Java Code Examples for org.apache.cxf.rs.security.jose.jwt.JwtClaims

The following examples show how to use org.apache.cxf.rs.security.jose.jwt.JwtClaims. These examples are extracted from open source projects. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
protected String extractSubject(JwtClaims claims) {
    String subject = claims.getSubject();

    if (subjectKey != null) {
        Object subjectObject = claims.getClaim(subjectKey);

        if (subjectObject == null) {
            log.warn("Failed to get subject from JWT claims, check if subject_key '{}' is correct.", subjectKey);
            return null;
        }

        // We expect a String. If we find something else, convert to String but issue a
        // warning
        if (!(subjectObject instanceof String)) {
            log.warn(
                    "Expected type String for roles in the JWT for subject_key {}, but value was '{}' ({}). Will convert this value to String.",
                    subjectKey, subjectObject, subjectObject.getClass());
            subject = String.valueOf(subjectObject);
        } else {
            subject = (String) subjectObject;
        }
    }
    return subject;
}
 
Example 2
static JwtToken create(String subject, String audience, Object... moreClaims) {
	JwtClaims claims = new JwtClaims();

	claims.setSubject(subject);
	claims.setAudience(audience);

	if (moreClaims != null) {
		for (int i = 0; i < moreClaims.length; i += 2) {
			claims.setClaim(String.valueOf(moreClaims[i]), moreClaims[i + 1]);
		}
	}

	JwtToken result = new JwtToken(claims);

	return result;
}
 
Example 3
Source Project: syncope   Source File: SyncopeJWTSSOProvider.java    License: Apache License 2.0 6 votes vote down vote up
@Transactional(readOnly = true)
@Override
public Pair<User, Set<SyncopeGrantedAuthority>> resolve(final JwtClaims jwtClaims) {
    User user = userDAO.findByUsername(jwtClaims.getSubject());
    Set<SyncopeGrantedAuthority> authorities = Set.of();
    if (user != null) {
        AccessToken accessToken = accessTokenDAO.find(jwtClaims.getTokenId());
        if (accessToken != null && accessToken.getAuthorities() != null) {
            try {
                authorities = POJOHelper.deserialize(
                        ENCRYPTOR.decode(new String(accessToken.getAuthorities()), CipherAlgorithm.AES),
                        new TypeReference<Set<SyncopeGrantedAuthority>>() {
                });
            } catch (Throwable t) {
                LOG.error("Could not read stored authorities", t);
            }
        }
    }

    return Pair.of(user, authorities);
}
 
Example 4
Source Project: cxf   Source File: BigQueryServer.java    License: Apache License 2.0 6 votes vote down vote up
private static ClientAccessToken getAccessToken(PrivateKey privateKey, String issuer) {
    JwsHeaders headers = new JwsHeaders(JoseType.JWT, SignatureAlgorithm.RS256);
    JwtClaims claims = new JwtClaims();
    claims.setIssuer(issuer);
    claims.setAudience("https://www.googleapis.com/oauth2/v3/token");

    long issuedAt = OAuthUtils.getIssuedAt();
    claims.setIssuedAt(issuedAt);
    claims.setExpiryTime(issuedAt + 60 * 60);
    claims.setProperty("scope", "https://www.googleapis.com/auth/bigquery.readonly");

    JwtToken token = new JwtToken(headers, claims);
    JwsJwtCompactProducer p = new JwsJwtCompactProducer(token);
    String base64UrlAssertion = p.signWith(privateKey);

    JwtBearerGrant grant = new JwtBearerGrant(base64UrlAssertion);

    WebClient accessTokenService = WebClient.create("https://www.googleapis.com/oauth2/v3/token",
                                                    Arrays.asList(new OAuthJSONProvider(),
                                                                  new AccessTokenGrantWriter()));
    WebClient.getConfig(accessTokenService).getInInterceptors().add(new LoggingInInterceptor());

    accessTokenService.type(MediaType.APPLICATION_FORM_URLENCODED).accept(MediaType.APPLICATION_JSON);

    return accessTokenService.post(grant, ClientAccessToken.class);
}
 
Example 5
Source Project: cxf   Source File: JwsCompactReaderWriterTest.java    License: Apache License 2.0 6 votes vote down vote up
@Test
public void testWriteReadJwsUnsigned() throws Exception {
    JwsHeaders headers = new JwsHeaders(JoseType.JWT);
    headers.setSignatureAlgorithm(SignatureAlgorithm.NONE);

    JwtClaims claims = new JwtClaims();
    claims.setIssuer("https://jwt-idp.example.com");
    claims.setSubject("mailto:[email protected]");
    claims.setAudiences(Collections.singletonList("https://jwt-rp.example.net"));
    claims.setNotBefore(1300815780L);
    claims.setExpiryTime(1300819380L);
    claims.setClaim("http://claims.example.com/member", true);

    JwsCompactProducer writer = new JwsJwtCompactProducer(headers, claims);
    String signed = writer.getSignedEncodedJws();

    JwsJwtCompactConsumer reader = new JwsJwtCompactConsumer(signed);
    assertEquals(0, reader.getDecodedSignature().length);

    JwtToken token = reader.getJwtToken();
    assertEquals(new JwtToken(headers, claims), token);
}
 
