lti-demo/src/main/java/riomhaire/lti/adapters/token/JWKBasedJwtToMapAdapter.java

package riomhaire.lti.adapters.token;

import com.auth0.jwt.JWT;
import com.auth0.jwt.interfaces.DecodedJWT;
import lombok.Builder;
import lombok.extern.slf4j.Slf4j;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver;
import riomhaire.lti.model.interfaces.DecodeException;
import riomhaire.lti.model.interfaces.Decoder;

import java.util.Map;

@Slf4j
@Builder
public class JWKBasedJwtToMapAdapter implements Decoder<Map<String, Object>,String> {

    protected String jwksUrl;
    protected boolean skipVerification;


    public Map<String, Object> decode(String token) throws DecodeException {
        DecodedJWT jwt = JWT.decode(token);
        JwtClaims verifiedClaims;


        String clientId = jwt.getClaim("aud").asString();


        try {
            // OK look up jwks and verify
            log.info("Using key:"+jwt.getKeyId()+" to search: "+jwksUrl);
            HttpsJwks httpsJkws = new HttpsJwks(jwksUrl);
            HttpsJwksVerificationKeyResolver httpsJwksKeyResolver = new HttpsJwksVerificationKeyResolver(httpsJkws);
            JwtConsumer jwtConsumer = new JwtConsumerBuilder()
                    .setVerificationKeyResolver(httpsJwksKeyResolver)
                    .setExpectedAudience(clientId)
                    .build();
            if( skipVerification )  { // Dont verify
                jwtConsumer.setSkipVerificationKeyResolutionOnNone(true);
            }
            verifiedClaims = jwtConsumer.processToClaims(token);
        } catch ( InvalidJwtException e) {
            throw new DecodeException();
        }
        // OK were here ... so valid
        return verifiedClaims.getClaimsMap();
    }
}