List of usage examples for com.fasterxml.jackson.core Base64Variants MODIFIED_FOR_URL
Base64Variant MODIFIED_FOR_URL
From source file:me.lazerka.gae.jersey.oauth2.facebook.TokenVerifierFacebookSignedRequest.java
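/**
 * Verifies a Facebook signed-request token and exchanges the {@code code} it carries for a
 * user access token.
 *
 * <p>The token must have the form {@code <signature>.<payload>}, with both parts encoded in
 * {@link Base64Variants#MODIFIED_FOR_URL}. The signature is an HMAC over the still-encoded
 * payload string, and it is checked before the payload is decoded or parsed, so the JSON
 * parser only ever sees bytes that carry a valid signature.
 *
 * @param signedRequestToken the raw token as received from the client
 * @return a principal built from the payload's user id and the access-token response
 * @throws IllegalArgumentException if the token does not consist of exactly two
 *     period-separated parts
 * @throws InvalidKeyException if the signature does not match, or if the payload declares an
 *     algorithm other than {@code HMAC-SHA256}
 * @throws IOException presumably from JSON parsing or from the access-token fetch; neither
 *     helper is visible here
 */
@Override
public FacebookUserPrincipal verify(String signedRequestToken) throws IOException, InvalidKeyException {
    logger.trace("Requesting endpoint to validate token");

    List<String> parts = Splitter.on('.').splitToList(signedRequestToken);
    checkArgument(parts.size() == 2, "Signed request must have two parts separated by period.");

    byte[] providedSignature = Base64Variants.MODIFIED_FOR_URL.decode(parts.get(0));
    String signedRequestJsonEncoded = parts.get(1);

    // Authenticate first: nothing from the payload is decoded or parsed until the HMAC matches.
    // NOTE(review): `hmac` is a field declared outside this method, presumably a javax.crypto.Mac.
    // Mac instances are stateful, so confirm this one is not shared between concurrent requests.
    byte[] expectedSignature = hmac.doFinal(signedRequestJsonEncoded.getBytes(UTF_8));

    // MessageDigest.isEqual is a timing-safe comparison, whereas Arrays.equals returns at the
    // first differing byte and so leaks how much of a guessed signature was correct.
    // Fully qualified because the file's import block is not visible from here.
    if (!java.security.MessageDigest.isEqual(providedSignature, expectedSignature)) {
        throw new InvalidKeyException("Signature invalid");
    }

    byte[] signedRequestJson = Base64Variants.MODIFIED_FOR_URL.decode(signedRequestJsonEncoded);
    SignedRequest signedRequest = jackson.readValue(signedRequestJson, SignedRequest.class);

    // The signature is already verified, so the echoed algorithm value is authenticated data.
    if (!"HMAC-SHA256".equals(signedRequest.algorithm)) {
        throw new InvalidKeyException("Unsupported signing method: " + signedRequest.algorithm);
    }

    // We still need to verify expiration somehow. The only way is to ask Facebook.
    // Exchange `code` for long-lived access token.
    // This serves as verification for `code` expiration too.
    AccessTokenResponse response = fetcher.fetchUserAccessToken(signedRequest.code, redirectUri);

    // Not fetching email, because maybe we won't need to, if ID is enough.
    return new FacebookUserPrincipal(signedRequest.userId, null, response, null);
}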