Posted to commits@cxf.apache.org by co...@apache.org on 2015/11/04 18:54:33 UTC
[02/14] cxf git commit: Split JWT headers into signature and
encryption headers
Split JWT headers into signature and encryption headers
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/3dbe9321
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/3dbe9321
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/3dbe9321
Branch: refs/heads/3.0.x-fixes
Commit: 3dbe932107e08bfc01403d8e5ca8dc77cee6dd20
Parents: 1870f95
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Nov 4 12:19:35 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Nov 4 17:53:37 2015 +0000
----------------------------------------------------------------------
.../jaxrs/JwtAuthenticationClientFilter.java | 3 --
.../jose/jaxrs/JwtAuthenticationFilter.java | 4 +-
.../jose/jwe/JweJwtCompactProducer.java | 2 +-
.../jose/jws/JwsJwtCompactProducer.java | 3 +-
.../jose/jwt/AbstractJoseJwtConsumer.java | 18 +++++----
.../cxf/rs/security/jose/jwt/JwtToken.java | 39 ++++++++++++++------
.../jose/jws/JwsCompactReaderWriterTest.java | 15 ++++----
.../grants/jwt/JwtBearerGrantHandler.java | 2 +-
.../oidc/rp/AbstractTokenValidator.java | 2 +-
.../cxf/rs/security/oidc/utils/OidcUtils.java | 4 +-
10 files changed, 53 insertions(+), 39 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/3dbe9321/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationClientFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationClientFilter.java b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationClientFilter.java
index a0946ce..a2ce5d1 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationClientFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationClientFilter.java
@@ -33,7 +33,6 @@ import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.PhaseInterceptorChain;
import org.apache.cxf.rs.security.jose.common.JoseException;
-import org.apache.cxf.rs.security.jose.common.JoseUtils;
import org.apache.cxf.rs.security.jose.jwe.JweHeaders;
import org.apache.cxf.rs.security.jose.jwt.AbstractJoseJwtProducer;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
@@ -64,8 +63,6 @@ public class JwtAuthenticationClientFilter extends AbstractJoseJwtProducer
if (jwt == null) {
throw new JoseException("JWT token is not available");
}
- JoseUtils.setJoseMessageContextProperty(jwt.getHeaders(),
- getContextPropertyValue());
String data = super.processJwt(jwt);
requestContext.getHeaders().putSingle(HttpHeaders.AUTHORIZATION,
authScheme + " " + data);
http://git-wip-us.apache.org/repos/asf/cxf/blob/3dbe9321/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
index 0a7c98f..4f590c9 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
@@ -34,7 +34,6 @@ import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.rs.security.jose.common.JoseConstants;
import org.apache.cxf.rs.security.jose.common.JoseException;
-import org.apache.cxf.rs.security.jose.common.JoseUtils;
import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
import org.apache.cxf.rs.security.jose.jwt.AbstractJoseJwtConsumer;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
@@ -60,7 +59,6 @@ public class JwtAuthenticationFilter extends AbstractJoseJwtConsumer implements
throw new JoseException(expectedAuthScheme + " scheme is expected");
}
JwtToken token = super.getJwtToken(parts[1]);
- JoseUtils.setMessageContextProperty(token.getHeaders());
SecurityContext securityContext = configureSecurityContext(token);
if (securityContext != null) {
@@ -83,7 +81,7 @@ public class JwtAuthenticationFilter extends AbstractJoseJwtConsumer implements
private boolean isVerifiedWithAPublicKey(JwtToken jwt) {
if (isJwsRequired()) {
- String alg = (String)jwt.getHeader(JoseConstants.HEADER_ALGORITHM);
+ String alg = (String)jwt.getJwsHeader(JoseConstants.HEADER_ALGORITHM);
SignatureAlgorithm sigAlg = SignatureAlgorithm.getAlgorithm(alg);
return SignatureAlgorithm.isPublicKeyAlgorithm(sigAlg);
}
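Review bot: The `alg` value in `isVerifiedWithAPublicKey` is still read through the untyped `getJwsHeader(...)` accessor and cast to `String`, so a token whose header carries a non-string `alg` would surface as a `ClassCastException` rather than a JOSE error. Since `getJwsHeaders()` now returns a `JwsHeaders`, the typed accessor that the tests in this commit already use reads more directly: `SignatureAlgorithm sigAlg = jwt.getJwsHeaders().getSignatureAlgorithm();`. How `SignatureAlgorithm.getAlgorithm` treats a missing `alg` is not visible here, so an absent header deserves an explicit check as well. The method body continues past the end of the hunk.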
http://git-wip-us.apache.org/repos/asf/cxf/blob/3dbe9321/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJwtCompactProducer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJwtCompactProducer.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJwtCompactProducer.java
index f52f9e2..d35cd0a 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJwtCompactProducer.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJwtCompactProducer.java
@@ -32,7 +32,7 @@ public class JweJwtCompactProducer {
private JweHeaders headers;
private String claimsJson;
public JweJwtCompactProducer(JwtToken token) {
- this(new JweHeaders(token.getHeaders()), token.getClaims());
+ this(new JweHeaders(token.getJweHeaders()), token.getClaims());
}
public JweJwtCompactProducer(JwtClaims claims) {
this(new JweHeaders(), claims);
http://git-wip-us.apache.org/repos/asf/cxf/blob/3dbe9321/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactProducer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactProducer.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactProducer.java
index 3ac6021..8b73b02 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactProducer.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactProducer.java
@@ -17,6 +17,7 @@
* under the License.
*/
package org.apache.cxf.rs.security.jose.jws;
+
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.cxf.rs.security.jose.jwt.JwtTokenReaderWriter;
@@ -35,7 +36,7 @@ public class JwsJwtCompactProducer extends JwsCompactProducer {
this(new JwtToken(headers, claims), null);
}
protected JwsJwtCompactProducer(JwtToken token, JwtTokenReaderWriter w) {
- super(new JwsHeaders(token.getHeaders()), w,
+ super(new JwsHeaders(token.getJwsHeaders()), w,
JwtUtils.claimsToJson(token.getClaims(), w));
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/3dbe9321/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtConsumer.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtConsumer.java
index daea97b..df482b8 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtConsumer.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtConsumer.java
@@ -19,9 +19,10 @@
package org.apache.cxf.rs.security.jose.jwt;
import org.apache.cxf.rs.security.jose.common.AbstractJoseConsumer;
+import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
+import org.apache.cxf.rs.security.jose.jwe.JweHeaders;
import org.apache.cxf.rs.security.jose.jwe.JweJwtCompactConsumer;
-import org.apache.cxf.rs.security.jose.jws.JwsHeaders;
import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
import org.apache.cxf.rs.security.jose.jws.JwsUtils;
@@ -41,6 +42,7 @@ public abstract class AbstractJoseJwtConsumer extends AbstractJoseConsumer {
throw new JwtException("Unable to process JWT");
}
+ JweHeaders jweHeaders = new JweHeaders();
if (isJweRequired()) {
if (jweDecryptor == null) {
jweDecryptor = getInitializedDecryptionProvider();
@@ -52,12 +54,16 @@ public abstract class AbstractJoseJwtConsumer extends AbstractJoseConsumer {
if (!isJwsRequired()) {
return new JweJwtCompactConsumer(wrappedJwtToken).decryptWith(jweDecryptor);
}
- wrappedJwtToken = jweDecryptor.decrypt(wrappedJwtToken).getContentText();
+ JweDecryptionOutput decOutput = jweDecryptor.decrypt(wrappedJwtToken);
+ wrappedJwtToken = decOutput.getContentText();
+ jweHeaders = decOutput.getHeaders();
}
-
JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(wrappedJwtToken);
JwtToken jwt = jwtConsumer.getJwtToken();
+ // Store the encryption headers as well
+ jwt = new JwtToken(jwt.getJwsHeaders(), jweHeaders, jwt.getClaims());
+
if (isJwsRequired()) {
if (theSigVerifier == null) {
theSigVerifier = getInitializedSignatureVerifier(jwt);
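Review bot: The JWE-only branch (`return new JweJwtCompactConsumer(wrappedJwtToken).decryptWith(jweDecryptor);`) returns before the new `jwt = new JwtToken(jwt.getJwsHeaders(), jweHeaders, jwt.getClaims());` line. On that path the encryption headers reach the token only if `decryptWith` sets them itself, which this diff does not show. Separately, `decOutput.getHeaders()` is stored without a null check, while `JwtToken.hashCode()` and `equals()` dereference `jweHeaders` unconditionally. I would keep the empty default unless a value is present: `if (decOutput.getHeaders() != null) { jweHeaders = decOutput.getHeaders(); }`. The enclosing method starts and ends outside the hunk.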
@@ -79,11 +85,7 @@ public abstract class AbstractJoseJwtConsumer extends AbstractJoseConsumer {
return super.getJwsVerifier();
}
- if (jwt.getHeaders() instanceof JwsHeaders) {
- return JwsUtils.loadSignatureVerifier((JwsHeaders)jwt.getHeaders(), false);
- }
-
- return super.getInitializedSignatureVerifier();
+ return JwsUtils.loadSignatureVerifier(jwt.getJwsHeaders(), false);
}
protected void validateToken(JwtToken jwt) {
}
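Review bot: With the `instanceof` branch and the `super.getInitializedSignatureVerifier()` fallback removed, `getInitializedSignatureVerifier(JwtToken)` always loads the verifier from `jwt.getJwsHeaders()`, and the caller in this file passes a token whose signature has not been checked yet. What `JwsUtils.loadSignatureVerifier(headers, false)` takes from those headers is not visible here. It is worth confirming that the accepted algorithm and key come from local configuration, and that header values such as `alg` or `kid` only select among keys that are already trusted. A short comment stating that, and what the `false` argument switches off, would help the next reader. The method starts outside the hunk.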
http://git-wip-us.apache.org/repos/asf/cxf/blob/3dbe9321/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtToken.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtToken.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtToken.java
index 069b8f2..6780e78 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtToken.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtToken.java
@@ -18,39 +18,56 @@
*/
package org.apache.cxf.rs.security.jose.jwt;
-import org.apache.cxf.rs.security.jose.common.JoseHeaders;
+import org.apache.cxf.rs.security.jose.jwe.JweHeaders;
+import org.apache.cxf.rs.security.jose.jws.JwsHeaders;
public class JwtToken {
- private JoseHeaders headers;
+ private JwsHeaders jwsHeaders;
+ private JweHeaders jweHeaders;
private JwtClaims claims;
+
public JwtToken(JwtClaims claims) {
- this(new JoseHeaders() { }, claims);
+ this(new JwsHeaders() { }, new JweHeaders() { }, claims);
+ }
+ public JwtToken(JwsHeaders jwsHeaders, JwtClaims claims) {
+ this(jwsHeaders, new JweHeaders() { }, claims);
+ }
+ public JwtToken(JweHeaders jweHeaders, JwtClaims claims) {
+ this(new JwsHeaders() { }, jweHeaders, claims);
}
- public JwtToken(JoseHeaders headers, JwtClaims claims) {
- this.headers = headers;
+ public JwtToken(JwsHeaders jwsHeaders, JweHeaders jweHeaders, JwtClaims claims) {
+ this.jwsHeaders = jwsHeaders;
+ this.jweHeaders = jweHeaders;
this.claims = claims;
}
- public JoseHeaders getHeaders() {
- return headers;
+ public JwsHeaders getJwsHeaders() {
+ return jwsHeaders;
+ }
+ public JweHeaders getJweHeaders() {
+ return jweHeaders;
}
public JwtClaims getClaims() {
return claims;
}
- public Object getHeader(String name) {
- return headers.getHeader(name);
+ public Object getJwsHeader(String name) {
+ return jwsHeaders.getHeader(name);
+ }
+ public Object getJweHeader(String name) {
+ return jweHeaders.getHeader(name);
}
public Object getClaim(String name) {
return claims.getClaim(name);
}
public int hashCode() {
- return headers.hashCode() + 37 * claims.hashCode();
+ return jwsHeaders.hashCode() + 37 * claims.hashCode() + 37 * jweHeaders.hashCode();
}
public boolean equals(Object obj) {
return obj instanceof JwtToken
- && ((JwtToken)obj).headers.equals(this.headers)
+ && ((JwtToken)obj).jwsHeaders.equals(this.jwsHeaders)
+ && ((JwtToken)obj).jweHeaders.equals(this.jweHeaders)
&& ((JwtToken)obj).claims.equals(this.claims);
}
}
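Review bot: The three-argument constructor stores `jwsHeaders` and `jweHeaders` as given, while `getJwsHeader`, `getJweHeader`, `hashCode` and `equals` dereference both without a check, so a caller passing `null` for either header set gets a `NullPointerException` later on. Defaulting in the constructor would match what the shorter constructors already do: `this.jweHeaders = jweHeaders != null ? jweHeaders : new JweHeaders();` and likewise for `jwsHeaders`. In `hashCode`, `claims` and `jweHeaders` share the multiplier 37, so two tokens whose claims hash and JWE-headers hash are swapped collide; a distinct factor such as `37 * 37 * jweHeaders.hashCode()` avoids that. The two two-argument constructors now differ only in header type, so `new JwtToken(null, claims)` no longer compiles, and `getHeaders()` and `getHeader(String)` disappear from a public class on a fixes branch; both deserve a line in the release notes.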
http://git-wip-us.apache.org/repos/asf/cxf/blob/3dbe9321/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactReaderWriterTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactReaderWriterTest.java b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactReaderWriterTest.java
index 4624dd4..0e6c7ba 100644
--- a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactReaderWriterTest.java
+++ b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactReaderWriterTest.java
@@ -29,7 +29,6 @@ import java.util.List;
import java.util.Map;
import org.apache.cxf.rs.security.jose.common.JoseConstants;
-import org.apache.cxf.rs.security.jose.common.JoseHeaders;
import org.apache.cxf.rs.security.jose.common.JoseType;
import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
@@ -170,7 +169,7 @@ public class JwsCompactReaderWriterTest extends Assert {
assertTrue(jws.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY,
SignatureAlgorithm.HS256)));
JwtToken token = jws.getJwtToken();
- JwsHeaders headers = new JwsHeaders(token.getHeaders());
+ JwsHeaders headers = new JwsHeaders(token.getJwsHeaders());
assertEquals(JoseType.JWT, headers.getType());
assertEquals(SignatureAlgorithm.HS256, headers.getSignatureAlgorithm());
validateSpecClaim(token.getClaims());
@@ -218,7 +217,7 @@ public class JwsCompactReaderWriterTest extends Assert {
assertTrue(jws.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY,
SignatureAlgorithm.HS256)));
JwtToken token = jws.getJwtToken();
- JwsHeaders headers = new JwsHeaders(token.getHeaders());
+ JwsHeaders headers = new JwsHeaders(token.getJwsHeaders());
assertEquals(JoseType.JWT, headers.getType());
assertEquals(SignatureAlgorithm.HS256, headers.getSignatureAlgorithm());
@@ -263,7 +262,7 @@ public class JwsCompactReaderWriterTest extends Assert {
RSAPublicKey key = CryptoUtils.getRSAPublicKey(RSA_MODULUS_ENCODED, RSA_PUBLIC_EXPONENT_ENCODED);
assertTrue(jws.verifySignatureWith(new PublicKeyJwsSignatureVerifier(key, SignatureAlgorithm.PS256)));
JwtToken token = jws.getJwtToken();
- JwsHeaders inHeaders = new JwsHeaders(token.getHeaders());
+ JwsHeaders inHeaders = new JwsHeaders(token.getJwsHeaders());
assertEquals(SignatureAlgorithm.PS256,
inHeaders.getSignatureAlgorithm());
validateSpecClaim(token.getClaims());
@@ -293,7 +292,7 @@ public class JwsCompactReaderWriterTest extends Assert {
assertTrue(jwsConsumer.verifySignatureWith(new EcDsaJwsSignatureVerifier(publicKey,
SignatureAlgorithm.ES256)));
JwtToken token = jwsConsumer.getJwtToken();
- JwsHeaders headersReceived = new JwsHeaders(token.getHeaders());
+ JwsHeaders headersReceived = new JwsHeaders(token.getJwsHeaders());
assertEquals(SignatureAlgorithm.ES256, headersReceived.getSignatureAlgorithm());
validateSpecClaim(token.getClaims());
}
@@ -304,19 +303,19 @@ public class JwsCompactReaderWriterTest extends Assert {
RSAPublicKey key = CryptoUtils.getRSAPublicKey(RSA_MODULUS_ENCODED, RSA_PUBLIC_EXPONENT_ENCODED);
assertTrue(jws.verifySignatureWith(new PublicKeyJwsSignatureVerifier(key, SignatureAlgorithm.RS256)));
JwtToken token = jws.getJwtToken();
- JwsHeaders headers = new JwsHeaders(token.getHeaders());
+ JwsHeaders headers = new JwsHeaders(token.getJwsHeaders());
assertEquals(SignatureAlgorithm.RS256, headers.getSignatureAlgorithm());
validateSpecClaim(token.getClaims());
}
- private JwsCompactProducer initSpecJwtTokenWriter(JoseHeaders headers) throws Exception {
+ private JwsCompactProducer initSpecJwtTokenWriter(JwsHeaders jwsHeaders) throws Exception {
JwtClaims claims = new JwtClaims();
claims.setIssuer("joe");
claims.setExpiryTime(1300819380L);
claims.setClaim("http://example.com/is_root", Boolean.TRUE);
- JwtToken token = new JwtToken(headers, claims);
+ JwtToken token = new JwtToken(jwsHeaders, claims);
return new JwsJwtCompactProducer(token, getWriter());
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/3dbe9321/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/JwtBearerGrantHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/JwtBearerGrantHandler.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/JwtBearerGrantHandler.java
index a5935b0..5bef103 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/JwtBearerGrantHandler.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/JwtBearerGrantHandler.java
@@ -58,7 +58,7 @@ public class JwtBearerGrantHandler extends AbstractJwtHandler {
try {
JwsJwtCompactConsumer jwsReader = getJwsReader(assertion);
JwtToken jwtToken = jwsReader.getJwtToken();
- validateSignature(new JwsHeaders(jwtToken.getHeaders()),
+ validateSignature(new JwsHeaders(jwtToken.getJwsHeaders()),
jwsReader.getUnsignedEncodedSequence(),
jwsReader.getDecodedSignature());
http://git-wip-us.apache.org/repos/asf/cxf/blob/3dbe9321/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
index 40e1c80..3ff74e9 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
@@ -113,7 +113,7 @@ public abstract class AbstractTokenValidator extends AbstractOAuthJoseJwtConsume
throw new SecurityException("Self-issued JWK key is invalid or not available");
}
} else {
- String keyId = jwt.getHeaders().getKeyId();
+ String keyId = jwt.getJwsHeaders().getKeyId();
key = keyId != null ? keyMap.get(keyId) : null;
if (key == null && jwkSetClient != null) {
JsonWebKeys keys = jwkSetClient.get(JsonWebKeys.class);
http://git-wip-us.apache.org/repos/asf/cxf/blob/3dbe9321/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
index ccad6d7..7ced717 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
@@ -95,7 +95,7 @@ public final class OidcUtils {
if (required) {
validateHash(at.getTokenKey(),
(String)jwt.getClaims().getClaim("at_hash"),
- jwt.getHeaders().getAlgorithm());
+ jwt.getJwsHeaders().getAlgorithm());
}
}
public static void validateCodeHash(String code, JwtToken jwt) {
@@ -105,7 +105,7 @@ public final class OidcUtils {
if (required) {
validateHash(code,
(String)jwt.getClaims().getClaim("c_hash"),
- jwt.getHeaders().getAlgorithm());
+ jwt.getJwsHeaders().getAlgorithm());
}
}
private static void validateHash(String value, String theHash, String joseAlgo) {