Example 1 with ClientID
use of com.nimbusds.oauth2.sdk.id.ClientID in project pac4j by pac4j.
the class OidcProfileCreator method internalInit.
@Override
protected void internalInit() {
assertNotNull("configuration", configuration);
// check algorithms
final List<JWSAlgorithm> metadataAlgorithms = configuration.findProviderMetadata().getIDTokenJWSAlgs();
CommonHelper.assertTrue(CommonHelper.isNotEmpty(metadataAlgorithms), "There must at least one JWS algorithm supported on the OpenID Connect provider side");
JWSAlgorithm jwsAlgorithm;
final JWSAlgorithm preferredAlgorithm = configuration.getPreferredJwsAlgorithm();
if (metadataAlgorithms.contains(preferredAlgorithm)) {
jwsAlgorithm = preferredAlgorithm;
} else {
jwsAlgorithm = metadataAlgorithms.get(0);
logger.warn("Preferred JWS algorithm: {} not available. Defaulting to: {}", preferredAlgorithm, jwsAlgorithm);
}
if ("none".equals(jwsAlgorithm.getName())) {
jwsAlgorithm = null;
}
final ClientID _clientID = new ClientID(configuration.getClientId());
final Secret _secret = new Secret(configuration.getSecret());
// Init IDTokenVerifier
if (jwsAlgorithm == null) {
this.idTokenValidator = new IDTokenValidator(configuration.findProviderMetadata().getIssuer(), _clientID);
} else if (CommonHelper.isNotBlank(configuration.getSecret()) && (JWSAlgorithm.HS256.equals(jwsAlgorithm) || JWSAlgorithm.HS384.equals(jwsAlgorithm) || JWSAlgorithm.HS512.equals(jwsAlgorithm))) {
this.idTokenValidator = createHMACTokenValidator(jwsAlgorithm, _clientID, _secret);
} else {
this.idTokenValidator = createRSATokenValidator(jwsAlgorithm, _clientID);
}
this.idTokenValidator.setMaxClockSkew(configuration.getMaxClockSkew());
defaultProfileDefinition(new OidcProfileDefinition<>());
}
Also used :
Secret(com.nimbusds.oauth2.sdk.auth.Secret)
ClientID(com.nimbusds.oauth2.sdk.id.ClientID)
JWSAlgorithm(com.nimbusds.jose.JWSAlgorithm)
IDTokenValidator(com.nimbusds.openid.connect.sdk.validators.IDTokenValidator)
Example 2 with ClientID
use of com.nimbusds.oauth2.sdk.id.ClientID in project nifi by apache.
the class StandardOidcIdentityProvider method exchangeAuthorizationCode.
@Override
public String exchangeAuthorizationCode(final AuthorizationGrant authorizationGrant) throws IOException {
if (!isOidcEnabled()) {
throw new IllegalStateException(OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED);
}
final ClientAuthentication clientAuthentication;
if (oidcProviderMetadata.getTokenEndpointAuthMethods().contains(ClientAuthenticationMethod.CLIENT_SECRET_POST)) {
clientAuthentication = new ClientSecretPost(clientId, clientSecret);
} else {
clientAuthentication = new ClientSecretBasic(clientId, clientSecret);
}
try {
// build the token request
final TokenRequest request = new TokenRequest(oidcProviderMetadata.getTokenEndpointURI(), clientAuthentication, authorizationGrant, getScope());
final HTTPRequest tokenHttpRequest = request.toHTTPRequest();
tokenHttpRequest.setConnectTimeout(oidcConnectTimeout);
tokenHttpRequest.setReadTimeout(oidcReadTimeout);
// get the token response
final TokenResponse response = OIDCTokenResponseParser.parse(tokenHttpRequest.send());
if (response.indicatesSuccess()) {
final OIDCTokenResponse oidcTokenResponse = (OIDCTokenResponse) response;
final OIDCTokens oidcTokens = oidcTokenResponse.getOIDCTokens();
final JWT oidcJwt = oidcTokens.getIDToken();
// validate the token - no nonce required for authorization code flow
final IDTokenClaimsSet claimsSet = tokenValidator.validate(oidcJwt, null);
// attempt to extract the email from the id token if possible
