/**
 * Resolves one {@link Claims} entry from the validated token.
 *
 * <p>Claims that have a dedicated accessor on {@code jwt} (plus the {@code raw_token}
 * pseudo-claim, which is answered from the signed token text) are served directly;
 * every other claim is fetched as a JSON value and converted according to its
 * declared type via {@code convert}.
 *
 * @param claims claim to resolve; {@code null} is not supported
 * @return the claim value, or {@code null} when the token does not carry the claim
 */
private Object getClaim(Claims claims) {
    // Short-circuit for claims whose value is not a plain JSON lookup.
    switch (claims) {
    case raw_token:
        return signed.tokenContent();
    case groups:
        // list from the token is handed out as a Set copy
        return jwt.userGroups().map(groupList -> new HashSet<>(groupList)).orElse(null);
    case aud:
        return jwt.audience().map(audienceList -> new HashSet<>(audienceList)).orElse(null);
    case email_verified:
        return jwt.emailVerified().orElse(null);
    case phone_number_verified:
        return jwt.phoneNumberVerified().orElse(null);
    case upn:
        return jwt.userPrincipal().orElse(null);
    default:
        break; // generic, type-driven conversion below
    }

    Optional<JsonValue> jsonValue = getJsonValue(claims.name());
    if (!jsonValue.isPresent()) {
        return null;
    }
    return convert(claims, jsonValue.get());
}
/**
 * Looks up the raw JSON value of a claim by name.
 *
 * <p>The {@code raw_token} pseudo-claim is answered with the signed token text wrapped
 * as a JSON string. For any other name the token payload is consulted first and the
 * JOSE header second.
 *
 * @param claimName name of the claim to look up
 * @return the JSON value, or empty when neither payload nor header carries it
 */
private Optional<JsonValue> getJsonValue(String claimName) {
    boolean wantsRawToken = Claims.raw_token.name().equals(claimName);
    if (wantsRawToken) {
        // not a real claim: expose the compact serialization that was verified
        JsonValue rawToken = Json.createValue(signed.tokenContent());
        return Optional.of(rawToken);
    }
    // NOTE(review): the header fallback means a lookup for a payload claim can be
    // satisfied by a header parameter of the same name - confirm that is intended.
    return OptionalHelper.from(jwt.payloadClaim(claimName))
            .or(() -> jwt.headerClaim(claimName))
            .asOptional();
}
/**
 * Assembles the {@link Subject} that represents the authenticated caller.
 *
 * <p>The subject carries the principal derived from the token, a
 * {@link TokenCredential} wrapping both the parsed and the signed token (issuer,
 * issue time and expiration are copied over only when the token has them), and one
 * grant of type {@code "scope"} per scope listed in the token.
 *
 * @param jwt       parsed token
 * @param signedJwt signed form of the same token
 * @return the populated subject
 */
private Subject buildSubject(Jwt jwt, SignedJwt signedJwt) {
    Principal principal = buildPrincipal(jwt);

    TokenCredential.Builder credential = TokenCredential.builder();
    credential.token(signedJwt.tokenContent());
    credential.addToken(Jwt.class, jwt);
    credential.addToken(SignedJwt.class, signedJwt);
    // temporal / issuer metadata is optional on the token
    jwt.issueTime().ifPresent(credential::issueTime);
    jwt.expirationTime().ifPresent(credential::expTime);
    jwt.issuer().ifPresent(credential::issuer);

    Subject.Builder subjectBuilder = Subject.builder()
            .principal(principal)
            .addPublicCredential(TokenCredential.class, credential.build());

    // each scope becomes a "scope" grant; no scopes claim means no grants
    jwt.scopes().ifPresent(scopeList -> {
        for (String scope : scopeList) {
            subjectBuilder.addGrant(Grant.builder()
                                            .name(scope)
                                            .type("scope")
                                            .build());
        }
    });

    return subjectBuilder.build();
}
/**
 * Issues an outbound token for a configured impersonation identity.
 *
 * <p>A new token is built with {@code username} as subject, preferred username and
 * {@code name} claim, stamped with this provider's issuer, handed to the target for
 * adjustment, signed with the target's configured key and placed into the outbound
 * headers by the target's handler.
 *
 * @param ot       outbound target holding the signing key id and the header handler
 * @param username identity the new token asserts; nothing here validates it, so it must
 *                 originate from trusted configuration
 * @return response carrying the header(s) with the signed token
 * @throws JwtException when {@code ot.jwkKid} is not present in the signing keys
 */
private OutboundSecurityResponse impersonate(JwtOutboundTarget ot, String username) {
    Jwk signingKey = signKeys.forKeyId(ot.jwkKid)
            .orElseThrow(() -> new JwtException("Signing JWK with kid: " + ot.jwkKid + " is not defined."));

