Skip to content

Set revocation token exception and configurable default values for connectTimeout, readTimeout jwks retriever #21

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
RafaelOm wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Set revocation token exception and configurable default values for connectTimeout, readTimeout jwks retriever #21

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
bc81bda
Add files via upload
RafaelOm Jul 18, 2022
514d1a3
Add files via upload
RafaelOm Jul 18, 2022
27df4c1
Update OAuthServiceImpl.java
RafaelOm Jul 18, 2022
ed97a2b
FIX ES_COMPARING_STRINGS_WITH_EQ
RafaelOm Mar 5, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 29 additions & 1 deletion src/main/java/org/seedstack/oauth/OAuthConfig.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@
public class OAuthConfig {
@NotNull
private ProviderConfig provider = new ProviderConfig();
private RetrieverConfig retriever = new RetrieverConfig();
@NotNull
private AlgorithmConfig algorithms = new AlgorithmConfig();
private URI discoveryDocument;
Expand Down Expand Up @@ -223,7 +224,15 @@ public OAuthConfig setDiscloseUnauthorizedReason(boolean discloseUnauthorizedRea
return this;
}

@Config("provider")
public RetrieverConfig getRetriever() {
return retriever;
}

public void setRetriever(RetrieverConfig retriever) {
this.retriever = retriever;
}

@Config("provider")
public static class ProviderConfig {
private URI authorization;
private URI token;
Expand Down Expand Up @@ -318,4 +327,23 @@ public AlgorithmConfig setPlainTokenAllowed(boolean plainTokenAllowed) {
return this;
}
}
@Config("retriever")
public static class RetrieverConfig {
private String connectTimeout;
private String readTimeout;
public String getConnectTimeout() {
return connectTimeout;
}
public void setConnectTimeout(String connectTimeout) {
this.connectTimeout = connectTimeout;
}
public String getReadTimeout() {
return readTimeout;
}
public void setReadTimeout(String readTimeout) {
this.readTimeout = readTimeout;
}


}
}
31 changes: 24 additions & 7 deletions src/main/java/org/seedstack/oauth/internal/OAuthServiceImpl.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@
import com.nimbusds.jose.proc.JWSKeySelector;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.util.DefaultResourceRetriever;
import com.nimbusds.jwt.*;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
Expand Down Expand Up @@ -178,14 +179,11 @@ private JWTClaimsSet validateJwtAccessToken(JWT accessToken, Algorithm algorithm

// Signing key selector
oauthProvider.getJwksEndpoint().ifPresent(jwksEndpoint -> {
try {
JWKSource<SecurityContext> keySource = new RemoteJWKSet<>(jwksEndpoint.toURL());
JWKSource<SecurityContext> keySource = getkeySource(jwksEndpoint);
JWSAlgorithm expectedAlg = JWSAlgorithm.parse(oauthConfig.algorithms().getAccessSigningAlgorithm());
JWSKeySelector<SecurityContext> keySelector = new JWSVerificationKeySelector<>(expectedAlg, keySource);
jwtProcessor.setJWSKeySelector(keySelector);
} catch (MalformedURLException e) {
throw new TokenValidationException("Invalid JWKS endpoint: " + e.getMessage());
}

});

// Claims verification
Expand Down Expand Up @@ -219,6 +217,24 @@ private JWTClaimsSet validateJwtAccessToken(JWT accessToken, Algorithm algorithm
throw new TokenValidationException("Unable to validate JWT access token: " + e.getMessage(), e);
}
}

private JWKSource<SecurityContext> getkeySource(URI jwksEndpoint){
try {
JWKSource<SecurityContext> keySource = new RemoteJWKSet<>(jwksEndpoint.toURL());
String connectTimeout =oauthConfig.getRetriever().getConnectTimeout();
String readTimeOut=oauthConfig.getRetriever().getReadTimeout();
if(connectTimeout!=null && ! connectTimeout.equals("") &&
readTimeOut!=null && ! readTimeOut.equals("")) {
DefaultResourceRetriever defaultResourceRetriever=
new DefaultResourceRetriever(Integer.parseInt(connectTimeout),
Integer.parseInt(readTimeOut));
keySource = new RemoteJWKSet<>(jwksEndpoint.toURL(),defaultResourceRetriever);
}
return keySource;
} catch (MalformedURLException e) {
throw new TokenValidationException("Invalid JWKS endpoint: " + e.getMessage());
}
}

private JWTClaimsSet validateOpaqueAccessToken(AccessToken accessToken) {
AccessTokenValidator accessTokenValidator = accessTokenValidatorProvider.get();
Expand Down Expand Up @@ -313,8 +329,9 @@ Optional<UserInfo> fetchUserInfo(String accessToken) {
if (userInfoResponse.indicatesSuccess()) {
return Optional.of(((UserInfoSuccessResponse) userInfoResponse).getUserInfo());
} else {
LOGGER.warn("Unable to fetch user info: {}", OAuthUtils.buildGenericError(((ErrorResponse) userInfoResponse)).getDescription());
return Optional.empty();
throw new TokenValidationException("Unable to validate the access token (HTTP status "
+ userInfoResponse.toErrorResponse().getErrorObject().getHTTPStatusCode() + "): " +
userInfoResponse.toErrorResponse().getErrorObject().getDescription());
}
}
return Optional.empty();
Expand Down