Example 1 with JwtConsumerBuilder
use of org.jose4j.jwt.consumer.JwtConsumerBuilder in project blueocean-plugin by jenkinsci.
the class JwtImplTest method anonymousUserToken.
@Test
public void anonymousUserToken() throws Exception {
j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
JenkinsRule.WebClient webClient = j.createWebClient();
Page page = webClient.goTo("jwt-auth/token/", null);
String token = page.getWebResponse().getResponseHeaderValue("X-BLUEOCEAN-JWT");
Assert.assertNotNull(token);
JsonWebStructure jsonWebStructure = JsonWebStructure.fromCompactSerialization(token);
Assert.assertTrue(jsonWebStructure instanceof JsonWebSignature);
JsonWebSignature jsw = (JsonWebSignature) jsonWebStructure;
String kid = jsw.getHeader("kid");
Assert.assertNotNull(kid);
page = webClient.goTo("jwt-auth/jwks/" + kid + "/", "application/json");
// for(NameValuePair valuePair: page.getWebResponse().getResponseHeaders()){
// System.out.println(valuePair);
// }
JSONObject jsonObject = JSONObject.fromObject(page.getWebResponse().getContentAsString());
RsaJsonWebKey rsaJsonWebKey = new RsaJsonWebKey(jsonObject, null);
JwtConsumer jwtConsumer = new JwtConsumerBuilder().setRequireExpirationTime().setAllowedClockSkewInSeconds(// allow some leeway in validating time based claims to account for clock skew
30).setRequireSubject().setVerificationKey(// verify the sign with the public key
rsaJsonWebKey.getKey()).build();
JwtClaims claims = jwtConsumer.processToClaims(token);
Assert.assertEquals("anonymous", claims.getSubject());
Map<String, Object> claimMap = claims.getClaimsMap();
Map<String, Object> context = (Map<String, Object>) claimMap.get("context");
Map<String, String> userContext = (Map<String, String>) context.get("user");
Assert.assertEquals("anonymous", userContext.get("id"));
}
Also used :
JwtClaims(org.jose4j.jwt.JwtClaims)
JwtConsumerBuilder(org.jose4j.jwt.consumer.JwtConsumerBuilder)
Page(com.gargoylesoftware.htmlunit.Page)
JenkinsRule(org.jvnet.hudson.test.JenkinsRule)
JsonWebSignature(org.jose4j.jws.JsonWebSignature)
JSONObject(net.sf.json.JSONObject)
JwtConsumer(org.jose4j.jwt.consumer.JwtConsumer)
JSONObject(net.sf.json.JSONObject)
RsaJsonWebKey(org.jose4j.jwk.RsaJsonWebKey)
Map(java.util.Map)
JsonWebStructure(org.jose4j.jwx.JsonWebStructure)
Test(org.junit.Test)
Example 2 with JwtConsumerBuilder
use of org.jose4j.jwt.consumer.JwtConsumerBuilder in project blueocean-plugin by jenkinsci.
the class JwtAuthenticationToken method validate.
private static JwtClaims validate(StaplerRequest request) {
String authHeader = request.getHeader("Authorization");
if (authHeader == null || !authHeader.startsWith("Bearer ")) {
throw new ServiceException.UnauthorizedException("JWT token not found");
}
String token = authHeader.substring("Bearer ".length());
try {
JsonWebStructure jws = JsonWebStructure.fromCompactSerialization(token);
String alg = jws.getAlgorithmHeaderValue();
if (alg == null || !alg.equals(RSA_USING_SHA256)) {
logger.error(String.format("Invalid JWT token: unsupported algorithm in header, found %s, expected %s", alg, RSA_USING_SHA256));
throw new ServiceException.UnauthorizedException("Invalid JWT token");
}
String kid = jws.getKeyIdHeaderValue();
if (kid == null) {
logger.error("Invalid JWT token: missing kid");
throw new ServiceException.UnauthorizedException("Invalid JWT token");
}
JwtToken.JwtRsaDigitalSignatureKey key = new JwtToken.JwtRsaDigitalSignatureKey(kid);
try {
if (!key.exists()) {
throw new ServiceException.NotFoundException(String.format("kid %s not found", kid));
}
} catch (IOException e) {
logger.error(String.format("Error reading RSA key for id %s: %s", kid, e.getMessage()), e);
throw new ServiceException.UnexpectedErrorException("Unexpected error: " + e.getMessage(), e);
}
JwtConsumer jwtConsumer = new JwtConsumerBuilder().setRequireExpirationTime().setRequireJwtId().setAllowedClockSkewInSeconds(// allow some leeway in validating time based claims to account for clock skew
30).setRequireSubject().setVerificationKey(// verify the sign with the public key
key.getPublicKey()).build();
try {
JwtContext context = jwtConsumer.process(token);
JwtClaims claims = context.getJwtClaims();
//check if token expired
NumericDate expirationTime = claims.getExpirationTime();
if (expirationTime.isBefore(NumericDate.now())) {
throw new ServiceException.UnauthorizedException("Invalid JWT token: expired");
}
return claims;
} catch (InvalidJwtException e) {
logger.error("Invalid JWT token: " + e.getMessage(), e);
throw new ServiceException.UnauthorizedException("Invalid JWT token");
} catch (MalformedClaimException e) {
logger.error(String.format("Error reading sub header for token %s", jws.getPayload()), e);
throw new ServiceException.UnauthorizedException("Invalid JWT token: malformed claim");
}
} catch (JoseException e) {
logger.error("Error parsing JWT token: " + e.getMessage(), e);
throw new ServiceException.UnauthorizedException("Invalid JWT Token: " + e.getMessage());
}
}
Also used :
InvalidJwtException(org.jose4j.jwt.consumer.InvalidJwtException)
NumericDate(org.jose4j.jwt.NumericDate)
JwtClaims(org.jose4j.jwt.JwtClaims)
JwtConsumerBuilder(org.jose4j.jwt.consumer.JwtConsumerBuilder)
JoseException(org.jose4j.lang.JoseException)
JwtContext(org.jose4j.jwt.consumer.JwtContext)
IOException(java.io.IOException)
JwtToken(io.jenkins.blueocean.auth.jwt.JwtToken)
MalformedClaimException(org.jose4j.jwt.MalformedClaimException)
ServiceException(io.jenkins.blueocean.commons.ServiceException)
JwtConsumer(org.jose4j.jwt.consumer.JwtConsumer)
JsonWebStructure(org.jose4j.jwx.JsonWebStructure)
Example 3 with JwtConsumerBuilder
use of org.jose4j.jwt.consumer.JwtConsumerBuilder in project blueocean-plugin by jenkinsci.
