Package com.nimbusds.jwt

Examples of com.nimbusds.jwt.JWT

60
61
62
63
64
65
66
67
68
69
70
71
72
    // check for appropriate parameters
    String assertionType = request.getParameter("client_assertion_type");
    String assertion = request.getParameter("client_assertion");

    try {
      JWT jwt = JWTParser.parse(assertion);

      String clientId = jwt.getJWTClaimsSet().getSubject();

      Authentication authRequest = new JwtBearerAssertionAuthenticationToken(clientId, jwt);

      return this.getAuthenticationManager().authenticate(authRequest);
    } catch (ParseException e) {
View Full Code Here
155
156
157
158
159
160
161
162
163
164
165
        logger.error("Couldn't find encrypter for client: " + client.getClientId());
      }

    } else {
     
      JWT idToken;
     
      if (signingAlg.equals(JWSAlgorithm.NONE)) {
        // unsigned ID token
        idToken = new PlainJWT(idClaims);
View Full Code Here
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
   */
  private void processRequestObject(String jwtString, AuthorizationRequest request) {

    // parse the request object
    try {
      JWT jwt = JWTParser.parse(jwtString);

      // TODO: move keys to constants

      if (jwt instanceof SignedJWT) {
        // it's a signed JWT, check the signature

        SignedJWT signedJwt = (SignedJWT)jwt;

        // need to check clientId first so that we can load the client to check other fields
        if (request.getClientId() == null) {
          request.setClientId(signedJwt.getJWTClaimsSet().getStringClaim("client_id"));
        }

        ClientDetailsEntity client = clientDetailsService.loadClientByClientId(request.getClientId());

        if (client == null) {
          throw new InvalidClientException("Client not found: " + request.getClientId());
        }


        JWSAlgorithm alg = signedJwt.getHeader().getAlgorithm();

        if (client.getRequestObjectSigningAlg() == null ||
            !client.getRequestObjectSigningAlg().equals(alg)) {
          throw new InvalidClientException("Client's registered request object signing algorithm (" + client.getRequestObjectSigningAlg() + ") does not match request object's actual algorithm (" + alg.getName() + ")");
        }

        if (alg.equals(JWSAlgorithm.RS256)
            || alg.equals(JWSAlgorithm.RS384)
            || alg.equals(JWSAlgorithm.RS512)) {

          // it's RSA, need to find the JWK URI and fetch the key

          if (client.getJwksUri() == null) {
            throw new InvalidClientException("Client must have a JWKS URI registered to use signed request objects.");
          }

          // check JWT signature
          JwtSigningAndValidationService validator = validators.getValidator(client.getJwksUri());

          if (validator == null) {
            throw new InvalidClientException("Unable to create signature validator for client's JWKS URI: " + client.getJwksUri());
          }

          if (!validator.validateSignature(signedJwt)) {
            throw new InvalidClientException("Signature did not validate for presented JWT request object.");
          }
        } else if (alg.equals(JWSAlgorithm.HS256)
            || alg.equals(JWSAlgorithm.HS384)
            || alg.equals(JWSAlgorithm.HS512)) {

          // it's HMAC, we need to make a validator based on the client secret

          JwtSigningAndValidationService validator = symmetricCacheService.getSymmetricValidtor(client);

          if (validator == null) {
            throw new InvalidClientException("Unable to create signature validator for client's secret: " + client.getClientSecret());
          }

          if (!validator.validateSignature(signedJwt)) {
            throw new InvalidClientException("Signature did not validate for presented JWT request object.");
          }


        }


      } else if (jwt instanceof PlainJWT) {
        PlainJWT plainJwt = (PlainJWT)jwt;

        // need to check clientId first so that we can load the client to check other fields
        if (request.getClientId() == null) {
          request.setClientId(plainJwt.getJWTClaimsSet().getStringClaim("client_id"));
        }

        ClientDetailsEntity client = clientDetailsService.loadClientByClientId(request.getClientId());

        if (client == null) {
          throw new InvalidClientException("Client not found: " + request.getClientId());
        }

        if (client.getRequestObjectSigningAlg() == null) {
          throw new InvalidClientException("Client is not registered for unsigned request objects (no request_object_signing_alg registered)");
        } else if (!client.getRequestObjectSigningAlg().equals(Algorithm.NONE)) {
          throw new InvalidClientException("Client is not registered for unsigned request objects (request_object_signing_alg is " + client.getRequestObjectSigningAlg() +")");
        }

