
Example 1 with JWKSet

use of com.nimbusds.jose.jwk.JWKSet in project java-docs-samples by GoogleCloudPlatform.

In class VerifyIapRequestHeader, method getKey:

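/**
 * Resolves the EC public key identified by {@code kid} from the cached IAP key set.
 *
 * <p>On a cache miss the whole key set is reloaded from {@code PUBLIC_KEY_VERIFICATION_URL}
 * and every key in it is cached by key ID. A key is returned only when it is an EC key
 * whose declared {@code alg} equals the requested one; in every other case the result is
 * {@code null}, so a token signed with an unknown key, a key of another type, or a key
 * whose algorithm does not match the token header is rejected by the caller.
 *
 * @param kid the key ID taken from the token header
 * @param alg the JWS algorithm name the token claims to be signed with
 * @return the matching EC public key, or {@code null} if no acceptable key exists
 * @throws Exception if the key set cannot be loaded or the key cannot be converted
 */
private ECPublicKey getKey(String kid, String alg) throws Exception {
    JWK jwk = keyCache.get(kid);
    if (jwk == null) {
        // Cache miss: reload the key set and refresh every entry by key ID.
        // NOTE(review): kid comes from the token header, so every unknown kid costs a
        // network round-trip here — consider throttling refreshes if this path is
        // reachable by untrusted callers.
        JWKSet jwkSet = JWKSet.load(new URL(PUBLIC_KEY_VERIFICATION_URL));
        for (JWK key : jwkSet.getKeys()) {
            keyCache.put(key.getKeyID(), key);
        }
        jwk = keyCache.get(kid);
    }
    if (jwk == null) {
        return null;
    }
    // "alg" is optional in a JWK: a key without it must not match, and must not NPE.
    if (jwk.getAlgorithm() == null || !jwk.getAlgorithm().getName().equals(alg)) {
        return null;
    }
    // Only an EC key can yield an ECPublicKey; reject other key types instead of
    // letting ECKey.parse fail on a non-EC JSON document.
    if (!(jwk instanceof ECKey)) {
        return null;
    }
    return ((ECKey) jwk).toECPublicKey();
}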

Example 2 with JWKSet

use of com.nimbusds.jose.jwk.JWKSet in project spring-security by spring-projects.

In class NimbusJwtClientAuthenticationParametersConverter, method convert:

/**
 * Builds the {@code client_assertion_type} / {@code client_assertion} request parameters
 * for a client registration that authenticates with {@code private_key_jwt} or
 * {@code client_secret_jwt}. For any other client authentication method the converter
 * contributes nothing and returns {@code null}.
 *
 * <p>The assertion is a JWS whose claims are {@code iss} and {@code sub} = client ID,
 * {@code aud} = the provider's token URI, a random {@code jti}, and an {@code iat}/{@code exp}
 * window of 60 seconds. The encoder is cached per registration ID and rebuilt whenever the
 * resolved JWK changes.
 *
 * @param authorizationGrantRequest the grant request carrying the client registration
 * @return the assertion parameters, or {@code null} if the registration does not use a JWT
 *         client assertion
 * @throws OAuth2AuthorizationException if no signing JWK can be resolved for the
 *         registration, or the JWK carries no usable JWS algorithm
 */
@Override
public MultiValueMap<String, String> convert(T authorizationGrantRequest) {
    Assert.notNull(authorizationGrantRequest, "authorizationGrantRequest cannot be null");
    ClientRegistration registration = authorizationGrantRequest.getClientRegistration();
    ClientAuthenticationMethod method = registration.getClientAuthenticationMethod();
    boolean usesJwtAssertion = ClientAuthenticationMethod.PRIVATE_KEY_JWT.equals(method)
            || ClientAuthenticationMethod.CLIENT_SECRET_JWT.equals(method);
    if (!usesJwtAssertion) {
        return null;
    }
    String registrationId = registration.getRegistrationId();
    JWK jwk = this.jwkResolver.apply(registration);
    if (jwk == null) {
        throw new OAuth2AuthorizationException(new OAuth2Error(INVALID_KEY_ERROR_CODE,
                "Failed to resolve JWK signing key for client registration '" + registrationId + "'.", null));
    }
    JwsAlgorithm jwsAlgorithm = resolveAlgorithm(jwk);
    if (jwsAlgorithm == null) {
        throw new OAuth2AuthorizationException(new OAuth2Error(INVALID_ALGORITHM_ERROR_CODE,
                "Unable to resolve JWS (signing) algorithm from JWK associated to client registration '" + registrationId + "'.", null));
    }
    Instant issuedAt = Instant.now();
    String clientId = registration.getClientId();
    String tokenUri = registration.getProviderDetails().getTokenUri();
    // Short-lived, single-use assertion: fresh jti per call, 60-second validity window.
    JwtClaimsSet claims = JwtClaimsSet.builder()
            .issuer(clientId)
            .subject(clientId)
            .audience(Collections.singletonList(tokenUri))
            .id(UUID.randomUUID().toString())
            .issuedAt(issuedAt)
            .expiresAt(issuedAt.plus(Duration.ofSeconds(60)))
            .build();
    JwsHeader header = JwsHeader.with(jwsAlgorithm).build();
    // Reuse the cached encoder only while the resolved JWK is unchanged; a rotated key
    // replaces the holder atomically inside compute().
    JwsEncoderHolder holder = this.jwsEncoders.compute(registrationId, (id, existing) -> {
        boolean reusable = existing != null && existing.getJwk().equals(jwk);
        if (reusable) {
            return existing;
        }
        JWKSource<SecurityContext> source = new ImmutableJWKSet<>(new JWKSet(jwk));
        return new JwsEncoderHolder(new NimbusJwtEncoder(source), jwk);
    });
    JwtEncoder encoder = holder.getJwsEncoder();
    Jwt assertion = encoder.encode(JwtEncoderParameters.from(header, claims));
    MultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
    parameters.set(OAuth2ParameterNames.CLIENT_ASSERTION_TYPE, CLIENT_ASSERTION_TYPE_VALUE);
    parameters.set(OAuth2ParameterNames.CLIENT_ASSERTION, assertion.getTokenValue());
    return parameters;
}

Example 3 with JWKSet

use of com.nimbusds.jose.jwk.JWKSet in project dhis2-core by dhis2.

In class JwtBearerTokenTest, method setUpClass:

/**
 * One-time fixture setup: clears the API context path, and wires an encoder and a decoder
 * to the same static {@code RSA_KEY} so tokens minted in the tests verify against the
 * matching public key.
 *
 * @throws JOSEException if the RSA JWK cannot be converted to a public key
 */
@BeforeAll
static void setUpClass() throws JOSEException {
    DhisWebApiWebSecurityConfig.setApiContextPath("");
    // Single-key source: every selection is answered from a set holding only RSA_KEY.
    JWKSource<SecurityContext> singleKeySource = (selector, context) -> {
        JWKSet candidates = new JWKSet(ImmutableList.of(RSA_KEY));
        return selector.select(candidates);
    };
    jwsEncoder = new JwtUtils(singleKeySource);
    jwtDecoder = NimbusJwtDecoder.withPublicKey(RSA_KEY.toRSAPublicKey()).build();
}

Example 4 with JWKSet

use of com.nimbusds.jose.jwk.JWKSet in project dhis2-core by dhis2.

In class JwtUtils, method jwkSource:

/**
 * Creates a key source backed by a single, freshly generated RSA key.
 *
 * <p>Each invocation generates a new key, so two sources obtained from separate calls do
 * not share key material; keep one source per signer/verifier pair.
 *
 * @return a source that answers every selection from the one-key set
 */
public JWKSource<SecurityContext> jwkSource() {
    JWKSet singleKeySet = new JWKSet(Jwks.generateRsa());
    return (selector, context) -> selector.select(singleKeySet);
}

Example 5 with JWKSet

use of com.nimbusds.jose.jwk.JWKSet in project SEPA by arces-wot.

In class AuthorizationManager, method init:

/**
 * Initialises the signing and verification machinery from one RSA key pair in the key store.
 *
 * <p>Side effects: sets the {@code signer}, {@code verifier}, {@code jwkPublicKey} and
 * {@code jwtProcessor} fields. The processor is pinned to {@code RS256} and to this single
 * key, so tokens signed with another key or algorithm will not verify.
 *
 * @param keyStore the store holding the RSA key pair
 * @param keyAlias alias of the key pair inside the store
 * @param keyPwd   password protecting the key entry; it is passed as a String and so cannot
 *                 be cleared from memory after use
 * @return always {@code true}; failures surface as exceptions
 * @throws KeyStoreException if the key cannot be read from the store
 * @throws JOSEException     if the key cannot be converted to its RSA form
 */
private boolean init(KeyStore keyStore, String keyAlias, String keyPwd) throws KeyStoreException, JOSEException {
    RSAKey keyPair = RSAKey.load(keyStore, keyAlias, keyPwd.toCharArray());
    RSAPrivateKey signingKey = keyPair.toRSAPrivateKey();
    RSAPublicKey verificationKey = keyPair.toRSAPublicKey();
    signer = new RSASSASigner(signingKey);
    verifier = new RSASSAVerifier(verificationKey);
    // Only the public half is serialised for delivery to registering clients.
    jwkPublicKey = new JsonParser().parse(keyPair.toPublicJWK().toJSONString());
    // Processor that checks each token's signature against this key with RS256 and,
    // per the original author's note, its validity window ("iat", "nbf", "exp").
    JWKSet trustedKeys = new JWKSet(keyPair);
    JWKSource<SEPASecurityContext> keySource = new ImmutableJWKSet<SEPASecurityContext>(trustedKeys);
    JWSKeySelector<SEPASecurityContext> keySelector = new JWSVerificationKeySelector<SEPASecurityContext>(JWSAlgorithm.RS256, keySource);
    jwtProcessor = new DefaultJWTProcessor<SEPASecurityContext>();
    jwtProcessor.setJWSKeySelector(keySelector);
    return true;
}