Example 6
Source Project: cxf   Source File: JwsCompactReaderWriterTest.java    License: Apache License 2.0 6 votes vote down vote up
private void doTestWriteJwsWithJwkSignedByMac(Object jsonWebKey) throws Exception {
    JwsHeaders headers = new JwsHeaders();
    headers.setType(JoseType.JWT);
    headers.setSignatureAlgorithm(SignatureAlgorithm.HS256);
    headers.setHeader(JoseConstants.HEADER_JSON_WEB_KEY, jsonWebKey);

    JwtClaims claims = new JwtClaims();
    claims.setIssuer("joe");
    claims.setExpiryTime(1300819380L);
    claims.setClaim("http://example.com/is_root", Boolean.TRUE);

    JwtToken token = new JwtToken(headers, claims);
    JwsCompactProducer jws = new JwsJwtCompactProducer(token, getWriter());
    jws.signWith(new HmacJwsSignatureProvider(ENCODED_MAC_KEY, SignatureAlgorithm.HS256));

    assertEquals(ENCODED_TOKEN_WITH_JSON_KEY_SIGNED_BY_MAC, jws.getSignedEncodedJws());
}
 
Example 7
Source Project: cxf   Source File: JWTAlgorithmTest.java    License: Apache License 2.0 6 votes vote down vote up
@org.junit.Test
public void testBadSignatureCertificateTest() throws Exception {

    URL busFile = JWTAlgorithmTest.class.getResource("client.xml");

    List<Object> providers = new ArrayList<>();
    providers.add(new JacksonJsonProvider());
    providers.add(new JwtAuthenticationClientFilter());

    String address = "https://localhost:" + PORT + "/signedjwtincludecert/bookstore/books";
    WebClient client =
        WebClient.create(address, providers, busFile.toString());
    client.type("application/json").accept("application/json");

    // Create the JWT Token
    JwtClaims claims = new JwtClaims();
    claims.setSubject("alice");
    claims.setIssuer("DoubleItSTSIssuer");
    claims.setIssuedAt(Instant.now().getEpochSecond());
    claims.setAudiences(toList(address));

    JwtToken token = new JwtToken(claims);

    Map<String, Object> properties = new HashMap<>();
    properties.put("rs.security.keystore.type", "jks");
    properties.put("rs.security.keystore.password", "password");
    properties.put("rs.security.key.password", "password");
    properties.put("rs.security.keystore.alias", "bethal");
    properties.put("rs.security.keystore.file", "keys/Bethal.jks");
    properties.put("rs.security.signature.algorithm", "RS256");
    properties.put("rs.security.signature.include.cert", "true");
    properties.put(JwtConstants.JWT_TOKEN, token);
    WebClient.getConfig(client).getRequestContext().putAll(properties);

    Response response = client.post(new Book("book", 123L));
    assertNotEquals(response.getStatus(), 200);
}
 
Example 8
Source Project: cxf-fediz   Source File: AbstractOIDCTest.java    License: Apache License 2.0 6 votes vote down vote up
private void validateIdToken(String idToken, String audience, String role) throws IOException {
    JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(idToken);
    JwtToken jwt = jwtConsumer.getJwtToken();
    JwtClaims jwtClaims = jwt.getClaims();

    // Validate claims
    assertEquals("alice", jwtClaims.getClaim("preferred_username"));
    assertEquals("accounts.fediz.com", jwtClaims.getIssuer());
    assertEquals(audience, jwtClaims.getAudience());
    assertNotNull(jwtClaims.getIssuedAt());
    assertNotNull(jwtClaims.getExpiryTime());

    // Check role
    if (role != null) {
        List<String> roles = jwtClaims.getListStringProperty("roles");
        assertNotNull(roles);
        assertTrue(roles.contains(role));
    }

    JwsHeaders jwsHeaders = jwt.getJwsHeaders();
    assertTrue(jwtConsumer.verifySignatureWith(
        jsonWebKeys().getKey(jwsHeaders.getKeyId()), SignatureAlgorithm.valueOf(jwsHeaders.getAlgorithm())));
}
 
Example 9
Source Project: cxf   Source File: AuthorizationGrantTest.java    License: Apache License 2.0 6 votes vote down vote up
private static void validateAccessToken(String accessToken)
    throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
    JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(accessToken);
    JwtClaims jwtClaims = jwtConsumer.getJwtToken().getClaims();

    // Validate claims
    if (!OAuthConstants.CLIENT_CREDENTIALS_GRANT.equals(jwtClaims.getStringProperty(OAuthConstants.GRANT_TYPE))) {
        // We don't have a Subject for the client credential grant
        assertNotNull(jwtClaims.getSubject());
    }
    assertNotNull(jwtClaims.getIssuedAt());
    assertNotNull(jwtClaims.getExpiryTime());
    assertEquals(ISSUER, jwtClaims.getIssuer());

    KeyStore keystore = KeyStore.getInstance("JKS");
    keystore.load(ClassLoaderUtils.getResourceAsStream("keys/alice.jks", AuthorizationGrantTest.class),
                  "password".toCharArray());
    Certificate cert = keystore.getCertificate("alice");
    assertNotNull(cert);

    assertTrue(jwtConsumer.verifySignatureWith((X509Certificate)cert,
                                                      SignatureAlgorithm.RS256));
}
 
Example 10
Source Project: cxf   Source File: DefaultJWTClaimsProvider.java    License: Apache License 2.0 6 votes vote down vote up
/**
 * Get a JwtClaims object.
 */
public JwtClaims getJwtClaims(JWTClaimsProviderParameters jwtClaimsProviderParameters) {

