use of org.forgerock.json.jose.jwt.JwtClaimsSet in project OpenAM by OpenRock.
the class OpenIdConnect method process.
/**
 * Single-state login step: reads the OpenID Connect ID token from the configured request header,
 * has the {@code jwtHandler} validate it, then applies the module's audience and authorized-party
 * policy before mapping the claims to a local principal.
 * <p>
 * Neither {@code callbacks} nor {@code state} is read by this implementation.
 *
 * @param callbacks JAAS callbacks supplied by the framework (unused here).
 * @param state the current login state (unused here).
 * @return {@code ISAuthConstants.LOGIN_SUCCEED} once a principal has been resolved.
 * @throws LoginException (as {@code AuthLoginException}) when the header is absent or empty, the token fails
 *     validation, it is not intended for the configured audience, its {@code azp} claim is not an accepted party,
 *     or no principal can be mapped from it.
 */
@Override
public int process(Callback[] callbacks, int state) throws LoginException {
    // The ID token is taken verbatim from the header named in the module configuration.
    final HttpServletRequest request = getHttpServletRequest();
    final String jwtValue = request.getHeader(config.getHeaderName());
    final boolean headerMissing = (jwtValue == null) || jwtValue.isEmpty();
    if (headerMissing) {
        logger.error("No OpenIdConnect ID Token referenced by header value: " + config.getHeaderName());
        throw new AuthLoginException(RESOURCE_BUNDLE_NAME, BUNDLE_KEY_MISSING_HEADER, null);
    }

    // Signature, issuer and structural checks live in the handler; what follows is module policy on the result.
    final JwtClaimsSet jwtClaims = jwtHandler.validateJwt(jwtValue);

    final boolean forThisAudience = JwtHandler.isIntendedForAudience(config.getAudienceName(), jwtClaims);
    if (!forThisAudience) {
        logger.error("ID token is not for this audience.");
        throw new AuthLoginException(RESOURCE_BUNDLE_NAME, BUNDLE_KEY_ID_TOKEN_BAD_AUDIENCE, null);
    }

    // azp is optional; when it is present it must name one of the accepted authorized parties.
    final boolean hasAzp = JwtHandler.jwtHasAuthorizedPartyClaim(jwtClaims);
    if (hasAzp && !JwtHandler.isFromValidAuthorizedParty(config.getAcceptedAuthorizedParties(), jwtClaims)) {
        logger.error("ID token was received from invalid authorized party.");
        throw new AuthLoginException(RESOURCE_BUNDLE_NAME, BUNDLE_KEY_INVALID_AUTHORIZED_PARTY, null);
    }

    principalName = mapPrincipal(jwtClaims);
    return ISAuthConstants.LOGIN_SUCCEED;
}
use of org.forgerock.json.jose.jwt.JwtClaimsSet in project OpenAM by OpenRock.
the class OpenIdConnect method mapPrincipal.
/**
 * Resolves the local account name for an already-validated ID token.
 * <p>
 * The configured claim-to-attribute mappings are applied to the claims set; the resulting attribute
 * values are then used to search the identity repository of the request's organisation.
 *
 * @param jwtClaimsSet the validated claims of the ID token.
 * @return the name of the matched local identity.
 * @throws AuthLoginException if none of the mapped claims is present in the token.
 */
private String mapPrincipal(JwtClaimsSet jwtClaimsSet) throws AuthLoginException {
    final AttributeMapper<JwtClaimsSet> mapper = instantiatePrincipalMapper();
    final AccountProvider provider = instantiateAccountProvider();

    final Map<String, Set<String>> lookupAttrs =
            mapper.getAttributes(config.getJwkToLocalAttributeMappings(), jwtClaimsSet);
    if (lookupAttrs.isEmpty()) {
        // Without at least one mapped attribute there is nothing to search the repository with.
        logger.error("None of the attributes specified in the mappings could be found in the Id Token.");
        throw new AuthLoginException(RESOURCE_BUNDLE_NAME, BUNDLE_KEY_NO_ATTRIBUTES_MAPPED, null);
    }

