use of org.springframework.security.oauth2.core.OAuth2Error in project spring-security by spring-projects.
the class NimbusJwtDecoderJwkSupportTests method decodeWhenJwtFailsValidationThenReturnsCorrespondingErrorMessage.
@Test
public void decodeWhenJwtFailsValidationThenReturnsCorrespondingErrorMessage() throws Exception {
    // Serve the JWK set from an in-process server so the decoder can fetch signing keys.
    try (MockWebServer server = new MockWebServer()) {
        server.enqueue(new MockResponse().setBody(JWK_SET));
        String jwkSetUrl = server.url("/.well-known/jwks.json").toString();
        NimbusJwtDecoderJwkSupport decoder = new NimbusJwtDecoderJwkSupport(jwkSetUrl);
        // A validator stubbed to reject every token with a recognisable description;
        // the decoder is expected to surface that description in the thrown exception.
        OAuth2Error failure = new OAuth2Error("mock-error", "mock-description", "mock-uri");
        OAuth2TokenValidatorResult rejected = OAuth2TokenValidatorResult.failure(failure);
        OAuth2TokenValidator<Jwt> rejectingValidator = mock(OAuth2TokenValidator.class);
        given(rejectingValidator.validate(any(Jwt.class))).willReturn(rejected);
        decoder.setJwtValidator(rejectingValidator);
        // @formatter:off
        assertThatExceptionOfType(JwtValidationException.class)
                .isThrownBy(() -> decoder.decode(SIGNED_JWT))
                .withMessageContaining("mock-description");
        // @formatter:on
    }
}
use of org.springframework.security.oauth2.core.OAuth2Error in project spring-security by spring-projects.
the class JwtTimestampValidatorTests method validateWhenJwtIsExpiredThenErrorMessageIndicatesExpirationTime.
@Test
public void validateWhenJwtIsExpiredThenErrorMessageIndicatesExpirationTime() {
    // A token whose exp claim lies an hour in the past, well outside the default skew.
    Instant expiredAt = Instant.now().minusSeconds(3600);
    Jwt expiredJwt = TestJwts.jwt().expiresAt(expiredAt).build();
    JwtTimestampValidator validator = new JwtTimestampValidator();
    OAuth2TokenValidatorResult result = validator.validate(expiredJwt);
    Collection<OAuth2Error> errors = result.getErrors();
    // @formatter:off
    Collection<String> descriptions = errors.stream()
            .map((error) -> error.getDescription())
            .collect(Collectors.toList());
    // @formatter:on
    // The description must name the exact expiry instant so operators can diagnose the rejection.
    assertThat(descriptions).contains("Jwt expired at " + expiredAt);
    // Every reported error is classified as an invalid token.
    assertThat(errors).allMatch((error) -> Objects.equals(OAuth2ErrorCodes.INVALID_TOKEN, error.getErrorCode()));
}
use of org.springframework.security.oauth2.core.OAuth2Error in project spring-security by spring-projects.
the class JwtTimestampValidatorTests method validateWhenConfiguredWithClockSkewThenValidatesUsingThatSkew.
@Test
public void validateWhenConfiguredWithClockSkewThenValidatesUsingThatSkew() {
    Duration skew = Duration.ofDays(1);
    JwtTimestampValidator validator = new JwtTimestampValidator(skew);
    Instant now = Instant.now();
    // Ten seconds inside the tolerated window on either side of now...
    Instant withinSkewPast = now.minus(skew).plusSeconds(10);
    Instant withinSkewFuture = now.plus(skew).minusSeconds(10);
    // ...and ten seconds beyond it.
    Instant beyondSkewPast = now.minus(skew).minusSeconds(10);
    Instant beyondSkewFuture = now.plus(skew).plusSeconds(10);

    // Both claims inside the skew window: accepted.
    Jwt insideWindow = TestJwts.jwt().expiresAt(withinSkewPast).notBefore(withinSkewFuture).build();
    assertThat(validator.validate(insideWindow).hasErrors()).isFalse();

    // exp beyond the skew window: rejected, naming the expiry instant.
    Jwt expiredBeyondSkew = TestJwts.jwt().expiresAt(beyondSkewPast).build();
    OAuth2TokenValidatorResult expiredResult = validator.validate(expiredBeyondSkew);
    assertThat(expiredResult.hasErrors()).isTrue();
    assertThat(descriptionsOf(expiredResult)).contains("Jwt expired at " + beyondSkewPast);

    // nbf beyond the skew window: rejected as invalid_token, naming the not-before instant.
    Jwt notYetValidBeyondSkew = TestJwts.jwt().notBefore(beyondSkewFuture).build();
    OAuth2TokenValidatorResult notBeforeResult = validator.validate(notYetValidBeyondSkew);
    assertThat(notBeforeResult.hasErrors()).isTrue();
    assertThat(notBeforeResult.getErrors().iterator().next().getErrorCode()).isEqualTo(OAuth2ErrorCodes.INVALID_TOKEN);
    assertThat(descriptionsOf(notBeforeResult)).contains("Jwt used before " + beyondSkewFuture);
}

// Collects the human-readable description of every error in the result.
private static Collection<String> descriptionsOf(OAuth2TokenValidatorResult result) {
    // @formatter:off
    return result.getErrors().stream()
            .map(OAuth2Error::getDescription)
            .collect(Collectors.toList());
    // @formatter:on
}
use of org.springframework.security.oauth2.core.OAuth2Error in project spring-security by spring-projects.
the class JwtTimestampValidator method validate.
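/**
 * Checks the token's {@code exp} and {@code nbf} claims against the configured clock,
 * tolerating up to {@code clockSkew} of drift in either direction. A claim that is
 * absent is not checked. The {@code exp} claim is checked first and the first failing
 * claim is the one reported.
 * @param jwt the token to validate, never {@code null}
 * @return a failure result carrying the corresponding {@link OAuth2Error}, or a success result
 * @throws IllegalArgumentException if {@code jwt} is {@code null}
 */
@Override
public OAuth2TokenValidatorResult validate(Jwt jwt) {
    Assert.notNull(jwt, "jwt cannot be null");
    // Read the clock once so both claims are judged against the same instant rather than
    // two separate reads that could straddle a tick.
    Instant now = Instant.now(this.clock);
    Instant expiry = jwt.getExpiresAt();
    if (expiry != null && now.minus(this.clockSkew).isAfter(expiry)) {
        // Still expired after granting the skew: the token is stale.
        OAuth2Error oAuth2Error = createOAuth2Error(String.format("Jwt expired at %s", expiry));
        return OAuth2TokenValidatorResult.failure(oAuth2Error);
    }
    Instant notBefore = jwt.getNotBefore();
    if (notBefore != null && now.plus(this.clockSkew).isBefore(notBefore)) {
        // Still not valid after granting the skew: the token is being used too early.
        OAuth2Error oAuth2Error = createOAuth2Error(String.format("Jwt used before %s", notBefore));
        return OAuth2TokenValidatorResult.failure(oAuth2Error);
    }
    return OAuth2TokenValidatorResult.success();
}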
use of org.springframework.security.oauth2.core.OAuth2Error in project spring-security by spring-projects.
the class NimbusReactiveJwtDecoder method validateJwt.
/**
 * Runs the configured validator over a decoded token and turns any reported errors into a
 * {@link JwtValidationException}; a token without errors is returned unchanged.
 * @param jwt the decoded token
 * @return the same token when validation passes
 * @throws JwtValidationException when the validator reports one or more errors
 */
private Jwt validateJwt(Jwt jwt) {
    OAuth2TokenValidatorResult outcome = this.jwtValidator.validate(jwt);
    if (!outcome.hasErrors()) {
        return jwt;
    }
    Collection<OAuth2Error> errors = outcome.getErrors();
    String message = getJwtValidationExceptionMessage(errors);
    throw new JwtValidationException(message, errors);
}