cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [2/5] cxf git commit: Split JWT headers into signature and encryption headers
Date Wed, 04 Nov 2015 14:45:25 GMT
Split JWT headers into signature and encryption headers


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/b8895931
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/b8895931
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/b8895931

Branch: refs/heads/master
Commit: b8895931ae59c9baa1b44a3eb4d86904afffa405
Parents: 55f11ca
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Wed Nov 4 12:19:35 2015 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Wed Nov 4 12:19:35 2015 +0000

----------------------------------------------------------------------
 .../jaxrs/JwtAuthenticationClientFilter.java    |  3 --
 .../jose/jaxrs/JwtAuthenticationFilter.java     |  4 +-
 .../jose/jwe/JweJwtCompactProducer.java         |  2 +-
 .../jose/jws/JwsJwtCompactProducer.java         |  3 +-
 .../jose/jwt/AbstractJoseJwtConsumer.java       | 18 +++++----
 .../cxf/rs/security/jose/jwt/JwtToken.java      | 39 ++++++++++++++------
 .../jose/jws/JwsCompactReaderWriterTest.java    | 15 ++++----
 .../grants/jwt/JwtBearerGrantHandler.java       |  2 +-
 .../oidc/rp/AbstractTokenValidator.java         |  2 +-
 .../cxf/rs/security/oidc/utils/OidcUtils.java   |  4 +-
 10 files changed, 53 insertions(+), 39 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/b8895931/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationClientFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationClientFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationClientFilter.java
index 8fd87ab..0319e8b 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationClientFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationClientFilter.java
@@ -32,7 +32,6 @@ import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.phase.PhaseInterceptorChain;
 import org.apache.cxf.rs.security.jose.common.JoseException;
-import org.apache.cxf.rs.security.jose.common.JoseUtils;
 import org.apache.cxf.rs.security.jose.jwe.JweHeaders;
 import org.apache.cxf.rs.security.jose.jwt.AbstractJoseJwtProducer;
 import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
@@ -63,8 +62,6 @@ public class JwtAuthenticationClientFilter extends AbstractJoseJwtProducer
         if (jwt == null) {
             throw new JoseException("JWT token is not available");
         }
-        JoseUtils.setJoseMessageContextProperty(jwt.getHeaders(),
-                                                getContextPropertyValue());
         String data = super.processJwt(jwt);
         requestContext.getHeaders().putSingle(HttpHeaders.AUTHORIZATION, 
                                               authScheme + " " + data);

http://git-wip-us.apache.org/repos/asf/cxf/blob/b8895931/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
index 355bfb3..e52897c 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
@@ -34,7 +34,6 @@ import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.rs.security.jose.common.JoseConstants;
 import org.apache.cxf.rs.security.jose.common.JoseException;
-import org.apache.cxf.rs.security.jose.common.JoseUtils;
 import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
 import org.apache.cxf.rs.security.jose.jwt.AbstractJoseJwtConsumer;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
@@ -60,7 +59,6 @@ public class JwtAuthenticationFilter extends AbstractJoseJwtConsumer implements
             throw new JoseException(expectedAuthScheme + " scheme is expected");
         }
         JwtToken token = super.getJwtToken(parts[1]);
-        JoseUtils.setMessageContextProperty(token.getHeaders());
         
         SecurityContext securityContext = configureSecurityContext(token);
         if (securityContext != null) {
@@ -83,7 +81,7 @@ public class JwtAuthenticationFilter extends AbstractJoseJwtConsumer implements
     
     private boolean isVerifiedWithAPublicKey(JwtToken jwt) {
         if (isJwsRequired()) {
-            String alg = (String)jwt.getHeader(JoseConstants.HEADER_ALGORITHM);
+            String alg = (String)jwt.getJwsHeader(JoseConstants.HEADER_ALGORITHM);
             SignatureAlgorithm sigAlg = SignatureAlgorithm.getAlgorithm(alg);
             return SignatureAlgorithm.isPublicKeyAlgorithm(sigAlg);
         }

http://git-wip-us.apache.org/repos/asf/cxf/blob/b8895931/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJwtCompactProducer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJwtCompactProducer.java
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJwtCompactProducer.java
index f52f9e2..d35cd0a 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJwtCompactProducer.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJwtCompactProducer.java
@@ -32,7 +32,7 @@ public class JweJwtCompactProducer  {
     private JweHeaders headers;
     private String claimsJson;
     public JweJwtCompactProducer(JwtToken token) {
-        this(new JweHeaders(token.getHeaders()), token.getClaims());
+        this(new JweHeaders(token.getJweHeaders()), token.getClaims());
     }
     public JweJwtCompactProducer(JwtClaims claims) {
         this(new JweHeaders(), claims);

