com.nimbusds.jose.JOSEException Java Examples

public boolean isValidJWToken(String jwt) {
	try {
		String secret = Config.getConfigParam("app_secret_key", "");
		if (secret != null && jwt != null) {
			JWSVerifier verifier = new MACVerifier(secret);
			SignedJWT sjwt = SignedJWT.parse(jwt);
			if (sjwt.verify(verifier)) {
				Date referenceTime = new Date();
				JWTClaimsSet claims = sjwt.getJWTClaimsSet();

				Date expirationTime = claims.getExpirationTime();
				Date notBeforeTime = claims.getNotBeforeTime();
				String jti = claims.getJWTID();
				boolean expired = expirationTime != null && expirationTime.before(referenceTime);
				boolean notYetValid = notBeforeTime != null && notBeforeTime.after(referenceTime);
				boolean jtiRevoked = isApiKeyRevoked(jti, expired);
				return !(expired || notYetValid || jtiRevoked);
			}
		}
	} catch (JOSEException e) {
		logger.warn(null, e);
	} catch (ParseException ex) {
		logger.warn(null, ex);
	}
	return false;
}
 

public SignedJWT generateJWToken(Map<String, Object> claims, long validitySeconds) {
	String secret = Config.getConfigParam("app_secret_key", "");
	if (!StringUtils.isBlank(secret)) {
		try {
			Date now = new Date();
			JWTClaimsSet.Builder claimsSet = new JWTClaimsSet.Builder();
			claimsSet.issueTime(now);
			if (validitySeconds > 0) {
				claimsSet.expirationTime(new Date(now.getTime() + (validitySeconds * 1000)));
			}
			claimsSet.notBeforeTime(now);
			claimsSet.claim(Config._APPID, Config.getConfigParam("access_key", "x"));
			claims.entrySet().forEach((claim) -> claimsSet.claim(claim.getKey(), claim.getValue()));
			JWSSigner signer = new MACSigner(secret);
			SignedJWT signedJWT = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256), claimsSet.build());
			signedJWT.sign(signer);
			return signedJWT;
		} catch (JOSEException e) {
			logger.warn("Unable to sign JWT: {}.", e.getMessage());
		}
	}
	logger.error("Failed to generate JWT token - app_secret_key is blank.");
	return null;
}
 

@Test
public void testJSONWebTokenManager() throws ParseException, JOSEException, BadJOSEException {

    JSONWebTokenManager tokens = new JSONWebTokenManager(clients, keyPair);
    ClientDetails client = clients.findAll().get(0);
    String userId = "user_1";
    TokenResponse tokenResponse = tokens.create(client, userId, Collections.emptySet());
    String accessToken;
    assertNotNull(tokenResponse);
    assertNotNull(accessToken = tokenResponse.getAccess_token());
    ConfigurableJWTProcessor<SecurityContext> jwtProcessor = new DefaultJWTProcessor<>();
    JWKSource<SecurityContext> keySource = new ImmutableJWKSet<>(jwkSet);
    JWSAlgorithm expectedJWSAlg = JWSAlgorithm.RS256;
    JWSKeySelector<SecurityContext> keySelector = new JWSVerificationKeySelector<>(expectedJWSAlg, keySource);
    jwtProcessor.setJWSKeySelector(keySelector);
    JWTClaimsSet claimsSet = jwtProcessor.process(accessToken, null);
    assertEquals(userId, claimsSet.getClaim(OAuthProperties.TOKEN_USER_ID));
}
 

public String build() throws CelleryAuthException {

        // Build the JWT Header
        try {
            JWSHeader jwsHeader = buildJWSHeader();
            // Add mandatory claims
            addMandatoryClaims(claimSetBuilder);
            JWTClaimsSet claimsSet = this.claimSetBuilder.build();

            SignedJWT signedJWT = new SignedJWT(jwsHeader, claimsSet);
            JWSSigner signer = new RSASSASigner(getRSASigningKey());

            signedJWT.sign(signer);
            return signedJWT.serialize();
        } catch (IdentityOAuth2Exception | JOSEException e) {
            throw new CelleryAuthException("Error while generating the signed JWT.", e);
        }
    }
 

