
Example 1 with OAuthJwtAccessTokenException

Use of com.yahoo.athenz.auth.oauth.token.OAuthJwtAccessTokenException in the yahoo/athenz project.

From class OAuthCertBoundJwtAccessTokenAuthority, method authenticate.

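/**
 * Processes the authenticate request for a certificate-bound OAuth 2.0 JWT access token.
 * <p>
 * The bearer token is read from the request header. When no token is present the
 * authority skips (returns null without writing to {@code errMsg}) so that another
 * authority can handle the request. When a token is present the request must also
 * carry a client certificate (mTLS): the token is parsed, validated, its client_id is
 * checked against the certificate principal and, when thumbprint verification is
 * enabled, its certificate-binding claim is checked against the presented certificate.
 * Every failure after a token was found is reported via {@code errMsg} and yields null.
 *
 * @param request http servlet request
 * @param errMsg  receives the error message if authentication fails; may be null
 * @return the Principal for the token's subject (with the client certificate attached),
 *         or null when the request is skipped or fails authentication
 */
@Override
public Principal authenticate(HttpServletRequest request, StringBuilder errMsg) {
    final StringBuilder err = errMsg == null ? new StringBuilder(512) : errMsg;

    // extract credentials from request; no token means this authority does not apply
    final String jwsString = OAuthAuthorityUtils.extractHeaderToken(request);
    if (jwsString == null) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("OAuthCertBoundJwtAccessTokenAuthority:authenticate: no credentials, skip...");
        }
        return null;
    }

    // the token is certificate-bound, so a client certificate is mandatory (fail if not mTLS)
    final CertificateIdentity certificateIdentity;
    try {
        certificateIdentity = this.certificateIdentityParser.parse(request);
    } catch (CertificateIdentityException e) {
        this.reportError("OAuthCertBoundJwtAccessTokenAuthority:authenticate: invalid certificate: " + e.getMessage(), err);
        return null;
    }
    final X509Certificate clientCert = certificateIdentity.getX509Certificate();
    final String clientCertPrincipal = certificateIdentity.getPrincipalName();

    // parse JWT (structure and signature handling are the parser's responsibility)
    final OAuthJwtAccessToken at;
    try {
        at = this.parser.parse(jwsString);
    } catch (OAuthJwtAccessTokenException e) {
        this.reportError("OAuthCertBoundJwtAccessTokenAuthority:authenticate: invalid JWT: " + e.getMessage(), err);
        return null;
    }

    // validate JWT and bind it to the presented certificate
    try {
        this.validator.validate(at);
        // the token's client_id must name the principal of the mTLS certificate; when
        // thumbprint verification is disabled this is the only token<->certificate link
        this.validator.validateClientId(at, clientCertPrincipal);
        if (this.shouldVerifyCertThumbprint) {
            final String clientCertThumbprint = this.validator.getX509CertificateThumbprint(clientCert);
            this.validator.validateCertificateBinding(at, clientCertThumbprint);
        }
    } catch (CertificateEncodingException | CryptoException | OAuthJwtAccessTokenException e) {
        this.reportError("OAuthCertBoundJwtAccessTokenAuthority:authenticate: invalid JWT: " + e.getMessage(), err);
        return null;
    }

    // create principal from the token subject, which must split into a domain and a service
    final String[] ds = AthenzUtils.splitPrincipalName(at.getSubject());
    if (ds == null) {
        // reported through reportError like every other failure so it is handled uniformly
        this.reportError("OAuthCertBoundJwtAccessTokenAuthority:authenticate: sub is not a valid service identity: got=" + at.getSubject(), err);
        return null;
    }
    final String domain = ds[0];
    final String service = ds[1];
    final SimplePrincipal principal = (SimplePrincipal) SimplePrincipal.create(domain, service, jwsString, at.getIssuedAt(), this);
    if (principal == null) {
        // NOTE(review): guards a null from SimplePrincipal.create (previously an NPE here) — confirm its contract
        this.reportError("OAuthCertBoundJwtAccessTokenAuthority:authenticate: unable to create principal for sub=" + at.getSubject(), err);
        return null;
    }
    principal.setUnsignedCreds(at.toString());
    principal.setX509Certificate(clientCert);
    // token scopes are not mapped onto principal roles here (upstream leaves setRoles(at.getScopes()) disabled)
    principal.setApplicationId(clientCertPrincipal);
    // the authorized service is the certificate principal unless an explicit mapping is configured
    principal.setAuthorizedService(this.authorizedServices.getOrDefault(clientCertPrincipal, clientCertPrincipal));

    if (LOG.isDebugEnabled()) {
        LOG.debug("OAuthCertBoundJwtAccessTokenAuthority.authenticate: client certificate name={}", clientCertPrincipal);
        LOG.debug("OAuthCertBoundJwtAccessTokenAuthority.authenticate: valid user={}", principal.toString());
        LOG.debug("OAuthCertBoundJwtAccessTokenAuthority.authenticate: unsignedCredentials={}", principal.getUnsignedCredentials());
        // the raw JWS is a bearer credential: it is deliberately not written to the log, even at debug level
    }
    return principal;
}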

Example 2 with OAuthJwtAccessTokenException

Use of com.yahoo.athenz.auth.oauth.token.OAuthJwtAccessTokenException in the yahoo/athenz project.

From class DefaultOAuthJwtAccessTokenParser, method parse.

/**
 * Parses a compact JWS string into an access token object.
 * <p>
 * Uses the signed-JWS entry point of the configured jjwt parser (parseClaimsJws), so a
 * token that is unsigned or whose signature does not verify is rejected by the parser
 * rather than accepted as claims; every such failure is surfaced as one checked exception.
 *
 * @param jwtString compact serialized JWS
 * @return the parsed access token
 * @throws OAuthJwtAccessTokenException wrapping whatever the underlying parser threw
 */
@Override
public OAuthJwtAccessToken parse(String jwtString) throws OAuthJwtAccessTokenException {
    try {
        return new DefaultOAuthJwtAccessToken(this.parser.parseClaimsJws(jwtString));
    } catch (Exception cause) {
        // parsing, signature and claim failures are collapsed into the caller-facing exception,
        // keeping the cause chain for diagnostics
        throw new OAuthJwtAccessTokenException(cause);
    }
}

Example 3 with OAuthJwtAccessTokenException

Use of com.yahoo.athenz.auth.oauth.token.OAuthJwtAccessTokenException in the yahoo/athenz project.

From interface OAuthJwtAccessTokenValidator, default method validateCertificateBinding.

/**
 * Validates that the JWT is bound to the given certificate.
 * <p>
 * Convenience overload: derives the certificate's thumbprint via
 * {@code getX509CertificateThumbprint} and delegates to the thumbprint-based
 * {@code validateCertificateBinding(jwt, String)}.
 *
 * @param  jwt                          jwt object
 * @param  x509Certificate              the certificate the token is expected to be bound to
 * @throws OAuthJwtAccessTokenException when the thumbprint cannot be computed from the
 *                                      certificate, or when the binding claim in the JWT
 *                                      does not match it
 */
public default void validateCertificateBinding(OAuthJwtAccessToken jwt, X509Certificate x509Certificate) throws OAuthJwtAccessTokenException {
    final String thumbprint;
    try {
        thumbprint = this.getX509CertificateThumbprint(x509Certificate);
    } catch (CertificateEncodingException | CryptoException cause) {
        // thumbprint derivation failures are surfaced as the same exception type as a binding mismatch
        throw new OAuthJwtAccessTokenException(cause);
    }
    this.validateCertificateBinding(jwt, thumbprint);
}
