Package com.nimbusds.jose

Examples of com.nimbusds.jose.JWSAlgorithm


  // Collaborator for access-token persistence; it is not referenced in the
  // visible part of createIdToken, so how it is used cannot be told from this excerpt.
  private OAuth2TokenEntityService tokenService;

  @Override
  public OAuth2AccessTokenEntity createIdToken(ClientDetailsEntity client, OAuth2Request request, Date issueTime, String sub, OAuth2AccessTokenEntity accessToken) {

    JWSAlgorithm signingAlg = jwtService.getDefaultSigningAlgorithm();

    if (client.getIdTokenSignedResponseAlg() != null) {
      signingAlg = client.getIdTokenSignedResponseAlg();
    }


    OAuth2AccessTokenEntity idTokenEntity = new OAuth2AccessTokenEntity();
    JWTClaimsSet idClaims = new JWTClaimsSet();

    // if the auth time claim was explicitly requested OR if the client always wants the auth time, put it in
    if (request.getExtensions().containsKey("max_age")
        || (request.getExtensions().containsKey("idtoken")) // TODO: parse the ID Token claims (#473) -- for now assume it could be in there
        || (client.getRequireAuthTime() != null && client.getRequireAuthTime())) {

      Date authTime = (Date) request.getExtensions().get(AuthenticationTimeStamper.AUTH_TIMESTAMP);
      if (authTime != null) {
        idClaims.setClaim("auth_time", authTime.getTime() / 1000);
      }
    }

    idClaims.setIssueTime(issueTime);

    if (client.getIdTokenValiditySeconds() != null) {
      Date expiration = new Date(System.currentTimeMillis() + (client.getIdTokenValiditySeconds() * 1000L));
      idClaims.setExpirationTime(expiration);
      idTokenEntity.setExpiration(expiration);
    }

    idClaims.setIssuer(configBean.getIssuer());
    idClaims.setSubject(sub);
    idClaims.setAudience(Lists.newArrayList(client.getClientId()));

    String nonce = (String)request.getExtensions().get("nonce");
    if (!Strings.isNullOrEmpty(nonce)) {
      idClaims.setCustomClaim("nonce", nonce);
    }

    Set<String> responseTypes = request.getResponseTypes();

    if (responseTypes.contains("token")) {
      // calculate the token hash
      Base64URL at_hash = IdTokenHashUtils.getAccessTokenHash(signingAlg, accessToken);
      idClaims.setClaim("at_hash", at_hash);
    }

    if (client.getIdTokenEncryptedResponseAlg() != null && !client.getIdTokenEncryptedResponseAlg().equals(Algorithm.NONE)
        && client.getIdTokenEncryptedResponseEnc() != null && !client.getIdTokenEncryptedResponseEnc().equals(Algorithm.NONE)
        && !Strings.isNullOrEmpty(client.getJwksUri())) {

      JwtEncryptionAndDecryptionService encrypter = encrypters.getEncrypter(client.getJwksUri());

      if (encrypter != null) {

        EncryptedJWT idToken = new EncryptedJWT(new JWEHeader(client.getIdTokenEncryptedResponseAlg(), client.getIdTokenEncryptedResponseEnc()), idClaims);

        encrypter.encryptJwt(idToken);

        idTokenEntity.setJwt(idToken);

      } else {
        logger.error("Couldn't find encrypter for client: " + client.getClientId());
      }

    } else {
     
      JWT idToken;
     
      if (signingAlg.equals(JWSAlgorithm.NONE)) {
        // unsigned ID token
        idToken = new PlainJWT(idClaims);

      } else {

        // signed ID token
        idToken = new SignedJWT(new JWSHeader(signingAlg), idClaims);
 
        if (signingAlg.equals(JWSAlgorithm.HS256)
            || signingAlg.equals(JWSAlgorithm.HS384)
            || signingAlg.equals(JWSAlgorithm.HS512)) {
          JwtSigningAndValidationService signer = symmetricCacheService.getSymmetricValidtor(client);
 
