Package com.nimbusds.jwt

Examples of com.nimbusds.jwt.JWT


    // check for appropriate parameters
    String assertionType = request.getParameter("client_assertion_type");
    String assertion = request.getParameter("client_assertion");

    try {
      JWT jwt = JWTParser.parse(assertion);

      String clientId = jwt.getJWTClaimsSet().getSubject();

      Authentication authRequest = new JwtBearerAssertionAuthenticationToken(clientId, jwt);

      return this.getAuthenticationManager().authenticate(authRequest);
    } catch (ParseException e) {


        logger.error("Couldn't find encrypter for client: " + client.getClientId());
      }

    } else {
     
      JWT idToken;
     
      if (signingAlg.equals(JWSAlgorithm.NONE)) {
        // unsigned ID token
        idToken = new PlainJWT(idClaims);

   */
  private void processRequestObject(String jwtString, AuthorizationRequest request) {

    // parse the request object
    try {
      JWT jwt = JWTParser.parse(jwtString);

      // TODO: move keys to constants

      if (jwt instanceof SignedJWT) {
        // it's a signed JWT, check the signature

        SignedJWT signedJwt = (SignedJWT)jwt;

        // need to check clientId first so that we can load the client to check other fields
        if (request.getClientId() == null) {
          request.setClientId(signedJwt.getJWTClaimsSet().getStringClaim("client_id"));
        }

        ClientDetailsEntity client = clientDetailsService.loadClientByClientId(request.getClientId());

        if (client == null) {
          throw new InvalidClientException("Client not found: " + request.getClientId());
        }


        JWSAlgorithm alg = signedJwt.getHeader().getAlgorithm();

        if (client.getRequestObjectSigningAlg() == null ||
            !client.getRequestObjectSigningAlg().equals(alg)) {
          throw new InvalidClientException("Client's registered request object signing algorithm (" + client.getRequestObjectSigningAlg() + ") does not match request object's actual algorithm (" + alg.getName() + ")");
        }

        if (alg.equals(JWSAlgorithm.RS256)
            || alg.equals(JWSAlgorithm.RS384)
            || alg.equals(JWSAlgorithm.RS512)) {

          // it's RSA, need to find the JWK URI and fetch the key

          if (client.getJwksUri() == null) {
            throw new InvalidClientException("Client must have a JWKS URI registered to use signed request objects.");
          }

          // check JWT signature
          JwtSigningAndValidationService validator = validators.getValidator(client.getJwksUri());

          if (validator == null) {
            throw new InvalidClientException("Unable to create signature validator for client's JWKS URI: " + client.getJwksUri());
          }

          if (!validator.validateSignature(signedJwt)) {
            throw new InvalidClientException("Signature did not validate for presented JWT request object.");
          }
        } else if (alg.equals(JWSAlgorithm.HS256)
            || alg.equals(JWSAlgorithm.HS384)
            || alg.equals(JWSAlgorithm.HS512)) {

          // it's HMAC, we need to make a validator based on the client secret

          JwtSigningAndValidationService validator = symmetricCacheService.getSymmetricValidtor(client);

          if (validator == null) {
            throw new InvalidClientException("Unable to create signature validator for client's secret: " + client.getClientSecret());
          }

          if (!validator.validateSignature(signedJwt)) {
            throw new InvalidClientException("Signature did not validate for presented JWT request object.");
          }


        }


      } else if (jwt instanceof PlainJWT) {
        PlainJWT plainJwt = (PlainJWT)jwt;

        // need to check clientId first so that we can load the client to check other fields
        if (request.getClientId() == null) {
          request.setClientId(plainJwt.getJWTClaimsSet().getStringClaim("client_id"));
        }

        ClientDetailsEntity client = clientDetailsService.loadClientByClientId(request.getClientId());

        if (client == null) {
          throw new InvalidClientException("Client not found: " + request.getClientId());
        }

        if (client.getRequestObjectSigningAlg() == null) {
          throw new InvalidClientException("Client is not registered for unsigned request objects (no request_object_signing_alg registered)");
        } else if (!client.getRequestObjectSigningAlg().equals(Algorithm.NONE)) {
          throw new InvalidClientException("Client is not registered for unsigned request objects (request_object_signing_alg is " + client.getRequestObjectSigningAlg() +")");
        }

        // if we got here, we're OK, keep processing

      } else if (jwt instanceof EncryptedJWT) {

        EncryptedJWT encryptedJWT = (EncryptedJWT)jwt;

        // decrypt the jwt if we can

        encryptionService.decryptJwt(encryptedJWT);

        // TODO: what if the content is a signed JWT? (#525)

        if (!encryptedJWT.getState().equals(State.DECRYPTED)) {
          throw new InvalidClientException("Unable to decrypt the request object");
        }

        // need to check clientId first so that we can load the client to check other fields
        if (request.getClientId() == null) {
          request.setClientId(encryptedJWT.getJWTClaimsSet().getStringClaim("client_id"));
        }

        ClientDetailsEntity client = clientDetailsService.loadClientByClientId(request.getClientId());

        if (client == null) {
          throw new InvalidClientException("Client not found: " + request.getClientId());
        }


      }


      /*
       * NOTE: Claims inside the request object always take precedence over those in the parameter map.
       */

      // now that we've got the JWT, and it's been parsed, validated, and/or decrypted, we can process the claims

      ReadOnlyJWTClaimsSet claims = jwt.getJWTClaimsSet();

