Example 1 with OpenIdResolver

Use of org.forgerock.jaspi.modules.openid.resolvers.OpenIdResolver in project OpenAM by OpenRock.

From class OpenIdResolverCacheImpl, method createResolver:

/**
 * It is possible that two callers are calling this method at once. I want to leverage the uncontested reads
 * of the ConcurrentHashMap, and I don't want to synchronize the writes to the ConcurrentHashMap above the
 * synchronization applied by the CHM in puts. The drawback of this approach is the possible redundant creation of
 * an OpenIdResolver if two concurrent calls target the currently-uncreated OpenIdResolver, but the redundant creation will
 * only occur once.
 * @see org.forgerock.openam.authentication.modules.oidc.OpenIdResolverCache
 */
@Override
public OpenIdResolver createResolver(String issuerFromJwk, String cryptoContextType, String cryptoContextValue, URL cryptoContextValueUrl) throws FailedToLoadJWKException {
    OpenIdResolver newResolver;
    if (OpenIdConnectConfig.CRYPTO_CONTEXT_TYPE_CLIENT_SECRET.equals(cryptoContextType)) {
        newResolver = openIdResolverFactory.createSharedSecretResolver(issuerFromJwk, cryptoContextValue);
    } else if (OpenIdConnectConfig.CRYPTO_CONTEXT_TYPE_CONFIG_URL.equals(cryptoContextType)) {
        newResolver = openIdResolverFactory.createFromOpenIDConfigUrl(cryptoContextValueUrl);
        // This check is only relevant in this block, as the issuer is specified in the JSON document referenced by the URL.
        if (!issuerFromJwk.equals(newResolver.getIssuer())) {
            throw new IllegalStateException("The specified issuer, " + issuerFromJwk + ", does not match the issuer, " + newResolver.getIssuer() + " referenced by the configuration url, " + cryptoContextValue);
        }
    } else if (OpenIdConnectConfig.CRYPTO_CONTEXT_TYPE_JWK_URL.equals(cryptoContextType)) {
        newResolver = openIdResolverFactory.createJWKResolver(issuerFromJwk, cryptoContextValueUrl, HttpURLConnectionManager.getReadTimeout(), HttpURLConnectionManager.getConnectTimeout());
    } else {
        /*
         * Should not enter this block, as the cryptoContextType was validated to be of the three expected types in
         * OpenIdModule.init, but all bases should be covered. This exception is not caught by the OpenIdConnect caller.
         */
        throw new IllegalArgumentException("The specified cryptoContextType, " + cryptoContextType + " was unexpected!");
    }
    OpenIdResolver oldResolver;
    if ((oldResolver = resolverMap.putIfAbsent(cryptoContextValue, newResolver)) != null) {
        return oldResolver;
    }
    return newResolver;
}
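The cache strategy the comment above describes (plain get on the hot path, construct outside any lock, let putIfAbsent decide the winner, discard the loser's copy) as a stand-alone, runnable illustration. This is an added example, not OpenAM or ForgeRock code: the Resolver class is a stand-in for OpenIdResolver, the URL string is a constructed placeholder, and the construction counter exists only to make the redundant-creation trade-off visible.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicInteger;

/** Lock-free cache in the style of createResolver: the winner of putIfAbsent is the only instance ever handed out. */
public final class PutIfAbsentCacheDemo {

    /** Stand-in for an OpenIdResolver (hypothetical); only object identity matters for the demonstration. */
    static final class Resolver {
        final String key;
        Resolver(String key) { this.key = key; }
    }

    private final ConcurrentMap<String, Resolver> map = new ConcurrentHashMap<>();
    /** Counts constructor calls so a lost race (redundant construction) is observable. */
    final AtomicInteger constructions = new AtomicInteger();

    Resolver getOrCreate(String key) {
        Resolver existing = map.get(key);   // uncontested read; the common path after warm-up
        if (existing != null) {
            return existing;
        }
        Resolver fresh = new Resolver(key); // may run in several threads at once for the same key
        constructions.incrementAndGet();
        Resolver winner = map.putIfAbsent(key, fresh);
        return winner != null ? winner : fresh; // a loser drops its copy and returns the winner's instance
    }

    public static void main(String[] args) throws InterruptedException {
        PutIfAbsentCacheDemo cache = new PutIfAbsentCacheDemo();
        int threads = 8;
        CountDownLatch start = new CountDownLatch(1); // release all workers together to provoke the race
        Resolver[] results = new Resolver[threads];
        Thread[] workers = new Thread[threads];
        for (int i = 0; i < threads; i++) {
            int idx = i;
            workers[i] = new Thread(() -> {
                try { start.await(); } catch (InterruptedException e) { return; }
                // constructed placeholder key, not a real endpoint
                results[idx] = cache.getOrCreate("https://issuer.example/.well-known/openid-configuration");
            });
            workers[i].start();
        }
        start.countDown();
        for (Thread t : workers) t.join();

        boolean allSame = true;
        for (Resolver r : results) allSame &= (r == results[0]);
        System.out.println("all callers received the same instance: " + allSame);
        System.out.println("constructions: " + cache.constructions.get()
                + " (1 means no race; more than 1 means some threads built a copy that was discarded)");
    }
}
```

Every caller ends up holding the single cached instance, which is the property the validation path depends on; the price is that a lost race repeats the construction work, which for the URL-backed resolver types means a repeated remote fetch. Where that cost matters, ConcurrentHashMap.computeIfAbsent runs the constructor once under the bin lock instead, at the expense of the uncontested-write behaviour the comment above sets out to keep.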

Example 2 with OpenIdResolver

Use of org.forgerock.jaspi.modules.openid.resolvers.OpenIdResolver in project OpenAM by OpenRock.

From class JwtHandler, method validateJwt:

/**
 * Validate the integrity of the JWT OIDC token, according to the spec
 * (http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation). Specifically check that the issuer is
 * the expected issuer, the token has not expired, the token has at least one audience claim, and, if an
 * authorized party claim ("azp") is present, that its value appears in the audience list contained within the token.
 *
 * @param jwtValue The encoded JWT string.
 * @return The validated JWT claims.
 * @throws AuthLoginException if any of the checks fails, with a bundle key identifying the failed check.
 */
public JwtClaimsSet validateJwt(String jwtValue) throws AuthLoginException {
    final SignedJwt signedJwt = getSignedJwt(jwtValue);
    JwtClaimsSet jwtClaimSet = signedJwt.getClaimsSet();
    final String jwtClaimSetIssuer = jwtClaimSet.getIssuer();
    if (!config.getConfiguredIssuer().equals(jwtClaimSetIssuer)) {
        logger.error("The issuer configured for the module, " + config.getConfiguredIssuer() + ", and the " + "issuer found in the token, " + jwtClaimSetIssuer + ", do not match. This means that the token " + "authentication was directed at the wrong module, or the targeted module is mis-configured.");
        throw new AuthLoginException(RESOURCE_BUNDLE_NAME, BUNDLE_KEY_TOKEN_ISSUER_MISMATCH, null);
    }
    // See if a resolver is present corresponding to the JWT issuer; if not, create and add one, then dispatch
    // validation to the resolver.
    OpenIdResolver resolver = openIdResolverCache.getResolverForIssuer(config.getCryptoContextValue());
    if (resolver == null) {
        if (logger.messageEnabled()) {
            if (CRYPTO_CONTEXT_TYPE_CLIENT_SECRET.equals(config.getCryptoContextType())) {
                logger.message("Creating OpenIdResolver for issuer " + jwtClaimSetIssuer + " using client secret");
            } else {
                logger.message("Creating OpenIdResolver for issuer " + jwtClaimSetIssuer + " using config url " + config.getCryptoContextValue());
            }
        }
        try {
            resolver = openIdResolverCache.createResolver(jwtClaimSetIssuer, config.getCryptoContextType(), config.getCryptoContextValue(), config.getCryptoContextUrlValue());
        } catch (IllegalStateException e) {
            logger.error("Could not create OpenIdResolver for issuer " + jwtClaimSetIssuer + " using crypto context value " + config.getCryptoContextValue() + " :" + e);
            throw new AuthLoginException(RESOURCE_BUNDLE_NAME, BUNDLE_KEY_ISSUER_MISMATCH, null);
        } catch (FailedToLoadJWKException e) {
            logger.error("Could not create OpenIdResolver for issuer " + jwtClaimSetIssuer + " using crypto context value " + config.getCryptoContextValue() + " :" + e, e);
            throw new AuthLoginException(RESOURCE_BUNDLE_NAME, BUNDLE_KEY_JWK_NOT_LOADED, null);
        }
    }
    try {
        resolver.validateIdentity(signedJwt);
        List<String> audienceClaim = jwtClaimSet.getAudience();
        if (!jwtHasAudienceClaim(jwtClaimSet)) {
            logger.error("No audience claim present in ID token.");
            throw new AuthLoginException(RESOURCE_BUNDLE_NAME, BUNDLE_KEY_NO_AUDIENCE_CLAIM, null);
        }
        if (jwtHasAuthorizedPartyClaim(jwtClaimSet)) {
            String authorizedPartyClaim = (String) jwtClaimSet.getClaim(AUTHORIZED_PARTY_CLAIM_KEY);
            if (!audienceClaim.contains(authorizedPartyClaim)) {
                logger.error("Authorized party was present in ID token, but its value was not found in the " + "audience claim.");
                throw new AuthLoginException(RESOURCE_BUNDLE_NAME, BUNDLE_KEY_AUTHORIZED_PARTY_NOT_IN_AUDIENCE, null);
            }
        }
    } catch (OpenIdConnectVerificationException oice) {
        logger.warning("Verification of ID Token failed: " + oice);
        throw new AuthLoginException(RESOURCE_BUNDLE_NAME, BUNDLE_KEY_VERIFICATION_FAILED, null);
    } catch (JwsSigningException jse) {
        logger.error("JwsSigningException", jse);
        throw new AuthLoginException(RESOURCE_BUNDLE_NAME, BUNDLE_KEY_JWS_SIGNING_EXCEPTION, null);
    }
    return jwtClaimSet;
}
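The claim-level checks the validateJwt javadoc lists (issuer match, expiry, at least one audience, azp contained in aud) as a stand-alone Java example. This is added illustration, not OpenAM or ForgeRock code: it works on a plain Map of decoded claims instead of the ForgeRock JwtClaimsSet, it assumes signature verification (resolver.validateIdentity in the method above) has already passed before it runs, and the issuer, client ids and timestamps in main are constructed placeholders. It goes slightly beyond the page's method by also accepting the single-string form of aud that RFC 7519 permits and by allowing a bounded clock skew on exp.

```java
import java.time.Instant;
import java.util.List;
import java.util.Map;

/** Claim-level checks for an OIDC ID token; the JWS signature is assumed to have been verified already. */
public final class IdTokenClaimChecks {

    /** Thrown when a check fails; the message names the failed check, as the logger calls in validateJwt do. */
    public static final class ClaimValidationException extends Exception {
        public ClaimValidationException(String message) { super(message); }
    }

    private final String expectedIssuer;
    private final long clockSkewSeconds;

    public IdTokenClaimChecks(String expectedIssuer, long clockSkewSeconds) {
        this.expectedIssuer = expectedIssuer;
        this.clockSkewSeconds = clockSkewSeconds;
    }

    /**
     * iss must equal the configured issuer, exp must not have passed (within clockSkewSeconds),
     * aud must be present and non-empty, and azp, if present, must be one of the aud values.
     *
     * @param claims decoded JWT payload; "aud" may be a String or a List of String
     * @param now    evaluation time, passed in so the outcome is deterministic
     */
    public void validate(Map<String, Object> claims, Instant now) throws ClaimValidationException {
        Object iss = claims.get("iss");
        if (!expectedIssuer.equals(iss)) {
            throw new ClaimValidationException("issuer mismatch: expected " + expectedIssuer + ", token has " + iss);
        }
        Object exp = claims.get("exp");
        if (!(exp instanceof Number)) {
            throw new ClaimValidationException("exp claim missing or not numeric");
        }
        long expSeconds = ((Number) exp).longValue();
        if (now.getEpochSecond() > expSeconds + clockSkewSeconds) {
            throw new ClaimValidationException("token expired at " + expSeconds);
        }
        List<String> aud = audienceList(claims.get("aud"));
        if (aud.isEmpty()) {
            throw new ClaimValidationException("no audience claim present in ID token");
        }
        Object azp = claims.get("azp");
        if (azp != null && !aud.contains(azp)) {
            throw new ClaimValidationException("azp " + azp + " not found in aud " + aud);
        }
    }

    /** Normalises aud to a list: RFC 7519 allows either a single string or an array of strings. */
    @SuppressWarnings("unchecked")
    private static List<String> audienceList(Object aud) {
        if (aud instanceof String) {
            return List.of((String) aud);
        }
        if (aud instanceof List) {
            return (List<String>) aud;
        }
        return List.of();
    }

    /** Constructed sample claims; issuer and client ids are placeholders, not real deployments. */
    public static void main(String[] args) {
        IdTokenClaimChecks checks = new IdTokenClaimChecks("https://issuer.example", 60);
        Instant now = Instant.ofEpochSecond(1_700_000_000L);
        Map<String, Object> good = Map.of(
                "iss", "https://issuer.example", "exp", 1_700_000_300L,
                "aud", List.of("client-a", "client-b"), "azp", "client-a");
        Map<String, Object> badAzp = Map.of(
                "iss", "https://issuer.example", "exp", 1_700_000_300L,
                "aud", List.of("client-a"), "azp", "client-c");
        Map<String, Object> expired = Map.of(
                "iss", "https://issuer.example", "exp", 1_699_999_000L,
                "aud", "client-a");
        for (Map<String, Object> claims : List.of(good, badAzp, expired)) {
            try {
                checks.validate(claims, now);
                System.out.println("accepted: " + claims);
            } catch (ClaimValidationException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The ordering mirrors the method above: the issuer check runs first, because a mismatch there means the token was sent to the wrong module or the module is misconfigured, and no amount of audience checking changes that. Checking azp against aud matters because a token minted for one client and relayed to another will carry a matching aud list for the relay target only if the issuer put it there; the azp value exposes the original client and the check refuses tokens where the two disagree.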

Example 3 with OpenIdResolver

Use of org.forgerock.jaspi.modules.openid.resolvers.OpenIdResolver in project OpenAM by OpenRock.

From class OpenIdResolverCacheImplTest, method testBasicCreation:

@Test
public void testBasicCreation() throws MalformedURLException, FailedToLoadJWKException {
    OpenIdResolver localConfigResolver = createConfigResolver();
    assertTrue(localConfigResolver == configResolver);
    OpenIdResolver localJwkResolver = createJwtResolver();
    assertTrue(localJwkResolver == jwkResolver);
    OpenIdResolver localClientSecretResolver = createSecretResolver();
    assertTrue(localClientSecretResolver == clientSecretResolver);
}

Example 4 with OpenIdResolver

Use of org.forgerock.jaspi.modules.openid.resolvers.OpenIdResolver in project OpenAM by OpenRock.

From class OpenIdResolverCacheImplTest, method testBasicLookup:

@Test
public void testBasicLookup() throws MalformedURLException, FailedToLoadJWKException {
    createConfigResolver();
    createJwtResolver();
    createSecretResolver();
    OpenIdResolver localConfigResolver = cache.getResolverForIssuer(FAUX_CONIFIG_URL_STRING);
    assertTrue(localConfigResolver == configResolver);
    OpenIdResolver localJwkResolver = cache.getResolverForIssuer(FAUX_JWK_URL_STRING);
    assertTrue(localJwkResolver == jwkResolver);
    OpenIdResolver localClientSecretResolver = cache.getResolverForIssuer(FAUX_CLIENT_SECRET);
    assertTrue(localClientSecretResolver == clientSecretResolver);
}