Joe Grandja
5 years ago
18 changed files with 1069 additions and 457 deletions
@ -1,123 +0,0 @@
@@ -1,123 +0,0 @@
|
||||
/* |
||||
* Copyright 2002-2021 the original author or authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
*/ |
||||
|
||||
package org.springframework.security.oauth2.client.endpoint; |
||||
|
||||
import org.junit.jupiter.api.Test; |
||||
|
||||
import org.springframework.security.oauth2.jose.JwaAlgorithm; |
||||
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm; |
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat; |
||||
import static org.assertj.core.api.Assertions.assertThatExceptionOfType; |
||||
|
||||
/* |
||||
* NOTE: |
||||
* This originated in gh-9208 (JwtEncoder), |
||||
* which is required to realize the feature in gh-8175 (JWT Client Authentication). |
||||
* However, we decided not to merge gh-9208 as part of the 5.5.0 release |
||||
* and instead packaged it up privately with the gh-8175 feature. |
||||
* We MAY merge gh-9208 in a later release but that is yet to be determined. |
||||
* |
||||
* gh-9208 Introduce JwtEncoder |
||||
* https://github.com/spring-projects/spring-security/pull/9208
|
||||
* |
||||
* gh-8175 Support JWT for Client Authentication |
||||
* https://github.com/spring-projects/spring-security/issues/8175
|
||||
*/ |
||||
|
||||
/** |
||||
* Tests for {@link JoseHeader}. |
||||
* |
||||
* @author Joe Grandja |
||||
*/ |
||||
public class JoseHeaderTests { |
||||
|
||||
@Test |
||||
public void withAlgorithmWhenNullThenThrowIllegalArgumentException() { |
||||
assertThatExceptionOfType(IllegalArgumentException.class).isThrownBy(() -> JoseHeader.withAlgorithm(null)) |
||||
.isInstanceOf(IllegalArgumentException.class).withMessage("jwaAlgorithm cannot be null"); |
||||
} |
||||
|
||||
@Test |
||||
public void buildWhenAllHeadersProvidedThenAllHeadersAreSet() { |
||||
JoseHeader expectedJoseHeader = TestJoseHeaders.joseHeader().build(); |
||||
|
||||
// @formatter:off
|
||||
JoseHeader joseHeader = JoseHeader.withAlgorithm(expectedJoseHeader.getAlgorithm()) |
||||
.jwkSetUrl(expectedJoseHeader.getJwkSetUrl().toExternalForm()) |
||||
.jwk(expectedJoseHeader.getJwk()) |
||||
.keyId(expectedJoseHeader.getKeyId()) |
||||
.x509Url(expectedJoseHeader.getX509Url().toExternalForm()) |
||||
.x509CertificateChain(expectedJoseHeader.getX509CertificateChain()) |
||||
.x509SHA1Thumbprint(expectedJoseHeader.getX509SHA1Thumbprint()) |
||||
.x509SHA256Thumbprint(expectedJoseHeader.getX509SHA256Thumbprint()) |
||||
.type(expectedJoseHeader.getType()) |
||||
.contentType(expectedJoseHeader.getContentType()) |
||||
.headers((headers) -> headers.put("custom-header-name", "custom-header-value")) |
||||
.build(); |
||||
// @formatter:on
|
||||
|
||||
assertThat(joseHeader.<JwaAlgorithm>getAlgorithm()).isEqualTo(expectedJoseHeader.getAlgorithm()); |
||||
assertThat(joseHeader.getJwkSetUrl()).isEqualTo(expectedJoseHeader.getJwkSetUrl()); |
||||
assertThat(joseHeader.getJwk()).isEqualTo(expectedJoseHeader.getJwk()); |
||||
assertThat(joseHeader.getKeyId()).isEqualTo(expectedJoseHeader.getKeyId()); |
||||
assertThat(joseHeader.getX509Url()).isEqualTo(expectedJoseHeader.getX509Url()); |
||||
assertThat(joseHeader.getX509CertificateChain()).isEqualTo(expectedJoseHeader.getX509CertificateChain()); |
||||
assertThat(joseHeader.getX509SHA1Thumbprint()).isEqualTo(expectedJoseHeader.getX509SHA1Thumbprint()); |
||||
assertThat(joseHeader.getX509SHA256Thumbprint()).isEqualTo(expectedJoseHeader.getX509SHA256Thumbprint()); |
||||
assertThat(joseHeader.getType()).isEqualTo(expectedJoseHeader.getType()); |
||||
assertThat(joseHeader.getContentType()).isEqualTo(expectedJoseHeader.getContentType()); |
||||
assertThat(joseHeader.<String>getHeader("custom-header-name")).isEqualTo("custom-header-value"); |
||||
assertThat(joseHeader.getHeaders()).isEqualTo(expectedJoseHeader.getHeaders()); |
||||
} |
||||
|
||||
@Test |
||||
public void fromWhenNullThenThrowIllegalArgumentException() { |
||||
assertThatExceptionOfType(IllegalArgumentException.class).isThrownBy(() -> JoseHeader.from(null)) |
||||
.isInstanceOf(IllegalArgumentException.class).withMessage("headers cannot be null"); |
||||
} |
||||
|
||||
@Test |
||||
public void fromWhenHeadersProvidedThenCopied() { |
||||
JoseHeader expectedJoseHeader = TestJoseHeaders.joseHeader().build(); |
||||
JoseHeader joseHeader = JoseHeader.from(expectedJoseHeader).build(); |
||||
assertThat(joseHeader.getHeaders()).isEqualTo(expectedJoseHeader.getHeaders()); |
||||
} |
||||
|
||||
@Test |
||||
public void headerWhenNameNullThenThrowIllegalArgumentException() { |
||||
assertThatExceptionOfType(IllegalArgumentException.class) |
