/** * Verify signature against the provided keys (the kid of this * JWT should be present in the {@link JwkKeys} provided). * * @param keys JwkKeys to obtain a key to verify signature * @return Errors with collected messages, see {@link Errors#isValid()} and {@link Errors#checkValid()} */ public Errors verifySignature(JwkKeys keys) { return verifySignature(keys, null); }
AuthenticationResponse authenticate(ProviderRequest providerRequest, LoginConfig loginConfig) { return atnTokenHandler.extractToken(providerRequest.env().headers()) .map(token -> { SignedJwt signedJwt = SignedJwt.parseToken(token); Errors errors = signedJwt.verifySignature(verifyKeys, defaultJwk); if (errors.isValid()) { Jwt jwt = signedJwt.getJwt(); // verify the audience is correct Errors validate = jwt.validate(expectedIssuer, expectedAudience); if (validate.isValid()) { return AuthenticationResponse.success(buildSubject(jwt, signedJwt)); } else { return AuthenticationResponse.failed("Audience is invalid or missing: " + expectedAudience); } } else { return AuthenticationResponse.failed(errors.toString()); } }).orElseGet(() -> { if (optional) { return AuthenticationResponse.abstain(); } else { return AuthenticationResponse.failed("Header not available or in a wrong format"); } }); }
@Override protected AuthenticationResponse syncAuthenticate(ProviderRequest providerRequest) { if (!authenticate) { return AuthenticationResponse.abstain(); } return atnTokenHandler.extractToken(providerRequest.env().headers()) .map(token -> { SignedJwt signedJwt = SignedJwt.parseToken(token); Errors errors = signedJwt.verifySignature(verifyKeys); if (errors.isValid()) { Jwt jwt = signedJwt.getJwt(); // verify the audience is correct Errors validate = jwt.validate(null, expectedAudience); if (validate.isValid()) { return AuthenticationResponse.success(buildSubject(jwt, signedJwt)); } else { return AuthenticationResponse.failed("Audience is invalid or missing: " + expectedAudience); } } else { return AuthenticationResponse.failed(errors.toString()); } }).orElseGet(() -> { if (optional) { return AuthenticationResponse.abstain(); } else { return AuthenticationResponse.failed("Header not available or in a wrong format"); } }); }
this.jwtValidator = (signedJwt, collector) -> { JwkKeys jwk = oidcConfig.signJwk(); Errors errors = signedJwt.verifySignature(jwk); errors.forEach(errorMessage -> { switch (errorMessage.getSeverity()) {
/** * Verify signature against the provided keys (the kid of this * JWT should be present in the {@link JwkKeys} provided). * * @param keys JwkKeys to obtain a key to verify signature * @return Errors with collected messages, see {@link Errors#isValid()} and {@link Errors#checkValid()} */ public Errors verifySignature(JwkKeys keys) { return verifySignature(keys, null); }
AuthenticationResponse authenticate(ProviderRequest providerRequest, LoginConfig loginConfig) { return atnTokenHandler.extractToken(providerRequest.env().headers()) .map(token -> { SignedJwt signedJwt = SignedJwt.parseToken(token); Errors errors = signedJwt.verifySignature(verifyKeys, defaultJwk); if (errors.isValid()) { Jwt jwt = signedJwt.getJwt(); // verify the audience is correct Errors validate = jwt.validate(expectedIssuer, expectedAudience); if (validate.isValid()) { return AuthenticationResponse.success(buildSubject(jwt, signedJwt)); } else { return AuthenticationResponse.failed("Audience is invalid or missing: " + expectedAudience); } } else { return AuthenticationResponse.failed(errors.toString()); } }).orElseGet(() -> { if (optional) { return AuthenticationResponse.abstain(); } else { return AuthenticationResponse.failed("Header not available or in a wrong format"); } }); }
@Override protected AuthenticationResponse syncAuthenticate(ProviderRequest providerRequest) { if (!authenticate) { return AuthenticationResponse.abstain(); } return atnTokenHandler.extractToken(providerRequest.env().headers()) .map(token -> { SignedJwt signedJwt = SignedJwt.parseToken(token); Errors errors = signedJwt.verifySignature(verifyKeys); if (errors.isValid()) { Jwt jwt = signedJwt.getJwt(); // verify the audience is correct Errors validate = jwt.validate(null, expectedAudience); if (validate.isValid()) { return AuthenticationResponse.success(buildSubject(jwt, signedJwt)); } else { return AuthenticationResponse.failed("Audience is invalid or missing: " + expectedAudience); } } else { return AuthenticationResponse.failed(errors.toString()); } }).orElseGet(() -> { if (optional) { return AuthenticationResponse.abstain(); } else { return AuthenticationResponse.failed("Header not available or in a wrong format"); } }); }