Use of org.apereo.cas.oidc.jwks.OidcJsonWebKeyCacheKey in project cas by apereo.
The class BaseOidcJsonWebKeyTokenSigningAndEncryptionService, method getJsonWebKeySigningKey.
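/**
 * Resolves the signing key for the current issuer from the default JSON web keystore cache.
 *
 * @return the first public JSON web key of the issuer's signing key set
 * @throws IllegalArgumentException if no key set is cached for the issuer, or the cached
 *                                  key set holds no keys (previously an
 *                                  {@link IndexOutOfBoundsException} escaped from {@code get(0)})
 */
@Override
protected PublicJsonWebKey getJsonWebKeySigningKey() {
    val iss = issuerService.determineIssuer(Optional.empty());
    LOGGER.trace("Using issuer [{}] to locate JWK signing key", iss);
    val jwks = defaultJsonWebKeystoreCache.get(new OidcJsonWebKeyCacheKey(iss, OidcJsonWebKeyUsage.SIGNING));
    if (Objects.requireNonNull(jwks).isEmpty()) {
        throw new IllegalArgumentException("No signing key could be found for issuer " + iss);
    }
    val keys = jwks.get().getJsonWebKeys();
    if (keys.isEmpty()) {
        // An empty key set is a misconfiguration, not a lookup miss; fail with the same exception type as above.
        throw new IllegalArgumentException("JSON web key set for issuer " + iss + " contains no signing keys");
    }
    // NOTE(review): the first key is used as-is; no lifecycle-state (current/previous/future) filtering is
    // applied here, unlike the encryption-key lookup in this class — confirm that is intended.
    return (PublicJsonWebKey) keys.get(0);
}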
Use of org.apereo.cas.oidc.jwks.OidcJsonWebKeyCacheKey in project cas by apereo.
The class OidcRegisteredServiceJwtAccessTokenCipherExecutor, method getEncryptionKey.
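/**
 * Resolves the JSON web key set used to encrypt JWT access tokens for the given service.
 * A key defined directly on the service (resolved by the parent class) takes precedence;
 * otherwise, for OIDC services, the service's cached key set is serialized to JSON.
 *
 * @param registeredService the service whose encryption key is requested
 * @return the key set as JSON, or empty if encryption is disabled for the service,
 *         the service is not an OIDC service, or no usable key is available
 */
@Override
public Optional<String> getEncryptionKey(final RegisteredService registeredService) {
    if (!isEncryptionEnabledForRegisteredService(registeredService)) {
        return Optional.empty();
    }
    val svc = (OAuthRegisteredService) registeredService;
    val result = super.getEncryptionKey(registeredService);
    if (result.isPresent()) {
        return result;
    }
    if (svc instanceof OidcRegisteredService) {
        val jwks = Objects.requireNonNull(serviceJsonWebKeystoreCache.get(new OidcJsonWebKeyCacheKey(svc, OidcJsonWebKeyUsage.ENCRYPTION)));
        if (jwks.isEmpty()) {
            LOGGER.warn("Service [{}] with client id [{}] is configured to encrypt tokens, yet no JSON web key is available",
                svc.getServiceId(), svc.getClientId());
            return Optional.empty();
        }
        val jsonWebKey = jwks.get();
        LOGGER.debug("Found JSON web key to encrypt the token: [{}]", jsonWebKey);
        // Entries without key material cannot encrypt anything; drop them before serializing.
        val keys = jsonWebKey.getJsonWebKeys().stream().filter(key -> key.getKey() != null).collect(Collectors.toList());
        if (keys.isEmpty()) {
            // Message previously said "sign"; this path resolves encryption keys.
            LOGGER.warn("No valid JSON web keys used to encrypt the token can be found for service [{}]", svc.getServiceId());
            return Optional.empty();
        }
        // NOTE(review): toJson() with no output-control argument is expected to omit private key
        // material of asymmetric keys — confirm against the jose4j version in use.
        return Optional.of(new JsonWebKeySet(keys).toJson());
    }
    return result;
}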
Use of org.apereo.cas.oidc.jwks.OidcJsonWebKeyCacheKey in project cas by apereo.
The class OidcRegisteredServiceJwtAccessTokenCipherExecutor, method getSigningKey.
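/**
 * Resolves the JSON web key set used to sign JWT access tokens for the given service.
 * A key defined directly on the service (resolved by the parent class) takes precedence;
 * otherwise, for OIDC services, the issuer-level signing key set from the default keystore
 * cache is serialized to JSON including private key material, since signing requires it.
 *
 * @param registeredService the service whose signing key is requested
 * @return the key set as JSON, or empty if signing is disabled for the service,
 *         the service is not an OIDC service, or no signing key is cached for the issuer
 */
@Override
public Optional<String> getSigningKey(final RegisteredService registeredService) {
    if (!isSigningEnabledForRegisteredService(registeredService)) {
        return Optional.empty();
    }
    val result = super.getSigningKey(registeredService);
    if (result.isPresent()) {
        return result;
    }
    if (!(registeredService instanceof OidcRegisteredService)) {
        // Mirror getEncryptionKey: a non-OIDC service falls back to the parent's (empty) result
        // instead of failing with a ClassCastException from an unconditional cast.
        LOGGER.debug("Service [{}] is not an OIDC service; no issuer-level signing key is resolved", registeredService);
        return result;
    }
    val oidcRegisteredService = (OidcRegisteredService) registeredService;
    val issuer = oidcIssuerService.determineIssuer(Optional.of(oidcRegisteredService));
    LOGGER.trace("Using issuer [{}] to determine JWKS from default keystore cache", issuer);
    val jwks = Objects.requireNonNull(defaultJsonWebKeystoreCache.get(new OidcJsonWebKeyCacheKey(issuer, OidcJsonWebKeyUsage.SIGNING)));
    if (jwks.isEmpty()) {
        LOGGER.warn("No signing key could be found for issuer [{}]", issuer);
        return Optional.empty();
    }
    // The whole key set, private parts included, is handed to the signer; it must not be exposed to clients.
    return Optional.of(jwks.get().toJson(JsonWebKey.OutputControlLevel.INCLUDE_PRIVATE));
}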
Use of org.apereo.cas.oidc.jwks.OidcJsonWebKeyCacheKey in project cas by apereo.
The class OidcRegisteredServiceJwtAccessTokenCipherExecutor, method getEncryptionKeyForDecryption.
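/**
 * Resolves the private key used to decrypt tokens that were encrypted for the given service.
 *
 * @param registeredService the service whose decryption key is requested; cast to
 *                          {@link OAuthRegisteredService} as in the original code
 * @return the private key of the first key in the service's cached encryption key set, or
 *         {@code null} if the service is not an OIDC service, no key set is cached, the key
 *         set is empty, or the first key carries no private key material
 */
private Key getEncryptionKeyForDecryption(final RegisteredService registeredService) {
    val svc = (OAuthRegisteredService) registeredService;
    if (!(svc instanceof OidcRegisteredService)) {
        return null;
    }
    val jwks = Objects.requireNonNull(this.serviceJsonWebKeystoreCache.get(new OidcJsonWebKeyCacheKey(svc, OidcJsonWebKeyUsage.ENCRYPTION)));
    if (jwks.isEmpty()) {
        LOGGER.warn("Service [{}] with client id [{}] is configured to encrypt tokens, yet no JSON web key is available",
            svc.getServiceId(), svc.getClientId());
        return null;
    }
    val keys = jwks.get().getJsonWebKeys();
    if (keys.isEmpty()) {
        // Guard get(0): an empty key set previously surfaced as an IndexOutOfBoundsException.
        LOGGER.warn("JSON web key set for service [{}] contains no keys; the token cannot be decrypted", svc.getServiceId());
        return null;
    }
    val jsonWebKey = (PublicJsonWebKey) keys.get(0);
    LOGGER.debug("Found JSON web key to decrypt the token: [{}]", jsonWebKey);
    val privateKey = jsonWebKey.getPrivateKey();
    if (privateKey == null) {
        // Message previously said "sign"; this path needs the private half for decryption.
        LOGGER.warn("JSON web key used to decrypt the token has no associated private key");
        return null;
    }
    return privateKey;
}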
Use of org.apereo.cas.oidc.jwks.OidcJsonWebKeyCacheKey in project cas by apereo.
The class BaseOidcJsonWebKeyTokenSigningAndEncryptionService, method getJsonWebKeyForEncryption.
/**
 * Locates the JSON web key the given service should use for token encryption.
 * The service's cached key set is consulted; among the keys whose lifecycle state is
 * current, the one with the lowest key id is chosen.
 *
 * @param svc the registered service configured to encrypt tokens
 * @return the public JSON web key selected for encryption
 * @throws IllegalArgumentException if no key set is cached for the service, or none of its keys is current
 * @throws NullPointerException     if the selected key carries no public key material
 */
protected PublicJsonWebKey getJsonWebKeyForEncryption(final OAuthRegisteredService svc) {
    LOGGER.debug("Service [{}] is set to encrypt tokens", svc);
    val cacheKey = new OidcJsonWebKeyCacheKey(svc, OidcJsonWebKeyUsage.ENCRYPTION);
    val cachedKeySet = Objects.requireNonNull(serviceJsonWebKeystoreCache.get(cacheKey));
    if (cachedKeySet.isEmpty()) {
        throw new IllegalArgumentException("Service " + svc.getServiceId() + " with client id " + svc.getClientId() + " is configured to encrypt tokens, yet no JSON web key is available to handle encryption");
    }
    final Comparator<JsonWebKey> byKeyId = Comparator.comparing(JsonWebKey::getKeyId);
    val selected = cachedKeySet.get().getJsonWebKeys()
        .stream()
        .filter(key -> OidcJsonWebKeystoreRotationService.JsonWebKeyLifecycleStates.getJsonWebKeyState(key).isCurrent())
        .min(byKeyId)
        .orElseThrow(() -> new IllegalArgumentException("Unable to locate JSON web key for encryption that is marked as current"));
    LOGGER.debug("Found JSON web key to encrypt the token: [{}]", selected);
    // A key without public material cannot encrypt; surface that as a NullPointerException with a clear message.
    Objects.requireNonNull(selected.getKey(), "JSON web key used to encrypt the token has no associated public key");
    return (PublicJsonWebKey) selected;
}