/**
 * Converts a {@code JWSAlgorithm} into its database representation.
 *
 * @param attribute the algorithm to persist, may be {@code null}
 * @return the algorithm's name, or {@code null} when {@code attribute} is {@code null}
 */
@Override
public String convertToDatabaseColumn(JWSAlgorithm attribute) {
    return attribute == null ? null : attribute.getName();
}
/**
 * Returns the name of the configured default signing algorithm.
 *
 * @return the algorithm name, or {@code null} when no default algorithm is configured
 */
public String getDefaultSigningAlgorithmName() {
    return defaultAlgorithm == null ? null : defaultAlgorithm.getName();
}
public JsonPrimitive serialize(PKCEAlgorithm src, Type typeOfSrc, JsonSerializationContext context) { if (src != null) { return new JsonPrimitive(src.getName()); } else { return null;
.value((client.getSubjectType() != null) ? client.getSubjectType().getValue() : null); writer.name(REQUEST_OBJECT_SIGNING_ALG) .value((client.getRequestObjectSigningAlg() != null) ? client.getRequestObjectSigningAlg().getName() : null); writer.name(ID_TOKEN_SIGNED_RESPONSE_ALG) .value((client.getIdTokenSignedResponseAlg() != null) ? client.getIdTokenSignedResponseAlg().getName() : null); writer.name(ID_TOKEN_ENCRYPTED_RESPONSE_ALG) .value((client.getIdTokenEncryptedResponseAlg() != null) ? client.getIdTokenEncryptedResponseAlg().getName() : null); .value((client.getIdTokenEncryptedResponseEnc() != null) ? client.getIdTokenEncryptedResponseEnc().getName() : null); writer.name(USER_INFO_SIGNED_RESPONSE_ALG) .value((client.getUserInfoSignedResponseAlg() != null) ? client.getUserInfoSignedResponseAlg().getName() : null); writer.name(USER_INFO_ENCRYPTED_RESPONSE_ALG) .value((client.getUserInfoEncryptedResponseAlg() != null) ? client.getUserInfoEncryptedResponseAlg().getName() : null); .value((client.getUserInfoEncryptedResponseEnc() != null) ? client.getUserInfoEncryptedResponseEnc().getName() : null); writer.name(TOKEN_ENDPOINT_AUTH_SIGNING_ALG) .value((client.getTokenEndpointAuthSigningAlg() != null) ? client.getTokenEndpointAuthSigningAlg().getName() : null); writer.name(DEFAULT_MAX_AGE).value(client.getDefaultMaxAge()); Boolean requireAuthTime = null;
o.addProperty(SECTOR_IDENTIFIER_URI, c.getSectorIdentifierUri()); o.addProperty(SUBJECT_TYPE, c.getSubjectType() != null ? c.getSubjectType().getValue() : null); o.addProperty(REQUEST_OBJECT_SIGNING_ALG, c.getRequestObjectSigningAlg() != null ? c.getRequestObjectSigningAlg().getName() : null); o.addProperty(USERINFO_SIGNED_RESPONSE_ALG, c.getUserInfoSignedResponseAlg() != null ? c.getUserInfoSignedResponseAlg().getName() : null); o.addProperty(USERINFO_ENCRYPTED_RESPONSE_ALG, c.getUserInfoEncryptedResponseAlg() != null ? c.getUserInfoEncryptedResponseAlg().getName() : null); o.addProperty(USERINFO_ENCRYPTED_RESPONSE_ENC, c.getUserInfoEncryptedResponseEnc() != null ? c.getUserInfoEncryptedResponseEnc().getName() : null); o.addProperty(ID_TOKEN_SIGNED_RESPONSE_ALG, c.getIdTokenSignedResponseAlg() != null ? c.getIdTokenSignedResponseAlg().getName() : null); o.addProperty(ID_TOKEN_ENCRYPTED_RESPONSE_ALG, c.getIdTokenEncryptedResponseAlg() != null ? c.getIdTokenEncryptedResponseAlg().getName() : null); o.addProperty(ID_TOKEN_ENCRYPTED_RESPONSE_ENC, c.getIdTokenEncryptedResponseEnc() != null ? c.getIdTokenEncryptedResponseEnc().getName() : null); o.addProperty(TOKEN_ENDPOINT_AUTH_SIGNING_ALG, c.getTokenEndpointAuthSigningAlg() != null ? c.getTokenEndpointAuthSigningAlg().getName() : null); o.addProperty(DEFAULT_MAX_AGE, c.getDefaultMaxAge()); o.addProperty(REQUIRE_AUTH_TIME, c.getRequireAuthTime());
throw new InvalidClientException("Client's registered request object signing algorithm (" + client.getRequestObjectSigningAlg() + ") does not match request object's actual algorithm (" + alg.getName() + ")");
!client.getTokenEndpointAuthSigningAlg().equals(alg)) { throw new AuthenticationServiceException("Client's registered token endpoint signing algorithm (" + client.getTokenEndpointAuthSigningAlg() + ") does not match token's actual algorithm (" + alg.getName() + ")");
ECPublicKey publicKey = getKey(jwsHeader.getKeyID(), jwsHeader.getAlgorithm().getName());
/**
 * Lists the request object signing algorithms advertised as supported.
 * <p>
 * The list contains {@code RS256}, {@code RS384}, {@code RS512}, {@code PS256} and the
 * unsecured {@code none} algorithm. Because {@code none} is advertised here, code that
 * consumes request objects must decide acceptance from the client's registered algorithm,
 * not from this list alone. NOTE(review): confirm the consumer enforces that.
 *
 * @return a new, mutable list of algorithm names
 */
public static List<String> getRequestObjectSigningAlgValuesSupported() {
    final JWSAlgorithm[] advertised = {
        JWSAlgorithm.RS256,
        JWSAlgorithm.RS384,
        JWSAlgorithm.RS512,
        JWSAlgorithm.PS256,
        JWSAlgorithm.NONE
    };
    final List<String> names = new ArrayList<>(advertised.length);
    for (JWSAlgorithm algorithm : advertised) {
        names.add(algorithm.getName());
    }
    return names;
}
/**
 * Creates a new JWS header builder for the given algorithm.
 *
 * @param alg The JWS algorithm ({@code alg}) parameter. Must not be
 *            {@code null} and must not be the unsecured {@code none}
 *            algorithm.
 * @throws IllegalArgumentException if {@code alg} is {@code none}
 * @throws NullPointerException if {@code alg} is {@code null}
 */
public Builder(final JWSAlgorithm alg) {
    final String requested = alg.getName();
    final String unsecured = Algorithm.NONE.getName();
    // Unsecured JWS objects cannot be built through this API, so reject "none" up front.
    if (requested.equals(unsecured)) {
        throw new IllegalArgumentException("The JWS algorithm \"alg\" cannot be \"none\"");
    }
    this.alg = alg;
}
/**
 * Maps a signature algorithm name as configured in identity.xml to the
 * corresponding Nimbus {@code JWSAlgorithm} name.
 *
 * @param signatureAlgorithm name of the signature algorithm from the configuration
 * @return the mapped {@code JWSAlgorithm} name
 * @throws IdentityOAuth2Exception propagated from the underlying mapping
 * @deprecated use {@link #mapSignatureAlgorithmForJWSAlgorithm(String)}, which
 *             returns the algorithm object itself rather than only its name
 */
@Deprecated
public static String mapSignatureAlgorithm(String signatureAlgorithm) throws IdentityOAuth2Exception {
    final String mappedName = mapSignatureAlgorithmForJWSAlgorithm(signatureAlgorithm).getName();
    return mappedName;
}
/**
 * Tells whether the configured signature algorithm is the unsecured {@code none},
 * i.e. whether the ID token will be issued without a signature.
 */
private boolean isUnsignedIDToken() {
    final String unsecured = JWSAlgorithm.NONE.getName();
    final String configured = signatureAlgorithm.getName();
    return unsecured.equals(configured);
}
/**
 * Tells whether the configured signature algorithm is anything other than the
 * unsecured {@code none}, i.e. whether the ID token will carry a signature.
 */
private boolean isIDTokenSigned() {
    final String unsecured = JWSAlgorithm.NONE.getName();
    if (unsecured.equals(signatureAlgorithm.getName())) {
        return false;
    }
    return true;
}
/**
 * Returns {@code true} unless the configured signature algorithm is the unsecured
 * {@code none}; only in that case is the ID token left unsigned.
 */
private boolean isIDTokenSigned() {
    final String configured = signatureAlgorithm.getName();
    final boolean unsigned = JWSAlgorithm.NONE.getName().equals(configured);
    return !unsigned;
}
/**
 * Checks whether the given JWS algorithm is supported by at least one of the
 * installed JCA providers.
 * <p>
 * The unsecured {@code none} algorithm needs no provider and is always reported
 * as supported; callers deciding whether to accept a JWS must therefore not
 * equate "supported" with "acceptable".
 *
 * @param alg The JWS algorithm. Must not be {@code null}.
 * @return {@code true} if the algorithm is {@code none} or some installed
 *         provider supports it, else {@code false}.
 */
public static boolean isSupported(final JWSAlgorithm alg) {
    if (alg.getName().equals(Algorithm.NONE.getName())) {
        return true;
    }
    final Provider[] installed = Security.getProviders();
    for (int i = 0; i < installed.length; i++) {
        if (isSupported(alg, installed[i])) {
            return true;
        }
    }
    return false;
}
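/**
 * Parses {@code token} as a JWS object, checks that its {@code alg} header is one of the
 * configured {@code supportedAlgorithms}, and delegates the actual signature check to
 * {@code verify(token, jwsObject, null, null, key, jcaProvider)}. The original comment's
 * key selection (the {@code kid} header, falling back to {@code jwtSigningPublicKey}) is not
 * performed in this body; presumably it happens inside {@code verify}.
 *
 * @param token       the compact-serialised JWS to verify; attacker-controlled until verified
 * @param key         the key handed to {@code verify}
 * @param jcaProvider the JCA provider handed to {@code verify}
 * @throws TokenUnparseableException            if the token cannot be parsed or has no header
 * @throws SigningAlgorithmUnsupportedException if the header algorithm is not in {@code supportedAlgorithms}
 */
private void verifySignature(final String token, final Key key, final Provider jcaProvider) {
    final JWSObject jwsObject;
    try {
        jwsObject = JWSObject.parse(token);
    } catch (final ParseException e) {
        // The token is a bearer credential: record that parsing failed, but keep the token
        // itself out of the log.
        logger.warning(Oauth2Codes.JWT_UNABLE_PARSE, "Unable to parse token");
        throw new TokenUnparseableException("The token is invalid", null);
    }
    final JWSHeader header = jwsObject.getHeader();
    if (header == null) {
        logger.warning(Oauth2Codes.JWT_INVALID_HEADER, "The JWT does not have a valid header");
        throw new TokenUnparseableException("The token header is invalid", null);
    }
    // Only an allow-listed algorithm may reach the verifier: the header is untrusted input until
    // the signature has been checked.
    final String algName = header.getAlgorithm().getName();
    if (!supportedAlgorithms.contains(algName)) {
        throw new SigningAlgorithmUnsupportedException(
            String.format("Algorithm %s is not supported.", algName),
            null,
            algName,
            supportedAlgorithms.toArray(new String[0]));
    }
    verify(token, jwsObject, null, null, key, jcaProvider);
}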
String alg = signedJWT.getHeader().getAlgorithm().getName(); if (log.isDebugEnabled()) { log.debug("Signature Algorithm found in the JWT Header: " + alg);
/**
 * Parses a compact JWS string into an unverified JWT view.
 * <p>
 * No signature check is performed here; the result only exposes what the token says
 * about itself (header algorithm name, issuer, subject and the raw payload text).
 *
 * @param jwt the compact-serialised JWS
 * @return the unverified JWT
 * @throws JwtParseException if the payload cannot be parsed as a claims set (and,
 *                           presumably, if {@code parseJWSObject} rejects the token)
 */
public SimpleUnverifiedJwt parse(String jwt) throws JwtParseException {
    final JWSObject jwsObject = parseJWSObject(jwt);
    try {
        final JWTClaimsSet claims = JWTClaimsSet.parse(jwsObject.getPayload().toJSONObject());
        final String algorithmName = jwsObject.getHeader().getAlgorithm().getName();
        final String issuer = claims.getIssuer();
        final String subject = claims.getSubject();
        final String rawPayload = jwsObject.getPayload().toString();
        return new SimpleUnverifiedJwt(algorithmName, issuer, subject, rawPayload);
    } catch (ParseException e) {
        throw new JwtParseException(e);
    }
}
/**
 * Builds a signature-verifiable JWT from a parsed JWS object and its claims.
 * <p>
 * Nothing is verified here: the header values (algorithm, key ID) and the claims are
 * copied from the as-yet-untrusted token; verification is presumably left to the
 * returned {@code NimbusVerifiableJwt}.
 *
 * @param jwsObject a JSON web signature object
 * @param claims    the JWT claims set
 * @return a JWT whose signature can be verified later
 * @throws UnsupportedAlgorithmException if the header's signing algorithm is not supported
 */
public static VerifiableJwt buildVerifiableJwt(JWSObject jwsObject, JWTClaimsSet claims) throws UnsupportedAlgorithmException {
    final String algorithmName = jwsObject.getHeader().getAlgorithm().getName();
    final String keyId = jwsObject.getHeader().getKeyID();
    final Jwt unverifiedJwt = JwtBuilder.newJwt()
        .algorithm(getSigningAlgorithm(algorithmName))
        .keyId(keyId)
        .issuer(claims.getIssuer())
        .subject(option(claims.getSubject()))
        .audience(claims.getAudience())
        .expirationTime(DATE_TO_DATETIME.apply(claims.getExpirationTime()))
        .issuedAt(DATE_TO_DATETIME.apply(claims.getIssueTime()))
        .notBefore(option(claims.getNotBeforeTime()).map(DATE_TO_DATETIME))
        .build();
    return new NimbusVerifiableJwt(unverifiedJwt, jwsObject);
}