final List<String> tokenAudiences = claimsSet.getAudience(); if (tokenAudiences == null) { logger.error("Audience is missing from the Knox JWT.");
String clientId = Iterables.getOnlyElement(idTokenClaims.getAudience());
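/**
 * Builds the {@link OAuth2Request} that an accepted JWT bearer assertion authorizes.
 *
 * <p>The granted scope is read from the assertion's {@code scope} claim and the
 * assertion's {@code aud} values become the request's resource ids.
 *
 * @param client       the client the token request was made for
 * @param tokenRequest the incoming token request; its parameters are copied into the result
 * @param assertion    the JWT assertion (signature checks, if any, happen elsewhere)
 * @return the approved request, or {@code null} when the assertion's claims cannot be
 *         parsed or it carries no audience (RFC 7523 requires {@code aud})
 */
@Override
public OAuth2Request createOAuth2Request(ClientDetails client, TokenRequest tokenRequest, JWT assertion) {
    try {
        JWTClaimsSet claims = assertion.getJWTClaimsSet();
        // Guava's Sets.newHashSet(null) throws NPE, and an assertion without aud is not a
        // valid RFC 7523 assertion; treat both like an unparseable assertion (null result).
        if (claims.getAudience() == null || claims.getAudience().isEmpty()) {
            return null;
        }
        Set<String> scope = OAuth2Utils.parseParameterList(claims.getStringClaim("scope"));
        Set<String> resources = Sets.newHashSet(claims.getAudience());
        return new OAuth2Request(tokenRequest.getRequestParameters(), client.getClientId(),
                client.getAuthorities(), true, scope, resources, null, null, null);
    } catch (ParseException e) {
        // Existing contract: an assertion whose claims cannot be parsed yields no request.
        // The cause is not surfaced here; callers only see the null.
        return null;
    }
}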
if (idClaims.getAudience() == null) { throw new AuthenticationServiceException("Id token audience is null"); } else if (!idClaims.getAudience().contains(clientConfig.getClientId())) { throw new AuthenticationServiceException("Audience does not match, expected " + clientConfig.getClientId() + " got " + idClaims.getAudience());
if (jwtClaims.getAudience() == null) { throw new AuthenticationServiceException("Assertion token audience is null"); } else if (!(jwtClaims.getAudience().contains(config.getIssuer()) || jwtClaims.getAudience().contains(config.getIssuer() + "token"))) { throw new AuthenticationServiceException("Audience does not match, expected " + config.getIssuer() + " or " + (config.getIssuer() + "token") + " got " + jwtClaims.getAudience());
Preconditions.checkArgument(claims.getAudience().contains(expectedAudience)); Preconditions.checkArgument(claims.getIssuer().equals(IAP_ISSUER_URL));
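/**
 * Checks the token's {@code aud} claim against the {@code audiences} field
 * (presumably the configured set of acceptable audiences).
 *
 * <p>When {@code audiences} is {@code null} every token passes; otherwise at least
 * one audience in the token must be contained in {@code audiences}.
 *
 * @param jwtToken the parsed JWT
 * @return {@code true} if the token is acceptable for this audience configuration
 * @throws IOException if the token's claims set cannot be parsed
 */
private boolean verifyAudiences(JWT jwtToken) throws IOException {
    List<String> tokenAudiences;
    try {
        // Parsed before the null-config check so an unparseable token is always an error.
        tokenAudiences = jwtToken.getJWTClaimsSet().getAudience();
    } catch (ParseException e) {
        throw new IOException("Failed to get JWT claims set", e);
    }
    // No configured audiences disables the check (existing behavior).
    if (audiences == null) {
        return true;
    }
    // A token with no aud claim cannot satisfy a configured audience; without this
    // guard the for-each below would throw NullPointerException.
    if (tokenAudiences == null) {
        return false;
    }
    for (String audience : tokenAudiences) {
        if (audiences.contains(audience)) {
            return true;
        }
    }
    return false;
}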
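/**
 * Checks the token's {@code aud} claim against the {@code audiences} field
 * (presumably the configured set of acceptable audiences).
 *
 * <p>When {@code audiences} is {@code null} every token passes; otherwise at least
 * one audience in the token must be contained in {@code audiences}.
 *
 * @param jwtToken the parsed JWT
 * @return {@code true} if the token is acceptable for this audience configuration
 * @throws IOException if the token's claims set cannot be parsed
 */
private boolean verifyAudiences(JWT jwtToken) throws IOException {
    List<String> tokenAudiences;
    try {
        // Parsed before the null-config check so an unparseable token is always an error.
        tokenAudiences = jwtToken.getJWTClaimsSet().getAudience();
    } catch (ParseException e) {
        throw new IOException("Failed to get JWT claims set", e);
    }
    // No configured audiences disables the check (existing behavior).
    if (audiences == null) {
        return true;
    }
    // A token with no aud claim cannot satisfy a configured audience; without this
    // guard the for-each below would throw NullPointerException.
    if (tokenAudiences == null) {
        return false;
    }
    for (String audience : tokenAudiences) {
        if (audiences.contains(audience)) {
            return true;
        }
    }
    return false;
}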
final List<String> tokenAudiences = claimsSet.getAudience(); if (tokenAudiences == null) { logger.error("Audience is missing from the Knox JWT.");
try { List<String> tokenAudienceList = jwtToken.getJWTClaimsSet() .getAudience();
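/**
 * Parses a token via {@link #parseToken(String)} and additionally requires that it is
 * addressed to {@code audience} and has not expired.
 *
 * <p>Failures are reported through {@code LecUtils.ensureCredentials} with the message
 * keys {@code com.naturalprogrammer.spring.wrong.audience} and
 * {@code com.naturalprogrammer.spring.expiredToken}.
 *
 * @param token    the compact-serialized JWT
 * @param audience the audience the token must be issued for; {@code null} is rejected
 * @return the parsed claims
 */
@Override
public JWTClaimsSet parseToken(String token, String audience) {
    JWTClaimsSet claims = parseToken(token);
    // A token with no aud claim is rejected like a wrong audience; the null guard avoids
    // a NullPointerException from contains() on older Nimbus versions that return null.
    LecUtils.ensureCredentials(
            audience != null && claims.getAudience() != null && claims.getAudience().contains(audience),
            "com.naturalprogrammer.spring.wrong.audience");
    // A token without exp is treated as expired rather than failing with an NPE on getTime().
    LecUtils.ensureCredentials(claims.getExpirationTime() != null, "com.naturalprogrammer.spring.expiredToken");
    long expirationTime = claims.getExpirationTime().getTime();
    long currentTime = System.currentTimeMillis();
    log.debug("Parsing JWT. Expiration time = " + expirationTime + ". Current time = " + currentTime);
    LecUtils.ensureCredentials(expirationTime >= currentTime, "com.naturalprogrammer.spring.expiredToken");
    return claims;
}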
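/**
 * Delegates to the superclass, then requires the expected audience and issuer.
 *
 * @param claimsSet the parsed claims
 * @param context   the security context passed through to the superclass
 * @throws BadJWTException if the superclass check fails, {@code requiredAudience} is not
 *                         among the token's audiences, or the issuer differs
 */
@Override
public void verify(JWTClaimsSet claimsSet, SecurityContext context) throws BadJWTException {
    super.verify(claimsSet, context);
    // aud is multi-valued (RFC 7519 §4.1.3): accept when any listed audience is the required
    // one, and reject a token with no aud instead of failing on get(0).
    if (claimsSet.getAudience() == null || !claimsSet.getAudience().contains(requiredAudience)) {
        String message = String.format("Expected audience \"%s\" to be \"%s\".", claimsSet.getAudience(), requiredAudience);
        throw new BadJWTException(message);
    }
    String issuer = claimsSet.getIssuer();
    if (!requiredIssuer.equals(issuer)) {
        String message = String.format("Expected issuer \"%s\" to be \"%s\".", issuer, requiredIssuer);
        throw new BadJWTException(message);
    }
}
});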
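/**
 * Checks whether the ID token contains the claims required by the OIDC spec
 * (iss, sub, aud, exp, iat). Each missing claim is logged before returning.
 *
 * @param jwtClaimsSet the ID token's claim set
 * @return {@code true} if every required claim is present, {@code false} otherwise
 */
private boolean isValidIdToken(JWTClaimsSet jwtClaimsSet) {
    if (StringUtils.isBlank(jwtClaimsSet.getIssuer())) {
        log.error("ID token does not have required issuer claim");
        return false;
    }
    if (StringUtils.isBlank(jwtClaimsSet.getSubject())) {
        log.error("ID token does not have required subject claim");
        return false;
    }
    // Recent Nimbus versions return an empty list (not null) for a missing aud claim,
    // so a null-only check would let an audience-less token through.
    if (jwtClaimsSet.getAudience() == null || jwtClaimsSet.getAudience().isEmpty()) {
        log.error("ID token does not have required audience claim");
        return false;
    }
    if (jwtClaimsSet.getExpirationTime() == null) {
        log.error("ID token does not have required expiration time claim");
        return false;
    }
    if (jwtClaimsSet.getIssueTime() == null) {
        log.error("ID token does not have required issued time claim");
        return false;
    }
    // All mandatory claims are present.
    return true;
}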
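/**
 * Ensures the token carries every claim this grant requires.
 *
 * @param claimsSet the parsed JWT claims
 * @return always {@code true}; a missing claim is reported by exception instead
 * @throws IdentityOAuth2Exception if issuer, subject, expiration time, audience or jti is absent
 */
private boolean validateRequiredFields(JWTClaimsSet claimsSet) throws IdentityOAuth2Exception {
    String subject = resolveSubject(claimsSet);
    List<String> audience = claimsSet.getAudience();
    String jti = claimsSet.getJWTID();
    // Recent Nimbus versions return an empty list (not null) for a missing aud claim,
    // so an audience-less token must be caught by the isEmpty() half of this check.
    boolean audienceMissing = audience == null || audience.isEmpty();
    if (StringUtils.isEmpty(claimsSet.getIssuer()) || StringUtils.isEmpty(subject)
            || claimsSet.getExpirationTime() == null || audienceMissing || jti == null) {
        throw new IdentityOAuth2Exception("Mandatory fields(Issuer, Subject, Expiration time," + " jtl or Audience) are empty in the given Token.");
    }
    return true;
}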
/**
 * Checks that the request object's {@code aud} claim is acceptable for this tenant's
 * token endpoint.
 *
 * @param requestObject    the parsed request object whose claims are checked
 * @param oAuth2Parameters supplies the tenant domain used to resolve the token endpoint URL
 * @return the result of {@code validateAudience(tokenEndpointUrl, audience)}
 * @throws RequestObjectException presumably propagated from the helpers called here
 */
protected boolean isValidAudience(RequestObject requestObject, OAuth2Parameters oAuth2Parameters) throws RequestObjectException {
    final String tenantDomain = oAuth2Parameters.getTenantDomain();
    final String expectedTokenEndpoint = getTokenEpURL(tenantDomain);
    final List<String> requestAudiences = requestObject.getClaimsSet().getAudience();
    return validateAudience(expectedTokenEndpoint, requestAudiences);
}
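/**
 * Builds the {@link OAuth2Request} that an accepted JWT bearer assertion authorizes.
 *
 * <p>The granted scope is read from the assertion's {@code scope} claim and the
 * assertion's {@code aud} values become the request's resource ids.
 *
 * @param client       the client the token request was made for
 * @param tokenRequest the incoming token request; its parameters are copied into the result
 * @param assertion    the JWT assertion (signature checks, if any, happen elsewhere)
 * @return the approved request, or {@code null} when the assertion's claims cannot be
 *         parsed or it carries no audience (RFC 7523 requires {@code aud})
 */
@Override
public OAuth2Request createOAuth2Request(ClientDetails client, TokenRequest tokenRequest, JWT assertion) {
    try {
        JWTClaimsSet claims = assertion.getJWTClaimsSet();
        // Guava's Sets.newHashSet(null) throws NPE, and an assertion without aud is not a
        // valid RFC 7523 assertion; treat both like an unparseable assertion (null result).
        if (claims.getAudience() == null || claims.getAudience().isEmpty()) {
            return null;
        }
        Set<String> scope = OAuth2Utils.parseParameterList(claims.getStringClaim("scope"));
        Set<String> resources = Sets.newHashSet(claims.getAudience());
        return new OAuth2Request(tokenRequest.getRequestParameters(), client.getClientId(),
                client.getAuthorities(), true, scope, resources, null, null, null);
    } catch (ParseException e) {
        // Existing contract: an assertion whose claims cannot be parsed yields no request.
        // The cause is not surfaced here; callers only see the null.
        return null;
    }
}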
List<String> aud = jwt.getJWTClaimsSet().getAudience(); Date exp = jwt.getJWTClaimsSet().getExpirationTime();
List<String> aud = jwt.getJWTClaimsSet().getAudience(); Date exp = jwt.getJWTClaimsSet().getExpirationTime();
/**
 * Checks presence of the claims this validator requires, in the order aud, iss, jti, iat, exp.
 * The first missing claim is the one reported, since each check may throw.
 *
 * NOTE(review): recent Nimbus versions return an empty list, not null, for a missing aud
 * claim, so checkClaimNotNull alone may not reject an audience-less token — confirm
 * against the Nimbus version in use.
 *
 * @param claims the parsed JWT claims
 * @throws MissingRequiredClaimException if one of the required claims is absent
 */
private void validateRequiredClaims(JWTClaimsSet claims) throws MissingRequiredClaimException {
    checkClaimNotNull(claims.getAudience(), Claim.AUDIENCE);
    checkClaimNotNull(claims.getIssuer(), Claim.ISSUER);
    checkClaimNotNull(claims.getJWTID(), Claim.JWT_ID);
    checkClaimNotNull(claims.getIssueTime(), Claim.ISSUED_AT);
    checkClaimNotNull(claims.getExpirationTime(), Claim.EXPIRY);
}
/**
 * Factory method to create a signature verifiable jwt.
 *
 * <p>The claims are copied into a claims-only {@code Jwt}; no signature verification
 * happens here, the {@code JWSObject} is carried alongside in the returned wrapper.
 *
 * @param jwsObject a json web signature object
 * @param claims jwt claims set
 * @return a signature verifiable jwt
 * @throws UnsupportedAlgorithmException if the signing algorithm is not supported
 */
public static VerifiableJwt buildVerifiableJwt(JWSObject jwsObject, JWTClaimsSet claims) throws UnsupportedAlgorithmException {
    // Header-derived inputs; getSigningAlgorithm() is presumably where unknown algorithms are rejected.
    final String algorithmName = jwsObject.getHeader().getAlgorithm().getName();
    final String keyId = jwsObject.getHeader().getKeyID();
    final String issuer = claims.getIssuer();

    final Jwt claimsOnlyJwt = JwtBuilder.newJwt()
            .algorithm(getSigningAlgorithm(algorithmName))
            .keyId(keyId)
            .issuer(issuer)
            .subject(option(claims.getSubject()))
            .audience(claims.getAudience())
            .expirationTime(DATE_TO_DATETIME.apply(claims.getExpirationTime()))
            .issuedAt(DATE_TO_DATETIME.apply(claims.getIssueTime()))
            // nbf is optional, so it is converted only when present.
            .notBefore(option(claims.getNotBeforeTime()).map(DATE_TO_DATETIME))
            .build();
    return new NimbusVerifiableJwt(claimsOnlyJwt, jwsObject);
}