refactored code to use the more generic JWT declaration.

openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/SignedAuthRequestUrlBuilder.java

@@ -31,8 +31,11 @@ import org.mitre.openid.connect.config.ServerConfiguration;
 import org.springframework.security.authentication.AuthenticationServiceException;
 
 import com.google.common.base.Joiner;
+import com.nimbusds.jose.JWSAlgorithm;
 import com.nimbusds.jose.JWSHeader;
+import com.nimbusds.jwt.JWT;
 import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.jwt.PlainJWT;
 import com.nimbusds.jwt.SignedJWT;
 
 /**
@@ -71,9 +74,15 @@ public class SignedAuthRequestUrlBuilder implements AuthRequestUrlBuilder {
             claims.setClaim(option.getKey(), option.getValue());
         }
 
+		JWSAlgorithm alg = signingAndValidationService.getDefaultSigningAlgorithm();
 		
-
-		SignedJWT jwt = new SignedJWT(new JWSHeader(signingAndValidationService.getDefaultSigningAlgorithm()), claims);
+		JWT jwt;
+		
+		if (alg.equals(JWSAlgorithm.NONE)) { // alg:none
+			jwt = new PlainJWT(claims);
+		} else { // signature needed
+			jwt = new SignedJWT(new JWSHeader(alg), claims);
+		}
 
 		signingAndValidationService.signJwt(jwt);
 

openid-connect-common/src/main/java/org/mitre/jwt/signer/service/JwtSigningAndValidationService.java

@@ -22,7 +22,7 @@ import java.util.Map;
 
 import com.nimbusds.jose.JWSAlgorithm;
 import com.nimbusds.jose.jwk.JWK;
-import com.nimbusds.jwt.SignedJWT;
+import com.nimbusds.jwt.JWT;
 
 public interface JwtSigningAndValidationService {
 
@@ -32,15 +32,16 @@ public interface JwtSigningAndValidationService {
 	public Map<String, JWK> getAllPublicKeys();
 
 	/**
-	 * Checks the signature of the given JWT against all configured signers,
-	 * returns true if at least one of the signers validates it.
+	 * If alg:none is the default algorithm, verifies that the signature part is empty. 
+	 * Otherwise, checks the signature of the given JWT against all configured non-plain signers,
+	 * returns true if at least one of the non-plain signers validates it.
 	 * 
 	 * @param jwtString
 	 *            the string representation of the JWT as sent on the wire
 	 * @return true if the signature is valid, false if not
 	 * @throws NoSuchAlgorithmException
 	 */
-	public boolean validateSignature(SignedJWT jwtString);
+	public boolean validateSignature(JWT jwtString);
 
 	/**
 	 * Called to sign a jwt in place for a client that hasn't registered a preferred signing algorithm.
@@ -50,7 +51,7 @@ public interface JwtSigningAndValidationService {
 	 * @return the signed jwt
 	 * @throws NoSuchAlgorithmException
 	 */
-	public void signJwt(SignedJWT jwt);
+	public void signJwt(JWT jwt);
 
 	/**
 	 * Get the default signing algorithm for use when nothing else has been specified.
@@ -72,7 +73,7 @@ public interface JwtSigningAndValidationService {
 	 * @param alg the name of the algorithm to use, as specified in JWS s.6
 	 * @return the signed jwt
 	 */
-	public void signJwt(SignedJWT jwt, JWSAlgorithm alg);
+	public void signJwt(JWT jwt, JWSAlgorithm alg);
 
 	/**
 	 * TODO: method to sign a jwt using a specified algorithm and a key id

openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java

@@ -20,8 +20,6 @@ import java.util.Date;
 import java.util.Set;
 import java.util.UUID;
 
-import javax.servlet.http.HttpSession;
-
 import org.mitre.jwt.signer.service.JwtSigningAndValidationService;
 import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
@@ -39,8 +37,6 @@ import org.springframework.security.oauth2.provider.OAuth2Authentication;
 import org.springframework.security.oauth2.provider.OAuth2Request;
 import org.springframework.security.oauth2.provider.token.TokenEnhancer;
 import org.springframework.stereotype.Service;
-import org.springframework.web.context.request.RequestContextHolder;
-import org.springframework.web.context.request.ServletRequestAttributes;
 
 import com.google.common.base.Strings;
 import com.google.common.collect.Lists;
@@ -48,7 +44,9 @@ import com.google.common.collect.Sets;
 import com.nimbusds.jose.JWSAlgorithm;
 import com.nimbusds.jose.JWSHeader;
 import com.nimbusds.jose.util.Base64URL;
+import com.nimbusds.jwt.JWT;
 import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.jwt.PlainJWT;
 import com.nimbusds.jwt.SignedJWT;
 
 @Service
@@ -94,11 +92,17 @@ public class ConnectTokenEnhancer implements TokenEnhancer {
 			signingAlg = client.getIdTokenSignedResponseAlg().getAlgorithm();
 		}
 		
-		SignedJWT signed = new SignedJWT(new JWSHeader(signingAlg), claims);
+		JWT jwt;
+		
+		if (signingAlg.equals(JWSAlgorithm.NONE)) { // alg:none
+			jwt = new PlainJWT(claims);
+		} else { // signature needed
+			jwt = new SignedJWT(new JWSHeader(signingAlg), claims);
+		}
 
-		jwtService.signJwt(signed);
+		jwtService.signJwt(jwt);
 
-		token.setJwt(signed);
+		token.setJwt(jwt);
 
 		/**
 		 * Authorization request scope MUST include "openid" in OIDC, but access token request

openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientDynamicRegistrationEndpoint.java

@@ -57,7 +57,9 @@ import com.google.common.collect.Maps;
 import com.google.common.collect.Sets;
 import com.nimbusds.jose.JWSAlgorithm;
 import com.nimbusds.jose.JWSHeader;
+import com.nimbusds.jwt.JWT;
 import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.jwt.PlainJWT;
 import com.nimbusds.jwt.SignedJWT;
 
 @Controller
@@ -363,11 +365,18 @@ public class ClientDynamicRegistrationEndpoint {
 
 		// TODO: use client's default signing algorithm
 		JWSAlgorithm signingAlg = jwtService.getDefaultSigningAlgorithm();
-		SignedJWT signed = new SignedJWT(new JWSHeader(signingAlg), claims);
+		
+		JWT jwt;
+		
+		if (signingAlg.equals(JWSAlgorithm.NONE)) { // alg:none
+			jwt = new PlainJWT(claims);
+		} else { // signature needed
+			jwt = new SignedJWT(new JWSHeader(signingAlg), claims);
+		}
 
-		jwtService.signJwt(signed);
+		jwtService.signJwt(jwt);
 
-		token.setJwt(signed);
+		token.setJwt(jwt);
 
 		tokenService.saveAccessToken(token);