use of com.nimbusds.jose.util.DefaultResourceRetriever in project cas by apereo.
the class AmazonCognitoAuthenticationConfiguration method amazonCognitoAuthenticationJwtProcessor.
@ConditionalOnMissingBean(name = "amazonCognitoAuthenticationJwtProcessor")
@Bean
@RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
public ConfigurableJWTProcessor amazonCognitoAuthenticationJwtProcessor(final CasConfigurationProperties casProperties) throws Exception {
val cognito = casProperties.getAuthn().getCognito();
val resourceRetriever = new DefaultResourceRetriever((int) Beans.newDuration(cognito.getConnectionTimeout()).toMillis(), (int) Beans.newDuration(cognito.getSocketTimeout()).toMillis());
val region = StringUtils.defaultIfBlank(cognito.getRegion(), Region.AWS_GLOBAL.id());
val url = String.format("https://cognito-idp.%s.amazonaws.com/%s/.well-known/jwks.json", region, cognito.getUserPoolId());
val jwkSetURL = new URL(url);
val keySource = new RemoteJWKSet(jwkSetURL, resourceRetriever);
val jwtProcessor = new DefaultJWTProcessor();
val keySelector = new JWSVerificationKeySelector(JWSAlgorithm.RS256, keySource);
jwtProcessor.setJWSKeySelector(keySelector);
return jwtProcessor;
}
use of com.nimbusds.jose.util.DefaultResourceRetriever in project ddf by codice.
the class OidcTokenValidator method validateUserInfoIdToken.
/**
* Validates id tokens received from the userinfo endpoint.
*
* <ul>
* <li>If the ID token is not signed, validation is ignored
* <li>If the ID token is signed
* <ul>
* <li>If the userinfo signing algorithms are listed in the metadata, we use that
* information along with the header attributes to validate the token
* <li>If the userinfo signing algorithms are NOT listed in the metadata, we just use the
* header attributes to validate the token
* </ul>
*
* @param idToken - id token to validate
* @param resourceRetriever - resource retriever
* @param metadata - OIDC metadata
*/
public static void validateUserInfoIdToken(JWT idToken, ResourceRetriever resourceRetriever, OIDCProviderMetadata metadata) throws OidcValidationException {
if (metadata == null) {
LOGGER.debug("Oidc metadata is null. Unable to validate userinfo id token.");
return;
}
if (resourceRetriever == null) {
resourceRetriever = new DefaultResourceRetriever();
}
try {
if (!(idToken instanceof SignedJWT)) {
LOGGER.info("ID token received from the userinfo endpoint was not signed.");
return;
}
JWKSource jwkSource = new RemoteJWKSet(metadata.getJWKSetURI().toURL(), resourceRetriever);
SignedJWT signedJWT = ((SignedJWT) idToken);
JWSAlgorithm jwsAlgorithm = signedJWT.getHeader().getAlgorithm();
List<JWSAlgorithm> userInfoSigAlgList = metadata.getUserInfoJWSAlgs();
if (userInfoSigAlgList.isEmpty()) {
LOGGER.warn("A JWS algorithm was not listed in the OpenID Connect provider metadata. " + "Using JWS algorithm specified in the header.");
} else {
if (!userInfoSigAlgList.contains(jwsAlgorithm)) {
LOGGER.error("The signature algorithm of the id token do not match the expected ones.");
throw new OidcValidationException("The signature algorithm of the id token do not match the expected ones.");
}
}
JWSKeySelector jwsKeySelector = new JWSVerificationKeySelector(jwsAlgorithm, jwkSource);
JWSVerifierFactory jwsVerifierFactory = new DefaultJWSVerifierFactory();
List<? extends Key> keyCandidates = jwsKeySelector.selectJWSKeys(signedJWT.getHeader(), null);
if (keyCandidates == null || keyCandidates.isEmpty()) {
throw new OidcValidationException("Error Validating userinfo ID token. No matching key(s) found");
}
ListIterator<? extends Key> it = keyCandidates.listIterator();
while (it.hasNext()) {
JWSVerifier verifier = jwsVerifierFactory.createJWSVerifier(signedJWT.getHeader(), it.next());
if (verifier == null) {
continue;
}
final boolean validSignature = signedJWT.verify(verifier);
if (validSignature) {
return;
}
if (!it.hasNext()) {
throw new OidcValidationException("Error Validating userinfo ID token. Invalid signature");
}
}
throw new OidcValidationException("Error Validating userinfo ID token. No matching verifier(s) found");
} catch (Exception e) {
LOGGER.error(ID_VALIDATION_ERR_MSG, e);
throw new OidcValidationException(ID_VALIDATION_ERR_MSG, e);
}
}
Aggregations