Example 1 with JWEException
use of org.keycloak.jose.jwe.JWEException in project keycloak by keycloak.
the class CIBAAuthenticationRequest method deserialize.
/**
* Deserialize the given {@code jwe} to a {@link CIBAAuthenticationRequest} instance.
*
* @param session the session
* @param jwe the authentication request in JWE format.
* @return the authentication request instance
* @throws Exception
*/
public static CIBAAuthenticationRequest deserialize(KeycloakSession session, String jwe) {
SecretKey aesKey = session.keys().getActiveKey(session.getContext().getRealm(), KeyUse.ENC, Algorithm.AES).getSecretKey();
SecretKey hmacKey = session.keys().getActiveKey(session.getContext().getRealm(), KeyUse.SIG, Algorithm.HS256).getSecretKey();
try {
byte[] contentBytes = TokenUtil.jweDirectVerifyAndDecode(aesKey, hmacKey, jwe);
jwe = new String(contentBytes, "UTF-8");
} catch (JWEException | UnsupportedEncodingException e) {
throw new RuntimeException("Error decoding auth_req_id.", e);
}
return session.tokens().decode(jwe, CIBAAuthenticationRequest.class);
}
Also used :
SecretKey(javax.crypto.SecretKey)
JWEException(org.keycloak.jose.jwe.JWEException)
UnsupportedEncodingException(java.io.UnsupportedEncodingException)
Example 2 with JWEException
use of org.keycloak.jose.jwe.JWEException in project keycloak by keycloak.
the class DefaultTokenManager method decodeClientJWT.
@Override
public <T> T decodeClientJWT(String jwt, ClientModel client, BiConsumer<JOSE, ClientModel> jwtValidator, Class<T> clazz) {
if (jwt == null) {
return null;
}
JOSE joseToken = JOSEParser.parse(jwt);
jwtValidator.accept(joseToken, client);
if (joseToken instanceof JWE) {
try {
Optional<KeyWrapper> activeKey;
String kid = joseToken.getHeader().getKeyId();
Stream<KeyWrapper> keys = session.keys().getKeysStream(session.getContext().getRealm());
if (kid == null) {
activeKey = keys.filter(k -> KeyUse.ENC.equals(k.getUse()) && k.getPublicKey() != null).sorted(Comparator.comparingLong(KeyWrapper::getProviderPriority).reversed()).findFirst();
} else {
activeKey = keys.filter(k -> KeyUse.ENC.equals(k.getUse()) && k.getKid().equals(kid)).findAny();
}
JWE jwe = JWE.class.cast(joseToken);
Key privateKey = activeKey.map(KeyWrapper::getPrivateKey).orElseThrow(() -> new RuntimeException("Could not find private key for decrypting token"));
jwe.getKeyStorage().setDecryptionKey(privateKey);
byte[] content = jwe.verifyAndDecodeJwe().getContent();
try {
JOSE jws = JOSEParser.parse(new String(content));
if (jws instanceof JWSInput) {
jwtValidator.accept(jws, client);
return verifyJWS(client, clazz, (JWSInput) jws);
}
} catch (Exception ignore) {
// try to decrypt content as is
}
return JsonSerialization.readValue(content, clazz);
} catch (IOException cause) {
throw new RuntimeException("Failed to deserialize JWT", cause);
} catch (JWEException cause) {
throw new RuntimeException("Failed to decrypt JWT", cause);
}
}
return verifyJWS(client, clazz, (JWSInput) joseToken);
}
Also used :
KeyWrapper(org.keycloak.crypto.KeyWrapper)
ClientModel(org.keycloak.models.ClientModel)
KeycloakModelUtils(org.keycloak.models.utils.KeycloakModelUtils)
LogoutToken(org.keycloak.representations.LogoutToken)
Logger(org.jboss.logging.Logger)
SignatureSignerContext(org.keycloak.crypto.SignatureSignerContext)
Constants(org.keycloak.models.Constants)
Algorithm(org.keycloak.crypto.Algorithm)
JWEEncryptionProvider(org.keycloak.jose.jwe.enc.JWEEncryptionProvider)
Function(java.util.function.Function)
Supplier(java.util.function.Supplier)
Token(org.keycloak.Token)
SignatureProvider(org.keycloak.crypto.SignatureProvider)
TokenUtil(org.keycloak.util.TokenUtil)
UserModel(org.keycloak.models.UserModel)
ContentEncryptionProvider(org.keycloak.crypto.ContentEncryptionProvider)
JWEAlgorithmProvider(org.keycloak.jose.jwe.alg.JWEAlgorithmProvider)
AuthenticatedClientSessionModel(org.keycloak.models.AuthenticatedClientSessionModel)