          // sign it with the client's secret
          signer.signJwt((SignedJWT) idToken);
        } else {


    claims.setIssuer(configBean.getIssuer());
    claims.setIssueTime(new Date());
    claims.setExpirationTime(token.getExpiration());
    claims.setJWTID(UUID.randomUUID().toString()); // set a random NONCE in the middle of it

    JWSAlgorithm signingAlg = jwtService.getDefaultSigningAlgorithm();
    SignedJWT signed = new SignedJWT(new JWSHeader(signingAlg), claims);

    jwtService.signJwt(signed);

    token.setJwt(signed);

        if (client == null) {
          throw new InvalidClientException("Client not found: " + request.getClientId());
        }


        JWSAlgorithm alg = signedJwt.getHeader().getAlgorithm();

        if (client.getRequestObjectSigningAlg() == null ||
            !client.getRequestObjectSigningAlg().equals(alg)) {
          throw new InvalidClientException("Client's registered request object signing algorithm (" + client.getRequestObjectSigningAlg() + ") does not match request object's actual algorithm (" + alg.getName() + ")");
        }

        if (alg.equals(JWSAlgorithm.RS256)
            || alg.equals(JWSAlgorithm.RS384)
            || alg.equals(JWSAlgorithm.RS512)) {

          // it's RSA, need to find the JWK URI and fetch the key

          if (client.getJwksUri() == null) {
            throw new InvalidClientException("Client must have a JWKS URI registered to use signed request objects.");
          }

          // check JWT signature
          JwtSigningAndValidationService validator = validators.getValidator(client.getJwksUri());

          if (validator == null) {
            throw new InvalidClientException("Unable to create signature validator for client's JWKS URI: " + client.getJwksUri());
          }

          if (!validator.validateSignature(signedJwt)) {
            throw new InvalidClientException("Signature did not validate for presented JWT request object.");
          }
        } else if (alg.equals(JWSAlgorithm.HS256)
            || alg.equals(JWSAlgorithm.HS384)
            || alg.equals(JWSAlgorithm.HS512)) {

          // it's HMAC, we need to make a validator based on the client secret

          JwtSigningAndValidationService validator = symmetricCacheService.getSymmetricValidtor(client);

        } else {
          logger.error("Couldn't find encrypter for client: " + client.getClientId());
        }
      } else {

        JWSAlgorithm signingAlg = jwtService.getDefaultSigningAlgorithm(); // default to the server's preference
        if (client.getUserInfoSignedResponseAlg() != null) {
          signingAlg = client.getUserInfoSignedResponseAlg(); // override with the client's preference if available
        }

        SignedJWT signed = new SignedJWT(new JWSHeader(signingAlg), claims);

        if (signingAlg.equals(JWSAlgorithm.HS256)
            || signingAlg.equals(JWSAlgorithm.HS384)
            || signingAlg.equals(JWSAlgorithm.HS512)) {

          // sign it with the client's secret
          JwtSigningAndValidationService signer = symmetricCacheService.getSymmetricValidtor(client);
          signer.signJwt(signed);

      if (SECRET_JWT.equals(clientConfig.getTokenEndpointAuthMethod()) || PRIVATE_KEY.equals(clientConfig.getTokenEndpointAuthMethod())) {
        // do a symmetric secret signed JWT for auth


        JwtSigningAndValidationService signer = null;
        JWSAlgorithm alg = clientConfig.getTokenEndpointAuthSigningAlg();

        if (SECRET_JWT.equals(clientConfig.getTokenEndpointAuthMethod()) &&
            (alg.equals(JWSAlgorithm.HS256)
                || alg.equals(JWSAlgorithm.HS384)
                || alg.equals(JWSAlgorithm.HS512))) {

