下面列出了怎么用io.jsonwebtoken.SigningKeyResolver的API类实例代码及写法,或者点击链接到github查看源代码。
public static LineIdToken parse(final String idTokenStr, final SigningKeyResolver signingKeyResolver)
throws Exception {
if (TextUtils.isEmpty(idTokenStr)) {
return null;
}
try {
final Claims claims = Jwts.parser()
.setAllowedClockSkewSeconds(ALLOWED_CLOCK_SKEW_SECONDS)
.setSigningKeyResolver(signingKeyResolver)
.parseClaimsJws(idTokenStr)
.getBody();
return buildIdToken(idTokenStr, claims);
} catch (final Exception e) {
Log.e(TAG, "failed to parse IdToken: " + idTokenStr, e);
throw e;
}
}
DefaultJwtParser(SigningKeyResolver signingKeyResolver,
Key key,
byte[] keyBytes,
Clock clock,
long allowedClockSkewMillis,
Claims expectedClaims,
Decoder<String, byte[]> base64UrlDecoder,
Deserializer<Map<String, ?>> deserializer,
CompressionCodecResolver compressionCodecResolver) {
this.signingKeyResolver = signingKeyResolver;
this.key = key;
this.keyBytes = keyBytes;
this.clock = clock;
this.allowedClockSkewMillis = allowedClockSkewMillis;
this.expectedClaims = expectedClaims;
this.base64UrlDecoder = base64UrlDecoder;
this.deserializer = deserializer;
this.compressionCodecResolver = compressionCodecResolver;
}
/**
* Create parser for DefaultOAuthJwtAccessToken
* @param keyStore key store get the JWT public keys
* @param jwksUrl JWKS URL to download the JWT public keys
* @throws IllegalArgumentException key store or JWKS error
*/
public DefaultOAuthJwtAccessTokenParser(KeyStore keyStore, String jwksUrl) throws IllegalArgumentException {
if (keyStore == null) {
throw new IllegalArgumentException("DefaultOAuthJwtAccessTokenParser: keyStore is null");
}
SigningKeyResolver signingKeyResolver = new KeyStoreJwkKeyResolver(keyStore, jwksUrl, null);
this.parser = Jwts.parserBuilder()
.setSigningKeyResolver(signingKeyResolver)
.setAllowedClockSkewSeconds(ALLOWED_CLOCK_SKEW_SECONDS)
.build();
}
@Override
public JwtParser setSigningKeyResolver(SigningKeyResolver signingKeyResolver) {
Assert.notNull(signingKeyResolver, "SigningKeyResolver cannot be null.");
this.signingKeyResolver = signingKeyResolver;
return this;
}
@Bean
@ConditionalOnMissingBean(name = "juiserForwardedUserJwtSigningKeyResolver")
public SigningKeyResolver juiserForwardedUserJwtSigningKeyResolver() {
return this.signingKeyResolver;
}
@Bean
@ConditionalOnMissingBean(name = "juiserForwardedUserJwsClaimsExtractor")
public Function<String, Claims> juiserForwardedUserJwsClaimsExtractor() {
final JwtConfig jwt = forwardedHeaderConfig.getJwt();
final JwkConfig jwk = jwt.getKey();
boolean keyEnabled = jwt.isEnabled() && jwk.isEnabled();
Key key = null;
if (keyEnabled) {
ResourceLoader resourceLoader = new SpringResourceLoader(appCtx);
ConfigJwkResolver keyFactory = new ConfigJwkResolver(resourceLoader);
key = keyFactory.apply(jwk);
}
SigningKeyResolver resolver = juiserForwardedUserJwtSigningKeyResolver();
if (keyEnabled && key == null && resolver == null) {
String msg = "JWT signature validation is enabled, but no SigningKeyResolver or default/fallback key has " +
"been configured.";
throw new IllegalArgumentException(msg);
}
JwsClaimsExtractor extractor;
if (resolver != null) {
if (key != null) {
resolver = new FallbackSigningKeyResolver(resolver, key);
}
extractor = new JwsClaimsExtractor(resolver);
} else {
if (key != null) {
extractor = new JwsClaimsExtractor(key);