OIDCAdvancedConfigWrapper(org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper)
BiConsumer(java.util.function.BiConsumer)
TokenManager(org.keycloak.models.TokenManager)
JOSEParser(org.keycloak.jose.JOSEParser)
RealmModel(org.keycloak.models.RealmModel)
JWE(org.keycloak.jose.jwe.JWE)
JWK(org.keycloak.jose.jwk.JWK)
Predicate(java.util.function.Predicate)
JWEException(org.keycloak.jose.jwe.JWEException)
PublicKeyStorageManager(org.keycloak.keys.loader.PublicKeyStorageManager)
KeycloakSession(org.keycloak.models.KeycloakSession)
IOException(java.io.IOException)
CekManagementProvider(org.keycloak.crypto.CekManagementProvider)
TokenCategory(org.keycloak.TokenCategory)
JsonSerialization(org.keycloak.util.JsonSerialization)
Key(java.security.Key)
OIDCConfigAttributes(org.keycloak.protocol.oidc.OIDCConfigAttributes)
Stream(java.util.stream.Stream)
KeyUse(org.keycloak.crypto.KeyUse)
PrivateKey(java.security.PrivateKey)
OIDCLoginProtocol(org.keycloak.protocol.oidc.OIDCLoginProtocol)
Optional(java.util.Optional)
JOSE(org.keycloak.jose.JOSE)
Comparator(java.util.Comparator)
ClientSignatureVerifierProvider(org.keycloak.crypto.ClientSignatureVerifierProvider)
UnsupportedEncodingException(java.io.UnsupportedEncodingException)
JWEException(org.keycloak.jose.jwe.JWEException)
IOException(java.io.IOException)
JWEException(org.keycloak.jose.jwe.JWEException)
IOException(java.io.IOException)
UnsupportedEncodingException(java.io.UnsupportedEncodingException)
KeyWrapper(org.keycloak.crypto.KeyWrapper)
JOSE(org.keycloak.jose.JOSE)
JWE(org.keycloak.jose.jwe.JWE)
Key(java.security.Key)
PrivateKey(java.security.PrivateKey)
Example 3 with JWEException
use of org.keycloak.jose.jwe.JWEException in project keycloak by keycloak.
the class DefaultTokenManager method getEncryptedToken.
private String getEncryptedToken(TokenCategory category, String encodedToken) {
String encryptedToken = null;
String algAlgorithm = cekManagementAlgorithm(category);
String encAlgorithm = encryptAlgorithm(category);
CekManagementProvider cekManagementProvider = session.getProvider(CekManagementProvider.class, algAlgorithm);
JWEAlgorithmProvider jweAlgorithmProvider = cekManagementProvider.jweAlgorithmProvider();
ContentEncryptionProvider contentEncryptionProvider = session.getProvider(ContentEncryptionProvider.class, encAlgorithm);
JWEEncryptionProvider jweEncryptionProvider = contentEncryptionProvider.jweEncryptionProvider();
ClientModel client = session.getContext().getClient();
KeyWrapper keyWrapper = PublicKeyStorageManager.getClientPublicKeyWrapper(session, client, JWK.Use.ENCRYPTION, algAlgorithm);
if (keyWrapper == null) {
throw new RuntimeException("can not get encryption KEK");
}
Key encryptionKek = keyWrapper.getPublicKey();
String encryptionKekId = keyWrapper.getKid();
try {
encryptedToken = TokenUtil.jweKeyEncryptionEncode(encryptionKek, encodedToken.getBytes("UTF-8"), algAlgorithm, encAlgorithm, encryptionKekId, jweAlgorithmProvider, jweEncryptionProvider);
} catch (JWEException | UnsupportedEncodingException e) {
throw new RuntimeException(e);
}
return encryptedToken;
}
Also used :
KeyWrapper(org.keycloak.crypto.KeyWrapper)
ClientModel(org.keycloak.models.ClientModel)
ContentEncryptionProvider(org.keycloak.crypto.ContentEncryptionProvider)
JWEAlgorithmProvider(org.keycloak.jose.jwe.alg.JWEAlgorithmProvider)
JWEException(org.keycloak.jose.jwe.JWEException)
UnsupportedEncodingException(java.io.UnsupportedEncodingException)
JWEEncryptionProvider(org.keycloak.jose.jwe.enc.JWEEncryptionProvider)
Key(java.security.Key)
PrivateKey(java.security.PrivateKey)
CekManagementProvider(org.keycloak.crypto.CekManagementProvider)
Example 4 with JWEException
use of org.keycloak.jose.jwe.JWEException in project keycloak by keycloak.
the class AuthorizationTokenEncryptionTest method testAuthorizationTokenSignatureAndEncryption.
