genericized nimbus code, added caching

pull/263/head
Justin Richer 2013-01-18 14:54:05 -05:00
parent 2d21a72e7e
commit 6ef4dc817e
1 changed files with 13 additions and 33 deletions


@ -53,8 +53,8 @@ public class JwtBearerAuthenticationProvider implements AuthenticationProvider {
private static final Logger logger = LoggerFactory.getLogger(JwtBearerAuthenticationProvider.class); private static final Logger logger = LoggerFactory.getLogger(JwtBearerAuthenticationProvider.class);
// map of validators, load keys for clients // map of verifiers, load keys for clients
private Map<ClientDetailsEntity, JwtSigningAndValidationService> validators = new HashMap<ClientDetailsEntity, JwtSigningAndValidationService>(); private Map<ClientDetailsEntity, JWSVerifier> verifiers = new HashMap<ClientDetailsEntity, JWSVerifier>();
// Allow for time sync issues by having a window of X seconds. // Allow for time sync issues by having a window of X seconds.
private int timeSkewAllowance = 300; private int timeSkewAllowance = 300;
@ -79,19 +79,13 @@ public class JwtBearerAuthenticationProvider implements AuthenticationProvider {
try { try {
ClientDetailsEntity client = clientService.loadClientByClientId(jwtAuth.getClientId()); ClientDetailsEntity client = clientService.loadClientByClientId(jwtAuth.getClientId());
// fetch our client's key
KeyFetcher keyFetch = new KeyFetcher();
RSAPublicKey k2 = (RSAPublicKey) keyFetch.retrieveJwkKey(client.getJwkUrl());
// use Nimbus to verify the signature
JWSVerifier v2 = new RSASSAVerifier(k2);
JWSObject j3 = JWSObject.parse(jwtAuth.getJwt().toString());
Jwt jwt = jwtAuth.getJwt(); Jwt jwt = jwtAuth.getJwt();
JwtClaims jwtClaims = jwt.getClaims(); JwtClaims jwtClaims = jwt.getClaims();
if (!j3.verify(v2)) { // check the signature with nimbus
JWSVerifier verifier = getVerifierForClient(client);
JWSObject jws = JWSObject.parse(jwtAuth.getJwt().toString());
if (verifier != null && !jws.verify(verifier)) {
throw new AuthenticationServiceException("Invalid signature"); throw new AuthenticationServiceException("Invalid signature");
} }
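Review bot: The new guard `if (verifier != null && !jws.verify(verifier))` fails open: when getVerifierForClient returns null (the "no keys returned or no URLs configured" branch in the last hunk), the assertion is accepted without any signature check, so the client is authenticated on an unverified token. If skipping verification for key-less clients is intended, it should be an explicit per-client setting that is logged at that point; otherwise reject with `if (verifier == null || !jws.verify(verifier)) { throw new AuthenticationServiceException("Invalid signature"); }`. Nothing visible checks that the JWS header's algorithm is one expected for the fetched RSA key before verify() runs, which the `// TODO: this assumes RSA` in the last hunk hints at; a comment stating which algorithms are accepted would help until that check exists. The new verifiers cache in getVerifierForClient also has no expiry or invalidation, so a rotated client key at the JWK URL is never re-fetched for the provider's lifetime. The enclosing method starts and ends outside this hunk.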
@ -161,10 +155,10 @@ public class JwtBearerAuthenticationProvider implements AuthenticationProvider {
return (JwtBearerAssertionAuthenticationToken.class.isAssignableFrom(authentication)); return (JwtBearerAssertionAuthenticationToken.class.isAssignableFrom(authentication));
} }
protected JwtSigningAndValidationService getValidatorForClient(ClientDetailsEntity client) { protected JWSVerifier getVerifierForClient(ClientDetailsEntity client) {
if(validators.containsKey(client)){ if(verifiers.containsKey(client)){
return validators.get(client); return verifiers.get(client);
} else { } else {
KeyFetcher keyFetch = new KeyFetcher(); KeyFetcher keyFetch = new KeyFetcher();
@ -182,27 +176,13 @@ public class JwtBearerAuthenticationProvider implements AuthenticationProvider {
} }
if (signingKey != null) { if (signingKey != null) {
Map<String, JwtSigner> signers = new HashMap<String, JwtSigner>();
if (signingKey instanceof RSAPublicKey) { // TODO: this assumes RSA
JWSVerifier verifier = new RSASSAVerifier((RSAPublicKey) signingKey);
RSAPublicKey rsaKey = (RSAPublicKey)signingKey; verifiers.put(client, verifier);
// build an RSA signers return verifier;
RsaSigner signer256 = new RsaSigner(JwsAlgorithm.RS256.getJwaName(), rsaKey, null);
RsaSigner signer384 = new RsaSigner(JwsAlgorithm.RS384.getJwaName(), rsaKey, null);
RsaSigner signer512 = new RsaSigner(JwsAlgorithm.RS512.getJwaName(), rsaKey, null);
signers.put(client.getClientId() + JwsAlgorithm.RS256.getJwaName(), signer256);
signers.put(client.getClientId() + JwsAlgorithm.RS384.getJwaName(), signer384);
signers.put(client.getClientId() + JwsAlgorithm.RS512.getJwaName(), signer512);
}
JwtSigningAndValidationService signingAndValidationService = new DefaultJwtSigningAndValidationService(signers);
validators.put(client, signingAndValidationService);
return signingAndValidationService;
} else { } else {
// there were either no keys returned or no URLs configured to fetch them, assume no checking on key signatures // there were either no keys returned or no URLs configured to fetch them, assume no checking on key signatures