updates to track Nimbus JOSE API changes to audience and date fields

openid-connect-client/src/main/java/org/mitre/openid/connect/client/AbstractOIDCAuthenticationFilter.java

@@ -24,6 +24,7 @@ import java.security.interfaces.RSAPublicKey;
 import java.text.ParseException;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Date;
 import java.util.Enumeration;
 import java.util.HashMap;
 import java.util.List;
@@ -356,52 +357,47 @@ public class AbstractOIDCAuthenticationFilter extends
 	            }
 	            
 	            // check the issuer
-	            if (idClaims.getIssuerClaim() == null) {
+	            if (idClaims.getIssuer() == null) {
 	            	throw new AuthenticationServiceException("Id Token Issuer is null");
-	            } else if (!idClaims.getIssuerClaim().equals(serverConfig.getIssuer())){
+	            } else if (!idClaims.getIssuer().equals(serverConfig.getIssuer())){
-	            	throw new AuthenticationServiceException("Issuers do not match, expected " + serverConfig.getIssuer() + " got " + idClaims.getIssuerClaim());
+	            	throw new AuthenticationServiceException("Issuers do not match, expected " + serverConfig.getIssuer() + " got " + idClaims.getIssuer());
 	            }
 	            
 	            // check expiration
-	            // FIXME: Nimbus Date Fields
+	            if (idClaims.getExpirationTime() == null) {
-	            /*
-	            if (idClaims.getExpirationTimeClaim() == 0) {
 	            	throw new AuthenticationServiceException("Id Token does not have required expiration claim");
 	            } else {
 	            	// it's not null, see if it's expired
 	            	Date now = new Date(System.currentTimeMillis() - (timeSkewAllowance * 1000));
-	            	if (now.after(new Date(idClaims.getExpirationTimeClaim()))) {
+	            	if (now.after(idClaims.getExpirationTime())) {
-	            		throw new AuthenticationServiceException("Id Token is expired: " + idClaims.getExpirationTimeClaim());
+	            		throw new AuthenticationServiceException("Id Token is expired: " + idClaims.getExpirationTime());
 	            	}
 	            }
 	            
 	            // check not before
-	            // FIXME: Nimbus Date Fields
+	            if (idClaims.getNotBeforeTime() != null) {
-	            if (idClaims.getNotBefore() != null) {
 	            	Date now = new Date(System.currentTimeMillis() + (timeSkewAllowance * 1000));
-	            	if (now.before(idClaims.getNotBefore())){
+	            	if (now.before(idClaims.getNotBeforeTime())){
-	            		throw new AuthenticationServiceException("Id Token not valid untill: " + idClaims.getNotBefore());
+	            		throw new AuthenticationServiceException("Id Token not valid untill: " + idClaims.getNotBeforeTime());
 	            	}
 	            }
 	            
 	            // check issued at
-	            if (idClaims.getIssuedAt() == null) {
+	            if (idClaims.getIssueTime() == null) {
 	            	throw new AuthenticationServiceException("Id Token does not have required issued-at claim");				
 	            } else {
 	            	// since it's not null, see if it was issued in the future
 	            	Date now = new Date(System.currentTimeMillis() + (timeSkewAllowance * 1000));
-	            	if (now.before(idClaims.getIssuedAt())) {
+	            	if (now.before(idClaims.getIssueTime())) {
-	            		throw new AuthenticationServiceException("Id Token was issued in the future: " + idClaims.getIssuedAt());
+	            		throw new AuthenticationServiceException("Id Token was issued in the future: " + idClaims.getIssueTime());
 	            	}
 	            }
-	             */
 	            
 	            // check audience
-	            // FIXME: Nimbus audience collection
+	            if (idClaims.getAudience() == null) {
-	            if (idClaims.getAudienceClaim() == null) {
 	            	throw new AuthenticationServiceException("Id token audience is null");
-	            } else if (!Arrays.asList(idClaims.getAudienceClaim()).contains(serverConfig.getClientId())) {
+	            } else if (!idClaims.getAudience().contains(serverConfig.getClientId())) {
-	            	throw new AuthenticationServiceException("Audience does not match, expected " + serverConfig.getClientId() + " got " + idClaims.getAudienceClaim());
+	            	throw new AuthenticationServiceException("Audience does not match, expected " + serverConfig.getClientId() + " got " + idClaims.getAudience());
 	            }
 	            
 	            // compare the nonce to our stored claim
@@ -426,11 +422,11 @@ public class AbstractOIDCAuthenticationFilter extends
 
 	            // pull the subject (user id) out as a claim on the id_token
 	            
-	            String userId = idClaims.getSubjectClaim();
+	            String userId = idClaims.getSubject();
 	            
 	            // construct an OIDCAuthenticationToken and return a Authentication object w/the userId and the idToken
 	            
