Java Code Examples for org.gluu.oxauth.model.common.AuthenticationMethod#CLIENT_SECRET_JWT
The following examples show how to use
org.gluu.oxauth.model.common.AuthenticationMethod#CLIENT_SECRET_JWT .
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
| Source File: ClientAuthnEnabler.java From oxAuth with MIT License | 5 votes |
|
public void exec(ClientAuthnRequest request){
if (request.getAuthenticationMethod() == AuthenticationMethod.CLIENT_SECRET_BASIC
&& request.hasCredentials()) {
clientRequest.header("Authorization", "Basic " + request.getEncodedCredentials());
return;
}
if (request.getAuthenticationMethod() == AuthenticationMethod.CLIENT_SECRET_POST) {
if (request.getAuthUsername() != null && !request.getAuthUsername().isEmpty()) {
clientRequest.formParameter("client_id", request.getAuthUsername());
}
if (request.getAuthPassword() != null && !request.getAuthPassword().isEmpty()) {
clientRequest.formParameter("client_secret", request.getAuthPassword());
}
return;
}
if (request.getAuthenticationMethod() == AuthenticationMethod.CLIENT_SECRET_JWT ||
request.getAuthenticationMethod() == AuthenticationMethod.PRIVATE_KEY_JWT) {
clientRequest.formParameter("client_assertion_type", ClientAssertionType.JWT_BEARER);
if (request.getClientAssertion() != null) {
clientRequest.formParameter("client_assertion", request.getClientAssertion());
}
if (request.getAuthUsername() != null && !request.getAuthUsername().isEmpty()) {
clientRequest.formParameter("client_id", request.getAuthUsername());
}
}
}
Example 2
| Source File: ClientAuthnRequest.java From oxAuth with MIT License | 5 votes |
|
public void appendClientAuthnToQuery(QueryBuilder builder) {
if (getAuthenticationMethod() == AuthenticationMethod.CLIENT_SECRET_POST) {
builder.append("client_id", getAuthUsername());
builder.append("client_secret", getAuthPassword());
} else if (getAuthenticationMethod() == AuthenticationMethod.CLIENT_SECRET_JWT ||
getAuthenticationMethod() == AuthenticationMethod.PRIVATE_KEY_JWT) {
builder.append("client_assertion_type", ClientAssertionType.JWT_BEARER.toString());
builder.append("client_assertion", getClientAssertion());
}
}
Example 3
| Source File: TokenRequest.java From oxAuth with MIT License | 4 votes |
|
/**
* Returns a collection of parameters of the token request. Any
* <code>null</code> or empty parameter will be omitted.
*
* @return A collection of parameters.
*/
public Map<String, String> getParameters() {
Map<String, String> parameters = new HashMap<String, String>();
if (grantType != null) {
parameters.put("grant_type", grantType.toString());
}
if (code != null && !code.isEmpty()) {
parameters.put("code", code);
}
if (redirectUri != null && !redirectUri.isEmpty()) {
parameters.put("redirect_uri", redirectUri);
}
if (username != null && !username.isEmpty()) {
parameters.put("username", username);
}
if (password != null && !password.isEmpty()) {
parameters.put("password", password);
}
if (scope != null && !scope.isEmpty()) {
parameters.put("scope", scope);
}
if (assertion != null && !assertion.isEmpty()) {
parameters.put("assertion", assertion);
}
if (refreshToken != null && !refreshToken.isEmpty()) {
parameters.put("refresh_token", refreshToken);
}
if (getAuthenticationMethod() == AuthenticationMethod.CLIENT_SECRET_POST) {
if (getAuthUsername() != null && !getAuthUsername().isEmpty()) {
parameters.put("client_id", getAuthUsername());
}
if (getAuthPassword() != null && !getAuthPassword().isEmpty()) {
parameters.put("client_secret", getAuthPassword());
}
} else if (getAuthenticationMethod() == AuthenticationMethod.CLIENT_SECRET_JWT ||
getAuthenticationMethod() == AuthenticationMethod.PRIVATE_KEY_JWT) {
parameters.put("client_assertion_type", ClientAssertionType.JWT_BEARER.toString());
parameters.put("client_assertion", getClientAssertion());
}
for (String key : getCustomParameters().keySet()) {
parameters.put(key, getCustomParameters().get(key));
}
