org.xdi.oxauth.model.token.ClientAssertion 連携図

公開メンバ関数
	ClientAssertion (AppConfiguration appConfiguration, String clientId, ClientAssertionType clientAssertionType, String encodedAssertion) throws InvalidJwtException

String	getSubjectIdentifier ()

String	getClientSecret ()

非公開メンバ関数
boolean	load (AppConfiguration appConfiguration, String clientId, ClientAssertionType clientAssertionType, String encodedAssertion) throws Exception

非公開変数類
Jwt	jwt

String	clientSecret

詳解

著者: Javier Rojas Blum

バージョン: August 28, 2017

構築子と解体子

◆ ClientAssertion()

org.xdi.oxauth.model.token.ClientAssertion.ClientAssertion	(	AppConfiguration	appConfiguration,
		String	clientId,
		ClientAssertionType	clientAssertionType,
		String	encodedAssertion
	)		throws InvalidJwtException

inline

                                        {
         try {
             if (!load(appConfiguration, clientId, clientAssertionType, encodedAssertion)) {
                 throw new InvalidJwtException("Cannot load the JWT");
             }
         } catch (StringEncrypter.EncryptionException e) {
             throw new InvalidJwtException(e.getMessage(), e);
         } catch (Exception e) {
             throw new InvalidJwtException("Cannot verify the JWT", e);
         }
     }

関数詳解

◆ getClientSecret()

String org.xdi.oxauth.model.token.ClientAssertion.getClientSecret ( )

inline

                                     {
         return clientSecret;
     }

◆ getSubjectIdentifier()

String org.xdi.oxauth.model.token.ClientAssertion.getSubjectIdentifier ( )

inline

                                          {
         return jwt.getClaims().getClaimAsString(JwtClaimName.SUBJECT_IDENTIFIER);
     }

◆ load()

boolean org.xdi.oxauth.model.token.ClientAssertion.load	(	AppConfiguration	appConfiguration,
		String	clientId,
		ClientAssertionType	clientAssertionType,
		String	encodedAssertion
	)		throws Exception

inlineprivate

                              {
         boolean result;
 
         if (clientAssertionType == ClientAssertionType.JWT_BEARER) {
             if (StringUtils.isNotBlank(encodedAssertion)) {
                 jwt = Jwt.parse(encodedAssertion);
 
                 // TODO: Store jti this value to check for duplicates
 
                 // Validate clientId
                 String issuer = jwt.getClaims().getClaimAsString(JwtClaimName.ISSUER);
                 String subject = jwt.getClaims().getClaimAsString(JwtClaimName.SUBJECT_IDENTIFIER);
                 List<String> audience = jwt.getClaims().getClaimAsStringList(JwtClaimName.AUDIENCE);
                 Date expirationTime = jwt.getClaims().getClaimAsDate(JwtClaimName.EXPIRATION_TIME);
                 //SignatureAlgorithm algorithm = SignatureAlgorithm.fromName(jwt.getHeader().getClaimAsString(JwtHeaderName.ALGORITHM));
                 if ((clientId == null && StringUtils.isNotBlank(issuer) && StringUtils.isNotBlank(subject) && issuer.equals(subject))
                         || (StringUtils.isNotBlank(clientId) && StringUtils.isNotBlank(issuer)
                         && StringUtils.isNotBlank(subject) && clientId.equals(issuer) && issuer.equals(subject))) {
 
                     // Validate audience
                     String tokenUrl = appConfiguration.getTokenEndpoint();
                     if (audience != null && audience.contains(tokenUrl)) {
 
                         // Validate expiration
                         if (expirationTime.after(new Date())) {
                             ClientService clientService = CdiUtil.bean(ClientService.class);
                             Client client = clientService.getClient(subject);
 
                             // Validate client
                             if (client != null) {
                                 JwtType jwtType = JwtType.fromString(jwt.getHeader().getClaimAsString(JwtHeaderName.TYPE));
                                 AuthenticationMethod authenticationMethod = client.getAuthenticationMethod();
                                 SignatureAlgorithm signatureAlgorithm = jwt.getHeader().getAlgorithm();
 
                                 if (jwtType == null && signatureAlgorithm != null) {
                                     jwtType = signatureAlgorithm.getJwtType();
                                 }
 
                                 if (jwtType != null && signatureAlgorithm != null && signatureAlgorithm.getFamily() != null &&
                                         ((authenticationMethod == AuthenticationMethod.CLIENT_SECRET_JWT && SignatureAlgorithmFamily.HMAC.equals(signatureAlgorithm.getFamily()))
                                                 || (authenticationMethod == AuthenticationMethod.PRIVATE_KEY_JWT && (SignatureAlgorithmFamily.RSA.equals(signatureAlgorithm.getFamily()) || SignatureAlgorithmFamily.EC.equals(signatureAlgorithm.getFamily()))))) {
                                     if (client.getTokenEndpointAuthSigningAlg() == null || SignatureAlgorithm.fromString(client.getTokenEndpointAuthSigningAlg()).equals(signatureAlgorithm)) {
                                         clientSecret = clientService.decryptSecret(client.getClientSecret());
 
                                         // Validate the crypto segment
                                         String keyId = jwt.getHeader().getKeyId();
                                         JSONObject jwks = Strings.isNullOrEmpty(client.getJwks()) ?
                                                 JwtUtil.getJSONWebKeys(client.getJwksUri()) :
                                                 new JSONObject(client.getJwks());
                                         String sharedSecret = clientService.decryptSecret(client.getClientSecret());
                                         AbstractCryptoProvider cryptoProvider = CryptoProviderFactory.getCryptoProvider(
                                                 appConfiguration);
                                         boolean validSignature = cryptoProvider.verifySignature(jwt.getSigningInput(), jwt.getEncodedSignature(),
                                                 keyId, jwks, sharedSecret, signatureAlgorithm);
 
                                         if (validSignature) {
                                             result = true;
                                         } else {
                                             throw new InvalidJwtException("Invalid cryptographic segment");
                                         }
                                     } else {
                                         throw new InvalidJwtException("Invalid signing algorithm");
                                     }
                                 } else {
                                     throw new InvalidJwtException("Invalid authentication method");
                                 }
                             } else {
                                 throw new InvalidJwtException("Invalid client");
                             }
                         } else {
                             throw new InvalidJwtException("JWT has expired");
                         }
                     } else {
                         throw new InvalidJwtException("Invalid audience: " + audience + ", tokenUrl: " + tokenUrl);
                     }
                 } else {
                     throw new InvalidJwtException("Invalid clientId");
                 }
             } else {
                 throw new InvalidJwtException("The Client Assertion is null or empty");
             }
         } else {
             throw new InvalidJwtException("Invalid Client Assertion Type");
         }
 
         return result;
     }

メンバ詳解

◆ clientSecret

String org.xdi.oxauth.model.token.ClientAssertion.clientSecret

private

◆ jwt

Jwt org.xdi.oxauth.model.token.ClientAssertion.jwt

private

このクラス詳解は次のファイルから抽出されました:

D:/AppData/OpenId/gluu/src/oxAuth/Server/src/main/java/org/xdi/oxauth/model/token/ClientAssertion.java

公開メンバ関数

非公開メンバ関数

非公開変数類

詳解

構築子と解体子

◆ ClientAssertion()

関数詳解

◆ getClientSecret()

◆ getSubjectIdentifier()

◆ load()

メンバ詳解

◆ clientSecret

◆ jwt