Java源码示例:com.google.api.client.json.webtoken.JsonWebToken

示例1
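/**
 * Verifies a serialized JWT against the expected audience and the IAP issuer, then checks that
 * the payload carries both a subject and an {@code email} claim.
 *
 * <p>Fails closed: a missing token or a missing/empty expected audience is rejected before the
 * verifier is built, so a caller bug can never turn into a token that is accepted without an
 * audience comparison.
 *
 * <p>The claim check is a presence check only. Callers that make authorization decisions on the
 * subject or email must compare those values themselves.
 *
 * @param jwtToken the serialized JWT to verify
 * @param expectedAudience the audience the token must have been issued for
 * @return {@code true} only when verification succeeds and both claims are present
 */
private boolean verifyJwt(String jwtToken, String expectedAudience) {
  // NOTE(review): TokenVerifier is understood to skip the audience comparison when no audience
  // is configured; confirm against the library version in use. Rejecting here is safe either way.
  if (jwtToken == null || jwtToken.isEmpty()
      || expectedAudience == null || expectedAudience.isEmpty()) {
    return false;
  }

  TokenVerifier tokenVerifier = TokenVerifier.newBuilder()
      .setAudience(expectedAudience)
      .setIssuer(IAP_ISSUER_URL)
      .build();
  try {
    JsonWebToken jsonWebToken = tokenVerifier.verify(jwtToken);

    // Require the identity claims to be present; their values are not inspected here.
    JsonWebToken.Payload payload = jsonWebToken.getPayload();
    return payload.getSubject() != null && payload.get("email") != null;
  } catch (TokenVerifier.VerificationException e) {
    // Any verification failure is treated as "not valid"; the reason is printed for diagnosis.
    System.out.println(e.getMessage());
    return false;
  }
}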
 
示例2
/**
 * Returns the shared {@link JsonWebSignature} fixture, building it on first use.
 *
 * <p>The header declares RS256 and carries a two-entry X.509 chain (leaf first, then CA). The
 * signature bytes and signed content are cut out of {@code JWS_SIGNATURE} at its second dot:
 * everything before it is the signed content, everything after it is the Base64 signature.
 *
 * <p>NOTE(review): the dot positions are not checked for -1, and no synchronization is visible
 * in this method around the cached static field.
 *
 * @return the cached signature object
 * @throws IOException declared by the signature; nothing in the visible body throws it directly
 */
public static JsonWebSignature getJsonWebSignature() throws IOException {
  if (jsonWebSignature != null) {
    return jsonWebSignature;
  }

  JsonWebSignature.Header jwsHeader = new JsonWebSignature.Header();
  jwsHeader.setAlgorithm("RS256");
  List<String> certificateChain = Lists.newArrayList();
  certificateChain.add(FOO_BAR_COM_CERT.getBase64Der());
  certificateChain.add(CA_CERT.getBase64Der());
  jwsHeader.setX509Certificates(certificateChain);

  JsonWebToken.Payload claims = new JsonWebToken.Payload();
  claims.set("foo", "bar");

  // Compact serialization is header.payload.signature; locate the separator before the signature.
  int headerEnd = JWS_SIGNATURE.indexOf('.');
  int signatureSeparator = JWS_SIGNATURE.indexOf('.', headerEnd + 1);
  String encodedSignature = JWS_SIGNATURE.substring(signatureSeparator + 1);
  byte[] signatureBytes = Base64.decodeBase64(encodedSignature);
  String signedContent = JWS_SIGNATURE.substring(0, signatureSeparator);
  byte[] signedContentBytes = StringUtils.getBytesUtf8(signedContent);

  jsonWebSignature = new JsonWebSignature(jwsHeader, claims, signatureBytes, signedContentBytes);
  return jsonWebSignature;
}
 
示例3
/**
 * Signs the given header and payload with RSA/SHA-256 using this object's private key.
 *
 * @param header the JWS header to sign
 * @param payload the claims to sign
 * @return the signed token string
 * @throws RuntimeException wrapping the underlying signing or serialization failure
 */
public String createToken(JsonWebSignature.Header header, JsonWebToken.Payload payload) {
  final String signedToken;
  try {
    signedToken = JsonWebSignature.signUsingRsaSha256(privateKey, JSON_FACTORY, header, payload);
  } catch (IOException | GeneralSecurityException signingFailure) {
    // Keep the cause attached so the original failure stays visible to the caller.
    throw new RuntimeException("Failed to create test token", signingFailure);
  }
  return signedToken;
}
 
示例4
/**
 * Builds a payload with issuer, audience, issued-at, expiration and subject claims.
 *
 * <p>The expiration is set 3600 seconds (one hour) after the clock reading taken for it. The
 * clock is read separately for issued-at and expiration, as in the original.
 *
 * @return the populated payload
 */
public JsonWebToken.Payload createTokenPayload() {
  JsonWebToken.Payload claims = new JsonWebToken.Payload();
  claims.setIssuer(issuer);
  claims.setAudience(PROJECT_ID);

  long issuedAtSeconds = CLOCK.currentTimeMillis() / 1000;
  claims.setIssuedAtTimeSeconds(issuedAtSeconds);

  long expiresAtSeconds = CLOCK.currentTimeMillis() / 1000 + 3600;
  claims.setExpirationTimeSeconds(expiresAtSeconds);

  claims.setSubject(UID);
  return claims;
}
 
示例5
/**
 * Builds and signs a JWT assertion for the configured service-account credentials.
 *
 * <p>Issuer and subject are both the service-account user when one is set, otherwise the client
 * email. The token is valid for 3600 seconds from {@code currentTimeMillis}. The {@code scope}
 * claim is the client email for {@code Type.ID_TOKEN} and the space-joined scopes otherwise.
 *
 * @param type which kind of token the assertion is requested for
 * @param currentTimeMillis the time to use as "now", in milliseconds
 * @return the RS256-signed assertion
 * @throws IllegalStateException if signing or serialization fails
 */
private String createAssertion(Type type, long currentTimeMillis) {
  JsonWebSignature.Header jwsHeader = new JsonWebSignature.Header();
  jwsHeader.setAlgorithm("RS256");
  jwsHeader.setType("JWT");
  jwsHeader.setKeyId(credentials.getPrivateKeyId());

  long issuedAtSecs = TimeUnit.MILLISECONDS.toSeconds(currentTimeMillis);
  JsonWebToken.Payload claims = new JsonWebToken.Payload();

  // Prefer the impersonated user; fall back to the service account's own email.
  String principal =
      MoreObjects.firstNonNull(credentials.getServiceAccountUser(), credentials.getClientEmail());
  claims.setIssuer(principal);
  claims.setAudience(AUDIENCE);
  claims.setIssuedAtTimeSeconds(issuedAtSecs);
  claims.setExpirationTimeSeconds(issuedAtSecs + 3600);
  claims.setSubject(principal);

  String scopeClaim;
  if (type == Type.ID_TOKEN) {
    scopeClaim = credentials.getClientEmail();
  } else {
    scopeClaim = String.join(" ", credentials.getScopes());
  }
  claims.put("scope", scopeClaim);

  try {
    return JsonWebSignature.signUsingRsaSha256(
        credentials.getPrivateKey(), JacksonFactory.getDefaultInstance(), jwsHeader, claims);
  } catch (IOException | GeneralSecurityException signingFailure) {
    throw new IllegalStateException(
        "Error signing service account access token request with private key.", signingFailure);
  }
}
 
示例6
/**
 * Obtains an ID token for a service account without holding its private key locally.
 *
 * <p>The JWT signing input (Base64URL header, a dot, Base64URL payload) is sent to the IAM
 * {@code signBlob} call for the service account. The returned signature is appended and the
 * result is exchanged at the token endpoint with the JWT-bearer grant type.
 *
 * <p>NOTE(review): the value read from the response under {@code id_token} is cast and returned
 * as is; nothing here checks that it is present.
 *
 * @param credentials credentials used (with all IAM scopes applied) to call the IAM API
 * @param serviceAccount the service account to sign as; appended to the IAM resource name
 * @param targetAudience the audience passed to the payload builder
 * @return the {@code id_token} value from the token response
 * @throws IOException if signing or the token exchange fails; a 403 from signing is rewrapped
 *     with a hint about the missing role or disabled API
 */
private String getServiceAccountIdTokenUsingAccessToken(GoogleCredentials credentials,
                                                        String serviceAccount, String targetAudience)
    throws IOException {
  final String tokenEndpoint = "https://oauth2.googleapis.com/token";
  final Header jwsHeader = jwtHeader();
  final JsonWebToken.Payload claims = jwtPayload(targetAudience, serviceAccount, tokenEndpoint);
  final Iam iamClient = new Iam.Builder(httpTransport, JSON_FACTORY,
      new HttpCredentialsAdapter(withScopes(credentials, IamScopes.all()))).build();

  // Build the unsigned "header.payload" part of the compact serialization.
  final String encodedHeader =
      Base64.encodeBase64URLSafeString(JSON_FACTORY.toByteArray(jwsHeader));
  final String encodedClaims =
      Base64.encodeBase64URLSafeString(JSON_FACTORY.toByteArray(claims));
  final String signingInput = encodedHeader + "." + encodedClaims;
  final byte[] signingInputBytes = StringUtils.getBytesUtf8(signingInput);

  final SignBlobResponse signed;
  try {
    signed = iamClient.projects().serviceAccounts()
        .signBlob(
            "projects/-/serviceAccounts/" + serviceAccount,
            new SignBlobRequest().encodeBytesToSign(signingInputBytes))
        .execute();
  } catch (GoogleJsonResponseException e) {
    if (e.getStatusCode() != 403) {
      throw e;
    }
    // A 403 here usually points at a permissions or API-enablement problem; say so.
    throw new IOException(
        "Unable to sign request for id token, missing Service Account Token Creator role for self on "
        + serviceAccount + " or IAM api not enabled?", e);
  }

  final String signedAssertion = signingInput + "." + signed.getSignature();
  final TokenRequest exchange = new TokenRequest(
      httpTransport, JSON_FACTORY,
      new GenericUrl(tokenEndpoint),
      "urn:ietf:params:oauth:grant-type:jwt-bearer");
  exchange.put("assertion", signedAssertion);
  final TokenResponse exchanged = exchange.execute();
  return (String) exchanged.get("id_token");
}
 
示例7
/**
 * Builds the assertion payload for a service-account token request.
 *
 * <p>Issuer is the service-account id, audience is the token server URL, subject is the
 * service-account user, and {@code scope} is the space-joined scope list. The token is valid for
 * 3600 seconds from the system clock reading taken at the start of the call.
 *
 * @return the populated payload
 */
private JsonWebToken.Payload jwtPayload() {
  long nowMillis = System.currentTimeMillis();
  JsonWebToken.Payload claims = new JsonWebToken.Payload();
  claims.setIssuer(getServiceAccountId());
  claims.setAudience(getTokenServerEncodedUrl());

  long issuedAtSeconds = nowMillis / 1000;
  claims.setIssuedAtTimeSeconds(issuedAtSeconds);
  claims.setExpirationTimeSeconds(issuedAtSeconds + 3600);

  claims.setSubject(getServiceAccountUser());
  String scopeClaim = Joiner.on(' ').join(getServiceAccountScopes());
  claims.put("scope", scopeClaim);
  return claims;
}
 
示例8
/**
 * Asks the IAM API to sign the given payload as the named service account.
 *
 * <p>The payload is serialized to JSON with the default JSON factory and sent in a
 * {@code SignJwtRequest}; the private key is not handled by this method.
 *
 * @param serviceAccount the service account to sign as; appended to the IAM resource name
 * @param payload the claims to sign
 * @return the signed JWT from the response
 * @throws IOException if serialization or the IAM call fails
 */
private String signJwt(String serviceAccount, JsonWebToken.Payload payload) throws IOException {
  String resourceName = "projects/-/serviceAccounts/" + serviceAccount;
  String payloadJson = Utils.getDefaultJsonFactory().toString(payload);
  var signRequest = new SignJwtRequest().setPayload(payloadJson);
  var signResponse =
      iam.projects().serviceAccounts().signJwt(resourceName, signRequest).execute();
  return signResponse.getSignedJwt();
}
 
示例9
/**
 * Requests a new access token.
 *
 * <p>Without a service-account private key this defers to the superclass. With one, there is no
 * refresh token: an RS256-signed JWT assertion is built from the service-account settings and
 * exchanged at the token server with the JWT-bearer grant type.
 *
 * @return the token server's response
 * @throws IOException if the request fails, or wrapping a signing failure
 */
@Override
protected TokenResponse executeRefreshToken() throws IOException {
  if (getServiceAccountPrivateKey() == null) {
    return super.executeRefreshToken();
  }

  // Service-account flow: sign an assertion with the private key instead of using a refresh token.
  JsonWebSignature.Header jwsHeader = new JsonWebSignature.Header();
  jwsHeader.setAlgorithm("RS256");
  jwsHeader.setType("JWT");
  jwsHeader.setKeyId(getServiceAccountPrivateKeyId());

  long nowMillis = getClock().currentTimeMillis();
  long issuedAtSeconds = nowMillis / 1000;
  JsonWebToken.Payload claims = new JsonWebToken.Payload();
  claims.setIssuer(getServiceAccountId());
  claims.setAudience(getTokenServerEncodedUrl());
  claims.setIssuedAtTimeSeconds(issuedAtSeconds);
  claims.setExpirationTimeSeconds(issuedAtSeconds + DEFAULT_TOKEN_EXPIRATION_SECONDS);
  claims.setSubject(getServiceAccountUser());
  claims.put("scope", WHITESPACE_JOINER.join(getServiceAccountScopes()));

  try {
    String signedAssertion =
        JsonWebSignature.signUsingRsaSha256(
            getServiceAccountPrivateKey(), getJsonFactory(), jwsHeader, claims);
    TokenRequest exchange =
        new TokenRequest(
            getTransport(),
            getJsonFactory(),
            new GenericUrl(getTokenServerEncodedUrl()),
            "urn:ietf:params:oauth:grant-type:jwt-bearer");
    exchange.setRequestInitializer(getRequestInitializer());
    exchange.put("assertion", signedAssertion);
    return exchange.execute();
  } catch (GeneralSecurityException signingFailure) {
    // Surface signing problems through the declared exception type, keeping the cause.
    throw new IOException("Failed to refresh token", signingFailure);
  }
}
 
示例10
/**
 * Requests a new access token.
 *
 * <p>Without a service-account private key this defers to the superclass. With one, an
 * RS256-signed JWT assertion valid for 3600 seconds is built from the service-account fields and
 * exchanged at the token server with the JWT-bearer grant type.
 *
 * @return the token server's response
 * @throws IOException if the request fails, or carrying a signing failure as its cause
 */
@Override
@Beta
protected TokenResponse executeRefreshToken() throws IOException {
  if (serviceAccountPrivateKey == null) {
    return super.executeRefreshToken();
  }

  // Service-account flow: sign an assertion with the private key instead of using a refresh token.
  JsonWebSignature.Header jwsHeader = new JsonWebSignature.Header();
  jwsHeader.setAlgorithm("RS256");
  jwsHeader.setType("JWT");
  jwsHeader.setKeyId(serviceAccountPrivateKeyId);

  JsonWebToken.Payload claims = new JsonWebToken.Payload();
  long issuedAtSeconds = getClock().currentTimeMillis() / 1000;
  claims.setIssuer(serviceAccountId);
  claims.setAudience(getTokenServerEncodedUrl());
  claims.setIssuedAtTimeSeconds(issuedAtSeconds);
  claims.setExpirationTimeSeconds(issuedAtSeconds + 3600);
  claims.setSubject(serviceAccountUser);
  claims.put("scope", Joiner.on(' ').join(serviceAccountScopes));

  try {
    String signedAssertion = JsonWebSignature.signUsingRsaSha256(
        serviceAccountPrivateKey, getJsonFactory(), jwsHeader, claims);
    TokenRequest exchange = new TokenRequest(
        getTransport(), getJsonFactory(), new GenericUrl(getTokenServerEncodedUrl()),
        "urn:ietf:params:oauth:grant-type:jwt-bearer");
    exchange.put("assertion", signedAssertion);
    return exchange.execute();
  } catch (GeneralSecurityException signingFailure) {
    // The wrapper carries no message of its own; the signing failure is attached as the cause.
    IOException wrapped = new IOException();
    wrapped.initCause(signingFailure);
    throw wrapped;
  }
}