@Override
public TokenResponse create(ClientDetails client, String userId, Set<String> scopes) {
    assertValidateScopes(client, scopes);
    JWTClaimsSet claims = new JWTClaimsSet.Builder()
            .claim(TOKEN_USER_ID, userId)
            .claim(TOKEN_CLIENT_ID, client.getClientId())
            .claim(TOKEN_AUTHORITIES, client.getAuthoritySet())
            .claim(TOKEN_SCOPES, scopes)
            .claim(TOKEN_EXPIRE_AT, expireAtByLiveTime(client.getAccessTokenValiditySeconds()))
            .claim(TOKEN_RESOURCE_IDS, client.getResourceIds())
            .build();
    PrivateKey privateKey = keyPair.getPrivate();
    RSASSASigner signer = new RSASSASigner(privateKey);
    SignedJWT signedJWT = new SignedJWT(new JWSHeader.Builder(JWSAlgorithm.RS256).build(), claims);
    try {
        signedJWT.sign(signer);
    } catch (JOSEException e) {
        throw new OAuthException("Failed to sign jwt.");
    }
    return new TokenResponse(signedJWT.serialize(), client.getAccessTokenValiditySeconds(), scopes);
}
 

/**
 * Verify the JWT token signature.
 *
 * @param jwt SignedJwt Token
 * @param publicKey      public certificate
 * @return whether the signature is verified or or not
 */
public static boolean verifyTokenSignature(SignedJWT jwt, RSAPublicKey publicKey) {

    JWSAlgorithm algorithm = jwt.getHeader().getAlgorithm();
    if ((JWSAlgorithm.RS256.equals(algorithm) || JWSAlgorithm.RS512.equals(algorithm) ||
            JWSAlgorithm.RS384.equals(algorithm))) {
        try {
            JWSVerifier jwsVerifier = new RSASSAVerifier(publicKey);
            return jwt.verify(jwsVerifier);
        } catch (JOSEException e) {
            log.error("Error while verifying JWT signature", e);
            return false;
        }
    } else {
        log.error("Public key is not a RSA");
        return false;
    }
}
 

/**
 * Validates a JWT token.
 * @param secret secret used for generating the token
 * @param jwt token to validate
 * @return true if token is valid
 */
public static boolean isValidJWToken(String secret, SignedJWT jwt) {
	try {
		if (secret != null && jwt != null) {
			JWSVerifier verifier = new MACVerifier(secret);
			if (jwt.verify(verifier)) {
				Date referenceTime = new Date();
				JWTClaimsSet claims = jwt.getJWTClaimsSet();

				Date expirationTime = claims.getExpirationTime();
				Date notBeforeTime = claims.getNotBeforeTime();
				boolean expired = expirationTime == null || expirationTime.before(referenceTime);
				boolean notYetValid = notBeforeTime != null && notBeforeTime.after(referenceTime);

				return !(expired || notYetValid);
			}
		}
	} catch (JOSEException e) {
		logger.warn(null, e);
	} catch (ParseException ex) {
		logger.warn(null, ex);
	}
	return false;
}
 

@Override
public void decryptJwt(JWEObject jwt) {
	if (getDefaultDecryptionKeyId() == null) {
		throw new IllegalStateException("Tried to call default decryption with no default decrypter ID set");
	}

	JWEDecrypter decrypter = decrypters.get(getDefaultDecryptionKeyId());

	try {
		jwt.decrypt(decrypter);
	} catch (JOSEException e) {

		logger.error("Failed to decrypt JWT, error was: ", e);
	}

}
 

@Test
public void testValidSignature_OCT() throws JOSEException{
    // Generate random 256-bit (32-byte) shared secret
    SecureRandom random = new SecureRandom();
    byte[] sharedSecret = new byte[32];
    random.nextBytes(sharedSecret);

    OCTKey key = new OCTKey();
    key.setKty("oct");
    key.setKid(KID);
    key.setK(Base64.getEncoder().encodeToString(sharedSecret));