http://git-wip-us.apache.org/repos/asf/cxf/blob/b8895931/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactProducer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactProducer.java
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactProducer.java
index 3ac6021..8b73b02 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactProducer.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactProducer.java
@@ -17,6 +17,7 @@
  * under the License.
  */
 package org.apache.cxf.rs.security.jose.jws;
+
 import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
 import org.apache.cxf.rs.security.jose.jwt.JwtTokenReaderWriter;
@@ -35,7 +36,7 @@ public class JwsJwtCompactProducer extends JwsCompactProducer {
         this(new JwtToken(headers, claims), null);
     }
     protected JwsJwtCompactProducer(JwtToken token, JwtTokenReaderWriter w) {
-        super(new JwsHeaders(token.getHeaders()), w, 
+        super(new JwsHeaders(token.getJwsHeaders()), w, 
               JwtUtils.claimsToJson(token.getClaims(), w));
     }
     

http://git-wip-us.apache.org/repos/asf/cxf/blob/b8895931/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtConsumer.java
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtConsumer.java
index daea97b..df482b8 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtConsumer.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtConsumer.java
@@ -19,9 +19,10 @@
 package org.apache.cxf.rs.security.jose.jwt;
 
 import org.apache.cxf.rs.security.jose.common.AbstractJoseConsumer;
+import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
 import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
+import org.apache.cxf.rs.security.jose.jwe.JweHeaders;
 import org.apache.cxf.rs.security.jose.jwe.JweJwtCompactConsumer;
-import org.apache.cxf.rs.security.jose.jws.JwsHeaders;
 import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
 import org.apache.cxf.rs.security.jose.jws.JwsUtils;
@@ -41,6 +42,7 @@ public abstract class AbstractJoseJwtConsumer extends AbstractJoseConsumer
{
             throw new JwtException("Unable to process JWT");
         }
         
+        JweHeaders jweHeaders = new JweHeaders();
         if (isJweRequired()) {
             if (jweDecryptor == null) {
                 jweDecryptor = getInitializedDecryptionProvider();
@@ -52,12 +54,16 @@ public abstract class AbstractJoseJwtConsumer extends AbstractJoseConsumer
{
             if (!isJwsRequired()) {
                 return new JweJwtCompactConsumer(wrappedJwtToken).decryptWith(jweDecryptor);
   
             }
-            wrappedJwtToken = jweDecryptor.decrypt(wrappedJwtToken).getContentText();
+            JweDecryptionOutput decOutput = jweDecryptor.decrypt(wrappedJwtToken);
+            wrappedJwtToken = decOutput.getContentText();
+            jweHeaders = decOutput.getHeaders();
         }
         
-
         JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(wrappedJwtToken);
         JwtToken jwt = jwtConsumer.getJwtToken();
+        // Store the encryption headers as well
+        jwt = new JwtToken(jwt.getJwsHeaders(), jweHeaders, jwt.getClaims());
+        
         if (isJwsRequired()) {
             if (theSigVerifier == null) {
                 theSigVerifier = getInitializedSignatureVerifier(jwt);
@@ -79,11 +85,7 @@ public abstract class AbstractJoseJwtConsumer extends AbstractJoseConsumer
{
             return super.getJwsVerifier();    
         }
         
-        if (jwt.getHeaders() instanceof JwsHeaders) {
-            return JwsUtils.loadSignatureVerifier((JwsHeaders)jwt.getHeaders(), false);
-        }
-        
-        return super.getInitializedSignatureVerifier();
+        return JwsUtils.loadSignatureVerifier(jwt.getJwsHeaders(), false);
     }
     protected void validateToken(JwtToken jwt) {
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/b8895931/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtToken.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtToken.java
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtToken.java
index 069b8f2..6780e78 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtToken.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtToken.java
@@ -18,39 +18,56 @@
  */
 package org.apache.cxf.rs.security.jose.jwt;
 
-import org.apache.cxf.rs.security.jose.common.JoseHeaders;
+import org.apache.cxf.rs.security.jose.jwe.JweHeaders;
+import org.apache.cxf.rs.security.jose.jws.JwsHeaders;
 
