Example 1 with MacAlgorithm
use of org.springframework.security.oauth2.jose.jws.MacAlgorithm in project spring-security by spring-projects.
the class NimbusReactiveJwtDecoderTests method decodeWhenSecretKeyAndAlgorithmMismatchThenThrowsJwtException.
@Test
public void decodeWhenSecretKeyAndAlgorithmMismatchThenThrowsJwtException() throws Exception {
SecretKey secretKey = TestKeys.DEFAULT_SECRET_KEY;
MacAlgorithm macAlgorithm = MacAlgorithm.HS256;
JWTClaimsSet claimsSet = new JWTClaimsSet.Builder().subject("test-subject").expirationTime(Date.from(Instant.now().plusSeconds(60))).build();
SignedJWT signedJWT = signedJwt(secretKey, macAlgorithm, claimsSet);
// @formatter:off
this.decoder = NimbusReactiveJwtDecoder.withSecretKey(secretKey).macAlgorithm(MacAlgorithm.HS512).build();
assertThatExceptionOfType(BadJwtException.class).isThrownBy(() -> this.decoder.decode(signedJWT.serialize()).block());
// @formatter:on
}
Also used :
MacAlgorithm(org.springframework.security.oauth2.jose.jws.MacAlgorithm)
SecretKey(javax.crypto.SecretKey)
JWTClaimsSet(com.nimbusds.jwt.JWTClaimsSet)
SignedJWT(com.nimbusds.jwt.SignedJWT)
Test(org.junit.jupiter.api.Test)
Example 2 with MacAlgorithm
use of org.springframework.security.oauth2.jose.jws.MacAlgorithm in project spring-security by spring-projects.
the class OidcIdTokenDecoderFactory method buildDecoder.
private NimbusJwtDecoder buildDecoder(ClientRegistration clientRegistration) {
JwsAlgorithm jwsAlgorithm = this.jwsAlgorithmResolver.apply(clientRegistration);
if (jwsAlgorithm != null && SignatureAlgorithm.class.isAssignableFrom(jwsAlgorithm.getClass())) {
// https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
//
// 6. If the ID Token is received via direct communication between the Client
// and the Token Endpoint (which it is in this flow),
// the TLS server validation MAY be used to validate the issuer in place of
// checking the token signature.
// The Client MUST validate the signature of all other ID Tokens according to
// JWS [JWS]
// using the algorithm specified in the JWT alg Header Parameter.
// The Client MUST use the keys provided by the Issuer.
//
// 7. The alg value SHOULD be the default of RS256 or the algorithm sent by
// the Client
// in the id_token_signed_response_alg parameter during Registration.
String jwkSetUri = clientRegistration.getProviderDetails().getJwkSetUri();
if (!StringUtils.hasText(jwkSetUri)) {
OAuth2Error oauth2Error = new OAuth2Error(MISSING_SIGNATURE_VERIFIER_ERROR_CODE, "Failed to find a Signature Verifier for Client Registration: '" + clientRegistration.getRegistrationId() + "'. Check to ensure you have configured the JwkSet URI.", null);
throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
}
return NimbusJwtDecoder.withJwkSetUri(jwkSetUri).jwsAlgorithm((SignatureAlgorithm) jwsAlgorithm).build();
}
if (jwsAlgorithm != null && MacAlgorithm.class.isAssignableFrom(jwsAlgorithm.getClass())) {
// https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
//
// 8. If the JWT alg Header Parameter uses a MAC based algorithm such as
// HS256, HS384, or HS512,
// the octets of the UTF-8 representation of the client_secret
// corresponding to the client_id contained in the aud (audience) Claim
// are used as the key to validate the signature.
// For MAC based algorithms, the behavior is unspecified if the aud is
// multi-valued or
// if an azp value is present that is different than the aud value.
String clientSecret = clientRegistration.getClientSecret();
if (!StringUtils.hasText(clientSecret)) {
OAuth2Error oauth2Error = new OAuth2Error(MISSING_SIGNATURE_VERIFIER_ERROR_CODE, "Failed to find a Signature Verifier for Client Registration: '" + clientRegistration.getRegistrationId() + "'. Check to ensure you have configured the client secret.", null);
throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
}
SecretKeySpec secretKeySpec = new SecretKeySpec(clientSecret.getBytes(StandardCharsets.UTF_8), JCA_ALGORITHM_MAPPINGS.get(jwsAlgorithm));
return NimbusJwtDecoder.withSecretKey(secretKeySpec).macAlgorithm((MacAlgorithm) jwsAlgorithm).build();
}
OAuth2Error oauth2Error = new OAuth2Error(MISSING_SIGNATURE_VERIFIER_ERROR_CODE, "Failed to find a Signature Verifier for Client Registration: '" + clientRegistration.getRegistrationId() + "'. Check to ensure you have configured a valid JWS Algorithm: '" + jwsAlgorithm + "'", null);
throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
}
Also used :
JwsAlgorithm(org.springframework.security.oauth2.jose.jws.JwsAlgorithm)
MacAlgorithm(org.springframework.security.oauth2.jose.jws.MacAlgorithm)
SecretKeySpec(javax.crypto.spec.SecretKeySpec)
OAuth2Error(org.springframework.security.oauth2.core.OAuth2Error)
SignatureAlgorithm(org.springframework.security.oauth2.jose.jws.SignatureAlgorithm)
OAuth2AuthenticationException(org.springframework.security.oauth2.core.OAuth2AuthenticationException)
Example 3 with MacAlgorithm
use of org.springframework.security.oauth2.jose.jws.MacAlgorithm in project spring-security by spring-projects.
