Package com.nimbusds.jwt.proc

Class DefaultJWTClaimsVerifier<C extends SecurityContext>

  • All Implemented Interfaces:
    ClockSkewAware, JWTClaimsSetVerifier<C>
    @ThreadSafe
public class DefaultJWTClaimsVerifier<C extends SecurityContext>
extends Object
implements JWTClaimsSetVerifier<C>, ClockSkewAware
    A JWT claims verifier implementation.

    Configurable checks:

    1. Specify JWT claims that must be present and which values must match exactly, for example the expected JWT issuer ("iss") and audience ("aud").
    2. Specify JWT claims that must be present, for example expiration ("exp") and not-before ("nbf") times. If the "exp" or "nbf" claims are marked as required they will be automatically checked against the current time.
    3. Specify JWT claims that are prohibited, for example to prevent cross-JWT confusion in situations when explicit JWT typing via the type ("typ") header is not used.

    Performs the following time validity checks:

    1. If an expiration time ("exp") claim is present, makes sure it is ahead of the current time, else the JWT claims set is rejected.
    2. If a not-before-time ("nbf") claim is present, makes sure it is before the current time, else the JWT claims set is rejected.

    Note, to enforce a time validity check the claim ("exp" and / or "nbf" ) must be set as required.

    Example verifier with exact matches for "iss" and "aud", and setting the "exp", "nbf" and "jti" claims as required to be present: 

     DefaultJWTClaimsVerifier<?> verifier = new DefaultJWTClaimsVerifier<>(
        new JWTClaimsSet.Builder()
                .issuer("https://issuer.example.com")
                .audience("https://client.example.com")
                .build(),
        new HashSet<>(Arrays.asList("exp", "nbf", "jti")));

 verifier.verify(jwtClaimsSet, null);

    The currentTime() method can be overridden to use an alternative time provider for the "exp" (expiration time) and "nbf" (not-before time) verification, or to disable "exp" and "nbf" verification entirely.

    This class may be extended to perform additional checks.

    This class is thread-safe.

    Version:
    2021-09-28
    Author:
    Vladimir Dzhuvinov, Eugene Kuleshov

    • Constructor Detail

      • DefaultJWTClaimsVerifier

        @Deprecated
public DefaultJWTClaimsVerifier()
        Deprecated.
        Use a more specific constructor that at least specifies a list of required JWT claims.
        Creates a new JWT claims verifier. No audience ("aud"), required and prohibited claims are specified. The expiration ("exp") and not-before ("nbf") claims will be checked only if they are present and parsed successfully.

      • DefaultJWTClaimsVerifier

        public DefaultJWTClaimsVerifier​(JWTClaimsSet exactMatchClaims,
                                Set<String> requiredClaims)
        Creates a new JWT claims verifier. Allows any audience ("aud") unless an exact match is specified. The expiration ("exp") and not-before ("nbf") claims will be checked only if they are present and parsed successfully; add them to the required claims if they are mandatory.
        Parameters:
        exactMatchClaims - The JWT claims that must match exactly, null if none.
        requiredClaims - The names of the JWT claims that must be present, empty set or null if none.

      • DefaultJWTClaimsVerifier

        public DefaultJWTClaimsVerifier​(String requiredAudience,
                                JWTClaimsSet exactMatchClaims,
                                Set<String> requiredClaims)
        Creates new default JWT claims verifier. The expiration ("exp") and not-before ("nbf") claims will be checked only if they are present and parsed successfully; add them to the required claims if they are mandatory.
        Parameters:
        requiredAudience - The required JWT audience, null if not specified.
        exactMatchClaims - The JWT claims that must match exactly, null if none.
        requiredClaims - The names of the JWT claims that must be present, empty set or null if none.

      • DefaultJWTClaimsVerifier

        public DefaultJWTClaimsVerifier​(Set<String> acceptedAudience,
                                JWTClaimsSet exactMatchClaims,
                                Set<String> requiredClaims,
                                Set<String> prohibitedClaims)
        Creates new default JWT claims verifier. The expiration ("exp") and not-before ("nbf") claims will be checked only if they are present and parsed successfully; add them to the required claims if they are mandatory.
        Parameters:
        acceptedAudience - The accepted JWT audience values, null if not specified. A null value in the set allows JWTs with no audience.
        exactMatchClaims - The JWT claims that must match exactly, null if none.
        requiredClaims - The names of the JWT claims that must be present, empty set or null if none.
        prohibitedClaims - The names of the JWT claims that must not be present, empty set or null if none.

    • Method Detail

      • getAcceptedAudienceValues

        public Set<StringgetAcceptedAudienceValues()
        Returns the accepted audience values.
        Returns:
        The accepted JWT audience values, null if not specified. A null value in the set allows JWTs with no audience.

      • getExactMatchClaims

        public JWTClaimsSet getExactMatchClaims()
        Returns the JWT claims that must match exactly.
        Returns:
        The JWT claims that must match exactly, empty set if none.

      • getRequiredClaims

        public Set<StringgetRequiredClaims()
        Returns the names of the JWT claims that must be present, including the name of those that must match exactly.
        Returns:
        The names of the JWT claims that must be present, empty set if none.

      • getProhibitedClaims

        public Set<StringgetProhibitedClaims()
        Returns the names of the JWT claims that must not be present.
        Returns:
        The names of the JWT claims that must not be present, empty set if none.

      • setMaxClockSkew

        public void setMaxClockSkew​(int maxClockSkewSeconds)
        Description copied from interface: ClockSkewAware
        Sets the maximum acceptable clock skew.
        Specified by:
        setMaxClockSkew in interface ClockSkewAware
        Parameters:
        maxClockSkewSeconds - The maximum acceptable clock skew, in seconds. Zero if none.

      • currentTime

        protected Date currentTime()
        Returns the current time for the purpose of "exp" (expiration time) and "nbf" (not-before time) claim verification. This method can be overridden to inject an alternative time provider (e.g. for testing purposes) or to disable "exp" and "nbf" verification.
        Returns:
        The current time or null to disable "exp" and "nbf" claim verification entirely.