Java Code Examples for com.nimbusds.jwt.SignedJWT#sign()

The following examples show how to use com.nimbusds.jwt.SignedJWT#sign(). Each example links to the original project and source file. Note that sign() only computes the signature: the signer's key must match the algorithm named in the JWS header (MACSigner, for instance, rejects HS256 secrets shorter than 256 bits with a JOSEException), the claims are taken as given (caller-supplied claim maps can silently override exp/nbf/sub), and any JWK parameters handed to a verifier must be base64url-encoded without padding.
Example 1
Source File: ScooldUtils.java — From scoold (Apache License 2.0)
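/**
 * Builds and HMAC-signs (HS256) a JWT for this app.
 *
 * Registered claims set here: iat and nbf = now, exp = now + validitySeconds (omitted when
 * validitySeconds <= 0, i.e. a non-expiring token), and the app id claim. The entries of
 * {@code claims} are applied afterwards and therefore OVERRIDE any of these when they use the
 * same key, so callers must not pass untrusted keys such as "exp" or "nbf".
 *
 * @param claims          extra claims to add; may be null or empty
 * @param validitySeconds token lifetime in seconds; values <= 0 produce a token without "exp"
 * @return the signed token, or null if app_secret_key is blank or signing fails
 *         (MACSigner rejects secrets shorter than 256 bits with a JOSEException)
 */
public SignedJWT generateJWToken(Map<String, Object> claims, long validitySeconds) {
	String secret = Config.getConfigParam("app_secret_key", "");
	if (StringUtils.isBlank(secret)) {
		logger.error("Failed to generate JWT token - app_secret_key is blank.");
		return null;
	}
	try {
		Date now = new Date();
		JWTClaimsSet.Builder claimsSet = new JWTClaimsSet.Builder();
		claimsSet.issueTime(now);
		if (validitySeconds > 0) {
			claimsSet.expirationTime(new Date(now.getTime() + (validitySeconds * 1000)));
		}
		claimsSet.notBeforeTime(now);
		claimsSet.claim(Config._APPID, Config.getConfigParam("access_key", "x"));
		if (claims != null) {
			// Applied last: these win over the registered claims above on key collision.
			claims.forEach(claimsSet::claim);
		}
		JWSSigner signer = new MACSigner(secret);
		SignedJWT signedJWT = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256), claimsSet.build());
		signedJWT.sign(signer);
		return signedJWT;
	} catch (JOSEException e) {
		// Previously this fell through to the "app_secret_key is blank" error, which misreported
		// signing failures (e.g. a secret shorter than 256 bits) as a missing secret.
		logger.warn("Unable to sign JWT: {}.", e.getMessage());
		return null;
	}
}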
 
Example 2
Source File: AbstractGrantTypeHandler.java — From tutorials (MIT License)
/**
 * Issues a signed access token for {@code subject} on behalf of {@code clientId}.
 *
 * Claims: iss and aud (fixed localhost URLs in this sample), sub, "upn" = subject, client_id,
 * scope, a "groups" list split from the space-separated scope string, exp = now + expiresInMin
 * minutes, nbf and iat = now, and a random jti. The token is signed with the configured
 * signer under the configured header.
 *
 * @param clientId      the OAuth client the token is issued to
 * @param subject       the end user; also copied into "upn"
 * @param approvedScope space-separated scopes granted to the client
 * @return the compact serialization of the signed JWT
 * @throws Exception if obtaining the signer or signing fails
 */
protected String getAccessToken(String clientId, String subject, String approvedScope) throws Exception {
    JWSSigner tokenSigner = getJwsSigner();

    Instant issuedAt = Instant.now();
    Date issuedAtDate = Date.from(issuedAt);
    Date expiresAt = Date.from(issuedAt.plus(expiresInMin, ChronoUnit.MINUTES));

    // NOTE: issuer/audience are sample values; a real deployment uses its own URLs.
    JWTClaimsSet.Builder claims = new JWTClaimsSet.Builder()
            .issuer("http://localhost:9080")
            .subject(subject)
            .claim("upn", subject)
            .claim("client_id", clientId)
            .audience("http://localhost:9280")
            .claim("scope", approvedScope)
            .claim("groups", Arrays.asList(approvedScope.split(" ")))
            .expirationTime(expiresAt)
            .notBeforeTime(issuedAtDate)
            .issueTime(issuedAtDate)
            .jwtID(UUID.randomUUID().toString());

    SignedJWT accessToken = new SignedJWT(jwsHeader, claims.build());
    accessToken.sign(tokenSigner);
    return accessToken.serialize();
}
 
Example 3
Source File: JSONWebTokenManager.java — From authmore-framework (Apache License 2.0)
/**
 * Creates an RS256-signed access token for {@code userId} under {@code client}.
 *
 * Note: the expiry is carried in the custom TOKEN_EXPIRE_AT claim rather than the registered
 * "exp", so generic JWT validators will not enforce it; the JWS header carries no kid; and a
 * signing failure is reported as OAuthException without the underlying JOSEException attached.
 *
 * @param client the requesting client; the scopes are validated against it first
 * @param userId the subject of the token
 * @param scopes the scopes requested for the token
 * @return the compact JWT together with the client's access-token validity and the scopes
 * @throws OAuthException if signing fails
 */
@Override
public TokenResponse create(ClientDetails client, String userId, Set<String> scopes) {
    assertValidateScopes(client, scopes);

    JWTClaimsSet claimSet = new JWTClaimsSet.Builder()
            .claim(TOKEN_USER_ID, userId)
            .claim(TOKEN_CLIENT_ID, client.getClientId())
            .claim(TOKEN_AUTHORITIES, client.getAuthoritySet())
            .claim(TOKEN_SCOPES, scopes)
            .claim(TOKEN_EXPIRE_AT, expireAtByLiveTime(client.getAccessTokenValiditySeconds()))
            .claim(TOKEN_RESOURCE_IDS, client.getResourceIds())
            .build();

    JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256).build();
    SignedJWT token = new SignedJWT(header, claimSet);
    try {
        token.sign(new RSASSASigner(keyPair.getPrivate()));
    } catch (JOSEException e) {
        throw new OAuthException("Failed to sign jwt.");
    }
    return new TokenResponse(token.serialize(), client.getAccessTokenValiditySeconds(), scopes);
}
 
Example 4
Source File: JwtAuthorizerTest.java — From outbackcdx (Apache License 2.0)
/**
 * Round trip: sign a token with a freshly generated 2048-bit RSA key and check that
 * JwtAuthorizer, given only the public JWK, verifies it and maps the "permissions" claim to
 * the expected Permission set. The scheme word is mixed-case ("beARer") to exercise
 * case-insensitive parsing of the Authorization value.
 */
@Test
public void test() throws Exception {
    RSAKey signingKey = new RSAKeyGenerator(2048).generate();

    JWTClaimsSet claims = new JWTClaimsSet.Builder()
            .expirationTime(Date.from(Instant.now().plus(1, ChronoUnit.DAYS)))
            .claim("permissions", Arrays.asList(RULES_EDIT.toString(), INDEX_EDIT.toString()))
            .build();
    JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(signingKey.getKeyID()).build();
    SignedJWT jwt = new SignedJWT(header, claims);
    jwt.sign(new RSASSASigner(signingKey));

    // The verifier only ever sees the public half of the key.
    JWKSet publicKeys = new JWKSet(signingKey.toPublicJWK());
    JwtAuthorizer authorizer = new JwtAuthorizer(new ImmutableJWKSet<>(publicKeys), "permissions");
    Set<Permission> granted = authorizer.verify("beARer " + jwt.serialize()).permissions;
    assertEquals(EnumSet.of(RULES_EDIT, INDEX_EDIT), granted);
}
 
Example 5
Source File: DefaultJwtSigningAndValidationService.java — From MaxKey (Apache License 2.0)
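/**
 * Signs {@code jwt} in place with the configured default signer.
 *
 * @param jwt the unsigned JWT; its header must name an algorithm the default signer supports
 * @throws IllegalStateException if no default signer id is configured, if no signer is registered
 *         under that id, or if signing fails (the JOSEException is attached as the cause).
 *         Previously a signing failure was only logged and the JWT was silently left unsigned,
 *         and a missing signer surfaced as a NullPointerException from inside SignedJWT.sign().
 */
@Override
public void signJwt(SignedJWT jwt) {
	String keyId = getDefaultSignerKeyId();
	if (keyId == null) {
		throw new IllegalStateException("Tried to call default signing with no default signer ID set");
	}

	JWSSigner signer = signers.get(keyId);
	if (signer == null) {
		throw new IllegalStateException("No signer registered for default signer ID " + keyId);
	}

	try {
		jwt.sign(signer);
	} catch (JOSEException e) {
		logger.error("Failed to sign JWT, error was: ", e);
		// Do not hand an unsigned JWT back to the caller; fail loudly with the cause attached.
		throw new IllegalStateException("Failed to sign JWT with key " + keyId, e);
	}
}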
 
Example 6
Source File: AuthorizationRequestParseRequestObjectHandlerTest.java — From graviteeio-access-management (Apache License 2.0)
/**
 * Produces a signed request object (kid "rsa-signature", exp one minute out) whose
 * "redirect_uri" claim points at an address other than the registered one. The token is
 * printed for use elsewhere; nothing is asserted here.
 */
@Test
public void override_redirect_uri() throws Exception {
    JWSSigner signer = new RSASSASigner(getRSAKey());
    Date inOneMinute = new Date(System.currentTimeMillis() + 60 * 1000);

    JWTClaimsSet claims = new JWTClaimsSet.Builder()
            .subject("alice")
            .issuer("https://c2id.com")
            .claim("redirect_uri", "https://op-test:60001/authz_cb")
            .expirationTime(inOneMinute)
            .build();
    JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256).keyID("rsa-signature").build();

    SignedJWT requestObject = new SignedJWT(header, claims);
    requestObject.sign(signer);
    System.out.println(requestObject.serialize());
}
 
Example 7
Source File: JWSServiceTest.java — From graviteeio-access-management (Apache License 2.0)
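/**
 * A token signed with a random 256-bit secret must verify against the matching "oct" JWK.
 *
 * The JWK "k" member is the raw secret encoded as base64url WITHOUT padding (RFC 7518 §6.4.1,
 * RFC 7515 §2). The previous standard Base64 encoding could emit '+', '/' and '=' characters,
 * which are not valid base64url and only verified when the decoder happened to be lenient.
 */
@Test
public void testValidSignature_OCT() throws JOSEException{
    byte[] sharedSecret = new byte[32];   // 256 bits: the minimum MACSigner accepts for HS256
    new SecureRandom().nextBytes(sharedSecret);

    OCTKey key = new OCTKey();
    key.setKty("oct");
    key.setKid(KID);
    key.setK(Base64.getUrlEncoder().withoutPadding().encodeToString(sharedSecret));

    // Sign a minimal JWT (exp only) with the same secret under kid KID.
    SignedJWT signedJWT = new SignedJWT(
            new JWSHeader.Builder(JWSAlgorithm.HS256).keyID(KID).build(),
            new JWTClaimsSet.Builder()
                    .expirationTime(Date.from(Instant.now().plus(1, ChronoUnit.DAYS)))
                    .build()
    );
    signedJWT.sign(new MACSigner(sharedSecret));

    assertTrue("Should be ok", jwsService.isValidSignature(signedJWT, key));
}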
 
Example 8
Source File: AuthorizationRequestParseRequestObjectHandlerTest.java — From graviteeio-access-management (Apache License 2.0)
/**
 * Produces a signed request object (kid "rsa-signature", exp one minute out) that carries its
 * own "state" and "nonce" claims, i.e. the values a handler must not let override the ones
 * from the outer authorization request. The token is printed; nothing is asserted here.
 */
@Test
public void invalid_do_not_override_state_and_nonce() throws Exception {
    JWSSigner signer = new RSASSASigner(getRSAKey());
    Date inOneMinute = new Date(System.currentTimeMillis() + 60 * 1000);

    JWTClaimsSet claims = new JWTClaimsSet.Builder()
            .subject("alice")
            .issuer("https://c2id.com")
            .claim("state", "override-state")
            .claim("nonce", "override-nonce")
            .expirationTime(inOneMinute)
            .build();
    JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256).keyID("rsa-signature").build();

    SignedJWT requestObject = new SignedJWT(header, claims);
    requestObject.sign(signer);
    System.out.println(requestObject.serialize());
}
 
Example 9
Source File: AuthorizationRequestParseRequestObjectHandlerTest.java — From graviteeio-access-management (Apache License 2.0)
/**
 * Produces a request object whose "client_id" claim names a client that does not exist.
 * Both the unsigned (PlainJWT) and the RS256-signed form are printed; nothing is asserted.
 */
@Test
public void invalid_client() throws Exception {
    JWSSigner signer = new RSASSASigner(getRSAKey());
    Date inOneMinute = new Date(System.currentTimeMillis() + 60 * 1000);

    JWTClaimsSet claims = new JWTClaimsSet.Builder()
            .subject("alice")
            .issuer("https://c2id.com")
            .claim("client_id", "unknown_client")
            .expirationTime(inOneMinute)
            .build();

    // Unsigned variant of the same claims, for comparison.
    System.out.println(new PlainJWT(claims).serialize());

    JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256).keyID("rsa-signature").build();
    SignedJWT requestObject = new SignedJWT(header, claims);
    requestObject.sign(signer);
    System.out.println(requestObject.serialize());
}
 
Example 10
Source File: AuthorizationRequestParseRequestObjectHandlerTest.java — From graviteeio-access-management (Apache License 2.0)
/**
 * Produces a minimal signed request object (sub, iss, exp one minute out; kid "rsa-signature")
 * with none of the OAuth request parameters. The token is printed; nothing is asserted here.
 */
@Test
public void invalid_request_object() throws Exception {
    JWSSigner signer = new RSASSASigner(getRSAKey());
    Date inOneMinute = new Date(System.currentTimeMillis() + 60 * 1000);

    JWTClaimsSet claims = new JWTClaimsSet.Builder()
            .subject("alice")
            .issuer("https://c2id.com")
            .expirationTime(inOneMinute)
            .build();
    JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256).keyID("rsa-signature").build();

    SignedJWT requestObject = new SignedJWT(header, claims);
    requestObject.sign(signer);
    System.out.println(requestObject.serialize());
}
 
Example 11
Source File: TokenUtils.java — From tomee (Apache License 2.0)
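/**
 * Builds an RS256-signed JWT from a JSON claims template on the classpath.
 *
 * The template's iat and auth_time are overwritten with the current time (seconds) and exp
 * with now + 1000 seconds. The header names the signing key "/privateKey.pem" (kid) and the
 * signature is made with the private key read from the "privateKey.pem" resource.
 *
 * @param jsonResource classpath name of the JSON claims template (at most 16 KiB)
 * @return the compact serialization of the signed JWT
 * @throws IllegalArgumentException if the resource is not on the classpath
 * @throws IllegalStateException if the resource exceeds the 16 KiB buffer
 *         (it would otherwise be parsed truncated)
 * @throws Exception on I/O, parse or signing failure
 */
public static String generateJWTString(String jsonResource) throws Exception {
    java.net.URL resource = currentThread().getContextClassLoader().getResource(jsonResource);
    if (resource == null) {
        throw new IllegalArgumentException("Classpath resource not found: " + jsonResource);
    }

    // Read the whole resource and close the stream. A single read() may return fewer bytes
    // than are available, and the previous version parsed whatever that one call returned
    // and never closed the stream.
    byte[] buffer = new byte[16384];
    int length = 0;
    try (java.io.InputStream in = resource.openStream()) {
        int n;
        while (length < buffer.length && (n = in.read(buffer, length, buffer.length - length)) != -1) {
            length += n;
        }
        if (length == buffer.length && in.read() != -1) {
            throw new IllegalStateException("Resource " + jsonResource + " exceeds " + buffer.length + " bytes");
        }
    }

    JSONParser parser = new JSONParser(DEFAULT_PERMISSIVE_MODE);
    JSONObject jwtJson = (JSONObject) parser.parse(java.util.Arrays.copyOf(buffer, length));

    long nowSeconds = System.currentTimeMillis() / 1000;
    jwtJson.put(Claims.iat.name(), nowSeconds);
    jwtJson.put(Claims.auth_time.name(), nowSeconds);
    jwtJson.put(Claims.exp.name(), nowSeconds + 1000);   // test-only lifetime (~16.7 minutes)

    SignedJWT signedJWT = new SignedJWT(new JWSHeader
            .Builder(RS256)
            .keyID("/privateKey.pem")
            .type(JWT)
            .build(), parse(jwtJson));

    signedJWT.sign(new RSASSASigner(readPrivateKey("privateKey.pem")));

    return signedJWT.serialize();
}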
 
Example 12
Source File: AbstractGrantTypeHandler.java — From tutorials (MIT License)
/**
 * Issues a signed refresh token for {@code subject}/{@code clientId} that expires in one day.
 *
 * Only sub, client_id, scope and exp are set: there is no iat, nbf or jti, so a refresh token
 * carries no per-token identifier that could be used to revoke it individually.
 *
 * @param clientId      the OAuth client the token is issued to
 * @param subject       the end user
 * @param approvedScope space-separated scopes granted to the client
 * @return the compact serialization of the signed JWT
 * @throws Exception if obtaining the signer or signing fails
 */
protected String getRefreshToken(String clientId, String subject, String approvedScope) throws Exception {
    JWSSigner tokenSigner = getJwsSigner();
    Date expiresAt = Date.from(Instant.now().plus(1, ChronoUnit.DAYS));

    JWTClaimsSet claims = new JWTClaimsSet.Builder()
            .subject(subject)
            .claim("client_id", clientId)
            .claim("scope", approvedScope)
            .expirationTime(expiresAt)
            .build();

    SignedJWT refreshToken = new SignedJWT(jwsHeader, claims);
    refreshToken.sign(tokenSigner);
    return refreshToken.serialize();
}
 
Example 13
Source File: TokenHelperImpl.java — From peer-os (Apache License 2.0)
/**
 * Builds and HMAC-signs (HS256) a token carrying iss, sub, iat and exp.
 *
 * @param issuer     the "iss" claim
 * @param subject    the "sub" claim
 * @param issueTime  the "iat" claim
 * @param expireTime the "exp" claim
 * @param secret     the HMAC key as a String (MACSigner uses its UTF-8 bytes and requires
 *                   at least 256 bits, i.e. 32 bytes)
 * @return the compact serialization of the signed JWT
 * @throws JOSEException if the secret is too short or signing fails
 */
protected String generate( final String issuer, final String subject, final Date issueTime, final Date expireTime,
                           final String secret ) throws JOSEException
{
    JWTClaimsSet claims = new JWTClaimsSet.Builder()
                                          .expirationTime( expireTime )
                                          .issuer( issuer )
                                          .issueTime( issueTime )
                                          .subject( subject )
                                          .build();

    SignedJWT token = new SignedJWT( new JWSHeader( JWSAlgorithm.HS256 ), claims );
    token.sign( new MACSigner( secret ) );
    return token.serialize();
}
 
Example 14
Source File: DCOSAuthCredentials.java — From marathon-client (Apache License 2.0)
/**
 * Builds the RS256-signed login assertion used by this credentials class: header typ=JWT and
 * a single "uid" claim. No exp or iat is set, so the assertion does not expire on its own.
 *
 * @param uid        the service-account id placed in the "uid" claim
 * @param privateKey the RSA private key used to sign
 * @return the compact serialization of the signed JWT
 * @throws RuntimeException wrapping the JOSEException if signing fails
 */
private static String signJWT(String uid, PrivateKey privateKey) {
    JWTClaimsSet claims = new JWTClaimsSet.Builder().claim("uid", uid).build();
    JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256).type(JOSEObjectType.JWT).build();
    SignedJWT token = new SignedJWT(header, claims);
    try {
        token.sign(new RSASSASigner(privateKey));
    } catch (JOSEException e) {
        throw new RuntimeException(e);
    }
    return token.serialize();
}
 
Example 15
Source File: JWSServiceTest.java — From graviteeio-access-management (Apache License 2.0)
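/**
 * A token signed with a freshly generated P-521 key must verify against the matching EC JWK.
 *
 * The JWK "x"/"y" members are the affine coordinates as fixed-length big-endian octet strings
 * of the curve's field size (66 bytes for P-521), base64url-encoded without padding (RFC 7518
 * §6.2.1.2, RFC 7515 §2). BigInteger.toByteArray() cannot be used as-is: it is two's complement,
 * so it may prepend a 0x00 sign byte or come out shorter than the field size.
 */
@Test
public void testValidSignature_EC() throws NoSuchAlgorithmException, InvalidAlgorithmParameterException, JOSEException {
    KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
    kpg.initialize(new ECGenParameterSpec(Curve.P_521.getStdName()));
    KeyPair ecKey = kpg.generateKeyPair();

    ECPublicKey ecPublicKey = (ECPublicKey) ecKey.getPublic();
    int coordinateBytes = (ecPublicKey.getParams().getCurve().getField().getFieldSize() + 7) / 8;
    ECKey key = new ECKey();
    key.setKty("EC");
    key.setKid(KID);
    key.setCrv(Curve.P_521.getName());
    key.setX(encodeCoordinate(ecPublicKey.getW().getAffineX(), coordinateBytes));
    key.setY(encodeCoordinate(ecPublicKey.getW().getAffineY(), coordinateBytes));

    // Sign a minimal JWT (exp only) with the private half under kid KID.
    SignedJWT signedJWT = new SignedJWT(
            new JWSHeader.Builder(JWSAlgorithm.ES512).keyID(KID).build(),
            new JWTClaimsSet.Builder()
                    .expirationTime(Date.from(Instant.now().plus(1, ChronoUnit.DAYS)))
                    .build()
    );
    signedJWT.sign(new ECDSASigner((ECPrivateKey) ecKey.getPrivate()));

    assertTrue("Should be ok", jwsService.isValidSignature(signedJWT, key));
}

/**
 * Encodes a non-negative EC coordinate as an unsigned big-endian octet string of exactly
 * {@code length} bytes (left-padded with zeros, sign byte dropped), base64url without padding.
 */
private static String encodeCoordinate(java.math.BigInteger coordinate, int length) {
    byte[] twosComplement = coordinate.toByteArray();
    int skip = Math.max(0, twosComplement.length - length);   // at most the leading 0x00 sign byte
    int count = twosComplement.length - skip;
    byte[] fixed = new byte[length];
    System.arraycopy(twosComplement, skip, fixed, length - count, count);
    return Base64.getUrlEncoder().withoutPadding().encodeToString(fixed);
}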
 
Example 16
Source File: JwtTokenGenerator.java — From piranha (BSD 3-Clause "New" or "Revised" License)
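/**
 * Builds an RS256-signed JWT from a JSON claims template on the classpath.
 *
 * The template's iat and auth_time are overwritten with the current time (seconds) and exp
 * with now + 1000 seconds. The header names the signing key "/privateKey.pem" (kid) and the
 * signature is made with the private key read from the "privateKey.pem" resource.
 *
 * @param jsonResource classpath name of the JSON claims template (at most 16 KiB)
 * @return the compact serialization of the signed JWT
 * @throws IllegalArgumentException if the resource is not on the classpath
 * @throws IllegalStateException if the resource exceeds the 16 KiB buffer
 *         (it would otherwise be parsed truncated)
 * @throws Exception on I/O, parse or signing failure
 */
public static String generateJWTString(String jsonResource) throws Exception {
    java.net.URL resource = currentThread().getContextClassLoader().getResource(jsonResource);
    if (resource == null) {
        throw new IllegalArgumentException("Classpath resource not found: " + jsonResource);
    }

    // Read the whole resource and close the stream. A single read() may return fewer bytes
    // than are available, and the previous version parsed whatever that one call returned
    // and never closed the stream.
    byte[] buffer = new byte[16384];
    int length = 0;
    try (java.io.InputStream in = resource.openStream()) {
        int n;
        while (length < buffer.length && (n = in.read(buffer, length, buffer.length - length)) != -1) {
            length += n;
        }
        if (length == buffer.length && in.read() != -1) {
            throw new IllegalStateException("Resource " + jsonResource + " exceeds " + buffer.length + " bytes");
        }
    }

    JSONParser parser = new JSONParser(DEFAULT_PERMISSIVE_MODE);
    JSONObject jwtJson = (JSONObject) parser.parse(java.util.Arrays.copyOf(buffer, length));

    long nowSeconds = System.currentTimeMillis() / 1000;
    jwtJson.put(Claims.iat.name(), nowSeconds);
    jwtJson.put(Claims.auth_time.name(), nowSeconds);
    jwtJson.put(Claims.exp.name(), nowSeconds + 1000);   // test-only lifetime (~16.7 minutes)

    SignedJWT signedJWT = new SignedJWT(new JWSHeader
                                        .Builder(RS256)
                                        .keyID("/privateKey.pem")
                                        .type(JWT)
                                        .build(), parse(jwtJson));

    signedJWT.sign(new RSASSASigner(readPrivateKey("privateKey.pem")));

    return signedJWT.serialize();
}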
 
Example 17
Source File: MobiTokenVerifier.java — From mobi (GNU Affero General Public License v3.0)
/**
 * Builds and HMAC-signs (HS256) a Mobi token for {@code username} using the Mobi token key.
 *
 * Claims, in order: sub = username, iss = issuer, exp = now + tokenDuration, "scope" = scope,
 * then the entries of {@code claims}. tokenDuration is added to the current time in
 * milliseconds, so it is a duration in milliseconds, not seconds. Custom claims are applied
 * last and override sub/iss/exp/scope if they reuse those keys, so the map must come from
 * trusted code.
 *
 * @param username      the "sub" of the token
 * @param issuer        the "iss" of the token
 * @param scope         the "scope" claim
 * @param tokenDuration lifetime of the token in milliseconds
 * @param claims        optional extra claims to add; may be null
 * @return the signed JWT (not serialized)
 * @throws JOSEException if the signer cannot be created or signing fails
 */
SignedJWT generateToken(String username, String issuer, String scope, long tokenDuration,
                        @Nullable Map<String, Object> claims) throws JOSEException {
    // The HMAC key is the configured Mobi key, padded by padKey().
    JWSSigner signer = new MACSigner(padKey(KEY));

    long nowMillis = System.currentTimeMillis();
    JWTClaimsSet.Builder claimBuilder = new JWTClaimsSet.Builder()
            .subject(username)
            .issuer(issuer)
            .expirationTime(new Date(nowMillis + tokenDuration))
            .claim("scope", scope);
    if (claims != null) {
        claims.forEach(claimBuilder::claim);
    }

    SignedJWT token = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256), claimBuilder.build());
    token.sign(signer);
    return token;
}
 
Example 18
Source File: SecurityUtils.java — From para (Apache License 2.0)
/**
 * Generates a new JWT token.
 *
 * Claims, in order: iat and nbf = now, exp = now + tokenValiditySec, a "refresh" hint from
 * getNextRefresh, the app id, and, when a user is given, sub = user id and "idp" = the user's
 * identity provider. The HS256 key is the app secret with the user's token secret appended
 * (nothing appended for an app-only token), i.e. the key is derived by plain string
 * concatenation.
 *
 * @param user a User object belonging to the app, or null for an app-only token
 * @param app the app object; null yields null
 * @return a new signed JWT, or null if app is null or signing fails (logged at WARN)
 */
public static SignedJWT generateJWToken(User user, App app) {
	if (app == null) {
		return null;
	}
	try {
		long nowMillis = System.currentTimeMillis();
		Date now = new Date(nowMillis);
		JWTClaimsSet.Builder builder = new JWTClaimsSet.Builder()
				.issueTime(now)
				.expirationTime(new Date(nowMillis + (app.getTokenValiditySec() * 1000)))
				.notBeforeTime(now)
				.claim("refresh", getNextRefresh(app.getTokenValiditySec()))
				.claim(Config._APPID, app.getId());
		if (user != null) {
			builder.subject(user.getId()).claim("idp", user.getIdentityProvider());
		}
		String macKey = app.getSecret() + (user != null ? user.getTokenSecret() : "");
		SignedJWT signedJWT = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256), builder.build());
		signedJWT.sign(new MACSigner(macKey));
		return signedJWT;
	} catch (JOSEException e) {
		logger.warn("Unable to sign JWT: {}.", e.getMessage());
	}
	return null;
}
 
Example 19
Source File: ClientAssertionServiceTest.java — From graviteeio-access-management (Apache License 2.0)
/**
 * Builds an HS256 client assertion (iss = ISSUER, sub = CLIENT_ID, aud = AUDIENCE,
 * exp = one day from now, header kid = KID) signed with the supplied signer.
 *
 * @param jwsSigner the signer to use; its key must be acceptable for HS256
 * @return the compact serialization of the signed assertion
 * @throws JOSEException if signing fails
 */
private String generateJWT(JWSSigner jwsSigner) throws JOSEException {
    JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.HS256).keyID(KID).build();
    Date inOneDay = Date.from(Instant.now().plus(1, ChronoUnit.DAYS));
    JWTClaimsSet claims = new JWTClaimsSet.Builder()
            .issuer(ISSUER)
            .subject(CLIENT_ID)
            .audience(AUDIENCE)
            .expirationTime(inOneDay)
            .build();

    SignedJWT assertion = new SignedJWT(header, claims);
    assertion.sign(jwsSigner);
    return assertion.serialize();
}
 
Example 20
Source File: ClientAssertionServiceTest.java — From graviteeio-access-management (Apache License 2.0)
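/**
 * private_key_jwt client assertion whose JWS header carries no "kid": the service must still
 * find the client's registered RSA key and accept the assertion.
 *
 * The JWK "n" and "e" members are Base64urlUInt (RFC 7518 §6.3.1): the minimal unsigned
 * big-endian octets, base64url-encoded without padding. BigInteger.toByteArray() is two's
 * complement and prepends a 0x00 sign byte to the modulus, so both values go through
 * base64UrlUInt below. Signature validation is mocked to true here; this test covers key
 * lookup and assertion parsing, not the signature itself.
 */
@Test
public void testRsaJwt_withoutKid() throws NoSuchAlgorithmException, JOSEException{
    KeyPair rsaKey = generateRsaKeyPair();

    RSAPublicKey publicKey = (RSAPublicKey) rsaKey.getPublic();
    RSAPrivateKey privateKey = (RSAPrivateKey) rsaKey.getPrivate();

    RSAKey key = new RSAKey();
    key.setKty("RSA");
    key.setKid(KID);
    key.setE(base64UrlUInt(publicKey.getPublicExponent()));
    key.setN(base64UrlUInt(publicKey.getModulus()));

    Client client = generateClient(key);
    client.setTokenEndpointAuthMethod(ClientAuthenticationMethod.PRIVATE_KEY_JWT);
    OpenIDProviderMetadata openIDProviderMetadata = Mockito.mock(OpenIDProviderMetadata.class);
    String basePath = "/";

    // Deliberately no keyID() on the header.
    SignedJWT signedJWT = new SignedJWT(
            new JWSHeader.Builder(JWSAlgorithm.RS256).build(),
            new JWTClaimsSet.Builder()
                    .issuer(ISSUER)
                    .subject(CLIENT_ID)
                    .audience(AUDIENCE)
                    .expirationTime(Date.from(Instant.now().plus(1, ChronoUnit.DAYS)))
                    .build()
    );
    signedJWT.sign(new RSASSASigner(privateKey));
    String assertion = signedJWT.serialize();

    when(clientSyncService.findByClientId(any())).thenReturn(Maybe.just(client));
    when(openIDProviderMetadata.getTokenEndpoint()).thenReturn(AUDIENCE);
    when(openIDDiscoveryService.getConfiguration(basePath)).thenReturn(openIDProviderMetadata);
    when(jwkService.getKey(any(), any())).thenReturn(Maybe.just(key));
    when(jwsService.isValidSignature(any(), any())).thenReturn(true);

    TestObserver testObserver = clientAssertionService.assertClient(JWT_BEARER_TYPE, assertion, basePath).test();

    testObserver.assertNoErrors();
    testObserver.assertValue(client);
}

/**
 * RFC 7518 Base64urlUInt: the minimal unsigned big-endian octets of a non-negative value,
 * base64url-encoded without padding (leading 0x00 sign byte from toByteArray() stripped).
 */
private static String base64UrlUInt(java.math.BigInteger value) {
    byte[] bytes = value.toByteArray();
    int start = 0;
    while (start < bytes.length - 1 && bytes[start] == 0) {
        start++;
    }
    return Base64.getUrlEncoder().withoutPadding()
            .encodeToString(java.util.Arrays.copyOfRange(bytes, start, bytes.length));
}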