    Jwt.Builder tokenBuilder = Jwt.builder();
    tokenBuilder.addPayloadClaim("name", username);
    tokenBuilder.subject(username)
            .preferredUsername(username)
            .issuer(issuer)
            .algorithm(signingKey.algorithm());
    // the target gets a chance to adjust the builder before the token is signed
    ot.update(tokenBuilder);

    SignedJwt signedToken = SignedJwt.sign(tokenBuilder.build(), signingKey);

    Map<String, List<String>> outboundHeaders = new HashMap<>();
    ot.outboundHandler.header(outboundHeaders, signedToken.tokenContent());
    return OutboundSecurityResponse.withHeaders(outboundHeaders);
}
/**
 * Builds the {@link Subject} for a validated MicroProfile JWT.
 *
 * <p>The principal is the {@link JsonWebTokenImpl} built from the token; it is also
 * registered on the {@link TokenCredential} under {@link JsonWebToken}, next to the
 * parsed {@link Jwt} and the {@link SignedJwt}. Each user group from the token becomes
 * a {@link Role}, and each scope a grant of type {@code "scope"}.
 *
 * @param jwt       parsed token
 * @param signedJwt signed form of the same token
 * @return subject describing the caller
 */
Subject buildSubject(Jwt jwt, SignedJwt signedJwt) {
    JsonWebTokenImpl principal = buildPrincipal(jwt, signedJwt);

    TokenCredential.Builder credential = TokenCredential.builder();
    credential.token(signedJwt.tokenContent());
    credential.addToken(JsonWebToken.class, principal);
    credential.addToken(Jwt.class, jwt);
    credential.addToken(SignedJwt.class, signedJwt);
    // optional metadata: only set when the token carries it
    jwt.issueTime().ifPresent(credential::issueTime);
    jwt.expirationTime().ifPresent(credential::expTime);
    jwt.issuer().ifPresent(credential::issuer);

    Subject.Builder subjectBuilder = Subject.builder()
            .principal(principal)
            .addPublicCredential(TokenCredential.class, credential.build());

    // group membership from the token maps one-to-one onto roles
    Optional<List<String>> userGroups = jwt.userGroups();
    if (userGroups.isPresent()) {
        for (String group : userGroups.get()) {
            subjectBuilder.addGrant(Role.create(group));
        }
    }

    Optional<List<String>> scopes = jwt.scopes();
    if (scopes.isPresent()) {
        for (String scope : scopes.get()) {
            subjectBuilder.addGrant(Grant.builder()
                                            .name(scope)
                                            .type("scope")
                                            .build());
        }
    }

    return subjectBuilder.build();
}
/**
 * Assembles the {@link Subject} that represents the authenticated caller.
 *
 * <p>The subject carries the principal derived from the token, a
 * {@link TokenCredential} wrapping both the parsed and the signed token (issuer,
 * issue time and expiration are copied over only when the token has them), and one
 * grant of type {@code "scope"} per scope listed in the token.
 *
 * @param jwt       parsed token
 * @param signedJwt signed form of the same token
 * @return the populated subject
 */
Subject buildSubject(Jwt jwt, SignedJwt signedJwt) {
    Principal principal = buildPrincipal(jwt);

    TokenCredential.Builder credential = TokenCredential.builder();
    credential.token(signedJwt.tokenContent());
    credential.addToken(Jwt.class, jwt);
    credential.addToken(SignedJwt.class, signedJwt);
    // temporal / issuer metadata is optional on the token
    jwt.issueTime().ifPresent(credential::issueTime);
    jwt.expirationTime().ifPresent(credential::expTime);
    jwt.issuer().ifPresent(credential::issuer);