||||
.isThrownBy(() -> JoseHeader.withAlgorithm(SignatureAlgorithm.RS256).header(null, "value")) |
||||
.withMessage("name cannot be empty"); |
||||
} |
||||
|
||||
@Test |
||||
public void headerWhenValueNullThenThrowIllegalArgumentException() { |
||||
assertThatExceptionOfType(IllegalArgumentException.class) |
||||
.isThrownBy(() -> JoseHeader.withAlgorithm(SignatureAlgorithm.RS256).header("name", null)) |
||||
.withMessage("value cannot be null"); |
||||
} |
||||
|
||||
@Test |
||||
public void getHeaderWhenNullThenThrowIllegalArgumentException() { |
||||
JoseHeader joseHeader = TestJoseHeaders.joseHeader().build(); |
||||
|
||||
assertThatExceptionOfType(IllegalArgumentException.class).isThrownBy(() -> joseHeader.getHeader(null)) |
||||
.isInstanceOf(IllegalArgumentException.class).withMessage("name cannot be empty"); |
||||
} |
||||
|
||||
} |
||||
@ -0,0 +1,90 @@
@@ -0,0 +1,90 @@
|
||||
/* |
||||
* Copyright 2002-2021 the original author or authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
*/ |
||||
|
||||
package org.springframework.security.oauth2.jwt; |
||||
|
||||
import java.util.Map; |
||||
|
||||
import org.springframework.security.oauth2.jose.jws.JwsAlgorithm; |
||||
import org.springframework.util.Assert; |
||||
|
||||
/** |
||||
* The JSON Web Signature (JWS) header is a JSON object representing the header parameters |
||||
* of a JSON Web Token, that describe the cryptographic operations used to digitally sign |
||||
* or create a MAC of the contents of the JWS Protected Header and JWS Payload. |
||||
* |
||||
* @author Joe Grandja |
||||
* @since 5.6 |
||||
* @see <a target="_blank" href="https://tools.ietf.org/html/rfc7515#section-4">JWS JOSE |
||||
* Header</a> |
||||
*/ |
||||
public final class JwsHeader extends JoseHeader { |
||||
|
||||
private JwsHeader(Map<String, Object> headers) { |
||||
super(headers); |
||||
} |
||||
|
||||
@SuppressWarnings("unchecked") |
||||
@Override |
||||
public JwsAlgorithm getAlgorithm() { |
||||
return super.getAlgorithm(); |
||||
} |
||||
|
||||
/** |
||||
* Returns a new {@link Builder}, initialized with the provided {@link JwsAlgorithm}. |
||||
* @param jwsAlgorithm the {@link JwsAlgorithm} |
||||
* @return the {@link Builder} |
||||
*/ |
||||
public static Builder with(JwsAlgorithm jwsAlgorithm) { |
||||
return new Builder(jwsAlgorithm); |
||||
} |
||||
|
||||
/** |
||||
* Returns a new {@link Builder}, initialized with the provided {@code headers}. |
||||
* @param headers the headers |
||||
* @return the {@link Builder} |
||||
*/ |
||||
public static Builder from(JwsHeader headers) { |
||||
return new Builder(headers); |
||||
} |
||||
|
||||
/** |
||||
* A builder for {@link JwsHeader}. |
||||
*/ |
||||
public static final class Builder extends AbstractBuilder<JwsHeader, Builder> { |
||||
|
||||
private Builder(JwsAlgorithm jwsAlgorithm) { |
||||
Assert.notNull(jwsAlgorithm, "jwsAlgorithm cannot be null"); |
||||
algorithm(jwsAlgorithm); |
||||
} |
||||
|
||||
private Builder(JwsHeader headers) { |
||||
Assert.notNull(headers, "headers cannot be null"); |
||||
getHeaders().putAll(headers.getHeaders()); |
||||
} |
||||
|
||||
/** |
||||
* Builds a new {@link JwsHeader}. |
||||
* @return a {@link JwsHeader} |
||||
*/ |
||||
@Override |
||||
public JwsHeader build() { |
||||
return new JwsHeader(getHeaders()); |
||||
} |
||||
|
||||
} |
||||
|
||||
} |
||||
@ -0,0 +1,57 @@
@@ -0,0 +1,57 @@
|
||||
/* |
||||
* Copyright 2002-2021 the original author or authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
*/ |
||||
|
||||
package org.springframework.security.oauth2.jwt; |
||||
|
||||
/** |
||||
* Implementations of this interface are responsible for encoding a JSON Web Token (JWT) |
||||
* to it's compact claims representation format. |
||||
* |
||||
* <p> |
||||
* JWTs may be represented using the JWS Compact Serialization format for a JSON Web |
||||
* Signature (JWS) structure or JWE Compact Serialization format for a JSON Web Encryption |
||||
* (JWE) structure. Therefore, implementors are responsible for signing a JWS and/or |
||||
* encrypting a JWE. |
||||
* |
||||
* @author Anoop Garlapati |
||||
* @author Joe Grandja |
||||
* @since 5.6 |
||||
* @see Jwt |
||||
* @see JwtEncoderParameters |
||||
* @see JwtDecoder |
||||
* @see <a target="_blank" href="https://tools.ietf.org/html/rfc7519">JSON Web Token |
||||
* (JWT)</a> |
||||
* @see <a target="_blank" href="https://tools.ietf.org/html/rfc7515">JSON Web Signature |
||||
* (JWS)</a> |
||||
* @see <a target="_blank" href="https://tools.ietf.org/html/rfc7516">JSON Web Encryption |
||||
* (JWE)</a> |
||||
