use of org.apache.cxf.rs.security.jose.jwt.JwtClaims in project cxf by apache.
the class JwsCompactReaderWriterTest method doTestWriteJwsWithJwkSignedByMac.
/**
 * Builds a JWT whose JWS header carries the given JSON Web Key, signs it with the
 * shared HMAC key and compares the compact serialization against the expected fixture.
 *
 * @param jsonWebKey the value stored under the {@code jwk} header
 * @throws Exception propagated from the JOSE producer or writer
 */
private void doTestWriteJwsWithJwkSignedByMac(Object jsonWebKey) throws Exception {
    // The payload does not depend on the header, so it is assembled first.
    JwtClaims payload = new JwtClaims();
    payload.setIssuer("joe");
    payload.setExpiryTime(1300819380L);
    payload.setClaim("http://example.com/is_root", Boolean.TRUE);

    JwsHeaders joseHeaders = new JwsHeaders();
    joseHeaders.setType(JoseType.JWT);
    joseHeaders.setSignatureAlgorithm(SignatureAlgorithm.HS256);
    joseHeaders.setHeader(JoseConstants.HEADER_JSON_WEB_KEY, jsonWebKey);

    JwsCompactProducer producer =
        new JwsJwtCompactProducer(new JwtToken(joseHeaders, payload), getWriter());
    // HS256 with the fixture key: the expected output is a fixed string.
    producer.signWith(new HmacJwsSignatureProvider(ENCODED_MAC_KEY, SignatureAlgorithm.HS256));
    assertEquals(ENCODED_TOKEN_WITH_JSON_KEY_SIGNED_BY_MAC, producer.getSignedEncodedJws());
}
use of org.apache.cxf.rs.security.jose.jwt.JwtClaims in project cxf by apache.
the class JwtRequestCodeFilter method process.
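/**
 * Resolves an OAuth2 {@code request} / {@code request_uri} JWT for the given client and,
 * when one is present, verifies it and returns a copy of the request parameters with the
 * JWT claims applied on top. Without a request token the parameters are returned untouched.
 *
 * @param params the incoming authorization request parameters
 * @param endUser the authenticated end user; not read by this method
 * @param client the client the request is made on behalf of; its secret and id are used to
 *        decrypt and validate the token
 * @return {@code params} itself when no request token was found, otherwise a new map holding
 *         the original parameters overridden by the token's claims
 * @throws SecurityException if the issuer, client_id or response_type claims do not match
 *         what is expected for this client and request
 */
@Override
public MultivaluedMap<String, String> process(MultivaluedMap<String, String> params, UserSubject endUser, Client client) {
    String requestToken = resolveRequestToken(params, client);
    if (requestToken == null) {
        return params;
    }
    JweDecryptionProvider theDecryptor = super.getInitializedDecryptionProvider(client.getClientSecret());
    JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier(client);
    JwtToken jwt = getJwtToken(requestToken, theDecryptor, theSigVerifier);
    JwtClaims claims = jwt.getClaims();
    checkClaimsAgainstRequest(claims, params, client);
    return mergeClaimsIntoParams(claims, params);
}

/**
 * Returns the inline {@code request} parameter, else the document fetched from a valid
 * {@code request_uri}, else {@code null}.
 */
private String resolveRequestToken(MultivaluedMap<String, String> params, Client client) {
    String requestToken = params.getFirst(REQUEST_PARAM);
    if (requestToken != null) {
        return requestToken;
    }
    // request_uri is dereferenced with an outbound HTTP GET; isRequestUriValid (defined
    // outside this method) is the only gate before that fetch, so it must stay in front of it.
    String requestUri = params.getFirst(REQUEST_URI_PARAM);
    if (isRequestUriValid(client, requestUri)) {
        return WebClient.create(requestUri).get(String.class);
    }
    return null;
}

/**
 * Rejects the token unless {@code iss} and, when present, the {@code client_id} and
 * {@code response_type} claims match this client and request.
 */
private void checkClaimsAgainstRequest(JwtClaims claims, MultivaluedMap<String, String> params, Client client) {
    // Expected issuer: the configured one, or the client itself when none is configured.
    String iss = issuer != null ? issuer : client.getClientId();
    if (!iss.equals(claims.getIssuer())) {
        throw new SecurityException();
    }
    // client_id - if present it must match the client_id specified in the request
    if (claims.getClaim(OAuthConstants.CLIENT_ID) != null
        && !claims.getStringProperty(OAuthConstants.CLIENT_ID).equals(client.getClientId())) {
        throw new SecurityException();
    }
    // response_type - if present it must match the response_type specified in the request
    String tokenResponseType = (String) claims.getClaim(OAuthConstants.RESPONSE_TYPE);
    if (tokenResponseType != null && !tokenResponseType.equals(params.getFirst(OAuthConstants.RESPONSE_TYPE))) {
        throw new SecurityException();
    }
}

/**
 * Copies {@code params} and overrides each entry with the same-named claim; nested maps and
 * lists are serialized as JSON strings. Null-valued claims are skipped rather than written
 * as the text "null" (the previous {@code value.toString()} threw a NullPointerException).
 */
private MultivaluedMap<String, String> mergeClaimsIntoParams(JwtClaims claims, MultivaluedMap<String, String> params) {
    MultivaluedMap<String, String> newParams = new MetadataMap<String, String>(params);
    for (Map.Entry<String, Object> entry : claims.asMap().entrySet()) {
        Object value = entry.getValue();
        if (value == null) {
            continue;
        }
        if (value instanceof Map) {
            Map<String, Object> map = CastUtils.cast((Map<?, ?>) value);
            value = jsonHandler.toJson(map);
        } else if (value instanceof List) {
            List<Object> list = CastUtils.cast((List<?>) value);
            value = jsonHandler.toJson(list);
        }
        newParams.putSingle(entry.getKey(), value.toString());
    }
    return newParams;
}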
use of org.apache.cxf.rs.security.jose.jwt.JwtClaims in project cxf by apache.
the class AbstractOAuthDataProvider method createJwtAccessToken.
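/**
 * Builds the JWT claim set that represents an issued access token.
 *
 * <p>The token key becomes the token id; client id, issued-at, expiry, subject, username,
 * issuer, scope, audience, confirmation, extra properties, grant type, grant code, code
 * verifier and nonce are copied over when the token carries them. The claim names used for
 * client id and username can be remapped through {@link #getJwtAccessTokenClaimMap()}.
 *
 * @param at the access token to represent as JWT claims
 * @return the populated claim set
 */
protected JwtClaims createJwtAccessToken(ServerAccessToken at) {
    JwtClaims claims = new JwtClaims();
    claims.setTokenId(at.getTokenKey());
    // 'client_id' or 'cid', default client_id
    String clientIdClaimName = JwtTokenUtils.getClaimName(OAuthConstants.CLIENT_ID, OAuthConstants.CLIENT_ID, getJwtAccessTokenClaimMap());
    claims.setClaim(clientIdClaimName, at.getClient().getClientId());
    claims.setIssuedAt(at.getIssuedAt());
    if (at.getExpiresIn() > 0) {
        // exp is absolute; no exp claim is written for a non-positive expiresIn
        claims.setExpiryTime(at.getIssuedAt() + at.getExpiresIn());
    }
    addSubjectClaims(claims, at.getSubject());
    if (at.getIssuer() != null) {
        claims.setIssuer(at.getIssuer());
    }
    if (!at.getScopes().isEmpty()) {
        claims.setClaim(OAuthConstants.SCOPE, OAuthUtils.convertPermissionsToScopeList(at.getScopes()));
    }
    addAudienceClaims(claims, at.getAudiences());
    addExtraPropertyClaims(claims, at.getExtraProperties());
    addGrantClaims(claims, at);
    return claims;
}

/** Adds {@code sub} (when the subject has an id) and the configurable username claim. */
private void addSubjectClaims(JwtClaims claims, UserSubject userSubject) {
    if (userSubject == null) {
        return;
    }
    if (userSubject.getId() != null) {
        claims.setSubject(userSubject.getId());
    }
    // 'username' by default to be consistent with the token introspection response
    final String usernameProp = "username";
    String usernameClaimName = JwtTokenUtils.getClaimName(usernameProp, usernameProp, getJwtAccessTokenClaimMap());
    claims.setClaim(usernameClaimName, userSubject.getLogin());
}

/** Sets {@code aud} as a single value for one audience and as a list otherwise; nothing for none. */
private void addAudienceClaims(JwtClaims claims, List<String> resourceAudiences) {
    // OAuth2 resource indicators (resource server audience)
    if (resourceAudiences.isEmpty()) {
        return;
    }
    if (resourceAudiences.size() == 1) {
        claims.setAudience(resourceAudiences.get(0));
    } else {
        claims.setAudiences(resourceAudiences);
    }
}

/**
 * Maps the x5t#S256 extra property to the confirmation claim (certificate thumbprint, as used
 * for proof-of-possession) and bundles every other extra property under
 * {@code extra_properties}, which is written whenever the extra properties are non-empty,
 * even if only the thumbprint was present.
 */
private void addExtraPropertyClaims(JwtClaims claims, Map<String, String> extraProps) {
    if (extraProps.isEmpty()) {
        return;
    }
    Map<String, String> actualExtraProps = new HashMap<String, String>();
    for (Map.Entry<String, String> entry : extraProps.entrySet()) {
        if (JoseConstants.HEADER_X509_THUMBPRINT_SHA256.equals(entry.getKey())) {
            claims.setClaim(JwtConstants.CLAIM_CONFIRMATION, Collections.singletonMap(JoseConstants.HEADER_X509_THUMBPRINT_SHA256, entry.getValue()));
        } else {
            actualExtraProps.put(entry.getKey(), entry.getValue());
        }
    }
    claims.setClaim("extra_properties", actualExtraProps);
}

/**
 * Records how the token was obtained: grant type, authorization code, code verifier and nonce.
 * NOTE(review): a signed-only JWT makes these readable by every token holder; whether the
 * serialized token is also encrypted is decided elsewhere (processJwtAccessToken).
 */
private void addGrantClaims(JwtClaims claims, ServerAccessToken at) {
    // Can be used to check at RS/etc which grant was used to get this token issued
    if (at.getGrantType() != null) {
        claims.setClaim(OAuthConstants.GRANT_TYPE, at.getGrantType());
    }
    // code flow was used
    if (at.getGrantCode() != null) {
        claims.setClaim(OAuthConstants.AUTHORIZATION_CODE_GRANT, at.getGrantCode());
    }
    // to know which client instance is using this token - might be handy at the RS/etc
    if (at.getClientCodeVerifier() != null) {
        claims.setClaim(OAuthConstants.AUTHORIZATION_CODE_VERIFIER, at.getClientCodeVerifier());
    }
    if (at.getNonce() != null) {
        claims.setClaim(OAuthConstants.NONCE, at.getNonce());
    }
}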
use of org.apache.cxf.rs.security.jose.jwt.JwtClaims in project cxf by apache.
the class AbstractOAuthDataProvider method doCreateAccessToken.
/**
 * Creates and populates a {@link ServerAccessToken} from a registration: the approved scope
 * is converted to permissions, the registration's subject, audiences, grant details, nonce,
 * response type and extra properties are copied over, a certificate thumbprint found in the
 * message context is recorded as an extra property and, when JWT access tokens are enabled,
 * the token key is replaced by the serialized JWT.
 *
 * @param atReg the registration describing the token to create
 * @return the new access token
 */
protected ServerAccessToken doCreateAccessToken(AccessTokenRegistration atReg) {
    ServerAccessToken token = createNewAccessToken(atReg.getClient(), atReg.getSubject());

    // Registration data is copied verbatim; only the approved scope needs translating.
    token.setAudiences(atReg.getAudiences());
    token.setGrantType(atReg.getGrantType());
    token.setScopes(convertScopeToPermissions(atReg.getClient(), atReg.getApprovedScope()));
    token.setSubject(atReg.getSubject());
    token.setClientCodeVerifier(atReg.getClientCodeVerifier());
    token.setNonce(atReg.getNonce());
    token.setResponseType(atReg.getResponseType());
    token.setGrantCode(atReg.getGrantCode());
    token.getExtraProperties().putAll(atReg.getExtraProperties());

    recordCertificateThumbprint(token);

    if (isUseJwtFormatForAccessTokens()) {
        // The JWT serialization becomes the token key itself.
        token.setTokenKey(processJwtAccessToken(createJwtAccessToken(token)));
    }
    return token;
}

/**
 * Copies the x5t#S256 thumbprint from the message context, if one is set, into the token's
 * extra properties. Does nothing without a message context.
 */
private void recordCertificateThumbprint(ServerAccessToken token) {
    if (messageContext == null) {
        return;
    }
    String certCnf = (String) messageContext.get(JoseConstants.HEADER_X509_THUMBPRINT_SHA256);
    if (certCnf != null) {
        // A dedicated Confirmation bean (as used for POP etc.) will likely replace this later.
        token.getExtraProperties().put(JoseConstants.HEADER_X509_THUMBPRINT_SHA256, certCnf);
    }
}
use of org.apache.cxf.rs.security.jose.jwt.JwtClaims in project cxf by apache.
the class JwsJwtCompactConsumer method getJwtToken.
/**
 * Returns the JWT carried by this JWS, parsing the decoded payload into claims on first use
 * and caching the result in {@code token}. No locking is done here; a later call simply
 * reuses whatever was stored.
 *
 * @return the token built from the JWS headers and the JSON payload
 */
public JwtToken getJwtToken() {
    if (token != null) {
        return token;
    }
    // Headers are taken from the JWS consumer; the payload is parsed as JSON into claims.
    JwsHeaders parsedHeaders = super.getJwsHeaders();
    JwtClaims parsedClaims = new JwtClaims(getReader().fromJson(getDecodedJwsPayload()));
    token = new JwtToken(parsedHeaders, parsedClaims);
    return token;
}