Examples with SignedJwt io.helidon.security.jwt.SignedJwt used on opensource projects

Search in sources :

Example 16 with SignedJwt

use of io.helidon.security.jwt.SignedJwt in project helidon by oracle.

the class JwtProvider method propagate.

private OutboundSecurityResponse propagate(JwtOutboundTarget ot, Subject subject) {
    Map<String, List<String>> headers = new HashMap<>();
    Jwk jwk = signKeys.forKeyId(ot.jwkKid).orElseThrow(() -> new JwtException("Signing JWK with kid: " + ot.jwkKid + " is not defined."));
    Principal principal = subject.principal();
    Jwt.Builder builder = Jwt.builder();
    principal.abacAttributeNames().forEach(name -> {
        principal.abacAttribute(name).ifPresent(val -> builder.addPayloadClaim(name, val));
    });
    principal.abacAttribute("full_name").ifPresentOrElse(name -> builder.addPayloadClaim("name", name), () -> builder.removePayloadClaim("name"));
    builder.subject(principal.id()).preferredUsername(principal.getName()).issuer(issuer).algorithm(jwk.algorithm());
    ot.update(builder);
    Jwt jwt = builder.build();
    SignedJwt signed = SignedJwt.sign(jwt, jwk);
    ot.outboundHandler.header(headers, signed.tokenContent());
    return OutboundSecurityResponse.withHeaders(headers);
}
Also used : HashMap(java.util.HashMap) IdentityHashMap(java.util.IdentityHashMap) SignedJwt(io.helidon.security.jwt.SignedJwt) Jwt(io.helidon.security.jwt.Jwt) List(java.util.List) JwtException(io.helidon.security.jwt.JwtException) SignedJwt(io.helidon.security.jwt.SignedJwt) Principal(io.helidon.security.Principal) Jwk(io.helidon.security.jwt.jwk.Jwk)

Example 17 with SignedJwt

use of io.helidon.security.jwt.SignedJwt in project helidon by oracle.

the class JwtProvider method authenticateToken.

private AuthenticationResponse authenticateToken(String token) {
    SignedJwt signedJwt;
    try {
        signedJwt = SignedJwt.parseToken(token);
    } catch (Exception e) {
        // invalid token
        return failOrAbstain("Invalid token" + e);
    }
    if (verifySignature) {
        Errors errors = signedJwt.verifySignature(verifyKeys, defaultJwk);
        if (errors.isValid()) {
            Jwt jwt = signedJwt.getJwt();
            // verify the audience is correct
            Errors validate = jwt.validate(null, expectedAudience);
            if (validate.isValid()) {
                return AuthenticationResponse.success(buildSubject(jwt, signedJwt));
            } else {
                return failOrAbstain("Audience is invalid or missing: " + expectedAudience);
            }
        } else {
            return failOrAbstain(errors.toString());
        }
    } else {
        return AuthenticationResponse.success(buildSubject(signedJwt.getJwt(), signedJwt));
    }
}
Also used : Errors(io.helidon.common.Errors) SignedJwt(io.helidon.security.jwt.SignedJwt) Jwt(io.helidon.security.jwt.Jwt) SignedJwt(io.helidon.security.jwt.SignedJwt) JwtException(io.helidon.security.jwt.JwtException)

Example 18 with SignedJwt

use of io.helidon.security.jwt.SignedJwt in project helidon by oracle.

the class JwtProviderTest method testInvalidSignatureOk.

