fusionauth support

Author: skjolber

build.gradle

@@ -1,7 +1,7 @@
 plugins {
     id 'me.champeau.gradle.jmh' version '0.4.8' apply false
-    id 'com.github.ben-manes.versions' version '0.20.0' apply false
-    id 'org.owasp.dependencycheck' version '4.0.2' apply false
+    id 'com.github.ben-manes.versions' version '0.27.0' apply false
+    id 'org.owasp.dependencycheck' version '5.2.2' apply false
     id 'com.github.spotbugs' version '1.6.9' apply false    
     id 'io.morethan.jmhreport' version '0.9.0' apply false
 }
@@ -17,12 +17,13 @@ subprojects {
     targetCompatibility = 1.8
 
     ext {
-        javaJwtVersion = '3.7.0'
-        jwksRsaVersion = '0.7.0'
+        javaJwtVersion = '3.8.3'
+        jwksRsaVersion = '0.9.0'
         jjwtVersion = '0.9.1'
         jmhVersion = '1.21'
         oktaVersion = '0.4.0'
-        junitJupiterVersion  = '5.3.2'
+        fusionAuthVersion = '3.1.4'
+        junitJupiterVersion  = '5.5.2'
     }
 
     repositories {

frameworks/fusionauth-jwt-bench/README.md

@@ -0,0 +1,4 @@
+# fusionauth-jwt-bench
+Benchmark configuration for [fusionauth-jwt].
+
+[fusionauth-jwt]:			https://github.com/FusionAuth/fusionauth-jwt

frameworks/fusionauth-jwt-bench/build.gradle

@@ -0,0 +1,6 @@
+dependencies {
+    compile project(":jmh-utils")
+    compile("io.fusionauth:fusionauth-jwt:${fusionAuthVersion}")
+}
+
+

frameworks/fusionauth-jwt-bench/src/main/java/com/github/skjolber/bench/fusionauth/FusionAuthJsonWebTokenVerifier.java

@@ -0,0 +1,64 @@
+package com.github.skjolber.bench.fusionauth;
+
+import java.security.KeyPair;
+
+import com.github.skjolber.bench.utils.JsonWebTokenVerifier;
+
+import io.fusionauth.jwt.InvalidJWTException;
+import io.fusionauth.jwt.JWTDecoder;
+import io.fusionauth.jwt.Verifier;
+import io.fusionauth.jwt.domain.Algorithm;
+import io.fusionauth.jwt.domain.JWT;
+import io.fusionauth.jwt.rsa.RSAVerifier;
+import io.fusionauth.pem.domain.PEM;
+
+public class FusionAuthJsonWebTokenVerifier implements JsonWebTokenVerifier<JWT> {
+
+	private final static Verifier nullVerifier = new Verifier() {
+		
+		@Override
+		public void verify(Algorithm algorithm, byte[] message, byte[] signature) {
+			// noop
+		}
+		
+		@Override
+		public boolean canVerify(Algorithm algorithm) {
+			return true;
+		}
+	};
+	
+	private final RSAVerifier verifier;
+	private final JWTDecoder decoder;
+	private final String issuer;
+	private final String audience;
+
+	public FusionAuthJsonWebTokenVerifier(KeyPair keyPair, String issuer, String audience) {
+		this.issuer = issuer;
+		this.audience = audience;
+		
+		String encode = PEM.encode(keyPair.getPublic());
+		
+		decoder = JWT.getDecoder();
+		verifier = RSAVerifier.newVerifier(encode);
+	} 
+	
+	@Override
+	public JWT verifyJsonWebToken(String token) {
+		JWT jwt =  decoder.decode(token, verifier);
+
+		// lets add some claim verification here; the other implementations do this already
+		if(!issuer.equals(jwt.getString("iss"))) {
+			throw new InvalidJWTException("Unexpected issuer");
+		}
+
+		if(!audience.equals(jwt.getString("aud"))) {
+			throw new InvalidJWTException("Unexpected audience");
+		}
+
+		return jwt;
+	}
+
+	public JWT parseToken(String token) throws Exception {
+		return decoder.decode(token, nullVerifier);
+	}
+}

frameworks/fusionauth-jwt-bench/src/test/java/com/github/skjolber/bench/fusionauth/FustionAuthJsonWebTokenVerifierTest.java

