All Downloads are FREE. Search and download functionalities are using the official Maven repository.

com.nimbusds.openid.connect.sdk.rp.statement.SoftwareStatementProcessor Maven / Gradle / Ivy

/*
 * oauth2-oidc-sdk
 *
 * Copyright 2012-2020, Connect2id Ltd and contributors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
 * this file except in compliance with the License. You may obtain a copy of the
 * License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software distributed
 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 * CONDITIONS OF ANY KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations under the License.
 */

package com.nimbusds.openid.connect.sdk.rp.statement;


import java.net.URL;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import net.jcip.annotations.ThreadSafe;
import net.minidev.json.JSONObject;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.RemoteKeySourceException;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.util.DefaultResourceRetriever;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.oauth2.sdk.util.CollectionUtils;
import com.nimbusds.oauth2.sdk.util.JSONObjectUtils;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata;


/**
 * Processor of software statements for client registrations.
 *
 * 

Related specifications: * *

    *
  • OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591), sections * 2.3 and 3.1.1. *
* * @param Optional security context to pass to the underlying JWK source. */ @ThreadSafe public class SoftwareStatementProcessor { private final boolean required; private final DefaultJWTProcessor processor; /** * Creates a new software statement processor. * * @param issuer The expected software statement issuer. Must not be * {@code null}. * @param required If {@code true} the processed client metadata must * include a software statement and if missing this * will result in a {@code invalid_software_statement} * error. If {@code false} client metadata with missing * software statement will be returned unmodified by * the processor. * @param jwsAlgs The expected JWS algorithms of the software * statements. Must not be empty or {@code null}. * @param jwkSet The public JWK set for verifying the software * statement signatures. */ public SoftwareStatementProcessor(final Issuer issuer, final boolean required, final Set jwsAlgs, final JWKSet jwkSet) { this(issuer, required, jwsAlgs, new ImmutableJWKSet(jwkSet)); } /** * Creates a new software statement processor. * * @param issuer The expected software statement issuer. Must * not be {@code null}. * @param required If {@code true} the processed client * metadata must include a software statement * and if missing this will result in a * {@code invalid_software_statement} error. If * {@code false} client metadata with missing * software statement will be returned * unmodified by the processor. * @param jwsAlgs The expected JWS algorithms of the software * statements. Must not be empty or * {@code null}. * @param jwkSetURL The public JWK set URL for verifying the * software statement signatures. * @param connectTimeoutMs The HTTP connect timeout in milliseconds for * retrieving the JWK set, zero implies no * timeout (determined by the underlying HTTP * client). * @param readTimeoutMs The HTTP read timeout in milliseconds for * retrieving the JWK set, zero implies no * timeout (determined by the underlying HTTP * client). * @param sizeLimitBytes The HTTP entity size limit in bytes when * retrieving the JWK set, zero implies no * limit. */ public SoftwareStatementProcessor(final Issuer issuer, final boolean required, final Set jwsAlgs, final URL jwkSetURL, final int connectTimeoutMs, final int readTimeoutMs, final int sizeLimitBytes) { this(issuer, required, jwsAlgs, new RemoteJWKSet( jwkSetURL, new DefaultResourceRetriever( connectTimeoutMs, readTimeoutMs, sizeLimitBytes))); } /** * Creates a new software statement processor. * * @param issuer The expected software statement issuer. Must not be * {@code null}. * @param required If {@code true} the processed client metadata must * include a software statement and if missing this * will result in a {@code invalid_software_statement} * error. If {@code false} client metadata with * missing software statement will be returned * unmodified by the processor. * @param jwsAlgs The expected JWS algorithms of the software * statements. Must not be empty or {@code null}. * @param jwkSource The public JWK source to use for verifying the * software statement signatures. */ public SoftwareStatementProcessor(final Issuer issuer, final boolean required, final Set jwsAlgs, final JWKSource jwkSource) { this(issuer, required, jwsAlgs, jwkSource, Collections.emptySet()); } /** * Creates a new software statement processor. * * @param issuer The expected software statement * issuer. Must not be {@code null}. * @param required If {@code true} the processed client * metadata must include a software * statement and if missing this will * result in a * {@code invalid_software_statement} * error. If {@code false} client * metadata with missing software * statement will be returned * unmodified by the processor. * @param jwsAlgs The expected JWS algorithms of the * software statements. Must not be * empty or {@code null}. * @param jwkSource The public JWK source to use for * verifying the software statement * signatures. * @param additionalRequiredClaims The names of any additional JWT * claims other than "iss" (issuer) * that must be present in the software * statement, empty or {@code null} if * none. */ public SoftwareStatementProcessor(final Issuer issuer, final boolean required, final Set jwsAlgs, final JWKSource jwkSource, final Set additionalRequiredClaims) { this.required = required; Set allRequiredClaims = new HashSet<>(); allRequiredClaims.add("iss"); if (CollectionUtils.isNotEmpty(additionalRequiredClaims)) { allRequiredClaims.addAll(additionalRequiredClaims); } processor = new DefaultJWTProcessor<>(); processor.setJWSKeySelector(new JWSVerificationKeySelector<>(jwsAlgs, jwkSource)); processor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier( new JWTClaimsSet.Builder() .issuer(issuer.getValue()) .build(), allRequiredClaims)); } /** * Processes an optional software statement in the specified client * metadata. * * @param clientMetadata The client metadata, must not be {@code null}. * * @return The processed client metadata, with the merged software * statement. * * @throws InvalidSoftwareStatementException On a invalid or missing * required software * statement. * @throws JOSEException On a internal JOSE * signature verification * exception. */ public OIDCClientMetadata process(final OIDCClientMetadata clientMetadata) throws InvalidSoftwareStatementException, JOSEException { return process(clientMetadata, null); } /** * Processes an optional software statement in the specified client * metadata. * * @param clientMetadata The client metadata, must not be {@code null}. * @param context Optional security context to pass to the * underlying JWK source, {@code null} if not * specified. * * @return The processed client metadata, with the merged software * statement. * * @throws InvalidSoftwareStatementException On a invalid or missing * required software * statement. * @throws JOSEException On a internal JOSE * signature verification * exception. */ public OIDCClientMetadata process(final OIDCClientMetadata clientMetadata, C context) throws InvalidSoftwareStatementException, JOSEException { SignedJWT softwareStatement = clientMetadata.getSoftwareStatement(); if (softwareStatement == null) { if (required) { throw new InvalidSoftwareStatementException("Missing required software statement"); } return clientMetadata; } JWTClaimsSet statementClaims; try { statementClaims = processor.process(softwareStatement, context); } catch (BadJOSEException e) { throw new InvalidSoftwareStatementException("Invalid software statement JWT: " + e.getMessage(), e); } catch (RemoteKeySourceException e) { throw new InvalidSoftwareStatementException("Software statement JWT validation failed: " + e.getMessage(), e); } JSONObject mergedMetadataJSONObject = new JSONObject(); mergedMetadataJSONObject.putAll(clientMetadata.toJSONObject()); mergedMetadataJSONObject.remove("software_statement"); JSONObject statementJSONObject = JSONObjectUtils.toJSONObject(statementClaims); statementJSONObject.remove("iss"); mergedMetadataJSONObject.putAll(statementJSONObject); try { return OIDCClientMetadata.parse(mergedMetadataJSONObject); } catch (ParseException e) { throw new InvalidSoftwareStatementException("Error merging software statement: " + e.getMessage(), e); } } }




© 2015 - 2025 Weber Informatics LLC | Privacy Policy