 
 
 public class JwtToken {
-    private JoseHeaders headers;
+    private JwsHeaders jwsHeaders;
+    private JweHeaders jweHeaders;
     private JwtClaims claims;
+    
     public JwtToken(JwtClaims claims) {
-        this(new JoseHeaders() { }, claims);
+        this(new JwsHeaders() { }, new JweHeaders() { }, claims);
+    }
+    public JwtToken(JwsHeaders jwsHeaders, JwtClaims claims) {
+        this(jwsHeaders, new JweHeaders() { }, claims);
+    }
+    public JwtToken(JweHeaders jweHeaders, JwtClaims claims) {
+        this(new JwsHeaders() { }, jweHeaders, claims);
     }
-    public JwtToken(JoseHeaders headers, JwtClaims claims) {
-        this.headers = headers;
+    public JwtToken(JwsHeaders jwsHeaders, JweHeaders jweHeaders, JwtClaims claims) {
+        this.jwsHeaders = jwsHeaders;
+        this.jweHeaders = jweHeaders;
         this.claims = claims;
     }
-    public JoseHeaders getHeaders() {
-        return headers;
+    public JwsHeaders getJwsHeaders() {
+        return jwsHeaders;
+    }
+    public JweHeaders getJweHeaders() {
+        return jweHeaders;
     }
     public JwtClaims getClaims() {
         return claims;
     }
-    public Object getHeader(String name) {
-        return headers.getHeader(name);
+    public Object getJwsHeader(String name) {
+        return jwsHeaders.getHeader(name);
+    }
+    public Object getJweHeader(String name) {
+        return jweHeaders.getHeader(name);
     }
     public Object getClaim(String name) {
         return claims.getClaim(name);
     }
     public int hashCode() { 
-        return headers.hashCode() + 37 * claims.hashCode();
+        return jwsHeaders.hashCode() + 37 * claims.hashCode() + 37 * jweHeaders.hashCode();
     }
     
     public boolean equals(Object obj) {
         return obj instanceof JwtToken 
-            && ((JwtToken)obj).headers.equals(this.headers)
+            && ((JwtToken)obj).jwsHeaders.equals(this.jwsHeaders)
+            && ((JwtToken)obj).jweHeaders.equals(this.jweHeaders)
             && ((JwtToken)obj).claims.equals(this.claims);
     }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/b8895931/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactReaderWriterTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactReaderWriterTest.java
b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactReaderWriterTest.java
index ed10a10..9554dde 100644
--- a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactReaderWriterTest.java
+++ b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactReaderWriterTest.java
@@ -29,7 +29,6 @@ import java.util.List;
 import java.util.Map;
 
 import org.apache.cxf.rs.security.jose.common.JoseConstants;
-import org.apache.cxf.rs.security.jose.common.JoseHeaders;
 import org.apache.cxf.rs.security.jose.common.JoseType;
 import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
 import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
@@ -164,7 +163,7 @@ public class JwsCompactReaderWriterTest extends Assert {
         assertTrue(jws.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY,
                                                                         SignatureAlgorithm.HS256)));
         JwtToken token = jws.getJwtToken();
-        JwsHeaders headers = new JwsHeaders(token.getHeaders());
+        JwsHeaders headers = new JwsHeaders(token.getJwsHeaders());
         assertEquals(JoseType.JWT, headers.getType());
         assertEquals(SignatureAlgorithm.HS256, headers.getSignatureAlgorithm());
         validateSpecClaim(token.getClaims());
@@ -212,7 +211,7 @@ public class JwsCompactReaderWriterTest extends Assert {
         assertTrue(jws.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY,
                                                                         SignatureAlgorithm.HS256)));
         JwtToken token = jws.getJwtToken();
-        JwsHeaders headers = new JwsHeaders(token.getHeaders());
+        JwsHeaders headers = new JwsHeaders(token.getJwsHeaders());
         assertEquals(JoseType.JWT, headers.getType());
         assertEquals(SignatureAlgorithm.HS256, headers.getSignatureAlgorithm());
         
