org.jose4j.jwt.consumer.JwtConsumerBuilder Java Examples

The following examples show how to use org.jose4j.jwt.consumer.JwtConsumerBuilder.
Example #1
Source File: From dropwizard-auth-jwt with Apache License 2.0
/**
 * Builds the request filter used by the tests: a {@link JwtConsumer} with the
 * expected validation rules, wrapped in a {@code JwtAuthFilter}.
 * Note: this listing stops mid-chain; the remaining filter-builder calls (where
 * {@code consumer} is presumably attached) and the closing braces are not shown.
 */
protected ContainerRequestFilter getAuthFilter() {

            final JwtConsumer consumer = new JwtConsumerBuilder()
                .setRequireExpirationTime() // the JWT must have an expiration time (exp)
                .setAllowedClockSkewInSeconds(30) // allow some leeway in validating time based claims to account for clock skew
                .setRequireSubject() // the JWT must have a subject claim (sub)
                .setExpectedIssuer("Issuer") // whom the JWT needs to have been issued by (iss)
                .setExpectedAudience("Audience") // to whom the JWT must be addressed (aud); a token minted for another service is rejected
                .setVerificationKey(new HmacKey(SECRET_KEY.getBytes(UTF_8))) // HMAC key: symmetric, so the same secret both signs and verifies and must stay confidential
                .setRelaxVerificationKeyValidation() // skips jose4j's key-strength check (e.g. minimum HMAC key length); prefer a key long enough that this is unnecessary
                .build();// create the JwtConsumer instance

            return new JwtAuthFilter.Builder<>()
                .setAuthorizer(AuthUtil.getTestAuthorizer(ADMIN_USER, ADMIN_ROLE))
                .setAuthenticator(AuthUtil.getJWTAuthenticator(ImmutableList.of(ADMIN_USER, ORDINARY_USER)))
Example #2
Source File: From dropwizard-auth-jwt with Apache License 2.0
/**
 * Dropwizard application wiring: builds the {@link JwtConsumer} used by the auth
 * filter from the secret in the configuration and registers the Jersey auth
 * components. Several lines are missing from this listing (the rest of the
 * filter-builder chain and the closing parentheses/braces).
 */
public void run(MyConfiguration configuration, Environment environment) throws Exception {
    // Shared secret from configuration; the same value is handed to SecuredResource below,
    // which presumably issues the tokens this consumer verifies (HMAC is symmetric).
    final byte[] key = configuration.getJwtTokenSecret();

    final JwtConsumer consumer = new JwtConsumerBuilder()
        .setAllowedClockSkewInSeconds(30) // allow some leeway in validating time based claims to account for clock skew
        .setRequireExpirationTime() // the JWT must have an expiration time
        .setRequireSubject() // the JWT must have a subject claim
        .setVerificationKey(new HmacKey(key)) // HMAC key: the same secret signs and verifies, so it must stay confidential
        .setRelaxVerificationKeyValidation() // skips jose4j's key-strength check (e.g. minimum HMAC key length); prefer a key long enough that this is unnecessary
        .build(); // create the JwtConsumer instance
    // NOTE(review): no expected issuer/audience is shown in the listing; if that is the real
    // configuration, any token signed with this secret is accepted regardless of who it was
    // minted for — acceptable only if the secret is used by this service alone.

    environment.jersey().register(new AuthDynamicFeature(
        new JwtAuthFilter.Builder<MyUser>()
            .setAuthenticator(new ExampleAuthenticator())

    environment.jersey().register(new AuthValueFactoryProvider.Binder<>(Principal.class));
    environment.jersey().register(new SecuredResource(configuration.getJwtTokenSecret()));
Example #3
Source File: From box-java-sdk with Apache License 2.0
/**
 * Extracts the {@code assertion} form field from the request body and runs it
 * through a {@link JwtConsumer}.
 * The builder's configuration lines and several closing braces are missing from
 * this listing.
 *
 * @param request request whose body is a form-encoded string
 * @return the verified claims of the assertion JWT
 * @throws Exception if no assertion field is present, or whatever processToClaims throws
 */
private JwtClaims getClaimsFromRequest(Request request) throws Exception {

        // Get the JWT out of the request body
        String body = request.getBodyAsString();
        String[] tokens = body.split("&");
        String jwt = null;
        for (String s : tokens) {
            String[] parts = s.split("=");
            // NOTE(review): split() never yields null elements, so the null checks are no-ops.
            // An "assertion" field with no '=' or an empty value ("assertion=" — split drops
            // trailing empty strings) gives a one-element array and parts[1] throws
            // ArrayIndexOutOfBoundsException. The value is not URL-decoded, which is fine for a
            // compact JWS (base64url segments and '.'), but breaks for percent-encoded input.
            if (parts[0] != null && parts[0].equals("assertion") && parts[1] != null) {
                jwt = parts[1];
        if (jwt == null) {
            throw new Exception("No jwt assertion found in request body");

