
Example 1 with X509VerificationKeyResolver

Use of org.jose4j.keys.resolvers.X509VerificationKeyResolver in the project light-4j by networknt.

Taken from the method verifyJwt of the class JwtHelper.

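/**
 * Verify JWT token signature as well as expiry.
 * <p>
 * If the JWT cache is enabled and the token was verified before, the cached claims are
 * returned after re-checking only the expiration time. Otherwise the token is parsed once
 * without any validation to read the {@code exp} claim and the {@code kid} header, the
 * certificate for that {@code kid} is looked up in {@code certMap} (falling back to the
 * OAuth2 key endpoint), and the token is then fully validated, signature included, with
 * that certificate before its claims are returned or cached.
 *
 * @param jwt String of Json web token
 * @return JwtClaims object
 * @throws InvalidJwtException when the token cannot be parsed, its {@code exp} claim is
 *         missing or malformed, no certificate can be resolved for its {@code kid}, or
 *         signature verification fails
 * @throws ExpiredTokenException when the token is at or past its expiration time, allowing
 *         for {@code secondsOfAllowedClockSkew}
 */
public static JwtClaims verifyJwt(String jwt) throws InvalidJwtException, ExpiredTokenException {
    JwtClaims claims;
    if (Boolean.TRUE.equals(enableJwtCache)) {
        claims = cache.getIfPresent(jwt);
        if (claims != null) {
            // A cached entry was fully verified when it was stored, so only the expiration
            // time can have changed since; the signature is not re-checked here.
            try {
                // Expiry is still checked because tokens from other clients may sit in the
                // cache long enough to expire.
                if (isExpiredAllowingSkew(claims.getExpirationTime())) {
                    logger.info("Cached jwt token is expired!");
                    throw new ExpiredTokenException("Token is expired");
                }
            } catch (MalformedClaimException e) {
                // Cached claims already passed the verifying consumer below, so this is not expected.
                logger.error("MalformedClaimException:", e);
            }
            return claims;
        }
    }
    // First pass: parse without any validation to obtain the exp claim and the kid header.
    // Nothing read here is authenticated yet, so kid is used only as a lookup key and these
    // claims are never returned or cached; the verifying pass below produces the result.
    JwtConsumer consumer = new JwtConsumerBuilder().setSkipAllValidators().setDisableRequireSignature().setSkipSignatureVerification().build();
    JwtContext jwtContext = consumer.process(jwt);
    JwtClaims jwtClaims = jwtContext.getJwtClaims();
    JsonWebStructure structure = jwtContext.getJoseObjects().get(0);
    String kid = structure.getKeyIdHeaderValue();
    // Expiration is checked manually before any certificate lookup so that an expired token is
    // reported as ExpiredTokenException rather than a generic InvalidJwtException, and so that
    // no key-endpoint round trip is made for it.
    NumericDate expirationTime;
    try {
        expirationTime = jwtClaims.getExpirationTime();
    } catch (MalformedClaimException e) {
        logger.error("MalformedClaimException:", e);
        throw new InvalidJwtException("MalformedClaimException", new ErrorCodeValidator.Error(ErrorCodes.MALFORMED_CLAIM, "Invalid ExpirationTime Format"), e, jwtContext);
    }
    if (expirationTime == null) {
        // A token without exp would otherwise fail with a NullPointerException on getValue();
        // the verifying consumer below requires exp anyway, so reject it as invalid up front.
        throw new InvalidJwtException("Missing ExpirationTime", new ErrorCodeValidator.Error(ErrorCodes.EXPIRATION_MISSING, "Missing ExpirationTime"), jwtContext);
    }
    if (isExpiredAllowingSkew(expirationTime)) {
        logger.info("jwt token is expired!");
        throw new ExpiredTokenException("Token is expired");
    }
    // get the public key certificate from the cache that is loaded from security.yml if it is not there,
    // go to OAuth2 server /oauth2/key endpoint to get the public key certificate with kid as parameter.
    X509Certificate certificate = certMap == null ? null : certMap.get(kid);
    if (certificate == null) {
        certificate = getCertFromOauth(kid);
        if (certificate == null) {
            // Do not cache a miss: it would leave a null entry in certMap and hand null to the
            // key resolver. Only certificates actually returned by the key service are stored,
            // so the map cannot grow beyond the keys that service knows.
            throw new InvalidJwtException("No certificate found for kid " + kid, new ErrorCodeValidator.Error(ErrorCodes.MISCELLANEOUS, "No certificate for key id " + kid), jwtContext);
        }
        // certMap is null if bootstrapFromKeyService is true.
        // NOTE(review): certMap is a plain HashMap shared by all request threads, so concurrent
        // first-time lookups can race on its creation and this put — confirm whether a
        // ConcurrentMap is needed for the field.
        if (certMap == null)
            certMap = new HashMap<>();
        certMap.put(kid, certificate);
    }
    X509VerificationKeyResolver x509VerificationKeyResolver = new X509VerificationKeyResolver(certificate);
    // Tokens here are matched by kid rather than by an x5t thumbprint header; without this the
    // resolver would presumably resolve nothing for a token lacking x5t, so let it try the
    // (single) certificate it was given.
    x509VerificationKeyResolver.setTryAllOnNoThumbHeader(true);
    // Second pass: signature verification against the resolved certificate plus the standard
    // expiration check with the same clock skew. Audience validation is deliberately skipped.
    consumer = new JwtConsumerBuilder().setRequireExpirationTime().setAllowedClockSkewInSeconds(secondsOfAllowedClockSkew).setSkipDefaultAudienceValidation().setVerificationKeyResolver(x509VerificationKeyResolver).build();
    jwtContext = consumer.process(jwt);
    claims = jwtContext.getJwtClaims();
    if (Boolean.TRUE.equals(enableJwtCache)) {
        // Only fully verified claims are cached, keyed by the raw token string.
        cache.put(jwt, claims);
    }
    return claims;
}

/**
 * Tell whether an expiration time has been reached, allowing for clock skew.
 * <p>
 * The token is treated as expired once "now minus {@code secondsOfAllowedClockSkew}" is at
 * or past the expiration time, i.e. a token is accepted for up to the skew beyond its exp.
 *
 * @param expirationTime the token's exp claim, must not be null
 * @return true when the token is expired
 */
private static boolean isExpiredAllowingSkew(NumericDate expirationTime) {
    return (NumericDate.now().getValue() - secondsOfAllowedClockSkew) >= expirationTime.getValue();
}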