the class ReactiveOidcIdTokenDecoderFactory method buildDecoder.
private NimbusReactiveJwtDecoder buildDecoder(ClientRegistration clientRegistration) {
JwsAlgorithm jwsAlgorithm = this.jwsAlgorithmResolver.apply(clientRegistration);
if (jwsAlgorithm != null && SignatureAlgorithm.class.isAssignableFrom(jwsAlgorithm.getClass())) {
// https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
//
// 6. If the ID Token is received via direct communication between the Client
// and the Token Endpoint (which it is in this flow),
// the TLS server validation MAY be used to validate the issuer in place of
// checking the token signature.
// The Client MUST validate the signature of all other ID Tokens according to
// JWS [JWS]
// using the algorithm specified in the JWT alg Header Parameter.
// The Client MUST use the keys provided by the Issuer.
//
// 7. The alg value SHOULD be the default of RS256 or the algorithm sent by
// the Client
// in the id_token_signed_response_alg parameter during Registration.
String jwkSetUri = clientRegistration.getProviderDetails().getJwkSetUri();
if (!StringUtils.hasText(jwkSetUri)) {
OAuth2Error oauth2Error = new OAuth2Error(MISSING_SIGNATURE_VERIFIER_ERROR_CODE, "Failed to find a Signature Verifier for Client Registration: '" + clientRegistration.getRegistrationId() + "'. Check to ensure you have configured the JwkSet URI.", null);
throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
}
return NimbusReactiveJwtDecoder.withJwkSetUri(jwkSetUri).jwsAlgorithm((SignatureAlgorithm) jwsAlgorithm).build();
}
if (jwsAlgorithm != null && MacAlgorithm.class.isAssignableFrom(jwsAlgorithm.getClass())) {
// https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
//
// 8. If the JWT alg Header Parameter uses a MAC based algorithm such as
// HS256, HS384, or HS512,
// the octets of the UTF-8 representation of the client_secret
// corresponding to the client_id contained in the aud (audience) Claim
// are used as the key to validate the signature.
// For MAC based algorithms, the behavior is unspecified if the aud is
// multi-valued or
// if an azp value is present that is different than the aud value.
String clientSecret = clientRegistration.getClientSecret();
if (!StringUtils.hasText(clientSecret)) {
OAuth2Error oauth2Error = new OAuth2Error(MISSING_SIGNATURE_VERIFIER_ERROR_CODE, "Failed to find a Signature Verifier for Client Registration: '" + clientRegistration.getRegistrationId() + "'. Check to ensure you have configured the client secret.", null);
throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
}
SecretKeySpec secretKeySpec = new SecretKeySpec(clientSecret.getBytes(StandardCharsets.UTF_8), JCA_ALGORITHM_MAPPINGS.get(jwsAlgorithm));
return NimbusReactiveJwtDecoder.withSecretKey(secretKeySpec).macAlgorithm((MacAlgorithm) jwsAlgorithm).build();
}
OAuth2Error oauth2Error = new OAuth2Error(MISSING_SIGNATURE_VERIFIER_ERROR_CODE, "Failed to find a Signature Verifier for Client Registration: '" + clientRegistration.getRegistrationId() + "'. Check to ensure you have configured a valid JWS Algorithm: '" + jwsAlgorithm + "'", null);
throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
}
Also used :
JwsAlgorithm(org.springframework.security.oauth2.jose.jws.JwsAlgorithm)
MacAlgorithm(org.springframework.security.oauth2.jose.jws.MacAlgorithm)
SecretKeySpec(javax.crypto.spec.SecretKeySpec)
OAuth2Error(org.springframework.security.oauth2.core.OAuth2Error)
SignatureAlgorithm(org.springframework.security.oauth2.jose.jws.SignatureAlgorithm)
OAuth2AuthenticationException(org.springframework.security.oauth2.core.OAuth2AuthenticationException)
Example 4 with MacAlgorithm
use of org.springframework.security.oauth2.jose.jws.MacAlgorithm in project spring-security by spring-projects.
the class NimbusJwtDecoderTests method decodeWhenUsingSecretKeyThenSuccessfullyDecodes.
