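/**
 * Verifies the JWS signature of {@code token} with the configured signing key and then
 * checks the parsed claims for a matching issuer and the presence of a client id claim.
 *
 * <p>Only the signature, the issuer and the client id are checked here.
 * NOTE(review): no expiration, not-before or audience check is visible in this method —
 * confirm the caller enforces them before trusting the returned claims.
 *
 * @param token the compact JWS to validate
 * @return the parsed claims once the signature and the checks above have passed
 * @throws IllegalArgumentException when the signing key has no public key, the issuer claim is
 *         blank or does not match this validator's issuer, or the client id claim is blank
 *         (checked exceptions from parsing/claim access are rethrown unchecked via {@code @SneakyThrows})
 */
@Override
@SneakyThrows
public JwtClaims validate(final String token) {
    val jsonWebKey = getSigningKey();
    if (jsonWebKey.getPublicKey() == null) {
        throw new IllegalArgumentException("JSON web key used to validate the id token signature has no associated public key");
    }
    // The signature is verified before any claim is parsed, so unsigned input never reaches the checks below.
    val jwt = EncodingUtils.verifyJwsSignature(jsonWebKey.getPublicKey(), token);
    val result = new String(jwt, StandardCharsets.UTF_8);
    val claims = JwtClaims.parse(result);
    LOGGER.debug("Validated claims as [{}]", claims);
    if (StringUtils.isBlank(claims.getIssuer())) {
        throw new IllegalArgumentException("Claims do not container an issuer");
    }
    // Bug fix: the condition was inverted, rejecting tokens whose issuer matched and
    // accepting every other issuer. NOTE(review): OIDC requires an exact issuer comparison;
    // the case-insensitive match is kept to preserve existing behaviour — consider equals().
    if (!claims.getIssuer().equalsIgnoreCase(this.issuer)) {
        throw new IllegalArgumentException("Issuer assigned to claims does not match " + this.issuer);
    }
    if (StringUtils.isBlank(claims.getStringClaimValue(OAuth20Constants.CLIENT_ID))) {
        throw new IllegalArgumentException("Claims do not contain a client id claim");
    }
    return claims;
}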
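/**
 * Reads the issuer (iss) claim from an <em>unverified</em> JWT and returns it as a URI,
 * with any single trailing slash removed.
 *
 * <p>Signature and claim validation are deliberately skipped, so the returned value is
 * attacker-controlled until the token is verified. NOTE(review): callers presumably
 * restrict which issuer URIs may be fetched (e.g. an allow-list) before resolving a key
 * set from it — confirm that check exists.
 *
 * @param jwt the compact JWT to read the issuer from
 * @return the issuer as a URI, without a trailing slash
 * @throws InvalidJwtException    when the token cannot be parsed
 * @throws MalformedClaimException when the issuer claim is missing, blank, or (propagated
 *         from {@code getIssuer()}) not a string
 * @throws IllegalArgumentException when the issuer is not a syntactically valid URI
 */
private static URI extractIssuer(final String jwt) throws InvalidJwtException, MalformedClaimException {
    // Parse only: no signature verification and no claim validators.
    final JwtConsumer jwtConsumer = new JwtConsumerBuilder()
        .setSkipAllValidators()
        .setDisableRequireSignature()
        .setSkipSignatureVerification()
        .build();
    final JwtContext jwtContext = jwtConsumer.process(jwt);
    // Bug fix: a token without an iss claim previously caused a NullPointerException on endsWith().
    final String rawIssuer = jwtContext.getJwtClaims().getIssuer();
    if (rawIssuer == null || rawIssuer.trim().isEmpty()) {
        throw new MalformedClaimException("JWT does not carry an issuer (iss) claim");
    }
    // Normalise so that "https://x/" and "https://x" resolve to the same key set URI.
    final String issuer = rawIssuer.endsWith("/")
        ? rawIssuer.substring(0, rawIssuer.length() - 1)
        : rawIssuer;
    return URI.create(issuer);
}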
/**
 * Checks the issuer (iss) claim of the supplied context against the configured expectations.
 *
 * @param jwtContext the processed token whose claims are inspected
 * @return {@code null} when the issuer is acceptable (or absent and not required); otherwise an
 *         {@link Error} carrying {@code ISSUER_MISSING} or {@code ISSUER_INVALID}
 * @throws MalformedClaimException propagated from {@code getIssuer()}
 */
@Override
public Error validate(JwtContext jwtContext) throws MalformedClaimException {
    final String actualIssuer = jwtContext.getJwtClaims().getIssuer();
    if (actualIssuer == null) {
        if (!requireIssuer) {
            return null;
        }
        return new Error(ErrorCodes.ISSUER_MISSING,
            "No Issuer (iss) claim present but was expecting " + expectedValue());
    }
    // A null expectation list accepts any issuer; otherwise exact membership is required.
    final boolean accepted = expectedIssuers == null || expectedIssuers.contains(actualIssuer);
    if (accepted) {
        return null;
    }
    return new Error(ErrorCodes.ISSUER_INVALID,
        "Issuer (iss) claim value (" + actualIssuer + ") doesn't match expected value of " + expectedValue());
}
val claims = JwtClaims.parse(json); if (!claims.getIssuer().equals(issuer)) { LOGGER.error("Token issuer does not match CAS"); return null;