    Subject.Builder subjectBuilder = Subject.builder()
            .principal(principal)
            .addPublicCredential(TokenCredential.class, credential.build());

    // each scope becomes a "scope" grant; no scopes claim means no grants
    Optional<List<String>> scopes = jwt.scopes();
    if (scopes.isPresent()) {
        for (String scope : scopes.get()) {
            subjectBuilder.addGrant(Grant.builder()
                                            .name(scope)
                                            .type("scope")
                                            .build());
        }
    }

    return subjectBuilder.build();
}
/**
 * Issues an outbound token for a configured impersonation identity.
 *
 * <p>A new token is built with {@code username} as subject, preferred username and
 * {@code name} claim, stamped with this provider's issuer, handed to the target for
 * adjustment, signed with the target's configured key and placed into the outbound
 * headers by the target's handler.
 *
 * @param ot       outbound target holding the signing key id and the header handler
 * @param username identity the new token asserts; nothing here validates it, so it must
 *                 originate from trusted configuration
 * @return response carrying the header(s) with the signed token
 * @throws JwtException when {@code ot.jwkKid} is not present in the signing keys
 */
private OutboundSecurityResponse impersonate(JwtOutboundTarget ot, String username) {
    Jwk signingKey = signKeys.forKeyId(ot.jwkKid)
            .orElseThrow(() -> new JwtException("Signing JWK with kid: " + ot.jwkKid + " is not defined."));

    Jwt.Builder tokenBuilder = Jwt.builder();
    tokenBuilder.addPayloadClaim("name", username);
    tokenBuilder.subject(username)
            .preferredUsername(username)
            .issuer(issuer)
            .algorithm(signingKey.algorithm());
    // the target gets a chance to adjust the builder before the token is signed
    ot.update(tokenBuilder);

    SignedJwt signedToken = SignedJwt.sign(tokenBuilder.build(), signingKey);

    Map<String, List<String>> outboundHeaders = new HashMap<>();
    ot.outboundHandler.header(outboundHeaders, signedToken.tokenContent());
    return OutboundSecurityResponse.withHeaders(outboundHeaders);
}
/**
 * Propagates the current {@link Subject} to an outbound call as a newly signed token.
 *
 * <p>Every ABAC attribute of the principal is copied into the token payload under its
 * own name; the {@code name} claim is then set from the {@code full_name} attribute or
 * removed when there is none. Subject, preferred username, issuer and algorithm are set,
 * the target adjusts the builder, and the MicroProfile extras are added: a {@code upn}
 * falling back to the principal name, and the subject's roles as user groups.
 *
 * @param ot      outbound target holding the signing key id and the header handler
 * @param subject subject whose identity is forwarded
 * @return response carrying the header(s) with the signed token
 * @throws JwtException when {@code ot.jwkKid} is not present in the signing keys
 */
private OutboundSecurityResponse propagate(JwtOutboundTarget ot, Subject subject) {
    Jwk signingKey = signKeys.forKeyId(ot.jwkKid)
            .orElseThrow(() -> new JwtException("Signing JWK with kid: " + ot.jwkKid + " is not defined."));
    Principal principal = subject.principal();

    Jwt.Builder tokenBuilder = Jwt.builder();
    // NOTE(review): all ABAC attributes are forwarded verbatim, so whatever an upstream
    // provider stored on the principal becomes visible to the downstream service.
    principal.abacAttributeNames()
            .forEach(attributeName -> principal.abacAttribute(attributeName)
                    .ifPresent(attributeValue -> tokenBuilder.addPayloadClaim(attributeName, attributeValue)));
    // "name" is derived from full_name only; a "name" attribute copied above is overridden or dropped
    OptionalHelper.from(principal.abacAttribute("full_name"))
            .ifPresentOrElse(fullName -> tokenBuilder.addPayloadClaim("name", fullName),
                             () -> tokenBuilder.removePayloadClaim("name"));
    tokenBuilder.subject(principal.id())
            .preferredUsername(principal.getName())
            .issuer(issuer)
            .algorithm(signingKey.algorithm());
    ot.update(tokenBuilder);

