Use of com.nimbusds.oauth2.sdk.TokenIntrospectionSuccessResponse in the project spring-security by spring-projects.
The class NimbusReactiveOpaqueTokenIntrospector, method castToNimbusSuccess.
/**
 * Narrows a parsed Nimbus introspection response to its success form.
 * <p>
 * A response for which {@code indicatesSuccess()} is false carries an {@code ErrorObject}
 * from the authorization server; its JSON form is recorded at trace level and becomes the
 * message of the thrown exception.
 * @param introspectionResponse the response parsed from the introspection endpoint
 * @return the same response, typed as {@link TokenIntrospectionSuccessResponse}
 * @throws OAuth2IntrospectionException if the authorization server answered with an error response
 */
private TokenIntrospectionSuccessResponse castToNimbusSuccess(TokenIntrospectionResponse introspectionResponse) {
	if (introspectionResponse.indicatesSuccess()) {
		return introspectionResponse.toSuccessResponse();
	}
	ErrorObject error = introspectionResponse.toErrorResponse().getErrorObject();
	String message = "Token introspection failed with response " + error.toJSONObject().toJSONString();
	this.logger.trace(message);
	throw new OAuth2IntrospectionException(message);
}
Use of com.nimbusds.oauth2.sdk.TokenIntrospectionSuccessResponse in the project spring-security by spring-projects.
The class NimbusOpaqueTokenIntrospector, method convertClaimsSet.
/**
 * Converts a successful Nimbus introspection response into an authenticated principal.
 * <p>
 * The claim map starts as the raw JSON object of the response. The standard claims that the
 * response exposes through typed accessors ({@code aud}, {@code client_id}, {@code exp},
 * {@code iat}, {@code iss}, {@code nbf}, {@code scope}) are then written to the map with
 * typed values (an unmodifiable {@code List<String>} for {@code aud} and {@code scope},
 * {@link Instant}s for the time claims), replacing any wire-format value under the same key.
 * Granted authorities are derived from the {@code scope} claim only, each prefixed with
 * {@code AUTHORITY_PREFIX}; no other claim contributes an authority.
 * @param response a response for which the caller has already established success and activity
 * @return the principal carrying the claim map and the scope-derived authorities
 */
private OAuth2AuthenticatedPrincipal convertClaimsSet(TokenIntrospectionSuccessResponse response) {
	Map<String, Object> claims = response.toJSONObject();
	Collection<GrantedAuthority> authorities = new ArrayList<>();
	if (response.getAudience() != null) {
		List<String> audienceValues = new ArrayList<>();
		response.getAudience().forEach((audience) -> audienceValues.add(audience.getValue()));
		claims.put(OAuth2TokenIntrospectionClaimNames.AUD, Collections.unmodifiableList(audienceValues));
	}
	if (response.getClientID() != null) {
		claims.put(OAuth2TokenIntrospectionClaimNames.CLIENT_ID, response.getClientID().getValue());
	}
	if (response.getExpirationTime() != null) {
		claims.put(OAuth2TokenIntrospectionClaimNames.EXP, response.getExpirationTime().toInstant());
	}
	if (response.getIssueTime() != null) {
		claims.put(OAuth2TokenIntrospectionClaimNames.IAT, response.getIssueTime().toInstant());
	}
	if (response.getIssuer() != null) {
		// RFC 7662 (page 7) defers to RFC 7519 for the 'iss' value, which is a case-sensitive
		// StringOrURI: any string, with values containing ':' expected to be valid URIs.
		// Neither RFC says whether two URIs that normalize to the same form denote the same
		// issuer, so the value is kept verbatim rather than parsed or normalized. Earlier
		// Spring Security versions accepted only well-formed URLs here, which was too strict.
		// https://datatracker.ietf.org/doc/html/rfc7662#page-7
		// https://datatracker.ietf.org/doc/html/rfc7519#section-2
		claims.put(OAuth2TokenIntrospectionClaimNames.ISS, response.getIssuer().getValue());
	}
	if (response.getNotBeforeTime() != null) {
		claims.put(OAuth2TokenIntrospectionClaimNames.NBF, response.getNotBeforeTime().toInstant());
	}
	if (response.getScope() != null) {
		List<String> scopes = Collections.unmodifiableList(response.getScope().toStringList());
		claims.put(OAuth2TokenIntrospectionClaimNames.SCOPE, scopes);
		// one authority per scope token; this is the only place authorities are created
		scopes.forEach((scope) -> authorities.add(new SimpleGrantedAuthority(AUTHORITY_PREFIX + scope)));
	}
	return new OAuth2IntrospectionAuthenticatedPrincipal(claims, authorities);
}
Use of com.nimbusds.oauth2.sdk.TokenIntrospectionSuccessResponse in the project spring-security by spring-projects.
The class NimbusOpaqueTokenIntrospector, method introspect.
/**
 * Introspects {@code token} against the configured endpoint and returns the resulting principal.
 * <p>
 * The flow is: build the request with {@code requestEntityConverter}, send it, adapt the HTTP
 * reply into a Nimbus response, reject error responses, reject inactive tokens, then convert
 * the claims. The only validity check applied here is the authorization server's
 * {@code active} flag; claims such as {@code exp} or {@code nbf} are not re-verified locally,
 * so this component is trusting the introspection endpoint for those decisions.
