Example 31 with JWTClaimsSet

Use of com.nimbusds.jwt.JWTClaimsSet in project ddf by codice.

Class OidcTokenValidatorTest, method testValidateIdTokensUnsignedJwt.

@Test(expected = OidcValidationException.class)
public void testValidateIdTokensUnsignedJwt() throws Exception {
    String[] roles = { "create-realm", "offline_access", "admin", "uma_authorization" };
    // Build an otherwise well-formed ID token: valid time window, expected issuer and audience.
    JWTClaimsSet claimsSet = new JWTClaimsSet.Builder()
            .jwtID(UUID.randomUUID().toString())
            .expirationTime(new Date(Instant.now().plus(Duration.ofDays(3)).toEpochMilli()))
            .notBeforeTime(new Date(0))
            .issueTime(new Date())
            .issuer("http://localhost:8080/auth/realms/master")
            .audience("ddf-client")
            .subject("subject")
            .claim(PublicClaims.TYPE, "ID")
            .claim(AUTH_TIME, new Date())
            .claim("roles", roles)
            .claim(EMAIL_VERIFIED, false)
            .claim(PREFERRED_USERNAME, "admin")
            .build();
    // The token carries no signature (PlainJWT), so the validator must reject it
    // with OidcValidationException regardless of the claims being plausible.
    JWT jwt = new PlainJWT(claimsSet);
    OidcTokenValidator.validateIdTokens(jwt, null, configuration, oidcClient);
}
Also used: PlainJWT(com.nimbusds.jwt.PlainJWT) JWTClaimsSet(com.nimbusds.jwt.JWTClaimsSet) JWT(com.nimbusds.jwt.JWT) SignedJWT(com.nimbusds.jwt.SignedJWT) Date(java.util.Date) Test(org.junit.Test)

Example 32 with JWTClaimsSet

Use of com.nimbusds.jwt.JWTClaimsSet in project Payara by payara.

Class OidcProvider, method tokenEndpoint.

@Path("/token")
@POST
@Produces(APPLICATION_JSON)
public Response tokenEndpoint(
        @FormParam(CLIENT_ID) String clientId,
        @FormParam(CLIENT_SECRET) String clientSecret,
        @FormParam(GRANT_TYPE) String grantType,
        @FormParam(CODE) String code,
        @FormParam(REDIRECT_URI) String redirectUri) {
    ResponseBuilder builder;
    JsonObjectBuilder jsonBuilder = Json.createObjectBuilder();
    // Test-fixture provider: client credentials, grant type and authorization code
    // are compared against fixed expected values; any mismatch yields an error response.
    if (!CLIENT_ID_VALUE.equals(clientId)) {
        jsonBuilder.add(ERROR_PARAM, "invalid_client_id");
        builder = Response.serverError();
    } else if (!CLIENT_SECRET_VALUE.equals(clientSecret)) {
        jsonBuilder.add(ERROR_PARAM, "invalid_client_secret");
        builder = Response.serverError();
    } else if (!AUTHORIZATION_CODE.equals(grantType)) {
        jsonBuilder.add(ERROR_PARAM, "invalid_grant_type");
        builder = Response.serverError();
    } else if (!AUTH_CODE_VALUE.equals(code)) {
        jsonBuilder.add(ERROR_PARAM, "invalid_auth_code");
        builder = Response.serverError();
    } else {
        Date now = new Date();
        // ID token claims: 10-minute lifetime, nonce echoed back from the authorization request.
        JWTClaimsSet.Builder jstClaimsBuilder = new JWTClaimsSet.Builder()
                .issuer("http://localhost:8080/openid-server/webresources/oidc-provider" + subject)
                .subject(getSubject())
                .audience(asList(CLIENT_ID_VALUE))
                .expirationTime(new Date(now.getTime() + 1000 * 60 * 10))
                .notBeforeTime(now)
                .issueTime(now)
                .jwtID(UUID.randomUUID().toString())
                .claim(NONCE, nonce);
        if (!rolesInUserInfoEndpoint) {
            jstClaimsBuilder.claim(OpenIdConstant.GROUPS, userGroups);
        }
        JWTClaimsSet jwtClaims = jstClaimsBuilder.build();
        // The ID token is issued unsigned (PlainJWT); this fixture does not sign tokens.
        PlainJWT idToken = new PlainJWT(jwtClaims);
        jsonBuilder.add(IDENTITY_TOKEN, idToken.serialize());
        jsonBuilder.add(ACCESS_TOKEN, ACCESS_TOKEN_VALUE);
        jsonBuilder.add(TOKEN_TYPE, BEARER_TYPE);
        jsonBuilder.add(EXPIRES_IN, 1000);
        builder = Response.ok();
    }
    return builder.entity(jsonBuilder.build()).build();
}
Also used: PlainJWT(com.nimbusds.jwt.PlainJWT) JWTClaimsSet(com.nimbusds.jwt.JWTClaimsSet) JsonObjectBuilder(javax.json.JsonObjectBuilder) JsonArrayBuilder(javax.json.JsonArrayBuilder) ResponseBuilder(javax.ws.rs.core.Response.ResponseBuilder) Date(java.util.Date) Path(javax.ws.rs.Path) POST(javax.ws.rs.POST) Produces(javax.ws.rs.Produces)

