Examples with JWSBuilder org.keycloak.jose.jws.JWSBuilder used on opensource projects

Example 11 with JWSBuilder

use of org.keycloak.jose.jws.JWSBuilder in project keycloak by keycloak.

the class KeyPairVerifier method verify.

public static void verify(String privateKeyPem, String publicKeyPem) throws VerificationException {
    PrivateKey privateKey;
    try {
        privateKey = PemUtils.decodePrivateKey(privateKeyPem);
    } catch (Exception e) {
        throw new VerificationException("Failed to decode private key");
    }
    PublicKey publicKey;
    try {
        publicKey = PemUtils.decodePublicKey(publicKeyPem);
    } catch (Exception e) {
        throw new VerificationException("Failed to decode public key");
    }
    try {
        String jws = new JWSBuilder().content("content".getBytes()).rsa256(privateKey);
        if (!RSAProvider.verify(new JWSInput(jws), publicKey)) {
            throw new VerificationException("Keys don't match");
        }
    } catch (Exception e) {
        throw new VerificationException("Keys don't match");
    }
}

Example 12 with JWSBuilder

use of org.keycloak.jose.jws.JWSBuilder in project keycloak by keycloak.

the class DockerAuthV2Protocol method authenticated.

@Override
public Response authenticated(final AuthenticationSessionModel authSession, final UserSessionModel userSession, final ClientSessionContext clientSessionCtx) {
    // First, create a base response token with realm + user values populated
    final AuthenticatedClientSessionModel clientSession = clientSessionCtx.getClientSession();
    final ClientModel client = clientSession.getClient();
    DockerResponseToken responseToken = new DockerResponseToken().id(KeycloakModelUtils.generateId()).type(TokenUtil.TOKEN_TYPE_BEARER).issuer(authSession.getClientNote(DockerAuthV2Protocol.ISSUER)).subject(userSession.getUser().getUsername()).issuedNow().audience(client.getClientId()).issuedFor(client.getClientId());
    // since realm access token is given in seconds
    final int accessTokenLifespan = realm.getAccessTokenLifespan();
    responseToken.notBefore(responseToken.getIssuedAt()).expiration(responseToken.getIssuedAt() + accessTokenLifespan);
    // Next, allow mappers to decorate the token to add/remove scopes as appropriate
    AtomicReference<DockerResponseToken> finalResponseToken = new AtomicReference<>(responseToken);
    ProtocolMapperUtils.getSortedProtocolMappers(session, clientSessionCtx).filter(mapper -> mapper.getValue() instanceof DockerAuthV2AttributeMapper).filter(mapper -> ((DockerAuthV2AttributeMapper) mapper.getValue()).appliesTo(finalResponseToken.get())).forEach(mapper -> finalResponseToken.set(((DockerAuthV2AttributeMapper) mapper.getValue()).transformDockerResponseToken(finalResponseToken.get(), mapper.getKey(), session, userSession, clientSession)));
    responseToken = finalResponseToken.get();
    try {
        // Finally, construct the response to the docker client with the token + metadata
        if (event.getEvent() != null && EventType.LOGIN.equals(event.getEvent().getType())) {
            final KeyManager.ActiveRsaKey activeKey = session.keys().getActiveRsaKey(realm);
            final String encodedToken = new JWSBuilder().kid(new DockerKeyIdentifier(activeKey.getPublicKey()).toString()).type("JWT").jsonContent(responseToken).rsa256(activeKey.getPrivateKey());
            final String expiresInIso8601String = new SimpleDateFormat(ISO_8601_DATE_FORMAT).format(new Date(responseToken.getIssuedAt() * 1000L));
            final DockerResponse responseEntity = new DockerResponse().setToken(encodedToken).setExpires_in(accessTokenLifespan).setIssued_at(expiresInIso8601String);
            return new ResponseBuilderImpl().status(Response.Status.OK).header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON).entity(responseEntity).build();
        } else {
            logger.errorv("Unable to handle request for event type {0}.  Currently only LOGIN event types are supported by docker protocol.", event.getEvent() == null ? "null" : event.getEvent().getType());
            throw new ErrorResponseException("invalid_request", "Event type not supported", Response.Status.BAD_REQUEST);
        }
    } catch (final InstantiationException e) {
        logger.errorv("Error attempting to create Key ID for Docker JOSE header: ", e.getMessage());
        throw new ErrorResponseException("token_error", "Unable to construct JOSE header for JWT", Response.Status.INTERNAL_SERVER_ERROR);
    }
}

Example 13 with JWSBuilder

use of org.keycloak.jose.jws.JWSBuilder in project keycloak by keycloak.

the class AbstractClientPoliciesTest method createSignedRequestToken.

