Examples of com.nimbusds.jwt.JWTClaimsSet

• com.nimbusds.jwt.JWTClaimsSet
  JSON Web Token (JWT) claims set.

  Supports all {@link #getRegisteredNames()} registered claims} of the JWTspecification:

  • iss - Issuer
  • sub - Subject
  • aud - Audience
  • exp - Expiration Time
  • nbf - Not Before
  • iat - Issued At
  • jti - JWT ID
  • typ - Type

  The set may also contain {@link #setCustomClaims custom claims}; these will be serialised and parsed along the registered ones. @author Vladimir Dzhuvinov @author Justin Richer @version $version$ (2014-08-16)

      signingAlg = client.getIdTokenSignedResponseAlg();
    }


    OAuth2AccessTokenEntity idTokenEntity = new OAuth2AccessTokenEntity();
    JWTClaimsSet idClaims = new JWTClaimsSet();

    // if the auth time claim was explicitly requested OR if the client always wants the auth time, put it in
    if (request.getExtensions().containsKey("max_age")
        || (request.getExtensions().containsKey("idtoken")) // TODO: parse the ID Token claims (#473) -- for now assume it could be in there
        || (client.getRequireAuthTime() != null && client.getRequireAuthTime())) {

      Date authTime = (Date) request.getExtensions().get(AuthenticationTimeStamper.AUTH_TIMESTAMP);
      if (authTime != null) {
        idClaims.setClaim("auth_time", authTime.getTime() / 1000);
      }
    }

    idClaims.setIssueTime(issueTime);

    if (client.getIdTokenValiditySeconds() != null) {
      Date expiration = new Date(System.currentTimeMillis() + (client.getIdTokenValiditySeconds() * 1000L));
      idClaims.setExpirationTime(expiration);
      idTokenEntity.setExpiration(expiration);
    }

    idClaims.setIssuer(configBean.getIssuer());
    idClaims.setSubject(sub);
    idClaims.setAudience(Lists.newArrayList(client.getClientId()));

    String nonce = (String)request.getExtensions().get("nonce");
    if (!Strings.isNullOrEmpty(nonce)) {
      idClaims.setCustomClaim("nonce", nonce);
    }

    Set<String> responseTypes = request.getResponseTypes();

    if (responseTypes.contains("token")) {
      // calculate the token hash
      Base64URL at_hash = IdTokenHashUtils.getAccessTokenHash(signingAlg, accessToken);
      idClaims.setClaim("at_hash", at_hash);
    }

    if (client.getIdTokenEncryptedResponseAlg() != null && !client.getIdTokenEncryptedResponseAlg().equals(Algorithm.NONE)
        && client.getIdTokenEncryptedResponseEnc() != null && !client.getIdTokenEncryptedResponseEnc().equals(Algorithm.NONE)
        && !Strings.isNullOrEmpty(client.getJwksUri())) {

    AuthenticationHolderEntity authHolder = new AuthenticationHolderEntity();
    authHolder.setAuthentication(authentication);
    authHolder = authenticationHolderRepository.save(authHolder);
    token.setAuthenticationHolder(authHolder);

    JWTClaimsSet claims = new JWTClaimsSet();

    claims.setAudience(Lists.newArrayList(client.getClientId()));
    claims.setIssuer(configBean.getIssuer());
    claims.setIssueTime(new Date());
    claims.setExpirationTime(token.getExpiration());
    claims.setJWTID(UUID.randomUUID().toString()); // set a random NONCE in the middle of it

    JWSAlgorithm signingAlg = jwtService.getDefaultSigningAlgorithm();
    SignedJWT signed = new SignedJWT(new JWSHeader(signingAlg), claims);

    jwtService.signJwt(signed);

   */
  @Override
  public String buildAuthRequestUrl(ServerConfiguration serverConfig, RegisteredClient clientConfig, String redirectUri, String nonce, String state, Map<String, String> options) {

    // create our signed JWT for the request object
    JWTClaimsSet claims = new JWTClaimsSet();

    //set parameters to JwtClaims
    claims.setClaim("response_type", "code");
    claims.setClaim("client_id", clientConfig.getClientId());
    claims.setClaim("scope", Joiner.on(" ").join(clientConfig.getScope()));

