/**
 * Extracts the {@code iss} claim from a compact-serialized JWT.
 *
 * <p>The token is only parsed here, never verified: the returned issuer comes
 * from an unauthenticated payload, so it is only good for choosing which key
 * set / validator to verify the token against, not as a trusted fact on its own.
 *
 * @param accessToken compact-serialized JWT
 * @return the issuer claim, or {@code null} if the token carries none
 * @throws IllegalArgumentException if the string is not a parseable JWT
 */
private String getIssuer(String accessToken) {
    try {
        return JWTParser.parse(accessToken).getJWTClaimsSet().getIssuer();
    } catch (ParseException e) {
        throw new IllegalArgumentException("Unable to parse JWT", e);
    }
}
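/**
 * Maps an OIDC identity into local authorities.
 *
 * <p>Every subject receives {@code ROLE_USER} plus a
 * {@link SubjectIssuerGrantedAuthority} naming its (subject, issuer) pair;
 * {@code ROLE_ADMIN} is added only when that exact pair is listed in
 * {@code admins}. Matching on the pair rather than the bare {@code sub} matters:
 * the same subject identifier from a different issuer is a different principal.
 *
 * <p>Nothing here re-validates the ID token (signature, issuer, audience); the
 * caller is expected to hand in an already-validated token.
 *
 * @param idToken  the validated ID token
 * @param userInfo the UserInfo response; not consulted, authorities are derived
 *                 from the ID token alone
 * @return the granted authorities; empty if the token's claims cannot be parsed,
 *         so a malformed token fails closed with no roles at all
 */
@Override
public Collection<? extends GrantedAuthority> mapAuthorities(JWT idToken, UserInfo userInfo) {
    Set<GrantedAuthority> out = new HashSet<>();
    try {
        JWTClaimsSet claims = idToken.getJWTClaimsSet();
        SubjectIssuerGrantedAuthority authority =
                new SubjectIssuerGrantedAuthority(claims.getSubject(), claims.getIssuer());
        out.add(authority);
        if (admins.contains(authority)) {
            out.add(ROLE_ADMIN);
        }
        // everybody's a user by default
        out.add(ROLE_USER);
    } catch (ParseException e) {
        // Keep the cause: a bare message hides *why* a supposedly-validated token failed to parse.
        logger.error("Unable to parse ID Token inside of authorities mapper (huh?)", e);
    }
    return out;
}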
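/**
 * Create an unauthenticated token carrying a client's JWT assertion.
 *
 * <p>The {@code sub} claim is copied out eagerly so it survives a later
 * {@code eraseCredentials()} that drops the JWT itself. A JWT whose claims
 * cannot be parsed is rejected outright rather than producing an
 * authentication token with a {@code null} subject.
 *
 * @param jwt the (not yet verified) assertion presented by the client
 * @throws IllegalArgumentException if the JWT's claims set cannot be parsed
 */
public JWTBearerAssertionAuthenticationToken(JWT jwt) {
    super(null);
    try {
        // save the subject of the JWT in case the credentials get erased later
        this.subject = jwt.getJWTClaimsSet().getSubject();
    } catch (ParseException e) {
        // Fail closed: never hand out a principal whose identity we could not read.
        throw new IllegalArgumentException("Unable to parse JWT", e);
    }
    this.jwt = jwt;
    setAuthenticated(false);
}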
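/**
 * Create an authenticated token for a client whose JWT assertion has been
 * accepted, carrying the authorities granted to it.
 *
 * <p>The {@code sub} claim is copied out eagerly so it survives a later
 * {@code eraseCredentials()} that drops the JWT itself. Because this token is
 * marked authenticated, an unreadable claims set is rejected outright: an
 * authenticated principal with a {@code null} subject must never exist.
 *
 * @param jwt         the assertion the authentication manager accepted
 * @param authorities the authorities granted to the client
 * @throws IllegalArgumentException if the JWT's claims set cannot be parsed
 */
public JWTBearerAssertionAuthenticationToken(JWT jwt, Collection<? extends GrantedAuthority> authorities) {
    super(authorities);
    try {
        // save the subject of the JWT in case the credentials get erased later
        this.subject = jwt.getJWTClaimsSet().getSubject();
    } catch (ParseException e) {
        // Fail closed rather than printing the trace and continuing with subject == null.
        throw new IllegalArgumentException("Unable to parse JWT", e);
    }
    this.jwt = jwt;
    setAuthenticated(true);
}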
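/**
 * Pull the assertion out of the request and send it up to the auth manager for processing.
 *
 * <p>Only request-level checks live here: the assertion type must be the JWT
 * bearer type defined by RFC 7523 and the assertion must be present and
 * parseable. Signature, issuer, audience and expiry are the authentication
 * manager's job; the token handed to it is still unauthenticated.
 *
 * @param request  the token-endpoint request carrying {@code client_assertion_type}
 *                 and {@code client_assertion}
 * @param response unused
 * @return whatever the configured authentication manager returns for the assertion
 * @throws BadCredentialsException if the assertion type is wrong or missing, or the
 *         assertion is missing or not a parseable JWT
 */
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
        throws AuthenticationException, IOException, ServletException {
    // check for appropriate parameters
    String assertionType = request.getParameter("client_assertion_type");
    String assertion = request.getParameter("client_assertion");

    // RFC 7523 §2.2 fixes the type URN; a request that omits or changes it is not a
    // JWT bearer client authentication and must not be processed as one.
    if (!"urn:ietf:params:oauth:client-assertion-type:jwt-bearer".equals(assertionType)) {
        throw new BadCredentialsException("Unsupported or missing client_assertion_type");
    }
    if (assertion == null || assertion.isEmpty()) {
        throw new BadCredentialsException("Missing client_assertion");
    }

    try {
        JWT jwt = JWTParser.parse(assertion);
        Authentication authRequest = new JWTBearerAssertionAuthenticationToken(jwt);
        return this.getAuthenticationManager().authenticate(authRequest);
    } catch (ParseException e) {
        // Do not echo the assertion: it is a credential, and exception messages
        // routinely end up in logs and error responses.
        throw new BadCredentialsException("Invalid JWT credential", e);
    }
}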
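/**
 * Accepts an assertion only if it is signed, names this server as its issuer,
 * verifies under this server's own keys, and has not expired.
 *
 * <p>The issuer is read from the still-unverified payload, but nothing is
 * trusted until {@code validateSignature} succeeds. Audience, {@code nbf} and
 * {@code jti} replay protection are not checked here and must be enforced by
 * the caller if required.
 *
 * @param assertion the parsed assertion
 * @return {@code true} only if every check passes
 */
@Override
public boolean isValid(JWT assertion) {
    if (!(assertion instanceof SignedJWT)) {
        // unsigned assertion
        return false;
    }
    JWTClaimsSet claims;
    try {
        claims = assertion.getJWTClaimsSet();
    } catch (ParseException e) {
        logger.debug("Invalid assertion claims");
        return false;
    }
    // make sure the issuer exists
    if (Strings.isNullOrEmpty(claims.getIssuer())) {
        logger.debug("No issuer for assertion, rejecting");
        return false;
    }
    // make sure the issuer is us
    if (!claims.getIssuer().equals(config.getIssuer())) {
        logger.debug("Issuer is not the same as this server, rejecting");
        return false;
    }
    // validate the signature based on our public key
    if (!jwtService.validateSignature((SignedJWT) assertion)) {
        return false;
    }
    // A validly signed but stale assertion must not be honored. A missing exp is
    // tolerated so tokens this server issues without a lifetime keep working;
    // NOTE(review): RFC 7523 §3 makes exp REQUIRED, consider rejecting null too.
    if (claims.getExpirationTime() != null
            && claims.getExpirationTime().getTime() <= System.currentTimeMillis()) {
        logger.debug("Assertion has expired, rejecting");
        return false;
    }
    return true;
}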
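/**
 * Accepts an assertion only if it is signed, its issuer is on the configured
 * whitelist, its signature verifies against the JWK Set URI registered for
 * that issuer, and it has not expired.
 *
 * <p>The issuer is read from the still-unverified payload purely to select the
 * key set; nothing is trusted until {@code validateSignature} succeeds against
 * keys fetched from the whitelisted URI. Audience, {@code nbf} and {@code jti}
 * replay protection are not checked here and must be enforced by the caller if
 * required.
 *
 * @param assertion the parsed assertion
 * @return {@code true} only if every check passes
 */
@Override
public boolean isValid(JWT assertion) {
    if (!(assertion instanceof SignedJWT)) {
        // unsigned assertion
        return false;
    }
    JWTClaimsSet claims;
    try {
        claims = assertion.getJWTClaimsSet();
    } catch (ParseException e) {
        logger.debug("Invalid assertion claims");
        return false;
    }
    if (Strings.isNullOrEmpty(claims.getIssuer())) {
        logger.debug("No issuer for assertion, rejecting");
        return false;
    }
    if (!whitelist.containsKey(claims.getIssuer())) {
        logger.debug("Issuer is not in whitelist, rejecting");
        return false;
    }
    String jwksUri = whitelist.get(claims.getIssuer());
    JWTSigningAndValidationService validator = jwkCache.getValidator(jwksUri);
    // NOTE(review): presumably the cache yields null when the JWK Set cannot be
    // fetched or parsed; reject rather than dereference it.
    if (validator == null) {
        logger.debug("No validator available for issuer's JWK Set, rejecting");
        return false;
    }
    if (!validator.validateSignature((SignedJWT) assertion)) {
        return false;
    }
    // A validly signed but stale assertion must not be honored. A missing exp is
    // tolerated here; NOTE(review): RFC 7523 §3 makes exp REQUIRED, consider
    // rejecting null too.
    if (claims.getExpirationTime() != null
            && claims.getExpirationTime().getTime() <= System.currentTimeMillis()) {
        logger.debug("Assertion has expired, rejecting");
        return false;
    }
    return true;
}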
idTokenClaims = idToken.getJWTClaimsSet();
/**
 * Builds an {@link OAuth2Request} by copying scope and audience straight out
 * of the assertion.
 *
 * <p>Trust boundary: the assertion must already have been validated
 * (signature, issuer, expiry) before this is called; nothing is re-checked
 * here. The {@code scope} claim is copied verbatim and the request is marked
 * approved, so this method does not restrict the granted scopes to those the
 * client is registered for; that restriction, if wanted, has to happen
 * elsewhere in the grant flow.
 *
 * @param client       the authenticated client
 * @param tokenRequest the incoming token request; its raw parameters are kept
 * @param assertion    the validated assertion
 * @return the request, or {@code null} if the assertion's claims cannot be parsed
 */
@Override
public OAuth2Request createOAuth2Request(ClientDetails client, TokenRequest tokenRequest, JWT assertion) {
    try {
        JWTClaimsSet claims = assertion.getJWTClaimsSet();
        String scopeClaim = claims.getStringClaim("scope");
        Set<String> requestedScope = OAuth2Utils.parseParameterList(scopeClaim);
        // the assertion's audience becomes the resource IDs of the resulting request
        Set<String> resourceIds = Sets.newHashSet(claims.getAudience());
        return new OAuth2Request(
                tokenRequest.getRequestParameters(),
                client.getClientId(),
                client.getAuthorities(),
                true, // approved
                requestedScope,
                resourceIds,
                null, null, null);
    } catch (ParseException e) {
        return null;
    }
}
/**
 * Returns the registration access token presented in {@code auth}, rotating it
 * first if it is older than the configured registration-token lifetime.
 *
 * <p>Rotation revokes the presented token and issues a fresh resource access
 * token for the client. With no lifetime configured, tokens never rotate. The
 * age check uses the token's {@code iat} claim; if the stored JWT cannot be
 * parsed the presented token is kept and the failure is logged.
 *
 * @param auth   the authentication carrying the presented token value
 * @param client the client the token belongs to
 * @return the token to continue with: the presented one, or its replacement
 */
private OAuth2AccessTokenEntity fetchValidRegistrationToken(OAuth2Authentication auth, ClientDetailsEntity client) {
    OAuth2AuthenticationDetails details = (OAuth2AuthenticationDetails) auth.getDetails();
    OAuth2AccessTokenEntity current = tokenService.readAccessToken(details.getTokenValue());

    if (config.getRegTokenLifeTime() == null) {
        // tokens don't expire, just return it
        return current;
    }

    try {
        // anything issued before this instant has outlived the configured lifetime (seconds -> ms)
        long cutoffMillis = System.currentTimeMillis() - config.getRegTokenLifeTime() * 1000;
        Date issuedAt = current.getJwt().getJWTClaimsSet().getIssueTime();
        if (!issuedAt.before(new Date(cutoffMillis))) {
            // it's not expired, keep going
            return current;
        }
        logger.info("Rotating the registration access token for " + client.getClientId());
        tokenService.revokeAccessToken(current);
        OAuth2AccessTokenEntity replacement = connectTokenService.createResourceAccessToken(client);
        tokenService.saveAccessToken(replacement);
        return replacement;
    } catch (ParseException e) {
        logger.error("Couldn't parse a known-valid token?", e);
        return current;
    }
}
/**
 * Returns the registration access token presented in {@code auth}, rotating it
 * first if it is older than the configured registration-token lifetime.
 *
 * <p>Rotation revokes the presented token and issues a fresh registration
 * access token for the client. With no lifetime configured, tokens never
 * rotate. The age check uses the token's {@code iat} claim; if the stored JWT
 * cannot be parsed the presented token is kept and the failure is logged.
 *
 * @param auth   the authentication carrying the presented token value
 * @param client the client the token belongs to
 * @return the token to continue with: the presented one, or its replacement
 */
private OAuth2AccessTokenEntity rotateRegistrationTokenIfNecessary(OAuth2Authentication auth, ClientDetailsEntity client) {
    OAuth2AuthenticationDetails details = (OAuth2AuthenticationDetails) auth.getDetails();
    OAuth2AccessTokenEntity current = tokenService.readAccessToken(details.getTokenValue());

    if (config.getRegTokenLifeTime() == null) {
        // tokens don't expire, just return it
        return current;
    }

    try {
        // anything issued before this instant has outlived the configured lifetime (seconds -> ms)
        long cutoffMillis = System.currentTimeMillis() - config.getRegTokenLifeTime() * 1000;
        Date issuedAt = current.getJwt().getJWTClaimsSet().getIssueTime();
        if (!issuedAt.before(new Date(cutoffMillis))) {
            // it's not expired, keep going
            return current;
        }
        logger.info("Rotating the registration access token for " + client.getClientId());
        tokenService.revokeAccessToken(current);
        OAuth2AccessTokenEntity replacement = connectTokenService.createRegistrationAccessToken(client);
        tokenService.saveAccessToken(replacement);
        return replacement;
    } catch (ParseException e) {
        logger.error("Couldn't parse a known-valid token?", e);
        return current;
    }
}
claimsSet = successResponse.getUserInfo().toJWTClaimsSet(); } else { claimsSet = successResponse.getUserInfoJWT().getJWTClaimsSet();
JWTClaimsSet idClaims = idToken.getJWTClaimsSet();
JWTClaimsSet claims = jwt.getJWTClaimsSet();
JWTClaimsSet jwtClaims = jwt.getJWTClaimsSet();
JWTClaimsSet claimSet = newClient.getSoftwareStatement().getJWTClaimsSet(); for (String claim : claimSet.getClaims().keySet()) { switch (claim) {
JWTClaimsSet claimSet = newClient.getSoftwareStatement().getJWTClaimsSet(); for (String claim : claimSet.getClaims().keySet()) { switch (claim) {
/**
 * Extracts the {@code iss} claim from a compact-serialized JWT.
 *
 * <p>The token is only parsed here, never verified: the returned issuer comes
 * from an unauthenticated payload, so it is only good for choosing which key
 * set / validator to verify the token against, not as a trusted fact on its own.
 *
 * @param accessToken compact-serialized JWT
 * @return the issuer claim, or {@code null} if the token carries none
 * @throws IllegalArgumentException if the string is not a parseable JWT
 */
private String getIssuer(String accessToken) {
    try {
        return JWTParser.parse(accessToken).getJWTClaimsSet().getIssuer();
    } catch (ParseException e) {
        throw new IllegalArgumentException("Unable to parse JWT", e);
    }
}
/**
 * Returns the {@code jti} claim of a JWT access token, which this
 * implementation uses as the token's hash / lookup identifier.
 *
 * <p>The token is only parsed, not signature-verified, so the result is a
 * lookup key and not proof of anything. The raw token reaches the debug log
 * only when access-token logging has been explicitly enabled.
 *
 * @param accessToken compact-serialized JWT access token
 * @return the {@code jti} claim; {@code null} if the token has none
 * @throws OAuthSystemException if the token cannot be parsed
 */
@Override
public String getAccessTokenHash(String accessToken) throws OAuthSystemException {
    try {
        return JWTParser.parse(accessToken).getJWTClaimsSet().getJWTID();
    } catch (ParseException e) {
        boolean tokenLoggable = log.isDebugEnabled()
                && IdentityUtil.isTokenLoggable(IdentityConstants.IdentityTokens.ACCESS_TOKEN);
        if (tokenLoggable) {
            log.debug("Error while getting JWTID from token: " + accessToken);
        }
        throw new OAuthSystemException("Error while getting access token hash", e);
    }
}
/**
 * Builds an {@link OAuth2Request} by copying scope and audience straight out
 * of the assertion.
 *
 * <p>Trust boundary: the assertion must already have been validated
 * (signature, issuer, expiry) before this is called; nothing is re-checked
 * here. The {@code scope} claim is copied verbatim and the request is marked
 * approved, so this method does not restrict the granted scopes to those the
 * client is registered for; that restriction, if wanted, has to happen
 * elsewhere in the grant flow.
 *
 * @param client       the authenticated client
 * @param tokenRequest the incoming token request; its raw parameters are kept
 * @param assertion    the validated assertion
 * @return the request, or {@code null} if the assertion's claims cannot be parsed
 */
@Override
public OAuth2Request createOAuth2Request(ClientDetails client, TokenRequest tokenRequest, JWT assertion) {
    try {
        JWTClaimsSet claims = assertion.getJWTClaimsSet();
        String scopeClaim = claims.getStringClaim("scope");
        Set<String> requestedScope = OAuth2Utils.parseParameterList(scopeClaim);
        // the assertion's audience becomes the resource IDs of the resulting request
        Set<String> resourceIds = Sets.newHashSet(claims.getAudience());
        return new OAuth2Request(
                tokenRequest.getRequestParameters(),
                client.getClientId(),
                client.getAuthorities(),
                true, // approved
                requestedScope,
                resourceIds,
                null, null, null);
    } catch (ParseException e) {
        return null;
    }
}