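/**
 * Requests a client-credentials access token from the IDCS token endpoint and caches the
 * parsed result in {@code appToken} and {@code appJwt}.
 *
 * @return the parsed signed token, or empty when the endpoint did not answer with a 2xx status
 */
private Optional<SignedJwt> getAndCacheAppTokenFromServer() {
    MultivaluedMap<String, String> formData = new MultivaluedHashMap<>();
    formData.putSingle("grant_type", "client_credentials");
    formData.putSingle("scope", "urn:opc:idm:__myscopes__");

    Response tokenResponse = tokenEndpoint
            .request()
            .accept(MediaType.APPLICATION_JSON_TYPE)
            .post(Entity.form(formData));
    try {
        if (tokenResponse.getStatusInfo().getFamily() != Response.Status.Family.SUCCESSFUL) {
            LOGGER.severe("Failed to obtain access token for application to read groups"
                                  + " from IDCS. Response code: " + tokenResponse.getStatus()
                                  + ", entity: " + tokenResponse.readEntity(String.class));
            return Optional.empty();
        }

        JsonObject response = tokenResponse.readEntity(JsonObject.class);
        String accessToken = response.getString(ACCESS_TOKEN_KEY);
        // The access token is a bearer credential for this application: record that one was
        // obtained, but never write its value to the log.
        LOGGER.finest("Obtained application access token from IDCS");

        SignedJwt signedJwt = SignedJwt.parseToken(accessToken);
        this.appToken = signedJwt;
        this.appJwt = signedJwt.getJwt();
        return Optional.of(signedJwt);
    } finally {
        // readEntity(...) consumes the response on both branches above; this also releases the
        // connection when readEntity or parseToken throws.
        tokenResponse.close();
    }
}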
/**
 * Wraps a parsed signed JWT as a principal: all payload claims become attributes, the
 * well-known profile claims are published under their standard attribute names, and the
 * {@code sub} claim is mandatory.
 *
 * @param signed the signed token this principal is built from
 * @throws JwtException when the token carries no subject claim
 */
private JsonWebTokenImpl(SignedJwt signed) {
    this.signed = signed;
    this.jwt = signed.getJwt();

    BasicAttributes attributes = BasicAttributes.create();
    // every payload claim is exposed, converted through JwtUtil.toObject
    jwt.payloadClaims()
            .forEach((claimName, claimValue) -> attributes.put(claimName, JwtUtil.toObject(claimValue)));
    // well-known profile claims are (re)published under their standard names when present
    jwt.email().ifPresent(email -> attributes.put("email", email));
    jwt.emailVerified().ifPresent(verified -> attributes.put("email_verified", verified));
    jwt.locale().ifPresent(locale -> attributes.put("locale", locale));
    jwt.familyName().ifPresent(familyName -> attributes.put("family_name", familyName));
    jwt.givenName().ifPresent(givenName -> attributes.put("given_name", givenName));
    jwt.fullName().ifPresent(fullName -> attributes.put("full_name", fullName));
    this.properties = attributes;

    String subject = jwt.subject()
            .orElseThrow(() -> new JwtException("JWT does not contain subject claim, cannot create principal."));
    this.id = subject;
    // display name preference: user principal, then preferred username, then the subject itself
    this.name = jwt.userPrincipal()
            .orElseGet(() -> jwt.preferredUsername().orElse(subject));
}
private AuthenticationResponse validateToken(ProviderRequest providerRequest, String token) { SignedJwt signed = SignedJwt.parseToken(token); Jwt jwt = signed.getJwt(); Errors.Collector collector = Errors.collector(); jwtValidator.accept(signed, collector);
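/**
 * Authenticates a request from the JWT carried in its headers.
 * <p>
 * The signature is verified before any claim is inspected; only then are issuer and audience
 * checked against this provider's configuration. When no token can be extracted the outcome
 * depends on {@code optional}: abstain when optional, fail otherwise.
 *
 * @param providerRequest request whose headers are searched for the token
 * @param loginConfig     login configuration; not consulted by this implementation
 * @return success with the built subject, failure with the validation errors, or abstain
 */
AuthenticationResponse authenticate(ProviderRequest providerRequest, LoginConfig loginConfig) {
    return atnTokenHandler.extractToken(providerRequest.env().headers())
            .map(token -> {
                SignedJwt signedJwt = SignedJwt.parseToken(token);
                // signature first: claims of an unverified token must not influence the outcome
                Errors signatureErrors = signedJwt.verifySignature(verifyKeys, defaultJwk);
                if (!signatureErrors.isValid()) {
                    return AuthenticationResponse.failed(signatureErrors.toString());
                }

                Jwt jwt = signedJwt.getJwt();
                // issuer and audience must match the configured expectations
                Errors claimErrors = jwt.validate(expectedIssuer, expectedAudience);
                if (!claimErrors.isValid()) {
                    // report what actually failed (issuer or audience) instead of always
                    // blaming the audience
                    return AuthenticationResponse.failed(claimErrors.toString());
                }
                return AuthenticationResponse.success(buildSubject(jwt, signedJwt));
            })
            .orElseGet(() -> optional
                    ? AuthenticationResponse.abstain()
                    : AuthenticationResponse.failed("Header not available or in a wrong format"));
}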
/**
 * Synchronous authentication from the JWT in the request headers.
 * <p>
 * Abstains immediately when authentication is disabled for this provider. Otherwise the
 * token's signature is verified against {@code verifyKeys}, then the audience is validated
 * (no issuer is expected here, hence {@code null}). A missing or malformed header abstains
 * when the provider is optional and fails otherwise.
 *
 * @param providerRequest request whose headers are searched for the token
 * @return success with the built subject, failure with a reason, or abstain
 */
@Override
protected AuthenticationResponse syncAuthenticate(ProviderRequest providerRequest) {
    if (!authenticate) {
        return AuthenticationResponse.abstain();
    }

    return atnTokenHandler.extractToken(providerRequest.env().headers())
            .map(token -> {
                SignedJwt signedJwt = SignedJwt.parseToken(token);
                // signature first: claims of an unverified token must not influence the outcome
                Errors signatureErrors = signedJwt.verifySignature(verifyKeys);
                if (!signatureErrors.isValid()) {
                    return AuthenticationResponse.failed(signatureErrors.toString());
                }

                Jwt jwt = signedJwt.getJwt();
                // only the audience is checked; issuer is not constrained in this provider
                Errors claimErrors = jwt.validate(null, expectedAudience);
                if (!claimErrors.isValid()) {
                    return AuthenticationResponse.failed("Audience is invalid or missing: " + expectedAudience);
                }
                return AuthenticationResponse.success(buildSubject(jwt, signedJwt));
            })
            .orElseGet(() -> optional
                    ? AuthenticationResponse.abstain()
                    : AuthenticationResponse.failed("Header not available or in a wrong format"));
}
/**
 * Builds the principal view over a signed JWT.
 * <p>
 * Raw payload claims are copied into the attribute container first, then the well-known
 * profile claims are stored under their standard names, so a typed profile value wins over a
 * raw claim with the same key. The {@code sub} claim is required and becomes the id.
 *
 * @param signed the signed token to wrap
 * @throws JwtException when the token has no subject claim
 */
private JsonWebTokenImpl(SignedJwt signed) {
    this.signed = signed;
    this.jwt = signed.getJwt();

    BasicAttributes attributes = BasicAttributes.create();
    jwt.payloadClaims()
            .forEach((claimName, claimValue) -> attributes.put(claimName, JwtUtil.toObject(claimValue)));
    jwt.email().ifPresent(email -> attributes.put("email", email));
    jwt.emailVerified().ifPresent(verified -> attributes.put("email_verified", verified));
    jwt.locale().ifPresent(locale -> attributes.put("locale", locale));
    jwt.familyName().ifPresent(familyName -> attributes.put("family_name", familyName));
    jwt.givenName().ifPresent(givenName -> attributes.put("given_name", givenName));
    jwt.fullName().ifPresent(fullName -> attributes.put("full_name", fullName));
    this.properties = attributes;

    String subject = jwt.subject()
            .orElseThrow(() -> new JwtException("JWT does not contain subject claim, cannot create principal."));
    this.id = subject;
    // name falls back from user principal to preferred username to the subject
    this.name = jwt.userPrincipal()
            .orElseGet(() -> jwt.preferredUsername().orElse(subject));
}
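/**
 * Authenticates a request from the JWT carried in its headers: signature verification against
 * {@code verifyKeys}/{@code defaultJwk}, then issuer and audience validation.
 *
 * @param providerRequest request whose headers are searched for the token
 * @param loginConfig     login configuration; not consulted by this implementation
 * @return success with the built subject; failure with the verification or validation errors;
 *         abstain when no token is present and the provider is optional
 */
AuthenticationResponse authenticate(ProviderRequest providerRequest, LoginConfig loginConfig) {
    return atnTokenHandler.extractToken(providerRequest.env().headers())
            .map(token -> {
                SignedJwt signedJwt = SignedJwt.parseToken(token);
                Errors signatureErrors = signedJwt.verifySignature(verifyKeys, defaultJwk);
                if (!signatureErrors.isValid()) {
                    // never look at claims of a token whose signature did not verify
                    return AuthenticationResponse.failed(signatureErrors.toString());
                }

                Jwt jwt = signedJwt.getJwt();
                Errors claimErrors = jwt.validate(expectedIssuer, expectedAudience);
                if (!claimErrors.isValid()) {
                    // validate(...) checks issuer as well as audience; surface the real
                    // failure rather than a fixed "audience" message
                    return AuthenticationResponse.failed(claimErrors.toString());
                }
                return AuthenticationResponse.success(buildSubject(jwt, signedJwt));
            })
            .orElseGet(() -> {
                if (optional) {
                    return AuthenticationResponse.abstain();
                }
                return AuthenticationResponse.failed("Header not available or in a wrong format");
            });
}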
/**
 * Synchronous authentication from the JWT in the request headers.
 *
 * @param providerRequest request whose headers are searched for the token
 * @return abstain when authentication is disabled or (for an optional provider) no token is
 *         present; failure when the signature or audience does not verify; success otherwise
 */
@Override
protected AuthenticationResponse syncAuthenticate(ProviderRequest providerRequest) {
    if (!authenticate) {
        return AuthenticationResponse.abstain();
    }

    return atnTokenHandler.extractToken(providerRequest.env().headers())
            .map(token -> {
                SignedJwt signedJwt = SignedJwt.parseToken(token);
                Errors signatureErrors = signedJwt.verifySignature(verifyKeys);
                if (!signatureErrors.isValid()) {
                    // never look at claims of a token whose signature did not verify
                    return AuthenticationResponse.failed(signatureErrors.toString());
                }

                Jwt jwt = signedJwt.getJwt();
                // no expected issuer here (null); only the audience is constrained
                Errors claimErrors = jwt.validate(null, expectedAudience);
                if (!claimErrors.isValid()) {
                    return AuthenticationResponse.failed("Audience is invalid or missing: " + expectedAudience);
                }
                return AuthenticationResponse.success(buildSubject(jwt, signedJwt));
            })
            .orElseGet(() -> {
                if (optional) {
                    return AuthenticationResponse.abstain();
                }
                return AuthenticationResponse.failed("Header not available or in a wrong format");
            });
}