use of com.nimbusds.jose.jwk.RSAKey in project spring-security by spring-projects.
the class NimbusJwtClientAuthenticationParametersConverterTests method convertWhenPrivateKeyJwtClientAuthenticationMethodThenCustomized.
@Test
public void convertWhenPrivateKeyJwtClientAuthenticationMethodThenCustomized() throws Exception {
RSAKey rsaJwk = TestJwks.DEFAULT_RSA_JWK;
given(this.jwkResolver.apply(any())).willReturn(rsaJwk);
// @formatter:off
ClientRegistration clientRegistration = TestClientRegistrations.clientCredentials().clientAuthenticationMethod(ClientAuthenticationMethod.PRIVATE_KEY_JWT).build();
// @formatter:on
OAuth2ClientCredentialsGrantRequest clientCredentialsGrantRequest = new OAuth2ClientCredentialsGrantRequest(clientRegistration);
MultiValueMap<String, String> parameters = this.converter.convert(clientCredentialsGrantRequest);
assertThat(parameters.getFirst(OAuth2ParameterNames.CLIENT_ASSERTION_TYPE)).isEqualTo("urn:ietf:params:oauth:client-assertion-type:jwt-bearer");
String encodedJws = parameters.getFirst(OAuth2ParameterNames.CLIENT_ASSERTION);
assertThat(encodedJws).isNotNull();
NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withPublicKey(rsaJwk.toRSAPublicKey()).build();
Jwt jws = jwtDecoder.decode(encodedJws);
assertThat(jws.getHeaders().get(JoseHeaderNames.ALG)).isEqualTo(SignatureAlgorithm.RS256.getName());
assertThat(jws.getHeaders().get(JoseHeaderNames.KID)).isEqualTo(rsaJwk.getKeyID());
assertThat(jws.<String>getClaim(JwtClaimNames.ISS)).isEqualTo(clientRegistration.getClientId());
assertThat(jws.getSubject()).isEqualTo(clientRegistration.getClientId());
assertThat(jws.getAudience()).isEqualTo(Collections.singletonList(clientRegistration.getProviderDetails().getTokenUri()));
assertThat(jws.getId()).isNotNull();
assertThat(jws.getIssuedAt()).isNotNull();
assertThat(jws.getExpiresAt()).isNotNull();
}
use of com.nimbusds.jose.jwk.RSAKey in project spring-security by spring-projects.
the class NimbusJwtClientAuthenticationParametersConverterTests method convertWhenClientKeyChangesThenNewKeyUsed.
// gh-9814
@Test
public void convertWhenClientKeyChangesThenNewKeyUsed() throws Exception {
// @formatter:off
ClientRegistration clientRegistration = TestClientRegistrations.clientCredentials().clientAuthenticationMethod(ClientAuthenticationMethod.PRIVATE_KEY_JWT).build();
// @formatter:on
RSAKey rsaJwk1 = TestJwks.DEFAULT_RSA_JWK;
given(this.jwkResolver.apply(eq(clientRegistration))).willReturn(rsaJwk1);
OAuth2ClientCredentialsGrantRequest clientCredentialsGrantRequest = new OAuth2ClientCredentialsGrantRequest(clientRegistration);
MultiValueMap<String, String> parameters = this.converter.convert(clientCredentialsGrantRequest);
String encodedJws = parameters.getFirst(OAuth2ParameterNames.CLIENT_ASSERTION);
NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withPublicKey(rsaJwk1.toRSAPublicKey()).build();
jwtDecoder.decode(encodedJws);
RSAKey rsaJwk2 = generateRsaJwk();
given(this.jwkResolver.apply(eq(clientRegistration))).willReturn(rsaJwk2);
parameters = this.converter.convert(clientCredentialsGrantRequest);
encodedJws = parameters.getFirst(OAuth2ParameterNames.CLIENT_ASSERTION);
jwtDecoder = NimbusJwtDecoder.withPublicKey(rsaJwk2.toRSAPublicKey()).build();
jwtDecoder.decode(encodedJws);
}
use of com.nimbusds.jose.jwk.RSAKey in project spring-security by spring-projects.
the class NimbusJwtEncoderTests method encodeWhenJwkSelectWithProvidedKidThenSelected.