    JwtClaims claims = new JwtClaims();
    claims.setSubject(getSubjectName(jwtClaimsProviderParameters));
    claims.setTokenId(UUID.randomUUID().toString());

    // Set the Issuer
    String issuer = jwtClaimsProviderParameters.getIssuer();
    if (issuer == null) {
        STSPropertiesMBean stsProperties = jwtClaimsProviderParameters.getProviderParameters().getStsProperties();
        claims.setIssuer(stsProperties.getIssuer());
    } else {
        claims.setIssuer(issuer);
    }

    handleWSTrustClaims(jwtClaimsProviderParameters, claims);

    handleConditions(jwtClaimsProviderParameters, claims);

    handleAudienceRestriction(jwtClaimsProviderParameters, claims);

    handleActAs(jwtClaimsProviderParameters, claims);

    return claims;
}
 
Example 11
Source Project: cxf   Source File: DefaultJWTClaimsProvider.java    License: Apache License 2.0 6 votes vote down vote up
protected void handleWSTrustClaims(JWTClaimsProviderParameters jwtClaimsProviderParameters, JwtClaims claims) {
    TokenProviderParameters providerParameters = jwtClaimsProviderParameters.getProviderParameters();

    // Handle Claims
    ProcessedClaimCollection retrievedClaims = ClaimsUtils.processClaims(providerParameters);
    if (retrievedClaims != null) {
        Iterator<ProcessedClaim> claimIterator = retrievedClaims.iterator();
        while (claimIterator.hasNext()) {
            ProcessedClaim claim = claimIterator.next();
            if (claim.getClaimType() != null && claim.getValues() != null && !claim.getValues().isEmpty()) {
                Object claimValues = claim.getValues();
                if (claim.getValues().size() == 1) {
                    claimValues = claim.getValues().get(0);
                }
                claims.setProperty(translateClaim(claim.getClaimType().toString()), claimValues);
            }
        }
    }
}
 
Example 12
@SuppressWarnings("unchecked")
protected String[] extractRoles(JwtClaims claims) {
    if (rolesKey == null) {
        return new String[0];
    }

    Object rolesObject = claims.getClaim(rolesKey);

    if (rolesObject == null) {
        log.warn(
                "Failed to get roles from JWT claims with roles_key '{}'. Check if this key is correct and available in the JWT payload.",
                rolesKey);
        return new String[0];
    }

    String[] roles = String.valueOf(rolesObject).split(",");

    // We expect a String or Collection. If we find something else, convert to
    // String but issue a warning
    if (!(rolesObject instanceof String) && !(rolesObject instanceof Collection<?>)) {
        log.warn(
                "Expected type String or Collection for roles in the JWT for roles_key {}, but value was '{}' ({}). Will convert this value to String.",
                rolesKey, rolesObject, rolesObject.getClass());
    } else if (rolesObject instanceof Collection<?>) {
        roles = ((Collection<String>) rolesObject).toArray(new String[0]);
    }

    for (int i = 0; i < roles.length; i++) {
        roles[i] = roles[i].trim();
    }

    return roles;
}
 
Example 13
private void validateClaims(JwtToken jwt) throws BadCredentialsException, JwtException {
	JwtClaims claims = jwt.getClaims();

	if (claims != null) {
		JwtUtils.validateJwtExpiry(claims, 0, false);
		JwtUtils.validateJwtNotBefore(claims, 0, false);
	}
}
 
Example 14
private String createJwt(SamlResponse samlResponse) throws Exception {
    JwtClaims jwtClaims = new JwtClaims();
    JwtToken jwt = new JwtToken(jwtClaims);

    jwtClaims.setNotBefore(System.currentTimeMillis() / 1000);
    jwtClaims.setExpiryTime(getJwtExpiration(samlResponse));

    jwtClaims.setProperty(this.jwtSubjectKey, this.extractSubject(samlResponse));

    if (this.samlSubjectKey != null) {
        jwtClaims.setProperty("saml_ni", samlResponse.getNameId());
    }

    if (samlResponse.getNameIdFormat() != null) {
        jwtClaims.setProperty("saml_nif", SamlNameIdFormat.getByUri(samlResponse.getNameIdFormat()).getShortName());
    }

    String sessionIndex = samlResponse.getSessionIndex();

    if (sessionIndex != null) {
        jwtClaims.setProperty("saml_si", sessionIndex);
    }

    if (this.samlRolesKey != null && this.jwtRolesKey != null) {
        String[] roles = this.extractRoles(samlResponse);

        jwtClaims.setProperty(this.jwtRolesKey, roles);
    }

    String encodedJwt = this.jwtProducer.processJwt(jwt);

    if (token_log.isDebugEnabled()) {
        token_log.debug("Created JWT: " + encodedJwt + "\n" + jsonMapReaderWriter.toJson(jwt.getJwsHeaders()) + "\n"
                + JwtUtils.claimsToJson(jwt.getClaims()));
    }

    return encodedJwt;
}
 
Example 15
Source Project: g-suite-identity-sync   Source File: TokenCache.java    License: Apache License 2.0 5 votes vote down vote up
private ClientAccessToken getAccessToken() throws NoPrivateKeyException {
    JwsHeaders headers = new JwsHeaders(JoseType.JWT, SignatureAlgorithm.RS256);
    JwtClaims claims = new JwtClaims();
    claims.setIssuer(config.getServiceAccountEmail());
    claims.setAudience(config.getServiceAccountTokenUri());
    claims.setSubject(config.getServiceAccountSubject());

    long issuedAt = OAuthUtils.getIssuedAt();
    long tokenTimeout = config.getServiceAccountTokenLifetime();
    claims.setIssuedAt(issuedAt);
    claims.setExpiryTime(issuedAt + tokenTimeout);
    String scopes = String.join(" ", config.getServiceAccountScopes());
    claims.setProperty("scope", scopes);

