adb014 commented on code in PR #1198:
URL: https://github.com/apache/guacamole-client/pull/1198#discussion_r3062167479
##########
extensions/guacamole-auth-sso/modules/guacamole-auth-sso-openid/src/main/java/org/apache/guacamole/auth/openid/token/TokenValidationService.java:
##########
@@ -131,6 +138,119 @@ public JwtClaims validateToken(String token) throws
GuacamoleException {
return null;
}
+ /**
+ * Validates the given ID token, using code flow, returning the JwtClaims
+ * contained therein. If the ID token is invalid, null is returned.
+ *
+ * @param code
+ * The code to validate and receive the id_token.
+ *
+ * @param verifier
+ * A PKCE verifier or null if not used.
+ *
+ * @return
+ * The JWT claims contained within the given ID token if it passes
tests,
+ * or null if the token is not valid.
+ *
+ * @throws GuacamoleException
+ * If guacamole.properties could not be parsed.
+ */
+ public JwtClaims validateCode(String code, String verifier) throws
GuacamoleException {
+ // Validating the token requires a JWKS key resolver
+ HttpsJwks jwks = new
HttpsJwks(confService.getJWKSEndpoint().toString());
+ HttpsJwksVerificationKeyResolver resolver = new
HttpsJwksVerificationKeyResolver(jwks);
+
+ /* Exchange code → token */
+ String token = exchangeCode(code, verifier);
+
+ // Create JWT consumer for validating received token
+ JwtConsumer jwtConsumer = new JwtConsumerBuilder()
+ .setRequireExpirationTime()
+
.setMaxFutureValidityInMinutes(confService.getMaxTokenValidity())
+
.setAllowedClockSkewInSeconds(confService.getAllowedClockSkew())
+ .setRequireSubject()
+ .setExpectedIssuer(confService.getIssuer())
+ .setExpectedAudience(confService.getClientID())
+ .setVerificationKeyResolver(resolver)
+ .build();
+
+ try {
+ // Validate JWT
+ return jwtConsumer.processToClaims(token);
+ }
+ // Log any failures to validate/parse the JWT
+ catch (InvalidJwtException e) {
+ logger.info("Rejected invalid OpenID token: {}", e.getMessage(),
e);
+ }
+
+ return null;
+ }
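Review bot: the code-flow path in validateCode builds a JwtConsumer with the same issuer, audience, lifetime and key-resolver checks as validateToken but, after jwtConsumer.processToClaims(token), omits the nonce check that the existing method applies; an id_token obtained from the token endpoint still has to be checked against the nonce sent in the authorization request whenever one was sent (OpenID Connect Core 3.1.3.7, step 11), so either the code-flow authorization request must send no nonce at all or this method needs the same check. Rather than copying the builder chain, factor the JwtConsumer construction and claims processing into one private helper that both validateToken and validateCode call, with the nonce requirement passed as a parameter. The Javadoc `@throws GuacamoleException` only mentions guacamole.properties, yet `exchangeCode(code, verifier)` is invoked from this method and GuacamoleException is the only checked exception declared, so failures of the token-endpoint exchange surface through the same clause and should be documented there. Minor: the `/* Exchange code → token */` comment breaks with the `//` comment style used in the rest of the method, and the HttpsJwks/resolver are set up before the exchange is attempted, which is wasted work when the exchange fails.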
Review Comment:
There is a nonce in the existing method in the call to jwtConsumer. Treating
that with an if/then in the jwtConsumerBuilder seemed to mean I ended up making the
code sufficiently different that a new validateToken method was better. Pretty
much a matter of choice. OK, I'll dedup it.
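As an added example of the deduplication discussed in the comment above (an illustration written for this page, not code from the Guacamole project or from this PR): a single validateIdToken helper that both the implicit-flow and code-flow entry points call, with the nonce check controlled by a parameter instead of a second copy of the JwtConsumerBuilder chain. The Config, NonceService and CodeExchange interfaces are stand-ins for the real collaborators (confService, the nonce service, exchangeCode) and are assumptions, as is the decision to require a nonce on the code-flow path.

```java
import java.net.URI;

import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.GuacamoleSecurityException;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Added illustration, not the project's code: one validation path shared by
 * the implicit flow (id_token arrives directly) and the code flow (id_token
 * is fetched from the token endpoint). The nonce check is a parameter.
 */
public class SharedIdTokenValidator {

    private static final Logger logger = LoggerFactory.getLogger(SharedIdTokenValidator.class);

    /** Stand-in (assumed) for the configuration getters the PR hunk reads. */
    public interface Config {
        URI getJWKSEndpoint();
        int getMaxTokenValidity();
        int getAllowedClockSkew();
        String getIssuer();
        String getClientID();
    }

    /** Stand-in (assumed): true only for a nonce we issued and have not yet consumed. */
    public interface NonceService {
        boolean isValid(String nonce);
    }

    /** Stand-in (assumed) for the code/PKCE exchange against the token endpoint. */
    public interface CodeExchange {
        String exchangeCode(String code, String verifier) throws GuacamoleException;
    }

    private final Config confService;
    private final NonceService nonceService;
    private final CodeExchange exchange;

    public SharedIdTokenValidator(Config confService, NonceService nonceService, CodeExchange exchange) {
        this.confService = confService;
        this.nonceService = nonceService;
        this.exchange = exchange;
    }

    /** Implicit flow: the id_token itself was received; a nonce is mandatory. */
    public JwtClaims validateToken(String token) throws GuacamoleException {
        return validateIdToken(token, true);
    }

    /**
     * Code flow: exchange the code first, then apply exactly the same checks.
     * A nonce is required here too when the authorization request sent one;
     * this illustration assumes it always does.
     */
    public JwtClaims validateCode(String code, String verifier) throws GuacamoleException {
        String token = exchange.exchangeCode(code, verifier);
        return validateIdToken(token, true);
    }

    /** The single place where signature, issuer, audience, lifetime and nonce are checked. */
    private JwtClaims validateIdToken(String token, boolean requireNonce) throws GuacamoleException {

        // Signature verification keys come from the provider's JWKS endpoint
        HttpsJwks jwks = new HttpsJwks(confService.getJWKSEndpoint().toString());
        HttpsJwksVerificationKeyResolver resolver = new HttpsJwksVerificationKeyResolver(jwks);

        JwtConsumer jwtConsumer = new JwtConsumerBuilder()
                .setRequireExpirationTime()
                .setMaxFutureValidityInMinutes(confService.getMaxTokenValidity())
                .setAllowedClockSkewInSeconds(confService.getAllowedClockSkew())
                .setRequireSubject()
                .setExpectedIssuer(confService.getIssuer())
                .setExpectedAudience(confService.getClientID())
                .setVerificationKeyResolver(resolver)
                .build();

        try {
            JwtClaims claims = jwtConsumer.processToClaims(token);

            if (requireNonce) {
                String nonce = claims.getStringClaimValue("nonce");
                if (nonce == null)
                    throw new GuacamoleSecurityException("Rejected OpenID token without nonce.");
                // Consuming the nonce here is what stops the same token being accepted twice
                if (!nonceService.isValid(nonce))
                    throw new GuacamoleSecurityException("Rejected OpenID token with invalid/old nonce.");
            }

            return claims;
        }
        catch (InvalidJwtException | MalformedClaimException e) {
            // Parse/verification failures are logged and yield null; the security
            // exceptions above deliberately propagate instead of being swallowed
            logger.info("Rejected invalid OpenID token: {}", e.getMessage(), e);
        }

        return null;
    }
}
```

With the consumer built in one place, adding or tightening a claim check (for example a required `auth_time` or a stricter audience rule) applies to both flows at once, which is the property the duplicated method loses.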
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]