    // NOTE(review): searchUser's result is dereferenced directly; confirm it cannot return null for an
    // unknown user, since that would surface as a NullPointerException rather than an AuthLoginException.
    return provider.searchUser(getAMIdentityRepository(getRequestOrg()), lookupAttrs).getName();
}
use of org.forgerock.json.jose.jwt.JwtClaimsSet in project OpenAM by OpenRock.
the class JwtAttributeMapperTest method initialize.
/**
 * Builds the shared fixtures: a claims set carrying subject, issuer and e-mail claims, the
 * claim-to-attribute mappings exercised by the tests, and the mapper under test.
 */
@BeforeTest
public void initialize() {
    // Claims present in the fixture token.
    jwtMappings = new HashMap<String, Object>();
    jwtMappings.put(SUB, SUBJECT_VALUE);
    jwtMappings.put(ISS, ISSUER);
    jwtMappings.put(EMAIL, EMAIL_VALUE);
    claimsSet = new JwtClaimsSet(jwtMappings);

    // Claim name -> local attribute name.
    attributeMappings = new HashMap<String, String>();
    attributeMappings.put(SUB, UID);
    attributeMappings.put(EMAIL, AM_EMAIL);

    // Mapper under test: principal attribute "uid", values prefixed with "prefix-".
    defaultPrincipalMapper = new JwtAttributeMapper("uid", "prefix-");
}
use of org.forgerock.json.jose.jwt.JwtClaimsSet in project OpenAM by OpenRock.
the class JwtHandler method validateJwt.
/**
 * Validate the integrity of the JWT OIDC token, according to the spec
 * (http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation). Specifically check that the issuer is
 * the expected issuer, the token has not expired, the token has at least one audience claim, and if there is an
 * authorized party claim ("azp"), does it appear in the audience list contained within the token?
 * <p>
 * Order of checks as implemented here: the issuer claim is compared with the configured issuer, a resolver for
 * the configured crypto context is looked up (or created), the resolver verifies the token, and only then are the
 * audience and azp claims inspected. No expiry check is visible in this method body; it is presumably part of
 * {@code resolver.validateIdentity} - confirm before relying on it.
 *
 * @param jwtValue The encoded JWT string.
 * @return The validated JWT claims.
 * @throws AuthLoginException if the issuer claim does not match the configured issuer, no resolver can be
 *     created for the configured crypto context, the resolver rejects the token, the audience claim is absent,
 *     or the azp claim is not listed in the audience.
 */
public JwtClaimsSet validateJwt(String jwtValue) throws AuthLoginException {
    final SignedJwt signedJwt = getSignedJwt(jwtValue);
    JwtClaimsSet jwtClaimSet = signedJwt.getClaimsSet();
    final String jwtClaimSetIssuer = jwtClaimSet.getIssuer();
    // The signature has NOT been verified yet, so the issuer claim is still untrusted input here. Because it must
    // equal the configured issuer to get past this check, only the configured issuer string ever reaches
    // createResolver below.
    if (!config.getConfiguredIssuer().equals(jwtClaimSetIssuer)) {
        logger.error("The issuer configured for the module, " + config.getConfiguredIssuer() + ", and the " + "issuer found in the token, " + jwtClaimSetIssuer + ", do not match. This means that the token " + "authentication was directed at the wrong module, or the targeted module is mis-configured.");
        throw new AuthLoginException(RESOURCE_BUNDLE_NAME, BUNDLE_KEY_TOKEN_ISSUER_MISMATCH, null);
    }
    // See if a resolver is present corresponding to jwt issuer, and if not, add, then dispatch validation to
    // resolver.
    // NOTE(review): the cache lookup is keyed by the crypto context value, while createResolver below is
    // passed the issuer as its first argument - confirm both paths agree on the cache key.
    OpenIdResolver resolver = openIdResolverCache.getResolverForIssuer(config.getCryptoContextValue());
    if (resolver == null) {
        if (logger.messageEnabled()) {
            if (CRYPTO_CONTEXT_TYPE_CLIENT_SECRET.equals(config.getCryptoContextType())) {
                logger.message("Creating OpenIdResolver for issuer " + jwtClaimSetIssuer + " using client secret");
            } else {
                logger.message("Creating OpenIdResolver for issuer " + jwtClaimSetIssuer + " using config url " + config.getCryptoContextValue());
            }
        }
        try {
            resolver = openIdResolverCache.createResolver(jwtClaimSetIssuer, config.getCryptoContextType(), config.getCryptoContextValue(), config.getCryptoContextUrlValue());
        } catch (IllegalStateException e) {
            // Reported to the user under the issuer-mismatch bundle key; the JWK failure below uses its own key.
            logger.error("Could not create OpenIdResolver for issuer " + jwtClaimSetIssuer + " using crypto context value " + config.getCryptoContextValue() + " :" + e);
            throw new AuthLoginException(RESOURCE_BUNDLE_NAME, BUNDLE_KEY_ISSUER_MISMATCH, null);
        } catch (FailedToLoadJWKException e) {
            logger.error("Could not create OpenIdResolver for issuer " + jwtClaimSetIssuer + " using crypto context value " + config.getCryptoContextValue() + " :" + e, e);
            throw new AuthLoginException(RESOURCE_BUNDLE_NAME, BUNDLE_KEY_JWK_NOT_LOADED, null);
        }
    }
    try {
        // Cryptographic verification happens here; the claim checks below operate on the verified token.
        resolver.validateIdentity(signedJwt);
        List<String> audienceClaim = jwtClaimSet.getAudience();
        if (!jwtHasAudienceClaim(jwtClaimSet)) {
            logger.error("No audience claim present in ID token.");
            throw new AuthLoginException(RESOURCE_BUNDLE_NAME, BUNDLE_KEY_NO_AUDIENCE_CLAIM, null);
        }
        if (jwtHasAuthorizedPartyClaim(jwtClaimSet)) {
            // Unchecked cast: a non-string azp claim would surface as a ClassCastException, which the catch
            // clauses below do not translate into an AuthLoginException.
            String authorizedPartyClaim = (String) jwtClaimSet.getClaim(AUTHORIZED_PARTY_CLAIM_KEY);
            if (!audienceClaim.contains(authorizedPartyClaim)) {
                logger.error("Authorized party was present in ID token, but its value was not found in the " + "audience claim.");
                throw new AuthLoginException(RESOURCE_BUNDLE_NAME, BUNDLE_KEY_AUTHORIZED_PARTY_NOT_IN_AUDIENCE, null);
            }
        }
    } catch (OpenIdConnectVerificationException oice) {
        // Verification failures are logged at warning level (unlike the configuration errors above).
        logger.warning("Verification of ID Token failed: " + oice);
        throw new AuthLoginException(RESOURCE_BUNDLE_NAME, BUNDLE_KEY_VERIFICATION_FAILED, null);
    } catch (JwsSigningException jse) {
        logger.error("JwsSigningException", jse);
        throw new AuthLoginException(RESOURCE_BUNDLE_NAME, BUNDLE_KEY_JWS_SIGNING_EXCEPTION, null);
    }
    return jwtClaimSet;
}
use of org.forgerock.json.jose.jwt.JwtClaimsSet in project OpenAM by OpenRock.
the class PersistentCookieAuthModuleTest method shouldEnforceClientIPOnLoginWhenClientIPIsDifferent.
/**
 * With IP enforcement enabled, a persistent-cookie login must be rejected when the address recorded in the
 * cookie's auth-context claim differs from the address of the current request.
 */
@Test(expectedExceptions = AuthLoginException.class)
public void shouldEnforceClientIPOnLoginWhenClientIPIsDifferent() throws LoginException {
    //Given
    // Module configured with IP enforcement switched on.
    Map options = new HashMap();
    options.put("openam-auth-persistent-cookie-enforce-ip", Collections.singleton("true"));
    persistentCookieAuthModule.initialize(null, null, options);