@Test
@DisplayName("RSA Invalid Signature: verify-signature = false")
public void testInvalidSignatureOk() {
    String username = "user1";
    String userId = "user1-id";
    String email = "user1@example.org";
    String familyName = "Novak";
    String givenName = "Standa";
    String fullName = "Standa Novak";
    Locale locale = Locale.CANADA_FRENCH;
    Principal principal = Principal.builder().name(username).id(userId).addAttribute("email", email).addAttribute("email_verified", true).addAttribute("family_name", familyName).addAttribute("given_name", givenName).addAttribute("full_name", fullName).addAttribute("locale", locale).build();
    Subject subject = Subject.create(principal);
    JwtProvider provider = JwtProvider.create(providersConfig.get("jwt-no-verification"));
    SecurityContext context = Mockito.mock(SecurityContext.class);
    when(context.user()).thenReturn(Optional.of(subject));
    ProviderRequest request = mock(ProviderRequest.class);
    when(request.securityContext()).thenReturn(context);
    SecurityEnvironment outboundEnv = SecurityEnvironment.builder().path("/rsa").transport("http").targetUri(URI.create("http://localhost:8080/rsa")).build();
    EndpointConfig outboundEp = EndpointConfig.create();
    assertThat(provider.isOutboundSupported(request, outboundEnv, outboundEp), is(true));
    OutboundSecurityResponse response = provider.syncOutbound(request, outboundEnv, outboundEp);
    String signedToken = response.requestHeaders().get("Authorization").get(0);
    signedToken = signedToken.substring("bearer ".length());
    // the token is headers.body.signature
    int lastDot = signedToken.lastIndexOf('.') + 1;
    signedToken = signedToken.substring(0, lastDot) + Base64.getEncoder().encodeToString("invalidSignature".getBytes());
    SignedJwt signedJwt = SignedJwt.parseToken(signedToken);
    assertThat("Should not be valid signature (wrong length)", signedJwt.verifySignature(verifyKeys).isValid(), is(false));
    // now we need to use the same token to invoke authentication
    ProviderRequest atnRequest = mock(ProviderRequest.class);
    SecurityEnvironment se = SecurityEnvironment.builder().header("Authorization", "bearer " + signedToken).build();
    when(atnRequest.env()).thenReturn(se);
    AuthenticationResponse authenticationResponse = provider.syncAuthenticate(atnRequest);
    authenticationResponse.user().map(Subject::principal).ifPresentOrElse(atnPrincipal -> {
        assertThat(atnPrincipal.id(), is(userId));
        assertThat(atnPrincipal.getName(), is(username));
        assertThat(atnPrincipal.abacAttribute("email"), is(Optional.of(email)));
        assertThat(atnPrincipal.abacAttribute("email_verified"), is(Optional.of(true)));
        assertThat(atnPrincipal.abacAttribute("family_name"), is(Optional.of(familyName)));
        assertThat(atnPrincipal.abacAttribute("given_name"), is(Optional.of(givenName)));
        assertThat(atnPrincipal.abacAttribute("full_name"), is(Optional.of(fullName)));
        assertThat(atnPrincipal.abacAttribute("locale"), is(Optional.of(locale)));
    }, () -> fail("User must be present in response"));
}
Also used : Locale(java.util.Locale) SecurityEnvironment(io.helidon.security.SecurityEnvironment) SignedJwt(io.helidon.security.jwt.SignedJwt) AuthenticationResponse(io.helidon.security.AuthenticationResponse) Subject(io.helidon.security.Subject) ProviderRequest(io.helidon.security.ProviderRequest) OutboundSecurityResponse(io.helidon.security.OutboundSecurityResponse) SecurityContext(io.helidon.security.SecurityContext) Principal(io.helidon.security.Principal) EndpointConfig(io.helidon.security.EndpointConfig) Test(org.junit.jupiter.api.Test) DisplayName(org.junit.jupiter.api.DisplayName)

Example 19 with SignedJwt

use of io.helidon.security.jwt.SignedJwt in project helidon by oracle.

the class JwtAuthProvider method propagate.

