Package org.forgerock.oauth.resolvers
Class JWKOpenIdResolverImpl
- java.lang.Object
  - org.forgerock.oauth.resolvers.BaseOpenIdResolver
    - org.forgerock.oauth.resolvers.JWKOpenIdResolverImpl
- All Implemented Interfaces:
  GenericOpenIdResolver<SignedJwt>, OpenIdResolver
public class JWKOpenIdResolverImpl extends BaseOpenIdResolver
This class exists to allow OpenID Providers to supply or promote a JWK exposure point for their public keys. The exposed keys are converted according to the algorithm declared in each JWK and offered in a map keyed by keyId. The map of keys is loaded on construction and reloaded each time an OpenID token is passed to this resolver whose keyId is not present in the current map. Keys are therefore cached for as long as they are valid; as soon as a verification request names a key that is not cached, the current keys are discarded and the map is re-filled from the provider.
Field Summary
- Fields inherited from interface org.forgerock.oauth.resolvers.OpenIdResolver:
  CLIENT_SECRET_KEY, ISSUER_KEY, JWK, KEY_ALIAS_KEY, KEYSTORE_LOCATION_KEY, KEYSTORE_PASS_KEY, KEYSTORE_TYPE_KEY, WELL_KNOWN_CONFIGURATION

Constructor Summary
- JWKOpenIdResolverImpl(String issuer, JwksStore jwksStore)
  Constructs a JWKOpenIdResolverImpl.
- JWKOpenIdResolverImpl(BiPredicate<String,String> issuerComparator, String issuer, JwksStore jwksStore)
  Constructs a JWKOpenIdResolverImpl.
Method Summary
- void validateIdentity(SignedJwt idClaim)
  Validates the supplied Jwt against this OpenID Connect IdP.
- void verifySignature(SignedJwt idClaim)
  Verifies that the JWS was signed by the supplied key.
- Methods inherited from class org.forgerock.oauth.resolvers.BaseOpenIdResolver:
  getIssuer
- Methods inherited from class java.lang.Object:
  clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
- Methods inherited from interface org.forgerock.oauth.resolvers.OpenIdResolver:
  getExpectedJwtType
Constructor Detail

JWKOpenIdResolverImpl
public JWKOpenIdResolverImpl(String issuer, JwksStore jwksStore) throws FailedToLoadJWKException
Constructs a JWKOpenIdResolverImpl. Uses IssuerComparators.DEFAULT for comparing issuer values by exact string comparison.
- Parameters:
  issuer - The issuer (provider) of the OpenID Connect id token
  jwksStore - The JWKS store
- Throws:
  FailedToLoadJWKException - if there were issues resolving or parsing the JWK

JWKOpenIdResolverImpl
public JWKOpenIdResolverImpl(BiPredicate<String,String> issuerComparator, String issuer, JwksStore jwksStore) throws FailedToLoadJWKException
Constructs a JWKOpenIdResolverImpl.
- Parameters:
  issuerComparator - The comparator for comparing the incoming issuer value against the expected value.
  issuer - The issuer (provider) of the OpenID Connect id token
  jwksStore - The JWKS store
- Throws:
  FailedToLoadJWKException - if there were issues resolving or parsing the JWK
Method Detail

validateIdentity
public void validateIdentity(SignedJwt idClaim) throws OpenIdConnectVerificationException
Description copied from class: BaseOpenIdResolver
Validates the supplied Jwt against this OpenID Connect IdP.
- Specified by:
  validateIdentity in interface GenericOpenIdResolver<SignedJwt>
- Overrides:
  validateIdentity in class BaseOpenIdResolver
- Parameters:
  idClaim - The Jwt whose authenticity is to be tested
- Throws:
  OpenIdConnectVerificationException - If the Jwt cannot be verified

verifySignature
public void verifySignature(SignedJwt idClaim) throws InvalidSignatureException, FailedToLoadJWKException
Verifies that the JWS was signed by the supplied key. Throws an exception otherwise.
- Parameters:
  idClaim - The JWS to verify
- Throws:
  InvalidSignatureException - If the JWS supplied does not match the key for this resolver
  FailedToLoadJWKException - If the JWK supplied cannot be loaded from its remote location
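The cache-and-reload behaviour described in the class description, and the verifySignature contract above, as an added, self-contained example; this is not ForgeRock's code and does not use the JwksStore or SignedJwt types the real class takes. It assumes a hypothetical JwksSource interface in place of JwksStore, a minimal SignedToken record in place of a parsed JWS, and raw java.security RSA signatures in place of the library's JWS handling. One thing this example adds that the page does not describe is a minimum interval between reloads: without it, every token carrying an unknown keyId forces a fresh fetch of the provider's JWKS endpoint, so a stream of tokens with made-up keyIds turns the verifier into a request generator against the provider.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.util.HashMap;
import java.util.Map;

/** Hypothetical JWKS source; a real implementation would fetch and parse the provider's JWKS document. */
interface JwksSource {
    Map<String, PublicKey> fetch() throws Exception;
}

/** Minimal stand-in for a signed JWS: the header's kid, the signing input, and the signature bytes. */
record SignedToken(String kid, byte[] signingInput, byte[] signature) {}

public class JwkCachingVerifier {
    private final JwksSource source;
    private final long minReloadIntervalMillis;   // reload throttle: an addition, not on the page
    private Map<String, PublicKey> keysByKid;
    private long lastReload;

    JwkCachingVerifier(JwksSource source, long minReloadIntervalMillis) throws Exception {
        this.source = source;
        this.minReloadIntervalMillis = minReloadIntervalMillis;
        reload(); // keys are loaded on construction, as the class description states
    }

    private void reload() throws Exception {
        keysByKid = new HashMap<>(source.fetch()); // discard the current map and re-fill it
        lastReload = System.currentTimeMillis();
    }

    /** Returns true only if the signature verifies under the cached key named by the token's kid. */
    public boolean verifySignature(SignedToken token) throws Exception {
        PublicKey key = keysByKid.get(token.kid());
        if (key == null) {
            // Unknown kid: reload once, but only if the last reload is old enough, so a flood of
            // tokens with bogus kids cannot force one JWKS fetch per request.
            if (System.currentTimeMillis() - lastReload < minReloadIntervalMillis) {
                return false;
            }
            reload();
            key = keysByKid.get(token.kid());
            if (key == null) {
                return false; // still unknown after a fresh load: reject, do not guess a key
            }
        }
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(key);
        verifier.update(token.signingInput());
        return verifier.verify(token.signature());
    }

    int cachedKeyCount() {
        return keysByKid.size();
    }

    /** Constructed test signer standing in for the provider; not part of any library. */
    static SignedToken sign(String kid, String input, KeyPair kp) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(kp.getPrivate());
        byte[] in = input.getBytes(StandardCharsets.UTF_8);
        s.update(in);
        return new SignedToken(kid, in, s.sign());
    }

    // Demo: the provider rotates to a new key; the first token signed with it triggers a reload.
    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair k1 = gen.generateKeyPair();
        KeyPair k2 = gen.generateKeyPair();

        Map<String, PublicKey> published = new HashMap<>(); // constructed JWKS contents
        published.put("kid-1", k1.getPublic());
        JwkCachingVerifier v = new JwkCachingVerifier(() -> published, 0L);
        System.out.println("keys cached at construction: " + v.cachedKeyCount());

        published.put("kid-2", k2.getPublic()); // simulated rotation at the provider
        System.out.println("kid-2 verified after reload: "
                + v.verifySignature(sign("kid-2", "header.payload", k2)));
        System.out.println("unknown kid rejected: "
                + v.verifySignature(sign("kid-9", "header.payload", k2)));
        System.out.println("keys cached now: " + v.cachedKeyCount());
    }
}
```

With the interval set to 0 the demo reloads on every unknown kid, which is the behaviour the page describes; a deployment would set it to seconds or minutes so that a burst of unknown kids is answered from the cache with a rejection instead of a fetch, and a reload failure surfaces as an exception rather than a silently accepted token.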