@@ -257,7 +256,7 @@ public class JwsCompactReaderWriterTest extends Assert {
             RSAPublicKey key = CryptoUtils.getRSAPublicKey(RSA_MODULUS_ENCODED, RSA_PUBLIC_EXPONENT_ENCODED);
             assertTrue(jws.verifySignatureWith(new PublicKeyJwsSignatureVerifier(key, SignatureAlgorithm.PS256)));
             JwtToken token = jws.getJwtToken();
-            JwsHeaders inHeaders = new JwsHeaders(token.getHeaders());
+            JwsHeaders inHeaders = new JwsHeaders(token.getJwsHeaders());
             assertEquals(SignatureAlgorithm.PS256, 
                          inHeaders.getSignatureAlgorithm());
             validateSpecClaim(token.getClaims());
@@ -283,7 +282,7 @@ public class JwsCompactReaderWriterTest extends Assert {
         assertTrue(jwsConsumer.verifySignatureWith(new EcDsaJwsSignatureVerifier(publicKey,
                                                    SignatureAlgorithm.ES256)));
         JwtToken token = jwsConsumer.getJwtToken();
-        JwsHeaders headersReceived = new JwsHeaders(token.getHeaders());
+        JwsHeaders headersReceived = new JwsHeaders(token.getJwsHeaders());
         assertEquals(SignatureAlgorithm.ES256, headersReceived.getSignatureAlgorithm());
         validateSpecClaim(token.getClaims());
     }
@@ -294,19 +293,19 @@ public class JwsCompactReaderWriterTest extends Assert {
         RSAPublicKey key = CryptoUtils.getRSAPublicKey(RSA_MODULUS_ENCODED, RSA_PUBLIC_EXPONENT_ENCODED);
         assertTrue(jws.verifySignatureWith(new PublicKeyJwsSignatureVerifier(key, SignatureAlgorithm.RS256)));
         JwtToken token = jws.getJwtToken();
-        JwsHeaders headers = new JwsHeaders(token.getHeaders());
+        JwsHeaders headers = new JwsHeaders(token.getJwsHeaders());
         assertEquals(SignatureAlgorithm.RS256, headers.getSignatureAlgorithm());
         validateSpecClaim(token.getClaims());
     }
     
-    private JwsCompactProducer initSpecJwtTokenWriter(JoseHeaders headers) throws Exception
{
+    private JwsCompactProducer initSpecJwtTokenWriter(JwsHeaders jwsHeaders) throws Exception
{
         
         JwtClaims claims = new JwtClaims();
         claims.setIssuer("joe");
         claims.setExpiryTime(1300819380L);
         claims.setClaim("http://example.com/is_root", Boolean.TRUE);
         
-        JwtToken token = new JwtToken(headers, claims);
+        JwtToken token = new JwtToken(jwsHeaders, claims);
         return new JwsJwtCompactProducer(token, getWriter());
     }
 

http://git-wip-us.apache.org/repos/asf/cxf/blob/b8895931/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/JwtBearerGrantHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/JwtBearerGrantHandler.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/JwtBearerGrantHandler.java
index a5935b0..5bef103 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/JwtBearerGrantHandler.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/JwtBearerGrantHandler.java
@@ -58,7 +58,7 @@ public class JwtBearerGrantHandler extends AbstractJwtHandler {
         try {
             JwsJwtCompactConsumer jwsReader = getJwsReader(assertion);
             JwtToken jwtToken = jwsReader.getJwtToken();
-            validateSignature(new JwsHeaders(jwtToken.getHeaders()),
+            validateSignature(new JwsHeaders(jwtToken.getJwsHeaders()),
                                   jwsReader.getUnsignedEncodedSequence(), 
                                   jwsReader.getDecodedSignature());
             

http://git-wip-us.apache.org/repos/asf/cxf/blob/b8895931/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
index 40e1c80..3ff74e9 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
@@ -113,7 +113,7 @@ public abstract class AbstractTokenValidator extends AbstractOAuthJoseJwtConsume
                 throw new SecurityException("Self-issued JWK key is invalid or not available");
             }
         } else {
-            String keyId = jwt.getHeaders().getKeyId();
+            String keyId = jwt.getJwsHeaders().getKeyId();
             key = keyId != null ? keyMap.get(keyId) : null;
             if (key == null && jwkSetClient != null) {
                 JsonWebKeys keys = jwkSetClient.get(JsonWebKeys.class);

http://git-wip-us.apache.org/repos/asf/cxf/blob/b8895931/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
index ccad6d7..7ced717 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
@@ -95,7 +95,7 @@ public final class OidcUtils {
         if (required) {
             validateHash(at.getTokenKey(),
                          (String)jwt.getClaims().getClaim("at_hash"),
-                         jwt.getHeaders().getAlgorithm());
+                         jwt.getJwsHeaders().getAlgorithm());
         }
     }
     public static void validateCodeHash(String code, JwtToken jwt) {
@@ -105,7 +105,7 @@ public final class OidcUtils {
         if (required) {
             validateHash(code,
                          (String)jwt.getClaims().getClaim("c_hash"),
-                         jwt.getHeaders().getAlgorithm());
+                         jwt.getJwsHeaders().getAlgorithm());
         }
     }
     private static void validateHash(String value, String theHash, String joseAlgo) {


Mime
View raw message