
Commit 5b5957e

committed
Both decoders refactored (identical code).
1 parent 353c686 commit 5b5957e

2 files changed

+51
-29
lines changed


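--- a/libs/servlet-insecure-security/src/main/java/no/nav/testnav/libs/standalone/servletsecurity/jwt/MultipleIssuersJwtDecoder.java
+++ b/libs/servlet-insecure-security/src/main/java/no/nav/testnav/libs/standalone/servletsecurity/jwt/MultipleIssuersJwtDecoder.java
@@ -24,11 +24,11 @@ class MultipleIssuersJwtDecoder implements JwtDecoder {
 .stream()
 .collect(Collectors.toMap(
 ResourceServerProperties::getIssuerUri,
-this::getValidatingDecoder
+MultipleIssuersJwtDecoder::getValidatingDecoder
 ));
 }
 
-private NimbusJwtDecoder getValidatingDecoder(ResourceServerProperties properties) {
+private static NimbusJwtDecoder getValidatingDecoder(ResourceServerProperties properties) {
 NimbusJwtDecoder jwtDecoder = JwtDecoders.fromIssuerLocation(properties.getIssuerUri());
 jwtDecoder.setJwtValidator(oAuth2TokenValidator(properties));
 return jwtDecoder;
@@ -61,7 +61,7 @@ public Jwt decode(String token) throws JwtException {
 }
 }
 
-private OAuth2TokenValidator<Jwt> oAuth2TokenValidator(ResourceServerProperties properties) {
+private static OAuth2TokenValidator<Jwt> oAuth2TokenValidator(ResourceServerProperties properties) {
 return new DelegatingOAuth2TokenValidator<>(
 issuerValidator(properties.getIssuerUri()),
 audienceValidator(properties.getAcceptedAudience())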

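--- a/libs/servlet-security/src/main/java/no/nav/testnav/libs/servletsecurity/jwt/MultipleIssuersJwtDecoder.java
+++ b/libs/servlet-security/src/main/java/no/nav/testnav/libs/servletsecurity/jwt/MultipleIssuersJwtDecoder.java
@@ -16,54 +16,76 @@
 
 @Slf4j
 class MultipleIssuersJwtDecoder implements JwtDecoder {
+
 private final Map<String, NimbusJwtDecoder> decoderMap;
 
 MultipleIssuersJwtDecoder(List<ResourceServerProperties> properties) {
-this.decoderMap = properties.stream().collect(Collectors.toMap(
-ResourceServerProperties::getIssuerUri,
-props -> {
-NimbusJwtDecoder jwtDecoder = JwtDecoders.fromIssuerLocation(props.getIssuerUri());
-jwtDecoder.setJwtValidator(oAuth2TokenValidator(props));
-return jwtDecoder;
-}
-));
+decoderMap = properties
+.stream()
+.collect(Collectors.toMap(
+ResourceServerProperties::getIssuerUri,
+MultipleIssuersJwtDecoder::getValidatingDecoder
+));
+}
+
+private static NimbusJwtDecoder getValidatingDecoder(ResourceServerProperties properties) {
+NimbusJwtDecoder jwtDecoder = JwtDecoders.fromIssuerLocation(properties.getIssuerUri());
+jwtDecoder.setJwtValidator(oAuth2TokenValidator(properties));
+return jwtDecoder;
 }
 
 @Override
 public Jwt decode(String token) throws JwtException {
 try {
+
 var issuer = JWTParser
 .parse(token)
 .getJWTClaimsSet()
 .getIssuer();
-return decoderMap
-.get(issuer)
-.decode(token);
+if (issuer == null || !decoderMap.containsKey(issuer)) {
+throw new JwtException("JWT decoder for issuer %s not found".formatted(issuer));
+}
+var decoder = decoderMap.get(issuer);
+log.info("Decoding token with issuer {} using decoder {}", issuer, decoder.getClass().getSimpleName());
+return decoder.decode(token);
+
 } catch (ParseException e) {
-log.error("Feil ved parsing av token", e);
+log.error("Error in offset {} when parsing token", e.getErrorOffset(), e);
 throw new JwtException("Feil ved parsing av token", e);
 } catch (JwtValidationException e) {
-log.error("Feil ved validering av token", e);
+log.error("Error(s) validating token: {}", e.getErrors(), e);
 throw e;
 } catch (Exception e) {
-log.error("Ukjent feil", e);
-throw e;
+log.error("Unexpected failure", e);
+throw new JwtException("Unexpected failure", e);
 }
 }
 
-private OAuth2TokenValidator<Jwt> oAuth2TokenValidator(ResourceServerProperties properties) {
-OAuth2TokenValidator<Jwt> issuerValidator = JwtValidators.createDefaultWithIssuer(properties.getIssuerUri());
-OAuth2TokenValidator<Jwt> audienceValidator = token ->
-token.getAudience().stream().anyMatch(audience -> properties.getAcceptedAudience().contains(audience)) ?
-OAuth2TokenValidatorResult.success() :
-OAuth2TokenValidatorResult.failure(createError(
-String.format("Fant ikke påkrevd audience %s i tokenet.", properties.getAcceptedAudience())
-));
-return new DelegatingOAuth2TokenValidator<>(issuerValidator, audienceValidator);
+private static OAuth2TokenValidator<Jwt> oAuth2TokenValidator(ResourceServerProperties properties) {
+return new DelegatingOAuth2TokenValidator<>(
+issuerValidator(properties.getIssuerUri()),
+audienceValidator(properties.getAcceptedAudience())
+);
+}
+
+private static OAuth2TokenValidator<Jwt> issuerValidator(String issuerUri) {
+return JwtValidators.createDefaultWithIssuer(issuerUri); // Note that this creates and adds a default audience validator.
 }
 
-private OAuth2Error createError(String msg) {
-return new OAuth2Error("invalid_token", msg, null);
+private static OAuth2TokenValidator<Jwt> audienceValidator(List<String> acceptedAudience) {
+return token -> {
+var audience = token.getAudience();
+var audienceIsAccepted = audience
+.stream()
+.anyMatch(acceptedAudience::contains);
+if (audienceIsAccepted) {
+log.info("Token audience {} is accepted by {}", audience, acceptedAudience);
+return OAuth2TokenValidatorResult.success();
+}
+var message = "Token audience %s is not accepted by %s".formatted(audience, acceptedAudience);
+log.warn(message);
+return OAuth2TokenValidatorResult.failure(new OAuth2Error("invalid_token", message, null));
+};
 }
 
 }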
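Review bot: The final `catch (Exception e)` in `decode` now rewraps every `JwtException` that `decoder.decode(token)` throws other than `JwtValidationException` — a bad-signature or expired-token `BadJwtException` included — into a plain `JwtException("Unexpected failure", e)`, where the removed `throw e` kept the original type; if I read Spring's `JwtAuthenticationProvider` right it maps `BadJwtException` to an invalid-token 401 and any other `JwtException` to `AuthenticationServiceException`, so rejected tokens would likely surface as server errors. Add `} catch (JwtException e) { log.error("Error decoding token", e); throw e;` between the `JwtValidationException` and `Exception` handlers so the inner decoder's exception type is preserved. The `issuer` interpolated into `"JWT decoder for issuer %s not found"` is read from the token before any signature check, so an attacker-controlled string lands in an exception message the caller may echo back; a fixed message with the value logged at debug would be safer. A token with no `aud` claim makes `audience.stream()` in `audienceValidator` throw a `NullPointerException` (`getAudience()` appears to return null for a missing claim), which then reports as "Unexpected failure" rather than an audience failure — guard with `if (audience == null)` before the stream.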
