View Javadoc
1   /*
2    * Copyright (c) 2002-2015, Mairie de Paris
3    * All rights reserved.
4    *
5    * Redistribution and use in source and binary forms, with or without
6    * modification, are permitted provided that the following conditions
7    * are met:
8    *
9    *  1. Redistributions of source code must retain the above copyright notice
10   *     and the following disclaimer.
11   *
12   *  2. Redistributions in binary form must reproduce the above copyright notice
13   *     and the following disclaimer in the documentation and/or other materials
14   *     provided with the distribution.
15   *
16   *  3. Neither the name of 'Mairie de Paris' nor 'Lutece' nor the names of its
17   *     contributors may be used to endorse or promote products derived from
18   *     this software without specific prior written permission.
19   *
20   * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21   * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22   * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23   * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
24   * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25   * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26   * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27   * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28   * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29   * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30   * POSSIBILITY OF SUCH DAMAGE.
31   *
32   * License 1.0
33   */
34  package fr.paris.lutece.plugins.franceconnect.oidc.jwt;
35  
36  import fr.paris.lutece.plugins.franceconnect.oidc.AuthClientConf;
37  import fr.paris.lutece.plugins.franceconnect.oidc.AuthServerConf;
38  import fr.paris.lutece.plugins.franceconnect.oidc.IDToken;
39  import fr.paris.lutece.plugins.franceconnect.oidc.Token;
40  import fr.paris.lutece.plugins.franceconnect.web.Constants;
41  
42  import io.jsonwebtoken.Claims;
43  import io.jsonwebtoken.ExpiredJwtException;
44  import io.jsonwebtoken.Jwt;
45  import io.jsonwebtoken.JwtParser;
46  import io.jsonwebtoken.Jwts;
47  import io.jsonwebtoken.SignatureException;
48  
49  import org.apache.log4j.Logger;
50  
51  import java.io.UnsupportedEncodingException;
52  
53  
54  /**
55   * Jjwt JWTParser
56   */
57  public class JjwtJWTParser implements JWTParser
58  {
59      /**
60       * {@inheritDoc }
61       */
62      @Override
63      public void parseJWT( Token token, AuthClientConf clientConfig, AuthServerConf serverConfig, String strStoredNonce,
64          Logger logger ) throws TokenValidationException
65      {
66          String strCompactJwt = token.getIdTokenString(  );
67  
68          try
69          {
70              JwtParser parser = Jwts.parser(  );
71              parser.setSigningKey( clientConfig.getClientSecret(  ).getBytes( "UTF-8" ) );
72  
73              Jwt jwt = parser.parse( strCompactJwt );
74              Claims claims = (Claims) jwt.getBody(  );
75  
76              IDToken idToken = new IDToken(  );
77              idToken.setAudience( claims.getAudience(  ) );
78              idToken.setIssuer( claims.getIssuer(  ) );
79              idToken.setSubject( claims.getSubject(  ) );
80  
81              // Claims that should be verified
82              idToken.setNonce( getVerifiedNonce( claims, strStoredNonce ) );
83              idToken.setExpiration( getExpiration( claims ) );
84              idToken.setIssueAt( getIssueAt( claims ) );
85  
86              // Extra claims for FranceConnect
87              idToken.setIdProvider( (String) claims.get( Constants.CLAIM_IDP ) );
88              idToken.setAcr( (String) claims.get( Constants.CLAIM_ACR ) );
89  
90              logger.debug( "ID Token retrieved by JJWT parser implementation : " + idToken );
91  
92              token.setIdToken( idToken );
93          }
94          catch ( SignatureException ex )
95          {
96              throw new TokenValidationException( ex.getMessage(  ), ex );
97          }
98          catch ( ExpiredJwtException ex )
99          {
100             throw new TokenValidationException( ex.getMessage(  ), ex );
101         }
102         catch ( UnsupportedEncodingException ex )
103         {
104             throw new TokenValidationException( ex.getMessage(  ), ex );
105         }
106     }
107 
108     /**
109      * Retrieve and check the nonce
110      * @param claims Claims set
111      * @param strStoredNonce The stored nonce
112      * @return The verified nonce
113      * @throws TokenValidationException if the nonce is not valid
114      */
115     private String getVerifiedNonce( Claims claims, String strStoredNonce )
116         throws TokenValidationException
117     {
118         // Check nonce
119         String strNonce = (String) claims.get( Constants.CLAIM_NONCE );
120 
121         if ( strNonce == null )
122         {
123             throw new TokenValidationException( "The token doesn't contains the nonce info." );
124         }
125 
126         if ( !strNonce.equals( strStoredNonce ) )
127         {
128             throw new TokenValidationException( "The nonce info has not the value expected." );
129         }
130 
131         return strNonce;
132     }
133 
134     /**
135      * Retrieve the expiration date
136      * @param claims Claims set
137      * @return The expiration date
138      */
139     private String getExpiration( Claims claims )
140     {
141         long lExpiration = claims.getExpiration(  ).getTime(  );
142 
143         return String.valueOf( lExpiration / 1000L );
144     }
145 
146     /**
147      * Retrieve the issue at date
148      * @param claims Claims set
149      * @return The issue at date
150      */
151     private String getIssueAt( Claims claims )
152     {
153         long lIssueAt = claims.getIssuedAt(  ).getTime(  );
154 
155         return String.valueOf( lIssueAt / 1000L );
156     }
157 }