

OAuth 2.0 SDK with OpenID Connect extensions for developing client and server applications.

/*
 * oauth2-oidc-sdk
 *
 * Copyright 2012-2016, Connect2id Ltd and contributors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
 * this file except in compliance with the License. You may obtain a copy of the
 * License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software distributed
 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 * CONDITIONS OF ANY KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations under the License.
 */

package com.nimbusds.oauth2.sdk.assertions.jwt;


import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.util.DateUtils;
import com.nimbusds.oauth2.sdk.id.Audience;
import com.nimbusds.oauth2.sdk.id.Identifier;
import com.nimbusds.oauth2.sdk.util.CollectionUtils;
import net.jcip.annotations.Immutable;

import java.time.Instant;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;


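/**
 * JSON Web Token (JWT) bearer assertion details (claims set) verifier for
 * OAuth 2.0 client authentication and authorisation grants. Intended for
 * initial validation of JWT assertions:
 *
 * <ul>
 *     <li>Audience check
 *     <li>Expiration time check
 *     <li>Expiration time too far ahead check (optional)
 *     <li>Not-before time check (if set)
 *     <li>Subject and issuer presence check
 * </ul>
 *
 * <p>The audience, expiration, not-before and required-claims checks are
 * delegated to {@link DefaultJWTClaimsVerifier} (configured with
 * {@code aud}, {@code exp}, {@code sub} and {@code iss} as required
 * claims); this class only adds the optional upper bound on how far ahead
 * the expiration time may lie.
 *
 * <p>Scope: this verifier sees the claims set only. It does not verify the
 * JWS signature (the token must be signature-checked before its claims are
 * trusted), it does not check that {@code iss} / {@code sub} belong to the
 * client being authenticated, and it does not record the JWT ID
 * ({@code jti}) for replay detection. Callers implementing RFC 7523 client
 * authentication or authorisation grants are expected to perform those
 * steps separately.
 *
 * <p>Related specifications:
 *
 * <ul>
 *     <li>JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and
 *         Authorization Grants (RFC 7523).
 * </ul>
 */
@Immutable
public class JWTAssertionDetailsVerifier extends DefaultJWTClaimsVerifier<SecurityContext> {


	/**
	 * The expected audience, held as an unmodifiable snapshot of the
	 * values passed to the constructor.
	 */
	private final Set<Audience> expectedAudience;


	/**
	 * The maximum number of seconds the expiration time can be ahead of
	 * the current time; zero or negative disables the check.
	 */
	private final long expMaxAhead;


	/**
	 * Creates a new JWT bearer assertion details (claims set) verifier
	 * with the "expiration too far ahead" check disabled.
	 *
	 * @param expectedAudience The expected audience (aud) claim values.
	 *                         Must not be empty or {@code null}. Should
	 *                         typically contain the token endpoint URI and
	 *                         for OpenID provider it may also include the
	 *                         issuer URI.
	 *
	 * @throws IllegalArgumentException If the expected audience set is
	 *                                  {@code null} or empty.
	 */
	public JWTAssertionDetailsVerifier(final Set<Audience> expectedAudience) {

		this(expectedAudience, -1L);
	}


	/**
	 * Creates a new JWT bearer assertion details (claims set) verifier.
	 *
	 * @param expectedAudience The expected audience (aud) claim values.
	 *                         Must not be empty or {@code null}. Should
	 *                         typically contain the token endpoint URI and
	 *                         for OpenID provider it may also include the
	 *                         issuer URI.
	 * @param expMaxAhead      The maximum number of seconds the expiration
	 *                         time (exp) claim can be ahead of the current
	 *                         time, if zero or negative this check is
	 *                         disabled.
	 *
	 * @throws IllegalArgumentException If the expected audience set is
	 *                                  {@code null} or empty.
	 */
	public JWTAssertionDetailsVerifier(final Set<Audience> expectedAudience,
					   final long expMaxAhead) {

		// super(...) must be the first statement, so the argument check
		// is done inside its argument list: a null / empty set would
		// otherwise reach Identifier.toStringList and the HashSet copy
		// before being rejected, and may surface as a NullPointerException
		// instead of the documented IllegalArgumentException.
		super(
			new HashSet<>(Identifier.toStringList(requireNonEmpty(expectedAudience))),
			null,
			new HashSet<>(Arrays.asList("aud", "exp", "sub", "iss")),
			null);

		// Defensive copy. The class is @Immutable and the super class
		// already enforces its own String snapshot of the audience;
		// keeping a reference to the caller's live set would let
		// getExpectedAudience() report values that are not what is
		// actually enforced.
		this.expectedAudience = Collections.unmodifiableSet(new HashSet<>(expectedAudience));
		this.expMaxAhead = expMaxAhead;
	}


	/**
	 * Ensures the expected audience set is neither {@code null} nor empty.
	 *
	 * @param expectedAudience The set to check.
	 *
	 * @return The same set, so the call can be nested in the
	 *         {@code super(...)} argument list.
	 *
	 * @throws IllegalArgumentException If the set is {@code null} or empty.
	 */
	private static Set<Audience> requireNonEmpty(final Set<Audience> expectedAudience) {

		if (CollectionUtils.isEmpty(expectedAudience)) {
			throw new IllegalArgumentException("The expected audience set must not be null or empty");
		}
		return expectedAudience;
	}


	/**
	 * Returns the expected audience values.
	 *
	 * @return The expected audience (aud) claim values, as an unmodifiable
	 *         set.
	 *
	 * @deprecated Kept for backward compatibility.
	 */
	@Deprecated
	public Set<Audience> getExpectedAudience() {

		return expectedAudience;
	}


	/**
	 * Returns the maximum number of seconds the expiration time (exp)
	 * claim can be ahead of the current time.
	 *
	 * @return The maximum number of seconds, if zero or negative this
	 *         check is disabled.
	 */
	public long getExpirationTimeMaxAhead() {

		return expMaxAhead;
	}


	/**
	 * Verifies the claims set: the inherited checks first (audience,
	 * exp / nbf, presence of aud, exp, sub and iss), then the optional
	 * bound on how far ahead the expiration time may be.
	 *
	 * @param claimsSet The JWT claims set. Must not be {@code null}.
	 * @param context   Optional security context, passed through to the
	 *                  super class.
	 *
	 * @throws BadJWTException If any inherited check fails, or if the
	 *                         "too far ahead" check is enabled and the
	 *                         expiration time exceeds the bound.
	 */
	@Override
	public void verify(final JWTClaimsSet claimsSet, final SecurityContext context)
		throws BadJWTException {

		super.verify(claimsSet, context);

		if (expMaxAhead <= 0) {
			// Check disabled by configuration
			return;
		}

		// "exp" is passed to the super class as a required claim, so a
		// claims set without it should already have been rejected above
		// and getExpirationTime() is expected to be non-null here.
		final long nowSeconds = Instant.now().getEpochSecond();
		final long expSeconds = DateUtils.toSecondsSinceEpoch(claimsSet.getExpirationTime());

		// Compare the distance rather than (now + expMaxAhead), which can
		// overflow for a very large bound. No clock skew allowance is
		// applied in this direction: an exp beyond the bound is rejected
		// outright.
		if (expSeconds - nowSeconds > expMaxAhead) {
			throw new BadJWTException("JWT expiration too far ahead");
		}
	}
}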



