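/**
 * Looks up the registration access token that authenticated this request and
 * re-issues it when it is older than the configured registration-token lifetime.
 *
 * <p>When no lifetime is configured the presented token is returned unchanged.
 * A token whose JWT carries no issued-at claim cannot be shown to be fresh, so
 * it is rotated like a stale one instead of failing with a NullPointerException.
 *
 * @param auth   the authentication whose details carry the presented token value
 * @param client the client the token belongs to; used for logging and for re-issue
 * @return the presented token, or the freshly issued replacement when rotation applied
 */
private OAuth2AccessTokenEntity fetchValidRegistrationToken(OAuth2Authentication auth, ClientDetailsEntity client) {
    OAuth2AuthenticationDetails details = (OAuth2AuthenticationDetails) auth.getDetails();
    OAuth2AccessTokenEntity token = tokenService.readAccessToken(details.getTokenValue());

    if (config.getRegTokenLifeTime() == null) {
        // tokens don't expire, just return it
        return token;
    }

    try {
        Date issuedAt = token.getJwt().getJWTClaimsSet().getIssueTime();
        // Re-issue the token if it has been issued before [currentTime - validity]
        Date validToDate = new Date(System.currentTimeMillis() - config.getRegTokenLifeTime() * 1000);
        if (issuedAt == null || issuedAt.before(validToDate)) {
            logger.info("Rotating the registration access token for " + client.getClientId());
            tokenService.revokeAccessToken(token);
            OAuth2AccessTokenEntity newToken = connectTokenService.createResourceAccessToken(client);
            tokenService.saveAccessToken(newToken);
            return newToken;
        }
        // it's not expired, keep going
        return token;
    } catch (ParseException e) {
        // The token was already accepted by readAccessToken, so keep it rather than fail the request.
        logger.error("Couldn't parse a known-valid token?", e);
        return token;
    }
}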
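/**
 * Looks up the registration access token that authenticated this request and
 * re-issues it when it is older than the configured registration-token lifetime.
 *
 * <p>When no lifetime is configured the presented token is returned unchanged.
 * A token whose JWT carries no issued-at claim cannot be shown to be fresh, so
 * it is rotated like a stale one instead of failing with a NullPointerException.
 *
 * @param auth   the authentication whose details carry the presented token value
 * @param client the client the token belongs to; used for logging and for re-issue
 * @return the presented token, or the freshly issued replacement when rotation applied
 */
private OAuth2AccessTokenEntity rotateRegistrationTokenIfNecessary(OAuth2Authentication auth, ClientDetailsEntity client) {
    OAuth2AuthenticationDetails details = (OAuth2AuthenticationDetails) auth.getDetails();
    OAuth2AccessTokenEntity token = tokenService.readAccessToken(details.getTokenValue());

    if (config.getRegTokenLifeTime() == null) {
        // tokens don't expire, just return it
        return token;
    }

    try {
        Date issuedAt = token.getJwt().getJWTClaimsSet().getIssueTime();
        // Re-issue the token if it has been issued before [currentTime - validity]
        Date validToDate = new Date(System.currentTimeMillis() - config.getRegTokenLifeTime() * 1000);
        if (issuedAt == null || issuedAt.before(validToDate)) {
            logger.info("Rotating the registration access token for " + client.getClientId());
            tokenService.revokeAccessToken(token);
            OAuth2AccessTokenEntity newToken = connectTokenService.createRegistrationAccessToken(client);
            tokenService.saveAccessToken(newToken);
            return newToken;
        }
        // it's not expired, keep going
        return token;
    } catch (ParseException e) {
        // The token was already accepted by readAccessToken, so keep it rather than fail the request.
        logger.error("Couldn't parse a known-valid token?", e);
        return token;
    }
}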
if (idClaims.getIssueTime() == null) { throw new AuthenticationServiceException("Id Token does not have required issued-at claim"); } else { if (now.before(idClaims.getIssueTime())) { throw new AuthenticationServiceException("Id Token was issued in the future: " + idClaims.getIssueTime());
originalAuthRequest, claims.getIssueTime(), userInfo.getSub(), token);
if (jwtClaims.getIssueTime() != null) { if (now.before(jwtClaims.getIssueTime())) { throw new AuthenticationServiceException("Assertion Token was issued in the future: " + jwtClaims.getIssueTime());
Preconditions.checkArgument(claims.getIssueTime().before(currentTime));
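/**
 * Checks whether an ID token carries the claims the OIDC spec requires
 * (iss, sub, aud, exp, iat).
 *
 * <p>The first missing claim is logged and the check stops there.
 *
 * @param jwtClaimsSet the claim set of the ID token
 * @return {@code true} when every required claim is present, {@code false} otherwise
 */
private boolean isValidIdToken(JWTClaimsSet jwtClaimsSet) {
    if (StringUtils.isBlank(jwtClaimsSet.getIssuer())) {
        log.error("ID token does not have required issuer claim");
        return false;
    }
    if (StringUtils.isBlank(jwtClaimsSet.getSubject())) {
        log.error("ID token does not have required subject claim");
        return false;
    }
    // getAudience() reports an absent "aud" as an empty list, not null, so the
    // null check on its own would let a token without an audience through.
    if (jwtClaimsSet.getAudience() == null || jwtClaimsSet.getAudience().isEmpty()) {
        log.error("ID token does not have required audience claim");
        return false;
    }
    if (jwtClaimsSet.getExpirationTime() == null) {
        log.error("ID token does not have required expiration time claim");
        return false;
    }
    if (jwtClaimsSet.getIssueTime() == null) {
        log.error("ID token does not have required issued time claim");
        return false;
    }
    // All mandatory claims are present.
    return true;
}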
/**
 * Maps a parsed Nimbus JWT and its claim set onto a {@code Jwt}.
 *
 * <p>{@code exp} and {@code iat} are copied when present. When only {@code exp}
 * is present, {@code iat} is taken to be one second before it; when both are
 * absent, both remain {@code null}.
 *
 * @param parsedJwt    the parsed token, supplying the serialized form and header
 * @param jwtClaimsSet the token's claims
 * @return the assembled token
 */
private Jwt createJwt(JWT parsedJwt, JWTClaimsSet jwtClaimsSet) {
    Instant expiresAt = jwtClaimsSet.getExpirationTime() == null
            ? null
            : jwtClaimsSet.getExpirationTime().toInstant();

    Instant issuedAt = null;
    if (jwtClaimsSet.getIssueTime() != null) {
        issuedAt = jwtClaimsSet.getIssueTime().toInstant();
    } else if (expiresAt != null) {
        // Default to expiresAt - 1 second
        issuedAt = expiresAt.minusSeconds(1);
    }

    Map<String, Object> headers = new LinkedHashMap<>(parsedJwt.getHeader().toJSONObject());
    return new Jwt(parsedJwt.getParsedString(), issuedAt, expiresAt, headers, jwtClaimsSet.getClaims());
}
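/**
 * Parses {@code token}, verifies its signature through the configured processor,
 * and maps the result onto a {@code Jwt}.
 *
 * <p>{@code exp} is required; a missing {@code iat} defaults to one second before
 * {@code exp}.
 *
 * @param token the compact-serialized JWT
 * @return the verified token with its headers and claims
 * @throws JwtException if the token cannot be parsed or verified, or has no
 *         {@code exp} claim
 */
@Override
public Jwt decode(String token) throws JwtException {
    Jwt jwt;
    try {
        JWT parsedJwt = JWTParser.parse(token);
        // Verify the signature
        JWTClaimsSet jwtClaimsSet = this.jwtProcessor.process(parsedJwt, null);

        // Previously a missing "exp" surfaced as a NullPointerException with no message;
        // report it explicitly so callers can tell what was wrong with the token.
        if (jwtClaimsSet.getExpirationTime() == null) {
            throw new JwtException("An error occurred while attempting to decode the Jwt: missing required exp claim");
        }
        Instant expiresAt = jwtClaimsSet.getExpirationTime().toInstant();

        Instant issuedAt;
        if (jwtClaimsSet.getIssueTime() != null) {
            issuedAt = jwtClaimsSet.getIssueTime().toInstant();
        } else {
            // issuedAt is required in SecurityToken so let's default to expiresAt - 1 second
            issuedAt = expiresAt.minusSeconds(1);
        }

        Map<String, Object> headers = new LinkedHashMap<>(parsedJwt.getHeader().toJSONObject());
        jwt = new Jwt(token, issuedAt, expiresAt, headers, jwtClaimsSet.getClaims());
    } catch (JwtException ex) {
        // Already in the form callers expect; do not wrap it a second time.
        throw ex;
    } catch (Exception ex) {
        throw new JwtException("An error occurred while attempting to decode the Jwt: " + ex.getMessage(), ex);
    }
    return jwt;
}
}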
if (idClaims.getIssueTime() == null) { isValid = false; log.error("Id Token does not have required issued-at claim"); if (now.before(idClaims.getIssueTime())) { isValid = false; log.error("Id Token was issued in the future: " + idClaims.getIssueTime());
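/**
 * Looks up the registration access token that authenticated this request and
 * re-issues it when it is older than the configured registration-token lifetime.
 *
 * <p>When no lifetime is configured the presented token is returned unchanged.
 * A token whose JWT carries no issued-at claim cannot be shown to be fresh, so
 * it is rotated like a stale one instead of failing with a NullPointerException.
 *
 * @param auth   the authentication whose details carry the presented token value
 * @param client the client the token belongs to; used for logging and for re-issue
 * @return the presented token, or the freshly issued replacement when rotation applied
 */
private OAuth2AccessTokenEntity rotateRegistrationTokenIfNecessary(OAuth2Authentication auth, ClientDetailsEntity client) {
    OAuth2AuthenticationDetails details = (OAuth2AuthenticationDetails) auth.getDetails();
    OAuth2AccessTokenEntity token = tokenService.readAccessToken(details.getTokenValue());

    if (config.getRegTokenLifeTime() == null) {
        // tokens don't expire, just return it
        return token;
    }

    try {
        Date issuedAt = token.getJwt().getJWTClaimsSet().getIssueTime();
        // Re-issue the token if it has been issued before [currentTime - validity]
        Date validToDate = new Date(System.currentTimeMillis() - config.getRegTokenLifeTime() * 1000);
        if (issuedAt == null || issuedAt.before(validToDate)) {
            logger.info("Rotating the registration access token for " + client.getClientId());
            tokenService.revokeAccessToken(token);
            OAuth2AccessTokenEntity newToken = connectTokenService.createRegistrationAccessToken(client);
            tokenService.saveAccessToken(newToken);
            return newToken;
        }
        // it's not expired, keep going
        return token;
    } catch (ParseException e) {
        // The token was already accepted by readAccessToken, so keep it rather than fail the request.
        logger.error("Couldn't parse a known-valid token?", e);
        return token;
    }
}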
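/**
 * Looks up the registration access token that authenticated this request and
 * re-issues it when it is older than the configured registration-token lifetime.
 *
 * <p>When no lifetime is configured the presented token is returned unchanged.
 * A token whose JWT carries no issued-at claim cannot be shown to be fresh, so
 * it is rotated like a stale one instead of failing with a NullPointerException.
 *
 * @param auth   the authentication whose details carry the presented token value
 * @param client the client the token belongs to; used for logging and for re-issue
 * @return the presented token, or the freshly issued replacement when rotation applied
 */
private OAuth2AccessTokenEntity fetchValidRegistrationToken(OAuth2Authentication auth, ClientDetailsEntity client) {
    OAuth2AuthenticationDetails details = (OAuth2AuthenticationDetails) auth.getDetails();
    OAuth2AccessTokenEntity token = tokenService.readAccessToken(details.getTokenValue());

    if (config.getRegTokenLifeTime() == null) {
        // tokens don't expire, just return it
        return token;
    }

    try {
        Date issuedAt = token.getJwt().getJWTClaimsSet().getIssueTime();
        // Re-issue the token if it has been issued before [currentTime - validity]
        Date validToDate = new Date(System.currentTimeMillis() - config.getRegTokenLifeTime() * 1000);
        if (issuedAt == null || issuedAt.before(validToDate)) {
            logger.info("Rotating the registration access token for " + client.getClientId());
            tokenService.revokeAccessToken(token);
            OAuth2AccessTokenEntity newToken = connectTokenService.createResourceAccessToken(client);
            tokenService.saveAccessToken(newToken);
            return newToken;
        }
        // it's not expired, keep going
        return token;
    } catch (ParseException e) {
        // The token was already accepted by readAccessToken, so keep it rather than fail the request.
        logger.error("Couldn't parse a known-valid token?", e);
        return token;
    }
}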
if (claims.getIssueTime() == null || claims.getExpirationTime() == null) { throw new JwtInvalidClaimException("'exp' and 'iat' are required claims. Atlassian JWT does not allow JWTs with " + "unlimited lifetimes.");
if (claims.getIssueTime() == null || claims.getExpirationTime() == null)
/**
 * Ensures the claims every accepted token must carry — aud, iss, jti, iat and exp —
 * are present.
 *
 * @param claims the claim set to inspect
 * @throws MissingRequiredClaimException for the first of those claims, in the
 *         order listed, that is absent
 */
private void validateRequiredClaims(JWTClaimsSet claims) throws MissingRequiredClaimException {
    // Checked in a fixed order so the reported claim is deterministic when several are missing.
    checkClaimNotNull(claims.getAudience(), Claim.AUDIENCE);
    checkClaimNotNull(claims.getIssuer(), Claim.ISSUER);
    checkClaimNotNull(claims.getJWTID(), Claim.JWT_ID);
    checkClaimNotNull(claims.getIssueTime(), Claim.ISSUED_AT);
    checkClaimNotNull(claims.getExpirationTime(), Claim.EXPIRY);
}
if (idClaims.getIssueTime() == null) { throw new AuthenticationServiceException("Id Token does not have required issued-at claim"); } else { if (now.before(idClaims.getIssueTime())) { throw new AuthenticationServiceException("Id Token was issued in the future: " + idClaims.getIssueTime());
originalAuthRequest, claims.getIssueTime(), userInfo.getSub(), token);
if (jwtClaims.getIssueTime() != null) { if (now.before(jwtClaims.getIssueTime())) { throw new AuthenticationServiceException("Assertion Token was issued in the future: " + jwtClaims.getIssueTime());
/**
 * Factory method to create a signature verifiable jwt.
 *
 * <p>The header supplies the algorithm and key id; the claim set supplies the
 * standard registered claims. Optional claims (sub, nbf) are wrapped with
 * {@code option}, the others are passed as-is.
 *
 * @param jwsObject a json web signature object
 * @param claims jwt claims set
 * @return a signature verifiable jwt
 * @throws UnsupportedAlgorithmException if the signing algorithm is not supported
 */
public static VerifiableJwt buildVerifiableJwt(JWSObject jwsObject, JWTClaimsSet claims) throws UnsupportedAlgorithmException {
    String algorithmName = jwsObject.getHeader().getAlgorithm().getName();
    String keyId = jwsObject.getHeader().getKeyID();

    Jwt unverifiedJwt = JwtBuilder.newJwt()
            .algorithm(getSigningAlgorithm(algorithmName))
            .keyId(keyId)
            .issuer(claims.getIssuer())
            .subject(option(claims.getSubject()))
            .audience(claims.getAudience())
            .expirationTime(DATE_TO_DATETIME.apply(claims.getExpirationTime()))
            .issuedAt(DATE_TO_DATETIME.apply(claims.getIssueTime()))
            .notBefore(option(claims.getNotBeforeTime()).map(DATE_TO_DATETIME))
            .build();

    return new NimbusVerifiableJwt(unverifiedJwt, jwsObject);
}
long diff = refreshClaimsSet.getIssueTime().getTime() - previousCS.getIssueTime().getTime(); refreshTimeToLive = prev.subtract(new LongDuration(diff, TimeUnit.MILLISECONDS));