use of com.auth0.jwt.interfaces.Verification in project java-jwt by auth0.
the class JWTVerifierTest method shouldThrowOnInvalidExpiresAtIfPresent.
/**
 * A token carrying an {@code exp} claim must be rejected with {@link TokenExpiredException}
 * once the verifier's clock is past that instant.
 */
@Test
public void shouldThrowOnInvalidExpiresAtIfPresent() throws Exception {
    // Test fixture only: HS256 token whose payload decodes to {"exp":1477592}, signed with the
    // throwaway key "secret" used below. Neither the key nor the token is a real credential.
    final String expiredJwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0Nzc1OTJ9.isvT0Pqx0yjnZk53mUFSeYFJLDs-Ls9IsNAm86gIdZo";

    exception.expect(TokenExpiredException.class);
    exception.expectMessage(startsWith("The Token has expired on"));

    // Freeze "now" one second after DATE_TOKEN_MS_VALUE (defined elsewhere in the test class;
    // presumably the token's timestamp in milliseconds) so the exp check has to fail.
    final Date oneSecondAfter = new Date(DATE_TOKEN_MS_VALUE + 1000);
    final Clock frozenClock = mock(Clock.class);
    when(frozenClock.getToday()).thenReturn(oneSecondAfter);

    final Algorithm hmac = Algorithm.HMAC256("secret");
    // The cast exposes build(Clock), which the test uses to inject the mocked clock.
    final JWTVerifier.BaseVerification builder = (JWTVerifier.BaseVerification) JWTVerifier.init(hmac);
    builder.build(frozenClock).verify(expiredJwt);
}
use of com.auth0.jwt.interfaces.Verification in project java-jwt by auth0.
the class JWTVerifierTest method shouldThrowOnInvalidNotBeforeIfPresent.
/**
 * A token carrying an {@code nbf} claim must be rejected with {@link InvalidClaimException}
 * while the verifier's clock is still before that instant.
 */
@Test
public void shouldThrowOnInvalidNotBeforeIfPresent() throws Exception {
    // Test fixture only: HS256 token whose payload decodes to {"nbf":1477592}, signed with the
    // throwaway key "secret" used below.
    final String notYetValidJwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE0Nzc1OTJ9.wq4ZmnSF2VOxcQBxPLfeh1J2Ozy1Tj5iUaERm3FKaw8";

    exception.expect(InvalidClaimException.class);
    exception.expectMessage(startsWith("The Token can't be used before"));

    // Freeze "now" one second before DATE_TOKEN_MS_VALUE (defined elsewhere in the test class;
    // presumably the token's timestamp in milliseconds) so the nbf check has to fail.
    final Date oneSecondBefore = new Date(DATE_TOKEN_MS_VALUE - 1000);
    final Clock frozenClock = mock(Clock.class);
    when(frozenClock.getToday()).thenReturn(oneSecondBefore);

    final Algorithm hmac = Algorithm.HMAC256("secret");
    // The cast exposes build(Clock), which the test uses to inject the mocked clock.
    final JWTVerifier.BaseVerification builder = (JWTVerifier.BaseVerification) JWTVerifier.init(hmac);
    builder.build(frozenClock).verify(notYetValidJwt);
}
use of com.auth0.jwt.interfaces.Verification in project java-jwt by auth0.
the class JWTVerifierTest method shouldThrowOnInvalidIssuedAtIfPresent.
/**
 * A token whose {@code iat} claim lies in the future relative to the verifier's clock must be
 * rejected with {@link InvalidClaimException}.
 */
@Test
public void shouldThrowOnInvalidIssuedAtIfPresent() throws Exception {
    // Test fixture only: HS256 token whose payload decodes to {"iat":1477592}, signed with the
    // throwaway key "secret" used below.
    final String issuedInFutureJwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE0Nzc1OTJ9.0WJky9eLN7kuxLyZlmbcXRL3Wy8hLoNCEk5CCl2M4lo";

    exception.expect(InvalidClaimException.class);
    // The expected message is the same prefix the nbf test asserts on.
    exception.expectMessage(startsWith("The Token can't be used before"));

    // Freeze "now" one second before DATE_TOKEN_MS_VALUE (defined elsewhere in the test class;
    // presumably the token's timestamp in milliseconds) so the token appears issued in the future.
    final Date oneSecondBefore = new Date(DATE_TOKEN_MS_VALUE - 1000);
    final Clock frozenClock = mock(Clock.class);
    when(frozenClock.getToday()).thenReturn(oneSecondBefore);

    final Algorithm hmac = Algorithm.HMAC256("secret");
    // The cast exposes build(Clock), which the test uses to inject the mocked clock.
    final JWTVerifier.BaseVerification builder = (JWTVerifier.BaseVerification) JWTVerifier.init(hmac);
    builder.build(frozenClock).verify(issuedInFutureJwt);
}
use of com.auth0.jwt.interfaces.Verification in project auth0-java by auth0.
the class JobsEntityTest method shouldSendUserVerificationEmailWithClientId.
/**
 * Checks that the verification-email job request is a POST to the jobs endpoint, carries the
 * JSON content type and the bearer token, and serialises exactly the user id and client id.
 */
@Test
public void shouldSendUserVerificationEmailWithClientId() throws Exception {
    // Sample identifiers used only by this test.
    final String userId = "google-oauth2|1234";
    final String clientId = "AaiyAPdpYdesoKnqjj8HJqRn4T5titww";

    Request<Job> emailJobRequest = api.jobs().sendVerificationEmail(userId, clientId);
    assertThat(emailJobRequest, is(notNullValue()));

    // Queue the canned response before executing, then capture what was actually sent.
    server.jsonResponse(MGMT_JOB_POST_VERIFICATION_EMAIL, 200);
    Job job = emailJobRequest.execute();
    RecordedRequest sent = server.takeRequest();

    assertThat(sent, hasMethodAndPath("POST", "/api/v2/jobs/verification-email"));
    assertThat(sent, hasHeader("Content-Type", "application/json"));
    // The management API token must travel in the Authorization header, not in the body.
    assertThat(sent, hasHeader("Authorization", "Bearer apiToken"));

    // Exactly two fields: anything extra in the payload would fail the size assertion.
    Map<String, Object> payload = bodyFromRequest(sent);
    assertThat(payload.size(), is(2));
    assertThat(payload, hasEntry("user_id", userId));
    assertThat(payload, hasEntry("client_id", clientId));

    assertThat(job, is(notNullValue()));
}
use of com.auth0.jwt.interfaces.Verification in project auth0-java by auth0.
the class IdTokenVerifier method verify.
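/**
 * Verifies a provided ID Token follows the <a href="https://openid.net/specs/openid-connect-core-1_0-final.html#IDTokenValidation">OIDC specification.</a>
 * <p>
 * The signature is verified first; claims are only read from the token returned by the signature
 * verifier. The checks then run in this order: {@code iss}, {@code sub}, {@code aud},
 * {@code org_id} (only when an organization is configured), {@code exp} (with leeway),
 * presence of {@code iat}, {@code nonce} (only when one is supplied), {@code azp} (only when
 * {@code aud} has more than one value) and {@code auth_time} (only when a max age is supplied).
 * The first failing check throws. The value of {@code iat} is not compared with the current time.
 * <p>
 * Mismatch messages include both the expected value and the value found in the token (issuer,
 * audience, organization, nonce, authorized party), so they can carry token contents into logs.
 *
 * @param token the ID Token to verify. Must not be null or empty.
 * @param nonce the nonce expected on the ID token, which must match the nonce specified on the authorization request.
 *              If null, no validation of the nonce will occur.
 * @param maxAuthenticationAge The maximum authentication age allowed, which specifies the allowable elapsed time in seconds
 *                             since the last time the end-user was actively authenticated. This must match the specified
 *                             {@code max_age} parameter specified on the authorization request. If null, no validation
 *                             of the {@code auth_time} claim will occur.
 * @throws IdTokenValidationException if:
 *                                    <ul>
 *                                    <li>The ID token is null or empty</li>
 *                                    <li>The ID token's signing algorithm is not supported</li>
 *                                    <li>The ID token's signature is invalid</li>
 *                                    <li>Any of the ID token's claims are invalid</li>
 *                                    </ul>
 * @see IdTokenVerifier#verify(String)
 * @see IdTokenVerifier#verify(String, String)
 */
public void verify(String token, String nonce, Integer maxAuthenticationAge) throws IdTokenValidationException {
    if (isEmpty(token)) {
        throw new IdTokenValidationException("ID token is required but missing");
    }

    // Nothing below trusts a claim before the signature verifier has returned the decoded token.
    DecodedJWT decoded = this.signatureVerifier.verifySignature(token);

    // Issuer must be present and equal to the configured issuer (exact string match).
    if (isEmpty(decoded.getIssuer())) {
        throw new IdTokenValidationException("Issuer (iss) claim must be a string present in the ID token");
    }
    if (!decoded.getIssuer().equals(this.issuer)) {
        throw new IdTokenValidationException(String.format("Issuer (iss) claim mismatch in the ID token, expected \"%s\", found \"%s\"", this.issuer, decoded.getIssuer()));
    }

    if (isEmpty(decoded.getSubject())) {
        throw new IdTokenValidationException("Subject (sub) claim must be a string present in the ID token");
    }

    // The configured audience must be one of the token's audiences.
    final List<String> audience = decoded.getAudience();
    if (audience == null) {
        throw new IdTokenValidationException("Audience (aud) claim must be a string or array of strings present in the ID token");
    }
    if (!audience.contains(this.audience)) {
        throw new IdTokenValidationException(String.format("Audience (aud) claim mismatch in the ID token; expected \"%s\" but found \"%s\"", this.audience, decoded.getAudience()));
    }

    // Organization check is opt-in: it only runs when an organization was configured.
    if (this.organization != null) {
        String orgClaim = decoded.getClaim("org_id").asString();
        if (isEmpty(orgClaim)) {
            throw new IdTokenValidationException("Organization Id (org_id) claim must be a string present in the ID token");
        }
        if (!this.organization.equals(orgClaim)) {
            throw new IdTokenValidationException(String.format("Organization (org_id) claim mismatch in the ID token; expected \"%s\" but found \"%s\"", this.organization, orgClaim));
        }
    }

    final Calendar cal = Calendar.getInstance();
    // An injected clock value takes precedence over the system time.
    final Date now = this.clock != null ? this.clock : cal.getTime();
    // Leeway, in seconds, added to the time-based checks to tolerate clock drift.
    final int clockSkew = this.leeway != null ? this.leeway : DEFAULT_LEEWAY;

    if (decoded.getExpiresAt() == null) {
        throw new IdTokenValidationException("Expiration Time (exp) claim must be a number present in the ID token");
    }
    // The token is accepted until exp + leeway.
    cal.setTime(decoded.getExpiresAt());
    cal.add(Calendar.SECOND, clockSkew);
    Date expDate = cal.getTime();
    if (now.after(expDate)) {
        throw new IdTokenValidationException(String.format("Expiration Time (exp) claim error in the ID token; current time (%d) is after expiration time (%d)", now.getTime() / 1000, expDate.getTime() / 1000));
    }

    // iat only has to be present. The original body also computed (iat - leeway) on the calendar
    // here but never read the result, so that dead arithmetic is dropped; the value of iat is not
    // compared with the current time, exactly as before.
    if (decoded.getIssuedAt() == null) {
        throw new IdTokenValidationException("Issued At (iat) claim must be a number present in the ID token");
    }

    // Nonce check is skipped entirely when the caller passes null.
    if (nonce != null) {
        String nonceClaim = decoded.getClaim(NONCE_CLAIM).asString();
        if (isEmpty(nonceClaim)) {
            throw new IdTokenValidationException("Nonce (nonce) claim must be a string present in the ID token");
        }
        if (!nonce.equals(nonceClaim)) {
            throw new IdTokenValidationException(String.format("Nonce (nonce) claim mismatch in the ID token; expected \"%s\", found \"%s\"", nonce, nonceClaim));
        }
    }

    // With several audiences, azp must be present and equal to the configured audience.
    if (audience.size() > 1) {
        String azpClaim = decoded.getClaim(AZP_CLAIM).asString();
        if (isEmpty(azpClaim)) {
            throw new IdTokenValidationException("Authorized Party (azp) claim must be a string present in the ID token when Audience (aud) claim has multiple values");
        }
        if (!this.audience.equals(azpClaim)) {
            throw new IdTokenValidationException(String.format("Authorized Party (azp) claim mismatch in the ID token; expected \"%s\", found \"%s\"", this.audience, azpClaim));
        }
    }

    // auth_time check is skipped entirely when the caller passes a null max age.
    if (maxAuthenticationAge != null) {
        Date authTime = decoded.getClaim(AUTH_TIME_CLAIM).asDate();
        if (authTime == null) {
            throw new IdTokenValidationException("Authentication Time (auth_time) claim must be a number present in the ID token when Max Age (max_age) is specified");
        }
        // The last authentication is accepted until auth_time + max age + leeway.
        // NOTE(review): maxAuthenticationAge is used as given; a negative value is not rejected here.
        cal.setTime(authTime);
        cal.add(Calendar.SECOND, maxAuthenticationAge);
        cal.add(Calendar.SECOND, clockSkew);
        Date authTimeDate = cal.getTime();
        if (now.after(authTimeDate)) {
            throw new IdTokenValidationException(String.format("Authentication Time (auth_time) claim in the ID token indicates that too much time has passed since the last end-user authentication. Current time (%d) is after last auth at (%d)", now.getTime() / 1000, authTimeDate.getTime() / 1000));
        }
    }
}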
Aggregations