// Signed JWT for client authentication utility
protected String createSignedRequestToken(String clientId, PrivateKey privateKey, PublicKey publicKey, String algorithm) {
    JsonWebToken jwt = createRequestToken(clientId, getRealmInfoUrl());
    String kid = KeyUtils.createKeyId(publicKey);
    SignatureSignerContext signer = oauth.createSigner(privateKey, kid, algorithm);
    return new JWSBuilder().kid(kid).jsonContent(jwt).sign(signer);
}

Example 14 with JWSBuilder

use of org.keycloak.jose.jws.JWSBuilder in project keycloak by keycloak.

the class RestartCookieTest method testRestartCookieBackwardsCompatible_Keycloak25.

// KEYCLOAK-5440 -- migration from Keycloak 3.1.0
@Test
public void testRestartCookieBackwardsCompatible_Keycloak25() throws IOException {
    String oldRestartCookie = testingClient.server().fetchString((KeycloakSession session) -> {
        try {
            String cookieVal = OLD_RESTART_COOKIE_JSON.replace("\n", "").replace(" ", "");
            RealmModel realm = session.realms().getRealmByName("test");
            KeyManager.ActiveHmacKey activeKey = session.keys().getActiveHmacKey(realm);
            String encodedToken = new JWSBuilder().kid(activeKey.getKid()).content(cookieVal.getBytes("UTF-8")).hmac256(activeKey.getSecretKey());
            return encodedToken;
        } catch (IOException ioe) {
            throw new RuntimeException(ioe);
        }
    });
    oauth.openLoginForm();
    driver.manage().deleteAllCookies();
    driver.manage().addCookie(new Cookie(RestartLoginCookie.KC_RESTART, oldRestartCookie));
    loginPage.login("foo", "bar");
    loginPage.assertCurrent();
    Assert.assertEquals("Your login attempt timed out. Login will start from the beginning.", loginPage.getError());
    events.expectLogin().user((String) null).session((String) null).error(Errors.EXPIRED_CODE).clearDetails().detail(Details.RESTART_AFTER_TIMEOUT, "true").client((String) null).assertEvent();
}

Example 15 with JWSBuilder

use of org.keycloak.jose.jws.JWSBuilder in project keycloak by keycloak.

the class RestartCookieTest method testRestartCookieBackwardsCompatible_Keycloak19.

// KEYCLOAK-7158 -- migration from Keycloak 1.9.8
@Test
public void testRestartCookieBackwardsCompatible_Keycloak19() throws IOException {
    String oldRestartCookie = testingClient.server().fetchString((KeycloakSession session) -> {
        try {
            String cookieVal = OLD_RESTART_COOKIE_JSON.replace("\n", "").replace(" ", "");
            RealmModel realm = session.realms().getRealmByName("test");
            KeyManager.ActiveHmacKey activeKey = session.keys().getActiveHmacKey(realm);
            // There was no KID in the token in Keycloak 1.9.8
            String encodedToken = new JWSBuilder().content(cookieVal.getBytes("UTF-8")).hmac256(activeKey.getSecretKey());
            return encodedToken;
        } catch (IOException ioe) {
            throw new RuntimeException(ioe);
        }
    });
    oauth.openLoginForm();
    driver.manage().deleteAllCookies();
    driver.manage().addCookie(new Cookie(RestartLoginCookie.KC_RESTART, oldRestartCookie));
    loginPage.login("foo", "bar");
    loginPage.assertCurrent();
    Assert.assertEquals("Your login attempt timed out. Login will start from the beginning.", loginPage.getError());
    events.expectLogin().user((String) null).session((String) null).error(Errors.EXPIRED_CODE).clearDetails().detail(Details.RESTART_AFTER_TIMEOUT, "true").client((String) null).assertEvent();
}