-	            OIDCAuthenticationToken token = new OIDCAuthenticationToken(userId, idClaims.getIssuerClaim(), serverConfig, idTokenValue, accessTokenValue, refreshTokenValue);
+	            OIDCAuthenticationToken token = new OIDCAuthenticationToken(userId, idClaims.getIssuer(), serverConfig, idTokenValue, accessTokenValue, refreshTokenValue);
 
 	            Authentication authentication = this.getAuthenticationManager().authenticate(token);
 

openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java

@@ -124,12 +124,11 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 	    		if (client.getRefreshTokenValiditySeconds() != null) {
 		    		Date expiration = new Date(System.currentTimeMillis() + (client.getRefreshTokenValiditySeconds() * 1000L));
 		    		refreshToken.setExpiration(expiration);
-		    		// FIXME: nimbus date fields
+		    		refreshClaims.setExpirationTime(expiration);
-		    		refreshClaims.setExpirationTimeClaim(expiration.getTime());
 	    		}
 	    		
 	    		// set a random identifier
-	    		refreshClaims.setJWTIDClaim(UUID.randomUUID().toString());
+	    		refreshClaims.setJWTID(UUID.randomUUID().toString());
 
 	    		// TODO: add issuer fields, signature to JWT
 	    		

openid-connect-server/src/main/java/org/mitre/oauth2/token/JwtAssertionTokenGranter.java

@@ -103,12 +103,10 @@ public class JwtAssertionTokenGranter extends AbstractTokenGranter {
 	    		// update expiration and issued-at claims
 				if (client.getIdTokenValiditySeconds() != null) {
 					Date expiration = new Date(System.currentTimeMillis() + (client.getIdTokenValiditySeconds() * 1000L));
-					// FIXME: Nimbus-JOSE Date fields
+					claims.setExpirationTime(expiration);
-					claims.setExpirationTimeClaim(expiration.getTime());
 					newIdTokenEntity.setExpiration(expiration);
 				}
-				// FIXME: Nimbus-JOSE Date fields
+				claims.setIssueTime(new Date());
-				claims.setIssuedAtClaim(new Date().getTime());
 
 				
 				SignedJWT newIdToken = new SignedJWT((JWSHeader) idToken.getHeader(), claims);

openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerAuthenticationProvider.java

@@ -6,7 +6,7 @@ package org.mitre.openid.connect.assertion;
 import java.security.PublicKey;
 import java.security.interfaces.RSAPublicKey;
 import java.text.ParseException;
-import java.util.Arrays;
+import java.util.Date;
 import java.util.HashMap;
 import java.util.Map;
 
@@ -76,49 +76,45 @@ public class JwtBearerAuthenticationProvider implements AuthenticationProvider {
     		}
     		
 			// check the issuer
-			if (jwtClaims.getIssuerClaim() == null) {
+			if (jwtClaims.getIssuer() == null) {
 				throw new AuthenticationServiceException("Assertion Token Issuer is null");
-			} else if (!jwtClaims.getIssuerClaim().equals(client.getClientId())){
+			} else if (!jwtClaims.getIssuer().equals(client.getClientId())){
-				throw new AuthenticationServiceException("Issuers do not match, expected " + client.getClientId() + " got " + jwtClaims.getIssuerClaim());
+				throw new AuthenticationServiceException("Issuers do not match, expected " + client.getClientId() + " got " + jwtClaims.getIssuer());
 			}
 			
 			// check expiration
-			/*
+			if (jwtClaims.getExpirationTime() == null) {
-			 * FIXME: re-institute date check for Nimbus
-			if (jwtClaims.getExpirationTimeClaim() == null) {
 				throw new AuthenticationServiceException("Assertion Token does not have required expiration claim");
 			} else {
 				// it's not null, see if it's expired
 				Date now = new Date(System.currentTimeMillis() - (timeSkewAllowance * 1000));
-				if (now.after(jwtClaims.getExpirationTimeClaim())) {
+				if (now.after(jwtClaims.getExpirationTime())) {
-					throw new AuthenticationServiceException("Assertion Token is expired: " + jwtClaims.getExpirationTimeClaim());
+					throw new AuthenticationServiceException("Assertion Token is expired: " + jwtClaims.getExpirationTime());
 				}
 			}
 			
 			// check not before
-			if (jwtClaims.getNotBefore() != null) {
+			if (jwtClaims.getNotBeforeTime() != null) {
 				Date now = new Date(System.currentTimeMillis() + (timeSkewAllowance * 1000));
-				if (now.before(jwtClaims.getNotBefore())){
+				if (now.before(jwtClaims.getNotBeforeTime())){
-					throw new AuthenticationServiceException("Assertion Token not valid untill: " + jwtClaims.getNotBefore());
+					throw new AuthenticationServiceException("Assertion Token not valid untill: " + jwtClaims.getNotBeforeTime());
 				}
 			}
 			