    JwtToken token = new JwtToken(headers, claims);
    JwsJwtCompactProducer p = new JwsJwtCompactProducer(token);
    String base64UrlAssertion = p.signWith(config.readServiceAccountKey());

    JwtBearerGrant grant = new JwtBearerGrant(base64UrlAssertion);

    WebClient accessTokenService = WebClient.create(config.getServiceAccountTokenUri(),
            Arrays.asList(new OAuthJSONProvider(), new AccessTokenGrantWriter()));

    accessTokenService.type(MediaType.APPLICATION_FORM_URLENCODED).accept(MediaType.APPLICATION_JSON);

    return accessTokenService.post(grant, ClientAccessToken.class);
}
 
Example 16
Source Project: syncope   Source File: JWTITCase.java    License: Apache License 2.0 5 votes vote down vote up
@Test
public void tokenValidation() throws ParseException {
    // Get an initial token
    SyncopeClient localClient = clientFactory.create(ADMIN_UNAME, ADMIN_PWD);
    AccessTokenService accessTokenService = localClient.getService(AccessTokenService.class);

    Response response = accessTokenService.login();
    String token = response.getHeaderString(RESTHeaders.TOKEN);
    assertNotNull(token);
    JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(token);
    String tokenId = consumer.getJwtClaims().getTokenId();

    // Create a new token using the Id of the first token
    Date now = new Date();
    long currentTime = now.getTime() / 1000L;

    Calendar expiry = Calendar.getInstance();
    expiry.setTime(now);
    expiry.add(Calendar.MINUTE, 5);

    JwtClaims jwtClaims = new JwtClaims();
    jwtClaims.setTokenId(tokenId);
    jwtClaims.setSubject(ADMIN_UNAME);
    jwtClaims.setIssuedAt(currentTime);
    jwtClaims.setIssuer(JWT_ISSUER);
    jwtClaims.setExpiryTime(expiry.getTime().getTime() / 1000L);
    jwtClaims.setNotBefore(currentTime);

    JwsHeaders jwsHeaders = new JwsHeaders(JoseType.JWT, JWS_ALGORITHM);
    JwtToken jwtToken = new JwtToken(jwsHeaders, jwtClaims);
    JwsJwtCompactProducer producer = new JwsJwtCompactProducer(jwtToken);

    String signed = producer.signWith(jwsSignatureProvider);

    SyncopeClient jwtClient = clientFactory.create(signed);
    UserSelfService jwtUserSelfService = jwtClient.getService(UserSelfService.class);
    jwtUserSelfService.read();
}
 
Example 17
Source Project: syncope   Source File: JWTITCase.java    License: Apache License 2.0 5 votes vote down vote up
@Test
public void noneSignature() throws ParseException {
    // Get an initial token
    SyncopeClient localClient = clientFactory.create(ADMIN_UNAME, ADMIN_PWD);
    AccessTokenService accessTokenService = localClient.getService(AccessTokenService.class);

    Response response = accessTokenService.login();
    String token = response.getHeaderString(RESTHeaders.TOKEN);
    assertNotNull(token);
    JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(token);
    String tokenId = consumer.getJwtClaims().getTokenId();

    // Create a new token using the Id of the first token
    JwtClaims jwtClaims = new JwtClaims();
    jwtClaims.setTokenId(tokenId);
    jwtClaims.setSubject(consumer.getJwtClaims().getSubject());
    jwtClaims.setIssuedAt(consumer.getJwtClaims().getIssuedAt());
    jwtClaims.setIssuer(consumer.getJwtClaims().getIssuer());
    jwtClaims.setExpiryTime(consumer.getJwtClaims().getExpiryTime());
    jwtClaims.setNotBefore(consumer.getJwtClaims().getNotBefore());

    JwsHeaders jwsHeaders = new JwsHeaders(JoseType.JWT, SignatureAlgorithm.NONE);
    JwtToken jwtToken = new JwtToken(jwsHeaders, jwtClaims);
    JwsJwtCompactProducer producer = new JwsJwtCompactProducer(jwtToken);

    JwsSignatureProvider noneJwsSignatureProvider = new NoneJwsSignatureProvider();
    String signed = producer.signWith(noneJwsSignatureProvider);

    SyncopeClient jwtClient = clientFactory.create(signed);
    UserSelfService jwtUserSelfService = jwtClient.getService(UserSelfService.class);
    try {
        jwtUserSelfService.read();
        fail("Failure expected on no signature");
    } catch (AccessControlException ex) {
        // expected
    }
}
 
Example 18
Source Project: syncope   Source File: JWTITCase.java    License: Apache License 2.0 5 votes vote down vote up
@Test
public void thirdPartyToken() throws ParseException {
    assumeFalse(SignatureAlgorithm.isPublicKeyAlgorithm(JWS_ALGORITHM));

