Merge pull request #1134 from stormpath/Issue-1132

Issue 1132

Author: Jose Luis Barrueta

api/src/main/java/com/stormpath/sdk/lang/Strings.java

@@ -16,6 +16,7 @@
 package com.stormpath.sdk.lang;
 
 import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
@@ -1264,4 +1265,34 @@ public static String arrayToCommaDelimitedString(Object[] arr) {
         return arrayToDelimitedString(arr, ",");
     }
 
+    /**
+     * Calls {@link String#getBytes(Charset)}
+     *
+     * @param string  The string to encode (if null, return null).
+     * @param charset The {@link Charset} to encode the <code>String</code>
+     * @return the encoded bytes
+     * @since 1.2.1
+     */
+    private static byte[] getBytes(final String string, final Charset charset) {
+        if (string == null) {
+            return null;
+        }
+        return string.getBytes(charset);
+    }
+
+    /**
+     * Encodes the given string into a sequence of bytes using the UTF-8 charset, storing the result into a new byte
+     * array.
+     *
+     * @param string the String to encode, may be <code>null</code>
+     * @return encoded bytes, or <code>null</code> if the input string was <code>null</code>
+     * @throws NullPointerException Thrown if {@link StandardCharsets#UTF_8} is not initialized, which should never happen since it is
+     *                              required by the Java platform specification.
+     * @see <a href="http://download.oracle.com/javase/6/docs/api/java/nio/charset/Charset.html">Standard charsets</a>
+     * @since 1.2.1
+     */
+    public static byte[] getBytesUtf8(final String string) {
+        return getBytes(string, StandardCharsets.UTF_8);
+    }
+
 }

ci/before_install.sh

@@ -14,7 +14,7 @@ export IS_RELEASE="$([ ${RELEASE_VERSION/SNAPSHOT} == $RELEASE_VERSION ] && [ $T
 export BUILD_DOCS="$([ $TRAVIS_JDK_VERSION == 'oraclejdk8' ] && echo 'true')"
 export RUN_ITS="$([ $TRAVIS_JDK_VERSION == 'openjdk7' ] && echo 'true')"
 #Install Maven 3.3.9 since Travis uses 3.2 by default
-wget https://archive.apache.org/dist/maven/maven-3/3.3.9/binaries/apache-maven-3.3.9-bin.zip
+wget http://mirror.cc.columbia.edu/pub/software/apache/maven/maven-3/3.3.9/binaries/apache-maven-3.3.9-bin.zip
 unzip -qq apache-maven-3.3.9-bin.zip
 export M2_HOME=$PWD/apache-maven-3.3.9
 export PATH=$M2_HOME/bin:$PATH

extensions/httpclient/src/test/groovy/com/stormpath/sdk/impl/application/webconfig/WebConfigurationIT.groovy

@@ -27,9 +27,18 @@ import com.stormpath.sdk.application.webconfig.MeConfig
 import com.stormpath.sdk.application.webconfig.MeExpansionConfig
 import com.stormpath.sdk.application.webconfig.Oauth2Config
 import com.stormpath.sdk.application.webconfig.VerifyEmailConfig
+import com.stormpath.sdk.cache.Caches
 import com.stormpath.sdk.client.Client
 import com.stormpath.sdk.client.ClientIT
+import com.stormpath.sdk.client.Clients
 import com.stormpath.sdk.directory.Directory
+import com.stormpath.sdk.oauth.AccessToken
+import com.stormpath.sdk.oauth.Authenticators
+import com.stormpath.sdk.oauth.OAuthBearerRequestAuthentication
+import com.stormpath.sdk.oauth.OAuthPasswordGrantRequestAuthentication
+import com.stormpath.sdk.oauth.OAuthRequestAuthenticator
+import com.stormpath.sdk.oauth.OAuthRequests
+import com.stormpath.sdk.oauth.RefreshToken
 import org.testng.annotations.Test
 
 import static org.testng.Assert.*
@@ -185,6 +194,42 @@ class WebConfigurationIT extends ClientIT {
         }
     }
 
