
Example 1 with JwtClaims

Usage of org.apache.cxf.rs.security.jose.jwt.JwtClaims in the Apache CXF project — class JwsCompactReaderWriterTest, method doTestWriteJwsWithJwkSignedByMac.

/**
 * Produces a compact-serialised JWS for the RFC 7515 Appendix A.1 example
 * payload ({@code iss=joe}, {@code exp=1300819380}, {@code http://example.com/is_root=true}),
 * signs it with HS256 under {@code ENCODED_MAC_KEY} and compares the encoded
 * result with the fixed expected string
 * {@code ENCODED_TOKEN_WITH_JSON_KEY_SIGNED_BY_MAC}.
 *
 * @param jsonWebKey value written into the {@code jwk} protected header; the
 *                   test only exercises how that header is serialised
 *                   (callers pass either a JWK object or its textual form).
 *                   NOTE(review): on the consuming side a {@code jwk} header is
 *                   sender-controlled and must never be taken as the HMAC key
 *                   for verification — here it is inert header payload.
 * @throws Exception anything thrown by the JOSE writer or signature provider
 */
private void doTestWriteJwsWithJwkSignedByMac(Object jsonWebKey) throws Exception {
    JwsHeaders protectedHeaders = new JwsHeaders();
    protectedHeaders.setType(JoseType.JWT);
    protectedHeaders.setSignatureAlgorithm(SignatureAlgorithm.HS256);
    protectedHeaders.setHeader(JoseConstants.HEADER_JSON_WEB_KEY, jsonWebKey);

    JwtClaims payload = new JwtClaims();
    payload.setIssuer("joe");
    payload.setExpiryTime(1300819380L);
    payload.setClaim("http://example.com/is_root", Boolean.TRUE);

    JwtToken unsignedToken = new JwtToken(protectedHeaders, payload);
    JwsCompactProducer producer = new JwsJwtCompactProducer(unsignedToken, getWriter());
    HmacJwsSignatureProvider hmacSigner =
        new HmacJwsSignatureProvider(ENCODED_MAC_KEY, SignatureAlgorithm.HS256);
    producer.signWith(hmacSigner);

    // The fixture pins header+payload+signature bytes, so any change in header
    // serialisation or key handling shows up here.
    assertEquals(ENCODED_TOKEN_WITH_JSON_KEY_SIGNED_BY_MAC, producer.getSignedEncodedJws());
}

Example 2 with JwtClaims

Usage of org.apache.cxf.rs.security.jose.jwt.JwtClaims in the Apache CXF project — class JwtRequestCodeFilter, method process.

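/**
 * Resolves an OAuth2 "request object" and merges its claims into the
 * authorization request parameters.
 *
 * <p>The request object is read from the {@code request} parameter or, when
 * that is absent, downloaded from the client-supplied {@code request_uri}
 * (only if {@link #isRequestUriValid} accepts it). The token is then handed to
 * {@code getJwtToken} together with a decryptor derived from the client secret
 * and the client's signature verifier, and these claim checks are applied:
 * <ul>
 *   <li>{@code iss} must equal the configured issuer, or the client id when no
 *       issuer is configured;</li>
 *   <li>{@code client_id}, if present, must equal the requesting client's id;</li>
 *   <li>{@code response_type}, if present, must be a string equal to the
 *       {@code response_type} request parameter.</li>
 * </ul>
 * Every claim (standard JWT claims included) is then copied into a copy of
 * {@code params} with {@code putSingle}, so a claim from the request object
 * overrides a query parameter of the same name; nested JSON objects and arrays
 * are re-serialised as JSON text.
 *
 * <p>NOTE(review): {@code exp}/{@code nbf} are not checked in this method —
 * confirm that {@code getJwtToken} validates expiry, otherwise an old request
 * object could be reused long after it was issued. The outbound GET to
 * {@code request_uri} is a server-side fetch of a client-chosen URL; whether
 * that is safe (no SSRF / DoS against arbitrary hosts) rests entirely on
 * {@code isRequestUriValid}, which is not visible here and should only accept
 * URIs registered for the client.
 *
 * @param params  the incoming authorization request parameters
 * @param endUser the authenticated end user (not consulted here)
 * @param client  the OAuth2 client making the request; supplies the expected
 *                issuer/client id and the decryption secret
 * @return the parameters with the request object's claims merged in, or
 *         {@code params} itself when no request object was supplied
 * @throws SecurityException if the issuer, client_id or response_type claim
 *         does not match the request
 */
@Override
public MultivaluedMap<String, String> process(MultivaluedMap<String, String> params, UserSubject endUser, Client client) {
    String requestToken = params.getFirst(REQUEST_PARAM);
    if (requestToken == null) {
        String requestUri = params.getFirst(REQUEST_URI_PARAM);
        // isRequestUriValid is the only guard on this server-side fetch.
        if (isRequestUriValid(client, requestUri)) {
            requestToken = WebClient.create(requestUri).get(String.class);
        }
    }
    if (requestToken == null) {
        // No request object at all: pass the request parameters through untouched.
        return params;
    }

    JweDecryptionProvider theDecryptor = super.getInitializedDecryptionProvider(client.getClientSecret());
    JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier(client);
    JwtToken jwt = getJwtToken(requestToken, theDecryptor, theSigVerifier);
    JwtClaims claims = jwt.getClaims();

    // Issuer: the configured one, else the client id.
    String iss = issuer != null ? issuer : client.getClientId();
    if (!iss.equals(claims.getIssuer())) {
        throw new SecurityException();
    }
    // client_id, if present, must be the client making this request.
    if (claims.getClaim(OAuthConstants.CLIENT_ID) != null
        && !claims.getStringProperty(OAuthConstants.CLIENT_ID).equals(client.getClientId())) {
        throw new SecurityException();
    }
    // response_type, if present, must be a string matching the request parameter.
    // Inspected as Object first: the claim is sender-controlled JSON, so a
    // non-string value is rejected as a SecurityException instead of escaping
    // as an unhandled ClassCastException.
    Object tokenResponseType = claims.getClaim(OAuthConstants.RESPONSE_TYPE);
    if (tokenResponseType != null
        && (!(tokenResponseType instanceof String)
            || !tokenResponseType.equals(params.getFirst(OAuthConstants.RESPONSE_TYPE)))) {
        throw new SecurityException();
    }

    MultivaluedMap<String, String> newParams = new MetadataMap<String, String>(params);
    for (Map.Entry<String, Object> entry : claims.asMap().entrySet()) {
        Object value = entry.getValue();
        if (value == null) {
            // A JSON null claim carries no value: skip it rather than NPE on toString().
            continue;
        }
        newParams.putSingle(entry.getKey(), claimValueAsString(value));
    }
    return newParams;
}

/**
 * Renders one claim value as a single request-parameter string: JSON objects
 * and arrays are re-serialised to JSON text, everything else via {@code toString()}.
 *
 * @param value a non-null claim value
 * @return the parameter string
 */
private String claimValueAsString(Object value) {
    if (value instanceof Map) {
        Map<String, Object> map = CastUtils.cast((Map<?, ?>) value);
        return jsonHandler.toJson(map);
    }
    if (value instanceof List) {
        List<Object> list = CastUtils.cast((List<?>) value);
        return jsonHandler.toJson(list);
    }
    return value.toString();
}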

Example 3 with JwtClaims

Usage of org.apache.cxf.rs.security.jose.jwt.JwtClaims in the Apache CXF project — class AbstractOAuthDataProvider, method createJwtAccessToken.

/**
 * Builds the JWT claim set that represents a server-side access token when
 * JWT-formatted access tokens are enabled.
 *
 * <p>Claims are written in this order: {@code jti} (the current token key),
 * the client id (under the claim name mapped for {@code client_id}),
 * {@code iat}, {@code exp} (only when {@code expiresIn > 0}), {@code sub} and
 * the mapped {@code username} claim (when a subject exists), {@code iss},
 * {@code scope}, {@code aud} (single string for one audience, list otherwise),
 * a {@code cnf} confirmation entry when an {@code x5t#S256} extra property is
 * present, the remaining extra properties under {@code extra_properties}, then
 * the grant type, authorization code, PKCE code verifier and nonce when set.
 *
 * <p>NOTE(review): the authorization code, code verifier and every extra
 * property are copied verbatim into the claims. If the token is only signed
 * and not encrypted downstream, all of that is readable by any holder of the
 * token (resource servers, logs, proxies); keep secrets out of extra
 * properties and confirm encryption if the code verifier must stay private.
 *
 * @param at the access token to represent; its scopes, audiences and extra
 *           properties are assumed non-null
 * @return the populated claim set (not yet signed or encrypted)
 */
protected JwtClaims createJwtAccessToken(ServerAccessToken at) {
    JwtClaims jwt = new JwtClaims();
    jwt.setTokenId(at.getTokenKey());

    // 'client_id' unless the deployment mapped it to another name (e.g. 'cid').
    String clientIdClaim = JwtTokenUtils.getClaimName(
        OAuthConstants.CLIENT_ID, OAuthConstants.CLIENT_ID, getJwtAccessTokenClaimMap());
    jwt.setClaim(clientIdClaim, at.getClient().getClientId());

    long issuedAt = at.getIssuedAt();
    jwt.setIssuedAt(issuedAt);
    long lifetimeSeconds = at.getExpiresIn();
    if (lifetimeSeconds > 0) {
        jwt.setExpiryTime(issuedAt + lifetimeSeconds);
    }

    UserSubject subject = at.getSubject();
    if (subject != null) {
        String subjectId = subject.getId();
        if (subjectId != null) {
            jwt.setSubject(subjectId);
        }
        // 'username' by default, the same field name the introspection response uses.
        String usernameClaim = JwtTokenUtils.getClaimName("username", "username", getJwtAccessTokenClaimMap());
        jwt.setClaim(usernameClaim, subject.getLogin());
    }

    String tokenIssuer = at.getIssuer();
    if (tokenIssuer != null) {
        jwt.setIssuer(tokenIssuer);
    }
    if (!at.getScopes().isEmpty()) {
        jwt.setClaim(OAuthConstants.SCOPE, OAuthUtils.convertPermissionsToScopeList(at.getScopes()));
    }

    // Resource indicators become the audience: scalar for one, list for several.
    List<String> audiences = at.getAudiences();
    if (!audiences.isEmpty()) {
        if (audiences.size() == 1) {
            jwt.setAudience(audiences.get(0));
        } else {
            jwt.setAudiences(audiences);
        }
    }

    Map<String, String> extraProps = at.getExtraProperties();
    if (!extraProps.isEmpty()) {
        Map<String, String> passthrough = new HashMap<String, String>();
        for (Map.Entry<String, String> entry : extraProps.entrySet()) {
            String key = entry.getKey();
            if (JoseConstants.HEADER_X509_THUMBPRINT_SHA256.equals(key)) {
                // Certificate thumbprint binds the token to the client cert (cnf claim).
                jwt.setClaim(JwtConstants.CLAIM_CONFIRMATION,
                             Collections.singletonMap(JoseConstants.HEADER_X509_THUMBPRINT_SHA256, entry.getValue()));
            } else {
                passthrough.put(key, entry.getValue());
            }
        }
        jwt.setClaim("extra_properties", passthrough);
    }

    // Lets a resource server see which grant produced the token.
    String grantType = at.getGrantType();
    if (grantType != null) {
        jwt.setClaim(OAuthConstants.GRANT_TYPE, grantType);
    }
    // Present only for the authorization-code flow.
    String grantCode = at.getGrantCode();
    if (grantCode != null) {
        jwt.setClaim(OAuthConstants.AUTHORIZATION_CODE_GRANT, grantCode);
    }
    // Identifies the client instance that redeemed the code.
    String codeVerifier = at.getClientCodeVerifier();
    if (codeVerifier != null) {
        jwt.setClaim(OAuthConstants.AUTHORIZATION_CODE_VERIFIER, codeVerifier);
    }
    String nonce = at.getNonce();
    if (nonce != null) {
        jwt.setClaim(OAuthConstants.NONCE, nonce);
    }
    return jwt;
}

Example 4 with JwtClaims

Usage of org.apache.cxf.rs.security.jose.jwt.JwtClaims in the Apache CXF project — class AbstractOAuthDataProvider, method doCreateAccessToken.

/**
 * Creates a server-side access token from an approved registration.
 *
 * <p>Copies audiences, grant type, approved scopes (converted to permissions),
 * subject, PKCE code verifier, nonce, response type, grant code and extra
 * properties from {@code atReg} onto a fresh token. If the message context
 * carries an {@code x5t#S256} thumbprint it is stored as an extra property so
 * that the JWT form can emit a {@code cnf} claim. When JWT-formatted access
 * tokens are enabled, the claims are built from the token and the resulting
 * JOSE string replaces the opaque token key — note the {@code jti} claim is
 * taken from the original key before that replacement.
 *
 * @param atReg the registration describing client, subject and approved scope
 * @return the populated token (JWT-formatted when configured so)
 */
protected ServerAccessToken doCreateAccessToken(AccessTokenRegistration atReg) {
    ServerAccessToken accessToken = createNewAccessToken(atReg.getClient(), atReg.getSubject());

    accessToken.setAudiences(atReg.getAudiences());
    accessToken.setGrantType(atReg.getGrantType());
    List<String> approvedScopes = atReg.getApprovedScope();
    List<OAuthPermission> permissions = convertScopeToPermissions(atReg.getClient(), approvedScopes);
    accessToken.setScopes(permissions);
    accessToken.setSubject(atReg.getSubject());
    accessToken.setClientCodeVerifier(atReg.getClientCodeVerifier());
    accessToken.setNonce(atReg.getNonce());
    accessToken.setResponseType(atReg.getResponseType());
    accessToken.setGrantCode(atReg.getGrantCode());
    accessToken.getExtraProperties().putAll(atReg.getExtraProperties());

    if (messageContext != null) {
        // Thumbprint of the presenting certificate, if the transport layer recorded one;
        // kept as an extra property until a dedicated confirmation bean exists.
        Object thumbprint = messageContext.get(JoseConstants.HEADER_X509_THUMBPRINT_SHA256);
        if (thumbprint != null) {
            accessToken.getExtraProperties().put(JoseConstants.HEADER_X509_THUMBPRINT_SHA256, (String) thumbprint);
        }
    }

    if (isUseJwtFormatForAccessTokens()) {
        JwtClaims claims = createJwtAccessToken(accessToken);
        String joseToken = processJwtAccessToken(claims);
        accessToken.setTokenKey(joseToken);
    }
    return accessToken;
}

Example 5 with JwtClaims

Usage of org.apache.cxf.rs.security.jose.jwt.JwtClaims in the Apache CXF project — class JwsJwtCompactConsumer, method getJwtToken.

/**
 * Returns the JWT carried by this compact JWS, parsing the decoded payload
 * into a {@link JwtClaims} on first use and caching the result in {@code token}.
 *
 * <p>Nothing here verifies the signature: the claims are only as trustworthy
 * as the signature check the caller performs on this consumer. No locking is
 * done either, so concurrent first calls may each parse and assign.
 *
 * @return the token built from the JWS headers and the parsed payload
 */
public JwtToken getJwtToken() {
    JwtToken cached = token;
    if (cached != null) {
        return cached;
    }
    JwtClaims parsedClaims = new JwtClaims(getReader().fromJson(getDecodedJwsPayload()));
    cached = new JwtToken(super.getJwsHeaders(), parsedClaims);
    token = cached;
    return cached;
}
