Use of com.nimbusds.jwt.JWTClaimsSet.Builder in the project ORCID-Source by ORCID:
the class OpenIDConnectTokenEnhancer, method enhance.
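@Override
public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
    // The authorization code has already been consumed and removed by this point, so the
    // nonce and max_age are read from the request parameters, which
    // OrcidClientCredentialEndPointDelegatorImpl adds back into the request.
    Map<String, String> params = authentication.getOAuth2Request().getRequestParameters();

    // An id_token is only minted when the request carries the openid scope.
    String scopes = params.get(OrcidOauth2Constants.SCOPE_PARAM);
    if (PojoUtil.isEmpty(scopes) || !ScopePathType.getScopesFromSpaceSeparatedString(scopes).contains(ScopePathType.OPENID)) {
        return accessToken;
    }

    // The id_token is informational only: it is never accepted here for authentication
    // purposes. Some APIs support that, but it is not part of the spec.
    try {
        // The ORCID iD is both the token subject and the key for the auth_time lookup. A missing
        // value previously surfaced as a bare NullPointerException from toString(); name it instead.
        Object orcidValue = accessToken.getAdditionalInformation().get("orcid");
        if (orcidValue == null) {
            throw new IllegalStateException("access token carries no 'orcid' in its additional information");
        }
        String orcid = orcidValue.toString();

        // Lifetime of the id_token in milliseconds (600000 ms = 10 minutes).
        final long idTokenLifetimeMillis = 600000L;
        Date issuedAt = new Date();

        // Shared secret for signing: HMAC works with the existing keys and does not need certs.
        Builder claims = new JWTClaimsSet.Builder()
                .audience(params.get(OrcidOauth2Constants.CLIENT_ID_PARAM))
                .subject(orcid)
                .issuer("https://orcid.org")
                .expirationTime(new Date(issuedAt.getTime() + idTokenLifetimeMillis))
                .issueTime(issuedAt)
                .jwtID(UUID.randomUUID().toString());

        // Echo the client's nonce when one was supplied; OIDC relying parties use it to match
        // the id_token to the request they made.
        String nonce = params.get(OrcidOauth2Constants.NONCE);
        if (nonce != null) {
            claims.claim(OrcidOauth2Constants.NONCE, nonce);
        }
        claims.claim(OrcidOauth2Constants.AUTH_TIME, profileEntityManager.getLastLogin(orcid));

        SignedJWT signedJWT = keyManager.sign(claims.build());
        accessToken.getAdditionalInformation().put(OrcidOauth2Constants.ID_TOKEN, signedJWT.serialize());
    } catch (Exception e) {
        // Best-effort: a signing (JOSEException) or lookup failure leaves the access token without
        // an id_token rather than failing the whole token response. The former separate
        // JOSEException catch was redundant since it is an Exception and was handled identically.
        // No logger is in scope in this method, so the stack trace is printed as before.
        e.printStackTrace();
    }
    return accessToken;
}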