Examples with ImmutableJWKSet - com.nimbusds.jose.jwk.source.ImmutableJWKSet

Example 1 with ImmutableJWKSet

use of com.nimbusds.jose.jwk.source.ImmutableJWKSet in project spring-security by spring-projects.

the class NimbusJwtClientAuthenticationParametersConverter method convert.

@Override
public MultiValueMap<String, String> convert(T authorizationGrantRequest) {
    Assert.notNull(authorizationGrantRequest, "authorizationGrantRequest cannot be null");
    ClientRegistration clientRegistration = authorizationGrantRequest.getClientRegistration();
    if (!ClientAuthenticationMethod.PRIVATE_KEY_JWT.equals(clientRegistration.getClientAuthenticationMethod()) && !ClientAuthenticationMethod.CLIENT_SECRET_JWT.equals(clientRegistration.getClientAuthenticationMethod())) {
        return null;
    }
    JWK jwk = this.jwkResolver.apply(clientRegistration);
    if (jwk == null) {
        OAuth2Error oauth2Error = new OAuth2Error(INVALID_KEY_ERROR_CODE, "Failed to resolve JWK signing key for client registration '" + clientRegistration.getRegistrationId() + "'.", null);
        throw new OAuth2AuthorizationException(oauth2Error);
    }
    JwsAlgorithm jwsAlgorithm = resolveAlgorithm(jwk);
    if (jwsAlgorithm == null) {
        OAuth2Error oauth2Error = new OAuth2Error(INVALID_ALGORITHM_ERROR_CODE, "Unable to resolve JWS (signing) algorithm from JWK associated to client registration '" + clientRegistration.getRegistrationId() + "'.", null);
        throw new OAuth2AuthorizationException(oauth2Error);
    }
    JwsHeader.Builder headersBuilder = JwsHeader.with(jwsAlgorithm);
    Instant issuedAt = Instant.now();
    Instant expiresAt = issuedAt.plus(Duration.ofSeconds(60));
    // @formatter:off
    JwtClaimsSet.Builder claimsBuilder = JwtClaimsSet.builder().issuer(clientRegistration.getClientId()).subject(clientRegistration.getClientId()).audience(Collections.singletonList(clientRegistration.getProviderDetails().getTokenUri())).id(UUID.randomUUID().toString()).issuedAt(issuedAt).expiresAt(expiresAt);
    // @formatter:on
    JwsHeader jwsHeader = headersBuilder.build();
    JwtClaimsSet jwtClaimsSet = claimsBuilder.build();
    JwsEncoderHolder jwsEncoderHolder = this.jwsEncoders.compute(clientRegistration.getRegistrationId(), (clientRegistrationId, currentJwsEncoderHolder) -> {
        if (currentJwsEncoderHolder != null && currentJwsEncoderHolder.getJwk().equals(jwk)) {
            return currentJwsEncoderHolder;
        }
        JWKSource<SecurityContext> jwkSource = new ImmutableJWKSet<>(new JWKSet(jwk));
        return new JwsEncoderHolder(new NimbusJwtEncoder(jwkSource), jwk);
    });
    JwtEncoder jwsEncoder = jwsEncoderHolder.getJwsEncoder();
    Jwt jws = jwsEncoder.encode(JwtEncoderParameters.from(jwsHeader, jwtClaimsSet));
    MultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
    parameters.set(OAuth2ParameterNames.CLIENT_ASSERTION_TYPE, CLIENT_ASSERTION_TYPE_VALUE);
    parameters.set(OAuth2ParameterNames.CLIENT_ASSERTION, jws.getTokenValue());
    return parameters;
}

Also used : OAuth2AuthorizationException(org.springframework.security.oauth2.core.OAuth2AuthorizationException) JwsAlgorithm(org.springframework.security.oauth2.jose.jws.JwsAlgorithm) LinkedMultiValueMap(org.springframework.util.LinkedMultiValueMap) Jwt(org.springframework.security.oauth2.jwt.Jwt) Instant(java.time.Instant) OAuth2Error(org.springframework.security.oauth2.core.OAuth2Error) JwsHeader(org.springframework.security.oauth2.jwt.JwsHeader) JwtEncoder(org.springframework.security.oauth2.jwt.JwtEncoder) NimbusJwtEncoder(org.springframework.security.oauth2.jwt.NimbusJwtEncoder) ImmutableJWKSet(com.nimbusds.jose.jwk.source.ImmutableJWKSet) JwtClaimsSet(org.springframework.security.oauth2.jwt.JwtClaimsSet) NimbusJwtEncoder(org.springframework.security.oauth2.jwt.NimbusJwtEncoder) ClientRegistration(org.springframework.security.oauth2.client.registration.ClientRegistration) JWKSet(com.nimbusds.jose.jwk.JWKSet) ImmutableJWKSet(com.nimbusds.jose.jwk.source.ImmutableJWKSet) SecurityContext(com.nimbusds.jose.proc.SecurityContext) JWK(com.nimbusds.jose.jwk.JWK)

