Package com.nimbusds.jwt.proc
Class DefaultJWTClaimsVerifier<C extends SecurityContext>
- java.lang.Object
-
- com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier<C>
-
- All Implemented Interfaces:
ClockSkewAware
,JWTClaimsSetVerifier<C>
@ThreadSafe public class DefaultJWTClaimsVerifier<C extends SecurityContext> extends Object implements JWTClaimsSetVerifier<C>, ClockSkewAware
AJWT claims verifier
implementation.Configurable checks:
- Specify JWT claims that must be present and which values must match exactly, for example the expected JWT issuer ("iss") and audience ("aud").
- Specify JWT claims that must be present, for example expiration ("exp") and not-before ("nbf") times. If the "exp" or "nbf" claims are marked as required they will be automatically checked against the current time.
- Specify JWT claims that are prohibited, for example to prevent cross-JWT confusion in situations when explicit JWT typing via the type ("typ") header is not used.
Performs the following time validity checks:
- If an expiration time ("exp") claim is present, makes sure it is ahead of the current time, else the JWT claims set is rejected.
- If a not-before-time ("nbf") claim is present, makes sure it is before the current time, else the JWT claims set is rejected.
Note, to enforce a time validity check the claim ("exp" and / or "nbf" ) must be set as required.
Example verifier with exact matches for "iss" and "aud", and setting the "exp", "nbf" and "jti" claims as required to be present:
DefaultJWTClaimsVerifier<?> verifier = new DefaultJWTClaimsVerifier<>( new JWTClaimsSet.Builder() .issuer("https://issuer.example.com") .audience("https://client.example.com") .build(), new HashSet<>(Arrays.asList("exp", "nbf", "jti"))); verifier.verify(jwtClaimsSet, null);
The
currentTime()
method can be overridden to use an alternative time provider for the "exp" (expiration time) and "nbf" (not-before time) verification, or to disable "exp" and "nbf" verification entirely.This class may be extended to perform additional checks.
This class is thread-safe.
- Version:
- 2021-09-28
- Author:
- Vladimir Dzhuvinov, Eugene Kuleshov
-
-
Field Summary
Fields Modifier and Type Field Description static int
DEFAULT_MAX_CLOCK_SKEW_SECONDS
The default maximum acceptable clock skew, in seconds (60).
-
Constructor Summary
Constructors Constructor Description DefaultJWTClaimsVerifier()
Deprecated.Use a more specific constructor that at least specifies a list of required JWT claims.DefaultJWTClaimsVerifier(JWTClaimsSet exactMatchClaims, Set<String> requiredClaims)
Creates a new JWT claims verifier.DefaultJWTClaimsVerifier(String requiredAudience, JWTClaimsSet exactMatchClaims, Set<String> requiredClaims)
Creates new default JWT claims verifier.DefaultJWTClaimsVerifier(Set<String> acceptedAudience, JWTClaimsSet exactMatchClaims, Set<String> requiredClaims, Set<String> prohibitedClaims)
Creates new default JWT claims verifier.
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description protected Date
currentTime()
Returns the current time for the purpose of "exp" (expiration time) and "nbf" (not-before time) claim verification.Set<String>
getAcceptedAudienceValues()
Returns the accepted audience values.JWTClaimsSet
getExactMatchClaims()
Returns the JWT claims that must match exactly.int
getMaxClockSkew()
Gets the maximum acceptable clock skew.Set<String>
getProhibitedClaims()
Returns the names of the JWT claims that must not be present.Set<String>
getRequiredClaims()
Returns the names of the JWT claims that must be present, including the name of those that must match exactly.void
setMaxClockSkew(int maxClockSkewSeconds)
Sets the maximum acceptable clock skew.void
verify(JWTClaimsSet claimsSet, C context)
Verifies selected or all claims from the specified JWT claims set.
-
-
-
Field Detail
-
DEFAULT_MAX_CLOCK_SKEW_SECONDS
public static final int DEFAULT_MAX_CLOCK_SKEW_SECONDS
The default maximum acceptable clock skew, in seconds (60).- See Also:
- Constant Field Values
-
-
Constructor Detail
-
DefaultJWTClaimsVerifier
@Deprecated public DefaultJWTClaimsVerifier()
Deprecated.Use a more specific constructor that at least specifies a list of required JWT claims.Creates a new JWT claims verifier. No audience ("aud"), required and prohibited claims are specified. The expiration ("exp") and not-before ("nbf") claims will be checked only if they are present and parsed successfully.
