token signature as key
AmaliMatharaarachchi committed Oct 10, 2023
1 parent b66e027 commit f96524a
Showing 3 changed files with 29 additions and 9 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,7 @@ public class JWTValidationInfo implements Serializable {
private String keyManager;
private String identifier;
private JWTClaimsSet jwtClaimsSet;
private String token;

public JWTValidationInfo() {

Expand All @@ -58,6 +59,14 @@ public JWTValidationInfo(JWTValidationInfo jwtValidationInfo) {
this.keyManager = jwtValidationInfo.getKeyManager();
}

public String getToken() {
return token;
}

public void setToken(String token) {
this.token = token;
}

public String getIdentifier() {
return identifier;
}
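Review bot: The copy constructor at the top of the second hunk does not copy the new `token` field — of its body only `this.keyManager = jwtValidationInfo.getKeyManager();` and the closing brace are visible, and nothing in this hunk assigns `token`, so unless an assignment exists above the shown lines a copied JWTValidationInfo carries `token == null`. The gateway's new cache-hit check in this same commit compares `getToken()` against the presented token, so such a copy would be logged as a tampered token and rejected. Add `this.token = jwtValidationInfo.getToken();` next to the other field copies. Because the field holds the raw bearer credential and the class is Serializable, a field comment such as `// Raw serialized JWT as presented by the client; kept only for the cache tamper check — treat as a secret, never log it` would also help the next maintainer.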
Original file line number Diff line number Diff line change
Expand Up @@ -464,26 +464,34 @@ private JSONObject validateSubscriptionFromClaim(String name, String version, JW
*/
private JWTValidationInfo getJwtValidationInfo(String jwtToken, String organization) throws APISecurityException {
if (isGatewayTokenCacheEnabled) {
String[] jwtParts = jwtToken.split("\\.");
String signature = jwtParts[2];
Object validCacheToken = CacheProviderUtil.getOrganizationCache(organization).getGatewayKeyCache()
.getIfPresent(jwtToken);
.getIfPresent(signature);
if (validCacheToken != null) {
JWTValidationInfo validationInfo = (JWTValidationInfo) validCacheToken;
if (!isJWTExpired(validationInfo)) {
if (!StringUtils.equals(validationInfo.getToken(), jwtToken)) {
log.warn("Suspected tampered token; a JWT token with the same signature is " +
"already available in the cache. Tampered token: " + FilterUtils.getMaskedToken(jwtToken));
throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(),
APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid JWT token");
}
if (RevokedJWTDataHolder.isJWTTokenSignatureExistsInRevokedMap(validationInfo.getIdentifier())) {
log.debug("Token found in the revoked jwt token map.");
throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(),
APISecurityConstants.API_AUTH_INVALID_CREDENTIALS, "Invalid JWT token");
}
return validationInfo;
} else {
CacheProviderUtil.getOrganizationCache(organization).getGatewayKeyCache().invalidate(jwtToken);
CacheProviderUtil.getOrganizationCache(organization).getInvalidTokenCache().put(jwtToken, true);
CacheProviderUtil.getOrganizationCache(organization).getGatewayKeyCache().invalidate(signature);
CacheProviderUtil.getOrganizationCache(organization).getInvalidTokenCache().put(signature, true);
throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(),
APISecurityConstants.API_AUTH_INVALID_CREDENTIALS,
APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE);
}
} else if (CacheProviderUtil.getOrganizationCache(organization).getInvalidTokenCache()
.getIfPresent(jwtToken) != null) {
.getIfPresent(signature) != null) {
throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(),
APISecurityConstants.API_AUTH_INVALID_CREDENTIALS,
APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE);
Expand Down Expand Up @@ -519,8 +527,9 @@ private JWTValidationInfo getJwtValidationInfo(String jwtToken, String organizat
}
}

String signature = signedJWT.getSignature().toString();
String jwtTokenIdentifier = StringUtils.isNotEmpty(jwtClaimsSet.getJWTID()) ? jwtClaimsSet.getJWTID() :
signedJWT.getSignature().toString();
signature;

// check whether the token is revoked
String jwtHeader = signedJWT.getHeader().toString();
Expand All @@ -543,13 +552,14 @@ private JWTValidationInfo getJwtValidationInfo(String jwtToken, String organizat
APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE);
}

JWTValidationInfo jwtValidationInfo = jwtValidator.validateToken(signedJWTInfo);
JWTValidationInfo jwtValidationInfo = jwtValidator.validateToken(jwtToken, signedJWTInfo);
if (isGatewayTokenCacheEnabled) {
// Add token to tenant token cache
if (jwtValidationInfo.isValid()) {
CacheProviderUtil.getOrganizationCache(organization).getGatewayKeyCache().put(jwtToken, jwtValidationInfo);
CacheProviderUtil.getOrganizationCache(organization).getGatewayKeyCache().put(signature,
jwtValidationInfo);
} else {
CacheProviderUtil.getOrganizationCache(organization).getInvalidTokenCache().put(jwtToken, true);
CacheProviderUtil.getOrganizationCache(organization).getInvalidTokenCache().put(signature, true);
}
}
return jwtValidationInfo;
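Review bot: `jwtParts[2]` at the top of the first hunk is read before the token has been parsed, so a bearer value that is not three dot-separated segments throws ArrayIndexOutOfBoundsException from the cache branch instead of the 401 the rest of the method produces; Java's `String.split` also drops trailing empty strings, so an unsigned `header.payload.` token (e.g. `alg: none`) yields only two parts and hits the same path. Reject that shape explicitly before the cache lookup — an empty signature is no use as a cache key anyway, and the later code only handles a SignedJWT. A minor second point: `StringUtils.equals` on the cached versus presented token is not constant-time; `MessageDigest.isEqual` on the UTF-8 bytes would remove the (admittedly hard-to-exploit) timing difference. The middle of getJwtValidationInfo, between the two hunks, is outside the hunk.
```java
String[] jwtParts = jwtToken.split("\\.");
// A JWS has exactly three segments; an empty third segment (e.g. alg=none) is not a usable cache key.
if (jwtParts.length != 3 || jwtParts[2].isEmpty()) {
    throw new APISecurityException(APIConstants.StatusCodes.UNAUTHENTICATED.getCode(),
            APISecurityConstants.API_AUTH_INVALID_CREDENTIALS,
            APISecurityConstants.API_AUTH_INVALID_CREDENTIALS_MESSAGE);
}
String signature = jwtParts[2];
// … unchanged: cache lookup, tamper check and revocation check …
```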
Original file line number Diff line number Diff line change
Expand Up @@ -75,7 +75,7 @@ public JWTValidator(ExtendedTokenIssuerDto tokenIssuer) throws EnforcerException
}
}

public JWTValidationInfo validateToken(SignedJWTInfo signedJWTInfo) throws EnforcerException {
public JWTValidationInfo validateToken(String token, SignedJWTInfo signedJWTInfo) throws EnforcerException {
JWTValidationInfo jwtValidationInfo = new JWTValidationInfo();
boolean state;
try {
Expand All @@ -91,6 +91,7 @@ public JWTValidationInfo validateToken(SignedJWTInfo signedJWTInfo) throws Enfor
jwtValidationInfo.setKeyManager(tokenIssuer.getName());
jwtValidationInfo.setIdentifier(JWTUtils.getJWTTokenIdentifier(signedJWTInfo));
jwtValidationInfo.setJwtClaimsSet(signedJWTInfo.getJwtClaimsSet());
jwtValidationInfo.setToken(token);
return jwtValidationInfo;
}
logger.debug("Token is expired.");
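Review bot: The new `token` parameter of `validateToken` is undocumented, and what it stores is the raw bearer credential that the gateway later compares against the presented token on a cache hit, so the contract deserves stating. I would add a Javadoc block on the method saying that `token` is the serialized JWT exactly as received from the client, that it is retained on the returned JWTValidationInfo only so cache hits can be matched against the presented token, and that it must not be logged, with `@param token`, `@param signedJWTInfo` and `@throws EnforcerException` lines. Changing this public signature also breaks any other caller of `validateToken(SignedJWTInfo)`; I cannot see other callers or whether SignedJWTInfo exposes the serialized form, so whether a delegating overload is warranted is for the author to confirm. The method body continues past the hunk.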