* @see <a target="_blank" href="https://tools.ietf.org/html/rfc7515#section-3.1">JWS |
||||
* Compact Serialization</a> |
||||
* @see <a target="_blank" href="https://tools.ietf.org/html/rfc7516#section-3.1">JWE |
||||
* Compact Serialization</a> |
||||
*/ |
||||
@FunctionalInterface |
||||
public interface JwtEncoder { |
||||
|
||||
/** |
||||
* Encode the JWT to it's compact claims representation format. |
||||
* @param parameters the parameters containing the JOSE header and JWT Claims Set |
||||
* @return a {@link Jwt} |
||||
* @throws JwtEncodingException if an error occurs while attempting to encode the JWT |
||||
*/ |
||||
Jwt encode(JwtEncoderParameters parameters) throws JwtEncodingException; |
||||
|
||||
} |
||||
@ -0,0 +1,83 @@
@@ -0,0 +1,83 @@
|
||||
/* |
||||
* Copyright 2002-2021 the original author or authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
*/ |
||||
|
||||
package org.springframework.security.oauth2.jwt; |
||||
|
||||
import org.springframework.lang.Nullable; |
||||
import org.springframework.util.Assert; |
||||
|
||||
/** |
||||
* A holder of parameters containing the JWS headers and JWT Claims Set. |
||||
* |
||||
* @author Joe Grandja |
||||
* @since 5.6 |
||||
* @see JwsHeader |
||||
* @see JwtClaimsSet |
||||
* @see JwtEncoder |
||||
*/ |
||||
public final class JwtEncoderParameters { |
||||
|
||||
private final JwsHeader jwsHeader; |
||||
|
||||
private final JwtClaimsSet claims; |
||||
|
||||
private JwtEncoderParameters(JwsHeader jwsHeader, JwtClaimsSet claims) { |
||||
this.jwsHeader = jwsHeader; |
||||
this.claims = claims; |
||||
} |
||||
|
||||
/** |
||||
* Returns a new {@link JwtEncoderParameters}, initialized with the provided |
||||
* {@link JwtClaimsSet}. |
||||
* @param claims the {@link JwtClaimsSet} |
||||
* @return the {@link JwtEncoderParameters} |
||||
*/ |
||||
public static JwtEncoderParameters from(JwtClaimsSet claims) { |
||||
Assert.notNull(claims, "claims cannot be null"); |
||||
return new JwtEncoderParameters(null, claims); |
||||
} |
||||
|
||||
/** |
||||
* Returns a new {@link JwtEncoderParameters}, initialized with the provided |
||||
* {@link JwsHeader} and {@link JwtClaimsSet}. |
||||
* @param jwsHeader the {@link JwsHeader} |
||||
* @param claims the {@link JwtClaimsSet} |
||||
* @return the {@link JwtEncoderParameters} |
||||
*/ |
||||
public static JwtEncoderParameters from(JwsHeader jwsHeader, JwtClaimsSet claims) { |
||||
Assert.notNull(jwsHeader, "jwsHeader cannot be null"); |
||||
Assert.notNull(claims, "claims cannot be null"); |
||||
return new JwtEncoderParameters(jwsHeader, claims); |
||||
} |
||||
|
||||
/** |
||||
* Returns the {@link JwsHeader JWS headers}. |
||||
* @return the {@link JwsHeader}, or {@code null} if not specified |
||||
*/ |
||||
@Nullable |
||||
public JwsHeader getJwsHeader() { |
||||
return this.jwsHeader; |
||||
} |
||||
|
||||
/** |
||||
* Returns the {@link JwtClaimsSet claims}. |
||||
* @return the {@link JwtClaimsSet} |
||||
*/ |
||||
public JwtClaimsSet getClaims() { |
||||
return this.claims; |
||||
} |
||||
|
||||
} |
||||
@ -0,0 +1,111 @@
@@ -0,0 +1,111 @@
|
||||
/* |
||||
* Copyright 2002-2021 the original author or authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
*/ |
||||
|
||||
package org.springframework.security.oauth2.jwt; |
||||
|
||||
import org.junit.jupiter.api.Test; |
||||
|
||||
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm; |
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat; |
||||
import static org.assertj.core.api.Assertions.assertThatExceptionOfType; |
||||
|
||||
/** |
||||
* Tests for {@link JwsHeader}. |
||||
* |
||||
* @author Joe Grandja |
||||
*/ |
||||
public class JwsHeaderTests { |
||||
|
||||
@Test |
||||
public void withWhenNullThenThrowIllegalArgumentException() { |
||||
assertThatExceptionOfType(IllegalArgumentException.class).isThrownBy(() -> JwsHeader.with(null)) |
||||
.withMessage("jwsAlgorithm cannot be null"); |
||||
} |
||||
|
||||
@Test |
||||
public void fromWhenNullThenThrowIllegalArgumentException() { |
||||
assertThatExceptionOfType(IllegalArgumentException.class).isThrownBy(() -> JwsHeader.from(null)) |
||||
.withMessage("headers cannot be null"); |
||||
} |
||||
|
||||
@Test |
||||
public void fromWhenHeadersProvidedThenCopied() { |
||||
JwsHeader expectedJwsHeader = TestJwsHeaders.jwsHeader().build(); |
||||
JwsHeader jwsHeader = JwsHeader.from(expectedJwsHeader).build(); |
||||
assertThat(jwsHeader.getHeaders()).isEqualTo(expectedJwsHeader.getHeaders()); |
||||
} |
||||
|
||||
@Test |
||||
public void buildWhenAllHeadersProvidedThenAllHeadersAreSet() { |
||||
JwsHeader expectedJwsHeader = TestJwsHeaders.jwsHeader().build(); |
||||
|
||||
