in services/idp-core/src/main/java/org/apache/cxf/fediz/service/idp/protocols/TrustedIdpOIDCProtocolHandler.java [270:318]
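/**
 * Verifies the JWS signature of the IdToken issued by the trusted IdP.
 *
 * <p>The signature algorithm is taken from the trusted IdP configuration
 * ({@code SIGNATURE_ALGORITHM}, defaulting to {@code RS256}), never from the
 * token's own {@code alg} header, so a presented token cannot choose how it is
 * verified. The verification key is resolved in this order:
 * <ol>
 *   <li>if a {@code JWKS_URI} is configured and the token carries a {@code kid}
 *       header, the key with that id is fetched from the JWKS endpoint;</li>
 *   <li>otherwise the certificate configured on the trusted IdP is used;</li>
 *   <li>if neither yields a key the token is rejected.</li>
 * </ol>
 *
 * @param trustedIdp  the trusted IdP configuration supplying algorithm, JWKS URI and certificate
 * @param jwtConsumer the compact-JWS consumer holding the token to verify
 * @return {@code true} if the signature verifies against the resolved key, {@code false}
 *         if it does not verify or no key could be resolved
 * @throws CertificateException if the configured certificate cannot be parsed
 * @throws WSSecurityException  propagated from the certificate utilities
 * @throws ProcessingException  if the JWKS response cannot be read
 * @throws IOException          on I/O failure while parsing the certificate
 */
private boolean validateSignature(TrustedIdp trustedIdp, JwsJwtCompactConsumer jwtConsumer)
        throws CertificateException, WSSecurityException, ProcessingException, IOException {
    // The algorithm is pinned by configuration, not by the (attacker-supplied) token header.
    String sigAlgo = getProperty(trustedIdp, SIGNATURE_ALGORITHM);
    if (sigAlgo == null || sigAlgo.isEmpty()) {
        sigAlgo = "RS256";
    }
    SignatureAlgorithm algorithm = SignatureAlgorithm.getAlgorithm(sigAlgo);

    JwtToken jwt = jwtConsumer.getJwtToken();
    String jwksUri = getProperty(trustedIdp, JWKS_URI);

    JsonWebKey verifyingKey = null;
    if (jwksUri != null && jwt.getJwsHeaders() != null
        && jwt.getJwsHeaders().containsHeader(JoseConstants.HEADER_KEY_ID)) {
        // "kid" comes from the token and is therefore untrusted; it is only ever used as a
        // lookup key inside the JWKS document fetched from the *configured* URI.
        String kid = (String)jwt.getJwsHeaders().getHeader(JoseConstants.HEADER_KEY_ID);
        verifyingKey = fetchVerifyingKey(jwksUri, kid);
    }

    if (verifyingKey != null) {
        return jwtConsumer.verifySignatureWith(verifyingKey, algorithm);
    }

    // Fallback: the certificate configured on the trusted IdP.
    X509Certificate validatingCert = CertsUtils.parseX509Certificate(trustedIdp.getCertificate());
    if (validatingCert != null) {
        return jwtConsumer.verifySignatureWith(validatingCert, algorithm);
    }

    LOG.warn("No key supplied to verify the signature of the IdToken");
    return false;
}

/**
 * Fetches the JWKS document from {@code jwksUri} and returns the key identified by {@code kid}.
 *
 * <p>The client is built with the {@code cxf-tls.xml} configuration so the JWKS endpoint is
 * reached with the configured TLS settings. The client is always closed, and a non-200
 * response is not parsed as a key set.
 *
 * @param jwksUri the configured JWKS endpoint of the trusted IdP
 * @param kid     the key id taken from the token header (untrusted; used only for lookup)
 * @return the matching key, or {@code null} if the endpoint did not return a usable key set
 *         or contains no key with that id
 */
private JsonWebKey fetchVerifyingKey(String jwksUri, String kid) {
    LOG.debug("Attemping to retrieve key id {} from uri {}", kid, jwksUri);

    List<Object> jsonKeyProviders = new ArrayList<>();
    jsonKeyProviders.add(new JsonWebKeysProvider());
    WebClient client = WebClient.create(jwksUri, jsonKeyProviders, "cxf-tls.xml");
    try {
        client.accept("application/json");
        ClientConfiguration config = WebClient.getConfig(client);
        if (LOG.isDebugEnabled()) {
            config.getOutInterceptors().add(new LoggingOutInterceptor());
            config.getInInterceptors().add(new LoggingInInterceptor());
        }

        Response response = client.get();
        // Do not attempt to read an error body as a JWKS; treat it as "no key available".
        if (response.getStatus() != 200) {
            LOG.warn("JWKS endpoint {} returned status {}", jwksUri, response.getStatus());
            return null;
        }
        JsonWebKeys jsonWebKeys = response.readEntity(JsonWebKeys.class);
        if (jsonWebKeys == null) {
            return null;
        }
        return jsonWebKeys.getKey(kid);
    } finally {
        // WebClient holds conduit/connection resources; release them on every path.
        client.close();
    }
}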