Source code

001/*******************************************************************************
002 * Copyright 2017 The MIT Internet Trust Consortium
003 *
004 * Portions copyright 2011-2013 The MITRE Corporation
005 *
006 * Licensed under the Apache License, Version 2.0 (the "License");
007 * you may not use this file except in compliance with the License.
008 * You may obtain a copy of the License at
009 *
010 *   http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 *******************************************************************************/
018/**
019 *
020 */
021package org.mitre.oauth2.token;
022
023import java.text.ParseException;
024
025import org.mitre.jwt.assertion.AssertionValidator;
026import org.mitre.oauth2.assertion.AssertionOAuth2RequestFactory;
027import org.mitre.oauth2.service.ClientDetailsEntityService;
028import org.mitre.oauth2.service.OAuth2TokenEntityService;
029import org.mitre.openid.connect.assertion.JWTBearerAssertionAuthenticationToken;
030import org.springframework.beans.factory.annotation.Autowired;
031import org.springframework.beans.factory.annotation.Qualifier;
032import org.springframework.security.core.AuthenticationException;
033import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
034import org.springframework.security.oauth2.provider.ClientDetails;
035import org.springframework.security.oauth2.provider.OAuth2Authentication;
036import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
037import org.springframework.security.oauth2.provider.TokenRequest;
038import org.springframework.security.oauth2.provider.token.AbstractTokenGranter;
039import org.springframework.stereotype.Component;
040
041import com.nimbusds.jwt.JWT;
042import com.nimbusds.jwt.JWTParser;
043
044/**
045 * @author jricher
046 *
047 */
048@Component("jwtAssertionTokenGranter")
049public class JWTAssertionTokenGranter extends AbstractTokenGranter {
050
051        private static final String grantType = "urn:ietf:params:oauth:grant-type:jwt-bearer";
052
053        @Autowired
054        @Qualifier("jwtAssertionValidator")
055        private AssertionValidator validator;
056
057        @Autowired
058        private AssertionOAuth2RequestFactory assertionFactory;
059
060        @Autowired
061        public JWTAssertionTokenGranter(OAuth2TokenEntityService tokenServices, ClientDetailsEntityService clientDetailsService, OAuth2RequestFactory requestFactory) {
062                super(tokenServices, clientDetailsService, requestFactory, grantType);
063        }
064
065        /* (non-Javadoc)
066         * @see org.springframework.security.oauth2.provider.token.AbstractTokenGranter#getOAuth2Authentication(org.springframework.security.oauth2.provider.AuthorizationRequest)
067         */
068        @Override
069        protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, TokenRequest tokenRequest) throws AuthenticationException, InvalidTokenException {
070                // read and load up the existing token
071                try {
072                        String incomingAssertionValue = tokenRequest.getRequestParameters().get("assertion");
073                        JWT assertion = JWTParser.parse(incomingAssertionValue);
074
075                        if (validator.isValid(assertion)) {
076
077                                // our validator says it's OK, time to make a token from it
078                                // the real work happens in the assertion factory and the token services
079                                return new OAuth2Authentication(assertionFactory.createOAuth2Request(client, tokenRequest, assertion),
080                                                new JWTBearerAssertionAuthenticationToken(assertion, client.getAuthorities()));
081
082                        } else {
083                                logger.warn("Incoming assertion did not pass validator, rejecting");
084                                return null;
085                        }
086
087                } catch (ParseException e) {
088                        logger.warn("Unable to parse incoming assertion");
089                }
090
091                // if we had made a token, we'd have returned it by now, so return null here to close out with no created token
092                return null;
093
094        }
095
096
097
098}