Example 6 with JWTID

Use of com.nimbusds.oauth2.sdk.id.JWTID in project di-authentication-api by alphagov.

From the class DocAppCriService, method constructTokenRequest.

public TokenRequest constructTokenRequest(String authCode) {
    var codeGrant = new AuthorizationCodeGrant(new AuthorizationCode(authCode), configurationService.getDocAppAuthorisationCallbackURI());
    var backendURI = configurationService.getDocAppBackendURI();
    var tokenURI = buildURI(backendURI.toString(), "token");
    // private_key_jwt client assertion (iss, aud, exp, nbf, iat, jti): the audience is the token endpoint,
    // the lifetime is short, and a fresh JWTID gives each assertion a unique jti so the server can reject a replay.
    var claimsSet = new JWTAuthenticationClaimsSet(new ClientID(configurationService.getDocAppAuthorisationClientId()),
            singletonList(new Audience(tokenURI)), NowHelper.nowPlus(PRIVATE_KEY_JWT_EXPIRY, ChronoUnit.MINUTES),
            NowHelper.now(), NowHelper.now(), new JWTID());
    return new TokenRequest(tokenURI, generatePrivateKeyJwt(claimsSet), codeGrant, null, singletonList(tokenURI),
            Map.of("client_id", singletonList(configurationService.getDocAppAuthorisationClientId())));
}
Also used : AuthorizationCode(com.nimbusds.oauth2.sdk.AuthorizationCode) AuthorizationCodeGrant(com.nimbusds.oauth2.sdk.AuthorizationCodeGrant) Audience(com.nimbusds.oauth2.sdk.id.Audience) TokenRequest(com.nimbusds.oauth2.sdk.TokenRequest) ClientID(com.nimbusds.oauth2.sdk.id.ClientID) JWTID(com.nimbusds.oauth2.sdk.id.JWTID) JWTAuthenticationClaimsSet(com.nimbusds.oauth2.sdk.auth.JWTAuthenticationClaimsSet)

Example 7 with JWTID

Use of com.nimbusds.oauth2.sdk.id.JWTID in project di-authentication-api by alphagov.

From the class IPVTokenService, method constructTokenRequest.

public TokenRequest constructTokenRequest(String authCode) {
    var codeGrant = new AuthorizationCodeGrant(new AuthorizationCode(authCode), configurationService.getIPVAuthorisationCallbackURI());
    var ipvBackendURI = configurationService.getIPVBackendURI();
    var ipvTokenURI = ConstructUriHelper.buildURI(ipvBackendURI.toString(), "token");
    // Same private_key_jwt assertion as for the Doc App client, but the audience here is the
    // configured IPV audience rather than the token URI; the JWTID is still freshly generated per request.
    var claimsSet = new JWTAuthenticationClaimsSet(new ClientID(configurationService.getIPVAuthorisationClientId()),
            singletonList(new Audience(configurationService.getIPVAudience())),
            NowHelper.nowPlus(PRIVATE_KEY_JWT_EXPIRY, ChronoUnit.MINUTES), NowHelper.now(), NowHelper.now(), new JWTID());
    return new TokenRequest(ipvTokenURI, generatePrivateKeyJwt(claimsSet), codeGrant, null, singletonList(ipvTokenURI),
            Map.of("client_id", singletonList(configurationService.getIPVAuthorisationClientId())));
}
Also used : AuthorizationCode(com.nimbusds.oauth2.sdk.AuthorizationCode) AuthorizationCodeGrant(com.nimbusds.oauth2.sdk.AuthorizationCodeGrant) Audience(com.nimbusds.oauth2.sdk.id.Audience) TokenRequest(com.nimbusds.oauth2.sdk.TokenRequest) ClientID(com.nimbusds.oauth2.sdk.id.ClientID) JWTID(com.nimbusds.oauth2.sdk.id.JWTID) JWTAuthenticationClaimsSet(com.nimbusds.oauth2.sdk.auth.JWTAuthenticationClaimsSet)

Example 8 with JWTID

Use of com.nimbusds.oauth2.sdk.id.JWTID in project di-authentication-api by alphagov.

