
Example 1 with OAuth2Jwt

Use of org.forgerock.oauth2.core.OAuth2Jwt in project OpenAM by OpenRock.

Class ClientCredentialsReader, method verifyJwtBearer (JWT bearer client authentication via the client_assertion parameter, RFC 7523).

private ClientCredentials verifyJwtBearer(OAuth2Request request, boolean basicAuth, String endpoint)
        throws InvalidClientException, InvalidRequestException, NotFoundException {
    // Parse the client_assertion JWT sent by the client.
    final OAuth2Jwt jwt = OAuth2Jwt.create(request.<String>getParameter(CLIENT_ASSERTION));
    // Resolve the client registration from the JWT's "sub" claim. Note the ordering: the
    // registration lookup happens before the assertion itself has been validated.
    final ClientRegistration clientRegistration = clientRegistrationStore.get(jwt.getSubject(), request);
    // Reject expired assertions ("exp" claim).
    if (jwt.isExpired()) {
        throw failureFactory.getException(request, "JWT has expired");
    }
    // Verify the assertion against the client's registration (the concrete checks live in ClientRegistration).
    if (!clientRegistration.verifyJwtIdentity(jwt)) {
        throw failureFactory.getException(request, "JWT is not valid");
    }
    // A client must not authenticate with HTTP Basic and a JWT assertion in the same request.
    if (basicAuth && jwt.getSubject() != null) {
        logger.error("Client (" + jwt.getSubject() + ") using multiple authentication methods");
        throw failureFactory.getException(request, "Client authentication failed");
    }
    // Audience ("aud") is only checked when the caller supplies the endpoint the assertion must target.
    if (endpoint != null && !jwt.isIntendedForAudience(endpoint)) {
        throw failureFactory.getException(request, "Audience validation failed");
    }
    // Success: the client is identified by the assertion's subject; no secret is carried forward.
    return new ClientCredentials(jwt.getSubject(), null, true, false);
}
Types used in this method: OpenIdConnectClientRegistration (org.forgerock.openidconnect.OpenIdConnectClientRegistration), ClientRegistration (org.forgerock.oauth2.core.ClientRegistration), OAuth2Jwt (org.forgerock.oauth2.core.OAuth2Jwt).
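The same sequence of checks, as an added stand-alone example written for this page in Python; it is not OpenAM code and does not reproduce what OpenAM's verifyJwtIdentity does internally. It assumes the client registered a shared secret and signs its assertion with HS256 (the client_secret_jwt style); TOKEN_ENDPOINT, the CLIENTS registry and all assertions are constructed here. The last two checks (the "iss" claim must equal the client_id, and "jti" may be tracked to refuse replays) come from RFC 7523 section 3 and go beyond what the method on this page does.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical token endpoint and client registry (constructed; stands in for clientRegistrationStore).
TOKEN_ENDPOINT = "https://as.example.com/oauth2/access_token"
CLIENTS = {"app-123": b"constructed-client-secret-do-not-reuse"}  # client_id -> registered secret


class InvalidClient(Exception):
    """Any client-authentication failure; the message mirrors the failure strings on the page."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_assertion(client_id, secret, aud, now, lifetime=60, jti=None):
    """Client side: build an HS256 client_assertion with iss == sub == client_id (RFC 7523 section 3)."""
    claims = {"iss": client_id, "sub": client_id, "aud": aud, "iat": now, "exp": now + lifetime}
    if jti is not None:
        claims["jti"] = jti
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_jwt_bearer(client_assertion, basic_auth, endpoint, now, seen_jti=None):
    """Server side: the checks of verifyJwtBearer in the same order; returns the authenticated client_id."""
    try:
        h64, c64, s64 = client_assertion.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(c64))
        signature = _b64url_decode(s64)
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError("JWT parts are not JSON objects")
    except ValueError:  # covers JSON, base64 and UTF-8 decoding errors
        raise InvalidClient("JWT is not valid")
    # 1. Resolve the client from "sub" (the page does this before validating the assertion).
    subject = claims.get("sub")
    secret = CLIENTS.get(subject) if isinstance(subject, str) else None
    if secret is None:
        raise InvalidClient("Client authentication failed")
    # 2. Expiry.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise InvalidClient("JWT has expired")
    # 3. Identity: the algorithm is fixed by the registration, never taken from the header,
    #    and the MAC is compared in constant time.
    if header.get("alg") != "HS256":
        raise InvalidClient("JWT is not valid")
    expected = hmac.new(secret, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise InvalidClient("JWT is not valid")
    # 4. HTTP Basic plus an assertion in one request is rejected.
    if basic_auth:
        raise InvalidClient("Client authentication failed")
    # 5. Audience, only when the caller names the endpoint; "aud" may be a string or a list.
    if endpoint is not None:
        aud = claims.get("aud")
        if endpoint not in (aud if isinstance(aud, list) else [aud]):
            raise InvalidClient("Audience validation failed")
    # Beyond the page (RFC 7523 section 3): "iss" must be the client_id, and "jti" can be
    # remembered so a captured assertion cannot be replayed within its lifetime.
    if claims.get("iss") != subject:
        raise InvalidClient("JWT is not valid")
    if seen_jti is not None:
        jti = claims.get("jti")
        if not isinstance(jti, str) or jti in seen_jti:
            raise InvalidClient("JWT is not valid")
        seen_jti.add(jti)
    return subject


def authenticate(client_assertion, basic_auth, endpoint, now, seen_jti=None):
    """Convenience wrapper: (client_id, None) on success, (None, reason) on failure."""
    try:
        return verify_jwt_bearer(client_assertion, basic_auth, endpoint, now, seen_jti), None
    except InvalidClient as exc:
        return None, str(exc)


if __name__ == "__main__":
    now = int(time.time())
    good = mint_assertion("app-123", CLIENTS["app-123"], TOKEN_ENDPOINT, now, jti="once")
    print(authenticate(good, False, TOKEN_ENDPOINT, now))
    print(authenticate(good, True, TOKEN_ENDPOINT, now))
```

Passing `seen_jti` as a set shared across requests turns on the replay check; with `endpoint=None` the audience check is skipped exactly as in the Java method, which is why a caller should always pass the endpoint it is actually serving.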
