Package com.nimbusds.jwt.proc

Class DefaultJWTClaimsVerifier<C extends SecurityContext>

java.lang.Object
com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier<C>
All Implemented Interfaces:
ClockSkewAware, JWTClaimsSetVerifier<C>
@ThreadSafe public class DefaultJWTClaimsVerifier<C extends SecurityContext> extends Object implements JWTClaimsSetVerifier<C>, ClockSkewAware
A JWT claims verifier implementation.

Configurable checks:

  1. Specify JWT claims that must be present and which values must match exactly, for example the expected JWT issuer ("iss") and audience ("aud").
  2. Specify JWT claims that must be present, for example expiration ("exp") and not-before ("nbf") times. If the "exp" or "nbf" claims are marked as required they will be automatically checked against the current time.
  3. Specify JWT claims that are prohibited, for example to prevent cross-JWT confusion in situations when explicit JWT typing via the type ("typ") header is not used.

Performs the following time validity checks:

  1. If an expiration time ("exp") claim is present, makes sure it is ahead of the current time, else the JWT claims set is rejected.
  2. If a not-before-time ("nbf") claim is present, makes sure it is before the current time, else the JWT claims set is rejected.

Note, to enforce a time validity check the claim ("exp" and / or "nbf" ) must be set as required.

Example verifier with exact matches for "iss" and "aud", and setting the "exp", "nbf" and "jti" claims as required to be present: 

 DefaultJWTClaimsVerifier<?> verifier = new DefaultJWTClaimsVerifier<>(
        new JWTClaimsSet.Builder()
                .issuer("https://issuer.example.com")
                .audience("https://client.example.com")
                .build(),
        new HashSet<>(Arrays.asList("exp", "nbf", "jti")));

 verifier.verify(jwtClaimsSet, null);

The currentTime() method can be overridden to use an alternative time provider for the "exp" (expiration time) and "nbf" (not-before time) verification, or to disable "exp" and "nbf" verification entirely.

This class may be extended to perform additional checks.

This class is thread-safe.

Version:
2021-09-28
Author:
Vladimir Dzhuvinov, Eugene Kuleshov

  • Field Details

  • Constructor Details

    • DefaultJWTClaimsVerifier

      @Deprecated public DefaultJWTClaimsVerifier()
      Deprecated.
      Use a more specific constructor that at least specifies a list of required JWT claims.
      Creates a new JWT claims verifier. No audience ("aud"), required and prohibited claims are specified. The expiration ("exp") and not-before ("nbf") claims will be checked only if they are present and parsed successfully.

    • DefaultJWTClaimsVerifier

      public DefaultJWTClaimsVerifier(JWTClaimsSet exactMatchClaims, Set<String> requiredClaims)
      Creates a new JWT claims verifier. Allows any audience ("aud") unless an exact match is specified. The expiration ("exp") and not-before ("nbf") claims will be checked only if they are present and parsed successfully; add them to the required claims if they are mandatory.
      Parameters:
      exactMatchClaims - The JWT claims that must match exactly, null if none.
      requiredClaims - The names of the JWT claims that must be present, empty set or null if none.

    • DefaultJWTClaimsVerifier

      public DefaultJWTClaimsVerifier(String requiredAudience, JWTClaimsSet exactMatchClaims, Set<String> requiredClaims)
      Creates new default JWT claims verifier. The expiration ("exp") and not-before ("nbf") claims will be checked only if they are present and parsed successfully; add them to the required claims if they are mandatory.
      Parameters:
      requiredAudience - The required JWT audience, null if not specified.
      exactMatchClaims - The JWT claims that must match exactly, null if none.
      requiredClaims - The names of the JWT claims that must be present, empty set or null if none.

    • DefaultJWTClaimsVerifier

      public DefaultJWTClaimsVerifier(Set<String> acceptedAudience, JWTClaimsSet exactMatchClaims, Set<String> requiredClaims, Set<String> prohibitedClaims)
      Creates new default JWT claims verifier. The expiration ("exp") and not-before ("nbf") claims will be checked only if they are present and parsed successfully; add them to the required claims if they are mandatory.
      Parameters:
      acceptedAudience - The accepted JWT audience values, null if not specified. A null value in the set allows JWTs with no audience.
      exactMatchClaims - The JWT claims that must match exactly, null if none.
      requiredClaims - The names of the JWT claims that must be present, empty set or null if none.
      prohibitedClaims - The names of the JWT claims that must not be present, empty set or null if none.

  • Method Details

    • getAcceptedAudienceValues

      public Set<String> getAcceptedAudienceValues()
      Returns the accepted audience values.
      Returns:
      The accepted JWT audience values, null if not specified. A null value in the set allows JWTs with no audience.

    • getExactMatchClaims

      public JWTClaimsSet getExactMatchClaims()
      Returns the JWT claims that must match exactly.
      Returns:
      The JWT claims that must match exactly, empty set if none.

    • getRequiredClaims

      public Set<String> getRequiredClaims()
      Returns the names of the JWT claims that must be present, including the name of those that must match exactly.
      Returns:
      The names of the JWT claims that must be present, empty set if none.

    • getProhibitedClaims

      public Set<String> getProhibitedClaims()
      Returns the names of the JWT claims that must not be present.
      Returns:
      The names of the JWT claims that must not be present, empty set if none.

    • getMaxClockSkew

      public int getMaxClockSkew()
      Description copied from interface: ClockSkewAware
      Gets the maximum acceptable clock skew.
      Specified by:
      getMaxClockSkew in interface ClockSkewAware
      Returns:
      The maximum acceptable clock skew, in seconds. Zero if none.

    • setMaxClockSkew

      public void setMaxClockSkew(int maxClockSkewSeconds)
      Description copied from interface: ClockSkewAware
      Sets the maximum acceptable clock skew.
      Specified by:
      setMaxClockSkew in interface ClockSkewAware
      Parameters:
      maxClockSkewSeconds - The maximum acceptable clock skew, in seconds. Zero if none.

    • verify

      public void verify(JWTClaimsSet claimsSet, C context) throws BadJWTException
      Description copied from interface: JWTClaimsSetVerifier
      Verifies selected or all claims from the specified JWT claims set.
      Specified by:
      verify in interface JWTClaimsSetVerifier<C extends SecurityContext>
      Parameters:
      claimsSet - The JWT claims set. Not null.
      context - Optional context, null if not required.
      Throws:
      BadJWTException - If the JWT claims set is rejected.

    • currentTime

      protected Date currentTime()
      Returns the current time for the purpose of "exp" (expiration time) and "nbf" (not-before time) claim verification. This method can be overridden to inject an alternative time provider (e.g. for testing purposes) or to disable "exp" and "nbf" verification.
      Returns:
      The current time or null to disable "exp" and "nbf" claim verification entirely.