Package net.shibboleth.idp.plugin.authn.duo.impl

Class ValidateTokenSignature

java.lang.Object

net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

org.opensaml.profile.action.AbstractProfileAction

org.opensaml.profile.action.AbstractConditionalProfileAction

net.shibboleth.idp.profile.AbstractProfileAction

net.shibboleth.idp.authn.AbstractAuthenticationAction

net.shibboleth.idp.plugin.authn.duo.AbstractDuoAuthenticationAction

net.shibboleth.idp.plugin.authn.duo.impl.ValidateTokenSignature

All Implemented Interfaces:

Component, DestructableComponent, InitializableComponent, ProfileAction, Aware, MessageSource, MessageSourceAware, Action

public class ValidateTokenSignature
extends AbstractDuoAuthenticationAction

Action to validate the JWT signature. The JWT **must** be signed using the HMAC_SHA family, any other type, including 'none', emits an error back to the flow.

Event:

AuthnEventIds.NO_CREDENTIALS, AuthnEventIds.INVALID_AUTHN_CTX, AuthnEventIds.AUTHN_EXCEPTION

Precondition:

      ProfileRequestContext.getSubcontext(AuthenticationContext.class, false) != null
      

,

      AuthenticationContext.getSubcontext(DuoOIDCAuthenticationContext.class, false) != null
      

Field Summary

Fields

Modifier and Type	Field	Description
private com.nimbusds.jwt.JWTClaimsSet	claimSet	The parsed claimset.
private DuoOIDCIntegration	integration	The Duo integration appropriate for this request.
private org.slf4j.Logger	log	Class logger.
private com.nimbusds.jose.Algorithm	signatureAlgorithm	The signature algorithm used.
private static com.nimbusds.jose.JWSAlgorithm.Family	SUPPORTED_SIGNATURE_FAMILY	The HMAC 'family' of signature algorithms is the only supported, based on the shared secret in the client integration.
private com.nimbusds.jwt.JWT	token	The Duo authentication token.

Constructor Summary

Constructors

Constructor	Description
ValidateTokenSignature()	Constructor.

Method Summary

Modifier and Type	Method	Description
protected void	doExecute(ProfileRequestContext profileRequestContext, net.shibboleth.idp.authn.context.AuthenticationContext authenticationContext, DuoOIDCAuthenticationContext duoContext)
protected boolean	doPreExecute(ProfileRequestContext profileRequestContext, net.shibboleth.idp.authn.context.AuthenticationContext authenticationContext, DuoOIDCAuthenticationContext duoContext)
void	setSignatureAlgorithm(com.nimbusds.jose.JWSAlgorithm algo)	Set the signature algorithm to use.

Methods inherited from class net.shibboleth.idp.plugin.authn.duo.AbstractDuoAuthenticationAction

doExecute, doPreExecute, setDuoContextLookupStrategy

Methods inherited from class net.shibboleth.idp.authn.AbstractAuthenticationAction

doExecute, doPreExecute, setAuthenticationContextLookupStrategy

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction

doExecute, execute, getMessage, getMessage, getMessage, getProfileContextLookupStrategy, getRequestContext, getResult, setMessageSource, setProfileContextLookupStrategy

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction

getActivationCondition, setActivationCondition

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction

doPostExecute, doPostExecute, execute, getHttpServletRequest, getHttpServletResponse, getLogPrefix, setHttpServletRequest, setHttpServletResponse

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

destroy, doDestroy, doInitialize, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent

initialize, isInitialized

Field Detail

SUPPORTED_SIGNATURE_FAMILY

@Nonnull
private static final com.nimbusds.jose.JWSAlgorithm.Family SUPPORTED_SIGNATURE_FAMILY

The HMAC 'family' of signature algorithms is the only supported, based on the shared secret in the client integration.

log

@Nonnull
private final org.slf4j.Logger log

Class logger.

signatureAlgorithm

@Nonnull
private com.nimbusds.jose.Algorithm signatureAlgorithm

The signature algorithm used. This is fixed and not taken from the JWS. There is no reason, in the Duo case, to determine the algorithm from the JWS as HS512 is the only required algorithm.

token

@Nullable
private com.nimbusds.jwt.JWT token

The Duo authentication token.

claimSet

@Nullable
private com.nimbusds.jwt.JWTClaimsSet claimSet

The parsed claimset.

integration

@Nullable
private DuoOIDCIntegration integration

The Duo integration appropriate for this request.

Constructor Detail

ValidateTokenSignature

public ValidateTokenSignature()

Constructor.

Method Detail

setSignatureAlgorithm

public void setSignatureAlgorithm(@Nonnull
                                  com.nimbusds.jose.JWSAlgorithm algo)

Set the signature algorithm to use. Only supports one of the HMAC_SHA family.

Parameters:

algo - the JWS signature algorithm.

doPreExecute

protected boolean doPreExecute(@Nonnull
                               ProfileRequestContext profileRequestContext,
                               @Nonnull
                               net.shibboleth.idp.authn.context.AuthenticationContext authenticationContext,
                               @Nonnull
                               DuoOIDCAuthenticationContext duoContext)

Overrides:

doPreExecute in class AbstractDuoAuthenticationAction

doExecute

protected void doExecute(@Nonnull
                         ProfileRequestContext profileRequestContext,
                         @Nonnull
                         net.shibboleth.idp.authn.context.AuthenticationContext authenticationContext,
                         @Nonnull
                         DuoOIDCAuthenticationContext duoContext)

Overrides:

doExecute in class AbstractDuoAuthenticationAction