} else {
extractor = new JwsClaimsExtractor();
}
}
Long allowedClockSkewSeconds = jwt.getAllowedClockSkewSeconds();
extractor.setAllowedClockSkewSeconds(allowedClockSkewSeconds);
return extractor;
}
public JwsClaimsExtractor(SigningKeyResolver signingKeyResolver) {
Assert.notNull(signingKeyResolver, "signingKeyResolver argument cannot be null.");
this.signingKeyResolver = signingKeyResolver;
this.signingKeyBytes = null;
this.signingKey = null;
}
public FallbackSigningKeyResolver(SigningKeyResolver delegate, Key fallbackKey) {
Assert.notNull(delegate, "SigningKeyResolver argument cannot be null.");
Assert.notNull(fallbackKey, "fallbackKey argument cannot be null.");
this.delegate = delegate;
this.fallbackKey = fallbackKey;
}
@Test
public void testResolveSigningKey() throws Exception {
// mocks
KeyStore keyStoreMock = Mockito.spy(baseKeyStore);
SigningKeyResolver jwksResolverMock = Mockito.spy(basejwksResolver);
// instance
KeyStoreJwkKeyResolver resolver = new KeyStoreJwkKeyResolver(null, "file:///", null);
Field keyStoreField = resolver.getClass().getDeclaredField("keyStore");
keyStoreField.setAccessible(true);
Field providerField = resolver.getClass().getDeclaredField("jwksResolver");
providerField.setAccessible(true);
providerField.set(resolver, jwksResolverMock);
// args
DefaultJwsHeader jwsHeader = new DefaultJwsHeader();
DefaultClaims claims = new DefaultClaims();
// 1. null key store, find in JWKS
PublicKey pk11 = Mockito.spy(basePublicKey);
Mockito.when(jwksResolverMock.resolveSigningKey(jwsHeader, claims)).thenReturn(pk11);
jwsHeader.setKeyId("11");
claims.setIssuer(null);
assertSame(resolver.resolveSigningKey(jwsHeader, claims), pk11);
// set key store mock
keyStoreField.set(resolver, keyStoreMock);
// 2. invalid issuer, find in JWKS
PublicKey pk21 = Mockito.spy(basePublicKey);
Mockito.when(jwksResolverMock.resolveSigningKey(jwsHeader, claims)).thenReturn(pk21);
jwsHeader.setKeyId("21");
claims.setIssuer(null);
assertSame(resolver.resolveSigningKey(jwsHeader, claims), pk21);
PublicKey pk22 = Mockito.spy(basePublicKey);
Mockito.when(jwksResolverMock.resolveSigningKey(jwsHeader, claims)).thenReturn(pk22);
jwsHeader.setKeyId("22");
claims.setIssuer("");
assertSame(resolver.resolveSigningKey(jwsHeader, claims), pk22);
PublicKey pk23 = Mockito.spy(basePublicKey);
Mockito.when(jwksResolverMock.resolveSigningKey(jwsHeader, claims)).thenReturn(pk23);
jwsHeader.setKeyId("23");
claims.setIssuer("domain23-----service23");
assertSame(resolver.resolveSigningKey(jwsHeader, claims), pk23);
// 2. invalid domain, find in JWKS
PublicKey pk24 = Mockito.spy(basePublicKey);
Mockito.when(jwksResolverMock.resolveSigningKey(jwsHeader, claims)).thenReturn(pk24);
jwsHeader.setKeyId("24");
claims.setIssuer("domain24.service24");
assertSame(resolver.resolveSigningKey(jwsHeader, claims), pk24);
// 3. found in key store, skip JWKS
PublicKey pk31 = null;
try (PemReader reader = new PemReader(new FileReader(this.classLoader.getResource("jwt_public.key").getFile()))) {
pk31 = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(reader.readPemObject().getContent()));
}
Mockito.when(jwksResolverMock.resolveSigningKey(jwsHeader, claims)).thenReturn(pk31);
