private NimbusJwtDecoder makeDelegate() { NimbusJwtDecoder delegate = new NimbusJwtDecoder(this.jwtProcessorBuilder.build()); delegate.setClaimSetConverter(this.claimSetConverter); delegate.setJwtValidator(this.jwtValidator); return delegate; }
/** * Configures a {@link ReactiveJwtDecoder} using * <a target="_blank" href="https://tools.ietf.org/html/rfc7517">JSON Web Key (JWK)</a> URL * @param jwkSetUri the URL to use. * @return the {@code JwtSpec} for additional configuration */ public JwtSpec jwkSetUri(String jwkSetUri) { this.jwtDecoder = new NimbusReactiveJwtDecoder(jwkSetUri); return this; }
/** * Returns the Issued at {@code (iat)} claim which identifies the time at which the JWT was issued. * * @return the Issued at claim which identifies the time at which the JWT was issued */ default Instant getIssuedAt() { return this.getClaimAsInstant(JwtClaimNames.IAT); }
@Bean NimbusJwtDecoder jwtDecoder() { JWTProcessor<SecurityContext> jwtProcessor = JwtProcessors.withJwkSetUri("https://example.org/.well-known/jwks.json") .restOperations(this.rest).build(); return new NimbusJwtDecoder(jwtProcessor); } }
/** * Constructs a {@code NimbusJwtDecoderJwkSupport} using the provided parameters. * * @param jwkSetUrl the JSON Web Key (JWK) Set {@code URL} * @param jwsAlgorithm the JSON Web Algorithm (JWA) used for verifying the digital signatures */ public NimbusJwtDecoderJwkSupport(String jwkSetUrl, String jwsAlgorithm) { Assert.hasText(jwkSetUrl, "jwkSetUrl cannot be empty"); Assert.hasText(jwsAlgorithm, "jwsAlgorithm cannot be empty"); this.jwtProcessorBuilder = withJwkSetUri(jwkSetUrl).jwsAlgorithm(jwsAlgorithm); this.delegate = makeDelegate(); }
private JWTClaimsSet createClaimsSet(JWT parsedToken, List<JWK> jwkList) { try { return this.jwtProcessor.process(parsedToken, new JWKContext(jwkList)); } catch (BadJOSEException | JOSEException e) { throw new JwtException("Failed to validate the token", e); } }
@Test public void buildWhenSignatureAlgorithmMismatchesKeyTypeThenThrowsException() { assertThatCode(() -> JwtProcessors.withPublicKey(key()) .jwsAlgorithm(JwsAlgorithms.ES256) .build()) .isInstanceOf(IllegalStateException.class); }
/** * Sets the {@link RestOperations} used when requesting the JSON Web Key (JWK) Set. * * @since 5.1 * @param restOperations the {@link RestOperations} used when requesting the JSON Web Key (JWK) Set */ public final void setRestOperations(RestOperations restOperations) { Assert.notNull(restOperations, "restOperations cannot be null"); this.jwtProcessorBuilder = this.jwtProcessorBuilder.restOperations(restOperations); this.delegate = makeDelegate(); } }
@Override public List<JWK> get(JWKSelector jwkSelector, JWKContext context) { return context.getJwkList(); } }
/** * Returns the JWT ID {@code (jti)} claim which provides a unique identifier for the JWT. * * @return the JWT ID claim which provides a unique identifier for the JWT */ default String getId() { return this.getClaimAsString(JwtClaimNames.JTI); } }
/** * Returns the Audience {@code (aud)} claim which identifies the recipient(s) * that the JWT is intended for. * * @return the Audience(s) that this JWT intended for */ default List<String> getAudience() { return this.getClaimAsStringList(JwtClaimNames.AUD); }
/** * Returns the Issuer {@code (iss)} claim which identifies the principal that issued the JWT. * * @return the Issuer identifier */ default URL getIssuer() { return this.getClaimAsURL(JwtClaimNames.ISS); }
@Override public Jwt decode(String token) throws JwtException { return this.delegate.decode(token); }
/** * Use the given * <a href="https://tools.ietf.org/html/rfc7517#section-5">JWK Set</a> uri. * * @param jwkSetUri the JWK Set uri to use * @return a {@link JwtProcessors} for further configurations */ public static JwkSetUriJwtProcessorBuilder withJwkSetUri(String jwkSetUri) { return new JwkSetUriJwtProcessorBuilder(jwkSetUri); }
/** * Use the given public key to validate JWTs * * @param key the public key to use * @return a {@link PublicKeyJwtProcessorBuilder} for further configurations */ public static PublicKeyJwtProcessorBuilder withPublicKey(RSAPublicKey key) { return new PublicKeyJwtProcessorBuilder(key); }
private static JWTProcessor<SecurityContext> withoutSigning() { return new MockJwtProcessor(); }
/** * Configures a {@link ReactiveJwtDecoder} that leverages the provided {@link RSAPublicKey} * * @param publicKey the public key to use. * @return the {@code JwtSpec} for additional configuration */ public JwtSpec publicKey(RSAPublicKey publicKey) { this.jwtDecoder = new NimbusReactiveJwtDecoder(publicKey); return this; }
/** * Returns the Not Before {@code (nbf)} claim which identifies the time * before which the JWT MUST NOT be accepted for processing. * * @return the Not Before time before which the JWT MUST NOT be accepted for processing */ default Instant getNotBefore() { return this.getClaimAsInstant(JwtClaimNames.NBF); }
/** * Returns the Subject {@code (sub)} claim which identifies the principal * that is the subject of the JWT. * * @return the Subject identifier */ default String getSubject() { return this.getClaimAsString(JwtClaimNames.SUB); }
/** * Returns the Expiration time {@code (exp)} claim which identifies the expiration time * on or after which the JWT MUST NOT be accepted for processing. * * @return the Expiration time on or after which the JWT MUST NOT be accepted for processing */ default Instant getExpiresAt() { return this.getClaimAsInstant(JwtClaimNames.EXP); }