Search in sources :

Example 1 with Audience

use of com.nimbusds.oauth2.sdk.id.Audience in project nifi by apache.

the class KnoxServiceTest method testRequiredAudience.

@Test
public void testRequiredAudience() throws Exception {
    final String subject = "user-1";
    final Date expiration = new Date(System.currentTimeMillis() + TimeUnit.MILLISECONDS.convert(5, TimeUnit.SECONDS));
    final KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
    final KeyPair pair = keyGen.generateKeyPair();
    final RSAPrivateKey privateKey = (RSAPrivateKey) pair.getPrivate();
    final RSAPublicKey publicKey = (RSAPublicKey) pair.getPublic();
    final JWTAuthenticationClaimsSet claimsSet = getAuthenticationClaimsSet(subject, AUDIENCE, expiration);
    final PrivateKeyJWT privateKeyJWT = new PrivateKeyJWT(claimsSet, JWSAlgorithm.RS256, privateKey, null, null);
    final KnoxConfiguration configuration = getConfiguration(publicKey);
    when(configuration.getAudiences()).thenReturn(null);
    final KnoxService service = new KnoxService(configuration);
    Assert.assertEquals(subject, service.getAuthenticationFromToken(privateKeyJWT.getClientAssertion().serialize()));
}
Also used : KeyPair(java.security.KeyPair) RSAPublicKey(java.security.interfaces.RSAPublicKey) PrivateKeyJWT(com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT) JWTAuthenticationClaimsSet(com.nimbusds.oauth2.sdk.auth.JWTAuthenticationClaimsSet) KeyPairGenerator(java.security.KeyPairGenerator) RSAPrivateKey(java.security.interfaces.RSAPrivateKey) Date(java.util.Date) Test(org.junit.Test)

Example 2 with Audience

use of com.nimbusds.oauth2.sdk.id.Audience in project nifi by apache.

the class KnoxServiceTest method testSignedJwt.

@Test
public void testSignedJwt() throws Exception {
    final String subject = "user-1";
    final Date expiration = new Date(System.currentTimeMillis() + TimeUnit.MILLISECONDS.convert(5, TimeUnit.SECONDS));
    final KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
    final KeyPair pair = keyGen.generateKeyPair();
    final RSAPrivateKey privateKey = (RSAPrivateKey) pair.getPrivate();
    final RSAPublicKey publicKey = (RSAPublicKey) pair.getPublic();
    final JWTAuthenticationClaimsSet claimsSet = getAuthenticationClaimsSet(subject, AUDIENCE, expiration);
    final PrivateKeyJWT privateKeyJWT = new PrivateKeyJWT(claimsSet, JWSAlgorithm.RS256, privateKey, null, null);
    final KnoxConfiguration configuration = getConfiguration(publicKey);
    final KnoxService service = new KnoxService(configuration);
    Assert.assertEquals(subject, service.getAuthenticationFromToken(privateKeyJWT.getClientAssertion().serialize()));
}
Also used : KeyPair(java.security.KeyPair) RSAPublicKey(java.security.interfaces.RSAPublicKey) PrivateKeyJWT(com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT) JWTAuthenticationClaimsSet(com.nimbusds.oauth2.sdk.auth.JWTAuthenticationClaimsSet) KeyPairGenerator(java.security.KeyPairGenerator) RSAPrivateKey(java.security.interfaces.RSAPrivateKey) Date(java.util.Date) Test(org.junit.Test)

Example 3 with Audience

use of com.nimbusds.oauth2.sdk.id.Audience in project nifi by apache.

the class KnoxServiceTest method testBadSignedJwt.

@Test(expected = InvalidAuthenticationException.class)
public void testBadSignedJwt() throws Exception {
    final String subject = "user-1";
    final Date expiration = new Date(System.currentTimeMillis() + TimeUnit.MILLISECONDS.convert(5, TimeUnit.SECONDS));
    final KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
    final KeyPair pair1 = keyGen.generateKeyPair();
    final RSAPrivateKey privateKey1 = (RSAPrivateKey) pair1.getPrivate();
    final KeyPair pair2 = keyGen.generateKeyPair();
    final RSAPublicKey publicKey2 = (RSAPublicKey) pair2.getPublic();
    // sign the jwt with pair 1
    final JWTAuthenticationClaimsSet claimsSet = getAuthenticationClaimsSet(subject, AUDIENCE, expiration);
    final PrivateKeyJWT privateKeyJWT = new PrivateKeyJWT(claimsSet, JWSAlgorithm.RS256, privateKey1, null, null);
    // attempt to verify it with pair 2
    final KnoxConfiguration configuration = getConfiguration(publicKey2);
    final KnoxService service = new KnoxService(configuration);
    service.getAuthenticationFromToken(privateKeyJWT.getClientAssertion().serialize());
}
Also used : KeyPair(java.security.KeyPair) RSAPublicKey(java.security.interfaces.RSAPublicKey) PrivateKeyJWT(com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT) JWTAuthenticationClaimsSet(com.nimbusds.oauth2.sdk.auth.JWTAuthenticationClaimsSet) KeyPairGenerator(java.security.KeyPairGenerator) RSAPrivateKey(java.security.interfaces.RSAPrivateKey) Date(java.util.Date) Test(org.junit.Test)

Example 4 with Audience

use of com.nimbusds.oauth2.sdk.id.Audience in project spring-security by spring-projects.

the class NimbusOpaqueTokenIntrospector method convertClaimsSet.