Mockito.when(keyStoreMock.getPublicKey("sys.auth", "service31", "31")).thenReturn("-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAy3c3TEePZZPaxqNU2xV4\nortsXrw1EXTNQj2QUgL8UOPaQS0lbHJtD1cbcCFnzfXRXTOGqh8l+XWTRIOlt4yU\n+mEhgR0/JKILTPwmS0fj3D1PT6IjZShuNyd4USVdcjfCRBRb9ExIptJyeTTUu0Uu\njWNEcGOWAkUZcsonmiEz7bIMVkGy5uYnWGbsKP51Zf/PFMb96RcHeE0ZUitIB4YK\n1bgHLyAEBJIka5mRC/jWq/mlq3jiP5RaVWbzQiJbrjuYWd1Vps/xnrABx6/4Ft/M\n0AnSQN0SYjc/nWT1yGPpCwtWmWUU5NNHd+w6TdgOjdu00wownwblovtEYED+rncb\n913qfBM98kNHyj357BSzlvhiwEH5Ayo9DTnx1j9HuJGZXzymVypuQXLu/tkHMEt+\nc4kytKJNi6MLiauy9xtXGLXgOvZUM8V0Z27Z6CTfCzWZ0nwnEWDdH+NJyusL6pJg\nEGUBh6E9fdJInV7YOCF+P9/19imPHrZ0blTXK1TDfKS/pCLOXO/OmmH+p+UxQ77O\npeP5wlt5Jem0ErSisl/Qxhh1OtJcLwFdA7uC7rOTMrSEGLO++5+CatsXj7BEK2l+\n3As8fJEkoWXd1+4KOUMfV/fnT/z6U8+bcsYn0nvWPl8XuMbwNWjqHYgqhl1RLA7M\n17HCydWCF50HI2XojtGgRN0CAwEAAQ==\n-----END PUBLIC KEY-----\n");
jwsHeader.setKeyId("31");
claims.setIssuer("sys.auth.service31");
assertEquals(resolver.resolveSigningKey(jwsHeader, claims), pk31);
// 3. NOT found in key store, find in JWKS
PublicKey pk32 = Mockito.spy(basePublicKey);
Mockito.when(jwksResolverMock.resolveSigningKey(jwsHeader, claims)).thenReturn(pk32);
Mockito.when(keyStoreMock.getPublicKey("sys.auth", "service32", "32")).thenReturn(null);
jwsHeader.setKeyId("32");
claims.setIssuer("sys.auth.service32");
assertSame(resolver.resolveSigningKey(jwsHeader, claims), pk32);
// 3. found in key store but public key invalid, find in JWKS
PublicKey pk33 = Mockito.spy(basePublicKey);
Mockito.when(jwksResolverMock.resolveSigningKey(jwsHeader, claims)).thenReturn(pk33);
Mockito.when(keyStoreMock.getPublicKey("sys.auth", "service33", "33")).thenReturn("");
jwsHeader.setKeyId("33");
claims.setIssuer("sys.auth.service33");
assertSame(resolver.resolveSigningKey(jwsHeader, claims), pk33);
PublicKey pk34 = Mockito.spy(basePublicKey);
Mockito.when(jwksResolverMock.resolveSigningKey(jwsHeader, claims)).thenReturn(pk34);
Mockito.when(keyStoreMock.getPublicKey("sys.auth", "service34", "34")).thenReturn("-----BEGIN PUBLIC KEY-----\ninvalid\n-----END PUBLIC KEY-----\n");
jwsHeader.setKeyId("34");
claims.setIssuer("sys.auth.service34");
assertSame(resolver.resolveSigningKey(jwsHeader, claims), pk34);
// 4. both NOT found
jwsHeader.setKeyId("41");
claims.setIssuer("sys.auth.service41");
Mockito.when(jwksResolverMock.resolveSigningKey(jwsHeader, claims)).thenReturn(null);
Mockito.when(keyStoreMock.getPublicKey("sys.auth", "service41", "41")).thenReturn(null);
assertNull(resolver.resolveSigningKey(jwsHeader, claims));
// 5. skip, empty key ID
jwsHeader.setKeyId(null);
claims.setIssuer(null);
assertNull(resolver.resolveSigningKey(jwsHeader, claims));
jwsHeader.setKeyId("");
claims.setIssuer(null);
assertNull(resolver.resolveSigningKey(jwsHeader, claims));
}
@Override
public JwtParser setSigningKeyResolver(SigningKeyResolver signingKeyResolver) {
throw doNotMutate();
}
@Override
public JwtParser setSigningKeyResolver(SigningKeyResolver signingKeyResolver) {
Assert.notNull(signingKeyResolver, "SigningKeyResolver cannot be null.");
this.signingKeyResolver = signingKeyResolver;
return this;
}
@Override
public JwtParserBuilder setSigningKeyResolver(SigningKeyResolver signingKeyResolver) {
Assert.notNull(signingKeyResolver, "SigningKeyResolver cannot be null.");
this.signingKeyResolver = signingKeyResolver;
return this;
}
public SigningKeyResolver getSigningKeyResolver() {
return signingKeyResolver;
}