From the class UserInfoIntegrationTest, method shouldReturn200WhenIdentityIsEnabledAndIdentityClaimsArePresent.

@Test
void shouldReturn200WhenIdentityIsEnabledAndIdentityClaimsArePresent() throws Json.JsonException, ParseException {
    var configurationService = new UserInfoIntegrationTest.UserInfoConfigurationService();
    handler = new UserInfoHandler(configurationService);
    var claimsSetRequest = new ClaimsSetRequest()
            .add(ValidClaims.CORE_IDENTITY_JWT.getValue())
            .add(ValidClaims.ADDRESS.getValue())
            .add(ValidClaims.PASSPORT.getValue());
    var oidcValidClaimsRequest = new OIDCClaimsRequest().withUserInfoClaimsRequest(claimsSetRequest);
    // Build an access token whose jti is a random UUID; the requested identity claims are carried in a "claims" claim.
    var claimsSet = new JWTClaimsSet.Builder()
            .claim("scope", SCOPES)
            .issuer("issuer-id")
            .expirationTime(EXPIRY_DATE)
            .issueTime(NowHelper.now())
            .claim("client_id", "client-id-one")
            .subject(PUBLIC_SUBJECT.getValue())
            .jwtID(UUID.randomUUID().toString())
            .claim("claims", oidcValidClaimsRequest.getUserInfoClaimsRequest().getEntries().stream()
                    .map(ClaimsSetRequest.Entry::getClaimName).collect(Collectors.toList()))
            .build();
    var signedJWT = tokenSigner.signJwt(claimsSet);
    var accessToken = new BearerAccessToken(signedJWT.serialize());
    // The handler only accepts tokens it can find in the store, so register this one under the client/subject key.
    var accessTokenStore = new AccessTokenStore(accessToken.getValue(), INTERNAL_SUBJECT.getValue());
    redis.addToRedis(ACCESS_TOKEN_PREFIX + CLIENT_ID + "." + PUBLIC_SUBJECT, objectMapper.writeValueAsString(accessTokenStore), 300L);
    var signedCredential = SignedCredentialHelper.generateCredential();
    setUpDynamo(signedCredential.serialize(), Map.of(ValidClaims.ADDRESS.getValue(), ADDRESS_CLAIM, ValidClaims.PASSPORT.getValue(), PASSPORT_CLAIM));
    var response = makeRequest(Optional.empty(), Map.of("Authorization", accessToken.toAuthorizationHeader()), Map.of());
    assertThat(response, hasStatus(200));
    var userInfoResponse = UserInfo.parse(response.getBody());
    assertThat(userInfoResponse.getEmailVerified(), equalTo(true));
    assertThat(userInfoResponse.getEmailAddress(), equalTo(TEST_EMAIL_ADDRESS));
    assertThat(userInfoResponse.getPhoneNumber(), equalTo(FORMATTED_PHONE_NUMBER));
    assertThat(userInfoResponse.getPhoneNumberVerified(), equalTo(true));
    assertThat(userInfoResponse.getSubject(), equalTo(PUBLIC_SUBJECT));
    assertThat(userInfoResponse.getClaim(ValidClaims.ADDRESS.getValue()), equalTo(ADDRESS_CLAIM));
    assertThat(userInfoResponse.getClaim(ValidClaims.PASSPORT.getValue()), equalTo(PASSPORT_CLAIM));
    assertThat(userInfoResponse.getClaim(ValidClaims.CORE_IDENTITY_JWT.getValue()), equalTo(signedCredential.serialize()));
    assertThat(userInfoResponse.toJWTClaimsSet().getClaims().size(), equalTo(8));
    assertNoAuditEventsReceived(auditTopic);
}
Also used : ClaimsSetRequest(com.nimbusds.openid.connect.sdk.claims.ClaimsSetRequest) OIDCClaimsRequest(com.nimbusds.openid.connect.sdk.OIDCClaimsRequest) AccessTokenStore(uk.gov.di.authentication.shared.entity.AccessTokenStore) JWTClaimsSet(com.nimbusds.jwt.JWTClaimsSet) UserInfoHandler(uk.gov.di.authentication.oidc.lambda.UserInfoHandler) BearerAccessToken(com.nimbusds.oauth2.sdk.token.BearerAccessToken) Test(org.junit.jupiter.api.Test) ApiGatewayHandlerIntegrationTest(uk.gov.di.authentication.sharedtest.basetest.ApiGatewayHandlerIntegrationTest)

