Example 6 with JSONWebKeySet
use of io.jans.as.model.jwk.JSONWebKeySet in project jans by JanssenProject.
the class JwtUtil method getJSONWebKeys.
public JSONWebKeySet getJSONWebKeys(String jwksUri) throws Exception {
log.debug("\n\n JwtUtil::getJSONWebKeys() - jwksUri = " + jwksUri + " \n");
JSONWebKeySet jsonWebKeySet = AuthClientFactory.getJSONWebKeys(jwksUri);
log.trace("\n\n JwtUtil::getJSONWebKeys() - jsonWebKeySet = " + jsonWebKeySet + " \n");
return jsonWebKeySet;
}
Also used :
JSONWebKeySet(io.jans.as.model.jwk.JSONWebKeySet)
Example 7 with JSONWebKeySet
use of io.jans.as.model.jwk.JSONWebKeySet in project jans by JanssenProject.
the class JwtUtil method validateToken.
public void validateToken(String token, List<String> resourceScopes) throws InvalidJwtException, Exception {
log.trace("Validate Jwt Token - token = " + token + " ,resourceScopes = " + resourceScopes + "\n");
try {
// Parse Token
Jwt jwt = this.parse(token);
log.trace("JwtUtil::validateToken() -JWT details : " + " jwt.getSigningInput() = " + jwt.getSigningInput() + " ,jwt.getEncodedSignature() = " + jwt.getEncodedSignature() + " ,jwt.getHeader().getKeyId() = " + jwt.getHeader().getKeyId() + " ,jwt.getHeader().getSignatureAlgorithm() = " + jwt.getHeader().getSignatureAlgorithm() + " ,jwt.getClaims().getClaimAsString(JwtHeaderName.ALGORITHM) = " + jwt.getClaims().getClaimAsString(JwtHeaderName.ALGORITHM) + " ,jwt.getClaims().getClaimAsString(JwtHeaderName.ENCRYPTION_METHOD) = " + jwt.getClaims().getClaimAsString(JwtHeaderName.ENCRYPTION_METHOD) + ".");
final Date expiresAt = jwt.getClaims().getClaimAsDate(JwtClaimName.EXPIRATION_TIME);
String issuer = jwt.getClaims().getClaimAsString(JwtClaimName.ISSUER);
List<String> scopes = jwt.getClaims().getClaimAsStringList("scope");
log.debug("\n\n JwtUtil::validateToken() - expiresAt = " + expiresAt + " , issuer =" + issuer + " , scopes = " + scopes + "\n");
// Validate token is not expired
log.info("Validate JWT");
final Date now = new Date();
if (now.after(expiresAt)) {
log.error("ID Token is expired. (It is after " + now + ").");
throw new WebApplicationException("ID Token is expired", Response.status(Response.Status.UNAUTHORIZED).build());
}
// Validate issuer
log.info("Validate JWT Issuer");
if (!authUtil.isValidIssuer(issuer)) {
throw new WebApplicationException("Jwt Issuer is Invalid.", Response.status(Response.Status.UNAUTHORIZED).build());
}
// Retrieve JSON Web Key Set Uri
log.info("Retrieve JSON Web Key Set URI");
String jwksUri = this.getJwksUri(issuer);
log.trace("\n\n JwtUtil::validateToken() - jwksUri = " + jwksUri);
// Retrieve JSON Web Key Set
log.info("Retrieve JSON Web Key Set");
JSONWebKeySet jsonWebKeySet = this.getJSONWebKeys(jwksUri);
log.trace("\n\n JwtUtil::validateToken() - jsonWebKeySet = " + jsonWebKeySet);
// Verify the signature used to sign the access token
log.info("Verify JWT signature");
boolean isJwtSignatureValid = this.validateSignature(jwt, jsonWebKeySet);
log.debug("\n\n JwtUtil::validateToken() - isJwtSignatureValid = " + isJwtSignatureValid + "\n\n");
if (!isJwtSignatureValid) {
throw new WebApplicationException("Jwt Signature is Invalid.", Response.status(Response.Status.UNAUTHORIZED).build());
}
// Validate Scopes
log.info("Validate token scopes");
if (!authUtil.validateScope(scopes, resourceScopes)) {
log.error("Insufficient scopes. Required scope: " + resourceScopes + ", token scopes: " + scopes);
throw new WebApplicationException("Insufficient scopes. Required scope", Response.status(Response.Status.UNAUTHORIZED).build());
}
} catch (InvalidJwtException exp) {
log.error("Not a valid Jwt token = " + exp);
throw exp;
}
}
Also used :
InvalidJwtException(io.jans.as.model.exception.InvalidJwtException)
WebApplicationException(javax.ws.rs.WebApplicationException)
JSONWebKeySet(io.jans.as.model.jwk.JSONWebKeySet)
Jwt(io.jans.as.model.jwt.Jwt)
Date(java.util.Date)
Example 8 with JSONWebKeySet
use of io.jans.as.model.jwk.JSONWebKeySet in project jans by JanssenProject.
