Fix issue resolving Org Issuer keys URL

Added implementation from major-rev branch and a test Fixes: #26
okta · Dec 11, 2018 · 2884e60 · 2884e60
1 parent 5e1c585
commit 2884e60
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 9 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,3 @@
 target/
 *.iml
+.idea
diff --git a/verifier/src/main/java/com/okta/jwt/JwtHelper.java b/verifier/src/main/java/com/okta/jwt/JwtHelper.java
@@ -79,7 +79,7 @@ public JwtVerifier build() throws IOException {
         notEmpty(audience, "Audience cannot be empty");
 
         // Keys URI can be hard coded to avoid an extra call to the discovery endpoint
-        URL keysURI = URI.create(issuerUrl + "/v1/keys").toURL();
+        URL keysURI = URI.create(resolveKeysEndpoint(issuerUrl)).toURL();
 
         // Set up a JWT processor to parse the tokens and then check their signature
         // and validity time window (bounded by the "iat", "nbf" and "exp" claims)
@@ -121,4 +121,11 @@ private void notEmpty(String value, String message) {
             throw new IllegalArgumentException(message);
         }
     }
+
+    private static String resolveKeysEndpoint(String issuer) {
+    return  issuer.matches(".*/oauth2/.*")
+                ? issuer + "/v1/keys"
+                : issuer + "/oauth2/v1/keys";
+    }
+
 }
diff --git a/verifier/src/test/groovy/com/okta/jwt/JwtHelperTest.groovy b/verifier/src/test/groovy/com/okta/jwt/JwtHelperTest.groovy
@@ -42,13 +42,13 @@ class JwtHelperTest {
         }
 
         helper.setAudience(null)
-        helper.setIssuerUrl("https://example.com/issuer")
+        helper.setIssuerUrl("https://example.com/oauth2/issuer")
         expect(IllegalArgumentException) {
             helper.build()
         }
 
         helper.setAudience("my_audience")
-        helper.setIssuerUrl("https://example.com/issuer")
+        helper.setIssuerUrl("https://example.com/oauth2/issuer")
         JwtVerifier verifier = helper.build()
 
         assertThat(verifier, allOf(
@@ -63,8 +63,8 @@ class JwtHelperTest {
 
         assertThat(verifier.jwtProcessor.getJWTClaimsSetVerifier().audience, equalTo("my_audience"))
         assertThat(verifier.jwtProcessor.getJWTClaimsSetVerifier().clientId, equalTo("clientId"))
-        assertThat(verifier.jwtProcessor.getJWTClaimsSetVerifier().issuer, equalTo("https://example.com/issuer"))
-        assertThat(verifier.jwtProcessor.getJWSKeySelector().getJWKSource().getJWKSetURL().toString(), equalTo("https://example.com/issuer/v1/keys"))
+        assertThat(verifier.jwtProcessor.getJWTClaimsSetVerifier().issuer, equalTo("https://example.com/oauth2/issuer"))
+        assertThat(verifier.jwtProcessor.getJWSKeySelector().getJWKSource().getJWKSetURL().toString(), equalTo("https://example.com/oauth2/issuer/v1/keys"))
         assertConnectionTimeout(verifier, equalTo(1000))
         assertReadTimeout(verifier, equalTo(1000))
     }
@@ -73,17 +73,27 @@ class JwtHelperTest {
     void issuerTrailingSlashTest() {
         // the call to setIssuer() strips trailing slashes
         def helper = new JwtHelper()
-        helper.setIssuerUrl("https://example.com/issuer/")
+        helper.setIssuerUrl("https://example.com/oauth2/issuer/")
         JwtVerifier verifier = helper.build()
-        assertThat(verifier.jwtProcessor.getJWTClaimsSetVerifier().issuer, equalTo("https://example.com/issuer"))
-        assertThat(verifier.jwtProcessor.getJWSKeySelector().getJWKSource().getJWKSetURL().toString(), equalTo("https://example.com/issuer/v1/keys"))
+        assertThat(verifier.jwtProcessor.getJWTClaimsSetVerifier().issuer, equalTo("https://example.com/oauth2/issuer"))
+        assertThat(verifier.jwtProcessor.getJWSKeySelector().getJWKSource().getJWKSetURL().toString(), equalTo("https://example.com/oauth2/issuer/v1/keys"))
+    }
+
+    @Test
+    void testOrgIssuer() {
+        // the call to setIssuer() strips trailing slashes
+        def helper = new JwtHelper()
+        helper.setIssuerUrl("https://example.com")
+        JwtVerifier verifier = helper.build()
+        assertThat(verifier.jwtProcessor.getJWTClaimsSetVerifier().issuer, equalTo("https://example.com"))
+        assertThat(verifier.jwtProcessor.getJWSKeySelector().getJWKSource().getJWKSetURL().toString(), equalTo("https://example.com/oauth2/v1/keys"))
     }
 
     @Test
     void setTimeoutsTest() {
         def helper = new JwtHelper()
         helper.setAudience("my_audience")
-        helper.setIssuerUrl("https://example.com/issuer")
+        helper.setIssuerUrl("https://example.com/oauth2/issuer")
         helper.setConnectionTimeout(3000)
         helper.setReadTimeout(2500)
         JwtVerifier verifier = helper.build()