Low-level Nimbus Jwt Decoder

Introduces a JwtDecoder which takes a raw Nimbus JWTProcessor
configuration.

Fixes: gh-5648

Author: jzheaux

oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoder.java

@@ -0,0 +1,150 @@
+/*
+ * Copyright 2002-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.jwt;
+
+import java.text.ParseException;
+import java.time.Instant;
+import java.util.Collections;
+import java.util.LinkedHashMap;
+import java.util.Map;
+
+import com.nimbusds.jose.RemoteKeySourceException;
+import com.nimbusds.jose.proc.SecurityContext;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.jwt.JWTParser;
+import com.nimbusds.jwt.SignedJWT;
+import com.nimbusds.jwt.proc.JWTProcessor;
+
+import org.springframework.core.convert.converter.Converter;
+import org.springframework.security.oauth2.core.OAuth2TokenValidator;
+import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
+import org.springframework.util.Assert;
+
+/**
+ * A low-level Nimbus implementation of {@link JwtDecoder} which takes a raw Nimbus configuration.
+ *
+ * @author Josh Cummings
+ * @since 5.2
+ */
+public final class NimbusJwtDecoder implements JwtDecoder {
+	private static final String DECODING_ERROR_MESSAGE_TEMPLATE =
+			"An error occurred while attempting to decode the Jwt: %s";
+
+	private final JWTProcessor<SecurityContext> jwtProcessor;
+
+	private Converter<Map<String, Object>, Map<String, Object>> claimSetConverter =
+			MappedJwtClaimSetConverter.withDefaults(Collections.emptyMap());
+	private OAuth2TokenValidator<Jwt> jwtValidator = JwtValidators.createDefault();
+
+	/**
+	 * Configures a {@link NimbusJwtDecoder} with the given parameters
+	 *
+	 * @param jwtProcessor - the {@link JWTProcessor} to use
+	 */
+	public NimbusJwtDecoder(JWTProcessor<SecurityContext> jwtProcessor) {
+		Assert.notNull(jwtProcessor, "jwtProcessor cannot be null");
+		this.jwtProcessor = jwtProcessor;
+	}
+
+	/**
+	 * Use this {@link Jwt} Validator
+	 *
+	 * @param jwtValidator - the Jwt Validator to use
+	 */
+	public void setJwtValidator(OAuth2TokenValidator<Jwt> jwtValidator) {
+		Assert.notNull(jwtValidator, "jwtValidator cannot be null");
+		this.jwtValidator = jwtValidator;
+	}
+
+	/**
+	 * Use the following {@link Converter} for manipulating the JWT's claim set
+	 *
+	 * @param claimSetConverter the {@link Converter} to use
+	 */
+	public void setClaimSetConverter(Converter<Map<String, Object>, Map<String, Object>> claimSetConverter) {
+		Assert.notNull(claimSetConverter, "claimSetConverter cannot be null");
+		this.claimSetConverter = claimSetConverter;
+	}
+
+	/**
+	 * Decode and validate the JWT from its compact claims representation format
+	 *
+	 * @param token the JWT value
+	 * @return a validated {@link Jwt}
+	 * @throws JwtException
+	 */
+	@Override
+	public Jwt decode(String token) throws JwtException {
+		JWT jwt = parse(token);
+		if (jwt instanceof SignedJWT) {
+			Jwt createdJwt = createJwt(token, jwt);
+			return validateJwt(createdJwt);
+		}
+		throw new JwtException("Unsupported algorithm of " + jwt.getHeader().getAlgorithm());
+	}
+
+	private JWT parse(String token) {
+		try {
+			return JWTParser.parse(token);
+		} catch (Exception ex) {
+			throw new JwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, ex.getMessage()), ex);
+		}
+	}
+
+	private Jwt createJwt(String token, JWT parsedJwt) {
+		Jwt jwt;
+
+		try {
+			// Verify the signature
+			JWTClaimsSet jwtClaimsSet = this.jwtProcessor.process(parsedJwt, null);
+
+			Map<String, Object> headers = new LinkedHashMap<>(parsedJwt.getHeader().toJSONObject());
+			Map<String, Object> claims = this.claimSetConverter.convert(jwtClaimsSet.getClaims());
+
+			Instant expiresAt = (Instant) claims.get(JwtClaimNames.EXP);
+			Instant issuedAt = (Instant) claims.get(JwtClaimNames.IAT);
+			jwt = new Jwt(token, issuedAt, expiresAt, headers, claims);
+		} catch (RemoteKeySourceException ex) {
+			if (ex.getCause() instanceof ParseException) {
+				throw new JwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, "Malformed Jwk set"));
+			} else {
+				throw new JwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, ex.getMessage()), ex);
+			}
+		} catch (Exception ex) {
+			if (ex.getCause() instanceof ParseException) {
+				throw new JwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, "Malformed payload"));
+			} else {
+				throw new JwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, ex.getMessage()), ex);
+			}
+		}
+
+		return jwt;
+	}
+
+	private Jwt validateJwt(Jwt jwt){
+		OAuth2TokenValidatorResult result = this.jwtValidator.validate(jwt);
+		if (result.hasErrors()) {
+			String description = result.getErrors().iterator().next().getDescription();
+			throw new JwtValidationException(
+					String.format(DECODING_ERROR_MESSAGE_TEMPLATE, description),
+					result.getErrors());
+		}
+
+		return jwt;
+	}
+}

oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoderJwkSupport.java

@@ -18,25 +18,17 @@
 import java.io.IOException;
 import java.net.MalformedURLException;
 import java.net.URL;
-import java.text.ParseException;
-import java.time.Instant;
 import java.util.Collections;
-import java.util.LinkedHashMap;
 import java.util.Map;
 
 import com.nimbusds.jose.JWSAlgorithm;
-import com.nimbusds.jose.RemoteKeySourceException;
 import com.nimbusds.jose.jwk.source.JWKSource;
 import com.nimbusds.jose.jwk.source.RemoteJWKSet;
 import com.nimbusds.jose.proc.JWSKeySelector;
 import com.nimbusds.jose.proc.JWSVerificationKeySelector;
 import com.nimbusds.jose.proc.SecurityContext;
 import com.nimbusds.jose.util.Resource;
 import com.nimbusds.jose.util.ResourceRetriever;
-import com.nimbusds.jwt.JWT;
-import com.nimbusds.jwt.JWTClaimsSet;
-import com.nimbusds.jwt.JWTParser;
-import com.nimbusds.jwt.SignedJWT;
 import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
 import com.nimbusds.jwt.proc.DefaultJWTProcessor;
 
@@ -47,7 +39,6 @@
 import org.springframework.http.RequestEntity;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.oauth2.core.OAuth2TokenValidator;
-import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
 import org.springframework.security.oauth2.jose.jws.JwsAlgorithms;
 import org.springframework.util.Assert;
 import org.springframework.web.client.RestOperations;
@@ -62,27 +53,24 @@
  * <p>
  * <b>NOTE:</b> This implementation uses the Nimbus JOSE + JWT SDK internally.
  *
+ * @deprecated Use {@link NimbusJwtDecoder} instead
+ *
  * @author Joe Grandja
  * @author Josh Cummings
  * @since 5.0
  * @see JwtDecoder
+ * @see NimbusJwtDecoder
  * @see <a target="_blank" href="https://tools.ietf.org/html/rfc7519">JSON Web Token (JWT)</a>
  * @see <a target="_blank" href="https://tools.ietf.org/html/rfc7515">JSON Web Signature (JWS)</a>
  * @see <a target="_blank" href="https://tools.ietf.org/html/rfc7517">JSON Web Key (JWK)</a>
  * @see <a target="_blank" href="https://connect2id.com/products/nimbus-jose-jwt">Nimbus JOSE + JWT SDK</a>
  */
+@Deprecated
 public final class NimbusJwtDecoderJwkSupport implements JwtDecoder {
-	private static final String DECODING_ERROR_MESSAGE_TEMPLATE =
-			"An error occurred while attempting to decode the Jwt: %s";
-
 	private final JWSAlgorithm jwsAlgorithm;
-	private final ConfigurableJWTProcessor<SecurityContext> jwtProcessor;
 	private final RestOperationsResourceRetriever jwkSetRetriever = new RestOperationsResourceRetriever();
 
-	private Converter<Map<String, Object>, Map<String, Object>> claimSetConverter =
-			MappedJwtClaimSetConverter.withDefaults(Collections.emptyMap());
-	private OAuth2TokenValidator<Jwt> jwtValidator = JwtValidators.createDefault();
-
+	private NimbusJwtDecoder delegate;
 
