diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerAuthenticationProvider.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerAuthenticationProvider.java index 38b037edd..5fdb0c45d 100644 --- a/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerAuthenticationProvider.java +++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerAuthenticationProvider.java @@ -53,8 +53,8 @@ public class JwtBearerAuthenticationProvider implements AuthenticationProvider { private static final Logger logger = LoggerFactory.getLogger(JwtBearerAuthenticationProvider.class); - // map of validators, load keys for clients - private Map validators = new HashMap(); + // map of verifiers, load keys for clients + private Map verifiers = new HashMap(); // Allow for time sync issues by having a window of X seconds. private int timeSkewAllowance = 300; @@ -79,19 +79,13 @@ public class JwtBearerAuthenticationProvider implements AuthenticationProvider { try { ClientDetailsEntity client = clientService.loadClientByClientId(jwtAuth.getClientId()); - // fetch our client's key - KeyFetcher keyFetch = new KeyFetcher(); - RSAPublicKey k2 = (RSAPublicKey) keyFetch.retrieveJwkKey(client.getJwkUrl()); - - // use Nimbus to verify the signature - JWSVerifier v2 = new RSASSAVerifier(k2); - - JWSObject j3 = JWSObject.parse(jwtAuth.getJwt().toString()); - Jwt jwt = jwtAuth.getJwt(); JwtClaims jwtClaims = jwt.getClaims(); - if (!j3.verify(v2)) { + // check the signature with nimbus + JWSVerifier verifier = getVerifierForClient(client); + JWSObject jws = JWSObject.parse(jwtAuth.getJwt().toString()); + if (verifier != null && !jws.verify(verifier)) { throw new AuthenticationServiceException("Invalid signature"); } @@ -161,10 +155,10 @@ public class JwtBearerAuthenticationProvider implements AuthenticationProvider { return (JwtBearerAssertionAuthenticationToken.class.isAssignableFrom(authentication)); } - protected JwtSigningAndValidationService getValidatorForClient(ClientDetailsEntity client) { + protected JWSVerifier getVerifierForClient(ClientDetailsEntity client) { - if(validators.containsKey(client)){ - return validators.get(client); + if(verifiers.containsKey(client)){ + return verifiers.get(client); } else { KeyFetcher keyFetch = new KeyFetcher(); @@ -182,27 +176,13 @@ public class JwtBearerAuthenticationProvider implements AuthenticationProvider { } if (signingKey != null) { - Map signers = new HashMap(); - - if (signingKey instanceof RSAPublicKey) { - - RSAPublicKey rsaKey = (RSAPublicKey)signingKey; - - // build an RSA signers - RsaSigner signer256 = new RsaSigner(JwsAlgorithm.RS256.getJwaName(), rsaKey, null); - RsaSigner signer384 = new RsaSigner(JwsAlgorithm.RS384.getJwaName(), rsaKey, null); - RsaSigner signer512 = new RsaSigner(JwsAlgorithm.RS512.getJwaName(), rsaKey, null); - signers.put(client.getClientId() + JwsAlgorithm.RS256.getJwaName(), signer256); - signers.put(client.getClientId() + JwsAlgorithm.RS384.getJwaName(), signer384); - signers.put(client.getClientId() + JwsAlgorithm.RS512.getJwaName(), signer512); - } - - JwtSigningAndValidationService signingAndValidationService = new DefaultJwtSigningAndValidationService(signers); + // TODO: this assumes RSA + JWSVerifier verifier = new RSASSAVerifier((RSAPublicKey) signingKey); - validators.put(client, signingAndValidationService); + verifiers.put(client, verifier); - return signingAndValidationService; + return verifier; } else { // there were either no keys returned or no URLs configured to fetch them, assume no checking on key signatures