From 1dc204f97599f011bd51fa74bf0cf5f86bc38f08 Mon Sep 17 00:00:00 2001
From: Christopher Elkins
Date: Fri, 13 Jun 2014 14:59:15 -0700
Subject: [PATCH] Validate HMAC-signed ID tokens

---
 .../connect/client/OIDCAuthenticationFilter.java | 10 ++++++++++
 .../jwt/signer/service/impl/SymmetricCacheService.java | 2 +-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java
index 663711ec2..7a4fcf3cd 100644
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java
+++ b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java
@@ -444,6 +444,16 @@ public class OIDCAuthenticationFilter extends AbstractAuthenticationProcessingFi
 // check the signature
 JwtSigningAndValidationService jwtValidator = validationServices.getValidator(serverConfig.getJwksUri());
+ if (jwtValidator == null) {
+ JWSAlgorithm alg = idToken.getHeader().getAlgorithm();
+ if (alg.equals(JWSAlgorithm.HS256)
+ || alg.equals(JWSAlgorithm.HS384)
+ || alg.equals(JWSAlgorithm.HS512)) {
+
+ // generate one based on client secret
+ jwtValidator = symmetricCacheService.getSymmetricValidtor(clientConfig.getClient());
+ }
+ }
 if (jwtValidator != null) {
 if(!jwtValidator.validateSignature(idToken)) {
 throw new AuthenticationServiceException("Signature validation failed");
diff --git a/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/SymmetricCacheService.java b/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/SymmetricCacheService.java
index 77e8b3af1..46a3304b4 100644
--- a/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/SymmetricCacheService.java
+++ b/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/SymmetricCacheService.java
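Review bot: The HMAC fallback is selected by the token's own header at `JWSAlgorithm alg = idToken.getHeader().getAlgorithm();`, so whenever `validationServices.getValidator(serverConfig.getJwksUri())` returns null (presumably including a transient JWKS fetch failure) the presented token, not the client's configuration, decides that the client secret is the verification key. The secret is not public, so this is not the public-key-as-HMAC-secret confusion, but verification now follows what the token claims rather than what the client was registered to expect, and nothing in the hunk logs which validator was chosen. Prefer gating the fallback on the client's registered signing algorithm (if `clientConfig.getClient()` exposes its `id_token_signed_response_alg`, compare against that and treat the `alg` header only as a cross-check) and log the fallback so a sudden switch from JWKS to HMAC verification is visible in audit data. The branch taken when `jwtValidator` is still null after this block lies outside the hunk; it should fail closed with an `AuthenticationServiceException` rather than skip signature verification. The called method `getSymmetricValidtor` is misspelled; if it is introduced by this change, `getSymmetricValidator` is the conventional spelling.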
@@ -98,7 +98,7 @@ public class SymmetricCacheService {
 String id = "SYMMETRIC-KEY";
- JWK jwk = new OctetSequenceKey(Base64URL.encode(key), Use.SIGNATURE, null, id, null, null, null);
+ JWK jwk = new OctetSequenceKey(new Base64URL(key), Use.SIGNATURE, null, id, null, null, null);
 Map keys = ImmutableMap.of(id, jwk);
 JwtSigningAndValidationService service = new DefaultJwtSigningAndValidationService(keys);
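Review bot: `new Base64URL(key)` treats the client secret as text that is already base64url-encoded, so the HMAC key material becomes its decoded bytes, whereas the removed `Base64URL.encode(key)` used the secret's own octets; OpenID Connect Core §10.1 specifies the UTF-8 octets of `client_secret` as the shared HMAC key, so the new form will reject ID tokens from a provider that follows that rule. A secret containing characters outside the base64url alphabet (`+`, `/`, `=`, other punctuation) may also decode to silently different key material rather than failing loudly, and the decoded key is roughly a quarter shorter than the original string, which can drop it below the minimum HMAC key size (RFC 7518 §3.2) if the verifier enforces one — that enforcement is not visible here. Unless the secret is documented as already base64url-encoded, restore `JWK jwk = new OctetSequenceKey(Base64URL.encode(key), Use.SIGNATURE, null, id, null, null, null);` and add a comment such as `// HMAC key is the raw client_secret octets (OIDC Core 10.1); do not base64url-decode it`. The enclosing method begins before this hunk, so how `key` is obtained and whether a null or empty secret is rejected cannot be checked from here.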