Use clients preferred algorithm, if any, to sign

pull/650/head
Amanda Anganes 2013-08-02 14:35:35 -04:00 committed by Justin Richer
parent 99cd6068dc
commit f866e5addc
3 changed files with 36 additions and 7 deletions


@ -72,8 +72,7 @@ public interface JwtSigningAndValidationService {
* @param alg the name of the algorithm to use, as specified in JWS s.6 * @param alg the name of the algorithm to use, as specified in JWS s.6
* @return the signed jwt * @return the signed jwt
*/ */
//TODO: implement later; only need signJwt(Jwt jwt) for now public void signJwt(SignedJWT jwt, JWSAlgorithm alg);
//public Jwt signJwt(Jwt jwt, String alg);
/** /**
* TODO: method to sign a jwt using a specified algorithm and a key id * TODO: method to sign a jwt using a specified algorithm and a key id
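Review bot: The Javadoc kept above the new declaration still ends with `@return the signed jwt`, but `signJwt(SignedJWT jwt, JWSAlgorithm alg)` returns void and signs the passed object in place, so that tag is now wrong for this method. I would replace it with `@param jwt the JWT to sign; it is updated in place` and state in the description what the caller can expect when no configured signer supports `alg`, since the implementation added elsewhere in this commit logs rather than throws in that case, and a caller deciding whether a token is safe to emit needs to know it may come back unsigned. The enclosing `/** … */` comment starts before the hunk.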


@ -215,6 +215,33 @@ public class DefaultJwtSigningAndValidationService implements JwtSigningAndValid
} }
@Override
public void signJwt(SignedJWT jwt, JWSAlgorithm alg) {
JWSSigner signer = null;
for (JWSSigner s : signers.values()) {
if (s.supportedAlgorithms().contains(alg)) {
signer = s;
break;
}
}
if (signer == null) {
//If we can't find an algorithm that matches, we can't sign
logger.error("No matching algirthm found for alg=" + alg);
}
try {
jwt.sign(signer);
} catch (JOSEException e) {
logger.error("Failed to sign JWT, error was: ", e);
}
}
@Override @Override
public boolean validateSignature(SignedJWT jwt) { public boolean validateSignature(SignedJWT jwt) {
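Review bot: When no configured signer supports `alg`, the `if (signer == null)` block only logs and then falls through to `jwt.sign(signer)` with a null signer, so the failure surfaces as whatever the library does on a null argument (or, if that is caught, as a JWT that is left unsigned) rather than as a clear refusal. Because the method returns void and the `JOSEException` branch also only logs, a caller cannot tell whether the token it is about to serialize was actually signed. I would fail fast instead: `if (signer == null) { throw new IllegalArgumentException("No matching algorithm found for alg=" + alg); }`, which also fixes the `algirthm` typo in the message, and let a signing failure propagate too, e.g. `throw new IllegalStateException("Failed to sign JWT", e);`, so an unsigned token is never handed back silently. The loop also takes the first entry in `signers.values()` that supports the algorithm; if that map is keyed by key id, a comment such as `// first key supporting alg wins; key choice among equivalent keys is arbitrary` would make the intent explicit, assuming that is the intent.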


@ -84,9 +84,14 @@ public class ConnectTokenEnhancer implements TokenEnhancer {
claims.setJWTID(UUID.randomUUID().toString()); // set a random NONCE in the middle of it claims.setJWTID(UUID.randomUUID().toString()); // set a random NONCE in the middle of it
// TODO: use client's default signing algorithm JWSAlgorithm signingAlg;
JWSAlgorithm clientAlg = client.getIdTokenSignedResponseAlg().getAlgorithm();
JWSAlgorithm signingAlg = jwtService.getDefaultSigningAlgorithm(); if (clientAlg != JWSAlgorithm.NONE) {
signingAlg = clientAlg;
} else {
signingAlg = jwtService.getDefaultSigningAlgorithm();
}
SignedJWT signed = new SignedJWT(new JWSHeader(signingAlg), claims); SignedJWT signed = new SignedJWT(new JWSHeader(signingAlg), claims);
jwtService.signJwt(signed); jwtService.signJwt(signed);
@ -156,8 +161,6 @@ public class ConnectTokenEnhancer implements TokenEnhancer {
SignedJWT idToken = new SignedJWT(new JWSHeader(signingAlg), idClaims); SignedJWT idToken = new SignedJWT(new JWSHeader(signingAlg), idClaims);
//TODO: check for client's preferred signer alg and use that
jwtService.signJwt(idToken); jwtService.signJwt(idToken);
idTokenEntity.setJwt(idToken); idTokenEntity.setJwt(idToken);
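Review bot: The client's preferred algorithm only reaches the `JWSHeader`; the next line still calls the one-argument `jwtService.signJwt(signed)`, so unless that overload picks its signer from the header (not visible here) the `alg` claimed in the header and the key actually used to sign can disagree whenever `clientAlg` differs from the default, and the `signJwt(SignedJWT, JWSAlgorithm)` overload added in this same commit looks like the intended call: `jwtService.signJwt(signed, signingAlg);`. The guard `clientAlg != JWSAlgorithm.NONE` compares references; `JWSAlgorithm` is a value-like class, so `!JWSAlgorithm.NONE.equals(clientAlg)` is the safer form, and if `getIdTokenSignedResponseAlg()` can return null for a client with no registered preference (the commit title says "if any") the chained `.getAlgorithm()` needs a null check before it, e.g. `if (clientAlg != null && !JWSAlgorithm.NONE.equals(clientAlg)) {`. Falling back to the server default when a client asks for `none` is the right choice for an ID token, and a one-line comment saying so would keep a later maintainer from "fixing" it. Both hunks sit inside methods whose start and end lie outside the section; the second hunk drops the TODO about the client's preferred algorithm for the ID token without visibly changing what `signingAlg` carries there, which may be handled earlier in that method but cannot be confirmed from this page.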