Example 1 with JwtClaimsSet

Use of org.forgerock.json.jose.jwt.JwtClaimsSet in project OpenAM by OpenRock.

From class OpenIdConnect, method process.

@Override
public int process(Callback[] callbacks, int state) throws LoginException {
    final HttpServletRequest request = getHttpServletRequest();
    // The ID token is read from the HTTP header named in the module configuration.
    final String jwtValue = request.getHeader(config.getHeaderName());
    if (jwtValue == null || jwtValue.isEmpty()) {
        logger.error("No OpenIdConnect ID Token referenced by header value: " + config.getHeaderName());
        throw new AuthLoginException(RESOURCE_BUNDLE_NAME, BUNDLE_KEY_MISSING_HEADER, null);
    }
    // Signature, issuer, presence of "aud" and azp/aud consistency are checked in JwtHandler.validateJwt.
    JwtClaimsSet jwtClaims = jwtHandler.validateJwt(jwtValue);
    // The token must be addressed to this module's configured audience.
    if (!JwtHandler.isIntendedForAudience(config.getAudienceName(), jwtClaims)) {
        logger.error("ID token is not for this audience.");
        throw new AuthLoginException(RESOURCE_BUNDLE_NAME, BUNDLE_KEY_ID_TOKEN_BAD_AUDIENCE, null);
    }
    // When "azp" is present, it must be one of the accepted authorized parties.
    if (JwtHandler.jwtHasAuthorizedPartyClaim(jwtClaims)) {
        if (!JwtHandler.isFromValidAuthorizedParty(config.getAcceptedAuthorizedParties(), jwtClaims)) {
            logger.error("ID token was received from invalid authorized party.");
            throw new AuthLoginException(RESOURCE_BUNDLE_NAME, BUNDLE_KEY_INVALID_AUTHORIZED_PARTY, null);
        }
    }
    // Resolve the token's claims to a local account; fails if no mapped attribute is present.
    principalName = mapPrincipal(jwtClaims);
    return ISAuthConstants.LOGIN_SUCCEED;
}
Also used: HttpServletRequest (javax.servlet.http.HttpServletRequest), JwtClaimsSet (org.forgerock.json.jose.jwt.JwtClaimsSet), AuthLoginException (com.sun.identity.authentication.spi.AuthLoginException)

Example 2 with JwtClaimsSet

Use of org.forgerock.json.jose.jwt.JwtClaimsSet in project OpenAM by OpenRock.

From class OpenIdConnect, method mapPrincipal.

private String mapPrincipal(JwtClaimsSet jwtClaimsSet) throws AuthLoginException {
    AttributeMapper<JwtClaimsSet> principalMapper = instantiatePrincipalMapper();
    AccountProvider accountProvider = instantiateAccountProvider();
    Map<String, Set<String>> lookupAttrs = principalMapper.getAttributes(config.getJwkToLocalAttributeMappings(), jwtClaimsSet);
    if (lookupAttrs.isEmpty()) {
        logger.error("None of the attributes specified in the mappings could be found in the Id Token.");
        throw new AuthLoginException(RESOURCE_BUNDLE_NAME, BUNDLE_KEY_NO_ATTRIBUTES_MAPPED, null);
    }
    return accountProvider.searchUser(getAMIdentityRepository(getRequestOrg()), lookupAttrs).getName();
}
Also used: JwtClaimsSet (org.forgerock.json.jose.jwt.JwtClaimsSet), Set (java.util.Set), AuthLoginException (com.sun.identity.authentication.spi.AuthLoginException), AccountProvider (org.forgerock.openam.authentication.modules.common.mapping.AccountProvider)

Example 3 with JwtClaimsSet

Use of org.forgerock.json.jose.jwt.JwtClaimsSet in project OpenAM by OpenRock.

From class JwtAttributeMapperTest, method initialize.

