Package org.forgerock.oauth.resolvers

Class JWKOpenIdResolverImpl

java.lang.Object

org.forgerock.oauth.resolvers.BaseOpenIdResolver

org.forgerock.oauth.resolvers.JWKOpenIdResolverImpl

All Implemented Interfaces:

GenericOpenIdResolver<SignedJwt>, OpenIdResolver

public class JWKOpenIdResolverImpl
extends BaseOpenIdResolver

This class exists to allow Open Id Providers to supply or promote a JWK exposure point for their public keys. We convert the exposed keys they provide according to the algorithm defined by their JWK and offer their keys in a map key'd on their keyId. The map of keys is loaded on construction, and reloaded each time an Open Id token is passed in to this resolver whose keyId does not exist within the list that we currently have. This means that we will cache the keys for as long as they are valid, and as soon as we receive a request to verify using a key which we don't have we discard our current keys and re-fill our map.

Field Summary

Fields inherited from interface org.forgerock.oauth.resolvers.OpenIdResolver

CLIENT_SECRET_KEY, ISSUER_KEY, JWK, KEY_ALIAS_KEY, KEYSTORE_LOCATION_KEY, KEYSTORE_PASS_KEY, KEYSTORE_TYPE_KEY, WELL_KNOWN_CONFIGURATION

Constructor Summary

Constructors

Constructor	Description
JWKOpenIdResolverImpl(String issuer, JwksStore jwksStore)	Constructs a JWKOpenIdResolverImpl.
JWKOpenIdResolverImpl(BiPredicate<String,String> issuerComparator, String issuer, JwksStore jwksStore)	Constructs a JWKOpenIdResolverImpl.

Method Summary

Modifier and Type	Method	Description
void	validateIdentity(SignedJwt idClaim)	Validates the supplied Jwt against this OpenId Connect Idp.
void	verifySignature(SignedJwt idClaim)	Verifies that the JWS was signed by the supplied key.

Methods inherited from class org.forgerock.oauth.resolvers.BaseOpenIdResolver

getIssuer

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.forgerock.oauth.resolvers.OpenIdResolver

getExpectedJwtType

Constructor Details

JWKOpenIdResolverImpl

public JWKOpenIdResolverImpl(String issuer,
 JwksStore jwksStore)
                      throws FailedToLoadJWKException

Constructs a JWKOpenIdResolverImpl. Uses IssuerComparators.DEFAULT for comparing issuer values by exact string comparison.

Parameters:

issuer - The issuer (provider) of the Open Id Connect id token

jwksStore - The jwks store

Throws:

FailedToLoadJWKException - if there were issues resolving or parsing the JWK

JWKOpenIdResolverImpl

public JWKOpenIdResolverImpl(BiPredicate<String,String> issuerComparator,
 String issuer,
 JwksStore jwksStore)
                      throws FailedToLoadJWKException

Constructs a JWKOpenIdResolverImpl.

Parameters:

issuerComparator - The comparator for comparing the incoming issuer value against the expected value.

issuer - The issuer (provider) of the Open Id Connect id token

jwksStore - The jwks store

Throws:

FailedToLoadJWKException - if there were issues resolving or parsing the JWK

Method Details

validateIdentity

public void validateIdentity(SignedJwt idClaim)
                      throws OpenIdConnectVerificationException

Description copied from class: BaseOpenIdResolver

Validates the supplied Jwt against this OpenId Connect Idp.

Specified by:

validateIdentity in interface GenericOpenIdResolver<SignedJwt>

Overrides:

validateIdentity in class BaseOpenIdResolver

Parameters:

idClaim - The Jwt to test is authenticated

Throws:

OpenIdConnectVerificationException - If the Jwt is unable to be verified

verifySignature

public void verifySignature(SignedJwt idClaim)
                     throws InvalidSignatureException,
FailedToLoadJWKException

Verifies that the JWS was signed by the supplied key. Throws an exception otherwise.

Parameters:

idClaim - The JWS to verify

Throws:

InvalidSignatureException - If the JWS supplied does not match the key for this resolver

FailedToLoadJWKException - If the JWK supplied cannot be loaded from its remote location