in app/auth/BearerTokenAuth.scala [268:314]
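/** Validates a presented bearer token and, when it checks out, returns its claims.
 *
 * Steps, in order: parse the compact JWT; refresh the cached signing keys when
 * they are older than `oAuth.keyTimeOut` seconds; look up a verifier by the
 * token's `kid` header; verify the signature; then check audience and user roles.
 *
 * The token is a credential. Its content is deliberately kept out of every log
 * line and out of the returned failure values, so a debug- or error-level log
 * never becomes a store of replayable bearer tokens.
 *
 * @param token the raw bearer token as presented by the client
 * @return Right with the parsed claims, or Left with the reason the login was refused
 */
def validateToken(token: LoginResultOK[String]): Either[LoginResult, LoginResultOK[JWTClaimsSet]] = {
  // Never interpolate `token` here: its toString carries the raw JWT.
  logger.debug("validating bearer token")
  parseTokenContent(token.content) match {
    case Success(signedJWT) =>
      if ((System.currentTimeMillis / 1000) - loadTime > config.get[Int]("oAuth.keyTimeOut")) {
        logger.debug("Keys too old. Attempting key refresh.")
        // NOTE(review): this reassigns a shared var from a request path, so concurrent
        // requests may race on it — confirm the enclosing class synchronises access.
        // On a failed refresh the cache is cleared; presumably getVerifier then returns
        // None, so logins fail closed until a later refresh succeeds (see the None branch
        // below).
        maybeVerifiers = loadInKey() match {
          case Failure(err) =>
            if (!sys.env.contains("CI")) logger.warn(s"Could not load keys. Error was ${err.getMessage}")
            None
          case Success(jwk) =>
            Some(jwk)
        }
      }
      getVerifier(Option(signedJWT.getHeader.getKeyID)) match {
        case Some(verifier) =>
          if (signedJWT.verify(verifier)) {
            logger.debug("verified JWT")
            val claimsSet = signedJWT.getJWTClaimsSet
            // NOTE(review): no exp/nbf check is visible in this method — confirm that
            // time-based claims are validated inside checkAudience/checkUserRoles or by
            // the caller, otherwise an expired token with a valid signature is accepted.
            (checkAudience(claimsSet), checkUserRoles(claimsSet)) match {
              case (Left(audErr), Left(userErr)) =>
                logger.error(s"JWT is not valid: $audErr, $userErr")
                Left(audErr)
              case (Left(audErr), _) =>
                logger.error(s"JWT audience is not valid: $audErr")
                Left(audErr)
              case (_, Left(userErr)) =>
                logger.error(s"User ${claimsSet.getSubject} is not allowed to login in: $userErr")
                Left(userErr)
              case (valid @ Right(_), Right(_)) =>
                valid
            }
          } else {
            logger.error("JWT did not verify")
            // Do not echo the presented credential back in the failure value; use the
            // same generic message as the parse-failure branch so both paths look alike.
            Left(LoginResultInvalid("Authentication not valid"))
          }
        case None =>
          logger.error("No signing cert has been configured so it's impossible to validate any logins")
          Left(LoginResultMisconfigured("No signing cert configured"))
      }
    case Failure(err) =>
      // Log the parser's message only; the token content stays out of the log.
      logger.error(s"Failed to validate token: ${err.getMessage}")
      Left(LoginResultInvalid("Authentication not valid"))
  }
}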