return parameters;
}
Example 4
| Source File: ClientAssertion.java From oxAuth with MIT License | 4 votes |
|
private boolean load(AppConfiguration appConfiguration, AbstractCryptoProvider cryptoProvider, String clientId, ClientAssertionType clientAssertionType, String encodedAssertion)
throws Exception {
boolean result;
if (clientAssertionType == ClientAssertionType.JWT_BEARER) {
if (StringUtils.isNotBlank(encodedAssertion)) {
jwt = Jwt.parse(encodedAssertion);
// TODO: Store jti this value to check for duplicates
// Validate clientId
String issuer = jwt.getClaims().getClaimAsString(JwtClaimName.ISSUER);
String subject = jwt.getClaims().getClaimAsString(JwtClaimName.SUBJECT_IDENTIFIER);
List<String> audience = jwt.getClaims().getClaimAsStringList(JwtClaimName.AUDIENCE);
Date expirationTime = jwt.getClaims().getClaimAsDate(JwtClaimName.EXPIRATION_TIME);
//SignatureAlgorithm algorithm = SignatureAlgorithm.fromName(jwt.getHeader().getClaimAsString(JwtHeaderName.ALGORITHM));
if ((clientId == null && StringUtils.isNotBlank(issuer) && StringUtils.isNotBlank(subject) && issuer.equals(subject))
|| (StringUtils.isNotBlank(clientId) && StringUtils.isNotBlank(issuer)
&& StringUtils.isNotBlank(subject) && clientId.equals(issuer) && issuer.equals(subject))) {
// Validate audience
String tokenUrl = appConfiguration.getTokenEndpoint();
String cibaAuthUrl = appConfiguration.getBackchannelAuthenticationEndpoint();
if (audience != null && (audience.contains(appConfiguration.getIssuer()) || audience.contains(tokenUrl) || audience.contains(cibaAuthUrl))) {
// Validate expiration
if (expirationTime.after(new Date())) {
ClientService clientService = CdiUtil.bean(ClientService.class);
Client client = clientService.getClient(subject);
// Validate client
if (client != null) {
JwtType jwtType = JwtType.fromString(jwt.getHeader().getClaimAsString(JwtHeaderName.TYPE));
AuthenticationMethod authenticationMethod = client.getAuthenticationMethod();
SignatureAlgorithm signatureAlgorithm = jwt.getHeader().getSignatureAlgorithm();
if (jwtType == null && signatureAlgorithm != null) {
jwtType = signatureAlgorithm.getJwtType();
}
if (jwtType != null && signatureAlgorithm != null && signatureAlgorithm.getFamily() != null &&
((authenticationMethod == AuthenticationMethod.CLIENT_SECRET_JWT && AlgorithmFamily.HMAC.equals(signatureAlgorithm.getFamily()))
|| (authenticationMethod == AuthenticationMethod.PRIVATE_KEY_JWT && (AlgorithmFamily.RSA.equals(signatureAlgorithm.getFamily()) || AlgorithmFamily.EC.equals(signatureAlgorithm.getFamily()))))) {
if (client.getTokenEndpointAuthSigningAlg() == null || SignatureAlgorithm.fromString(client.getTokenEndpointAuthSigningAlg()).equals(signatureAlgorithm)) {
clientSecret = clientService.decryptSecret(client.getClientSecret());
// Validate the crypto segment
String keyId = jwt.getHeader().getKeyId();
JSONObject jwks = Strings.isNullOrEmpty(client.getJwks()) ?
JwtUtil.getJSONWebKeys(client.getJwksUri()) :
new JSONObject(client.getJwks());
String sharedSecret = clientService.decryptSecret(client.getClientSecret());
boolean validSignature = cryptoProvider.verifySignature(jwt.getSigningInput(), jwt.getEncodedSignature(),
keyId, jwks, sharedSecret, signatureAlgorithm);
if (validSignature) {
result = true;
} else {
throw new InvalidJwtException("Invalid cryptographic segment");
}
} else {
throw new InvalidJwtException("Invalid signing algorithm");
}
} else {
throw new InvalidJwtException("Invalid authentication method");
}
} else {
throw new InvalidJwtException("Invalid client");
}
} else {
throw new InvalidJwtException("JWT has expired");
}
} else {
throw new InvalidJwtException("Invalid audience: " + audience);
}
} else {
throw new InvalidJwtException("Invalid clientId");
}
} else {
throw new InvalidJwtException("The Client Assertion is null or empty");
}
} else {
throw new InvalidJwtException("Invalid Client Assertion Type");
}
return result;
}
