com.nimbusds.oauth2.sdk.auth.verifier.JWTAuthenticationClaimsSetVerifier Maven / Gradle / Ivy
OAuth 2.0 SDK with OpenID Connect extensions for developing
client and server applications.
package com.nimbusds.oauth2.sdk.auth.verifier;
import java.util.Set;
import net.jcip.annotations.Immutable;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.oauth2.sdk.assertions.jwt.JWTAssertionDetailsVerifier;
import com.nimbusds.oauth2.sdk.id.Audience;
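/**
 * JWT client authentication claims set verifier.
 *
 * <p>Runs the checks inherited from {@link JWTAssertionDetailsVerifier} and
 * then requires the issuer ({@code iss}) and subject ({@code sub}) claims to
 * be equal. Only the claims set is inspected here: nothing in this class
 * validates the JWT signature or MAC, so that step has to be performed
 * separately by the caller.
 *
 * <p>Related specifications:
 *
 * <ul>
 *     <li>OpenID Connect Core 1.0, section 9.
 *     <li>JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and
 *         Authorization Grants (RFC 7523).
 * </ul>
 */
@Immutable
class JWTAuthenticationClaimsSetVerifier extends JWTAssertionDetailsVerifier {


	// Cache JWT exceptions for quick processing of bad claims.
	// A shared instance is created once at class initialisation, so any
	// stack trace it carries does not point at the call that rejected the
	// claims; log the request context at the catch site when diagnosing.


	/**
	 * Thrown when the issuer claim is missing or differs from the
	 * subject claim.
	 */
	private static final BadJWTException ISS_SUB_MISMATCH_EXCEPTION =
		new BadJWTException("Issuer and subject JWT claims don't match");


	/**
	 * Creates a new JWT client authentication claims set verifier.
	 *
	 * @param expectedAudience The permitted audience (aud) claim values.
	 *                         Must not be empty or {@code null}. Should
	 *                         typically contain the token endpoint URI and
	 *                         for OpenID provider it may also include the
	 *                         issuer URI.
	 */
	// NOTE(review): the parameter is a raw Set in this listing; the file
	// imports Audience, so the element type is presumably Audience and the
	// type argument was lost in rendering -- confirm against the upstream
	// source before relying on it.
	public JWTAuthenticationClaimsSetVerifier(final Set expectedAudience) {

		super(expectedAudience);
	}


	/**
	 * Verifies the claims of a client authentication JWT.
	 *
	 * @param claimsSet The JWT claims set to check.
	 *
	 * @throws BadJWTException If the inherited checks reject the claims
	 *                         set, or if the issuer is missing or not
	 *                         equal to the subject.
	 */
	@Override
	public void verify(final JWTClaimsSet claimsSet)
		throws BadJWTException {

		// Inherited checks first; their rules live in the superclass
		super.verify(claimsSet);

		// iss == sub
		// The superclass presumably rejects a missing issuer already, but
		// that is not visible from this class. Testing for null here keeps
		// the check fail-closed: a missing issuer ends as a BadJWTException
		// (an authentication failure) instead of a NullPointerException.
		final String issuer = claimsSet.getIssuer();

		if (issuer == null || ! issuer.equals(claimsSet.getSubject())) {
			throw ISS_SUB_MISMATCH_EXCEPTION;
		}
	}
}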