    // MP specific: upn defaults to the principal name unless the attribute is already present
    boolean hasUpn = principal.abacAttribute("upn").isPresent();
    if (!hasUpn) {
        tokenBuilder.userPrincipal(principal.getName());
    }
    Security.getRoles(subject).forEach(tokenBuilder::addUserGroup);

    SignedJwt signedToken = SignedJwt.sign(tokenBuilder.build(), signingKey);

    Map<String, List<String>> outboundHeaders = new HashMap<>();
    ot.outboundHandler.header(outboundHeaders, signedToken.tokenContent());
    return OutboundSecurityResponse.withHeaders(outboundHeaders);
}
/**
 * Propagates the current {@link Subject} to an outbound call as a newly signed token.
 *
 * <p>Every ABAC attribute of the principal is copied into the token payload under its
 * own name; the {@code name} claim is then set from the {@code full_name} attribute or
 * removed when there is none. Subject, preferred username, issuer and algorithm are set,
 * the target adjusts the builder, and the result is signed with the target's key and
 * written into the outbound headers by the target's handler.
 *
 * @param ot      outbound target holding the signing key id and the header handler
 * @param subject subject whose identity is forwarded
 * @return response carrying the header(s) with the signed token
 * @throws JwtException when {@code ot.jwkKid} is not present in the signing keys
 */
private OutboundSecurityResponse propagate(JwtOutboundTarget ot, Subject subject) {
    Jwk signingKey = signKeys.forKeyId(ot.jwkKid)
            .orElseThrow(() -> new JwtException("Signing JWK with kid: " + ot.jwkKid + " is not defined."));
    Principal principal = subject.principal();

    Jwt.Builder tokenBuilder = Jwt.builder();
    // NOTE(review): all ABAC attributes are forwarded verbatim, so whatever an upstream
    // provider stored on the principal becomes visible to the downstream service.
    principal.abacAttributeNames()
            .forEach(attributeName -> principal.abacAttribute(attributeName)
                    .ifPresent(attributeValue -> tokenBuilder.addPayloadClaim(attributeName, attributeValue)));
    // "name" is derived from full_name only; a "name" attribute copied above is overridden or dropped
    OptionalHelper.from(principal.abacAttribute("full_name"))
            .ifPresentOrElse(fullName -> tokenBuilder.addPayloadClaim("name", fullName),
                             () -> tokenBuilder.removePayloadClaim("name"));
    tokenBuilder.subject(principal.id())
            .preferredUsername(principal.getName())
            .issuer(issuer)
            .algorithm(signingKey.algorithm());
    ot.update(tokenBuilder);

    SignedJwt signedToken = SignedJwt.sign(tokenBuilder.build(), signingKey);

    Map<String, List<String>> outboundHeaders = new HashMap<>();
    ot.outboundHandler.header(outboundHeaders, signedToken.tokenContent());
    return OutboundSecurityResponse.withHeaders(outboundHeaders);
}
formValues.putSingle("token", signedJwt.tokenContent()); Response response = oidcConfig.introspectEndpoint().request() .accept(MediaType.APPLICATION_JSON_TYPE)
/**
 * Resolves one {@link Claims} entry from the validated token.
 *
 * <p>Claims that have a dedicated accessor on {@code jwt} (plus the {@code raw_token}
 * pseudo-claim, which is answered from the signed token text) are served directly;
 * every other claim is fetched as a JSON value and converted according to its
 * declared type via {@code convert}.
 *
 * @param claims claim to resolve; {@code null} is not supported
 * @return the claim value, or {@code null} when the token does not carry the claim
 */
private Object getClaim(Claims claims) {
    // Short-circuit for claims whose value is not a plain JSON lookup.
    switch (claims) {
    case raw_token:
        return signed.tokenContent();
    case groups:
        // list from the token is handed out as a Set copy
        return jwt.userGroups().map(groupList -> new HashSet<>(groupList)).orElse(null);
    case aud:
        return jwt.audience().map(audienceList -> new HashSet<>(audienceList)).orElse(null);
    case email_verified:
        return jwt.emailVerified().orElse(null);
    case phone_number_verified:
        return jwt.phoneNumberVerified().orElse(null);
    case upn:
        return jwt.userPrincipal().orElse(null);
    default:
        break; // generic, type-driven conversion below
    }

