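/**
 * Maps the ID token's subject/issuer pair to granted authorities.
 *
 * <p>Every parseable token yields a {@code SubjectIssuerGrantedAuthority} plus
 * {@code ROLE_USER}; tokens whose subject/issuer pair is listed in {@code admins}
 * additionally get {@code ROLE_ADMIN}. If the claims cannot be parsed the failure is
 * logged with its cause and an empty set is returned, so a malformed token grants
 * nothing.
 *
 * @param idToken  the ID token whose claims are inspected
 * @param userInfo not used by this mapper
 * @return the authorities granted for this token, never {@code null}
 */
@Override
public Collection<? extends GrantedAuthority> mapAuthorities(JWT idToken, UserInfo userInfo) {
    Set<GrantedAuthority> out = new HashSet<>();
    try {
        JWTClaimsSet claims = idToken.getJWTClaimsSet();
        SubjectIssuerGrantedAuthority authority =
                new SubjectIssuerGrantedAuthority(claims.getSubject(), claims.getIssuer());
        out.add(authority);
        if (admins.contains(authority)) {
            out.add(ROLE_ADMIN);
        }
        // everybody's a user by default
        out.add(ROLE_USER);
    } catch (ParseException e) {
        // keep the cause: the bare message gave no hint why the token failed to parse
        logger.error("Unable to parse ID Token inside of authorities mapper (huh?)", e);
    }
    return out;
}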
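/**
 * Create an unauthenticated token carrying the given JWT.
 *
 * <p>The JWT's {@code sub} claim is copied into {@code subject} so it is still
 * available in case the credentials get erased later.
 *
 * @param jwt the client assertion; its claims set must be parseable
 * @throws IllegalArgumentException if the JWT's claims set cannot be parsed
 */
public JWTBearerAssertionAuthenticationToken(JWT jwt) {
    super(null);
    try {
        // save the subject of the JWT in case the credentials get erased later
        this.subject = jwt.getJWTClaimsSet().getSubject();
    } catch (ParseException e) {
        // fail closed instead of building a token whose subject is unknown
        throw new IllegalArgumentException("Unable to parse the claims of the JWT assertion", e);
    }
    this.jwt = jwt;
    setAuthenticated(false);
}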
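/**
 * Create an authenticated token with the given JWT and authorities set.
 *
 * <p>The JWT's {@code sub} claim is copied into {@code subject} so it is still
 * available in case the credentials get erased later.
 *
 * @param jwt         the client assertion; its claims set must be parseable
 * @param authorities the authorities granted to the authenticated client
 * @throws IllegalArgumentException if the JWT's claims set cannot be parsed
 */
public JWTBearerAssertionAuthenticationToken(JWT jwt, Collection<? extends GrantedAuthority> authorities) {
    super(authorities);
    try {
        // save the subject of the JWT in case the credentials get erased later
        this.subject = jwt.getJWTClaimsSet().getSubject();
    } catch (ParseException e) {
        // an authenticated token must never carry an unknown subject; fail closed
        throw new IllegalArgumentException("Unable to parse the claims of the JWT assertion", e);
    }
    this.jwt = jwt;
    setAuthenticated(true);
}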
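/**
 * Pull the assertion out of the request and send it up to the auth manager for processing.
 *
 * <p>The {@code client_assertion} parameter is parsed as a JWT and its claims set must be
 * parseable and carry a {@code sub} before an unauthenticated token is handed to the
 * authentication manager. NOTE(review): {@code client_assertion_type} is not checked in
 * this method; confirm the filter's request matcher enforces the jwt-bearer type.
 *
 * @param request  the token-endpoint request carrying the client assertion
 * @param response not used by this method
 * @return whatever the authentication manager returns for the assertion
 * @throws AuthenticationException if the assertion is missing, is not a parseable JWT,
 *         has no subject, or is rejected by the authentication manager
 */
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
        throws AuthenticationException, IOException, ServletException {
    // check for appropriate parameters
    String assertion = request.getParameter("client_assertion");
    if (assertion == null || assertion.trim().isEmpty()) {
        throw new BadCredentialsException("Missing client_assertion parameter");
    }
    try {
        JWT jwt = JWTParser.parse(assertion);
        // make sure the claims are well-formed and identify a client before building the token
        if (jwt.getJWTClaimsSet().getSubject() == null) {
            throw new BadCredentialsException("JWT credential has no subject");
        }
        Authentication authRequest = new JWTBearerAssertionAuthenticationToken(jwt);
        return this.getAuthenticationManager().authenticate(authRequest);
    } catch (ParseException e) {
        // do not echo the raw assertion into the message: it is caller-controlled and may
        // be logged; the cause carries the parse detail instead
        throw new BadCredentialsException("Invalid JWT credential", e);
    }
}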
String subject = idTokenClaims.getSubject(); // the ID token's "sub" claim; presumably null when the claim is absent -- verify against the claims type
/**
 * Extracts the user identity from a Knox SSO token after verifying it.
 *
 * <p>Order of checks: Knox must be enabled, the string must parse as a signed JWT,
 * {@code validateToken} must accept it, and a claims set must be present. Any failure
 * after parsing is reported as an {@code InvalidAuthenticationException}.
 *
 * @param jwt signed jwt string
 * @return the user authentication (the token's {@code sub} claim)
 * @throws ParseException if the payload of the jwt doesn't represent a valid json object and a jwt claims set
 * @throws JOSEException if the JWS object couldn't be verified
 */
public String getAuthenticationFromToken(final String jwt) throws ParseException, JOSEException {
    if (!configuration.isKnoxEnabled()) {
        throw new IllegalStateException("Apache Knox SSO is not enabled.");
    }

    // attempt to parse the signed jwt
    final SignedJWT signedJwt = SignedJWT.parse(jwt);

    // reject before touching the claims when the token does not validate
    if (!validateToken(signedJwt)) {
        throw new InvalidAuthenticationException("The Knox JWT token is not valid.");
    }

    final JWTClaimsSet claimsSet = signedJwt.getJWTClaimsSet();
    if (claimsSet == null) {
        logger.info("Claims set is missing from Knox JWT.");
        throw new InvalidAuthenticationException("The Knox JWT token is not valid.");
    }

    // extract the user identity from the token
    return claimsSet.getSubject();
}
PendingOIDCAuthenticationToken token = new PendingOIDCAuthenticationToken(idClaims.getSubject(), idClaims.getIssuer(), serverConfig, idToken, accessTokenValue, refreshTokenValue); // pending (not yet authenticated) token keyed by the ID token's sub/iss pair; presumably completed by a later step -- confirm
try { jwtToken = SignedJWT.parse(serializedJWT); String userName = jwtToken.getJWTClaimsSet().getSubject(); /* NOTE(review): this log line runs before isValid(), so the recorded user name is a claim from a token that has not yet been verified */ LOG.info("SSO login user : {} ", userName); if (isValid(jwtToken, userName)) {
Preconditions.checkNotNull(claims.getSubject()); Preconditions.checkNotNull(claims.getClaim("email")); // required claims: "sub" and "email"; checkNotNull raises NullPointerException when either is absent
/**
 * Returns the {@code sub} claim of the wrapped claims set.
 *
 * @return the subject, or {@code null} when no claims set is present
 */
public String getSubject() {
    if (jwtClaimsSet == null) {
        return null;
    }
    return jwtClaimsSet.getSubject();
}
/**
 * Returns the {@code sub} claim of the wrapped claims set.
 *
 * @return the subject, or {@code null} when no claims set is present
 */
public String getSubject() {
    if (jwtClaimsSet == null) {
        return null;
    }
    return jwtClaimsSet.getSubject();
}
/**
 * Resolves the principal's subject from a parsed claims set.
 *
 * @param claimsSet claims of the token
 * @return the value of the {@code sub} claim as reported by the claims set
 */
private String resolveSubject(JWTClaimsSet claimsSet) {
    final String subject = claimsSet.getSubject();
    return subject;
}
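/**
 * Maps the ID token's subject/issuer pair to granted authorities.
 *
 * <p>Every parseable token yields a {@code SubjectIssuerGrantedAuthority} plus
 * {@code ROLE_USER}; tokens whose subject/issuer pair is listed in {@code admins}
 * additionally get {@code ROLE_ADMIN}. If the claims cannot be parsed the failure is
 * logged with its cause and an empty set is returned, so a malformed token grants
 * nothing.
 *
 * @param idToken  the ID token whose claims are inspected
 * @param userInfo not used by this mapper
 * @return the authorities granted for this token, never {@code null}
 */
@Override
public Collection<? extends GrantedAuthority> mapAuthorities(JWT idToken, UserInfo userInfo) {
    Set<GrantedAuthority> out = new HashSet<>();
    try {
        JWTClaimsSet claims = idToken.getJWTClaimsSet();
        SubjectIssuerGrantedAuthority authority =
                new SubjectIssuerGrantedAuthority(claims.getSubject(), claims.getIssuer());
        out.add(authority);
        if (admins.contains(authority)) {
            out.add(ROLE_ADMIN);
        }
        // everybody's a user by default
        out.add(ROLE_USER);
    } catch (ParseException e) {
        // keep the cause: the bare message gave no hint why the token failed to parse
        logger.error("Unable to parse ID Token inside of authorities mapper (huh?)", e);
    }
    return out;
}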
/**
 * Loads the user named by the token's {@code sub} claim and converts it to a DTO.
 *
 * @param claims JWT claims whose subject is the user name to look up
 * @return the user's DTO with the password field cleared
 * @throws UsernameNotFoundException if no user matches the subject
 */
@Override
protected UserDto fetchUserDto(JWTClaimsSet claims) {
    final String username = claims.getSubject();
    final U user = userDetailsService
            .findUserByUsername(username)
            .orElseThrow(() -> new UsernameNotFoundException(username));
    log.debug("User found ...");
    // presumably rejects tokens issued before the credentials last changed -- confirm in LemonUtils
    LemonUtils.ensureCredentialsUpToDate(claims, user);
    final UserDto dto = user.toUserDto();
    // never hand the password back to the caller
    dto.setPassword(null);
    return dto;
}
}
/**
 * Loads the user named by the token's {@code sub} claim, reactively, and maps it to a DTO.
 *
 * @param claims JWT claims whose subject is the user name to look up
 * @return a {@code Mono} emitting the user's DTO, or erroring with
 *         {@code UsernameNotFoundException} when no user matches the subject
 */
@Override
protected Mono<UserDto> fetchUserDto(JWTClaimsSet claims) {
    final String username = claims.getSubject();
    final Mono<UsernameNotFoundException> notFound =
            Mono.defer(() -> Mono.error(new UsernameNotFoundException(username)));
    return userDetailsService.findUserByUsername(username)
            .switchIfEmpty(notFound.cast(Object.class).map(o -> null).then(Mono.empty()))
            .doOnNext(found -> {
                log.debug("User found ...");
                // presumably rejects tokens issued before the credentials last changed -- confirm in LerUtils
                LerUtils.ensureCredentialsUpToDate(claims, found);
            })
            .map(AbstractMongoUser::toUserDto);
}
}
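/**
 * Decrypts and verifies a serialized identity token and extracts the identity it carries.
 *
 * <p>The token is a Base64-encoded JWE wrapping a signed JWT; both the direct decryption
 * and the HMAC use {@code secretKey}. The signature check result is enforced: a JWT whose
 * HMAC does not verify is rejected instead of having its claims trusted.
 *
 * @param token Base64-encoded JWE string
 * @return the issuer/subject pair from the verified claims
 * @throws Exception on malformed Base64/JWE input, decryption failure, a payload that is
 *         not a signed JWT, or a failed HMAC verification
 */
public IdentityReference deserialize(String token) throws Exception {
    // JWE compact serialization is ASCII; decode with an explicit charset instead of the platform default
    String sToken = new String(Base64.getDecoder().decode(token), java.nio.charset.StandardCharsets.UTF_8);
    // Parse the JWE string
    JWEObject jweObject = JWEObject.parse(sToken);
    // Decrypt with shared key
    jweObject.decrypt(new DirectDecrypter(secretKey.getEncoded()));
    // Extract payload; toSignedJWT() yields null when the payload is not a signed JWT
    SignedJWT signedJWT = jweObject.getPayload().toSignedJWT();
    if (signedJWT == null) {
        throw new java.security.GeneralSecurityException("Decrypted payload is not a signed JWT");
    }
    // Check the HMAC; verify() reports failure through its return value, so it must be tested
    if (!signedJWT.verify(new MACVerifier(secretKey.getEncoded()))) {
        throw new java.security.GeneralSecurityException("JWT signature verification failed");
    }
    // Retrieve the JWT claims
    return new IdentityReference(signedJWT.getJWTClaimsSet().getIssuer(), signedJWT.getJWTClaimsSet().getSubject());
}
}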
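/**
 * Decrypts and verifies a serialized identity token and extracts the identity it carries.
 *
 * <p>The token is a Base64-encoded JWE wrapping a signed JWT; both the direct decryption
 * and the HMAC use {@code secretKey}. The signature check result is enforced: a JWT whose
 * HMAC does not verify is rejected instead of having its claims trusted.
 *
 * @param token Base64-encoded JWE string
 * @return the issuer/subject pair from the verified claims
 * @throws Exception on malformed Base64/JWE input, decryption failure, a payload that is
 *         not a signed JWT, or a failed HMAC verification
 */
public IdentityReference deserialize(String token) throws Exception {
    // JWE compact serialization is ASCII; decode with an explicit charset instead of the platform default
    String sToken = new String(Base64.getDecoder().decode(token), java.nio.charset.StandardCharsets.UTF_8);
    // Parse the JWE string
    JWEObject jweObject = JWEObject.parse(sToken);
    // Decrypt with shared key
    jweObject.decrypt(new DirectDecrypter(secretKey.getEncoded()));
    // Extract payload; toSignedJWT() yields null when the payload is not a signed JWT
    SignedJWT signedJWT = jweObject.getPayload().toSignedJWT();
    if (signedJWT == null) {
        throw new java.security.GeneralSecurityException("Decrypted payload is not a signed JWT");
    }
    // Check the HMAC; verify() reports failure through its return value, so it must be tested
    if (!signedJWT.verify(new MACVerifier(secretKey.getEncoded()))) {
        throw new java.security.GeneralSecurityException("JWT signature verification failed");
    }
    // Retrieve the JWT claims
    return new IdentityReference(signedJWT.getJWTClaimsSet().getIssuer(), signedJWT.getJWTClaimsSet().getSubject());
}
}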
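/**
 * Validates the change-email code carried in the request against the user's pending change.
 *
 * <p>Both the {@code code} form field and the user's pending {@code newEmail} must be
 * non-blank; the code is then parsed as a change-email token bound to the user's
 * credentials timestamp, and its {@code sub} and {@code newEmail} claims must match the
 * user. The comparisons put the user-side values on the left, so a token lacking either
 * claim fails the authority check instead of throwing a {@link NullPointerException}.
 * Validation and authority failures are raised by the {@code LexUtils}/{@code LecUtils}
 * helpers.
 *
 * @param tuple the user and the request's form parameters
 * @return the same user, for chaining
 */
protected U validateChangeEmail(Tuple2<U, MultiValueMap<String, String>> tuple) {
    U user = tuple.getT1();
    String code = tuple.getT2().getFirst("code");
    LexUtils.validate(StringUtils.isNotBlank(code), "com.naturalprogrammer.spring.blank", "code").go();
    LexUtils.validate(StringUtils.isNotBlank(user.getNewEmail()), "com.naturalprogrammer.spring.blank.newEmail").go();
    JWTClaimsSet claims = greenTokenService.parseToken(code, GreenTokenService.CHANGE_EMAIL_AUDIENCE, user.getCredentialsUpdatedMillis());
    // getNewEmail() was checked non-blank above; the token's claims may be absent, so keep them on the right
    LecUtils.ensureAuthority(
            user.getId().toString().equals(claims.getSubject())
                    && user.getNewEmail().equals(claims.getClaim("newEmail")),
            "com.naturalprogrammer.spring.wrong.changeEmailCode");
    return user;
}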
/**
 * Parses a compact-serialized JWS into a {@link Jwt} carrying issuer, subject and raw payload.
 *
 * <p>NOTE(review): nothing in this method verifies the JWS signature; confirm that
 * {@code parseJWSObject} or the caller does before the result is trusted.
 *
 * @param jwt compact-serialized JWS string
 * @return the parsed token
 * @throws JwtParseException if the JWS or its claims set cannot be parsed
 */
@Nonnull
@Override
public Jwt parse(String jwt) throws JwtParseException {
    final JWSObject jwsObject = parseJWSObject(jwt);
    try {
        final JWTClaimsSet claims = JWTClaimsSet.parse(jwsObject.getPayload().toJSONObject());
        final String issuer = claims.getIssuer();
        final String subject = claims.getSubject();
        final String rawPayload = jwsObject.getPayload().toString();
        return new SimpleJwt(issuer, subject, rawPayload);
    } catch (ParseException e) {
        throw new JwtParseException(e);
    }
}
/**
 * Parses a compact-serialized JWS into a {@code SimpleUnverifiedJwt} without checking its
 * signature: the header's algorithm name, issuer, subject and raw payload are exposed as-is.
 *
 * @param jwt compact-serialized JWS string
 * @return the parsed, unverified token
 * @throws JwtParseException if the JWS or its claims set cannot be parsed
 */
public SimpleUnverifiedJwt parse(String jwt) throws JwtParseException {
    final JWSObject jwsObject = parseJWSObject(jwt);
    try {
        final JWTClaimsSet claims = JWTClaimsSet.parse(jwsObject.getPayload().toJSONObject());
        // the algorithm comes from the unverified header and is only reported, not enforced here
        final String algorithm = jwsObject.getHeader().getAlgorithm().getName();
        final String issuer = claims.getIssuer();
        final String subject = claims.getSubject();
        final String rawPayload = jwsObject.getPayload().toString();
        return new SimpleUnverifiedJwt(algorithm, issuer, subject, rawPayload);
    } catch (ParseException e) {
        throw new JwtParseException(e);
    }
}