Example 1 with NimbusReactiveJwtDecoder
use of org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder in project spring-security by spring-projects.
the class ReactiveOidcIdTokenDecoderFactory method createDecoder.
@Override
public ReactiveJwtDecoder createDecoder(ClientRegistration clientRegistration) {
Assert.notNull(clientRegistration, "clientRegistration cannot be null");
return this.jwtDecoders.computeIfAbsent(clientRegistration.getRegistrationId(), (key) -> {
NimbusReactiveJwtDecoder jwtDecoder = buildDecoder(clientRegistration);
jwtDecoder.setJwtValidator(this.jwtValidatorFactory.apply(clientRegistration));
Converter<Map<String, Object>, Map<String, Object>> claimTypeConverter = this.claimTypeConverterFactory.apply(clientRegistration);
if (claimTypeConverter != null) {
jwtDecoder.setClaimSetConverter(claimTypeConverter);
}
return jwtDecoder;
});
}
Also used :
NimbusReactiveJwtDecoder(org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder)
HashMap(java.util.HashMap)
Map(java.util.Map)
ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap)
Example 2 with NimbusReactiveJwtDecoder
use of org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder in project spring-security by spring-projects.
the class ReactiveOidcIdTokenDecoderFactory method buildDecoder.
private NimbusReactiveJwtDecoder buildDecoder(ClientRegistration clientRegistration) {
JwsAlgorithm jwsAlgorithm = this.jwsAlgorithmResolver.apply(clientRegistration);
if (jwsAlgorithm != null && SignatureAlgorithm.class.isAssignableFrom(jwsAlgorithm.getClass())) {
// https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
//
// 6. If the ID Token is received via direct communication between the Client
// and the Token Endpoint (which it is in this flow),
// the TLS server validation MAY be used to validate the issuer in place of
// checking the token signature.
// The Client MUST validate the signature of all other ID Tokens according to
// JWS [JWS]
// using the algorithm specified in the JWT alg Header Parameter.
// The Client MUST use the keys provided by the Issuer.
//
// 7. The alg value SHOULD be the default of RS256 or the algorithm sent by
// the Client
// in the id_token_signed_response_alg parameter during Registration.
String jwkSetUri = clientRegistration.getProviderDetails().getJwkSetUri();
if (!StringUtils.hasText(jwkSetUri)) {
OAuth2Error oauth2Error = new OAuth2Error(MISSING_SIGNATURE_VERIFIER_ERROR_CODE, "Failed to find a Signature Verifier for Client Registration: '" + clientRegistration.getRegistrationId() + "'. Check to ensure you have configured the JwkSet URI.", null);
throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
}
return NimbusReactiveJwtDecoder.withJwkSetUri(jwkSetUri).jwsAlgorithm((SignatureAlgorithm) jwsAlgorithm).build();
}
if (jwsAlgorithm != null && MacAlgorithm.class.isAssignableFrom(jwsAlgorithm.getClass())) {
// https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
//
// 8. If the JWT alg Header Parameter uses a MAC based algorithm such as
// HS256, HS384, or HS512,
// the octets of the UTF-8 representation of the client_secret
// corresponding to the client_id contained in the aud (audience) Claim
// are used as the key to validate the signature.
// For MAC based algorithms, the behavior is unspecified if the aud is
// multi-valued or
// if an azp value is present that is different than the aud value.