// @formatter:off
|
||||
JwsHeader jwsHeader = JwsHeader.with(expectedJwsHeader.getAlgorithm()) |
||||
.jwkSetUrl(expectedJwsHeader.getJwkSetUrl().toExternalForm()) |
||||
.jwk(expectedJwsHeader.getJwk()) |
||||
.keyId(expectedJwsHeader.getKeyId()) |
||||
.x509Url(expectedJwsHeader.getX509Url().toExternalForm()) |
||||
.x509CertificateChain(expectedJwsHeader.getX509CertificateChain()) |
||||
.x509SHA1Thumbprint(expectedJwsHeader.getX509SHA1Thumbprint()) |
||||
.x509SHA256Thumbprint(expectedJwsHeader.getX509SHA256Thumbprint()) |
||||
.type(expectedJwsHeader.getType()) |
||||
.contentType(expectedJwsHeader.getContentType()) |
||||
.criticalHeader("critical-header1-name", "critical-header1-value") |
||||
.criticalHeader("critical-header2-name", "critical-header2-value") |
||||
.headers((headers) -> headers.put("custom-header-name", "custom-header-value")) |
||||
.build(); |
||||
// @formatter:on
|
||||
|
||||
assertThat(jwsHeader.getAlgorithm()).isEqualTo(expectedJwsHeader.getAlgorithm()); |
||||
assertThat(jwsHeader.getJwkSetUrl()).isEqualTo(expectedJwsHeader.getJwkSetUrl()); |
||||
assertThat(jwsHeader.getJwk()).isEqualTo(expectedJwsHeader.getJwk()); |
||||
assertThat(jwsHeader.getKeyId()).isEqualTo(expectedJwsHeader.getKeyId()); |
||||
assertThat(jwsHeader.getX509Url()).isEqualTo(expectedJwsHeader.getX509Url()); |
||||
assertThat(jwsHeader.getX509CertificateChain()).isEqualTo(expectedJwsHeader.getX509CertificateChain()); |
||||
assertThat(jwsHeader.getX509SHA1Thumbprint()).isEqualTo(expectedJwsHeader.getX509SHA1Thumbprint()); |
||||
assertThat(jwsHeader.getX509SHA256Thumbprint()).isEqualTo(expectedJwsHeader.getX509SHA256Thumbprint()); |
||||
assertThat(jwsHeader.getType()).isEqualTo(expectedJwsHeader.getType()); |
||||
assertThat(jwsHeader.getContentType()).isEqualTo(expectedJwsHeader.getContentType()); |
||||
assertThat(jwsHeader.getCritical()).containsExactlyInAnyOrder("critical-header1-name", "critical-header2-name"); |
||||
assertThat(jwsHeader.<String>getHeader("critical-header1-name")).isEqualTo("critical-header1-value"); |
||||
assertThat(jwsHeader.<String>getHeader("critical-header2-name")).isEqualTo("critical-header2-value"); |
||||
assertThat(jwsHeader.<String>getHeader("custom-header-name")).isEqualTo("custom-header-value"); |
||||
} |
||||
|
||||
@Test |
||||
public void headerWhenNameNullThenThrowIllegalArgumentException() { |
||||
assertThatExceptionOfType(IllegalArgumentException.class) |
||||
.isThrownBy(() -> JwsHeader.with(SignatureAlgorithm.RS256).header(null, "value")) |
||||
.withMessage("name cannot be empty"); |
||||
} |
||||
|
||||
@Test |
||||
public void headerWhenValueNullThenThrowIllegalArgumentException() { |
||||
assertThatExceptionOfType(IllegalArgumentException.class) |
||||
.isThrownBy(() -> JwsHeader.with(SignatureAlgorithm.RS256).header("name", null)) |
||||
.withMessage("value cannot be null"); |
||||
} |
||||
|
||||
@Test |
||||
public void getHeaderWhenNullThenThrowIllegalArgumentException() { |
||||
JwsHeader jwsHeader = TestJwsHeaders.jwsHeader().build(); |
||||
|
||||
assertThatExceptionOfType(IllegalArgumentException.class).isThrownBy(() -> jwsHeader.getHeader(null)) |
||||
.withMessage("name cannot be empty"); |
||||
} |
||||
|
||||
} |
||||
@ -0,0 +1,518 @@
@@ -0,0 +1,518 @@
|
||||
/* |
||||
* Copyright 2002-2021 the original author or authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
*/ |
||||
|
||||
package org.springframework.security.oauth2.jwt; |
||||
|
||||
import java.net.URL; |
||||
import java.time.Instant; |
||||
import java.util.ArrayList; |
||||
import java.util.Date; |
||||
import java.util.HashMap; |
||||
import java.util.List; |
||||
import java.util.Map; |
||||
import java.util.Set; |
||||
import java.util.function.Consumer; |
||||
import java.util.stream.Collectors; |
||||
|
||||
import com.nimbusds.jose.EncryptionMethod; |
||||
import com.nimbusds.jose.JOSEException; |
||||
import com.nimbusds.jose.JOSEObjectType; |
||||
import com.nimbusds.jose.JWEAlgorithm; |
||||
import com.nimbusds.jose.JWEHeader; |
||||
import com.nimbusds.jose.JWEObject; |
||||
import com.nimbusds.jose.Payload; |
||||
import com.nimbusds.jose.crypto.RSAEncrypter; |
||||
import com.nimbusds.jose.jwk.JWK; |
||||
import com.nimbusds.jose.jwk.JWKMatcher; |
||||
import com.nimbusds.jose.jwk.JWKSelector; |
||||
import com.nimbusds.jose.jwk.JWKSet; |
||||
import com.nimbusds.jose.jwk.KeyType; |
||||
import com.nimbusds.jose.jwk.KeyUse; |
||||
import com.nimbusds.jose.jwk.RSAKey; |
||||
import com.nimbusds.jose.jwk.source.JWKSource; |
||||
import com.nimbusds.jose.proc.SecurityContext; |
||||
import com.nimbusds.jose.util.Base64; |
||||
