Java Code Examples for io.vertx.ext.auth.JWTOptions#getAudience()

Example 1
Source File: OAuth2AuthProviderImpl.java    From vertx-auth with Apache License 2.0
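/**
 * Performs the extra OIDC checks on a user whose attributes carry an {@code accessToken}
 * claim set: the configured audience must intersect the token's {@code aud}, and the
 * configured issuer must equal the token's {@code iss}. A user without an
 * {@code accessToken} attribute is passed through unchanged.
 *
 * <p>The handler is completed exactly once: with the user on success, or with a failed
 * future naming the first check that did not pass. Malformed claims (an {@code accessToken}
 * that is not a JSON object, or {@code aud}/{@code iss} of an unexpected JSON type) are
 * reported as failures rather than thrown, so a non-conforming token cannot escape the
 * callback contract as an unchecked exception.
 *
 * @param user    the authenticated user; {@code user.attributes()} is read, never modified
 * @param handler completed with the validated user or with a failure message
 */
private void validateUser(User user, Handler<AsyncResult<User>> handler) {

    if (!user.attributes().containsKey("accessToken")) {
      // nothing else to do
      handler.handle(Future.succeededFuture(user));
      return;
    }

    // the user object is a JWT so we should validate it as mandated by OIDC
    final JWTOptions jwtOptions = config.getJWTOptions();

    // basic validation passed, the token is not expired,
    // the spec mandates that a few extra checks are performed
    final JsonObject payload;

    try {
      payload = user.attributes().getJsonObject("accessToken");
    } catch (RuntimeException e) {
      handler.handle(Future.failedFuture("User accessToken isn't a JsonObject"));
      return;
    }

    // the key may be present with a null value, in which case getJsonObject returns null
    if (payload == null) {
      handler.handle(Future.failedFuture("User accessToken isn't a JsonObject"));
      return;
    }

    if (jwtOptions.getAudience() != null) {
      final JsonArray target;
      try {
        // RFC 7519 allows "aud" to be a single string or an array of strings;
        // normalise both to an array so one intersection test covers them
        final Object aud = payload.getValue("aud");
        if (aud instanceof String) {
          target = new JsonArray().add(aud);
        } else {
          // any other non-array type (e.g. a number) is not a valid audience claim
          // and surfaces here as a RuntimeException from getJsonArray
          target = payload.getJsonArray("aud", new JsonArray());
        }
      } catch (RuntimeException e) {
        handler.handle(Future.failedFuture("Invalid JWT audience. expected: " + Json.encode(jwtOptions.getAudience())));
        return;
      }

      // a missing "aud" yields an empty list, which is disjoint from every configured
      // audience and is therefore rejected
      if (Collections.disjoint(jwtOptions.getAudience(), target.getList())) {
        handler.handle(Future.failedFuture("Invalid JWT audience. expected: " + Json.encode(jwtOptions.getAudience())));
        return;
      }
    }

    if (jwtOptions.getIssuer() != null) {
      // compare against the raw value: a non-string "iss" is simply unequal,
      // whereas getString() would throw a ClassCastException
      if (!jwtOptions.getIssuer().equals(payload.getValue("iss"))) {
        handler.handle(Future.failedFuture("Invalid JWT issuer"));
        return;
      }
    }

    handler.handle(Future.succeededFuture(user));
  }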
 
Example 2
Source File: JWT.java    From vertx-auth with Apache License 2.0
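/**
 * Serialises {@code payload} as a signed JWS compact token
 * ({@code header.payload.signature}, each segment base64url encoded).
 *
 * <p>Registered claims are derived from {@code options} and written into {@code payload}
 * before encoding, so the caller's object is mutated: {@code iat} (an existing value is
 * kept; skipped entirely when {@code isNoTimestamp()}), {@code exp}, {@code aud} (a plain
 * string for a single audience, an array otherwise), {@code scope}, {@code iss} and
 * {@code sub}. The {@code typ} and {@code alg} header fields are always taken from the
 * options and written after the caller-supplied header, so they cannot be overridden.
 *
 * @param payload the claim set to sign; modified in place as described above
 * @param options signing options: algorithm, extra header fields and registered claims
 * @return the compact serialisation of the signed token
 * @throws IllegalArgumentException if no signing key is registered for
 *         {@code options.getAlgorithm()} (a {@code RuntimeException}, as before)
 */
public String sign(JsonObject payload, JWTOptions options) {
  final String algorithm = options.getAlgorithm();

  final List<Crypto> cryptos = SIGN.get(algorithm);

  if (cryptos == null || cryptos.isEmpty()) {
    throw new IllegalArgumentException("Algorithm not supported: " + algorithm);
  }

  // lock the crypto implementation: pick one of the keys registered for this algorithm
  final Crypto crypto = cryptos.get(RND.nextInt(cryptos.size()));

  // header, typ is fixed value; typ/alg are put after mergeIn so they win
  final JsonObject header = new JsonObject()
    .mergeIn(options.getHeader())
    .put("typ", "JWT")
    .put("alg", algorithm);

  // add kid if present so a verifier can select the matching key
  if (crypto.getId() != null) {
    header.put("kid", crypto.getId());
  }

  // NumericDate is a number of seconds since 1st Jan 1970 in UTC
  final long timestamp = System.currentTimeMillis() / 1000;

  if (!options.isNoTimestamp()) {
    // keep a caller-supplied iat, otherwise stamp with "now"
    payload.put("iat", payload.getValue("iat", timestamp));
  }

  if (options.getExpiresInSeconds() > 0) {
    payload.put("exp", timestamp + options.getExpiresInSeconds());
  }

  final List<String> audience = options.getAudience();
  if (audience != null && !audience.isEmpty()) {
    // a single audience is encoded as a string, several as an array
    if (audience.size() > 1) {
      payload.put("aud", new JsonArray(audience));
    } else {
      payload.put("aud", audience.get(0));
    }
  }

  final List<String> scopes = options.getScopes();
  if (scopes != null && !scopes.isEmpty()) {
    if (options.hasScopeDelimiter()) {
      payload.put("scope", String.join(options.getScopeDelimiter(), scopes));
    } else {
      payload.put("scope", new JsonArray(scopes));
    }
  }

  if (options.getIssuer() != null) {
    payload.put("iss", options.getIssuer());
  }

  if (options.getSubject() != null) {
    payload.put("sub", options.getSubject());
  }

  // create segments, every segment is a base64url string; the signature covers
  // exactly "header.payload"
  final String headerSegment = base64urlEncode(header.encode());
  final String payloadSegment = base64urlEncode(payload.encode());
  final String signingInput = headerSegment + "." + payloadSegment;
  final String signSegment = base64urlEncode(crypto.sign(signingInput.getBytes(UTF8)));

  return signingInput + "." + signSegment;
}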