the class JwtImplTest method getToken.
@Test
public void getToken() throws Exception {
j.jenkins.setSecurityRealm(j.createDummySecurityRealm());
User user = j.jenkins.getUser("alice");
user.setFullName("Alice Cooper");
user.addProperty(new Mailer.UserProperty("alice@jenkins-ci.org"));
JenkinsRule.WebClient webClient = j.createWebClient();
webClient.login("alice");
Page page = webClient.goTo("jwt-auth/token/", null);
String token = page.getWebResponse().getResponseHeaderValue("X-BLUEOCEAN-JWT");
Assert.assertNotNull(token);
JsonWebStructure jsonWebStructure = JsonWebStructure.fromCompactSerialization(token);
Assert.assertTrue(jsonWebStructure instanceof JsonWebSignature);
JsonWebSignature jsw = (JsonWebSignature) jsonWebStructure;
System.out.println(token);
System.out.println(jsw.toString());
String kid = jsw.getHeader("kid");
Assert.assertNotNull(kid);
page = webClient.goTo("jwt-auth/jwks/" + kid + "/", "application/json");
// for(NameValuePair valuePair: page.getWebResponse().getResponseHeaders()){
// System.out.println(valuePair);
// }
JSONObject jsonObject = JSONObject.fromObject(page.getWebResponse().getContentAsString());
System.out.println(jsonObject.toString());
RsaJsonWebKey rsaJsonWebKey = new RsaJsonWebKey(jsonObject, null);
JwtConsumer jwtConsumer = new JwtConsumerBuilder().setRequireExpirationTime().setAllowedClockSkewInSeconds(// allow some leeway in validating time based claims to account for clock skew
30).setRequireSubject().setVerificationKey(// verify the sign with the public key
rsaJsonWebKey.getKey()).build();
JwtClaims claims = jwtConsumer.processToClaims(token);
Assert.assertEquals("alice", claims.getSubject());
Map<String, Object> claimMap = claims.getClaimsMap();
Map<String, Object> context = (Map<String, Object>) claimMap.get("context");
Map<String, String> userContext = (Map<String, String>) context.get("user");
Assert.assertEquals("alice", userContext.get("id"));
Assert.assertEquals("Alice Cooper", userContext.get("fullName"));
Assert.assertEquals("alice@jenkins-ci.org", userContext.get("email"));
}
Also used :
User(hudson.model.User)
JwtClaims(org.jose4j.jwt.JwtClaims)
JwtConsumerBuilder(org.jose4j.jwt.consumer.JwtConsumerBuilder)
Mailer(hudson.tasks.Mailer)
Page(com.gargoylesoftware.htmlunit.Page)
JenkinsRule(org.jvnet.hudson.test.JenkinsRule)
JsonWebSignature(org.jose4j.jws.JsonWebSignature)
JSONObject(net.sf.json.JSONObject)
JwtConsumer(org.jose4j.jwt.consumer.JwtConsumer)
JSONObject(net.sf.json.JSONObject)
RsaJsonWebKey(org.jose4j.jwk.RsaJsonWebKey)
Map(java.util.Map)
JsonWebStructure(org.jose4j.jwx.JsonWebStructure)
Test(org.junit.Test)
Aggregations
JwtClaims (org.jose4j.jwt.JwtClaims)3
JwtConsumer (org.jose4j.jwt.consumer.JwtConsumer)3
JwtConsumerBuilder (org.jose4j.jwt.consumer.JwtConsumerBuilder)3
JsonWebStructure (org.jose4j.jwx.JsonWebStructure)3
Page (com.gargoylesoftware.htmlunit.Page)2
Map (java.util.Map)2
JSONObject (net.sf.json.JSONObject)2
RsaJsonWebKey (org.jose4j.jwk.RsaJsonWebKey)2
JsonWebSignature (org.jose4j.jws.JsonWebSignature)2
Test (org.junit.Test)2
JenkinsRule (org.jvnet.hudson.test.JenkinsRule)2
User (hudson.model.User)1
Mailer (hudson.tasks.Mailer)1
JwtToken (io.jenkins.blueocean.auth.jwt.JwtToken)1
ServiceException (io.jenkins.blueocean.commons.ServiceException)1
IOException (java.io.IOException)1
MalformedClaimException (org.jose4j.jwt.MalformedClaimException)1
NumericDate (org.jose4j.jwt.NumericDate)1
InvalidJwtException (org.jose4j.jwt.consumer.InvalidJwtException)1
JwtContext (org.jose4j.jwt.consumer.JwtContext)1
