Added support for EC JWT signing and logging

pom.xml

@@ -10,7 +10,7 @@
     </parent>
     <groupId>org.surfnet</groupId>
     <artifactId>student-mobility-inteken-ontvanger-generiek</artifactId>
-    <version>0.2.15</version>
+    <version>0.2.16-SNAPSHOT</version>
     <name>inteken-ontvanger-generiek</name>
     <description>inteken-ontvanger-generiek</description>
     <properties>

src/main/java/generiek/api/EnrollmentEndpoint.java

@@ -1,6 +1,8 @@
 package generiek.api;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.proc.BadJOSEException;
 import com.nimbusds.jwt.JWTClaimsSet;
 import com.nimbusds.openid.connect.sdk.OIDCClaimsRequest;
 import com.nimbusds.openid.connect.sdk.claims.ClaimsSetRequest;
@@ -167,7 +169,7 @@ public View enrollment(@ModelAttribute EnrollmentRequest enrollmentRequest) thro
      * Redirect after authentication. Give browser-control back to the client to call start and show progress-spinner
      */
     @GetMapping("/redirect_uri")
-    public View redirect(@RequestParam("code") String code, @RequestParam("state") String state) throws ParseException, IOException {
+    public View redirect(@RequestParam("code") String code, @RequestParam("state") String state) throws ParseException, IOException, BadJOSEException, JOSEException {
         MultiValueMap<String, String> map = new LinkedMultiValueMap<>();
         map.add("client_id", clientId);
         map.add("client_secret", clientSecret);

src/main/java/generiek/jwt/JWTValidator.java

@@ -1,35 +1,55 @@
 package generiek.jwt;
 
+import com.nimbusds.jose.JOSEException;
 import com.nimbusds.jose.JWSAlgorithm;
 import com.nimbusds.jose.jwk.source.RemoteJWKSet;
+import com.nimbusds.jose.proc.BadJOSEException;
 import com.nimbusds.jose.proc.JWSKeySelector;
 import com.nimbusds.jose.proc.JWSVerificationKeySelector;
 import com.nimbusds.jose.proc.SecurityContext;
 import com.nimbusds.jose.util.DefaultResourceRetriever;
 import com.nimbusds.jwt.JWTClaimsSet;
 import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
 import com.nimbusds.jwt.proc.DefaultJWTProcessor;
+import generiek.api.EnrollmentEndpoint;
 import lombok.SneakyThrows;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 
 import java.net.MalformedURLException;
 import java.net.URL;
+import java.text.ParseException;
+import java.util.HashSet;
+import java.util.Set;
 
 public class JWTValidator {
 
+    private static final Log LOG = LogFactory.getLog(EnrollmentEndpoint.class);
+
+    private final String jwkSetUri;
     private final ConfigurableJWTProcessor<SecurityContext> jwtProcessor;
 
     public JWTValidator(String jwkSetUri, int connectTimeout, int readTimeout, int sizeLimit) throws MalformedURLException {
+        this.jwkSetUri = jwkSetUri;
         this.jwtProcessor = new DefaultJWTProcessor<>();
         DefaultResourceRetriever resourceRetriever = new DefaultResourceRetriever(connectTimeout, readTimeout, sizeLimit);
         RemoteJWKSet<SecurityContext> remoteJWKSet = new RemoteJWKSet<>(new URL(jwkSetUri), resourceRetriever);
+        Set<JWSAlgorithm> jwsAlgs = new HashSet<>();
+        jwsAlgs.add(JWSAlgorithm.RS256);
+        jwsAlgs.add(JWSAlgorithm.ES256);
         JWSKeySelector<SecurityContext> keySelector =
-                new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, remoteJWKSet);
+                new JWSVerificationKeySelector<>(jwsAlgs, remoteJWKSet);
         this.jwtProcessor.setJWSKeySelector(keySelector);
     }
 
-    @SneakyThrows
-    public JWTClaimsSet validate(String jwtToken) {
-        return jwtProcessor.process(jwtToken, null);
+    public JWTClaimsSet validate(String jwtToken) throws ParseException, BadJOSEException, JOSEException {
+        try {
+            return jwtProcessor.process(jwtToken, null);
+        } catch (ParseException | BadJOSEException | JOSEException e) {
+            LOG.error(String.format("Error in validation of JWT token for token %s against jwkSetUri %s",
+                    jwtToken, this.jwkSetUri), e);
+            throw e;
+        }
     }
 
 }