private void testAuthorizationTokenSignatureAndEncryption(String sigAlgorithm, String algAlgorithm, String encAlgorithm) {
ClientResource clientResource;
ClientRepresentation clientRep;
try {
// generate and register encryption key onto client
TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
oidcClientEndpointsResource.generateKeys(algAlgorithm);
clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
clientRep = clientResource.toRepresentation();
// set authorization response signature algorithm and encryption algorithms
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setAuthorizationSignedResponseAlg(sigAlgorithm);
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setAuthorizationEncryptedResponseAlg(algAlgorithm);
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setAuthorizationEncryptedResponseEnc(encAlgorithm);
// use and set jwks_url
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setUseJwksUrl(true);
String jwksUrl = TestApplicationResourceUrls.clientJwksUri();
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setJwksUrl(jwksUrl);
clientResource.update(clientRep);
// get authorization response
oauth.responseMode("jwt");
oauth.stateParamHardcoded("OpenIdConnect.AuthenticationProperties=2302984sdlk");
OAuthClient.AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password");
// parse JWE and JOSE Header
String jweStr = response.getResponse();
String[] parts = jweStr.split("\\.");
Assert.assertEquals(parts.length, 5);
// get decryption key
// not publickey , use privateKey
Map<String, String> keyPair = oidcClientEndpointsResource.getKeysAsPem();
PrivateKey decryptionKEK = PemUtils.decodePrivateKey(keyPair.get("privateKey"));
// verify and decrypt JWE
JWEAlgorithmProvider algorithmProvider = getJweAlgorithmProvider(algAlgorithm);
JWEEncryptionProvider encryptionProvider = getJweEncryptionProvider(encAlgorithm);
byte[] decodedString = TokenUtil.jweKeyEncryptionVerifyAndDecode(decryptionKEK, jweStr, algorithmProvider, encryptionProvider);
String authorizationTokenString = new String(decodedString, "UTF-8");
// a nested JWT (signed and encrypted JWT) needs to set "JWT" to its JOSE Header's "cty" field
JWEHeader jweHeader = (JWEHeader) getHeader(parts[0]);
Assert.assertEquals("JWT", jweHeader.getContentType());
// verify JWS
AuthorizationResponseToken authorizationToken = oauth.verifyAuthorizationResponseToken(authorizationTokenString);
Assert.assertEquals("test-app", authorizationToken.getAudience()[0]);
Assert.assertEquals("OpenIdConnect.AuthenticationProperties=2302984sdlk", authorizationToken.getOtherClaims().get("state"));
Assert.assertNotNull(authorizationToken.getOtherClaims().get("code"));
} catch (JWEException | UnsupportedEncodingException e) {
Assert.fail();
} finally {
clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
clientRep = clientResource.toRepresentation();
// revert id token signature algorithm and encryption algorithms
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setAuthorizationSignedResponseAlg(Algorithm.RS256);
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setAuthorizationEncryptedResponseAlg(null);
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setAuthorizationEncryptedResponseEnc(null);
// revert jwks_url settings
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setUseJwksUrl(false);
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setJwksUrl(null);
clientResource.update(clientRep);
}
}
Also used :
AuthorizationResponseToken(org.keycloak.representations.AuthorizationResponseToken)
PrivateKey(java.security.PrivateKey)
TestOIDCEndpointsApplicationResource(org.keycloak.testsuite.client.resources.TestOIDCEndpointsApplicationResource)
JWEAlgorithmProvider(org.keycloak.jose.jwe.alg.JWEAlgorithmProvider)
OAuthClient(org.keycloak.testsuite.util.OAuthClient)
JWEException(org.keycloak.jose.jwe.JWEException)
UnsupportedEncodingException(java.io.UnsupportedEncodingException)
JWEEncryptionProvider(org.keycloak.jose.jwe.enc.JWEEncryptionProvider)
ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation)
JWEHeader(org.keycloak.jose.jwe.JWEHeader)
ClientResource(org.keycloak.admin.client.resource.ClientResource)
Example 5 with JWEException
use of org.keycloak.jose.jwe.JWEException in project keycloak by keycloak.
the class IdTokenEncryptionTest method testIdTokenSignatureAndEncryption.
