
Commit 7f956a5

authored
Merge pull request mitreid-connect#1355 from ocadotechnology/jwt_fix
Throw an exception on all JWT types other than SignedJWT
2 parents fcb119f + 37fba62 commit 7f956a5


2 files changed

+462
-45
lines changed


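--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JWTBearerAuthenticationProvider.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JWTBearerAuthenticationProvider.java
@@ -91,57 +91,60 @@ public Authentication authenticate(Authentication authentication) throws Authent
 JWT jwt = jwtAuth.getJwt();
 JWTClaimsSet jwtClaims = jwt.getJWTClaimsSet();
 
+if (!(jwt instanceof SignedJWT)) {
+throw new AuthenticationServiceException("Unsupported JWT type: " + jwt.getClass().getName());
+}
+
 // check the signature with nimbus
-if (jwt instanceof SignedJWT) {
-SignedJWT jws = (SignedJWT)jwt;
+SignedJWT jws = (SignedJWT) jwt;
+
+JWSAlgorithm alg = jws.getHeader().getAlgorithm();
+
+if (client.getTokenEndpointAuthSigningAlg() != null &&
+!client.getTokenEndpointAuthSigningAlg().equals(alg)) {
+throw new AuthenticationServiceException("Client's registered token endpoint signing algorithm (" + client.getTokenEndpointAuthSigningAlg()
++ ") does not match token's actual algorithm (" + alg.getName() + ")");
+}
+
+if (client.getTokenEndpointAuthMethod() == null ||
+client.getTokenEndpointAuthMethod().equals(AuthMethod.NONE) ||
+client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_BASIC) ||
+client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_POST)) {
+
+// this client doesn't support this type of authentication
+throw new AuthenticationServiceException("Client does not support this authentication method.");
+
+} else if ((client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY) &&
+(alg.equals(JWSAlgorithm.RS256)
+|| alg.equals(JWSAlgorithm.RS384)
+|| alg.equals(JWSAlgorithm.RS512)
+|| alg.equals(JWSAlgorithm.ES256)
+|| alg.equals(JWSAlgorithm.ES384)
+|| alg.equals(JWSAlgorithm.ES512)
+|| alg.equals(JWSAlgorithm.PS256)
+|| alg.equals(JWSAlgorithm.PS384)
+|| alg.equals(JWSAlgorithm.PS512)))
+|| (client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT) &&
+(alg.equals(JWSAlgorithm.HS256)
+|| alg.equals(JWSAlgorithm.HS384)
+|| alg.equals(JWSAlgorithm.HS512)))) {
+
+// double-check the method is asymmetrical if we're in HEART mode
+if (config.isHeartMode() && !client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY)) {
+throw new AuthenticationServiceException("[HEART mode] Invalid authentication method");
+}
 
-JWSAlgorithm alg = jws.getHeader().getAlgorithm();
+JWTSigningAndValidationService validator = validators.getValidator(client, alg);
 
-if (client.getTokenEndpointAuthSigningAlg() != null &&
-!client.getTokenEndpointAuthSigningAlg().equals(alg)) {
-throw new InvalidClientException("Client's registered request object signing algorithm (" + client.getRequestObjectSigningAlg() + ") does not match request object's actual algorithm (" + alg.getName() + ")");
+if (validator == null) {
+throw new AuthenticationServiceException("Unable to create signature validator for client " + client + " and algorithm " + alg);
 }
 
-if (client.getTokenEndpointAuthMethod() == null ||
-client.getTokenEndpointAuthMethod().equals(AuthMethod.NONE) ||
-client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_BASIC) ||
-client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_POST)) {
-
-// this client doesn't support this type of authentication
-throw new AuthenticationServiceException("Client does not support this authentication method.");
-
-} else if ((client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY) &&
-(alg.equals(JWSAlgorithm.RS256)
-|| alg.equals(JWSAlgorithm.RS384)
-|| alg.equals(JWSAlgorithm.RS512)
-|| alg.equals(JWSAlgorithm.ES256)
-|| alg.equals(JWSAlgorithm.ES384)
-|| alg.equals(JWSAlgorithm.ES512)
-|| alg.equals(JWSAlgorithm.PS256)
-|| alg.equals(JWSAlgorithm.PS384)
-|| alg.equals(JWSAlgorithm.PS512)))
-|| (client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT) &&
-(alg.equals(JWSAlgorithm.HS256)
-|| alg.equals(JWSAlgorithm.HS384)
-|| alg.equals(JWSAlgorithm.HS512)))) {
-
-// double-check the method is asymmetrical if we're in HEART mode
-if (config.isHeartMode() && !client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY)) {
-throw new AuthenticationServiceException("[HEART mode] Invalid authentication method");
-}
-
-JWTSigningAndValidationService validator = validators.getValidator(client, alg);
-
-if (validator == null) {
-throw new AuthenticationServiceException("Unable to create signature validator for client " + client + " and algorithm " + alg);
-}
-
-if (!validator.validateSignature(jws)) {
-throw new AuthenticationServiceException("Signature did not validate for presented JWT authentication.");
-}
-} else {
-throw new AuthenticationServiceException("Unable to create signature validator for method " + client.getTokenEndpointAuthMethod() + " and algorithm " + alg);
+if (!validator.validateSignature(jws)) {
+throw new AuthenticationServiceException("Signature did not validate for presented JWT authentication.");
 }
+} else {
+throw new AuthenticationServiceException("Unable to create signature validator for method " + client.getTokenEndpointAuthMethod() + " and algorithm " + alg);
 }
 
 // check the issuer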
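Review bot: The new `instanceof SignedJWT` guard at new line 94 still sits below `JWTClaimsSet jwtClaims = jwt.getJWTClaimsSet();` on line 92, so a plain or encrypted token is handed to the claims parser before it is rejected; moving the three guard lines above the claims-set call rejects unsupported types before any of their content is read. Separately, the message on new line 140 concatenates the client object itself (`"... for client " + client + ...`); unless the client entity's toString is known to omit registration secrets, that string can surface them in logs, so prefer `"Unable to create signature validator for client " + client.getClientId() + " and algorithm " + alg`. The long `alg.equals(...)` chains on lines 118–130 would read more clearly as membership in a `static final Set<JWSAlgorithm>` per auth method, though that code is carried over rather than introduced here. authenticate's body starts before and continues after this hunk.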