private OutboundSecurityResponse propagate(JwtOutboundTarget ot, Subject subject) {
    Map<String, List<String>> headers = new HashMap<>();
    Jwk jwk = signKeys.forKeyId(ot.jwkKid).orElseThrow(() -> new JwtException("Signing JWK with kid: " + ot.jwkKid + " is not defined."));
    Principal principal = subject.principal();
    Jwt.Builder builder = Jwt.builder();
    principal.abacAttributeNames().forEach(name -> {
        principal.abacAttribute(name).ifPresent(val -> builder.addPayloadClaim(name, val));
    });
    principal.abacAttribute("full_name").ifPresentOrElse(name -> builder.addPayloadClaim("name", name), () -> builder.removePayloadClaim("name"));
    builder.subject(principal.id()).preferredUsername(principal.getName()).issuer(issuer).algorithm(jwk.algorithm());
    ot.update(builder);
    // MP specific
    if (!principal.abacAttribute("upn").isPresent()) {
        builder.userPrincipal(principal.getName());
    }
    Security.getRoles(subject).forEach(builder::addUserGroup);
    Jwt jwt = builder.build();
    SignedJwt signed = SignedJwt.sign(jwt, jwk);
    ot.outboundHandler.header(headers, signed.tokenContent());
    return OutboundSecurityResponse.withHeaders(headers);
}
Also used : IdentityHashMap(java.util.IdentityHashMap) HashMap(java.util.HashMap) EncryptedJwt(io.helidon.security.jwt.EncryptedJwt) SignedJwt(io.helidon.security.jwt.SignedJwt) Jwt(io.helidon.security.jwt.Jwt) List(java.util.List) LinkedList(java.util.LinkedList) JwtException(io.helidon.security.jwt.JwtException) SignedJwt(io.helidon.security.jwt.SignedJwt) Principal(io.helidon.security.Principal) Jwk(io.helidon.security.jwt.jwk.Jwk)

Example 20 with SignedJwt

use of io.helidon.security.jwt.SignedJwt in project helidon by oracle.

the class JwtAuthProvider method impersonate.

private OutboundSecurityResponse impersonate(JwtOutboundTarget ot, String username) {
    Map<String, List<String>> headers = new HashMap<>();
    Jwk jwk = signKeys.forKeyId(ot.jwkKid).orElseThrow(() -> new JwtException("Signing JWK with kid: " + ot.jwkKid + " is not defined."));
    Jwt.Builder builder = Jwt.builder();
    builder.addPayloadClaim("name", username);
    builder.subject(username).preferredUsername(username).issuer(issuer).algorithm(jwk.algorithm());
    ot.update(builder);
    Jwt jwt = builder.build();
    SignedJwt signed = SignedJwt.sign(jwt, jwk);
    ot.outboundHandler.header(headers, signed.tokenContent());
    return OutboundSecurityResponse.withHeaders(headers);
}
Also used : IdentityHashMap(java.util.IdentityHashMap) HashMap(java.util.HashMap) EncryptedJwt(io.helidon.security.jwt.EncryptedJwt) SignedJwt(io.helidon.security.jwt.SignedJwt) Jwt(io.helidon.security.jwt.Jwt) List(java.util.List) LinkedList(java.util.LinkedList) JwtException(io.helidon.security.jwt.JwtException) SignedJwt(io.helidon.security.jwt.SignedJwt) Jwk(io.helidon.security.jwt.jwk.Jwk)

Aggregations

SignedJwt (io.helidon.security.jwt.SignedJwt)22 Jwt (io.helidon.security.jwt.Jwt)20 Test (org.junit.jupiter.api.Test)13 Principal (io.helidon.security.Principal)12 Subject (io.helidon.security.Subject)11 AuthenticationResponse (io.helidon.security.AuthenticationResponse)10 EndpointConfig (io.helidon.security.EndpointConfig)10 OutboundSecurityResponse (io.helidon.security.OutboundSecurityResponse)10 ProviderRequest (io.helidon.security.ProviderRequest)10 SecurityEnvironment (io.helidon.security.SecurityEnvironment)10 SecurityContext (io.helidon.security.SecurityContext)8 JwtException (io.helidon.security.jwt.JwtException)7 Instant (java.time.Instant)7 HashMap (java.util.HashMap)6 List (java.util.List)6 Locale (java.util.Locale)6 Jwk (io.helidon.security.jwt.jwk.Jwk)5 IdentityHashMap (java.util.IdentityHashMap)5 Errors (io.helidon.common.Errors)4 JwkKeys (io.helidon.security.jwt.jwk.JwkKeys)4
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial