use of io.micronaut.security.oauth2.client.OpenIdProviderMetadata in project micronaut-security by micronaut-projects.
the class DefaultOpenIdAuthorizationResponseHandler method validateOpenIdTokenResponse.
/**
 * Turns a successful token-endpoint response into an {@link AuthenticationResponse}.
 * <p>
 * The response is first handed to {@code tokenResponseValidator}; claims are read and the
 * mapper is invoked only for a JWT that comes back from that validation. A response whose
 * token does not validate yields an empty result rather than an exception.
 *
 * @param nonce Nonce, forwarded to the validator for its nonce check
 * @param clientConfiguration The client configuration
 * @param openIdProviderMetadata The provider metadata
 * @param openIdTokenResponse OpenID token response
 * @param authenticationMapper The user details mapper; when {@code null} the default mapper is used
 * @param state State
 * @return An Authentication response if the open id token could be validated, empty otherwise
 * @throws ParseException If the payload of the JWT doesn't represent a valid JSON object and a JWT claims set.
 */
private Optional<AuthenticationResponse> validateOpenIdTokenResponse(String nonce, OauthClientConfiguration clientConfiguration, OpenIdProviderMetadata openIdProviderMetadata, OpenIdTokenResponse openIdTokenResponse, @Nullable OpenIdAuthenticationMapper authenticationMapper, @Nullable State state) throws ParseException {
    if (LOG.isTraceEnabled()) {
        LOG.trace("Token endpoint returned a success response. Validating the JWT");
    }
    Optional<JWT> validatedJwt = tokenResponseValidator.validate(clientConfiguration, openIdProviderMetadata, openIdTokenResponse, nonce);
    if (!validatedJwt.isPresent()) {
        // Nothing to map: the token did not pass validation.
        return Optional.empty();
    }
    if (LOG.isTraceEnabled()) {
        LOG.trace("Token validation succeeded. Creating a user details");
    }
    // Claims are only ever read from the JWT returned by the validator above.
    OpenIdClaims claims = new JWTOpenIdClaims(validatedJwt.get().getJWTClaimsSet());
    OpenIdAuthenticationMapper mapper = defaultAuthenticationMapper;
    if (authenticationMapper != null) {
        mapper = authenticationMapper;
    }
    AuthenticationResponse response = mapper.createAuthenticationResponse(clientConfiguration.getName(), openIdTokenResponse, claims, state);
    return Optional.of(response);
}
use of io.micronaut.security.oauth2.client.OpenIdProviderMetadata in project micronaut-security by micronaut-projects.
the class OpenIdClientFactory method openIdClient.
/**
 * Creates an {@link OpenIdClient} from the provided parameters.
 * <p>
 * One client is built per {@link OpenIdClientConfiguration}; creation is gated by
 * {@link OpenIdClientCondition}, so a configuration that fails that condition never reaches
 * this method. The provider metadata is wrapped in a memoized supplier, so the metadata bean
 * is only obtained when the client first needs it.
 *
 * @param openIdClientConfiguration The openid client configuration
 * @param clientConfiguration The client configuration
 * @param openIdProviderMetadata The open id provider metadata
 * @param authenticationMapper The user details mapper; {@code null} leaves mapper selection to the client
 * @param redirectUrlBuilder The redirect URL builder
 * @param authorizationResponseHandler The authorization response handler
 * @param endSessionEndpointResolver The end session resolver
 * @param endSessionCallbackUrlBuilder The end session callback URL builder
 * @return The OpenID client; its end-session endpoint is {@code null} when end-session
 *         support is disabled for the configuration or the resolver finds no endpoint
 */
@EachBean(OpenIdClientConfiguration.class)
@Requires(condition = OpenIdClientCondition.class)
@SuppressWarnings("java:S107")
DefaultOpenIdClient openIdClient(@Parameter OpenIdClientConfiguration openIdClientConfiguration, @Parameter OauthClientConfiguration clientConfiguration, @Parameter BeanProvider<DefaultOpenIdProviderMetadata> openIdProviderMetadata, @Parameter @Nullable OpenIdAuthenticationMapper authenticationMapper, AuthorizationRedirectHandler redirectUrlBuilder, OpenIdAuthorizationResponseHandler authorizationResponseHandler, EndSessionEndpointResolver endSessionEndpointResolver, EndSessionCallbackUrlBuilder endSessionCallbackUrlBuilder) {
    // Deferred and memoized lookup of the provider metadata bean.
    Supplier<OpenIdProviderMetadata> providerMetadata = SupplierUtil.memoized(openIdProviderMetadata::get);
    // The end-session endpoint is only resolved when the configuration enables it.
    EndSessionEndpoint endSessionEndpoint = openIdClientConfiguration.getEndSession().isEnabled()
            ? endSessionEndpointResolver.resolve(clientConfiguration, providerMetadata, endSessionCallbackUrlBuilder).orElse(null)
            : null;
    return new DefaultOpenIdClient(clientConfiguration, providerMetadata, authenticationMapper, redirectUrlBuilder, authorizationResponseHandler, beanContext, endSessionEndpoint);
}
use of io.micronaut.security.oauth2.client.OpenIdProviderMetadata in project micronaut-security by micronaut-projects.
the class DefaultOpenIdTokenResponseValidator method validateClaims.
/**
 * Validates the claims of an ID token whose signature has already been checked.
 * <p>
 * Validation runs in three stages, each of which must succeed for the next to run:
 * the generic JWT claims validators, the OpenID-specific claims validators, and finally the
 * nonce validator (skipped when no {@link NonceClaimValidator} bean is present).
 * The first failing stage is logged at error level and the method returns empty.
 *
 * @param clientConfiguration The OAuth 2.0 client configuration
 * @param openIdProviderMetadata The OpenID provider metadata
 * @param jwt JWT with a valid signature
 * @param nonce The persisted nonce value
 * @return the same JWT supplied as a parameter if the claims validation was successful, or empty if not.
 */
@NonNull
protected Optional<JWT> validateClaims(@NonNull OauthClientConfiguration clientConfiguration, @NonNull OpenIdProviderMetadata openIdProviderMetadata, @NonNull JWT jwt, @Nullable String nonce) {
    try {
        OpenIdClaims claims = new JWTOpenIdClaims(jwt.getJWTClaimsSet());

