/**
 * Returns the cached application token if one is held and its time claims are still valid.
 *
 * <p>When the cached JWT no longer passes {@link Jwt#defaultTimeValidators()}, both cached
 * references are cleared so a subsequent call starts from an empty cache.
 * NOTE(review): assumes {@code appJwt} is always set together with {@code appToken} — confirm at the call sites.
 *
 * @return the still-valid cached token, or empty when none is cached or it is no longer valid
 */
private Optional<SignedJwt> getCachedAppToken() {
    SignedJwt cached = appToken;
    if (cached == null) {
        return Optional.empty();
    }
    boolean stillValid = appJwt.validate(Jwt.defaultTimeValidators()).isValid();
    if (!stillValid) {
        // Evict the stale token so the next lookup re-acquires one instead of reusing it.
        appToken = null;
        appJwt = null;
        return Optional.empty();
    }
    return Optional.of(cached);
}
/**
 * Validates the default time claims, plus issuer and audience when they are requested.
 * Values validated:
 * <ul>
 * <li>{@link #expirationTime() Expiration time} if defined</li>
 * <li>{@link #issueTime() Issue time} if defined</li>
 * <li>{@link #notBefore() Not before time} if defined</li>
 * <li>{@link #issuer() Issuer} if defined</li>
 * <li>{@link #audience() Audience} if defined</li>
 * </ul>
 *
 * @param issuer expected issuer of this JWT; a non-null value makes the issuer claim mandatory,
 *               {@code null} skips the issuer check
 * @param audience expected audience of this JWT; a non-null value makes the audience claim mandatory,
 *                 {@code null} skips the audience check
 * @return errors instance to check for validation result
 */
public Errors validate(String issuer, String audience) {
    List<Validator<Jwt>> checks = defaultTimeValidators();
    // The trailing "true" makes the corresponding claim mandatory once an expected value is supplied.
    if (issuer != null) {
        addIssuerValidator(checks, issuer, true);
    }
    if (audience != null) {
        addAudienceValidator(checks, audience, true);
    }
    return validate(checks);
}
// The default time validators always run; if the config yields null for issuer or audience, that
// particular claim is not checked (see Jwt.validate(String, String)) — verify both are configured.
Errors validationErrors = jwt.validate(oidcConfig.issuer(), oidcConfig.audience());
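/**
 * Authenticates a request from the JWT carried in its headers.
 *
 * <p>The token is extracted with {@code atnTokenHandler}, its signature is verified against
 * {@code verifyKeys} (with {@code defaultJwk} as fallback), and only then are the issuer, audience and
 * default time claims validated through {@link Jwt#validate(String, String)}. The failure message for the
 * claim step names all of those checks, since any of them — not only the audience — can reject the token.
 *
 * @param providerRequest request whose headers carry the token
 * @param loginConfig login configuration; not consulted by this method
 * @return success with the subject built from the token, failure with the reason, or abstain when no token
 *         header is present and this provider is optional
 */
AuthenticationResponse authenticate(ProviderRequest providerRequest, LoginConfig loginConfig) {
    return atnTokenHandler.extractToken(providerRequest.env().headers())
            .map(token -> {
                SignedJwt signedJwt = SignedJwt.parseToken(token);
                // Signature first: claims are only trusted once the token is known to be authentic.
                Errors signatureErrors = signedJwt.verifySignature(verifyKeys, defaultJwk);
                if (!signatureErrors.isValid()) {
                    return AuthenticationResponse.failed(signatureErrors.toString());
                }
                Jwt jwt = signedJwt.getJwt();
                // Validates issuer and audience (each only when the expected value is non-null) together with
                // the default time validators (expiration, issue time, not-before).
                Errors claimErrors = jwt.validate(expectedIssuer, expectedAudience);
                if (!claimErrors.isValid()) {
                    return AuthenticationResponse.failed(
                            "Token claim validation failed (issuer/audience/time, expected audience: "
                                    + expectedAudience + "): " + claimErrors);
                }
                return AuthenticationResponse.success(buildSubject(jwt, signedJwt));
            })
            .orElseGet(() -> optional
                    ? AuthenticationResponse.abstain()
                    : AuthenticationResponse.failed("Header not available or in a wrong format"));
}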
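/**
 * Authenticates a request from the JWT carried in its headers, or abstains when authentication is
 * disabled for this provider.
 *
 * <p>The token is extracted with {@code atnTokenHandler} and its signature verified against
 * {@code verifyKeys}; afterwards the audience and the default time claims are validated through
 * {@link Jwt#validate(String, String)}. No issuer is passed, so the issuer claim is not checked here.
 * The failure message for the claim step names every check involved, since an expired or not-yet-valid
 * token is rejected by the same call as a wrong audience.
 *
 * @param providerRequest request whose headers carry the token
 * @return success with the subject built from the token, failure with the reason, or abstain when
 *         authentication is disabled or no token header is present and this provider is optional
 */
@Override
protected AuthenticationResponse syncAuthenticate(ProviderRequest providerRequest) {
    if (!authenticate) {
        return AuthenticationResponse.abstain();
    }
    return atnTokenHandler.extractToken(providerRequest.env().headers())
            .map(token -> {
                SignedJwt signedJwt = SignedJwt.parseToken(token);
                // Signature first: claims are only trusted once the token is known to be authentic.
                Errors signatureErrors = signedJwt.verifySignature(verifyKeys);
                if (!signatureErrors.isValid()) {
                    return AuthenticationResponse.failed(signatureErrors.toString());
                }
                Jwt jwt = signedJwt.getJwt();
                // Null issuer skips the issuer check; audience (when non-null) and the default time
                // validators (expiration, issue time, not-before) are applied.
                Errors claimErrors = jwt.validate(null, expectedAudience);
                if (!claimErrors.isValid()) {
                    return AuthenticationResponse.failed(
                            "Token claim validation failed (audience/time, expected audience: "
                                    + expectedAudience + "): " + claimErrors);
                }
                return AuthenticationResponse.success(buildSubject(jwt, signedJwt));
            })
            .orElseGet(() -> optional
                    ? AuthenticationResponse.abstain()
                    : AuthenticationResponse.failed("Header not available or in a wrong format"));
}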
/**
 * Validates the default time claims, plus issuer and audience when they are requested.
 * Values validated:
 * <ul>
 * <li>{@link #expirationTime() Expiration time} if defined</li>
 * <li>{@link #issueTime() Issue time} if defined</li>
 * <li>{@link #notBefore() Not before time} if defined</li>
 * <li>{@link #issuer() Issuer} if defined</li>
 * <li>{@link #audience() Audience} if defined</li>
 * </ul>
 *
 * @param issuer expected issuer of this JWT; a non-null value makes the issuer claim mandatory,
 *               {@code null} skips the issuer check
 * @param audience expected audience of this JWT; a non-null value makes the audience claim mandatory,
 *                 {@code null} skips the audience check
 * @return errors instance to check for validation result
 */
public Errors validate(String issuer, String audience) {
    List<Validator<Jwt>> checks = defaultTimeValidators();
    // The trailing "true" makes the corresponding claim mandatory once an expected value is supplied.
    if (issuer != null) {
        addIssuerValidator(checks, issuer, true);
    }
    if (audience != null) {
        addAudienceValidator(checks, audience, true);
    }
    return validate(checks);
}
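/**
 * Authenticates a request from the JWT carried in its headers.
 *
 * <p>The token is extracted with {@code atnTokenHandler}, its signature is verified against
 * {@code verifyKeys} (with {@code defaultJwk} as fallback), and only then are the issuer, audience and
 * default time claims validated through {@link Jwt#validate(String, String)}. The failure message for the
 * claim step names all of those checks, since any of them — not only the audience — can reject the token.
 *
 * @param providerRequest request whose headers carry the token
 * @param loginConfig login configuration; not consulted by this method
 * @return success with the subject built from the token, failure with the reason, or abstain when no token
 *         header is present and this provider is optional
 */
AuthenticationResponse authenticate(ProviderRequest providerRequest, LoginConfig loginConfig) {
    return atnTokenHandler.extractToken(providerRequest.env().headers())
            .map(token -> {
                SignedJwt signedJwt = SignedJwt.parseToken(token);
                // Signature first: claims are only trusted once the token is known to be authentic.
                Errors signatureErrors = signedJwt.verifySignature(verifyKeys, defaultJwk);
                if (!signatureErrors.isValid()) {
                    return AuthenticationResponse.failed(signatureErrors.toString());
                }
                Jwt jwt = signedJwt.getJwt();
                // Validates issuer and audience (each only when the expected value is non-null) together with
                // the default time validators (expiration, issue time, not-before).
                Errors claimErrors = jwt.validate(expectedIssuer, expectedAudience);
                if (!claimErrors.isValid()) {
                    return AuthenticationResponse.failed(
                            "Token claim validation failed (issuer/audience/time, expected audience: "
                                    + expectedAudience + "): " + claimErrors);
                }
                return AuthenticationResponse.success(buildSubject(jwt, signedJwt));
            })
            .orElseGet(() -> optional
                    ? AuthenticationResponse.abstain()
                    : AuthenticationResponse.failed("Header not available or in a wrong format"));
}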
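/**
 * Authenticates a request from the JWT carried in its headers, or abstains when authentication is
 * disabled for this provider.
 *
 * <p>The token is extracted with {@code atnTokenHandler} and its signature verified against
 * {@code verifyKeys}; afterwards the audience and the default time claims are validated through
 * {@link Jwt#validate(String, String)}. No issuer is passed, so the issuer claim is not checked here.
 * The failure message for the claim step names every check involved, since an expired or not-yet-valid
 * token is rejected by the same call as a wrong audience.
 *
 * @param providerRequest request whose headers carry the token
 * @return success with the subject built from the token, failure with the reason, or abstain when
 *         authentication is disabled or no token header is present and this provider is optional
 */
@Override
protected AuthenticationResponse syncAuthenticate(ProviderRequest providerRequest) {
    if (!authenticate) {
        return AuthenticationResponse.abstain();
    }
    return atnTokenHandler.extractToken(providerRequest.env().headers())
            .map(token -> {
                SignedJwt signedJwt = SignedJwt.parseToken(token);
                // Signature first: claims are only trusted once the token is known to be authentic.
                Errors signatureErrors = signedJwt.verifySignature(verifyKeys);
                if (!signatureErrors.isValid()) {
                    return AuthenticationResponse.failed(signatureErrors.toString());
                }
                Jwt jwt = signedJwt.getJwt();
                // Null issuer skips the issuer check; audience (when non-null) and the default time
                // validators (expiration, issue time, not-before) are applied.
                Errors claimErrors = jwt.validate(null, expectedAudience);
                if (!claimErrors.isValid()) {
                    return AuthenticationResponse.failed(
                            "Token claim validation failed (audience/time, expected audience: "
                                    + expectedAudience + "): " + claimErrors);
                }
                return AuthenticationResponse.success(buildSubject(jwt, signedJwt));
            })
            .orElseGet(() -> optional
                    ? AuthenticationResponse.abstain()
                    : AuthenticationResponse.failed("Header not available or in a wrong format"));
}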