import com.nimbusds.jose.util.Base64URL; |
||||
import com.nimbusds.jwt.JWTClaimsSet; |
||||
import org.junit.jupiter.api.BeforeEach; |
||||
import org.junit.jupiter.api.Test; |
||||
|
||||
import org.springframework.core.convert.converter.Converter; |
||||
import org.springframework.security.oauth2.jose.JwaAlgorithm; |
||||
import org.springframework.security.oauth2.jose.TestJwks; |
||||
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm; |
||||
import org.springframework.util.Assert; |
||||
import org.springframework.util.CollectionUtils; |
||||
import org.springframework.util.StringUtils; |
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat; |
||||
|
||||
/** |
||||
* Tests for proofing out future support of JWE. |
||||
* |
||||
* @author Joe Grandja |
||||
*/ |
||||
public class NimbusJweEncoderTests { |
||||
|
||||
// @formatter:off
|
||||
private static final JweHeader DEFAULT_JWE_HEADER = |
||||
JweHeader.with(JweAlgorithm.RSA_OAEP_256, EncryptionMethod.A256GCM.getName()).build(); |
||||
// @formatter:on
|
||||
|
||||
private List<JWK> jwkList; |
||||
|
||||
private JWKSource<SecurityContext> jwkSource; |
||||
|
||||
private NimbusJweEncoder jweEncoder; |
||||
|
||||
@BeforeEach |
||||
public void setUp() { |
||||
this.jwkList = new ArrayList<>(); |
||||
this.jwkSource = (jwkSelector, securityContext) -> jwkSelector.select(new JWKSet(this.jwkList)); |
||||
this.jweEncoder = new NimbusJweEncoder(this.jwkSource); |
||||
} |
||||
|
||||
@Test |
||||
public void encodeWhenJwtClaimsSetThenEncodes() { |
||||
RSAKey rsaJwk = TestJwks.DEFAULT_RSA_JWK; |
||||
this.jwkList.add(rsaJwk); |
||||
|
||||
JwtClaimsSet jwtClaimsSet = TestJwtClaimsSets.jwtClaimsSet().build(); |
||||
|
||||
// @formatter:off
|
||||
// **********************
|
||||
// Assume future API:
|
||||
// JwtEncoderParameters.with(JweHeader jweHeader, JwtClaimsSet claims)
|
||||
// **********************
|
||||
// @formatter:on
|
||||
Jwt encodedJwe = this.jweEncoder.encode(JwtEncoderParameters.from(jwtClaimsSet)); |
||||
|
||||
assertThat(encodedJwe.getHeaders().get(JoseHeaderNames.ALG)).isEqualTo(DEFAULT_JWE_HEADER.getAlgorithm()); |
||||
assertThat(encodedJwe.getHeaders().get("enc")).isEqualTo(DEFAULT_JWE_HEADER.<String>getHeader("enc")); |
||||
assertThat(encodedJwe.getHeaders().get(JoseHeaderNames.JKU)).isNull(); |
||||
assertThat(encodedJwe.getHeaders().get(JoseHeaderNames.JWK)).isNull(); |
||||
assertThat(encodedJwe.getHeaders().get(JoseHeaderNames.KID)).isEqualTo(rsaJwk.getKeyID()); |
||||
assertThat(encodedJwe.getHeaders().get(JoseHeaderNames.X5U)).isNull(); |
||||
assertThat(encodedJwe.getHeaders().get(JoseHeaderNames.X5C)).isNull(); |
||||
assertThat(encodedJwe.getHeaders().get(JoseHeaderNames.X5T)).isNull(); |
||||
assertThat(encodedJwe.getHeaders().get(JoseHeaderNames.X5T_S256)).isNull(); |
||||
assertThat(encodedJwe.getHeaders().get(JoseHeaderNames.TYP)).isNull(); |
||||
assertThat(encodedJwe.getHeaders().get(JoseHeaderNames.CTY)).isNull(); |
||||
assertThat(encodedJwe.getHeaders().get(JoseHeaderNames.CRIT)).isNull(); |
||||
|
||||
assertThat(encodedJwe.getIssuer()).isEqualTo(jwtClaimsSet.getIssuer()); |
||||
assertThat(encodedJwe.getSubject()).isEqualTo(jwtClaimsSet.getSubject()); |
||||
assertThat(encodedJwe.getAudience()).isEqualTo(jwtClaimsSet.getAudience()); |
||||
assertThat(encodedJwe.getExpiresAt()).isEqualTo(jwtClaimsSet.getExpiresAt()); |
||||
assertThat(encodedJwe.getNotBefore()).isEqualTo(jwtClaimsSet.getNotBefore()); |
||||
assertThat(encodedJwe.getIssuedAt()).isEqualTo(jwtClaimsSet.getIssuedAt()); |
||||
assertThat(encodedJwe.getId()).isEqualTo(jwtClaimsSet.getId()); |
||||
assertThat(encodedJwe.<String>getClaim("custom-claim-name")).isEqualTo("custom-claim-value"); |
||||
|
||||
assertThat(encodedJwe.getTokenValue()).isNotNull(); |
||||
} |
||||
|
||||
@Test |
||||
public void encodeWhenNestedJwsThenEncodes() { |
||||
// See Nimbus example -> Nested signed and encrypted JWT
|
||||
// https://connect2id.com/products/nimbus-jose-jwt/examples/signed-and-encrypted-jwt
|
||||
|
||||
RSAKey rsaJwk = TestJwks.DEFAULT_RSA_JWK; |
||||
this.jwkList.add(rsaJwk); |
||||
|
||||
JwsHeader jwsHeader = JwsHeader.with(SignatureAlgorithm.RS256).build(); |
||||
JwtClaimsSet jwtClaimsSet = TestJwtClaimsSets.jwtClaimsSet().build(); |
||||
|
||||
// @formatter:off
|
||||
// **********************
|
||||
// Assume future API:
|
||||
// JwtEncoderParameters.with(JwsHeader jwsHeader, JweHeader jweHeader, JwtClaimsSet claims)
|
||||
// **********************
|
||||
// @formatter:on
|
||||
Jwt encodedJweNestedJws = this.jweEncoder.encode(JwtEncoderParameters.from(jwsHeader, jwtClaimsSet)); |
||||
|
||||
