Use of com.auth0.jwt.JWTVerifier in project cu-kfs by CU-CommunityApps.
The class CuCapAssetInventoryServerAuthFilter, method isAuthorized.
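/**
 * Checks whether the request carries a valid Cognito ID token.
 * <p>
 * The token is read from the {@code COGNITO_ID_TOKEN} header and verified against the
 * configured user-pool RSA public key, the configured issuer URL and the configured
 * {@code token_use} claim value. Every failure (no public key, no header, bad signature,
 * wrong issuer/claim, expired token) yields {@code false} instead of an unchecked
 * exception, so the filter can reject the request uniformly.
 *
 * @param request the incoming request whose header carries the Cognito ID token
 * @return {@code true} only if the token was successfully verified
 */
private boolean isAuthorized(HttpServletRequest request) {
    String cognitoIdToken = request.getHeader(CuCamsConstants.CapAssetApi.COGNITO_ID_TOKEN);
    // A missing or empty header can never be a valid token; fail closed before involving the verifier
    // (verify(null) would otherwise surface as a decode exception rather than "unauthorized").
    if (cognitoIdToken == null || cognitoIdToken.isEmpty()) {
        return false;
    }
    PublicKey cognitoUserPoolPublicKey = getCognitoUserPoolPublicKey();
    if (ObjectUtils.isNull(cognitoUserPoolPublicKey)) {
        return false;
    }
    String cognitoUserPoolIssuerUrl = getConfigurationService().getPropertyValueAsString(
            CuCamsConstants.CapAssetApi.ConfigurationProperties.COGNITO_USER_POOL_ISSUER_URL);
    // Verification only: no private key is needed, hence the null second argument.
    Algorithm algorithm = Algorithm.RSA256((RSAPublicKey) cognitoUserPoolPublicKey, null);
    // Pin the issuer and the token_use claim so only tokens of the expected kind from the expected pool pass.
    // NOTE(review): no audience / client-id constraint is applied here — confirm whether one is required.
    JWTVerifier verifier = JWT.require(algorithm)
            .withIssuer(cognitoUserPoolIssuerUrl)
            .withClaim(CuCamsConstants.CapAssetApi.TOKEN_USE, CuCamsConstants.CapAssetApi.ID)
            .build();
    try {
        DecodedJWT jwt = verifier.verify(cognitoIdToken);
        String email = jwt.getClaim(CuCamsConstants.CapAssetApi.EMAIL).asString();
        LOG.info("CapAssetInventory Authorized {}", email);
        return true;
    } catch (com.auth0.jwt.exceptions.JWTVerificationException e) {
        // Malformed token, bad signature, wrong issuer/claim or expiry: all are "not authorized", not a server error.
        LOG.warn("CapAssetInventory token rejected: {}", e.getMessage());
        return false;
    }
}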
Use of com.auth0.jwt.JWTVerifier in project java-rest-api by messagebird.
The class RequestValidator, method validateSignature.
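/**
 * Returns the raw signature payload after validating a signature successfully,
 * otherwise throws {@code RequestValidationException}.
 * <p>
 * This JWT is signed with a MessageBird account unique secret key, ensuring the request is from MessageBird and
 * a specific account.
 * The JWT contains the following claims:
 * </p>
 * <ul>
 * <li>"url_hash" - the raw URL hashed with SHA256 ensuring the URL wasn't altered.</li>
 * <li>"payload_hash" - the raw payload hashed with SHA256 ensuring the payload wasn't altered.</li>
 * <li>"jti" - a unique token ID to implement an optional non-replay check (NOT validated by default).</li>
 * <li>"nbf" - the not before timestamp.</li>
 * <li>"exp" - the expiration timestamp, ensuring that a request isn't captured and used at a later time.</li>
 * <li>"iss" - the issuer name, always MessageBird.</li>
 * </ul>
 * <p>
 * Only the HMAC algorithms (HS256/HS384/HS512) are accepted, and the key material always comes from the
 * pre-configured {@code HMAC256}/{@code HMAC384}/{@code HMAC512} fields, so the {@code alg} header of an
 * untrusted token can only choose between those three and never steer verification to another algorithm family.
 * </p>
 *
 * @param clock custom {@link Clock} instance to validate timestamp claims; {@code null} uses the default clock.
 * @param signature the actual signature.
 * @param url the raw url including the protocol, hostname and query string,
 * {@code https://example.com/?example=42}.
 * @param requestBody the raw request body.
 * @return raw signature payload as {@link DecodedJWT} object.
 * @throws RequestValidationException when the signature is invalid.
 * @see <a href="https://developers.messagebird.com/docs/verify-http-requests">Verify HTTP Requests</a>
 */
public DecodedJWT validateSignature(Clock clock, String signature, String url, byte[] requestBody) throws RequestValidationException {
    if (signature == null || signature.isEmpty()) {
        throw new RequestValidationException("The signature can not be empty.");
    }
    if (!skipURLValidation && (url == null || url.isEmpty())) {
        throw new RequestValidationException("The url can not be empty.");
    }
    // decode() only parses; nothing from the token is trusted until verify() below succeeds.
    DecodedJWT jwt = JWT.decode(signature);
    String signingMethod = jwt.getAlgorithm();
    // A token without an "alg" header would NPE in the switch; reject it like any other unknown algorithm.
    if (signingMethod == null) {
        throw new RequestValidationException(String.format("The signing method '%s' is invalid.", signingMethod));
    }
    Algorithm algorithm;
    switch (signingMethod) {
        case "HS256":
            algorithm = HMAC256;
            break;
        case "HS384":
            algorithm = HMAC384;
            break;
        case "HS512":
            algorithm = HMAC512;
            break;
        default:
            throw new RequestValidationException(String.format("The signing method '%s' is invalid.", signingMethod));
    }
    // "iat" is not checked and 1 second of leeway tolerates small clock skew on "nbf"/"exp".
    BaseVerification builder = (BaseVerification) JWT.require(algorithm).withIssuer("MessageBird").ignoreIssuedAt().acceptLeeway(1);
    if (!skipURLValidation) {
        // Explicit charset: the hash must not depend on the JVM's platform default encoding.
        builder.withClaim("url_hash", calculateSha256(url.getBytes(java.nio.charset.StandardCharsets.UTF_8)));
    }
    // The payload hash is bound both ways: a body requires the claim, and the claim requires a body,
    // so a signed body cannot be stripped and a bodiless signature cannot be reused with a body.
    boolean payloadHashClaimExist = !jwt.getClaim("payload_hash").isNull();
    if (requestBody != null && requestBody.length > 0) {
        if (!payloadHashClaimExist) {
            throw new RequestValidationException("The Claim 'payload_hash' is not set but payload is present.");
        }
        builder.withClaim("payload_hash", calculateSha256(requestBody));
    } else if (payloadHashClaimExist) {
        throw new RequestValidationException("The Claim 'payload_hash' is set but actual payload is missing.");
    }
    JWTVerifier verifier = clock == null ? builder.build() : builder.build(clock);
    try {
        return verifier.verify(jwt);
    } catch (SignatureVerificationException e) {
        throw new RequestValidationException("Signature is invalid.", e);
    } catch (JWTVerificationException e) {
        // Keep the library exception itself as the cause so the failing check is not lost.
        throw new RequestValidationException(e.getMessage(), e);
    }
}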
Use of com.auth0.jwt.JWTVerifier in project jwt-validator by FritsvanLieshout.
The class AuthorizationFilterImpl, method verifyToken.
/**
 * Verifies {@code token} as an HS256-signed JWT using {@code secretKey}.
 * <p>
 * Any verification failure (malformed token, bad signature, failed standard claim
 * checks) is swallowed and reported as {@code null}; the reason is not surfaced
 * to the caller.
 *
 * @param secretKey shared secret for the HMAC-SHA256 signature
 * @param token the compact-serialized JWT to verify
 * @return the decoded token on success, {@code null} if verification fails
 */
@Override
public DecodedJWT verifyToken(String secretKey, String token) {
    DecodedJWT decoded;
    try {
        JWTVerifier hmacVerifier = JWT.require(Algorithm.HMAC256(secretKey)).build();
        decoded = hmacVerifier.verify(token);
    } catch (JWTVerificationException ignored) {
        // Deliberate: the contract reports failure as null rather than by exception.
        decoded = null;
    }
    return decoded;
}
Use of com.auth0.jwt.JWTVerifier in project ofbiz-framework by apache.
The class JWTManager, method validateToken.
/**
 * Validates {@code jwtToken} with the server-side HMAC-SHA512 {@code key} and,
 * when it is valid, returns the claims it contains.
 * <p>
 * The token must be signed with HS512 and carry the issuer {@code "ApacheOFBiz"};
 * the library additionally rejects expired tokens. Each claim is exported via
 * {@code Claim#asString()}, so claims that are not strings map to {@code null}.
 * Public for API access from third party code.
 *
 * @param jwtToken the JWT token to validate
 * @param key the server side key used to verify the signature
 * @return the claims contained in the token, or an OFBiz error result
 *         ({@code ServiceUtil.returnError}) when an argument is empty or
 *         verification fails
 */
public static Map<String, Object> validateToken(String jwtToken, String key) {
    if (UtilValidate.isEmpty(jwtToken) || UtilValidate.isEmpty(key)) {
        String msg = "JWT token or key can not be empty.";
        Debug.logError(msg, MODULE);
        return ServiceUtil.returnError(msg);
    }
    Map<String, Object> claimValues = new HashMap<>();
    try {
        Algorithm hmac = Algorithm.HMAC512(key);
        DecodedJWT verified = JWT.require(hmac).withIssuer("ApacheOFBiz").build().verify(jwtToken);
        // Signature and issuer have been checked; from here on the claims can be trusted.
        Map<String, Claim> claims = verified.getClaims();
        for (String claimName : claims.keySet()) {
            claimValues.put(claimName, claims.get(claimName).asString());
        }
    } catch (JWTVerificationException e) {
        // Bad signature, wrong issuer or expired token: report the library message as a service error.
        Debug.logError(e.getMessage(), MODULE);
        return ServiceUtil.returnError(e.getMessage());
    }
    return claimValues;
}
Use of com.auth0.jwt.JWTVerifier in project litemall by linlinjava.
The class JwtHelper, method verifyTokenAndGetUserId.
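/**
 * Verifies {@code token} (HS256 with {@code SECRET}, issuer {@code ISSUSER}) and
 * extracts its {@code userId} claim.
 * <p>
 * Every failure — malformed or tampered token, wrong issuer, expired token, or a
 * token that carries no {@code userId} claim — yields {@code 0}, so callers must
 * treat {@code 0} as "not authenticated" rather than as a real user id.
 *
 * @param token the compact JWT presented by the client
 * @return the {@code userId} claim, or {@code 0} when the token cannot be trusted
 */
public Integer verifyTokenAndGetUserId(String token) {
    try {
        Algorithm algorithm = Algorithm.HMAC256(SECRET);
        JWTVerifier verifier = JWT.require(algorithm).withIssuer(ISSUSER).build();
        DecodedJWT jwt = verifier.verify(token);
        // getClaim() returns a null-claim object (never null) for an absent claim, so a valid token
        // without userId no longer escapes as a NullPointerException from getClaims().get(...).
        Integer userId = jwt.getClaim("userId").asInt();
        if (userId != null) {
            return userId;
        }
    } catch (JWTVerificationException exception) {
        // Invalid signature, wrong issuer, malformed or expired token: fall through to the "no user" result.
    }
    return 0;
}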