    //Sign JWT with MAC algorithm
    SignedJWT signedJWT = new SignedJWT(
            new JWSHeader.Builder(JWSAlgorithm.HS256).keyID(KID).build(),
            new JWTClaimsSet.Builder()
                    .expirationTime(Date.from(Instant.now().plus(1, ChronoUnit.DAYS)))
                    .build()
    );
    signedJWT.sign(new MACSigner(sharedSecret));

    assertTrue("Should be ok",jwsService.isValidSignature(signedJWT, key));
}
 

@Test
public void testValidSignature_OKP() throws JOSEException{
    //Generate OKP key
    OctetKeyPair okp = new OctetKeyPairGenerator(Curve.Ed25519).generate();
    OKPKey key = new OKPKey();
    key.setKty("OKP");
    key.setKid(KID);
    key.setCrv(okp.getCurve().getStdName());
    key.setX(okp.getX().toString());

    //Sign JWT with Edward Curve algorithm
    SignedJWT signedJWT = new SignedJWT(
            new JWSHeader.Builder(JWSAlgorithm.EdDSA).keyID(KID).build(),
            new JWTClaimsSet.Builder()
                    .expirationTime(Date.from(Instant.now().plus(1, ChronoUnit.DAYS)))
                    .build()
    );
    signedJWT.sign(new Ed25519Signer(okp));

    assertTrue("Should be ok",jwsService.isValidSignature(signedJWT, key));
}
 

private JWSVerifier from(ECKey ecKey) {
    try {
        Curve curve = Curve.parse(ecKey.getCrv());
        if(curve.getStdName()==null) {
            throw new IllegalArgumentException("Unknown EC Curve: "+ecKey.getCrv());
        }
        AlgorithmParameters parameters = AlgorithmParameters.getInstance("EC");
        parameters.init(new ECGenParameterSpec(curve.getStdName()));
        ECParameterSpec ecParameters = parameters.getParameterSpec(ECParameterSpec.class);

        byte[] x = Base64.getUrlDecoder().decode(ecKey.getX());
        byte[] y = Base64.getUrlDecoder().decode(ecKey.getY());
        ECPoint ecPoint = new ECPoint(new BigInteger(1,x), new BigInteger(1,y));

        ECPublicKeySpec ecPublicKeySpec = new ECPublicKeySpec(ecPoint, ecParameters);
        ECPublicKey ecPublicKey = (ECPublicKey) KeyFactory.getInstance("EC").generatePublic(ecPublicKeySpec);
        return new ECDSAVerifier(ecPublicKey);
    }
    catch (NoSuchAlgorithmException | InvalidParameterSpecException | InvalidKeySpecException | JOSEException ex) {
        LOGGER.error("Unable to build Verifier from Elliptic Curve (EC) key",ex);
        throw new IllegalArgumentException("Signature is using and unknown/not managed key");
    }
}
 

private boolean verifySignature(String jwt) {
    try {
        SignedJWT signedJWT = SignedJWT.parse(jwt);
        if (new Date().before(signedJWT.getJWTClaimsSet().getExpirationTime())) {
            JWSVerifier verifier =
                    new RSASSAVerifier((RSAPublicKey) getPublicKey(KEYSTORE, KEYSTORE_PASSWORD, ALIAS));
            return signedJWT.verify(verifier);
        } else {
            log.info("Token has expired");
        }
    } catch (ParseException | IOException | KeyStoreException | CertificateException |
            NoSuchAlgorithmException | UnrecoverableKeyException | JOSEException e) {
        log.error("Error occurred while JWT signature verification. JWT=" + jwt, e);
    }
    return false;
}
 

@Override
public boolean verifyToken(JWT token, String jwksurl, String algorithm) throws TokenServiceException {
  boolean verified = false;
  try {
    if (algorithm != null && jwksurl != null) {
      JWSAlgorithm expectedJWSAlg = JWSAlgorithm.parse(algorithm);
      JWKSource<SecurityContext> keySource = new RemoteJWKSet<>(new URL(jwksurl));
      JWSKeySelector<SecurityContext> keySelector = new JWSVerificationKeySelector<>(expectedJWSAlg, keySource);

