use of org.jose4j.keys.resolvers.X509VerificationKeyResolver in project light-4j by networknt.
Class JwtHelper, method verifyJwt.
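/**
 * Verify a JWT's signature and expiry and return its claims.
 *
 * <p>Key lookup: the {@code kid} header of the token selects a certificate from
 * {@code certMap}; on a miss the certificate is fetched via {@code getCertFromOauth(kid)}
 * and, only when one was actually returned, stored in {@code certMap}. The kid is read
 * from the (not yet verified) token header, so an unknown kid triggers an outbound key
 * lookup; a failed lookup is no longer recorded as a {@code null} map entry, which kept
 * growing {@code certMap} without ever serving a later request.
 *
 * <p>When {@code enableJwtCache} is true, claims of previously verified tokens are served
 * from {@code cache} (keyed by the raw token string) after an expiry-only check.
 *
 * @param jwt String of Json web token
 * @return JwtClaims object
 * @throws InvalidJwtException if the token cannot be parsed, its signature does not verify,
 *         or its expiration claim is malformed
 * @throws ExpiredTokenException if the token is expired, allowing {@code secondsOfAllowedClockSkew}
 */
public static JwtClaims verifyJwt(String jwt) throws InvalidJwtException, ExpiredTokenException {
    JwtClaims claims;
    if (Boolean.TRUE.equals(enableJwtCache)) {
        claims = cache.getIfPresent(jwt);
        if (claims != null) {
            try {
                // A cached token already passed signature verification; only expiry can change since then.
                if (expiredWithClockSkew(claims)) {
                    logger.info("Cached jwt token is expired!");
                    throw new ExpiredTokenException("Token is expired");
                }
            } catch (MalformedClaimException e) {
                // A cached token was fully validated before, so this is not expected;
                // keep the original best-effort behaviour and still return the cached claims.
                logger.error("MalformedClaimException:", e);
            }
            return claims;
        }
    }
    // First pass: parse without any validation so the kid header and exp claim can be read.
    JwtConsumer consumer = new JwtConsumerBuilder().setSkipAllValidators().setDisableRequireSignature().setSkipSignatureVerification().build();
    JwtContext jwtContext = consumer.process(jwt);
    JwtClaims jwtClaims = jwtContext.getJwtClaims();
    JsonWebStructure structure = jwtContext.getJoseObjects().get(0);
    String kid = structure.getKeyIdHeaderValue();
    // Check expiry before resolving the key so an expired token never causes a key fetch.
    try {
        if (expiredWithClockSkew(jwtClaims)) {
            logger.info("jwt token is expired!");
            throw new ExpiredTokenException("Token is expired");
        }
    } catch (MalformedClaimException e) {
        logger.error("MalformedClaimException:", e);
        throw new InvalidJwtException("MalformedClaimException", new ErrorCodeValidator.Error(ErrorCodes.MALFORMED_CLAIM, "Invalid ExpirationTime Format"), e, jwtContext);
    }
    // Get the public key certificate from the cache that is loaded from security.yml; if it is not there,
    // go to the OAuth2 server /oauth2/key endpoint to get the public key certificate with kid as parameter.
    X509Certificate certificate = certMap == null ? null : certMap.get(kid);
    if (certificate == null) {
        certificate = getCertFromOauth(kid);
        // Only remember successful lookups: a null entry would be re-fetched on the next call anyway,
        // and unknown kids (attacker-chosen header values) must not accumulate in the map.
        if (certificate != null) {
            // certMap is null if bootstrapFromKeyService is true (per the original comment)
            if (certMap == null) {
                certMap = new HashMap<>();
            }
            // NOTE(review): certMap is a plain HashMap mutated from a static method; if it is shared
            // across request threads this write is not thread-safe — confirm how certMap is declared.
            certMap.put(kid, certificate);
        }
    }
    // NOTE(review): if certificate is still null here, behaviour is left as before (the resolver is
    // built with it and jose4j decides the outcome) — confirm getCertFromOauth's null contract.
    X509VerificationKeyResolver x509VerificationKeyResolver = new X509VerificationKeyResolver(certificate);
    x509VerificationKeyResolver.setTryAllOnNoThumbHeader(true);
    // Second pass: full validation, this time with the signature checked against the resolved certificate.
    consumer = new JwtConsumerBuilder().setRequireExpirationTime().setAllowedClockSkewInSeconds(secondsOfAllowedClockSkew).setSkipDefaultAudienceValidation().setVerificationKeyResolver(x509VerificationKeyResolver).build();
    jwtContext = consumer.process(jwt);
    claims = jwtContext.getJwtClaims();
    if (Boolean.TRUE.equals(enableJwtCache)) {
        cache.put(jwt, claims);
    }
    return claims;
}

/**
 * Returns true when the token's {@code exp} claim is at or before now minus the allowed clock skew.
 *
 * @param claims the claims whose expiration time is checked
 * @return true if the token counts as expired
 * @throws MalformedClaimException if the expiration claim cannot be read as a date
 */
private static boolean expiredWithClockSkew(JwtClaims claims) throws MalformedClaimException {
    return (NumericDate.now().getValue() - secondsOfAllowedClockSkew) >= claims.getExpirationTime().getValue();
}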