Example 33 with JWTClaimsSet

Use of com.nimbusds.jwt.JWTClaimsSet in project metron by apache.

Class KnoxSSOAuthenticationFilterTest, method isValidShouldProperlyValidateToken.

@Test
public void isValidShouldProperlyValidateToken() throws Exception {
    KnoxSSOAuthenticationFilter knoxSSOAuthenticationFilter = spy(new KnoxSSOAuthenticationFilter(
            "userSearchBase", mock(Path.class), "knoxKeyString", "knoxCookie", mock(LdapTemplate.class)));
    SignedJWT jwtToken = mock(SignedJWT.class);
    {
        // Should be invalid on empty user name
        assertFalse(knoxSSOAuthenticationFilter.isValid(jwtToken, null));
    }
    {
        // Should be invalid on expired token
        Date expiredDate = new Date(System.currentTimeMillis() - 10000);
        JWTClaimsSet jwtClaimsSet = new JWTClaimsSet.Builder().expirationTime(expiredDate).build();
        when(jwtToken.getJWTClaimsSet()).thenReturn(jwtClaimsSet);
        assertFalse(knoxSSOAuthenticationFilter.isValid(jwtToken, "userName"));
    }
    {
        // Should be invalid when date is before notBeforeTime
        Date notBeforeDate = new Date(System.currentTimeMillis() + 10000);
        JWTClaimsSet jwtClaimsSet = new JWTClaimsSet.Builder().notBeforeTime(notBeforeDate).build();
        when(jwtToken.getJWTClaimsSet()).thenReturn(jwtClaimsSet);
        assertFalse(knoxSSOAuthenticationFilter.isValid(jwtToken, "userName"));
    }
    {
        // Should be valid if user name is present and token is within time constraints
        Date expiredDate = new Date(System.currentTimeMillis() + 10000);
        Date notBeforeDate = new Date(System.currentTimeMillis() - 10000);
        JWTClaimsSet jwtClaimsSet = new JWTClaimsSet.Builder()
                .expirationTime(expiredDate)
                .notBeforeTime(notBeforeDate)
                .build();
        when(jwtToken.getJWTClaimsSet()).thenReturn(jwtClaimsSet);
        doReturn(true).when(knoxSSOAuthenticationFilter).validateSignature(jwtToken);
        assertTrue(knoxSSOAuthenticationFilter.isValid(jwtToken, "userName"));
    }
}
Also used: JWTClaimsSet(com.nimbusds.jwt.JWTClaimsSet) SignedJWT(com.nimbusds.jwt.SignedJWT) Date(java.util.Date) Test(org.junit.jupiter.api.Test)

Example 34 with JWTClaimsSet

Use of com.nimbusds.jwt.JWTClaimsSet in project metron by apache.

Class KnoxSSOAuthenticationFilterTest, method doFilterShouldProperlySetAuthentication.