        // Parse out the JWT to verify the claims
        // NOTE(review): the builder options are missing from this listing, so which checks
        // (verification key, exp, iss/aud) the consumer enforces cannot be confirmed here.
        JwtConsumer jwtConsumer = new JwtConsumerBuilder()
        return jwtConsumer.processToClaims(jwt);
Example #4
Source File: From openhab-core with Eclipse Public License 2.0
 * Performs verifications on a JWT token, then parses it into an {@link Authentication} instance
 * @param jwt the base64-encoded JWT token from the request
 * @return the {@link Authentication} derived from the information in the token
 * @throws AuthenticationException if the token fails verification or its claims cannot be read
public Authentication verifyAndParseJwtAccessToken(String jwt) throws AuthenticationException {
    // The WHITELIST constraint pins the JWS 'alg' header to RS256, so a token claiming
    // 'none' or an HMAC algorithm is rejected before any key is consulted.
    // NOTE(review): no verification key, expected issuer or audience appears in this listing;
    // the page may have dropped builder lines — confirm the real chain sets them.
    JwtConsumer jwtConsumer = new JwtConsumerBuilder().setRequireExpirationTime().setAllowedClockSkewInSeconds(30)
            .setJwsAlgorithmConstraints(ConstraintType.WHITELIST, AlgorithmIdentifiers.RSA_USING_SHA256).build();

    try {
        JwtClaims jwtClaims = jwtConsumer.processToClaims(jwt);
        String username = jwtClaims.getSubject();
        // 'role' is a custom claim; a non-string-list value raises MalformedClaimException, and if
        // jose4j returns null for an absent claim the toArray below throws NPE — both land in the catch.
        List<String> roles = jwtClaims.getStringListClaimValue("role");
        Authentication auth = new Authentication(username, roles.toArray(new String[roles.size()]));
        return auth;
    } catch (Exception e) {
        // Every rejected token is logged at ERROR with its stack trace; for an auth endpoint this
        // is noisy and client-controlled — WARN/DEBUG is the usual level for client errors.
        logger.error("Error while processing JWT token", e);
        // Only the message is propagated (no cause chaining), so the log line above is the sole
        // place the original exception type survives.
        throw new AuthenticationException(e.getMessage());
Example #5
Source File: From microprofile-jwt-auth with Apache License 2.0
/**
 * TCK helper: builds a consumer constrained to an expected signature algorithm and
 * issuer, then processes the token. This listing is heavily truncated (the builder
 * chain, the grace-period branch bodies and the build() call are missing), so only
 * the visible flow is documented.
 */
protected void validateToken(String token, RSAPublicKey publicKey, String issuer, int expGracePeriodSecs) throws Exception {
    JwtConsumerBuilder builder = new JwtConsumerBuilder()
            new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.WHITELIST,


    // Both branch bodies are missing; presumably a positive grace period becomes the
    // allowed clock skew and zero/negative disables it — confirm against the source.
    if (expGracePeriodSecs > 0) {
    else {

    JwtConsumer jwtConsumer =;
    // process() keeps the JOSE structure so the 'typ' header can be inspected after validation
    JwtContext jwtContext = jwtConsumer.process(token);
    String type = jwtContext.getJoseObjects().get(0).getHeader("typ");
    //  Validate the JWT and process it to the Claims
Example #6
Source File: From lucene-solr with Apache License 2.0
/**
 * Configures the shared {@code jwtConsumer} from the plugin's settings: issuers,
 * audiences, expiry requirement and signature-algorithm whitelist. This listing drops
 * the stream expressions on the two array lines, the else/if bodies and the build() call.
 */
private void initConsumer() {
  JwtConsumerBuilder jwtConsumerBuilder = new JwtConsumerBuilder()
      .setAllowedClockSkewInSeconds(30); // allow some leeway in validating time based claims to account for clock skew
  String[] issuers =[]::new);
  if (issuers.length > 0) {
    jwtConsumerBuilder.setExpectedIssuers(requireIssuer, issuers); // whom the JWT needs to have been issued by
  String[] audiences =[]::new);
  if (audiences.length > 0) {
    jwtConsumerBuilder.setExpectedAudience(audiences); // to whom the JWT is intended for
  } else {
  // NOTE(review): the else body is not shown; if it disables audience validation, tokens
  // issued for other services are accepted whenever no audience is configured.
  if (requireExpirationTime)
  if (algWhitelist != null)
    jwtConsumerBuilder.setJwsAlgorithmConstraints( // only allow the expected signature algorithm(s) in the given context
        new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.WHITELIST, algWhitelist.toArray(new String[0])));
  // NOTE(review): with algWhitelist == null no explicit constraint is set and jose4j's default
  // applies (to my recollection it rejects only 'none'); pinning the expected algorithm(s)
  // is the safer default.
  jwtConsumer =; // create the JwtConsumer instance
Example #7
Source File: From eplmp with Eclipse Public License 1.0
/**
 * Verifies an entity token and returns the entity identifier stored as JSON in the
 * token's subject, or null if verification, JSON parsing or the key lookup fails.
 * The builder's configuration (key, required claims, build()) is missing from this listing.
 */
public static String validateEntityToken(Key key, String jwt) {

        JwtConsumer jwtConsumer = new JwtConsumerBuilder()

        try {
            JwtClaims jwtClaims = jwtConsumer.processToClaims(jwt);
            // The subject is itself a JSON document carrying the entity key
            String subject = jwtClaims.getSubject();
            try (JsonReader reader = Json.createReader(new StringReader(subject))) {
                JsonObject subjectObject = reader.readObject(); // JsonParsingException
                return subjectObject.getString(ENTITY_KEY); // Npe
        } catch (InvalidJwtException | MalformedClaimException | JsonParsingException | NullPointerException e) {
            // NPE is caught because JsonObject.getString throws it for an absent key (and
            // StringReader for a null subject); getString(name, default) would make that explicit.
            // Rejections are logged at FINE only, so they are invisible with default log levels.
            LOGGER.log(Level.FINE, "Cannot validate jwt token", e);

        return null;

Example #8
Source File: From eplmp with Eclipse Public License 1.0
/**
 * Verifies a shared-resource token and returns the shared entity UUID stored as JSON
 * in the token's subject, or null if verification, JSON parsing or the key lookup fails.
 * The builder's configuration (key, required claims, build()) is missing from this listing.
 */
public static String validateSharedResourceToken(Key key, String jwt) {

