/**
 * Bridges the blocking Nimbus {@code JWKSource} lookup into a reactive {@code Mono}.
 *
 * <p>{@code Mono.fromCallable} defers the lookup until subscription, so the blocking
 * call runs lazily, once per subscriber, rather than when this method is invoked.
 * The lookup is made with a {@code null} security context, i.e. no
 * context-dependent key selection is applied by the wrapped source.
 *
 * @param jwkSelector selector describing which keys to return
 * @return a {@code Mono} emitting the keys the wrapped source matched for the selector
 */
@Override
public Mono<List<JWK>> get(JWKSelector jwkSelector) {
    return Mono.fromCallable(() -> {
        // Blocking call into the wrapped source; executed per subscription.
        return source.get(jwkSelector, null);
    });
}
}
/**
 * Build the configured {@link JWTProcessor}.
 *
 * <p>The processor verifies signatures against the single configured RSA key and
 * only for the configured RSA-family algorithm; any algorithm outside that family
 * is rejected up front. Claim verification is deliberately disabled inside Nimbus
 * because Spring Security validates the claim set itself.
 *
 * @return the configured {@link JWTProcessor}
 * @throws IllegalStateException if the configured signature algorithm is not an
 *         RSA-family algorithm
 */
public JWTProcessor<SecurityContext> build() {
    boolean rsaAlgorithm = JWSAlgorithm.Family.RSA.contains(this.jwsAlgorithm);
    if (!rsaAlgorithm) {
        String message = "The provided key is of type RSA; "
                + "however the signature algorithm is of some other type: "
                + this.jwsAlgorithm
                + ". Please indicate one of RS256, RS384, or RS512.";
        throw new IllegalStateException(message);
    }
    // Single-key, in-memory source: the selector can only ever pick this key.
    JWKSource<SecurityContext> keySource = new ImmutableJWKSet<>(new JWKSet(this.key));
    JWSKeySelector<SecurityContext> keySelector =
            new JWSVerificationKeySelector<>(this.jwsAlgorithm, keySource);
    DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
    processor.setJWSKeySelector(keySelector);
    // Spring Security validates the claim set independent from Nimbus, so the
    // Nimbus-side verifier is a no-op.
    processor.setJWTClaimsSetVerifier((claims, context) -> {
    });
    return processor;
}
}
/**
 * Build the configured {@link JWTProcessor}.
 *
 * <p>Keys are fetched from the configured JWK Set URI through the configured
 * {@code RestOperations}, and signatures are accepted only for the configured
 * algorithm. Claim verification is deliberately disabled inside Nimbus because
 * Spring Security validates the claim set itself.
 *
 * @return the configured {@link JWTProcessor}
 */
public JWTProcessor<SecurityContext> build() {
    // Remote JWKS, fetched via RestOperations rather than Nimbus's own HTTP client.
    ResourceRetriever retriever = new RestOperationsResourceRetriever(this.restOperations);
    JWKSource<SecurityContext> keySource = new RemoteJWKSet<>(toURL(this.jwkSetUri), retriever);
    JWSKeySelector<SecurityContext> keySelector =
            new JWSVerificationKeySelector<>(this.jwsAlgorithm, keySource);
    ConfigurableJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
    processor.setJWSKeySelector(keySelector);
    // Spring Security validates the claim set independent from Nimbus, so the
    // Nimbus-side verifier is a no-op.
    processor.setJWTClaimsSetVerifier((claims, context) -> {
    });
    return processor;
}
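/**
 * Resolve the {@code JWKSource} used to verify tokens, in priority order: a
 * classpath JWK Set resource, then a remote JWKS URL, then a JWK Set file.
 *
 * <p>The classpath and file variants are loaded once into an immutable set; the
 * URL variant is a {@code RemoteJWKSet} that fetches keys from the endpoint.
 *
 * @return the resolved key source
 * @throws IOException if the classpath resource is missing or cannot be read,
 *         the URL is malformed, or the file cannot be read
 * @throws ParseException if the JWK Set content is not a valid JWK Set
 * @throws IllegalStateException if none of the three sources is configured
 */
private JWKSource<SecurityContext> lookupJWKSource() throws IOException, ParseException {
    String jwkResource = jwtConfiguration.getJwkResource();
    if (jwkResource != null && !jwkResource.isEmpty()) {
        URL resource = DefaultValidatingJWTProcessor.class.getResource(jwkResource);
        if (resource == null) {
            // getResource() returns null for a missing resource; fail with a clear
            // message instead of a NullPointerException on openStream().
            throw new IOException("JWK resource not found on the classpath: " + jwkResource);
        }
        try (InputStream stream = resource.openStream()) {
            // A JWK Set is JSON, hence UTF-8; never depend on the platform default charset.
            String json = com.nimbusds.jose.util.IOUtils.readInputStreamToString(stream,
                    java.nio.charset.StandardCharsets.UTF_8);
            return new ImmutableJWKSet<>(JWKSet.parse(json));
        }
    }
    String jwkSourceUrl = jwtConfiguration.getJwkSourceUrl();
    if (jwkSourceUrl != null && !jwkSourceUrl.isEmpty()) {
        return new RemoteJWKSet<>(new URL(jwkSourceUrl));
    }
    String jwkSourceFile = jwtConfiguration.getJwkSourceFile();
    if (jwkSourceFile == null || jwkSourceFile.isEmpty()) {
        throw new IllegalStateException(
                "No JWK source configured: set a JWK resource, a JWK source URL or a JWK source file");
    }
    return new ImmutableJWKSet<>(JWKSet.load(new File(jwkSourceFile)));
}
}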
JWKSet jwkSet = jwkSetCache.get(); if (jwkSet == null) { jwkSet = updateJWKSetFromURL(); String soughtKeyID = getFirstSpecifiedKeyID(jwkSelector.getMatcher()); if (soughtKeyID == null) { jwkSet = updateJWKSetFromURL(); if (jwkSet == null) {
/**
 * Returns the secret.
 *
 * <p>The secret is the first key of the underlying JWK set, which is expected to
 * be an {@code OctetSequenceKey}.
 *
 * @return The secret.
 */
public byte[] getSecret() {
    OctetSequenceKey secretKey = (OctetSequenceKey) getJWKSet().getKeys().get(0);
    return secretKey.toByteArray();
}
/**
 * Returns the cached JWK set, dropping it first if it has expired.
 *
 * @return The cached JWK set, {@code null} if none is cached or the cached set
 *         has expired.
 */
@Override
public JWKSet get() {
    if (!isExpired()) {
        return jwkSet;
    }
    // Expired: forget the stale set so callers are forced to refresh it.
    jwkSet = null;
    return null;
}
/**
 * Returns the cached JWK set.
 *
 * <p>Delegates to the configured cache; the cache decides whether a stored set is
 * still valid.
 *
 * @return The cached JWK set, {@code null} if none or expired.
 */
public JWKSet getCachedJWKSet() {
    JWKSet cached = jwkSetCache.get();
    return cached;
}
this.jwkSetCache = jwkSetCache; } else { this.jwkSetCache = new DefaultJWKSetCache();
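/**
 * Creates a JWE service using direct encryption ({@code dir} / {@code A128CBC-HS256})
 * with the given shared secret.
 *
 * <p>The secret string is converted to key bytes as UTF-8 rather than with the
 * platform default charset, so the derived key is identical on every platform.
 * The same bytes back both the encrypter and the decryption key selector of the
 * JWT processor.
 *
 * @param secret shared secret; its UTF-8 byte length must be acceptable to
 *               {@code DirectEncrypter} for {@code A128CBC-HS256}
 * @throws KeyLengthException if the secret has an unsuitable length for the cipher
 */
public LemonJweService(String secret) throws KeyLengthException {
    // Explicit charset: key material must not depend on the JVM's default encoding.
    byte[] secretKey = secret.getBytes(java.nio.charset.StandardCharsets.UTF_8);
    encrypter = new DirectEncrypter(secretKey);
    jwtProcessor = new DefaultJWTProcessor<>();
    // The JWE key source: the same secret serves as the decryption key.
    JWKSource<SimpleSecurityContext> jweKeySource = new ImmutableSecret<>(secretKey);
    // Key selector for the decryption phase: only dir + A128CBC-HS256 is accepted.
    JWEKeySelector<SimpleSecurityContext> jweKeySelector = new JWEDecryptionKeySelector<>(
            JWEAlgorithm.DIR, EncryptionMethod.A128CBC_HS256, jweKeySource);
    jwtProcessor.setJWEKeySelector(jweKeySelector);
}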
/**
 * Builds a {@code RemoteJWKSet} from the JWKS URL stored under {@code key} in the
 * given JSON object, using this instance's resource retriever for the fetch.
 *
 * @param jsonObject metadata document to read the URL from
 * @param key        name of the entry holding the JWKS URL
 * @return the remote key source, or {@code null} if the entry is absent
 * @throws IllegalStateException if the entry is present but is not a valid URL
 */
private RemoteJWKSet<SecurityContext> makeJwkSource(JSONObject jsonObject, String key) {
    Object jwksUrl = jsonObject.get(key);
    if (jwksUrl == null) {
        return null;
    }
    try {
        URL url = new URL(jwksUrl.toString());
        return new RemoteJWKSet<>(url, resourceRetriever);
    }
    catch (MalformedURLException e) {
        throw new IllegalStateException(e);
    }
}
}
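/**
 * Creates a decoder that verifies RS256-signed JWTs against the single supplied
 * RSA public key.
 *
 * <p>The key is wrapped in an immutable single-entry JWK set, so only this key can
 * ever be selected for verification, and only for RS256. The Nimbus claims
 * verifier is set to a no-op, so expiry and other claim checks must happen
 * outside the Nimbus processor.
 *
 * @param publicKey the RSA public key used to verify token signatures
 */
public NimbusReactiveJwtDecoder(RSAPublicKey publicKey) {
    JWSAlgorithm algorithm = JWSAlgorithm.parse(JwsAlgorithms.RS256);
    RSAKey rsaKey = rsaKey(publicKey);
    JWKSet jwkSet = new JWKSet(rsaKey);
    // Typed rather than raw: the selector below is JWKContext-typed, so the
    // source and processor are declared with the same context type.
    JWKSource<JWKContext> jwkSource = new ImmutableJWKSet<>(jwkSet);
    JWSKeySelector<JWKContext> jwsKeySelector = new JWSVerificationKeySelector<>(algorithm, jwkSource);
    DefaultJWTProcessor<JWKContext> jwtProcessor = new DefaultJWTProcessor<>();
    jwtProcessor.setJWSKeySelector(jwsKeySelector);
    // No Nimbus-side claim validation; claims are checked elsewhere.
    jwtProcessor.setJWTClaimsSetVerifier((claims, context) -> {});
    this.jwtProcessor = jwtProcessor;
    this.reactiveJwkSource = new ReactiveJWKSourceAdapter(jwkSource);
    this.jwkSelectorFactory = new JWKSelectorFactory(algorithm);
}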
/**
 * Bridges the blocking Nimbus {@code JWKSource} lookup into a reactive {@code Mono}.
 *
 * <p>{@code Mono.fromCallable} defers the lookup until subscription, so the blocking
 * call runs lazily, once per subscriber, rather than when this method is invoked.
 * The lookup is made with a {@code null} security context, i.e. no
 * context-dependent key selection is applied by the wrapped source.
 *
 * @param jwkSelector selector describing which keys to return
 * @return a {@code Mono} emitting the keys the wrapped source matched for the selector
 */
@Override
public Mono<List<JWK>> get(JWKSelector jwkSelector) {
    return Mono.fromCallable(() -> {
        // Blocking call into the wrapped source; executed per subscription.
        return source.get(jwkSelector, null);
    });
}
}
/**
 * Returns the secret key.
 *
 * <p>The key is the first entry of the underlying JWK set, which is expected to
 * be an {@code OctetSequenceKey}.
 *
 * @return The secret key.
 */
public SecretKey getSecretKey() {
    OctetSequenceKey octetKey = (OctetSequenceKey) getJWKSet().getKeys().get(0);
    return octetKey.toSecretKey();
}
}
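/**
 * Creates the resource-server descriptor and, when a JWKS URL is configured,
 * eagerly builds the {@code RemoteJWKSet} used to fetch its signing keys.
 *
 * <p>At least one of the metadata endpoint URL or the JWKS URL must be present;
 * only the JWKS URL is turned into a key source here.
 *
 * @param resourceRetriever retriever used for the JWKS fetch; must not be {@code null}
 * @param resourceServer    resource-server settings; must not be {@code null} and must
 *                          carry a metadata endpoint URL or a JWKS URL
 * @throws IllegalArgumentException if either argument is {@code null} or neither URL is set
 * @throws IllegalStateException if the configured JWKS URL is not a valid URL
 */
public ResourceServerInfo(final ResourceRetriever resourceRetriever, final ResourceServer resourceServer) {
    // Must come first: the URL checks below dereference resourceServer.
    if (resourceServer == null) {
        throw new IllegalArgumentException("The resourceServer must not be null");
    }
    if (resourceServer.getEndpointUrl() == null && resourceServer.getJwksUrl() == null) {
        throw new IllegalArgumentException("Either meta data URL or jwks_url must not be null");
    }
    if (resourceRetriever == null) {
        throw new IllegalArgumentException("The resourceRetriever must not be null");
    }
    this.resourceRetriever = resourceRetriever;
    this.resourceServer = resourceServer;
    String jwksUrl = resourceServer.getJwksUrl();
    if (jwksUrl != null) {
        try {
            jwkSource = new RemoteJWKSet<>(new URL(jwksUrl), resourceRetriever);
        } catch (MalformedURLException e) {
            throw new IllegalStateException(e);
        }
    }
}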
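/**
 * Creates a decoder that verifies RS256-signed JWTs against the single supplied
 * RSA public key.
 *
 * <p>The key is wrapped in an immutable single-entry JWK set, so only this key can
 * ever be selected for verification, and only for RS256. The Nimbus claims
 * verifier is set to a no-op, so expiry and other claim checks must happen
 * outside the Nimbus processor.
 *
 * @param publicKey the RSA public key used to verify token signatures
 */
public NimbusReactiveJwtDecoder(RSAPublicKey publicKey) {
    JWSAlgorithm algorithm = JWSAlgorithm.parse(JwsAlgorithms.RS256);
    RSAKey rsaKey = rsaKey(publicKey);
    JWKSet jwkSet = new JWKSet(rsaKey);
    // Typed rather than raw: the selector below is JWKContext-typed, so the
    // source and processor are declared with the same context type.
    JWKSource<JWKContext> jwkSource = new ImmutableJWKSet<>(jwkSet);
    JWSKeySelector<JWKContext> jwsKeySelector = new JWSVerificationKeySelector<>(algorithm, jwkSource);
    DefaultJWTProcessor<JWKContext> jwtProcessor = new DefaultJWTProcessor<>();
    jwtProcessor.setJWSKeySelector(jwsKeySelector);
    // No Nimbus-side claim validation; claims are checked elsewhere.
    jwtProcessor.setJWTClaimsSetVerifier((claims, context) -> {});
    this.jwtProcessor = jwtProcessor;
    this.reactiveJwkSource = new ReactiveJWKSourceAdapter(jwkSource);
    this.jwkSelectorFactory = new JWKSelectorFactory(algorithm);
}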
/**
 * Create a new {@link UserPrincipalManager} based on the
 * {@link ServiceEndpoints#getAadKeyDiscoveryUri()} of the environment selected by
 * {@link AADAuthenticationProperties#getEnvironment()}.
 *
 * <p>The key discovery URI becomes the {@link RemoteJWKSet} this manager verifies
 * tokens against; a URI that does not parse is a configuration error and is
 * logged before being rethrown.
 *
 * @param serviceEndpointsProps - used to retrieve the JWKS URL
 * @param aadAuthProps - used to retrieve the environment.
 * @param resourceRetriever - configures the {@link RemoteJWKSet} call.
 * @throws IllegalStateException if the key discovery URI is not a valid URL
 */
public UserPrincipalManager(ServiceEndpointsProperties serviceEndpointsProps,
                            AADAuthenticationProperties aadAuthProps,
                            ResourceRetriever resourceRetriever) {
    String environment = aadAuthProps.getEnvironment();
    String keyDiscoveryUri = serviceEndpointsProps.getServiceEndpoints(environment).getAadKeyDiscoveryUri();
    try {
        keySource = new RemoteJWKSet<>(new URL(keyDiscoveryUri), resourceRetriever);
    } catch (MalformedURLException e) {
        log.error("Failed to parse active directory key discovery uri.", e);
        throw new IllegalStateException("Failed to parse active directory key discovery uri.", e);
    }
}
/**
 * Create a new {@link UserPrincipalManager} based on the
 * {@link ServiceEndpoints#getAadKeyDiscoveryUri()} of the environment selected by
 * {@link AADAuthenticationProperties#getEnvironment()}.
 *
 * <p>The key discovery URI becomes the {@link RemoteJWKSet} this manager verifies
 * tokens against; a URI that does not parse is a configuration error and is
 * logged before being rethrown.
 *
 * @param serviceEndpointsProps - used to retrieve the JWKS URL
 * @param aadAuthProps - used to retrieve the environment.
 * @param resourceRetriever - configures the {@link RemoteJWKSet} call.
 * @throws IllegalStateException if the key discovery URI is not a valid URL
 */
public UserPrincipalManager(ServiceEndpointsProperties serviceEndpointsProps,
                            AADAuthenticationProperties aadAuthProps,
                            ResourceRetriever resourceRetriever) {
    String environment = aadAuthProps.getEnvironment();
    String keyDiscoveryUri = serviceEndpointsProps.getServiceEndpoints(environment).getAadKeyDiscoveryUri();
    try {
        keySource = new RemoteJWKSet<>(new URL(keyDiscoveryUri), resourceRetriever);
    } catch (MalformedURLException e) {
        log.error("Failed to parse active directory key discovery uri.", e);
        throw new IllegalStateException("Failed to parse active directory key discovery uri.", e);
    }
}
/**
 * Retrieve JWKS from jwks_uri.
 *
 * <p>Connection timeout, read timeout and response size limit for the fetch are
 * read from the HTTP connection configuration; a value that is missing or
 * non-positive falls back to its default (the size limit to Nimbus's
 * {@code RemoteJWKSet.DEFAULT_HTTP_SIZE_LIMIT}).
 *
 * @param jwksUri Identity provider's jwks_uri.
 * @return RemoteJWKSet backed by a retriever configured with the resolved limits
 * @throws MalformedURLException for invalid URL.
 */
private RemoteJWKSet<SecurityContext> retrieveJWKSFromJWKSEndpoint(String jwksUri) throws MalformedURLException {
    int configuredConnectionTimeout = readHTTPConnectionConfigValue(HTTP_CONNECTION_TIMEOUT_XPATH);
    int configuredReadTimeout = readHTTPConnectionConfigValue(HTTP_READ_TIMEOUT_XPATH);
    int configuredSizeLimit = readHTTPConnectionConfigValue(HTTP_SIZE_LIMIT_XPATH);

    // Non-positive values are treated as "not configured" and replaced by the defaults.
    int connectionTimeout = configuredConnectionTimeout > 0
            ? configuredConnectionTimeout : DEFAULT_HTTP_CONNECTION_TIMEOUT;
    int readTimeout = configuredReadTimeout > 0
            ? configuredReadTimeout : DEFAULT_HTTP_READ_TIMEOUT;
    int sizeLimit = configuredSizeLimit > 0
            ? configuredSizeLimit : RemoteJWKSet.DEFAULT_HTTP_SIZE_LIMIT;

    DefaultResourceRetriever retriever =
            new DefaultResourceRetriever(connectionTimeout, readTimeout, sizeLimit);
    return new RemoteJWKSet<>(new URL(jwksUri), retriever);
}
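/**
 * Creates the Nimbus {@code ConfigurableJWTProcessor} that verifies RS256
 * signatures against keys fetched from the configured JWK Set URL.
 *
 * <p>The retriever is given the configured connect/read timeouts and, in addition,
 * Nimbus's default JWKS response size limit: the two-argument
 * {@code DefaultResourceRetriever} constructor sets no size limit, which would let
 * an oversized response from the JWKS endpoint be read in full. The claims
 * verifier is not configured here and stays at the Nimbus default.
 *
 * @return the processor, with an RS256 JWS key selector installed
 * @throws MalformedURLException if the configured JWK URL is not a valid URL
 */
@Bean
public ConfigurableJWTProcessor configurableJWTProcessor() throws MalformedURLException {
    // Bound the JWKS download size as well as the timeouts; the 2-arg constructor leaves it unlimited.
    ResourceRetriever resourceRetriever = new DefaultResourceRetriever(
            jwtConfiguration.getConnectionTimeout(),
            jwtConfiguration.getReadTimeout(),
            RemoteJWKSet.DEFAULT_HTTP_SIZE_LIMIT);
    URL jwkSetURL = new URL(jwtConfiguration.getJwkUrl());
    JWKSource keySource = new RemoteJWKSet(jwkSetURL, resourceRetriever);
    ConfigurableJWTProcessor jwtProcessor = new DefaultJWTProcessor();
    // Only RS256-signed tokens can be verified through this selector.
    JWSKeySelector keySelector = new JWSVerificationKeySelector(RS256, keySource);
    jwtProcessor.setJWSKeySelector(keySelector);
    return jwtProcessor;
}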