Use of org.forgerock.json.jose.jwt.JwtClaimsSet in project OpenAM by OpenRock: class JwtSessionMapper, method fromJwt.
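/**
 * Extract the {@code SessionInfo} stored in the provided JWT's {@code serialized_session} claim.
 *
 * <p>The JWT is reconstructed from its string form (and decrypted first when an encryption key pair
 * is configured), then its signing algorithm is compared with the expected one <em>before</em> the
 * signature is verified, so a token that names an unexpected algorithm is rejected without ever
 * reaching {@code verify}. Only then is the session claim read and deserialized.
 *
 * @param jwtString Non-null, String which represents a JWT with SessionInfo state assigned to a
 *                  serialized_session claim.
 * @return SessionInfo A correctly parsed SessionInfo for the given JWT String.
 * @throws JwtRuntimeException If there was a problem reconstructing or decrypting the JWT, if its
 *                             algorithm or signature does not verify, or if the serialized_session
 *                             claim carries no value.
 */
public SessionInfo fromJwt(@Nonnull String jwtString) throws JwtRuntimeException {
    Reject.ifNull(jwtString, "jwtString must not be null.");

    final SignedJwt signedJwt;
    if (encryptionKeyPair != null) {
        // Encrypted form: reconstruct as a nested (signed-then-encrypted) JWT and decrypt with our
        // private key; both steps may throw JwtRuntimeException.
        final SignedEncryptedJwt signedEncryptedJwt =
                jwtBuilderFactory.reconstruct(jwtString, SignedEncryptedJwt.class);
        signedEncryptedJwt.decrypt(encryptionKeyPair.getPrivate());
        signedJwt = signedEncryptedJwt;
    } else {
        // Plain signed form; reconstruct may throw JwtRuntimeException.
        signedJwt = jwtBuilderFactory.reconstruct(jwtString, SignedJwt.class);
    }

    // The algorithm check is deliberately evaluated first: the short-circuit means a token whose
    // header advertises a different algorithm is rejected before verify() is attempted at all.
    if (!doesJwtAlgorithmMatch(signedJwt) || !signedJwt.verify(verificationHandler)) {
        throw new JwtRuntimeException("Invalid JWT!");
    }

    final JwtClaimsSet claimsSet = signedJwt.getClaimsSet();
    final String serializedSession = claimsSet.getClaim(SERIALIZED_SESSION_CLAIM, String.class);
    if (serializedSession == null) {
        // A verified token that carries no session payload is still unusable; fail here with a
        // clear message rather than handing null to fromJson.
        throw new JwtRuntimeException("Invalid JWT: missing " + SERIALIZED_SESSION_CLAIM + " claim.");
    }
    return fromJson(serializedSession);
}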
Use of org.forgerock.json.jose.jwt.JwtClaimsSet in project OpenAM by OpenRock: class OpenIdConnectTokenGenerationImpl, method asymmetricSign.
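/**
 * Sign the OpenID Connect token with the private half of {@code keyPair} using an RSA-family JWS
 * algorithm, and reference the matching public key in the JWS header.
 *
 * @param openIdConnectToken     the token whose claim map is signed
 * @param jwsAlgorithm           the JWS algorithm; its type must be {@code JwsAlgorithmType.RSA}
 * @param keyPair                the signing key pair; its public key must be an {@code RSAPublicKey}
 * @param publicKeyReferenceType how the public key is to be referenced in the header
 * @return the signed JWT
 * @throws TokenCreationException with {@code BAD_REQUEST} if the algorithm type is not RSA, or if the
 *                                public key is absent or not an {@code RSAPublicKey}
 */
private SignedJwt asymmetricSign(STSOpenIdConnectToken openIdConnectToken, JwsAlgorithm jwsAlgorithm,
        KeyPair keyPair, OpenIdConnectTokenPublicKeyReferenceType publicKeyReferenceType)
        throws TokenCreationException {
    if (!JwsAlgorithmType.RSA.equals(jwsAlgorithm.getAlgorithmType())) {
        // The message names this method; the previous text said "symmetricSign" (copy-paste).
        throw new TokenCreationException(ResourceException.BAD_REQUEST, "Exception in "
                + "OpenIdConnectTokenGenerationImpl#asymmetricSign: algorithm type not RSA but "
                + jwsAlgorithm.getAlgorithmType());
    }
    final SigningHandler signingHandler = new SigningManager().newRsaSigningHandler(keyPair.getPrivate());
    final JwsHeaderBuilder jwsHeaderBuilder = jwtBuilderFactory.jws(signingHandler).headers().alg(jwsAlgorithm);
    final JwtClaimsSet claimsSet = jwtBuilderFactory.claims().claims(openIdConnectToken.asMap()).build();

    // Check the key type explicitly instead of catching ClassCastException around a cast. Note that
    // instanceof is false for null, so a missing public key is also rejected here rather than being
    // passed on to handleKeyIdentification.
    if (!(keyPair.getPublic() instanceof RSAPublicKey)) {
        throw new TokenCreationException(ResourceException.BAD_REQUEST, "Could not sign jwt with algorithm "
                + jwsAlgorithm + " because the PublicKey not of type RSAPublicKey but rather "
                + (keyPair.getPublic() != null ? keyPair.getPublic().getClass().getCanonicalName() : null));
    }
    final RSAPublicKey rsaPublicKey = (RSAPublicKey) keyPair.getPublic();

    handleKeyIdentification(jwsHeaderBuilder, publicKeyReferenceType, rsaPublicKey, jwsAlgorithm);
    return jwsHeaderBuilder.done().claims(claimsSet).asJwt();
}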
Use of org.forgerock.json.jose.jwt.JwtClaimsSet in project OpenAM by OpenRock: class OpenIdConnectTokenGenerationImpl, method symmetricSign.
/**
 * Sign the OpenID Connect token with an HMAC-family JWS algorithm keyed by {@code clientSecret}.
 *
 * @param openIdConnectToken the token whose claim map is signed
 * @param jwsAlgorithm       the JWS algorithm; its type must be {@code JwsAlgorithmType.HMAC}
 * @param clientSecret       the shared secret used as the HMAC key
 * @return the signed JWT
 * @throws TokenCreationException with {@code BAD_REQUEST} if the algorithm type is not HMAC
 */
private SignedJwt symmetricSign(STSOpenIdConnectToken openIdConnectToken, JwsAlgorithm jwsAlgorithm,
        byte[] clientSecret) throws TokenCreationException {
    final JwsAlgorithmType algorithmType = jwsAlgorithm.getAlgorithmType();
    if (!JwsAlgorithmType.HMAC.equals(algorithmType)) {
        throw new TokenCreationException(ResourceException.BAD_REQUEST, "Exception in "
                + "OpenIdConnectTokenGenerationImpl#symmetricSign: algorithm type not HMAC but "
                + algorithmType);
    }
    final SigningManager signingManager = new SigningManager();
    final SigningHandler hmacHandler = signingManager.newHmacSigningHandler(clientSecret);
    final JwsHeaderBuilder headerBuilder = jwtBuilderFactory.jws(hmacHandler).headers().alg(jwsAlgorithm);
    final JwtClaimsSet claimsSet = jwtBuilderFactory.claims().claims(openIdConnectToken.asMap()).build();
    return headerBuilder.done().claims(claimsSet).asJwt();
}
Use of org.forgerock.json.jose.jwt.JwtClaimsSet in project OpenAM by OpenRock: class OpenIdConnectTokenGenerationImplTest, method testHMACOpenIdConnectTokenGeneration.
/**
 * Generates an HMAC-signed OpenID Connect token through {@code OpenIdConnectTokenGenerationImpl}
 * with mocked collaborators, then reconstructs it and checks the standard claims (subject, audience,
 * acr, issuer), the mapped email claim, and that the HMAC signature verifies.
 */
@Test
public void testHMACOpenIdConnectTokenGeneration() throws TokenCreationException {
    // Identity resolution: any SSOToken maps to the expected subject.
    final SSOTokenIdentity identity = mock(SSOTokenIdentity.class);
    when(identity.validateAndGetTokenPrincipal(any(SSOToken.class))).thenReturn(SUBJECT_NAME);
    final SSOToken ssoToken = mock(SSOToken.class);

    // STS instance state carrying the HMAC token configuration.
    final STSInstanceConfig instanceConfig = mock(STSInstanceConfig.class);
    final OpenIdConnectTokenConfig tokenConfig = buildHMACOpenIdConnectTokenConfig();
    when(instanceConfig.getOpenIdConnectTokenConfig()).thenReturn(tokenConfig);
    final STSInstanceState instanceState = mock(STSInstanceState.class);
    when(instanceState.getConfig()).thenReturn(instanceConfig);

    // Claim mapping: the mapper returns the pre-built mapped attributes for our SSOToken.
    final OpenIdConnectTokenClaimMapper claimMapper = mock(OpenIdConnectTokenClaimMapper.class);
    when(claimMapper.getCustomClaims(ssoToken, mappedClaimConfig)).thenReturn(mappedClaimAttributes);
    final OpenIdConnectTokenClaimMapperProvider claimMapperProvider =
            mock(OpenIdConnectTokenClaimMapperProvider.class);
    when(claimMapperProvider.getClaimMapper(any(OpenIdConnectTokenConfig.class))).thenReturn(claimMapper);

    // Invocation state with an auth_time of "now" in seconds.
    final long authTime = System.currentTimeMillis() / 1000;
    final TokenGenerationServiceInvocationState invocationState =
            mock(TokenGenerationServiceInvocationState.class);
    when(invocationState.getOpenIdConnectTokenGenerationState())
            .thenReturn(buildOpenIdConnectTokenGenerationState(authTime));

    final OpenIdConnectTokenGenerationImpl generator = new OpenIdConnectTokenGenerationImpl(
            identity, new JwtBuilderFactory(), claimMapperProvider,
            mock(CTSTokenPersistence.class), mock(Logger.class));
    final String oidcToken = generator.generate(ssoToken, instanceState, invocationState);

    final SignedJwt signedJwt = reconstructSignedJwt(oidcToken);
    final JwtClaimsSet claims = signedJwt.getClaimsSet();
    assertEquals(SUBJECT_NAME, claims.getSubject());
    assertEquals(AUDIENCE, claims.getAudience().get(0));
    assertEquals(AUTHN_CLASS_REFERENCE, claims.getClaim("acr", String.class));
    assertEquals(ISSUER, claims.getIssuer());
    assertEquals(EMAIL_CLAIM_VALUE, claims.get(EMAIL_CLAIM_KEY).asString());
    assertTrue(verifyHMACSignature(signedJwt));
}
Use of org.forgerock.json.jose.jwt.JwtClaimsSet in project OpenAM by OpenRock: class PolicyRequestTest, method getJwtSubject.
/**
 * Build a minimal signed JWT whose only claim is the given subject. The header is empty and the
 * signing handler is a no-op, so the result carries the subject but no real signature; this is a
 * test fixture, not a token that should be trusted anywhere.
 *
 * @param subjectName value for the {@code sub} claim
 * @return a SignedJwt containing only the subject claim
 */
private Jwt getJwtSubject(final String subjectName) {
    final JwtClaimsSet subjectOnly = new JwtClaimsSet();
    subjectOnly.setSubject(subjectName);
    final JwsHeader emptyHeader = new JwsHeader(Collections.<String, Object>emptyMap());
    return new SignedJwt(emptyHeader, subjectOnly, new NOPSigningHandler());
}