Example 16 with JwtClaimsSet

Use of org.forgerock.json.jose.jwt.JwtClaimsSet in the OpenAM project by OpenRock.

Source: class JwtSessionMapper, method fromJwt.

/**
 * Extract the SessionInfo stored in the provided JWT's serialized_session claim.
 *
 * @param jwtString Non-null String which represents a JWT with SessionInfo state assigned to a
 *                  serialized_session claim.
 *
 * @return SessionInfo A correctly parsed SessionInfo for the given JWT String.
 *
 * @throws JwtRuntimeException If there was a problem reconstructing the JWT
 */
public SessionInfo fromJwt(@Nonnull String jwtString) throws JwtRuntimeException {
    Reject.ifNull(jwtString, "jwtString must not be null.");
    SignedJwt signedJwt;
    if (encryptionKeyPair != null) {
        // Nested JWT (a JWE wrapping a JWS): decrypt with the private key before the signed
        // token can be examined. reconstruct() could throw JwtRuntimeException on a malformed token.
        SignedEncryptedJwt signedEncryptedJwt = jwtBuilderFactory.reconstruct(jwtString, SignedEncryptedJwt.class);
        signedEncryptedJwt.decrypt(encryptionKeyPair.getPrivate());
        signedJwt = signedEncryptedJwt;
    } else {
        // Plain JWS; reconstruct() could throw JwtRuntimeException on a malformed token.
        signedJwt = jwtBuilderFactory.reconstruct(jwtString, SignedJwt.class);
    }
    // Claims are only read once the token's "alg" header matches the configured algorithm AND
    // the signature verifies. Checking the algorithm first means the header cannot dictate which
    // verification is performed; a mismatch or a bad signature is rejected the same way.
    if (!doesJwtAlgorithmMatch(signedJwt) || !signedJwt.verify(verificationHandler)) {
        throw new JwtRuntimeException("Invalid JWT!");
    }
    JwtClaimsSet claimsSet = signedJwt.getClaimsSet();
    String serializedSession = claimsSet.getClaim(SERIALIZED_SESSION_CLAIM, String.class);
    return fromJson(serializedSession);
}
Also used: SignedEncryptedJwt (org.forgerock.json.jose.jws.SignedEncryptedJwt), JwtClaimsSet (org.forgerock.json.jose.jwt.JwtClaimsSet), JwtRuntimeException (org.forgerock.json.jose.exceptions.JwtRuntimeException), SignedJwt (org.forgerock.json.jose.jws.SignedJwt)

Example 17 with JwtClaimsSet

Use of org.forgerock.json.jose.jwt.JwtClaimsSet in the OpenAM project by OpenRock.

Source: class OpenIdConnectTokenGenerationImpl, method asymmetricSign.

private SignedJwt asymmetricSign(STSOpenIdConnectToken openIdConnectToken, JwsAlgorithm jwsAlgorithm, KeyPair keyPair, OpenIdConnectTokenPublicKeyReferenceType publicKeyReferenceType) throws TokenCreationException {
    // Only RSA-family JWS algorithms are valid here; the caller's choice of algorithm family
    // must agree with the key material it supplied.
    if (!JwsAlgorithmType.RSA.equals(jwsAlgorithm.getAlgorithmType())) {
        throw new TokenCreationException(ResourceException.BAD_REQUEST, "Exception in " + "OpenIdConnectTokenGenerationImpl#asymmetricSign: algorithm type not RSA but " + jwsAlgorithm.getAlgorithmType());
    }
    final SigningHandler signingHandler = new SigningManager().newRsaSigningHandler(keyPair.getPrivate());
    JwsHeaderBuilder jwsHeaderBuilder = jwtBuilderFactory.jws(signingHandler).headers().alg(jwsAlgorithm);
    JwtClaimsSet claimsSet = jwtBuilderFactory.claims().claims(openIdConnectToken.asMap()).build();
    RSAPublicKey rsaPublicKey;
    try {
        rsaPublicKey = (RSAPublicKey) keyPair.getPublic();
    } catch (ClassCastException e) {
        throw new TokenCreationException(ResourceException.BAD_REQUEST, "Could not sign jwt with algorithm " + jwsAlgorithm + " because the PublicKey not of type RSAPublicKey but rather " + (keyPair.getPublic() != null ? keyPair.getPublic().getClass().getCanonicalName() : null));
    }
    // Add the key identification headers (e.g. kid or an embedded JWK) so relying parties can
    // locate the public key that verifies this signature.
    handleKeyIdentification(jwsHeaderBuilder, publicKeyReferenceType, rsaPublicKey, jwsAlgorithm);
    return jwsHeaderBuilder.done().claims(claimsSet).asJwt();
}
Also used: JwtClaimsSet (org.forgerock.json.jose.jwt.JwtClaimsSet), RSAPublicKey (java.security.interfaces.RSAPublicKey), JwsHeaderBuilder (org.forgerock.json.jose.builders.JwsHeaderBuilder), TokenCreationException (org.forgerock.openam.sts.TokenCreationException), SigningHandler (org.forgerock.json.jose.jws.handlers.SigningHandler), SigningManager (org.forgerock.json.jose.jws.SigningManager)

Example 18 with JwtClaimsSet

Use of org.forgerock.json.jose.jwt.JwtClaimsSet in the OpenAM project by OpenRock.

