com.nimbusds.oauth2.sdk.assertions.saml2.SAML2AssertionDetailsVerifier Maven / Gradle / Ivy

Go to download
Show more of this group Show more artifacts with this name
Show all versions of oauth2-oidc-sdk Show documentation
OAuth 2.0 SDK with OpenID Connection extensions for developing client and server applications.
There is a newer version: 11.19.1
/*
 * oauth2-oidc-sdk
 *
 * Copyright 2012-2016, Connect2id Ltd and contributors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
 * this file except in compliance with the License. You may obtain a copy of the
 * License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software distributed
 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 * CONDITIONS OF ANY KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations under the License.
 */

package com.nimbusds.oauth2.sdk.assertions.saml2;


import java.util.Date;
import java.util.Set;

import com.nimbusds.jwt.util.DateUtils;
import com.nimbusds.jwt.proc.ClockSkewAware;
import com.nimbusds.oauth2.sdk.id.Audience;
import com.nimbusds.oauth2.sdk.util.CollectionUtils;
import net.jcip.annotations.Immutable;


/**
 * SAML 2.0 bearer assertion details verifier for OAuth 2.0 client
 * authentication and authorisation grants. Intended for initial validation of
 * SAML 2.0 assertions:
 *
 * 
 *     Audience check
 *     
Expiration time check
 *     
Not-before time check (is set)
 * 
 *
 * Related specifications:
 *
 * 

 *     Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0
 *         Client Authentication and Authorization Grants (RFC 7522).
 * 
 */
@Immutable
public class SAML2AssertionDetailsVerifier implements ClockSkewAware {


	/**
	 * The default maximum acceptable clock skew, in seconds (60).
	 */
	public static final int DEFAULT_MAX_CLOCK_SKEW_SECONDS = 60;
	

	// Cache SAML exceptions to speed up processing


	/**
	 * Expired SAML 2.0 assertion exception.
	 */
	private static final BadSAML2AssertionException EXPIRED_SAML2_ASSERTION_EXCEPTION =
		new BadSAML2AssertionException("Expired SAML 2.0 assertion");


	/**
	 * SAML 2.0 assertion before use time.
	 */
	private static final BadSAML2AssertionException SAML2_ASSERTION_BEFORE_USE_EXCEPTION =
		new BadSAML2AssertionException("SAML 2.0 assertion before use time");


	/**
	 * The expected audience.
	 */
	private final Set expectedAudience;


	/**
	 * Cached unexpected SAML 2.0 audience exception.
	 */
	private final BadSAML2AssertionException unexpectedAudienceException;


	/**
	 * The maximum acceptable clock skew, in seconds.
	 */
	private int maxClockSkewSeconds = DEFAULT_MAX_CLOCK_SKEW_SECONDS;


	/**
	 * Creates a new SAML 2.0 bearer assertion details verifier.
	 *
	 * @param expectedAudience The expected audience values. Must not be
	 *                         empty or {@code null}. Should typically
	 *                         contain the token endpoint URI and for
	 *                         OpenID provider it may also include the
	 *                         issuer URI.
	 */
	public SAML2AssertionDetailsVerifier(final Set expectedAudience) {
		if (CollectionUtils.isEmpty(expectedAudience)) {
			throw new IllegalArgumentException("The expected audience set must not be null or empty");
		}

		this.expectedAudience = expectedAudience;

		unexpectedAudienceException = new BadSAML2AssertionException("Invalid SAML 2.0 audience, expected " + expectedAudience);
	}


	/**
	 * Returns the expected audience values.
	 *
	 * @return The expected audience values.
	 */
	public Set getExpectedAudience() {
		return expectedAudience;
	}


	@Override
	public int getMaxClockSkew() {
		return maxClockSkewSeconds;
	}


	@Override
	public void setMaxClockSkew(int maxClockSkewSeconds) {
		this.maxClockSkewSeconds = maxClockSkewSeconds;
	}


	/**
	 * Verifies the specified SAML 2.0 bearer assertion details.
	 *
	 * @param assertionDetails The SAML 2.0 bearer assertion details. Must
	 *                         not be {@code null}.
	 *
	 * @throws BadSAML2AssertionException If verification didn't pass
	 *                                    successfully.
	 */
	public void verify(final SAML2AssertionDetails assertionDetails)
		throws BadSAML2AssertionException {

		// Check audience
		if (! Audience.matchesAny(expectedAudience, assertionDetails.getAudience())) {
			throw unexpectedAudienceException;
		}

		// Check expiration
		final Date now = new Date();

		if (! DateUtils.isAfter(assertionDetails.getExpirationTime(), now, maxClockSkewSeconds)) {
			throw EXPIRED_SAML2_ASSERTION_EXCEPTION;
		}

		// Check optional not before use time
		if (assertionDetails.getNotBeforeTime() != null) {
			if (! DateUtils.isBefore(assertionDetails.getNotBeforeTime(), now, maxClockSkewSeconds))
				throw SAML2_ASSERTION_BEFORE_USE_EXCEPTION;
		}
	}
}