com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier Maven / Gradle / Ivy

Go to download
Show more of this group Show more artifacts with this name
Show all versions of nimbus-jose-jwt Show documentation
Java library for Javascript Object Signing and Encryption (JOSE) and JSON Web Tokens (JWT)
There is a newer version: 9.48
/*
 * nimbus-jose-jwt
 *
 * Copyright 2012-2016, Connect2id Ltd.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
 * this file except in compliance with the License. You may obtain a copy of the
 * License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software distributed
 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 * CONDITIONS OF ANY KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations under the License.
 */

package com.nimbusds.jwt.proc;


import java.util.*;

import net.jcip.annotations.ThreadSafe;

import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.util.DateUtils;


/**
 * {@link JWTClaimsSetVerifier JWT claims verifier} implementation. This class
 * is thread-safe.
 *
 * Performs the following checks:
 *
 * 

 *     If an expiration time (exp) claim is present, makes sure it is ahead
 *         of the current time, else the JWT claims set is rejected.
 *     
If a not-before-time (nbf) claim is present, makes sure it is
 *         before the current time, else the JWT claims set is rejected.
 * 
 *
 * This class may be extended to perform additional checks.
 *
 * @author Vladimir Dzhuvinov
 * @version 2019-10-17
 */
@ThreadSafe
public class DefaultJWTClaimsVerifier  implements JWTClaimsSetVerifier, JWTClaimsVerifier, ClockSkewAware {


	/**
	 * The default maximum acceptable clock skew, in seconds (60).
	 */
	public static final int DEFAULT_MAX_CLOCK_SKEW_SECONDS = 60;


	/**
	 * The maximum acceptable clock skew, in seconds.
	 */
	private int maxClockSkew = DEFAULT_MAX_CLOCK_SKEW_SECONDS;
	
	
	/**
	 * The accepted audience values, {@code null} if not specified. A
	 * {@code null} value present in the set allows JWTs with no audience.
	 */
	private final Set acceptedAudienceValues;
	
	
	/**
	 * The JWT claims that must match exactly, empty set if none.
	 */
	private final JWTClaimsSet exactMatchClaims;
	
	
	/**
	 * The names of the JWT claims that must be present, empty set if none.
	 */
	private final Set requiredClaims;
	
	
	/**
	 * The names of the JWT claims that must not be present, empty set if
	 * none.
	 */
	private final Set prohibitedClaims;
	
	
	/**
	 * Creates a new JWT claims verifier. No audience ("aud"), required and
	 * prohibited claims are specified. Will check the expiration ("exp")
	 * and not-before ("nbf") times if present.
	 */
	public DefaultJWTClaimsVerifier() {
		this(null, null, null, null);
	}
	
	
	/**
	 * Creates a new JWT claims verifier. Allows any audience ("aud")
	 * unless an exact match is specified. Will check the expiration
	 * ("exp") and not-before ("nbf") times if present.
	 *
	 * @param exactMatchClaims The JWT claims that must match exactly,
	 *                         {@code null} if none.
	 * @param requiredClaims   The names of the JWT claims that must be
	 *                         present, empty set or {@code null} if none.
	 */
	public DefaultJWTClaimsVerifier(final JWTClaimsSet exactMatchClaims,
					final Set requiredClaims) {
		
		this(null, exactMatchClaims, requiredClaims, null);
	}
	
	
	/**
	 * Creates new default JWT claims verifier.
	 *
	 * @param requiredAudience The required JWT audience, {@code null} if
	 *                         not specified.
	 * @param exactMatchClaims The JWT claims that must match exactly,
	 *                         {@code null} if none.
	 * @param requiredClaims   The names of the JWT claims that must be
	 *                         present, empty set or {@code null} if none.
	 */
	public DefaultJWTClaimsVerifier(final String requiredAudience,
					final JWTClaimsSet exactMatchClaims,
					final Set requiredClaims) {
		
		this(requiredAudience != null ? Collections.singleton(requiredAudience) : null,
			exactMatchClaims,
			requiredClaims,
			null);
	}
	
	
	/**
	 * Creates new default JWT claims verifier.
	 *
	 * @param acceptedAudience The accepted JWT audience values,
	 *                         {@code null} if not specified. A
	 *                         {@code null} value in the set allows JWTs
	 *                         with no audience.
	 * @param exactMatchClaims The JWT claims that must match exactly,
	 *                         {@code null} if none.
	 * @param requiredClaims   The names of the JWT claims that must be
	 *                         present, empty set or {@code null} if none.
	 * @param prohibitedClaims The names of the JWT claims that must not be
	 *                         present, empty set or {@code null} if none.
	 */
	public DefaultJWTClaimsVerifier(final Set acceptedAudience,
					final JWTClaimsSet exactMatchClaims,
					final Set requiredClaims,
					final Set prohibitedClaims) {
		
		this.acceptedAudienceValues = acceptedAudience != null ? Collections.unmodifiableSet(acceptedAudience) : null;
		
		this.exactMatchClaims = exactMatchClaims != null ? exactMatchClaims : new JWTClaimsSet.Builder().build();
		