the class JwtUtil method validateToken.
public List<String> validateToken(String token) throws InvalidJwtException, Exception {
try {
// Parse Token
Jwt jwt = this.parse(token);
log.trace("JwtUtil::validateToken() -JWT details : " + " jwt.getSigningInput() = " + jwt.getSigningInput() + " ,jwt.getEncodedSignature() = " + jwt.getEncodedSignature() + " ,jwt.getHeader().getKeyId() = " + jwt.getHeader().getKeyId() + " ,jwt.getHeader().getSignatureAlgorithm() = " + jwt.getHeader().getSignatureAlgorithm() + " ,jwt.getClaims().getClaimAsString(JwtHeaderName.ALGORITHM) = " + jwt.getClaims().getClaimAsString(JwtHeaderName.ALGORITHM) + " ,jwt.getClaims().getClaimAsString(JwtHeaderName.ENCRYPTION_METHOD) = " + jwt.getClaims().getClaimAsString(JwtHeaderName.ENCRYPTION_METHOD) + ".");
final Date expiresAt = jwt.getClaims().getClaimAsDate(JwtClaimName.EXPIRATION_TIME);
String issuer = jwt.getClaims().getClaimAsString(JwtClaimName.ISSUER);
List<String> scopes = jwt.getClaims().getClaimAsStringList("scope");
log.debug("\n\n JwtUtil::validateToken() - expiresAt = " + expiresAt + " , issuer =" + issuer + " , scopes = " + scopes + "\n");
// Validate token is not expired
log.info("Validate JWT");
final Date now = new Date();
if (now.after(expiresAt)) {
log.error("ID Token is expired. (It is after " + now + ").");
throw new WebApplicationException("ID Token is expired", Response.status(Response.Status.UNAUTHORIZED).build());
}
// Validate issuer
log.info("Validate JWT Issuer");
if (!authUtil.isValidIssuer(issuer)) {
throw new WebApplicationException("Jwt Issuer is Invalid.", Response.status(Response.Status.UNAUTHORIZED).build());
}
// Retrieve JSON Web Key Set Uri
log.info("Retrieve JSON Web Key Set URI");
String jwksUri = this.getJwksUri(issuer);
log.trace("\n\n JwtUtil::validateToken() - jwksUri = " + jwksUri);
// Retrieve JSON Web Key Set
log.info("Retrieve JSON Web Key Set");
JSONWebKeySet jsonWebKeySet = this.getJSONWebKeys(jwksUri);
log.trace("\n\n JwtUtil::validateToken() - jsonWebKeySet = " + jsonWebKeySet);
// Verify the signature used to sign the access token
log.info("Verify JWT signature");
boolean isJwtSignatureValid = this.validateSignature(jwt, jsonWebKeySet);
log.debug("\n\n JwtUtil::validateToken() - isJwtSignatureValid = " + isJwtSignatureValid + "\n\n");
if (!isJwtSignatureValid) {
throw new WebApplicationException("Jwt Signature is Invalid.", Response.status(Response.Status.UNAUTHORIZED).build());
}
return scopes;
} catch (InvalidJwtException exp) {
log.error("Not a valid Jwt token = " + exp);
throw exp;
}
}
Also used :
InvalidJwtException(io.jans.as.model.exception.InvalidJwtException)
WebApplicationException(javax.ws.rs.WebApplicationException)
JSONWebKeySet(io.jans.as.model.jwk.JSONWebKeySet)
Jwt(io.jans.as.model.jwt.Jwt)
Date(java.util.Date)
Example 9 with JSONWebKeySet
use of io.jans.as.model.jwk.JSONWebKeySet in project jans by JanssenProject.
