
Example 1 with JwtClaimsSetVerifier

Use of org.springframework.security.oauth2.provider.token.store.JwtClaimsSetVerifier in the spring-security-oauth project by spring-projects: class JwkTokenStoreITest, method readAccessTokenWhenJwtHasInvalidIssuerClaimThenVerificationFails.

// gh-1114 Issuer claim verification
// Negative case: the IssuerClaimVerifier is configured with the issuer advertised by the
// provider ("…/realms/Demo-2"), but the token's 'iss' claim is "…/realms/Demo". The mismatch
// makes readAccessToken() throw InvalidTokenException, so the trailing assertEquals is never
// reached; the expected exception is the assertion.
@Test(expected = InvalidTokenException.class)
public void readAccessTokenWhenJwtHasInvalidIssuerClaimThenVerificationFails() throws Exception {
    String issuer = "http://localhost:8180/auth/realms/Demo-2";
    // Queue the provider-discovery and JWK Set responses on the test's mock HTTP server
    this.setUpResponses(issuer);
    ProviderDiscoveryClient discoveryClient = new ProviderDiscoveryClient(this.server.url("").toString());
    ProviderConfiguration providerConfiguration = discoveryClient.discover();
    // Claims-set verification runs after signature verification; the delegating verifier
    // applies every registered JwtClaimsSetVerifier in turn
    List<JwtClaimsSetVerifier> jwtClaimsSetVerifiers = new ArrayList<JwtClaimsSetVerifier>();
    jwtClaimsSetVerifiers.add(new IssuerClaimVerifier(providerConfiguration.getIssuer()));
    JwkTokenStore jwkTokenStore = new JwkTokenStore(providerConfiguration.getJwkSetUri().toString(), new DelegatingJwtClaimsSetVerifier(jwtClaimsSetVerifiers));
    // NOTE: The 'iss' claim in this JWT is http://localhost:8180/auth/realms/Demo
    // (the payload segment of the token is elided in this listing)
    String jwt = "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJfQ2kzLVZmVl9OMFlBRzIyTlFPZ09VcEZCRERjRGVfckp4cHU1Sks3MDJvIn0....NfF5rPMabu8gaigUHZnX3gIzNGAxKpmPP206U5keNtexNqsmQEFO4KT2i1JYLwvNVFnRWCa8FmYokAtzeHgLvHk2B8CZXqL6GSMGQ26wPS5RIFTak9HjfHMhodqSIdy4wZTKmEcum_uYTaCdrVRSfWU8l94xAY6OzwElZX5ulkucvgWQnpFs0HB7X54kB07OqpN8L3i1jeQoEV0iJchtxZiEOSipqMNO7cujMqB_6lf9i78URPuyExfeLzAWyDbMWSJBp3zUoS7HakwE_4oC3eVEYTxDtMRL2yl2_8R0C0g2Dc0Qb9aezFxo3-SDNuy9aicDmibEEOpIoetlrIYbNA";
    // Throws InvalidTokenException here because the 'iss' claim does not match
    OAuth2AccessToken accessToken = jwkTokenStore.readAccessToken(jwt);
    assertEquals(issuer, accessToken.getAdditionalInformation().get("iss"));
}
Imports used by this example (classes from the same package, such as JwkTokenStore, need no import):

import java.util.ArrayList;
import java.util.List;
import org.junit.Test;
import org.springframework.security.oauth2.client.discovery.ProviderConfiguration;
import org.springframework.security.oauth2.client.discovery.ProviderDiscoveryClient;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.provider.token.store.DelegatingJwtClaimsSetVerifier;
import org.springframework.security.oauth2.provider.token.store.IssuerClaimVerifier;
import org.springframework.security.oauth2.provider.token.store.JwtClaimsSetVerifier;
import static org.junit.Assert.assertEquals;

Example 2 with JwtClaimsSetVerifier

Use of org.springframework.security.oauth2.provider.token.store.JwtClaimsSetVerifier in the spring-security-oauth project by spring-projects: class JwkTokenStoreTest, method readAccessTokenWhenJwtClaimsSetVerifierIsSetThenVerifyIsCalled.