Source: class OpenIdConnectTokenGenerationImpl, method symmetricSign.

private SignedJwt symmetricSign(STSOpenIdConnectToken openIdConnectToken, JwsAlgorithm jwsAlgorithm, byte[] clientSecret) throws TokenCreationException {
    // Only HMAC-family JWS algorithms are valid here; the shared client secret is the key.
    if (!JwsAlgorithmType.HMAC.equals(jwsAlgorithm.getAlgorithmType())) {
        throw new TokenCreationException(ResourceException.BAD_REQUEST, "Exception in " + "OpenIdConnectTokenGenerationImpl#symmetricSign: algorithm type not HMAC but " + jwsAlgorithm.getAlgorithmType());
    }
    final SigningHandler signingHandler = new SigningManager().newHmacSigningHandler(clientSecret);
    JwsHeaderBuilder builder = jwtBuilderFactory.jws(signingHandler).headers().alg(jwsAlgorithm);
    JwtClaimsSet claimsSet = jwtBuilderFactory.claims().claims(openIdConnectToken.asMap()).build();
    return builder.done().claims(claimsSet).asJwt();
}
Also used: JwtClaimsSet (org.forgerock.json.jose.jwt.JwtClaimsSet), JwsHeaderBuilder (org.forgerock.json.jose.builders.JwsHeaderBuilder), TokenCreationException (org.forgerock.openam.sts.TokenCreationException), SigningHandler (org.forgerock.json.jose.jws.handlers.SigningHandler), SigningManager (org.forgerock.json.jose.jws.SigningManager)

Example 19 with JwtClaimsSet

Use of org.forgerock.json.jose.jwt.JwtClaimsSet in the OpenAM project by OpenRock.

Source: class OpenIdConnectTokenGenerationImplTest, method testHMACOpenIdConnectTokenGeneration.

@Test
public void testHMACOpenIdConnectTokenGeneration() throws TokenCreationException {
    // Mock the SSO token validation so the generator sees a fixed subject.
    SSOTokenIdentity mockSSOTokenIdentity = mock(SSOTokenIdentity.class);
    when(mockSSOTokenIdentity.validateAndGetTokenPrincipal(any(SSOToken.class))).thenReturn(SUBJECT_NAME);
    SSOToken mockSSOToken = mock(SSOToken.class);
    // STS instance state carrying an HMAC-signed OIDC token configuration.
    STSInstanceState mockSTSInstanceState = mock(STSInstanceState.class);
    STSInstanceConfig mockSTSInstanceConfig = mock(STSInstanceConfig.class);
    when(mockSTSInstanceState.getConfig()).thenReturn(mockSTSInstanceConfig);
    OpenIdConnectTokenConfig openIdConnectTokenConfig = buildHMACOpenIdConnectTokenConfig();
    when(mockSTSInstanceConfig.getOpenIdConnectTokenConfig()).thenReturn(openIdConnectTokenConfig);
    TokenGenerationServiceInvocationState mockTokenGenerationInvocationState = mock(TokenGenerationServiceInvocationState.class);
    // Custom claim mapping returns the configured attributes (e.g. the email claim).
    OpenIdConnectTokenClaimMapperProvider mockClaimMapperProvider = mock(OpenIdConnectTokenClaimMapperProvider.class);
    OpenIdConnectTokenClaimMapper mockClaimMapper = mock(OpenIdConnectTokenClaimMapper.class);
    when(mockClaimMapperProvider.getClaimMapper(any(OpenIdConnectTokenConfig.class))).thenReturn(mockClaimMapper);
    when(mockClaimMapper.getCustomClaims(mockSSOToken, mappedClaimConfig)).thenReturn(mappedClaimAttributes);
    long authTime = System.currentTimeMillis() / 1000;
    OpenIdConnectTokenGenerationState openIdConnectTokenGenerationState = buildOpenIdConnectTokenGenerationState(authTime);
    when(mockTokenGenerationInvocationState.getOpenIdConnectTokenGenerationState()).thenReturn(openIdConnectTokenGenerationState);
    String oidcToken = new OpenIdConnectTokenGenerationImpl(mockSSOTokenIdentity, new JwtBuilderFactory(), mockClaimMapperProvider, mock(CTSTokenPersistence.class), mock(Logger.class)).generate(mockSSOToken, mockSTSInstanceState, mockTokenGenerationInvocationState);
    // Parse the serialized token back and check both the standard and custom claims,
    // then confirm the HMAC signature verifies under the configured secret.
    SignedJwt signedJwt = reconstructSignedJwt(oidcToken);
    JwtClaimsSet jwtClaimsSet = signedJwt.getClaimsSet();
    assertEquals(SUBJECT_NAME, jwtClaimsSet.getSubject());
    assertEquals(AUDIENCE, jwtClaimsSet.getAudience().get(0));
    assertEquals(AUTHN_CLASS_REFERENCE, jwtClaimsSet.getClaim("acr", String.class));
    assertEquals(ISSUER, jwtClaimsSet.getIssuer());
    assertEquals(EMAIL_CLAIM_VALUE, jwtClaimsSet.get(EMAIL_CLAIM_KEY).asString());
    assertTrue(verifyHMACSignature(signedJwt));
}
Also used: JwtBuilderFactory (org.forgerock.json.jose.builders.JwtBuilderFactory), SSOToken (com.iplanet.sso.SSOToken), STSInstanceState (org.forgerock.openam.sts.tokengeneration.state.STSInstanceState), SignedJwt (org.forgerock.json.jose.jws.SignedJwt), OpenIdConnectTokenConfig (org.forgerock.openam.sts.config.user.OpenIdConnectTokenConfig), TokenGenerationServiceInvocationState (org.forgerock.openam.sts.service.invocation.TokenGenerationServiceInvocationState), JwtClaimsSet (org.forgerock.json.jose.jwt.JwtClaimsSet), SSOTokenIdentity (org.forgerock.openam.sts.tokengeneration.SSOTokenIdentity), OpenIdConnectTokenGenerationState (org.forgerock.openam.sts.service.invocation.OpenIdConnectTokenGenerationState), STSInstanceConfig (org.forgerock.openam.sts.config.user.STSInstanceConfig), Test (org.testng.annotations.Test)