      // Create a JWT processor for the access tokens
      ConfigurableJWTProcessor<SecurityContext> jwtProcessor = new DefaultJWTProcessor<>();
      jwtProcessor.setJWSKeySelector(keySelector);
      JWTClaimsSetVerifier<SecurityContext> claimsVerifier = new DefaultJWTClaimsVerifier<>();
      jwtProcessor.setJWTClaimsSetVerifier(claimsVerifier);

      // Process the token
      SecurityContext ctx = null; // optional context parameter, not required here
      jwtProcessor.process(token.toString(), ctx);
      verified = true;
    }
  } catch (BadJOSEException | JOSEException | ParseException | MalformedURLException e) {
    throw new TokenServiceException("Cannot verify token.", e);
  }
  return verified;
}
 

public static boolean verifyTokenRSA( PublicKey pKey, String token )
{
    try
    {
        Payload pl = new Payload( token );
        JWSObject jwsObject = new JWSObject( new JWSHeader( JWSAlgorithm.RS256 ), pl );
        JWSVerifier verifier = new RSASSAVerifier( ( RSAPublicKey ) pKey );

        return jwsObject.verify( verifier );
    }
    catch ( JOSEException e )
    {
        LOG.warn( "Error verifying RSA token", e.getMessage() );

        return false;
    }
}
 

@Test
public void testRsaJwt_withClientJwks() throws NoSuchAlgorithmException, JOSEException{
    KeyPair rsaKey = generateRsaKeyPair();

    RSAPublicKey publicKey = (RSAPublicKey) rsaKey.getPublic();
    RSAPrivateKey privateKey = (RSAPrivateKey) rsaKey.getPrivate();

    RSAKey key = new RSAKey();
    key.setKty("RSA");
    key.setKid(KID);
    key.setE(Base64.getUrlEncoder().encodeToString(publicKey.getPublicExponent().toByteArray()));
    key.setN(Base64.getUrlEncoder().encodeToString(publicKey.getModulus().toByteArray()));

    Client client = generateClient(key);
    client.setTokenEndpointAuthMethod(ClientAuthenticationMethod.PRIVATE_KEY_JWT);
    String assertion = generateJWT(privateKey);
    OpenIDProviderMetadata openIDProviderMetadata = Mockito.mock(OpenIDProviderMetadata.class);
    String basePath="/";

    when(clientSyncService.findByClientId(any())).thenReturn(Maybe.just(client));
    when(openIDProviderMetadata.getTokenEndpoint()).thenReturn(AUDIENCE);
    when(openIDDiscoveryService.getConfiguration(basePath)).thenReturn(openIDProviderMetadata);
    when(jwkService.getKey(any(),any())).thenReturn(Maybe.just(key));
    when(jwsService.isValidSignature(any(),any())).thenReturn(true);

    TestObserver testObserver = clientAssertionService.assertClient(JWT_BEARER_TYPE,assertion,basePath).test();

    testObserver.assertNoErrors();
    testObserver.assertValue(client);
}
 

@Test(expectedExceptions = {JOSEException.class, AlgorithmMismatchException.class, InvalidJwtException.class, UnsupportedJwtException.class},
    description = "Illustrate validation of signature algorithm")
public void testFailSignatureAlgorithm() throws Exception {
    HashSet<TokenUtils.InvalidClaims> invalidFields = new HashSet<>();
    invalidFields.add(TokenUtils.InvalidClaims.ALG);
    String token = TokenUtils.generateTokenString("/Token1.json", invalidFields);
    RSAPublicKey publicKey = (RSAPublicKey) TokenUtils.readPublicKey("/publicKey.pem");
    int expGracePeriodSecs = 60;
    validateToken(token, publicKey, TEST_ISSUER, expGracePeriodSecs);
}
 