    // build our redirect URI
    claims.setClaim("redirect_uri", redirectUri);

    // this comes back in the id token
    claims.setClaim("nonce", nonce);

    // this comes back in the auth request return
    claims.setClaim("state", state);

    // Optional parameters
    for (Entry<String, String> option : options.entrySet()) {
      claims.setClaim(option.getKey(), option.getValue());
    }

    EncryptedJWT jwt = new EncryptedJWT(new JWEHeader(alg, enc), claims);

    JwtEncryptionAndDecryptionService encryptor = encrypterService.getEncrypter(serverConfig.getJwksUri());

   */
  @Override
  public String buildAuthRequestUrl(ServerConfiguration serverConfig, RegisteredClient clientConfig, String redirectUri, String nonce, String state, Map<String, String> options) {

    // create our signed JWT for the request object
    JWTClaimsSet claims = new JWTClaimsSet();

    //set parameters to JwtClaims
    claims.setClaim("response_type", "code");
    claims.setClaim("client_id", clientConfig.getClientId());
    claims.setClaim("scope", Joiner.on(" ").join(clientConfig.getScope()));

    // build our redirect URI
    claims.setClaim("redirect_uri", redirectUri);

    // this comes back in the id token
    claims.setClaim("nonce", nonce);

    // this comes back in the auth request return
    claims.setClaim("state", state);

    // Optional parameters
    for (Entry<String, String> option : options.entrySet()) {
      claims.setClaim(option.getKey(), option.getValue());
    }



    SignedJWT jwt = new SignedJWT(new JWSHeader(signingAndValidationService.getDefaultSigningAlgorithm()), claims);

          //OAuth2AccessTokenEntity newIdToken = tokenServices.get

          OAuth2AccessTokenEntity newIdTokenEntity = new OAuth2AccessTokenEntity();

          // copy over all existing claims
          JWTClaimsSet claims = new JWTClaimsSet(idToken.getJWTClaimsSet());

          if (client instanceof ClientDetailsEntity) {

            ClientDetailsEntity clientEntity = (ClientDetailsEntity) client;

            // update expiration and issued-at claims
            if (clientEntity.getIdTokenValiditySeconds() != null) {
              Date expiration = new Date(System.currentTimeMillis() + (clientEntity.getIdTokenValiditySeconds() * 1000L));
              claims.setExpirationTime(expiration);
              newIdTokenEntity.setExpiration(expiration);
            }

          } else {
            //This should never happen
            logger.fatal("SEVERE: Client is not an instance of OAuth2AccessTokenEntity.");
            throw new BadCredentialsException("SEVERE: Client is not an instance of ClientDetailsEntity; JwtAssertionTokenGranter cannot process this request.");
          }

          claims.setIssueTime(new Date());


          SignedJWT newIdToken = new SignedJWT((JWSHeader) idToken.getHeader(), claims);
          jwtService.signJwt(newIdToken);

      StringWriter writer = new StringWriter();
      gson.toJson(json, writer);

      response.setContentType("application/jwt");

      JWTClaimsSet claims = JWTClaimsSet.parse(writer.toString());

      claims.setAudience(Lists.newArrayList(client.getClientId()));

      claims.setIssuer(config.getIssuer());

      claims.setIssueTime(new Date());

      claims.setJWTID(UUID.randomUUID().toString()); // set a random NONCE in the middle of it


      if (client.getIdTokenEncryptedResponseAlg() != null && !client.getIdTokenEncryptedResponseAlg().equals(Algorithm.NONE)
          && client.getIdTokenEncryptedResponseEnc() != null && !client.getIdTokenEncryptedResponseEnc().equals(Algorithm.NONE)
          && !Strings.isNullOrEmpty(client.getJwksUri())) {

        if (signer == null) {
          throw new AuthenticationServiceException("Couldn't find required signer service for use with private key auth.");
        }

        JWTClaimsSet claimsSet = new JWTClaimsSet();

        claimsSet.setIssuer(clientConfig.getClientId());
        claimsSet.setSubject(clientConfig.getClientId());
        claimsSet.setAudience(Lists.newArrayList(serverConfig.getTokenEndpointUri()));