    // A session JWT whose auth-context claim records the realm and the IP the cookie was issued to.
    MessageInfo messageInfo = mock(MessageInfo.class);
    Jwt jwt = mock(Jwt.class);
    JwtClaimsSet claimsSet = mock(JwtClaimsSet.class);
    Map<String, Object> claimsSetContext = new HashMap<String, Object>();
    claimsSetContext.put("openam.rlm", "REALM");
    claimsSetContext.put("openam-auth-persistent-cookie-enforce-ip", "CLIENT_IP");
    given(jwtSessionModule.validateJwtSessionCookie(messageInfo)).willReturn(jwt);
    given(jwt.getClaimsSet()).willReturn(claimsSet);
    given(claimsSet.getClaim(AuthenticationFramework.ATTRIBUTE_AUTH_CONTEXT, Map.class)).willReturn(claimsSetContext);

    // The current request comes from a different address, in the same realm.
    HttpServletRequest request = mock(HttpServletRequest.class);
    given(request.getRemoteAddr()).willReturn("CLIENT_IP_2");
    given(amLoginModuleBinder.getRequestOrg()).willReturn("REALM");
    given(amLoginModuleBinder.getHttpServletRequest()).willReturn(request);

    //When
    Subject clientSubject = new Subject();
    Callback[] callbacks = new Callback[0];
    persistentCookieAuthModule.process(messageInfo, clientSubject, callbacks);

    //Then
    fail();
}