
 *
 * @param client the client presenting the assertion
 * @param claims the parsed JWT claims
 * @throws OAuthServiceException with {@code OAuthConstants.INVALID_GRANT} when the
 *         expiry claim is absent
 */
protected void validateClaims(Client client, JwtClaims claims) {
    if (getAudience() != null) {
        JAXRSUtils.getCurrentMessage().put(JwtConstants.EXPECTED_CLAIM_AUDIENCE, getAudience());
    }
    JwtUtils.validateTokenClaims(claims, ttl, clockOffset, true);
    validateIssuer(claims.getIssuer());
    validateSubject(client, claims.getSubject());
    requireExpiryClaim(claims);
}

/** Rejects an assertion that carries no expiry claim. */
private static void requireExpiryClaim(JwtClaims claims) {
    if (claims.getClaim(JwtConstants.CLAIM_EXPIRY) == null) {
        throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
    }
}
/**
 * Creates a producer for a JWE-protected JWT.
 *
 * The claims are serialized to JSON and passed, together with the JWE
 * headers, to the superclass constructor as the plaintext to be encrypted.
 *
 * @param joseHeaders the JWE headers to use for the compact serialization
 * @param claims the JWT claims that become the encrypted payload
 */
public JweJwtCompactProducer(JweHeaders joseHeaders, JwtClaims claims) {
    super(joseHeaders, JwtUtils.claimsToJson(claims));
}
}
/**
 * Validates the claims of a JWT assertion presented by {@code client}.
 *
 * When an expected audience is configured it is published on the current message
 * under {@code JwtConstants.EXPECTED_CLAIM_AUDIENCE} so that the audience check in
 * {@code JwtUtils.validateTokenClaims} (enabled here) can use it. Issuer and subject
 * are validated next. Finally the assertion is rejected if it has no expiry claim:
 * {@code validateTokenClaims} alone accepts a token with only an issued-at claim,
 * and an assertion without an expiry must not be accepted here.
 *
 * @param client the client presenting the assertion
 * @param claims the parsed JWT claims
 * @throws OAuthServiceException with {@code OAuthConstants.INVALID_GRANT} when the
 *         expiry claim is absent
 */
protected void validateClaims(Client client, JwtClaims claims) {
    if (getAudience() != null) {
        JAXRSUtils.getCurrentMessage().put(JwtConstants.EXPECTED_CLAIM_AUDIENCE, getAudience());
    }
    JwtUtils.validateTokenClaims(claims, ttl, clockOffset, true);
    validateIssuer(claims.getIssuer());
    validateSubject(client, claims.getSubject());
    requireExpiryClaim(claims);
}

/** Rejects an assertion that carries no expiry claim. */
private static void requireExpiryClaim(JwtClaims claims) {
    if (claims.getClaim(JwtConstants.CLAIM_EXPIRY) == null) {
        throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
    }
}