String clientSecret = clientRegistration.getClientSecret();
if (!StringUtils.hasText(clientSecret)) {
OAuth2Error oauth2Error = new OAuth2Error(MISSING_SIGNATURE_VERIFIER_ERROR_CODE, "Failed to find a Signature Verifier for Client Registration: '" + clientRegistration.getRegistrationId() + "'. Check to ensure you have configured the client secret.", null);
throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
}
SecretKeySpec secretKeySpec = new SecretKeySpec(clientSecret.getBytes(StandardCharsets.UTF_8), JCA_ALGORITHM_MAPPINGS.get(jwsAlgorithm));
return NimbusReactiveJwtDecoder.withSecretKey(secretKeySpec).macAlgorithm((MacAlgorithm) jwsAlgorithm).build();
}
OAuth2Error oauth2Error = new OAuth2Error(MISSING_SIGNATURE_VERIFIER_ERROR_CODE, "Failed to find a Signature Verifier for Client Registration: '" + clientRegistration.getRegistrationId() + "'. Check to ensure you have configured a valid JWS Algorithm: '" + jwsAlgorithm + "'", null);
throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
}
Also used :
JwsAlgorithm(org.springframework.security.oauth2.jose.jws.JwsAlgorithm)
MacAlgorithm(org.springframework.security.oauth2.jose.jws.MacAlgorithm)
SecretKeySpec(javax.crypto.spec.SecretKeySpec)
OAuth2Error(org.springframework.security.oauth2.core.OAuth2Error)
SignatureAlgorithm(org.springframework.security.oauth2.jose.jws.SignatureAlgorithm)
OAuth2AuthenticationException(org.springframework.security.oauth2.core.OAuth2AuthenticationException)
Example 3 with NimbusReactiveJwtDecoder
use of org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder in project spring-security by spring-projects.
the class NimbusReactiveJwtDecoderTests method withJwkSetUriWhenUsingCustomTypeHeaderThenRefuseOmittedType.
// gh-8730
@Test
public void withJwkSetUriWhenUsingCustomTypeHeaderThenRefuseOmittedType() {
WebClient webClient = mockJwkSetResponse(this.jwkSet);
// @formatter:off
NimbusReactiveJwtDecoder decoder = NimbusReactiveJwtDecoder.withJwkSetUri(this.jwkSetUri).webClient(webClient).jwtProcessorCustomizer((p) -> p.setJWSTypeVerifier(new DefaultJOSEObjectTypeVerifier<>(new JOSEObjectType("JWS")))).build();
assertThatExceptionOfType(BadJwtException.class).isThrownBy(() -> decoder.decode(this.messageReadToken).block()).havingRootCause().withMessage("Required JOSE header typ (type) parameter is missing");
// @formatter:on
}
Also used :
BeforeEach(org.junit.jupiter.api.BeforeEach)
JWKSecurityContext(com.nimbusds.jose.proc.JWKSecurityContext)
EncodedKeySpec(java.security.spec.EncodedKeySpec)
Date(java.util.Date)
Assertions.assertThat(org.assertj.core.api.Assertions.assertThat)
WebClient(org.springframework.web.reactive.function.client.WebClient)
JWKSet(com.nimbusds.jose.jwk.JWKSet)
OAuth2TokenValidator(org.springframework.security.oauth2.core.OAuth2TokenValidator)
MacAlgorithm(org.springframework.security.oauth2.jose.jws.MacAlgorithm)
RSAPublicKey(java.security.interfaces.RSAPublicKey)
BeforeAll(org.junit.jupiter.api.BeforeAll)
BDDMockito.given(org.mockito.BDDMockito.given)
Map(java.util.Map)
MockWebServer(okhttp3.mockwebserver.MockWebServer)
ParseException(java.text.ParseException)
JWKSource(com.nimbusds.jose.jwk.source.JWKSource)
JWSAlgorithm(com.nimbusds.jose.JWSAlgorithm)
Instant(java.time.Instant)
X509EncodedKeySpec(java.security.spec.X509EncodedKeySpec)
JWSHeader(com.nimbusds.jose.JWSHeader)
SignedJWT(com.nimbusds.jwt.SignedJWT)
KeyFactory(java.security.KeyFactory)
Test(org.junit.jupiter.api.Test)
