refactored validator checks to cascade better, throw an authentication exception if we can't find a validator for the ID Token

pull/627/head
Justin Richer 2014-06-18 18:17:14 -04:00
parent a465559ac5
commit 9f9b49fc63
1 changed files with 14 additions and 10 deletions


@ -443,23 +443,27 @@ public class OIDCAuthenticationFilter extends AbstractAuthenticationProcessingFi
ReadOnlyJWTClaimsSet idClaims = idToken.getJWTClaimsSet(); ReadOnlyJWTClaimsSet idClaims = idToken.getJWTClaimsSet();
// check the signature // check the signature
JwtSigningAndValidationService jwtValidator = validationServices.getValidator(serverConfig.getJwksUri()); JwtSigningAndValidationService jwtValidator = null;
if (jwtValidator == null) {
JWSAlgorithm alg = idToken.getHeader().getAlgorithm();
if (alg.equals(JWSAlgorithm.HS256)
|| alg.equals(JWSAlgorithm.HS384)
|| alg.equals(JWSAlgorithm.HS512)) {
// generate one based on client secret JWSAlgorithm alg = idToken.getHeader().getAlgorithm();
jwtValidator = symmetricCacheService.getSymmetricValidtor(clientConfig.getClient()); if (alg.equals(JWSAlgorithm.HS256)
} || alg.equals(JWSAlgorithm.HS384)
|| alg.equals(JWSAlgorithm.HS512)) {
// generate one based on client secret
jwtValidator = symmetricCacheService.getSymmetricValidtor(clientConfig.getClient());
} else {
// otherwise load from the server's public key
jwtValidator = validationServices.getValidator(serverConfig.getJwksUri());
} }
if (jwtValidator != null) { if (jwtValidator != null) {
if(!jwtValidator.validateSignature(idToken)) { if(!jwtValidator.validateSignature(idToken)) {
throw new AuthenticationServiceException("Signature validation failed"); throw new AuthenticationServiceException("Signature validation failed");
} }
} else { } else {
logger.info("No validation service found. Skipping signature validation"); logger.error("No validation service found. Skipping signature validation");
throw new AuthenticationServiceException("Unable to find an appropriate signature validator for ID Token.");
} }
// check the issuer // check the issuer
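Review bot: The new else branch logs "No validation service found. Skipping signature validation" and then throws on the very next line, so the message now describes behaviour that no longer happens; change it to `logger.error("No validation service found. Rejecting ID Token.");` or fold the text into the exception message. The validator is now selected solely from `idToken.getHeader().getAlgorithm()`, a value taken from the not-yet-verified token itself, so the HS256/HS384/HS512 test lets the token decide whether the client secret or the server's JWKS is used as the trust anchor; if the client registration records the signing algorithm it expects for ID Tokens, compare `alg` against that before picking a validator and reject mismatches rather than letting the token choose. If the header parser can return a null algorithm here, `alg.equals(...)` needs a guard such as `if (alg == null) throw new AuthenticationServiceException("ID Token has no signing algorithm");` so a malformed header fails with the same exception type as the other checks instead of a NullPointerException. The enclosing method starts before and ends after this hunk.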