/**
 * Verifier that requires a named claim to be present and equal to a fixed expected value.
 *
 * @param claimName     name of the claim this verifier inspects
 * @param expectedValue value the claim must hold (the comparison itself lives in
 *                      {@code isMismatch}, defined elsewhere in this class)
 */
public JwtClaimEqualityVerifier(String claimName, Object expectedValue) {
    // Presence is checked by a dedicated verifier so that "claim missing" and
    // "claim has the wrong value" are reported as distinct exception types.
    this.claimExistenceVerifier = new JwtClaimExistenceVerifier(claimName);
    this.claimName = claimName;
    this.expectedValue = expectedValue;
}
/**
 * Reader that verifies HMAC-signed tokens from {@code issuer} using a shared secret.
 *
 * @param issuer       issuer whose tokens this reader accepts
 * @param sharedSecret symmetric key shared with the issuer; wrapped into a verifier by
 *                     {@code createMACVerifier}, which is defined outside this method
 * @param clock        clock used by the superclass for time-based claim checks
 */
public NimbusMacJwtReader(String issuer, String sharedSecret, Clock clock) {
    // NOTE(review): any minimum-key-length or null-secret handling happens inside
    // createMACVerifier, not here — confirm it rejects weak or empty secrets.
    super(issuer, createMACVerifier(sharedSecret), clock);
}
/**
 * Factory for the shared-secret (HMAC) reader; the asymmetric counterpart is
 * {@code rsVerifyingReader}.
 *
 * @param issuer       issuer whose tokens the reader accepts
 * @param sharedSecret HMAC secret shared with that issuer
 * @param clock        clock for time-based claim checks
 * @return a reader that verifies MAC-signed tokens from {@code issuer}
 */
private JwtReader macVerifyingReader(String issuer, String sharedSecret, Clock clock) {
    final NimbusMacJwtReader reader = new NimbusMacJwtReader(issuer, sharedSecret, clock);
    return reader;
}
/**
 * Selects a shared-secret verifying reader for {@code jwt} from its still-unverified header and claims.
 * <p>
 * The token is parsed without signature verification purely to read {@code alg} and {@code iss}.
 * Only an algorithm that {@code requiresSharedSecret()} is accepted on this path: a token
 * declaring an asymmetric algorithm is rejected instead of being verified with the issuer's
 * shared secret, which is what makes the classic HS/RS key-confusion trick fail here.
 *
 * @param jwt   compact-serialised JWS; untrusted input
 * @param clock clock the returned reader uses for time-based claims
 * @return a reader that verifies with the shared secret registered for the token's issuer
 * @throws JwsUnsupportedAlgorithmException    if {@code alg} is not accepted by
 *                                             {@code validateAlgorithm} or is not a shared-secret algorithm
 * @throws JwtUnknownIssuerException           raised by {@code validateIssuer} (defined elsewhere)
 * @throws JwtParseException                   if the token cannot be parsed
 * @throws JwtIssuerLacksSharedSecretException presumably raised by the shared-secret lookup when
 *                                             the issuer has no secret on record — confirm in the service
 */
private JwtReader getReader(String jwt, Clock clock)
        throws JwsUnsupportedAlgorithmException, JwtUnknownIssuerException, JwtParseException,
               JwtIssuerLacksSharedSecretException {
    final SimpleUnverifiedJwt unverified = new NimbusUnverifiedJwtReader().parse(jwt);
    final SigningAlgorithm declaredAlgorithm = validateAlgorithm(unverified);
    // Issuer is validated before the algorithm-family check so the exception order is unchanged.
    final String issuer = validateIssuer(unverified);
    if (!declaredAlgorithm.requiresSharedSecret()) {
        // Never hand a shared secret to a reader for an asymmetric algorithm.
        throw new JwsUnsupportedAlgorithmException(String.format(
                "Expected a symmetric signing algorithm such as %s, and not %s. Try a symmetric algorithm.",
                SigningAlgorithm.HS256, declaredAlgorithm.name()));
    }
    final String sharedSecret = jwtIssuerSharedSecretService.getSharedSecret(issuer);
    return macVerifyingReader(issuer, sharedSecret, clock);
}
/**
 * Selects a public-key verifying reader for {@code jwt} from its still-unverified header and claims.
 * <p>
 * Mirror image of the shared-secret path: only an algorithm that {@code requiresKeyPair()} is
 * accepted, so a token that declares an HMAC algorithm is refused rather than verified with
 * the (public, hence non-secret) RSA key material — the other half of the HS/RS confusion defence.