Base64(java.util.Base64)
JWSVerificationKeySelector(com.nimbusds.jose.proc.JWSVerificationKeySelector)
JWSSigner(com.nimbusds.jose.JWSSigner)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
JOSEObjectType(com.nimbusds.jose.JOSEObjectType)
SecretKey(javax.crypto.SecretKey)
MockResponse(okhttp3.mockwebserver.MockResponse)
OAuth2TokenValidatorResult(org.springframework.security.oauth2.core.OAuth2TokenValidatorResult)
Mockito.mock(org.mockito.Mockito.mock)
ArgumentMatchers.any(org.mockito.ArgumentMatchers.any)
JWSKeySelector(com.nimbusds.jose.proc.JWSKeySelector)
InvalidKeySpecException(java.security.spec.InvalidKeySpecException)
JWTClaimsSet(com.nimbusds.jwt.JWTClaimsSet)
Mockito.spy(org.mockito.Mockito.spy)
Assertions.assertThatExceptionOfType(org.assertj.core.api.Assertions.assertThatExceptionOfType)
MACSigner(com.nimbusds.jose.crypto.MACSigner)
Converter(org.springframework.core.convert.converter.Converter)
Assertions.assertThatIllegalStateException(org.assertj.core.api.Assertions.assertThatIllegalStateException)
ConfigurableJWTProcessor(com.nimbusds.jwt.proc.ConfigurableJWTProcessor)
TestKeys(org.springframework.security.oauth2.jose.TestKeys)
Mono(reactor.core.publisher.Mono)
UnknownHostException(java.net.UnknownHostException)
Mockito.verify(org.mockito.Mockito.verify)
Consumer(java.util.function.Consumer)
Flux(reactor.core.publisher.Flux)
AfterEach(org.junit.jupiter.api.AfterEach)
DefaultJOSEObjectTypeVerifier(com.nimbusds.jose.proc.DefaultJOSEObjectTypeVerifier)
SignatureAlgorithm(org.springframework.security.oauth2.jose.jws.SignatureAlgorithm)
Assertions.assertThatIllegalArgumentException(org.assertj.core.api.Assertions.assertThatIllegalArgumentException)
OAuth2Error(org.springframework.security.oauth2.core.OAuth2Error)
Collections(java.util.Collections)
JOSEObjectType(com.nimbusds.jose.JOSEObjectType)
WebClient(org.springframework.web.reactive.function.client.WebClient)
Test(org.junit.jupiter.api.Test)
Example 4 with NimbusReactiveJwtDecoder
use of org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder in project spring-security by spring-projects.
the class NimbusReactiveJwtDecoderTests method withSecretKeyWhenUsingCustomTypeHeaderThenRefuseOmittedType.
// gh-8730
@Test
public void withSecretKeyWhenUsingCustomTypeHeaderThenRefuseOmittedType() {
SecretKey secretKey = TestKeys.DEFAULT_SECRET_KEY;
// @formatter:off
NimbusReactiveJwtDecoder decoder = NimbusReactiveJwtDecoder.withSecretKey(secretKey).jwtProcessorCustomizer((p) -> p.setJWSTypeVerifier(new DefaultJOSEObjectTypeVerifier<>(new JOSEObjectType("JWS")))).build();
assertThatExceptionOfType(BadJwtException.class).isThrownBy(() -> decoder.decode(this.messageReadToken).block()).havingRootCause().withMessage("Required JOSE header typ (type) parameter is missing");
// @formatter:on
}
Also used :
BeforeEach(org.junit.jupiter.api.BeforeEach)
JWKSecurityContext(com.nimbusds.jose.proc.JWKSecurityContext)
EncodedKeySpec(java.security.spec.EncodedKeySpec)
Date(java.util.Date)
Assertions.assertThat(org.assertj.core.api.Assertions.assertThat)
WebClient(org.springframework.web.reactive.function.client.WebClient)
JWKSet(com.nimbusds.jose.jwk.JWKSet)
OAuth2TokenValidator(org.springframework.security.oauth2.core.OAuth2TokenValidator)
MacAlgorithm(org.springframework.security.oauth2.jose.jws.MacAlgorithm)
RSAPublicKey(java.security.interfaces.RSAPublicKey)
BeforeAll(org.junit.jupiter.api.BeforeAll)
BDDMockito.given(org.mockito.BDDMockito.given)