@Test
public void doFilterShouldProperlySetAuthentication() throws Exception {
    KnoxSSOAuthenticationFilter knoxSSOAuthenticationFilter = spy(new KnoxSSOAuthenticationFilter(
            "userSearchBase", mock(Path.class), "knoxKeyString", "knoxCookie", mock(LdapTemplate.class)));
    HttpServletRequest request = mock(HttpServletRequest.class);
    ServletResponse response = mock(ServletResponse.class);
    FilterChain chain = mock(FilterChain.class);
    SignedJWT signedJWT = mock(SignedJWT.class);
    JWTClaimsSet jwtClaimsSet = new JWTClaimsSet.Builder().subject("userName").build();
    Authentication authentication = mock(Authentication.class);
    SecurityContext securityContext = mock(SecurityContext.class);
    when(request.getHeader("Authorization")).thenReturn(null);
    doReturn("serializedJWT").when(knoxSSOAuthenticationFilter).getJWTFromCookie(request);
    doReturn(signedJWT).when(knoxSSOAuthenticationFilter).parseJWT(any());
    when(signedJWT.getJWTClaimsSet()).thenReturn(jwtClaimsSet);
    doReturn(true).when(knoxSSOAuthenticationFilter).isValid(signedJWT, "userName");
    doReturn(authentication).when(knoxSSOAuthenticationFilter).getAuthentication("userName", request);
    doReturn(securityContext).when(knoxSSOAuthenticationFilter).getSecurityContext();
    knoxSSOAuthenticationFilter.doFilter(request, response, chain);
    verify(securityContext).setAuthentication(authentication);
    verify(chain).doFilter(request, response);
    verifyNoMoreInteractions(chain, securityContext);
}
Also used: HttpServletRequest(javax.servlet.http.HttpServletRequest) ServletResponse(javax.servlet.ServletResponse) JWTClaimsSet(com.nimbusds.jwt.JWTClaimsSet) Authentication(org.springframework.security.core.Authentication) FilterChain(javax.servlet.FilterChain) SecurityContext(org.springframework.security.core.context.SecurityContext) SignedJWT(com.nimbusds.jwt.SignedJWT) Test(org.junit.jupiter.api.Test)

Example 35 with JWTClaimsSet

Use of com.nimbusds.jwt.JWTClaimsSet in project Payara by payara.

Class GCPSecretsConfigSource, method buildJwt.

// Helpers
private static SignedJWT buildJwt(final String issuer, final String scope) {
    Instant now = Instant.now();
    // Short-lived assertion: one minute from issue time.
    Instant expiry = now.plus(1, ChronoUnit.MINUTES);
    JWTClaimsSet claims = new JWTClaimsSet.Builder()
            .issuer(issuer)
            .audience(AUTH_URL)
            .issueTime(Date.from(now))
            .expirationTime(Date.from(expiry))
            .claim("scope", scope)
            .build();
    JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256).type(JOSEObjectType.JWT).build();
    // The header declares RS256, but the returned object is still in the unsigned state;
    // the caller must apply an RSA signer before serializing it.
    return new SignedJWT(header, claims);
}
Also used: JWTClaimsSet(com.nimbusds.jwt.JWTClaimsSet) Instant(java.time.Instant) ClientBuilder(javax.ws.rs.client.ClientBuilder) SignedJWT(com.nimbusds.jwt.SignedJWT) JWSHeader(com.nimbusds.jose.JWSHeader)

Aggregations

JWTClaimsSet (com.nimbusds.jwt.JWTClaimsSet): 69
SignedJWT (com.nimbusds.jwt.SignedJWT): 44
JWSHeader (com.nimbusds.jose.JWSHeader): 23
Date (java.util.Date): 19
Test (org.junit.Test): 16
RSASSASigner (com.nimbusds.jose.crypto.RSASSASigner): 14
Test (org.junit.jupiter.api.Test): 11
JOSEException (com.nimbusds.jose.JOSEException): 9
ParseException (java.text.ParseException): 9
SecretKey (javax.crypto.SecretKey): 8
JWSSigner (com.nimbusds.jose.JWSSigner): 7
MacAlgorithm (org.springframework.security.oauth2.jose.jws.MacAlgorithm): 7
Instant (java.time.Instant): 6
ArrayList (java.util.ArrayList): 6
Map (java.util.Map): 6
SpringBootTest (org.springframework.boot.test.context.SpringBootTest): 6
JWSAlgorithm (com.nimbusds.jose.JWSAlgorithm): 5
MACSigner (com.nimbusds.jose.crypto.MACSigner): 5
BadJOSEException (com.nimbusds.jose.proc.BadJOSEException): 5
JWT (com.nimbusds.jwt.JWT): 5