the class MTLSService method processMTLS.
public boolean processMTLS(HttpServletRequest httpRequest, HttpServletResponse httpResponse, FilterChain filterChain, Client client) throws Exception {
log.debug("Trying to authenticate client {} via {} ...", client.getClientId(), client.getAuthenticationMethod());
final String clientCertAsPem = httpRequest.getHeader("X-ClientCert");
if (StringUtils.isBlank(clientCertAsPem)) {
log.debug("Client certificate is missed in `X-ClientCert` header, client_id: {}.", client.getClientId());
return false;
}
X509Certificate cert = CertUtils.x509CertificateFromPem(clientCertAsPem);
if (cert == null) {
log.debug("Failed to parse client certificate, client_id: {}.", client.getClientId());
return false;
}
final String cn = CertUtils.getCN(cert);
final String hashedCn = HashUtil.getHash(cn, SignatureAlgorithm.HS512);
if ((StringUtils.isBlank(cn) || StringUtils.isBlank(hashedCn)) || (!cn.equals(client.getClientId()) && !hashedCn.equals(HashUtil.getHash(client.getClientId(), SignatureAlgorithm.HS512)))) {
if (log.isTraceEnabled())
log.trace("Client certificate CN does not match clientId. Invoke registration script's isCertValidForClient, CN: {}, clientId: {}, hashedCn: {}", cn, client.getClientId(), hashedCn);
DynamicClientRegistrationContext context = new DynamicClientRegistrationContext(httpRequest, new JSONObject(), null, client);
boolean result = externalDynamicClientRegistrationService.isCertValidForClient(cert, context);
if (!result) {
log.error("Reject request. isCertValidForClient returned false.");
throw new WebApplicationException(Response.status(Response.Status.UNAUTHORIZED).entity(errorResponseFactory.getErrorAsJson(TokenErrorResponseType.INVALID_CLIENT, httpRequest.getParameter("state"), "")).build());
}
}
if (client.getAuthenticationMethod() == AuthenticationMethod.TLS_CLIENT_AUTH) {
log.debug("Authenticating with tls_client_auth ...");
final String subjectDn = client.getAttributes().getTlsClientAuthSubjectDn();
if (StringUtils.isBlank(subjectDn)) {
log.debug("SubjectDN is not set for client {} which is required to authenticate it via `tls_client_auth`.", client.getClientId());
return false;
}
// we check only `subjectDn`, the PKI certificate validation is performed by apache/httpd
if (CertUtils.equalsRdn(subjectDn, cert.getSubjectDN().getName())) {
log.debug("Client {} authenticated via `tls_client_auth`.", client.getClientId());
authenticatedSuccessfully(client, httpRequest);
filterChain.doFilter(httpRequest, httpResponse);
return true;
}
log.debug("Client's subject dn: {}, cert subject dn: {}", subjectDn, cert.getSubjectDN().getName());
}
if (client.getAuthenticationMethod() == AuthenticationMethod.SELF_SIGNED_TLS_CLIENT_AUTH) {
// disable it
log.debug("Authenticating with self_signed_tls_client_auth ...");
final PublicKey publicKey = cert.getPublicKey();
final byte[] encodedKey = publicKey.getEncoded();
JSONObject jsonWebKeys = Strings.isNullOrEmpty(client.getJwks()) ? JwtUtil.getJSONWebKeys(client.getJwksUri()) : new JSONObject(client.getJwks());
if (jsonWebKeys == null) {
log.debug("Unable to load json web keys for client: {}, jwks_uri: {}, jks: {}", client.getClientId(), client.getJwksUri(), client.getJwks());
return false;
}
final JSONWebKeySet keySet = JSONWebKeySet.fromJSONObject(jsonWebKeys);
for (JSONWebKey key : keySet.getKeys()) {
if (ArrayUtils.isEquals(encodedKey, cryptoProvider.getPublicKey(key.getKid(), jsonWebKeys, null).getEncoded())) {
log.debug("Client {} authenticated via `self_signed_tls_client_auth`, matched kid: {}.", client.getClientId(), key.getKid());
authenticatedSuccessfully(client, httpRequest);
filterChain.doFilter(httpRequest, httpResponse);
return true;
}
}
}
log.debug("MTLS authentication failed.");
return false;
}
Also used :
JSONWebKey(io.jans.as.model.jwk.JSONWebKey)
JSONObject(org.json.JSONObject)
WebApplicationException(javax.ws.rs.WebApplicationException)
JSONWebKeySet(io.jans.as.model.jwk.JSONWebKeySet)
PublicKey(java.security.PublicKey)
X509Certificate(java.security.cert.X509Certificate)
DynamicClientRegistrationContext(io.jans.as.server.service.external.context.DynamicClientRegistrationContext)
Example 10 with JSONWebKeySet
use of io.jans.as.model.jwk.JSONWebKeySet in project jans by JanssenProject.
the class AccountsServlet method processRequest.
/**
* Processes requests for both HTTP <code>GET</code> and <code>POST</code>
* methods.
*
* @param servletRequest servlet request
* @param httpResponse servlet response
*/
protected void processRequest(HttpServletRequest servletRequest, HttpServletResponse httpResponse) {
log.info("Starting processRequest method of get Account Servlet***********************************************************************");
String authFromReq = null;
String xfapiinteractionid = null;
String tempaccess_token = null;
httpResponse.setCharacterEncoding("UTF-8");
httpResponse.setContentType(Constants.CONTENT_TYPE_APPLICATION_JSON_UTF_8);
try (PrintWriter out = httpResponse.getWriter()) {
xfapiinteractionid = servletRequest.getHeader("x-fapi-interaction-id");
tempaccess_token = servletRequest.getParameter("access_token");
if (xfapiinteractionid != null) {
httpResponse.addHeader("x-fapi-interaction-id", xfapiinteractionid);
} else {
xfapiinteractionid = UUID.randomUUID().toString();
httpResponse.addHeader("x-fapi-interaction-id", xfapiinteractionid);
}
if ((tempaccess_token != null) && (xfapiinteractionid != null)) {
if (tempaccess_token.startsWith("Bearer")) {
httpResponse.sendError(httpResponse.SC_BAD_REQUEST, "Bearer token in query is disallowed");
log.info("FAPI ACcount: Authorization Bearer Token is not allowed in query*********************************************");
// throw errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.ACCESS_DENIED, "FAPI: access_token in query is disallowed.");
} else {
httpResponse.sendError(httpResponse.SC_BAD_REQUEST, "token in query is disallowed");
log.info("FAPI: Authorization token is non-Bearer is not allowed in query*********************************************");
}
}
String clientCertAsPem = servletRequest.getHeader("X-ClientCert");
if (clientCertAsPem != null) {
log.info("FAPI Account: clientCertAsPem found*****************************************" + clientCertAsPem);
} else
log.info("FAPI Account: Nooooooooo clientCertAsPem *****************************************");
authFromReq = servletRequest.getHeader("Authorization");
String clientDn = null;
Client cl = null;
clientDn = tokenService.getClientDn(authFromReq);
X509Certificate cert = CertUtils.x509CertificateFromPem(clientCertAsPem);
AuthorizationGrant authorizationGrant = tokenService.getBearerAuthorizationGrant(authFromReq);
if (authorizationGrant == null || cert == null) {
sendError(httpResponse, authorizationGrant == null ? "Unable to find authorization grant." : "Failed to parse client certificate.");
return;
}
PublicKey publicKey = cert.getPublicKey();
byte[] encodedKey = publicKey.getEncoded();
if (clientDn != null) {
log.info("FAPI Account: ClientDn from Authoirization(tokenService) *********************************************" + clientDn);
cl = clientService.getClientByDn(clientDn);
JSONObject jsonWebKeys = new JSONObject(cl.getJwks());
if (jsonWebKeys == null) {
log.debug("FAPI Account:********************Unable to load json web keys for client: {}, jwks_uri: {}, jks: {}", cl.getClientId(), cl.getJwksUri(), cl.getJwks());
}
int matchctr = 0;
final JSONWebKeySet keySet = JSONWebKeySet.fromJSONObject(jsonWebKeys);
try {
for (JSONWebKey key : keySet.getKeys()) {
if (ArrayUtils.isEquals(encodedKey, cryptoProvider.getPublicKey(key.getKid(), jsonWebKeys, null).getEncoded())) {