        JwtConsumer jwtConsumer = new JwtConsumerBuilder()

        try {
            JwtClaims jwtClaims = jwtConsumer.processToClaims(jwt);
            // The subject is itself a JSON document carrying the UUID
            String subject = jwtClaims.getSubject();
            try (JsonReader reader = Json.createReader(new StringReader(subject))) {
                JsonObject subjectObject = reader.readObject(); // JsonParsingException
                return subjectObject.getString(SHARED_ENTITY_UUID); // Npe
        } catch (InvalidJwtException | MalformedClaimException | JsonParsingException | NullPointerException e) {
            // NPE is caught because JsonObject.getString throws it for an absent key (and
            // StringReader for a null subject); getString(name, default) would make that explicit.
            // Rejections are logged at FINE only, so they are invisible with default log levels.
            LOGGER.log(Level.FINE, "Cannot validate jwt token", e);

        return null;

Example #9
Source File: From light-4j with Apache License 2.0
/**
 * Reports whether the bearer token in an Authorization header has expired.
 * Returns false when no token is present or when the token is invalid for a reason
 * other than expiry. The try body (the process call) and the consumer's builder
 * options are not shown in this listing.
 */
private static boolean isTokenExpired(String authorization) {
    boolean expired = false;
    String jwt = getJwtFromAuthorization(authorization);
    if(jwt != null) {
        JwtConsumer consumer = new JwtConsumerBuilder()

        try {
        } catch (InvalidJwtException e) {
            // Only the expiry failure is of interest here; other validation failures
            // (bad signature, wrong issuer, ...) leave 'expired' false, so callers must
            // not read false as "valid".
            if(e.hasExpired()) expired = true;
    return expired;
Example #10
Source File: From quarkus with Apache License 2.0
/**
 * Resolves the current identity's token credential of the requested type as a
 * {@link JsonWebToken}: returns the existing principal when it already wraps that
 * credential, otherwise re-parses the raw token into claims. Several tokens are
 * missing from this listing (the builder chain and the claim name in setClaim),
 * as are the closing braces.
 */
private JsonWebToken getTokenCredential(Class<? extends TokenCredential> type) {
    if (identity.isAnonymous()) {
        return new NullJsonWebToken();
    if (identity.getPrincipal() instanceof OidcJwtCallerPrincipal
            && ((OidcJwtCallerPrincipal) identity.getPrincipal()).getCredential().getClass() == type) {
        return (JsonWebToken) identity.getPrincipal();
    TokenCredential credential = identity.getCredential(type);
    if (credential != null) {
        // Opaque (non-JWT) access tokens carry no claims to expose
        if (credential instanceof AccessTokenCredential && ((AccessTokenCredential) credential).isOpaque()) {
            throw new OIDCException("Opaque access token can not be converted to JsonWebToken");
        JwtClaims jwtClaims;
        try {
            // NOTE(review): the builder options are not shown. The credential belongs to an
            // already-established identity, so a parse-only consumer would be plausible here,
            // but whether signature verification is skipped cannot be confirmed from this listing.
            jwtClaims = new JwtConsumerBuilder()
        } catch (InvalidJwtException e) {
            throw new OIDCException(e);
        // Presumably attaches the raw token to the claims so the principal can return it later
        jwtClaims.setClaim(, credential.getToken());
        return new OidcJwtCallerPrincipal(jwtClaims, credential);
    String tokenType = type == AccessTokenCredential.class ? "access" : "ID";
    throw new OIDCException("Current identity is not associated with an " + tokenType + " token");
Example #11
Source File: From light with Apache License 2.0
/**
 * Verifies a JWT against the configured X.509 certificate and projects selected
 * claims into a map: userId, clientId, roles and (when present) host.
 * The closing braces are missing from this listing.
 *
 * @param jwt compact-serialized JWT
 * @return the claim map, or null if no claims were produced
 * @throws InvalidJwtException if the token fails signature or claim validation
 * @throws MalformedClaimException if a claim has an unexpected type
 */
public static Map<String, Object> verifyJwt(String jwt) throws InvalidJwtException, MalformedClaimException {
    Map<String, Object> user = null;
    // Signature is verified against 'certificate' (declared outside this method)
    X509VerificationKeyResolver x509VerificationKeyResolver = new X509VerificationKeyResolver(certificate);

    JwtConsumer jwtConsumer = new JwtConsumerBuilder()
            .setRequireExpirationTime() // the JWT must have an expiration time
            // Skew is configured in minutes; the cast+unbox throws NullPointerException if the entry is absent
            .setAllowedClockSkewInSeconds((Integer) config.get(CLOCK_SKEW_IN_MINUTE)*60) // allow some leeway in validating time based claims to account for clock skew
            .setRequireSubject() // the JWT must have a subject claim
            .setVerificationKeyResolver(x509VerificationKeyResolver) // verify the signature with the certificates
            .build(); // create the JwtConsumer instance
    // NOTE(review): no expected issuer/audience and no algorithm whitelist appear in the
    // listing; if that is the real configuration, any token signed by the certificate's key
    // is accepted regardless of its intended recipient.

    //  Validate the JWT and process it to the Claims
    JwtClaims claims = jwtConsumer.processToClaims(jwt);
    if(claims != null) {
        user = new HashMap<String, Object>();
        user.put("userId", claims.getClaimValue("userId"));
        user.put("clientId", claims.getClaimValue("clientId"));
        // Raw type; getStringListClaimValue returns List<String>
        List roles = claims.getStringListClaimValue("roles");
        user.put("roles", roles);
        Object host = claims.getClaimValue("host");
        if(host != null) user.put("host", host);
    return user;
Example #12
Source File: From datamill with ISC License
/**
 * Builds the consumer from the supplied builder and verifies the token, wrapping any
 * jose4j validation failure in a {@link SecurityException} with the cause preserved.
 * (The build()/process call on the first statement has been lost by this listing.)
 */
protected JsonWebToken verify(JwtConsumerBuilder builder, String jwt) {
    try {
        JwtClaims claims =;
        return new JsonWebToken(claims);
    } catch (InvalidJwtException e) {
        // Cause is chained, so the specific reason (expiry, signature, audience) stays diagnosable
        throw new SecurityException(e);
Example #13
Source File: From thorntail with Apache License 2.0
 * This just parses the token without validation to extract one of the following in order to obtain
 * the name to be used for the principal:
 * upn
 * preferred_username
 * subject
 * If there is an exception it sets the name to INVALID_TOKEN_NAME and saves the exception for access
 * via {@link #getJwtException()}
 * @return the name to use for the principal
public String getName() {
    if (name == null) {
        // Sentinel used when the token cannot be parsed at all
        name = "INVALID_TOKEN_NAME";
        try {
            // Build a JwtConsumer that doesn't check signatures or do any validation.
            // (The builder options are missing from this listing.)
            JwtConsumer firstPassJwtConsumer = new JwtConsumerBuilder()

            //The first JwtConsumer is basically just used to parse the JWT into a JwtContext object.
            // Nothing read below has been authenticated: the name comes from an unverified
            // token and must not be trusted until the signature has been checked elsewhere.
            JwtContext jwtContext = firstPassJwtConsumer.process(bearerToken);
            JwtClaims claimsSet = jwtContext.getJwtClaims();
            // We have to determine the unique name to use as the principal name. It comes from upn, preferred_username, sub in that order
            name = claimsSet.getClaimValue("upn", String.class);
            if (name == null) {
                name = claimsSet.getClaimValue("preferred_username", String.class);
                if (name == null) {
                    name = claimsSet.getSubject();
        } catch (Exception e) {
            // NOTE(review): if 'upn' was absent, name is already null when a later lookup throws,
            // so the sentinel is lost and the token is re-parsed on the next call. The same
            // re-parse happens when all three claims are absent.
            jwtException = e;
    return name;
Example #14
Source File: From eplmp with Eclipse Public License 1.0
/**
 * Verifies an auth token and returns the (claims, user/group mapping) pair derived from
 * the JSON document in the subject, or null when verification fails, the subject is not
 * valid JSON, a key is missing, or login/group are blank.
 * The builder's configuration (key, required claims, build()) is missing from this listing.
 */
public static JWTokenUserGroupMapping validateAuthToken(Key key, String jwt) {

        JwtConsumer jwtConsumer = new JwtConsumerBuilder()

        try {
            JwtClaims jwtClaims = jwtConsumer.processToClaims(jwt);
            String subject = jwtClaims.getSubject();

            try (JsonReader reader = Json.createReader(new StringReader(subject))) {
                JsonObject subjectObject = reader.readObject(); // JsonParsingException
                String login = subjectObject.getString(SUBJECT_LOGIN); // Npe
                String groupName = subjectObject.getString(SUBJECT_GROUP_NAME); // Npe

                // javax.json's getString throws rather than returning null, so the null checks
                // are redundant; the isEmpty checks are what actually reject blank values
                if (login != null && !login.isEmpty() && groupName != null && !groupName.isEmpty()) {
                    return new JWTokenUserGroupMapping(jwtClaims, new UserGroupMapping(login, groupName));

        } catch (InvalidJwtException | MalformedClaimException | JsonParsingException | NullPointerException e) {
            // NPE is caught because JsonObject.getString throws it for an absent key (and
            // StringReader for a null subject); getString(name, default) would make that explicit.
            // Rejections are logged at FINE only, so they are invisible with default log levels.
            LOGGER.log(Level.FINE, "Cannot validate jwt token", e);

        return null;

Example #15
Source File: From microprofile-jwt-auth with Apache License 2.0
/**
 * TCK helper: like the RSAPublicKey variant but resolves the verification key from a
 * remote JWKS endpoint. This listing is heavily truncated (builder chain, grace-period
 * branch bodies, build() and closing braces are missing).
 */
protected void validateToken(String token, URL jwksURL, String issuer, int expGracePeriodSecs) throws Exception {
    JwtConsumerBuilder builder = new JwtConsumerBuilder()
            new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.WHITELIST,

    // Fetches the key set over HTTPS (getJsonWebKeys() does the network call, cached by jose4j)
    HttpsJwks keySource = new HttpsJwks(jwksURL.toExternalForm());
    List<JsonWebKey> keys = keySource.getJsonWebKeys();
    // Throws IndexOutOfBoundsException on an empty key set — acceptable in a test, not in production code
    JsonWebKey key = keys.get(0);
    if(key instanceof PublicJsonWebKey) {
        PublicJsonWebKey publicJsonWebKey = (PublicJsonWebKey) key;
        PublicKey pk = publicJsonWebKey.getPublicKey();
        byte[] encoded = pk.getEncoded();
        // Bare base64 of the DER encoding (no PEM header/footer despite the label); public material only
        String pem = Base64.getEncoder().encodeToString(encoded);
        System.out.printf("pk.pem: %s\n", pem);
    // The resolver selects a key from the same JWKS (by 'kid', as I recall) when verifying
    builder.setVerificationKeyResolver(new HttpsJwksVerificationKeyResolver(keySource));

    // Both branch bodies are missing; presumably a positive grace period becomes the
    // allowed clock skew and zero/negative disables it — confirm against the source.
    if (expGracePeriodSecs > 0) {
    else {

    JwtConsumer jwtConsumer =;
    // process() keeps the JOSE structure so the 'typ' header can be inspected after validation
    JwtContext jwtContext = jwtConsumer.process(token);
    String type = jwtContext.getJoseObjects().get(0).getHeader("typ");
    //  Validate the JWT and process it to the Claims

Example #16
Source File: From server_face_recognition with GNU General Public License v3.0
/**
 * Verifies a token and converts its claims into a {@code Token}, or returns null
 * when jose4j rejects it. The builder chain (key, required claims, build()), the
 * {@code try} keyword, the Token constructor arguments and the catch body are all
 * missing from this listing.
 */
public static Token decypherToken(String token) {
    // Algorithm whitelist: only the listed signature algorithm(s) are accepted for 'alg'
    JwtConsumer jwtConsumer = new JwtConsumerBuilder()
                    new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.WHITELIST,

    Token decypheredToken = null;
        JwtClaims jwtClaims = jwtConsumer.processToClaims(token);
        decypheredToken = new Token(token,
    } catch (InvalidJwtException e) {
        // NOTE(review): the catch body is not shown; if it is empty the caller only
        // sees null and loses the reason the token was rejected.

    return decypheredToken;
Example #17
Source File: From smallrye-jwt with Apache License 2.0
/**
 * Copies the configured expected audience(s) onto the builder. The else branch
 * (taken when no audience is configured) is not shown in this listing.
 */
void setExpectedAudience(JwtConsumerBuilder builder, JWTAuthContextInfo authContextInfo) {
    final Set<String> expectedAudience = authContextInfo.getExpectedAudience();

    if (expectedAudience != null) {
        // jose4j matches when any of these values appears in the token's 'aud' claim
        builder.setExpectedAudience(expectedAudience.toArray(new String[0]));
    } else {
        // NOTE(review): if the missing branch disables audience validation, a token
        // issued for a different service is accepted here — verify that is intended.
Example #18
Source File: From blueocean-plugin with MIT License
    public void anonymousUserToken() throws Exception{
        JenkinsRule.WebClient webClient = j.createWebClient();
        String token = getToken(webClient);

        JsonWebStructure jsonWebStructure = JsonWebStructure.fromCompactSerialization(token);

        Assert.assertTrue(jsonWebStructure instanceof JsonWebSignature);

        JsonWebSignature jsw = (JsonWebSignature) jsonWebStructure;

        String kid = jsw.getHeader("kid");


        Page page = webClient.goTo("jwt-auth/jwks/"+kid+"/", "application/json");

//        for(NameValuePair valuePair: page.getWebResponse().getResponseHeaders()){
//            System.out.println(valuePair);
//        }

        JSONObject jsonObject = JSONObject.fromObject(page.getWebResponse().getContentAsString());
        RsaJsonWebKey rsaJsonWebKey = new RsaJsonWebKey(jsonObject,null);

        JwtConsumer jwtConsumer = new JwtConsumerBuilder()
            .setRequireExpirationTime() // the JWT must have an expiration time
            .setAllowedClockSkewInSeconds(30) // allow some leeway in validating time based claims to account for clock skew
            .setRequireSubject() // the JWT must have a subject claim
            .setVerificationKey(rsaJsonWebKey.getKey()) // verify the sign with the public key
            .build(); // create the JwtConsumer instance

        JwtClaims claims = jwtConsumer.processToClaims(token);

        Map<String,Object> claimMap = claims.getClaimsMap();

        Map<String,Object> context = (Map<String, Object>) claimMap.get("context");
        Map<String,String> userContext = (Map<String, String>) context.get("user");
        Assert.assertEquals("anonymous", userContext.get("id"));
Example #19
Source File: From rufus with MIT License
/**
 * Dropwizard wiring for the rufus service: DAOs, feed processing, the JWT consumer
 * and the Jersey auth components. Several lines are missing from this listing
 * (the builder chains, the register(...) call around UserResource, closing parentheses).
 */
public void run(RufusConfiguration conf, Environment env) throws Exception {
    final DBIFactory factory = new DBIFactory();
    final DBI jdbi =, conf.getDataSourceFactory(), DB_SOURCE);

    final UserDao userDao = jdbi.onDemand(UserDao.class);
    final ArticleDao articleDao = jdbi.onDemand(ArticleDao.class);

    final FeedProcessorImpl processor = FeedProcessorImpl.newInstance(articleDao);
    final FeedParser parser = new FeedParser(articleDao, processor);

    // NOTE(review): VERIFICATION_KEY (declared elsewhere) feeds both this HMAC verifier and
    // TokenGenerator below, so it is the shared signing secret; if it is a constant in source
    // rather than injected from configuration, the secret lives in the repository — confirm.
    final JwtConsumer jwtConsumer = new JwtConsumerBuilder()
        .setVerificationKey(new HmacKey(VERIFICATION_KEY))
    final CachingJwtAuthenticator<User> cachingJwtAuthenticator = new CachingJwtAuthenticator<>(
        new JwtAuthenticator(userDao),

    env.jersey().register(new ArticleResource(userDao, articleDao, processor, parser));
        new UserResource(
            new BasicAuthenticator(userDao),
            new TokenGenerator(VERIFICATION_KEY),

    //route source

    env.jersey().register(new AuthValueFactoryProvider.Binder<>(User.class));
    env.jersey().register(new AuthDynamicFeature(
        new JwtAuthFilter.Builder<User>()
Example #20
Source File: From demo-spring-boot-security-oauth2 with MIT License
/**
 * Test fixture: a consumer that performs no validation — {@code setSkipAllValidators()}
 * turns off the claim checks (exp, iss, aud, ...) and {@code setDisableRequireSignature()}
 * is meant to accept tokens without a signature. Anything parsed with it is
 * unauthenticated input; keep this configuration confined to tests.
 * (The rest of the chain, including build(), is not shown in this listing.)
 */
public void setup() {
	jwtConsumer = new JwtConsumerBuilder().setSkipAllValidators().setDisableRequireSignature()
Example #21
Source File: From iloveapis2015-jwt-jwe-jws with Apache License 2.0
/**
 * Looks like an Apigee Java callout: reads the JWT from the message context, records it
 * and the RSA private key in flow variables, then runs the token through a
 * {@link JwtConsumer} (presumably decrypting it, given the variable names) and stores
 * the received claims. Any exception is captured into flow variables and the callout
 * still returns {@code SUCCESS}, so the policy itself never fails the request — the
 * proxy flow must check the error variable. Several lines (the builder chain, closing
 * braces) are missing from this listing.
 */
public ExecutionResult execute (MessageContext msgCtxt,
        ExecutionContext exeCtxt) {
    String varName;

    try {
        String encryptedJwt = getJwt(msgCtxt); // dot-separated JWT
        // diagnostic purposes
        varName = getVarname("jwt");
        msgCtxt.setVariable(varName, encryptedJwt);

        RSAPrivateKey privateKey = (RSAPrivateKey) getPrivateKey(msgCtxt);
        // NOTE(review): if this is sun.misc.BASE64Encoder it is an internal API removed in
        // newer JDKs; java.util.Base64 is the supported replacement.
        BASE64Encoder b64 = new BASE64Encoder();
        varName = getVarname("PrivateKey");
        // NOTE(review): this writes the encoded private key into a flow variable. Flow variables
        // are commonly visible in traces/debug sessions, so this exposes the key material;
        // remove it (or restrict it to a debug build) before production use.
        msgCtxt.setVariable(varName, b64.encode(privateKey.getEncoded()));

        /***************************RECEIVER'S END ***********************************/

        // Builder options are not shown in the listing, so which checks apply (key, expiry,
        // issuer/audience) cannot be confirmed here.
        JwtConsumer consumer = new JwtConsumerBuilder()
        JwtClaims receivedClaims = consumer.processToClaims(encryptedJwt);
        //System.out.println("SUCESS :: JWT Validation :: " + receivedClaims);
        String receivedClaimsJSON = receivedClaims.getRawJson();

        varName = getVarname("receivedClaims");
        msgCtxt.setVariable(varName, receivedClaimsJSON);
    catch (Exception e) {
        // Errors are reported through variables rather than a failing result; the full
        // stack trace goes into a flow variable too.
        varName = getVarname("error");
        msgCtxt.setVariable(varName, "Exception (A): " + e.toString());
        varName = getVarname("stacktrace");
        msgCtxt.setVariable(varName, "Stack (A): " + ExceptionUtils.getStackTrace(e));
    return ExecutionResult.SUCCESS;

Example #22
Source File: From microprofile-jwt-auth with Apache License 2.0
private void validateToken(String jweCompact, SignatureAlgorithm signatureAlgorithm, boolean jwtExpected) throws Exception {
    JsonWebEncryption jwe = new JsonWebEncryption();
       new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.WHITELIST, "RSA-OAEP"));
    RSAPrivateKey privateKey = (RSAPrivateKey) TokenUtils.readPrivateKey("/privateKey.pem");
    String token = jwe.getPlaintextString();

    if (jwtExpected) {
        if (!"JWT".equals(jwe.getHeader("cty"))) {
            throw new InvalidJwtException("'cty' header is missing", Collections.emptyList(), null);
    else {

    // verify the nested token
    PublicKey publicKey = signatureAlgorithm == SignatureAlgorithm.RS256 ? TokenUtils.readPublicKey("/publicKey.pem")
            : TokenUtils.readECPublicKey("/ecPublicKey.pem");

    int expGracePeriodSecs = 60;

    JwtConsumerBuilder builder = new JwtConsumerBuilder();

    // 'exp' must be available
    // 'iat' must be available
    // 'RS256' is required
       new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.WHITELIST, signatureAlgorithm.getAlgorithm()));

    // issuer must be equal to TCKConstants.TEST_ISSUER
    builder.setExpectedIssuer(true, TCKConstants.TEST_ISSUER);

    JwtClaims claimsSet =;
    // Confirm all the claims available in /Token1.json have made it into the verified claimSet

