use of com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier in project iaf by ibissource.
the class JwtValidator method init.
/**
 * Configures the JWT processor to verify RS256-signed tokens against keys published at a JWK set
 * URL and, when an issuer is supplied, to reject tokens whose {@code iss} claim differs from it.
 *
 * <p>Points a reviewer should keep in mind:
 * <ul>
 *   <li>The key selector is built for {@link JWSAlgorithm#RS256} only; the expected algorithm is
 *       fixed here and not taken from the token.</li>
 *   <li>The issuer check is installed only when {@code requiredIssuer} is non-empty. With an empty
 *       value this method leaves the processor's claims verifier untouched, so no issuer
 *       restriction comes from here.</li>
 *   <li>No audience ({@code aud}) check is configured in this method.</li>
 *   <li>The rejection message embeds the {@code iss} value taken from the token; treat it as
 *       untrusted text wherever the message is logged or returned to a client.</li>
 * </ul>
 *
 * @param jwksUrl location of the JWK set holding the public verification keys; it is passed to
 *     {@code new URL(...)} as-is, so any scheme restriction (for example HTTPS only) has to be
 *     enforced by the caller or by {@code getKeySource}
 * @param requiredIssuer exact issuer the token must carry, or empty/null to skip the issuer check
 * @throws MalformedURLException if {@code jwksUrl} is not a valid URL
 * @throws ParseException presumably raised by {@code getKeySource}; not visible in this method
 * @throws IOException presumably raised by {@code getKeySource}; not visible in this method
 */
public void init(String jwksUrl, String requiredIssuer) throws ParseException, MalformedURLException, IOException {
    // Public keys come from the JWK set; only RS256 signatures are matched against them.
    final JWKSource<C> jwkSource = getKeySource(new URL(jwksUrl));
    final JWSKeySelector<C> rs256KeySelector =
            new JWSVerificationKeySelector<C>(JWSAlgorithm.RS256, jwkSource);

    if (StringUtils.isNotEmpty(requiredIssuer)) {
        // Run the stock claim checks first, then compare the issuer on top of them.
        // NOTE(review): recent Nimbus JOSE+JWT releases can express an exact-match issuer through
        // a DefaultJWTClaimsVerifier constructor argument; check against the version in use.
        final DefaultJWTClaimsVerifier<C> issuerCheckingVerifier = new DefaultJWTClaimsVerifier<C>() {
            @Override
            public void verify(JWTClaimsSet claimsSet, C context) throws BadJWTException {
                super.verify(claimsSet, context);
                final String actualIssuer = claimsSet.getIssuer();
                if (requiredIssuer.equals(actualIssuer)) {
                    return;
                }
                throw new BadJWTException("illegal issuer [" + actualIssuer + "], must be [" + requiredIssuer + "]");
            }
        };
        getJwtProcessor().setJWTClaimsSetVerifier(issuerCheckingVerifier);
    }

    getJwtProcessor().setJWSKeySelector(rs256KeySelector);
}
use of com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier in project carbon-apimgt by wso2.
the class GatewayUtils method isJwtTokenExpired.
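/**
 * Reports whether the claims verifier rejects the token as expired, allowing for the configured
 * timestamp skew.
 *
 * <p>This method answers the expiry question only. A {@code false} result does not mean the token
 * is valid: any other rejection raised by {@link DefaultJWTClaimsVerifier} is logged at debug level
 * and still yields {@code false}, and nothing here checks the signature, issuer or audience.
 * Callers that need a full validity decision must perform those checks separately.
 *
 * @param payload The payload of the JWT token
 * @return {@code true} only when the verifier reports the token as expired; {@code false} otherwise
 */
public static boolean isJwtTokenExpired(JWTClaimsSet payload) {
    // NOTE(review): the narrowing cast would truncate a skew value outside the int range.
    int timestampSkew = (int) OAuthServerConfiguration.getInstance().getTimeStampSkewInSeconds();
    DefaultJWTClaimsVerifier jwtClaimsSetVerifier = new DefaultJWTClaimsVerifier();
    jwtClaimsSetVerifier.setMaxClockSkew(timestampSkew);
    try {
        jwtClaimsSetVerifier.verify(payload);
    } catch (BadJWTException e) {
        // Expiry is recognised by the library's exception message, so this comparison has to be
        // re-checked whenever the Nimbus JOSE+JWT dependency is upgraded.
        if ("Expired JWT".equals(e.getMessage())) {
            return true;
        }
        // Rejected for another reason: do not report it as "not expired" in the log.
        if (log.isDebugEnabled()) {
            log.debug("Token claims were rejected for a reason other than expiry: " + e.getMessage());
        }
        return false;
    }
    if (log.isDebugEnabled()) {
        // The subject is a token-supplied value; it is written to the debug log only.
        log.debug("Token is not expired. User: " + payload.getSubject());
    }
    return false;
}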
use of com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier in project carbon-apimgt by wso2.
the class ApiKeyAuthenticator method isJwtTokenExpired.
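/**
 * Reports whether the claims verifier rejects the token as expired, allowing for the configured
 * timestamp skew.
 *
 * <p>Only expiry is reported. Every other outcome returns {@code false}, including a claims set
 * that {@link DefaultJWTClaimsVerifier} rejects for a different reason, so {@code false} must not
 * be read as "token accepted". Signature, issuer and audience are not examined here.
 *
 * @param payload The payload of the JWT token
 * @return {@code true} only when the verifier reports the token as expired; {@code false} otherwise
 */
private static boolean isJwtTokenExpired(JWTClaimsSet payload) {
    // NOTE(review): the narrowing cast would truncate a skew value outside the int range.
    int timestampSkew = (int) OAuthServerConfiguration.getInstance().getTimeStampSkewInSeconds();
    DefaultJWTClaimsVerifier jwtClaimsSetVerifier = new DefaultJWTClaimsVerifier();
    jwtClaimsSetVerifier.setMaxClockSkew(timestampSkew);
    try {
        jwtClaimsSetVerifier.verify(payload);
    } catch (BadJWTException e) {
        // The expired case is identified by the exception message text; confirm the text still
        // matches after any upgrade of the Nimbus JOSE+JWT dependency.
        if ("Expired JWT".equals(e.getMessage())) {
            return true;
        }
        // A different rejection is recorded as such instead of being logged as "not expired".
        if (log.isDebugEnabled()) {
            log.debug("Token claims were rejected for a reason other than expiry: " + e.getMessage());
        }
        return false;
    }
    if (log.isDebugEnabled()) {
        // The subject is a token-supplied value; it is written to the debug log only.
        log.debug("Token is not expired. User: " + payload.getSubject());
    }
    return false;
}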
use of com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier in project knox by apache.
the class DefaultTokenAuthorityService method verifyToken.
/**
 * Verifies a token's signature, default claims and JOSE object type against keys fetched from a
 * JWK set URL.
 *
 * <p>Points a reviewer should keep in mind:
 * <ul>
 *   <li>When {@code algorithm} or {@code jwksurl} is {@code null}, nothing is checked and the
 *       result is {@code false}; callers must treat {@code false} as "not verified".</li>
 *   <li>The expected JWS algorithm comes from the {@code algorithm} argument, not from the token
 *       header, so it should originate from trusted configuration.</li>
 *   <li>{@code jwksurl} decides which keys are trusted; it should likewise come from trusted
 *       configuration and never from the token being verified.</li>
 *   <li>A plain {@link DefaultJWTClaimsVerifier} is installed; no issuer or audience requirement
 *       is configured in this method.</li>
 *   <li>A new {@link RemoteJWKSet} is created on every call. NOTE(review): this presumably means
 *       fetched keys are not reused between calls; confirm if call volume matters.</li>
 * </ul>
 *
 * @param token the token to verify; its {@code toString()} form is handed to the processor
 * @param jwksurl URL of the JWK set holding the verification keys, may be {@code null}
 * @param algorithm name of the expected JWS algorithm, may be {@code null}
 * @param allowedJwsTypes JOSE object types accepted in the token header
 * @return {@code true} if the processor accepted the token, {@code false} if verification was
 *     skipped because {@code algorithm} or {@code jwksurl} was {@code null}
 * @throws TokenServiceException if the URL is malformed or the processor rejects the token
 */
@Override
public boolean verifyToken(JWT token, String jwksurl, String algorithm, Set<JOSEObjectType> allowedJwsTypes) throws TokenServiceException {
    // Without both an algorithm and a key location there is nothing to verify against.
    if (algorithm == null || jwksurl == null) {
        return false;
    }

    try {
        // Keys are selected only for the expected algorithm.
        final JWSKeySelector<SecurityContext> selector = new JWSVerificationKeySelector<>(
                JWSAlgorithm.parse(algorithm),
                new RemoteJWKSet<SecurityContext>(new URL(jwksurl)));

        final ConfigurableJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
        processor.setJWSKeySelector(selector);
        processor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<SecurityContext>());
        processor.setJWSTypeVerifier(new DefaultJOSEObjectTypeVerifier<SecurityContext>(allowedJwsTypes));

        // The security context is optional and not used here, hence null.
        processor.process(token.toString(), (SecurityContext) null);
        return true;
    } catch (BadJOSEException | JOSEException | ParseException | MalformedURLException e) {
        throw new TokenServiceException("Cannot verify token.", e);
    }
}