@@ -0,0 +1,29 @@
+package com.github.skjolber.bench.fusionauth;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.junit.jupiter.api.Test;
+
+import com.github.skjolber.bench.fusionauth.FusionAuthJsonWebTokenVerifier;
+import com.github.skjolber.bench.utils.JsonWebTokenGenerator;
+
+public class FustionAuthJsonWebTokenVerifierTest {
+
+    @Test
+    public void testVerifier() throws Exception {
+        JsonWebTokenGenerator generator = new JsonWebTokenGenerator();
+        
+        Map<String, Object> map = new HashMap<>();
+        map.put("test", "value"); 
+        
+        String issuer = "https://test";
+        String audience = "https://audience";
+        
+        String token = generator.createJsonWebToken(map, issuer, audience);
+
+        FusionAuthJsonWebTokenVerifier verifier = new FusionAuthJsonWebTokenVerifier(generator.getKeyPair(), issuer, audience);
+        
+        verifier.verifyJsonWebToken(token);
+    }
+}

frameworks/java-jwt-bench/src/main/java/com/auth0/jwt/Auth0TokenVerifier.java

@@ -10,18 +10,24 @@
 public class Auth0TokenVerifier implements JsonWebTokenVerifier<DecodedJWT> {
 
 	private final JWTVerifier verifier;
+	private final JWT jwt;
 
 	public Auth0TokenVerifier(KeyPair keyPair, String issuer, String audience) {
         verifier = JWT
         			.require(Algorithm.RSA256(new KeyProvider(keyPair)))
         			.withIssuer(issuer)
         			.withAudience(audience)
         			.build();
+        jwt = new JWT();        
 	}
 
 	@Override
 	public DecodedJWT verifyJsonWebToken(String token) throws Exception {
 		return verifier.verify(token);
 	}
 
+	public DecodedJWT parseToken(String token) {
+		return jwt.decodeJwt(token);
+	}
+
 }

jmh-benchmark/build.gradle

@@ -6,5 +6,6 @@ dependencies {
     jmh project(":frameworks:jjwt-bench")
     jmh project(":frameworks:java-jwt-bench")
     jmh project(":frameworks:okta-jwt-verifier-bench")
+    jmh project(":frameworks:fusionauth-jwt-bench")
 }
 

jmh-benchmark/src/jmh/java/com/auth0/jwt/JwtParseBenchmark.java

@@ -1,4 +1,4 @@
-package com.auth0.jwt;
+package com.github.skjolber.jwt;
 
 import java.util.HashMap;
 import java.util.Map;
@@ -8,6 +8,8 @@
 import org.openjdk.jmh.annotations.Setup;
 import org.openjdk.jmh.annotations.State;
 
+import com.auth0.jwt.Auth0TokenVerifier;
+import com.github.skjolber.bench.fusionauth.FusionAuthJsonWebTokenVerifier;
 import com.github.skjolber.bench.jjwt.JavaJsonWebTokenVerifier;
 import com.github.skjolber.bench.okta.OktaJsonWebTokenVerifier;
 import com.github.skjolber.bench.utils.JsonWebTokenGenerator;
@@ -17,6 +19,7 @@ public class BenchmarkState {
 
 	private String token;
 
+	private FusionAuthJsonWebTokenVerifier fusionAuthJsonWebTokenVerifier;
 	private OktaJsonWebTokenVerifier oktaJsonWebTokenVerifier;
 	private JavaJsonWebTokenVerifier javaJsonWebTokenVerifier;
 	private Auth0TokenVerifier auth0TokenVerifier;
@@ -34,6 +37,8 @@ public void init() throws Exception {
         token = generator.createJsonWebToken(map, issuer, audience);
 
         oktaJsonWebTokenVerifier = new OktaJsonWebTokenVerifier(generator.getKeyPair(), issuer, audience);
+
+        fusionAuthJsonWebTokenVerifier = new FusionAuthJsonWebTokenVerifier(generator.getKeyPair(), issuer, audience);
         javaJsonWebTokenVerifier = new JavaJsonWebTokenVerifier(generator.getKeyPair(), issuer, audience);
         auth0TokenVerifier = new Auth0TokenVerifier(generator.getKeyPair(), issuer, audience);
 	}
@@ -50,6 +55,10 @@ public OktaJsonWebTokenVerifier getOktaJsonWebTokenVerifier() {
 		return oktaJsonWebTokenVerifier;
 	}
 