          // generate one based on client secret
          signer = symmetricCacheService.getSymmetricValidtor(clientConfig.getClient());

        } else if (PRIVATE_KEY.equals(clientConfig.getTokenEndpointAuthMethod())) {

    claims.setExpirationTime(token.getExpiration());

    claims.setJWTID(UUID.randomUUID().toString()); // set a random NONCE in the middle of it

    JWSAlgorithm signingAlg = jwtService.getDefaultSigningAlgorithm();

    SignedJWT signed = new SignedJWT(new JWSHeader(signingAlg), claims);

    jwtService.signJwt(signed);

      // check the signature with nimbus
      if (jwt instanceof SignedJWT) {
        SignedJWT jws = (SignedJWT)jwt;

        JWSAlgorithm alg = jws.getHeader().getAlgorithm();

        if (client.getTokenEndpointAuthSigningAlg() != null &&
            !client.getTokenEndpointAuthSigningAlg().equals(alg)) {
          throw new InvalidClientException("Client's registered request object signing algorithm (" + client.getRequestObjectSigningAlg() + ") does not match request object's actual algorithm (" + alg.getName() + ")");
        }

        if (client.getTokenEndpointAuthMethod() == null ||
            client.getTokenEndpointAuthMethod().equals(AuthMethod.NONE) ||
            client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_BASIC) ||
            client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_POST)) {
         
          // this client doesn't support this type of authentication
          throw new AuthenticationServiceException("Client does not support this authentication method.");
         
        } else if (client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY) &&
            (alg.equals(JWSAlgorithm.RS256)
                || alg.equals(JWSAlgorithm.RS384)
                || alg.equals(JWSAlgorithm.RS512))) {

          JwtSigningAndValidationService validator = validators.getValidator(client.getJwksUri());

          if (validator == null) {
            throw new AuthenticationServiceException("Unable to create signature validator for client's JWKS URI: " + client.getJwksUri());
          }

          if (!validator.validateSignature(jws)) {
            throw new AuthenticationServiceException("Signature did not validate for presented JWT authentication.");
          }
        } else if (client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT) &&
            (alg.equals(JWSAlgorithm.HS256)
                || alg.equals(JWSAlgorithm.HS384)
                || alg.equals(JWSAlgorithm.HS512))) {

          // it's HMAC, we need to make a validator based on the client secret

          JwtSigningAndValidationService validator = symmetricCacheService.getSymmetricValidtor(client);

    if (query == null)
      throw new ParseException("Missing HTTP POST request entity body");
   
    Map<String,String> params = URLUtils.parseParameters(query);
   
    JWSAlgorithm alg = parseClientAssertion(params).getHeader().getAlgorithm();
     
    if (ClientSecretJWT.getSupportedJWAs().contains(alg))
      return ClientSecretJWT.parse(params);
       
    else if (PrivateKeyJWT.getSupportedJWAs().contains(alg))

    URI jwksURI = new URI("https://c2id.com/jwks.json");

    OIDCProviderMetadata meta = new OIDCProviderMetadata(issuer, subjectTypes, jwksURI);

    List<JWSAlgorithm> tokenEndpointJWTAlgs = new ArrayList<>();
    tokenEndpointJWTAlgs.add(new JWSAlgorithm("none"));

    try {
      meta.setTokenEndpointJWSAlgs(tokenEndpointJWTAlgs);

      fail("Failed to raise IllegalArgumentException");

  /**
   * An access-token hash cannot be computed for a JWS algorithm the library does not
   * know: {@code AccessTokenHash.compute} is expected to answer {@code null} rather than
   * throw, so callers must treat a null hash as "no at_hash available".
   */
  public void testUnsupportedJWSAlg() {

    JWSAlgorithm unknownAlg = new JWSAlgorithm("no-such-alg");
    AccessToken token = new TypelessAccessToken("12345678");

    assertNull(AccessTokenHash.compute(token, unknownAlg));
  }


