org.mitre.openid.connect.assertion.JWTBearerAuthenticationProvider クラス
org.mitre.openid.connect.assertion.JWTBearerAuthenticationProvider の継承関係図
org.mitre.openid.connect.assertion.JWTBearerAuthenticationProvider 連携図

公開メンバ関数

Authentication authenticate (Authentication authentication) throws AuthenticationException
 
boolean supports (Class<?> authentication)
 

非公開変数類

ClientKeyCacheService validators
 
int timeSkewAllowance = 300
 
ClientDetailsEntityService clientService
 
ConfigurationPropertiesBean config
 

静的非公開変数類

static final Logger logger = LoggerFactory.getLogger(JWTBearerAuthenticationProvider.class)
 
static final GrantedAuthority ROLE_CLIENT = new SimpleGrantedAuthority("ROLE_CLIENT")
 

詳解

著者
jricher

関数詳解

◆ authenticate()

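/**
 * Validates a client's JWT bearer assertion and, on success, returns an
 * authenticated token carrying the client's authorities plus {@code ROLE_CLIENT}.
 *
 * <p>The assertion must be a signed JWT ({@link SignedJWT}); an unsigned or
 * otherwise-typed JWT is rejected before any claim is inspected. The JWS
 * algorithm must be permitted for the client's registered token endpoint auth
 * method (and must equal the registered signing algorithm, when one is set),
 * and the signature must verify with the validator obtained from
 * {@code validators}. The {@code iss}, {@code exp}, {@code nbf}, {@code iat}
 * and {@code aud} claims are then checked against the client and this server's
 * issuer, allowing {@code timeSkewAllowance} seconds of clock skew.
 *
 * @param authentication a {@link JWTBearerAssertionAuthenticationToken} whose
 *        name is the client id and whose JWT is the client assertion
 * @return a new {@link JWTBearerAssertionAuthenticationToken} built from the
 *         verified JWT and the client's authorities plus {@code ROLE_CLIENT}
 * @throws UsernameNotFoundException if the client cannot be loaded
 * @throws AuthenticationServiceException if the assertion fails any check or
 *         its claims cannot be parsed
 */
public Authentication authenticate(Authentication authentication) throws AuthenticationException {

    JWTBearerAssertionAuthenticationToken jwtAuth = (JWTBearerAssertionAuthenticationToken) authentication;

    try {
        ClientDetailsEntity client = clientService.loadClientByClientId(jwtAuth.getName());

        JWT jwt = jwtAuth.getJwt();
        JWTClaimsSet jwtClaims = jwt.getJWTClaimsSet();

        // A client assertion proves possession of the client's key only if it is
        // signed; a plain (unsigned) JWT must never reach the claim checks below.
        if (!(jwt instanceof SignedJWT)) {
            throw new AuthenticationServiceException("Assertion Token is not a signed JWT");
        }
        verifySignature(client, (SignedJWT) jwt);
        verifyClaims(client, jwtClaims);

        // IFF we managed to get all the way down here, the token is valid

        // add in the ROLE_CLIENT authority
        Set<GrantedAuthority> authorities = new HashSet<>(client.getAuthorities());
        authorities.add(ROLE_CLIENT);

        return new JWTBearerAssertionAuthenticationToken(jwt, authorities);

    } catch (InvalidClientException e) {
        // keep the cause: this path also covers a signing-algorithm mismatch, not only an unknown client
        throw new UsernameNotFoundException("Could not find client: " + jwtAuth.getName(), e);
    } catch (ParseException e) {
        logger.error("Failure during authentication, error was: ", e);
        throw new AuthenticationServiceException("Invalid JWT format", e);
    }
}

/**
 * Checks that {@code jws} uses an algorithm the client is registered for and
 * that its signature verifies against the client's validator.
 *
 * @param client the client the assertion claims to come from
 * @param jws the signed assertion
 * @throws InvalidClientException if the client registered a token endpoint
 *         signing algorithm and the assertion uses a different one
 * @throws AuthenticationServiceException if the auth method or algorithm is not
 *         acceptable, no validator is available, or the signature is invalid
 */
private void verifySignature(ClientDetailsEntity client, SignedJWT jws) {
    JWSAlgorithm alg = jws.getHeader().getAlgorithm();
    AuthMethod method = client.getTokenEndpointAuthMethod();

    // the registered signing algorithm, when present, pins the exact JWS alg
    if (client.getTokenEndpointAuthSigningAlg() != null
            && !client.getTokenEndpointAuthSigningAlg().equals(alg)) {
        throw new InvalidClientException("Client's registered token endpoint signing algorithm ("
                + client.getTokenEndpointAuthSigningAlg()
                + ") does not match the assertion's actual algorithm (" + alg.getName() + ")");
    }

    if (method == null
            || method.equals(AuthMethod.NONE)
            || method.equals(AuthMethod.SECRET_BASIC)
            || method.equals(AuthMethod.SECRET_POST)) {
        // this client is not registered for JWT-based client authentication
        throw new AuthenticationServiceException("Client does not support this authentication method.");
    }

    if (!isAllowedAlgorithm(method, alg)) {
        throw new AuthenticationServiceException("Unable to create signature validator for method "
                + method + " and algorithm " + alg);
    }

    // double-check the method is asymmetrical if we're in HEART mode
    if (config.isHeartMode() && !method.equals(AuthMethod.PRIVATE_KEY)) {
        throw new AuthenticationServiceException("[HEART mode] Invalid authentication method");
    }

    JWTSigningAndValidationService validator = validators.getValidator(client, alg);

    if (validator == null) {
        // identify the client by id only; do not serialise the whole entity into an error message
        throw new AuthenticationServiceException("Unable to create signature validator for client "
                + client.getClientId() + " and algorithm " + alg);
    }

    if (!validator.validateSignature(jws)) {
        throw new AuthenticationServiceException("Signature did not validate for presented JWT authentication.");
    }
}

/**
 * Reports whether {@code alg} is permitted for {@code method}: the asymmetric
 * RS/ES/PS algorithms for {@code PRIVATE_KEY}, the HMAC HS algorithms for
 * {@code SECRET_JWT}, nothing for any other method.
 *
 * @param method the client's non-null token endpoint auth method
 * @param alg the JWS algorithm of the presented assertion
 * @return {@code true} if the pair is acceptable
 */
private static boolean isAllowedAlgorithm(AuthMethod method, JWSAlgorithm alg) {
    if (method.equals(AuthMethod.PRIVATE_KEY)) {
        return alg.equals(JWSAlgorithm.RS256)
                || alg.equals(JWSAlgorithm.RS384)
                || alg.equals(JWSAlgorithm.RS512)
                || alg.equals(JWSAlgorithm.ES256)
                || alg.equals(JWSAlgorithm.ES384)
                || alg.equals(JWSAlgorithm.ES512)
                || alg.equals(JWSAlgorithm.PS256)
                || alg.equals(JWSAlgorithm.PS384)
                || alg.equals(JWSAlgorithm.PS512);
    }
    if (method.equals(AuthMethod.SECRET_JWT)) {
        return alg.equals(JWSAlgorithm.HS256)
                || alg.equals(JWSAlgorithm.HS384)
                || alg.equals(JWSAlgorithm.HS512);
    }
    return false;
}

/**
 * Checks the issuer, expiry, not-before, issued-at and audience claims of an
 * assertion whose signature has already been verified.
 *
 * @param client the client the assertion must have been issued by
 * @param jwtClaims the assertion's claims
 * @throws AuthenticationServiceException if any claim is missing or invalid
 */
private void verifyClaims(ClientDetailsEntity client, JWTClaimsSet jwtClaims) {
    // check the issuer: it must be the client id itself
    if (jwtClaims.getIssuer() == null) {
        throw new AuthenticationServiceException("Assertion Token Issuer is null");
    } else if (!jwtClaims.getIssuer().equals(client.getClientId())) {
        throw new AuthenticationServiceException("Issuers do not match, expected "
                + client.getClientId() + " got " + jwtClaims.getIssuer());
    }

    // one clock reading for all time checks; skew is configured in seconds
    long nowMillis = System.currentTimeMillis();
    long skewMillis = timeSkewAllowance * 1000L;

    // check expiration: exp may be up to skew seconds in the past
    if (jwtClaims.getExpirationTime() == null) {
        throw new AuthenticationServiceException("Assertion Token does not have required expiration claim");
    }
    Date earliestAccepted = new Date(nowMillis - skewMillis);
    if (earliestAccepted.after(jwtClaims.getExpirationTime())) {
        throw new AuthenticationServiceException("Assertion Token is expired: " + jwtClaims.getExpirationTime());
    }

    // check not before and issued at: both may be up to skew seconds in the future
    Date latestAccepted = new Date(nowMillis + skewMillis);
    if (jwtClaims.getNotBeforeTime() != null && latestAccepted.before(jwtClaims.getNotBeforeTime())) {
        throw new AuthenticationServiceException("Assertion Token not valid until: " + jwtClaims.getNotBeforeTime());
    }
    if (jwtClaims.getIssueTime() != null && latestAccepted.before(jwtClaims.getIssueTime())) {
        throw new AuthenticationServiceException("Assertion Token was issued in the future: " + jwtClaims.getIssueTime());
    }

    // NOTE(review): the jti claim is not checked here, so replay of an assertion
    // within its validity window is not prevented by this provider — confirm
    // whether that is handled elsewhere.

    // check audience: this server's issuer, or the issuer with "token" appended
    String issuer = config.getIssuer();
    if (jwtClaims.getAudience() == null) {
        throw new AuthenticationServiceException("Assertion token audience is null");
    } else if (!(jwtClaims.getAudience().contains(issuer) || jwtClaims.getAudience().contains(issuer + "token"))) {
        throw new AuthenticationServiceException("Audience does not match, expected " + issuer
                + " or " + (issuer + "token") + " got " + jwtClaims.getAudience());
    }
}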

◆ supports()

/**
 * Reports whether this provider handles the given token type.
 *
 * @param authentication the {@link Authentication} class being offered
 * @return {@code true} only for {@link JWTBearerAssertionAuthenticationToken}
 *         and its subclasses
 */
public boolean supports(Class<?> authentication) {
    Class<?> supported = JWTBearerAssertionAuthenticationToken.class;
    return supported.isAssignableFrom(authentication);
}

メンバ詳解

◆ clientService

ClientDetailsEntityService org.mitre.openid.connect.assertion.JWTBearerAuthenticationProvider.clientService
private

◆ config

ConfigurationPropertiesBean org.mitre.openid.connect.assertion.JWTBearerAuthenticationProvider.config
private

◆ logger

final Logger org.mitre.openid.connect.assertion.JWTBearerAuthenticationProvider.logger = LoggerFactory.getLogger(JWTBearerAuthenticationProvider.class)
staticprivate

Logger for this class

◆ ROLE_CLIENT

final GrantedAuthority org.mitre.openid.connect.assertion.JWTBearerAuthenticationProvider.ROLE_CLIENT = new SimpleGrantedAuthority("ROLE_CLIENT")
staticprivate

◆ timeSkewAllowance

int org.mitre.openid.connect.assertion.JWTBearerAuthenticationProvider.timeSkewAllowance = 300
private

◆ validators

ClientKeyCacheService org.mitre.openid.connect.assertion.JWTBearerAuthenticationProvider.validators
private

このクラス詳解は次のファイルから抽出されました: