

/*
 * Copyright The Stargate Authors
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package io.stargate.auth.jwt;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.JWSKeySelector;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import io.stargate.auth.AuthenticationService;
import io.stargate.auth.AuthorizationService;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Hashtable;
import net.jcip.annotations.GuardedBy;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

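/**
 * OSGi activator for the JWT-based authentication/authorization provider.
 *
 * <p>When the {@code stargate.auth_id} system property selects this provider, {@link #start}
 * builds a JWT processor whose signing keys are fetched from the JWKS endpoint named by the
 * {@code stargate.auth.jwt_provider_url} system property, and registers an {@link
 * AuthenticationService} and an {@link AuthorizationService} with the framework. Otherwise the
 * activator is a no-op.
 *
 * <p>Thread-safety: {@link #start} and {@link #stop} are {@code synchronized}; the service fields
 * are guarded by {@code this}.
 */
public class AuthJWTServiceActivator implements BundleActivator {

  private static final Logger log = LoggerFactory.getLogger(AuthJWTServiceActivator.class);

  /** Value of the {@code stargate.auth_id} property that selects this provider. */
  public static final String AUTH_JWT_IDENTIFIER = "AuthJwtService";

  /** System property that selects which auth provider is active. */
  private static final String AUTH_ID_PROPERTY = "stargate.auth_id";

  /** System property holding the JWKS URL that signing keys are fetched from. */
  private static final String JWT_PROVIDER_URL_PROPERTY = "stargate.auth.jwt_provider_url";

  /** Signature algorithm tokens must carry; anything else is rejected by the key selector. */
  private static final JWSAlgorithm EXPECTED_JWS_ALGORITHM = JWSAlgorithm.RS256;

  // BundleContext.registerService takes a Dictionary, so Hashtable is the only JDK choice here.
  @SuppressWarnings("JdkObsolete")
  private static final Hashtable<String, Object> props = new Hashtable<>();

  static {
    props.put("AuthIdentifier", AUTH_JWT_IDENTIFIER);
  }

  @GuardedBy("this")
  private AuthnJwtService authnJwtService;

  @GuardedBy("this")
  private AuthzJwtService authzJwtService;

  /**
   * Registers the JWT authn/authz services if this provider is selected.
   *
   * @param context the bundle context to register services with
   * @throws RuntimeException if {@code stargate.auth.jwt_provider_url} is unset, empty, or not a
   *     well-formed URL
   */
  @Override
  public synchronized void start(BundleContext context) {
    if (!AUTH_JWT_IDENTIFIER.equals(System.getProperty(AUTH_ID_PROPERTY))) {
      return;
    }
    log.info("Registering authnJwtService and authzJwtService in AuthnJwtService");

    String urlProvider = System.getProperty(JWT_PROVIDER_URL_PROPERTY);
    if (urlProvider == null || urlProvider.isEmpty()) {
      throw new RuntimeException("Property `stargate.auth.jwt_provider_url` must be set");
    }

    // Pull the public RSA keys from the provided well-known URL to validate the JWT signature.
    // NOTE(review): the scheme is not restricted here; a non-https JWKS URL would fetch the
    // trust anchors unauthenticated — confirm deployment config only ever supplies https.
    JWKSource<SecurityContext> keySource;
    try {
      // by default this will cache the JWK for 15 minutes
      keySource = new RemoteJWKSet<>(new URL(urlProvider));
    } catch (MalformedURLException e) {
      log.error("Failed to create JwtValidator", e);
      throw new RuntimeException("Failed to create JwtValidator: " + e.getMessage(), e);
    }

    // Pinning the algorithm prevents tokens from selecting a weaker or "none" alg.
    JWSKeySelector<SecurityContext> keySelector =
        new JWSVerificationKeySelector<>(EXPECTED_JWS_ALGORITHM, keySource);

    // NOTE(review): no claims verifier is set, so the processor's default applies (presumably
    // exp/nbf only); issuer/audience are not checked at this layer — confirm AuthnJwtService
    // covers that.
    ConfigurableJWTProcessor<SecurityContext> jwtProcessor = new DefaultJWTProcessor<>();
    jwtProcessor.setJWSKeySelector(keySelector);

    authnJwtService = new AuthnJwtService(jwtProcessor);
    context.registerService(AuthenticationService.class.getName(), authnJwtService, props);

    authzJwtService = new AuthzJwtService();
    context.registerService(AuthorizationService.class.getName(), authzJwtService, props);
  }

  /**
   * Releases the service references. The framework unregisters services this bundle registered
   * when it stops, so no explicit unregistration is done here.
   *
   * @param context the bundle context (unused)
   */
  @Override
  public synchronized void stop(BundleContext context) {
    authnJwtService = null;
    authzJwtService = null;
  }
}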



