use of io.micronaut.security.oauth2.endpoint.token.response.JWTOpenIdClaims in project micronaut-security by micronaut-projects.
the class DefaultOpenIdAuthorizationResponseHandler method validateOpenIdTokenResponse.
/**
* @param nonce Nonce
* @param clientConfiguration The client configuration
* @param openIdProviderMetadata The provider metadata
* @param openIdTokenResponse OpenID token response
* @param authenticationMapper The user details mapper
* @param state State
* @return An Authentication response if the open id token could be validated
* @throws ParseException If the payload of the JWT doesn't represent a valid JSON object and a JWT claims set.
*/
private Optional<AuthenticationResponse> validateOpenIdTokenResponse(String nonce, OauthClientConfiguration clientConfiguration, OpenIdProviderMetadata openIdProviderMetadata, OpenIdTokenResponse openIdTokenResponse, @Nullable OpenIdAuthenticationMapper authenticationMapper, @Nullable State state) throws ParseException {
if (LOG.isTraceEnabled()) {
LOG.trace("Token endpoint returned a success response. Validating the JWT");
}
Optional<JWT> jwt = tokenResponseValidator.validate(clientConfiguration, openIdProviderMetadata, openIdTokenResponse, nonce);
if (jwt.isPresent()) {
if (LOG.isTraceEnabled()) {
LOG.trace("Token validation succeeded. Creating a user details");
}
OpenIdClaims claims = new JWTOpenIdClaims(jwt.get().getJWTClaimsSet());
OpenIdAuthenticationMapper openIdAuthenticationMapper = authenticationMapper != null ? authenticationMapper : defaultAuthenticationMapper;
return Optional.of(openIdAuthenticationMapper.createAuthenticationResponse(clientConfiguration.getName(), openIdTokenResponse, claims, state));
}
return Optional.empty();
}
use of io.micronaut.security.oauth2.endpoint.token.response.JWTOpenIdClaims in project micronaut-security by micronaut-projects.
the class DefaultOpenIdTokenResponseValidator method validateClaims.
/**
* @param clientConfiguration The OAuth 2.0 client configuration
* @param openIdProviderMetadata The OpenID provider metadata
* @param jwt JWT with valida signature
* @param nonce The persisted nonce value
* @return the same JWT supplied as a parameter if the claims validation were succesful or empty if not.
*/
@NonNull
protected Optional<JWT> validateClaims(@NonNull OauthClientConfiguration clientConfiguration, @NonNull OpenIdProviderMetadata openIdProviderMetadata, @NonNull JWT jwt, @Nullable String nonce) {
try {
JWTClaimsSet claimsSet = jwt.getJWTClaimsSet();
OpenIdClaims claims = new JWTOpenIdClaims(claimsSet);
if (genericJwtClaimsValidators.stream().allMatch(validator -> validator.validate(claims, null))) {
if (openIdClaimsValidators.stream().allMatch(validator -> validator.validate(claims, clientConfiguration, openIdProviderMetadata))) {
if (nonceClaimValidator == null) {
if (LOG.isTraceEnabled()) {
LOG.trace("Skipping nonce validation because no bean of type {} present. ", NonceClaimValidator.class.getSimpleName());
}
return Optional.of(jwt);
}
if (nonceClaimValidator.validate(claims, clientConfiguration, openIdProviderMetadata, nonce)) {
return Optional.of(jwt);
} else if (LOG.isErrorEnabled()) {
LOG.error("Nonce {} validation failed for claims {}", nonce, claims.getClaims().keySet().stream().map(key -> key + "=" + claims.getClaims().get(key)).collect(Collectors.joining(", ", "{", "}")));
}
} else if (LOG.isErrorEnabled()) {
LOG.error("JWT OpenID specific claims validation failed for provider [{}]", clientConfiguration.getName());
}
} else if (LOG.isErrorEnabled()) {
LOG.error("JWT generic claims validation failed for provider [{}]", clientConfiguration.getName());
}
} catch (ParseException e) {
if (LOG.isErrorEnabled()) {
LOG.error("Failed to parse the JWT returned from provider [{}]", clientConfiguration.getName(), e);
}
}
return Optional.empty();
}
Aggregations