diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/AbstractOIDCAuthenticationFilter.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/AbstractOIDCAuthenticationFilter.java
index a498904fb..5d0214467 100644
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/AbstractOIDCAuthenticationFilter.java
+++ b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/AbstractOIDCAuthenticationFilter.java
@@ -489,7 +489,6 @@ public class AbstractOIDCAuthenticationFilter extends
 if(jwtValidator.validateSignature(jsonRoot.getAsJsonObject().get("id_token").getAsString())
 && idToken.getClaims().getIssuer() != null
 && idToken.getClaims().getIssuer().equals(serverConfig.getIssuer())
- && idToken.getClaims().getIssuer().equals(serverConfig.getClientId())
 && !jwtValidator.isJwtExpired(idToken)
 && jwtValidator.validateIssuedAt(idToken)){
diff --git a/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/JwtSigningAndValidationService.java b/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/JwtSigningAndValidationService.java
index 8281501db..aed3c8fb3 100644
--- a/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/JwtSigningAndValidationService.java
+++ b/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/JwtSigningAndValidationService.java
@@ -20,6 +20,7 @@ import java.security.PublicKey;
 import java.util.Map;
 import org.mitre.jwt.model.Jwt;
+import org.mitre.jwt.signer.JwtSigner;
 public interface JwtSigningAndValidationService {
@@ -28,7 +29,7 @@ public interface JwtSigningAndValidationService {
 *
 * @return
 */
- public Map getAllPublicKeys();
+ public Map getAllSigners();
 /**
 * Check to see if this JWT has expired or not
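Review bot: Removing the `getIssuer().equals(serverConfig.getClientId())` clause drops a condition that could never hold, but it leaves the ID token's audience unchecked: nothing in the surviving condition compares the `aud` claim with this client's ID, which OpenID Connect requires a relying party to do (together with `azp` when several audiences are present). I would replace the removed line with an audience comparison rather than delete it, e.g. `&& idToken.getClaims().getAudience() != null && idToken.getClaims().getAudience().contains(serverConfig.getClientId())`, adjusted to whatever accessor JwtClaims actually exposes for `aud`, which this diff does not show. The visible clauses also contain no nonce comparison against the value sent in the authorization request; if that happens elsewhere, a comment pointing to it would help the next reader. The enclosing method starts and ends outside this hunk.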
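Review bot: The Javadoc above the renamed `getAllSigners()` still has an empty `@return`, and the contract changed more than the name suggests: the map now holds `JwtSigner` objects, which for an RSA signer presumably carry the signing key, rather than the `PublicKey` instances the old method returned. I would state that explicitly, e.g. `@return a new map from key ID to the signer registered under that ID; signer objects may hold private key material, so callers must only expose their public parts`, so that consumers such as the JWK view know what they are handling.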
diff --git a/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/AbstractJwtSigningAndValidationService.java b/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/AbstractJwtSigningAndValidationService.java
index f14f3b80e..697b93f54 100644
--- a/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/AbstractJwtSigningAndValidationService.java
+++ b/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/AbstractJwtSigningAndValidationService.java
@@ -50,7 +50,8 @@ public abstract class AbstractJwtSigningAndValidationService implements JwtSigni
 Date issuedAt = jwt.getClaims().getIssuedAt();
 if (issuedAt != null) {
- return new Date().before(issuedAt);
+ // make sure the token was issued in the past
+ return new Date().after(issuedAt);
 } else {
 return false;
 }
diff --git a/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/JwtSigningAndValidationServiceDefault.java b/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/JwtSigningAndValidationServiceDefault.java
index f1078ce75..cf8dc9cb6 100644
--- a/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/JwtSigningAndValidationServiceDefault.java
+++ b/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/JwtSigningAndValidationServiceDefault.java
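Review bot: `new Date().after(issuedAt)` now rejects tokens issued in the future, which is the intended direction, but it allows no clock skew at all: an `iat` even one millisecond ahead of this host's clock fails validation, and a token whose `iat` equals the current millisecond also fails because `after` is strict. Issuers and relying parties rarely have perfectly synchronized clocks, so a small, documented leeway is the usual practice, e.g. `return new Date(System.currentTimeMillis() + ALLOWED_CLOCK_SKEW_MILLIS).after(issuedAt);` with a constant of a few seconds and a comment explaining why it exists. The `else` branch returning false for a missing `iat` is a reasonable fail-closed default and deserves a one-line comment saying so. The method signature is outside this hunk.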
@@ -77,34 +77,20 @@ public class JwtSigningAndValidationServiceDefault extends AbstractJwtSigningAnd
 }
- /*
- * (non-Javadoc)
+ /**
+ *
+ * Returns a copy of the collection of signers.
 *
 * @see
 * org.mitre.jwt.signer.service.JwtSigningAndValidationService#getAllPublicKeys
 * ()
 */
 @Override
- public Map getAllPublicKeys() {
+ public Map getAllSigners() {
- Map map = new HashMap();
+ Map map = new HashMap();
- for (String signerId : signers.keySet()) {
-
- JwtSigner signer = signers.get(signerId);
-
- if (signer instanceof RsaSigner) {
-
- RsaSigner rsa = (RsaSigner)signer;
-
- PublicKey publicKey = rsa.getPublicKey();
-
- if (publicKey != null) {
- map.put(signerId, publicKey);
- }
-
- }
- }
+ map.putAll(signers);
 return map;
 }
@@ -165,23 +151,4 @@ public class JwtSigningAndValidationServiceDefault extends AbstractJwtSigningAnd
 return signers;
 }
- @Override
- public boolean validateIssuedAt(Jwt jwt) {
- Date issuedAt = jwt.getClaims().getIssuedAt();
-
- if (issuedAt != null)
- return new Date().before(issuedAt);
- else
- return false;
- }
-
- @Override
- public boolean validateNonce(Jwt jwt, String nonce) {
- if(nonce.equals(jwt.getClaims().getNonce())){
- return true;
- }
- else{
- return false;
- }
- }
 }
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/view/JwkKeyListView.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/view/JwkKeyListView.java
index c9f3a6de4..8467e5cd1 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/view/JwkKeyListView.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/view/JwkKeyListView.java
@@ -30,6 +30,8 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import org.apache.commons.codec.binary.Base64;
+import org.mitre.jwt.signer.JwtSigner;
+import org.mitre.jwt.signer.impl.RsaSigner;
 import org.springframework.validation.BeanPropertyBindingResult;
 import org.springframework.web.servlet.view.AbstractView;
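Review bot: `getAllSigners()` now returns the `JwtSigner` objects themselves, and the `RsaSigner` the old loop unwrapped with `getPublicKey()` is the object that does the signing, so a method that previously exposed only `PublicKey` values now gives every caller of the service interface a handle on what is presumably private key material; if the JWK endpoint is the only consumer, keeping a public-key-only accessor alongside would keep that surface narrow. The rewritten Javadoc also still says `@see ...JwtSigningAndValidationService#getAllPublicKeys ()`, a method this commit removes; it should read `@see org.mitre.jwt.signer.service.JwtSigningAndValidationService#getAllSigners()`. `map.putAll(signers)` copies the map but not the signers, so "Returns a copy of the collection of signers" is true only of the container; I would write `Returns a new map of key ID to signer; the signer objects themselves are shared, not copied`. The second hunk deletes `validateNonce` from this class without a visible replacement, so please confirm the abstract base still provides it, as nonce checking is what prevents ID token replay.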
@@ -77,19 +79,22 @@ public class JwkKeyListView extends AbstractView {
 Writer out = response.getWriter();
- BiMap keyMap = (BiMap) model.get("keys");
+ //BiMap keyMap = (BiMap) model.get("keys");
+ Map signers = (Map) model.get("signers");
 JsonObject obj = new JsonObject();
 JsonArray keys = new JsonArray();
 obj.add("keys", keys);
- for (String keyId : keyMap.keySet()) {
+ for (String keyId : signers.keySet()) {
- PublicKey src = keyMap.get(keyId);
+ JwtSigner src = signers.get(keyId);
- if (src instanceof RSAPublicKey) {
+ if (src instanceof RsaSigner) {
- RSAPublicKey rsa = (RSAPublicKey)src;
+ RsaSigner rsaSigner = (RsaSigner) src;
+
+ RSAPublicKey rsa = (RSAPublicKey) rsaSigner.getPublicKey(); // we're sure this is an RSAPublicKey b/c this is an RsaSigner
 BigInteger mod = rsa.getModulus();
@@ -101,13 +106,13 @@ public class JwkKeyListView extends AbstractView {
 JsonObject o = new JsonObject();
 o.addProperty("use", "sig"); // since we don't do encryption yet
- o.addProperty("alg", "RS" + rsa.getModulus().bitLength()); // we know this is RSA
+ o.addProperty("alg", rsaSigner.getAlgorithm()); // we know this is RSA
 o.addProperty("mod", m64);
 o.addProperty("exp", e64);
 o.addProperty("kid", keyId);
 keys.add(o);
- }
+ } // TODO: deal with non-RSA key types
 }
 gson.toJson(obj, out);
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/JsonWebKeyEndpoint.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/JsonWebKeyEndpoint.java
index 938c46858..e351716e4 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/JsonWebKeyEndpoint.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/JsonWebKeyEndpoint.java
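Review bot: The commented-out `//BiMap keyMap = (BiMap) model.get("keys");` should be deleted rather than kept; the removed line is already in history and the dead code only invites confusion. The raw cast `(Map) model.get("signers")` also throws a NullPointerException at `signers.keySet()` if the controller ever omits the attribute, so the endpoint would return a server error instead of an empty `keys` array; a guard that substitutes an empty map when the attribute is absent (`if (signers == null) { signers = new HashMap(); }`, or the parameterized type if the generics were only lost in rendering) keeps the JWK document well-formed. The enclosing render method starts and ends outside this hunk.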
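Review bot: `o.addProperty("alg", rsaSigner.getAlgorithm())` replaces the computed `"RS" + modulus bit length` (which was wrong anyway, since JWA `alg` names encode the hash, not the key size), but the JWK is only valid if `getAlgorithm()` returns a JWA identifier such as `RS256`; if it yields a JCA name like `SHA256withRSA`, consumers will reject the key set. The diff does not show `RsaSigner.getAlgorithm()`, so I would either confirm that or annotate the line: `// getAlgorithm() must be the JWA name (RS256/RS384/RS512), not the JCA signature algorithm`. The `// TODO: deal with non-RSA key types` on the closing brace also means any non-RSA signer is silently absent from the published key set; logging a warning in that case would make a misconfigured key ring visible rather than producing a JWK document that quietly lacks a key.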
@@ -21,6 +21,7 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import org.mitre.jwt.signer.JwtSigner;
 import org.mitre.jwt.signer.service.JwtSigningAndValidationService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Controller;
@@ -40,16 +41,12 @@ public class JsonWebKeyEndpoint {
 @RequestMapping("/jwk")
 public ModelAndView getJwk() {
- // get all public keys for display
- // map from key id to public key for that signer
- Map keys = jwtService.getAllPublicKeys();
-
- // put them into a bidirectional map to get at key IDs
- BiMap biKeys = HashBiMap.create(keys);
+ // map from key id to signer
+ Map signers = jwtService.getAllSigners();
 // TODO: check if keys are empty, return a 404 here or just an empty list?
- return new ModelAndView("jwkKeyList", "keys", biKeys);
+ return new ModelAndView("jwkKeyList", "signers", signers);
 }
 }
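Review bot: `getJwk()` now places the signer map straight into the Spring model, so the `signers` attribute carries objects that for RSA presumably hold the private key; `JwkKeyListView` serializes only the public parts, but if view resolution ever falls back to a generic JSON view, or another view reads the same attribute, the private material is one `toJson` call away. Extracting the public pieces in the controller and handing the view only those (kid, public key, algorithm) would keep private keys out of the model entirely. The Guava `BiMap`/`HashBiMap` imports used by the removed lines are no longer referenced by this method and, unless they are dropped in a part of the file this diff does not show, are now dead imports; the `// TODO: check if keys are empty` left above the `return` still applies to the new map.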