private OAuth2AuthenticatedPrincipal convertClaimsSet(TokenIntrospectionSuccessResponse response) {
    Collection<GrantedAuthority> authorities = new ArrayList<>();
    Map<String, Object> claims = response.toJSONObject();
    if (response.getAudience() != null) {
        List<String> audiences = new ArrayList<>();
        for (Audience audience : response.getAudience()) {
            audiences.add(audience.getValue());
        }
        claims.put(OAuth2TokenIntrospectionClaimNames.AUD, Collections.unmodifiableList(audiences));
    }
    if (response.getClientID() != null) {
        claims.put(OAuth2TokenIntrospectionClaimNames.CLIENT_ID, response.getClientID().getValue());
    }
    if (response.getExpirationTime() != null) {
        Instant exp = response.getExpirationTime().toInstant();
        claims.put(OAuth2TokenIntrospectionClaimNames.EXP, exp);
    }
    if (response.getIssueTime() != null) {
        Instant iat = response.getIssueTime().toInstant();
        claims.put(OAuth2TokenIntrospectionClaimNames.IAT, iat);
    }
    if (response.getIssuer() != null) {
        // RFC-7662 page 7 directs users to RFC-7519 for defining the values of these
        // issuer fields.
        // https://datatracker.ietf.org/doc/html/rfc7662#page-7
        // 
        // RFC-7519 page 9 defines issuer fields as being 'case-sensitive' strings
        // containing
        // a 'StringOrURI', which is defined on page 5 as being any string, but
        // strings containing ':'
        // should be treated as valid URIs.
        // https://datatracker.ietf.org/doc/html/rfc7519#section-2
        // 
        // It is not defined however as to whether-or-not normalized URIs should be
        // treated as the same literal
        // value. It only defines validation itself, so to avoid potential ambiguity
        // or unwanted side effects that
        // may be awkward to debug, we do not want to manipulate this value. Previous
        // versions of Spring Security
        // would *only* allow valid URLs, which is not what we wish to achieve here.
        claims.put(OAuth2TokenIntrospectionClaimNames.ISS, response.getIssuer().getValue());
    }
    if (response.getNotBeforeTime() != null) {
        claims.put(OAuth2TokenIntrospectionClaimNames.NBF, response.getNotBeforeTime().toInstant());
    }
    if (response.getScope() != null) {
        List<String> scopes = Collections.unmodifiableList(response.getScope().toStringList());
        claims.put(OAuth2TokenIntrospectionClaimNames.SCOPE, scopes);
        for (String scope : scopes) {
            authorities.add(new SimpleGrantedAuthority(AUTHORITY_PREFIX + scope));
        }
    }
    return new OAuth2IntrospectionAuthenticatedPrincipal(claims, authorities);
}
Also used : SimpleGrantedAuthority(org.springframework.security.core.authority.SimpleGrantedAuthority) Audience(com.nimbusds.oauth2.sdk.id.Audience) SimpleGrantedAuthority(org.springframework.security.core.authority.SimpleGrantedAuthority) GrantedAuthority(org.springframework.security.core.GrantedAuthority) Instant(java.time.Instant) ArrayList(java.util.ArrayList) ErrorObject(com.nimbusds.oauth2.sdk.ErrorObject)

Example 5 with Audience

use of com.nimbusds.oauth2.sdk.id.Audience in project nifi by apache.

the class KnoxServiceTest method testInvalidAudience.

@Test(expected = InvalidAuthenticationException.class)
public void testInvalidAudience() throws Exception {
    final String subject = "user-1";
    final Date expiration = new Date(System.currentTimeMillis() + TimeUnit.MILLISECONDS.convert(5, TimeUnit.SECONDS));
    final KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
    final KeyPair pair = keyGen.generateKeyPair();
    final RSAPrivateKey privateKey = (RSAPrivateKey) pair.getPrivate();
    final RSAPublicKey publicKey = (RSAPublicKey) pair.getPublic();
    final JWTAuthenticationClaimsSet claimsSet = getAuthenticationClaimsSet(subject, "incorrect-audience", expiration);
    final PrivateKeyJWT privateKeyJWT = new PrivateKeyJWT(claimsSet, JWSAlgorithm.RS256, privateKey, null, null);
    final KnoxConfiguration configuration = getConfiguration(publicKey);
    final KnoxService service = new KnoxService(configuration);
    Assert.assertEquals(subject, service.getAuthenticationFromToken(privateKeyJWT.getClientAssertion().serialize()));
}
Also used : KeyPair(java.security.KeyPair) RSAPublicKey(java.security.interfaces.RSAPublicKey) PrivateKeyJWT(com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT) JWTAuthenticationClaimsSet(com.nimbusds.oauth2.sdk.auth.JWTAuthenticationClaimsSet) KeyPairGenerator(java.security.KeyPairGenerator) RSAPrivateKey(java.security.interfaces.RSAPrivateKey) Date(java.util.Date) Test(org.junit.Test)

Aggregations

JWTAuthenticationClaimsSet (com.nimbusds.oauth2.sdk.auth.JWTAuthenticationClaimsSet)5 PrivateKeyJWT (com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT)5 KeyPair (java.security.KeyPair)5 KeyPairGenerator (java.security.KeyPairGenerator)5 RSAPrivateKey (java.security.interfaces.RSAPrivateKey)5 RSAPublicKey (java.security.interfaces.RSAPublicKey)5 Date (java.util.Date)5 Test (org.junit.Test)5 ErrorObject (com.nimbusds.oauth2.sdk.ErrorObject)2 Audience (com.nimbusds.oauth2.sdk.id.Audience)2 Instant (java.time.Instant)2 ArrayList (java.util.ArrayList)2 GrantedAuthority (org.springframework.security.core.GrantedAuthority)2 SimpleGrantedAuthority (org.springframework.security.core.authority.SimpleGrantedAuthority)2