        // if we got here, we're OK, keep processing

      } else if (jwt instanceof EncryptedJWT) {

        EncryptedJWT encryptedJWT = (EncryptedJWT)jwt;

        // decrypt the jwt if we can

        encryptionService.decryptJwt(encryptedJWT);

        // TODO: what if the content is a signed JWT? (#525)

        if (!encryptedJWT.getState().equals(State.DECRYPTED)) {
          throw new InvalidClientException("Unable to decrypt the request object");
        }

        // need to check clientId first so that we can load the client to check other fields
        if (request.getClientId() == null) {
          request.setClientId(encryptedJWT.getJWTClaimsSet().getStringClaim("client_id"));
        }

        ClientDetailsEntity client = clientDetailsService.loadClientByClientId(request.getClientId());

        if (client == null) {
          throw new InvalidClientException("Client not found: " + request.getClientId());
        }


      }


      /*
       * NOTE: Claims inside the request object always take precedence over those in the parameter map.
       */

      // now that we've got the JWT, and it's been parsed, validated, and/or decrypted, we can process the claims

      ReadOnlyJWTClaimsSet claims = jwt.getJWTClaimsSet();

      Set<String> responseTypes = OAuth2Utils.parseParameterList(claims.getStringClaim("response_type"));
      if (responseTypes != null && !responseTypes.isEmpty()) {
        if (!responseTypes.equals(request.getResponseTypes())) {
          logger.info("Mismatch between request object and regular parameter for response_type, using request object");
View Full Code Here
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
      // it's an ID token, process it accordingly

      try {

        // TODO: make this use a more specific idtoken class
        JWT idToken = JWTParser.parse(incomingTokenValue);

        OAuth2AccessTokenEntity accessToken = tokenServices.getAccessTokenForIdToken(incomingToken);

        if (accessToken != null) {

          //OAuth2AccessTokenEntity newIdToken = tokenServices.get

          OAuth2AccessTokenEntity newIdTokenEntity = new OAuth2AccessTokenEntity();

          // copy over all existing claims
          JWTClaimsSet claims = new JWTClaimsSet(idToken.getJWTClaimsSet());

          if (client instanceof ClientDetailsEntity) {

            ClientDetailsEntity clientEntity = (ClientDetailsEntity) client;

            // update expiration and issued-at claims
            if (clientEntity.getIdTokenValiditySeconds() != null) {
              Date expiration = new Date(System.currentTimeMillis() + (clientEntity.getIdTokenValiditySeconds() * 1000L));
              claims.setExpirationTime(expiration);
              newIdTokenEntity.setExpiration(expiration);
            }

          } else {
            //This should never happen
            logger.fatal("SEVERE: Client is not an instance of OAuth2AccessTokenEntity.");
            throw new BadCredentialsException("SEVERE: Client is not an instance of ClientDetailsEntity; JwtAssertionTokenGranter cannot process this request.");
          }

          claims.setIssueTime(new Date());


          SignedJWT newIdToken = new SignedJWT((JWSHeader) idToken.getHeader(), claims);
          jwtService.signJwt(newIdToken);

          newIdTokenEntity.setJwt(newIdToken);
          newIdTokenEntity.setAuthenticationHolder(incomingToken.getAuthenticationHolder());
          newIdTokenEntity.setScope(incomingToken.getScope());
View Full Code Here
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
      if (tokenResponse.has("refresh_token")) {
        refreshTokenValue = tokenResponse.get("refresh_token").getAsString();
      }

      try {
        JWT idToken = JWTParser.parse(idTokenValue);

        // validate our ID Token over a number of tests
        ReadOnlyJWTClaimsSet idClaims = idToken.getJWTClaimsSet();

        // check the signature
        JwtSigningAndValidationService jwtValidator = null;

        Algorithm tokenAlg = idToken.getHeader().getAlgorithm();
       
