Java Code Examples for org.apache.cxf.rs.security.jose.jwt.JwtToken#getClaim()

Example 1
Source File: JwtBearerAuthHandler.java — from cxf (Apache License 2.0)
/**
 * Validates a JWT bearer assertion after the inherited checks have run.
 *
 * <p>Only the presence of the issuer, subject and expiry claims is verified
 * here; their values are not inspected by this method. A missing claim is
 * reported to the caller as an {@code invalid_grant} error.
 *
 * @param jwt the parsed token to validate
 * @throws OAuthServiceException if a required claim is absent
 */
@Override
protected void validateToken(JwtToken jwt) {
    // Inherited validation runs first and may reject the token on its own.
    super.validateToken(jwt);

    // Required claims, checked in the same order as before: iss, sub, exp.
    String[] requiredClaims = {
        JwtConstants.CLAIM_ISSUER,
        JwtConstants.CLAIM_SUBJECT,
        JwtConstants.CLAIM_EXPIRY
    };
    for (String claimName : requiredClaims) {
        if (jwt.getClaim(claimName) == null) {
            throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
        }
    }

    // Time-based and (optionally) audience validation is delegated to JwtUtils
    // using this handler's configured TTL, clock offset and audience flag.
    JwtUtils.validateTokenClaims(jwt.getClaims(), getTtl(), getClockOffset(), isValidateAudience());
}
 
Example 2
Source File: TrustedIdpOIDCProtocolHandler.java — from cxf-fediz (Apache License 2.0)
/**
 * Validates an IdToken received from a trusted OIDC IdP.
 *
 * <p>The issuer, subject, audience, expiry and issued-at claims must all be
 * present (only presence is checked here; the issuer value itself is not
 * compared against anything in this method), and at least one {@code aud}
 * entry must equal {@code clientId}. Remaining time-based checks are delegated
 * to {@link JwtUtils#validateTokenClaims} with a fixed 300 second TTL, no
 * clock offset, and audience validation disabled because the audience has
 * already been matched above.
 *
 * @param jwt      the parsed IdToken
 * @param clientId this client's id, which the token's audience must contain
 * @throws IllegalStateException if a required claim is missing or the audience
 *                               does not match
 */
protected void validateToken(JwtToken jwt, String clientId) {
    boolean claimMissing = jwt.getClaim(JwtConstants.CLAIM_ISSUER) == null
        || jwt.getClaim(JwtConstants.CLAIM_SUBJECT) == null
        || jwt.getClaim(JwtConstants.CLAIM_AUDIENCE) == null
        || jwt.getClaim(JwtConstants.CLAIM_EXPIRY) == null
        || jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT) == null;
    if (claimMissing) {
        LOG.warn("The IdToken is missing a required claim");
        throw new IllegalStateException("The IdToken is missing a required claim");
    }

    // The token must be addressed to this client: some aud entry equals clientId.
    boolean audienceMatches = jwt.getClaims().getAudiences().stream()
        .anyMatch(audience -> clientId.equals(audience));
    if (!audienceMatches) {
        LOG.warn("The audience of the token does not match this client");
        throw new IllegalStateException("The audience of the token does not match this client");
    }

    // ttl = 300s, clockOffset = 0, validateAudience = false (already matched above)
    JwtUtils.validateTokenClaims(jwt.getClaims(), 300, 0, false);
}
 
Example 3
Source File: JWTProviderLifetimeTest.java — from cxf (Apache License 2.0)
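/**
 * Issue JWT token with a lifetime configured in JWTTokenProvider
 * No specific lifetime requested
 *
 * Asserts that the provider response spans exactly the configured lifetime,
 * that the token's iat claim equals the recorded creation time, and that the
 * exp claim lies in the future.
 */
@org.junit.Test
public void testJWTProviderLifetime() throws Exception {

    long providerLifetime = 10 * 600L;
    JWTTokenProvider tokenProvider = new JWTTokenProvider();
    DefaultJWTClaimsProvider claimsProvider = new DefaultJWTClaimsProvider();
    claimsProvider.setLifetime(providerLifetime);
    tokenProvider.setJwtClaimsProvider(claimsProvider);

    TokenProviderParameters providerParameters = createProviderParameters(JWTTokenProvider.JWT_TOKEN_TYPE);

    TokenProviderResponse providerResponse = tokenProvider.createToken(providerParameters);
    assertNotNull(providerResponse);
    assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);

    // created..expires must cover exactly the lifetime configured on the claims provider
    long duration = Duration.between(providerResponse.getCreated(), providerResponse.getExpires()).getSeconds();
    assertEquals(providerLifetime, duration);

    String token = (String)providerResponse.getToken();
    assertNotNull(token);

    JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(token);
    JwtToken jwt = jwtConsumer.getJwtToken();
    // iat is carried in epoch seconds and must match the response's creation time
    assertEquals(jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT), providerResponse.getCreated().getEpochSecond());

    // exp must be in the future. The previous version evaluated isAfter() but
    // discarded the result, so the expiry was never actually asserted.
    Instant now = Instant.now();
    Long expiry = (Long)jwt.getClaim(JwtConstants.CLAIM_EXPIRY);
    assertNotNull(expiry);
    assertTrue(Instant.ofEpochSecond(expiry).isAfter(now));
}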
 
Example 4
Source File: JwtBearerAuthHandler.java — from cxf (Apache License 2.0)
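/**
 * Authenticates a client that presents a JWT bearer client assertion in the
 * request form (client_assertion_type / client_assertion).
 *
 * <p>Flow: the assertion type must decode to the JWT bearer type and an
 * assertion must be present; an optional client_id is resolved through the
 * client provider when one is configured; the assertion is parsed and
 * validated by the superclass; when client_id was supplied it must equal the
 * assertion's {@code sub} claim, which then becomes the effective client id on
 * the message. The authentication parameters are removed from the form before
 * the form is restored for downstream consumers.
 *
 * <p>Every failure is reported as a "not authorized" exception without
 * distinguishing the reason to the caller.
 *
 * @param context the JAX-RS request context (unused; the current CXF message
 *                is read instead)
 */
@Override
public void filter(ContainerRequestContext context) {
    Message message = JAXRSUtils.getCurrentMessage();
    Form form = readFormData(message);
    MultivaluedMap<String, String> formData = form.asMap();

    // client_assertion_type is compared after URL-decoding; a missing parameter
    // decodes to null and fails the equals check like any other wrong value.
    String assertionType = formData.getFirst(Constants.CLIENT_AUTH_ASSERTION_TYPE);
    String decodedAssertionType = assertionType != null ? HttpUtils.urlDecode(assertionType) : null;
    if (!Constants.CLIENT_AUTH_JWT_BEARER.equals(decodedAssertionType)) {
        throw ExceptionUtils.toNotAuthorizedException(null, null);
    }

    String assertion = formData.getFirst(Constants.CLIENT_AUTH_ASSERTION_PARAM);
    if (assertion == null) {
        throw ExceptionUtils.toNotAuthorizedException(null, null);
    }

    // client_id is optional. When present and a client provider is configured,
    // the client must be known; otherwise the assertion is validated with no
    // resolved Client.
    String clientId = formData.getFirst(OAuthConstants.CLIENT_ID);
    Client client = null;
    if (clientId != null && clientProvider != null) {
        client = clientProvider.getClient(clientId);
        if (client == null) {
            throw ExceptionUtils.toNotAuthorizedException(null, null);
        }
        message.put(Client.class, client);
    }
    JwtToken token = super.getJwtToken(assertion, client);

    // A supplied client_id must agree with the assertion's subject; the subject
    // is what is recorded as the client id on the message either way.
    String subjectName = (String)token.getClaim(JwtConstants.CLAIM_SUBJECT);
    if (clientId != null && !clientId.equals(subjectName)) {
        throw ExceptionUtils.toNotAuthorizedException(null, null);
    }
    message.put(OAuthConstants.CLIENT_ID, subjectName);

    // Strip the authentication parameters before the form is restored below.
    formData.remove(OAuthConstants.CLIENT_ID);
    formData.remove(Constants.CLIENT_AUTH_ASSERTION_PARAM);
    formData.remove(Constants.CLIENT_AUTH_ASSERTION_TYPE);

    SecurityContext securityContext = configureSecurityContext(token);
    if (securityContext != null) {
        message.put(SecurityContext.class, securityContext);
    }

    // restore input stream
    try {
        FormUtils.restoreForm(provider, form, message);
    } catch (Exception ex) {
        // Keep the underlying failure as the cause rather than discarding it;
        // the response to the client is still a plain "not authorized".
        throw ExceptionUtils.toNotAuthorizedException(ex, null);
    }
}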
 
Example 5
Source File: OidcClaimsValidator.java — from cxf (Apache License 2.0)
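/**
 * Selects the JWS verifier for an IdToken.
 *
 * <p>Two sources are consulted. For a self-issued provider (when enabled and
 * the {@code iss} claim equals {@code SELF_ISSUED_ISSUER}) the public key is
 * taken from the token's own {@code sub_jwk} claim and is accepted only if
 * the {@code sub} claim equals that key's thumbprint. Otherwise the key is
 * looked up by the JWS {@code kid} header in the local key map, falling back
 * to the JWK set endpoint, whose result also replaces the cached key map.
 * When no key is found the superclass verifier (selected from the JWS
 * headers) is used.
 *
 * @param jwt the token whose signature is to be verified
 * @return a verifier for the token's signature, never {@code null}
 * @throws SecurityException if a self-issued key is missing or does not match
 *                           the subject, or if no verifier can be produced
 */
@Override
protected JwsSignatureVerifier getInitializedSignatureVerifier(JwtToken jwt) {
    JsonWebKey key = null;
    // The issuer lives in the registered "iss" claim (RFC 7519), matching the
    // standard "sub" and "sub_jwk" names read below. The earlier literal
    // "issuer" is not a JWT claim name, so a spec-compliant self-issued token
    // never reached this branch.
    if (supportSelfIssuedProvider && SELF_ISSUED_ISSUER.equals(jwt.getClaim("iss"))) {
        String publicKeyJson = (String)jwt.getClaim("sub_jwk");
        if (publicKeyJson != null) {
            JsonWebKey publicKey = JwkUtils.readJwkKey(publicKeyJson);
            String thumbprint = JwkUtils.getThumbprint(publicKey);
            // Bind the embedded key to the subject: accept it only when
            // sub == thumbprint(sub_jwk); any other key in the token is ignored.
            if (thumbprint.equals(jwt.getClaim("sub"))) {
                key = publicKey;
            }
        }
        if (key == null) {
            throw new SecurityException("Self-issued JWK key is invalid or not available");
        }
    } else {
        String keyId = jwt.getJwsHeaders().getKeyId();
        key = keyId != null ? keyMap.get(keyId) : null;
        if (key == null && jwkSetClient != null) {
            JsonWebKeys keys = jwkSetClient.get(JsonWebKeys.class);
            // A null JWK set previously raised a NullPointerException here; now
            // it simply leaves key unset and the superclass verifier is tried.
            if (keys != null) {
                if (keyId != null) {
                    key = keys.getKey(keyId);
                } else if (keys.getKeys().size() == 1) {
                    // No kid in the header: only unambiguous when the set holds one key
                    key = keys.getKeys().get(0);
                }
                //jwkSetClient returns the most up-to-date keys
                keyMap.clear();
                keyMap.putAll(keys.getKeyIdMap());
            }
        }
    }
    JwsSignatureVerifier theJwsVerifier = null;
    if (key != null) {
        // The algorithm is taken from the token's own header; the key must be valid for it.
        theJwsVerifier = JwsUtils.getSignatureVerifier(key, jwt.getJwsHeaders().getSignatureAlgorithm());
    } else {
        theJwsVerifier = super.getInitializedSignatureVerifier(jwt.getJwsHeaders());
    }
    if (theJwsVerifier == null) {
        throw new SecurityException("JWS Verifier is not available");
    }

    return theJwsVerifier;
}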