@Test
public void decodeWhenUsingSecretKeyThenSuccessfullyDecodes() throws Exception {
SecretKey secretKey = TestKeys.DEFAULT_SECRET_KEY;
MacAlgorithm macAlgorithm = MacAlgorithm.HS256;
// @formatter:off
JWTClaimsSet claimsSet = new JWTClaimsSet.Builder().subject("test-subject").expirationTime(Date.from(Instant.now().plusSeconds(60))).build();
// @formatter:on
SignedJWT signedJWT = signedJwt(secretKey, macAlgorithm, claimsSet);
// @formatter:off
NimbusJwtDecoder decoder = NimbusJwtDecoder.withSecretKey(secretKey).macAlgorithm(macAlgorithm).build();
assertThat(decoder.decode(signedJWT.serialize())).extracting(Jwt::getSubject).isEqualTo("test-subject");
// @formatter:on
}
Also used :
MacAlgorithm(org.springframework.security.oauth2.jose.jws.MacAlgorithm)
SecretKey(javax.crypto.SecretKey)
JWTClaimsSet(com.nimbusds.jwt.JWTClaimsSet)
SignedJWT(com.nimbusds.jwt.SignedJWT)
Test(org.junit.jupiter.api.Test)
Example 5 with MacAlgorithm
use of org.springframework.security.oauth2.jose.jws.MacAlgorithm in project spring-security by spring-projects.
the class NimbusJwtDecoderTests method decodeWhenUsingSecretKeyAndIncorrectAlgorithmThenThrowsJwtException.
@Test
public void decodeWhenUsingSecretKeyAndIncorrectAlgorithmThenThrowsJwtException() throws Exception {
SecretKey secretKey = TestKeys.DEFAULT_SECRET_KEY;
MacAlgorithm macAlgorithm = MacAlgorithm.HS256;
// @formatter:off
JWTClaimsSet claimsSet = new JWTClaimsSet.Builder().subject("test-subject").expirationTime(Date.from(Instant.now().plusSeconds(60))).build();
// @formatter:on
SignedJWT signedJWT = signedJwt(secretKey, macAlgorithm, claimsSet);
// @formatter:off
NimbusJwtDecoder decoder = NimbusJwtDecoder.withSecretKey(secretKey).macAlgorithm(MacAlgorithm.HS512).build();
assertThatExceptionOfType(BadJwtException.class).isThrownBy(() -> decoder.decode(signedJWT.serialize()));
// @formatter:on
}
Also used :
MacAlgorithm(org.springframework.security.oauth2.jose.jws.MacAlgorithm)
SecretKey(javax.crypto.SecretKey)
JWTClaimsSet(com.nimbusds.jwt.JWTClaimsSet)
SignedJWT(com.nimbusds.jwt.SignedJWT)
Test(org.junit.jupiter.api.Test)
Aggregations
MacAlgorithm (org.springframework.security.oauth2.jose.jws.MacAlgorithm)7
JWTClaimsSet (com.nimbusds.jwt.JWTClaimsSet)5
SignedJWT (com.nimbusds.jwt.SignedJWT)5
SecretKey (javax.crypto.SecretKey)5
Test (org.junit.jupiter.api.Test)5
OAuth2Error (org.springframework.security.oauth2.core.OAuth2Error)3
SignatureAlgorithm (org.springframework.security.oauth2.jose.jws.SignatureAlgorithm)3
SecretKeySpec (javax.crypto.spec.SecretKeySpec)2
OAuth2AuthenticationException (org.springframework.security.oauth2.core.OAuth2AuthenticationException)2
JwsAlgorithm (org.springframework.security.oauth2.jose.jws.JwsAlgorithm)2
JOSEObjectType (com.nimbusds.jose.JOSEObjectType)1
JWSAlgorithm (com.nimbusds.jose.JWSAlgorithm)1
JWSHeader (com.nimbusds.jose.JWSHeader)1
JWSSigner (com.nimbusds.jose.JWSSigner)1
MACSigner (com.nimbusds.jose.crypto.MACSigner)1
RSASSASigner (com.nimbusds.jose.crypto.RSASSASigner)1
JWKSource (com.nimbusds.jose.jwk.source.JWKSource)1
BadJOSEException (com.nimbusds.jose.proc.BadJOSEException)1
DefaultJOSEObjectTypeVerifier (com.nimbusds.jose.proc.DefaultJOSEObjectTypeVerifier)1
JWSKeySelector (com.nimbusds.jose.proc.JWSKeySelector)1
