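/**
 * Builds the principal for the authenticated user from the JWT's role claims.
 *
 * <p>Each configured role claim is read from the claim set. A claim may be either a
 * JSON array of roles or a single comma-separated string; any other shape is skipped
 * (and logged). Roles are de-duplicated, and null/blank entries (e.g. from a trailing
 * comma) are dropped.
 *
 * @return a {@link TribestreamPrincipal} carrying the username and the collected roles
 */
public Principal createPrincipal() {
    final Set<String> roles = new HashSet<>();
    final ReadOnlyJWTClaimsSet jwtClaimsSet = getJWTClaimsSet();
    final String jwtId = jwtClaimsSet.getJWTID() == null ? "" : jwtClaimsSet.getJWTID();

    if (roleClaims != null) {
        for (final String roleClaim : roleClaims) {
            final Object claim = jwtClaimsSet.getClaim(roleClaim);
            if (claim == null) {
                // Only the JWT ID is logged: the raw token is a bearer credential and must
                // never be written to log files.
                LOGGER.info(Oauth2Codes.UNABLE_TO_READ_CLAIM,
                        format("Claim: %s is null, skipping. JWT ID: %s", roleClaim, jwtId));
                continue;
            }
            if (claim instanceof List) {
                // JSON array elements are not guaranteed to be strings; convert each one
                // instead of bulk-adding a raw List into a Set<String> (heap pollution).
                for (final Object entry : (List<?>) claim) {
                    addRole(roles, entry == null ? null : entry.toString());
                }
            } else if (claim instanceof String) {
                for (final String entry : ((String) claim).split(" *, *")) {
                    addRole(roles, entry);
                }
            } else {
                // Unsupported claim shape (object, number, ...): log the type only.
                LOGGER.info(Oauth2Codes.UNABLE_TO_READ_CLAIM,
                        format("Claim: %s has unsupported type %s, skipping. JWT ID: %s",
                                roleClaim, claim.getClass().getName(), jwtId));
            }
        }
    }

    if (handler != null) {
        handler.info("bearer-profile", "Creating principal with roles " + roles);
    }
    return new TribestreamPrincipal(getUsername(), new ArrayList<>(roles));
}

/** Adds {@code role} to {@code roles} unless it is null or blank. */
private static void addRole(final Set<String> roles, final String role) {
    if (role != null && !role.trim().isEmpty()) {
        roles.add(role);
    }
}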
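/**
 * Ensures a refresh token presented by an authenticated client was issued to that same client.
 *
 * <p>The issuing client's id is taken from the {@code client-id} entry of the token's
 * {@code tag-internal} claim and compared with the requesting client's name. The check is
 * skipped when there is no client, when no refresh token is involved, or when either side
 * has no id to compare.
 *
 * @param request the access-token request carrying the client, grant type and refresh token
 * @throws ValidationResponseException {@code CLIENT_NOT_MATCHING} when the token was issued to
 *         a different client; {@code REVOKE_INVALID_JWT} when the token cannot be parsed or
 *         does not carry a {@code tag-internal} JSON object
 */
public void validateClientMatchesRefreshToken(final AccessTokenRequest request) {
    final Account client = request.getClient();
    if (client == null) {
        return;
    }

    final String grantType = request.getGrantType();
    final String refreshToken = request.getRefreshToken();
    // Nothing to check unless a refresh token is present or the grant type demands one
    // (a refresh_token grant with a blank token falls through and fails as unparsable).
    if (StringUtils.isBlank(refreshToken) && !Constants.GRANT_TYPE_REFRESH_TOKEN.equals(grantType)) {
        return;
    }

    try {
        // NOTE(review): the claim set is read with verification disabled (false / null key),
        // so client-id comes from an unverified payload. This check only stops a valid token
        // from being replayed by another client; the signature must still be verified
        // elsewhere before the token is honoured — confirm against the caller.
        final ReadOnlyJWTClaimsSet claimSet = jwt.getClaimSet(null, refreshToken, false, (Key) null, null);

        // Fail closed on a missing or non-object tag-internal claim rather than escaping
        // with an NPE/ClassCastException: such a token cannot be attributed to a client.
        final Object tagInternal = claimSet.getClaim("tag-internal");
        if (!(tagInternal instanceof JSONObject)) {
            throw new ValidationResponseException(OAuth2Validator.ValidationResponse.REVOKE_INVALID_JWT);
        }

        final Object rawClientId = ((JSONObject) tagInternal).get("client-id");
        final String clientId = rawClientId == null ? null : rawClientId.toString();
        if (StringUtils.isBlank(clientId) || StringUtils.isBlank(client.getName())) {
            return;
        }
        if (!clientId.equals(client.getName())) {
            throw new ValidationResponseException(OAuth2Validator.ValidationResponse.CLIENT_NOT_MATCHING);
        }
    } catch (final HttpResponseException e) {
        // The token is a credential: record that it was unparsable, never its value.
        LOG.finest(Oauth2Codes.UPARSABLE_REFRESH_TOKEN, "Unparsable refresh token.", e);
        throw new ValidationResponseException(OAuth2Validator.ValidationResponse.REVOKE_INVALID_JWT);
    }
}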
null); final String tokenType = String.valueOf(claims.getClaim(Claims.TOKEN_TYPE.getName())); if (!tokenTypes.contains(tokenType)) { throw new ValidationResponseException(OAuth2Validator.ValidationResponse.TOKEN_TYPE_INVALID);
final JSONObject tagInternal = (JSONObject) jwt.getJWTClaimsSet().getClaim("tag-internal"); final String innerToken = (String) tagInternal.get("inner-jwt"); return SignedJWT.parse(innerToken);
final JSONObject internal = JSONObjectUtils.parseJSONObject(String.valueOf(claims.getClaim(Claims.TAG_INTERNAL.getName())));
final SignedJWT signedPreviousRT = SignedJWT.parse(previousRT); final ReadOnlyJWTClaimsSet previousCS = signedPreviousRT.getJWTClaimsSet(); final String tagInternalPayload = String.valueOf(previousCS.getClaim(Claims.TAG_INTERNAL.getName())); final JSONObject tagInternal = JSONObjectUtils.parseJSONObject(tagInternalPayload);