
Example 6 with JwtToken

use of org.apache.cxf.rs.security.jose.jwt.JwtToken in project cxf by apache.

From class JwtRequestCodeFilter, method process.

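@Override
public MultivaluedMap<String, String> process(MultivaluedMap<String, String> params, UserSubject endUser, Client client) {
    // Resolve the request object: either passed by value in the "request" parameter,
    // or fetched by reference from a "request_uri" the client is allowed to use.
    String requestToken = params.getFirst(REQUEST_PARAM);
    if (requestToken == null) {
        String requestUri = params.getFirst(REQUEST_URI_PARAM);
        // isRequestUriValid (defined outside this block) is the only gate on the outbound fetch;
        // it must reject URIs the client has not pre-registered before any server-side GET is made.
        if (isRequestUriValid(client, requestUri)) {
            requestToken = WebClient.create(requestUri).get(String.class);
        }
    }
    if (requestToken == null) {
        // No request object available: the authorization parameters are used as supplied.
        return params;
    }
    JweDecryptionProvider theDecryptor = super.getInitializedDecryptionProvider(client.getClientSecret());
    JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier(client);
    // getJwtToken presumably decrypts/verifies the token with the providers above before
    // returning it; the claim checks below rely on that — confirm in the superclass.
    JwtToken jwt = getJwtToken(requestToken, theDecryptor, theSigVerifier);
    JwtClaims claims = jwt.getClaims();
    // Check issuer: the configured issuer, or the client itself when none is configured
    String iss = issuer != null ? issuer : client.getClientId();
    if (!iss.equals(claims.getIssuer())) {
        throw new SecurityException("Request object issuer does not match the expected issuer");
    }
    // Check client_id - if present it must match the client_id specified in the request
    if (claims.getClaim(OAuthConstants.CLIENT_ID) != null
        && !claims.getStringProperty(OAuthConstants.CLIENT_ID).equals(client.getClientId())) {
        throw new SecurityException("Request object client_id does not match the requesting client");
    }
    // Check response_type - if present it must match the response_type specified in the request
    String tokenResponseType = (String) claims.getClaim(OAuthConstants.RESPONSE_TYPE);
    if (tokenResponseType != null && !tokenResponseType.equals(params.getFirst(OAuthConstants.RESPONSE_TYPE))) {
        throw new SecurityException("Request object response_type does not match the request");
    }
    // Claims from the (verified) request object override the plain request parameters;
    // nested structures are carried as their JSON serialization.
    MultivaluedMap<String, String> newParams = new MetadataMap<String, String>(params);
    Map<String, Object> claimsMap = claims.asMap();
    for (Map.Entry<String, Object> entry : claimsMap.entrySet()) {
        String key = entry.getKey();
        Object value = entry.getValue();
        if (value == null) {
            // A null-valued claim cannot be represented as a request parameter; skip it
            // instead of failing with a NullPointerException on toString() below.
            continue;
        }
        if (value instanceof Map) {
            Map<String, Object> map = CastUtils.cast((Map<?, ?>) value);
            value = jsonHandler.toJson(map);
        } else if (value instanceof List) {
            List<Object> list = CastUtils.cast((List<?>) value);
            value = jsonHandler.toJson(list);
        }
        newParams.putSingle(key, value.toString());
    }
    return newParams;
}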
Also used : JwtClaims(org.apache.cxf.rs.security.jose.jwt.JwtClaims) JwsSignatureVerifier(org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier) JwtToken(org.apache.cxf.rs.security.jose.jwt.JwtToken) MetadataMap(org.apache.cxf.jaxrs.impl.MetadataMap) JweDecryptionProvider(org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider) List(java.util.List) MetadataMap(org.apache.cxf.jaxrs.impl.MetadataMap) MultivaluedMap(javax.ws.rs.core.MultivaluedMap) Map(java.util.Map)

Example 7 with JwtToken

use of org.apache.cxf.rs.security.jose.jwt.JwtToken in project cxf by apache.

From class JwtBearerGrantHandler, method createAccessToken.

@Override
public ServerAccessToken createAccessToken(Client client, MultivaluedMap<String, String> params) throws OAuthServiceException {
    // The grant must carry the JWT assertion; without it there is nothing to validate.
    String assertion = params.getFirst(Constants.CLIENT_GRANT_ASSERTION_PARAM);
    if (assertion == null) {
        throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
    }
    try {
        JwsJwtCompactConsumer consumer = getJwsReader(assertion);
        JwtToken token = consumer.getJwtToken();
        // The signature is checked over the exact encoded sequence that was signed, and
        // before any claim is consulted, so nothing in the assertion is trusted unauthenticated.
        JwsHeaders headers = new JwsHeaders(token.getJwsHeaders());
        validateSignature(headers, consumer.getUnsignedEncodedSequence(), consumer.getDecodedSignature());
        validateClaims(client, token.getClaims());
        // The token's subject becomes the resource owner the access token is issued for.
        UserSubject subject = new UserSubject(token.getClaims().getSubject());
        return doCreateAccessToken(client, subject, Constants.JWT_BEARER_GRANT,
            OAuthUtils.parseScope(params.getFirst(OAuthConstants.SCOPE)));
    } catch (OAuthServiceException ex) {
        // Already the caller-facing type; propagate unchanged.
        throw ex;
    } catch (Exception ex) {
        // Any parse or validation failure is reported as an invalid grant, keeping the cause.
        throw new OAuthServiceException(OAuthConstants.INVALID_GRANT, ex);
    }
}
Also used : JwtToken(org.apache.cxf.rs.security.jose.jwt.JwtToken) JwsHeaders(org.apache.cxf.rs.security.jose.jws.JwsHeaders) UserSubject(org.apache.cxf.rs.security.oauth2.common.UserSubject) OAuthServiceException(org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException) JwsJwtCompactConsumer(org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer) OAuthServiceException(org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException)

Example 8 with JwtToken

use of org.apache.cxf.rs.security.jose.jwt.JwtToken in project cxf by apache.

From class OidcImplicitService, method processIdToken.

protected String processIdToken(OAuthRedirectionState state, IdToken idToken) {
    // Use the configured handler when there is one, otherwise a default producer.
    OAuthJoseJwtProducer processor = idTokenHandler != null ? idTokenHandler : new OAuthJoseJwtProducer();
    Object codeValue = JAXRSUtils.getCurrentMessage().getExchange().get(OAuthConstants.AUTHORIZATION_CODE_VALUE);
    String code = (String) codeValue;
    if (code != null) {
        // An authorization code on the exchange means this service is invoked as part of the
        // hybrid flow: the id_token must carry c_hash, computed with the same signature
        // algorithm that will be used to sign the token.
        Properties props = JwsUtils.loadSignatureOutProperties(false);
        SignatureAlgorithm sigAlgo = processor.isSignWithClientSecret()
            ? OAuthUtils.getClientSecretSignatureAlgorithm(props)
            : JwsUtils.getSignatureAlgorithm(props, SignatureAlgorithm.RS256);
        idToken.setAuthorizationCodeHash(OidcUtils.calculateAuthorizationCodeHash(code, sigAlgo));
    }
    // Echo the nonce from the authorization request so the client can bind this id_token to it.
    idToken.setNonce(state.getNonce());
    return processor.processJwt(new JwtToken(idToken));
}
Also used : JwtToken(org.apache.cxf.rs.security.jose.jwt.JwtToken) OAuthJoseJwtProducer(org.apache.cxf.rs.security.oauth2.provider.OAuthJoseJwtProducer) SignatureAlgorithm(org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm) Properties(java.util.Properties)

Example 9 with JwtToken

use of org.apache.cxf.rs.security.jose.jwt.JwtToken in project cxf by apache.

From class UserInfoService, method getUserInfo.

@GET
@Produces({ "application/json", "application/jwt" })
public Response getUserInfo() {
    OAuthContext oauth = OAuthContextUtils.getContext(mc);
    UserInfo userInfo = null;
    if (userInfoProvider != null) {
        // A configured provider takes precedence and is handed the client, subject and granted scopes.
        userInfo = userInfoProvider.getUserInfo(oauth.getClientId(), oauth.getSubject(),
            OAuthUtils.convertPermissionsToScopeList(oauth.getPermissions()));
    } else if (oauth.getSubject() instanceof OidcUserSubject) {
        // Fall back to the UserInfo attached to the OIDC subject, deriving it from the id_token if absent.
        OidcUserSubject oidcSubject = (OidcUserSubject) oauth.getSubject();
        userInfo = oidcSubject.getUserInfo();
        if (userInfo == null) {
            userInfo = createFromIdToken(oidcSubject.getIdToken());
        }
    }
    if (userInfo == null) {
        // Consider customizing the error code in case of UserInfo being not available
        return Response.serverError().build();
    }
    // UserInfo may be returned in a clear form as JSON, or as a signed/encrypted JWT when required.
    boolean jwtResponse = super.isJwsRequired() || super.isJweRequired();
    Object responseEntity;
    if (jwtResponse) {
        // NOTE(review): client stays null without a data provider; confirm processJwt tolerates that.
        Client client = oauthDataProvider != null ? oauthDataProvider.getClient(oauth.getClientId()) : null;
        responseEntity = super.processJwt(new JwtToken(userInfo), client);
    } else {
        responseEntity = convertUserInfoToResponseEntity(userInfo);
    }
    return Response.ok(responseEntity).build();
}
Also used : JwtToken(org.apache.cxf.rs.security.jose.jwt.JwtToken) OAuthContext(org.apache.cxf.rs.security.oauth2.common.OAuthContext) UserInfo(org.apache.cxf.rs.security.oidc.common.UserInfo) Client(org.apache.cxf.rs.security.oauth2.common.Client) Produces(javax.ws.rs.Produces) GET(javax.ws.rs.GET)

Example 10 with JwtToken

use of org.apache.cxf.rs.security.jose.jwt.JwtToken in project cxf by apache.

From class IdTokenReader, method getIdJwtToken.

public JwtToken getIdJwtToken(ClientAccessToken at, String code, Consumer client) {
    // The id_token travels as an extra parameter of the token response. NOTE(review): if it is
    // absent, null reaches the String overload of getIdJwtToken — confirm that overload rejects it.
    JwtToken jwt = getIdJwtToken(at.getParameters().get(OidcUtils.ID_TOKEN), client);
    // Bind the id_token to the access token (at_hash) and to the authorization code (c_hash);
    // presumably each check is enforced or skipped according to the matching require* flag.
    OidcUtils.validateAccessTokenHash(at, jwt, requireAtHash);
    OidcUtils.validateCodeHash(code, jwt, requireCodeHash);
    return jwt;
}
Also used : JwtToken(org.apache.cxf.rs.security.jose.jwt.JwtToken)