Example 9 with JWTID

Use of com.nimbusds.oauth2.sdk.id.JWTID in project OpenConext-oidcng by OpenConext.

From the class UserInfoEndpoint, method userInfo.

private ResponseEntity<Map<String, Object>> userInfo(HttpServletRequest request) throws ParseException, IOException, java.text.ParseException {
    HTTPRequest httpRequest = ServletUtils.createHTTPRequest(request);
    UserInfoRequest userInfoRequest = UserInfoRequest.parse(httpRequest);
    String accessTokenValue = userInfoRequest.getAccessToken().getValue();
    MDCContext.mdcContext("action", "Userinfo", "accessTokenValue", accessTokenValue);
    // Step 1: the bearer token must be a JWT with a valid signature.
    Optional<SignedJWT> optionalSignedJWT = tokenGenerator.parseAndValidateSignedJWT(accessTokenValue);
    if (!optionalSignedJWT.isPresent()) {
        return errorResponse("Access Token not found");
    }
    SignedJWT signedJWT = optionalSignedJWT.get();
    // Step 2: the jti claim is the key into the server-side token store, so a token whose jti is
    // unknown (revoked, or never issued by this server) is rejected even though its signature verifies.
    String jwtId = signedJWT.getJWTClaimsSet().getJWTID();
    Optional<AccessToken> optionalAccessToken = accessTokenRepository.findByJwtId(jwtId);
    if (!optionalAccessToken.isPresent()) {
        return errorResponse("Access Token not found");
    }
    AccessToken accessToken = optionalAccessToken.get();
    // Step 3: expiry is checked against the stored record, not only the JWT's exp claim.
    if (accessToken.isExpired(Clock.systemDefaultZone())) {
        return errorResponse("Access Token expired");
    }
    // Client-credentials tokens have no end user behind them, so there is no user info to return.
    if (accessToken.isClientCredentials()) {
        throw new InvalidGrantException("UserEndpoint not allowed for Client Credentials");
    }
    User user = tokenGenerator.decryptAccessTokenWithEmbeddedUserInfo(signedJWT);
    MDCContext.mdcContext(user);
    Map<String, Object> attributes = user.getAttributes();
    List<String> acrClaims = user.getAcrClaims();
    if (!CollectionUtils.isEmpty(acrClaims)) {
        attributes.put("acr", String.join(" ", acrClaims));
    }
    attributes.put("updated_at", user.getUpdatedAt());
    attributes.put("sub", user.getSub());
    // Sorted map so the response key order is deterministic; typed to avoid the raw TreeMap.
    return ResponseEntity.ok(new TreeMap<>(attributes));
}
Also used : HTTPRequest(com.nimbusds.oauth2.sdk.http.HTTPRequest) User(oidc.model.User) UserInfoRequest(com.nimbusds.openid.connect.sdk.UserInfoRequest) SignedJWT(com.nimbusds.jwt.SignedJWT) TreeMap(java.util.TreeMap) InvalidGrantException(oidc.exceptions.InvalidGrantException) AccessToken(oidc.model.AccessToken)

Example 10 with JWTID

Use of com.nimbusds.oauth2.sdk.id.JWTID in project di-authentication-api by alphagov.

From the class IdentityIntegrationTest, method shouldReturn204WhenCallingIdentityLambda.

