use of com.nimbusds.jose.Algorithm in project spring-security by spring-projects.
the class JwtDecoderProviderConfigurationUtilsTests method getSignatureAlgorithmsWhenAlgorithmThenParses.
// gh-9651
@Test
public void getSignatureAlgorithmsWhenAlgorithmThenParses() throws Exception {
  // Publish a single RSA signature key whose JWK "alg" member is RS256 and check that the
  // utility reports exactly that algorithm, i.e. the "alg" member is honoured (gh-9651).
  RSAKey rsaSigningKey =
      new RSAKey.Builder(TestKeys.DEFAULT_PUBLIC_KEY)
          .keyUse(KeyUse.SIGNATURE)
          .algorithm(new Algorithm(JwsAlgorithms.RS256))
          .build();
  JWKSource<SecurityContext> source = mock(JWKSource.class);
  given(source.get(any(JWKSelector.class), isNull()))
      .willReturn(Collections.singletonList(rsaSigningKey));

  Set<SignatureAlgorithm> resolved =
      JwtDecoderProviderConfigurationUtils.getSignatureAlgorithms(source);

  assertThat(resolved).containsOnly(SignatureAlgorithm.RS256);
}
use of com.nimbusds.jose.Algorithm in project ddf by codice.
the class OidcTokenValidator method validateAccessTokenSignature.
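/**
 * Validates an access token's signature against the keys published at the provider's JWK set URI.
 *
 * <p>The expected signing algorithm is resolved as follows: if a signed ID token is supplied, the
 * algorithm from its header is used; otherwise the algorithm declared in the access token's own
 * header is used. Unsigned ("none") tokens and non-JWS algorithms are rejected before any key
 * lookup happens.
 *
 * <p>Security note: in the fallback branch the algorithm comes from the access token's header,
 * which has not been verified yet, so it is attacker-controlled. It only steers which keys are
 * tried; the signature must still verify with a key actually published by the provider. Nothing
 * here cross-checks that algorithm against what the provider advertises in its metadata, and this
 * method does not validate issuer or audience claims - callers are assumed to do that separately.
 *
 * @param accessToken - the token to validate
 * @param idToken - the corresponding ID token or null if one is not available. If a signed ID
 *     token is provided, the signature algorithm in the ID token is used. Otherwise the Algorithm
 *     provided in the header of the access token is used.
 * @param resourceRetriever - resource retriever used to fetch the remote JWK set
 * @param metadata - OIDC metadata supplying the JWK set URI
 * @throws OidcValidationException if the token is unsigned, not a compact JWS, declares a non-JWS
 *     algorithm, or its signature cannot be verified with a published key
 */
private static void validateAccessTokenSignature(
    AccessToken accessToken,
    JWT idToken,
    ResourceRetriever resourceRetriever,
    OIDCProviderMetadata metadata)
    throws OidcValidationException {
  try {
    ConfigurableJWTProcessor jwtProcessor = new DefaultJWTProcessor();
    JWKSource keySource = new RemoteJWKSet(metadata.getJWKSetURI().toURL(), resourceRetriever);

    // Resolve the expected algorithm: prefer the ID token's header when one is present and
    // signed, otherwise fall back to the algorithm the access token claims for itself.
    Algorithm expectedAlgorithm;
    if (idToken == null || Algorithm.NONE.equals(idToken.getHeader().getAlgorithm())) {
      String accessTokenString = accessToken.getValue();
      // A compact JWS is "header.payload.signature"; without a '.' there is no header to read,
      // and substring(0, -1) would otherwise blow up with an unhelpful index error.
      int headerEnd = accessTokenString.indexOf('.');
      if (headerEnd < 0) {
        LOGGER.error("Error validating access token. Access token is not a compact JWS.");
        throw new OidcValidationException(
            "Error validating access token. Access token is not a compact JWS.");
      }
      Base64URL header = new Base64URL(accessTokenString.substring(0, headerEnd));
      JSONObject jsonObject = JSONObjectUtils.parse(header.decodeToString());
      expectedAlgorithm = Header.parseAlgorithm(jsonObject);
    } else {
      expectedAlgorithm = idToken.getHeader().getAlgorithm();
    }

    // Reject "none" explicitly so an unsigned token never reaches the key selector.
    if (Algorithm.NONE.equals(expectedAlgorithm)) {
      LOGGER.error("Error validating access token. Access token was not signed.");
      throw new OidcValidationException(
          "Error validating access token. Access token was not signed.");
    }

    // Only a JWS algorithm can select a verification key. A JWE header (one carrying "enc") or
    // an encrypted ID token yields a JWE algorithm here; turning its name into a JWSAlgorithm
    // would just fail later with a confusing "no matching key" error, so fail clearly now.
    if (!(expectedAlgorithm instanceof JWSAlgorithm)) {
      LOGGER.error("Error validating access token. Expected algorithm is not a JWS algorithm.");
      throw new OidcValidationException(
          "Error validating access token. Expected algorithm is not a JWS algorithm.");
    }

    JWSAlgorithm expectedJWSAlgorithm =
        new JWSAlgorithm(expectedAlgorithm.getName(), expectedAlgorithm.getRequirement());
    // Candidate verification keys are taken from the provider's remote JWK set for the expected
    // algorithm; the processor then verifies the signature with them.
    JWSKeySelector keySelector = new JWSVerificationKeySelector(expectedJWSAlgorithm, keySource);
    jwtProcessor.setJWSKeySelector(keySelector);
    jwtProcessor.process(accessToken.getValue(), null);
  } catch (OidcValidationException e) {
    // Already logged with a specific message above; do not re-wrap it under the generic one.
    throw e;
  } catch (Exception e) {
    LOGGER.error(ACCESS_VALIDATION_ERR_MSG, e);
    throw new OidcValidationException(ACCESS_VALIDATION_ERR_MSG, e);
  }
}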