@BeforeTest
public void initialize() {
    jwtMappings = new HashMap<String, Object>();
    jwtMappings.put(SUB, SUBJECT_VALUE);
    jwtMappings.put(ISS, ISSUER);
    jwtMappings.put(EMAIL, EMAIL_VALUE);
    attributeMappings = new HashMap<String, String>();
    attributeMappings.put(SUB, UID);
    attributeMappings.put(EMAIL, AM_EMAIL);
    claimsSet = new JwtClaimsSet(jwtMappings);
    defaultPrincipalMapper = new JwtAttributeMapper("uid", "prefix-");
}
Also used: JwtClaimsSet (org.forgerock.json.jose.jwt.JwtClaimsSet), BeforeTest (org.testng.annotations.BeforeTest)

Example 4 with JwtClaimsSet

Use of org.forgerock.json.jose.jwt.JwtClaimsSet in project OpenAM by OpenRock.

From class JwtHandler, method validateJwt.

/**
 * Validate the integrity of the JWT OIDC token, according to the spec
 * (http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation). Specifically check that the issuer is
 * the expected issuer, the token has not expired, the token has at least one audience claim, and if there is an
 * authorized party claim ("azp"), does it appear in the audience list contained within the token?
 *
 * @param jwtValue The encoded JWT string.
 * @return The validated JWT claims.
 * @throws AuthLoginException if the issuer does not match, the resolver cannot be created, or verification of
 *         the token fails.
 */
public JwtClaimsSet validateJwt(String jwtValue) throws AuthLoginException {
    final SignedJwt signedJwt = getSignedJwt(jwtValue);
    JwtClaimsSet jwtClaimSet = signedJwt.getClaimsSet();
    final String jwtClaimSetIssuer = jwtClaimSet.getIssuer();
    // The issuer must match the module configuration before any key material is resolved.
    if (!config.getConfiguredIssuer().equals(jwtClaimSetIssuer)) {
        logger.error("The issuer configured for the module, " + config.getConfiguredIssuer() + ", and the "
                + "issuer found in the token, " + jwtClaimSetIssuer + ", do not match. This means that the token "
                + "authentication was directed at the wrong module, or the targeted module is mis-configured.");
        throw new AuthLoginException(RESOURCE_BUNDLE_NAME, BUNDLE_KEY_TOKEN_ISSUER_MISMATCH, null);
    }
    // See if a resolver is present corresponding to jwt issuer, and if not, add, then dispatch validation to
    // resolver.
    OpenIdResolver resolver = openIdResolverCache.getResolverForIssuer(config.getCryptoContextValue());
    if (resolver == null) {
        if (logger.messageEnabled()) {
            if (CRYPTO_CONTEXT_TYPE_CLIENT_SECRET.equals(config.getCryptoContextType())) {
                logger.message("Creating OpenIdResolver for issuer " + jwtClaimSetIssuer + " using client secret");
            } else {
                logger.message("Creating OpenIdResolver for issuer " + jwtClaimSetIssuer + " using config url "
                        + config.getCryptoContextValue());
            }
        }
        try {
            resolver = openIdResolverCache.createResolver(jwtClaimSetIssuer, config.getCryptoContextType(),
                    config.getCryptoContextValue(), config.getCryptoContextUrlValue());
        } catch (IllegalStateException e) {
            logger.error("Could not create OpenIdResolver for issuer " + jwtClaimSetIssuer
                    + " using crypto context value " + config.getCryptoContextValue() + " :" + e);
            throw new AuthLoginException(RESOURCE_BUNDLE_NAME, BUNDLE_KEY_ISSUER_MISMATCH, null);
        } catch (FailedToLoadJWKException e) {
            logger.error("Could not create OpenIdResolver for issuer " + jwtClaimSetIssuer
                    + " using crypto context value " + config.getCryptoContextValue() + " :" + e, e);
            throw new AuthLoginException(RESOURCE_BUNDLE_NAME, BUNDLE_KEY_JWK_NOT_LOADED, null);
        }
    }
    try {
        // The resolver verifies the signature against the issuer's key material (client secret or JWKs).
        resolver.validateIdentity(signedJwt);
        List<String> audienceClaim = jwtClaimSet.getAudience();
        // "aud" is mandatory for an ID token.
        if (!jwtHasAudienceClaim(jwtClaimSet)) {
            logger.error("No audience claim present in ID token.");
            throw new AuthLoginException(RESOURCE_BUNDLE_NAME, BUNDLE_KEY_NO_AUDIENCE_CLAIM, null);
        }
        // When "azp" is present, its value must be one of the listed audiences.
        if (jwtHasAuthorizedPartyClaim(jwtClaimSet)) {
            String authorizedPartyClaim = (String) jwtClaimSet.getClaim(AUTHORIZED_PARTY_CLAIM_KEY);
            if (!audienceClaim.contains(authorizedPartyClaim)) {
                logger.error("Authorized party was present in ID token, but its value was not found in the "
                        + "audience claim.");
                throw new AuthLoginException(RESOURCE_BUNDLE_NAME, BUNDLE_KEY_AUTHORIZED_PARTY_NOT_IN_AUDIENCE, null);
            }
        }
    } catch (OpenIdConnectVerificationException oice) {
        logger.warning("Verification of ID Token failed: " + oice);
        throw new AuthLoginException(RESOURCE_BUNDLE_NAME, BUNDLE_KEY_VERIFICATION_FAILED, null);
    } catch (JwsSigningException jse) {
        logger.error("JwsSigningException", jse);
        throw new AuthLoginException(RESOURCE_BUNDLE_NAME, BUNDLE_KEY_JWS_SIGNING_EXCEPTION, null);
    }
    return jwtClaimSet;
}
Also used: JwsSigningException (org.forgerock.json.jose.exceptions.JwsSigningException), JwtClaimsSet (org.forgerock.json.jose.jwt.JwtClaimsSet), OpenIdResolver (org.forgerock.jaspi.modules.openid.resolvers.OpenIdResolver), FailedToLoadJWKException (org.forgerock.jaspi.modules.openid.exceptions.FailedToLoadJWKException), AuthLoginException (com.sun.identity.authentication.spi.AuthLoginException), SignedJwt (org.forgerock.json.jose.jws.SignedJwt), OpenIdConnectVerificationException (org.forgerock.jaspi.modules.openid.exceptions.OpenIdConnectVerificationException)

