// ID-token nbf check with clock-skew tolerance: the local clock is advanced by
// timeSkewAllowance (scaled by 1000 before being added to a millisecond timestamp, so
// presumably seconds) and the token is rejected if its nbf is still later than that.
// A token that carries no nbf claim skips this check entirely.
// NOTE(review): if timeSkewAllowance is declared as int, `timeSkewAllowance * 1000` is
// computed in int arithmetic before widening; the declaration is not visible here, confirm.
// NOTE(review): "untill" in the message is a typo for "until".
if (idClaims.getNotBeforeTime() != null) { Date now = new Date(System.currentTimeMillis() + (timeSkewAllowance * 1000)); if (now.before(idClaims.getNotBeforeTime())){ throw new AuthenticationServiceException("Id Token not valid untill: " + idClaims.getNotBeforeTime());
// Assertion-token nbf check with clock-skew tolerance: the local clock is advanced by
// timeSkewAllowance (scaled by 1000 before being added to a millisecond timestamp, so
// presumably seconds) and the assertion is rejected if its nbf is still later than that.
// An assertion that carries no nbf claim skips this check entirely.
// NOTE(review): if timeSkewAllowance is declared as int, `timeSkewAllowance * 1000` is
// computed in int arithmetic before widening; the declaration is not visible here, confirm.
// NOTE(review): "untill" in the message is a typo for "until".
if (jwtClaims.getNotBeforeTime() != null) { Date now = new Date(System.currentTimeMillis() + (timeSkewAllowance * 1000)); if (now.before(jwtClaims.getNotBeforeTime())){ throw new AuthenticationServiceException("Assertion Token not valid untill: " + jwtClaims.getNotBeforeTime());
/**
 * Checks a Knox SSO token: a user name must be present, the current time must lie inside
 * the token's exp/nbf window, and the signature must verify.
 *
 * <p>Both time claims are treated as optional: a token without {@code exp} is never
 * considered expired and a token without {@code nbf} is usable immediately. No clock-skew
 * tolerance is applied to either bound.
 *
 * @param jwtToken Knox token
 * @param userName user name associated with the token
 * @return {@code true} only when every check passes
 * @throws ParseException if the JWT claims set cannot be parsed
 */
protected boolean isValid(SignedJWT jwtToken, String userName) throws ParseException {
  final boolean userMissing = (userName == null) || userName.isEmpty();
  if (userMissing) {
    LOG.info("Could not find user name in SSO token");
    return false;
  }

  final Date currentTime = new Date();

  // Upper bound: only enforced when the token actually carries an exp claim.
  final Date exp = jwtToken.getJWTClaimsSet().getExpirationTime();
  final boolean expired = (exp != null) && currentTime.after(exp);
  if (expired) {
    LOG.info("SSO token expired: {} ", userName);
    return false;
  }

  // Lower bound: only enforced when the token actually carries an nbf claim.
  final Date nbf = jwtToken.getJWTClaimsSet().getNotBeforeTime();
  final boolean premature = (nbf != null) && currentTime.before(nbf);
  if (premature) {
    LOG.info("SSO token not yet valid: {} ", userName);
    return false;
  }

  // The claims read above are not yet authenticated; the signature check is the final gate.
  return validateSignature(jwtToken);
}
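/**
 * Verifies the JWS signature via the superclass and then requires the current time to lie
 * in the half-open window {@code [nbf, exp)} taken from {@code claimsSet}.
 *
 * <p>Both claims are required: if either {@code nbf} or {@code exp} is absent the token is
 * rejected with {@code false}. No clock-skew tolerance is applied.
 *
 * @param header JWS header of the object being verified
 * @param signingInput bytes the signature was computed over
 * @param signature signature to check
 * @return {@code true} only if the signature verifies and the time window holds
 * @throws JOSEException if the superclass verification fails with an error
 */
@Override
public boolean verify(final JWSHeader header, final byte[] signingInput, final Base64URL signature)
    throws JOSEException {
  // Signature first: the time claims are only consulted for a correctly signed token.
  if (!super.verify(header, signingInput, signature)) {
    return false;
  }

  // Fail closed on a missing bound. Dereferencing an absent claim would otherwise surface
  // as a NullPointerException, which callers expecting JOSEException or a boolean will not handle.
  if (claimsSet.getNotBeforeTime() == null || claimsSet.getExpirationTime() == null) {
    return false;
  }

  final long now = System.currentTimeMillis();
  return claimsSet.getNotBeforeTime().getTime() <= now
      && now < claimsSet.getExpirationTime().getTime();
}
}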
/**
 * Checks the token's time window: rejects a token whose {@code exp} is in the past or whose
 * {@code nbf} is in the future.
 *
 * <p>Either claim may be absent, in which case that bound is not enforced. No clock-skew
 * tolerance is applied, and the signature is not examined here.
 *
 * @param jwtToken token whose claims are inspected
 * @return {@code false} if the token is expired or not yet valid, {@code true} otherwise
 * @throws IOException if the claims set cannot be parsed
 */
private boolean verifyExpiration(JWT jwtToken) throws IOException {
  try {
    final Date exp = jwtToken.getJWTClaimsSet().getExpirationTime();
    final boolean expired = exp != null && exp.before(new Date());
    if (expired) {
      return false;
    }

    final Date nbf = jwtToken.getJWTClaimsSet().getNotBeforeTime();
    final boolean premature = nbf != null && nbf.after(new Date());
    return !premature;
  } catch (ParseException parseFailure) {
    // Surface unparseable claims as an I/O failure, keeping the original cause.
    throw new IOException("Failed to get JWT claims set", parseFailure);
  }
}
/**
 * Tells whether the current time falls inside the token's validity window.
 *
 * <p>A missing {@code exp} means no upper bound and a missing {@code nbf} means no lower
 * bound, so a token with neither claim always passes. The comparison uses the local clock
 * with no skew allowance and does not look at the signature.
 *
 * @param jwtToken token whose claims are inspected
 * @return {@code true} if the token is neither expired nor premature
 * @throws IOException wrapping the {@link ParseException} when the claims cannot be read
 */
private boolean verifyExpiration(JWT jwtToken) throws IOException {
  try {
    Date upperBound = jwtToken.getJWTClaimsSet().getExpirationTime();
    if (upperBound != null && upperBound.before(new Date())) {
      return false; // already expired
    }

    Date lowerBound = jwtToken.getJWTClaimsSet().getNotBeforeTime();
    if (lowerBound == null) {
      return true; // no nbf claim: usable immediately
    }
    return !lowerBound.after(new Date());
  } catch (ParseException cause) {
    throw new IOException("Failed to get JWT claims set", cause);
  }
}
/**
 * Returns the token's {@code nbf} claim.
 *
 * <p>The result is {@code null} in two different situations: the token has no {@code nbf}
 * claim, or the claims set could not be parsed (the failure is logged, not rethrown).
 * NOTE(review): a caller that reads {@code null} as "no lower bound" will skip the nbf
 * check for a token whose claims failed to parse; confirm that callers reject such tokens
 * by other means.
 *
 * @return the not-before time, or {@code null} if absent or unparseable
 */
@Override
public Date getNotBeforeDate() {
  try {
    return jwt.getJWTClaimsSet().getNotBeforeTime();
  } catch (ParseException parseError) {
    log.unableToParseToken(parseError);
    return null;
  }
}
/**
 * Reads the {@code nbf} claim from the wrapped JWT.
 *
 * <p>A parse failure is logged and reported as {@code null}, which is also what a token
 * without an {@code nbf} claim yields, so the two cases cannot be told apart by the caller.
 * NOTE(review): verify that callers do not treat {@code null} as proof that the token has
 * no lower time bound.
 *
 * @return the not-before time, or {@code null} if the claim is missing or the claims set
 *     cannot be parsed
 */
@Override
public Date getNotBeforeDate() {
  Date notBefore;
  try {
    notBefore = jwt.getJWTClaimsSet().getNotBeforeTime();
  } catch (ParseException failure) {
    log.unableToParseToken(failure);
    notBefore = null;
  }
  return notBefore;
}
/**
 * Validates an HMAC-signed JWT against a shared secret and its time window.
 *
 * <p>The signature is verified before any claim is read. Both {@code exp} and {@code nbf}
 * are mandatory: a token missing either one is rejected. A token whose {@code exp} or
 * {@code nbf} equals the current instant is accepted. No clock-skew tolerance is applied.
 * Verification and parse errors are logged (with a {@code null} message) and reported as
 * an invalid token.
 *
 * @param secret secret used for generating the token
 * @param jwt token to validate
 * @return true if token is valid
 */
public static boolean isValidJWToken(String secret, SignedJWT jwt) {
    if (secret == null || jwt == null) {
        return false;
    }
    try {
        if (!jwt.verify(new MACVerifier(secret))) {
            return false;
        }
        final Date now = new Date();
        final JWTClaimsSet claimSet = jwt.getJWTClaimsSet();
        final Date exp = claimSet.getExpirationTime();
        final Date nbf = claimSet.getNotBeforeTime();

        // De Morgan form of !(expired || notYetValid): each bound must exist and hold.
        final boolean stillLive = exp != null && !exp.before(now);
        final boolean alreadyActive = nbf != null && !nbf.after(now);
        return stillLive && alreadyActive;
    } catch (JOSEException e) {
        logger.warn(null, e);
        return false;
    } catch (ParseException ex) {
        logger.warn(null, ex);
        return false;
    }
}
/**
 * Checks that a signed JWT was produced with the given shared secret and is currently
 * inside its validity window.
 *
 * <p>Order of checks: null arguments, MAC signature, then the {@code exp} and {@code nbf}
 * claims. A token that lacks {@code exp} or {@code nbf} is treated as invalid, and the
 * local clock is used without any skew allowance. Any {@link JOSEException} or
 * {@link ParseException} is logged and the token is reported as invalid.
 *
 * @param secret secret used for generating the token
 * @param jwt token to validate
 * @return true if token is valid
 */
public static boolean isValidJWToken(String secret, SignedJWT jwt) {
    boolean valid = false;
    try {
        if (secret != null && jwt != null && jwt.verify(new MACVerifier(secret))) {
            Date checkedAt = new Date();
            JWTClaimsSet tokenClaims = jwt.getJWTClaimsSet();
            Date expiresAt = tokenClaims.getExpirationTime();
            Date validFrom = tokenClaims.getNotBeforeTime();

            // A missing bound counts as a failed bound.
            boolean pastExpiry = (expiresAt == null) || expiresAt.before(checkedAt);
            boolean beforeStart = (validFrom == null) || validFrom.after(checkedAt);
            valid = !pastExpiry && !beforeStart;
        }
    } catch (JOSEException e) {
        logger.warn(null, e);
    } catch (ParseException ex) {
        logger.warn(null, ex);
    }
    return valid;
}
/**
 * Checks the {@code exp} and {@code nbf} claims of a claims set against the current time,
 * allowing {@code maxClockSkew} of tolerance on each comparison.
 *
 * <p>Each claim is checked only when present; a claims set with neither claim passes.
 * The {@code context} argument is not used by this method.
 *
 * @param claimsSet claims to check
 * @param context verification context (unused here)
 * @throws BadJWTException if the token is expired or not yet valid
 */
@Override
public void verify(final JWTClaimsSet claimsSet, final C context) throws BadJWTException {
  final Date currentTime = new Date();

  final Date expiresAt = claimsSet.getExpirationTime();
  final boolean expired =
      expiresAt != null && !DateUtils.isAfter(expiresAt, currentTime, maxClockSkew);
  if (expired) {
    throw EXPIRED_JWT_EXCEPTION;
  }

  final Date validFrom = claimsSet.getNotBeforeTime();
  final boolean premature =
      validFrom != null && !DateUtils.isBefore(validFrom, currentTime, maxClockSkew);
  if (premature) {
    throw JWT_BEFORE_USE_EXCEPTION;
  }
}
}
// nbf handling, applied only when the claim is present: exp must be strictly after nbf
// (JwtInvalidClaimException otherwise), and nbf must not be later than nowPlusLeeway
// (JwtTooEarlyException otherwise). nowPlusLeeway is taken from a calendar prepared outside
// this fragment; the name suggests "now" plus the permitted leeway, confirm.
// NOTE(review): exp is dereferenced here without a null check in view; presumably its
// presence is enforced earlier, verify against the full method.
// NOTE(review): closing braces are missing from this excerpt, so the nesting of the second
// check cannot be read off the text as shown.
Date nowPlusLeeway = calendar.getTime(); if (null != claims.getNotBeforeTime()) { if (!claims.getExpirationTime().after(claims.getNotBeforeTime())) { throw new JwtInvalidClaimException(String.format("The expiration time must be after the not-before time but exp=%s and nbf=%s", claims.getExpirationTime(), claims.getNotBeforeTime())); if (claims.getNotBeforeTime().after(nowPlusLeeway)) { throw new JwtTooEarlyException(claims.getNotBeforeTime(), now, TIME_CLAIM_LEEWAY_SECONDS);
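// Reference instant for the nbf comparison. The calendar is prepared outside this fragment;
// the name suggests "now" plus the permitted leeway, confirm.
Date nowPlusLeeway = calendar.getTime();

// nbf is optional: both checks below apply only when the claim is present.
if (null != claims.getNotBeforeTime()) {
    // A token whose window is empty or inverted (exp <= nbf) is malformed.
    // NOTE(review): exp is dereferenced without a null check in view; presumably its
    // presence is enforced earlier, verify against the full method.
    if (!claims.getExpirationTime().after(claims.getNotBeforeTime())) {
        throw new JwtInvalidClaimException(String.format("The expiration time must be after the not-before time but exp=%s and nbf=%s", claims.getExpirationTime(), claims.getNotBeforeTime()));
    }

    // This test must stay inside the null guard: outside it, a token with no nbf claim
    // would fail with a NullPointerException instead of being evaluated on its other claims.
    if (claims.getNotBeforeTime().after(nowPlusLeeway)) {
        throw new JwtTooEarlyException(claims.getNotBeforeTime(), now, JwtConstants.TIME_CLAIM_LEEWAY_SECONDS);
    }
}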
// ID-token nbf check with clock-skew tolerance: the local clock is advanced by
// OIDCConstants.TIME_SKEW_ALLOWANCE (scaled by 1000 before being added to a millisecond
// timestamp, so presumably seconds). If nbf is still later, the token is flagged through
// isValid and the failure is logged; nothing is thrown in the lines shown.
// A token that carries no nbf claim skips this check entirely.
// NOTE(review): whether processing stops once isValid is false is decided outside this
// fragment; confirm the flag is honoured before the token's claims are trusted.
// NOTE(review): "untill" in the message is a typo for "until".
if (idClaims.getNotBeforeTime() != null) { Date now = new Date(System.currentTimeMillis() + (OIDCConstants. TIME_SKEW_ALLOWANCE * 1000)); if (now.before(idClaims.getNotBeforeTime())) { isValid = false; log.error("Id Token not valid untill: " + idClaims.getNotBeforeTime());
// ID-token nbf check with clock-skew tolerance: the local clock is advanced by
// timeSkewAllowance (scaled by 1000 before being added to a millisecond timestamp, so
// presumably seconds) and the token is rejected if its nbf is still later than that.
// A token that carries no nbf claim skips this check entirely.
// NOTE(review): if timeSkewAllowance is declared as int, `timeSkewAllowance * 1000` is
// computed in int arithmetic before widening; the declaration is not visible here, confirm.
// NOTE(review): "untill" in the message is a typo for "until".
if (idClaims.getNotBeforeTime() != null) { Date now = new Date(System.currentTimeMillis() + (timeSkewAllowance * 1000)); if (now.before(idClaims.getNotBeforeTime())){ throw new AuthenticationServiceException("Id Token not valid untill: " + idClaims.getNotBeforeTime());
// ID-token nbf check with clock-skew tolerance: the local clock is advanced by
// timeSkewAllowance (scaled by 1000 before being added to a millisecond timestamp, so
// presumably seconds) and the token is rejected if its nbf is still later than that.
// A token that carries no nbf claim skips this check entirely.
// NOTE(review): if timeSkewAllowance is declared as int, `timeSkewAllowance * 1000` is
// computed in int arithmetic before widening; the declaration is not visible here, confirm.
// NOTE(review): "untill" in the message is a typo for "until".
if (idClaims.getNotBeforeTime() != null) { Date now = new Date(System.currentTimeMillis() + (timeSkewAllowance * 1000)); if (now.before(idClaims.getNotBeforeTime())){ throw new AuthenticationServiceException("Id Token not valid untill: " + idClaims.getNotBeforeTime());
// Builder excerpt for a newly issued token: iat is the current time and jti is a fresh
// random UUID, while nbf and the "acr" claim are copied unchanged from subjectTokenClaims.
// If the subject token has no nbf, null is passed through to notBeforeTime().
// NOTE(review): the exp of the new token is set outside this fragment; confirm it is
// bounded independently rather than inherited without limit from the subject token.
.issueTime(new Date()) .jwtID(UUID.randomUUID().toString()) .notBeforeTime(subjectTokenClaims.getNotBeforeTime()) .claim("typ", "Bearer") .claim("acr", subjectTokenClaims.getClaim("acr"))
// Assertion-token nbf check with clock-skew tolerance: the local clock is advanced by
// timeSkewAllowance (scaled by 1000 before being added to a millisecond timestamp, so
// presumably seconds) and the assertion is rejected if its nbf is still later than that.
// An assertion that carries no nbf claim skips this check entirely.
// NOTE(review): if timeSkewAllowance is declared as int, `timeSkewAllowance * 1000` is
// computed in int arithmetic before widening; the declaration is not visible here, confirm.
// NOTE(review): "untill" in the message is a typo for "until".
if (jwtClaims.getNotBeforeTime() != null) { Date now = new Date(System.currentTimeMillis() + (timeSkewAllowance * 1000)); if (now.before(jwtClaims.getNotBeforeTime())){ throw new AuthenticationServiceException("Assertion Token not valid untill: " + jwtClaims.getNotBeforeTime());
/**
 * Builds a JWT wrapper whose signature can be verified later.
 *
 * <p>Header and claim values are copied from the supplied objects as they are; no signature
 * or time-window check happens in this method, so the result must not be trusted until it
 * has been verified. {@code sub} and {@code nbf} are passed on as optional values.
 *
 * @param jwsObject a json web signature object
 * @param claims jwt claims set
 * @return a signature verifiable jwt
 * @throws UnsupportedAlgorithmException if the signing algorithm is not supported
 */
public static VerifiableJwt buildVerifiableJwt(JWSObject jwsObject, JWTClaimsSet claims)
    throws UnsupportedAlgorithmException {
  // Header values come from the still-unverified token.
  final String algorithmName = jwsObject.getHeader().getAlgorithm().getName();
  final String keyId = jwsObject.getHeader().getKeyID();

  return new NimbusVerifiableJwt(
      JwtBuilder.newJwt()
          .algorithm(getSigningAlgorithm(algorithmName))
          .keyId(keyId)
          .issuer(claims.getIssuer())
          .subject(option(claims.getSubject()))
          .audience(claims.getAudience())
          .expirationTime(DATE_TO_DATETIME.apply(claims.getExpirationTime()))
          .issuedAt(DATE_TO_DATETIME.apply(claims.getIssueTime()))
          .notBefore(option(claims.getNotBeforeTime()).map(DATE_TO_DATETIME))
          .build(),
      jwsObject);
}
/**
 * Validates a JWT access token: format, required claims, signature, expiry and not-before.
 *
 * <p>The identity provider used for signature validation is looked up from the token's own
 * {@code iss} claim, which is read before the signature has been checked.
 * NOTE(review): confirm that {@code getResidentIDPForIssuer} rejects issuers that are not
 * configured, since the value is attacker-controlled at that point.
 *
 * @param validationReqDTO validation context carrying the access token
 * @return {@code false} if the token is not a JWT, its signature does not validate, or the
 *     expiry check fails; {@code true} otherwise
 * @throws IdentityOAuth2Exception if the claims are missing or the token cannot be parsed
 *     or verified
 */
@Override
public boolean validateAccessToken(OAuth2TokenValidationMessageContext validationReqDTO)
        throws IdentityOAuth2Exception {

    final boolean looksLikeJwt =
            isJWT(validationReqDTO.getRequestDTO().getAccessToken().getIdentifier());
    if (!looksLikeJwt) {
        return false;
    }

    try {
        SignedJWT token = getSignedJWT(validationReqDTO);
        JWTClaimsSet claims = token.getJWTClaimsSet();
        if (claims == null) {
            throw new IdentityOAuth2Exception("Claim values are empty in the given Token.");
        }
        validateRequiredFields(claims);

        IdentityProvider issuerIdp = getResidentIDPForIssuer(claims.getIssuer());

        // Short-circuit keeps the order: expiry is only consulted for a validly signed token.
        boolean signedAndUnexpired = validateSignature(token, issuerIdp)
                && checkExpirationTime(claims.getExpirationTime());
        if (!signedAndUnexpired) {
            return false;
        }

        // NOTE(review): any return value of checkNotBeforeTime is discarded, so a
        // not-yet-valid token is only rejected if that helper throws; confirm that it does.
        checkNotBeforeTime(claims.getNotBeforeTime());
        return true;
    } catch (JOSEException | ParseException e) {
        throw new IdentityOAuth2Exception("Error while validating Token.", e);
    }
}