    Assert.assertEquals(claimsSet.getClaimsMap().size(), 19);
    Assert.assertEquals(claimsSet.getIssuer(), "");
    Assert.assertEquals(claimsSet.getJwtId(), "a-123");
    Assert.assertEquals(claimsSet.getSubject(), "24400320");
    Assert.assertEquals(claimsSet.getClaimValueAsString("upn"), "");
    Assert.assertEquals(claimsSet.getClaimValueAsString("preferred_username"), "jdoe");
    Assert.assertEquals(claimsSet.getAudience().size(), 1);
    Assert.assertEquals(claimsSet.getAudience().get(0), "s6BhdRkqt3");
    long exp = claimsSet.getExpirationTime().getValue();
    Assert.assertEquals(claimsSet.getIssuedAt().getValue(), exp - 300);
    Assert.assertEquals(NumericDate.fromSeconds(claimsSet.getClaimValue("auth_time", Long.class)).getValue(),
            exp - 300);
    Assert.assertEquals(claimsSet.getClaimValueAsString("customString"), "customStringValue");
    Assert.assertEquals(claimsSet.getClaimValue("customInteger", Long.class), Long.valueOf(123456789));
    Assert.assertEquals(claimsSet.getClaimValue("customDouble", Double.class), 3.141592653589793);
    Assert.assertEquals(((List<?>)claimsSet.getClaimsMap().get("roles")).size(), 1);
    Assert.assertEquals(((List<?>)claimsSet.getClaimsMap().get("groups")).size(), 4);
    Assert.assertEquals(((List<?>)claimsSet.getClaimsMap().get("customStringArray")).size(), 3);
    Assert.assertEquals(((List<?>)claimsSet.getClaimsMap().get("customIntegerArray")).size(), 4);
    Assert.assertEquals(((List<?>)claimsSet.getClaimsMap().get("customDoubleArray")).size(), 5);
    Assert.assertEquals(((Map<?, ?>)claimsSet.getClaimsMap().get("customObject")).size(), 3);
Example #23
Source File: From microprofile-jwt-auth with Apache License 2.0
private void validateToken(String token, SignatureAlgorithm algorithm, Long expectedExpValue) throws Exception {

        PublicKey publicKey = algorithm == SignatureAlgorithm.RS256 ? TokenUtils.readPublicKey("/publicKey.pem")
            : TokenUtils.readECPublicKey("/ecPublicKey.pem");
        int expGracePeriodSecs = 60;

        JwtConsumerBuilder builder = new JwtConsumerBuilder();

        // 'exp' must be available
        // 'iat' must be available
        // 'RS256' is required
           new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.WHITELIST, algorithm.getAlgorithm()));

        // issuer must be equal to TCKConstants.TEST_ISSUER
        builder.setExpectedIssuer(true, TCKConstants.TEST_ISSUER);

        JwtClaims claimsSet =;
        // Confirm all the claims available in /Token1.json have made it into the verified claimSet

        Assert.assertEquals(claimsSet.getClaimsMap().size(), 19);
        Assert.assertEquals(claimsSet.getIssuer(), "");
        Assert.assertEquals(claimsSet.getJwtId(), "a-123");
        Assert.assertEquals(claimsSet.getSubject(), "24400320");
        Assert.assertEquals(claimsSet.getClaimValueAsString("upn"), "");
        Assert.assertEquals(claimsSet.getClaimValueAsString("preferred_username"), "jdoe");
        Assert.assertEquals(claimsSet.getAudience().size(), 1);
        Assert.assertEquals(claimsSet.getAudience().get(0), "s6BhdRkqt3");
        if (expectedExpValue != null) {
            Assert.assertEquals(claimsSet.getExpirationTime().getValue(), (long)expectedExpValue);
            Assert.assertEquals(claimsSet.getIssuedAt().getValue(), expectedExpValue - 5);
            Assert.assertEquals(NumericDate.fromSeconds(claimsSet.getClaimValue("auth_time", Long.class)).getValue(),
                    expectedExpValue - 5);
        else {
            long exp = claimsSet.getExpirationTime().getValue();
            Assert.assertEquals(claimsSet.getIssuedAt().getValue(), exp - 300);
            Assert.assertEquals(NumericDate.fromSeconds(claimsSet.getClaimValue("auth_time", Long.class)).getValue(),
                    exp - 300);

        Assert.assertEquals(claimsSet.getClaimValueAsString("customString"), "customStringValue");
        Assert.assertEquals(claimsSet.getClaimValue("customInteger", Long.class), Long.valueOf(123456789));
        Assert.assertEquals(claimsSet.getClaimValue("customDouble", Double.class), 3.141592653589793);
        Assert.assertTrue(claimsSet.getClaimValue("customBoolean", Boolean.class));
        Assert.assertEquals(((List<?>)claimsSet.getClaimsMap().get("roles")).size(), 1);
        Assert.assertEquals(((List<?>)claimsSet.getClaimsMap().get("groups")).size(), 4);
        Assert.assertEquals(((List<?>)claimsSet.getClaimsMap().get("customStringArray")).size(), 3);
        Assert.assertEquals(((List<?>)claimsSet.getClaimsMap().get("customIntegerArray")).size(), 4);
        Assert.assertEquals(((List<?>)claimsSet.getClaimsMap().get("customDoubleArray")).size(), 5);
        Assert.assertEquals(((Map<?, ?>)claimsSet.getClaimsMap().get("customObject")).size(), 3);
Example #24
Source File: From microprofile-jwt-auth with Apache License 2.0
private void validateToken(String token, Long expectedExpValue) throws Exception {

        RSAPrivateKey privateKey = (RSAPrivateKey) TokenUtils.readPrivateKey("/privateKey.pem");
        int expGracePeriodSecs = 60;

        JwtConsumerBuilder builder = new JwtConsumerBuilder();
        // 'exp' must be available
        // 'iat' must be available
        // 'RSA-OAEP' is required
           new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.WHITELIST, "RSA-OAEP"));

        // issuer must be equal to TCKConstants.TEST_ISSUER
        builder.setExpectedIssuer(true, TCKConstants.TEST_ISSUER);

        JwtClaims claimsSet =;
        // Confirm all the claims available in /Token1.json have made it into the verified claimSet

