
Example 1 with OAuthBearerToken

use of org.apache.kafka.common.security.oauthbearer.OAuthBearerToken in project kafka by apache.

Class ValidatorAccessTokenValidator, method validate.

/**
 * Accepts an OAuth JWT access token in base-64 encoded format, hands it to the configured
 * {@code jwtConsumer} (which parses and validates it), extracts the claims Kafka needs and
 * wraps them in an {@link OAuthBearerToken}.
 *
 * <p>Claims read: the scope claim ({@code scopeClaimName}, accepted either as a single
 * string or as a collection of strings), {@code exp}, the subject claim
 * ({@code subClaimName}) and {@code iat}. Each value is passed through
 * {@link ClaimValidationUtils} before the token is built.
 *
 * @param accessToken Non-<code>null</code> JWT access token
 * @return {@link OAuthBearerToken} built from the validated claims
 * @throws ValidateException Thrown on errors performing validation of given token
 */
@SuppressWarnings("unchecked")
public OAuthBearerToken validate(String accessToken) throws ValidateException {
    SerializedJwt serializedJwt = new SerializedJwt(accessToken);
    JwtContext jwtContext;
    try {
        jwtContext = jwtConsumer.process(serializedJwt.getToken());
    } catch (InvalidJwtException e) {
        // Surface the consumer's reason in the message but keep the original exception as the cause.
        throw new ValidateException(String.format("Could not validate the access token: %s", e.getMessage()), e);
    }
    JwtClaims jwtClaims = jwtContext.getJwtClaims();

    // The scope claim may arrive as a single string or as a collection; normalise to a collection.
    Object rawScope = getClaim(() -> jwtClaims.getClaimValue(scopeClaimName), scopeClaimName);
    Collection<String> scopeValues;
    if (rawScope instanceof String) {
        scopeValues = Collections.singletonList((String) rawScope);
    } else if (rawScope instanceof Collection) {
        // Unchecked cast: because of erasure, non-String elements are not caught here.
        // NOTE(review): relies on ClaimValidationUtils.validateScopes to reject unusable
        // element values — confirm.
        scopeValues = (Collection<String>) rawScope;
    } else {
        scopeValues = Collections.emptySet();
    }

    NumericDate rawExpiration = getClaim(jwtClaims::getExpirationTime, ReservedClaimNames.EXPIRATION_TIME);
    String rawSubject = getClaim(() -> jwtClaims.getStringClaimValue(subClaimName), subClaimName);
    NumericDate rawIssuedAt = getClaim(jwtClaims::getIssuedAt, ReservedClaimNames.ISSUED_AT);

    Set<String> scopes = ClaimValidationUtils.validateScopes(scopeClaimName, scopeValues);

    // An absent exp/iat reaches its validator as null rather than as a synthetic value.
    Long expirationMillis = rawExpiration == null ? null : rawExpiration.getValueInMillis();
    long expiration = ClaimValidationUtils.validateExpiration(ReservedClaimNames.EXPIRATION_TIME, expirationMillis);
    String sub = ClaimValidationUtils.validateSubject(subClaimName, rawSubject);
    Long issuedAtMillis = rawIssuedAt == null ? null : rawIssuedAt.getValueInMillis();
    Long issuedAt = ClaimValidationUtils.validateIssuedAt(ReservedClaimNames.ISSUED_AT, issuedAtMillis);

    return new BasicOAuthBearerToken(accessToken, scopes, expiration, sub, issuedAt);
}

Example 2 with OAuthBearerToken

use of org.apache.kafka.common.security.oauthbearer.OAuthBearerToken in project kafka by apache.

Class OAuthBearerLoginCallbackHandlerTest, method testHandleTokenCallback.

