use of com.nimbusds.jose.JOSEException in project hadoop by apache.
Class JWTRedirectAuthenticationHandler, method validateSignature.
/**
 * Verifies the signature on the supplied JWT against the public key that was
 * established during init from the provisioned public key. Only the signature
 * is checked here; expiry, audience and issuer are not examined by this
 * method (presumably handled by the caller — confirm). Subclasses may
 * override this method to customise signature verification.
 *
 * @param jwtToken the token whose signature is to be validated
 * @return {@code true} if the token is in the SIGNED state, carries a
 *         signature and that signature verifies against the public key;
 *         {@code false} otherwise, including when verification throws
 */
protected boolean validateSignature(SignedJWT jwtToken) {
  if (JWSObject.State.SIGNED != jwtToken.getState()) {
    return false;
  }
  LOG.debug("JWT token is in a SIGNED state");
  if (jwtToken.getSignature() == null) {
    return false;
  }
  LOG.debug("JWT token signature is not null");
  try {
    // RSASSAVerifier is an RSA-only verifier, so a token whose "alg" header
    // names a non-RSA algorithm should fail here rather than verify —
    // confirm against the nimbus-jose-jwt version in use.
    JWSVerifier verifier = new RSASSAVerifier(publicKey);
    boolean verified = jwtToken.verify(verifier);
    if (verified) {
      LOG.debug("JWT token has been successfully verified");
    } else {
      LOG.warn("JWT signature verification failed.");
    }
    return verified;
  } catch (JOSEException je) {
    // A verification error is treated as an invalid signature, not as a pass.
    LOG.warn("Error while validating signature", je);
    return false;
  }
}
use of com.nimbusds.jose.JOSEException in project ORCID-Source by ORCID.
Class OpenIDConnectTokenEnhancer, method enhance.
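/**
 * Attaches an OpenID Connect ID token to the access token when the request
 * carried the {@code openid} scope; otherwise the access token is returned
 * untouched. The authorization code has already been consumed and removed at
 * this point, so nonce and max_age are read from the request parameters that
 * OrcidClientCredentialEndPointDelegatorImpl adds back into the request.
 *
 * @param accessToken the token being issued; its additional-information map
 *        is mutated in place to carry the ID token
 * @param authentication the authentication whose request parameters supply
 *        scope, client_id and nonce
 * @return the same {@code accessToken} instance, with an ID token added when
 *         one could be produced
 */
@Override
public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
    Map<String, String> params = authentication.getOAuth2Request().getRequestParameters();
    // Only issue an ID token when the openid scope was requested.
    String scopes = params.get(OrcidOauth2Constants.SCOPE_PARAM);
    if (PojoUtil.isEmpty(scopes) || !ScopePathType.getScopesFromSpaceSeparatedString(scopes).contains(ScopePathType.OPENID)) {
        return accessToken;
    }
    // The ID token is informational: we do not have to support using it for
    // authentication purposes. Some APIs support that, but it is not part of the spec.
    try {
        // Resolve the subject once instead of re-reading the additional-information map.
        String orcid = accessToken.getAdditionalInformation().get("orcid").toString();
        // ID token lifetime: ten minutes from issuance.
        final long idTokenLifetimeMillis = 10L * 60 * 1000;
        Date now = new Date();

        // Signed with a shared secret (HMAC) so existing keys can be used without certificates.
        Builder claims = new JWTClaimsSet.Builder();
        claims.audience(params.get(OrcidOauth2Constants.CLIENT_ID_PARAM));
        claims.subject(orcid);
        claims.issuer("https://orcid.org");
        claims.expirationTime(new Date(now.getTime() + idTokenLifetimeMillis));
        claims.issueTime(now);
        claims.jwtID(UUID.randomUUID().toString());
        // Echo the client's nonce so the relying party can bind the ID token to its request.
        String nonce = params.get(OrcidOauth2Constants.NONCE);
        if (nonce != null) {
            claims.claim(OrcidOauth2Constants.NONCE, nonce);
        }
        claims.claim(OrcidOauth2Constants.AUTH_TIME, profileEntityManager.getLastLogin(orcid));

        SignedJWT signedJWT = keyManager.sign(claims.build());
        accessToken.getAdditionalInformation().put(OrcidOauth2Constants.ID_TOKEN, signedJWT.serialize());
    } catch (Exception e) {
        // Best effort: JOSEException and any other failure (e.g. a missing "orcid" entry) are
        // handled identically — the access token is returned without an ID token. The single
        // catch replaces two branches that did the same thing.
        // TODO(review): route this through the class logger, if one exists, instead of stderr.
        e.printStackTrace();
    }
    return accessToken;
}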