use of com.nimbusds.oauth2.sdk.id.JWTID in project di-authentication-api by alphagov.
the class DocAppCriService method constructTokenRequest.
public TokenRequest constructTokenRequest(String authCode) {
var codeGrant = new AuthorizationCodeGrant(new AuthorizationCode(authCode), configurationService.getDocAppAuthorisationCallbackURI());
var backendURI = configurationService.getDocAppBackendURI();
var tokenURI = buildURI(backendURI.toString(), "token");
var claimsSet = new JWTAuthenticationClaimsSet(new ClientID(configurationService.getDocAppAuthorisationClientId()), singletonList(new Audience(tokenURI)), NowHelper.nowPlus(PRIVATE_KEY_JWT_EXPIRY, ChronoUnit.MINUTES), NowHelper.now(), NowHelper.now(), new JWTID());
return new TokenRequest(tokenURI, generatePrivateKeyJwt(claimsSet), codeGrant, null, singletonList(tokenURI), Map.of("client_id", singletonList(configurationService.getDocAppAuthorisationClientId())));
}
use of com.nimbusds.oauth2.sdk.id.JWTID in project di-authentication-api by alphagov.
the class IPVTokenService method constructTokenRequest.
public TokenRequest constructTokenRequest(String authCode) {
var codeGrant = new AuthorizationCodeGrant(new AuthorizationCode(authCode), configurationService.getIPVAuthorisationCallbackURI());
var ipvBackendURI = configurationService.getIPVBackendURI();
var ipvTokenURI = ConstructUriHelper.buildURI(ipvBackendURI.toString(), "token");
var claimsSet = new JWTAuthenticationClaimsSet(new ClientID(configurationService.getIPVAuthorisationClientId()), singletonList(new Audience(configurationService.getIPVAudience())), NowHelper.nowPlus(PRIVATE_KEY_JWT_EXPIRY, ChronoUnit.MINUTES), NowHelper.now(), NowHelper.now(), new JWTID());
return new TokenRequest(ipvTokenURI, generatePrivateKeyJwt(claimsSet), codeGrant, null, singletonList(ipvTokenURI), Map.of("client_id", singletonList(configurationService.getIPVAuthorisationClientId())));
}
use of com.nimbusds.oauth2.sdk.id.JWTID in project di-authentication-api by alphagov.
the class UserInfoIntegrationTest method shouldReturn200WhenIdentityIsEnabledAndIdentityClaimsArePresent.
@Test
void shouldReturn200WhenIdentityIsEnabledAndIdentityClaimsArePresent() throws Json.JsonException, ParseException {
var configurationService = new UserInfoIntegrationTest.UserInfoConfigurationService();
handler = new UserInfoHandler(configurationService);
var claimsSetRequest = new ClaimsSetRequest().add(ValidClaims.CORE_IDENTITY_JWT.getValue()).add(ValidClaims.ADDRESS.getValue()).add(ValidClaims.PASSPORT.getValue());
var oidcValidClaimsRequest = new OIDCClaimsRequest().withUserInfoClaimsRequest(claimsSetRequest);
var claimsSet = new JWTClaimsSet.Builder().claim("scope", SCOPES).issuer("issuer-id").expirationTime(EXPIRY_DATE).issueTime(NowHelper.now()).claim("client_id", "client-id-one").subject(PUBLIC_SUBJECT.getValue()).jwtID(UUID.randomUUID().toString()).claim("claims", oidcValidClaimsRequest.getUserInfoClaimsRequest().getEntries().stream().map(ClaimsSetRequest.Entry::getClaimName).collect(Collectors.toList())).build();
var signedJWT = tokenSigner.signJwt(claimsSet);
var accessToken = new BearerAccessToken(signedJWT.serialize());
var accessTokenStore = new AccessTokenStore(accessToken.getValue(), INTERNAL_SUBJECT.getValue());
redis.addToRedis(ACCESS_TOKEN_PREFIX + CLIENT_ID + "." + PUBLIC_SUBJECT, objectMapper.writeValueAsString(accessTokenStore), 300L);
var signedCredential = SignedCredentialHelper.generateCredential();
setUpDynamo(signedCredential.serialize(), Map.of(ValidClaims.ADDRESS.getValue(), ADDRESS_CLAIM, ValidClaims.PASSPORT.getValue(), PASSPORT_CLAIM));
var response = makeRequest(Optional.empty(), Map.of("Authorization", accessToken.toAuthorizationHeader()), Map.of());
assertThat(response, hasStatus(200));
var userInfoResponse = UserInfo.parse(response.getBody());
assertThat(userInfoResponse.getEmailVerified(), equalTo(true));
assertThat(userInfoResponse.getEmailAddress(), equalTo(TEST_EMAIL_ADDRESS));
assertThat(userInfoResponse.getPhoneNumber(), equalTo(FORMATTED_PHONE_NUMBER));
assertThat(userInfoResponse.getPhoneNumberVerified(), equalTo(true));
assertThat(userInfoResponse.getSubject(), equalTo(PUBLIC_SUBJECT));
assertThat(userInfoResponse.getClaim(ValidClaims.ADDRESS.getValue()), equalTo(ADDRESS_CLAIM));
assertThat(userInfoResponse.getClaim(ValidClaims.PASSPORT.getValue()), equalTo(PASSPORT_CLAIM));
assertThat(userInfoResponse.getClaim(ValidClaims.CORE_IDENTITY_JWT.getValue()), equalTo(signedCredential.serialize()));
assertThat(userInfoResponse.toJWTClaimsSet().getClaims().size(), equalTo(8));
assertNoAuditEventsReceived(auditTopic);
}
use of com.nimbusds.oauth2.sdk.id.JWTID in project OpenConext-oidcng by OpenConext.
