com.nimbusds.oauth2.sdk.auth.JWTAuthenticationClaimsSet Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of oauth2-oidc-sdk Show documentation
Show all versions of oauth2-oidc-sdk Show documentation
OAuth 2.0 SDK with OpenID Connection extensions for developing client
and server applications.
package com.nimbusds.oauth2.sdk.auth;
import java.util.Collections;
import java.util.Date;
import java.util.LinkedHashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import net.minidev.json.JSONObject;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.ReadOnlyJWTClaimsSet;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.id.Audience;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.oauth2.sdk.id.JWTID;
import com.nimbusds.oauth2.sdk.id.Subject;
import com.nimbusds.oauth2.sdk.util.DateUtils;
import com.nimbusds.oauth2.sdk.util.JSONObjectUtils;
/**
* JWT client authentication claims set, serialisable to a JSON object and JWT
* claims set.
*
* Used for {@link ClientSecretJWT client secret JWT} and
* {@link PrivateKeyJWT private key JWT} authentication at the Token endpoint.
*
*
Example client authentication claims set:
*
*
* {
* "iss" : "http://client.example.com",
* "sub" : "http://client.example.com",
* "aud" : [ "http://idp.example.com/token" ],
* "jti" : "d396036d-c4d9-40d8-8e98-f7e8327002d9",
* "exp" : 1311281970,
* "iat" : 1311280970
* }
*
*
* Related specifications:
*
*
* - OAuth 2.0 (RFC 6749), section-3.2.1.
*
- JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0
* (draft-ietf-oauth-jwt-bearer-10)
*
*/
public class JWTAuthenticationClaimsSet {
/**
* The names of the reserved client authentication claims.
*/
private static final Set reservedClaimNames = new LinkedHashSet<>();
static {
reservedClaimNames.add("iss");
reservedClaimNames.add("sub");
reservedClaimNames.add("aud");
reservedClaimNames.add("exp");
reservedClaimNames.add("nbf");
reservedClaimNames.add("iat");
reservedClaimNames.add("jti");
}
/**
* Gets the names of the reserved client authentication claims.
*
* @return The names of the reserved client authentication claims
* (read-only set).
*/
public static Set getReservedClaimNames() {
return Collections.unmodifiableSet(reservedClaimNames);
}
/**
* The issuer (required).
*/
private final Issuer iss;
/**
* The subject (required).
*/
private final Subject sub;
/**
* The audience that this token is intended for (required).
*/
private final Audience aud;
/**
* The expiration time that limits the time window during which the JWT
* can be used (required). The serialised value is number of seconds
* from 1970-01-01T0:0:0Z as measured in UTC until the desired
* date/time.
*/
private final Date exp;
/**
* The time before which this token must not be accepted for
* processing (optional). The serialised value is number of seconds
* from 1970-01-01T0:0:0Z as measured in UTC until the desired
* date/time.
*/
private final Date nbf;
/**
* The time at which this token was issued (optional). The serialised
* value is number of seconds from 1970-01-01T0:0:0Z as measured in UTC
* until the desired date/time.
*/
private final Date iat;
/**
* Unique identifier for the JWT (optional). The JWT ID may be used by
* implementations requiring message de-duplication for one-time use
* assertions.
*/
private final JWTID jti;
/**
* Creates a new JWT client authentication claims set.
*
* @param clientID The client identifier. Used to specify the issuer
* and the subject. Must not be {@code null}.
* @param aud The audience identifier, typically the URI of the
* authorisation server's Token endpoint. Must not be
* {@code null}.
* @param exp The expiration time. Must not be {@code null}.
* @param nbf The time before which the token must not be
* accepted for processing, {@code null} if not
* specified.
* @param iat The time at which the token was issued,
* {@code null} if not specified.
* @param jti Unique identifier for the JWT, {@code null} if
* not specified.
*/
public JWTAuthenticationClaimsSet(final ClientID clientID,
final Audience aud,
final Date exp,
final Date nbf,
final Date iat,
final JWTID jti) {
if (clientID == null)
throw new IllegalArgumentException("The client ID must not be null");
iss = new Issuer(clientID.getValue());
sub = new Subject(clientID.getValue());
if (aud == null)
throw new IllegalArgumentException("The audience must not be null");
this.aud = aud;
if (exp == null)
throw new IllegalArgumentException("The expiration time must not be null");
this.exp = exp;
this.nbf = nbf;
this.iat = iat;
this.jti = jti;
}
/**
* Gets the client identifier. Corresponds to the {@code iss} and
* {@code sub} claims.
*
* @return The client identifier.
*/
public ClientID getClientID() {
return new ClientID(iss.getValue());
}
/**
* Gets the issuer. Corresponds to the {@code iss} claim.
*
* @return The issuer. Contains the identifier of the OAuth client.
*/
public Issuer getIssuer() {
return iss;
}
/**
* Gets the subject. Corresponds to the {@code sub} claim.
*
* @return The subject. Contains the identifier of the OAuth client.
*/
public Subject getSubject() {
return sub;
}
/**
* Gets the audience. Corresponds to the {@code aud} claim
* (single-valued).
*
* @return The audience, typically the URI of the authorisation
* server's token endpoint.
*/
public Audience getAudience() {
return aud;
}
/**
* Gets the expiration time. Corresponds to the {@code exp} claim.
*
* @return The expiration time.
*/
public Date getExpirationTime() {
return exp;
}
/**
* Gets the not-before time. Corresponds to the {@code nbf} claim.
*
* @return The not-before time, {@code null} if not specified.
*/
public Date getNotBeforeTime() {
return nbf;
}
/**
* Gets the optional issue time. Corresponds to the {@code iat} claim.
*
* @return The issued-at time, {@code null} if not specified.
*/
public Date getIssueTime() {
return iat;
}
/**
* Gets the identifier for the JWT. Corresponds to the {@code jti}
* claim.
*
* @return The identifier for the JWT, {@code null} if not specified.
*/
public JWTID getJWTID() {
return jti;
}
/**
* Returns a JSON object representation of this JWT client
* authentication claims set.
*
* @return The JSON object.
*/
public JSONObject toJSONObject() {
JSONObject o = new JSONObject();
o.put("iss", iss.getValue());
o.put("sub", sub.getValue());
List