    // Create a new token
    Date now = new Date();
    long currentTime = now.getTime() / 1000L;

    Calendar expiry = Calendar.getInstance();
    expiry.setTime(now);
    expiry.add(Calendar.MINUTE, 5);

    JwtClaims jwtClaims = new JwtClaims();
    jwtClaims.setTokenId(UUID.randomUUID().toString());
    jwtClaims.setSubject("[email protected]");
    jwtClaims.setIssuedAt(currentTime);
    jwtClaims.setIssuer(CustomJWTSSOProvider.ISSUER);
    jwtClaims.setExpiryTime(expiry.getTime().getTime() / 1000L);
    jwtClaims.setNotBefore(currentTime);

    JwsHeaders jwsHeaders = new JwsHeaders(JoseType.JWT, JWS_ALGORITHM);
    JwtToken jwtToken = new JwtToken(jwsHeaders, jwtClaims);
    JwsJwtCompactProducer producer = new JwsJwtCompactProducer(jwtToken);

    JwsSignatureProvider customSignatureProvider =
            new HmacJwsSignatureProvider(CustomJWTSSOProvider.CUSTOM_KEY.getBytes(), JWS_ALGORITHM);
    String signed = producer.signWith(customSignatureProvider);

    SyncopeClient jwtClient = clientFactory.create(signed);

    Pair<Map<String, Set<String>>, UserTO> self = jwtClient.self();
    assertFalse(self.getLeft().isEmpty());
    assertEquals("puccini", self.getRight().getUsername());
}
 
Example 19
Source Project: syncope   Source File: JWTITCase.java    License: Apache License 2.0 5 votes vote down vote up
@Test
public void thirdPartyTokenUnknownUser() throws ParseException {
    assumeFalse(SignatureAlgorithm.isPublicKeyAlgorithm(JWS_ALGORITHM));

    // Create a new token
    Date now = new Date();
    long currentTime = now.getTime() / 1000L;

    Calendar expiry = Calendar.getInstance();
    expiry.setTime(now);
    expiry.add(Calendar.MINUTE, 5);

    JwtClaims jwtClaims = new JwtClaims();
    jwtClaims.setTokenId(UUID.randomUUID().toString());
    jwtClaims.setSubject("[email protected]");
    jwtClaims.setIssuedAt(currentTime);
    jwtClaims.setIssuer(CustomJWTSSOProvider.ISSUER);
    jwtClaims.setExpiryTime(expiry.getTime().getTime() / 1000L);
    jwtClaims.setNotBefore(currentTime);

    JwsHeaders jwsHeaders = new JwsHeaders(JoseType.JWT, JWS_ALGORITHM);
    JwtToken jwtToken = new JwtToken(jwsHeaders, jwtClaims);
    JwsJwtCompactProducer producer = new JwsJwtCompactProducer(jwtToken);

    JwsSignatureProvider customSignatureProvider =
            new HmacJwsSignatureProvider(CustomJWTSSOProvider.CUSTOM_KEY.getBytes(), JWS_ALGORITHM);
    String signed = producer.signWith(customSignatureProvider);

    SyncopeClient jwtClient = clientFactory.create(signed);

    try {
        jwtClient.self();
        fail("Failure expected on an unknown subject");
    } catch (AccessControlException ex) {
        // expected
    }
}
 
Example 20
Source Project: syncope   Source File: JWTITCase.java    License: Apache License 2.0 5 votes vote down vote up
@Test
public void thirdPartyTokenUnknownIssuer() throws ParseException {
    assumeFalse(SignatureAlgorithm.isPublicKeyAlgorithm(JWS_ALGORITHM));

    // Create a new token
    Date now = new Date();
    long currentTime = now.getTime() / 1000L;

    Calendar expiry = Calendar.getInstance();
    expiry.setTime(now);
    expiry.add(Calendar.MINUTE, 5);

    JwtClaims jwtClaims = new JwtClaims();
    jwtClaims.setTokenId(UUID.randomUUID().toString());
    jwtClaims.setSubject("[email protected]");
    jwtClaims.setIssuedAt(currentTime);
    jwtClaims.setIssuer(CustomJWTSSOProvider.ISSUER + '_');
    jwtClaims.setExpiryTime(expiry.getTime().getTime() / 1000L);
    jwtClaims.setNotBefore(currentTime);

    JwsHeaders jwsHeaders = new JwsHeaders(JoseType.JWT, JWS_ALGORITHM);
    JwtToken jwtToken = new JwtToken(jwsHeaders, jwtClaims);
    JwsJwtCompactProducer producer = new JwsJwtCompactProducer(jwtToken);

    JwsSignatureProvider customSignatureProvider =
            new HmacJwsSignatureProvider(CustomJWTSSOProvider.CUSTOM_KEY.getBytes(), JWS_ALGORITHM);
    String signed = producer.signWith(customSignatureProvider);

    SyncopeClient jwtClient = clientFactory.create(signed);

    try {
        jwtClient.self();
        fail("Failure expected on an unknown issuer");
    } catch (AccessControlException ex) {
        // expected
    }
}
 
Example 21
Source Project: syncope   Source File: JWTITCase.java    License: Apache License 2.0 5 votes vote down vote up
@Test
public void thirdPartyTokenBadSignature() throws ParseException {
    assumeFalse(SignatureAlgorithm.isPublicKeyAlgorithm(JWS_ALGORITHM));