    Optional<JsonValue> jsonValue = getJsonValue(claims.name());
    if (!jsonValue.isPresent()) {
        return null;
    }
    return convert(claims, jsonValue.get());
}
/**
 * Looks up the raw JSON value of a claim by name.
 *
 * <p>The {@code raw_token} pseudo-claim is answered with the signed token text wrapped
 * as a JSON string. For any other name the token payload is consulted first and the
 * JOSE header second.
 *
 * @param claimName name of the claim to look up
 * @return the JSON value, or empty when neither payload nor header carries it
 */
private Optional<JsonValue> getJsonValue(String claimName) {
    boolean wantsRawToken = Claims.raw_token.name().equals(claimName);
    if (wantsRawToken) {
        // not a real claim: expose the compact serialization that was verified
        JsonValue rawToken = Json.createValue(signed.tokenContent());
        return Optional.of(rawToken);
    }
    // NOTE(review): the header fallback means a lookup for a payload claim can be
    // satisfied by a header parameter of the same name - confirm that is intended.
    return OptionalHelper.from(jwt.payloadClaim(claimName))
            .or(() -> jwt.headerClaim(claimName))
            .asOptional();
}
/**
 * Builds the {@link Subject} for a validated MicroProfile JWT.
 *
 * <p>The principal is the {@link JsonWebTokenImpl} built from the token; it is also
 * registered on the {@link TokenCredential} under {@link JsonWebToken}, next to the
 * parsed {@link Jwt} and the {@link SignedJwt}. Each user group from the token becomes
 * a {@link Role}, and each scope a grant of type {@code "scope"}.
 *
 * @param jwt       parsed token
 * @param signedJwt signed form of the same token
 * @return subject describing the caller
 */
Subject buildSubject(Jwt jwt, SignedJwt signedJwt) {
    JsonWebTokenImpl principal = buildPrincipal(jwt, signedJwt);

    TokenCredential.Builder credential = TokenCredential.builder();
    credential.token(signedJwt.tokenContent());
    credential.addToken(JsonWebToken.class, principal);
    credential.addToken(Jwt.class, jwt);
    credential.addToken(SignedJwt.class, signedJwt);
    // optional metadata: only set when the token carries it
    jwt.issueTime().ifPresent(credential::issueTime);
    jwt.expirationTime().ifPresent(credential::expTime);
    jwt.issuer().ifPresent(credential::issuer);

    Subject.Builder subjectBuilder = Subject.builder()
            .principal(principal)
            .addPublicCredential(TokenCredential.class, credential.build());

    // group membership from the token maps one-to-one onto roles
    Optional<List<String>> userGroups = jwt.userGroups();
    if (userGroups.isPresent()) {
        for (String group : userGroups.get()) {
            subjectBuilder.addGrant(Role.create(group));
        }
    }

    Optional<List<String>> scopes = jwt.scopes();
    if (scopes.isPresent()) {
        for (String scope : scopes.get()) {
            subjectBuilder.addGrant(Grant.builder()
                                            .name(scope)
                                            .type("scope")
                                            .build());
        }
    }

    return subjectBuilder.build();
}
/**
 * Issues an outbound token for a configured impersonation identity.
 *
 * <p>A new token is built with {@code username} as subject, preferred username and
 * {@code name} claim, stamped with this provider's issuer, handed to the target for
 * adjustment, signed with the target's configured key and placed into the outbound
 * headers by the target's handler.
 *
 * @param ot       outbound target holding the signing key id and the header handler
 * @param username identity the new token asserts; nothing here validates it, so it must
 *                 originate from trusted configuration
 * @return response carrying the header(s) with the signed token
 * @throws JwtException when {@code ot.jwkKid} is not present in the signing keys
 */
private OutboundSecurityResponse impersonate(JwtOutboundTarget ot, String username) {
    Jwk signingKey = signKeys.forKeyId(ot.jwkKid)
            .orElseThrow(() -> new JwtException("Signing JWK with kid: " + ot.jwkKid + " is not defined."));

    Jwt.Builder tokenBuilder = Jwt.builder();
    tokenBuilder.addPayloadClaim("name", username);
    tokenBuilder.subject(username)
            .preferredUsername(username)
            .issuer(issuer)
            .algorithm(signingKey.algorithm());
    // the target gets a chance to adjust the builder before the token is signed
    ot.update(tokenBuilder);

