/**
 * Decodes the payload of an ID token JWS into an {@link IDToken}.
 * <p>
 * NOTE: this only parses and decodes; it does NOT verify the JWS signature.
 * Callers must verify the token (signature, issuer, audience, expiry) before
 * relying on any claim the returned object carries.
 *
 * @param idToken compact-serialized JWS, or {@code null}
 * @return the decoded payload, or {@code null} when {@code idToken} is {@code null}
 * @throws RuntimeException wrapping the {@link JWSInputException} when the input is malformed
 */
public static IDToken extractIdToken(String idToken) {
    if (idToken == null) {
        return null;
    }
    try {
        JWSInput parsed = new JWSInput(idToken);
        return parsed.readJsonContent(IDToken.class);
    } catch (JWSInputException malformed) {
        throw new RuntimeException(malformed);
    }
}
/**
 * Parses a compact JWS and hands its raw (decoded) payload bytes to the
 * {@code byte[]} overload. Only the structure is parsed here; the signature is
 * not checked by this method.
 *
 * @param refreshToken compact-serialized JWS
 * @return the decoded refresh token
 * @throws JWSInputException when the string is not a well-formed JWS
 */
public static RefreshToken getRefreshToken(String refreshToken) throws JWSInputException {
    JWSInput parsed = new JWSInput(refreshToken);
    byte[] payload = parsed.getContent();
    return getRefreshToken(payload);
}
/**
 * Checks the HMAC of a JWS against the given key.
 * <p>
 * The MAC is recomputed over the encoded {@code header.payload} with the
 * algorithm named in the token header and compared in constant time.
 * NOTE(review): the header algorithm comes from the token itself, i.e. from
 * untrusted input; callers should confirm it is the algorithm they expect
 * before trusting a {@code true} result.
 *
 * @param input parsed JWS
 * @param key   shared HMAC key
 * @return {@code true} when the presented signature matches the recomputed MAC
 * @throws RuntimeException wrapping any failure while recomputing or decoding
 */
public static boolean verify(JWSInput input, SecretKey key) {
    try {
        byte[] signingInput = input.getEncodedSignatureInput().getBytes("UTF-8");
        byte[] expected = sign(signingInput, input.getHeader().getAlgorithm(), key);
        byte[] presented = Base64Url.decode(input.getEncodedSignature());
        // Constant-time compare; a length mismatch yields false rather than an exception.
        return MessageDigest.isEqual(expected, presented);
    } catch (Exception failure) {
        throw new RuntimeException(failure);
    }
}
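/**
 * Traces a token with its signature replaced by a placeholder, so the log line
 * cannot be replayed as a bearer token.
 * <p>
 * Only the {@code header.payload} part is written; note the payload is still
 * the decodable claim set, so trace logging should stay off in production.
 * On a parse failure only the token name and the exception are logged — the
 * raw value is deliberately not echoed, since an unparseable string may still
 * be (or contain) a live credential.
 *
 * @param name  label for the token in the log line
 * @param token compact-serialized JWS
 */
private void logToken(String name, String token) {
    try {
        JWSInput jwsInput = new JWSInput(token);
        String wireString = jwsInput.getWireString();
        // Strip everything after the last '.' (the signature) and mark where it was.
        log.tracef("\t%s: %s", name, wireString.substring(0, wireString.lastIndexOf(".")) + ".signature");
    } catch (JWSInputException e) {
        // Do not log the token value itself: it would leak the credential into the error log.
        log.errorf(e, "Failed to parse %s", name);
    }
}
}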
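/**
 * Checks that a PEM private key and a PEM public key form a matching RSA pair
 * by signing a fixed payload with the private key and verifying it with the
 * public key.
 * <p>
 * Every failure is reported as a {@link VerificationException} with the same
 * messages as before, but the underlying cause is now attached so a bad PEM or
 * a provider error can be diagnosed instead of being swallowed.
 *
 * @param privateKeyPem PEM-encoded private key
 * @param publicKeyPem  PEM-encoded public key
 * @throws VerificationException when either key cannot be decoded or the keys do not match
 */
public static void verify(String privateKeyPem, String publicKeyPem) throws VerificationException {
    PrivateKey privateKey;
    try {
        privateKey = PemUtils.decodePrivateKey(privateKeyPem);
    } catch (Exception e) {
        throw new VerificationException("Failed to decode private key", e);
    }
    PublicKey publicKey;
    try {
        publicKey = PemUtils.decodePublicKey(publicKeyPem);
    } catch (Exception e) {
        throw new VerificationException("Failed to decode public key", e);
    }
    boolean matches;
    try {
        // Sign a throwaway payload and check it against the public key.
        String jws = new JWSBuilder().content("content".getBytes()).rsa256(privateKey);
        matches = RSAProvider.verify(new JWSInput(jws), publicKey);
    } catch (Exception e) {
        throw new VerificationException("Keys don't match", e);
    }
    if (!matches) {
        throw new VerificationException("Keys don't match");
    }
}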
/**
 * Handles the {@code K_TEST_AVAILABLE} admin action.
 * <p>
 * The request body is first signature-checked by {@code verifyAdminRequest()};
 * a {@code null} result means that method has already sent the error response,
 * so nothing more is done here. The decoded action is then passed to
 * {@code validateAction}; its result is not needed because no further step
 * follows in this handler.
 *
 * @throws RuntimeException wrapping any parsing or validation exception
 */
protected void handleTestAvailable() {
    if (log.isTraceEnabled()) {
        log.trace("K_TEST_AVAILABLE sent");
    }
    try {
        JWSInput verified = verifyAdminRequest();
        if (verified == null) {
            return;
        }
        TestAvailabilityAction action =
                JsonSerialization.readValue(verified.getContent(), TestAvailabilityAction.class);
        // Result intentionally unused: there is no follow-up action to gate on it.
        validateAction(action);
    } catch (Exception failure) {
        throw new RuntimeException(failure);
    }
}
if (log.isTraceEnabled()) { try { JWSInput jwsInput = new JWSInput(tokenString); String wireString = jwsInput.getWireString(); log.tracef("\taccess_token: %s", wireString.substring(0, wireString.lastIndexOf(".")) + ".signature"); } catch (JWSInputException e) {
/**
 * Reads the admin-action token from the request body and checks its signature.
 * <p>
 * Order matters: the TLS requirement is enforced before the body is read, then
 * the body is required to be present, then only the signature is verified
 * ({@code createVerifier(..., false, ...)}); the remaining claim checks are the
 * caller's job via {@code validateAction}. On every rejection a 403 has already
 * been written to the response and {@code null} is returned, so callers must
 * stop on {@code null}.
 * NOTE(review): the TLS decision uses {@code getRemoteAddr()}; behind a proxy
 * that is the proxy's address unless the container rewrites it — confirm the
 * deployment expects that.
 *
 * @return the parsed JWS on success, {@code null} after a 403 has been sent
 * @throws Exception on I/O or parsing failures not already handled as 403
 */
protected JWSInput verifyAdminRequest() throws Exception {
    boolean plainHttp = !facade.getRequest().isSecure();
    if (plainHttp && deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr())) {
        log.warn("SSL is required for adapter admin action");
        facade.getResponse().sendError(403, "ssl required");
        return null;
    }
    String rawToken = StreamUtil.readString(facade.getRequest().getInputStream());
    if (rawToken == null) {
        log.warn("admin request failed, no token");
        facade.getResponse().sendError(403, "no token");
        return null;
    }
    try {
        // Signature only; other claims are checked later in validateAction.
        TokenVerifier signatureCheck =
                AdapterTokenVerifier.createVerifier(rawToken, deployment, false, JsonWebToken.class);
        signatureCheck.verify();
        return new JWSInput(rawToken);
    } catch (VerificationException rejected) {
        log.warn("admin request failed, unable to verify token: " + rejected.getMessage());
        if (log.isDebugEnabled()) {
            log.debug(rejected.getMessage(), rejected);
        }
        facade.getResponse().sendError(403, "token failed verification");
        return null;
    }
}
/**
 * Handles the {@code K_PUSH_NOT_BEFORE} admin action: after the request token
 * is signature-checked and the action validated, the deployment's not-before
 * time is set to the pushed value.
 * <p>
 * The value is applied unconditionally (the logout path only ever raises it).
 * NOTE(review): a replayed older push that is still within its validity window
 * would therefore lower not-before again; confirm {@code validateAction} or
 * {@code updateNotBefore} guards against that if replay is a concern here.
 *
 * @throws RuntimeException wrapping any parsing or validation exception
 */
protected void handlePushNotBefore() {
    if (log.isTraceEnabled()) {
        log.trace("K_PUSH_NOT_BEFORE sent");
    }
    try {
        JWSInput verified = verifyAdminRequest();
        if (verified == null) {
            return; // rejection already answered with 403
        }
        PushNotBeforeAction action =
                JsonSerialization.readValue(verified.getContent(), PushNotBeforeAction.class);
        if (!validateAction(action)) {
            return;
        }
        deployment.updateNotBefore(action.getNotBefore());
    } catch (Exception failure) {
        throw new RuntimeException(failure);
    }
}
/**
 * Receives a {@code k_logout} admin push and records the decoded action.
 * <p>
 * The body is parsed as a JWS but its signature is NOT verified — anything
 * POSTed here is accepted and stored. That is presumably fine for a test
 * fixture that only inspects what was received; it must not be exposed as a
 * real endpoint.
 *
 * @param data compact-serialized JWS carrying a {@link LogoutAction}
 * @throws JWSInputException when the body is not a well-formed JWS
 */
@POST
@Consumes(MediaType.TEXT_PLAIN)
@Path("/admin/k_logout")
public void adminLogout(String data) throws JWSInputException {
    LogoutAction received = new JWSInput(data).readJsonContent(LogoutAction.class);
    adminLogoutActions.add(received);
}
JWSInput token = null; try { token = new JWSInput(input); } catch (JWSInputException e) { logger.warn("Failed to verify logout request"); action = JsonSerialization.readValue(token.getContent(), LogoutAction.class); } catch (IOException e) { throw new RuntimeException(e);
/**
 * Handles the {@code K_LOGOUT} admin action.
 * <p>
 * After the request token is signature-checked and the action validated:
 * with an explicit list of adapter session ids, only those HTTP sessions are
 * logged out; without one, every session of the application is logged out and
 * the deployment's not-before is raised to the pushed value (never lowered).
 *
 * @throws RuntimeException wrapping any parsing or validation exception
 */
protected void handleLogout() {
    if (log.isTraceEnabled()) {
        log.trace("K_LOGOUT sent");
    }
    try {
        JWSInput verified = verifyAdminRequest();
        if (verified == null) {
            return; // rejection already answered with 403
        }
        LogoutAction action = JsonSerialization.readValue(verified.getContent(), LogoutAction.class);
        if (!validateAction(action)) {
            return;
        }
        if (action.getAdapterSessionIds() == null) {
            // No session list: log out everything and move not-before forward if needed.
            log.debugf("logout of all sessions for application '%s'", action.getResource());
            if (action.getNotBefore() > deployment.getNotBefore()) {
                deployment.updateNotBefore(action.getNotBefore());
            }
            userSessionManagement.logoutAll();
        } else {
            userSessionManagement.logoutHttpSessions(action.getAdapterSessionIds());
        }
    } catch (Exception failure) {
        throw new RuntimeException(failure);
    }
}
/**
 * Checks the HMAC of a JWS against a raw shared secret.
 * <p>
 * The MAC is recomputed over the encoded {@code header.payload} with the
 * algorithm named in the token header and compared in constant time.
 * NOTE(review): the header algorithm is taken from the (untrusted) token;
 * callers should confirm it is the expected one before trusting a
 * {@code true} result.
 *
 * @param input        parsed JWS
 * @param sharedSecret raw HMAC key bytes
 * @return {@code true} when the presented signature matches the recomputed MAC
 * @throws RuntimeException wrapping any failure while recomputing or decoding
 */
public static boolean verify(JWSInput input, byte[] sharedSecret) {
    try {
        byte[] signingInput = input.getEncodedSignatureInput().getBytes("UTF-8");
        byte[] expected = sign(signingInput, input.getHeader().getAlgorithm(), sharedSecret);
        byte[] presented = Base64Url.decode(input.getEncodedSignature());
        // Constant-time compare; a length mismatch yields false rather than an exception.
        return MessageDigest.isEqual(expected, presented);
    } catch (Exception failure) {
        throw new RuntimeException(failure);
    }
}
/**
 * Receives a {@code k_push_not_before} admin push and records the decoded action.
 * <p>
 * The body is parsed as a JWS but its signature is NOT verified; any POSTed
 * value is accepted and stored. Presumably a test fixture — it must not be
 * wired up as a real endpoint.
 *
 * @param data compact-serialized JWS carrying a {@link PushNotBeforeAction}
 * @throws JWSInputException when the body is not a well-formed JWS
 */
@POST
@Consumes(MediaType.TEXT_PLAIN)
@Path("/admin/k_push_not_before")
public void adminPushNotBefore(String data) throws JWSInputException {
    PushNotBeforeAction received = new JWSInput(data).readJsonContent(PushNotBeforeAction.class);
    adminPushNotBeforeActions.add(received);
}
String refreshTokenValue = clientToken.getRefreshToken(); try { RefreshToken refreshToken = JsonSerialization.readValue(new JWSInput(refreshTokenValue).getContent(), RefreshToken.class); if (!refreshToken.isActive() || !isTokenTimeToLiveSufficient(refreshToken)) { log.debug("Refresh token is expired."); AccessToken accessToken = JsonSerialization.readValue(new JWSInput(token).getContent(), AccessToken.class);
/**
 * Receives a {@code k_test_available} admin push and records the decoded action.
 * <p>
 * The body is parsed as a JWS but its signature is NOT verified; any POSTed
 * value is accepted and stored. Presumably a test fixture — it must not be
 * wired up as a real endpoint.
 *
 * @param data compact-serialized JWS carrying a {@link TestAvailabilityAction}
 * @throws JWSInputException when the body is not a well-formed JWS
 */
@POST
@Consumes(MediaType.TEXT_PLAIN)
@Path("/admin/k_test_available")
public void testAvailable(String data) throws JWSInputException {
    TestAvailabilityAction received = new JWSInput(data).readJsonContent(TestAvailabilityAction.class);
    adminTestAvailabilityAction.add(received);
}
/**
 * Parses {@code tokenString} into {@code jws} and decodes its payload into
 * {@code token}, unless that has already been done.
 * <p>
 * This is structural parsing only: no signature or claim check happens here
 * (those belong to the verifier's other steps). Both failure modes are mapped
 * to {@link VerificationException} with the cause attached.
 *
 * @return this verifier, for chaining
 * @throws VerificationException when no token was set, or the JWS or its payload cannot be read
 */
public TokenVerifier<T> parse() throws VerificationException {
    if (jws != null) {
        return this; // already parsed
    }
    if (tokenString == null) {
        throw new VerificationException("Token not set");
    }
    try {
        jws = new JWSInput(tokenString);
    } catch (JWSInputException malformed) {
        throw new VerificationException("Failed to parse JWT", malformed);
    }
    try {
        token = jws.readJsonContent(clazz);
    } catch (JWSInputException unreadable) {
        throw new VerificationException("Failed to read access token from JWT", unreadable);
    }
    return this;
}
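/**
 * Stores the token strings from a token response, verifies the access token
 * against the realm key, and decodes the ID token if one was returned.
 * <p>
 * Only the access token is signature-verified ({@code RSATokenVerifier.verifyToken});
 * the ID token is merely decoded and the refresh token is kept as-is.
 * NOTE(review): do not base authorization decisions on ID-token claims read
 * here without verifying the ID token as well.
 * A failure to decode the ID token is still reported as a
 * {@link VerificationException}, now with the cause attached instead of an
 * empty exception.
 *
 * @param tokenResponse response from the token endpoint
 * @throws VerificationException when the access token fails verification or the ID token cannot be decoded
 */
private void parseAccessToken(AccessTokenResponse tokenResponse) throws VerificationException {
    tokenString = tokenResponse.getToken();
    refreshToken = tokenResponse.getRefreshToken();
    idTokenString = tokenResponse.getIdToken();
    token = RSATokenVerifier.verifyToken(tokenString, deployment.getRealmKey(), deployment.getRealm());
    if (idTokenString != null) {
        JWSInput input = new JWSInput(idTokenString);
        try {
            idToken = input.readJsonContent(IDToken.class);
        } catch (IOException e) {
            // Keep the cause so a malformed ID token can be diagnosed from the log.
            throw new VerificationException("Failed to read ID token from JWT", e);
        }
    }
}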
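/**
 * Validates a signed password-reset token for the given realm and user.
 * <p>
 * Order of checks: signature against the realm public key first (claims are
 * untrusted until it passes), then realm name, then user id, then age against
 * the realm's user-action lifespan. Every rejection and every parse failure
 * yields {@code false}.
 * <p>
 * Claim comparisons put the trusted value on the left so a token with a
 * missing realm or user claim fails closed instead of escaping as a
 * {@link NullPointerException}.
 * NOTE(review): a timestamp in the future gives a negative age and is
 * accepted; the token is realm-signed so this is not forgeable, but rejecting
 * future timestamps would be a cheap extra guard.
 *
 * @param realm                realm the token must belong to
 * @param user                 user the token must be issued for
 * @param encodedPasswordToken compact-serialized JWS
 * @return {@code true} only when every check passes
 */
public static boolean validPasswordToken(RealmModel realm, UserModel user, String encodedPasswordToken) {
    try {
        JWSInput jws = new JWSInput(encodedPasswordToken);
        if (!RSAProvider.verify(jws, realm.getPublicKey())) {
            return false;
        }
        PasswordToken passwordToken = jws.readJsonContent(PasswordToken.class);
        if (!realm.getName().equals(passwordToken.getRealm())) {
            return false;
        }
        if (!user.getId().equals(passwordToken.getUser())) {
            return false;
        }
        if (Time.currentTime() - passwordToken.getTimestamp() > realm.getAccessCodeLifespanUserAction()) {
            return false;
        }
        return true;
    } catch (JWSInputException e) {
        // Malformed JWS: treat as invalid rather than propagate.
        return false;
    }
}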
if (idTokenString != null && idTokenString.length() > 0) { try { JWSInput input = new JWSInput(idTokenString); idToken = input.readJsonContent(IDToken.class); } catch (JWSInputException e) { throw new VerificationException(e);