feat(agama): add utility classes for inbound identity (#2280)
* docs: add new property to table #2197 * feat: allow client_secret_post authn method for token endpoint #2197 * feat: add SIWA (Sign in with Apple) flow #2198
1 parent
cea10ff
commit ca6fdc9
Showing
11 changed files
with
142 additions
and
11 deletions.
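--- a/agama/inboundID/src/main/java/io/jans/inbound/JwtUtil.java
+++ b/agama/inboundID/src/main/java/io/jans/inbound/JwtUtil.java
@@ -0,0 +1,72 @@
+package io.jans.inbound;
+
+import com.nimbusds.jose.*;
+import com.nimbusds.jose.crypto.*;
+import com.nimbusds.jose.jwk.*;
+import com.nimbusds.jwt.*;
+
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.spec.EncodedKeySpec;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.PKCS8EncodedKeySpec;
+
+import java.text.ParseException;
+import java.util.Base64;
+import java.util.Date;
+import java.util.Optional;
+import java.util.Map;
+
+public class JwtUtil {
+
+private static final Base64.Decoder decoder = Base64.getDecoder();
+
+//ECDSA using P-256 (secp256r1) curve and SHA-256 hash algorithm
+public static String mkES256SignedJWT(String privateKeyPEM, String kid, String iss, String aud, String sub, int expGap)
+throws JOSEException, NoSuchAlgorithmException, InvalidKeySpecException {
+
+byte[] keyData = decoder.decode(privateKeyPEM);
+EncodedKeySpec privKeySpec = new PKCS8EncodedKeySpec(keyData);
+KeyFactory kf = KeyFactory.getInstance("EC");
+PrivateKey privKey = kf.generatePrivate(privKeySpec);
+
+JWSSigner signer = new ECDSASigner(privKey, Curve.P_256);
+long now = System.currentTimeMillis();
+
+JWTClaimsSet claimsSet = new JWTClaimsSet.Builder()
+.issuer(iss)
+.issueTime(new Date(now))
+.expirationTime(new Date(now + expGap * 1000L))
+.audience(aud)
+.subject(sub)
+.build();
+
+SignedJWT signedJWT = new SignedJWT(
+new JWSHeader.Builder(JWSAlgorithm.ES256).keyID(kid).type(JOSEObjectType.JWT).build(),
+claimsSet);
+signedJWT.sign(signer);
+return signedJWT.serialize();
+
+}
+
+public static Map<String, Object> partialVerifyJWT(String jwt, String iss, String aud)
+throws ParseException, JOSEException {
+
+JWTClaimsSet claims = SignedJWT.parse(jwt).getJWTClaimsSet();
+
+//Apply some validations
+if (!iss.equals(claims.getIssuer())) throw new JOSEException("Unexpected issuer value in id_token");
+
+if (claims.getAudience().stream().filter(aud::equals).findFirst().isEmpty())
+throw new JOSEException("id_token does not contain the expected audience " + aud);
+
+long now = System.currentTimeMillis();
+if (Optional.ofNullable(claims.getExpirationTime()).map(Date::getTime).orElse(0L) < now)
+throw new JOSEException("Expired id_token");
+
+return claims.toJSONObject();
+
+}
+
+}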
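Review bot: `partialVerifyJWT` never checks the JWS signature — `SignedJWT.parse(jwt).getJWTClaimsSet()` only decodes the payload, and the method then compares `iss`, `aud` and `exp` — so it is safe only for an id_token received directly from the issuer's token endpoint over TLS (OpenID Connect Core §3.1.3.7 allows skipping signature validation in that case) and must never be applied to a token that arrived via the browser or any other party. That restriction should be stated on the method, e.g. `/** Checks iss, aud and exp only; the signature is NOT verified. Use solely on tokens obtained directly from the token endpoint over TLS. */`, since the name alone will not stop a future caller reusing it for a front-channel token. Separately, `mkES256SignedJWT` passes `privateKeyPEM` straight to `Base64.getDecoder()`, which rejects the `-----BEGIN PRIVATE KEY-----` armor and the line breaks of a real PEM file, so either the parameter is really the bare base64 PKCS#8 body (rename or document it as such) or strip the armor first: `String body = privateKeyPEM.replaceAll("-----[^-]+-----", "").replaceAll("\\s+", ""); byte[] keyData = decoder.decode(body);`. The `exp` check also allows no clock skew, which may be intended but is worth a one-line comment.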
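--- a/docs/script-catalog/agama/inboundID/apple/io.jans.inbound.Apple
+++ b/docs/script-catalog/agama/inboundID/apple/io.jans.inbound.Apple
@@ -0,0 +1,18 @@
+Flow io.jans.inbound.Apple
+Basepath ""
+Configs p
+
+issuer = "https://appleid.apple.com"
+//See https://developer.apple.com/documentation/sign_in_with_apple/generate_and_validate_tokens#create-the-client-secret
+p.clientSecret = Call io.jans.inbound.JwtUtil#mkES256SignedJWT p.key p.keyId p.teamId issuer p.clientId 60
+
+obj = Trigger io.jans.inbound.oauth2.AuthzCode p
+When obj.success is false
+Finish obj
+
+//See https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/verifying_a_user#verify-the-identity-token
+claims = Call io.jans.inbound.JwtUtil#partialVerifyJWT obj.data.id_token issuer p.clientId
+
+//Most claims don't carry profile data, e.g. iss, iat, exp, ...
+obj = { success: true, data: { sub: claims.sub, email: claims.email } }
+Finish obj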
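Review bot: The id_token is handed to `JwtUtil#partialVerifyJWT`, which does not verify the JWS signature; that is acceptable here only because `obj.data.id_token` comes straight back from Apple's token endpoint in the `Trigger io.jans.inbound.oauth2.AuthzCode p` exchange over TLS (OpenID Connect Core §3.1.3.7), and the call site should say so, e.g. `//Signature not checked: the token was received directly from Apple's token endpoint over TLS`. The `AuthzCode` sub-flow lives outside this file, so whether it validates `state` and binds a `nonce` into the request cannot be confirmed from this hunk; the referenced Apple page expects the `nonce` in the id_token to be checked when one was sent. Also, `p.key` is passed to `mkES256SignedJWT`, which base64-decodes it as-is, so the configured value must be the bare PKCS#8 body without PEM armor or line breaks — a note next to `Configs p` would save operators a confusing decode failure.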