    SignedJwt signedToken = SignedJwt.sign(tokenBuilder.build(), signingKey);

    Map<String, List<String>> outboundHeaders = new HashMap<>();
    ot.outboundHandler.header(outboundHeaders, signedToken.tokenContent());
    return OutboundSecurityResponse.withHeaders(outboundHeaders);
}
/**
 * Issues an outbound token for a configured impersonation identity.
 *
 * <p>A new token is built with {@code username} as subject, preferred username and
 * {@code name} claim, stamped with this provider's issuer, handed to the target for
 * adjustment, signed with the target's configured key and placed into the outbound
 * headers by the target's handler.
 *
 * @param ot       outbound target holding the signing key id and the header handler
 * @param username identity the new token asserts; nothing here validates it, so it must
 *                 originate from trusted configuration
 * @return response carrying the header(s) with the signed token
 * @throws JwtException when {@code ot.jwkKid} is not present in the signing keys
 */
private OutboundSecurityResponse impersonate(JwtOutboundTarget ot, String username) {
    Jwk signingKey = signKeys.forKeyId(ot.jwkKid)
            .orElseThrow(() -> new JwtException("Signing JWK with kid: " + ot.jwkKid + " is not defined."));

    Jwt.Builder tokenBuilder = Jwt.builder();
    tokenBuilder.addPayloadClaim("name", username);
    tokenBuilder.subject(username)
            .preferredUsername(username)
            .issuer(issuer)
            .algorithm(signingKey.algorithm());
    // the target gets a chance to adjust the builder before the token is signed
    ot.update(tokenBuilder);

    SignedJwt signedToken = SignedJwt.sign(tokenBuilder.build(), signingKey);

    Map<String, List<String>> outboundHeaders = new HashMap<>();
    ot.outboundHandler.header(outboundHeaders, signedToken.tokenContent());
    return OutboundSecurityResponse.withHeaders(outboundHeaders);
}
/**
 * Assembles the {@link Subject} that represents the authenticated caller.
 *
 * <p>The subject carries the principal derived from the token, a
 * {@link TokenCredential} wrapping both the parsed and the signed token (issuer,
 * issue time and expiration are copied over only when the token has them), and one
 * grant of type {@code "scope"} per scope listed in the token.
 *
 * @param jwt       parsed token
 * @param signedJwt signed form of the same token
 * @return the populated subject
 */
Subject buildSubject(Jwt jwt, SignedJwt signedJwt) {
    Principal principal = buildPrincipal(jwt);

    TokenCredential.Builder credential = TokenCredential.builder();
    credential.token(signedJwt.tokenContent());
    credential.addToken(Jwt.class, jwt);
    credential.addToken(SignedJwt.class, signedJwt);
    // temporal / issuer metadata is optional on the token
    jwt.issueTime().ifPresent(credential::issueTime);
    jwt.expirationTime().ifPresent(credential::expTime);
    jwt.issuer().ifPresent(credential::issuer);

    Subject.Builder subjectBuilder = Subject.builder()
            .principal(principal)
            .addPublicCredential(TokenCredential.class, credential.build());

    // each scope becomes a "scope" grant; no scopes claim means no grants
    Optional<List<String>> scopes = jwt.scopes();
    if (scopes.isPresent()) {
        for (String scope : scopes.get()) {
            subjectBuilder.addGrant(Grant.builder()
                                            .name(scope)
                                            .type("scope")
                                            .build());
        }
    }

    return subjectBuilder.build();
}
/**
 * Propagates the current {@link Subject} to an outbound call as a newly signed token.
 *
 * <p>Every ABAC attribute of the principal is copied into the token payload under its
 * own name; the {@code name} claim is then set from the {@code full_name} attribute or
 * removed when there is none. Subject, preferred username, issuer and algorithm are set,
 * the target adjusts the builder, and the MicroProfile extras are added: a {@code upn}
 * falling back to the principal name, and the subject's roles as user groups.
 *
 * @param ot      outbound target holding the signing key id and the header handler
 * @param subject subject whose identity is forwarded
 * @return response carrying the header(s) with the signed token
 * @throws JwtException when {@code ot.jwkKid} is not present in the signing keys
 */
private OutboundSecurityResponse propagate(JwtOutboundTarget ot, Subject subject) {
    Jwk signingKey = signKeys.forKeyId(ot.jwkKid)
            .orElseThrow(() -> new JwtException("Signing JWK with kid: " + ot.jwkKid + " is not defined."));
    Principal principal = subject.principal();

