Use of com.nimbusds.oauth2.sdk.auth.verifier.InvalidClientException in project di-ipv-cri-uk-passport-back by alphagov.
From class TokenRequestValidator, method validateMaxAllowedAuthClientTtl.
/**
 * Rejects a client assertion whose {@code exp} claim lies further in the future than the
 * configured maximum client-auth token TTL.
 *
 * <p>The comparison is made in whole epoch seconds: the assertion's millisecond expiry is
 * truncated to seconds and compared against "now + max TTL", also in seconds.
 *
 * @param claimsSet the parsed JWT authentication claims of the client assertion
 * @throws InvalidClientException if the asserted expiry exceeds the allowed window
 */
private void validateMaxAllowedAuthClientTtl(JWTAuthenticationClaimsSet claimsSet) throws InvalidClientException {
    long assertedExpirySeconds = claimsSet.getExpirationTime().getTime() / 1000L;

    // The TTL is configured as a string of seconds. Long.parseLong fails fast with a
    // NumberFormatException on a missing or non-numeric value instead of silently
    // disabling the check; that exception is unchecked and is not InvalidClientException.
    long maxTtlSeconds = Long.parseLong(configurationService.getMaxClientAuthTokenTtl());
    long latestAllowedExpirySeconds = OffsetDateTime.now().plusSeconds(maxTtlSeconds).toEpochSecond();

    if (assertedExpirySeconds > latestAllowedExpirySeconds) {
        LOGGER.error("Client JWT expiry date is too far in the future");
        throw new InvalidClientException("The client JWT expiry date has surpassed the maximum allowed ttl value");
    }
}
Use of com.nimbusds.oauth2.sdk.auth.verifier.InvalidClientException in project di-ipv-cri-uk-passport-back by alphagov.
From class TokenRequestValidator, method authenticateClientWithJwt.
/**
 * Authenticates the token request's {@code client_assertion} (a private_key_jwt).
 *
 * <p>The assertion is parsed and the client's configured authentication method is looked
 * up. Unless that method is {@code NONE}, the assertion's signature is verified (over the
 * re-concatenated signature form produced by {@code clientJwtWithConcatSignature}) and its
 * expiry is bounded by the configured maximum TTL. Parse, verification and TTL failures are
 * all wrapped in {@link ClientAuthenticationException} so callers see a single failure type.
 *
 * @param requestBody the raw token request body containing the client assertion
 * @throws ClientAuthenticationException if the assertion cannot be parsed or fails verification
 */
private void authenticateClientWithJwt(String requestBody) throws ClientAuthenticationException {
    try {
        PrivateKeyJWT assertion = PrivateKeyJWT.parse(requestBody);
        String clientId = assertion.getClientID().getValue();
        String authMethod = configurationService.getClientAuthenticationMethod(clientId);

        // NOTE(review): a client configured with NONE bypasses both the signature and the
        // TTL check. A null (unconfigured) method would raise a NullPointerException here,
        // which the catch below does not handle — confirm that is the intended outcome for
        // unknown client ids.
        if (!authMethod.equals(NONE)) {
            verifier.verify(clientJwtWithConcatSignature(assertion, requestBody), null, null);
            validateMaxAllowedAuthClientTtl(assertion.getJWTAuthenticationClaimsSet());
        }
    } catch (ParseException | InvalidClientException | JOSEException | java.text.ParseException e) {
        LOGGER.error("Validation of client_assertion jwt failed");
        throw new ClientAuthenticationException(e);
    }
}
Use of com.nimbusds.oauth2.sdk.auth.verifier.InvalidClientException in project di-ipv-cri-uk-passport-back by alphagov.
From class ConfigurationServicePublicKeySelectorTest, method selectPublicKeysShouldThrowInvalidClientExceptionIfCanNotConvertKeyToJavaInterfaceEcKey.
/**
 * A configured signing JWK that cannot be converted to a {@code java.security} EC public key
 * must surface as {@link InvalidClientException} carrying the underlying JOSE error message.
 */
@Test
void selectPublicKeysShouldThrowInvalidClientExceptionIfCanNotConvertKeyToJavaInterfaceEcKey() throws Exception {
    String clientId = "testClientId";
    String conversionFailure = "Something went wrong...";

