@@ -91,57 +91,60 @@ public Authentication authenticate(Authentication authentication) throws Authent
9191JWT jwt = jwtAuth .getJwt ();
9292JWTClaimsSet jwtClaims = jwt .getJWTClaimsSet ();
9393
94+ if (!(jwt instanceof SignedJWT )) {
95+ throw new AuthenticationServiceException ("Unsupported JWT type: " + jwt .getClass ().getName ());
96+ }
97+
9498// check the signature with nimbus
95- if (jwt instanceof SignedJWT ) {
96- SignedJWT jws = (SignedJWT )jwt ;
99+ SignedJWT jws = (SignedJWT ) jwt ;
100+
101+ JWSAlgorithm alg = jws .getHeader ().getAlgorithm ();
102+
103+ if (client .getTokenEndpointAuthSigningAlg () != null &&
104+ !client .getTokenEndpointAuthSigningAlg ().equals (alg )) {
105+ throw new AuthenticationServiceException ("Client's registered token endpoint signing algorithm (" + client .getTokenEndpointAuthSigningAlg ()
106+ + ") does not match token's actual algorithm (" + alg .getName () + ")" );
107+ }
108+
109+ if (client .getTokenEndpointAuthMethod () == null ||
110+ client .getTokenEndpointAuthMethod ().equals (AuthMethod .NONE ) ||
111+ client .getTokenEndpointAuthMethod ().equals (AuthMethod .SECRET_BASIC ) ||
112+ client .getTokenEndpointAuthMethod ().equals (AuthMethod .SECRET_POST )) {
113+
114+ // this client doesn't support this type of authentication
115+ throw new AuthenticationServiceException ("Client does not support this authentication method." );
116+
117+ } else if ((client .getTokenEndpointAuthMethod ().equals (AuthMethod .PRIVATE_KEY ) &&
118+ (alg .equals (JWSAlgorithm .RS256 )
119+ || alg .equals (JWSAlgorithm .RS384 )
120+ || alg .equals (JWSAlgorithm .RS512 )
121+ || alg .equals (JWSAlgorithm .ES256 )
122+ || alg .equals (JWSAlgorithm .ES384 )
123+ || alg .equals (JWSAlgorithm .ES512 )
124+ || alg .equals (JWSAlgorithm .PS256 )
125+ || alg .equals (JWSAlgorithm .PS384 )
126+ || alg .equals (JWSAlgorithm .PS512 )))
127+ || (client .getTokenEndpointAuthMethod ().equals (AuthMethod .SECRET_JWT ) &&
128+ (alg .equals (JWSAlgorithm .HS256 )
129+ || alg .equals (JWSAlgorithm .HS384 )
130+ || alg .equals (JWSAlgorithm .HS512 )))) {
131+
132+ // double-check the method is asymmetrical if we're in HEART mode
133+ if (config .isHeartMode () && !client .getTokenEndpointAuthMethod ().equals (AuthMethod .PRIVATE_KEY )) {
134+ throw new AuthenticationServiceException ("[HEART mode] Invalid authentication method" );
135+ }
97136
98- JWSAlgorithm alg = jws . getHeader (). getAlgorithm ( );
137+ JWTSigningAndValidationService validator = validators . getValidator ( client , alg );
99138
100- if (client .getTokenEndpointAuthSigningAlg () != null &&
101- !client .getTokenEndpointAuthSigningAlg ().equals (alg )) {
102- throw new InvalidClientException ("Client's registered request object signing algorithm (" + client .getRequestObjectSigningAlg () + ") does not match request object's actual algorithm (" + alg .getName () + ")" );
139+ if (validator == null ) {
140+ throw new AuthenticationServiceException ("Unable to create signature validator for client " + client + " and algorithm " + alg );
103141}
104142
105- if (client .getTokenEndpointAuthMethod () == null ||
106- client .getTokenEndpointAuthMethod ().equals (AuthMethod .NONE ) ||
107- client .getTokenEndpointAuthMethod ().equals (AuthMethod .SECRET_BASIC ) ||
108- client .getTokenEndpointAuthMethod ().equals (AuthMethod .SECRET_POST )) {
109-
110- // this client doesn't support this type of authentication
111- throw new AuthenticationServiceException ("Client does not support this authentication method." );
112-
113- } else if ((client .getTokenEndpointAuthMethod ().equals (AuthMethod .PRIVATE_KEY ) &&
114- (alg .equals (JWSAlgorithm .RS256 )
115- || alg .equals (JWSAlgorithm .RS384 )
116- || alg .equals (JWSAlgorithm .RS512 )
117- || alg .equals (JWSAlgorithm .ES256 )
118- || alg .equals (JWSAlgorithm .ES384 )
119- || alg .equals (JWSAlgorithm .ES512 )
120- || alg .equals (JWSAlgorithm .PS256 )
121- || alg .equals (JWSAlgorithm .PS384 )
122- || alg .equals (JWSAlgorithm .PS512 )))
123- || (client .getTokenEndpointAuthMethod ().equals (AuthMethod .SECRET_JWT ) &&
124- (alg .equals (JWSAlgorithm .HS256 )
125- || alg .equals (JWSAlgorithm .HS384 )
126- || alg .equals (JWSAlgorithm .HS512 )))) {
127-
128- // double-check the method is asymmetrical if we're in HEART mode
129- if (config .isHeartMode () && !client .getTokenEndpointAuthMethod ().equals (AuthMethod .PRIVATE_KEY )) {
130- throw new AuthenticationServiceException ("[HEART mode] Invalid authentication method" );
131- }
132-
133- JWTSigningAndValidationService validator = validators .getValidator (client , alg );
134-
135- if (validator == null ) {
136- throw new AuthenticationServiceException ("Unable to create signature validator for client " + client + " and algorithm " + alg );
137- }
138-
139- if (!validator .validateSignature (jws )) {
140- throw new AuthenticationServiceException ("Signature did not validate for presented JWT authentication." );
141- }
142- } else {
143- throw new AuthenticationServiceException ("Unable to create signature validator for method " + client .getTokenEndpointAuthMethod () + " and algorithm " + alg );
143+ if (!validator .validateSignature (jws )) {
144+ throw new AuthenticationServiceException ("Signature did not validate for presented JWT authentication." );
144145}
146+ } else {
147+ throw new AuthenticationServiceException ("Unable to create signature validator for method " + client .getTokenEndpointAuthMethod () + " and algorithm " + alg );
145148}
146149
147150// check the issuer
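Review bot: The else branch at new lines 146-147 reports "Unable to create signature validator for method … and algorithm …" although it is reached when the client's registered token endpoint auth method and the token's `alg` are not an allowed pairing, not when validator creation fails; the `validator == null` branch at new line 140 already uses almost the same wording, so the two rejections are indistinguishable in logs and audit trails. Suggest `throw new AuthenticationServiceException("Token endpoint auth method " + client.getTokenEndpointAuthMethod() + " does not permit JWS algorithm " + alg);` for the else branch so that an algorithm/method mismatch is reported as such. Separately, the message at new line 140 concatenates the whole `client` object; unless its toString is known to omit the client secret, `client.getClientId()` is the safer value to include. The enclosing authenticate() method starts and ends outside this hunk.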