Example 1 with EncryptionConfiguration

use of org.pac4j.jwt.config.encryption.EncryptionConfiguration in project pac4j by pac4j.

the class JwtAuthenticator method validate.

@Override
public void validate(final TokenCredentials credentials, final WebContext context) {
    init();
    final String token = credentials.getToken();
    if (context != null) {
        // set the www-authenticate in case of error
        context.setResponseHeader(HttpConstants.AUTHENTICATE_HEADER, "Bearer realm=\"" + realmName + "\"");
    }
    try {
        // Parse the token
        JWT jwt = JWTParser.parse(token);
        if (jwt instanceof PlainJWT) {
            if (signatureConfigurations.isEmpty()) {
                logger.debug("JWT is not signed and no signature configurations -> verified");
            } else {
                throw new CredentialsException("A non-signed JWT cannot be accepted as signature configurations have been defined");
            }
        } else {
            SignedJWT signedJWT = null;
            if (jwt instanceof SignedJWT) {
                signedJWT = (SignedJWT) jwt;
            }
            // encrypted?
            if (jwt instanceof EncryptedJWT) {
                logger.debug("JWT is encrypted");
                final EncryptedJWT encryptedJWT = (EncryptedJWT) jwt;
                boolean found = false;
                final JWEHeader header = encryptedJWT.getHeader();
                final JWEAlgorithm algorithm = header.getAlgorithm();
                final EncryptionMethod method = header.getEncryptionMethod();
                for (final EncryptionConfiguration config : encryptionConfigurations) {
                    if (config.supports(algorithm, method)) {
                        logger.debug("Using encryption configuration: {}", config);
                        try {
                            config.decrypt(encryptedJWT);
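                            // toSignedJWT() returns null when the decrypted payload is not a JWS;
                            // signedJWT is then null and the "signed?" block below is skipped
                            signedJWT = encryptedJWT.getPayload().toSignedJWT();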
                            if (signedJWT != null) {
                                jwt = signedJWT;
                            }
                            found = true;
                            break;
                        } catch (final JOSEException e) {
                            logger.debug("Decryption fails with encryption configuration: {}, passing to the next one", config);
                        }
                    }
                }
                if (!found) {
                    throw new CredentialsException("No encryption algorithm found for JWT: " + token);
                }
            }
            // signed?
            if (signedJWT != null) {
                logger.debug("JWT is signed");
                boolean verified = false;
                boolean found = false;
                final JWSAlgorithm algorithm = signedJWT.getHeader().getAlgorithm();
                for (final SignatureConfiguration config : signatureConfigurations) {
                    if (config.supports(algorithm)) {
                        logger.debug("Using signature configuration: {}", config);
                        try {
                            verified = config.verify(signedJWT);
                            found = true;
                            if (verified) {
                                break;
                            }
                        } catch (final JOSEException e) {
                            logger.debug("Verification fails with signature configuration: {}, passing to the next one", config);
                        }
                    }
                }
                if (!found) {
                    throw new CredentialsException("No signature algorithm found for JWT: " + token);
                }
                if (!verified) {
                    throw new CredentialsException("JWT verification failed: " + token);
                }
            }
        }
        createJwtProfile(credentials, jwt);
    } catch (final ParseException e) {
        throw new CredentialsException("Cannot decrypt / verify JWT", e);
    }
}
Also used: PlainJWT (com.nimbusds.jwt.PlainJWT), SignatureConfiguration (org.pac4j.jwt.config.signature.SignatureConfiguration), EncryptionConfiguration (org.pac4j.jwt.config.encryption.EncryptionConfiguration), JWT (com.nimbusds.jwt.JWT), SignedJWT (com.nimbusds.jwt.SignedJWT), EncryptedJWT (com.nimbusds.jwt.EncryptedJWT), EncryptionMethod (com.nimbusds.jose.EncryptionMethod), CredentialsException (org.pac4j.core.exception.CredentialsException), JWSAlgorithm (com.nimbusds.jose.JWSAlgorithm), JWEHeader (com.nimbusds.jose.JWEHeader), JWEAlgorithm (com.nimbusds.jose.JWEAlgorithm), ParseException (java.text.ParseException), JOSEException (com.nimbusds.jose.JOSEException)

Example 2 with EncryptionConfiguration

use of org.pac4j.jwt.config.encryption.EncryptionConfiguration in project pac4j by pac4j.

the class JwtTests method testGenerateAuthenticateDifferentSecrets.

@Test
public void testGenerateAuthenticateDifferentSecrets() {
    final SignatureConfiguration signatureConfiguration = new SecretSignatureConfiguration(MAC_SECRET);
    final EncryptionConfiguration encryptionConfiguration = new SecretEncryptionConfiguration(KEY2);
    final JwtGenerator<FacebookProfile> generator = new JwtGenerator<>(signatureConfiguration, encryptionConfiguration);
    final FacebookProfile profile = createProfile();
    final String token = generator.generate(profile);
    assertToken(profile, token, new JwtAuthenticator(signatureConfiguration, encryptionConfiguration));
}
Also used: JwtGenerator (org.pac4j.jwt.profile.JwtGenerator), SecretSignatureConfiguration (org.pac4j.jwt.config.signature.SecretSignatureConfiguration), SignatureConfiguration (org.pac4j.jwt.config.signature.SignatureConfiguration), ECSignatureConfiguration (org.pac4j.jwt.config.signature.ECSignatureConfiguration), SecretEncryptionConfiguration (org.pac4j.jwt.config.encryption.SecretEncryptionConfiguration), EncryptionConfiguration (org.pac4j.jwt.config.encryption.EncryptionConfiguration), JwtAuthenticator (org.pac4j.jwt.credentials.authenticator.JwtAuthenticator), FacebookProfile (org.pac4j.oauth.profile.facebook.FacebookProfile), Test (org.junit.Test)

Example 3 with EncryptionConfiguration

use of org.pac4j.jwt.config.encryption.EncryptionConfiguration in project pac4j by pac4j.

the class JwtTests method testGenerateAuthenticateUselessSignatureConfiguration.

@Test
public void testGenerateAuthenticateUselessSignatureConfiguration() {
    final SignatureConfiguration signatureConfiguration = new SecretSignatureConfiguration(KEY2);
    final SignatureConfiguration signatureConfiguration2 = new SecretSignatureConfiguration(MAC_SECRET);
    final EncryptionConfiguration encryptionConfiguration = new SecretEncryptionConfiguration(MAC_SECRET);
    final JwtGenerator<FacebookProfile> generator = new JwtGenerator<>(signatureConfiguration, encryptionConfiguration);
    final FacebookProfile profile = createProfile();
    final String token = generator.generate(profile);
    final JwtAuthenticator jwtAuthenticator = new JwtAuthenticator();
    jwtAuthenticator.addSignatureConfiguration(signatureConfiguration);
    jwtAuthenticator.addSignatureConfiguration(signatureConfiguration2);
    jwtAuthenticator.setEncryptionConfiguration(encryptionConfiguration);
    assertToken(profile, token, jwtAuthenticator);
}
Also used: JwtGenerator (org.pac4j.jwt.profile.JwtGenerator), SecretSignatureConfiguration (org.pac4j.jwt.config.signature.SecretSignatureConfiguration), SignatureConfiguration (org.pac4j.jwt.config.signature.SignatureConfiguration), ECSignatureConfiguration (org.pac4j.jwt.config.signature.ECSignatureConfiguration), SecretEncryptionConfiguration (org.pac4j.jwt.config.encryption.SecretEncryptionConfiguration), EncryptionConfiguration (org.pac4j.jwt.config.encryption.EncryptionConfiguration), JwtAuthenticator (org.pac4j.jwt.credentials.authenticator.JwtAuthenticator), FacebookProfile (org.pac4j.oauth.profile.facebook.FacebookProfile), Test (org.junit.Test)

Aggregations

EncryptionConfiguration (org.pac4j.jwt.config.encryption.EncryptionConfiguration): 3
SignatureConfiguration (org.pac4j.jwt.config.signature.SignatureConfiguration): 3
Test (org.junit.Test): 2
SecretEncryptionConfiguration (org.pac4j.jwt.config.encryption.SecretEncryptionConfiguration): 2
ECSignatureConfiguration (org.pac4j.jwt.config.signature.ECSignatureConfiguration): 2
SecretSignatureConfiguration (org.pac4j.jwt.config.signature.SecretSignatureConfiguration): 2
JwtAuthenticator (org.pac4j.jwt.credentials.authenticator.JwtAuthenticator): 2
JwtGenerator (org.pac4j.jwt.profile.JwtGenerator): 2
FacebookProfile (org.pac4j.oauth.profile.facebook.FacebookProfile): 2
EncryptionMethod (com.nimbusds.jose.EncryptionMethod): 1
JOSEException (com.nimbusds.jose.JOSEException): 1
JWEAlgorithm (com.nimbusds.jose.JWEAlgorithm): 1
JWEHeader (com.nimbusds.jose.JWEHeader): 1
JWSAlgorithm (com.nimbusds.jose.JWSAlgorithm): 1
EncryptedJWT (com.nimbusds.jwt.EncryptedJWT): 1
JWT (com.nimbusds.jwt.JWT): 1
PlainJWT (com.nimbusds.jwt.PlainJWT): 1
SignedJWT (com.nimbusds.jwt.SignedJWT): 1
ParseException (java.text.ParseException): 1
CredentialsException (org.pac4j.core.exception.CredentialsException): 1