/**
 * Builds the default {@link Jwt} validator for a known issuer: a {@link JwtTimestampValidator}
 * chained with a {@link JwtIssuerValidator} bound to {@code issuer}.
 *
 * <p>Callers that need further checks (an audience check, for instance) can combine the returned
 * validator with their own in a {@code DelegatingOAuth2TokenValidator}.
 *
 * @param issuer the value the token's {@code iss} claim is expected to carry
 * @return a delegating validator over the standard timestamp and issuer validators
 * @throws IllegalArgumentException if {@code issuer} is {@code null} (rejected by {@link JwtIssuerValidator})
 */
public static OAuth2TokenValidator<Jwt> createDefaultWithIssuer(String issuer) {
    OAuth2TokenValidator<Jwt> timestampCheck = new JwtTimestampValidator();
    OAuth2TokenValidator<Jwt> issuerCheck = new JwtIssuerValidator(issuer);
    List<OAuth2TokenValidator<Jwt>> chain = new ArrayList<>(2);
    chain.add(timestampCheck);
    chain.add(issuerCheck);
    return new DelegatingOAuth2TokenValidator<>(chain);
}
@Test
public void validateWhenIssuerMatchesAndIsNotAUriThenReturnsSuccess() {
    // The "iss" claim is compared literally, so a plain, non-URI issuer string must still be accepted.
    JwtIssuerValidator issuerValidator = new JwtIssuerValidator("issuer");
    Jwt token = new Jwt(
            MOCK_TOKEN,
            MOCK_ISSUED_AT,
            MOCK_EXPIRES_AT,
            MOCK_HEADERS,
            Collections.singletonMap(JwtClaimNames.ISS, "issuer"));

    OAuth2TokenValidatorResult result = issuerValidator.validate(token);

    assertThat(result).isEqualTo(OAuth2TokenValidatorResult.success());
}
@Test
public void validateWhenJwtIsNullThenThrowsIllegalArgumentException() {
    // A missing token is a programming error; it must be rejected up front rather than fail later.
    Jwt absent = null;

    assertThatCode(() -> this.validator.validate(absent))
            .isInstanceOf(IllegalArgumentException.class);
}
@Test
public void validateWhenIssuerMatchesThenReturnsSuccess() {
    // Uses the raw claim name "iss" rather than JwtClaimNames.ISS to pin the literal claim key.
    Jwt token = new Jwt(
            MOCK_TOKEN,
            MOCK_ISSUED_AT,
            MOCK_EXPIRES_AT,
            MOCK_HEADERS,
            Collections.singletonMap("iss", ISSUER));

    OAuth2TokenValidatorResult result = this.validator.validate(token);

    assertThat(result).isEqualTo(OAuth2TokenValidatorResult.success());
}
@Test
public void constructorWhenNullIssuerIsGivenThenThrowsIllegalArgumentException() {
    // Construction must fail fast: a validator without an expected issuer could never reject anything.
    String noIssuer = null;

    assertThatCode(() -> new JwtIssuerValidator(noIssuer))
            .isInstanceOf(IllegalArgumentException.class);
}
}
@Test
public void validateWhenIssuerMismatchesThenReturnsError() {
    // A token minted by a different issuer must produce at least one validation error.
    Jwt foreignToken = new Jwt(
            MOCK_TOKEN,
            MOCK_ISSUED_AT,
            MOCK_EXPIRES_AT,
            MOCK_HEADERS,
            Collections.singletonMap(JwtClaimNames.ISS, "https://other"));

    assertThat(this.validator.validate(foreignToken).getErrors()).isNotEmpty();
}
/**
 * Assembles the validator chain applied to IAP-issued JWTs: timestamp checks, an issuer check
 * against the configured IAP issuer, and the supplied audience check.
 *
 * <p>Only registered when no bean named {@code iapJwtDelegatingValidator} already exists, so an
 * application can replace the whole chain by declaring its own.
 *
 * @param properties        IAP settings; only {@code getIssuer()} is read here
 * @param audienceValidator the audience check to append to the chain
 * @return a delegating validator running all three checks
 */
@Bean
@ConditionalOnMissingBean(name = "iapJwtDelegatingValidator")
public DelegatingOAuth2TokenValidator<Jwt> iapJwtDelegatingValidator(IapAuthenticationProperties properties,
        AudienceValidator audienceValidator) {
    OAuth2TokenValidator<Jwt> timestampCheck = new JwtTimestampValidator();
    OAuth2TokenValidator<Jwt> issuerCheck = new JwtIssuerValidator(properties.getIssuer());

    List<OAuth2TokenValidator<Jwt>> chain = new ArrayList<>(3);
    chain.add(timestampCheck);
    chain.add(issuerCheck);
    chain.add(audienceValidator);

    // The audience is configuration, not a secret, so logging it at INFO is acceptable.
    if (LOGGER.isInfoEnabled()) {
        LOGGER.info("Audience configured for IAP JWT validation: " + audienceValidator.getAudience());
    }
    return new DelegatingOAuth2TokenValidator<>(chain);
}
@Test
public void validateWhenJwtHasNoIssuerThenReturnsError() {
    // Only an "aud" claim is present; with no "iss" claim the issuer check must fail, not pass silently.
    Jwt tokenWithoutIssuer = new Jwt(
            MOCK_TOKEN,
            MOCK_ISSUED_AT,
            MOCK_EXPIRES_AT,
            MOCK_HEADERS,
            Collections.singletonMap(JwtClaimNames.AUD, "https://aud"));

    assertThat(this.validator.validate(tokenWithoutIssuer).getErrors()).isNotEmpty();
}
/**
 * Builds the default {@link Jwt} validator for a known issuer: a {@link JwtTimestampValidator}
 * chained with a {@link JwtIssuerValidator} bound to {@code issuer}.
 *
 * <p>Callers that need further checks (an audience check, for instance) can combine the returned
 * validator with their own in a {@code DelegatingOAuth2TokenValidator}.
 *
 * @param issuer the value the token's {@code iss} claim is expected to carry
 * @return a delegating validator over the standard timestamp and issuer validators
 * @throws IllegalArgumentException if {@code issuer} is {@code null} (rejected by {@link JwtIssuerValidator})
 */
public static OAuth2TokenValidator<Jwt> createDefaultWithIssuer(String issuer) {
    OAuth2TokenValidator<Jwt> timestampCheck = new JwtTimestampValidator();
    OAuth2TokenValidator<Jwt> issuerCheck = new JwtIssuerValidator(issuer);
    List<OAuth2TokenValidator<Jwt>> chain = new ArrayList<>(2);
    chain.add(timestampCheck);
    chain.add(issuerCheck);
    return new DelegatingOAuth2TokenValidator<>(chain);
}
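/**
 * Builds the {@link JwtDecoder} for Okta-issued tokens.
 *
 * <p>Signatures are verified against the configured JWK set URI; the decoded token is then run
 * through timestamp, issuer and audience validation. A token whose {@code aud} claim is absent is
 * rejected with {@code INVALID_AUDIENCE} like any other audience mismatch, instead of letting a
 * {@link NullPointerException} escape the validator.
 *
 * @param oAuth2ResourceServerProperties source of the issuer URI and JWK set URI
 * @param oktaOAuth2Properties           source of the single expected audience
 * @return a decoder that rejects tokens failing any of the three checks
 */
@Bean
@ConditionalOnMissingBean
JwtDecoder jwtDecoder(OAuth2ResourceServerProperties oAuth2ResourceServerProperties,
        OktaOAuth2Properties oktaOAuth2Properties) {
    // Read once at bean creation; the audience lambda below runs for every decoded token.
    String expectedAudience = oktaOAuth2Properties.getAudience();

    List<OAuth2TokenValidator<Jwt>> validators = new ArrayList<>(3);
    validators.add(new JwtTimestampValidator());
    validators.add(new JwtIssuerValidator(oAuth2ResourceServerProperties.getJwt().getIssuerUri()));
    validators.add(token -> {
        // getAudience() can presumably be null when the token carries no "aud" claim; treat that as
        // an audience failure (fail closed) rather than throwing from inside the validator chain.
        List<String> audience = token.getAudience();
        boolean audienceMatches = audience != null && audience.contains(expectedAudience);
        return audienceMatches
                ? OAuth2TokenValidatorResult.success()
                : OAuth2TokenValidatorResult.failure(INVALID_AUDIENCE); // INVALID_AUDIENCE: class-level error constant
    });
    OAuth2TokenValidator<Jwt> validator = new DelegatingOAuth2TokenValidator<>(validators);

    NimbusJwtDecoderJwkSupport decoder =
            new NimbusJwtDecoderJwkSupport(oAuth2ResourceServerProperties.getJwt().getJwkSetUri());
    decoder.setJwtValidator(validator);
    decoder.setRestOperations(restOperations()); // restOperations() is a sibling bean method in this class
    return decoder;
}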