 			// check issued at
-			if (jwtClaims.getIssuedAt() != null) {
+			if (jwtClaims.getIssueTime() != null) {
 				// since it's not null, see if it was issued in the future
 				Date now = new Date(System.currentTimeMillis() + (timeSkewAllowance * 1000));
-				if (now.before(jwtClaims.getIssuedAt())) {
+				if (now.before(jwtClaims.getIssueTime())) {
-					throw new AuthenticationServiceException("Assertion Token was issued in the future: " + jwtClaims.getIssuedAt());
+					throw new AuthenticationServiceException("Assertion Token was issued in the future: " + jwtClaims.getIssueTime());
 				}
 			}
 			
-			 */
-			
 			// check audience
-			if (jwtClaims.getAudienceClaim() == null) {
+			if (jwtClaims.getAudience() == null) {
 				throw new AuthenticationServiceException("Assertion token audience is null"); 
-			} else if (!Arrays.asList(jwtClaims.getAudienceClaim()).contains(config.getIssuer())) { // FIXME: change back to list.contains() check after Nimbus update
+			} else if (!jwtClaims.getAudience().contains(config.getIssuer())) {
-				throw new AuthenticationServiceException("Audience does not match, expected " + config.getIssuer() + " got " + jwtClaims.getAudienceClaim());
+				throw new AuthenticationServiceException("Audience does not match, expected " + config.getIssuer() + " got " + jwtClaims.getAudience());
 			}
 			
     		// IFF we managed to get all the way down here, the token is valid

openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerClientAssertionTokenEndpointFilter.java

@@ -50,7 +50,7 @@ public class JwtBearerClientAssertionTokenEndpointFilter extends ClientCredentia
     	try {
     		JWT jwt = JWTParser.parse(assertion);
     	
-    		String clientId = jwt.getJWTClaimsSet().getSubjectClaim();
+    		String clientId = jwt.getJWTClaimsSet().getSubject();
     		
     		Authentication authRequest = new JwtBearerAssertionAuthenticationToken(clientId, jwt);
     	

openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java

@@ -34,6 +34,7 @@ import org.springframework.security.oauth2.provider.token.TokenEnhancer;
 import org.springframework.stereotype.Service;
 
 import com.google.common.base.Strings;
+import com.google.common.collect.Lists;
 import com.google.common.collect.Sets;
 import com.nimbusds.jose.JWSHeader;
 import com.nimbusds.jwt.JWTClaimsSet;
@@ -62,18 +63,15 @@ public class ConnectTokenEnhancer implements TokenEnhancer {
 		
 		JWTClaimsSet claims = new JWTClaimsSet();
 		
-		// FIXME: Nimbus should do collections
+		claims.setAudience(Lists.newArrayList(clientId));
-		claims.setAudienceClaim(new String[] {clientId});
 		
-		claims.setIssuerClaim(configBean.getIssuer());
+		claims.setIssuer(configBean.getIssuer());
 
-		// FIXME: Nimbus Dates
+		claims.setIssueTime(new Date());
-		claims.setIssuedAtClaim(new Date().getTime());
 		
-		// FIXME: Nimbus dates
+		claims.setExpirationTime(token.getExpiration());
-		claims.setExpirationTimeClaim(token.getExpiration().getTime());
 
-		claims.setJWTIDClaim(UUID.randomUUID().toString()); // set a random NONCE in the middle of it
+		claims.setJWTID(UUID.randomUUID().toString()); // set a random NONCE in the middle of it
 		
 		SignedJWT signed = new SignedJWT(new JWSHeader(configBean.getDefaultSigningAlgorithm()), claims);
 		
@@ -106,22 +104,19 @@ public class ConnectTokenEnhancer implements TokenEnhancer {
 			
 			idClaims.setCustomClaim("auth_time", new Date().getTime());
 			
-			// FIXME: nimbus date fields
+			idClaims.setIssueTime(new Date());
-			idClaims.setIssuedAtClaim(new Date().getTime());
 			
 			ClientDetailsEntity client = clientService.loadClientByClientId(clientId);
 			
 			if (client.getIdTokenValiditySeconds() != null) {
 				Date expiration = new Date(System.currentTimeMillis() + (client.getIdTokenValiditySeconds() * 1000L));
-				// FIXME: nimbus date fields
+				idClaims.setExpirationTime(expiration);
-				idClaims.setExpirationTimeClaim(expiration.getTime());
 				idTokenEntity.setExpiration(expiration);
 			}
 			
-			idClaims.setIssuerClaim(configBean.getIssuer());
+			idClaims.setIssuer(configBean.getIssuer());
-			idClaims.setSubjectClaim(userId);
+			idClaims.setSubject(userId);
-			// FIXME: Nimbus audience as collection
+			idClaims.setAudience(Lists.newArrayList(clientId));
-			idClaims.setAudienceClaim(new String[] { clientId });
 			
 			
 			String nonce = authentication.getAuthorizationRequest().getAuthorizationParameters().get("nonce");