in kerby-provider/token-provider/src/main/java/org/apache/kerby/kerberos/provider/token/JwtTokenEncoder.java [77:134]
/**
 * Serializes a {@link JwtAuthToken} to its string form, applying whichever
 * protections this encoder has keys configured for.
 *
 * <ul>
 *   <li>{@code signKey} and {@code encryptionKey} set: the claims are signed, and the
 *       signed JWT becomes the payload of a JWE whose header carries content type
 *       {@code "JWT"} (sign-then-encrypt nesting).</li>
 *   <li>{@code signKey} only: a signed JWT is returned.</li>
 *   <li>{@code encryptionKey} only: the claims are encrypted directly, with no signature.
 *       NOTE(review): if {@code jweAlgorithm} is a public-key algorithm, encryption alone
 *       does not show who issued the token. The algorithm is configured outside this
 *       method, so confirm that consumers do not treat encrypt-only tokens as
 *       authenticated.</li>
 *   <li>Neither key set: {@code jwt.serialize()} is returned unchanged, so this method adds
 *       no integrity or confidentiality protection. NOTE(review): confirm that decoders
 *       reject unsecured tokens wherever authenticity is required.</li>
 * </ul>
 *
 * @param token the token to encode; must be a {@link JwtAuthToken}
 * @return the serialized token string
 * @throws KrbException if {@code token} is not a {@link JwtAuthToken}, if the claims set
 *         cannot be read from the JWT, or if signing or encryption fails
 */
public String encodeAsString(AuthToken token) throws KrbException {
    if (!(token instanceof JwtAuthToken)) {
        throw new KrbException("Unexpected AuthToken, not JwtAuthToken");
    }
    final JWT jwt = ((JwtAuthToken) token).getJwt();

    if (signKey == null) {
        if (encryptionKey == null) {
            // No keys configured: the JWT is emitted exactly as it was handed in.
            return jwt.serialize();
        }

        // Encrypt-only path: the claims go straight into an EncryptedJWT, unsigned.
        final JWEHeader encryptOnlyHeader = new JWEHeader(jweAlgorithm, encryptionMethod);
        final EncryptedJWT encrypted;
        try {
            encrypted = new EncryptedJWT(encryptOnlyHeader, jwt.getJWTClaimsSet());
        } catch (ParseException e) {
            throw new KrbException("Failed to get JWT claims set", e);
        }
        try {
            encrypted.encrypt(createEncryptor());
        } catch (JOSEException e) {
            throw new KrbException("Failed to encrypt the encrypted JWT", e);
        }
        return encrypted.serialize();
    }

    // Signing path: the signer is created first, before the claims set is read.
    final JWSSigner signer = createSigner();
    final SignedJWT signed;
    try {
        signed = new SignedJWT(new JWSHeader(jwsAlgorithm), jwt.getJWTClaimsSet());
    } catch (ParseException e) {
        throw new KrbException("Failed to get JWT claims set", e);
    }
    try {
        signed.sign(signer);
    } catch (JOSEException e) {
        throw new KrbException("Failed to sign the Signed JWT", e);
    }

    if (encryptionKey == null) {
        return signed.serialize();
    }

    // Sign-then-encrypt: the signed JWT becomes the JWE payload, and the "JWT" content
    // type marks the payload as a nested JWT.
    final JWEHeader nestedHeader =
        new JWEHeader.Builder(jweAlgorithm, encryptionMethod).contentType("JWT").build();
    final JWEObject nested = new JWEObject(nestedHeader, new Payload(signed));
    try {
        nested.encrypt(createEncryptor());
    } catch (JOSEException e) {
        throw new KrbException("Failed to encrypt the JWE object", e);
    }
    return nested.serialize();
}