org.springframework.security.oauth2.provider.token.store.jwk

Class JwkTokenStore

java.lang.Object

org.springframework.security.oauth2.provider.token.store.jwk.JwkTokenStore

All Implemented Interfaces:

TokenStore

public final class JwkTokenStore
extends Object
implements TokenStore

A TokenStore implementation that provides support for verifying the JSON Web Signature (JWS) for a JSON Web Token (JWT) using a JSON Web Key (JWK).

This TokenStore implementation is exclusively meant to be used by a Resource Server as it's sole responsibility is to decode a JWT and verify it's signature (JWS) using the corresponding JWK.

NOTE: There are a few operations defined by TokenStore that are not applicable for a Resource Server. In these cases, the method implementation will explicitly throw a JwkException reporting "This operation is not supported".

The unsupported operations are as follows:

• storeAccessToken(OAuth2AccessToken, OAuth2Authentication)
• removeAccessToken(OAuth2AccessToken)
• storeRefreshToken(OAuth2RefreshToken, OAuth2Authentication)
• readRefreshToken(String)
• readAuthenticationForRefreshToken(OAuth2RefreshToken)
• removeRefreshToken(OAuth2RefreshToken)
• removeAccessTokenUsingRefreshToken(OAuth2RefreshToken)
• getAccessToken(OAuth2Authentication)
• findTokensByClientIdAndUserName(String, String)
• findTokensByClientId(String)

This implementation delegates to an internal instance of a JwtTokenStore which uses a specialized extension of JwtAccessTokenConverter. This specialized JwtAccessTokenConverter is capable of fetching (and caching) the JWK Set (a set of JWKs) from the URL supplied to the constructor of this implementation.

The JwtAccessTokenConverter will verify the JWS in the following step sequence:

1. Extract the "kid" parameter from the JWT header.
2. Find the matching JWK with the corresponding "kid" attribute.
3. Obtain the SignatureVerifier associated with the JWK and verify the signature.

NOTE: The algorithms currently supported by this implementation are: RS256, RS384 and RS512.

Author:

Joe Grandja

See Also:

JwtTokenStore, JSON Web Key (JWK), JSON Web Token (JWT), JSON Web Signature (JWS)

Constructor Summary

Constructors

Constructor and Description
JwkTokenStore(List<String> jwkSetUrls) Creates a new instance using the provided URLs as the location for the JWK Sets.
JwkTokenStore(List<String> jwkSetUrls, AccessTokenConverter accessTokenConverter, JwtClaimsSetVerifier jwtClaimsSetVerifier) Creates a new instance using the provided URLs as the location for the JWK Sets and a custom AccessTokenConverter and JwtClaimsSetVerifier.
JwkTokenStore(String jwkSetUrl) Creates a new instance using the provided URL as the location for the JWK Set.
JwkTokenStore(String jwkSetUrl, AccessTokenConverter accessTokenConverter) Creates a new instance using the provided URL as the location for the JWK Set and a custom AccessTokenConverter.
JwkTokenStore(String jwkSetUrl, AccessTokenConverter accessTokenConverter, JwtClaimsSetVerifier jwtClaimsSetVerifier) Creates a new instance using the provided URL as the location for the JWK Set and a custom AccessTokenConverter and JwtClaimsSetVerifier.
JwkTokenStore(String jwkSetUrl, JwtClaimsSetVerifier jwtClaimsSetVerifier) Creates a new instance using the provided URL as the location for the JWK Set and a custom JwtClaimsSetVerifier.