the class UserInfoEndpoint method userInfo.
private ResponseEntity<Map<String, Object>> userInfo(HttpServletRequest request) throws ParseException, IOException, java.text.ParseException {
HTTPRequest httpRequest = ServletUtils.createHTTPRequest(request);
UserInfoRequest userInfoRequest = UserInfoRequest.parse(httpRequest);
String accessTokenValue = userInfoRequest.getAccessToken().getValue();
MDCContext.mdcContext("action", "Userinfo", "accessTokenValue", accessTokenValue);
Optional<SignedJWT> optionalSignedJWT = tokenGenerator.parseAndValidateSignedJWT(accessTokenValue);
if (!optionalSignedJWT.isPresent()) {
return errorResponse("Access Token not found");
}
SignedJWT signedJWT = optionalSignedJWT.get();
String jwtId = signedJWT.getJWTClaimsSet().getJWTID();
Optional<AccessToken> optionalAccessToken = accessTokenRepository.findByJwtId(jwtId);
if (!optionalAccessToken.isPresent()) {
return errorResponse("Access Token not found");
}
AccessToken accessToken = optionalAccessToken.get();
if (accessToken.isExpired(Clock.systemDefaultZone())) {
return errorResponse("Access Token expired");
}
if (accessToken.isClientCredentials()) {
throw new InvalidGrantException("UserEndpoint not allowed for Client Credentials");
}
User user = tokenGenerator.decryptAccessTokenWithEmbeddedUserInfo(signedJWT);
MDCContext.mdcContext(user);
Map<String, Object> attributes = user.getAttributes();
List<String> acrClaims = user.getAcrClaims();
if (!CollectionUtils.isEmpty(acrClaims)) {
attributes.put("acr", String.join(" ", acrClaims));
}
attributes.put("updated_at", user.getUpdatedAt());
attributes.put("sub", user.getSub());
return ResponseEntity.ok(new TreeMap(attributes));
}
use of com.nimbusds.oauth2.sdk.id.JWTID in project di-authentication-api by alphagov.
the class IdentityIntegrationTest method shouldReturn204WhenCallingIdentityLambda.
@Test
void shouldReturn204WhenCallingIdentityLambda() throws JsonProcessingException {
Subject internalSubject = new Subject();
Subject publicSubject = new Subject();
LocalDateTime localDateTime = LocalDateTime.now().plusMinutes(10);
Date expiryDate = Date.from(localDateTime.atZone(ZoneId.of("UTC")).toInstant());
List<String> scopes = new ArrayList<>();
scopes.add("email");
scopes.add("phone");
scopes.add("openid");
var claimsSetRequest = new ClaimsSetRequest().add("name").add("birthdate");
var oidcValidClaimsRequest = new OIDCClaimsRequest().withUserInfoClaimsRequest(claimsSetRequest);
JWTClaimsSet claimsSet = new JWTClaimsSet.Builder().claim("scope", scopes).issuer("issuer-id").expirationTime(expiryDate).issueTime(Date.from(LocalDateTime.now().atZone(ZoneId.of("UTC")).toInstant())).claim("client_id", "client-id-one").subject(publicSubject.getValue()).jwtID(UUID.randomUUID().toString()).claim("claims", oidcValidClaimsRequest.getUserInfoClaimsRequest().getEntries().stream().map(ClaimsSetRequest.Entry::getClaimName).collect(Collectors.toList())).build();
SignedJWT signedJWT = tokenSigner.signJwt(claimsSet);
AccessToken accessToken = new BearerAccessToken(signedJWT.serialize());
AccessTokenStore accessTokenStore = new AccessTokenStore(accessToken.getValue(), internalSubject.getValue());
String accessTokenStoreString = new ObjectMapper().writeValueAsString(accessTokenStore);
redis.addToRedis(ACCESS_TOKEN_PREFIX + CLIENT_ID + "." + publicSubject, accessTokenStoreString, 300L);
SignedJWT signedCredential = SignedCredentialHelper.generateCredential();
setUpDynamo(publicSubject.getValue(), signedCredential.serialize());
var response = makeRequest(Optional.empty(), Map.of("Authorization", accessToken.toAuthorizationHeader()), Map.of());
assertThat(response, hasStatus(200));
IdentityResponse identityResponse = new ObjectMapper().readValue(response.getBody(), IdentityResponse.class);
assertThat(identityResponse.getSub(), equalTo(publicSubject.getValue()));
assertThat(identityResponse.getIdentityCredential(), equalTo(signedCredential.serialize()));
assertThat(spotStore.getSpotCredential(publicSubject.getValue()), equalTo(Optional.empty()));
}
Aggregations