Search in sources :

Example 1 with JwtIssuerValidator

use of org.springframework.security.oauth2.jwt.JwtIssuerValidator in project spring-cloud-gcp by spring-cloud.

the class FirebaseAuthenticationAutoConfiguration method firebaseJwtDelegatingValidator.

@Bean
@ConditionalOnMissingBean(name = "firebaseJwtDelegatingValidator")
public DelegatingOAuth2TokenValidator<Jwt> firebaseJwtDelegatingValidator(JwtIssuerValidator jwtIssuerValidator, GcpProjectIdProvider gcpProjectIdProvider) {
    List<OAuth2TokenValidator<Jwt>> validators = new ArrayList<>();
    validators.add(new JwtTimestampValidator());
    validators.add(jwtIssuerValidator);
    validators.add(new FirebaseTokenValidator(projectId));
    return new DelegatingOAuth2TokenValidator<>(validators);
}
Also used : FirebaseTokenValidator(org.springframework.cloud.gcp.security.firebase.FirebaseTokenValidator) DelegatingOAuth2TokenValidator(org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator) OAuth2TokenValidator(org.springframework.security.oauth2.core.OAuth2TokenValidator) ArrayList(java.util.ArrayList) JwtTimestampValidator(org.springframework.security.oauth2.jwt.JwtTimestampValidator) DelegatingOAuth2TokenValidator(org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator) ConditionalOnMissingBean(org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean) ConditionalOnMissingBean(org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean) Bean(org.springframework.context.annotation.Bean)

Example 2 with JwtIssuerValidator

use of org.springframework.security.oauth2.jwt.JwtIssuerValidator in project spring-cloud-gcp by spring-cloud.

the class IapAuthenticationAutoConfiguration method iapJwtDelegatingValidator.

@Bean
@ConditionalOnMissingBean(name = "iapJwtDelegatingValidator")
public DelegatingOAuth2TokenValidator<Jwt> iapJwtDelegatingValidator(IapAuthenticationProperties properties, AudienceValidator audienceValidator) {
    List<OAuth2TokenValidator<Jwt>> validators = new ArrayList<>();
    validators.add(new JwtTimestampValidator());
    validators.add(new JwtIssuerValidator(properties.getIssuer()));
    validators.add(audienceValidator);
    if (LOGGER.isInfoEnabled()) {
        LOGGER.info("Audience configured for IAP JWT validation: " + audienceValidator.getAudience());
    }
    return new DelegatingOAuth2TokenValidator<>(validators);
}
Also used : OAuth2TokenValidator(org.springframework.security.oauth2.core.OAuth2TokenValidator) DelegatingOAuth2TokenValidator(org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator) JwtIssuerValidator(org.springframework.security.oauth2.jwt.JwtIssuerValidator) ArrayList(java.util.ArrayList) JwtTimestampValidator(org.springframework.security.oauth2.jwt.JwtTimestampValidator) DelegatingOAuth2TokenValidator(org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator) ConditionalOnMissingBean(org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean) ConditionalOnMissingBean(org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean) Bean(org.springframework.context.annotation.Bean)

Example 3 with JwtIssuerValidator

use of org.springframework.security.oauth2.jwt.JwtIssuerValidator in project spring-cloud-gcp by spring-cloud.

the class FirebaseJwtTokenDecoderTests method invalidIssuedAt.

@Test
public void invalidIssuedAt() throws Exception {
    JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256).keyID("one").build();
    JWTClaimsSet claimsSet = new JWTClaimsSet.Builder().subject("test-subject").audience("123456").expirationTime(Date.from(Instant.now().plusSeconds(36000))).issuer("https://securetoken.google.com/123456").issueTime(Date.from(Instant.now().plusSeconds(3600))).claim("auth_time", Instant.now().minusSeconds(3600).getEpochSecond()).build();
    SignedJWT signedJWT = signedJwt(keyGeneratorUtils.getPrivateKey(), header, claimsSet);
    List<OAuth2TokenValidator<Jwt>> validators = new ArrayList<>();
    validators.add(new JwtTimestampValidator());
    validators.add(new JwtIssuerValidator("https://securetoken.google.com/123456"));
    validators.add(new FirebaseTokenValidator("123456"));
    DelegatingOAuth2TokenValidator<Jwt> validator = new DelegatingOAuth2TokenValidator<Jwt>(validators);
    RestOperations operations = mockRestOperations();
    FirebaseJwtTokenDecoder decoder = new FirebaseJwtTokenDecoder(operations, "https://spring.local", validator);
    assertThatExceptionOfType(JwtException.class).isThrownBy(() -> decoder.decode(signedJWT.serialize())).withMessageStartingWith("An error occurred while attempting to decode the Jwt: iat claim header must be in the past");
}
Also used : JwtIssuerValidator(org.springframework.security.oauth2.jwt.JwtIssuerValidator) Jwt(org.springframework.security.oauth2.jwt.Jwt) ArrayList(java.util.ArrayList) SignedJWT(com.nimbusds.jwt.SignedJWT) DelegatingOAuth2TokenValidator(org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator) OAuth2TokenValidator(org.springframework.security.oauth2.core.OAuth2TokenValidator) DelegatingOAuth2TokenValidator(org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator) JWTClaimsSet(com.nimbusds.jwt.JWTClaimsSet) JwtTimestampValidator(org.springframework.security.oauth2.jwt.JwtTimestampValidator) RestOperations(org.springframework.web.client.RestOperations) JWSHeader(com.nimbusds.jose.JWSHeader) Test(org.junit.Test)

Example 4 with JwtIssuerValidator

use of org.springframework.security.oauth2.jwt.JwtIssuerValidator in project spring-cloud-gcp by spring-cloud.

the class FirebaseJwtTokenDecoderTests method invalidSubject.

