From serg...@apache.org
Subject cxf git commit: [CXF-6487] Basic self-issued token validation
Date Tue, 28 Jul 2015 11:00:02 GMT
Repository: cxf
Updated Branches:
  refs/heads/master f8f93728f -> 52c003020


[CXF-6487] Basic self-issued token validation


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/52c00302
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/52c00302
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/52c00302

Branch: refs/heads/master
Commit: 52c00302023640f8b81afeb43057c28fbb47fa2d
Parents: f8f9372
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Tue Jul 28 13:59:45 2015 +0300
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Tue Jul 28 13:59:45 2015 +0300

----------------------------------------------------------------------
 .../oidc/rp/AbstractTokenValidator.java         | 46 +++++++++++++-------
 1 file changed, 31 insertions(+), 15 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/52c00302/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
index 84d7650..619bd10 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
@@ -26,6 +26,7 @@ import org.apache.cxf.rs.security.jose.jwe.JweJwtCompactConsumer;
 import org.apache.cxf.rs.security.jose.jwe.JweUtils;
 import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
 import org.apache.cxf.rs.security.jose.jwk.JsonWebKeys;
+import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
 import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
 import org.apache.cxf.rs.security.jose.jws.JwsUtils;
@@ -132,24 +133,39 @@ public abstract class AbstractTokenValidator {
             return theJwsVerifier;
         }
         
-        String keyId = jwt.getHeaders().getKeyId();
-        JsonWebKey key = keyId != null ? keyMap.get(keyId) : null;
-        if (key == null) {
-            //TODO: check self-issued JWK 
-            if (jwkSetClient == null) {
-                throw new SecurityException("Provider Jwk Set Client is not available");
+        JsonWebKey key = null;
+        if (supportSelfIssuedProvider && SELF_ISSUED_ISSUER.equals(jwt.getClaim("issuer")))
{
+            String publicKeyJson = (String)jwt.getClaim("sub_jwk");
+            if (publicKeyJson != null) {
+                JsonWebKey publicKey = JwkUtils.readJwkKey(publicKeyJson);
+                String thumbprint = JwkUtils.getThumbprint(publicKey);
+                if (thumbprint.equals(jwt.getClaim("sub"))) {
+                    key = publicKey;
+                }
             }
-            JsonWebKeys keys = jwkSetClient.get(JsonWebKeys.class);
-            if (keyId != null) {
-                key = keys.getKey(keyId);
-            } else if (keys.getKeys().size() == 1) {
-                key = keys.getKeys().get(0);
+            if (key == null) {
+                throw new SecurityException("Self-issued JWK key is invalid or not available");
+            }
+        } else {
+            String keyId = jwt.getHeaders().getKeyId();
+            key = keyId != null ? keyMap.get(keyId) : null;
+            if (key == null) {
+                if (jwkSetClient == null) {
+                    throw new SecurityException("Provider Jwk Set Client is not available");
+                }
+                JsonWebKeys keys = jwkSetClient.get(JsonWebKeys.class);
+                if (keyId != null) {
+                    key = keys.getKey(keyId);
+                } else if (keys.getKeys().size() == 1) {
+                    key = keys.getKeys().get(0);
+                }
+                keyMap.putAll(keys.getKeyIdMap());
+            }
+            if (key == null) {
+                throw new SecurityException("JWK key with the key id: \"" + keyId + "\" is
not available");
             }
-            keyMap.putAll(keys.getKeyIdMap());
-        }
-        if (key == null) {
-            throw new SecurityException("JWK key with the key id: \"" + keyId + "\" is not
available");
         }
+        
         theJwsVerifier = JwsUtils.getSignatureVerifier(key);
         
         if (theJwsVerifier == null) {
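Review bot: The self-issued branch is selected by `SELF_ISSUED_ISSUER.equals(jwt.getClaim("issuer"))`, but the registered JWT issuer claim is named `iss` (RFC 7519 §4.1.1), so unless this JwtClaims maps `"issuer"` onto it the comparison is always false and a self-issued token falls into the key-id/JWK-set path below, where it is rejected with "JWK key with the key id ... is not available" instead of being validated. Reading the issuer through `jwt.getIssuer()` (if JwtClaims offers it) or the project's `iss` claim constant would pin the intended claim and is worth a unit test with a token whose issuer is the self-issued value. Inside the branch, `sub_jwk` and `sub` are taken from a token whose signature has not yet been verified, so a malformed or non-string `sub_jwk` makes the `(String)` cast, `JwkUtils.readJwkKey` or `JwkUtils.getThumbprint` fail with a parser or cast exception rather than the `SecurityException` every other failure in this method throws; wrapping those three lines in a try/catch that rethrows `new SecurityException("Self-issued JWK key is invalid or not available", e)` keeps the failure mode uniform, and since OIDC Core describes `sub_jwk` as a JSON object rather than a string, how the claims parser represents it should be confirmed before relying on the cast. The enclosing validation method starts before and continues past this hunk.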

