
Example 1 with JOSE

Use of org.keycloak.jose.JOSE in the project keycloak by keycloak.

From the class DefaultTokenManager, the method decodeClientJWT:

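/**
 * Decodes a client-supplied JWT (either a plain JWS or a JWE, optionally wrapping a JWS)
 * into {@code clazz}.
 *
 * <p>The caller-supplied {@code jwtValidator} is applied to the outer token before any key
 * material is used, and again to a nested JWS found inside a decrypted JWE, so header checks
 * (e.g. algorithm restrictions) cannot be bypassed by wrapping a token in an encryption layer.
 * A decrypted payload that does not parse as a JOSE object is deserialized as plain JSON.
 *
 * @param jwt          the compact-serialized token, or {@code null}
 * @param client       the client the token is attributed to
 * @param jwtValidator hook that inspects a parsed token's headers for {@code client} and throws
 *                     when they are not acceptable
 * @param clazz        the target type of the decoded payload
 * @return the decoded payload, or {@code null} when {@code jwt} is {@code null}
 * @throws RuntimeException when no realm key can decrypt the JWE, decryption fails, the payload
 *                          cannot be deserialized, or the validator/signature check rejects the
 *                          token (the original cause is kept, not swallowed)
 */
@Override
public <T> T decodeClientJWT(String jwt, ClientModel client, BiConsumer<JOSE, ClientModel> jwtValidator, Class<T> clazz) {
    if (jwt == null) {
        return null;
    }
    JOSE joseToken = JOSEParser.parse(jwt);
    // Validate the outer token first; nothing below touches realm keys for a rejected token.
    jwtValidator.accept(joseToken, client);
    if (!(joseToken instanceof JWE)) {
        // NOTE(review): assumes JOSEParser only yields JWE or JWSInput here; confirm, otherwise
        // this cast raises ClassCastException for other JOSE types.
        return verifyJWS(client, clazz, (JWSInput) joseToken);
    }
    try {
        JWE jwe = (JWE) joseToken;
        Key privateKey = findDecryptionKey(jwe.getHeader().getKeyId())
                .map(KeyWrapper::getPrivateKey)
                .orElseThrow(() -> new RuntimeException("Could not find private key for decrypting token"));
        jwe.getKeyStorage().setDecryptionKey(privateKey);
        byte[] content = jwe.verifyAndDecodeJwe().getContent();

        JOSE nested = parseNestedJose(content);
        if (nested instanceof JWSInput) {
            // Only the "is this a JOSE object at all" check is best-effort. Validation and
            // signature failures of a nested JWS must propagate: previously they were swallowed
            // by a catch-all and the code fell through to the unverified JSON path, which then
            // failed with a misleading "Failed to deserialize JWT" instead of the real cause.
            jwtValidator.accept(nested, client);
            return verifyJWS(client, clazz, (JWSInput) nested);
        }
        return JsonSerialization.readValue(content, clazz);
    } catch (IOException cause) {
        throw new RuntimeException("Failed to deserialize JWT", cause);
    } catch (JWEException cause) {
        throw new RuntimeException("Failed to decrypt JWT", cause);
    }
}

/**
 * Selects the realm key used to decrypt an incoming JWE.
 *
 * <p>The {@code kid} comes from an unauthenticated token header; it is used only as a lookup
 * hint over the realm's own {@link KeyUse#ENC} keys, so a client-chosen value cannot select a
 * key of another use or realm.
 *
 * @param kid the token's {@code kid} header, or {@code null}
 * @return the ENC key with that kid; when {@code kid} is {@code null}, the ENC key with a public
 *         key and the highest provider priority; empty when nothing matches
 */
private Optional<KeyWrapper> findDecryptionKey(String kid) {
    Stream<KeyWrapper> keys = session.keys().getKeysStream(session.getContext().getRealm());
    if (kid == null) {
        // max() is a single pass and keeps the first of equal-priority keys, like the former
        // sorted(reversed).findFirst().
        return keys.filter(k -> KeyUse.ENC.equals(k.getUse()) && k.getPublicKey() != null)
                .max(Comparator.comparingLong(KeyWrapper::getProviderPriority));
    }
    // kid.equals(k.getKid()) rather than k.getKid().equals(kid): a key without a kid no longer
    // aborts the lookup with a NullPointerException.
    return keys.filter(k -> KeyUse.ENC.equals(k.getUse()) && kid.equals(k.getKid())).findAny();
}

/**
 * Tries to parse decrypted JWE content as a nested JOSE object.
 *
 * @param content the decrypted payload; decoded as UTF-8 (the encoding JOSE/JWT mandate) instead
 *                of the platform default charset
 * @return the parsed object, or {@code null} when the payload is not a JOSE compact serialization
 */
private JOSE parseNestedJose(byte[] content) {
    try {
        return JOSEParser.parse(new String(content, java.nio.charset.StandardCharsets.UTF_8));
    } catch (RuntimeException ignored) {
        // Not a JOSE object (JOSEParser.parse declares no checked exceptions); the caller
        // deserializes the payload as plain JSON instead.
        return null;
    }
}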
