/**
 * Reports which of the required ID Token claims ({@code iss}, {@code sub}, {@code aud},
 * {@code exp}, {@code iat}) are absent from the given token.
 *
 * @param idToken the ID Token to inspect
 * @return a map keyed by claim name holding the (null or empty) value that was read for
 *         each missing claim; empty when every required claim is present
 */
private static Map<String, Object> validateRequiredClaims(Jwt idToken) {
    // Read each required claim up front; all five are always consulted.
    URL iss = idToken.getIssuer();
    String sub = idToken.getSubject();
    List<String> aud = idToken.getAudience();
    Instant exp = idToken.getExpiresAt();
    Instant iat = idToken.getIssuedAt();

    Map<String, Object> missing = new HashMap<>();
    if (iss == null) {
        missing.put(IdTokenClaimNames.ISS, iss);
    }
    if (sub == null) {
        missing.put(IdTokenClaimNames.SUB, sub);
    }
    // "aud" is required and must contain at least one entry; an empty list counts as missing.
    if (CollectionUtils.isEmpty(aud)) {
        missing.put(IdTokenClaimNames.AUD, aud);
    }
    if (exp == null) {
        missing.put(IdTokenClaimNames.EXP, exp);
    }
    if (iat == null) {
        missing.put(IdTokenClaimNames.IAT, iat);
    }
    return missing;
}
}
if (!idToken.getAudience().contains(this.clientRegistration.getClientId())) { invalidClaims.put(IdTokenClaimNames.AUD, idToken.getAudience()); if (idToken.getAudience().size() > 1 && authorizedParty == null) { invalidClaims.put(IdTokenClaimNames.AZP, authorizedParty);
/**
 * A {@code Jwt} built with valid token value, timestamps, headers and claims exposes
 * every registered claim through its typed accessors.
 */
@Test
public void constructorWhenParametersProvidedAndValidThenCreated() {
    Instant issuedAt = Instant.ofEpochMilli(IAT_VALUE);
    Instant expiresAt = Instant.ofEpochMilli(EXP_VALUE);
    Jwt jwt = new Jwt(JWT_TOKEN_VALUE, issuedAt, expiresAt, HEADERS, CLAIMS);

    // Raw constructor inputs are exposed unchanged.
    assertThat(jwt.getTokenValue()).isEqualTo(JWT_TOKEN_VALUE);
    assertThat(jwt.getHeaders()).isEqualTo(HEADERS);
    assertThat(jwt.getClaims()).isEqualTo(CLAIMS);

    // Registered claims are surfaced through their typed accessors.
    assertThat(jwt.getIssuer().toString()).isEqualTo(ISS_VALUE);
    assertThat(jwt.getSubject()).isEqualTo(SUB_VALUE);
    assertThat(jwt.getAudience()).isEqualTo(AUD_VALUE);
    assertThat(jwt.getExpiresAt().toEpochMilli()).isEqualTo(EXP_VALUE);
    assertThat(jwt.getNotBefore().getEpochSecond()).isEqualTo(NBF_VALUE);
    assertThat(jwt.getIssuedAt().toEpochMilli()).isEqualTo(IAT_VALUE);
    assertThat(jwt.getId()).isEqualTo(JTI_VALUE);
}
}
/**
 * Accepts the token only when its {@code aud} claim lists the configured audience.
 *
 * @param t the decoded token under validation
 * @return success when the audience matches; otherwise a failure carrying
 *         {@code INVALID_AUDIENCE}, with a warning logged when enabled
 */
@Override
public OAuth2TokenValidatorResult validate(Jwt t) {
    // A missing "aud" claim is treated as a mismatch rather than an error.
    boolean audienceMatches = t.getAudience() != null && t.getAudience().contains(this.audience);
    if (audienceMatches) {
        return OAuth2TokenValidatorResult.success();
    }
    if (LOGGER.isWarnEnabled()) {
        LOGGER.warn(String.format(
                "Expected audience %s did not match token audience %s", this.audience, t.getAudience()));
    }
    return OAuth2TokenValidatorResult.failure(INVALID_AUDIENCE);
}
/**
 * Accepts the token only when its {@code aud} claim lists the configured audience.
 *
 * @param t the decoded token under validation
 * @return success when the audience matches; otherwise a failure carrying
 *         {@code INVALID_AUDIENCE}, with a warning logged when enabled
 */
@Override
public OAuth2TokenValidatorResult validate(Jwt t) {
    // A missing "aud" claim is treated as a mismatch rather than an error.
    boolean audienceMatches = t.getAudience() != null && t.getAudience().contains(this.audience);
    if (audienceMatches) {
        return OAuth2TokenValidatorResult.success();
    }
    if (LOGGER.isWarnEnabled()) {
        LOGGER.warn(String.format(
                "Expected audience %s did not match token audience %s", this.audience, t.getAudience()));
    }
    return OAuth2TokenValidatorResult.failure(INVALID_AUDIENCE);
}
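/**
 * Builds the resource-server {@code JwtDecoder}: every access token must pass timestamp,
 * issuer and audience validation before it is accepted.
 *
 * @param oAuth2ResourceServerProperties supplies the issuer URI and JWK Set URI
 * @param oktaOAuth2Properties supplies the audience this service expects in {@code aud}
 * @return a Nimbus-backed decoder with the composed validator and this configuration's
 *         {@code RestOperations} installed
 */
@Bean
@ConditionalOnMissingBean
JwtDecoder jwtDecoder(OAuth2ResourceServerProperties oAuth2ResourceServerProperties,
        OktaOAuth2Properties oktaOAuth2Properties) {
    // The expected audience is fixed once properties are bound; build the set once
    // instead of on every validation call.
    Set<String> expectedAudience = new HashSet<>();
    expectedAudience.add(oktaOAuth2Properties.getAudience());

    List<OAuth2TokenValidator<Jwt>> validators = new ArrayList<>();
    validators.add(new JwtTimestampValidator());
    validators.add(new JwtIssuerValidator(oAuth2ResourceServerProperties.getJwt().getIssuerUri()));
    validators.add(token -> {
        // A token without an "aud" claim must be rejected as invalid, not blow up:
        // Collections.disjoint throws NullPointerException on a null collection.
        List<String> tokenAudience = token.getAudience();
        boolean audienceMatches = tokenAudience != null
                && !Collections.disjoint(tokenAudience, expectedAudience);
        return audienceMatches
                ? OAuth2TokenValidatorResult.success()
                : OAuth2TokenValidatorResult.failure(INVALID_AUDIENCE);
    });
    OAuth2TokenValidator<Jwt> validator = new DelegatingOAuth2TokenValidator<>(validators);

    NimbusJwtDecoderJwkSupport decoder = new NimbusJwtDecoderJwkSupport(
            oAuth2ResourceServerProperties.getJwt().getJwkSetUri());
    decoder.setJwtValidator(validator);
    decoder.setRestOperations(restOperations());
    return decoder;
}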