    ECKey unconvertibleKey = mock(ECKey.class);
    when(unconvertibleKey.toECPublicKey()).thenThrow(new JOSEException(conversionFailure));
    when(mockConfigurationService.getClientSigningPublicJwk(clientId)).thenReturn(unconvertibleKey);

    InvalidClientException thrown = assertThrows(
            InvalidClientException.class,
            () -> keySelector.selectPublicKeys(new ClientID(clientId), null, null, false, null));

    assertEquals(conversionFailure, thrown.getMessage());
}
Use of com.nimbusds.oauth2.sdk.auth.verifier.InvalidClientException in project di-ipv-cri-uk-passport-back by alphagov.
From class ConfigurationServicePublicKeySelectorTest, method selectPublicKeysShouldThrowInvalidClientExceptionIfCanNotParsePublicJwk.
/**
 * A configured signing key that fails to parse as a JWK must surface as
 * {@link InvalidClientException} carrying the parse error message.
 */
@Test
void selectPublicKeysShouldThrowInvalidClientExceptionIfCanNotParsePublicJwk() throws Exception {
    String clientId = "testClientId";
    String parseFailure = "Not a JWK";

    when(mockConfigurationService.getClientSigningPublicJwk(clientId))
            .thenThrow(new ParseException(parseFailure, 0));

    InvalidClientException thrown = assertThrows(
            InvalidClientException.class,
            () -> keySelector.selectPublicKeys(new ClientID(clientId), null, null, false, null));

    assertEquals(parseFailure, thrown.getMessage());
}
Use of com.nimbusds.oauth2.sdk.auth.verifier.InvalidClientException in project di-authentication-api by alphagov.
From class TokenService, method validatePrivateKeyJWT.
/**
 * Authenticates a token request that carries a {@code private_key_jwt} client assertion.
 *
 * <p>Checks are applied in order: the assertion parses; it has not expired; the client id it
 * asserts equals {@code clientID}; and its signature verifies against {@code publicKey} with
 * {@code tokenUrl} as the expected audience.
 *
 * @param requestString the raw token request body containing the client assertion
 * @param publicKey the client's registered public key used to build the credentials selector
 * @param tokenUrl the token endpoint URL that the assertion's {@code aud} must contain
 * @param clientID the client id the request is made for
 * @return the OAuth2 error to return to the caller, or empty when the assertion is valid
 */
public Optional<ErrorObject> validatePrivateKeyJWT(String requestString, String publicKey, String tokenUrl, String clientID) {
    final PrivateKeyJWT assertion;
    try {
        assertion = PrivateKeyJWT.parse(requestString);
    } catch (ParseException e) {
        LOG.warn("Could not parse Private Key JWT");
        return Optional.of(OAuth2Error.INVALID_CLIENT);
    }

    // NOTE(review): expiry and client-id are evaluated before the signature, so the
    // INVALID_GRANT / INVALID_CLIENT distinction below is driven by unauthenticated input.
    // Nothing here checks the assertion's jti for reuse — confirm replay protection is
    // provided elsewhere if the deployment requires it.
    if (hasPrivateKeyJwtExpired(assertion.getClientAssertion())) {
        LOG.warn("PrivateKeyJWT has expired");
        return Optional.of(OAuth2Error.INVALID_GRANT);
    }

    boolean clientIdMatches = Objects.nonNull(assertion.getClientID())
            && assertion.getClientID().toString().equals(clientID);
    if (!clientIdMatches) {
        LOG.warn("Invalid ClientID in PrivateKeyJWT");
        return Optional.of(OAuth2Error.INVALID_CLIENT);
    }

    // The verifier checks the signature via the selector built from publicKey and requires
    // tokenUrl to be among the assertion's audiences.
    ClientAuthenticationVerifier<?> signatureVerifier = new ClientAuthenticationVerifier<>(
            generateClientCredentialsSelector(publicKey),
            Collections.singleton(new Audience(tokenUrl)));
    try {
        signatureVerifier.verify(assertion, null, null);
    } catch (InvalidClientException | JOSEException e) {
        LOG.warn("Unable to Verify Signature of Private Key JWT", e);
        return Optional.of(OAuth2Error.INVALID_CLIENT);
    }

    return Optional.empty();
}