        // TODO: make this configurable
        Date exp = new Date(System.currentTimeMillis() + (60 * 1000)); // auth good for 60 seconds
        claimsSet.setExpirationTime(exp);

        Date now = new Date(System.currentTimeMillis());
        claimsSet.setIssueTime(now);
        claimsSet.setNotBeforeTime(now);

        SignedJWT jwt = new SignedJWT(new JWSHeader(alg), claimsSet);

        signer.signJwt(jwt, alg);

    OAuth2Request originalAuthRequest = authentication.getOAuth2Request();

    String clientId = originalAuthRequest.getClientId();
    ClientDetailsEntity client = clientService.loadClientByClientId(clientId);

    JWTClaimsSet claims = new JWTClaimsSet();

    claims.setAudience(Lists.newArrayList(clientId));

    claims.setIssuer(configBean.getIssuer());

    claims.setIssueTime(new Date());

    claims.setExpirationTime(token.getExpiration());

    claims.setJWTID(UUID.randomUUID().toString()); // set a random NONCE in the middle of it

    JWSAlgorithm signingAlg = jwtService.getDefaultSigningAlgorithm();

    SignedJWT signed = new SignedJWT(new JWSHeader(signingAlg), claims);

    jwtService.signJwt(signed);

    token.setJwt(signed);

    /**
     * Authorization request scope MUST include "openid" in OIDC, but access token request
     * may or may not include the scope parameter. As long as the AuthorizationRequest
     * has the proper scope, we can consider this a valid OpenID Connect request. Otherwise,
     * we consider it to be a vanilla OAuth2 request.
     *
     * Also, there must be a user authentication involved in the request for it to be considered
     * OIDC and not OAuth, so we check for that as well.
     */
    if (originalAuthRequest.getScope().contains("openid")
        && !authentication.isClientOnly()) {

      String username = authentication.getName();
      UserInfo userInfo = userInfoService.getByUsernameAndClientId(username, clientId);

      if (userInfo != null) {

        OAuth2AccessTokenEntity idTokenEntity = connectTokenService.createIdToken(client,
            originalAuthRequest, claims.getIssueTime(),
            userInfo.getSub(), token);

        // attach the id token to the parent access token
        token.setIdToken(idTokenEntity);
      } else {

      token.setAuthenticationHolder(authHolder);

      // attach a refresh token, if this client is allowed to request them and the user gets the offline scope
      if (client.isAllowRefresh() && scopes.contains(SystemScopeService.OFFLINE_ACCESS)) {
        OAuth2RefreshTokenEntity refreshToken = new OAuth2RefreshTokenEntity(); //refreshTokenFactory.createNewRefreshToken();
        JWTClaimsSet refreshClaims = new JWTClaimsSet();


        // make it expire if necessary
        if (client.getRefreshTokenValiditySeconds() != null) {
          Date expiration = new Date(System.currentTimeMillis() + (client.getRefreshTokenValiditySeconds() * 1000L));
          refreshToken.setExpiration(expiration);
          refreshClaims.setExpirationTime(expiration);
        }

        // set a random identifier
        refreshClaims.setJWTID(UUID.randomUUID().toString());

        // TODO: add issuer fields, signature to JWT

        PlainJWT refreshJwt = new PlainJWT(refreshClaims);
        refreshToken.setJwt(refreshJwt);

  protected void service(HttpServletRequest request, HttpServletResponse response)
    throws IOException, ServletException {

    // Given a user instance
    // Compose the JWT claims set
    JWTClaimsSet jwtClaims = new JWTClaimsSet();
    jwtClaims.setIssueTime(new Date());
    jwtClaims.setJWTID(UUID.randomUUID().toString());
    // jwtClaims.setCustomClaim("name", user.name);
    // jwtClaims.setCustomClaim("email", user.email);

    // Create JWS header with HS256 algorithm
    JWSHeader header = new JWSHeader(JWSAlgorithm.HS256);
    header.setContentType("text/plain");

    // Create JWS object
    JWSObject jwsObject = new JWSObject(header, new Payload(jwtClaims.toJSONObject()));

    // Create HMAC signer
    JWSSigner signer = new MACSigner(SHARED_KEY.getBytes());

    try {