Example 1 with DefaultResourceRetriever

Use of com.nimbusds.jose.util.DefaultResourceRetriever in the project cas by apereo.

From the class AmazonCognitoAuthenticationConfiguration, method amazonCognitoAuthenticationJwtProcessor:

@ConditionalOnMissingBean(name = "amazonCognitoAuthenticationJwtProcessor")
@Bean
@RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
public ConfigurableJWTProcessor amazonCognitoAuthenticationJwtProcessor(final CasConfigurationProperties casProperties) throws Exception {
    val cognito = casProperties.getAuthn().getCognito();
    val resourceRetriever = new DefaultResourceRetriever((int) Beans.newDuration(cognito.getConnectionTimeout()).toMillis(), (int) Beans.newDuration(cognito.getSocketTimeout()).toMillis());
    val region = StringUtils.defaultIfBlank(cognito.getRegion(), Region.AWS_GLOBAL.id());
    val url = String.format("https://cognito-idp.%s.amazonaws.com/%s/.well-known/jwks.json", region, cognito.getUserPoolId());
    val jwkSetURL = new URL(url);
    val keySource = new RemoteJWKSet(jwkSetURL, resourceRetriever);
    val jwtProcessor = new DefaultJWTProcessor();
    val keySelector = new JWSVerificationKeySelector(JWSAlgorithm.RS256, keySource);
    jwtProcessor.setJWSKeySelector(keySelector);
    return jwtProcessor;
}

Example 2 with DefaultResourceRetriever

Use of com.nimbusds.jose.util.DefaultResourceRetriever in the project ddf by codice.

From the class OidcTokenValidator, method validateUserInfoIdToken:

/**
 * Validates id tokens received from the userinfo endpoint.
 *
 * <ul>
 *   <li>If the ID token is not signed, validation is ignored
 *   <li>If the ID token is signed
 *       <ul>
 *         <li>If the userinfo signing algorithms are listed in the metadata, we use that
 *             information along with the header attributes to validate the token
 *         <li>If the userinfo signing algorithms are NOT listed in the metadata, we just use the
 *             header attributes to validate the token
 *       </ul>
 * </ul>
 *
 * @param idToken - id token to validate
 * @param resourceRetriever - resource retriever
 * @param metadata - OIDC metadata
 */
public static void validateUserInfoIdToken(JWT idToken, ResourceRetriever resourceRetriever, OIDCProviderMetadata metadata) throws OidcValidationException {
    if (metadata == null) {
        LOGGER.debug("Oidc metadata is null. Unable to validate userinfo id token.");
        return;
    }
    if (resourceRetriever == null) {
        resourceRetriever = new DefaultResourceRetriever();
    }
    try {
        if (!(idToken instanceof SignedJWT)) {
            LOGGER.info("ID token received from the userinfo endpoint was not signed.");
            return;
        }
        JWKSource jwkSource = new RemoteJWKSet(metadata.getJWKSetURI().toURL(), resourceRetriever);
        SignedJWT signedJWT = ((SignedJWT) idToken);
        JWSAlgorithm jwsAlgorithm = signedJWT.getHeader().getAlgorithm();
        List<JWSAlgorithm> userInfoSigAlgList = metadata.getUserInfoJWSAlgs();
        if (userInfoSigAlgList.isEmpty()) {
            LOGGER.warn("A JWS algorithm was not listed in the OpenID Connect provider metadata. " + "Using JWS algorithm specified in the header.");
        } else {
            if (!userInfoSigAlgList.contains(jwsAlgorithm)) {
                LOGGER.error("The signature algorithm of the id token does not match the expected ones.");
                throw new OidcValidationException("The signature algorithm of the id token does not match the expected ones.");
            }
        }
        JWSKeySelector jwsKeySelector = new JWSVerificationKeySelector(jwsAlgorithm, jwkSource);
        JWSVerifierFactory jwsVerifierFactory = new DefaultJWSVerifierFactory();
        List<? extends Key> keyCandidates = jwsKeySelector.selectJWSKeys(signedJWT.getHeader(), null);
        if (keyCandidates == null || keyCandidates.isEmpty()) {
            throw new OidcValidationException("Error Validating userinfo ID token. No matching key(s) found");
        }
        ListIterator<? extends Key> it = keyCandidates.listIterator();
        while (it.hasNext()) {
            JWSVerifier verifier = jwsVerifierFactory.createJWSVerifier(signedJWT.getHeader(), it.next());
            if (verifier == null) {
                continue;
            }
            final boolean validSignature = signedJWT.verify(verifier);
            if (validSignature) {
                return;
            }
            if (!it.hasNext()) {
                throw new OidcValidationException("Error Validating userinfo ID token. Invalid signature");
            }
        }
        throw new OidcValidationException("Error Validating userinfo ID token. No matching verifier(s) found");
    } catch (Exception e) {
        LOGGER.error(ID_VALIDATION_ERR_MSG, e);
        throw new OidcValidationException(ID_VALIDATION_ERR_MSG, e);
    }
}