-
DefaultJWTClaimsVerifier
public DefaultJWTClaimsVerifier(JWTClaimsSet exactMatchClaims, Set<String> requiredClaims)
Creates a new JWT claims verifier. Allows any audience ("aud") unless an exact match is specified. The expiration ("exp") and not-before ("nbf") claims will be checked only if they are present and parsed successfully; add them to the required claims if they are mandatory.- Parameters:
exactMatchClaims
- The JWT claims that must match exactly,null
if none.requiredClaims
- The names of the JWT claims that must be present, empty set ornull
if none.
-
DefaultJWTClaimsVerifier
public DefaultJWTClaimsVerifier(String requiredAudience, JWTClaimsSet exactMatchClaims, Set<String> requiredClaims)
Creates new default JWT claims verifier. The expiration ("exp") and not-before ("nbf") claims will be checked only if they are present and parsed successfully; add them to the required claims if they are mandatory.- Parameters:
requiredAudience
- The required JWT audience,null
if not specified.exactMatchClaims
- The JWT claims that must match exactly,null
if none.requiredClaims
- The names of the JWT claims that must be present, empty set ornull
if none.
-
DefaultJWTClaimsVerifier
public DefaultJWTClaimsVerifier(Set<String> acceptedAudience, JWTClaimsSet exactMatchClaims, Set<String> requiredClaims, Set<String> prohibitedClaims)
Creates new default JWT claims verifier. The expiration ("exp") and not-before ("nbf") claims will be checked only if they are present and parsed successfully; add them to the required claims if they are mandatory.- Parameters:
acceptedAudience
- The accepted JWT audience values,null
if not specified. Anull
value in the set allows JWTs with no audience.exactMatchClaims
- The JWT claims that must match exactly,null
if none.requiredClaims
- The names of the JWT claims that must be present, empty set ornull
if none.prohibitedClaims
- The names of the JWT claims that must not be present, empty set ornull
if none.
-
-
Method Detail
-
getAcceptedAudienceValues
public Set<String> getAcceptedAudienceValues()
Returns the accepted audience values.- Returns:
- The accepted JWT audience values,
null
if not specified. Anull
value in the set allows JWTs with no audience.
-
getExactMatchClaims
public JWTClaimsSet getExactMatchClaims()
Returns the JWT claims that must match exactly.- Returns:
- The JWT claims that must match exactly, empty set if none.
-
getRequiredClaims
public Set<String> getRequiredClaims()
Returns the names of the JWT claims that must be present, including the name of those that must match exactly.- Returns:
- The names of the JWT claims that must be present, empty set if none.
-
getProhibitedClaims
public Set<String> getProhibitedClaims()
Returns the names of the JWT claims that must not be present.- Returns:
- The names of the JWT claims that must not be present, empty set if none.
-
getMaxClockSkew
public int getMaxClockSkew()
Description copied from interface:ClockSkewAware
Gets the maximum acceptable clock skew.- Specified by:
getMaxClockSkew
in interfaceClockSkewAware
- Returns:
- The maximum acceptable clock skew, in seconds. Zero if none.
-
setMaxClockSkew
public void setMaxClockSkew(int maxClockSkewSeconds)
Description copied from interface:ClockSkewAware
Sets the maximum acceptable clock skew.- Specified by:
setMaxClockSkew
in interfaceClockSkewAware
- Parameters:
maxClockSkewSeconds
- The maximum acceptable clock skew, in seconds. Zero if none.
-
verify
public void verify(JWTClaimsSet claimsSet, C context) throws BadJWTException
Description copied from interface:JWTClaimsSetVerifier
Verifies selected or all claims from the specified JWT claims set.- Specified by:
verify
in interfaceJWTClaimsSetVerifier<C extends SecurityContext>
- Parameters:
claimsSet
- The JWT claims set. Notnull
.context
- Optional context,null
if not required.- Throws:
BadJWTException
- If the JWT claims set is rejected.
-
currentTime
protected Date currentTime()
Returns the current time for the purpose of "exp" (expiration time) and "nbf" (not-before time) claim verification. This method can be overridden to inject an alternative time provider (e.g. for testing purposes) or to disable "exp" and "nbf" verification.- Returns:
- The current time or
null
to disable "exp" and "nbf" claim verification entirely.
-
-