UserInfoJWTView.java

  1. /*******************************************************************************
  2.  * Copyright 2017 The MIT Internet Trust Consortium
  3.  *
  4.  * Licensed under the Apache License, Version 2.0 (the "License");
  5.  * you may not use this file except in compliance with the License.
  6.  * You may obtain a copy of the License at
  7.  *
  8.  *   http://www.apache.org/licenses/LICENSE-2.0
  9.  *
  10.  * Unless required by applicable law or agreed to in writing, software
  11.  * distributed under the License is distributed on an "AS IS" BASIS,
  12.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13.  * See the License for the specific language governing permissions and
  14.  * limitations under the License.
  15.  *******************************************************************************/
  16. /**
  17.  *
  18.  */
  19. package org.mitre.openid.connect.view;

  21. import java.io.IOException;
  22. import java.io.StringWriter;
  23. import java.io.Writer;
  24. import java.text.ParseException;
  25. import java.util.Date;
  26. import java.util.Map;
  27. import java.util.UUID;

  29. import javax.servlet.http.HttpServletRequest;
  30. import javax.servlet.http.HttpServletResponse;

  32. import org.mitre.jwt.encryption.service.JWTEncryptionAndDecryptionService;
  33. import org.mitre.jwt.signer.service.JWTSigningAndValidationService;
  34. import org.mitre.jwt.signer.service.impl.ClientKeyCacheService;
  35. import org.mitre.jwt.signer.service.impl.SymmetricKeyJWTValidatorCacheService;
  36. import org.mitre.oauth2.model.ClientDetailsEntity;
  37. import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
  38. import org.slf4j.Logger;
  39. import org.slf4j.LoggerFactory;
  40. import org.springframework.beans.factory.annotation.Autowired;
  41. import org.springframework.http.MediaType;
  42. import org.springframework.stereotype.Component;

  44. import com.google.common.base.Strings;
  45. import com.google.common.collect.Lists;
  46. import com.google.gson.JsonObject;
  47. import com.nimbusds.jose.Algorithm;
  48. import com.nimbusds.jose.JWEHeader;
  49. import com.nimbusds.jose.JWSAlgorithm;
  50. import com.nimbusds.jose.JWSHeader;
  51. import com.nimbusds.jwt.EncryptedJWT;
  52. import com.nimbusds.jwt.JWTClaimsSet;
  53. import com.nimbusds.jwt.SignedJWT;

  55. /**
  56.  * @author jricher
  57.  *
  58.  */
  59. @Component(UserInfoJWTView.VIEWNAME)
  60. public class UserInfoJWTView extends UserInfoView {

  62.     public static final String CLIENT = "client";

  64.     /**
  65.      * Logger for this class
  66.      */
  67.     private static final Logger logger = LoggerFactory.getLogger(UserInfoJWTView.class);

  69.     public static final String VIEWNAME = "userInfoJwtView";

  71.     public static final String JOSE_MEDIA_TYPE_VALUE = "application/jwt";
  72.     public static final MediaType JOSE_MEDIA_TYPE = new MediaType("application", "jwt");


  75.     @Autowired
  76.     private JWTSigningAndValidationService jwtService;

  78.     @Autowired
  79.     private ConfigurationPropertiesBean config;

  81.     @Autowired
  82.     private ClientKeyCacheService encrypters;

  84.     @Autowired
  85.     private SymmetricKeyJWTValidatorCacheService symmetricCacheService;

  87.     @Override
  88.     protected void writeOut(JsonObject json, Map<String, Object> model,
  89.             HttpServletRequest request, HttpServletResponse response) {

  91.         try {
  92.             ClientDetailsEntity client = (ClientDetailsEntity)model.get(CLIENT);

  94.             // use the parser to import the user claims into the object
  95.             StringWriter writer = new StringWriter();
  96.             gson.toJson(json, writer);

  98.             response.setContentType(JOSE_MEDIA_TYPE_VALUE);

  100.             JWTClaimsSet claims = new JWTClaimsSet.Builder(JWTClaimsSet.parse(writer.toString()))
  101.                     .audience(Lists.newArrayList(client.getClientId()))
  102.                     .issuer(config.getIssuer())
  103.                     .issueTime(new Date())
  104.                     .jwtID(UUID.randomUUID().toString()) // set a random NONCE in the middle of it
  105.                     .build();


  108.             if (client.getUserInfoEncryptedResponseAlg() != null && !client.getUserInfoEncryptedResponseAlg().equals(Algorithm.NONE)
  109.                     && client.getUserInfoEncryptedResponseEnc() != null && !client.getUserInfoEncryptedResponseEnc().equals(Algorithm.NONE)
  110.                     && (!Strings.isNullOrEmpty(client.getJwksUri()) || client.getJwks() != null)) {

  112.                 // encrypt it to the client's key

  114.                 JWTEncryptionAndDecryptionService encrypter = encrypters.getEncrypter(client);

  116.                 if (encrypter != null) {

  118.                     EncryptedJWT encrypted = new EncryptedJWT(new JWEHeader(client.getUserInfoEncryptedResponseAlg(), client.getUserInfoEncryptedResponseEnc()), claims);

  120.                     encrypter.encryptJwt(encrypted);


  123.                     Writer out = response.getWriter();
  124.                     out.write(encrypted.serialize());

  126.                 } else {
  127.                     logger.error("Couldn't find encrypter for client: " + client.getClientId());
  128.                 }
  129.             } else {

  131.                 JWSAlgorithm signingAlg = jwtService.getDefaultSigningAlgorithm(); // default to the server's preference
  132.                 if (client.getUserInfoSignedResponseAlg() != null) {
  133.                     signingAlg = client.getUserInfoSignedResponseAlg(); // override with the client's preference if available
  134.                 }
  135.                 JWSHeader header = new JWSHeader(signingAlg, null, null, null, null, null, null, null, null, null,
  136.                         jwtService.getDefaultSignerKeyId(),
  137.                         null, null);
  138.                 SignedJWT signed = new SignedJWT(header, claims);

  140.                 if (signingAlg.equals(JWSAlgorithm.HS256)
  141.                         || signingAlg.equals(JWSAlgorithm.HS384)
  142.                         || signingAlg.equals(JWSAlgorithm.HS512)) {

  144.                     // sign it with the client's secret
  145.                     JWTSigningAndValidationService signer = symmetricCacheService.getSymmetricValidtor(client);
  146.                     signer.signJwt(signed);

  148.                 } else {
  149.                     // sign it with the server's key
  150.                     jwtService.signJwt(signed);
  151.                 }

  153.                 Writer out = response.getWriter();
  154.                 out.write(signed.serialize());
  155.             }
  156.         } catch (IOException e) {
  157.             logger.error("IO Exception in UserInfoJwtView", e);
  158.         } catch (ParseException e) {
  159.             // TODO Auto-generated catch block
  160.             e.printStackTrace();
  161.         }

  163.     }
  164. }
Created with JaCoCo 0.7.9.201702052155