Use of org.forgerock.oauth2.core.OAuth2Jwt in the OpenAM project (OpenRock): the method verifyJwtBearer of class ClientCredentialsReader.
/**
 * Authenticates a client from a JWT bearer assertion (the {@code client_assertion}
 * request parameter) and returns the resulting {@link ClientCredentials}.
 * <p>
 * The checks run in this fixed order; each one fails closed by throwing the exception
 * built by {@code failureFactory}:
 * <ol>
 *   <li>the client registration for the JWT subject is looked up;</li>
 *   <li>the JWT must not be expired;</li>
 *   <li>{@code ClientRegistration#verifyJwtIdentity} must accept the JWT;</li>
 *   <li>when {@code basicAuth} is set (presumably: the request also carried HTTP Basic
 *       credentials), the request is rejected for using multiple authentication methods;</li>
 *   <li>when {@code endpoint} is non-null, the JWT audience must include it.</li>
 * </ol>
 * NOTE(review): with a null {@code endpoint} no audience check is performed at all,
 * so only pass null when the audience has been validated by the caller.
 * NOTE(review): no {@code jti} replay check and no not-before check are visible in this
 * method; whether {@code verifyJwtIdentity} covers them cannot be told from here.
 * NOTE(review): expiry is tested before the identity check, and every failure carries a
 * distinct message, so a caller can learn which check rejected an assertion.
 *
 * @param request   the OAuth2 request carrying the {@code client_assertion} parameter
 * @param basicAuth whether the request also presented another (Basic) client credential
 * @param endpoint  the audience the assertion must be addressed to, or null to skip the audience check
 * @return credentials for the JWT subject (no secret, authenticated flag set)
 * @throws InvalidClientException  from {@code failureFactory} when a check fails
 * @throws InvalidRequestException from {@code failureFactory} when a check fails
 * @throws NotFoundException       presumably from the registration lookup when the subject is unknown
 */
private ClientCredentials verifyJwtBearer(OAuth2Request request, boolean basicAuth, String endpoint) throws InvalidClientException, InvalidRequestException, NotFoundException {
    final String assertion = request.<String>getParameter(CLIENT_ASSERTION);
    final OAuth2Jwt assertionJwt = OAuth2Jwt.create(assertion);
    final String clientId = assertionJwt.getSubject();
    // The registration lookup precedes every JWT check, so an unknown subject fails here first.
    final ClientRegistration registration = clientRegistrationStore.get(clientId, request);

    if (assertionJwt.isExpired()) {
        throw failureFactory.getException(request, "JWT has expired");
    }
    if (!registration.verifyJwtIdentity(assertionJwt)) {
        throw failureFactory.getException(request, "JWT is not valid");
    }
    // A client may use only one authentication method per request (RFC 6749 §2.3).
    if (basicAuth && clientId != null) {
        logger.error("Client (" + clientId + ") using multiple authentication methods");
        throw failureFactory.getException(request, "Client authentication failed");
    }
    // Audience binding is conditional on the caller supplying the endpoint.
    if (endpoint != null && !assertionJwt.isIntendedForAudience(endpoint)) {
        throw failureFactory.getException(request, "Audience validation failed");
    }
    return new ClientCredentials(clientId, null, true, false);
}