
Example 1 with JWE

use of org.keycloak.jose.jwe.JWE in project keycloak by keycloak.

the class TokenUtil method jweKeyEncryptionVerifyAndDecode.

/**
 * Verifies and decrypts a compact-serialized JWE using the given key-encryption key
 * and returns the plaintext payload.
 *
 * @param decryptionKEK  the key-encryption key (KEK) installed as the JWE decryption key
 * @param encodedContent the JWE in compact serialization
 * @return the decrypted content bytes
 * @throws JWEException if the token cannot be verified or decrypted
 */
public static byte[] jweKeyEncryptionVerifyAndDecode(Key decryptionKEK, String encodedContent) throws JWEException {
    final JWE token = new JWE();
    token.getKeyStorage().setDecryptionKey(decryptionKEK);
    // The content is read only after verifyAndDecodeJwe has run, which is expected to populate it.
    token.verifyAndDecodeJwe(encodedContent);
    return token.getContent();
}

Example 2 with JWE

use of org.keycloak.jose.jwe.JWE in project keycloak by keycloak.

the class TokenUtil method jweKeyEncryptionEncode.

/**
 * Encrypts {@code contentBytes} into a compact-serialized JWE using the given
 * key-encryption key and the supplied algorithm/encryption providers.
 *
 * @param encryptionKEK         the key-encryption key (KEK) installed as the JWE encryption key
 * @param contentBytes          plaintext payload to encrypt
 * @param jweHeader             header describing the JWE (algorithms, kid, ...)
 * @param jweAlgorithmProvider  key-management algorithm provider passed to {@code encodeJwe}
 * @param jweEncryptionProvider content-encryption provider passed to {@code encodeJwe}
 * @return the JWE in compact serialization
 * @throws JWEException if encoding fails
 */
private static String jweKeyEncryptionEncode(Key encryptionKEK, byte[] contentBytes, JWEHeader jweHeader, JWEAlgorithmProvider jweAlgorithmProvider, JWEEncryptionProvider jweEncryptionProvider) throws JWEException {
    final JWE token = new JWE()
            .header(jweHeader)
            .content(contentBytes);
    token.getKeyStorage().setEncryptionKey(encryptionKEK);
    return token.encodeJwe(jweAlgorithmProvider, jweEncryptionProvider);
}

Example 3 with JWE

use of org.keycloak.jose.jwe.JWE in project keycloak by keycloak.

the class TokenUtil method jweKeyEncryptionVerifyAndDecode.

/**
 * Verifies and decrypts a compact-serialized JWE with explicitly supplied
 * key-management and content-encryption providers, returning the plaintext payload.
 *
 * @param decryptionKEK      the key-encryption key (KEK) installed as the JWE decryption key
 * @param encodedContent     the JWE in compact serialization
 * @param algorithmProvider  key-management algorithm provider passed to {@code verifyAndDecodeJwe}
 * @param encryptionProvider content-encryption provider passed to {@code verifyAndDecodeJwe}
 * @return the decrypted content bytes
 * @throws JWEException if the token cannot be verified or decrypted
 */
public static byte[] jweKeyEncryptionVerifyAndDecode(Key decryptionKEK, String encodedContent, JWEAlgorithmProvider algorithmProvider, JWEEncryptionProvider encryptionProvider) throws JWEException {
    final JWE token = new JWE();
    token.getKeyStorage().setDecryptionKey(decryptionKEK);
    // Providers are chosen by the caller here instead of being inferred from the header.
    token.verifyAndDecodeJwe(encodedContent, algorithmProvider, encryptionProvider);
    return token.getContent();
}

Example 4 with JWE

use of org.keycloak.jose.jwe.JWE in project keycloak by keycloak.

the class DefaultTokenManager method decodeClientJWT.

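/**
 * Decodes a client-supplied token that is either a JWS or a JWE. A JWE is decrypted
 * with the realm's encryption key; its payload is then treated as a nested JWS if it
 * parses as one, otherwise as plain JSON.
 *
 * @param jwt          compact-serialized token, or {@code null}
 * @param client       client the token is validated against
 * @param jwtValidator validation applied to the outer token and, when present, the nested JWS
 * @param clazz        type to deserialize the payload into
 * @return the decoded payload, or {@code null} when {@code jwt} is {@code null}
 * @throws RuntimeException if no usable decryption key is found, decryption fails,
 *                          or the payload cannot be deserialized
 */
@Override
public <T> T decodeClientJWT(String jwt, ClientModel client, BiConsumer<JOSE, ClientModel> jwtValidator, Class<T> clazz) {
    if (jwt == null) {
        return null;
    }
    JOSE joseToken = JOSEParser.parse(jwt);
    // Outer token is validated before any decryption work is done.
    jwtValidator.accept(joseToken, client);
    if (joseToken instanceof JWE) {
        try {
            String kid = joseToken.getHeader().getKeyId();
            Stream<KeyWrapper> keys = session.keys().getKeysStream(session.getContext().getRealm());
            Optional<KeyWrapper> activeKey;
            if (kid == null) {
                // No kid in the header: take the highest-priority realm encryption key.
                activeKey = keys
                        .filter(k -> KeyUse.ENC.equals(k.getUse()) && k.getPublicKey() != null)
                        .sorted(Comparator.comparingLong(KeyWrapper::getProviderPriority).reversed())
                        .findFirst();
            } else {
                // kid.equals(k.getKid()) is null-safe for realm keys that carry no kid.
                activeKey = keys
                        .filter(k -> KeyUse.ENC.equals(k.getUse()) && kid.equals(k.getKid()))
                        .findAny();
            }
            JWE jwe = (JWE) joseToken;
            // Optional.map yields empty when getPrivateKey() returns null, so a key without
            // private material is reported exactly like a missing key.
            Key privateKey = activeKey.map(KeyWrapper::getPrivateKey)
                    .orElseThrow(() -> new RuntimeException("Could not find private key for decrypting token"));
            jwe.getKeyStorage().setDecryptionKey(privateKey);
            byte[] content = jwe.verifyAndDecodeJwe().getContent();
            JOSE nested = null;
            try {
                // Explicit charset: compact JOSE serialization is ASCII-compatible, and
                // pre-JDK-18 runtimes would otherwise apply the platform default here.
                nested = JOSEParser.parse(new String(content, java.nio.charset.StandardCharsets.UTF_8));
            } catch (Exception ignored) {
                // Best effort: the payload is not a parseable JOSE token; treat it as plain JSON below.
            }
            // Only the parse is inside the swallow-all block above. Validation and signature
            // verification of a nested JWS run here so that their failures propagate instead of
            // being masked by a later "Failed to deserialize JWT" from the JSON fallback.
            if (nested instanceof JWSInput) {
                jwtValidator.accept(nested, client);
                return verifyJWS(client, clazz, (JWSInput) nested);
            }
            // Payload that is not a JWS reaches this point having passed only the outer (JWE) validation.
            return JsonSerialization.readValue(content, clazz);
        } catch (IOException cause) {
            throw new RuntimeException("Failed to deserialize JWT", cause);
        } catch (JWEException cause) {
            throw new RuntimeException("Failed to decrypt JWT", cause);
        }
    }
    return verifyJWS(client, clazz, (JWSInput) joseToken);
}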

Example 5 with JWE

use of org.keycloak.jose.jwe.JWE in project keycloak by keycloak.

the class OIDCAdvancedRequestParamsTest method assertRequestObjectEncryption.

/**
 * Test helper: builds an authorization request object, encrypts it as a JWE for the
 * server's published encryption key, sends it as the {@code request} parameter and
 * asserts that login succeeds.
 *
 * @param jweHeader header selecting the JWE algorithms and, optionally, the server key id
 * @throws Exception on any HTTP, serialization or encryption failure
 */
private void assertRequestObjectEncryption(JWEHeader jweHeader) throws Exception {
    final TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject request =
            new TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject();
    final long now = Time.currentTime();
    request.id(KeycloakModelUtils.generateId());
    request.iat(now);
    // Five-minute validity window starting at iat.
    request.exp(now + 300L);
    request.nbf(now);
    request.setClientId(oauth.getClientId());
    request.setResponseType("code");
    request.setRedirectUriParam(oauth.getRedirectUri());
    request.setScope("openid");
    final byte[] payload = JsonSerialization.writeValueAsBytes(request);
    try (CloseableHttpClient client = HttpClientBuilder.create().build()) {
        final String discoveryUrl = getAuthServerRoot().toString() + "realms/" + oauth.getRealm() + "/.well-known/openid-configuration";
        final OIDCConfigurationRepresentation discovery =
                SimpleHttp.doGet(discoveryUrl, client).asJson(OIDCConfigurationRepresentation.class);
        final JSONWebKeySet jwks = SimpleHttp.doGet(discovery.getJwksUri(), client).asJson(JSONWebKeySet.class);
        final Map<String, PublicKey> encryptionKeys = JWKSUtils.getKeysForUse(jwks, JWK.Use.ENCRYPTION);
        String kid = jweHeader.getKeyId();
        if (kid == null) {
            // Header names no key: use the realm's active encryption key from the admin API.
            final KeysMetadataRepresentation.KeyMetadataRepresentation activeEncKey =
                    KeyUtils.getActiveEncKey(testRealm().keys().getKeyMetadata(), org.keycloak.crypto.Algorithm.PS256);
            kid = activeEncKey.getKid();
        }
        // Public half of the server key, used here to wrap the content-encryption key.
        final PublicKey serverEncryptionKey = encryptionKeys.get(kid);
        final JWE jwe = new JWE().header(jweHeader).content(payload);
        jwe.getKeyStorage().setEncryptionKey(serverEncryptionKey);
        oauth = oauth.request(jwe.encodeJwe());
        oauth.doLogin("test-user@localhost", "password");
        events.expectLogin().assertEvent();
    }
}