Map(java.util.Map)
MockWebServer(okhttp3.mockwebserver.MockWebServer)
ParseException(java.text.ParseException)
JWKSource(com.nimbusds.jose.jwk.source.JWKSource)
JWSAlgorithm(com.nimbusds.jose.JWSAlgorithm)
Instant(java.time.Instant)
X509EncodedKeySpec(java.security.spec.X509EncodedKeySpec)
JWSHeader(com.nimbusds.jose.JWSHeader)
SignedJWT(com.nimbusds.jwt.SignedJWT)
KeyFactory(java.security.KeyFactory)
Test(org.junit.jupiter.api.Test)
Base64(java.util.Base64)
JWSVerificationKeySelector(com.nimbusds.jose.proc.JWSVerificationKeySelector)
JWSSigner(com.nimbusds.jose.JWSSigner)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
JOSEObjectType(com.nimbusds.jose.JOSEObjectType)
SecretKey(javax.crypto.SecretKey)
MockResponse(okhttp3.mockwebserver.MockResponse)
OAuth2TokenValidatorResult(org.springframework.security.oauth2.core.OAuth2TokenValidatorResult)
Mockito.mock(org.mockito.Mockito.mock)
ArgumentMatchers.any(org.mockito.ArgumentMatchers.any)
JWSKeySelector(com.nimbusds.jose.proc.JWSKeySelector)
InvalidKeySpecException(java.security.spec.InvalidKeySpecException)
JWTClaimsSet(com.nimbusds.jwt.JWTClaimsSet)
Mockito.spy(org.mockito.Mockito.spy)
Assertions.assertThatExceptionOfType(org.assertj.core.api.Assertions.assertThatExceptionOfType)
MACSigner(com.nimbusds.jose.crypto.MACSigner)
Converter(org.springframework.core.convert.converter.Converter)
Assertions.assertThatIllegalStateException(org.assertj.core.api.Assertions.assertThatIllegalStateException)
ConfigurableJWTProcessor(com.nimbusds.jwt.proc.ConfigurableJWTProcessor)
TestKeys(org.springframework.security.oauth2.jose.TestKeys)
Mono(reactor.core.publisher.Mono)
UnknownHostException(java.net.UnknownHostException)
Mockito.verify(org.mockito.Mockito.verify)
Consumer(java.util.function.Consumer)
Flux(reactor.core.publisher.Flux)
AfterEach(org.junit.jupiter.api.AfterEach)
DefaultJOSEObjectTypeVerifier(com.nimbusds.jose.proc.DefaultJOSEObjectTypeVerifier)
SignatureAlgorithm(org.springframework.security.oauth2.jose.jws.SignatureAlgorithm)
Assertions.assertThatIllegalArgumentException(org.assertj.core.api.Assertions.assertThatIllegalArgumentException)
OAuth2Error(org.springframework.security.oauth2.core.OAuth2Error)
Collections(java.util.Collections)
JOSEObjectType(com.nimbusds.jose.JOSEObjectType)
SecretKey(javax.crypto.SecretKey)
Test(org.junit.jupiter.api.Test)
Aggregations
Map (java.util.Map)3
OAuth2Error (org.springframework.security.oauth2.core.OAuth2Error)3
MacAlgorithm (org.springframework.security.oauth2.jose.jws.MacAlgorithm)3
SignatureAlgorithm (org.springframework.security.oauth2.jose.jws.SignatureAlgorithm)3
JOSEObjectType (com.nimbusds.jose.JOSEObjectType)2
JWSAlgorithm (com.nimbusds.jose.JWSAlgorithm)2
JWSHeader (com.nimbusds.jose.JWSHeader)2
JWSSigner (com.nimbusds.jose.JWSSigner)2
MACSigner (com.nimbusds.jose.crypto.MACSigner)2
JWKSet (com.nimbusds.jose.jwk.JWKSet)2
JWKSource (com.nimbusds.jose.jwk.source.JWKSource)2
DefaultJOSEObjectTypeVerifier (com.nimbusds.jose.proc.DefaultJOSEObjectTypeVerifier)2
JWKSecurityContext (com.nimbusds.jose.proc.JWKSecurityContext)2
JWSKeySelector (com.nimbusds.jose.proc.JWSKeySelector)2
JWSVerificationKeySelector (com.nimbusds.jose.proc.JWSVerificationKeySelector)2
JWTClaimsSet (com.nimbusds.jwt.JWTClaimsSet)2
SignedJWT (com.nimbusds.jwt.SignedJWT)2
ConfigurableJWTProcessor (com.nimbusds.jwt.proc.ConfigurableJWTProcessor)2
UnknownHostException (java.net.UnknownHostException)2
KeyFactory (java.security.KeyFactory)2