 *
 * @param jwt       compact-serialised JWS; untrusted input
 * @param publicKey RSA public key of the expected issuer
 * @param clock     clock the returned reader uses for time-based claims
 * @return a reader that verifies RSA-signed tokens from the token's issuer
 * @throws JwsUnsupportedAlgorithmException if {@code alg} is not accepted by {@code validateAlgorithm}
 *                                          or is not an asymmetric algorithm
 * @throws JwtParseException                if the token cannot be parsed
 * @throws JwtUnknownIssuerException        raised by {@code validateIssuer} (defined elsewhere)
 */
private JwtReader getReader(String jwt, RSAPublicKey publicKey, Clock clock)
        throws JwsUnsupportedAlgorithmException, JwtParseException, JwtUnknownIssuerException {
    final SimpleUnverifiedJwt unverified = new NimbusUnverifiedJwtReader().parse(jwt);
    final SigningAlgorithm declaredAlgorithm = validateAlgorithm(unverified);
    final String issuer = validateIssuer(unverified);
    if (!declaredAlgorithm.requiresKeyPair()) {
        throw new JwsUnsupportedAlgorithmException(String.format(
                "Expected an asymmetric signing algorithm such as %s, and not %s. Try an asymmetric algorithm.",
                SigningAlgorithm.RS256, declaredAlgorithm.name()));
    }
    return rsVerifyingReader(issuer, publicKey, clock);
}
/**
 * Public-key reader selection that evaluates time-based claims against the system clock.
 *
 * @param jwt       compact-serialised JWS; untrusted input
 * @param publicKey RSA public key of the expected issuer
 * @return a reader that verifies RSA-signed tokens
 * @throws JwsUnsupportedAlgorithmException if the declared algorithm is not an accepted asymmetric one
 * @throws JwtParseException                if the token cannot be parsed
 * @throws JwtUnknownIssuerException        if the issuer is not recognised
 */
@Nonnull
@Override
public JwtReader getReader(@Nonnull String jwt, RSAPublicKey publicKey)
        throws JwsUnsupportedAlgorithmException, JwtParseException, JwtUnknownIssuerException {
    final Clock now = SystemClock.getInstance();
    return getReader(jwt, publicKey, now);
}
/**
 * Checks that {@code claim} is present and carries the expected value.
 *
 * @param claim the claim value taken from the token
 * @throws JwtMissingClaimException if the existence verifier rejects the claim
 * @throws JwtInvalidClaimException if {@code isMismatch} (defined elsewhere in this class)
 *                                  reports the value differs from {@code expectedValue}
 */
@Override
public void verify(@Nonnull Object claim) throws JwtInvalidClaimException, JwtMissingClaimException {
    claimExistenceVerifier.verify(claim);
    if (!isMismatch(claim)) {
        return;
    }
    // NOTE(review): the message echoes both the expected and the presented value. That is
    // acceptable for a request hash (the use seen in this file) but this verifier should not
    // be reused for secret-bearing claims. Whether isMismatch compares in constant time is
    // not visible here.
    throw new JwtInvalidClaimException(String.format(
            "Expecting claim '%s' to have value '%s' but instead it has the value '%s'",
            claimName, expectedValue, claim));
}
/**
 * Parses a compact JWS WITHOUT verifying its signature.
 * <p>
 * Nothing in the returned object is trustworthy; it exists only so a caller can pick the
 * verifying reader from the declared algorithm and issuer, and must not be used for
 * authorisation decisions.
 *
 * @param jwt compact-serialised JWS; untrusted input
 * @return algorithm name, issuer, subject and raw payload as declared by the token
 * @throws JwtParseException if the JWS or its claims set cannot be parsed
 */
public SimpleUnverifiedJwt parse(String jwt) throws JwtParseException {
    final JWSObject jws = parseJWSObject(jwt);
    try {
        final JWTClaimsSet claims = JWTClaimsSet.parse(jws.getPayload().toJSONObject());
        final String declaredAlgorithm = jws.getHeader().getAlgorithm().getName();
        final String rawPayload = jws.getPayload().toString();
        return new SimpleUnverifiedJwt(declaredAlgorithm, claims.getIssuer(), claims.getSubject(), rawPayload);
    } catch (ParseException cause) {
        // Preserve the Nimbus cause for diagnostics.
        throw new JwtParseException(cause);
    }
}
/**
 * Reads {@code jwt} with no required claims and with the verification flag off.
 * <p>
 * The third argument to {@code read} is {@code false} here and {@code true} in
 * {@code readAndVerify}; presumably it toggles signature verification, so treat the
 * result as untrusted and never use it for authorisation.
