All Downloads are FREE. Search and download functionalities are using the official Maven repository.

com.nimbusds.openid.connect.sdk.validators.IDTokenClaimsVerifier Maven / Gradle / Ivy

Go to download

OAuth 2.0 SDK with OpenID Connection extensions for developing client and server applications.

There is a newer version: 11.20.1
Show newest version
/*
 * oauth2-oidc-sdk
 *
 * Copyright 2012-2016, Connect2id Ltd and contributors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
 * this file except in compliance with the License. You may obtain a copy of the
 * License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software distributed
 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 * CONDITIONS OF ANY KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations under the License.
 */

package com.nimbusds.openid.connect.sdk.validators;


import java.util.Date;
import java.util.List;

import net.jcip.annotations.ThreadSafe;

import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.ClockSkewAware;
import com.nimbusds.jwt.proc.JWTClaimsSetVerifier;
import com.nimbusds.jwt.util.DateUtils;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.oauth2.sdk.util.CollectionUtils;
import com.nimbusds.openid.connect.sdk.Nonce;


/**
 * ID token claims verifier.
 *
 * 

Related specifications: * *

    *
  • OpenID Connect Core 1.0, section 3.1.3.7 for code flow. *
  • OpenID Connect Core 1.0, section 3.2.2.11 for implicit flow. *
  • OpenID Connect Core 1.0, sections 3.3.2.12 and 3.3.3.7 for hybrid * flow. *
*/ @ThreadSafe public class IDTokenClaimsVerifier implements JWTClaimsSetVerifier, ClockSkewAware { /** * The expected ID token issuer. */ private final Issuer expectedIssuer; /** * The requesting client. */ private final ClientID expectedClientID; /** * The expected nonce, {@code null} if not required or specified. */ private final Nonce expectedNonce; /** * The maximum acceptable clock skew, in seconds. */ private int maxClockSkew; /** * Creates a new ID token claims verifier. * * @param issuer The expected ID token issuer. Must not be * {@code null}. * @param clientID The client ID. Must not be {@code null}. * @param nonce The nonce, required in the implicit flow or for * ID tokens returned by the authorisation endpoint * int the hybrid flow. {@code null} if not * required or specified. * @param maxClockSkew The maximum acceptable clock skew (absolute * value), in seconds. Must be zero (no clock skew) * or positive integer. */ public IDTokenClaimsVerifier(final Issuer issuer, final ClientID clientID, final Nonce nonce, final int maxClockSkew) { if (issuer == null) { throw new IllegalArgumentException("The expected ID token issuer must not be null"); } this.expectedIssuer = issuer; if (clientID == null) { throw new IllegalArgumentException("The client ID must not be null"); } this.expectedClientID = clientID; this.expectedNonce = nonce; setMaxClockSkew(maxClockSkew); } /** * Returns the expected ID token issuer. * * @return The ID token issuer. */ public Issuer getExpectedIssuer() { return expectedIssuer; } /** * Returns the client ID for verifying the ID token audience. * * @return The client ID. */ public ClientID getClientID() { return expectedClientID; } /** * Returns the expected nonce. * * @return The nonce, {@code null} if not required or specified. */ public Nonce getExpectedNonce() { return expectedNonce; } @Override public int getMaxClockSkew() { return maxClockSkew; } @Override public void setMaxClockSkew(final int maxClockSkew) { if (maxClockSkew < 0) { throw new IllegalArgumentException("The max clock skew must be zero or positive"); } this.maxClockSkew = maxClockSkew; } @Override public void verify(final JWTClaimsSet claimsSet, final SecurityContext ctx) throws BadJWTException { // See http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation final String tokenIssuer = claimsSet.getIssuer(); if (tokenIssuer == null) { throw BadJWTExceptions.MISSING_ISS_CLAIM_EXCEPTION; } if (! expectedIssuer.getValue().equals(tokenIssuer)) { throw new BadJWTException("Unexpected JWT issuer: " + tokenIssuer); } if (claimsSet.getSubject() == null) { throw BadJWTExceptions.MISSING_SUB_CLAIM_EXCEPTION; } final List tokenAudience = claimsSet.getAudience(); if (CollectionUtils.isEmpty(tokenAudience)) { throw BadJWTExceptions.MISSING_AUD_CLAIM_EXCEPTION; } if (! tokenAudience.contains(expectedClientID.getValue())) { throw new BadJWTException("Unexpected JWT audience: " + tokenAudience); } if (tokenAudience.size() > 1) { final String tokenAzp; try { tokenAzp = claimsSet.getStringClaim("azp"); } catch (java.text.ParseException e) { throw new BadJWTException("Invalid JWT authorized party (azp) claim: " + e.getMessage()); } if (tokenAzp == null) { throw new BadJWTException("JWT authorized party (azp) claim required when multiple (aud) audiences present"); } if (! expectedClientID.getValue().equals(tokenAzp)) { throw new BadJWTException("Unexpected JWT authorized party (azp) claim: " + tokenAzp); } } final Date exp = claimsSet.getExpirationTime(); if (exp == null) { throw BadJWTExceptions.MISSING_EXP_CLAIM_EXCEPTION; } final Date iat = claimsSet.getIssueTime(); if (iat == null) { throw BadJWTExceptions.MISSING_IAT_CLAIM_EXCEPTION; } final Date nowRef = new Date(); // Expiration must be after current time, given acceptable clock skew if (! DateUtils.isAfter(exp, nowRef, maxClockSkew)) { throw BadJWTExceptions.EXPIRED_EXCEPTION; } // Issue time must be before current time, given acceptable clock skew, or equal to current time if (! (iat.equals(nowRef) || DateUtils.isBefore(iat, nowRef, maxClockSkew))) { throw BadJWTExceptions.IAT_CLAIM_AHEAD_EXCEPTION; } if (expectedNonce != null) { final String tokenNonce; try { tokenNonce = claimsSet.getStringClaim("nonce"); } catch (java.text.ParseException e) { throw new BadJWTException("Invalid JWT nonce (nonce) claim: " + e.getMessage()); } if (tokenNonce == null) { throw BadJWTExceptions.MISSING_NONCE_CLAIM_EXCEPTION; } if (! expectedNonce.getValue().equals(tokenNonce)) { throw new BadJWTException("Unexpected JWT nonce (nonce) claim: " + tokenNonce); } } } }




© 2015 - 2024 Weber Informatics LLC | Privacy Policy