assertThat(encodedJweNestedJws.getHeaders().get(JoseHeaderNames.ALG)) |
||||
.isEqualTo(DEFAULT_JWE_HEADER.getAlgorithm()); |
||||
assertThat(encodedJweNestedJws.getHeaders().get("enc")).isEqualTo(DEFAULT_JWE_HEADER.<String>getHeader("enc")); |
||||
assertThat(encodedJweNestedJws.getHeaders().get(JoseHeaderNames.JKU)).isNull(); |
||||
assertThat(encodedJweNestedJws.getHeaders().get(JoseHeaderNames.JWK)).isNull(); |
||||
assertThat(encodedJweNestedJws.getHeaders().get(JoseHeaderNames.KID)).isEqualTo(rsaJwk.getKeyID()); |
||||
assertThat(encodedJweNestedJws.getHeaders().get(JoseHeaderNames.X5U)).isNull(); |
||||
assertThat(encodedJweNestedJws.getHeaders().get(JoseHeaderNames.X5C)).isNull(); |
||||
assertThat(encodedJweNestedJws.getHeaders().get(JoseHeaderNames.X5T)).isNull(); |
||||
assertThat(encodedJweNestedJws.getHeaders().get(JoseHeaderNames.X5T_S256)).isNull(); |
||||
assertThat(encodedJweNestedJws.getHeaders().get(JoseHeaderNames.TYP)).isNull(); |
||||
assertThat(encodedJweNestedJws.getHeaders().get(JoseHeaderNames.CTY)).isEqualTo("JWT"); |
||||
assertThat(encodedJweNestedJws.getHeaders().get(JoseHeaderNames.CRIT)).isNull(); |
||||
|
||||
assertThat(encodedJweNestedJws.getIssuer()).isEqualTo(jwtClaimsSet.getIssuer()); |
||||
assertThat(encodedJweNestedJws.getSubject()).isEqualTo(jwtClaimsSet.getSubject()); |
||||
assertThat(encodedJweNestedJws.getAudience()).isEqualTo(jwtClaimsSet.getAudience()); |
||||
assertThat(encodedJweNestedJws.getExpiresAt()).isEqualTo(jwtClaimsSet.getExpiresAt()); |
||||
assertThat(encodedJweNestedJws.getNotBefore()).isEqualTo(jwtClaimsSet.getNotBefore()); |
||||
assertThat(encodedJweNestedJws.getIssuedAt()).isEqualTo(jwtClaimsSet.getIssuedAt()); |
||||
assertThat(encodedJweNestedJws.getId()).isEqualTo(jwtClaimsSet.getId()); |
||||
assertThat(encodedJweNestedJws.<String>getClaim("custom-claim-name")).isEqualTo("custom-claim-value"); |
||||
|
||||
assertThat(encodedJweNestedJws.getTokenValue()).isNotNull(); |
||||
} |
||||
|
||||
enum JweAlgorithm implements JwaAlgorithm { |
||||
|
||||
RSA_OAEP_256("RSA-OAEP-256"); |
||||
|
||||
private final String name; |
||||
|
||||
JweAlgorithm(String name) { |
||||
this.name = name; |
||||
} |
||||
|
||||
@Override |
||||
public String getName() { |
||||
return this.name; |
||||
} |
||||
|
||||
} |
||||
|
||||
private static final class JweHeader extends JoseHeader { |
||||
|
||||
private JweHeader(Map<String, Object> headers) { |
||||
super(headers); |
||||
} |
||||
|
||||
@SuppressWarnings("unchecked") |
||||
@Override |
||||
public JweAlgorithm getAlgorithm() { |
||||
return super.getAlgorithm(); |
||||
} |
||||
|
||||
private static Builder with(JweAlgorithm jweAlgorithm, String enc) { |
||||
return new Builder(jweAlgorithm, enc); |
||||
} |
||||
|
||||
private static Builder from(JweHeader headers) { |
||||
return new Builder(headers); |
||||
} |
||||
|
||||
private static final class Builder extends AbstractBuilder<JweHeader, Builder> { |
||||
|
||||
private Builder(JweAlgorithm jweAlgorithm, String enc) { |
||||
Assert.notNull(jweAlgorithm, "jweAlgorithm cannot be null"); |
||||
Assert.hasText(enc, "enc cannot be empty"); |
||||
algorithm(jweAlgorithm); |
||||
header("enc", enc); |
||||
} |
||||
|
||||
private Builder(JweHeader headers) { |
||||
Assert.notNull(headers, "headers cannot be null"); |
||||
Consumer<Map<String, Object>> headersConsumer = (h) -> h.putAll(headers.getHeaders()); |
||||
headers(headersConsumer); |
||||
} |
||||
|
||||
@Override |
||||
public JweHeader build() { |
||||
return new JweHeader(getHeaders()); |
||||
} |
||||
|
||||
} |
||||
|
||||
} |
||||
|
||||
private static final class NimbusJweEncoder implements JwtEncoder { |
||||
|
||||
private static final String ENCODING_ERROR_MESSAGE_TEMPLATE = "An error occurred while attempting to encode the Jwt: %s"; |
||||
|
||||
private static final Converter<JweHeader, JWEHeader> JWE_HEADER_CONVERTER = new JweHeaderConverter(); |
||||
|
||||
private static final Converter<JwtClaimsSet, JWTClaimsSet> JWT_CLAIMS_SET_CONVERTER = new JwtClaimsSetConverter(); |
||||
|
||||
private final JWKSource<SecurityContext> jwkSource; |
||||
|
||||
private final JwtEncoder jwsEncoder; |
||||
|
||||
private NimbusJweEncoder(JWKSource<SecurityContext> jwkSource) { |
||||
Assert.notNull(jwkSource, "jwkSource cannot be null"); |
||||
this.jwkSource = jwkSource; |
||||
this.jwsEncoder = new NimbusJwtEncoder(jwkSource); |
||||
} |
||||
|
||||
@Override |
||||
public Jwt encode(JwtEncoderParameters parameters) throws JwtEncodingException { |
||||
Assert.notNull(parameters, "parameters cannot be null"); |
||||
|
||||
// @formatter:off
|
||||
// **********************
|