 	/**
 	 * Constructs a {@code NimbusJwtDecoderJwkSupport} using the provided parameters.
@@ -111,21 +99,18 @@ public NimbusJwtDecoderJwkSupport(String jwkSetUrl, String jwsAlgorithm) {
 		this.jwsAlgorithm = JWSAlgorithm.parse(jwsAlgorithm);
 		JWSKeySelector<SecurityContext> jwsKeySelector =
 			new JWSVerificationKeySelector<>(this.jwsAlgorithm, jwkSource);
-		this.jwtProcessor = new DefaultJWTProcessor<>();
-		this.jwtProcessor.setJWSKeySelector(jwsKeySelector);
+		ConfigurableJWTProcessor<SecurityContext> jwtProcessor = new DefaultJWTProcessor<>();
+		jwtProcessor.setJWSKeySelector(jwsKeySelector);
 
 		// Spring Security validates the claim set independent from Nimbus
-		this.jwtProcessor.setJWTClaimsSetVerifier((claims, context) -> {});
+		jwtProcessor.setJWTClaimsSetVerifier((claims, context) -> {});
+
+		this.delegate = new NimbusJwtDecoder(jwtProcessor);
 	}
 
 	@Override
 	public Jwt decode(String token) throws JwtException {
-		JWT jwt = this.parse(token);
-		if (jwt instanceof SignedJWT) {
-			Jwt createdJwt = this.createJwt(token, jwt);
-			return this.validateJwt(createdJwt);
-		}
-		throw new JwtException("Unsupported algorithm of " + jwt.getHeader().getAlgorithm());
+		return this.delegate.decode(token);
 	}
 
 	/**
@@ -135,7 +120,7 @@ public Jwt decode(String token) throws JwtException {
 	 */
 	public void setJwtValidator(OAuth2TokenValidator<Jwt> jwtValidator) {
 		Assert.notNull(jwtValidator, "jwtValidator cannot be null");
-		this.jwtValidator = jwtValidator;
+		this.delegate.setJwtValidator(jwtValidator);
 	}
 
 	/**
@@ -145,57 +130,7 @@ public void setJwtValidator(OAuth2TokenValidator<Jwt> jwtValidator) {
 	 */
 	public final void setClaimSetConverter(Converter<Map<String, Object>, Map<String, Object>> claimSetConverter) {
 		Assert.notNull(claimSetConverter, "claimSetConverter cannot be null");
-		this.claimSetConverter = claimSetConverter;
-	}
-
-	private JWT parse(String token) {
-		try {
-			return JWTParser.parse(token);
-		} catch (Exception ex) {
-			throw new JwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, ex.getMessage()), ex);
-		}
-	}
-
-	private Jwt createJwt(String token, JWT parsedJwt) {
-		Jwt jwt;
-
-		try {
-			// Verify the signature
-			JWTClaimsSet jwtClaimsSet = this.jwtProcessor.process(parsedJwt, null);
-
-			Map<String, Object> headers = new LinkedHashMap<>(parsedJwt.getHeader().toJSONObject());
-			Map<String, Object> claims = this.claimSetConverter.convert(jwtClaimsSet.getClaims());
-
-			Instant expiresAt = (Instant) claims.get(JwtClaimNames.EXP);
-			Instant issuedAt = (Instant) claims.get(JwtClaimNames.IAT);
-			jwt = new Jwt(token, issuedAt, expiresAt, headers, claims);
-		} catch (RemoteKeySourceException ex) {
-			if (ex.getCause() instanceof ParseException) {
-				throw new JwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, "Malformed Jwk set"));
-			} else {
-				throw new JwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, ex.getMessage()), ex);
-			}
-		} catch (Exception ex) {
-			if (ex.getCause() instanceof ParseException) {
-				throw new JwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, "Malformed payload"));
-			} else {
-				throw new JwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, ex.getMessage()), ex);
-			}
-		}
-
-		return jwt;
-	}
-
-	private Jwt validateJwt(Jwt jwt){
-		OAuth2TokenValidatorResult result = this.jwtValidator.validate(jwt);
-		if (result.hasErrors()) {
-			String description = result.getErrors().iterator().next().getDescription();
-			throw new JwtValidationException(
-					String.format(DECODING_ERROR_MESSAGE_TEMPLATE, description),
-					result.getErrors());
-		}
-
-		return jwt;
+		this.delegate.setClaimSetConverter(claimSetConverter);
 	}
 
 	/**