Example 1 with JWKSelector
use of com.nimbusds.jose.jwk.JWKSelector in project spring-security by spring-projects.
the class JwtDecoderProviderConfigurationUtils method getJWSAlgorithms.
static <C extends SecurityContext> Set<JWSAlgorithm> getJWSAlgorithms(JWKSource<C> jwkSource) {
JWKMatcher jwkMatcher = new JWKMatcher.Builder().publicOnly(true).keyUses(KeyUse.SIGNATURE, null).keyTypes(KeyType.RSA, KeyType.EC).build();
Set<JWSAlgorithm> jwsAlgorithms = new HashSet<>();
try {
List<? extends JWK> jwks = jwkSource.get(new JWKSelector(jwkMatcher), null);
for (JWK jwk : jwks) {
if (jwk.getAlgorithm() != null) {
JWSAlgorithm jwsAlgorithm = JWSAlgorithm.parse(jwk.getAlgorithm().getName());
jwsAlgorithms.add(jwsAlgorithm);
} else {
if (jwk.getKeyType() == KeyType.RSA) {
jwsAlgorithms.addAll(JWSAlgorithm.Family.RSA);
} else if (jwk.getKeyType() == KeyType.EC) {
jwsAlgorithms.addAll(JWSAlgorithm.Family.EC);
}
}
}
} catch (KeySourceException ex) {
throw new IllegalStateException(ex);
}
Assert.notEmpty(jwsAlgorithms, "Failed to find any algorithms from the JWK set");
return jwsAlgorithms;
}
Also used :
JWKSelector(com.nimbusds.jose.jwk.JWKSelector)
UriComponentsBuilder(org.springframework.web.util.UriComponentsBuilder)
JWSAlgorithm(com.nimbusds.jose.JWSAlgorithm)
KeySourceException(com.nimbusds.jose.KeySourceException)
JWKMatcher(com.nimbusds.jose.jwk.JWKMatcher)
HashSet(java.util.HashSet)
JWK(com.nimbusds.jose.jwk.JWK)
Example 2 with JWKSelector
use of com.nimbusds.jose.jwk.JWKSelector in project spring-security by spring-projects.
the class NimbusJwtEncoder method selectJwk.
private JWK selectJwk(JwsHeader headers) {
List<JWK> jwks;
try {
JWKSelector jwkSelector = new JWKSelector(createJwkMatcher(headers));
jwks = this.jwkSource.get(jwkSelector, null);
} catch (Exception ex) {
throw new JwtEncodingException(String.format(ENCODING_ERROR_MESSAGE_TEMPLATE, "Failed to select a JWK signing key -> " + ex.getMessage()), ex);
}
if (jwks.size() > 1) {
throw new JwtEncodingException(String.format(ENCODING_ERROR_MESSAGE_TEMPLATE, "Found multiple JWK signing keys for algorithm '" + headers.getAlgorithm().getName() + "'"));
}
if (jwks.isEmpty()) {
throw new JwtEncodingException(String.format(ENCODING_ERROR_MESSAGE_TEMPLATE, "Failed to select a JWK signing key"));
}
return jwks.get(0);
}
Also used :
JWKSelector(com.nimbusds.jose.jwk.JWKSelector)
JOSEException(com.nimbusds.jose.JOSEException)
JWK(com.nimbusds.jose.jwk.JWK)
Example 3 with JWKSelector
use of com.nimbusds.jose.jwk.JWKSelector in project spring-security by spring-projects.
the class NimbusJwtEncoderTests method encodeWhenKeysRotatedThenNewKeyUsed.
@Test
public void encodeWhenKeysRotatedThenNewKeyUsed() throws Exception {
TestJWKSource jwkSource = new TestJWKSource();
JWKSource<SecurityContext> jwkSourceDelegate = spy(new JWKSource<SecurityContext>() {
@Override
public List<JWK> get(JWKSelector jwkSelector, SecurityContext context) {
return jwkSource.get(jwkSelector, context);
}
});
NimbusJwtEncoder jwtEncoder = new NimbusJwtEncoder(jwkSourceDelegate);
JwkListResultCaptor jwkListResultCaptor = new JwkListResultCaptor();
willAnswer(jwkListResultCaptor).given(jwkSourceDelegate).get(any(), any());
JwsHeader jwsHeader = JwsHeader.with(SignatureAlgorithm.RS256).build();
JwtClaimsSet jwtClaimsSet = TestJwtClaimsSets.jwtClaimsSet().build();
Jwt encodedJws = jwtEncoder.encode(JwtEncoderParameters.from(jwsHeader, jwtClaimsSet));
JWK jwk1 = jwkListResultCaptor.getResult().get(0);
NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withPublicKey(((RSAKey) jwk1).toRSAPublicKey()).build();
jwtDecoder.decode(encodedJws.getTokenValue());
// Simulate key rotation
jwkSource.rotate();
encodedJws = jwtEncoder.encode(JwtEncoderParameters.from(jwsHeader, jwtClaimsSet));
JWK jwk2 = jwkListResultCaptor.getResult().get(0);
jwtDecoder = NimbusJwtDecoder.withPublicKey(((RSAKey) jwk2).toRSAPublicKey()).build();
jwtDecoder.decode(encodedJws.getTokenValue());
assertThat(jwk1.getKeyID()).isNotEqualTo(jwk2.getKeyID());
}
Also used :
JWKSelector(com.nimbusds.jose.jwk.JWKSelector)
RSAKey(com.nimbusds.jose.jwk.RSAKey)
SecurityContext(com.nimbusds.jose.proc.SecurityContext)
ArrayList(java.util.ArrayList)
List(java.util.List)
JWK(com.nimbusds.jose.jwk.JWK)
Test(org.junit.jupiter.api.Test)
Example 4 with JWKSelector
use of com.nimbusds.jose.jwk.JWKSelector in project dhis2-core by dhis2.