+    @Test
+    void testGetAccessTokenSignedWithDifferentKey() {
+
+        def app = createTempApp()
+
+        def account = createTestAccount(app)
+
+        OAuthPasswordGrantRequestAuthentication grantRequest = OAuthRequests.OAUTH_PASSWORD_GRANT_REQUEST.builder()
+                .setLogin(account.email).setPassword("Changeme1!").build()
+
+        OAuthRequestAuthenticator authenticator = Authenticators.OAUTH_PASSWORD_GRANT_REQUEST_AUTHENTICATOR.forApplication(app)
+
+        def accessTokenResult = authenticator.authenticate(grantRequest)
+
+        def webConfigApiKey = app.getWebConfig().getSigningApiKey()
+
+        def client = Clients.builder().setBaseUrl(baseUrl).setCacheManager(Caches.newDisabledCacheManager()).setApiKey(webConfigApiKey).build()
+
+        def newClientApp = client.getResource(app.href, Application)
+
+        // Authenticate token against Stormpath
+        OAuthBearerRequestAuthentication authRequest = OAuthRequests.OAUTH_BEARER_REQUEST.builder().setJwt(accessTokenResult.getAccessTokenString()).build()
+        def authResultRemote = Authenticators.OAUTH_BEARER_REQUEST_AUTHENTICATOR.forApplication(newClientApp).authenticate(authRequest)
+
+        assertEquals authResultRemote.getApplication().getHref(), app.href
+        assertEquals authResultRemote.getAccount().getHref(), account.href
+
+        def accessToken = client.getResource(accessTokenResult.accessTokenHref, AccessToken)
+
+        assertNotNull accessToken
+
+        def refreshToken = client.getResource(accessTokenResult.refreshToken.href, RefreshToken)
+
+        assertNotNull refreshToken
+    }
+
     ApiKey createTmpApiKey(Application application) {
         def directory = client.instantiate(Directory)
         directory.setName(uniquify("Admins"))

impl/src/main/java/com/stormpath/sdk/impl/oauth/AbstractBaseOAuthToken.java

@@ -19,7 +19,9 @@
 import com.stormpath.sdk.tenant.Tenant;
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.Jws;
+import io.jsonwebtoken.JwsHeader;
 import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.SigningKeyResolverAdapter;
 
 import java.util.Date;
 import java.util.Map;
@@ -102,8 +104,26 @@ public void revoke() {
         OAuthTokenRevocators.OAUTH_TOKEN_REVOCATOR.forApplication(getApplication()).revoke(revocationRequest);
     }
 
-    protected static Jws<Claims> parseJws(String token, ApiKey apiKey) {
-        return Jwts.parser().setSigningKey(apiKey.getSecret().getBytes(Strings.UTF_8)).parseClaimsJws(token);
+    /**
+     * @since 1.2.1
+     */
+    protected static Jws<Claims> parseJws(String token, final InternalDataStore dataStore) {
+
+        final ApiKey clientApiKey = dataStore.getApiKey();
+
+        return Jwts.parser().setSigningKeyResolver(new SigningKeyResolverAdapter() {
+            @Override
+            public byte[] resolveSigningKeyBytes(JwsHeader header, Claims claims) {
+                String keyId = header.getKeyId();
+
+                if (Strings.hasText(keyId) && !clientApiKey.getId().equals(keyId)) {
+                    String url = dataStore.getBaseUrl() + "/apiKeys/" + keyId;
+                    ApiKey apiKey = dataStore.getResource(url, ApiKey.class);
+                    return Strings.getBytesUtf8(apiKey.getSecret());
+                }
+                return Strings.getBytesUtf8(clientApiKey.getSecret());
+            }
+        }).parseClaimsJws(token);
     }
 
     protected abstract TokenTypeHint getTokenTypeHint();

impl/src/main/java/com/stormpath/sdk/impl/oauth/DefaultAccessToken.java

@@ -47,8 +47,7 @@ private void ensureAccessToken() {
         if(isMaterialized()) {
             try {
 
-                ApiKey apiKey = getDataStore().getApiKey();
-                JwsHeader header = AbstractBaseOAuthToken.parseJws(getString(JWT), apiKey).getHeader();
+                JwsHeader header = AbstractBaseOAuthToken.parseJws(getString(JWT), getDataStore()).getHeader();
 
                 String tokenType = (String) header.get("stt");
                 Assert.isTrue(tokenType.equals("access"));

impl/src/main/java/com/stormpath/sdk/impl/oauth/DefaultGrantAuthenticationToken.java

@@ -88,7 +88,7 @@ public RefreshToken getAsRefreshToken() {
             return null;
         }
 
-        Jws<Claims> jws = AbstractBaseOAuthToken.parseJws(refreshToken, getDataStore().getApiKey());
+        Jws<Claims> jws = AbstractBaseOAuthToken.parseJws(refreshToken, getDataStore());
         Map<String, Object> props = new LinkedHashMap<String, Object>(1);
         String refreshTokenID = jws.getBody().getId();
         props.put("href", getDataStore().getBaseUrl() + "/refreshTokens/" + refreshTokenID);