Method Summary

Modifier and Type	Method and Description
Collection<OAuth2AccessToken>	findTokensByClientId(String clientId) This operation is not applicable for a Resource Server and if called, will throw a JwkException.
Collection<OAuth2AccessToken>	findTokensByClientIdAndUserName(String clientId, String userName) This operation is not applicable for a Resource Server and if called, will throw a JwkException.
OAuth2AccessToken	getAccessToken(OAuth2Authentication authentication) This operation is not applicable for a Resource Server and if called, will throw a JwkException.
OAuth2AccessToken	readAccessToken(String tokenValue) Delegates to the internal instance JwtTokenStore.readAccessToken(String).
OAuth2Authentication	readAuthentication(OAuth2AccessToken token) Delegates to the internal instance JwtTokenStore.readAuthentication(OAuth2AccessToken).
OAuth2Authentication	readAuthentication(String tokenValue) Delegates to the internal instance JwtTokenStore.readAuthentication(String).
OAuth2Authentication	readAuthenticationForRefreshToken(OAuth2RefreshToken token) This operation is not applicable for a Resource Server and if called, will throw a JwkException.
OAuth2RefreshToken	readRefreshToken(String tokenValue) This operation is not applicable for a Resource Server and if called, will throw a JwkException.
void	removeAccessToken(OAuth2AccessToken token) Delegates to the internal instance JwtTokenStore.removeAccessToken(OAuth2AccessToken).
void	removeAccessTokenUsingRefreshToken(OAuth2RefreshToken refreshToken) This operation is not applicable for a Resource Server and if called, will throw a JwkException.
void	removeRefreshToken(OAuth2RefreshToken token) This operation is not applicable for a Resource Server and if called, will throw a JwkException.
void	storeAccessToken(OAuth2AccessToken token, OAuth2Authentication authentication) This operation is not applicable for a Resource Server and if called, will throw a JwkException.
void	storeRefreshToken(OAuth2RefreshToken refreshToken, OAuth2Authentication authentication) This operation is not applicable for a Resource Server and if called, will throw a JwkException.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

JwkTokenStore

public JwkTokenStore(String jwkSetUrl)

Creates a new instance using the provided URL as the location for the JWK Set.

Parameters:

jwkSetUrl - the JWK Set URL

JwkTokenStore

public JwkTokenStore(List<String> jwkSetUrls)

Creates a new instance using the provided URLs as the location for the JWK Sets.

Parameters:

jwkSetUrls - the JWK Set URLs

JwkTokenStore

public JwkTokenStore(String jwkSetUrl,
                     AccessTokenConverter accessTokenConverter)

Creates a new instance using the provided URL as the location for the JWK Set and a custom AccessTokenConverter.

Parameters:

jwkSetUrl - the JWK Set URL

accessTokenConverter - a custom AccessTokenConverter

JwkTokenStore

public JwkTokenStore(String jwkSetUrl,
                     JwtClaimsSetVerifier jwtClaimsSetVerifier)

Creates a new instance using the provided URL as the location for the JWK Set and a custom JwtClaimsSetVerifier.

Parameters:

jwkSetUrl - the JWK Set URL

jwtClaimsSetVerifier - a custom JwtClaimsSetVerifier

JwkTokenStore

public JwkTokenStore(String jwkSetUrl,
                     AccessTokenConverter accessTokenConverter,
                     JwtClaimsSetVerifier jwtClaimsSetVerifier)

Creates a new instance using the provided URL as the location for the JWK Set and a custom AccessTokenConverter and JwtClaimsSetVerifier.

Parameters:

jwkSetUrl - the JWK Set URL

accessTokenConverter - a custom AccessTokenConverter

jwtClaimsSetVerifier - a custom JwtClaimsSetVerifier

JwkTokenStore

public JwkTokenStore(List<String> jwkSetUrls,
                     AccessTokenConverter accessTokenConverter,
                     JwtClaimsSetVerifier jwtClaimsSetVerifier)

Creates a new instance using the provided URLs as the location for the JWK Sets and a custom AccessTokenConverter and JwtClaimsSetVerifier.

Parameters:

jwkSetUrls - the JWK Set URLs

accessTokenConverter - a custom AccessTokenConverter

jwtClaimsSetVerifier - a custom JwtClaimsSetVerifier

Method Detail

readAuthentication

public OAuth2Authentication readAuthentication(OAuth2AccessToken token)

Delegates to the internal instance JwtTokenStore.readAuthentication(OAuth2AccessToken).

Specified by:

readAuthentication in interface TokenStore

Parameters:

token - the access token

Returns:

the OAuth2Authentication representation of the access token

readAuthentication

public OAuth2Authentication readAuthentication(String tokenValue)

Delegates to the internal instance JwtTokenStore.readAuthentication(String).