    Jwt.Builder tokenBuilder = Jwt.builder();
    // NOTE(review): all ABAC attributes are forwarded verbatim, so whatever an upstream
    // provider stored on the principal becomes visible to the downstream service.
    principal.abacAttributeNames()
            .forEach(attributeName -> principal.abacAttribute(attributeName)
                    .ifPresent(attributeValue -> tokenBuilder.addPayloadClaim(attributeName, attributeValue)));
    // "name" is derived from full_name only; a "name" attribute copied above is overridden or dropped
    OptionalHelper.from(principal.abacAttribute("full_name"))
            .ifPresentOrElse(fullName -> tokenBuilder.addPayloadClaim("name", fullName),
                             () -> tokenBuilder.removePayloadClaim("name"));
    tokenBuilder.subject(principal.id())
            .preferredUsername(principal.getName())
            .issuer(issuer)
            .algorithm(signingKey.algorithm());
    ot.update(tokenBuilder);

    // MP specific: upn defaults to the principal name unless the attribute is already present
    boolean hasUpn = principal.abacAttribute("upn").isPresent();
    if (!hasUpn) {
        tokenBuilder.userPrincipal(principal.getName());
    }
    Security.getRoles(subject).forEach(tokenBuilder::addUserGroup);

    SignedJwt signedToken = SignedJwt.sign(tokenBuilder.build(), signingKey);

    Map<String, List<String>> outboundHeaders = new HashMap<>();
    ot.outboundHandler.header(outboundHeaders, signedToken.tokenContent());
    return OutboundSecurityResponse.withHeaders(outboundHeaders);
}
/**
 * Propagates the current {@link Subject} to an outbound call as a newly signed token.
 *
 * <p>Every ABAC attribute of the principal is copied into the token payload under its
 * own name; the {@code name} claim is then set from the {@code full_name} attribute or
 * removed when there is none. Subject, preferred username, issuer and algorithm are set,
 * the target adjusts the builder, and the result is signed with the target's key and
 * written into the outbound headers by the target's handler.
 *
 * @param ot      outbound target holding the signing key id and the header handler
 * @param subject subject whose identity is forwarded
 * @return response carrying the header(s) with the signed token
 * @throws JwtException when {@code ot.jwkKid} is not present in the signing keys
 */
private OutboundSecurityResponse propagate(JwtOutboundTarget ot, Subject subject) {
    Jwk signingKey = signKeys.forKeyId(ot.jwkKid)
            .orElseThrow(() -> new JwtException("Signing JWK with kid: " + ot.jwkKid + " is not defined."));
    Principal principal = subject.principal();

    Jwt.Builder tokenBuilder = Jwt.builder();
    // NOTE(review): all ABAC attributes are forwarded verbatim, so whatever an upstream
    // provider stored on the principal becomes visible to the downstream service.
    principal.abacAttributeNames()
            .forEach(attributeName -> principal.abacAttribute(attributeName)
                    .ifPresent(attributeValue -> tokenBuilder.addPayloadClaim(attributeName, attributeValue)));
    // "name" is derived from full_name only; a "name" attribute copied above is overridden or dropped
    OptionalHelper.from(principal.abacAttribute("full_name"))
            .ifPresentOrElse(fullName -> tokenBuilder.addPayloadClaim("name", fullName),
                             () -> tokenBuilder.removePayloadClaim("name"));
    tokenBuilder.subject(principal.id())
            .preferredUsername(principal.getName())
            .issuer(issuer)
            .algorithm(signingKey.algorithm());
    ot.update(tokenBuilder);

    SignedJwt signedToken = SignedJwt.sign(tokenBuilder.build(), signingKey);

    Map<String, List<String>> outboundHeaders = new HashMap<>();
    ot.outboundHandler.header(outboundHeaders, signedToken.tokenContent());
    return OutboundSecurityResponse.withHeaders(outboundHeaders);
}