@Test
public void encodeWhenJwkSelectWithProvidedKidThenSelected() {
// @formatter:off
RSAKey rsaJwk1 = TestJwks.jwk(TestKeys.DEFAULT_PUBLIC_KEY, TestKeys.DEFAULT_PRIVATE_KEY).keyID("rsa-jwk-1").build();
this.jwkList.add(rsaJwk1);
RSAKey rsaJwk2 = TestJwks.jwk(TestKeys.DEFAULT_PUBLIC_KEY, TestKeys.DEFAULT_PRIVATE_KEY).keyID("rsa-jwk-2").build();
this.jwkList.add(rsaJwk2);
// @formatter:on
JwsHeader jwsHeader = JwsHeader.with(SignatureAlgorithm.RS256).keyId(rsaJwk2.getKeyID()).build();
JwtClaimsSet jwtClaimsSet = TestJwtClaimsSets.jwtClaimsSet().build();
Jwt encodedJws = this.jwtEncoder.encode(JwtEncoderParameters.from(jwsHeader, jwtClaimsSet));
assertThat(encodedJws.getHeaders().get(JoseHeaderNames.KID)).isEqualTo(rsaJwk2.getKeyID());
}
use of com.nimbusds.jose.jwk.RSAKey in project spring-security by spring-projects.
the class NimbusJwtEncoderTests method encodeWhenKeysRotatedThenNewKeyUsed.
@Test
public void encodeWhenKeysRotatedThenNewKeyUsed() throws Exception {
TestJWKSource jwkSource = new TestJWKSource();
JWKSource<SecurityContext> jwkSourceDelegate = spy(new JWKSource<SecurityContext>() {
@Override
public List<JWK> get(JWKSelector jwkSelector, SecurityContext context) {
return jwkSource.get(jwkSelector, context);
}
});
NimbusJwtEncoder jwtEncoder = new NimbusJwtEncoder(jwkSourceDelegate);
JwkListResultCaptor jwkListResultCaptor = new JwkListResultCaptor();
willAnswer(jwkListResultCaptor).given(jwkSourceDelegate).get(any(), any());
JwsHeader jwsHeader = JwsHeader.with(SignatureAlgorithm.RS256).build();
JwtClaimsSet jwtClaimsSet = TestJwtClaimsSets.jwtClaimsSet().build();
Jwt encodedJws = jwtEncoder.encode(JwtEncoderParameters.from(jwsHeader, jwtClaimsSet));
JWK jwk1 = jwkListResultCaptor.getResult().get(0);
NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withPublicKey(((RSAKey) jwk1).toRSAPublicKey()).build();
jwtDecoder.decode(encodedJws.getTokenValue());
// Simulate key rotation
jwkSource.rotate();
encodedJws = jwtEncoder.encode(JwtEncoderParameters.from(jwsHeader, jwtClaimsSet));
JWK jwk2 = jwkListResultCaptor.getResult().get(0);
jwtDecoder = NimbusJwtDecoder.withPublicKey(((RSAKey) jwk2).toRSAPublicKey()).build();
jwtDecoder.decode(encodedJws.getTokenValue());
assertThat(jwk1.getKeyID()).isNotEqualTo(jwk2.getKeyID());
}
use of com.nimbusds.jose.jwk.RSAKey in project spring-security by spring-projects.
the class NimbusJwtEncoderTests method encodeWhenJwkSelectWithProvidedX5TS256ThenSelected.
@Test
public void encodeWhenJwkSelectWithProvidedX5TS256ThenSelected() {
// @formatter:off
RSAKey rsaJwk1 = TestJwks.jwk(TestKeys.DEFAULT_PUBLIC_KEY, TestKeys.DEFAULT_PRIVATE_KEY).x509CertSHA256Thumbprint(new Base64URL("x509CertSHA256Thumbprint-1")).keyID(null).build();
this.jwkList.add(rsaJwk1);
RSAKey rsaJwk2 = TestJwks.jwk(TestKeys.DEFAULT_PUBLIC_KEY, TestKeys.DEFAULT_PRIVATE_KEY).x509CertSHA256Thumbprint(new Base64URL("x509CertSHA256Thumbprint-2")).keyID(null).build();
this.jwkList.add(rsaJwk2);
// @formatter:on
JwsHeader jwsHeader = JwsHeader.with(SignatureAlgorithm.RS256).x509SHA256Thumbprint(rsaJwk1.getX509CertSHA256Thumbprint().toString()).build();
JwtClaimsSet jwtClaimsSet = TestJwtClaimsSets.jwtClaimsSet().build();
Jwt encodedJws = this.jwtEncoder.encode(JwtEncoderParameters.from(jwsHeader, jwtClaimsSet));
assertThat(encodedJws.getHeaders().get(JoseHeaderNames.X5T_S256)).isEqualTo(rsaJwk1.getX509CertSHA256Thumbprint().toString());
assertThat(encodedJws.getHeaders().get(JoseHeaderNames.KID)).isNull();
}
Aggregations