// gh-1111
// Checks that a JwtClaimsSetVerifier configured on the converter is actually invoked when a
// token is read. Signature verification is neutralised with mocks so that only the
// claims-set hook is exercised.
@Test
public void readAccessTokenWhenJwtClaimsSetVerifierIsSetThenVerifyIsCalled() throws Exception {
    // A JWK definition that reports RS256 and hands out a mock SignatureVerifier; the mock's
    // verify() does nothing, so any token passes signature verification in this unit test
    JwkDefinition jwkDefinition = mock(JwkDefinition.class);
    when(jwkDefinition.getAlgorithm()).thenReturn(JwkDefinition.CryptoAlgorithm.RS256);
    JwkDefinitionSource.JwkDefinitionHolder jwkDefinitionHolder = mock(JwkDefinitionSource.JwkDefinitionHolder.class);
    when(jwkDefinitionHolder.getJwkDefinition()).thenReturn(jwkDefinition);
    when(jwkDefinitionHolder.getSignatureVerifier()).thenReturn(mock(SignatureVerifier.class));
    // The definition source resolves any 'kid' header value to the holder above
    JwkDefinitionSource jwkDefinitionSource = mock(JwkDefinitionSource.class);
    when(jwkDefinitionSource.getDefinitionLoadIfNecessary(anyString())).thenReturn(jwkDefinitionHolder);
    JwkVerifyingJwtAccessTokenConverter jwtVerifyingAccessTokenConverter = new JwkVerifyingJwtAccessTokenConverter(jwkDefinitionSource);
    // The mock verifier under test is attached to the converter
    JwtClaimsSetVerifier jwtClaimsSetVerifier = mock(JwtClaimsSetVerifier.class);
    jwtVerifyingAccessTokenConverter.setJwtClaimsSetVerifier(jwtClaimsSetVerifier);
    // Swap the store's private 'delegate' for a JwtTokenStore built on that converter,
    // using reflection because the field has no setter
    JwkTokenStore spy = spy(this.jwkTokenStore);
    JwtTokenStore delegate = new JwtTokenStore(jwtVerifyingAccessTokenConverter);
    Field field = ReflectionUtils.findField(spy.getClass(), "delegate");
    field.setAccessible(true);
    ReflectionUtils.setField(field, spy, delegate);
    OAuth2AccessToken accessToken = spy.readAccessToken("eyJhbGciOiJSUzI1NiIsImtpZCI6IjEifQ==.eyJ1c2VyX25hbWUiOiJ0ZXN0MiIsImp0aSI6IkZPTyIsImNsaWVudF9pZCI6ImZvbyJ9.b43ob1ALSIwr_J2oEnfMhsXvYkr1qVBNhigNH2zlaE1OQLhLfT-DMlFtHcyUlyap0C2n0q61SPaGE_z715TV0uTAv2YKDN4fKZz2bMR7eHLsvaaCuvs7KCOi_aSROaUG");
    // The decoded claims map must have been passed to the configured verifier
    verify(jwtClaimsSetVerifier).verify(anyMap());
}
Imports used by this example (JwkDefinition, JwkDefinitionSource and JwkVerifyingJwtAccessTokenConverter live in the test's own package; the static imports for mock, when, spy, verify, anyString and anyMap are not listed on the page and are assumed to come from Mockito):

import java.lang.reflect.Field;
import org.junit.Test;
import org.powermock.core.classloader.annotations.PrepareForTest;
import org.springframework.security.jwt.crypto.sign.SignatureVerifier;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.token.store.JwtClaimsSetVerifier;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
import org.springframework.util.ReflectionUtils;
import static org.mockito.Mockito.*;

Example 3 with JwtClaimsSetVerifier

Use of org.springframework.security.oauth2.provider.token.store.JwtClaimsSetVerifier in the spring-security-oauth project by spring-projects: class JwkTokenStoreITest, method readAccessTokenWhenJwtHasValidIssuerClaimThenVerificationSucceeds.

// gh-1114 Issuer claim verification
// Positive case: the issuer advertised by the provider ("…/realms/Demo") matches the token's
// 'iss' claim, so IssuerClaimVerifier accepts the claims set and the token is returned with
// its claims exposed through getAdditionalInformation().
@Test
public void readAccessTokenWhenJwtHasValidIssuerClaimThenVerificationSucceeds() throws Exception {
    String issuer = "http://localhost:8180/auth/realms/Demo";
    // Queue the provider-discovery and JWK Set responses on the test's mock HTTP server
    this.setUpResponses(issuer);
    ProviderDiscoveryClient discoveryClient = new ProviderDiscoveryClient(this.server.url("").toString());
    ProviderConfiguration providerConfiguration = discoveryClient.discover();
    // Bind the verifier to the discovered issuer rather than a hard-coded value
    List<JwtClaimsSetVerifier> jwtClaimsSetVerifiers = new ArrayList<JwtClaimsSetVerifier>();
    jwtClaimsSetVerifiers.add(new IssuerClaimVerifier(providerConfiguration.getIssuer()));
    JwkTokenStore jwkTokenStore = new JwkTokenStore(providerConfiguration.getJwkSetUri().toString(), new DelegatingJwtClaimsSetVerifier(jwtClaimsSetVerifiers));
    // NOTE: The 'iss' claim in this JWT is http://localhost:8180/auth/realms/Demo
    // (the payload segment of the token is elided in this listing)
    String jwt = "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJfQ2kzLVZmVl9OMFlBRzIyTlFPZ09VcEZCRERjRGVfckp4cHU1Sks3MDJvIn0....NfF5rPMabu8gaigUHZnX3gIzNGAxKpmPP206U5keNtexNqsmQEFO4KT2i1JYLwvNVFnRWCa8FmYokAtzeHgLvHk2B8CZXqL6GSMGQ26wPS5RIFTak9HjfHMhodqSIdy4wZTKmEcum_uYTaCdrVRSfWU8l94xAY6OzwElZX5ulkucvgWQnpFs0HB7X54kB07OqpN8L3i1jeQoEV0iJchtxZiEOSipqMNO7cujMqB_6lf9i78URPuyExfeLzAWyDbMWSJBp3zUoS7HakwE_4oC3eVEYTxDtMRL2yl2_8R0C0g2Dc0Qb9aezFxo3-SDNuy9aicDmibEEOpIoetlrIYbNA";
    // Signature verification against the JWK Set and the issuer check both pass
    OAuth2AccessToken accessToken = jwkTokenStore.readAccessToken(jwt);
    assertEquals(issuer, accessToken.getAdditionalInformation().get("iss"));
}
Imports used by this example (classes from the same package, such as JwkTokenStore, need no import):

import java.util.ArrayList;
import java.util.List;
import org.junit.Test;
import org.springframework.security.oauth2.client.discovery.ProviderConfiguration;
import org.springframework.security.oauth2.client.discovery.ProviderDiscoveryClient;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.token.store.DelegatingJwtClaimsSetVerifier;
import org.springframework.security.oauth2.provider.token.store.IssuerClaimVerifier;
import org.springframework.security.oauth2.provider.token.store.JwtClaimsSetVerifier;
import static org.junit.Assert.assertEquals;
