package no.nav.brukerdialog.security.oidc.provider;

import no.nav.brukerdialog.security.domain.IdentType;
import no.nav.brukerdialog.security.domain.OidcCredential;
import no.nav.brukerdialog.security.jwks.CacheMissAction;
import no.nav.brukerdialog.security.jwks.JsonWebKeyCache;
import no.nav.brukerdialog.security.jwks.JwtHeader;
import no.nav.brukerdialog.security.oidc.OidcTokenValidator;
import no.nav.sbl.rest.RestUtils;
import no.nav.sbl.util.EnumUtils;

import javax.servlet.http.HttpServletRequest;
import java.security.Key;
import java.util.Optional;

import static no.nav.brukerdialog.security.jaspic.TokenLocator.getTokenFromHeader;
import static no.nav.brukerdialog.security.oidc.OidcTokenUtils.getStringFieldFromToken;
import static no.nav.sbl.util.StringUtils.assertNotNullOrEmpty;

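/**
 * {@link OidcProvider} backed by the OIDC discovery document of a Security Token Service.
 *
 * <p>Both the expected issuer and the JWKS location are read from the discovery response at
 * construction time, so the discovery endpoint is trusted as the source of both values. Refresh
 * tokens are not supported, and no audience is enforced (see {@link #getExpectedAudience(String)}).
 */
public class SecurityTokenServiceOidcProvider implements OidcProvider {

    private final String expectedIssuer;
    private final JsonWebKeyCache keyCache;

    /**
     * Fetches the discovery document once and initialises the issuer and the key cache from it.
     *
     * <p>Fails (via {@code assertNotNullOrEmpty}) if the document lacks a non-empty {@code issuer}
     * or {@code jwks_uri}, so a misconfigured STS is detected at startup rather than at the first
     * token verification.
     *
     * @param securityTokenServiceOidcProviderConfig holds the discovery URL to read
     */
    public SecurityTokenServiceOidcProvider(SecurityTokenServiceOidcProviderConfig securityTokenServiceOidcProviderConfig) {
        // One blocking HTTP round trip; the JSON response is mapped onto Configuration.
        Configuration configuration = RestUtils.withClient(
                c -> c.target(securityTokenServiceOidcProviderConfig.discoveryUrl).request().get(Configuration.class));
        this.expectedIssuer = assertNotNullOrEmpty(configuration.issuer);
        // The boolean flag's meaning is defined by JsonWebKeyCache and is not visible here.
        this.keyCache = new JsonWebKeyCache(assertNotNullOrEmpty(configuration.jwks_uri), true);
    }

    /**
     * Extracts the bearer token from the request header.
     *
     * @param httpServletRequest the incoming request
     * @return the raw token string, or empty when the header carries none
     */
    @Override
    public Optional<String> getToken(HttpServletRequest httpServletRequest) {
        return getTokenFromHeader(httpServletRequest);
    }

    /**
     * Refresh tokens are not supported by this provider.
     *
     * @param httpServletRequest ignored
     * @return always {@link Optional#empty()}
     */
    @Override
    public Optional<String> getRefreshToken(HttpServletRequest httpServletRequest) {
        return Optional.empty(); // not supported
    }

    /**
     * Refresh is not supported by this provider.
     *
     * @param refreshToken ignored
     * @param requestToken ignored
     * @return never returns normally
     * @throws IllegalStateException always
     */
    @Override
    public OidcCredential getFreshToken(String refreshToken, String requestToken) {
        throw new IllegalStateException("not supported");
    }

    /**
     * Looks up the key announced in the JWT header from the JWKS cache.
     *
     * @param header the parsed JOSE header of the token being verified
     * @param cacheMissAction what the cache should do when the key id is unknown
     * @return the matching verification key, or empty when the cache cannot resolve it
     */
    @Override
    public Optional<Key> getVerificationKey(JwtHeader header, CacheMissAction cacheMissAction) {
        return keyCache.getVerificationKey(header, cacheMissAction);
    }

    /**
     * @return the {@code issuer} value taken from the discovery document
     */
    @Override
    public String getExpectedIssuer() {
        return expectedIssuer;
    }

    /**
     * Returns {@code null}, which (per the original intent) means any or no audience is accepted
     * when validating internal oidc tokens. Consequently a token from the expected issuer with a
     * valid signature is presumably accepted regardless of which client it was issued for; keep
     * this in mind when reusing this provider outside internal STS tokens.
     *
     * @param token ignored
     * @return always {@code null}
     */
    @Override
    public String getExpectedAudience(String token) {
        return null;  // We intentionally expect any or no audience when validating internal oidc tokens
    }

    /**
     * Maps the {@code identType} claim of the token to an {@link IdentType}.
     *
     * <p>The claim is read as-is; signature and issuer validation are assumed to happen elsewhere
     * (e.g. in {@link OidcTokenValidator}) before this value is relied on.
     *
     * @param token the raw token to read the claim from
     * @return the parsed ident type
     * @throws IllegalStateException when the claim is absent or not a known {@link IdentType}
     */
    @Override
    public IdentType getIdentType(String token) {
        String identType = getStringFieldFromToken(token, "identType");
        return EnumUtils.valueOf(IdentType.class, identType)
                .orElseThrow(() -> new IllegalStateException("invalid identType: " + identType));
    }

    /**
     * Subset of the OIDC discovery document this provider needs. Field names match the JSON
     * property names (hence {@code jwks_uri}) and are presumably populated by the REST client's
     * mapper, which is why they appear unused to the compiler.
     */
    @SuppressWarnings("unused")
    private static class Configuration {
        private String issuer;
        private String jwks_uri;
    }

}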