        Assert.assertEquals(claimsSet.getClaimsMap().size(), 19);
        Assert.assertEquals(claimsSet.getIssuer(), "");
        Assert.assertEquals(claimsSet.getJwtId(), "a-123");
        Assert.assertEquals(claimsSet.getSubject(), "24400320");
        Assert.assertEquals(claimsSet.getClaimValueAsString("upn"), "");
        Assert.assertEquals(claimsSet.getClaimValueAsString("preferred_username"), "jdoe");
        Assert.assertEquals(claimsSet.getAudience().size(), 1);
        Assert.assertEquals(claimsSet.getAudience().get(0), "s6BhdRkqt3");
        if (expectedExpValue != null) {
            Assert.assertEquals(claimsSet.getExpirationTime().getValue(), (long)expectedExpValue);
            Assert.assertEquals(claimsSet.getIssuedAt().getValue(), expectedExpValue - 5);
            Assert.assertEquals(NumericDate.fromSeconds(claimsSet.getClaimValue("auth_time", Long.class)).getValue(),
                    expectedExpValue - 5);
        else {
            long exp = claimsSet.getExpirationTime().getValue();
            Assert.assertEquals(claimsSet.getIssuedAt().getValue(), exp - 300);
            Assert.assertEquals(NumericDate.fromSeconds(claimsSet.getClaimValue("auth_time", Long.class)).getValue(),
                    exp - 300);

        Assert.assertEquals(claimsSet.getClaimValueAsString("customString"), "customStringValue");
        Assert.assertEquals(claimsSet.getClaimValue("customInteger", Long.class), Long.valueOf(123456789));
        Assert.assertEquals(claimsSet.getClaimValue("customDouble", Double.class), 3.141592653589793);
        Assert.assertEquals(((List<?>)claimsSet.getClaimsMap().get("roles")).size(), 1);
        Assert.assertEquals(((List<?>)claimsSet.getClaimsMap().get("groups")).size(), 4);
        Assert.assertEquals(((List<?>)claimsSet.getClaimsMap().get("customStringArray")).size(), 3);
        Assert.assertEquals(((List<?>)claimsSet.getClaimsMap().get("customIntegerArray")).size(), 4);
        Assert.assertEquals(((List<?>)claimsSet.getClaimsMap().get("customDoubleArray")).size(), 5);
        Assert.assertEquals(((Map<?, ?>)claimsSet.getClaimsMap().get("customObject")).size(), 3);
Example #25
Source File: From tomee with Apache License 2.0
public void validateJWKS() throws Exception {
    System.setProperty(Names.VERIFIER_PUBLIC_KEY, "");
    System.setProperty(Names.VERIFIER_PUBLIC_KEY_LOCATION, "file://" +
                                                           Paths.get("").toAbsolutePath().toString() +
    System.setProperty(Names.ISSUER, TCKConstants.TEST_ISSUER);

    final PrivateKey privateKey = TokenUtils.readPrivateKey("/privateKey4k.pem");
    final String kid = "publicKey4k";
    final String token = TokenUtils.generateTokenString(privateKey, kid, "/Token1.json", null, new HashMap<>());
    System.out.println("token = " + token);

    final JWTAuthConfigurationProperties JWTAuthConfigurationProperties = new JWTAuthConfigurationProperties();

    final JWTAuthConfiguration jwtAuthConfiguration =

    final JwtConsumerBuilder jwtConsumerBuilder = new JwtConsumerBuilder()
            .setJwsAlgorithmConstraints(new AlgorithmConstraints(WHITELIST, RSA_USING_SHA256))

    if (jwtAuthConfiguration.getExpGracePeriodSecs() > 0) {
    } else {

    if (jwtAuthConfiguration.isSingleKey()) {
    } else {
        jwtConsumerBuilder.setVerificationKeyResolver(new JwksVerificationKeyResolver(jwtAuthConfiguration.getPublicKeys()));

    final JwtConsumer jwtConsumer =;
    final JwtContext jwtContext = jwtConsumer.process(token);
    Assert.assertEquals(jwtContext.getJwtClaims().getStringClaimValue("upn"), "");
Example #26
Source File: From blueocean-plugin with MIT License
    public void getToken() throws Exception {

        User user = User.get("alice");
        user.setFullName("Alice Cooper");
        user.addProperty(new Mailer.UserProperty(""));

        JenkinsRule.WebClient webClient = j.createWebClient();


        String token = getToken(webClient);


        JsonWebStructure jsonWebStructure = JsonWebStructure.fromCompactSerialization(token);

        Assert.assertTrue(jsonWebStructure instanceof JsonWebSignature);

        JsonWebSignature jsw = (JsonWebSignature) jsonWebStructure;


        String kid = jsw.getHeader("kid");


        Page page = webClient.goTo("jwt-auth/jwks/"+kid+"/", "application/json");

//        for(NameValuePair valuePair: page.getWebResponse().getResponseHeaders()){
//            System.out.println(valuePair);
//        }

        JSONObject jsonObject = JSONObject.fromObject(page.getWebResponse().getContentAsString());
        RsaJsonWebKey rsaJsonWebKey = new RsaJsonWebKey(jsonObject,null);

        JwtConsumer jwtConsumer = new JwtConsumerBuilder()
            .setRequireExpirationTime() // the JWT must have an expiration time
            .setAllowedClockSkewInSeconds(30) // allow some leeway in validating time based claims to account for clock skew
            .setRequireSubject() // the JWT must have a subject claim
            .setVerificationKey(rsaJsonWebKey.getKey()) // verify the sign with the public key
            .build(); // create the JwtConsumer instance

        JwtClaims claims = jwtConsumer.processToClaims(token);

        Map<String,Object> claimMap = claims.getClaimsMap();

        Map<String,Object> context = (Map<String, Object>) claimMap.get("context");
        Map<String,String> userContext = (Map<String, String>) context.get("user");
        Assert.assertEquals("alice", userContext.get("id"));
        Assert.assertEquals("Alice Cooper", userContext.get("fullName"));
        Assert.assertEquals("", userContext.get("email"));