 * @param token the opaque bearer token to introspect
 * @return the authenticated principal built from the introspection claims
 * @throws OAuth2IntrospectionException if no request entity could be built, or if the endpoint
 * answered with an error response (see {@code castToNimbusSuccess}); the request and parsing
 * helpers may raise further failures of their own
 * @throws BadOpaqueTokenException if the endpoint reports the token as inactive
 */
@Override
public OAuth2AuthenticatedPrincipal introspect(String token) {
	RequestEntity<?> request = this.requestEntityConverter.convert(token);
	if (request == null) {
		throw new OAuth2IntrospectionException("requestEntityConverter returned a null entity");
	}
	ResponseEntity<String> httpReply = makeRequest(request);
	HTTPResponse nimbusReply = adaptToNimbusResponse(httpReply);
	TokenIntrospectionSuccessResponse success = castToNimbusSuccess(parseNimbusResponse(nimbusReply));
	// an inactive token is the authorization server's verdict; nothing else is checked locally
	if (!success.isActive()) {
		this.logger.trace("Did not validate token since it is inactive");
		throw new BadOpaqueTokenException("Provided token isn't active");
	}
	return convertClaimsSet(success);
}
Use of com.nimbusds.oauth2.sdk.TokenIntrospectionSuccessResponse in the project spring-security by spring-projects.
The class NimbusOpaqueTokenIntrospector, method castToNimbusSuccess.
/**
 * Narrows a parsed Nimbus introspection response to its success form.
 * <p>
 * A response for which {@code indicatesSuccess()} is false carries an {@code ErrorObject}
 * from the authorization server; its JSON form is recorded at trace level and becomes the
 * message of the thrown exception.
 * @param introspectionResponse the response parsed from the introspection endpoint
 * @return the same response, typed as {@link TokenIntrospectionSuccessResponse}
 * @throws OAuth2IntrospectionException if the authorization server answered with an error response
 */
private TokenIntrospectionSuccessResponse castToNimbusSuccess(TokenIntrospectionResponse introspectionResponse) {
	if (introspectionResponse.indicatesSuccess()) {
		return introspectionResponse.toSuccessResponse();
	}
	ErrorObject error = introspectionResponse.toErrorResponse().getErrorObject();
	String message = "Token introspection failed with response " + error.toJSONObject().toJSONString();
	this.logger.trace(message);
	throw new OAuth2IntrospectionException(message);
}
Use of com.nimbusds.oauth2.sdk.TokenIntrospectionSuccessResponse in the project spring-security by spring-projects.
The class NimbusReactiveOpaqueTokenIntrospector, method convertClaimsSet.
/**
 * Converts a successful Nimbus introspection response into an authenticated principal.
 * <p>
 * The claim map starts as the raw JSON object of the response. The standard claims that the
 * response exposes through typed accessors ({@code aud}, {@code client_id}, {@code exp},
 * {@code iat}, {@code iss}, {@code nbf}, {@code scope}) are then written to the map with
 * typed values (an unmodifiable {@code List<String>} for {@code aud} and {@code scope},
 * {@link Instant}s for the time claims), replacing any wire-format value under the same key.
 * Granted authorities are derived from the {@code scope} claim only, each prefixed with
 * {@code AUTHORITY_PREFIX}; no other claim contributes an authority.
 * @param response a response for which the caller has already established success and activity
 * @return the principal carrying the claim map and the scope-derived authorities
 */
private OAuth2AuthenticatedPrincipal convertClaimsSet(TokenIntrospectionSuccessResponse response) {
	Collection<GrantedAuthority> authorities = new ArrayList<>();
	Map<String, Object> claims = response.toJSONObject();
	if (response.getAudience() != null) {
		List<String> audienceValues = new ArrayList<>();
		response.getAudience().forEach((audience) -> audienceValues.add(audience.getValue()));
		claims.put(OAuth2TokenIntrospectionClaimNames.AUD, Collections.unmodifiableList(audienceValues));
	}
	if (response.getClientID() != null) {
		claims.put(OAuth2TokenIntrospectionClaimNames.CLIENT_ID, response.getClientID().getValue());
	}
	if (response.getExpirationTime() != null) {
		claims.put(OAuth2TokenIntrospectionClaimNames.EXP, response.getExpirationTime().toInstant());
	}
	if (response.getIssueTime() != null) {
		claims.put(OAuth2TokenIntrospectionClaimNames.IAT, response.getIssueTime().toInstant());
	}
	if (response.getIssuer() != null) {
		// RFC 7662 (page 7) defers to RFC 7519 for the 'iss' value, which is a case-sensitive
		// StringOrURI: any string, with values containing ':' expected to be valid URIs.
		// Neither RFC says whether two URIs that normalize to the same form denote the same
		// issuer, so the value is kept verbatim rather than parsed or normalized. Earlier
		// Spring Security versions accepted only well-formed URLs here, which was too strict.
		// https://datatracker.ietf.org/doc/html/rfc7662#page-7
		// https://datatracker.ietf.org/doc/html/rfc7519#section-2
		claims.put(OAuth2TokenIntrospectionClaimNames.ISS, response.getIssuer().getValue());
	}
	if (response.getNotBeforeTime() != null) {
		claims.put(OAuth2TokenIntrospectionClaimNames.NBF, response.getNotBeforeTime().toInstant());
	}
	if (response.getScope() != null) {
		List<String> scopes = Collections.unmodifiableList(response.getScope().toStringList());
		claims.put(OAuth2TokenIntrospectionClaimNames.SCOPE, scopes);
		// one authority per scope token; this is the only place authorities are created
		scopes.forEach((scope) -> authorities.add(new SimpleGrantedAuthority(AUTHORITY_PREFIX + scope)));
	}
	return new OAuth2IntrospectionAuthenticatedPrincipal(claims, authorities);
}