public Authentication authenticate(HttpServletRequest request) throws Exception { String idToken = request.getHeader(this.jwtConfiguration.getHttpHeader()); if (idToken != null) { JWKSource jwkSource = new RemoteJWKSet(new URL(jwkUrl)); JWSAlgorithm jwsAlgorithm = JWSAlgorithm.RS256; JWSKeySelector keySelector = new JWSVerificationKeySelector(jwsAlgorithm, jwkSource); configurableJWTProcessor.setJWSKeySelector(keySelector); JWTClaimsSet claims = this.configurableJWTProcessor.process(this.getBearerToken(idToken),null); validateIssuer(claims); verifyIfAccessToken(claims); String username = claims.getClaims().get("username").toString(); if (username != null) { List grantedAuthorities = of( new SimpleGrantedAuthority("ROLE_USER")); User user = new User(username, "", of()); return new CognitoJwtAuthentication(username, claims, grantedAuthorities); } } return null; } } private void validateIssuer(JWTClaimsSet claims) throws Exception { if (!claims.getIssuer().equals(userPoolId)) { throw new Exception(String.format("Issuer %s does not match cognito idp %s", claims.getIssuer(), this.jwtConfiguration.getUserPoolUrl())); } }
private void verifyIfAccessToken(JWTClaimsSet claims) throws Exception { if (!claims.getClaim("token_use").equals("access")) { throw new Exception("JWT Token is not an ID Token"); } }