• Home
• com.nimbusds
• oauth2-oidc-sdk
• 11.20
• source code
• JWTAssertionDetailsVerifier.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

com.nimbusds.oauth2.sdk.assertions.jwt.JWTAssertionDetailsVerifier Maven / Gradle / Ivy

/*
 * oauth2-oidc-sdk
 *
 * Copyright 2012-2016, Connect2id Ltd and contributors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
 * this file except in compliance with the License. You may obtain a copy of the
 * License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software distributed
 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 * CONDITIONS OF ANY KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations under the License.
 */

package com.nimbusds.oauth2.sdk.assertions.jwt;


import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.util.DateUtils;
import com.nimbusds.oauth2.sdk.id.Audience;
import com.nimbusds.oauth2.sdk.id.Identifier;
import com.nimbusds.oauth2.sdk.util.CollectionUtils;
import net.jcip.annotations.Immutable;

import java.util.Arrays;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;


/**
 * JSON Web Token (JWT) bearer assertion details (claims set) verifier for
 * OAuth 2.0 client authentication and authorisation grants. Intended for
 * initial validation of JWT assertions:
 *
 * 

 *     
Audience check
 *     
Expiration time check
 *     
Expiration time too far ahead check (optional)
 *     
Not-before time check (if set)
 *     
Subject and issuer presence check
 * 
 *
 * 
Related specifications:
 *
 * 

 *     
JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and
 *         Authorization Grants (RFC 7523)
 * 
 */
@Immutable
public class JWTAssertionDetailsVerifier extends DefaultJWTClaimsVerifier {


	/**
	 * The expected audience.
	 */
	private final Set expectedAudience;


	/**
	 * The maximum number of seconds the expiration time can be ahead of
	 * the current time.
	 */
	private final long expMaxAhead;


	/**
	 * Creates a new JWT bearer assertion details (claims set) verifier.
	 *
	 * @param expectedAudience The expected audience (aud) claim values.
	 *                         Must not be empty or {@code null}. Should
	 *                         typically contain the token endpoint URI and
	 *                         for OpenID provider it may also include the
	 *                         issuer URI.
	 */
	public JWTAssertionDetailsVerifier(final Set expectedAudience) {

		this(expectedAudience, -1L);
	}


	/**
	 * Creates a new JWT bearer assertion details (claims set) verifier.
	 *
	 * @param expectedAudience The expected audience (aud) claim values.
	 *                         Must not be empty or {@code null}. Should
	 *                         typically contain the token endpoint URI and
	 *                         for OpenID provider it may also include the
	 *                         issuer URI.
	 * @param expMaxAhead      The maximum number of seconds the expiration
	 *                         time (exp) claim can be ahead of the current
	 *                         time, if zero or negative this check is
	 *                         disabled.
	 */
	public JWTAssertionDetailsVerifier(final Set expectedAudience,
					   final long expMaxAhead) {

		super(
                        new HashSet<>(Identifier.toStringList(expectedAudience)),
			null,
                        new HashSet<>(Arrays.asList("aud", "exp", "sub", "iss")),
			null);

		if (CollectionUtils.isEmpty(expectedAudience)) {
			throw new IllegalArgumentException("The expected audience set must not be null or empty");
		}

		this.expectedAudience = expectedAudience;

		this.expMaxAhead = expMaxAhead;
	}


	/**
	 * Returns the expected audience values.
	 *
	 * @return The expected audience (aud) claim values.
	 */
	@Deprecated
	public Set getExpectedAudience() {

		return expectedAudience;
	}


	/**
	 * Returns the maximum number of seconds the expiration time (exp)
	 * claim can be ahead of the current time.
	 *
	 * @return The maximum number of seconds, if zero or negative this
	 *         check is disabled.
	 */
	public long getExpirationTimeMaxAhead() {

		return expMaxAhead;
	}


	@Override
	public void verify(JWTClaimsSet claimsSet, SecurityContext context)
		throws BadJWTException {

		super.verify(claimsSet, context);

		if (expMaxAhead > 0) {
			long now = DateUtils.toSecondsSinceEpoch(new Date());
			long exp = DateUtils.toSecondsSinceEpoch(claimsSet.getExpirationTime());
			if (now + expMaxAhead < exp) {
				throw new BadJWTException("JWT expiration too far ahead");
			}
		}
	}
}