Java Code Examples for org.apache.cxf.rs.security.jose.jwt.JwtClaims#setTokenId()

The following examples show how to use org.apache.cxf.rs.security.jose.jwt.JwtClaims#setTokenId(), which sets the JWT "jti" (token identifier) claim. Each example links to the original project and source file; related API usage is listed in the sidebar.
Example 1
Source File: DefaultJWTClaimsProvider.java — from Apache CXF (Apache License 2.0)
/**
 * Builds the {@link JwtClaims} for a token the STS is about to issue.
 *
 * <p>Sets {@code sub} from the provider parameters and a fresh random {@code jti}
 * (a version-4 UUID, which the JDK derives from a {@code SecureRandom}), then picks
 * the issuer: the one carried in the parameters if present, otherwise the STS-wide
 * issuer from {@code STSPropertiesMBean}. The remaining claims (WS-Trust claims,
 * conditions, audience restriction, ActAs) are delegated to the {@code handle*}
 * methods in scope here.
 *
 * @param jwtClaimsProviderParameters parameters of this token request; when no
 *        explicit issuer is set, its provider parameters must carry STS properties
 * @return the populated, not yet signed, claim set
 */
public JwtClaims getJwtClaims(JWTClaimsProviderParameters jwtClaimsProviderParameters) {
    final JwtClaims claims = new JwtClaims();
    claims.setSubject(getSubjectName(jwtClaimsProviderParameters));
    // A unique jti so each token can be referred to individually (e.g. by a consumer
    // that tracks revoked or already-seen ids).
    claims.setTokenId(UUID.randomUUID().toString());

    // An explicit issuer wins; otherwise fall back to the STS-wide configured issuer.
    String tokenIssuer = jwtClaimsProviderParameters.getIssuer();
    if (tokenIssuer == null) {
        STSPropertiesMBean stsProperties =
            jwtClaimsProviderParameters.getProviderParameters().getStsProperties();
        tokenIssuer = stsProperties.getIssuer();
    }
    claims.setIssuer(tokenIssuer);

    handleWSTrustClaims(jwtClaimsProviderParameters, claims);
    handleConditions(jwtClaimsProviderParameters, claims);
    handleAudienceRestriction(jwtClaimsProviderParameters, claims);
    handleActAs(jwtClaimsProviderParameters, claims);

    return claims;
}
 
Example 2
Source File: JWTITCase.java — from Apache Syncope (Apache License 2.0)
/**
 * A caller holding the server's JWS signing key can mint a token and use it.
 *
 * <p>Logs in to obtain a server-issued token, reads its {@code jti}, then builds a
 * fresh five-minute token reusing that id, signs it with the test's
 * {@code jwsSignatureProvider} and calls {@code UserSelfService.read()} with it.
 * The test passes when that call does not throw. This only shows that the server
 * trusts tokens carrying a known id and a valid signature under that key; nothing
 * about the returned user is asserted.
 */
@Test
public void tokenValidation() throws ParseException {
    // Obtain a genuine, server-issued token first.
    SyncopeClient adminClient = clientFactory.create(ADMIN_UNAME, ADMIN_PWD);
    AccessTokenService tokenService = adminClient.getService(AccessTokenService.class);
    Response loginResponse = tokenService.login();
    String issuedToken = loginResponse.getHeaderString(RESTHeaders.TOKEN);
    assertNotNull(issuedToken);

    // The consumer is only used to parse the claims, not to verify the signature;
    // that is enough here since all we need is the jti value.
    String tokenId = new JwsJwtCompactConsumer(issuedToken).getJwtClaims().getTokenId();

    // Time claims are NumericDate values in seconds; validity is five minutes from now.
    long issuedAt = new Date().getTime() / 1000L;
    long expiresAt = issuedAt + 5 * 60L;

    JwtClaims claims = new JwtClaims();
    claims.setTokenId(tokenId);
    claims.setSubject(ADMIN_UNAME);
    claims.setIssuedAt(issuedAt);
    claims.setIssuer(JWT_ISSUER);
    claims.setExpiryTime(expiresAt);
    claims.setNotBefore(issuedAt);

    JwtToken selfMade = new JwtToken(new JwsHeaders(JoseType.JWT, JWS_ALGORITHM), claims);
    String signed = new JwsJwtCompactProducer(selfMade).signWith(jwsSignatureProvider);

    // Present the self-made token: it must be accepted.
    clientFactory.create(signed).getService(UserSelfService.class).read();
}
 
Example 3
Source File: JWTITCase.java — from Apache Syncope (Apache License 2.0)
/**
 * A token declaring {@code alg=none} must be rejected even when every registered
 * claim is copied verbatim from a genuine, server-issued token.
 *
 * <p>This is the classic "none" algorithm downgrade: the signature is stripped and the
 * header claims the token is unsigned. The server is expected to refuse it with an
 * {@link AccessControlException}; acceptance is a test failure.
 */
@Test
public void noneSignature() throws ParseException {
    SyncopeClient adminClient = clientFactory.create(ADMIN_UNAME, ADMIN_PWD);
    AccessTokenService tokenService = adminClient.getService(AccessTokenService.class);
    String issuedToken = tokenService.login().getHeaderString(RESTHeaders.TOKEN);
    assertNotNull(issuedToken);

    // Clone the registered claims of the genuine token (parsed here, not verified).
    JwtClaims genuine = new JwsJwtCompactConsumer(issuedToken).getJwtClaims();
    JwtClaims cloned = new JwtClaims();
    cloned.setTokenId(genuine.getTokenId());
    cloned.setSubject(genuine.getSubject());
    cloned.setIssuedAt(genuine.getIssuedAt());
    cloned.setIssuer(genuine.getIssuer());
    cloned.setExpiryTime(genuine.getExpiryTime());
    cloned.setNotBefore(genuine.getNotBefore());

    // Declare the token unsigned and "sign" it with the none provider.
    JwsHeaders unsignedHeaders = new JwsHeaders(JoseType.JWT, SignatureAlgorithm.NONE);
    String unsigned = new JwsJwtCompactProducer(new JwtToken(unsignedHeaders, cloned))
            .signWith(new NoneJwsSignatureProvider());

    UserSelfService selfService = clientFactory.create(unsigned).getService(UserSelfService.class);
    try {
        selfService.read();
        fail("Failure expected on no signature");
    } catch (AccessControlException expected) {
        // rejected, as it must be
    }
}
 
Example 4
Source File: JWTITCase.java — from Apache Syncope (Apache License 2.0)
/**
 * A token minted by the trusted third-party issuer ({@code CustomJWTSSOProvider}) is
 * accepted and mapped onto the local user "puccini".
 *
 * <p>Skipped when the configured JWS algorithm is asymmetric, because the test signs
 * with the provider's shared HMAC key. NOTE(review): the subject literal below appears
 * to have been redacted by the page's e-mail obfuscation; upstream uses an address that
 * the custom provider resolves to "puccini" — restore it before reusing this test.
 */
@Test
public void thirdPartyToken() throws ParseException {
    assumeFalse(SignatureAlgorithm.isPublicKeyAlgorithm(JWS_ALGORITHM));

    // Five-minute validity window, as NumericDate seconds.
    long issuedAt = new Date().getTime() / 1000L;
    long expiresAt = issuedAt + 5 * 60L;

    JwtClaims claims = new JwtClaims();
    claims.setTokenId(UUID.randomUUID().toString());
    claims.setSubject("[email protected]");
    claims.setIssuedAt(issuedAt);
    claims.setIssuer(CustomJWTSSOProvider.ISSUER);
    claims.setExpiryTime(expiresAt);
    claims.setNotBefore(issuedAt);

    // HMAC under the shared key. getBytes() uses the platform charset; this presumably
    // mirrors what the provider does — confirm if the key ever contains non-ASCII.
    JwsSignatureProvider sharedKeySigner =
            new HmacJwsSignatureProvider(CustomJWTSSOProvider.CUSTOM_KEY.getBytes(), JWS_ALGORITHM);
    JwtToken token = new JwtToken(new JwsHeaders(JoseType.JWT, JWS_ALGORITHM), claims);
    String signed = new JwsJwtCompactProducer(token).signWith(sharedKeySigner);

    Pair<Map<String, Set<String>>, UserTO> self = clientFactory.create(signed).self();
    assertFalse(self.getLeft().isEmpty());
    assertEquals("puccini", self.getRight().getUsername());
}
 
Example 5
Source File: JWTITCase.java — from Apache Syncope (Apache License 2.0)
/**
 * A correctly signed third-party token whose subject does not map to any local user
 * must be rejected with an {@link AccessControlException}.
 *
 * <p>Skipped for asymmetric JWS algorithms (the test signs with the shared HMAC key).
 * NOTE(review): the subject literal looks redacted by the page's e-mail obfuscation;
 * upstream uses an address that resolves to no user.
 */
@Test
public void thirdPartyTokenUnknownUser() throws ParseException {
    assumeFalse(SignatureAlgorithm.isPublicKeyAlgorithm(JWS_ALGORITHM));

    long issuedAt = new Date().getTime() / 1000L;
    long expiresAt = issuedAt + 5 * 60L;

    JwtClaims claims = new JwtClaims();
    claims.setTokenId(UUID.randomUUID().toString());
    claims.setSubject("[email protected]");
    claims.setIssuedAt(issuedAt);
    claims.setIssuer(CustomJWTSSOProvider.ISSUER);
    claims.setExpiryTime(expiresAt);
    claims.setNotBefore(issuedAt);

    // Valid signature under the provider's shared key: the rejection must come from
    // subject resolution, not from signature verification.
    JwsSignatureProvider sharedKeySigner =
            new HmacJwsSignatureProvider(CustomJWTSSOProvider.CUSTOM_KEY.getBytes(), JWS_ALGORITHM);
    JwtToken token = new JwtToken(new JwsHeaders(JoseType.JWT, JWS_ALGORITHM), claims);
    String signed = new JwsJwtCompactProducer(token).signWith(sharedKeySigner);

    SyncopeClient bearer = clientFactory.create(signed);
    try {
        bearer.self();
        fail("Failure expected on an unknown subject");
    } catch (AccessControlException expected) {
        // rejected, as it must be
    }
}
 
Example 6
Source File: JWTITCase.java — from Apache Syncope (Apache License 2.0)
/**
 * A token whose {@code iss} differs from the registered third-party issuer (by a single
 * trailing character) must be rejected, even though it is signed with the right key.
 *
 * <p>Issuer matching must be exact: a prefix match would let an attacker-controlled
 * issuer name piggy-back on a trusted one. Skipped for asymmetric JWS algorithms.
 * NOTE(review): the subject literal looks redacted by the page's e-mail obfuscation.
 */
@Test
public void thirdPartyTokenUnknownIssuer() throws ParseException {
    assumeFalse(SignatureAlgorithm.isPublicKeyAlgorithm(JWS_ALGORITHM));

    long issuedAt = new Date().getTime() / 1000L;
    long expiresAt = issuedAt + 5 * 60L;

    JwtClaims claims = new JwtClaims();
    claims.setTokenId(UUID.randomUUID().toString());
    claims.setSubject("[email protected]");
    claims.setIssuedAt(issuedAt);
    // Almost-right issuer: the genuine value with one character appended.
    claims.setIssuer(CustomJWTSSOProvider.ISSUER + '_');
    claims.setExpiryTime(expiresAt);
    claims.setNotBefore(issuedAt);

    JwsSignatureProvider sharedKeySigner =
            new HmacJwsSignatureProvider(CustomJWTSSOProvider.CUSTOM_KEY.getBytes(), JWS_ALGORITHM);
    JwtToken token = new JwtToken(new JwsHeaders(JoseType.JWT, JWS_ALGORITHM), claims);
    String signed = new JwsJwtCompactProducer(token).signWith(sharedKeySigner);

    SyncopeClient bearer = clientFactory.create(signed);
    try {
        bearer.self();
        fail("Failure expected on an unknown issuer");
    } catch (AccessControlException expected) {
        // rejected, as it must be
    }
}
 
Example 7
Source File: JWTITCase.java — from Apache Syncope (Apache License 2.0)
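/**
 * A third-party token signed with the wrong key must be rejected with an
 * {@link AccessControlException}.
 *
 * <p>Fix: the time claims are now set in seconds, like every sibling test in this
 * class. {@code JwtClaims} iat/nbf/exp are NumericDate values (seconds since the
 * epoch); the previous version passed raw milliseconds, which put {@code nbf} roughly
 * a thousand times into the future. The token would then have been rejected as
 * "not yet valid" even under a correct signature, so the test did not actually
 * isolate the bad-signature path.
 *
 * <p>Skipped for asymmetric JWS algorithms (the test signs with an HMAC key).
 * NOTE(review): the subject literal looks redacted by the page's e-mail obfuscation.
 */
@Test
public void thirdPartyTokenBadSignature() throws ParseException {
    assumeFalse(SignatureAlgorithm.isPublicKeyAlgorithm(JWS_ALGORITHM));

    // Create a new token whose time claims are valid right now, so that the only
    // reason left for rejection is the signature.
    Date now = new Date();
    long currentTime = now.getTime() / 1000L;

    Calendar expiry = Calendar.getInstance();
    expiry.setTime(now);
    expiry.add(Calendar.MINUTE, 5);

    JwtClaims jwtClaims = new JwtClaims();
    jwtClaims.setTokenId(UUID.randomUUID().toString());
    jwtClaims.setSubject("[email protected]");
    jwtClaims.setIssuedAt(currentTime);
    jwtClaims.setIssuer(CustomJWTSSOProvider.ISSUER);
    jwtClaims.setExpiryTime(expiry.getTime().getTime() / 1000L);
    jwtClaims.setNotBefore(currentTime);

    JwsHeaders jwsHeaders = new JwsHeaders(JoseType.JWT, JWS_ALGORITHM);
    JwtToken jwtToken = new JwtToken(jwsHeaders, jwtClaims);
    JwsJwtCompactProducer producer = new JwsJwtCompactProducer(jwtToken);

    // Sign with a key that differs from the provider's by one appended character:
    // the HMAC must not verify under CustomJWTSSOProvider.CUSTOM_KEY.
    JwsSignatureProvider customSignatureProvider =
            new HmacJwsSignatureProvider((CustomJWTSSOProvider.CUSTOM_KEY + '_').getBytes(), JWS_ALGORITHM);
    String signed = producer.signWith(customSignatureProvider);

    SyncopeClient jwtClient = clientFactory.create(signed);

    try {
        jwtClient.self();
        fail("Failure expected on a bad signature");
    } catch (AccessControlException ex) {
        // expected: signature verification failed
    }
}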
 
Example 8
Source File: AccessTokenDataBinderImpl.java — from Apache Syncope (Apache License 2.0)
/**
 * Builds and signs a Syncope access token.
 *
 * <p>Registered claims: {@code jti} = tokenId, {@code sub} = subject, {@code iat} and
 * {@code nbf} = now, {@code exp} = now + {@code duration} minutes, {@code iss} = the
 * configured issuer. Every entry of {@code claims} is then added as a custom claim.
 *
 * <p>NOTE(review): the custom claims are applied after the registered ones, so a map
 * entry keyed "exp", "nbf", "iat", "sub", "iss" or "jti" silently overwrites the
 * registered value. Callers must not feed caller-controlled keys into this map; the
 * map's provenance is outside this block.
 *
 * @param tokenId  unique token id (jti)
 * @param subject  principal the token is issued to
 * @param duration validity in minutes, counted from now
 * @param claims   custom claims added verbatim; must not be null
 * @return the signed compact JWS together with its expiry instant
 */
@Override
public Pair<String, Date> generateJWT(
        final String tokenId,
        final String subject,
        final long duration,
        final Map<String, Object> claims) {

    // Presumably reports (or refuses) use of the default JWS key shipped with Syncope.
    credentialChecker.checkIsDefaultJWSKeyInUse();

    // NumericDate claims are seconds since the epoch; duration is given in minutes.
    final long nowSeconds = System.currentTimeMillis() / 1000L;
    final long expirySeconds = nowSeconds + duration * 60L;

    final JwtClaims jwtClaims = new JwtClaims();
    jwtClaims.setTokenId(tokenId);
    jwtClaims.setSubject(subject);
    jwtClaims.setIssuedAt(nowSeconds);
    jwtClaims.setIssuer(jwtIssuer);
    jwtClaims.setExpiryTime(expirySeconds);
    jwtClaims.setNotBefore(nowSeconds);
    for (Map.Entry<String, Object> custom : claims.entrySet()) {
        jwtClaims.setClaim(custom.getKey(), custom.getValue());
    }

    final JwsHeaders headers = new JwsHeaders(JoseType.JWT, jwsSignatureProvider.getAlgorithm());
    final String signed = new JwsJwtCompactProducer(new JwtToken(headers, jwtClaims))
            .signWith(jwsSignatureProvider);

    return Pair.of(signed, new Date(expirySeconds * 1000L));
}
 
Example 9
Source File: BackChannelLogoutHandler.java — from Apache CXF Fediz (Apache License 2.0)
/**
 * Sends an OpenID Connect back-channel logout token to one client's logout endpoint.
 *
 * <p>The logout token carries iss/sub copied from the id token (the hint if given,
 * else the subject's), aud = the client id, iat = now, a fresh jti built from 16
 * secure-random bytes, the "events" member naming the back-channel logout event and,
 * when available, the user's name. It is handed to {@code super.processJwt} and then
 * POSTed as the {@code logout_token} form parameter on a background thread. A failed
 * request is logged (URI, login and client id only — the token itself is never
 * logged) and not propagated to the caller.
 *
 * <p>Transport security is not configured here: the WebClient for {@code uri} relies
 * on the application context supplying the HTTPS conduit configuration.
 * NOTE(review): if both {@code idTokenHint} and the subject's id token are null this
 * throws a NullPointerException — confirm callers guarantee one of them.
 */
private void submitBackChannelLogoutRequest(final Client client, final OidcUserSubject subject,
        final IdToken idTokenHint, final String uri) {
    // Application context is expected to contain HttpConduit HTTPS configuration
    final WebClient endpoint = WebClient.create(uri);
    final IdToken source = idTokenHint == null ? subject.getIdToken() : idTokenHint;

    final JwtClaims logoutClaims = new JwtClaims();
    logoutClaims.setIssuer(source.getIssuer());
    logoutClaims.setSubject(source.getSubject());
    logoutClaims.setAudience(client.getClientId());
    logoutClaims.setIssuedAt(System.currentTimeMillis() / 1000);
    // 128 random bits, base64url-encoded, so each logout token is individually identifiable.
    logoutClaims.setTokenId(Base64UrlUtility.encode(CryptoUtils.generateSecureRandomBytes(16)));
    logoutClaims.setClaim(EVENTS_PROPERTY,
            Collections.singletonMap(BACK_CHANNEL_LOGOUT_EVENT, Collections.emptyMap()));
    final String name = source.getName();
    if (name != null) {
        logoutClaims.setClaim(IdToken.NAME_CLAIM, name);
    }

    final String logoutToken = super.processJwt(new JwtToken(logoutClaims));
    executorService.submit(new Runnable() {

        @Override
        public void run() {
            try {
                endpoint.form(new Form().param(LOGOUT_TOKEN, logoutToken));
            } catch (Exception ex) {
                LOG.info(String.format("Back channel request to %s to log out %s from client %s has failed",
                    uri, subject.getLogin(), client.getClientId()));
                LOG.fine(String.format("%s request failure: %s", uri, ExceptionUtils.getStackTrace(ex)));
            }
        }

    });
}
 
Example 10
Source File: JWTITCase.java — from Apache Syncope (Apache License 2.0)
@Test
public void invalidIssuer() throws ParseException {
    // Get an initial token
    SyncopeClient localClient = clientFactory.create(ADMIN_UNAME, ADMIN_PWD);
    AccessTokenService accessTokenService = localClient.getService(AccessTokenService.class);

    Response response = accessTokenService.login();
    String token = response.getHeaderString(RESTHeaders.TOKEN);
    assertNotNull(token);
    JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(token);
    String tokenId = consumer.getJwtClaims().getTokenId();

    // Create a new token using the Id of the first token
    Date now = new Date();
    long currentTime = now.getTime() / 1000L;

    Calendar expiry = Calendar.getInstance();
    expiry.setTime(now);
    expiry.add(Calendar.MINUTE, 5);

    JwtClaims jwtClaims = new JwtClaims();
    jwtClaims.setTokenId(tokenId);
    jwtClaims.setSubject(ADMIN_UNAME);
    jwtClaims.setIssuedAt(currentTime);
    jwtClaims.setIssuer("UnknownIssuer");
    jwtClaims.setExpiryTime(expiry.getTime().getTime() / 1000L);
    jwtClaims.setNotBefore(currentTime);

    JwsHeaders jwsHeaders = new JwsHeaders(JoseType.JWT, JWS_ALGORITHM);
    JwtToken jwtToken = new JwtToken(jwsHeaders, jwtClaims);
    JwsJwtCompactProducer producer = new JwsJwtCompactProducer(jwtToken);

    String signed = producer.signWith(jwsSignatureProvider);

    SyncopeClient jwtClient = clientFactory.create(signed);
    UserSelfService jwtUserSelfService = jwtClient.getService(UserSelfService.class);
    try {
        jwtUserSelfService.read();
        fail("Failure expected on an invalid issuer");
    } catch (AccessControlException ex) {
        // expected
    }
}
 
Example 11
Source File: JWTITCase.java — from Apache Syncope (Apache License 2.0)
@Test
public void expiredToken() throws ParseException {
    // Get an initial token
    SyncopeClient localClient = clientFactory.create(ADMIN_UNAME, ADMIN_PWD);
    AccessTokenService accessTokenService = localClient.getService(AccessTokenService.class);

    Response response = accessTokenService.login();
    String token = response.getHeaderString(RESTHeaders.TOKEN);
    assertNotNull(token);
    JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(token);
    String tokenId = consumer.getJwtClaims().getTokenId();

    // Create a new token using the Id of the first token
    Date now = new Date();
    long currentTime = now.getTime() / 1000L;

    Calendar expiry = Calendar.getInstance();
    expiry.setTime(now);
    expiry.add(Calendar.MINUTE, 5);

    JwtClaims jwtClaims = new JwtClaims();
    jwtClaims.setTokenId(tokenId);
    jwtClaims.setSubject(ADMIN_UNAME);
    jwtClaims.setIssuedAt(currentTime);
    jwtClaims.setIssuer(JWT_ISSUER);
    jwtClaims.setExpiryTime((now.getTime() - 5000L) / 1000L);
    jwtClaims.setNotBefore(currentTime);

    JwsHeaders jwsHeaders = new JwsHeaders(JoseType.JWT, JWS_ALGORITHM);
    JwtToken jwtToken = new JwtToken(jwsHeaders, jwtClaims);
    JwsJwtCompactProducer producer = new JwsJwtCompactProducer(jwtToken);

    String signed = producer.signWith(jwsSignatureProvider);

    SyncopeClient jwtClient = clientFactory.create(signed);
    UserSelfService jwtUserSelfService = jwtClient.getService(UserSelfService.class);
    try {
        jwtUserSelfService.read();
        fail("Failure expected on an expired token");
    } catch (AccessControlException ex) {
        // expected
    }
}
 
Example 12
Source File: JWTITCase.java — from Apache Syncope (Apache License 2.0)
@Test
public void notBefore() throws ParseException {
    // Get an initial token
    SyncopeClient localClient = clientFactory.create(ADMIN_UNAME, ADMIN_PWD);
    AccessTokenService accessTokenService = localClient.getService(AccessTokenService.class);

    Response response = accessTokenService.login();
    String token = response.getHeaderString(RESTHeaders.TOKEN);
    assertNotNull(token);
    JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(token);
    String tokenId = consumer.getJwtClaims().getTokenId();

    // Create a new token using the Id of the first token
    Date now = new Date();
    long currentTime = now.getTime() / 1000L;

    Calendar expiry = Calendar.getInstance();
    expiry.setTime(now);
    expiry.add(Calendar.MINUTE, 5);

    JwtClaims jwtClaims = new JwtClaims();
    jwtClaims.setTokenId(tokenId);
    jwtClaims.setSubject(ADMIN_UNAME);
    jwtClaims.setIssuedAt(currentTime);
    jwtClaims.setIssuer(JWT_ISSUER);
    jwtClaims.setExpiryTime(expiry.getTime().getTime() / 1000L);
    jwtClaims.setNotBefore(currentTime + 60L);

    JwsHeaders jwsHeaders = new JwsHeaders(JoseType.JWT, JWS_ALGORITHM);
    JwtToken jwtToken = new JwtToken(jwsHeaders, jwtClaims);
    JwsJwtCompactProducer producer = new JwsJwtCompactProducer(jwtToken);

    String signed = producer.signWith(jwsSignatureProvider);

    SyncopeClient jwtClient = clientFactory.create(signed);
    UserSelfService jwtUserSelfService = jwtClient.getService(UserSelfService.class);
    try {
        jwtUserSelfService.read();
        fail("Failure expected on a token that is not valid yet");
    } catch (AccessControlException ex) {
        // expected
    }
}
 
Example 13
Source File: JWTITCase.java — from Apache Syncope (Apache License 2.0)
@Test
public void unknownId() throws ParseException {
    // Get an initial token
    SyncopeClient localClient = clientFactory.create(ADMIN_UNAME, ADMIN_PWD);
    AccessTokenService accessTokenService = localClient.getService(AccessTokenService.class);

    Response response = accessTokenService.login();
    String token = response.getHeaderString(RESTHeaders.TOKEN);
    assertNotNull(token);

    // Create a new token using an unknown Id
    Date now = new Date();
    long currentTime = now.getTime() / 1000L;

    Calendar expiry = Calendar.getInstance();
    expiry.setTime(now);
    expiry.add(Calendar.MINUTE, 5);

    JwtClaims jwtClaims = new JwtClaims();
    jwtClaims.setTokenId(UUID.randomUUID().toString());
    jwtClaims.setSubject(ADMIN_UNAME);
    jwtClaims.setIssuedAt(currentTime);
    jwtClaims.setIssuer(JWT_ISSUER);
    jwtClaims.setExpiryTime(expiry.getTime().getTime() / 1000L);
    jwtClaims.setNotBefore(currentTime);

    JwsHeaders jwsHeaders = new JwsHeaders(JoseType.JWT, JWS_ALGORITHM);
    JwtToken jwtToken = new JwtToken(jwsHeaders, jwtClaims);
    JwsJwtCompactProducer producer = new JwsJwtCompactProducer(jwtToken);

    String signed = producer.signWith(jwsSignatureProvider);

    SyncopeClient jwtClient = clientFactory.create(signed);
    UserSelfService jwtUserSelfService = jwtClient.getService(UserSelfService.class);
    try {
        jwtUserSelfService.read();
        fail("Failure expected on an unknown id");
    } catch (AccessControlException ex) {
        // expected
    }
}
 
Example 14
Source File: AbstractOAuthDataProvider.java — from Apache CXF (Apache License 2.0)
/**
 * Converts a stored {@link ServerAccessToken} into the claim set of a JWT access token.
 *
 * <p>Mapping, in insertion order (kept as-is since it determines the serialized
 * payload): jti = token key; the client id under the configured claim name
 * ("client_id" by default); iat, plus exp = iat + expiresIn when expiresIn is
 * positive; sub = subject id and the login under the configured "username" claim,
 * when a subject is present; iss; "scope"; aud (single value or list); the extra
 * properties, where an x5t#S256 entry becomes a "cnf" claim and every other entry
 * lands under "extra_properties"; then grant_type, the spent authorization code, the
 * PKCE code verifier and the nonce, each only when present.
 *
 * <p>NOTE(review): a JWS is integrity-protected, not confidential. Everything copied
 * here — including "extra_properties", the authorization code and the code verifier —
 * is readable by whoever holds the token unless it is additionally encrypted
 * downstream. Do not place secrets in extra properties.
 *
 * @param at the access token as stored by this data provider
 * @return the claims to be signed (and possibly encrypted) by the caller
 */
protected JwtClaims createJwtAccessToken(ServerAccessToken at) {
    final JwtClaims claims = new JwtClaims();
    claims.setTokenId(at.getTokenKey());

    // 'client_id' or 'cid', default client_id
    final String clientIdClaim =
        JwtTokenUtils.getClaimName(OAuthConstants.CLIENT_ID, OAuthConstants.CLIENT_ID,
                                         getJwtAccessTokenClaimMap());
    claims.setClaim(clientIdClaim, at.getClient().getClientId());

    // iat is taken as recorded; exp only when a positive lifetime was recorded.
    claims.setIssuedAt(at.getIssuedAt());
    if (at.getExpiresIn() > 0) {
        claims.setExpiryTime(at.getIssuedAt() + at.getExpiresIn());
    }

    final UserSubject subject = at.getSubject();
    if (subject != null) {
        if (subject.getId() != null) {
            claims.setSubject(subject.getId());
        }
        // 'username' by default to be consistent with the token introspection response
        final String usernameProp = "username";
        claims.setClaim(
            JwtTokenUtils.getClaimName(usernameProp, usernameProp, getJwtAccessTokenClaimMap()),
            subject.getLogin());
    }
    if (at.getIssuer() != null) {
        claims.setIssuer(at.getIssuer());
    }
    if (!at.getScopes().isEmpty()) {
        claims.setClaim(OAuthConstants.SCOPE, OAuthUtils.convertPermissionsToScopeList(at.getScopes()));
    }

    // OAuth2 resource indicators (resource server audience)
    final List<String> audiences = at.getAudiences();
    if (!audiences.isEmpty()) {
        if (audiences.size() == 1) {
            claims.setAudience(audiences.get(0));
        } else {
            claims.setAudiences(audiences);
        }
    }

    final Map<String, String> extraProps = at.getExtraProperties();
    if (!extraProps.isEmpty()) {
        final Map<String, String> remaining = new HashMap<>();
        for (Map.Entry<String, String> prop : extraProps.entrySet()) {
            if (JoseConstants.HEADER_X509_THUMBPRINT_SHA256.equals(prop.getKey())) {
                // Certificate thumbprint becomes the confirmation claim
                // cnf = { "x5t#S256": thumbprint }, as used for certificate-bound tokens.
                claims.setClaim(JwtConstants.CLAIM_CONFIRMATION,
                    Collections.singletonMap(JoseConstants.HEADER_X509_THUMBPRINT_SHA256,
                                             prop.getValue()));
            } else {
                remaining.put(prop.getKey(), prop.getValue());
            }
        }
        claims.setClaim("extra_properties", remaining);
    }

    // Lets an RS/etc check which grant was used to get this token issued
    if (at.getGrantType() != null) {
        claims.setClaim(OAuthConstants.GRANT_TYPE, at.getGrantType());
    }
    // The original code grant, already removed from storage and no longer redeemable;
    // only present when the authorization code flow was used
    if (at.getGrantCode() != null) {
        claims.setClaim(OAuthConstants.AUTHORIZATION_CODE_GRANT, at.getGrantCode());
    }
    // Lets an RS/etc link (especially public) client instances to this token
    if (at.getClientCodeVerifier() != null) {
        claims.setClaim(OAuthConstants.AUTHORIZATION_CODE_VERIFIER, at.getClientCodeVerifier());
    }
    if (at.getNonce() != null) {
        claims.setClaim(OAuthConstants.NONCE, at.getNonce());
    }
    return claims;
}