@@ -69,11 +69,9 @@ public class OAuthJwtAuthenticatorImpl extends AbstractOAuthAuthenticator {
6969 APIConstants .EMAIL_DOMAIN_SEPARATOR + MultitenantConstants .SUPER_TENANT_DOMAIN_NAME ;
7070 private boolean isRESTApiTokenCacheEnabled ;
7171 private Map <String , TokenIssuerDto > tokenIssuers ;
72- private java .util .Map <String , List <String >> audiencesMap ;
7372
7473 public OAuthJwtAuthenticatorImpl () {
7574 tokenIssuers = getTokenIssuers ();
76- audiencesMap = getRestApiJWTAuthAudiences ();
7775 }
7876
7977 /**
@@ -228,71 +226,52 @@ private JWTValidationInfo validateJWTToken(SignedJWTInfo signedJWTInfo, String j
228226
229227 if (StringUtils .isNotEmpty (issuer )) {
230228 //validate Issuer
231- List <String > tokenAudiences = signedJWTInfo .getJwtClaimsSet ().getAudience ();
232229 if (tokenIssuers != null && tokenIssuers .containsKey (issuer )) {
233- //validate audience
234- if (audiencesMap != null && audiencesMap .get (basePath .getPath ()) != null &&
235- tokenAudiences .stream ().anyMatch (audiencesMap .get (basePath .getPath ())::contains )) {
236- if (isRESTApiTokenCacheEnabled ) {
237- JWTValidationInfo tempJWTValidationInfo = (JWTValidationInfo ) getRESTAPITokenCache ().get (jti );
238- if (tempJWTValidationInfo != null ) {
239- Boolean isExpired = checkTokenExpiration (new Date (tempJWTValidationInfo .getExpiryTime ()));
240- if (isExpired ) {
241- tempJWTValidationInfo .setValid (false );
242- getRESTAPITokenCache ().remove (jti );
243- getRESTAPIInvalidTokenCache ().put (jti , tempJWTValidationInfo );
244- log .error ("JWT token validation failed. Reason: Expired Token. " + maskedToken );
245- return tempJWTValidationInfo ;
246- }
247- //check accessToken
248- if (!tempJWTValidationInfo .getRawPayload ().equals (accessToken )) {
249- tempJWTValidationInfo .setValid (false );
250- getRESTAPITokenCache ().remove (jti );
251- getRESTAPIInvalidTokenCache ().put (jti , tempJWTValidationInfo );
252- log .error ("JWT token validation failed. Reason: Invalid Token. " + maskedToken );
253- return tempJWTValidationInfo ;
254- }
230+ if (isRESTApiTokenCacheEnabled ) {
231+ JWTValidationInfo tempJWTValidationInfo = (JWTValidationInfo ) getRESTAPITokenCache ().get (jti );
232+ if (tempJWTValidationInfo != null ) {
233+ boolean isExpired = checkTokenExpiration (new Date (tempJWTValidationInfo .getExpiryTime ()));
234+ if (isExpired ) {
235+ tempJWTValidationInfo .setValid (false );
236+ getRESTAPITokenCache ().remove (jti );
237+ getRESTAPIInvalidTokenCache ().put (jti , tempJWTValidationInfo );
238+ log .error ("JWT token validation failed. Reason: Expired Token. " + maskedToken );
255239 return tempJWTValidationInfo ;
256-
257- } else if (getRESTAPIInvalidTokenCache ().get (jti ) != null ) {
258- if (log .isDebugEnabled ()) {
259- log .debug ("Token retrieved from the invalid token cache. Token: " + maskedToken );
260- }
261- return (JWTValidationInfo ) getRESTAPIInvalidTokenCache ().get (jti );
262240 }
263- }
264- //info not in cache. validate signature and exp
265- JWTValidator jwtValidator = APIMConfigUtil .getJWTValidatorMap ().get (issuer );
266- jwtValidationInfo = jwtValidator .validateToken (signedJWTInfo );
267- if (jwtValidationInfo .isValid ()) {
268- //valid token
269- if (isRESTApiTokenCacheEnabled ) {
270- getRESTAPITokenCache ().put (jti , jwtValidationInfo );
241+ //check accessToken
242+ if (!tempJWTValidationInfo .getRawPayload ().equals (accessToken )) {
243+ tempJWTValidationInfo .setValid (false );
244+ getRESTAPITokenCache ().remove (jti );
245+ getRESTAPIInvalidTokenCache ().put (jti , tempJWTValidationInfo );
246+ log .error ("JWT token validation failed. Reason: Invalid Token. " + maskedToken );
247+ return tempJWTValidationInfo ;
271248 }
272- } else {
273- //put in invalid cache
274- if (isRESTApiTokenCacheEnabled ) {
275- getRESTAPIInvalidTokenCache ().put (jti , jwtValidationInfo );
249+ return tempJWTValidationInfo ;
250+
251+ } else if (getRESTAPIInvalidTokenCache ().get (jti ) != null ) {
252+ if (log .isDebugEnabled ()) {
253+ log .debug ("Token retrieved from the invalid token cache. Token: " + maskedToken );
276254 }
277- //invalid credentials : 900901 error code
278- log .error ("JWT token validation failed. Reason: Invalid Credentials. " +
279- "Make sure you have provided the correct security credentials in the token :"
280- + maskedToken );
255+ return (JWTValidationInfo ) getRESTAPIInvalidTokenCache ().get (jti );
256+ }
257+ }
258+ //info not in cache. validate signature and exp
259+ JWTValidator jwtValidator = APIMConfigUtil .getJWTValidatorMap ().get (issuer );
260+ jwtValidationInfo = jwtValidator .validateToken (signedJWTInfo );
261+ if (jwtValidationInfo .isValid ()) {
262+ //valid token
263+ if (isRESTApiTokenCacheEnabled ) {
264+ getRESTAPITokenCache ().put (jti , jwtValidationInfo );
281265 }
282266 } else {
283- if (audiencesMap == null ) {
284- log .error ("JWT token audience validation failed. Reason: No audiences registered " +
285- "in the server" );
286- } else if (audiencesMap .get (basePath .getPath ()) == null ) {
287- log .error ("JWT token audience validation failed. Reason: No audiences registered " +
288- "in the server for the base path (" + basePath .getPath () + ")" );
289- } else {
290- log .error ("JWT token audience validation failed. Reason: None of the aud present "
291- + "in the JWT (" + tokenAudiences .toString () +
292- ") matches the intended audience (" + audiencesMap .get (basePath .getPath ())
293- .toString () + ") for base path ( " + basePath .getPath () + " )." );
267+ //put in invalid cache
268+ if (isRESTApiTokenCacheEnabled ) {
269+ getRESTAPIInvalidTokenCache ().put (jti , jwtValidationInfo );
294270 }
295- return null ;
271+ //invalid credentials : 900901 error code
272+ log .error ("JWT token validation failed. Reason: Invalid Credentials. " +
273+ "Make sure you have provided the correct security credentials in the token :"
274+ + maskedToken );
296275 }
297276 } else {
298277 //invalid issuer. invalid token
0 commit comments