    // Create a new token
    Date now = new Date();

    Calendar expiry = Calendar.getInstance();
    expiry.setTime(now);
    expiry.add(Calendar.MINUTE, 5);

    JwtClaims jwtClaims = new JwtClaims();
    jwtClaims.setTokenId(UUID.randomUUID().toString());
    jwtClaims.setSubject("[email protected]");
    jwtClaims.setIssuedAt(now.getTime());
    jwtClaims.setIssuer(CustomJWTSSOProvider.ISSUER);
    jwtClaims.setExpiryTime(expiry.getTime().getTime());
    jwtClaims.setNotBefore(now.getTime());

    JwsHeaders jwsHeaders = new JwsHeaders(JoseType.JWT, JWS_ALGORITHM);
    JwtToken jwtToken = new JwtToken(jwsHeaders, jwtClaims);
    JwsJwtCompactProducer producer = new JwsJwtCompactProducer(jwtToken);

    JwsSignatureProvider customSignatureProvider =
            new HmacJwsSignatureProvider((CustomJWTSSOProvider.CUSTOM_KEY + '_').getBytes(), JWS_ALGORITHM);
    String signed = producer.signWith(customSignatureProvider);

    SyncopeClient jwtClient = clientFactory.create(signed);

    try {
        jwtClient.self();
        fail("Failure expected on a bad signature");
    } catch (AccessControlException ex) {
        // expected
    }
}
 
Example 22
Source Project: cxf   Source File: OIDCFlowTest.java    License: Apache License 2.0 5 votes vote down vote up
@org.junit.Test
public void testAuthorizationCodeFlowUnsignedJWT() throws Exception {
    URL busFile = OIDCFlowTest.class.getResource("client.xml");

    String address = "https://localhost:" + port + "/unsignedjwtservices/";
    WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
                                        "alice", "security", busFile.toString());
    // Save the Cookie for the second request...
    WebClient.getConfig(client).getRequestContext().put(
        org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);

    JwtClaims claims = new JwtClaims();
    claims.setIssuer("consumer-id");
    claims.setIssuedAt(Instant.now().getEpochSecond());
    claims.setAudiences(
        Collections.singletonList("https://localhost:" + port + "/unsignedjwtservices/"));

    JwsHeaders headers = new JwsHeaders();
    headers.setAlgorithm("none");

    JwtToken token = new JwtToken(headers, claims);

    JwsJwtCompactProducer jws = new JwsJwtCompactProducer(token);
    String request = jws.getSignedEncodedJws();

    // Get Authorization Code
    AuthorizationCodeParameters parameters = new AuthorizationCodeParameters();
    parameters.setConsumerId("consumer-id");
    parameters.setScope("openid");
    parameters.setResponseType("code");
    parameters.setPath("authorize/");
    parameters.setRequest(request);

    String location = OAuth2TestUtils.getLocation(client, parameters);
    String code = OAuth2TestUtils.getSubstring(location, "code");
    assertNotNull(code);
}
 
Example 23
Source Project: cxf   Source File: OIDCFlowTest.java    License: Apache License 2.0 5 votes vote down vote up
@org.junit.Test
public void testAuthorizationCodeFlowUnsignedJWTWithState() throws Exception {
    URL busFile = OIDCFlowTest.class.getResource("client.xml");

    String address = "https://localhost:" + port + "/unsignedjwtservices/";
    WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
                                        "alice", "security", busFile.toString());
    // Save the Cookie for the second request...
    WebClient.getConfig(client).getRequestContext().put(
        org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);

    JwtClaims claims = new JwtClaims();
    claims.setIssuer("consumer-id");
    claims.setIssuedAt(Instant.now().getEpochSecond());
    claims.setAudiences(
        Collections.singletonList("https://localhost:" + port + "/unsignedjwtservices/"));

    JwsHeaders headers = new JwsHeaders();
    headers.setAlgorithm("none");

    JwtToken token = new JwtToken(headers, claims);

    JwsJwtCompactProducer jws = new JwsJwtCompactProducer(token);
    String request = jws.getSignedEncodedJws();

    // Get Authorization Code
    AuthorizationCodeParameters parameters = new AuthorizationCodeParameters();
    parameters.setConsumerId("consumer-id");
    parameters.setScope("openid");
    parameters.setResponseType("code");
    parameters.setPath("authorize/");
    parameters.setState("123456789");
    parameters.setRequest(request);

    String location = OAuth2TestUtils.getLocation(client, parameters);
    String code = OAuth2TestUtils.getSubstring(location, "code");
    assertNotNull(code);
}
 
