org.gluu.oxauth.model.exception.InvalidJwtException Java Examples
The following examples show how to use
org.gluu.oxauth.model.exception.InvalidJwtException, the checked exception the Gluu oxAuth / oxd / oxTrust code raises when a JWT cannot be parsed, serialized or validated. Note that `Jwt.parse` (Example #13) only decodes the compact serialization — it performs no signature verification, which callers such as `ClientAssertion.load` (Example #25) do as a separate step.
Example #1
Source File: ValidatorTest.java From oxd with Apache License 2.0 | 6 votes |
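/**
 * An id_token with several audiences whose {@code azp} claim does not name this
 * client must be rejected (OIDC Core §3.1.3.7, steps 4-5).
 *
 * Fixture claims (decoded from the literal below; exp is in 2032 so the fixture
 * does not age out):
 *   "aud": ["6b578a9b-7513-477a-9a7f-1343b487caf8", "another_aud"],
 *   "azp": "Not_equal_to_client_id"
 *
 * Expected: {@code Validator.validateAudience} throws an {@code HttpException}
 * whose error code is {@code invalid_id_token_bad_authorized_party}.
 *
 * Fix vs. the previous version: any exception that is not an HttpException used
 * to be swallowed silently, so an NPE inside the validator let this test pass.
 * It now fails the test with the offending exception attached.
 */
@Test
public void tokenWithNAzpNotClientId_shouldNotValid() throws InvalidJwtException {
    final Jwt idToken = Jwt.parse("eyJraWQiOiJjZmFiMzRlYy0xNjhkLTQ4OTUtODRiOC0xZjAyNzgwNDkxYzciLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdF9oYXNoIjoiMnI1clZ2STdpMWxfcnNXZUV4bGRuUSIsImF1ZCI6WyI2YjU3OGE5Yi03NTEzLTQ3N2EtOWE3Zi0xMzQzYjQ4N2NhZjgiLCJhbm90aGVyX2F1ZCJdLCJhenAiOiJOb3RfZXF1YWxfdG9fY2xpZW50X2lkIiwic3ViIjoicy1fWmlyVnQ3Tk9EZG5XREFVR3JqVDJxVVp3SzZjWFRoYjlxVjk5di10ZyIsImF1dGhfdGltZSI6MTU2ODE4NTMyNywiaXNzIjoiaHR0cHM6Ly9kdW1teS1pc3N1ZXIub3JnIiwiZXhwIjoxOTY4MTg4OTMwLCJpYXQiOjE1NjgxODUzMzAsIm5vbmNlIjoiN3I0NnV0NmVtdTlnaTExZ244MDQ0dW02NDAiLCJveE9wZW5JRENvbm5lY3RWZXJzaW9uIjoib3BlbmlkY29ubmVjdC0xLjAifQ.Tnw-jF4p7VHgIE2_wcuP7WxRqtGFw2pmKltIri63hznYikYFC4frUZcJ44OKCt_tki2ZJY6EDhM1o9cPEz-_Vt-gsavfyDc711xlgNaPOBjGasdPvx5iilPLIogy4BXB4T3ROgqQpLQZf-00AQBBsrpZX5I2VJtLcyJL6_l3bKw");
    final String clientId = "6b578a9b-7513-477a-9a7f-1343b487caf8";
    try {
        Validator.validateAudience(idToken, clientId);
        // AssertionError is not an Exception, so the catch below does not swallow it.
        assertTrue(false);
    } catch (Exception e) {
        if (!(e instanceof HttpException)) {
            throw new AssertionError("validateAudience failed with an unexpected exception: " + e, e);
        }
        final HttpException httpException = (HttpException) e;
        // Constant on the left: a null code fails the assertion instead of throwing an NPE.
        assertTrue("invalid_id_token_bad_authorized_party".equals(httpException.getCode().getCode()));
    }
}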
Example #2
Source File: JwtClaimSet.java From oxAuth with MIT License | 6 votes |
/**
 * Flattens every claim into a map from claim name to its string values.
 *
 * A JSON array claim contributes one entry per element (each read with
 * {@code JSONArray.getString}); any other non-null value contributes its
 * {@code toString()}; a null claim maps to an empty list.
 *
 * @return a new, mutable map of claim name to values
 * @throws InvalidJwtException if an array element cannot be read as a string
 *         (the underlying {@code JSONException} is attached as the cause)
 */
public Map<String, List<String>> toMap() throws InvalidJwtException {
    final Map<String, List<String>> result = new HashMap<String, List<String>>();
    try {
        for (Map.Entry<String, Object> entry : claims.entrySet()) {
            final Object raw = entry.getValue();
            final List<String> flattened = new ArrayList<String>();
            if (raw instanceof JSONArray) {
                final JSONArray array = (JSONArray) raw;
                final int size = array.length();
                for (int index = 0; index < size; index++) {
                    flattened.add(array.getString(index));
                }
            } else if (raw != null) {
                flattened.add(raw.toString());
            }
            result.put(entry.getKey(), flattened);
        }
    } catch (JSONException e) {
        throw new InvalidJwtException(e);
    }
    return result;
}
Example #3
Source File: SoftwareStatement.java From oxAuth with MIT License | 5 votes |
/**
 * Builds the JOSE header for this software statement as a JSON object.
 *
 * Only {@code alg} (from {@code signatureAlgorithm}) and {@code kid} (from
 * {@code keyId}) are set; no {@code typ} is written, unlike the request-object
 * and state variants of this method elsewhere in the code base.
 *
 * @return the header JSON object produced by {@code JwtHeader.toJsonObject()}
 * @throws InvalidJwtException if the header cannot be serialized
 */
protected JSONObject headerToJSONObject() throws InvalidJwtException {
    final JwtHeader header = new JwtHeader();
    header.setAlgorithm(signatureAlgorithm);
    header.setKeyId(keyId);
    return header.toJsonObject();
}
Example #4
Source File: ValidatorTest.java From oxd with Apache License 2.0 | 5 votes |
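/**
 * An id_token whose {@code aud} is a <em>string</em> containing the text of a JSON
 * array, with this client among the elements, is accepted.
 *
 * Fixture claim (decoded from the literal below; exp is in 2032):
 *   "aud": "[\"6b578a9b-7513-477a-9a7f-1343b487caf8\",\"another_element\"]"
 *
 * RFC 7519 §4.1.3 defines aud as a string or an array of strings, not a string
 * holding serialized JSON; this test pins that the validator tolerates that
 * non-standard encoding. Note the fixture has no {@code azp} although it names
 * two audiences.
 *
 * Fix vs. the previous version: a thrown exception was only checked not to be
 * an HttpException, so any other failure inside the validator passed silently.
 * Now any exception fails the test.
 */
@Test
public void tokenWithAudArrayStringWithMultiElements_shouldBeValid() throws InvalidJwtException {
    final Jwt idToken = Jwt.parse("eyJraWQiOiJjZmFiMzRlYy0xNjhkLTQ4OTUtODRiOC0xZjAyNzgwNDkxYzciLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdF9oYXNoIjoiMnI1clZ2STdpMWxfcnNXZUV4bGRuUSIsImF1ZCI6IltcIjZiNTc4YTliLTc1MTMtNDc3YS05YTdmLTEzNDNiNDg3Y2FmOFwiLFwiYW5vdGhlcl9lbGVtZW50XCJdIiwic3ViIjoicy1fWmlyVnQ3Tk9EZG5XREFVR3JqVDJxVVp3SzZjWFRoYjlxVjk5di10ZyIsImF1dGhfdGltZSI6MTU2ODE4NTMyNywiaXNzIjoiaHR0cHM6Ly9kdW1teS1pc3N1ZXIub3JnIiwiZXhwIjoxOTY4MTg4OTMwLCJpYXQiOjE1NjgxODUzMzAsIm5vbmNlIjoiN3I0NnV0NmVtdTlnaTExZ244MDQ0dW02NDAiLCJveE9wZW5JRENvbm5lY3RWZXJzaW9uIjoib3BlbmlkY29ubmVjdC0xLjAifQ.Z185fBjN4B6ghJaF7Szvvwq2_aNK8xnBdJWY_jZtSrb4DMqB8kXkEF9c11eIldt2fY3lj3cEPUIBjvW9-Bye-ClfGgqZ7eXGCXOEQ3pNdTV0YDSJDMjYOSTAnmeccx8hUsqKbSd0JoZUzaDWZgLYxXX1GodV_V_Nx_Xr3rWGGrc");
    final String clientId = "6b578a9b-7513-477a-9a7f-1343b487caf8";
    try {
        Validator.validateAudience(idToken, clientId);
    } catch (Exception e) {
        throw new AssertionError("validateAudience rejected a token it must accept: " + e, e);
    }
}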
Example #5
Source File: ValidatorTest.java From oxd with Apache License 2.0 | 5 votes |
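/**
 * An id_token whose {@code aud} is a <em>string</em> containing a one-element JSON
 * array naming this client is accepted.
 *
 * Fixture claim (decoded from the literal below; exp is in 2032):
 *   "aud": "[\"6b578a9b-7513-477a-9a7f-1343b487caf8\"]"
 *
 * As in the multi-element variant, this stringified-array form is outside
 * RFC 7519 §4.1.3; the test pins the validator's tolerance for it.
 *
 * Fix vs. the previous version: only an HttpException was treated as a failure,
 * so any other exception from the validator passed silently. Now any exception
 * fails the test.
 */
@Test
public void tokenWithAudArrayStringWithOneElement_shouldBeValid() throws InvalidJwtException {
    final Jwt idToken = Jwt.parse("eyJraWQiOiJjZmFiMzRlYy0xNjhkLTQ4OTUtODRiOC0xZjAyNzgwNDkxYzciLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdF9oYXNoIjoiMnI1clZ2STdpMWxfcnNXZUV4bGRuUSIsImF1ZCI6IltcIjZiNTc4YTliLTc1MTMtNDc3YS05YTdmLTEzNDNiNDg3Y2FmOFwiXSIsInN1YiI6InMtX1ppclZ0N05PRGRuV0RBVUdyalQycVVad0s2Y1hUaGI5cVY5OXYtdGciLCJhdXRoX3RpbWUiOjE1NjgxODUzMjcsImlzcyI6Imh0dHBzOi8vZHVtbXktaXNzdWVyLm9yZyIsImV4cCI6MTk2ODE4ODkzMCwiaWF0IjoxNTY4MTg1MzMwLCJub25jZSI6IjdyNDZ1dDZlbXU5Z2kxMWduODA0NHVtNjQwIiwib3hPcGVuSURDb25uZWN0VmVyc2lvbiI6Im9wZW5pZGNvbm5lY3QtMS4wIn0.bFgbYtgt5OA2hdwAXXCwaVMUYprArsGoURJgaA0d-YfsDYu8HU9zVDraDhflSc2Wg9uMv4RAKqEfldDwLIRIocGk5XwjyeOHFAWAlDMeDSPUAWy7d7oNGwPrRNZu37RUT1ncRS9ZAIsOhtJjflUTD0J12DeD-wT_V6Jpv8jn3Mo");
    final String clientId = "6b578a9b-7513-477a-9a7f-1343b487caf8";
    try {
        Validator.validateAudience(idToken, clientId);
    } catch (Exception e) {
        throw new AssertionError("validateAudience rejected a token it must accept: " + e, e);
    }
}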
Example #6
Source File: ValidatorTest.java From oxd with Apache License 2.0 | 5 votes |
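/**
 * An id_token with a single string {@code aud} equal to the client_id and no
 * {@code azp} is accepted - the common case; OIDC Core §3.1.3.7 only requires
 * azp when the token has multiple audiences.
 *
 * Fixture claim (decoded from the literal below; exp is in 2032):
 *   "aud": "6b578a9b-7513-477a-9a7f-1343b487caf8"
 *
 * Fix vs. the previous version: only an HttpException was treated as a failure,
 * so any other exception from the validator passed silently. Now any exception
 * fails the test.
 */
@Test
public void tokenWithSingleAudStringAndNoAzp_shouldBeValid() throws InvalidJwtException {
    final Jwt idToken = Jwt.parse("eyJraWQiOiJjZmFiMzRlYy0xNjhkLTQ4OTUtODRiOC0xZjAyNzgwNDkxYzciLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdF9oYXNoIjoiMnI1clZ2STdpMWxfcnNXZUV4bGRuUSIsImF1ZCI6IjZiNTc4YTliLTc1MTMtNDc3YS05YTdmLTEzNDNiNDg3Y2FmOCIsInN1YiI6InMtX1ppclZ0N05PRGRuV0RBVUdyalQycVVad0s2Y1hUaGI5cVY5OXYtdGciLCJhdXRoX3RpbWUiOjE1NjgxODUzMjcsImlzcyI6Imh0dHBzOi8vZHVtbXktaXNzdWVyLm9yZyIsImV4cCI6MTk2ODE4ODkzMCwiaWF0IjoxNTY4MTg1MzMwLCJub25jZSI6IjdyNDZ1dDZlbXU5Z2kxMWduODA0NHVtNjQwIiwib3hPcGVuSURDb25uZWN0VmVyc2lvbiI6Im9wZW5pZGNvbm5lY3QtMS4wIn0.PqnRiAhXqdeTbW1_JdRl6rLDMn36ists9Eq1n_2vOKYjGs_VxxkcdQfCt93KfC3WqEObhjlKDzwp6YUXi_7Wqta58ftUz0FU2jB7np3mq5m8lY_hKVhoZJMvxzMbCkiH-8jwtq9MZKEw3qyrwQEHQ0l21tograWD80gRedaQuD4");
    final String clientId = "6b578a9b-7513-477a-9a7f-1343b487caf8";
    try {
        Validator.validateAudience(idToken, clientId);
    } catch (Exception e) {
        throw new AssertionError("validateAudience rejected a token it must accept: " + e, e);
    }
}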
Example #7
Source File: ValidatorTest.java From oxd with Apache License 2.0 | 5 votes |
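/**
 * An id_token whose {@code aud} is a one-element JSON array naming this client,
 * with no {@code azp}, is accepted (a single audience needs no azp, OIDC Core
 * §3.1.3.7).
 *
 * Fixture claim (decoded from the literal below; exp is in 2032):
 *   "aud": ["6b578a9b-7513-477a-9a7f-1343b487caf8"]
 *
 * Fix vs. the previous version: only an HttpException was treated as a failure,
 * so any other exception from the validator passed silently. Now any exception
 * fails the test.
 */
@Test
public void tokenWithSingleAudArrayAndNoAzp_shouldBeValid() throws InvalidJwtException {
    final Jwt idToken = Jwt.parse("eyJraWQiOiJjZmFiMzRlYy0xNjhkLTQ4OTUtODRiOC0xZjAyNzgwNDkxYzciLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdF9oYXNoIjoiMnI1clZ2STdpMWxfcnNXZUV4bGRuUSIsImF1ZCI6WyI2YjU3OGE5Yi03NTEzLTQ3N2EtOWE3Zi0xMzQzYjQ4N2NhZjgiXSwic3ViIjoicy1fWmlyVnQ3Tk9EZG5XREFVR3JqVDJxVVp3SzZjWFRoYjlxVjk5di10ZyIsImF1dGhfdGltZSI6MTU2ODE4NTMyNywiaXNzIjoiaHR0cHM6Ly9kdW1teS1pc3N1ZXIub3JnIiwiZXhwIjoxOTY4MTg4OTMwLCJpYXQiOjE1NjgxODUzMzAsIm5vbmNlIjoiN3I0NnV0NmVtdTlnaTExZ244MDQ0dW02NDAiLCJveE9wZW5JRENvbm5lY3RWZXJzaW9uIjoib3BlbmlkY29ubmVjdC0xLjAifQ.cP6DGPkYYnzDTHrH04F4Q48cPqH2T4R4RjGJmLr5QGA1pUYOOxvLj8Ak0EqmzV_83Zy0wgvyzFCv0xdi06BguUgnM4u6LL8V0hLzrdHIwJHvz5L5Gqbvs5Vg61CpP409lo0sHUN08zfN_WU3EWXK6JlSvFtE59jWSJWBF5pmLX4");
    final String clientId = "6b578a9b-7513-477a-9a7f-1343b487caf8";
    try {
        Validator.validateAudience(idToken, clientId);
    } catch (Exception e) {
        throw new AssertionError("validateAudience rejected a token it must accept: " + e, e);
    }
}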
Example #8
Source File: ValidatorTest.java From oxd with Apache License 2.0 | 5 votes |
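/**
 * An id_token with several audiences and an {@code azp} equal to the client_id
 * is accepted (OIDC Core §3.1.3.7 steps 4-5: with multiple audiences azp must
 * be present and must name this client).
 *
 * Fixture claims (decoded from the literal below; exp is in 2032):
 *   "aud": ["6b578a9b-7513-477a-9a7f-1343b487caf8", "another_aud"],
 *   "azp": "6b578a9b-7513-477a-9a7f-1343b487caf8"
 *
 * Fix vs. the previous version: only an HttpException was treated as a failure,
 * so any other exception from the validator passed silently. Now any exception
 * fails the test.
 */
@Test
public void tokenWithMultiAudAndAzp_shouldBeValid() throws InvalidJwtException {
    final Jwt idToken = Jwt.parse("eyJraWQiOiJjZmFiMzRlYy0xNjhkLTQ4OTUtODRiOC0xZjAyNzgwNDkxYzciLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdF9oYXNoIjoiMnI1clZ2STdpMWxfcnNXZUV4bGRuUSIsImF1ZCI6WyI2YjU3OGE5Yi03NTEzLTQ3N2EtOWE3Zi0xMzQzYjQ4N2NhZjgiLCJhbm90aGVyX2F1ZCJdLCJhenAiOiI2YjU3OGE5Yi03NTEzLTQ3N2EtOWE3Zi0xMzQzYjQ4N2NhZjgiLCJzdWIiOiJzLV9aaXJWdDdOT0RkbldEQVVHcmpUMnFVWndLNmNYVGhiOXFWOTl2LXRnIiwiYXV0aF90aW1lIjoxNTY4MTg1MzI3LCJpc3MiOiJodHRwczovL2R1bW15LWlzc3Vlci5vcmciLCJleHAiOjE5NjgxODg5MzAsImlhdCI6MTU2ODE4NTMzMCwibm9uY2UiOiI3cjQ2dXQ2ZW11OWdpMTFnbjgwNDR1bTY0MCIsIm94T3BlbklEQ29ubmVjdFZlcnNpb24iOiJvcGVuaWRjb25uZWN0LTEuMCJ9.Q1WsYrrMx4Uo7ZT5X840yuPljdRM5AU1otNAlc7-XcCUWB2yzdHZ5ptNdcGUEKr3bHLN4f-YyBC4n6Yea60eFxTkjXKGpGJESRU690xJ_OHb69DzHXiRnbtBRcHRMUgra5CBC4WNqyTRc0SBJFGOVuNAceNyVLSP7zPXgGNQHcA");
    final String clientId = "6b578a9b-7513-477a-9a7f-1343b487caf8";
    try {
        Validator.validateAudience(idToken, clientId);
    } catch (Exception e) {
        throw new AssertionError("validateAudience rejected a token it must accept: " + e, e);
    }
}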
Example #9
Source File: AccessTokenAsJwtTest.java From oxd with Apache License 2.0 | 5 votes |
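/**
 * Registers a site with {@code access_token_as_jwt=true} and checks that a
 * client_credentials access token issued to it parses as a JWT.
 *
 * Fix vs. the previous version: the raw access token was printed to stdout,
 * which puts a live bearer credential into CI logs; now only the decoded claims
 * are printed. {@code Jwt.parse} does not verify the signature, so this test
 * asserts the token's shape, not its authenticity.
 *
 * @param host                   oxd server under test
 * @param opHost                 OpenID Provider the site is registered against
 * @param redirectUrls           space-separated redirect URIs
 * @param postLogoutRedirectUrls space-separated post-logout redirect URIs
 * @throws InvalidJwtException if the returned access token is not a parseable JWT
 */
@Parameters({"host", "opHost", "redirectUrls", "postLogoutRedirectUrls"})
@Test
public void getClientToken(String host, String opHost, String redirectUrls, String postLogoutRedirectUrls) throws InvalidJwtException {
    final RegisterSiteParams params = new RegisterSiteParams();
    params.setOpHost(opHost);
    params.setRedirectUris(Lists.newArrayList(redirectUrls.split(" ")));
    params.setPostLogoutRedirectUris(Lists.newArrayList(postLogoutRedirectUrls.split(" ")));
    params.setScope(Lists.newArrayList("openid", "uma_protection", "profile"));
    params.setAccessTokenAsJwt(true);
    params.setGrantTypes(Lists.newArrayList(
            GrantType.AUTHORIZATION_CODE.getValue(),
            GrantType.CLIENT_CREDENTIALS.getValue()));

    final RegisterSiteResponse resp = org.gluu.oxd.server.Tester.newClient(host).registerSite(params);
    assertResponse(resp);

    final GetClientTokenParams tokenParams = new GetClientTokenParams();
    tokenParams.setOpHost(opHost);
    tokenParams.setScope(Lists.newArrayList("openid"));
    tokenParams.setClientId(resp.getClientId());
    tokenParams.setClientSecret(resp.getClientSecret());

    final GetClientTokenResponse tokenResponse = org.gluu.oxd.server.Tester.newClient(host).getClientToken(tokenParams);
    assertNotNull(tokenResponse);
    notEmpty(tokenResponse.getAccessToken());

    final Jwt parsed = Jwt.parse(tokenResponse.getAccessToken());
    assertNotNull(parsed);
    // Never echo the bearer token itself; the claims are enough to diagnose a failure.
    System.out.println("access token as JWT, claims: " + parsed.getClaims());
}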
Example #10
Source File: RpGetRptTest.java From oxd with Apache License 2.0 | 5 votes |
/**
 * Registers a site with {@code rpt_as_jwt=true}, obtains an RPT for the
 * resources described by {@code rsProtect}, and checks that the RPT is a JWT
 * bound to the registered client.
 *
 * Asserted: the {@code client_id} claim equals the registered client and the
 * {@code permissions} claim mentions {@code resource_id}. The RPT signature is
 * not verified here ({@code Jwt.parse} only decodes).
 *
 * @param host         oxd server under test
 * @param opHost       OpenID Provider / UMA AS the site is registered against
 * @param redirectUrls space-separated URIs, reused for redirect, post-logout
 *                     and front-channel logout
 * @param rsProtect    resource-set protection description handed to requestRpt
 * @throws IOException         from the RPT request
 * @throws InvalidJwtException if the RPT is not a parseable JWT
 */
@Parameters({"host", "opHost", "redirectUrls", "rsProtect"})
@Test
public void rptAsJwt(String host, String opHost, String redirectUrls, String rsProtect) throws IOException, InvalidJwtException {
    final ClientInterface client = Tester.newClient(host);

    final RegisterSiteParams registration = new RegisterSiteParams();
    registration.setOpHost(opHost);
    registration.setRedirectUris(Lists.newArrayList(redirectUrls.split(" ")));
    registration.setPostLogoutRedirectUris(Lists.newArrayList(redirectUrls.split(" ")));
    registration.setClientFrontchannelLogoutUris(Lists.newArrayList(redirectUrls.split(" ")));
    registration.setScope(Lists.newArrayList("openid", "uma_protection", "profile", "oxd"));
    registration.setRptAsJwt(true);
    registration.setGrantTypes(Lists.newArrayList(
            GrantType.AUTHORIZATION_CODE.getValue(),
            GrantType.OXAUTH_UMA_TICKET.getValue(),
            GrantType.CLIENT_CREDENTIALS.getValue()));

    final RegisterSiteResponse site = client.registerSite(registration);
    assertNotNull(site);
    assertTrue(!Strings.isNullOrEmpty(site.getOxdId()));

    final RpGetRptResponse rptResponse = requestRpt(client, site, rsProtect);
    assertNotNull(rptResponse);

    final Jwt rpt = Jwt.parse(rptResponse.getRpt());
    assertNotNull(rpt);
    final String permissions = rpt.getClaims().getClaimAsString("permissions");
    assertEquals(site.getClientId(), rpt.getClaims().getClaimAsString("client_id"));
    assertTrue(permissions.contains("resource_id"));
}
Example #11
Source File: JweEncrypterImpl.java From oxAuth with MIT License | 5 votes |
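/**
 * Encrypts {@code jwe} in place with Nimbus and stores the five
 * compact-serialization segments (header, encrypted key, IV, ciphertext,
 * authentication tag) back on it.
 *
 * When {@code jwe.getSignedJWTPayload()} is non-null the nested signed JWT is
 * the plaintext and the header is marked {@code cty=JWT} (RFC 7519 §5.2);
 * otherwise the claim set is the plaintext (see {@code createPayload}).
 *
 * Fix vs. the previous version: the format error message said "JWS" although
 * this method produces a JWE.
 *
 * @param jwe the JWE whose header and payload are to be encrypted; mutated and returned
 * @return the same instance with its encoded segments populated
 * @throws InvalidJweException wrapping any failure (header parsing, encryption,
 *         or an unexpected serialization shape); the cause is preserved
 */
@Override
public Jwe encrypt(Jwe jwe) throws InvalidJweException {
    try {
        final JWEEncrypter encrypter = createJweEncrypter();
        if (jwe.getSignedJWTPayload() != null) {
            jwe.getHeader().setContentType(JwtType.JWT);
        }
        final JWEHeader nimbusHeader = JWEHeader.parse(jwe.getHeader().toJsonObject().toString());
        final JWEObject jweObject = new JWEObject(nimbusHeader, createPayload(jwe));
        jweObject.encrypt(encrypter);

        // Compact JWE = exactly five dot-separated segments. An empty encrypted-key
        // segment (alg=dir) is interior, so split() keeps it.
        final String[] jweParts = jweObject.serialize().split("\\.");
        if (jweParts.length != 5) {
            throw new InvalidJwtException("Invalid JWE format.");
        }
        jwe.setEncodedHeader(jweParts[0]);
        jwe.setEncodedEncryptedKey(jweParts[1]);
        jwe.setEncodedInitializationVector(jweParts[2]);
        jwe.setEncodedCiphertext(jweParts[3]);
        jwe.setEncodedIntegrityValue(jweParts[4]);
        // Replace the header object with one rebuilt from the serialized segment,
        // so the header on the object matches what was actually emitted.
        jwe.setHeader(new JwtHeader(jweParts[0]));
        return jwe;
    } catch (Exception e) {
        throw new InvalidJweException(e);
    }
}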
Example #12
Source File: Jwt.java From oxAuth with MIT License | 5 votes |
/**
 * Renders the compact serialization {@code header.claims.signature}.
 *
 * When no signature has been set the result still ends with the separator
 * ({@code header.claims.}), which is the shape of an unsecured JWT with an
 * empty signature segment (RFC 7519 §6.1). If the signing input cannot be
 * produced the failure is printed and {@code ""} is returned.
 *
 * NOTE(review): no logger is in scope here, so the error goes to stderr via
 * printStackTrace and the caller cannot distinguish "" from a failure.
 *
 * @return the compact serialization, or {@code ""} on error
 */
@Override
public String toString() {
    try {
        final String signingInput = getSigningInput();
        final String signaturePart = (encodedSignature == null) ? "" : encodedSignature;
        return signingInput + "." + signaturePart;
    } catch (InvalidJwtException e) {
        e.printStackTrace();
        return "";
    }
}
Example #13
Source File: Jwt.java From oxAuth with MIT License | 5 votes |
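/**
 * Decodes a compact-serialized JWS/JWT into its header, claims and signature
 * segments.
 *
 * <b>This performs no signature verification, no {@code alg} check and no
 * exp/nbf check.</b> Every claim on the returned object is still untrusted;
 * callers must verify the signature over {@link #getSigningInput()} (see
 * {@code ClientAssertion.load}) before acting on the claims.
 *
 * Accepted shapes:
 *  - {@code header.claims.signature} - a signed token;
 *  - {@code header.claims} or {@code header.claims.} - an unsecured token
 *    ("alg": "none", RFC 7519 §6.1); the signature is stored as {@code ""}.
 *    Callers that must not accept unsecured tokens have to reject an empty
 *    {@code getEncodedSignature()} themselves.
 *
 * Fix vs. the previous version: {@code split("\\.")} discarded trailing empty
 * segments, so malformed input such as {@code a.b.c.} or {@code a.b..} was
 * accepted as a three- or two-part token. Splitting with a negative limit keeps
 * those segments and rejects such input; well-formed input decodes exactly as
 * before.
 *
 * @param encodedJwt compact serialization; blank input yields {@code null}
 * @return the decoded token, marked {@code loaded} so that the original encoded
 *         segments are reused as signing input; {@code null} for blank input
 * @throws InvalidJwtException if the segment count is not 2 or 3, or a segment
 *         cannot be decoded
 */
public static Jwt parse(String encodedJwt) throws InvalidJwtException {
    if (StringUtils.isBlank(encodedJwt)) {
        return null;
    }
    // Negative limit: keep trailing empty segments so that the count is exact.
    final String[] jwtParts = encodedJwt.split("\\.", -1);
    final String encodedHeader;
    final String encodedClaims;
    final String encodedSignature;
    if (jwtParts.length == 2) {
        // Signature Algorithm NONE: no signature segment at all.
        encodedHeader = jwtParts[0];
        encodedClaims = jwtParts[1];
        encodedSignature = "";
    } else if (jwtParts.length == 3) {
        encodedHeader = jwtParts[0];
        encodedClaims = jwtParts[1];
        encodedSignature = jwtParts[2];
    } else {
        throw new InvalidJwtException("Invalid JWT format.");
    }

    final Jwt jwt = new Jwt();
    jwt.setHeader(new JwtHeader(encodedHeader));
    jwt.setClaims(new JwtClaims(encodedClaims));
    jwt.setEncodedSignature(encodedSignature);
    // Keep the received bytes: re-serializing the JSON could change them and
    // break verification, so getSigningInput() returns these when loaded.
    jwt.encodedHeader = encodedHeader;
    jwt.encodedClaims = encodedClaims;
    jwt.loaded = true;
    return jwt;
}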
Example #14
Source File: Jwt.java From oxAuth with MIT License | 5 votes |
/**
 * Returns the JWS signing input {@code base64url(header) + "." + base64url(claims)}.
 *
 * For a token that came from {@code parse()} ({@code loaded == true}) the
 * exact segments that were received are reused: re-serializing the header or
 * claims JSON could change key order or escaping and would then break
 * signature verification over this input. A token built locally serializes its
 * header and claim set instead.
 *
 * @return the dot-joined header and claims segments
 * @throws InvalidJwtException if a locally built header or claim set cannot be serialized
 */
public String getSigningInput() throws InvalidJwtException {
    if (loaded) {
        return encodedHeader + "." + encodedClaims;
    }
    final String headerSegment = header.toBase64JsonObject();
    final String claimsSegment = claims.toBase64JsonObject();
    return headerSegment + "." + claimsSegment;
}
Example #15
Source File: JwtClaimSet.java From oxAuth with MIT License | 5 votes |
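/**
 * Serializes the claim set to JSON and base64url-encodes it, producing one
 * compact-serialization segment.
 *
 * Fix vs. the previous version: an {@code UnsupportedEncodingException} was
 * swallowed and {@code null} returned, which would have let the literal text
 * "null" be concatenated into a signing input by {@code getSigningInput()}.
 * It is now reported through the declared exception instead.
 *
 * @return the base64url-encoded UTF-8 JSON of this claim set
 * @throws InvalidJwtException if the JSON cannot be produced, or if the
 *         configured encoding is unavailable (cause attached)
 */
public String toBase64JsonObject() throws InvalidJwtException {
    final String json = toJsonString();
    try {
        final byte[] jsonBytes = json.getBytes(Util.UTF8_STRING_ENCODING);
        return Base64Util.base64urlencode(jsonBytes);
    } catch (UnsupportedEncodingException e) {
        throw new InvalidJwtException(e);
    }
}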
Example #16
Source File: JwtClaimSet.java From oxAuth with MIT License | 5 votes |
/**
 * Serializes the claim set to a JSON string with forward slashes unescaped.
 *
 * The JSON library may emit {@code /} as {@code \/}; that escape is undone so
 * URLs in claims (iss, aud, jwks_uri, ...) serialize as plain text.
 *
 * NOTE(review): the replacement is purely textual. A string value containing a
 * backslash followed by a slash is serialized as {@code \\/}; the replace turns
 * that into {@code \/}, which decodes to a different value. Only an issue for
 * claim values that themselves contain {@code \/}.
 *
 * @return the JSON text of this claim set
 * @throws InvalidJwtException if the claim set cannot be converted to JSON
 */
public String toJsonString() throws InvalidJwtException {
    final String escaped = toJsonObject().toString();
    return escaped.replace("\\/", "/");
}
Example #17
Source File: JwtAuthorizationRequest.java From oxAuth with MIT License | 5 votes |
/**
 * Builds the JOSE header of the request object as a JSON object.
 *
 * With both {@code keyEncryptionAlgorithm} and {@code blockEncryptionAlgorithm}
 * set the object is encrypted: {@code alg} carries the key-management algorithm
 * and {@code enc} the content-encryption algorithm. Otherwise it is signed and
 * {@code alg} carries {@code signatureAlgorithm}. {@code typ} and {@code kid}
 * are always written from the corresponding fields.
 *
 * @return the header JSON produced by {@code JwtHeader.toJsonObject()}
 * @throws InvalidJwtException if the header cannot be serialized
 */
protected JSONObject headerToJSONObject() throws InvalidJwtException {
    final JwtHeader header = new JwtHeader();
    header.setType(type);
    final boolean encrypted = keyEncryptionAlgorithm != null && blockEncryptionAlgorithm != null;
    if (encrypted) {
        header.setAlgorithm(keyEncryptionAlgorithm);
        header.setEncryptionMethod(blockEncryptionAlgorithm);
    } else {
        header.setAlgorithm(signatureAlgorithm);
    }
    header.setKeyId(keyId);
    return header.toJsonObject();
}
Example #18
Source File: JwtState.java From oxAuth with MIT License | 5 votes |
/**
 * Builds the JOSE header of the JWT-encoded state as a JSON object.
 *
 * Same rule as the request-object variant: when both JWE algorithms are set
 * the state is encrypted ({@code alg} = key-management algorithm,
 * {@code enc} = content encryption); otherwise it is signed and {@code alg}
 * is {@code signatureAlgorithm}. {@code typ} and {@code kid} always come from
 * the corresponding fields.
 *
 * @return the header JSON produced by {@code JwtHeader.toJsonObject()}
 * @throws InvalidJwtException if the header cannot be serialized
 */
protected JSONObject headerToJSONObject() throws InvalidJwtException {
    final JwtHeader header = new JwtHeader();
    header.setType(type);
    final boolean useEncryption = keyEncryptionAlgorithm != null && blockEncryptionAlgorithm != null;
    if (useEncryption) {
        header.setAlgorithm(keyEncryptionAlgorithm);
        header.setEncryptionMethod(blockEncryptionAlgorithm);
    } else {
        header.setAlgorithm(signatureAlgorithm);
    }
    header.setKeyId(keyId);
    return header.toJsonObject();
}
Example #19
Source File: JsonWebResponse.java From oxAuth with MIT License | 5 votes |
/**
 * Returns the claims as a JSON string, or {@code ""} if serialization fails.
 *
 * NOTE(review): the failure is only printed via printStackTrace (no logger in
 * scope), and the caller cannot tell an empty result from an error.
 *
 * @return JSON text of the claims, or {@code ""} on error
 */
public String asString() {
    String json = "";
    try {
        json = claims.toJsonString();
    } catch (InvalidJwtException ex) {
        ex.printStackTrace();
    }
    return json;
}
Example #20
Source File: SelectAccountHttpTest.java From oxAuth with MIT License | 5 votes |
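/**
 * Sanity-checks the shape of an id_token: it must parse and carry the header
 * fields ({@code typ}, {@code alg}) and claims ({@code iss}, {@code aud},
 * {@code exp}, {@code iat}) that OIDC Core §2 requires.
 *
 * Presence only: values are not compared and the signature is not verified
 * ({@code Jwt.parse} only decodes), so this does not establish that the token
 * is genuine or unexpired.
 *
 * Fix vs. the previous version: {@code Jwt.parse} returns {@code null} for a
 * blank token, which produced an NPE instead of an assertion failure.
 *
 * @param idToken compact-serialized id_token
 * @throws InvalidJwtException if the token cannot be decoded
 */
private void assertIdToken(String idToken) throws InvalidJwtException {
    final Jwt jwt = Jwt.parse(idToken);
    assertNotNull(jwt);
    assertNotNull(jwt.getHeader().getClaimAsString(JwtHeaderName.TYPE));
    assertNotNull(jwt.getHeader().getClaimAsString(JwtHeaderName.ALGORITHM));
    assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.ISSUER));
    assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.AUDIENCE));
    assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.EXPIRATION_TIME));
    assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.ISSUED_AT));
}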
Example #21
Source File: AuthenticationFilter.java From oxAuth with MIT License | 5 votes |
/**
 * Authenticates a client from a JWT bearer client assertion (RFC 7523 §2.2)
 * carried in the {@code client_assertion} / {@code client_assertion_type}
 * request parameters, then continues the filter chain.
 *
 * Flow as written:
 *  - if both parameters are present and the type is JWT_BEARER, the assertion
 *    is parsed and validated by {@code ClientAssertion} (a rejected assertion
 *    surfaces as InvalidJwtException); unless the same client is already logged
 *    in, its subject and secret are placed into the credentials and
 *    {@code authenticator.authenticateClient} is invoked;
 *  - the chain then runs in every case that did not throw;
 *  - afterwards {@code sendError} is called whenever {@code authorized} is
 *    still false, which includes the already-logged-in branch, a missing
 *    parameter, and a non-JWT_BEARER type.
 *
 * NOTE(review): {@code authorized} is set right after authenticateClient
 * returns without consulting any result; whether a failed authentication is
 * signalled by exception or by return value is not visible here - confirm,
 * otherwise an unauthenticated request could pass this filter.
 * NOTE(review): sendError is issued after doFilter has already run the chain -
 * confirm the response is not committed by then.
 * NOTE(review): a null subject from the assertion would NPE on
 * {@code username.equals(...)}; NPE is not among the caught types.
 */
private void processJwtAuth(HttpServletRequest servletRequest, HttpServletResponse servletResponse, FilterChain filterChain) {
    boolean authorized = false;
    try {
        if (servletRequest.getParameter("client_assertion") != null && servletRequest.getParameter("client_assertion_type") != null) {
            String clientId = servletRequest.getParameter("client_id");
            ClientAssertionType clientAssertionType = ClientAssertionType
                    .fromString(servletRequest.getParameter("client_assertion_type"));
            String encodedAssertion = servletRequest.getParameter("client_assertion");
            if (clientAssertionType == ClientAssertionType.JWT_BEARER) {
                // Construction validates the assertion (issuer/subject/audience/exp/signature).
                ClientAssertion clientAssertion = new ClientAssertion(appConfiguration, cryptoProvider, clientId, clientAssertionType, encodedAssertion);
                String username = clientAssertion.getSubjectIdentifier();
                String password = clientAssertion.getClientSecret();
                // Only authenticate if username doesn't match
                // Identity.username and user isn't authenticated
                if (!username.equals(identity.getCredentials().getUsername()) || !identity.isLoggedIn()) {
                    identity.getCredentials().setUsername(username);
                    identity.getCredentials().setPassword(password);
                    authenticator.authenticateClient(servletRequest, true);
                    authorized = true;
                }
            }
        }
        filterChain.doFilter(servletRequest, servletResponse);
    } catch (ServletException | IOException | InvalidJwtException ex) {
        // An invalid assertion ends up here; authorized stays false and an error is sent below.
        // NOTE(review): with the exception as the sole argument for a single {},
        // what gets logged (message vs. stack trace) depends on the SLF4J version.
        log.info("JWT authentication failed: {}", ex);
    }
    if (!authorized) {
        sendError(servletResponse);
    }
}
Example #22
Source File: UmaPCT.java From oxAuth with MIT License | 5 votes |
/**
 * Stores the claim set on this PCT in its JSON string form.
 *
 * @param claims claims to store; {@code null} clears the stored JSON
 * @throws InvalidJwtException if the claims cannot be serialized to JSON
 */
public void setClaims(JwtClaims claims) throws InvalidJwtException {
    claimValuesAsJson = (claims == null) ? null : claims.toJsonString();
}
Example #23
Source File: UmaGatherContext.java From oxAuth with MIT License | 5 votes |
/**
 * Must not take any parameters
 *
 * Serializes the gathered claims onto the PCT, then persists the session and
 * merges the PCT. A claim-serialization failure is logged and the session is
 * still persisted and the PCT still merged with whatever claims it held before.
 */
public void persist() {
    storeClaimsOnPct();
    sessionService.persist(session);
    pctService.merge(pct);
}

/** Copies {@code claims} onto {@code pct}; a serialization failure is logged, not propagated. */
private void storeClaimsOnPct() {
    try {
        pct.setClaims(claims);
    } catch (InvalidJwtException e) {
        getLog().error("Failed to persist claims", e);
    }
}
Example #24
Source File: Authenticator.java From oxTrust with MIT License | 4 votes |
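/**
 * Exchanges the authorization code for tokens, validates the id_token and the
 * userinfo response, stores the result on the identity's {@code OauthData} and
 * runs {@link #authenticate()}.
 *
 * Validation performed on the id_token (decoded with {@code Jwt.parse}, which
 * does not verify the signature; the token is trusted because it arrives over
 * TLS directly from the token endpoint, which OIDC Core §3.1.3.7 permits for
 * this flow - confirm that this is the intended trust model):
 *  - {@code iss} must equal the issuer from the OP's discovery document; this
 *    is now checked for every login (previously only when acr_values had been
 *    requested in the session);
 *  - {@code nonce} must equal the nonce stored in the session when the
 *    authorization request was built;
 *  - if acr_values were requested, the {@code acr} claim must contain them.
 * The uid comes from the userinfo response fetched with the access token.
 *
 * Fixes vs. the previous version: tokens are no longer written to the log (only
 * their presence is); the issuer check is unconditional; a blank id_token no
 * longer NPEs; the unreachable duplicate acr check is removed; the "logged in"
 * message is emitted after validation rather than before it.
 *
 * @return {@code OxTrustConstants.RESULT_NO_PERMISSIONS} on any failure,
 *         otherwise the result of {@link #authenticate()}
 */
private String requestAccessToken(String oxAuthHost, String authorizationCode, String sessionState, String scopes, String clientID, String clientPassword) {
    OpenIdConfigurationResponse openIdConfiguration = openIdService.getOpenIdConfiguration();

    // 1. Request access token using the authorization code.
    TokenClient tokenClient = new TokenClient(openIdConfiguration.getTokenEndpoint());
    log.info("Sending request to token endpoint");
    String redirectURL = appConfiguration.getLoginRedirectUrl();
    log.info("redirectURI : " + redirectURL);
    TokenResponse tokenResponse = tokenClient.execAuthorizationCode(authorizationCode, redirectURL, clientID, clientPassword);
    if (tokenResponse == null) {
        log.error("Get empty token response. User can't log into application");
        return OxTrustConstants.RESULT_NO_PERMISSIONS;
    }
    log.debug(" tokenResponse.getErrorType() : " + tokenResponse.getErrorType());

    // Tokens are credentials: record that they arrived, never their value.
    String accessToken = tokenResponse.getAccessToken();
    log.debug(" accessToken present : " + (accessToken != null));
    String idToken = tokenResponse.getIdToken();
    log.debug(" idToken present : " + (idToken != null));
    if (idToken == null) {
        log.error("Failed to get id_token");
        return OxTrustConstants.RESULT_NO_PERMISSIONS;
    }

    // 2. Fetch userinfo with the access token.
    UserInfoClient userInfoClient = new UserInfoClient(openIdConfiguration.getUserInfoEndpoint());
    UserInfoResponse userInfoResponse = userInfoClient.execUserInfo(accessToken);
    if (userInfoResponse == null) {
        log.error("Get empty user info response. User can't log into application");
        return OxTrustConstants.RESULT_NO_PERMISSIONS;
    }

    // 3. Decode the id_token (no signature verification, see class comment).
    Jwt jwt;
    try {
        jwt = Jwt.parse(idToken);
    } catch (InvalidJwtException ex) {
        log.error("Failed to parse id_token");
        return OxTrustConstants.RESULT_NO_PERMISSIONS;
    }
    if (jwt == null) {
        // Jwt.parse returns null for a blank token.
        log.error("Failed to parse id_token");
        return OxTrustConstants.RESULT_NO_PERMISSIONS;
    }

    // 4. Issuer must be the OP we discovered - for every login, not only when
    //    acr_values were requested (where this check used to live).
    String issuer = openIdConfiguration.getIssuer();
    String responseIssuer = (String) jwt.getClaims().getClaim(JwtClaimName.ISSUER);
    if (issuer == null || responseIssuer == null || !issuer.equals(responseIssuer)) {
        log.error("id_token issuer '{}' does not match expected issuer '{}'", responseIssuer, issuer);
        return OxTrustConstants.RESULT_NO_PERMISSIONS;
    }

    // 5. Nonce must match the value stored in the session for this login attempt.
    //    NOTE(review): if StringHelper.equals(null, null) is true, a session without a
    //    nonce accepts a token without one - confirm the request always stores a nonce.
    String nonceResponse = (String) jwt.getClaims().getClaim(JwtClaimName.NONCE);
    String nonceSession = (String) identity.getSessionMap().get(OxTrustConstants.OXAUTH_NONCE);
    if (!StringHelper.equals(nonceSession, nonceResponse)) {
        log.error("User info response : nonce is not matching.");
        return OxTrustConstants.RESULT_NO_PERMISSIONS;
    }

    // 6. Determine uid from the userinfo response.
    List<String> uidValues = userInfoResponse.getClaims().get(JwtClaimName.USER_NAME);
    if ((uidValues == null) || (uidValues.size() == 0)) {
        log.error("User info response doesn't contains uid claim");
        return OxTrustConstants.RESULT_NO_PERMISSIONS;
    }

    // 7. If a specific authentication method was requested, the id_token must attest it.
    if (identity.getSessionMap().containsKey(OxTrustConstants.OXAUTH_ACR_VALUES)) {
        String requestAcrValues = (String) identity.getSessionMap().get(OxTrustConstants.OXAUTH_ACR_VALUES);
        List<String> acrValues = jwt.getClaims()
                .getClaimAsStringList(JwtClaimName.AUTHENTICATION_CONTEXT_CLASS_REFERENCE);
        if ((acrValues == null) || (acrValues.size() == 0)) {
            log.error("User info response doesn't contains acr claim");
            return OxTrustConstants.RESULT_NO_PERMISSIONS;
        }
        if (!acrValues.contains(requestAcrValues)) {
            log.error("User info response contains acr='{}' claim but expected acr='{}'", acrValues, requestAcrValues);
            return OxTrustConstants.RESULT_NO_PERMISSIONS;
        }
    }
    log.info("Session validation successful. User is logged in");

    // 8. Record the session and finish authentication.
    OauthData oauthData = identity.getOauthData();
    oauthData.setHost(oxAuthHost);
    oauthData.setUserUid(uidValues.get(0));
    oauthData.setAccessToken(accessToken);
    oauthData.setAccessTokenExpirationInSeconds(tokenResponse.getExpiresIn());
    oauthData.setScopes(scopes);
    oauthData.setIdToken(idToken);
    oauthData.setSessionState(sessionState);
    identity.setWorkingParameter(OxTrustConstants.OXAUTH_SSO_SESSION_STATE, Boolean.FALSE);
    log.info("user uid:" + oauthData.getUserUid());
    return authenticate();
}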
Example #25
Source File: ClientAssertion.java From oxAuth with MIT License | 4 votes |
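/**
 * Parses and validates a JWT bearer client assertion (RFC 7523 §3) and, on
 * success, caches the client's decrypted secret in {@code clientSecret}.
 *
 * Checks, in order; each failure raises InvalidJwtException with the message shown:
 *  1. assertion type is JWT_BEARER                       - "Invalid Client Assertion Type"
 *  2. encoded assertion is non-blank                     - "The Client Assertion is null or empty"
 *  3. iss equals sub, and equals client_id when one was sent - "Invalid clientId"
 *  4. aud contains the issuer, token endpoint or CIBA endpoint - "Invalid audience: ..."
 *  5. exp is present and in the future                   - "JWT has expired"
 *  6. a client is registered under sub                   - "Invalid client"
 *  7. alg family matches the client's registered auth method:
 *     HMAC for client_secret_jwt, RSA or EC for private_key_jwt - "Invalid authentication method"
 *  8. alg equals token_endpoint_auth_signing_alg when one is registered - "Invalid signing algorithm"
 *  9. the signature verifies against the client's JWKS / shared secret - "Invalid cryptographic segment"
 *
 * Signature verification is the last step, so checks 3-8 run on as-yet
 * unauthenticated claims and must stay side-effect free. Not checked: jti
 * replay (see TODO), nbf/iat. Step 9 may fetch the client's registered
 * jwks_uri over the network when no inline JWKS is stored.
 *
 * Fixes vs. the previous version: a missing exp NPE'd (escaping as a server
 * error rather than an authentication failure) and an unrecognised registered
 * signing-alg name NPE'd in step 8; both now raise the corresponding
 * InvalidJwtException. The secret is decrypted once instead of twice.
 *
 * @return {@code true} when every check passed; the method never returns false
 * @throws Exception InvalidJwtException for a failed check; exceptions from
 *         parsing, key retrieval or signature verification propagate unchanged
 */
private boolean load(AppConfiguration appConfiguration, AbstractCryptoProvider cryptoProvider, String clientId, ClientAssertionType clientAssertionType, String encodedAssertion) throws Exception {
    if (clientAssertionType != ClientAssertionType.JWT_BEARER) {
        throw new InvalidJwtException("Invalid Client Assertion Type");
    }
    if (!StringUtils.isNotBlank(encodedAssertion)) {
        throw new InvalidJwtException("The Client Assertion is null or empty");
    }
    jwt = Jwt.parse(encodedAssertion);

    // TODO: Store jti this value to check for duplicates

    String issuer = jwt.getClaims().getClaimAsString(JwtClaimName.ISSUER);
    String subject = jwt.getClaims().getClaimAsString(JwtClaimName.SUBJECT_IDENTIFIER);
    List<String> audience = jwt.getClaims().getClaimAsStringList(JwtClaimName.AUDIENCE);
    Date expirationTime = jwt.getClaims().getClaimAsDate(JwtClaimName.EXPIRATION_TIME);

    // Validate clientId: iss and sub must both name the client, and a client_id
    // sent alongside the assertion must agree with them.
    boolean issuerIsSubject = StringUtils.isNotBlank(issuer) && StringUtils.isNotBlank(subject) && issuer.equals(subject);
    boolean clientIdConsistent = clientId == null || (StringUtils.isNotBlank(clientId) && clientId.equals(issuer));
    if (!issuerIsSubject || !clientIdConsistent) {
        throw new InvalidJwtException("Invalid clientId");
    }

    // Validate audience: the assertion must be addressed to this server.
    String tokenUrl = appConfiguration.getTokenEndpoint();
    String cibaAuthUrl = appConfiguration.getBackchannelAuthenticationEndpoint();
    boolean audienceMatches = audience != null
            && (audience.contains(appConfiguration.getIssuer()) || audience.contains(tokenUrl) || audience.contains(cibaAuthUrl));
    if (!audienceMatches) {
        throw new InvalidJwtException("Invalid audience: " + audience);
    }

    // Validate expiration. A missing exp is treated like an expired one (message kept
    // for compatibility with callers matching on it).
    if (expirationTime == null || !expirationTime.after(new Date())) {
        throw new InvalidJwtException("JWT has expired");
    }

    // Validate client.
    ClientService clientService = CdiUtil.bean(ClientService.class);
    Client client = clientService.getClient(subject);
    if (client == null) {
        throw new InvalidJwtException("Invalid client");
    }

    // The alg family must match how the client registered to authenticate, so an
    // HMAC-signed assertion cannot be played against a private_key_jwt client.
    JwtType jwtType = JwtType.fromString(jwt.getHeader().getClaimAsString(JwtHeaderName.TYPE));
    AuthenticationMethod authenticationMethod = client.getAuthenticationMethod();
    SignatureAlgorithm signatureAlgorithm = jwt.getHeader().getSignatureAlgorithm();
    if (jwtType == null && signatureAlgorithm != null) {
        jwtType = signatureAlgorithm.getJwtType();
    }
    boolean familyKnown = jwtType != null && signatureAlgorithm != null && signatureAlgorithm.getFamily() != null;
    boolean hmacForSecretJwt = authenticationMethod == AuthenticationMethod.CLIENT_SECRET_JWT
            && AlgorithmFamily.HMAC.equals(signatureAlgorithm == null ? null : signatureAlgorithm.getFamily());
    boolean asymmetricForPrivateKeyJwt = authenticationMethod == AuthenticationMethod.PRIVATE_KEY_JWT
            && (AlgorithmFamily.RSA.equals(signatureAlgorithm == null ? null : signatureAlgorithm.getFamily())
                || AlgorithmFamily.EC.equals(signatureAlgorithm == null ? null : signatureAlgorithm.getFamily()));
    if (!familyKnown || !(hmacForSecretJwt || asymmetricForPrivateKeyJwt)) {
        throw new InvalidJwtException("Invalid authentication method");
    }

    // A registered token_endpoint_auth_signing_alg pins the algorithm. Comparing
    // from the (non-null) header algorithm makes an unknown registered name a
    // rejection instead of an NPE.
    String registeredAlg = client.getTokenEndpointAuthSigningAlg();
    if (registeredAlg != null && !signatureAlgorithm.equals(SignatureAlgorithm.fromString(registeredAlg))) {
        throw new InvalidJwtException("Invalid signing algorithm");
    }

    // Validate the crypto segment. The same decrypted secret serves both the
    // cached field and HMAC verification.
    clientSecret = clientService.decryptSecret(client.getClientSecret());
    String keyId = jwt.getHeader().getKeyId();
    JSONObject jwks = Strings.isNullOrEmpty(client.getJwks())
            ? JwtUtil.getJSONWebKeys(client.getJwksUri())
            : new JSONObject(client.getJwks());
    boolean validSignature = cryptoProvider.verifySignature(jwt.getSigningInput(), jwt.getEncodedSignature(), keyId, jwks, clientSecret, signatureAlgorithm);
    if (!validSignature) {
        throw new InvalidJwtException("Invalid cryptographic segment");
    }
    return true;
}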
Example #26
Source File: CrossEncryptionTest.java From oxAuth with MIT License | 4 votes |
/**
 * Decrypts a JWE produced by the other implementation with the Gluu decrypter
 * and verifies the nested JWS it carries.
 *
 * Recipient side: RSA-OAEP key unwrap with the private key from
 * {@code recipientJwkJson}, A128GCM content decryption. The JWE header must
 * declare {@code cty=JWT}; the nested token is then checked with RS256 against
 * the sender's public key.
 *
 * @param jweString compact-serialized JWE under test
 */
private void decryptAndValidateSignatureWithGluu(String jweString) throws ParseException, JOSEException, InvalidJweException, JSONException, InvalidJwtException {
    final JWK recipientJwk = JWK.parse(recipientJwkJson);
    final RSAPrivateKey recipientKey = ((RSAKey) recipientJwk).toRSAPrivateKey();

    final JweDecrypterImpl decrypter = new JweDecrypterImpl(recipientKey);
    decrypter.setKeyEncryptionAlgorithm(KeyEncryptionAlgorithm.RSA_OAEP);
    decrypter.setBlockEncryptionAlgorithm(BlockEncryptionAlgorithm.A128GCM);
    final Jwe jwe = decrypter.decrypt(jweString);
    assertEquals(JwtType.JWT, jwe.getHeader().getContentType());

    // Nested JWS: verify with the sender's public key.
    final Jwt nested = jwe.getSignedJWTPayload();
    final RSAPublicKey senderKey = RSAKeyFactory.valueOf(getSenderWebKey()).getPublicKey();
    final RSASigner verifier = new RSASigner(SignatureAlgorithm.RS256, senderKey);
    Assert.assertTrue(verifier.validate(nested));

    System.out.println("Gluu decrypt and nested jwt signature verification succeed: " + nested.getClaims().toJsonString());
}
Example #27
Source File: JweEncrypterImpl.java From oxAuth with MIT License | 4 votes |
/**
 * Builds the Nimbus payload (JWE plaintext) for {@code jwe}.
 *
 * With a nested signed JWT the plaintext is that token's compact serialization
 * (RFC 7519 §5.2). Otherwise the plaintext is the base64url encoding of the
 * claim set's JSON - note that the JSON is base64url-encoded <em>before</em>
 * becoming the plaintext, so the decrypting side is expected to decode it
 * again (confirm against the decrypter).
 *
 * @param jwe source of the nested token or claims
 * @return the payload to hand to {@code JWEObject}
 * @throws ParseException if the nested token's serialization cannot be parsed by Nimbus
 * @throws InvalidJwtException if the claims cannot be serialized
 * @throws UnsupportedEncodingException never in practice (UTF-8 is always available)
 */
public static Payload createPayload(Jwe jwe) throws ParseException, InvalidJwtException, UnsupportedEncodingException {
    final Jwt nested = jwe.getSignedJWTPayload();
    if (nested != null) {
        return new Payload(SignedJWT.parse(nested.toString()));
    }
    final byte[] claimBytes = jwe.getClaims().toJsonString().getBytes("UTF-8");
    return new Payload(Base64Util.base64urlencode(claimBytes));
}
Example #28
Source File: AbstractJwsSigner.java From oxAuth with MIT License | 4 votes |
/**
 * Signs {@code jwt} in place: computes the signature over
 * {@code jwt.getSigningInput()} with this signer's algorithm and key, stores
 * it as the encoded signature segment and returns the same instance.
 *
 * @param jwt token to sign; mutated and returned
 * @return {@code jwt} with its signature set
 * @throws InvalidJwtException if the signing input cannot be produced
 * @throws SignatureException  if signature generation fails
 */
@Override
public Jwt sign(Jwt jwt) throws InvalidJwtException, SignatureException {
    final String signingInput = jwt.getSigningInput();
    final String encodedSignature = generateSignature(signingInput);
    jwt.setEncodedSignature(encodedSignature);
    return jwt;
}
Example #29
Source File: JwtClaims.java From oxAuth with MIT License | 4 votes |
/**
 * Builds the claim set from one base64url-encoded JSON segment, as handed over
 * by {@code Jwt.parse} for the claims part of a compact-serialized token.
 *
 * @param base64JsonObject base64url-encoded JSON object
 * @throws InvalidJwtException if the segment cannot be decoded or parsed
 *         (raised by {@code JwtClaimSet.load})
 */
public JwtClaims(String base64JsonObject) throws InvalidJwtException {
    super(base64JsonObject);
}
Example #30
Source File: JwtClaimSet.java From oxAuth with MIT License | 4 votes |
/**
 * Builds a claim set from its base64url-encoded JSON form - one segment of a
 * compact serialization, e.g. the claims part given by {@code Jwt.parse}.
 *
 * Runs the no-arg constructor first, then {@code load}.
 *
 * @param base64JsonObject base64url-encoded JSON object
 * @throws InvalidJwtException if the segment cannot be decoded or parsed as
 *         JSON (the exact conditions are defined by {@code load})
 */
public JwtClaimSet(String base64JsonObject) throws InvalidJwtException {
    this();
    load(base64JsonObject);
}