Example 2 with ImmutableJWKSet

use of com.nimbusds.jose.jwk.source.ImmutableJWKSet in project SEPA by arces-wot.

the class AuthorizationManager method init.

private boolean init(KeyStore keyStore, String keyAlias, String keyPwd) throws KeyStoreException, JOSEException {
    // Load the key from the key store
    RSAKey jwk = RSAKey.load(keyStore, keyAlias, keyPwd.toCharArray());
    // Get the private and public keys to sign and verify
    RSAPrivateKey privateKey;
    RSAPublicKey publicKey;
    privateKey = jwk.toRSAPrivateKey();
    publicKey = jwk.toRSAPublicKey();
    // Create RSA-signer with the private key
    signer = new RSASSASigner(privateKey);
    // Create RSA-verifier with the public key
    verifier = new RSASSAVerifier(publicKey);
    // Serialize the public key to be deliverer during registration
    jwkPublicKey = new JsonParser().parse(jwk.toPublicJWK().toJSONString());
    // Set up a JWT processor to parse the tokens and then check their signature
    // and validity time window (bounded by the "iat", "nbf" and "exp" claims)
    jwtProcessor = new DefaultJWTProcessor<SEPASecurityContext>();
    JWKSet jws = new JWKSet(jwk);
    JWKSource<SEPASecurityContext> keySource = new ImmutableJWKSet<SEPASecurityContext>(jws);
    JWSAlgorithm expectedJWSAlg = JWSAlgorithm.RS256;
    JWSKeySelector<SEPASecurityContext> keySelector = new JWSVerificationKeySelector<SEPASecurityContext>(expectedJWSAlg, keySource);
    jwtProcessor.setJWSKeySelector(keySelector);
    return true;
}

Also used : RSAKey(com.nimbusds.jose.jwk.RSAKey) RSASSAVerifier(com.nimbusds.jose.crypto.RSASSAVerifier) ImmutableJWKSet(com.nimbusds.jose.jwk.source.ImmutableJWKSet) JWSAlgorithm(com.nimbusds.jose.JWSAlgorithm) JWSVerificationKeySelector(com.nimbusds.jose.proc.JWSVerificationKeySelector) RSAPublicKey(java.security.interfaces.RSAPublicKey) JWKSet(com.nimbusds.jose.jwk.JWKSet) ImmutableJWKSet(com.nimbusds.jose.jwk.source.ImmutableJWKSet) RSASSASigner(com.nimbusds.jose.crypto.RSASSASigner) RSAPrivateKey(java.security.interfaces.RSAPrivateKey) JsonParser(com.google.gson.JsonParser)

Aggregations

JWKSet (com.nimbusds.jose.jwk.JWKSet)2 ImmutableJWKSet (com.nimbusds.jose.jwk.source.ImmutableJWKSet)2 JsonParser (com.google.gson.JsonParser)1 JWSAlgorithm (com.nimbusds.jose.JWSAlgorithm)1 RSASSASigner (com.nimbusds.jose.crypto.RSASSASigner)1 RSASSAVerifier (com.nimbusds.jose.crypto.RSASSAVerifier)1 JWK (com.nimbusds.jose.jwk.JWK)1 RSAKey (com.nimbusds.jose.jwk.RSAKey)1 JWSVerificationKeySelector (com.nimbusds.jose.proc.JWSVerificationKeySelector)1 SecurityContext (com.nimbusds.jose.proc.SecurityContext)1 RSAPrivateKey (java.security.interfaces.RSAPrivateKey)1 RSAPublicKey (java.security.interfaces.RSAPublicKey)1 Instant (java.time.Instant)1 ClientRegistration (org.springframework.security.oauth2.client.registration.ClientRegistration)1 OAuth2AuthorizationException (org.springframework.security.oauth2.core.OAuth2AuthorizationException)1 OAuth2Error (org.springframework.security.oauth2.core.OAuth2Error)1 JwsAlgorithm (org.springframework.security.oauth2.jose.jws.JwsAlgorithm)1 JwsHeader (org.springframework.security.oauth2.jwt.JwsHeader)1 Jwt (org.springframework.security.oauth2.jwt.Jwt)1 JwtClaimsSet (org.springframework.security.oauth2.jwt.JwtClaimsSet)1