 *
 * @param jwt compact-serialised JWS; untrusted input
 * @return the parsed token
 * @throws JwtParseException        if the token cannot be parsed
 * @throws JwtVerificationException declared by {@code read}
 */
@Override
@Nonnull
public Jwt readUnverified(@Nonnull final String jwt) throws JwtParseException, JwtVerificationException {
    final boolean verify = false;
    return read(jwt, null, verify);
}
/**
 * Factory for the RSA public-key reader; the symmetric counterpart is {@code macVerifyingReader}.
 *
 * @param issuer    issuer whose tokens the reader accepts
 * @param publicKey RSA public key used to verify signatures
 * @param clock     clock for time-based claim checks
 * @return a reader that verifies RSA-signed tokens from {@code issuer}
 */
private JwtReader rsVerifyingReader(String issuer, RSAPublicKey publicKey, Clock clock) {
    final NimbusRsJwtReader reader = new NimbusRsJwtReader(issuer, publicKey, clock);
    return reader;
}
/**
 * Resolves the token's declared {@code alg} header to a {@link SigningAlgorithm}.
 *
 * @param unverifiedJwt token parsed without signature verification
 * @return the matching signing algorithm
 * @throws JwsUnsupportedAlgorithmException if the declared algorithm is not supported
 */
private SigningAlgorithm validateAlgorithm(SimpleUnverifiedJwt unverifiedJwt) throws JwsUnsupportedAlgorithmException {
    final String declared = unverifiedJwt.getAlgorithm();
    // forName is the only gate: whether "none" and unknown names are rejected (as the
    // declared exception suggests) depends entirely on SigningAlgorithm — confirm there.
    return SigningAlgorithm.forName(declared);
}
/**
 * Encapsulates the claim requirements placed on JWTs carried by incoming requests.
 * <p>
 * Currently a single requirement: the {@code qsh} (query-hash) claim must equal the hash of
 * the canonical form of {@code request}, binding the token to this exact method, path and
 * query rather than letting it be replayed against another endpoint.
 *
 * @param request incoming request, already canonicalised
 * @return an immutable single-entry {@link Map} from claim name to its verifier
 * @throws UnsupportedEncodingException if {@link java.net.URLEncoder} cannot encode the request's characters
 * @throws NoSuchAlgorithmException     if the hashing algorithm does not exist at runtime
 */
public static Map<String, ? extends JwtClaimVerifier> build(CanonicalHttpRequest request)
        throws UnsupportedEncodingException, NoSuchAlgorithmException {
    final String claimName = JwtConstants.Claims.QUERY_HASH;
    final String expectedHash = HttpRequestCanonicalizer.computeCanonicalRequestHash(request);
    final JwtClaimEqualityVerifier queryHashMustMatch = new JwtClaimEqualityVerifier(claimName, expectedHash);
    return Collections.singletonMap(claimName, queryHashMustMatch);
}
}
/**
 * Verifies {@code jwtString} against the claim requirements derived from {@code request}.
 *
 * @param jwtString compact-serialised JWS taken from the request; untrusted input
 * @param request   the incoming request the token must be bound to
 * @return the verified token
 * @throws JwtParseException                   if the token cannot be parsed
 * @throws JwtVerificationException            if signature or claim verification fails
 * @throws JwtIssuerLacksSharedSecretException if the issuer has no shared secret on record
 * @throws JwtUnknownIssuerException           if the issuer is not recognised
 * @throws IOException                         from request canonicalisation
 * @throws NoSuchAlgorithmException            if the request-hash algorithm is unavailable
 */
private Jwt verifyJwt(String jwtString, REQ request)
        throws JwtParseException, JwtVerificationException, JwtIssuerLacksSharedSecretException,
               JwtUnknownIssuerException, IOException, NoSuchAlgorithmException {
    final CanonicalHttpRequest canonical = jwtExtractor.getCanonicalHttpRequest(request);
    // NOTE(review): the verbose canonical request goes to the log at DEBUG. If it carries
    // query parameters, those may include sensitive values; confirm DEBUG is not enabled in
    // production or that the canonical form contains nothing sensitive.
    final String canonicalForLog = CanonicalRequestUtil.toVerboseString(canonical);
    log.debug("Canonical request is: {}", canonicalForLog);
    final Map<String, ? extends JwtClaimVerifier> requiredClaims = JwtClaimVerifiersBuilder.build(canonical);
    return verifyJwt(jwtString, requiredClaims);
}
/**
 * Test-only verifier wired with a single known issuer ({@code clientId}) and its shared secret.