@Test
public void encryptUserinfo() {
    try {
        //prepare encryption private & public key
        com.nimbusds.jose.jwk.ECKey jwk = new ECKeyGenerator(this.crv).generate();

        ECKey key = new ECKey();
        key.setKid("ecEnc");
        key.setUse("enc");
        key.setCrv(jwk.getCurve().getName());
        key.setX(jwk.getX().toString());
        key.setY(jwk.getY().toString());

        Client client = new Client();
        client.setUserinfoEncryptedResponseAlg(alg);
        client.setUserinfoEncryptedResponseEnc(enc);

        when(jwkService.getKeys(client)).thenReturn(Maybe.just(new JWKSet()));
        when(jwkService.filter(any(), any())).thenReturn(Maybe.just(key));

        TestObserver testObserver = jweService.encryptUserinfo("JWT", client).test();
        testObserver.assertNoErrors();
        testObserver.assertComplete();
        testObserver.assertValue(jweString -> {
            JWEObject jwe = JWEObject.parse((String) jweString);
            jwe.decrypt(new ECDHDecrypter(jwk));
            return "JWT".equals(jwe.getPayload().toString());
        });
    }
    catch (JOSEException e) {
        fail(e.getMessage());
    }
}
 

@Test
public void encryptIdToken() {
    try {
        //prepare encryption private & public key
        com.nimbusds.jose.jwk.ECKey jwk = new ECKeyGenerator(this.crv).generate();

        ECKey key = new ECKey();
        key.setKid("ecEnc");
        key.setUse("enc");
        key.setCrv(jwk.getCurve().getName());
        key.setX(jwk.getX().toString());
        key.setY(jwk.getY().toString());

        Client client = new Client();
        client.setIdTokenEncryptedResponseAlg(alg);
        client.setIdTokenEncryptedResponseEnc(enc);

        when(jwkService.getKeys(client)).thenReturn(Maybe.just(new JWKSet()));
        when(jwkService.filter(any(), any())).thenReturn(Maybe.just(key));

        TestObserver testObserver = jweService.encryptIdToken("JWT", client).test();
        testObserver.assertNoErrors();
        testObserver.assertComplete();
        testObserver.assertValue(jweString -> {
            JWEObject jwe = JWEObject.parse((String) jweString);
            jwe.decrypt(new ECDHDecrypter(jwk));
            return "JWT".equals(jwe.getPayload().toString());
        });
    }
    catch (JOSEException e) {
        fail(e.getMessage());
    }
}
 

@Test
public void shouldLoadUserByUsername_authentication_badToken() throws ParseException, JOSEException, BadJOSEException {
    when(jwtProcessor.process("test", null)).thenThrow(new JOSEException("jose exception"));

    when(configuration.getResponseType()).thenReturn(ResponseType.ID_TOKEN);
    TestObserver<User> testObserver = authenticationProvider.loadUserByUsername(new Authentication() {
        @Override
        public Object getCredentials() {
            return "__social__";
        }

        @Override
        public Object getPrincipal() {
            return "__social__";
        }

        @Override
        public AuthenticationContext getContext() {
            DummyRequest dummyRequest = new DummyRequest();
            dummyRequest.setParameters(Collections.singletonMap("urlHash", Collections.singletonList("#id_token=test")));
            return new DummyAuthenticationContext(Collections.singletonMap("id_token", "test"), dummyRequest);
        }
    }).test();

    testObserver.awaitTerminalEvent();
    testObserver.assertError(BadCredentialsException.class);
}
 

@Override
public boolean isValidSignature(JWT jwt, JWK jwk) {
    try {
        SignedJWT signedJwt = (SignedJWT)jwt;
        return signedJwt.verify(this.verifier(jwk));
    } catch (ClassCastException | JOSEException ex) {
        LOGGER.error(ex.getMessage(),ex);
        return false;
    }
}
 

@Test
public void shouldLoadUserByUsername_authentication() throws ParseException, JOSEException, BadJOSEException {
    JWTClaimsSet claims = new JWTClaimsSet.Builder().subject("bob").build();

    when(configuration.getResponseType()).thenReturn(ResponseType.ID_TOKEN);
    when(jwtProcessor.process("test", null)).thenReturn(claims);