private void testIdTokenSignatureAndEncryption(String sigAlgorithm, String algAlgorithm, String encAlgorithm) {
ClientResource clientResource = null;
ClientRepresentation clientRep = null;
try {
// generate and register encryption key onto client
TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
oidcClientEndpointsResource.generateKeys(algAlgorithm);
clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
clientRep = clientResource.toRepresentation();
// set id token signature algorithm and encryption algorithms
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setIdTokenSignedResponseAlg(sigAlgorithm);
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setIdTokenEncryptedResponseAlg(algAlgorithm);
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setIdTokenEncryptedResponseEnc(encAlgorithm);
// use and set jwks_url
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setUseJwksUrl(true);
String jwksUrl = TestApplicationResourceUrls.clientJwksUri();
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setJwksUrl(jwksUrl);
clientResource.update(clientRep);
// get id token
OAuthClient.AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password");
String code = response.getCode();
OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "password");
// parse JWE and JOSE Header
String jweStr = tokenResponse.getIdToken();
String[] parts = jweStr.split("\\.");
Assert.assertEquals(parts.length, 5);
// get decryption key
// not publickey , use privateKey
Map<String, String> keyPair = oidcClientEndpointsResource.getKeysAsPem();
PrivateKey decryptionKEK = PemUtils.decodePrivateKey(keyPair.get("privateKey"));
// a nested JWT (signed and encrypted JWT) needs to set "JWT" to its JOSE Header's "cty" field
JWEHeader jweHeader = (JWEHeader) getHeader(parts[0]);
Assert.assertEquals("JWT", jweHeader.getContentType());
// verify and decrypt JWE
JWEAlgorithmProvider algorithmProvider = getJweAlgorithmProvider(algAlgorithm);
JWEEncryptionProvider encryptionProvider = getJweEncryptionProvider(encAlgorithm);
byte[] decodedString = TokenUtil.jweKeyEncryptionVerifyAndDecode(decryptionKEK, jweStr, algorithmProvider, encryptionProvider);
String idTokenString = new String(decodedString, "UTF-8");
// verify JWS
IDToken idToken = oauth.verifyIDToken(idTokenString);
Assert.assertEquals("test-user@localhost", idToken.getPreferredUsername());
Assert.assertEquals("test-app", idToken.getIssuedFor());
} catch (JWEException | UnsupportedEncodingException e) {
Assert.fail();
} finally {
clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
clientRep = clientResource.toRepresentation();
// revert id token signature algorithm and encryption algorithms
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setIdTokenSignedResponseAlg(Algorithm.RS256);
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setIdTokenEncryptedResponseAlg(null);
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setIdTokenEncryptedResponseEnc(null);
// revert jwks_url settings
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setUseJwksUrl(false);
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setJwksUrl(null);
clientResource.update(clientRep);
}
}
Also used :
PrivateKey(java.security.PrivateKey)
TestOIDCEndpointsApplicationResource(org.keycloak.testsuite.client.resources.TestOIDCEndpointsApplicationResource)
JWEAlgorithmProvider(org.keycloak.jose.jwe.alg.JWEAlgorithmProvider)
OAuthClient(org.keycloak.testsuite.util.OAuthClient)
JWEException(org.keycloak.jose.jwe.JWEException)
UnsupportedEncodingException(java.io.UnsupportedEncodingException)
JWEEncryptionProvider(org.keycloak.jose.jwe.enc.JWEEncryptionProvider)
ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation)
JWEHeader(org.keycloak.jose.jwe.JWEHeader)
AccessTokenResponse(org.keycloak.testsuite.util.OAuthClient.AccessTokenResponse)
ClientResource(org.keycloak.admin.client.resource.ClientResource)
IDToken(org.keycloak.representations.IDToken)
Aggregations
UnsupportedEncodingException (java.io.UnsupportedEncodingException)6
JWEException (org.keycloak.jose.jwe.JWEException)6
PrivateKey (java.security.PrivateKey)4
JWEAlgorithmProvider (org.keycloak.jose.jwe.alg.JWEAlgorithmProvider)4
JWEEncryptionProvider (org.keycloak.jose.jwe.enc.JWEEncryptionProvider)4
Key (java.security.Key)2
SecretKey (javax.crypto.SecretKey)2
ClientResource (org.keycloak.admin.client.resource.ClientResource)2
CekManagementProvider (org.keycloak.crypto.CekManagementProvider)2
ContentEncryptionProvider (org.keycloak.crypto.ContentEncryptionProvider)2
KeyWrapper (org.keycloak.crypto.KeyWrapper)2
SignatureProvider (org.keycloak.crypto.SignatureProvider)2
SignatureSignerContext (org.keycloak.crypto.SignatureSignerContext)2
JWEHeader (org.keycloak.jose.jwe.JWEHeader)2
ClientModel (org.keycloak.models.ClientModel)2
ClientRepresentation (org.keycloak.representations.idm.ClientRepresentation)2
TestOIDCEndpointsApplicationResource (org.keycloak.testsuite.client.resources.TestOIDCEndpointsApplicationResource)2
OAuthClient (org.keycloak.testsuite.util.OAuthClient)2
IOException (java.io.IOException)1
Comparator (java.util.Comparator)1