/**
 * Happy path for {@code OAuthBearerLoginCallbackHandler#handle}: a retriever that returns a
 * freshly built RSA-SHA256-signed JWT must yield an {@link OAuthBearerToken} whose value,
 * principal, lifetime and start time mirror what the builder produced.
 */
@Test
public void testHandleTokenCallback() throws Exception {
    Map<String, ?> saslConfigs = getSaslConfigs();
    AccessTokenBuilder tokenBuilder = new AccessTokenBuilder()
        .jwk(createRsaJwk())
        .alg(AlgorithmIdentifiers.RSA_USING_SHA256);
    String signedToken = tokenBuilder.build();
    // AccessTokenRetriever is used as a functional interface: hand back the canned token as-is.
    AccessTokenRetriever retriever = () -> signedToken;
    OAuthBearerLoginCallbackHandler loginHandler = createHandler(retriever, saslConfigs);
    try {
        OAuthBearerTokenCallback tokenCallback = new OAuthBearerTokenCallback();
        loginHandler.handle(new Callback[] { tokenCallback });
        assertNotNull(tokenCallback.token());
        OAuthBearerToken produced = tokenCallback.token();
        assertEquals(signedToken, produced.value());
        assertEquals(tokenBuilder.subject(), produced.principalName());
        // The builder reports seconds while the token exposes milliseconds.
        assertEquals(tokenBuilder.expirationSeconds() * 1000, produced.lifetimeMs());
        assertEquals(tokenBuilder.issuedAtSeconds() * 1000, produced.startTimeMs());
    } finally {
        // Release the handler even when an assertion above fails.
        loginHandler.close();
    }
}

Example 3 with OAuthBearerToken

use of org.apache.kafka.common.security.oauthbearer.OAuthBearerToken in project kafka by apache.

Class OAuthBearerSaslServerTest, method negotiatedProperty.

/**
 * Once the client's initial response has been evaluated, the server must expose the
 * authenticated {@link OAuthBearerToken} under the {@code "OAUTHBEARER.token"} negotiated
 * property, and the credential-lifetime property must agree with that token's
 * {@code lifetimeMs()}.
 */
@Test
public void negotiatedProperty() throws Exception {
    saslServer.evaluateResponse(clientInitialResponse(USER));
    Object negotiated = saslServer.getNegotiatedProperty("OAUTHBEARER.token");
    OAuthBearerToken authenticatedToken = (OAuthBearerToken) negotiated;
    assertNotNull(authenticatedToken);
    Object lifetimeProperty = saslServer.getNegotiatedProperty(SaslInternalConfigs.CREDENTIAL_LIFETIME_MS_SASL_NEGOTIATED_PROPERTY_KEY);
    assertEquals(authenticatedToken.lifetimeMs(), lifetimeProperty);
}

Example 4 with OAuthBearerToken

use of org.apache.kafka.common.security.oauthbearer.OAuthBearerToken in project kafka by apache.

Class BasicOAuthBearerTokenTest, method negativeLifetime.

/**
 * {@link BasicOAuthBearerToken} stores whatever lifetime it is given: a negative value
 * ({@code -1L}) is neither rejected nor clamped, and every accessor reflects the constructor
 * arguments verbatim. Callers therefore cannot rely on the constructor to range-check it.
 */
@Test
public void negativeLifetime() {
    String rawValue = "not.valid.token";
    String principal = "jdoe";
    OAuthBearerToken negativeToken = new BasicOAuthBearerToken(rawValue, Collections.emptySet(), -1L, principal, 0L);
    assertEquals(rawValue, negativeToken.value());
    assertTrue(negativeToken.scope().isEmpty());
    assertEquals(-1L, negativeToken.lifetimeMs());
    assertEquals(principal, negativeToken.principalName());
    assertEquals(0L, negativeToken.startTimeMs());
}

Example 5 with OAuthBearerToken

use of org.apache.kafka.common.security.oauthbearer.OAuthBearerToken in project kafka by apache.

Class BasicOAuthBearerTokenTest, method basic.

/**
 * Baseline accessor check for {@link BasicOAuthBearerToken}: with an empty scope set and a
 * zero lifetime/start time, every getter returns exactly the constructor argument it was
 * built from.
 */
@Test
public void basic() {
    String rawValue = "not.valid.token";
    String principal = "jdoe";
    OAuthBearerToken zeroLifetimeToken = new BasicOAuthBearerToken(rawValue, Collections.emptySet(), 0L, principal, 0L);
    assertEquals(rawValue, zeroLifetimeToken.value());
    assertTrue(zeroLifetimeToken.scope().isEmpty());
    assertEquals(0L, zeroLifetimeToken.lifetimeMs());
    assertEquals(principal, zeroLifetimeToken.principalName());
    assertEquals(0L, zeroLifetimeToken.startTimeMs());
}
