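/**
 * Creates a {@link ReactiveJwtDecoder} using the provided
 * <a href="http://openid.net/specs/openid-connect-core-1_0.html#IssuerIdentifier">Issuer</a> by making an
 * <a href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest">OpenID Provider
 * Configuration Request</a> and using the values in the
 * <a href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse">OpenID
 * Provider Configuration Response</a> to initialize the {@link ReactiveJwtDecoder}.
 * <p>
 * The {@code issuer} advertised in the configuration must be exactly equal to {@code oidcIssuerLocation}, and the
 * configuration must carry a {@code jwks_uri}. Both conditions are checked explicitly so that an incomplete or
 * substituted discovery document is rejected with a descriptive error instead of a bare {@code NullPointerException}.
 *
 * @param oidcIssuerLocation the <a href="http://openid.net/specs/openid-connect-core-1_0.html#IssuerIdentifier">Issuer</a>
 * @return a {@link ReactiveJwtDecoder} that was initialized by the OpenID Provider Configuration.
 * @throws IllegalStateException if the configuration's {@code issuer} is absent or differs from the requested one,
 *         or if the configuration does not contain a {@code jwks_uri}
 */
public static ReactiveJwtDecoder fromOidcIssuerLocation(String oidcIssuerLocation) {
	Map<String, Object> openidConfiguration = getOpenidConfiguration(oidcIssuerLocation);

	// Issuer pinning: only accept metadata that names exactly the issuer the caller asked for, so a
	// misconfigured or redirected discovery endpoint cannot steer this decoder to a foreign key set.
	// A missing or null "issuer" is treated as a mismatch rather than compared against a sentinel.
	Object rawIssuer = openidConfiguration.get("issuer");
	String metadataIssuer = (rawIssuer == null) ? "(unavailable)" : rawIssuer.toString();
	if (rawIssuer == null || !oidcIssuerLocation.equals(metadataIssuer)) {
		throw new IllegalStateException("The Issuer \"" + metadataIssuer + "\" provided in the OpenID Configuration " +
				"did not match the requested issuer \"" + oidcIssuerLocation + "\"");
	}

	// jwks_uri is REQUIRED by the discovery spec; fail with a clear message instead of dereferencing null.
	Object jwkSetUri = openidConfiguration.get("jwks_uri");
	if (jwkSetUri == null) {
		throw new IllegalStateException("The OpenID Configuration for \"" + oidcIssuerLocation +
				"\" did not contain a jwks_uri");
	}

	// The default validator enforces timestamps and the iss claim against the requested issuer.
	OAuth2TokenValidator<Jwt> jwtValidator = JwtValidators.createDefaultWithIssuer(oidcIssuerLocation);
	NimbusReactiveJwtDecoder jwtDecoder = new NimbusReactiveJwtDecoder(jwkSetUri.toString());
	jwtDecoder.setJwtValidator(jwtValidator);
	return jwtDecoder;
}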
@Test
public void issuerWhenResponseIsMalformedThenThrowsRuntimeException() {
	// An unparseable discovery document must not yield a decoder; it must surface as a RuntimeException.
	prepareOpenIdConfigurationResponse("malformed");
	String issuerLocation = this.issuer;
	assertThatCode(() -> ReactiveJwtDecoders.fromOidcIssuerLocation(issuerLocation))
			.isInstanceOf(RuntimeException.class);
}
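/**
 * Creates a {@link ReactiveJwtDecoder} using the provided
 * <a href="http://openid.net/specs/openid-connect-core-1_0.html#IssuerIdentifier">Issuer</a> by making an
 * <a href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest">OpenID Provider
 * Configuration Request</a> and using the values in the
 * <a href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse">OpenID
 * Provider Configuration Response</a> to initialize the {@link ReactiveJwtDecoder}.
 * <p>
 * The {@code issuer} advertised in the configuration must be exactly equal to {@code oidcIssuerLocation}, and the
 * configuration must carry a {@code jwks_uri}. Both conditions are checked explicitly so that an incomplete or
 * substituted discovery document is rejected with a descriptive error instead of a bare {@code NullPointerException}.
 *
 * @param oidcIssuerLocation the <a href="http://openid.net/specs/openid-connect-core-1_0.html#IssuerIdentifier">Issuer</a>
 * @return a {@link ReactiveJwtDecoder} that was initialized by the OpenID Provider Configuration.
 * @throws IllegalStateException if the configuration's {@code issuer} is absent or differs from the requested one,
 *         or if the configuration does not contain a {@code jwks_uri}
 */
public static ReactiveJwtDecoder fromOidcIssuerLocation(String oidcIssuerLocation) {
	Map<String, Object> openidConfiguration = getOpenidConfiguration(oidcIssuerLocation);

	// Issuer pinning: only accept metadata that names exactly the issuer the caller asked for, so a
	// misconfigured or redirected discovery endpoint cannot steer this decoder to a foreign key set.
	// A missing or null "issuer" is treated as a mismatch rather than compared against a sentinel.
	Object rawIssuer = openidConfiguration.get("issuer");
	String metadataIssuer = (rawIssuer == null) ? "(unavailable)" : rawIssuer.toString();
	if (rawIssuer == null || !oidcIssuerLocation.equals(metadataIssuer)) {
		throw new IllegalStateException("The Issuer \"" + metadataIssuer + "\" provided in the OpenID Configuration " +
				"did not match the requested issuer \"" + oidcIssuerLocation + "\"");
	}

	// jwks_uri is REQUIRED by the discovery spec; fail with a clear message instead of dereferencing null.
	Object jwkSetUri = openidConfiguration.get("jwks_uri");
	if (jwkSetUri == null) {
		throw new IllegalStateException("The OpenID Configuration for \"" + oidcIssuerLocation +
				"\" did not contain a jwks_uri");
	}

	// The default validator enforces timestamps and the iss claim against the requested issuer.
	OAuth2TokenValidator<Jwt> jwtValidator = JwtValidators.createDefaultWithIssuer(oidcIssuerLocation);
	NimbusReactiveJwtDecoder jwtDecoder = new NimbusReactiveJwtDecoder(jwkSetUri.toString());
	jwtDecoder.setJwtValidator(jwtValidator);
	return jwtDecoder;
}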
@Test
public void issuerWhenRespondingIssuerMismatchesRequestedIssuerThenThrowsIllegalStateException() {
	// The metadata advertises this.issuer; asking for a different issuer must be refused.
	prepareOpenIdConfigurationResponse();
	String mismatchedIssuer = this.issuer + "/wrong";
	assertThatCode(() -> ReactiveJwtDecoders.fromOidcIssuerLocation(mismatchedIssuer))
			.isInstanceOf(IllegalStateException.class);
}
@Test
public void issuerWhenRequestedIssuerIsUnresponsiveThenThrowsIllegalArgumentException() throws Exception {
	// With no server listening, discovery cannot complete and must be reported as a bad argument.
	String unreachableIssuer = "https://issuer";
	this.server.shutdown();
	assertThatCode(() -> ReactiveJwtDecoders.fromOidcIssuerLocation(unreachableIssuer))
			.isInstanceOf(IllegalArgumentException.class);
}
@Test
public void issuerWhenResponseIsNonCompliantThenThrowsRuntimeException() {
	// Well-formed JSON that lacks the required discovery keys must still be rejected.
	String nonCompliantBody = "{ \"missing_required_keys\" : \"and_values\" }";
	prepareOpenIdConfigurationResponse(nonCompliantBody);
	String issuerLocation = this.issuer;
	assertThatCode(() -> ReactiveJwtDecoders.fromOidcIssuerLocation(issuerLocation))
			.isInstanceOf(RuntimeException.class);
}
@Test
public void issuerWhenResponseIsTypicalThenReturnedDecoderValidatesIssuer() {
	// First response: discovery document; second response: the JWK Set the decoder fetches for verification.
	prepareOpenIdConfigurationResponse();
	MockResponse jwkSetResponse = new MockResponse().setBody(JWK_SET);
	this.server.enqueue(jwkSetResponse);

	ReactiveJwtDecoder decoder = ReactiveJwtDecoders.fromOidcIssuerLocation(this.issuer);

	// A token whose iss claim differs from the configured issuer must be rejected by the decoder's validator.
	assertThatCode(() -> decoder.decode(ISSUER_MISMATCH).block())
			.isInstanceOf(JwtValidationException.class)
			.hasMessageContaining("This iss claim is not equal to the configured issuer");
}