From ac38232a9ec16ceaeee22ccc9c2efee584876ae7 Mon Sep 17 00:00:00 2001 From: Joe Grandja Date: Tue, 11 Jun 2019 16:11:48 -0400 Subject: [PATCH] ID Token validation uses JwtTimestampValidator Fixes gh-6964 --- .../DefaultOidcIdTokenValidatorFactory.java | 38 +++++++++++++++++++ .../OidcIdTokenDecoderFactory.java | 5 ++- .../ReactiveOidcIdTokenDecoderFactory.java | 5 ++- 3 files changed, 44 insertions(+), 4 deletions(-) create mode 100644 oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/DefaultOidcIdTokenValidatorFactory.java diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/DefaultOidcIdTokenValidatorFactory.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/DefaultOidcIdTokenValidatorFactory.java new file mode 100644 index 0000000000..70c5a6749c --- /dev/null +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/DefaultOidcIdTokenValidatorFactory.java @@ -0,0 +1,38 @@ +/* + * Copyright 2002-2019 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.springframework.security.oauth2.client.oidc.authentication; + +import org.springframework.security.oauth2.client.registration.ClientRegistration; +import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator; +import org.springframework.security.oauth2.core.OAuth2TokenValidator; +import org.springframework.security.oauth2.jwt.Jwt; +import org.springframework.security.oauth2.jwt.JwtTimestampValidator; + +import java.util.function.Function; + +/** + * + * @author Joe Grandja + * @since 5.2 + */ +class DefaultOidcIdTokenValidatorFactory implements Function> { + + @Override + public OAuth2TokenValidator apply(ClientRegistration clientRegistration) { + return new DelegatingOAuth2TokenValidator<>( + new JwtTimestampValidator(), new OidcIdTokenValidator(clientRegistration)); + } +} diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcIdTokenDecoderFactory.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcIdTokenDecoderFactory.java index 4ac42d2d79..c2f7b33039 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcIdTokenDecoderFactory.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcIdTokenDecoderFactory.java @@ -32,6 +32,7 @@ import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm; import org.springframework.security.oauth2.jwt.Jwt; import org.springframework.security.oauth2.jwt.JwtDecoder; import org.springframework.security.oauth2.jwt.JwtDecoderFactory; +import org.springframework.security.oauth2.jwt.JwtTimestampValidator; import org.springframework.security.oauth2.jwt.NimbusJwtDecoder; import org.springframework.util.Assert; import org.springframework.util.StringUtils; @@ -73,7 +74,7 @@ public final class OidcIdTokenDecoderFactory implements JwtDecoderFactory, Map> DEFAULT_CLAIM_TYPE_CONVERTER = new ClaimTypeConverter(createDefaultClaimTypeConverters()); private final Map jwtDecoders = new ConcurrentHashMap<>(); - private Function> jwtValidatorFactory = OidcIdTokenValidator::new; + private Function> jwtValidatorFactory = new DefaultOidcIdTokenValidatorFactory(); private Function jwsAlgorithmResolver = clientRegistration -> SignatureAlgorithm.RS256; private Function, Map>> claimTypeConverterFactory = clientRegistration -> DEFAULT_CLAIM_TYPE_CONVERTER; @@ -189,7 +190,7 @@ public final class OidcIdTokenDecoderFactory implements JwtDecoderFactory, Map> DEFAULT_CLAIM_TYPE_CONVERTER = new ClaimTypeConverter(createDefaultClaimTypeConverters()); private final Map jwtDecoders = new ConcurrentHashMap<>(); - private Function> jwtValidatorFactory = OidcIdTokenValidator::new; + private Function> jwtValidatorFactory = new DefaultOidcIdTokenValidatorFactory(); private Function jwsAlgorithmResolver = clientRegistration -> SignatureAlgorithm.RS256; private Function, Map>> claimTypeConverterFactory = clientRegistration -> DEFAULT_CLAIM_TYPE_CONVERTER; @@ -189,7 +190,7 @@ public final class ReactiveOidcIdTokenDecoderFactory implements ReactiveJwtDecod /** * Sets the factory that provides an {@link OAuth2TokenValidator}, which is used by the {@link ReactiveJwtDecoder}. - * The default is {@link OidcIdTokenValidator}. + * The default composes {@link JwtTimestampValidator} and {@link OidcIdTokenValidator}. * * @param jwtValidatorFactory the factory that provides an {@link OAuth2TokenValidator} */