org.forgerock.oauth.resolvers

Class JWKOpenIdResolverImpl

java.lang.Object

org.forgerock.oauth.resolvers.BaseOpenIdResolver

org.forgerock.oauth.resolvers.JWKOpenIdResolverImpl

All Implemented Interfaces:

OpenIdResolver

public class JWKOpenIdResolverImpl
extends BaseOpenIdResolver

This class exists to allow Open Id Providers to supply or promote a JWK exposure point for their public keys. We convert the exposed keys they provide according to the algorithm defined by their JWK and offer their keys in a map key'd on their keyId. The map of keys is loaded on construction, and reloaded each time an Open Id token is passed in to this resolver whose keyId does not exist within the list that we currently have. This means that we will cache the keys for as long as they are valid, and as soon as we receive a request to verify using a key which we don't have we discard our current keys and re-fill our map.

Field Summary

Fields inherited from interface org.forgerock.oauth.resolvers.OpenIdResolver

CLIENT_SECRET_KEY, ISSUER_KEY, JWK, KEY_ALIAS_KEY, KEYSTORE_LOCATION_KEY, KEYSTORE_PASS_KEY, KEYSTORE_TYPE_KEY, WELL_KNOWN_CONFIGURATION

Constructor Summary

Constructors

Constructor and Description
JWKOpenIdResolverImpl(String issuer, JwksStore jwksStore) Constructor using provided timeout values to generate the SimpleHTTPClient used for communicating over HTTP.

Method Summary

Modifier and Type	Method and Description
void	validateIdentity(SignedJwt idClaim) Validates the supplied Jwt against this OpenId Connect Idp.
void	verifySignature(SignedJwt idClaim) Verifies that the JWS was signed by the supplied key.

Methods inherited from class org.forgerock.oauth.resolvers.BaseOpenIdResolver

getIssuer

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

JWKOpenIdResolverImpl

public JWKOpenIdResolverImpl(String issuer,
                             JwksStore jwksStore)
                      throws FailedToLoadJWKException

Constructor using provided timeout values to generate the SimpleHTTPClient used for communicating over HTTP.

Parameters:

issuer - The issuer (provider) of the Open Id Connect id token

jwksStore - The jwks store

Throws:

FailedToLoadJWKException - if there were issues resolving or parsing the JWK

Method Detail

validateIdentity

public void validateIdentity(SignedJwt idClaim)
                      throws OpenIdConnectVerificationException

Description copied from class: BaseOpenIdResolver

Validates the supplied Jwt against this OpenId Connect Idp.

Specified by:

validateIdentity in interface OpenIdResolver

Overrides:

validateIdentity in class BaseOpenIdResolver

Parameters:

idClaim - The Jwt to test is authenticated from this issuer

Throws:

OpenIdConnectVerificationException - If the Jwt is unable to be verified

verifySignature

public void verifySignature(SignedJwt idClaim)
                     throws InvalidSignatureException,
                            FailedToLoadJWKException

Verifies that the JWS was signed by the supplied key. Throws an exception otherwise.

Parameters:

idClaim - The JWS to verify

Throws:

InvalidSignatureException - If the JWS supplied does not match the key for this resolver

FailedToLoadJWKException - If the JWK supplied cannot be loaded from its remote location