 *
 * @param sharedSecret HMAC secret the test issuer signs with
 * @param clientId     issuer identifier the test issuer validator accepts
 */
public JwtTestVerifier(String sharedSecret, String clientId) {
    this.clientId = clientId;
    this.sharedSecret = sharedSecret;
    final TestJwtIssuerValidator issuerValidator = new TestJwtIssuerValidator(clientId);
    final TestJwtIssuerSharedSecretService secretService = new TestJwtIssuerSharedSecretService(sharedSecret);
    this.readerFactory = new NimbusJwtReaderFactory(issuerValidator, secretService);
}
/**
 * Shared-secret reader selection that evaluates time-based claims as of {@code date}.
 *
 * @param jwt  compact-serialised JWS; untrusted input
 * @param date instant to treat as "now" for expiry / not-before checks
 * @return a reader that verifies with the issuer's shared secret
 * @throws JwsUnsupportedAlgorithmException    if the declared algorithm is not an accepted symmetric one
 * @throws JwtUnknownIssuerException           if the issuer is not recognised
 * @throws JwtParseException                   if the token cannot be parsed
 * @throws JwtIssuerLacksSharedSecretException if the issuer has no shared secret on record
 */
@Nonnull
@Override
public JwtReader getReader(@Nonnull String jwt, @Nonnull Date date)
        throws JwsUnsupportedAlgorithmException, JwtUnknownIssuerException, JwtParseException,
               JwtIssuerLacksSharedSecretException {
    final Clock fixed = StaticClock.at(date);
    return getReader(jwt, fixed);
}
/**
 * Reads {@code jwt} with the verification flag on and the given claim requirements.
 *
 * @param jwt            compact-serialised JWS; untrusted input
 * @param requiredClaims claim name to verifier; every entry must be satisfied
 * @return the verified token
 * @throws JwtParseException        if the token cannot be parsed
 * @throws JwtVerificationException if verification fails
 */
@Override
@Nonnull
public Jwt readAndVerify(@Nonnull final String jwt, @Nonnull final Map<String, ? extends JwtClaimVerifier> requiredClaims)
        throws JwtParseException, JwtVerificationException {
    final boolean verify = true;
    return read(jwt, requiredClaims, verify);
}
/**
 * Shared-secret reader selection that evaluates time-based claims against the system clock.
 *
 * @param jwt compact-serialised JWS; untrusted input
 * @return a reader that verifies with the issuer's shared secret
 * @throws JwtParseException                   if the token cannot be parsed
 * @throws JwsUnsupportedAlgorithmException    if the declared algorithm is not an accepted symmetric one
 * @throws JwtUnknownIssuerException           if the issuer is not recognised
 * @throws JwtIssuerLacksSharedSecretException if the issuer has no shared secret on record
 */
@Nonnull
@Override
public JwtReader getReader(@Nonnull String jwt)
        throws JwtParseException, JwsUnsupportedAlgorithmException, JwtUnknownIssuerException,
               JwtIssuerLacksSharedSecretException {
    final Clock now = SystemClock.getInstance();
    return getReader(jwt, now);
}
/**
 * Public-key reader selection that evaluates time-based claims as of {@code date}.
 *
 * @param jwt       compact-serialised JWS; untrusted input
 * @param publicKey RSA public key of the expected issuer
 * @param date      instant to treat as "now" for expiry / not-before checks
 * @return a reader that verifies RSA-signed tokens
 * @throws JwsUnsupportedAlgorithmException if the declared algorithm is not an accepted asymmetric one
 * @throws JwtParseException                if the token cannot be parsed
 * @throws JwtUnknownIssuerException        if the issuer is not recognised
 */
@Nonnull
@Override
public JwtReader getReader(@Nonnull String jwt, RSAPublicKey publicKey, @Nonnull Date date)
        throws JwsUnsupportedAlgorithmException, JwtParseException, JwtUnknownIssuerException {
    final Clock fixed = StaticClock.at(date);
    return getReader(jwt, publicKey, fixed);
}
/**
 * Selects a reader for {@code token} and reads it with an empty set of claim requirements.
 * <p>
 * Test helper: no additional claims (e.g. a {@code qsh} request binding) are demanded here
 * beyond whatever the reader applies on its own.
 *
 * @param token compact-serialised JWS
 * @return the token as read by the selected reader
 * @throws JwtVerificationException            if the reader rejects the token
 * @throws JwtIssuerLacksSharedSecretException if the issuer has no shared secret on record
 * @throws JwtUnknownIssuerException           if the issuer is not recognised
 * @throws JwtParseException                   if the token cannot be parsed
 */
private Jwt getVerifiedJwt(String token)
        throws JwtVerificationException, JwtIssuerLacksSharedSecretException, JwtUnknownIssuerException,
               JwtParseException {
    final JwtReader reader = readerFactory.getReader(token);
    final Map<String, JwtClaimEqualityVerifier> noExtraClaims = Maps.newHashMap();
    return reader.read(token, noExtraClaims);
}