Example 5 with JwtClaimsSet

Use of org.forgerock.json.jose.jwt.JwtClaimsSet in project OpenAM by OpenRock.

From class PersistentCookieAuthModuleTest, method shouldEnforceClientIPOnLoginWhenClientIPIsDifferent.

@Test(expectedExceptions = AuthLoginException.class)
public void shouldEnforceClientIPOnLoginWhenClientIPIsDifferent() throws LoginException {
    // Given
    MessageInfo messageInfo = mock(MessageInfo.class);
    Subject clientSubject = new Subject();
    Callback[] callbacks = new Callback[0];
    Jwt jwt = mock(Jwt.class);
    JwtClaimsSet claimsSet = mock(JwtClaimsSet.class);
    Map<String, Object> claimsSetContext = new HashMap<String, Object>();
    HttpServletRequest request = mock(HttpServletRequest.class);
    // Enable client IP enforcement for the persistent cookie module.
    Map options = new HashMap();
    options.put("openam-auth-persistent-cookie-enforce-ip", Collections.singleton("true"));
    persistentCookieAuthModule.initialize(null, null, options);
    given(jwtSessionModule.validateJwtSessionCookie(messageInfo)).willReturn(jwt);
    given(jwt.getClaimsSet()).willReturn(claimsSet);
    given(claimsSet.getClaim(AuthenticationFramework.ATTRIBUTE_AUTH_CONTEXT, Map.class)).willReturn(claimsSetContext);
    claimsSetContext.put("openam.rlm", "REALM");
    given(amLoginModuleBinder.getRequestOrg()).willReturn("REALM");
    // The IP recorded in the cookie's claims differs from the IP of the current request.
    claimsSetContext.put("openam-auth-persistent-cookie-enforce-ip", "CLIENT_IP");
    given(amLoginModuleBinder.getHttpServletRequest()).willReturn(request);
    given(request.getRemoteAddr()).willReturn("CLIENT_IP_2");
    // When
    persistentCookieAuthModule.process(messageInfo, clientSubject, callbacks);
    // Then
    fail();
}
Also used: HttpServletRequest (javax.servlet.http.HttpServletRequest), JwtClaimsSet (org.forgerock.json.jose.jwt.JwtClaimsSet), Callback (javax.security.auth.callback.Callback), HashMap (java.util.HashMap), Jwt (org.forgerock.json.jose.jwt.Jwt), Map (java.util.Map), Subject (javax.security.auth.Subject), MessageInfo (javax.security.auth.message.MessageInfo), Test (org.testng.annotations.Test)
