Use of com.nimbusds.jose.jwk.JWK in project mycore by MyCoRe-Org:
class MCRJSONWebTokenUtil, method retrievePublicKeyFromLoginToken.
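/**
 * Retrieves the client's public key from a login token.
 *
 * The token is a JWE encrypted to this server's RSA key pair ({@code RSA_KEYS}); its payload is a signed JWT that
 * carries the client's public key in its {@code jwk} header. The signature is verified against that very embedded
 * key, so a non-null result only proves that the sender holds the private half of the key it sent — it does NOT
 * authenticate the client by itself. Callers must still validate the credentials carried in the token before
 * trusting (and binding anything to) the returned key.
 *
 * NOTE(review): the accepted JWE and JWS algorithms are whatever {@code RSADecrypter} / {@code RSASSAVerifier}
 * support by default; nothing here pins {@code alg}. Consider restricting them (e.g. rejecting RSA1_5) — confirm
 * against the Nimbus version in use.
 *
 * @param token - the serialized JSON Web Token from login
 * @return the public key as JWK object, or {@code null} if the token cannot be decrypted or parsed, its payload is
 *         not a signed JWT, it carries no RSA {@code jwk} header, or its signature does not verify
 */
public static JWK retrievePublicKeyFromLoginToken(String token) {
    try {
        JWEObject jweObject = JWEObject.parse(token);
        // Only the holder of the server's private key can read the payload.
        jweObject.decrypt(new RSADecrypter(RSA_KEYS.getPrivate()));
        SignedJWT signedJWT = jweObject.getPayload().toSignedJWT();
        if (signedJWT == null) {
            // Payload is not a compact signed JWT; previously this fell through to a NullPointerException.
            LOGGER.error("Login token payload is not a signed JWT");
            return null;
        }
        JWK clientKey = signedJWT.getHeader().getJWK();
        if (clientKey == null) {
            // No "jwk" header means there is nothing to verify against (previously an unhandled NullPointerException).
            LOGGER.error("Login token carries no jwk header");
            return null;
        }
        // Non-RSA keys are expected to fail here with a ParseException, handled below.
        RSAKey publicKey = RSAKey.parse(clientKey.toJSONObject());
        if (signedJWT.verify(new RSASSAVerifier(publicKey))) {
            return clientKey;
        }
        LOGGER.error("Login token signature does not verify against the embedded jwk");
    } catch (ParseException | JOSEException e) {
        LOGGER.error("Could not extract client public key from login token", e);
    }
    return null;
}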
Use of com.nimbusds.jose.jwk.JWK in project mycore by MyCoRe-Org:
class MCRRestAPIAuthentication, method authorize.
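/**
 * Logs a client in and issues a JWT for the REST API.
 *
 * Credentials are read from the {@code Authorization} request header, either as HTTP Basic
 * ({@code Basic base64(user:password)}, RFC 7617, ISO-8859-1) or as a Bearer login token produced by
 * {@link MCRJSONWebTokenUtil}, from which user name, password and the client's public key are extracted. If
 * {@link MCRUserManager#checkPassword} accepts the credentials, a signed JWT is created with the list
 * {@code ["restapi"]}, the frontend base URL and the client key (presumably audience, issuer and key binding —
 * confirm in {@code MCRJSONWebTokenUtil.createJWT}). The token is returned both in the JSON body and in the
 * {@code Authorization} response header; returning a JWT (JSON Web Token) to the client is not properly
 * specified, and the response header is unusual but not strictly forbidden.
 *
 * Validation: https://jwt.io/ Public Key: http://localhost:8080/api/v1/auth/public_key.txt
 *
 * Success response:
 * <pre>
 * 200 OK Content-Type: application/json;charset=UTF-8
 * { "login_successful": true, "access_token": "NgCXRK...MzYjw", "token_type": "Bearer" }
 * </pre>
 *
 * Failed logins answer with 403 Forbidden plus a {@code WWW-Authenticate: Basic} challenge.
 * NOTE(review): RFC 7235 pairs WWW-Authenticate with 401 Unauthorized; 403 is kept here to preserve the existing
 * client contract — confirm before changing.
 *
 * @param authorization - content HTTP Header Authorization
 * @return response message as JSON
 */
@POST
@Produces({ MediaType.APPLICATION_JSON + ";charset=UTF-8" })
@Path("/login")
public Response authorize(@DefaultValue("") @HeaderParam("Authorization") String authorization) {
    String userPwd = null;
    JWK clientPubKey = null;
    if (authorization.startsWith("Basic ")) {
        userPwd = decodeBasicCredentials(authorization.substring(6).trim());
    } else if (authorization.startsWith(HEADER_PREFIX_BEARER)) {
        String loginToken = authorization.substring(7).trim();
        userPwd = MCRJSONWebTokenUtil.retrieveUsernamePasswordFromLoginToken(loginToken);
        clientPubKey = MCRJSONWebTokenUtil.retrievePublicKeyFromLoginToken(loginToken);
    }

    // "user:password" — split at the FIRST colon so that passwords may contain colons (RFC 7617).
    String username = null;
    String password = null;
    if (userPwd != null) {
        int splitPos = userPwd.indexOf(':');
        if (splitPos >= 0) {
            username = userPwd.substring(0, splitPos);
            password = userPwd.substring(splitPos + 1);
        }
    }

    // validate username and password
    if (username != null && password != null && MCRUserManager.checkPassword(username, password) != null) {
        SignedJWT jwt = MCRJSONWebTokenUtil.createJWT(username, Collections.singletonList("restapi"),
            MCRFrontendUtil.getBaseURL(), clientPubKey);
        if (jwt != null) {
            // Compact JWS serialization is base64url segments joined by dots, so it needs no JSON escaping.
            String serialized = jwt.serialize();
            String msg = "{" + "\n \"login_successful\":true," + "\n \"access_token\": \"" + serialized + "\","
                + "\n \"token_type\": \"Bearer\"" + "\n}";
            return Response.ok(msg).type("application/json; charset=UTF-8")
                .header(HEADER_NAME_AUTHORIZATION, HEADER_PREFIX_BEARER + serialized).build();
        }
    }
    // Fixed: the original body lacked the comma between "error" and "error_description" and was not valid JSON.
    String msg = "{" + "\n \"login_successful\":false," + "\n \"error\": \"login_failed\","
        + "\n \"error_description\": "
        + "\"Login failed. Please provider proper user name and password via HTTP Basic Authentication.\"" + "\n}";
    return Response.status(Status.FORBIDDEN).header("WWW-Authenticate", "Basic realm=\"MyCoRe REST API\"")
        .entity(msg).type("application/json; charset=UTF-8").build();
}

/**
 * Decodes the base64 payload of an HTTP Basic {@code Authorization} header.
 *
 * @param encoded the header value after the {@code "Basic "} prefix, already trimmed
 * @return the decoded {@code user:password} string (ISO-8859-1), or {@code null} if the payload is not valid
 *         base64 — the decoder's IllegalArgumentException previously escaped as an unhandled server error
 *         instead of a failed login
 */
private static String decodeBasicCredentials(String encoded) {
    try {
        byte[] raw = Base64.getDecoder().decode(encoded.getBytes(StandardCharsets.ISO_8859_1));
        return new String(raw, StandardCharsets.ISO_8859_1);
    } catch (IllegalArgumentException e) {
        return null;
    }
}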