use of org.springframework.security.oauth2.jwt.JwtTimestampValidator in project spring-security by spring-projects.
the class JwtTimestampValidatorTests method validateWhenJwtIsTooEarlyThenErrorMessageIndicatesNotBeforeTime.
@Test
public void validateWhenJwtIsTooEarlyThenErrorMessageIndicatesNotBeforeTime() {
Instant oneHourFromNow = Instant.now().plusSeconds(3600);
Jwt jwt = TestJwts.jwt().notBefore(oneHourFromNow).build();
JwtTimestampValidator jwtValidator = new JwtTimestampValidator();
Collection<OAuth2Error> details = jwtValidator.validate(jwt).getErrors();
// @formatter:off
Collection<String> messages = details.stream().map(OAuth2Error::getDescription).collect(Collectors.toList());
// @formatter:on
assertThat(messages).contains("Jwt used before " + oneHourFromNow);
assertThat(details).allMatch((error) -> Objects.equals(error.getErrorCode(), OAuth2ErrorCodes.INVALID_TOKEN));
}
use of org.springframework.security.oauth2.jwt.JwtTimestampValidator in project spring-cloud-gcp by spring-cloud.
the class FirebaseAuthenticationAutoConfiguration method firebaseJwtDelegatingValidator.
@Bean
@ConditionalOnMissingBean(name = "firebaseJwtDelegatingValidator")
public DelegatingOAuth2TokenValidator<Jwt> firebaseJwtDelegatingValidator(JwtIssuerValidator jwtIssuerValidator, GcpProjectIdProvider gcpProjectIdProvider) {
List<OAuth2TokenValidator<Jwt>> validators = new ArrayList<>();
validators.add(new JwtTimestampValidator());
validators.add(jwtIssuerValidator);
validators.add(new FirebaseTokenValidator(projectId));
return new DelegatingOAuth2TokenValidator<>(validators);
}
use of org.springframework.security.oauth2.jwt.JwtTimestampValidator in project spring-cloud-gcp by spring-cloud.
the class IapAuthenticationAutoConfiguration method iapJwtDelegatingValidator.
@Bean
@ConditionalOnMissingBean(name = "iapJwtDelegatingValidator")
public DelegatingOAuth2TokenValidator<Jwt> iapJwtDelegatingValidator(IapAuthenticationProperties properties, AudienceValidator audienceValidator) {
List<OAuth2TokenValidator<Jwt>> validators = new ArrayList<>();
validators.add(new JwtTimestampValidator());
validators.add(new JwtIssuerValidator(properties.getIssuer()));
validators.add(audienceValidator);
if (LOGGER.isInfoEnabled()) {
LOGGER.info("Audience configured for IAP JWT validation: " + audienceValidator.getAudience());
}
return new DelegatingOAuth2TokenValidator<>(validators);
}
use of org.springframework.security.oauth2.jwt.JwtTimestampValidator in project spring-cloud-gcp by spring-cloud.
the class FirebaseJwtTokenDecoderTests method invalidIssuedAt.
@Test
public void invalidIssuedAt() throws Exception {
JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256).keyID("one").build();
JWTClaimsSet claimsSet = new JWTClaimsSet.Builder().subject("test-subject").audience("123456").expirationTime(Date.from(Instant.now().plusSeconds(36000))).issuer("https://securetoken.google.com/123456").issueTime(Date.from(Instant.now().plusSeconds(3600))).claim("auth_time", Instant.now().minusSeconds(3600).getEpochSecond()).build();
SignedJWT signedJWT = signedJwt(keyGeneratorUtils.getPrivateKey(), header, claimsSet);
List<OAuth2TokenValidator<Jwt>> validators = new ArrayList<>();
validators.add(new JwtTimestampValidator());
validators.add(new JwtIssuerValidator("https://securetoken.google.com/123456"));
validators.add(new FirebaseTokenValidator("123456"));
DelegatingOAuth2TokenValidator<Jwt> validator = new DelegatingOAuth2TokenValidator<Jwt>(validators);
RestOperations operations = mockRestOperations();
FirebaseJwtTokenDecoder decoder = new FirebaseJwtTokenDecoder(operations, "https://spring.local", validator);
assertThatExceptionOfType(JwtException.class).isThrownBy(() -> decoder.decode(signedJWT.serialize())).withMessageStartingWith("An error occurred while attempting to decode the Jwt: iat claim header must be in the past");
}
use of org.springframework.security.oauth2.jwt.JwtTimestampValidator in project spring-cloud-gcp by spring-cloud.
the class FirebaseJwtTokenDecoderTests method invalidSubject.
@Test
public void invalidSubject() throws Exception {
JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256).keyID("one").build();
JWTClaimsSet claimsSet = new JWTClaimsSet.Builder().audience("123456").expirationTime(Date.from(Instant.now().plusSeconds(36000))).issuer("https://securetoken.google.com/123456").issueTime(Date.from(Instant.now().minusSeconds(3600))).claim("auth_time", Instant.now().minusSeconds(3600).getEpochSecond()).build();
SignedJWT signedJWT = signedJwt(keyGeneratorUtils.getPrivateKey(), header, claimsSet);
List<OAuth2TokenValidator<Jwt>> validators = new ArrayList<>();
validators.add(new JwtTimestampValidator());
validators.add(new JwtIssuerValidator("https://securetoken.google.com/123456"));
validators.add(new FirebaseTokenValidator("123456"));
DelegatingOAuth2TokenValidator<Jwt> validator = new DelegatingOAuth2TokenValidator<Jwt>(validators);
RestOperations operations = mockRestOperations();
FirebaseJwtTokenDecoder decoder = new FirebaseJwtTokenDecoder(operations, "https://spring.local", validator);
assertThatExceptionOfType(JwtException.class).isThrownBy(() -> decoder.decode(signedJWT.serialize())).withMessageStartingWith("An error occurred while attempting to decode the Jwt: sub claim can not be empty");
}
Aggregations