nxverma commented on a change in pull request #216: KNOX-2149 - 
JWTTokenProvider - JWT verification with OIDC provider by invoking JWKS 
verification url
URL: https://github.com/apache/knox/pull/216#discussion_r358900108
 
 

 ##########
 File path: 
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java
 ##########
 @@ -223,38 +239,60 @@ else if (t instanceof ServletException) {
       }
     }
   }
-
   protected Subject createSubjectFromToken(JWT token) {
-    final String principal = token.getSubject();
+    String principal = token.getSubject();
+    String claimvalue = null;
+    if (expectedPrincipalClaim != null) {
+      claimvalue = token.getClaim(expectedPrincipalClaim);
+    }
 
+    if (claimvalue != null) {
+      principal = claimvalue.toLowerCase(Locale.ROOT);
+    }
     @SuppressWarnings("rawtypes")
     HashSet emptySet = new HashSet();
     Set<Principal> principals = new HashSet<>();
     Principal p = new PrimaryPrincipal(principal);
     principals.add(p);
 
     // The newly constructed Sets check whether this Subject has been set 
read-only
-    // before permitting subsequent modifications. The newly created Sets also 
prevent
+    // before permitting subsequent modifications. The newly created Sets also
+    // prevent
     // illegal modifications by ensuring that callers have sufficient 
permissions.
     //
-    // To modify the Principals Set, the caller must have 
AuthPermission("modifyPrincipals").
-    // To modify the public credential Set, the caller must have 
AuthPermission("modifyPublicCredentials").
-    // To modify the private credential Set, the caller must have 
AuthPermission("modifyPrivateCredentials").
+    // To modify the Principals Set, the caller must have
+    // AuthPermission("modifyPrincipals").
+    // To modify the public credential Set, the caller must have
+    // AuthPermission("modifyPublicCredentials").
+    // To modify the private credential Set, the caller must have
+    // AuthPermission("modifyPrivateCredentials").
     return new Subject(true, principals, emptySet, emptySet);
   }
 
-  protected boolean validateToken(HttpServletRequest request, 
HttpServletResponse response,
-      FilterChain chain, JWT token)
-      throws IOException, ServletException {
+  protected boolean validateToken(HttpServletRequest request, 
HttpServletResponse response, FilterChain chain,
+      JWT token) throws IOException, ServletException {
     boolean verified = false;
+
     try {
-      if (publicKey == null) {
-        verified = authority.verifyToken(token);
-      }
-      else {
+      if (publicKey != null) {
         verified = authority.verifyToken(token, publicKey);
+      } else if (expectedJWKSUrl != null) {
+        JWSAlgorithm expectedJWSAlg = JWSAlgorithm.parse(expectedSigAlg);
+        JWKSource<SecurityContext> keySource = new RemoteJWKSet<>(new 
URL(expectedJWKSUrl));
+        JWSKeySelector<SecurityContext> keySelector = new 
JWSVerificationKeySelector<>(expectedJWSAlg, keySource);
+        // Create a JWT processor for the access tokens
+        ConfigurableJWTProcessor<SecurityContext> jwtProcessor = new 
DefaultJWTProcessor<>();
+        jwtProcessor.setJWSKeySelector(keySelector);
+        JWTClaimsSetVerifier<SecurityContext> claimsVerifier = new 
DefaultJWTClaimsVerifier<>();
+        jwtProcessor.setJWTClaimsSetVerifier(claimsVerifier);
+        // Process the token
+        SecurityContext ctx = null; // optional context parameter, not 
required here
+        jwtProcessor.process(token.toString(), ctx);
+        verified = true;
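Review bot: The JWKS branch accepts any token signed by a key published at expectedJWKSUrl, because the no-argument `DefaultJWTClaimsVerifier` only checks the time-based claims (exp/nbf) and never the issuer or audience, so a token issued by the same provider for a different client or tenant would pass verification. If the nimbus-jose-jwt version in use supports it, pass an exact-match claims set, e.g. `new DefaultJWTClaimsVerifier<>(new JWTClaimsSet.Builder().issuer(<configured issuer>).build(), null)`, and add the expected audience where one is configured. Building a new `RemoteJWKSet` and `DefaultJWTProcessor` on every request also discards the JWK cache, so each validation triggers an outbound fetch of the key set; constructing them once at filter init and reusing them would avoid both the per-request latency and the dependency on the provider being reachable for every call. `JWSAlgorithm.parse(expectedSigAlg)` appears to dereference its argument, so a missing expectedSigAlg likely surfaces as a NullPointerException rather than a configuration error — a guard or a documented default would be clearer. validateToken's try block and its catch clauses continue outside the hunk.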
 
 Review comment:
   it is fixed