        Algorithm clientAlg = clientConfig.getIdTokenSignedResponseAlg();
       
        if (clientAlg != null) {
          if (!clientAlg.equals(tokenAlg)) {
View Full Code Here
66
67
68
69
70
71
72
73
74
75
76
77
78
    this.clientConfigurationService = clientConfigurationService;
  }

  private String getIssuer(String accessToken) {
    try {
      JWT jwt = JWTParser.parse(accessToken);

      String issuer = jwt.getJWTClaimsSet().getIssuer();

      return issuer;

    } catch (ParseException e) {
      throw new IllegalArgumentException("Unable to parse JWT", e);
View Full Code Here
81
82
83
84
85
86
87
88
89
90
91
92

    try {
      ClientDetailsEntity client = clientService.loadClientByClientId(jwtAuth.getClientId());

      JWT jwt = jwtAuth.getJwt();
      ReadOnlyJWTClaimsSet jwtClaims = jwt.getJWTClaimsSet();

      // check the signature with nimbus
      if (jwt instanceof SignedJWT) {
        SignedJWT jws = (SignedJWT)jwt;
View Full Code Here
116
117
118
119
120
121
122
123
124
125
126
    String assertionString = params.get("assertion");

    if (assertionString == null || assertionString.trim().isEmpty())
      throw new ParseException("Missing or empty \"assertion\" parameter", OAuth2Error.INVALID_REQUEST);

    JWT assertion;

    try {
      assertion = JWTParser.parse(assertionString);
    } catch (java.text.ParseException e) {
      throw new ParseException("The \"assertion\" is not a JWT: " + e.getMessage(), OAuth2Error.INVALID_REQUEST, e);
View Full Code Here
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
    throws Exception {

    JWTClaimsSet claimsSet = new JWTClaimsSet();
    claimsSet.setSubject("alice");

    JWT assertion = new PlainJWT(claimsSet);

    JWTBearerGrant grant = new JWTBearerGrant(assertion);

    assertEquals(GrantType.JWT_BEARER, grant.getType());
    assertEquals(assertion, grant.getJWTAssertion());
    assertEquals(assertion.serialize(), grant.getAssertion());

    Map<String,String> params = grant.toParameters();
    assertEquals(GrantType.JWT_BEARER.getValue(), params.get("grant_type"));
    assertEquals(assertion.serialize(), params.get("assertion"));
    assertEquals(2, params.size());

    grant = JWTBearerGrant.parse(params);
    assertEquals(GrantType.JWT_BEARER, grant.getType());
    assertEquals(assertion.serialize(), grant.getAssertion());
  }
View Full Code Here
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
    throws Exception {

    JWTClaimsSet claimsSet = new JWTClaimsSet();
    claimsSet.setSubject("alice");

    JWT assertion = new PlainJWT(claimsSet);

    Map<String,String> params = new HashMap<>();
    params.put("grant_type", GrantType.JWT_BEARER.getValue());
    params.put("assertion", assertion.serialize());

    JWTBearerGrant grant = (JWTBearerGrant)AuthorizationGrant.parse(params);

    assertEquals(GrantType.JWT_BEARER, grant.getType());
    assertEquals(assertion.serialize(), grant.getAssertion());
  }
View Full Code Here
TOP

Related Classes of com.nimbusds.jwt.JWT

  • com.nimbusds.oauth2.sdk.AuthorizationGrantTest
  • com.nimbusds.oauth2.sdk.http.HTTPResponseTest
  • com.nimbusds.oauth2.sdk.JWTBearerGrant
  • com.nimbusds.oauth2.sdk.JWTBearerGrantTest
  • com.nimbusds.openid.connect.sdk.AuthenticationRequest
  • com.nimbusds.openid.connect.sdk.AuthenticationSuccessResponse
  • com.nimbusds.openid.connect.sdk.OIDCAccessTokenResponse
  • com.nimbusds.openid.connect.sdk.op.AuthenticationRequestResolver
  • com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse
  • org.mitre.oauth2.introspectingfilter.service.impl.JWTParsingIntrospectionConfigurationService
    • Copyright © 2018 www.massapicom. All rights reserved.
    All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.