Java Code Examples for org.gluu.oxauth.model.common.AuthenticationMethod#CLIENT_SECRET_JWT

Example 1
Source File: ClientAuthnEnabler.java    From oxAuth with MIT License 5 votes vote down vote up
/**
 * Attaches the client credentials carried by {@code request} to {@code clientRequest}, in the
 * form the request's authentication method requires:
 * <ul>
 *   <li>{@code CLIENT_SECRET_BASIC} (only when the request has credentials): an HTTP Basic
 *       {@code Authorization} header built from the encoded credentials;</li>
 *   <li>{@code CLIENT_SECRET_POST}: {@code client_id} / {@code client_secret} form parameters,
 *       each only when non-empty;</li>
 *   <li>{@code CLIENT_SECRET_JWT} / {@code PRIVATE_KEY_JWT}: the {@code client_assertion_type}
 *       form parameter, plus {@code client_assertion} when set and {@code client_id} when
 *       non-empty.</li>
 * </ul>
 * Any other method, or Basic without credentials, leaves {@code clientRequest} untouched.
 *
 * @param request the client authentication request supplying method and credentials
 */
public void exec(ClientAuthnRequest request){
    AuthenticationMethod method = request.getAuthenticationMethod();
    String username = request.getAuthUsername();
    boolean hasUsername = username != null && !username.isEmpty();

    if (method == AuthenticationMethod.CLIENT_SECRET_BASIC && request.hasCredentials()) {
        clientRequest.header("Authorization", "Basic " + request.getEncodedCredentials());
        return;
    }

    if (method == AuthenticationMethod.CLIENT_SECRET_POST) {
        String password = request.getAuthPassword();
        if (hasUsername) {
            clientRequest.formParameter("client_id", username);
        }
        if (password != null && !password.isEmpty()) {
            clientRequest.formParameter("client_secret", password);
        }
        return;
    }

    boolean usesJwtAssertion = method == AuthenticationMethod.CLIENT_SECRET_JWT
            || method == AuthenticationMethod.PRIVATE_KEY_JWT;
    if (!usesJwtAssertion) {
        return;
    }
    clientRequest.formParameter("client_assertion_type", ClientAssertionType.JWT_BEARER);
    String assertion = request.getClientAssertion();
    if (assertion != null) {
        clientRequest.formParameter("client_assertion", assertion);
    }
    if (hasUsername) {
        clientRequest.formParameter("client_id", username);
    }
}
 
Example 2
Source File: ClientAuthnRequest.java    From oxAuth with MIT License 5 votes vote down vote up
/**
 * Appends the client authentication parameters for this request's authentication method to
 * {@code builder}: {@code client_id}/{@code client_secret} for {@code CLIENT_SECRET_POST}, or
 * {@code client_assertion_type}/{@code client_assertion} for {@code CLIENT_SECRET_JWT} and
 * {@code PRIVATE_KEY_JWT}. Values are handed over exactly as the getters return them; this
 * method does no null/empty filtering of its own (whether {@code builder} does is up to it).
 * Any other authentication method appends nothing.
 *
 * @param builder the query builder receiving the parameters
 */
public void appendClientAuthnToQuery(QueryBuilder builder) {
    AuthenticationMethod method = getAuthenticationMethod();

    if (method == AuthenticationMethod.CLIENT_SECRET_POST) {
        builder.append("client_id", getAuthUsername());
        builder.append("client_secret", getAuthPassword());
        return;
    }

    boolean usesJwtAssertion = method == AuthenticationMethod.CLIENT_SECRET_JWT
            || method == AuthenticationMethod.PRIVATE_KEY_JWT;
    if (usesJwtAssertion) {
        builder.append("client_assertion_type", ClientAssertionType.JWT_BEARER.toString());
        builder.append("client_assertion", getClientAssertion());
    }
}
 
Example 3
Source File: TokenRequest.java    From oxAuth with MIT License 4 votes vote down vote up
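/**
 * Returns a collection of parameters of the token request. Any
 * <code>null</code> or empty parameter will be omitted.
 * <p>
 * Besides the grant parameters, the client authentication parameters for this request's
 * authentication method are included: {@code client_id}/{@code client_secret} for
 * {@code CLIENT_SECRET_POST}, or {@code client_assertion_type}/{@code client_assertion} for
 * {@code CLIENT_SECRET_JWT} and {@code PRIVATE_KEY_JWT}. Custom parameters are copied last,
 * as-is (no null/empty filtering), and therefore override a standard parameter of the same name.
 *
 * @return A collection of parameters.
 */
public Map<String, String> getParameters() {
    Map<String, String> parameters = new HashMap<String, String>();

    if (grantType != null) {
        parameters.put("grant_type", grantType.toString());
    }
    putIfNotEmpty(parameters, "code", code);
    putIfNotEmpty(parameters, "redirect_uri", redirectUri);
    putIfNotEmpty(parameters, "username", username);
    putIfNotEmpty(parameters, "password", password);
    putIfNotEmpty(parameters, "scope", scope);
    putIfNotEmpty(parameters, "assertion", assertion);
    putIfNotEmpty(parameters, "refresh_token", refreshToken);

    AuthenticationMethod method = getAuthenticationMethod();
    if (method == AuthenticationMethod.CLIENT_SECRET_POST) {
        putIfNotEmpty(parameters, "client_id", getAuthUsername());
        putIfNotEmpty(parameters, "client_secret", getAuthPassword());
    } else if (method == AuthenticationMethod.CLIENT_SECRET_JWT
            || method == AuthenticationMethod.PRIVATE_KEY_JWT) {
        parameters.put("client_assertion_type", ClientAssertionType.JWT_BEARER.toString());
        // Previously stored unconditionally, which put a null value into the map and
        // contradicted the documented "null or empty parameters are omitted" contract.
        putIfNotEmpty(parameters, "client_assertion", getClientAssertion());
    }

    // Custom parameters win over the standard ones and are not filtered.
    parameters.putAll(getCustomParameters());

    return parameters;
}

/**
 * Stores {@code value} under {@code key} in {@code parameters} unless it is {@code null} or empty.
 *
 * @param parameters the map to add to
 * @param key        parameter name
 * @param value      parameter value, possibly {@code null} or empty
 */
private static void putIfNotEmpty(Map<String, String> parameters, String key, String value) {
    if (value != null && !value.isEmpty()) {
        parameters.put(key, value);
    }
}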
 
Example 4
Source File: ClientAssertion.java    From oxAuth with MIT License 4 votes vote down vote up
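/**
 * Parses {@code encodedAssertion} into {@code jwt} and validates it as a JWT-bearer client
 * assertion (client authentication with {@code client_secret_jwt} or {@code private_key_jwt}).
 * <p>
 * Checks run in this order and the first failing one raises an {@link InvalidJwtException}:
 * assertion type; non-blank assertion; {@code iss} and {@code sub} present and equal, and equal
 * to {@code clientId} when one is supplied; {@code aud} naming this server (its issuer, token
 * endpoint or backchannel authentication endpoint); {@code exp} present and in the future; a
 * registered client for {@code sub}; a signature algorithm whose family matches the client's
 * registered authentication method (HMAC for {@code client_secret_jwt}, RSA/EC for
 * {@code private_key_jwt}); the client's registered {@code token_endpoint_auth_signing_alg} when
 * set; and finally the signature itself. On success the decrypted client secret is kept in the
 * {@code clientSecret} field.
 * <p>
 * Replay protection via {@code jti} is not implemented (see the TODO in the body).
 *
 * @param appConfiguration    server configuration providing the issuer and endpoint URLs accepted as audience
 * @param cryptoProvider      provider used to verify the signature
 * @param clientId            expected client id, or {@code null} to accept any client whose {@code iss} equals {@code sub}
 * @param clientAssertionType must be {@link ClientAssertionType#JWT_BEARER}
 * @param encodedAssertion    the compact-serialised JWT
 * @return {@code true} when every check passes; every other outcome throws
 * @throws InvalidJwtException when any validation step fails
 * @throws Exception           propagated from parsing, key retrieval or signature verification
 */
private boolean load(AppConfiguration appConfiguration, AbstractCryptoProvider cryptoProvider, String clientId, ClientAssertionType clientAssertionType, String encodedAssertion)
        throws Exception {
    if (clientAssertionType != ClientAssertionType.JWT_BEARER) {
        throw new InvalidJwtException("Invalid Client Assertion Type");
    }
    if (StringUtils.isBlank(encodedAssertion)) {
        throw new InvalidJwtException("The Client Assertion is null or empty");
    }

    jwt = Jwt.parse(encodedAssertion);

    // TODO: Store jti this value to check for duplicates (no replay protection yet)

    String issuer = jwt.getClaims().getClaimAsString(JwtClaimName.ISSUER);
    String subject = jwt.getClaims().getClaimAsString(JwtClaimName.SUBJECT_IDENTIFIER);
    List<String> audience = jwt.getClaims().getClaimAsStringList(JwtClaimName.AUDIENCE);
    Date expirationTime = jwt.getClaims().getClaimAsDate(JwtClaimName.EXPIRATION_TIME);

    // Validate clientId: iss and sub must be present and equal; when a clientId is supplied it
    // must additionally be non-blank and equal to iss.
    boolean issuerIsSubject = StringUtils.isNotBlank(issuer) && StringUtils.isNotBlank(subject)
            && issuer.equals(subject);
    boolean clientIdMatches = clientId == null
            || (StringUtils.isNotBlank(clientId) && clientId.equals(issuer));
    if (!issuerIsSubject || !clientIdMatches) {
        throw new InvalidJwtException("Invalid clientId");
    }

    // Validate audience: the assertion must be addressed to this server (issuer, token endpoint
    // or backchannel authentication endpoint).
    String tokenUrl = appConfiguration.getTokenEndpoint();
    String cibaAuthUrl = appConfiguration.getBackchannelAuthenticationEndpoint();
    boolean audienceAccepted = audience != null
            && (audience.contains(appConfiguration.getIssuer())
            || audience.contains(tokenUrl)
            || audience.contains(cibaAuthUrl));
    if (!audienceAccepted) {
        throw new InvalidJwtException("Invalid audience: " + audience);
    }

    // Validate expiration. A missing exp used to surface as a NullPointerException on the
    // after() call; reject it explicitly like any other failed check.
    if (expirationTime == null) {
        throw new InvalidJwtException("JWT has no expiration time");
    }
    if (!expirationTime.after(new Date())) {
        throw new InvalidJwtException("JWT has expired");
    }

    ClientService clientService = CdiUtil.bean(ClientService.class);
    Client client = clientService.getClient(subject);
    if (client == null) {
        throw new InvalidJwtException("Invalid client");
    }

    // Validate that the signature algorithm family matches the client's registered
    // authentication method, so the assertion can only be verified with the kind of key the
    // client registered for (shared secret for client_secret_jwt, public key for private_key_jwt).
    JwtType jwtType = JwtType.fromString(jwt.getHeader().getClaimAsString(JwtHeaderName.TYPE));
    AuthenticationMethod authenticationMethod = client.getAuthenticationMethod();
    SignatureAlgorithm signatureAlgorithm = jwt.getHeader().getSignatureAlgorithm();
    if (jwtType == null && signatureAlgorithm != null) {
        jwtType = signatureAlgorithm.getJwtType();
    }
    if (jwtType == null || signatureAlgorithm == null || signatureAlgorithm.getFamily() == null
            || !isFamilyAllowedFor(authenticationMethod, signatureAlgorithm.getFamily())) {
        throw new InvalidJwtException("Invalid authentication method");
    }

    // Validate the registered token_endpoint_auth_signing_alg, when the client has one.
    String registeredAlg = client.getTokenEndpointAuthSigningAlg();
    if (registeredAlg != null) {
        SignatureAlgorithm expectedAlgorithm = SignatureAlgorithm.fromString(registeredAlg);
        // fromString may yield null for an unrecognised name; reject rather than NPE on equals()
        if (expectedAlgorithm == null || !expectedAlgorithm.equals(signatureAlgorithm)) {
            throw new InvalidJwtException("Invalid signing algorithm");
        }
    }

    // Decrypt once; the same value is both kept on this instance and used for HMAC verification.
    String sharedSecret = clientService.decryptSecret(client.getClientSecret());
    clientSecret = sharedSecret;

    // Validate the crypto segment. Keys come from the client's inline jwks when present,
    // otherwise from its registered jwks_uri.
    String keyId = jwt.getHeader().getKeyId();
    JSONObject jwks = Strings.isNullOrEmpty(client.getJwks())
            ? JwtUtil.getJSONWebKeys(client.getJwksUri())
            : new JSONObject(client.getJwks());
    boolean validSignature = cryptoProvider.verifySignature(jwt.getSigningInput(), jwt.getEncodedSignature(),
            keyId, jwks, sharedSecret, signatureAlgorithm);
    if (!validSignature) {
        throw new InvalidJwtException("Invalid cryptographic segment");
    }
    return true;
}

/**
 * Whether an algorithm of {@code family} is acceptable for {@code method}: HMAC for
 * {@code CLIENT_SECRET_JWT}, RSA or EC for {@code PRIVATE_KEY_JWT}, nothing for any other method.
 *
 * @param method the client's registered token endpoint authentication method
 * @param family the family of the assertion's signature algorithm
 * @return {@code true} when the combination is allowed
 */
private static boolean isFamilyAllowedFor(AuthenticationMethod method, AlgorithmFamily family) {
    if (method == AuthenticationMethod.CLIENT_SECRET_JWT) {
        return AlgorithmFamily.HMAC.equals(family);
    }
    if (method == AuthenticationMethod.PRIVATE_KEY_JWT) {
        return AlgorithmFamily.RSA.equals(family) || AlgorithmFamily.EC.equals(family);
    }
    return false;
}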