+	public FusionAuthJsonWebTokenVerifier getFusionAuthJsonWebTokenVerifier() {
+		return fusionAuthJsonWebTokenVerifier;
+	}
+	
 	public String getToken() {
 		return token;
 	}

jmh-benchmark/src/jmh/java/com/auth0/jwt/BenchmarkState.java renamed to jmh-benchmark/src/jmh/java/com/github/skjolber/jwt/BenchmarkState.java

@@ -1,4 +1,4 @@
-package com.auth0.jwt;
+package com.github.skjolber.jwt;
 
 import org.openjdk.jmh.annotations.Benchmark;
 
@@ -18,4 +18,9 @@ public Object auth0_claim(BenchmarkState state) throws Exception {
     public Object okta_claim(BenchmarkState state) throws Exception {
     	return state.getOktaJsonWebTokenVerifier().verifyJsonWebToken(state.getToken()).getClaims().get("test");
     }
+    
+    @Benchmark
+    public Object fusionauth_claim(BenchmarkState state) throws Exception {
+    	return state.getFusionAuthJsonWebTokenVerifier().verifyJsonWebToken(state.getToken()).getObject("test");
+    }    
 }

jmh-benchmark/src/jmh/java/com/auth0/jwt/JwtClaimBenchmark.java renamed to jmh-benchmark/src/jmh/java/com/github/skjolber/jwt/JwtClaimBenchmark.java

@@ -0,0 +1,21 @@
+package com.github.skjolber.jwt;
+
+import org.openjdk.jmh.annotations.Benchmark;
+
+import com.auth0.jwt.interfaces.DecodedJWT;
+
+import io.fusionauth.jwt.domain.JWT;
+
+public class JwtParseBenchmark {
+
+	@Benchmark
+    public JWT parse(BenchmarkState state) throws Exception {
+		return state.getFusionAuthJsonWebTokenVerifier().parseToken(state.getToken());
+    }
+
+	@Benchmark
+    public DecodedJWT auth0_parse(BenchmarkState state) {
+    	return state.getAuth0TokenVerifier().parseToken(state.getToken());
+    }
+
+}

jmh-benchmark/src/jmh/java/com/github/skjolber/jwt/JwtParseBenchmark.java

@@ -1,4 +1,4 @@
-package com.auth0.jwt;
+package com.github.skjolber.jwt;
 
 import org.openjdk.jmh.annotations.Benchmark;
 
@@ -18,4 +18,9 @@ public Object auth0_verify(BenchmarkState state) throws Exception {
     public Object okta_verify(BenchmarkState state) throws Exception {
     	return state.getOktaJsonWebTokenVerifier().verifyJsonWebToken(state.getToken());
     }
+    
+    @Benchmark
+    public Object fusionauth_verify(BenchmarkState state) throws Exception {
+    	return state.getFusionAuthJsonWebTokenVerifier().verifyJsonWebToken(state.getToken());
+    }     
 }

jmh-benchmark/src/jmh/java/com/auth0/jwt/JwtVerifyBenchmark.java renamed to jmh-benchmark/src/jmh/java/com/github/skjolber/jwt/JwtVerifyBenchmark.java

@@ -1 +1 @@
-include 'jmh-utils', 'frameworks:java-jwt-bench', 'frameworks:jjwt-bench', 'frameworks:okta-jwt-verifier-bench', 'jmh-benchmark'
+include 'jmh-utils', 'frameworks:java-jwt-bench', 'frameworks:jjwt-bench', 'frameworks:okta-jwt-verifier-bench', 'frameworks:fusionauth-jwt-bench', 'jmh-benchmark'