Specified by:

readAuthentication in interface TokenStore

Parameters:

tokenValue - the access token value

Returns:

the OAuth2Authentication representation of the access token

storeAccessToken

public void storeAccessToken(OAuth2AccessToken token,
                             OAuth2Authentication authentication)

This operation is not applicable for a Resource Server and if called, will throw a JwkException.

Specified by:

storeAccessToken in interface TokenStore

Parameters:

token - The token to store.

authentication - The authentication associated with the token.

Throws:

JwkException - reporting this operation is not supported

readAccessToken

public OAuth2AccessToken readAccessToken(String tokenValue)

Delegates to the internal instance JwtTokenStore.readAccessToken(String).

Specified by:

readAccessToken in interface TokenStore

Parameters:

tokenValue - the access token value

Returns:

the OAuth2AccessToken representation of the access token value

removeAccessToken

public void removeAccessToken(OAuth2AccessToken token)

Delegates to the internal instance JwtTokenStore.removeAccessToken(OAuth2AccessToken).

Specified by:

removeAccessToken in interface TokenStore

Parameters:

token - the access token

storeRefreshToken

public void storeRefreshToken(OAuth2RefreshToken refreshToken,
                              OAuth2Authentication authentication)

This operation is not applicable for a Resource Server and if called, will throw a JwkException.

Specified by:

storeRefreshToken in interface TokenStore

Parameters:

refreshToken - The refresh token to store.

authentication - The authentication associated with the refresh token.

Throws:

JwkException - reporting this operation is not supported

readRefreshToken

public OAuth2RefreshToken readRefreshToken(String tokenValue)

This operation is not applicable for a Resource Server and if called, will throw a JwkException.

Specified by:

readRefreshToken in interface TokenStore

Parameters:

tokenValue - The value of the token to read.

Returns:

The token.

Throws:

JwkException - reporting this operation is not supported

readAuthenticationForRefreshToken

public OAuth2Authentication readAuthenticationForRefreshToken(OAuth2RefreshToken token)

This operation is not applicable for a Resource Server and if called, will throw a JwkException.

Specified by:

readAuthenticationForRefreshToken in interface TokenStore

Parameters:

token - a refresh token

Returns:

the authentication originally used to grant the refresh token

Throws:

JwkException - reporting this operation is not supported

removeRefreshToken

public void removeRefreshToken(OAuth2RefreshToken token)

This operation is not applicable for a Resource Server and if called, will throw a JwkException.

Specified by:

removeRefreshToken in interface TokenStore

Parameters:

token - The token to remove from the database.

Throws:

JwkException - reporting this operation is not supported

removeAccessTokenUsingRefreshToken

public void removeAccessTokenUsingRefreshToken(OAuth2RefreshToken refreshToken)

This operation is not applicable for a Resource Server and if called, will throw a JwkException.

Specified by:

removeAccessTokenUsingRefreshToken in interface TokenStore

Parameters:

refreshToken - The refresh token.

Throws:

JwkException - reporting this operation is not supported

getAccessToken

public OAuth2AccessToken getAccessToken(OAuth2Authentication authentication)

This operation is not applicable for a Resource Server and if called, will throw a JwkException.

Specified by:

getAccessToken in interface TokenStore

Parameters:

authentication - the authentication key for the access token

Returns:

the access token or null if there was none

Throws:

JwkException - reporting this operation is not supported

findTokensByClientIdAndUserName

public Collection<OAuth2AccessToken> findTokensByClientIdAndUserName(String clientId,
                                                                     String userName)

This operation is not applicable for a Resource Server and if called, will throw a JwkException.

Specified by:

findTokensByClientIdAndUserName in interface TokenStore

Parameters:

clientId - the client id to search

userName - the user name to search

Returns:

a collection of access tokens

Throws:

JwkException - reporting this operation is not supported

findTokensByClientId

public Collection<OAuth2AccessToken> findTokensByClientId(String clientId)

This operation is not applicable for a Resource Server and if called, will throw a JwkException.

Specified by:

findTokensByClientId in interface TokenStore

Parameters:

clientId - the client id to search

Returns:

a collection of access tokens

Throws:

JwkException - reporting this operation is not supported