@Test
public void invalidSubject() throws Exception {
    JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256).keyID("one").build();
    JWTClaimsSet claimsSet = new JWTClaimsSet.Builder().audience("123456").expirationTime(Date.from(Instant.now().plusSeconds(36000))).issuer("https://securetoken.google.com/123456").issueTime(Date.from(Instant.now().minusSeconds(3600))).claim("auth_time", Instant.now().minusSeconds(3600).getEpochSecond()).build();
    SignedJWT signedJWT = signedJwt(keyGeneratorUtils.getPrivateKey(), header, claimsSet);
    List<OAuth2TokenValidator<Jwt>> validators = new ArrayList<>();
    validators.add(new JwtTimestampValidator());
    validators.add(new JwtIssuerValidator("https://securetoken.google.com/123456"));
    validators.add(new FirebaseTokenValidator("123456"));
    DelegatingOAuth2TokenValidator<Jwt> validator = new DelegatingOAuth2TokenValidator<Jwt>(validators);
    RestOperations operations = mockRestOperations();
    FirebaseJwtTokenDecoder decoder = new FirebaseJwtTokenDecoder(operations, "https://spring.local", validator);
    assertThatExceptionOfType(JwtException.class).isThrownBy(() -> decoder.decode(signedJWT.serialize())).withMessageStartingWith("An error occurred while attempting to decode the Jwt: sub claim can not be empty");
}
Also used : JwtIssuerValidator(org.springframework.security.oauth2.jwt.JwtIssuerValidator) Jwt(org.springframework.security.oauth2.jwt.Jwt) ArrayList(java.util.ArrayList) SignedJWT(com.nimbusds.jwt.SignedJWT) DelegatingOAuth2TokenValidator(org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator) OAuth2TokenValidator(org.springframework.security.oauth2.core.OAuth2TokenValidator) DelegatingOAuth2TokenValidator(org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator) JWTClaimsSet(com.nimbusds.jwt.JWTClaimsSet) JwtTimestampValidator(org.springframework.security.oauth2.jwt.JwtTimestampValidator) RestOperations(org.springframework.web.client.RestOperations) JWSHeader(com.nimbusds.jose.JWSHeader) Test(org.junit.Test)

Example 5 with JwtIssuerValidator

use of org.springframework.security.oauth2.jwt.JwtIssuerValidator in project spring-cloud-gcp by spring-cloud.

the class FirebaseJwtTokenDecoderTests method validTokenTests.

@Test
public void validTokenTests() throws Exception {
    JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256).keyID("one").build();
    JWTClaimsSet claimsSet = new JWTClaimsSet.Builder().subject("test-subject").audience("123456").expirationTime(Date.from(Instant.now().plusSeconds(36000))).issuer("https://securetoken.google.com/123456").issueTime(Date.from(Instant.now().minusSeconds(3600))).claim("auth_time", Instant.now().minusSeconds(3600).getEpochSecond()).build();
    SignedJWT signedJWT = signedJwt(keyGeneratorUtils.getPrivateKey(), header, claimsSet);
    List<OAuth2TokenValidator<Jwt>> validators = new ArrayList<>();
    validators.add(new JwtTimestampValidator());
    validators.add(new JwtIssuerValidator("https://securetoken.google.com/123456"));
    validators.add(new FirebaseTokenValidator("123456"));
    DelegatingOAuth2TokenValidator<Jwt> validator = new DelegatingOAuth2TokenValidator<Jwt>(validators);
    RestOperations operations = mockRestOperations();
    FirebaseJwtTokenDecoder decoder = new FirebaseJwtTokenDecoder(operations, "https://spring.local", validator);
    Jwt jwt = decoder.decode(signedJWT.serialize());
    assertThat(jwt.getClaims()).isNotEmpty();
}
Also used : JwtIssuerValidator(org.springframework.security.oauth2.jwt.JwtIssuerValidator) Jwt(org.springframework.security.oauth2.jwt.Jwt) ArrayList(java.util.ArrayList) SignedJWT(com.nimbusds.jwt.SignedJWT) DelegatingOAuth2TokenValidator(org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator) OAuth2TokenValidator(org.springframework.security.oauth2.core.OAuth2TokenValidator) DelegatingOAuth2TokenValidator(org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator) JWTClaimsSet(com.nimbusds.jwt.JWTClaimsSet) JwtTimestampValidator(org.springframework.security.oauth2.jwt.JwtTimestampValidator) RestOperations(org.springframework.web.client.RestOperations) JWSHeader(com.nimbusds.jose.JWSHeader) Test(org.junit.Test)

Aggregations

ArrayList (java.util.ArrayList)7 DelegatingOAuth2TokenValidator (org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator)7 OAuth2TokenValidator (org.springframework.security.oauth2.core.OAuth2TokenValidator)7 JwtTimestampValidator (org.springframework.security.oauth2.jwt.JwtTimestampValidator)7 JwtIssuerValidator (org.springframework.security.oauth2.jwt.JwtIssuerValidator)6 JWSHeader (com.nimbusds.jose.JWSHeader)5 JWTClaimsSet (com.nimbusds.jwt.JWTClaimsSet)5 SignedJWT (com.nimbusds.jwt.SignedJWT)5 Test (org.junit.Test)5 Jwt (org.springframework.security.oauth2.jwt.Jwt)5 RestOperations (org.springframework.web.client.RestOperations)5 ConditionalOnMissingBean (org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean)2 Bean (org.springframework.context.annotation.Bean)2 FirebaseTokenValidator (org.springframework.cloud.gcp.security.firebase.FirebaseTokenValidator)1