Example 20 with JwtClaimsSet

Use of org.forgerock.json.jose.jwt.JwtClaimsSet in the OpenAM project by OpenRock.

Source: class PolicyRequestTest, method getJwtSubject.

private Jwt getJwtSubject(final String subjectName) {
    // Test fixture: builds a JWT carrying only a "sub" claim. NOPSigningHandler produces no real
    // signature, so a token built this way is only usable where verification is not exercised.
    JwsHeader header = new JwsHeader(Collections.<String, Object>emptyMap());
    JwtClaimsSet claims = new JwtClaimsSet();
    claims.setSubject(subjectName);
    SigningHandler handler = new NOPSigningHandler();
    return new SignedJwt(header, claims, handler);
}
Also used: JwtClaimsSet (org.forgerock.json.jose.jwt.JwtClaimsSet), JwsHeader (org.forgerock.json.jose.jws.JwsHeader), NOPSigningHandler (org.forgerock.json.jose.jws.handlers.NOPSigningHandler), SignedJwt (org.forgerock.json.jose.jws.SignedJwt), SigningHandler (org.forgerock.json.jose.jws.handlers.SigningHandler)

Aggregations (number of usages across the project alongside JwtClaimsSet):

JwtClaimsSet (org.forgerock.json.jose.jwt.JwtClaimsSet): 35
Test (org.testng.annotations.Test): 16
SigningHandler (org.forgerock.json.jose.jws.handlers.SigningHandler): 11
SignedJwt (org.forgerock.json.jose.jws.SignedJwt): 8
AuthLoginException (com.sun.identity.authentication.spi.AuthLoginException): 7
Callback (javax.security.auth.callback.Callback): 7
HttpServletRequest (javax.servlet.http.HttpServletRequest): 7
JwsHeader (org.forgerock.json.jose.jws.JwsHeader): 7
NOPSigningHandler (org.forgerock.json.jose.jws.handlers.NOPSigningHandler): 7
Jwt (org.forgerock.json.jose.jwt.Jwt): 7
HashMap (java.util.HashMap): 6
Map (java.util.Map): 5
SigningManager (org.forgerock.json.jose.jws.SigningManager): 5
Set (java.util.Set): 4
Subject (javax.security.auth.Subject): 4
MessageInfo (javax.security.auth.message.MessageInfo): 4
JwsHeaderBuilder (org.forgerock.json.jose.builders.JwsHeaderBuilder): 4
JwtBuilderFactory (org.forgerock.json.jose.builders.JwtBuilderFactory): 4
SSOToken (com.iplanet.sso.SSOToken): 3
SSOException (com.iplanet.sso.SSOException): 2