matchctr += 1;
log.debug("FAPI Account: ********************************Client {} authenticated via `self_signed_tls_client_auth`, matched kid: {}.", cl.getClientId(), key.getKid());
}
}
if (matchctr == 0) {
log.error("FAPI Account: Client certificate does not match clientId. clientId: " + cl.getClientId() + "*********************************************");
httpResponse.setStatus(401, "The resource owner or authorization server denied the request");
return;
// throw new WebApplicationException(Response.status(Response.Status.UNAUTHORIZED).entity(errorResponseFactory.getErrorAsJson(TokenErrorResponseType.INVALID_CLIENT, servletRequest.getParameter("state"), "")).build());
}
} catch (Exception e) {
log.info("FAPI Account: Exception while keymatching****************************************************************");
}
} else
log.info("FAPI Account: ClientDn from Authoirization(tokenService) is NULL*********************************************");
JSONObject jsonObj = new JSONObject();
JSONArray accounts = new JSONArray();
jsonObj.put("Links", new JSONObject().put("self", "/open-banking/v3.1/aisp/accounts"));
jsonObj.put("Meta", new JSONObject().put("TotalPages", 1));
accounts.put(getAccount("Account1", "GBP", "352413", "05 May 2021", "08 Jun 2021", "CurrentAccount", "Enabled", "Personal"));
accounts.put(getAccount("Account2", "GBP", "4736325", "25 Mar 2021", "23 Apr 2021", "CurrentAccount", "Enabled", "Personal"));
jsonObj.put("Data", new JSONObject().put("Account", accounts));
out.print(jsonObj.toString());
httpResponse.setStatus(200, "OK");
out.flush();
log.info("Finished processRequest method of get Account Servlet ***********************************************************************");
} catch (Exception e) {
log.error(e.getMessage(), e);
}
}
Also used :
JSONWebKeySet(io.jans.as.model.jwk.JSONWebKeySet)
PublicKey(java.security.PublicKey)
JSONArray(org.json.JSONArray)
X509Certificate(java.security.cert.X509Certificate)
ServletException(javax.servlet.ServletException)
IOException(java.io.IOException)
JSONWebKey(io.jans.as.model.jwk.JSONWebKey)
JSONObject(org.json.JSONObject)
Client(io.jans.as.common.model.registration.Client)
AuthorizationGrant(io.jans.as.server.model.common.AuthorizationGrant)
PrintWriter(java.io.PrintWriter)
Aggregations
JSONWebKeySet (io.jans.as.model.jwk.JSONWebKeySet)17
JSONObject (org.json.JSONObject)9
JSONWebKey (io.jans.as.model.jwk.JSONWebKey)6
CryptoProviderException (io.jans.as.model.exception.CryptoProviderException)4
HttpException (io.jans.ca.server.HttpException)4
PublicKey (java.security.PublicKey)4
KeyEncryptionAlgorithm (io.jans.as.model.crypto.encryption.KeyEncryptionAlgorithm)3
SignatureAlgorithm (io.jans.as.model.crypto.signature.SignatureAlgorithm)3
InvalidJwtException (io.jans.as.model.exception.InvalidJwtException)3
Algorithm (io.jans.as.model.jwk.Algorithm)3
Jwt (io.jans.as.model.jwt.Jwt)3
X509Certificate (java.security.cert.X509Certificate)3
JwkResponse (io.jans.as.client.JwkResponse)2
Client (io.jans.as.common.model.registration.Client)2
RSAPublicKey (io.jans.as.model.crypto.signature.RSAPublicKey)2
AuthorizationGrant (io.jans.as.server.model.common.AuthorizationGrant)2
IOException (java.io.IOException)2
PrintWriter (java.io.PrintWriter)2
Date (java.util.Date)2
ServletException (javax.servlet.ServletException)2