Example 24
Source Project: cxf   Source File: AbstractOAuthDataProvider.java    License: Apache License 2.0 5 votes vote down vote up
protected ServerAccessToken doRefreshAccessToken(Client client,
                                                 RefreshToken oldRefreshToken,
                                                 List<String> restrictedScopes) {
    ServerAccessToken at = createNewAccessToken(client, oldRefreshToken.getSubject());
    at.setAudiences(oldRefreshToken.getAudiences() != null
            ? new ArrayList<String>(oldRefreshToken.getAudiences()) : null);
    at.setGrantType(oldRefreshToken.getGrantType());
    at.setGrantCode(oldRefreshToken.getGrantCode());
    at.setSubject(oldRefreshToken.getSubject());
    at.setNonce(oldRefreshToken.getNonce());
    at.setClientCodeVerifier(oldRefreshToken.getClientCodeVerifier());
    at.getExtraProperties().putAll(oldRefreshToken.getExtraProperties());
    if (restrictedScopes.isEmpty()) {
        at.setScopes(oldRefreshToken.getScopes() != null
                ? new ArrayList<OAuthPermission>(oldRefreshToken.getScopes()) : null);
    } else {
        List<OAuthPermission> theNewScopes = convertScopeToPermissions(client, restrictedScopes);
        if (oldRefreshToken.getScopes().containsAll(theNewScopes)) {
            at.setScopes(theNewScopes);
        } else {
            throw new OAuthServiceException("Invalid scopes");
        }
    }

    if (isUseJwtFormatForAccessTokens()) {
        JwtClaims claims = createJwtAccessToken(at);
        String jose = processJwtAccessToken(claims);
        if (isPersistJwtEncoding()) {
            at.setTokenKey(jose);
        } else {
            at.setEncodedToken(jose);
        }
    }

    return at;
}
 
Example 25
Source Project: cxf   Source File: JWTAlgorithmTest.java    License: Apache License 2.0 5 votes vote down vote up
@org.junit.Test
public void testBadSigningKey() throws Exception {

    URL busFile = JWTAlgorithmTest.class.getResource("client.xml");

    List<Object> providers = new ArrayList<>();
    providers.add(new JacksonJsonProvider());
    providers.add(new JwtAuthenticationClientFilter());

    String address = "https://localhost:" + PORT + "/signedjwt/bookstore/books";
    WebClient client =
        WebClient.create(address, providers, busFile.toString());
    client.type("application/json").accept("application/json");

    // Create the JWT Token
    JwtClaims claims = new JwtClaims();
    claims.setSubject("alice");
    claims.setIssuer("DoubleItSTSIssuer");
    claims.setIssuedAt(Instant.now().getEpochSecond());
    claims.setAudiences(toList(address));

    JwtToken token = new JwtToken(claims);

    Map<String, Object> properties = new HashMap<>();
    properties.put("rs.security.keystore.type", "jks");
    properties.put("rs.security.keystore.password", "password");
    properties.put("rs.security.key.password", "password");
    properties.put("rs.security.keystore.alias", "alice");
    properties.put("rs.security.keystore.file", "keys/alice.jks");
    properties.put("rs.security.signature.algorithm", "RS256");
    properties.put(JwtConstants.JWT_TOKEN, token);
    WebClient.getConfig(client).getRequestContext().putAll(properties);

    Response response = client.post(new Book("book", 123L));
    assertNotEquals(response.getStatus(), 200);
}
 
Example 26
Source Project: cxf   Source File: JWTAlgorithmTest.java    License: Apache License 2.0 5 votes vote down vote up
@org.junit.Test
public void testSignatureEllipticCurve() throws Exception {

    URL busFile = JWTAlgorithmTest.class.getResource("client.xml");

    List<Object> providers = new ArrayList<>();
    providers.add(new JacksonJsonProvider());
    providers.add(new JwtAuthenticationClientFilter());

    String address = "https://localhost:" + PORT + "/signedjwtec/bookstore/books";
    WebClient client =
        WebClient.create(address, providers, busFile.toString());
    client.type("application/json").accept("application/json");

    // Create the JWT Token
    JwtClaims claims = new JwtClaims();
    claims.setSubject("alice");
    claims.setIssuer("DoubleItSTSIssuer");
    claims.setIssuedAt(Instant.now().getEpochSecond());
    claims.setAudiences(toList(address));

    JwtToken token = new JwtToken(claims);

    Map<String, Object> properties = new HashMap<>();
    properties.put("rs.security.keystore.type", "jwk");
    properties.put("rs.security.keystore.alias", "ECKey");
    properties.put("rs.security.keystore.file",
                   "org/apache/cxf/systest/jaxrs/security/certs/jwkPrivateSet.txt");
    properties.put("rs.security.signature.algorithm", "ES256");
    properties.put(JwtConstants.JWT_TOKEN, token);
    WebClient.getConfig(client).getRequestContext().putAll(properties);

    Response response = client.post(new Book("book", 123L));
    assertEquals(response.getStatus(), 200);

    Book returnedBook = response.readEntity(Book.class);
    assertEquals(returnedBook.getName(), "book");
    assertEquals(returnedBook.getId(), 123L);
}
 
Example 27
Source Project: cxf   Source File: JWTAlgorithmTest.java    License: Apache License 2.0 5 votes vote down vote up
@org.junit.Test
public void testSmallSignatureKeySize() throws Exception {

    URL busFile = JWTAlgorithmTest.class.getResource("client.xml");

    List<Object> providers = new ArrayList<>();
    providers.add(new JacksonJsonProvider());
    providers.add(new JwtAuthenticationClientFilter());

    String address = "https://localhost:" + PORT + "/signedjwt/bookstore/books";
    WebClient client =
        WebClient.create(address, providers, busFile.toString());
    client.type("application/json").accept("application/json");

    // Create the JWT Token
    JwtClaims claims = new JwtClaims();
    claims.setSubject("alice");
    claims.setIssuer("DoubleItSTSIssuer");
    claims.setIssuedAt(Instant.now().getEpochSecond());
    claims.setAudiences(toList(address));

    JwtToken token = new JwtToken(claims);

    Map<String, Object> properties = new HashMap<>();
    properties.put("rs.security.keystore.type", "jks");
    properties.put("rs.security.keystore.alias", "smallkey");
    properties.put("rs.security.keystore.password", "security");
    properties.put("rs.security.key.password", "security");
    properties.put("rs.security.keystore.file",
        "org/apache/cxf/systest/jaxrs/security/certs/smallkeysize.jks");
    properties.put("rs.security.signature.algorithm", "RS256");
    properties.put(JwtConstants.JWT_TOKEN, token);
    WebClient.getConfig(client).getRequestContext().putAll(properties);

    Response response = client.post(new Book("book", 123L));
    assertNotEquals(response.getStatus(), 200);
}
 
Example 28
Source Project: cxf   Source File: JWTAlgorithmTest.java    License: Apache License 2.0 5 votes vote down vote up
@org.junit.Test
public void testUnsignedTokenFailure() throws Exception {

    URL busFile = JWTAlgorithmTest.class.getResource("client.xml");

    List<Object> providers = new ArrayList<>();
    providers.add(new JacksonJsonProvider());
    providers.add(new JwtAuthenticationClientFilter());

    String address = "https://localhost:" + PORT + "/signedjwt/bookstore/books";
    WebClient client =
        WebClient.create(address, providers, busFile.toString());
    client.type("application/json").accept("application/json");

    // Create the JWT Token
    JwtClaims claims = new JwtClaims();
    claims.setSubject("alice");
    claims.setIssuer("DoubleItSTSIssuer");
    claims.setIssuedAt(Instant.now().getEpochSecond());
    claims.setAudiences(toList(address));

    JwtToken token = new JwtToken(claims);

    Map<String, Object> properties = new HashMap<>();
    properties.put("rs.security.signature.algorithm", "none");
    properties.put(JwtConstants.JWT_TOKEN, token);
    WebClient.getConfig(client).getRequestContext().putAll(properties);

    Response response = client.post(new Book("book", 123L));
    assertNotEquals(response.getStatus(), 200);
}
 
Example 29
Source Project: cxf   Source File: JWTAlgorithmTest.java    License: Apache License 2.0 5 votes vote down vote up
@org.junit.Test
public void testHMACSignature() throws Exception {

    URL busFile = JWTAlgorithmTest.class.getResource("client.xml");

    List<Object> providers = new ArrayList<>();
    providers.add(new JacksonJsonProvider());
    providers.add(new JwtAuthenticationClientFilter());

    String address = "https://localhost:" + PORT + "/hmacsignedjwt/bookstore/books";
    WebClient client =
        WebClient.create(address, providers, busFile.toString());
    client.type("application/json").accept("application/json");

    // Create the JWT Token
    JwtClaims claims = new JwtClaims();
    claims.setSubject("alice");
    claims.setIssuer("DoubleItSTSIssuer");
    claims.setIssuedAt(Instant.now().getEpochSecond());
    claims.setAudiences(toList(address));

    JwtToken token = new JwtToken(claims);

    Map<String, Object> properties = new HashMap<>();
    properties.put("rs.security.keystore.type", "jwk");
    properties.put("rs.security.keystore.alias", "HMAC512Key");
    properties.put("rs.security.keystore.file",
                   "org/apache/cxf/systest/jaxrs/security/certs/jwkPrivateSet.txt");
    properties.put(JwtConstants.JWT_TOKEN, token);
    WebClient.getConfig(client).getRequestContext().putAll(properties);

    Response response = client.post(new Book("book", 123L));
    assertEquals(response.getStatus(), 200);

    Book returnedBook = response.readEntity(Book.class);
    assertEquals(returnedBook.getName(), "book");
    assertEquals(returnedBook.getId(), 123L);
}
 
Example 30
Source Project: cxf   Source File: JWTAlgorithmTest.java    License: Apache License 2.0 5 votes vote down vote up
@org.junit.Test
public void testBadHMACSignature() throws Exception {

    URL busFile = JWTAlgorithmTest.class.getResource("client.xml");

    List<Object> providers = new ArrayList<>();
    providers.add(new JacksonJsonProvider());
    providers.add(new JwtAuthenticationClientFilter());

    String address = "https://localhost:" + PORT + "/hmacsignedjwt/bookstore/books";
    WebClient client =
        WebClient.create(address, providers, busFile.toString());
    client.type("application/json").accept("application/json");

    // Create the JWT Token
    JwtClaims claims = new JwtClaims();
    claims.setSubject("alice");
    claims.setIssuer("DoubleItSTSIssuer");
    claims.setIssuedAt(Instant.now().getEpochSecond());
    claims.setAudiences(toList(address));

    JwtToken token = new JwtToken(claims);

    Map<String, Object> properties = new HashMap<>();
    properties.put("rs.security.keystore.type", "jwk");
    properties.put("rs.security.keystore.alias", "HMACKey");
    properties.put("rs.security.keystore.file",
                   "org/apache/cxf/systest/jaxrs/security/certs/jwkPrivateSet.txt");
    properties.put(JwtConstants.JWT_TOKEN, token);
    WebClient.getConfig(client).getRequestContext().putAll(properties);

    Response response = client.post(new Book("book", 123L));
    assertNotEquals(response.getStatus(), 200);
}