||||
// Assume future API:
|
||||
// JwtEncoderParameters.getJweHeader()
|
||||
// **********************
|
||||
// @formatter:on
|
||||
JweHeader jweHeader = DEFAULT_JWE_HEADER; // Assume this is accessed via
|
||||
// JwtEncoderParameters.getJweHeader()
|
||||
|
||||
JwsHeader jwsHeader = parameters.getJwsHeader(); |
||||
JwtClaimsSet claims = parameters.getClaims(); |
||||
|
||||
JWK jwk = selectJwk(jweHeader); |
||||
jweHeader = addKeyIdentifierHeadersIfNecessary(jweHeader, jwk); |
||||
|
||||
JWEHeader jweHeader2 = JWE_HEADER_CONVERTER.convert(jweHeader); |
||||
JWTClaimsSet jwtClaimsSet = JWT_CLAIMS_SET_CONVERTER.convert(claims); |
||||
|
||||
String payload; |
||||
if (jwsHeader != null) { |
||||
// Sign then encrypt
|
||||
Jwt jws = this.jwsEncoder.encode(JwtEncoderParameters.from(jwsHeader, claims)); |
||||
payload = jws.getTokenValue(); |
||||
|
||||
// @formatter:off
|
||||
jweHeader = JweHeader.from(jweHeader) |
||||
.contentType("JWT") // Indicates Nested JWT (REQUIRED)
|
||||
.build(); |
||||
// @formatter:on
|
||||
} |
||||
else { |
||||
// Encrypt only
|
||||
payload = jwtClaimsSet.toString(); |
||||
} |
||||
|
||||
JWEObject jweObject = new JWEObject(jweHeader2, new Payload(payload)); |
||||
try { |
||||
// FIXME
|
||||
// Resolve type of JWEEncrypter using the JWK key type
|
||||
// For now, assuming RSA key type
|
||||
jweObject.encrypt(new RSAEncrypter(jwk.toRSAKey())); |
||||
} |
||||
catch (JOSEException ex) { |
||||
throw new JwtEncodingException(String.format(ENCODING_ERROR_MESSAGE_TEMPLATE, |
||||
"Failed to encrypt the JWT -> " + ex.getMessage()), ex); |
||||
} |
||||
String jwe = jweObject.serialize(); |
||||
|
||||
// NOTE:
|
||||
// For the Nested JWS use case, we lose access to the JWS Header in the
|
||||
// returned JWT.
|
||||
// If this is needed, we can simply add the new method Jwt.getNestedHeaders().
|
||||
return new Jwt(jwe, claims.getIssuedAt(), claims.getExpiresAt(), jweHeader.getHeaders(), |
||||
claims.getClaims()); |
||||
} |
||||
|
||||
private JWK selectJwk(JweHeader headers) { |
||||
List<JWK> jwks; |
||||
try { |
||||
JWKSelector jwkSelector = new JWKSelector(createJwkMatcher(headers)); |
||||
jwks = this.jwkSource.get(jwkSelector, null); |
||||
} |
||||
catch (Exception ex) { |
||||
throw new JwtEncodingException(String.format(ENCODING_ERROR_MESSAGE_TEMPLATE, |
||||
"Failed to select a JWK encryption key -> " + ex.getMessage()), ex); |
||||
} |
||||
|
||||
if (jwks.size() > 1) { |
||||
throw new JwtEncodingException(String.format(ENCODING_ERROR_MESSAGE_TEMPLATE, |
||||
"Found multiple JWK encryption keys for algorithm '" + headers.getAlgorithm().getName() + "'")); |
||||
} |
||||
|
||||
if (jwks.isEmpty()) { |
||||
throw new JwtEncodingException( |
||||
String.format(ENCODING_ERROR_MESSAGE_TEMPLATE, "Failed to select a JWK encryption key")); |
||||
} |
||||
|
||||
return jwks.get(0); |
||||
} |
||||
|
||||
private static JWKMatcher createJwkMatcher(JweHeader headers) { |
||||
JWEAlgorithm jweAlgorithm = JWEAlgorithm.parse(headers.getAlgorithm().getName()); |
||||
|
||||
// @formatter:off
|
||||
return new JWKMatcher.Builder() |
||||
.keyType(KeyType.forAlgorithm(jweAlgorithm)) |
||||
.keyID(headers.getKeyId()) |
||||
.keyUses(KeyUse.ENCRYPTION, null) |
||||
.algorithms(jweAlgorithm, null) |
||||
.x509CertSHA256Thumbprint(Base64URL.from(headers.getX509SHA256Thumbprint())) |
||||
.build(); |
||||
// @formatter:on
|
||||
} |
||||
|
||||
private static JweHeader addKeyIdentifierHeadersIfNecessary(JweHeader headers, JWK jwk) { |
||||
// Check if headers have already been added
|
||||
if (StringUtils.hasText(headers.getKeyId()) && StringUtils.hasText(headers.getX509SHA256Thumbprint())) { |
||||
return headers; |
||||
} |
||||
// Check if headers can be added from JWK
|
||||
if (!StringUtils.hasText(jwk.getKeyID()) && jwk.getX509CertSHA256Thumbprint() == null) { |
||||
return headers; |
||||
} |
||||
|
||||
JweHeader.Builder headersBuilder = JweHeader.from(headers); |
||||
if (!StringUtils.hasText(headers.getKeyId()) && StringUtils.hasText(jwk.getKeyID())) { |
||||
headersBuilder.keyId(jwk.getKeyID()); |
||||
} |
||||
if (!StringUtils.hasText(headers.getX509SHA256Thumbprint()) && jwk.getX509CertSHA256Thumbprint() != null) { |
||||
headersBuilder.x509SHA256Thumbprint(jwk.getX509CertSHA256Thumbprint().toString()); |
||||
} |
||||
|
||||
return headersBuilder.build(); |
||||
} |
||||
|
||||
} |
||||
|
||||
private static class JweHeaderConverter implements Converter<JweHeader, JWEHeader> { |
||||
|
||||
@Override |
||||
public JWEHeader convert(JweHeader headers) { |
||||
JWEAlgorithm jweAlgorithm = JWEAlgorithm.parse(headers.getAlgorithm().getName()); |