        boolean genericClaimsValid = genericJwtClaimsValidators.stream()
                .allMatch(validator -> validator.validate(claims, null));
        if (!genericClaimsValid) {
            if (LOG.isErrorEnabled()) {
                LOG.error("JWT generic claims validation failed for provider [{}]", clientConfiguration.getName());
            }
            return Optional.empty();
        }

        boolean openIdClaimsValid = openIdClaimsValidators.stream()
                .allMatch(validator -> validator.validate(claims, clientConfiguration, openIdProviderMetadata));
        if (!openIdClaimsValid) {
            if (LOG.isErrorEnabled()) {
                LOG.error("JWT OpenID specific claims validation failed for provider [{}]", clientConfiguration.getName());
            }
            return Optional.empty();
        }

        if (nonceClaimValidator == null) {
            if (LOG.isTraceEnabled()) {
                LOG.trace("Skipping nonce validation because no bean of type {} present. ", NonceClaimValidator.class.getSimpleName());
            }
            return Optional.of(jwt);
        }
        if (nonceClaimValidator.validate(claims, clientConfiguration, openIdProviderMetadata, nonce)) {
            return Optional.of(jwt);
        }
        if (LOG.isErrorEnabled()) {
            // NOTE(review): this writes every claim of the ID token to the error log; ID-token
            // claims may carry personal data, so consider restricting this to claim names.
            String renderedClaims = claims.getClaims().entrySet().stream()
                    .map(entry -> entry.getKey() + "=" + entry.getValue())
                    .collect(Collectors.joining(", ", "{", "}"));
            LOG.error("Nonce {} validation failed for claims {}", nonce, renderedClaims);
        }
        return Optional.empty();
    } catch (ParseException e) {
        if (LOG.isErrorEnabled()) {
            LOG.error("Failed to parse the JWT returned from provider [{}]", clientConfiguration.getName(), e);
        }
        return Optional.empty();
    }
}