private static Map<String, Object> validateRequiredClaims(Jwt idToken) { Map<String, Object> requiredClaims = new HashMap<>(); URL issuer = idToken.getIssuer(); if (issuer == null) { requiredClaims.put(IdTokenClaimNames.ISS, issuer); } String subject = idToken.getSubject(); if (subject == null) { requiredClaims.put(IdTokenClaimNames.SUB, subject); } List<String> audience = idToken.getAudience(); if (CollectionUtils.isEmpty(audience)) { requiredClaims.put(IdTokenClaimNames.AUD, audience); } Instant expiresAt = idToken.getExpiresAt(); if (expiresAt == null) { requiredClaims.put(IdTokenClaimNames.EXP, expiresAt); } Instant issuedAt = idToken.getIssuedAt(); if (issuedAt == null) { requiredClaims.put(IdTokenClaimNames.IAT, issuedAt); } return requiredClaims; } }
private Mono<OidcIdToken> createOidcToken(ClientRegistration clientRegistration, OAuth2AccessTokenResponse accessTokenResponse) { ReactiveJwtDecoder jwtDecoder = this.jwtDecoderFactory.createDecoder(clientRegistration); String rawIdToken = (String) accessTokenResponse.getAdditionalParameters().get(OidcParameterNames.ID_TOKEN); return jwtDecoder.decode(rawIdToken) .map(jwt -> new OidcIdToken(jwt.getTokenValue(), jwt.getIssuedAt(), jwt.getExpiresAt(), jwt.getClaims())); } }
if (now.plus(this.clockSkew).isBefore(idToken.getIssuedAt())) { invalidClaims.put(IdTokenClaimNames.IAT, idToken.getIssuedAt());
@Test public void constructorWhenParametersProvidedAndValidThenCreated() { Jwt jwt = new Jwt(JWT_TOKEN_VALUE, Instant.ofEpochMilli(IAT_VALUE), Instant.ofEpochMilli(EXP_VALUE), HEADERS, CLAIMS); assertThat(jwt.getTokenValue()).isEqualTo(JWT_TOKEN_VALUE); assertThat(jwt.getHeaders()).isEqualTo(HEADERS); assertThat(jwt.getClaims()).isEqualTo(CLAIMS); assertThat(jwt.getIssuer().toString()).isEqualTo(ISS_VALUE); assertThat(jwt.getSubject()).isEqualTo(SUB_VALUE); assertThat(jwt.getAudience()).isEqualTo(AUD_VALUE); assertThat(jwt.getExpiresAt().toEpochMilli()).isEqualTo(EXP_VALUE); assertThat(jwt.getNotBefore().getEpochSecond()).isEqualTo(NBF_VALUE); assertThat(jwt.getIssuedAt().toEpochMilli()).isEqualTo(IAT_VALUE); assertThat(jwt.getId()).isEqualTo(JTI_VALUE); } }
private OidcIdToken createOidcToken(ClientRegistration clientRegistration, OAuth2AccessTokenResponse accessTokenResponse) { JwtDecoder jwtDecoder = this.jwtDecoderFactory.createDecoder(clientRegistration); Jwt jwt; try { jwt = jwtDecoder.decode((String) accessTokenResponse.getAdditionalParameters().get(OidcParameterNames.ID_TOKEN)); } catch (JwtException ex) { OAuth2Error invalidIdTokenError = new OAuth2Error(INVALID_ID_TOKEN_ERROR_CODE, ex.getMessage(), null); throw new OAuth2AuthenticationException(invalidIdTokenError, invalidIdTokenError.toString(), ex); } OidcIdToken idToken = new OidcIdToken(jwt.getTokenValue(), jwt.getIssuedAt(), jwt.getExpiresAt(), jwt.getClaims()); return idToken; } }
private Mono<OidcIdToken> createOidcToken(ClientRegistration clientRegistration, OAuth2AccessTokenResponse accessTokenResponse) { ReactiveJwtDecoder jwtDecoder = this.decoderFactory.apply(clientRegistration); String rawIdToken = (String) accessTokenResponse.getAdditionalParameters().get(OidcParameterNames.ID_TOKEN); return jwtDecoder.decode(rawIdToken) .map(jwt -> new OidcIdToken(jwt.getTokenValue(), jwt.getIssuedAt(), jwt.getExpiresAt(), jwt.getClaims())) .doOnNext(idToken -> OidcTokenValidator.validateIdToken(idToken, clientRegistration)); }
private OidcIdToken createOidcToken(ClientRegistration clientRegistration, OAuth2AccessTokenResponse accessTokenResponse) { JwtDecoder jwtDecoder = getJwtDecoder(clientRegistration); Jwt jwt = jwtDecoder.decode((String) accessTokenResponse.getAdditionalParameters().get( OidcParameterNames.ID_TOKEN)); OidcIdToken idToken = new OidcIdToken(jwt.getTokenValue(), jwt.getIssuedAt(), jwt.getExpiresAt(), jwt.getClaims()); OidcTokenValidator.validateIdToken(idToken, clientRegistration); return idToken; }