||||
EncryptionMethod encryptionMethod = EncryptionMethod.parse(headers.getHeader("enc")); |
||||
JWEHeader.Builder builder = new JWEHeader.Builder(jweAlgorithm, encryptionMethod); |
||||
|
||||
URL jwkSetUri = headers.getJwkSetUrl(); |
||||
if (jwkSetUri != null) { |
||||
try { |
||||
builder.jwkURL(jwkSetUri.toURI()); |
||||
} |
||||
catch (Exception ex) { |
||||
throw new IllegalArgumentException( |
||||
"Unable to convert '" + JoseHeaderNames.JKU + "' JOSE header to a URI", ex); |
||||
} |
||||
} |
||||
|
||||
Map<String, Object> jwk = headers.getJwk(); |
||||
if (!CollectionUtils.isEmpty(jwk)) { |
||||
try { |
||||
builder.jwk(JWK.parse(jwk)); |
||||
} |
||||
catch (Exception ex) { |
||||
throw new IllegalArgumentException("Unable to convert '" + JoseHeaderNames.JWK + "' JOSE header", |
||||
ex); |
||||
} |
||||
} |
||||
|
||||
String keyId = headers.getKeyId(); |
||||
if (StringUtils.hasText(keyId)) { |
||||
builder.keyID(keyId); |
||||
} |
||||
|
||||
URL x509Uri = headers.getX509Url(); |
||||
if (x509Uri != null) { |
||||
try { |
||||
builder.x509CertURL(x509Uri.toURI()); |
||||
} |
||||
catch (Exception ex) { |
||||
throw new IllegalArgumentException( |
||||
"Unable to convert '" + JoseHeaderNames.X5U + "' JOSE header to a URI", ex); |
||||
} |
||||
} |
||||
|
||||
List<String> x509CertificateChain = headers.getX509CertificateChain(); |
||||
if (!CollectionUtils.isEmpty(x509CertificateChain)) { |
||||
builder.x509CertChain(x509CertificateChain.stream().map(Base64::new).collect(Collectors.toList())); |
||||
} |
||||
|
||||
String x509SHA1Thumbprint = headers.getX509SHA1Thumbprint(); |
||||
if (StringUtils.hasText(x509SHA1Thumbprint)) { |
||||
builder.x509CertThumbprint(new Base64URL(x509SHA1Thumbprint)); |
||||
} |
||||
|
||||
String x509SHA256Thumbprint = headers.getX509SHA256Thumbprint(); |
||||
if (StringUtils.hasText(x509SHA256Thumbprint)) { |
||||
builder.x509CertSHA256Thumbprint(new Base64URL(x509SHA256Thumbprint)); |
||||
} |
||||
|
||||
String type = headers.getType(); |
||||
if (StringUtils.hasText(type)) { |
||||
builder.type(new JOSEObjectType(type)); |
||||
} |
||||
|
||||
String contentType = headers.getContentType(); |
||||
if (StringUtils.hasText(contentType)) { |
||||
builder.contentType(contentType); |
||||
} |
||||
|
||||
Set<String> critical = headers.getCritical(); |
||||
if (!CollectionUtils.isEmpty(critical)) { |
||||
builder.criticalParams(critical); |
||||
} |
||||
|
||||
Map<String, Object> customHeaders = headers.getHeaders().entrySet().stream() |
||||
.filter((header) -> !JWEHeader.getRegisteredParameterNames().contains(header.getKey())) |
||||
.collect(Collectors.toMap(Map.Entry::getKey, Map.Entry::getValue)); |
||||
if (!CollectionUtils.isEmpty(customHeaders)) { |
||||
builder.customParams(customHeaders); |
||||
} |
||||
|
||||
return builder.build(); |
||||
} |
||||
|
||||
} |
||||
|
||||
private static class JwtClaimsSetConverter implements Converter<JwtClaimsSet, JWTClaimsSet> { |
||||
|
||||
@Override |
||||
public JWTClaimsSet convert(JwtClaimsSet claims) { |
||||
JWTClaimsSet.Builder builder = new JWTClaimsSet.Builder(); |
||||
|
||||
// NOTE: The value of the 'iss' claim is a String or URL (StringOrURI).
|
||||
Object issuer = claims.getClaim(JwtClaimNames.ISS); |
||||
if (issuer != null) { |
||||
builder.issuer(issuer.toString()); |
||||
} |
||||
|
||||
String subject = claims.getSubject(); |
||||
if (StringUtils.hasText(subject)) { |
||||
builder.subject(subject); |
||||
} |
||||
|
||||
List<String> audience = claims.getAudience(); |
||||
if (!CollectionUtils.isEmpty(audience)) { |
||||
builder.audience(audience); |
||||
} |
||||
|
||||
Instant expiresAt = claims.getExpiresAt(); |
||||
if (expiresAt != null) { |
||||
builder.expirationTime(Date.from(expiresAt)); |
||||
} |
||||
|
||||
Instant notBefore = claims.getNotBefore(); |
||||
if (notBefore != null) { |
||||
builder.notBeforeTime(Date.from(notBefore)); |
||||
} |
||||
|
||||
Instant issuedAt = claims.getIssuedAt(); |
||||
if (issuedAt != null) { |
||||
builder.issueTime(Date.from(issuedAt)); |
||||
} |
||||
|
||||
String jwtId = claims.getId(); |
||||
if (StringUtils.hasText(jwtId)) { |
||||
builder.jwtID(jwtId); |
||||
} |
||||
|
||||
Map<String, Object> customClaims = new HashMap<>(); |
||||
claims.getClaims().forEach((name, value) -> { |
||||
if (!JWTClaimsSet.getRegisteredNames().contains(name)) { |
||||
customClaims.put(name, value); |
||||
} |
||||
}); |
||||
if (!customClaims.isEmpty()) { |
||||
customClaims.forEach(builder::claim); |
||||
} |
||||
|
||||
return builder.build(); |
||||
} |
||||
|
||||
} |
||||
|
||||
} |
||||
Loading…
Reference in new issue