Package org.forgerock.oauth.resolvers

Class PublicKeyOpenIdResolverImpl

java.lang.Object

org.forgerock.oauth.resolvers.BaseOpenIdResolver

org.forgerock.oauth.resolvers.PublicKeyOpenIdResolverImpl

All Implemented Interfaces:

GenericOpenIdResolver<SignedJwt>, OpenIdResolver

public class PublicKeyOpenIdResolverImpl
extends BaseOpenIdResolver

This class exists to allow functionality for those Open ID Connect providers which supply their signatures through asymmetric key algorithms (e.g. RSA). In these cases we want to use a public key (usually retrieved from a Trust Store) to verify the signature.

Field Summary

Fields inherited from interface org.forgerock.oauth.resolvers.OpenIdResolver

CLIENT_SECRET_KEY, ISSUER_KEY, JWK, KEY_ALIAS_KEY, KEYSTORE_LOCATION_KEY, KEYSTORE_PASS_KEY, KEYSTORE_TYPE_KEY, WELL_KNOWN_CONFIGURATION

Constructor Summary

Constructors

Constructor	Description
PublicKeyOpenIdResolverImpl(String issuer, PublicKey key)	Constructor for PublicKeyOpenIdResolverImpl.
PublicKeyOpenIdResolverImpl(BiPredicate<String,String> issuerComparator, String issuer, PublicKey key)	Constructor for PublicKeyOpenIdResolverImpl.

Method Summary

Modifier and Type	Method	Description
void	validateIdentity(SignedJwt idClaim)	Validates the supplied Jwt against this OpenId Connect Idp.
void	verifySignature(SignedJwt idClaim)	Verifies that the JWS was signed by the corresponding private key to this public key.

Methods inherited from class org.forgerock.oauth.resolvers.BaseOpenIdResolver

getIssuer

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.forgerock.oauth.resolvers.OpenIdResolver

getExpectedJwtType

Constructor Details

PublicKeyOpenIdResolverImpl

public PublicKeyOpenIdResolverImpl(String issuer,
 PublicKey key)

Constructor for PublicKeyOpenIdResolverImpl. Uses IssuerComparators.DEFAULT for comparing issuer values by exact string comparison.

Parameters:

issuer - The issuer (provider) of the Open Id Connect id token

key - The public key, used to verify a private-key signed signature

PublicKeyOpenIdResolverImpl

public PublicKeyOpenIdResolverImpl(BiPredicate<String,String> issuerComparator,
 String issuer,
 PublicKey key)

Constructor for PublicKeyOpenIdResolverImpl.

Parameters:

issuerComparator - The comparator for comparing the incoming issuer value against the expected value.

issuer - The issuer (provider) of the Open Id Connect id token

key - The public key, used to verify a private-key signed signature

Method Details

validateIdentity

public void validateIdentity(SignedJwt idClaim)
                      throws OpenIdConnectVerificationException

Validates the supplied Jwt against this OpenId Connect Idp.

Specified by:

validateIdentity in interface GenericOpenIdResolver<SignedJwt>

Overrides:

validateIdentity in class BaseOpenIdResolver

Parameters:

idClaim - The Jwt to test is authenticated

Throws:

OpenIdConnectVerificationException - If the Jwt is unable to be verified

verifySignature

public void verifySignature(SignedJwt idClaim)
                     throws InvalidSignatureException

Verifies that the JWS was signed by the corresponding private key to this public key.

Parameters:

idClaim - The JWS to verify

Throws:

InvalidSignatureException - If the JWS supplied does not match the key for this resolver