backend/src/main/java/de/tavolio/verify/JwtVerificationService.java

package de.tavolio.verify;
import de.tavolio.auth.utils.JwtUtils;
import de.tavolio.oidc.IssuerService;
import de.tavolio.realm.key.KeypairEntity;
import de.tavolio.realm.key.KeypairRepo;
import io.quarkus.security.AuthenticationFailedException;
import io.quarkus.security.UnauthorizedException;
import io.smallrye.jwt.auth.principal.DefaultJWTParser;
import io.smallrye.jwt.auth.principal.JWTAuthContextInfo;
import io.smallrye.jwt.auth.principal.ParseException;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import org.eclipse.microprofile.jwt.JsonWebToken;
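/**
 * Verifies a compact JWT presented for one of this server's realms.
 *
 * <p>The signing key is selected by the token's {@code kid} header and fetched from
 * {@link KeypairRepo}; the signature is then checked against that stored key and the
 * {@code iss} claim must equal the realm's issuer as reported by {@link IssuerService}.
 * Every failure surfaces as {@link UnauthorizedException} so callers see one uniform rejection.
 */
@ApplicationScoped
public class JwtVerificationService
{
    @Inject
    IssuerService issuerService;
    @Inject
    JwksService jwksService;
    @Inject
    KeypairRepo keypairRepo;

    /**
     * Parses and verifies {@code jwt} for the realm identified by {@code realmKey}.
     *
     * @param realmKey realm whose issuer the token must carry in {@code iss}
     * @param jwt      compact-serialised JWT as received from the client; treated as untrusted
     * @return the verified token's claims
     * @throws UnauthorizedException if the token is empty, carries no {@code kid}, references a
     *                               key that is not in the repository, or fails signature /
     *                               issuer verification
     */
    public JsonWebToken validate(String realmKey, String jwt)
    {
        // Reject empty input up front instead of handing it to the header parser.
        if (jwt == null || jwt.isBlank())
        {
            throw new UnauthorizedException("JWT missing");
        }

        // The header is read from the still-unverified token, so "kid" is attacker-controlled.
        // It is used only as a lookup key into our own key store, never as key material.
        String kid = JwtUtils.parseHeader(jwt).getKid();
        if (kid == null || kid.isBlank())
        {
            // Nothing to look up; fail as 401 rather than letting findById(null) fail later
            // with an unrelated error.
            throw new UnauthorizedException("JWT header carries no kid");
        }

        KeypairEntity keypair = keypairRepo.findById(kid);
        if (keypair == null)
        {
            throw new UnauthorizedException("unknown signing key");
        }
        // NOTE(review): the lookup above is not scoped to realmKey. If a keypair can belong to a
        // different realm, a token signed with that realm's key but carrying this realm's issuer
        // in "iss" would verify here — confirm KeypairEntity is realm-bound and compare it to
        // realmKey before trusting the key.

        try
        {
            return new DefaultJWTParser(getContextForRealm(realmKey))
                    .verify(jwt, jwksService.generate(keypair).toPublicKey());
        }
        catch (ParseException e)
        {
            // Keep the cause for server-side diagnostics; the message stays generic so nothing
            // about the token's contents is exposed to the caller.
            throw new UnauthorizedException("JWT verification failed", e);
        }
    }

    /**
     * Builds the verification context for a realm. Only the expected issuer is pinned here;
     * everything else is left at the smallrye-jwt defaults.
     *
     * <p>NOTE(review): no expected audience is configured, so any valid token from this issuer
     * is accepted regardless of its {@code aud} claim — confirm that is intended or add
     * {@code setExpectedAudience} with the realm's audience.
     *
     * @param realmKey realm whose issuer becomes the required {@code iss} value
     * @return a fresh context bound to that issuer
     */
    private JWTAuthContextInfo getContextForRealm(String realmKey)
    {
        JWTAuthContextInfo info = new JWTAuthContextInfo();
        info.setIssuedBy(issuerService.getIssuer(realmKey));
        return info;
    }
}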