Example 1 with Algorithm

Use of com.nimbusds.jose.Algorithm in the project spring-security by spring-projects.

From the class JwtDecoderProviderConfigurationUtilsTests, method getSignatureAlgorithmsWhenAlgorithmThenParses:

// gh-9651
@Test
public void getSignatureAlgorithmsWhenAlgorithmThenParses() throws Exception {
    JWKSource<SecurityContext> jwkSource = mock(JWKSource.class);
    // The JWK advertises its "alg" as a generic Algorithm rather than a JWSAlgorithm;
    // the utility must still recognise it as RS256
    RSAKey key = new RSAKey.Builder(TestKeys.DEFAULT_PUBLIC_KEY)
            .keyUse(KeyUse.SIGNATURE)
            .algorithm(new Algorithm(JwsAlgorithms.RS256))
            .build();
    // Whatever selector is used (with a null security context), the mocked JWK set returns only this key
    given(jwkSource.get(any(JWKSelector.class), isNull())).willReturn(Collections.singletonList(key));
    Set<SignatureAlgorithm> algorithms = JwtDecoderProviderConfigurationUtils.getSignatureAlgorithms(jwkSource);
    // Exactly one signature algorithm, RS256, should be derived from the key
    assertThat(algorithms).containsOnly(SignatureAlgorithm.RS256);
}
Also used : JWKSelector(com.nimbusds.jose.jwk.JWKSelector) RSAKey(com.nimbusds.jose.jwk.RSAKey) SecurityContext(com.nimbusds.jose.proc.SecurityContext) SignatureAlgorithm(org.springframework.security.oauth2.jose.jws.SignatureAlgorithm) JWSAlgorithm(com.nimbusds.jose.JWSAlgorithm) Algorithm(com.nimbusds.jose.Algorithm) Test(org.junit.jupiter.api.Test)

Example 2 with Algorithm

Use of com.nimbusds.jose.Algorithm in the project ddf by codice.

From the class OidcTokenValidator, method validateAccessTokenSignature:

/**
 * Validates an access token's signature
 *
 * @param accessToken - the token to validate
 * @param idToken - the corresponding ID token or null if one is not available. If an ID token is
 *     provided, the signature algorithm in the ID token is used. Otherwise the Algorithm provided
 *     in the header of the access token is used.
 * @param resourceRetriever - resource retriever
 * @param metadata - OIDC metadata
 */
private static void validateAccessTokenSignature(
        AccessToken accessToken,
        JWT idToken,
        ResourceRetriever resourceRetriever,
        OIDCProviderMetadata metadata)
        throws OidcValidationException {
    try {
        ConfigurableJWTProcessor jwtProcessor = new DefaultJWTProcessor();
        // Verification keys come from the provider's published JWK set, not from the token itself
        JWKSource keySource = new RemoteJWKSet(metadata.getJWKSetURI().toURL(), resourceRetriever);
        // Get signature algorithm, if ID token is given get algorithm from ID Token otherwise
        // get algorithm from access token header
        Algorithm expectedAlgorithm;
        if (idToken == null || idToken.getHeader().getAlgorithm() == Algorithm.NONE) {
            // Decode only the JOSE header (the first dot-separated segment) to read "alg"
            String accessTokenString = accessToken.getValue();
            Base64URL header = new Base64URL(accessTokenString.substring(0, accessTokenString.indexOf('.')));
            JSONObject jsonObject = JSONObjectUtils.parse(header.decodeToString());
            expectedAlgorithm = Header.parseAlgorithm(jsonObject);
        } else {
            expectedAlgorithm = idToken.getHeader().getAlgorithm();
        }
        // An unsigned token ("alg": "none") carries no proof of origin and is rejected outright
        if (expectedAlgorithm == Algorithm.NONE) {
            LOGGER.error("Error validating access token. Access token was not signed.");
            throw new OidcValidationException("Error validating access token. Access token was not signed.");
        }
        // Pin the key selector to the expected JWS algorithm so only matching keys are considered
        JWSAlgorithm expectedJWSAlgorithm =
                new JWSAlgorithm(expectedAlgorithm.getName(), expectedAlgorithm.getRequirement());
        JWSKeySelector keySelector = new JWSVerificationKeySelector(expectedJWSAlgorithm, keySource);
        jwtProcessor.setJWSKeySelector(keySelector);
        // Parses and verifies the signature; throws if verification fails
        jwtProcessor.process(accessToken.getValue(), null);
    } catch (Exception e) {
        LOGGER.error(ACCESS_VALIDATION_ERR_MSG, e);
        throw new OidcValidationException(ACCESS_VALIDATION_ERR_MSG, e);
    }
}
Also used : JWSAlgorithm(com.nimbusds.jose.JWSAlgorithm) Algorithm(com.nimbusds.jose.Algorithm) JWKSource(com.nimbusds.jose.jwk.source.JWKSource) RemoteJWKSet(com.nimbusds.jose.jwk.source.RemoteJWKSet) Base64URL(com.nimbusds.jose.util.Base64URL) JWSVerificationKeySelector(com.nimbusds.jose.proc.JWSVerificationKeySelector) ConfigurableJWTProcessor(com.nimbusds.jwt.proc.ConfigurableJWTProcessor) DefaultJWTProcessor(com.nimbusds.jwt.proc.DefaultJWTProcessor) JSONObject(net.minidev.json.JSONObject) JWSKeySelector(com.nimbusds.jose.proc.JWSKeySelector)