
Example 1 with ClientService

use of org.xdi.oxauth.service.ClientService in project oxAuth by GluuFederation.

From the class JwtAuthorizationRequest, method validateSignature.

/**
 * Verifies the signature of a signed request object against the client's key material.
 *
 * <p>Both the client's decrypted secret and its JWK set are handed to the crypto provider,
 * which presumably picks the shared secret for HMAC algorithms and the key set for
 * asymmetric ones (TODO confirm against the provider implementation). The key set is built
 * from the client's inline {@code jwks} when registered, otherwise it is fetched from the
 * client's {@code jwks_uri}. The key id used for lookup is this object's {@code keyId} field.
 *
 * @param signatureAlgorithm algorithm the request object claims to be signed with
 * @param client             registered client whose secret / keys are used for verification
 * @param signingInput       the header.payload segment the signature was computed over
 * @param signature          the encoded signature segment to verify
 * @return {@code true} when the crypto provider accepts the signature, {@code false} otherwise
 * @throws Exception propagated from secret decryption, JWKS retrieval or the crypto provider
 */
private boolean validateSignature(SignatureAlgorithm signatureAlgorithm, Client client, String signingInput, String signature) throws Exception {
    ClientService clients = CdiUtil.bean(ClientService.class);
    String secret = clients.decryptSecret(client.getClientSecret());
    String inlineJwks = client.getJwks();
    JSONObject keySet;
    if (Strings.isNullOrEmpty(inlineJwks)) {
        // No inline key set registered: resolve it from the client's jwks_uri.
        keySet = JwtUtil.getJSONWebKeys(client.getJwksUri());
    } else {
        keySet = new JSONObject(inlineJwks);
    }
    AbstractCryptoProvider provider = CryptoProviderFactory.getCryptoProvider(appConfiguration);
    return provider.verifySignature(signingInput, signature, keyId, keySet, secret, signatureAlgorithm);
}

Example 2 with ClientService

use of org.xdi.oxauth.service.ClientService in project oxAuth by GluuFederation.

From the class JwtSigner, method newJwtSigner.

/**
 * Creates a {@link JwtSigner} configured for the given client.
 *
 * <p>The signing algorithm defaults to the server-wide
 * {@code defaultSignatureAlgorithm} and is overridden by the client's registered
 * {@code id_token_signed_response_alg} when one is set. The client's secret is decrypted
 * here and handed to the signer regardless of the chosen algorithm; the signer is
 * presumably the one that decides whether it is needed (TODO confirm).
 *
 * @param appConfiguration server configuration supplying the default signature algorithm
 * @param webKeys          server key set used for asymmetric signing
 * @param client           registered client the tokens are issued to; must not be {@code null}
 * @return a signer bound to the resolved algorithm, the client id and the decrypted secret
 * @throws NullPointerException if {@code client} is {@code null}
 * @throws Exception            propagated from secret decryption
 */
public static JwtSigner newJwtSigner(AppConfiguration appConfiguration, JSONWebKeySet webKeys, Client client) throws Exception {
    Preconditions.checkNotNull(client);
    // Server default first; a client-specific algorithm takes precedence when registered.
    SignatureAlgorithm algorithm = SignatureAlgorithm.fromString(appConfiguration.getDefaultSignatureAlgorithm());
    String clientAlgorithm = client.getIdTokenSignedResponseAlg();
    if (clientAlgorithm != null) {
        algorithm = SignatureAlgorithm.fromString(clientAlgorithm);
    }
    ClientService clients = CdiUtil.bean(ClientService.class);
    String decryptedSecret = clients.decryptSecret(client.getClientSecret());
    return new JwtSigner(appConfiguration, webKeys, algorithm, client.getClientId(), decryptedSecret);
}

Example 3 with ClientService

use of org.xdi.oxauth.service.ClientService in project oxAuth by GluuFederation.

From the class ClientAssertion, method load.

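/**
 * Parses and validates a JWT bearer client assertion used for client authentication.
 *
 * <p>Validation order (each failure raises an {@link InvalidJwtException}):
 * assertion type must be {@code JWT_BEARER}; the encoded assertion must be non-blank;
 * {@code iss} and {@code sub} must be equal and, when a {@code clientId} is supplied, match it;
 * {@code aud} must contain this server's token endpoint; {@code exp} must be present and in
 * the future; the subject must resolve to a registered client; the header algorithm family
 * must match the client's authentication method (HMAC for {@code client_secret_jwt},
 * RSA/EC for {@code private_key_jwt} — any other family is rejected); and finally the
 * signature must verify against the client's secret or key set.
 *
 * <p>Side effects: the parsed token is stored in the {@code jwt} field and the client's
 * decrypted secret in the {@code clientSecret} field.
 *
 * @param appConfiguration    server configuration supplying the expected token endpoint
 * @param clientId            client id from the request, or {@code null} when not supplied
 * @param clientAssertionType declared assertion type; only {@code JWT_BEARER} is accepted
 * @param encodedAssertion    the compact-serialized JWT
 * @return {@code true} when every check passes (the method never returns {@code false})
 * @throws InvalidJwtException when any validation step fails
 * @throws Exception           propagated from parsing, secret decryption, JWKS retrieval or the crypto provider
 */
private boolean load(AppConfiguration appConfiguration, String clientId, ClientAssertionType clientAssertionType, String encodedAssertion) throws Exception {
    if (clientAssertionType != ClientAssertionType.JWT_BEARER) {
        throw new InvalidJwtException("Invalid Client Assertion Type");
    }
    if (StringUtils.isBlank(encodedAssertion)) {
        throw new InvalidJwtException("The Client Assertion is null or empty");
    }
    jwt = Jwt.parse(encodedAssertion);
    // TODO: Store jti this value to check for duplicates
    String issuer = jwt.getClaims().getClaimAsString(JwtClaimName.ISSUER);
    String subject = jwt.getClaims().getClaimAsString(JwtClaimName.SUBJECT_IDENTIFIER);
    List<String> audience = jwt.getClaims().getClaimAsStringList(JwtClaimName.AUDIENCE);
    Date expirationTime = jwt.getClaims().getClaimAsDate(JwtClaimName.EXPIRATION_TIME);

    // Validate clientId: iss and sub must agree, and match the request's client_id if given.
    if (!isIssuerBoundToClient(clientId, issuer, subject)) {
        throw new InvalidJwtException("Invalid clientId");
    }
    // Validate audience
    String tokenUrl = appConfiguration.getTokenEndpoint();
    if (audience == null || !audience.contains(tokenUrl)) {
        throw new InvalidJwtException("Invalid audience: " + audience + ", tokenUrl: " + tokenUrl);
    }
    // Validate expiration. A missing exp claim used to surface as a NullPointerException;
    // an assertion without an expiry is rejected explicitly instead of being treated as valid.
    if (expirationTime == null) {
        throw new InvalidJwtException("JWT has no expiration time");
    }
    if (!expirationTime.after(new Date())) {
        throw new InvalidJwtException("JWT has expired");
    }
    // Validate client
    ClientService clientService = CdiUtil.bean(ClientService.class);
    Client client = clientService.getClient(subject);
    if (client == null) {
        throw new InvalidJwtException("Invalid client");
    }
    JwtType jwtType = JwtType.fromString(jwt.getHeader().getClaimAsString(JwtHeaderName.TYPE));
    AuthenticationMethod authenticationMethod = client.getAuthenticationMethod();
    SignatureAlgorithm signatureAlgorithm = jwt.getHeader().getAlgorithm();
    if (jwtType == null && signatureAlgorithm != null) {
        jwtType = signatureAlgorithm.getJwtType();
    }
    // The algorithm family must be the one implied by the client's registered
    // authentication method; this also rejects any family outside HMAC/RSA/EC.
    if (jwtType == null || !isAlgorithmAllowedFor(authenticationMethod, signatureAlgorithm)) {
        throw new InvalidJwtException("Invalid authentication method");
    }
    // Decrypted once; the same value serves as the HMAC shared secret below.
    clientSecret = clientService.decryptSecret(client.getClientSecret());
    // Validate the crypto segment
    String keyId = jwt.getHeader().getKeyId();
    // NOTE(review): the key set is resolved even for client_secret_jwt clients — confirm
    // JwtUtil.getJSONWebKeys tolerates a missing jwks_uri in that case.
    JSONObject jwks = Strings.isNullOrEmpty(client.getJwks()) ? JwtUtil.getJSONWebKeys(client.getJwksUri()) : new JSONObject(client.getJwks());
    AbstractCryptoProvider cryptoProvider = CryptoProviderFactory.getCryptoProvider(appConfiguration);
    boolean validSignature = cryptoProvider.verifySignature(jwt.getSigningInput(), jwt.getEncodedSignature(), keyId, jwks, clientSecret, signatureAlgorithm);
    if (!validSignature) {
        throw new InvalidJwtException("Invalid cryptographic segment");
    }
    return true;
}

/**
 * Checks that {@code iss} and {@code sub} are both present and equal, and that they match
 * {@code clientId} when one was supplied. A non-null but blank {@code clientId} never matches.
 */
private static boolean isIssuerBoundToClient(String clientId, String issuer, String subject) {
    if (StringUtils.isBlank(issuer) || StringUtils.isBlank(subject) || !issuer.equals(subject)) {
        return false;
    }
    if (clientId == null) {
        return true;
    }
    return StringUtils.isNotBlank(clientId) && clientId.equals(issuer);
}

/**
 * Returns whether the token's signature algorithm family is the one permitted for the
 * client's authentication method: HMAC for {@code client_secret_jwt}, RSA or EC for
 * {@code private_key_jwt}. A missing algorithm or family is never allowed.
 */
private static boolean isAlgorithmAllowedFor(AuthenticationMethod authenticationMethod, SignatureAlgorithm signatureAlgorithm) {
    if (signatureAlgorithm == null || signatureAlgorithm.getFamily() == null) {
        return false;
    }
    if (authenticationMethod == AuthenticationMethod.CLIENT_SECRET_JWT) {
        return signatureAlgorithm.getFamily().equals("HMAC");
    }
    if (authenticationMethod == AuthenticationMethod.PRIVATE_KEY_JWT) {
        return signatureAlgorithm.getFamily().equals("RSA") || signatureAlgorithm.getFamily().equals("EC");
    }
    return false;
}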
