
Example 1 with OpenIdClaims

use of io.micronaut.security.oauth2.endpoint.token.response.OpenIdClaims in project micronaut-security by micronaut-projects.

From the class DefaultOpenIdAuthorizationResponseHandler, method validateOpenIdTokenResponse (a private helper; the enclosing class and its fields LOG, tokenResponseValidator and defaultAuthenticationMapper are not shown here).

/**
 * Validates the ID token carried in a successful token-endpoint response and, if it
 * passes, turns its claims into an {@link AuthenticationResponse}.
 *
 * Signature/claims/nonce checking is delegated entirely to {@code tokenResponseValidator};
 * this method only decides which mapper turns the validated claims into an
 * authentication response.
 *
 * @param nonce Nonce
 * @param clientConfiguration The client configuration
 * @param openIdProviderMetadata The provider metadata
 * @param openIdTokenResponse OpenID token response
 * @param authenticationMapper The user details mapper; when null the default mapper is used
 * @param state State
 * @return An Authentication response if the open id token could be validated, empty otherwise
 * @throws ParseException If the payload of the JWT doesn't represent a valid JSON object and a JWT claims set.
 */
private Optional<AuthenticationResponse> validateOpenIdTokenResponse(String nonce, OauthClientConfiguration clientConfiguration, OpenIdProviderMetadata openIdProviderMetadata, OpenIdTokenResponse openIdTokenResponse, @Nullable OpenIdAuthenticationMapper authenticationMapper, @Nullable State state) throws ParseException {
    if (LOG.isTraceEnabled()) {
        LOG.trace("Token endpoint returned a success response. Validating the JWT");
    }
    Optional<JWT> validatedJwt = tokenResponseValidator.validate(clientConfiguration, openIdProviderMetadata, openIdTokenResponse, nonce);
    // Guard clause: an empty Optional means the ID token was rejected; nothing is mapped.
    if (!validatedJwt.isPresent()) {
        return Optional.empty();
    }
    if (LOG.isTraceEnabled()) {
        LOG.trace("Token validation succeeded. Creating a user details");
    }
    // getJWTClaimsSet() is the only call here that can throw ParseException.
    OpenIdClaims idTokenClaims = new JWTOpenIdClaims(validatedJwt.get().getJWTClaimsSet());
    OpenIdAuthenticationMapper mapper = (authenticationMapper == null) ? defaultAuthenticationMapper : authenticationMapper;
    AuthenticationResponse response = mapper.createAuthenticationResponse(clientConfiguration.getName(), openIdTokenResponse, idTokenClaims, state);
    return Optional.of(response);
}

Example 2 with OpenIdClaims

use of io.micronaut.security.oauth2.endpoint.token.response.OpenIdClaims in project micronaut-security by micronaut-projects.

From the class DefaultOpenIdTokenResponseValidator, method validateClaims (the enclosing class and its fields LOG, genericJwtClaimsValidators, openIdClaimsValidators and nonceClaimValidator are not shown here).

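/**
 * Runs the configured claim validators against an ID token whose signature has already
 * been verified, in three stages: generic JWT claim validators, OpenID-specific claim
 * validators, and finally the nonce check.
 *
 * Note that the nonce stage is fail-open: when no {@code NonceClaimValidator} bean is
 * present the token is accepted without the nonce ever being compared, which removes the
 * replay protection the nonce exists for. Deployments should make sure that bean is present.
 *
 * @param clientConfiguration The OAuth 2.0 client configuration
 * @param openIdProviderMetadata The OpenID provider metadata
 * @param jwt JWT with a valid signature
 * @param nonce The persisted nonce value
 * @return the same JWT supplied as a parameter if the claims validation was successful, or empty if not.
 */
@NonNull
protected Optional<JWT> validateClaims(@NonNull OauthClientConfiguration clientConfiguration, @NonNull OpenIdProviderMetadata openIdProviderMetadata, @NonNull JWT jwt, @Nullable String nonce) {
    try {
        JWTClaimsSet claimsSet = jwt.getJWTClaimsSet();
        OpenIdClaims claims = new JWTOpenIdClaims(claimsSet);
        // Stage 1: generic validators. The second argument is null because there is no
        // request in scope here (assumed optional per the validator's contract — not shown in this file).
        if (!genericJwtClaimsValidators.stream().allMatch(validator -> validator.validate(claims, null))) {
            if (LOG.isErrorEnabled()) {
                LOG.error("JWT generic claims validation failed for provider [{}]", clientConfiguration.getName());
            }
            return Optional.empty();
        }
        // Stage 2: OpenID-specific validators (they get the client config and provider metadata).
        if (!openIdClaimsValidators.stream().allMatch(validator -> validator.validate(claims, clientConfiguration, openIdProviderMetadata))) {
            if (LOG.isErrorEnabled()) {
                LOG.error("JWT OpenID specific claims validation failed for provider [{}]", clientConfiguration.getName());
            }
            return Optional.empty();
        }
        // Stage 3: nonce. Fail-open when no validator bean is wired (see class-level caveat above).
        if (nonceClaimValidator == null) {
            if (LOG.isTraceEnabled()) {
                LOG.trace("Skipping nonce validation because no bean of type {} present. ", NonceClaimValidator.class.getSimpleName());
            }
            return Optional.of(jwt);
        }
        if (nonceClaimValidator.validate(claims, clientConfiguration, openIdProviderMetadata, nonce)) {
            return Optional.of(jwt);
        }
        if (LOG.isErrorEnabled()) {
            // Deliberately do NOT dump every claim value: an ID token's claim set can carry
            // personal data (sub, email, name, ...) that does not belong in error logs.
            // The expected nonce, the token's nonce claim and the claim *names* are enough to diagnose a mismatch.
            LOG.error("Nonce {} validation failed for provider [{}]; token nonce claim {}, claims present {}",
                    nonce,
                    clientConfiguration.getName(),
                    claims.getClaims().get("nonce"),
                    claims.getClaims().keySet());
        }
    } catch (ParseException e) {
        if (LOG.isErrorEnabled()) {
            LOG.error("Failed to parse the JWT returned from provider [{}]", clientConfiguration.getName(), e);
        }
    }
    return Optional.empty();
}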