    TestObserver<User> testObserver = authenticationProvider.loadUserByUsername(new Authentication() {
        @Override
        public Object getCredentials() {
            return "__social__";
        }

        @Override
        public Object getPrincipal() {
            return "__social__";
        }

        @Override
        public AuthenticationContext getContext() {
            DummyRequest dummyRequest = new DummyRequest();
            dummyRequest.setParameters(Collections.singletonMap("urlHash", Collections.singletonList("#id_token=test")));
            return new DummyAuthenticationContext(Collections.singletonMap("id_token", "test"), dummyRequest);
        }
    }).test();

    testObserver.assertComplete();
    testObserver.assertNoErrors();
    testObserver.assertValue(u -> "bob".equals(u.getUsername()));
}
 

@Test
public void testRsaJwt_withClientJwksUri() throws NoSuchAlgorithmException, JOSEException{
    KeyPair rsaKey = generateRsaKeyPair();

    RSAPublicKey publicKey = (RSAPublicKey) rsaKey.getPublic();
    RSAPrivateKey privateKey = (RSAPrivateKey) rsaKey.getPrivate();

    RSAKey key = new RSAKey();
    key.setKty("RSA");
    key.setKid(KID);
    key.setE(Base64.getUrlEncoder().encodeToString(publicKey.getPublicExponent().toByteArray()));
    key.setN(Base64.getUrlEncoder().encodeToString(publicKey.getModulus().toByteArray()));
    JWKSet jwkSet = new JWKSet();
    jwkSet.setKeys(Arrays.asList(key));

    Client client = new Client();
    client.setClientId(CLIENT_ID);
    client.setTokenEndpointAuthMethod(ClientAuthenticationMethod.PRIVATE_KEY_JWT);
    client.setJwksUri("http://fake/jwk/uri");
    String assertion = generateJWT(privateKey);
    OpenIDProviderMetadata openIDProviderMetadata = Mockito.mock(OpenIDProviderMetadata.class);
    String basePath="/";

    when(clientSyncService.findByClientId(any())).thenReturn(Maybe.just(client));
    when(openIDProviderMetadata.getTokenEndpoint()).thenReturn(AUDIENCE);
    when(openIDDiscoveryService.getConfiguration(basePath)).thenReturn(openIDProviderMetadata);
    when(jwkService.getKeys(anyString())).thenReturn(Maybe.just(jwkSet));
    when(jwkService.getKey(any(),any())).thenReturn(Maybe.just(key));
    when(jwsService.isValidSignature(any(),any())).thenReturn(true);

    TestObserver testObserver = clientAssertionService.assertClient(JWT_BEARER_TYPE,assertion,basePath).test();

    testObserver.assertNoErrors();
    testObserver.assertValue(client);
}
 

public static boolean verifySignatureAndDate( String token, String sharedKey ) throws SystemSecurityException
{
    try
    {
        JWSObject jwsObject = JWSObject.parse( token );
        JWSVerifier verifier = new MACVerifier( sharedKey.getBytes() );

        if ( jwsObject.verify( verifier ) )
        {
            long date = getDate( jwsObject );

            if ( date == 0 || System.currentTimeMillis() <= date )
            {
                return true;
            }
            else
            {
                throw new IdentityExpiredException();
            }
        }
        else
        {
            throw new InvalidLoginException();
        }
    }
    catch ( JOSEException | ParseException ex )
    {
        LOG.warn( ex.getMessage() );

        throw new InvalidLoginException();
    }
}
 

/**
 * Generate JWT Token with JWTTokenInfo object
 *
 * @param jwtToken JWT Token info object
 * @return Serialized JWT token
 * @throws JOSEException
 * @throws NoSuchAlgorithmException
 */
public String generateJWTToken(JWTTokenInfoDTO jwtToken) throws JOSEException, NoSuchAlgorithmException {

    KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(AuthConstants.TOKEN_STORE_KEY_ALGORITHM);
    keyPairGenerator.initialize(Integer.parseInt(JWTConfig.getInstance().getJwtConfigDto().getTokenSize()));
    RSAKey rsaJWK = generateRSAKey(jwtToken, keyPairGenerator); //Currently uses generated key pair

    SignedJWT signedJWT = populateSignedJWTToken(jwtToken, rsaJWK);

    JWSSigner signer = new RSASSASigner(rsaJWK);
    signedJWT.sign(signer);

    return signedJWT.serialize();
}
 

@Override
public boolean verify(JWSVerifier verifier) {
  boolean rc = false;

  try {
    rc = jwt.verify(verifier);
  } catch (JOSEException e) {
    log.unableToVerifyToken(e);
  }

  return rc;
}
 

public TokenHelperImpl( String issuer, String subject, Date issueTime, Date expireTime, String secret )
        throws TokenCreateException
{
    try
    {
        this.token = generate( issuer, subject, issueTime, expireTime, secret );
    }
    catch ( JOSEException e )
    {
        throw new TokenCreateException( e.getMessage() );
    }
}
 

@Test
public void generateAuthTokenExceptionTest() throws Exception {
    // Setup:
    when(mobiTokenVerifier.generateToken(anyString(), anyString(), anyString(), anyLong(), any(Map.class))).thenThrow(new JOSEException(""));
    thrown.expect(MobiException.class);

    SignedJWT result = manager.generateAuthToken("username");
    assertEquals(jwt, result);
    verify(mobiTokenVerifier).generateToken("username", SimpleTokenManager.ISSUER, SimpleTokenManager.AUTH_SCOPE, 86400000, null);
}
 

@Test
public void testHmacJwt_invalidClientAuthMethod() throws NoSuchAlgorithmException, JOSEException {
    // Generate random 256-bit (32-byte) shared secret
    SecureRandom random = new SecureRandom();
    byte[] sharedSecret = new byte[32];
    random.nextBytes(sharedSecret);

    String clientSecret = new String(sharedSecret, StandardCharsets.UTF_8);

    JWSSigner signer = new MACSigner(clientSecret);

    Client client = new Client();
    client.setClientId(CLIENT_ID);
    client.setClientSecret(new String(sharedSecret));
    client.setTokenEndpointAuthMethod(ClientAuthenticationMethod.PRIVATE_KEY_JWT);
    String assertion = generateJWT(signer);
    OpenIDProviderMetadata openIDProviderMetadata = Mockito.mock(OpenIDProviderMetadata.class);
    String basePath="/";

    when(clientSyncService.findByClientId(any())).thenReturn(Maybe.just(client));
    when(openIDProviderMetadata.getTokenEndpoint()).thenReturn(AUDIENCE);
    when(openIDDiscoveryService.getConfiguration(basePath)).thenReturn(openIDProviderMetadata);

    TestObserver testObserver = clientAssertionService.assertClient(JWT_BEARER_TYPE,assertion,basePath).test();

    testObserver.assertError(InvalidClientException.class);
    testObserver.assertNotComplete();
}
 

public static Token createToken(String host, long sub) throws JOSEException {
  JWTClaimsSet claim = new JWTClaimsSet();
  claim.setSubject(Long.toString(sub));
  claim.setIssuer(host);
  claim.setIssueTime(DateTime.now().toDate());
  claim.setExpirationTime(DateTime.now().plusDays(14).toDate());

  JWSSigner signer = new MACSigner(TOKEN_SECRET);
  SignedJWT jwt = new SignedJWT(JWT_HEADER, claim);
  jwt.sign(signer);

  return new Token(jwt.serialize());
}
 

private JWSVerifier from(OCTKey octKey) {
    try {
        OctetSequenceKey jwk = new OctetSequenceKey.Builder(new Base64URL(octKey.getK())).build();
        return new MACVerifier(jwk);
    }
    catch (JOSEException ex) {
        LOGGER.error("Unable to build Verifier from Edwards Curve (OKP) key",ex);
        throw new IllegalArgumentException("Signature is using and unknown/not managed key");
    }
}