String email = claimsSet.getStringClaim(EMAIL_CLAIM_NAME);
if (StringUtils.isBlank(email)) {
// extract the bearer access token
final BearerAccessToken bearerAccessToken = oidcTokens.getBearerAccessToken();
if (bearerAccessToken == null) {
throw new IllegalStateException("No access token found in the ID tokens");
}
// invoke the UserInfo endpoint
email = lookupEmail(bearerAccessToken);
}
// extract expiration details from the claims set
final Calendar now = Calendar.getInstance();
final Date expiration = claimsSet.getExpirationTime();
final long expiresIn = expiration.getTime() - now.getTimeInMillis();
// convert into a nifi jwt for retrieval later
final LoginAuthenticationToken loginToken = new LoginAuthenticationToken(email, email, expiresIn, claimsSet.getIssuer().getValue());
return jwtService.generateSignedToken(loginToken);
} else {
final TokenErrorResponse errorResponse = (TokenErrorResponse) response;
throw new RuntimeException("An error occurred while invoking the Token endpoint: " + errorResponse.getErrorObject().getDescription());
}
} catch (final ParseException | JOSEException | BadJOSEException e) {
throw new RuntimeException("Unable to parse the response from the Token request: " + e.getMessage());
}
}
Also used :
HTTPRequest(com.nimbusds.oauth2.sdk.http.HTTPRequest)
JWT(com.nimbusds.jwt.JWT)
OIDCTokenResponse(com.nimbusds.openid.connect.sdk.OIDCTokenResponse)
Calendar(java.util.Calendar)
IDTokenClaimsSet(com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet)
ClientSecretBasic(com.nimbusds.oauth2.sdk.auth.ClientSecretBasic)
Date(java.util.Date)
TokenErrorResponse(com.nimbusds.oauth2.sdk.TokenErrorResponse)
ClientSecretPost(com.nimbusds.oauth2.sdk.auth.ClientSecretPost)
OIDCTokenResponse(com.nimbusds.openid.connect.sdk.OIDCTokenResponse)
TokenResponse(com.nimbusds.oauth2.sdk.TokenResponse)
BadJOSEException(com.nimbusds.jose.proc.BadJOSEException)
OIDCTokens(com.nimbusds.openid.connect.sdk.token.OIDCTokens)
LoginAuthenticationToken(org.apache.nifi.web.security.token.LoginAuthenticationToken)
TokenRequest(com.nimbusds.oauth2.sdk.TokenRequest)
BearerAccessToken(com.nimbusds.oauth2.sdk.token.BearerAccessToken)
ParseException(com.nimbusds.oauth2.sdk.ParseException)
ClientAuthentication(com.nimbusds.oauth2.sdk.auth.ClientAuthentication)
JOSEException(com.nimbusds.jose.JOSEException)
BadJOSEException(com.nimbusds.jose.proc.BadJOSEException)
Aggregations
JOSEException (com.nimbusds.jose.JOSEException)1
JWSAlgorithm (com.nimbusds.jose.JWSAlgorithm)1
BadJOSEException (com.nimbusds.jose.proc.BadJOSEException)1
JWT (com.nimbusds.jwt.JWT)1
ParseException (com.nimbusds.oauth2.sdk.ParseException)1
TokenErrorResponse (com.nimbusds.oauth2.sdk.TokenErrorResponse)1
TokenRequest (com.nimbusds.oauth2.sdk.TokenRequest)1
TokenResponse (com.nimbusds.oauth2.sdk.TokenResponse)1
ClientAuthentication (com.nimbusds.oauth2.sdk.auth.ClientAuthentication)1
ClientSecretBasic (com.nimbusds.oauth2.sdk.auth.ClientSecretBasic)1
ClientSecretPost (com.nimbusds.oauth2.sdk.auth.ClientSecretPost)1
Secret (com.nimbusds.oauth2.sdk.auth.Secret)1
HTTPRequest (com.nimbusds.oauth2.sdk.http.HTTPRequest)1
ClientID (com.nimbusds.oauth2.sdk.id.ClientID)1
BearerAccessToken (com.nimbusds.oauth2.sdk.token.BearerAccessToken)1
OIDCTokenResponse (com.nimbusds.openid.connect.sdk.OIDCTokenResponse)1
IDTokenClaimsSet (com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet)1
OIDCTokens (com.nimbusds.openid.connect.sdk.token.OIDCTokens)1
IDTokenValidator (com.nimbusds.openid.connect.sdk.validators.IDTokenValidator)1
Calendar (java.util.Calendar)1