      Set<String> responseTypes = OAuth2Utils.parseParameterList(claims.getStringClaim("response_type"));
      if (responseTypes != null && !responseTypes.isEmpty()) {
        if (!responseTypes.equals(request.getResponseTypes())) {
          logger.info("Mismatch between request object and regular parameter for response_type, using request object");

      // it's an ID token, process it accordingly

      try {

        // TODO: make this use a more specific idtoken class
        JWT idToken = JWTParser.parse(incomingTokenValue);

        OAuth2AccessTokenEntity accessToken = tokenServices.getAccessTokenForIdToken(incomingToken);

        if (accessToken != null) {

          //OAuth2AccessTokenEntity newIdToken = tokenServices.get

          OAuth2AccessTokenEntity newIdTokenEntity = new OAuth2AccessTokenEntity();

          // copy over all existing claims
          JWTClaimsSet claims = new JWTClaimsSet(idToken.getJWTClaimsSet());

          if (client instanceof ClientDetailsEntity) {

            ClientDetailsEntity clientEntity = (ClientDetailsEntity) client;

            // update expiration and issued-at claims
            if (clientEntity.getIdTokenValiditySeconds() != null) {
              Date expiration = new Date(System.currentTimeMillis() + (clientEntity.getIdTokenValiditySeconds() * 1000L));
              claims.setExpirationTime(expiration);
              newIdTokenEntity.setExpiration(expiration);
            }

          } else {
            //This should never happen
            logger.fatal("SEVERE: Client is not an instance of OAuth2AccessTokenEntity.");
            throw new BadCredentialsException("SEVERE: Client is not an instance of ClientDetailsEntity; JwtAssertionTokenGranter cannot process this request.");
          }

          claims.setIssueTime(new Date());


          SignedJWT newIdToken = new SignedJWT((JWSHeader) idToken.getHeader(), claims);
          jwtService.signJwt(newIdToken);

          newIdTokenEntity.setJwt(newIdToken);
          newIdTokenEntity.setAuthenticationHolder(incomingToken.getAuthenticationHolder());
          newIdTokenEntity.setScope(incomingToken.getScope());

      if (tokenResponse.has("refresh_token")) {
        refreshTokenValue = tokenResponse.get("refresh_token").getAsString();
      }

      try {
        JWT idToken = JWTParser.parse(idTokenValue);

        // validate our ID Token over a number of tests
        ReadOnlyJWTClaimsSet idClaims = idToken.getJWTClaimsSet();

        // check the signature
        JwtSigningAndValidationService jwtValidator = null;

        Algorithm tokenAlg = idToken.getHeader().getAlgorithm();
       
        Algorithm clientAlg = clientConfig.getIdTokenSignedResponseAlg();
       
        if (clientAlg != null) {
          if (!clientAlg.equals(tokenAlg)) {

    this.clientConfigurationService = clientConfigurationService;
  }

  private String getIssuer(String accessToken) {
    try {
      JWT jwt = JWTParser.parse(accessToken);

      String issuer = jwt.getJWTClaimsSet().getIssuer();

      return issuer;

    } catch (ParseException e) {
      throw new IllegalArgumentException("Unable to parse JWT", e);


    try {
      ClientDetailsEntity client = clientService.loadClientByClientId(jwtAuth.getClientId());

      JWT jwt = jwtAuth.getJwt();
      ReadOnlyJWTClaimsSet jwtClaims = jwt.getJWTClaimsSet();

      // check the signature with nimbus
      if (jwt instanceof SignedJWT) {
        SignedJWT jws = (SignedJWT)jwt;

    String assertionString = params.get("assertion");

    if (assertionString == null || assertionString.trim().isEmpty())
      throw new ParseException("Missing or empty \"assertion\" parameter", OAuth2Error.INVALID_REQUEST);

    JWT assertion;

    try {
      assertion = JWTParser.parse(assertionString);
    } catch (java.text.ParseException e) {
      throw new ParseException("The \"assertion\" is not a JWT: " + e.getMessage(), OAuth2Error.INVALID_REQUEST, e);

    throws Exception {

    JWTClaimsSet claimsSet = new JWTClaimsSet();
    claimsSet.setSubject("alice");

    JWT assertion = new PlainJWT(claimsSet);

    JWTBearerGrant grant = new JWTBearerGrant(assertion);

    assertEquals(GrantType.JWT_BEARER, grant.getType());
    assertEquals(assertion, grant.getJWTAssertion());
    assertEquals(assertion.serialize(), grant.getAssertion());

    Map<String,String> params = grant.toParameters();
    assertEquals(GrantType.JWT_BEARER.getValue(), params.get("grant_type"));
    assertEquals(assertion.serialize(), params.get("assertion"));
    assertEquals(2, params.size());

    grant = JWTBearerGrant.parse(params);
    assertEquals(GrantType.JWT_BEARER, grant.getType());
    assertEquals(assertion.serialize(), grant.getAssertion());
  }

    throws Exception {

    JWTClaimsSet claimsSet = new JWTClaimsSet();
    claimsSet.setSubject("alice");

    JWT assertion = new PlainJWT(claimsSet);

    Map<String,String> params = new HashMap<>();
    params.put("grant_type", GrantType.JWT_BEARER.getValue());
    params.put("assertion", assertion.serialize());

    JWTBearerGrant grant = (JWTBearerGrant)AuthorizationGrant.parse(params);

    assertEquals(GrantType.JWT_BEARER, grant.getType());
    assertEquals(assertion.serialize(), grant.getAssertion());
  }