the class JwtUtils method jwkSource.
public JWKSource<SecurityContext> jwkSource() {
RSAKey rsaKey = Jwks.generateRsa();
JWKSet jwkSet = new JWKSet(rsaKey);
return (jwkSelector, securityContext) -> jwkSelector.select(jwkSet);
}
Also used :
SecurityContext(com.nimbusds.jose.proc.SecurityContext)
JWKSelector(com.nimbusds.jose.jwk.JWKSelector)
URL(java.net.URL)
Date(java.util.Date)
JOSEException(com.nimbusds.jose.JOSEException)
JWTClaimsSet(com.nimbusds.jwt.JWTClaimsSet)
JWKSet(com.nimbusds.jose.jwk.JWKSet)
JWSSignerFactory(com.nimbusds.jose.produce.JWSSignerFactory)
Map(java.util.Map)
Base64URL(com.nimbusds.jose.util.Base64URL)
Jwt(org.springframework.security.oauth2.jwt.Jwt)
Base64(com.nimbusds.jose.util.Base64)
Converter(org.springframework.core.convert.converter.Converter)
JWKSource(com.nimbusds.jose.jwk.source.JWKSource)
DefaultJWSSignerFactory(com.nimbusds.jose.crypto.factories.DefaultJWSSignerFactory)
ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap)
Set(java.util.Set)
JWSAlgorithm(com.nimbusds.jose.JWSAlgorithm)
UUID(java.util.UUID)
Instant(java.time.Instant)
Collectors(java.util.stream.Collectors)
JWSHeader(com.nimbusds.jose.JWSHeader)
SignedJWT(com.nimbusds.jwt.SignedJWT)
JWK(com.nimbusds.jose.jwk.JWK)
KeySourceException(com.nimbusds.jose.KeySourceException)
List(java.util.List)
JWSSigner(com.nimbusds.jose.JWSSigner)
RSAKey(com.nimbusds.jose.jwk.RSAKey)
JSONObject(net.minidev.json.JSONObject)
CollectionUtils(org.springframework.util.CollectionUtils)
JOSEObjectType(com.nimbusds.jose.JOSEObjectType)
JWKMatcher(com.nimbusds.jose.jwk.JWKMatcher)
Assert(org.springframework.util.Assert)
StringUtils(org.springframework.util.StringUtils)
RSAKey(com.nimbusds.jose.jwk.RSAKey)
JWKSet(com.nimbusds.jose.jwk.JWKSet)
Example 5 with JWKSelector
use of com.nimbusds.jose.jwk.JWKSelector in project dhis2-core by dhis2.
the class JwtUtils method selectJwk.
private JWK selectJwk(JoseHeader headers) {
JWSAlgorithm jwsAlgorithm = JWSAlgorithm.parse(headers.getJwsAlgorithm().getName());
JWSHeader jwsHeader = new JWSHeader(jwsAlgorithm);
JWKSelector jwkSelector = new JWKSelector(JWKMatcher.forJWSHeader(jwsHeader));
List<JWK> jwks;
try {
jwks = this.jwkSource.get(jwkSelector, null);
} catch (KeySourceException ex) {
throw new JwtEncodingException(String.format(ENCODING_ERROR_MESSAGE_TEMPLATE, "Failed to select a JWK signing key -> " + ex.getMessage()), ex);
}
if (jwks.size() > 1) {
throw new JwtEncodingException(String.format(ENCODING_ERROR_MESSAGE_TEMPLATE, "Found multiple JWK signing keys for algorithm '" + jwsAlgorithm.getName() + "'"));
}
return !jwks.isEmpty() ? jwks.get(0) : null;
}
Also used :
JWKSelector(com.nimbusds.jose.jwk.JWKSelector)
JWSAlgorithm(com.nimbusds.jose.JWSAlgorithm)
JWSHeader(com.nimbusds.jose.JWSHeader)
KeySourceException(com.nimbusds.jose.KeySourceException)
JWK(com.nimbusds.jose.jwk.JWK)
Aggregations
JWKSelector (com.nimbusds.jose.jwk.JWKSelector)6
JWK (com.nimbusds.jose.jwk.JWK)5
JWSAlgorithm (com.nimbusds.jose.JWSAlgorithm)3
KeySourceException (com.nimbusds.jose.KeySourceException)3
JOSEException (com.nimbusds.jose.JOSEException)2
JWSHeader (com.nimbusds.jose.JWSHeader)2
JWKMatcher (com.nimbusds.jose.jwk.JWKMatcher)2
RSAKey (com.nimbusds.jose.jwk.RSAKey)2
SecurityContext (com.nimbusds.jose.proc.SecurityContext)2
List (java.util.List)2
JOSEObjectType (com.nimbusds.jose.JOSEObjectType)1
JWSSigner (com.nimbusds.jose.JWSSigner)1
DefaultJWSSignerFactory (com.nimbusds.jose.crypto.factories.DefaultJWSSignerFactory)1
JWKSet (com.nimbusds.jose.jwk.JWKSet)1
JWKSource (com.nimbusds.jose.jwk.source.JWKSource)1
JWSSignerFactory (com.nimbusds.jose.produce.JWSSignerFactory)1
Base64 (com.nimbusds.jose.util.Base64)1
Base64URL (com.nimbusds.jose.util.Base64URL)1
JWTClaimsSet (com.nimbusds.jwt.JWTClaimsSet)1
SignedJWT (com.nimbusds.jwt.SignedJWT)1