@Test
void shouldReturn204WhenCallingIdentityLambda() throws JsonProcessingException {
    Subject internalSubject = new Subject();
    Subject publicSubject = new Subject();
    LocalDateTime localDateTime = LocalDateTime.now().plusMinutes(10);
    Date expiryDate = Date.from(localDateTime.atZone(ZoneId.of("UTC")).toInstant());
    List<String> scopes = new ArrayList<>();
    scopes.add("email");
    scopes.add("phone");
    scopes.add("openid");
    var claimsSetRequest = new ClaimsSetRequest().add("name").add("birthdate");
    var oidcValidClaimsRequest = new OIDCClaimsRequest().withUserInfoClaimsRequest(claimsSetRequest);
    // Access token with a random UUID as jti and the requested claims listed in a "claims" claim.
    JWTClaimsSet claimsSet = new JWTClaimsSet.Builder()
            .claim("scope", scopes)
            .issuer("issuer-id")
            .expirationTime(expiryDate)
            .issueTime(Date.from(LocalDateTime.now().atZone(ZoneId.of("UTC")).toInstant()))
            .claim("client_id", "client-id-one")
            .subject(publicSubject.getValue())
            .jwtID(UUID.randomUUID().toString())
            .claim("claims", oidcValidClaimsRequest.getUserInfoClaimsRequest().getEntries().stream()
                    .map(ClaimsSetRequest.Entry::getClaimName).collect(Collectors.toList()))
            .build();
    SignedJWT signedJWT = tokenSigner.signJwt(claimsSet);
    AccessToken accessToken = new BearerAccessToken(signedJWT.serialize());
    // Register the token in the store so the lambda accepts it; 300 s TTL in Redis.
    AccessTokenStore accessTokenStore = new AccessTokenStore(accessToken.getValue(), internalSubject.getValue());
    String accessTokenStoreString = new ObjectMapper().writeValueAsString(accessTokenStore);
    redis.addToRedis(ACCESS_TOKEN_PREFIX + CLIENT_ID + "." + publicSubject, accessTokenStoreString, 300L);
    SignedJWT signedCredential = SignedCredentialHelper.generateCredential();
    setUpDynamo(publicSubject.getValue(), signedCredential.serialize());
    var response = makeRequest(Optional.empty(), Map.of("Authorization", accessToken.toAuthorizationHeader()), Map.of());
    assertThat(response, hasStatus(200));
    IdentityResponse identityResponse = new ObjectMapper().readValue(response.getBody(), IdentityResponse.class);
    assertThat(identityResponse.getSub(), equalTo(publicSubject.getValue()));
    assertThat(identityResponse.getIdentityCredential(), equalTo(signedCredential.serialize()));
    assertThat(spotStore.getSpotCredential(publicSubject.getValue()), equalTo(Optional.empty()));
}
Also used : LocalDateTime(java.time.LocalDateTime) ClaimsSetRequest(com.nimbusds.openid.connect.sdk.claims.ClaimsSetRequest) IdentityResponse(uk.gov.di.authentication.oidc.entity.IdentityResponse) ArrayList(java.util.ArrayList) SignedJWT(com.nimbusds.jwt.SignedJWT) Subject(com.nimbusds.oauth2.sdk.id.Subject) Date(java.util.Date) OIDCClaimsRequest(com.nimbusds.openid.connect.sdk.OIDCClaimsRequest) AccessTokenStore(uk.gov.di.authentication.shared.entity.AccessTokenStore) JWTClaimsSet(com.nimbusds.jwt.JWTClaimsSet) AccessToken(com.nimbusds.oauth2.sdk.token.AccessToken) BearerAccessToken(com.nimbusds.oauth2.sdk.token.BearerAccessToken) ObjectMapper(com.fasterxml.jackson.databind.ObjectMapper) Test(org.junit.jupiter.api.Test) ApiGatewayHandlerIntegrationTest(uk.gov.di.authentication.sharedtest.basetest.ApiGatewayHandlerIntegrationTest)
