/*
* oauth2-oidc-sdk
*
* Copyright 2012-2016, Connect2id Ltd and contributors.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not use
* this file except in compliance with the License. You may obtain a copy of the
* License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software distributed
* under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
* CONDITIONS OF ANY KIND, either express or implied. See the License for the
* specific language governing permissions and limitations under the License.
*/
package com.nimbusds.oauth2.sdk.assertions.jwt;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.util.DateUtils;
import com.nimbusds.oauth2.sdk.id.Audience;
import com.nimbusds.oauth2.sdk.id.Identifier;
import com.nimbusds.oauth2.sdk.util.CollectionUtils;
import net.jcip.annotations.Immutable;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;
/**
 * JSON Web Token (JWT) bearer assertion details (claims set) verifier for
 * OAuth 2.0 client authentication and authorisation grants. Intended for
 * initial validation of JWT assertions:
 *
 * <ul>
 *     <li>Audience check
 *     <li>Expiration time check
 *     <li>Expiration time too far ahead check (optional)
 *     <li>Not-before time check (if set)
 *     <li>Subject and issuer presence check
 * </ul>
 *
 * <p>Related specifications:
 *
 * <ul>
 *     <li>JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and
 *         Authorization Grants (RFC 7523).
 * </ul>
 */
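@Immutable
public class JWTAssertionDetailsVerifier extends DefaultJWTClaimsVerifier<SecurityContext> {

	/**
	 * The claims every JWT bearer assertion must carry before it is
	 * considered for authentication or as an authorisation grant. Note
	 * that the JWT ID (jti) is not required here, so replay detection,
	 * where needed, must be performed by the caller.
	 */
	private static final Set<String> REQUIRED_CLAIMS =
		Collections.unmodifiableSet(new HashSet<>(Arrays.asList("aud", "exp", "sub", "iss")));

	/**
	 * The expected audience, kept as an unmodifiable snapshot so that the
	 * verifier remains immutable even if the caller later mutates the set
	 * it passed to the constructor.
	 */
	private final Set<Audience> expectedAudience;

	/**
	 * The maximum number of seconds the expiration time can be ahead of
	 * the current time. Zero or negative disables the check.
	 */
	private final long expMaxAhead;

	/**
	 * Creates a new JWT bearer assertion details (claims set) verifier
	 * with the expiration-time-too-far-ahead check disabled.
	 *
	 * @param expectedAudience The expected audience (aud) claim values.
	 *                         Must not be empty or {@code null}. Should
	 *                         typically contain the token endpoint URI and
	 *                         for OpenID provider it may also include the
	 *                         issuer URI.
	 *
	 * @throws IllegalArgumentException If the expected audience set is
	 *                                  {@code null} or empty.
	 */
	public JWTAssertionDetailsVerifier(final Set<Audience> expectedAudience) {
		this(expectedAudience, -1L);
	}

	/**
	 * Creates a new JWT bearer assertion details (claims set) verifier.
	 *
	 * @param expectedAudience The expected audience (aud) claim values.
	 *                         Must not be empty or {@code null}. Should
	 *                         typically contain the token endpoint URI and
	 *                         for OpenID provider it may also include the
	 *                         issuer URI.
	 * @param expMaxAhead      The maximum number of seconds the expiration
	 *                         time (exp) claim can be ahead of the current
	 *                         time, if zero or negative this check is
	 *                         disabled.
	 *
	 * @throws IllegalArgumentException If the expected audience set is
	 *                                  {@code null} or empty.
	 */
	public JWTAssertionDetailsVerifier(final Set<Audience> expectedAudience,
					   final long expMaxAhead) {
		// The argument check runs inside the super(...) expression so a
		// null / empty set is rejected with the documented
		// IllegalArgumentException before it reaches Identifier.toStringList.
		super(
			new HashSet<>(Identifier.toStringList(requireNonEmpty(expectedAudience))),
			null,
			REQUIRED_CLAIMS,
			null);
		this.expectedAudience = Collections.unmodifiableSet(new HashSet<>(expectedAudience));
		this.expMaxAhead = expMaxAhead;
	}

	/**
	 * Rejects a {@code null} or empty expected audience set.
	 *
	 * @param expectedAudience The set to check.
	 *
	 * @return The same set, for use in constructor argument expressions.
	 *
	 * @throws IllegalArgumentException If the set is {@code null} or empty.
	 */
	private static Set<Audience> requireNonEmpty(final Set<Audience> expectedAudience) {
		if (CollectionUtils.isEmpty(expectedAudience)) {
			throw new IllegalArgumentException("The expected audience set must not be null or empty");
		}
		return expectedAudience;
	}

	/**
	 * Returns the expected audience values.
	 *
	 * @return The expected audience (aud) claim values, as an unmodifiable
	 *         set.
	 */
	@Deprecated
	public Set<Audience> getExpectedAudience() {
		return expectedAudience;
	}

	/**
	 * Returns the maximum number of seconds the expiration time (exp)
	 * claim can be ahead of the current time.
	 *
	 * @return The maximum number of seconds, if zero or negative this
	 *         check is disabled.
	 */
	public long getExpirationTimeMaxAhead() {
		return expMaxAhead;
	}

	/**
	 * Verifies the claims set: the inherited audience, required-claims,
	 * expiration and not-before checks run first, then, when enabled, the
	 * expiration time is rejected if it lies more than
	 * {@link #getExpirationTimeMaxAhead()} seconds in the future.
	 *
	 * @param claimsSet The claims set to verify. Must not be {@code null}.
	 * @param context   Optional security context, may be {@code null}.
	 *
	 * @throws BadJWTException If any of the checks fails.
	 */
	@Override
	public void verify(final JWTClaimsSet claimsSet, final SecurityContext context)
		throws BadJWTException {

		// Presence of "exp" is enforced by the required claims passed to
		// the superclass, so getExpirationTime() is non-null past this point.
		super.verify(claimsSet, context);

		if (expMaxAhead > 0) {
			long now = DateUtils.toSecondsSinceEpoch(new Date());
			long exp = DateUtils.toSecondsSinceEpoch(claimsSet.getExpirationTime());
			// Compare the distance rather than now + expMaxAhead, which
			// could overflow for an oversized expMaxAhead.
			if (exp - now > expMaxAhead) {
				throw new BadJWTException("JWT expiration too far ahead");
			}
		}
	}
}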