/**
 * Assemble the Nimbus {@link JWTProcessor} that backs the configured {@link JwtDecoder}.
 *
 * <p>Security notes: signing keys are fetched remotely from {@code jwkSetUri} through
 * {@code restOperations}. That URI is the trust anchor for every signature this processor
 * accepts, so it must be the issuer's own JWKS endpoint (an https scheme is not enforced
 * here). The key selector is pinned to {@code jwsAlgorithm}, so a token whose header
 * {@code alg} differs is not matched to a key. Nimbus's default claim-set verifier
 * (exp/nbf) is replaced by a no-op because Spring Security validates the claims itself;
 * that validation must stay in place for this processor to be safe to use.
 *
 * @return the configured {@link JwtDecoder}
 */
public JWTProcessor<SecurityContext> build() {
    JWKSource<SecurityContext> remoteKeys = new RemoteJWKSet<>(
            toURL(this.jwkSetUri), new RestOperationsResourceRetriever(this.restOperations));
    JWSKeySelector<SecurityContext> keySelector =
            new JWSVerificationKeySelector<>(this.jwsAlgorithm, remoteKeys);

    ConfigurableJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
    processor.setJWSKeySelector(keySelector);
    // Spring Security validates the claim set independent from Nimbus, so Nimbus's own
    // exp/nbf verifier is deliberately replaced with a no-op.
    processor.setJWTClaimsSetVerifier((claims, context) -> { });
    return processor;
}
jwkSet = updateJWKSetFromURL(); String soughtKeyID = getFirstSpecifiedKeyID(jwkSelector.getMatcher()); if (soughtKeyID == null) { jwkSet = updateJWKSetFromURL(); if (jwkSet == null) {
/**
 * Encrypt the raw user secret to the resource server's published encryption key.
 *
 * <p>The key is taken from the resource server's JWKS (via {@link ResourceServerInfo}) using
 * {@code encKeySelector}; whoever controls that JWKS URL can read the secret, so the URL's
 * authenticity is what protects the secret. If the selector returns several keys the first
 * one is used without further disambiguation. Every failure path logs a warning and yields an
 * empty result, i.e. the secret is simply not transmitted.
 *
 * @param resourceServerAndSecret the target resource server together with the raw secret
 * @return the encrypted secret, or empty when no secret claim is configured, the key cannot
 *         be fetched, no key matches, or encryption fails
 */
private Optional<String> tryToEncrypt(ResourceServerAndSecret resourceServerAndSecret) {
    ResourceServer server = resourceServerAndSecret.getResourceServer();
    // No claim name configured: the resource server does not receive the secret at all.
    if (StringUtils.isBlank(server.getUserSecretClaimName())) {
        return Optional.empty();
    }

    RemoteJWKSet<SecurityContext> remoteKeys =
            new ResourceServerInfo(resourceRetriever, server).getJWKSource();
    List<JWK> candidates;
    try {
        candidates = remoteKeys.get(encKeySelector, null);
    } catch (RemoteKeySourceException e) {
        LOGGER.warning("Can not access resource server encryption key. Secret will not be transmitted.");
        return Optional.empty();
    }
    if (candidates == null || candidates.isEmpty()) {
        return Optional.empty();
    }

    // First matching key wins; no further selection among multiple candidates.
    JWK encryptionKey = candidates.get(0);
    try {
        return Optional.of(encryptionService.encrypt(encryptionKey, resourceServerAndSecret.getRawSecret()));
    } catch (SecretEncryptionException e) {
        LOGGER.warning("Can not encrypt secret encryption key. Secret will not be transmitted.");
        return Optional.empty();
    }
}
/**
 * Build a remote JWK source from a URL stored under {@code key} in {@code jsonObject}.
 *
 * <p>NOTE(review): the JSON presumably is provider metadata fetched from the network; if so,
 * the jwks_url it names becomes the trust anchor for signature verification, so the
 * metadata document itself must come from a trusted (TLS-protected) origin. No scheme
 * check is performed here.
 *
 * @param jsonObject the parsed JSON document
 * @param key the member holding the JWKS URL
 * @return the remote JWK source, or {@code null} when the member is absent
 * @throws IllegalStateException if the member is present but is not a well-formed URL
 */
private RemoteJWKSet<SecurityContext> makeJwkSource(JSONObject jsonObject, String key) {
    Object jwksUrl = jsonObject.get(key);
    if (jwksUrl == null) {
        return null;
    }
    URL parsed;
    try {
        parsed = new URL(jwksUrl.toString());
    } catch (MalformedURLException e) {
        throw new IllegalStateException(e);
    }
    return new RemoteJWKSet<>(parsed, resourceRetriever);
}
}
/**
 * Create a new {@link UserPrincipalManager} based of the {@link ServiceEndpoints#getAadKeyDiscoveryUri()} and
 * {@link AADAuthenticationProperties#getEnvironment()}.
 *
 * <p>The key discovery URI selected for the configured environment is the trust anchor for
 * the token signing keys this manager will accept, so the environment must be the intended
 * Azure AD instance.
 *
 * @param serviceEndpointsProps - used to retrieve the JWKS URL
 * @param aadAuthProps - used to retrieve the environment.
 * @param resourceRetriever - configures the {@link RemoteJWKSet} call.
 * @throws IllegalStateException if the discovery URI is not a well-formed URL
 */
public UserPrincipalManager(ServiceEndpointsProperties serviceEndpointsProps,
                            AADAuthenticationProperties aadAuthProps,
                            ResourceRetriever resourceRetriever) {
    URL discoveryUrl;
    try {
        String discoveryUri = serviceEndpointsProps
                .getServiceEndpoints(aadAuthProps.getEnvironment())
                .getAadKeyDiscoveryUri();
        discoveryUrl = new URL(discoveryUri);
    } catch (MalformedURLException e) {
        log.error("Failed to parse active directory key discovery uri.", e);
        throw new IllegalStateException("Failed to parse active directory key discovery uri.", e);
    }
    keySource = new RemoteJWKSet<>(discoveryUrl, resourceRetriever);
}
/**
 * Capture a resource server and the retriever used to fetch its keys.
 *
 * <p>When a jwks_url is configured the remote JWK source is created immediately; when only
 * the metadata endpoint URL is given, {@code jwkSource} is left unset here (presumably it is
 * resolved from the metadata document elsewhere). Either URL is the trust anchor for the
 * resource server's keys and is used without a scheme check.
 *
 * @param resourceRetriever performs the HTTP fetches; must not be null
 * @param resourceServer the resource server; must carry a metadata URL or a jwks_url
 * @throws IllegalArgumentException if both URLs are null or the retriever is null
 * @throws IllegalStateException if the configured jwks_url is not a well-formed URL
 */
public ResourceServerInfo(final ResourceRetriever resourceRetriever, final ResourceServer resourceServer) {
    final boolean hasMetadataUrl = resourceServer.getEndpointUrl() != null;
    final boolean hasJwksUrl = resourceServer.getJwksUrl() != null;
    if (!hasMetadataUrl && !hasJwksUrl) {
        throw new IllegalArgumentException("Either meta data URL or jwks_url must not be null");
    }
    if (resourceRetriever == null) {
        throw new IllegalArgumentException("The resourceRetriever must not be null");
    }

    this.resourceRetriever = resourceRetriever;
    this.resourceServer = resourceServer;

    if (hasJwksUrl) {
        try {
            jwkSource = new RemoteJWKSet<>(new URL(resourceServer.getJwksUrl()), resourceRetriever);
        } catch (MalformedURLException e) {
            throw new IllegalStateException(e);
        }
    }
}
/**
 * Create a new {@link UserPrincipalManager} based of the {@link ServiceEndpoints#getAadKeyDiscoveryUri()} and
 * {@link AADAuthenticationProperties#getEnvironment()}.
 *
 * <p>The discovery URI chosen for the environment is where signing keys are fetched from,
 * i.e. the trust anchor for every token this manager validates.
 *
 * @param serviceEndpointsProps - used to retrieve the JWKS URL
 * @param aadAuthProps - used to retrieve the environment.
 * @param resourceRetriever - configures the {@link RemoteJWKSet} call.
 * @throws IllegalStateException if the discovery URI cannot be parsed as a URL
 */
public UserPrincipalManager(ServiceEndpointsProperties serviceEndpointsProps,
                            AADAuthenticationProperties aadAuthProps,
                            ResourceRetriever resourceRetriever) {
    try {
        keySource = new RemoteJWKSet<>(
                parseDiscoveryUrl(serviceEndpointsProps, aadAuthProps), resourceRetriever);
    } catch (MalformedURLException e) {
        log.error("Failed to parse active directory key discovery uri.", e);
        throw new IllegalStateException("Failed to parse active directory key discovery uri.", e);
    }
}

/** Resolve the AAD key discovery URI for the configured environment as a URL. */
private static URL parseDiscoveryUrl(ServiceEndpointsProperties serviceEndpointsProps,
                                     AADAuthenticationProperties aadAuthProps)
        throws MalformedURLException {
    return new URL(serviceEndpointsProps
            .getServiceEndpoints(aadAuthProps.getEnvironment())
            .getAadKeyDiscoveryUri());
}
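/**
 * Constructs a {@code NimbusJwtDecoderJwkSupport} using the provided parameters.
 *
 * <p>Signing keys are fetched from {@code jwkSetUrl}, which is therefore the trust anchor for
 * every signature this decoder accepts (no https scheme check is made here). The key selector
 * is pinned to {@code jwsAlgorithm}, so a token whose header {@code alg} differs is not
 * matched to a key. Nimbus's default claim-set verifier (exp/nbf) remains active because it
 * is not overridden.
 *
 * @param jwkSetUrl the JSON Web Key (JWK) Set {@code URL}
 * @param jwsAlgorithm the JSON Web Algorithm (JWA) used for verifying the digital signatures
 * @throws IllegalArgumentException if either argument is blank or the URL is malformed
 */
public NimbusJwtDecoderJwkSupport(String jwkSetUrl, String jwsAlgorithm) {
    Assert.hasText(jwkSetUrl, "jwkSetUrl cannot be empty");
    Assert.hasText(jwsAlgorithm, "jwsAlgorithm cannot be empty");
    try {
        this.jwkSetUrl = new URL(jwkSetUrl);
    } catch (MalformedURLException ex) {
        throw new IllegalArgumentException("Invalid JWK Set URL: " + ex.getMessage(), ex);
    }
    this.jwsAlgorithm = JWSAlgorithm.parse(jwsAlgorithm);
    // Bound the response size as well as the timeouts: the JWK Set comes from a remote host,
    // and the two-argument retriever constructor applies no size limit (confirm for the
    // pinned Nimbus version), so a misbehaving host could return an arbitrarily large body.
    ResourceRetriever jwkSetRetriever =
            new DefaultResourceRetriever(30000, 30000, RemoteJWKSet.DEFAULT_HTTP_SIZE_LIMIT);
    JWKSource<SecurityContext> jwkSource = new RemoteJWKSet<>(this.jwkSetUrl, jwkSetRetriever);
    JWSKeySelector<SecurityContext> jwsKeySelector =
            new JWSVerificationKeySelector<>(this.jwsAlgorithm, jwkSource);
    this.jwtProcessor = new DefaultJWTProcessor<>();
    this.jwtProcessor.setJWSKeySelector(jwsKeySelector);
}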
/**
 * Constructs a {@code NimbusJwtDecoderJwkSupport} using the provided parameters.
 *
 * <p>{@code jwkSetUrl} is where signing keys are fetched from and is therefore the trust
 * anchor for every accepted signature; no https scheme check is made here. The key selector
 * is pinned to {@code jwsAlgorithm}, so a token with a different header {@code alg} is not
 * matched to a key. Nimbus's own claim-set verifier is replaced with a no-op because Spring
 * Security validates the claims itself.
 *
 * @param jwkSetUrl the JSON Web Key (JWK) Set {@code URL}
 * @param jwsAlgorithm the JSON Web Algorithm (JWA) used for verifying the digital signatures
 * @throws IllegalArgumentException if either argument is blank or the URL is malformed
 */
public NimbusJwtDecoderJwkSupport(String jwkSetUrl, String jwsAlgorithm) {
    Assert.hasText(jwkSetUrl, "jwkSetUrl cannot be empty");
    Assert.hasText(jwsAlgorithm, "jwsAlgorithm cannot be empty");

    JWKSource<SecurityContext> remoteKeys;
    try {
        remoteKeys = new RemoteJWKSet<>(new URL(jwkSetUrl), this.jwkSetRetriever);
    } catch (MalformedURLException ex) {
        throw new IllegalArgumentException("Invalid JWK Set URL \"" + jwkSetUrl + "\" : " + ex.getMessage(), ex);
    }

    this.jwsAlgorithm = JWSAlgorithm.parse(jwsAlgorithm);
    JWSKeySelector<SecurityContext> keySelector =
            new JWSVerificationKeySelector<>(this.jwsAlgorithm, remoteKeys);

    DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
    processor.setJWSKeySelector(keySelector);
    // Spring Security validates the claim set independent from Nimbus
    processor.setJWTClaimsSetVerifier((claims, context) -> {});
    this.jwtProcessor = processor;
}
/**
 * Retrieve JWKS from jwks_uri.
 *
 * <p>Connection timeout, read timeout and response size limit are read from configuration;
 * any value that is zero or negative falls back to its default. Keeping all three bounded
 * matters because the JWKS is fetched from a remote host that is only as trustworthy as the
 * configured jwks_uri.
 *
 * @param jwksUri Identity provider's jwks_uri.
 * @return RemoteJWKSet
 * @throws MalformedURLException for invalid URL.
 */
private RemoteJWKSet<SecurityContext> retrieveJWKSFromJWKSEndpoint(String jwksUri) throws MalformedURLException {
    int connectTimeout = positiveOrDefault(
            readHTTPConnectionConfigValue(HTTP_CONNECTION_TIMEOUT_XPATH), DEFAULT_HTTP_CONNECTION_TIMEOUT);
    int readTimeout = positiveOrDefault(
            readHTTPConnectionConfigValue(HTTP_READ_TIMEOUT_XPATH), DEFAULT_HTTP_READ_TIMEOUT);
    int sizeLimit = positiveOrDefault(
            readHTTPConnectionConfigValue(HTTP_SIZE_LIMIT_XPATH), RemoteJWKSet.DEFAULT_HTTP_SIZE_LIMIT);

    DefaultResourceRetriever retriever = new DefaultResourceRetriever(connectTimeout, readTimeout, sizeLimit);
    return new RemoteJWKSet<>(new URL(jwksUri), retriever);
}

/** Return {@code configured} when it is positive, otherwise {@code fallback}. */
private static int positiveOrDefault(int configured, int fallback) {
    return configured > 0 ? configured : fallback;
}
jwkSource = new RemoteJWKSet<>(new URL(resourceServer.getEndpointUrl()), resourceRetriever); return jwkSource; } catch (java.text.ParseException e) {
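/**
 * Expose a Nimbus {@link ConfigurableJWTProcessor} wired to the configured remote JWK Set.
 *
 * <p>Keys are fetched from {@code jwtConfiguration.getJwkUrl()}; that URL is the trust anchor
 * for every signature the processor accepts, so it must be the issuer's JWKS endpoint (no
 * https scheme check is made here). The key selector is pinned to RS256, so a token with a
 * different header {@code alg} is not matched to a key. Nimbus's default claim-set verifier
 * (exp/nbf) stays active because nothing overrides it.
 *
 * <p>NOTE(review): the raw Nimbus types are kept as in the original; parameterize them with
 * {@code SecurityContext} once that type is imported in this file.
 *
 * @return the configured processor
 * @throws MalformedURLException if the configured JWK URL cannot be parsed
 */
@Bean
public ConfigurableJWTProcessor configurableJWTProcessor() throws MalformedURLException {
    // Bound the response size as well as the timeouts: the two-argument retriever constructor
    // applies no size limit (confirm for the pinned Nimbus version), so a misbehaving JWKS
    // host could return an arbitrarily large body.
    ResourceRetriever resourceRetriever = new DefaultResourceRetriever(
            jwtConfiguration.getConnectionTimeout(),
            jwtConfiguration.getReadTimeout(),
            RemoteJWKSet.DEFAULT_HTTP_SIZE_LIMIT);
    URL jwkSetURL = new URL(jwtConfiguration.getJwkUrl());
    JWKSource keySource = new RemoteJWKSet(jwkSetURL, resourceRetriever);

    ConfigurableJWTProcessor jwtProcessor = new DefaultJWTProcessor();
    JWSKeySelector keySelector = new JWSVerificationKeySelector(RS256, keySource);
    jwtProcessor.setJWSKeySelector(keySelector);
    return jwtProcessor;
}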
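/**
 * Resolve the JWK source from configuration, trying in order: a classpath resource, a
 * remote URL, then a file.
 *
 * <p>A missing classpath resource now fails with an {@link IOException} naming the resource
 * instead of a {@code NullPointerException} from {@code openStream()}. The JWK JSON is decoded
 * as UTF-8 rather than the platform default charset. The remote variant uses Nimbus's default
 * retriever settings (no explicit timeouts or size limit are set here), and the configured
 * URL is the trust anchor for every signature verified against these keys.
 *
 * @return an immutable key set for the resource/file cases, or a remote JWK source
 * @throws IOException if the resource is missing or the resource/file cannot be read
 * @throws ParseException if the JWK Set JSON is malformed
 */
private JWKSource<SecurityContext> lookupJWKSource() throws IOException, ParseException {
    String jwkResource = jwtConfiguration.getJwkResource();
    if (jwkResource != null && !"".equals(jwkResource)) {
        URL resource = DefaultValidatingJWTProcessor.class.getResource(jwkResource);
        if (resource == null) {
            throw new IOException("JWK Set classpath resource not found: " + jwkResource);
        }
        try (InputStream stream = resource.openStream()) {
            String key = com.nimbusds.jose.util.IOUtils.readInputStreamToString(
                    stream, java.nio.charset.StandardCharsets.UTF_8);
            return new ImmutableJWKSet<>(JWKSet.parse(key));
        }
    }

    String jwkSourceUrl = jwtConfiguration.getJwkSourceUrl();
    if (jwkSourceUrl != null && !"".equals(jwkSourceUrl)) {
        return new RemoteJWKSet<>(new URL(jwkSourceUrl));
    }

    return new ImmutableJWKSet<>(JWKSet.load(new File(jwtConfiguration.getJwkSourceFile())));
}
}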
RemoteJWKSet.DEFAULT_HTTP_SIZE_LIMIT); JWKSource<SecurityContext> jwksSource = new RemoteJWKSet<>(jwksUrl, resourceRetriever);