@Test
void shouldOnlyIncludeIdentityClaimsInAccessTokenWhenRequested() throws ParseException, JOSEException, Json.JsonException, com.nimbusds.oauth2.sdk.ParseException {
    // Request two identity claims via the userinfo claims request of the OIDC request.
    var requestedClaims = new ClaimsSetRequest().add("nickname").add("birthdate");
    var claimsRequest = new OIDCClaimsRequest().withUserInfoClaimsRequest(requestedClaims);

    when(configurationService.getTokenSigningKeyAlias()).thenReturn(KEY_ID);
    createSignedIdToken();
    createSignedAccessToken();

    var extraClaims = new HashMap<String, Object>();
    extraClaims.put("nonce", nonce);
    var consentedClaims = ValidScopes.getClaimsForListOfScopes(SCOPES_OFFLINE_ACCESS.toStringList());
    var consentTimestamp = LocalDateTime.now(ZoneId.of("UTC")).toString();
    var consents = Collections.singletonList(new ClientConsent(CLIENT_ID, consentedClaims, consentTimestamp));

    var tokenResponse = tokenService.generateTokenResponse(
            CLIENT_ID,
            INTERNAL_SUBJECT,
            SCOPES_OFFLINE_ACCESS,
            extraClaims,
            PUBLIC_SUBJECT,
            VOT,
            consents,
            false,
            claimsRequest,
            false);

    assertSuccessfullTokenResponse(tokenResponse);
    var tokens = tokenResponse.getOIDCTokens();
    assertNotNull(tokens.getRefreshToken());

    // The refresh token must not carry the identity claims; only the access token does.
    var refreshToken = SignedJWT.parse(tokens.getRefreshToken().getValue());
    assertNull(refreshToken.getJWTClaimsSet().getClaim("claims"));

    var accessTokenClaims = SignedJWT.parse(tokens.getAccessToken().getValue()).getJWTClaimsSet().getClaim("claims");
    var accessTokenClaimNames = JSONArrayUtils.parse(accessTokenClaims.toString());
    assertTrue(accessTokenClaimNames.contains("nickname"));
    assertTrue(accessTokenClaimNames.contains("birthdate"));

    // The refresh token is persisted under a key derived from its JWT ID.
    var expectedStore = new RefreshTokenStore(tokens.getRefreshToken().getValue(), INTERNAL_SUBJECT.getValue());
    var capturedKey = ArgumentCaptor.forClass(String.class);
    verify(redisConnectionService).saveWithExpiry(capturedKey.capture(), eq(objectMapper.writeValueAsString(expectedStore)), eq(300L));

    var expectedJti = refreshToken.getJWTClaimsSet().getJWTID();
    assertThat(capturedKey.getValue(), startsWith(REFRESH_TOKEN_PREFIX));
    assertThat(capturedKey.getValue().split(":")[1], equalTo(expectedJti));
}
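/**
 * Parses and validates a bearer {@code Authorization} header and resolves the
 * matching {@link AccessTokenInfo}.
 *
 * <p>Checks run in this order: header syntax, JWT syntax, expiry, signature,
 * client lookup, scope validity, optional identity claims, and finally a match
 * against the access token stored for the client/subject pair. Every failure is
 * reported as an {@link AccessTokenException}; a malformed or incomplete token
 * never escapes as an unchecked exception.
 *
 * @param authorizationHeader raw {@code Authorization} header value carrying a
 *     {@code Bearer} token
 * @param identityEnabled when {@code true}, identity claims are read from the
 *     token and returned; otherwise the result carries {@code null} for them
 * @return the stored token, subject, scopes and (optional) identity claims
 * @throws AccessTokenException if the header or token is malformed, lacks an
 *     expiry, is expired, fails signature validation, names an unknown client,
 *     carries scopes the client is not allowed, or does not match the stored token
 */
public AccessTokenInfo parse(String authorizationHeader, boolean identityEnabled) throws AccessTokenException {
    AccessToken accessToken;
    try {
        accessToken = AccessToken.parse(authorizationHeader, AccessTokenType.BEARER);
    } catch (com.nimbusds.oauth2.sdk.ParseException e) {
        LOG.warn("Unable to parse AccessToken");
        throw new AccessTokenException("Unable to parse AccessToken", BearerTokenError.INVALID_TOKEN);
    }
    try {
        var signedJWT = SignedJWT.parse(accessToken.getValue());
        // getJWTClaimsSet() re-parses the payload on each call; read it once.
        var claims = signedJWT.getJWTClaimsSet();
        var jwtId = claims.getJWTID();
        var currentDateTime = NowHelper.now();
        // NOTE: the expiry is read from the payload before the signature is verified.
        // It is only ever used to reject the token, never to grant anything, but
        // checking the signature first would avoid acting on unverified claims at all.
        // A token with no exp claim is rejected rather than treated as never expiring.
        var expirationTime = claims.getExpirationTime();
        if (expirationTime == null || DateUtils.isBefore(expirationTime, currentDateTime, 0)) {
            LOG.warn("Access Token has expired. Access Token expires at: {}. CurrentDateTime is: {}", expirationTime, currentDateTime);
            throw new AccessTokenException(INVALID_ACCESS_TOKEN, BearerTokenError.INVALID_TOKEN);
        }
        if (!tokenValidationService.validateAccessTokenSignature(accessToken)) {
            LOG.warn("Unable to validate AccessToken signature");
            throw new AccessTokenException("Unable to validate AccessToken signature", BearerTokenError.INVALID_TOKEN);
        }
        // From here on the claims are signature-verified and safe to act on.
        var clientID = claims.getStringClaim("client_id");
        var client = clientService.getClient(clientID);
        attachLogFieldToLogs(CLIENT_ID, clientID);
        if (client.isEmpty()) {
            LOG.warn("Client not found");
            throw new AccessTokenException("Client not found", BearerTokenError.INVALID_TOKEN);
        }
        // A missing scope claim previously surfaced as a NullPointerException; treat it
        // as an invalid scope so the caller gets the normal error response.
        var scopeClaim = claims.getClaim("scope");
        if (scopeClaim == null) {
            LOG.warn("Access Token has no scope claim");
            throw new AccessTokenException("Invalid Scopes", OAuth2Error.INVALID_SCOPE);
        }
        var scopes = JSONArrayUtils.parse(scopeClaim.toString()).stream()
                .map(Objects::toString)
                .collect(Collectors.toList());
        // Scopes must be both known to the service and granted to this client.
        if (!areScopesValid(scopes) || !client.get().getScopes().containsAll(scopes)) {
            LOG.warn("Invalid Scopes: {}", scopes);
            throw new AccessTokenException("Invalid Scopes", OAuth2Error.INVALID_SCOPE);
        }
        // Callers distinguish "identity disabled" (null) from "no claims" (empty list),
        // so null is kept here deliberately.
        List<String> identityClaims = null;
        if (identityEnabled) {
            identityClaims = getIdentityClaims(claims);
        }
        var subject = claims.getSubject();
        var accessTokenStore = getAccessTokenStore(clientID, subject);
        if (accessTokenStore.isEmpty()) {
            LOG.warn("Access Token Store is empty. Access Token expires at: {}. CurrentDateTime is: {}. JWTID in Access Token sent in request: {}", expirationTime, currentDateTime, jwtId);
            throw new AccessTokenException(INVALID_ACCESS_TOKEN, BearerTokenError.INVALID_TOKEN);
        }
        // The presented token must be the one currently on record for this client/subject;
        // an older (e.g. superseded) token with a valid signature is still rejected.
        if (!accessTokenStore.get().getToken().equals(accessToken.getValue())) {
            LOG.warn("Access Token in Access Token Store is different to Access Token sent in request");
            var storeJwtId = SignedJWT.parse(accessTokenStore.get().getToken()).getJWTClaimsSet().getJWTID();
            LOG.warn("JWTID in AccessTokenStore: {} compared to JWTID in Access Token sent in request: {}", storeJwtId, jwtId);
            throw new AccessTokenException(INVALID_ACCESS_TOKEN, BearerTokenError.INVALID_TOKEN);
        }
        return new AccessTokenInfo(accessTokenStore.get(), subject, scopes, identityClaims);
    } catch (ParseException e) {
        // java.text.ParseException: the token is not a well-formed signed JWT.
        LOG.warn("Unable to parse AccessToken to SignedJWT");
        throw new AccessTokenException("Unable to parse AccessToken to SignedJWT", BearerTokenError.INVALID_TOKEN);
    } catch (com.nimbusds.oauth2.sdk.ParseException e) {
        // Thrown by JSONArrayUtils.parse when the scope claim is not a JSON array.
        LOG.warn("Unable to parse ClaimSet in AccessToken");
        throw new AccessTokenException("Unable to parse ClaimSet in AccessToken", BearerTokenError.INVALID_TOKEN);
    }
}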