		Set requiredClaimsCopy = new HashSet<>(this.exactMatchClaims.getClaims().keySet());
		if (acceptedAudienceValues != null && ! acceptedAudienceValues.contains(null)) {
			// check if an explicit aud is required
			requiredClaimsCopy.add("aud");
		}
		if (requiredClaims != null) {
			requiredClaimsCopy.addAll(requiredClaims);
		}
		this.requiredClaims = Collections.unmodifiableSet(requiredClaimsCopy);
		
		this.prohibitedClaims = prohibitedClaims != null ? Collections.unmodifiableSet(prohibitedClaims) : Collections.emptySet();
	}
	
	
	/**
	 * Returns the accepted audience values.
	 *
	 * @return The accepted JWT audience values, {@code null} if not
	 *         specified. A {@code null} value in the set allows JWTs with
	 *         no audience.
	 */
	public Set getAcceptedAudienceValues() {
		return acceptedAudienceValues;
	}
	
	
	/**
	 * Returns the JWT claims that must match exactly.
	 *
	 * @return The JWT claims that must match exactly, empty set if none.
	 */
	public JWTClaimsSet getExactMatchClaims() {
		return exactMatchClaims;
	}
	
	
	/**
	 * Returns the names of the JWT claims that must be present, including
	 * the name of those that must match exactly.
	 *
	 * @return The names of the JWT claims that must be present, empty set
	 *         if none.
	 */
	public Set getRequiredClaims() {
		return requiredClaims;
	}
	
	
	/**
	 * Returns the names of the JWT claims that must not be present.
	 *
	 * @return The names of the JWT claims that must not be present, empty
	 *         set if none.
	 */
	public Set getProhibitedClaims() {
		return prohibitedClaims;
	}
	
	
	@Override
	public int getMaxClockSkew() {
		return maxClockSkew;
	}


	@Override
	public void setMaxClockSkew(final int maxClockSkewSeconds) {
		maxClockSkew = maxClockSkewSeconds;
	}
	
	
	@Override
	public void verify(final JWTClaimsSet claimsSet)
		throws BadJWTException {

		verify(claimsSet, null);
	}
	
	
	@Override
	public void verify(final JWTClaimsSet claimsSet, final C context)
		throws BadJWTException {
		
		// Check audience
		if (acceptedAudienceValues != null) {
			List audList = claimsSet.getAudience();
			if (audList != null && ! audList.isEmpty()) {
				boolean audMatch = false;
				for (String aud : audList) {
					if (acceptedAudienceValues.contains(aud)) {
						audMatch = true;
						break;
					}
				}
				if (! audMatch) {
					throw new BadJWTException("JWT audience rejected: " + audList);
				}
			} else if (! acceptedAudienceValues.contains(null)) {
				throw new BadJWTException("JWT missing required audience");
			}
		}
		
		// Check if all required claims are present
		if (! claimsSet.getClaims().keySet().containsAll(requiredClaims)) {
			Set missingClaims = new HashSet<>(requiredClaims);
			missingClaims.removeAll(claimsSet.getClaims().keySet());
			throw new BadJWTException("JWT missing required claims: " + missingClaims);
		}
		
		// Check if prohibited claims are present
		Set presentProhibitedClaims = new HashSet<>();
		for (String prohibited: prohibitedClaims) {
			if (claimsSet.getClaims().containsKey(prohibited)) {
				presentProhibitedClaims.add(prohibited);
			}
			if (! presentProhibitedClaims.isEmpty()) {
				throw new BadJWTException("JWT has prohibited claims: " + presentProhibitedClaims);
			}
		}
		
		// Check exact matches
		for (String exactMatch: exactMatchClaims.getClaims().keySet()) {
			Object actualClaim = claimsSet.getClaim(exactMatch);
			Object expectedClaim = exactMatchClaims.getClaim(exactMatch);
			if (! actualClaim.equals(expectedClaim)) {
				throw new BadJWTException("JWT \"" + exactMatch + "\" claim has value " + actualClaim + ", must be " + expectedClaim);
			}
		}
		
		// Check time window
		final Date now = new Date();
		
		final Date exp = claimsSet.getExpirationTime();
		if (exp != null) {
			
			if (! DateUtils.isAfter(exp, now, maxClockSkew)) {
				throw new BadJWTException("Expired JWT");
			}
		}
		
		final Date nbf = claimsSet.getNotBeforeTime();
		if (nbf != null) {
			
			if (! DateUtils.isBefore(nbf, now, maxClockSkew)) {
				throw new BadJWTException("JWT before use time");
			}
		}
	}
}