Class LogoutTokenValidator

java.lang.Object
com.nimbusds.openid.connect.sdk.validators.AbstractJWTValidator
com.nimbusds.openid.connect.sdk.validators.LogoutTokenValidator
All Implemented Interfaces:
com.nimbusds.jwt.proc.ClockSkewAware

@ThreadSafe public class LogoutTokenValidator extends AbstractJWTValidator
Validator of logout tokens issued by an OpenID Provider (OP).

Supports processing of logout tokens with the following protection:

  • Logout tokens signed (JWS) with the OP's RSA or EC key; the OP public JWK set (provided by value or by URL) is required to verify them.
  • Logout tokens authenticated with a JWS HMAC; the client's secret is required to verify them.

The logout tokens may be explicitly typed with logout+jwt.

Related specifications:

  • OpenID Connect Back-Channel Logout 1.0, section 2.4.

Field Details

    • TYPE

      public static final com.nimbusds.jose.JOSEObjectType TYPE
      The recommended logout token JWT (typ) type.
Constructor Details

    • LogoutTokenValidator

      public LogoutTokenValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, com.nimbusds.jose.jwk.JWKSet jwkSet)
      Creates a new validator for RSA or EC signed logout tokens where the OpenID Provider's JWK set is specified by value. Explicit typing of the logout tokens is not required but will be checked if present.
      Parameters:
      expectedIssuer - The expected logout token issuer (OpenID Provider). Must not be null.
      clientID - The client ID. Must not be null.
      expectedJWSAlg - The expected RSA or EC JWS algorithm. Must not be null.
      jwkSet - The OpenID Provider JWK set. Must not be null.
    • LogoutTokenValidator

      public LogoutTokenValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, URL jwkSetURI)
      Creates a new validator for RSA or EC signed logout tokens where the OpenID Provider's JWK set is specified by URL. Explicit typing of the logout tokens is not required but will be checked if present.
      Parameters:
      expectedIssuer - The expected logout token issuer (OpenID Provider). Must not be null.
      clientID - The client ID. Must not be null.
      expectedJWSAlg - The expected RSA or EC JWS algorithm. Must not be null.
      jwkSetURI - The OpenID Provider JWK set URL. Must not be null.
    • LogoutTokenValidator

      public LogoutTokenValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, URL jwkSetURI, com.nimbusds.jose.util.ResourceRetriever resourceRetriever)
      Creates a new validator for RSA or EC signed logout tokens where the OpenID Provider's JWK set is specified by URL. Permits setting of a specific resource retriever (HTTP client) for the JWK set. Explicit typing of the logout tokens is not required but will be checked if present.
      Parameters:
      expectedIssuer - The expected logout token issuer (OpenID Provider). Must not be null.
      clientID - The client ID. Must not be null.
      expectedJWSAlg - The expected RSA or EC JWS algorithm. Must not be null.
      jwkSetURI - The OpenID Provider JWK set URL. Must not be null.
      resourceRetriever - For retrieving the OpenID Connect Provider JWK set from the specified URL. If null the default retriever will be used, with preset HTTP connect timeout, HTTP read timeout and entity size limit.
    • LogoutTokenValidator

      public LogoutTokenValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, Secret clientSecret)
      Creates a new validator for HMAC protected logout tokens. Explicit typing of the logout tokens is not required but will be checked if present.
      Parameters:
      expectedIssuer - The expected logout token issuer (OpenID Provider). Must not be null.
      clientID - The client ID. Must not be null.
      expectedJWSAlg - The expected HMAC JWS algorithm. Must not be null.
      clientSecret - The client secret. Must not be null.
    • LogoutTokenValidator

      @Deprecated public LogoutTokenValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.proc.JWSKeySelector<?> jwsKeySelector, com.nimbusds.jose.proc.JWEKeySelector<?> jweKeySelector)
      Deprecated.
      Creates a new logout token validator.
      Parameters:
      expectedIssuer - The expected logout token issuer (OpenID Provider). Must not be null.
      clientID - The client ID. Must not be null.
      jwsKeySelector - The key selector for JWS verification, null if unsecured (plain) logout tokens are expected.
      jweKeySelector - The key selector for JWE decryption, null if encrypted logout tokens are not expected.
    • LogoutTokenValidator

      public LogoutTokenValidator(Issuer expectedIssuer, ClientID clientID, boolean requireTypedToken, com.nimbusds.jose.proc.JWSKeySelector<?> jwsKeySelector, com.nimbusds.jose.proc.JWEKeySelector<?> jweKeySelector)
      Creates a new logout token validator.
      Parameters:
      expectedIssuer - The expected logout token issuer (OpenID Provider). Must not be null.
      clientID - The client ID. Must not be null.
      requireTypedToken - true to require logout tokens to be explicitly typed, false to accept untyped tokens.
      jwsKeySelector - The key selector for JWS verification, null if unsecured (plain) logout tokens are expected.
      jweKeySelector - The key selector for JWE decryption, null if encrypted logout tokens are not expected.
Method Details

    • validate

      public LogoutTokenClaimsSet validate(com.nimbusds.jwt.JWT logoutToken) throws com.nimbusds.jose.proc.BadJOSEException, com.nimbusds.jose.JOSEException
      Validates the specified logout token.
      Parameters:
      logoutToken - The logout token. Must not be null.
      Returns:
      The claims set of the verified logout token.
      Throws:
      com.nimbusds.jose.proc.BadJOSEException - If the logout token is invalid or expired.
      com.nimbusds.jose.JOSEException - If an internal JOSE exception was encountered.
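      The following is an added, self-contained example (not code from the Nimbus SDK or its documentation) showing the HMAC constructor and validate(JWT) end to end. It plays the OP side itself by minting a logout token with the client secret, then validates it as the RP would, and finally shows that a token minted for a different audience is rejected. The issuer, client ID, secret, subject and session ID are constructed demo values; java.util.Map.of requires Java 11 or later.

```java
import java.util.Date;
import java.util.Map;
import java.util.UUID;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.openid.connect.sdk.claims.LogoutTokenClaimsSet;
import com.nimbusds.openid.connect.sdk.validators.LogoutTokenValidator;

public class BackChannelLogoutDemo {

    // Constructed demo values; a real RP takes these from its OP registration.
    static final Issuer OP_ISSUER = new Issuer("https://op.example.com");
    static final ClientID CLIENT_ID = new ClientID("rp-client-123");
    // HS256 needs a secret of at least 256 bits (32 bytes).
    static final Secret CLIENT_SECRET = new Secret("constructed-demo-secret-of-at-least-32-bytes!!");

    /** Stand-in for the OP: mints an HMAC-protected logout token for the given audience. */
    static String mintLogoutToken(String audience, boolean explicitlyTyped) throws JOSEException {
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
            .issuer(OP_ISSUER.getValue())
            .subject("alice")
            .audience(audience)
            .issueTime(new Date())
            .jwtID(UUID.randomUUID().toString())     // jti: lets the RP detect replayed tokens
            .claim("sid", "session-abc")             // OP session being terminated
            // The events claim is what marks this JWT as a back-channel logout token
            .claim("events", Map.of("http://schemas.openid.net/event/backchannel-logout", Map.of()))
            .build();

        JWSHeader.Builder header = new JWSHeader.Builder(JWSAlgorithm.HS256);
        if (explicitlyTyped) {
            header.type(LogoutTokenValidator.TYPE);  // typ: logout+jwt
        }
        SignedJWT jwt = new SignedJWT(header.build(), claims);
        jwt.sign(new MACSigner(CLIENT_SECRET.getValueBytes()));
        return jwt.serialize();
    }

    /** RP side: verify the token and return the claims needed to end the local session. */
    static LogoutTokenClaimsSet verify(String compactJWT) throws Exception {
        // Validator for HMAC-protected logout tokens: checks the MAC with the client
        // secret, the expected issuer and audience, and the required logout claims.
        LogoutTokenValidator validator =
            new LogoutTokenValidator(OP_ISSUER, CLIENT_ID, JWSAlgorithm.HS256, CLIENT_SECRET);
        JWT logoutToken = JWTParser.parse(compactJWT);
        return validator.validate(logoutToken);
    }

    public static void main(String[] args) throws Exception {
        // 1. A well-formed, explicitly typed token for this client is accepted.
        LogoutTokenClaimsSet claims = verify(mintLogoutToken(CLIENT_ID.getValue(), true));
        System.out.println("sub=" + claims.getSubject() + " sid=" + claims.getSessionID());

        // 2. This constructor does not require typing, so an untyped token is accepted too.
        verify(mintLogoutToken(CLIENT_ID.getValue(), false));

        // 3. A token minted for another client fails the audience check; the RP must
        //    not terminate any session on it.
        try {
            verify(mintLogoutToken("some-other-client", true));
            System.out.println("UNEXPECTED: foreign-audience token accepted");
        } catch (BadJOSEException e) {
            System.out.println("Rejected as expected: " + e.getMessage());
        }
    }
}
```

      The same flow applies to the RSA/EC constructors: swap the Secret for a JWKSet (or the JWK set URL) and HS256 for the registered asymmetric algorithm; validate(JWT) then verifies the signature against the OP's public key instead of the shared secret.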
    • create

      public static LogoutTokenValidator create(OIDCProviderMetadata opMetadata, OIDCClientInformation clientInfo, com.nimbusds.jose.jwk.source.JWKSource<?> clientJWKSource) throws GeneralException
      Creates a new logout token validator for the specified OpenID Provider metadata and OpenID Relying Party registration. Explicit typing of the logout tokens is not required but wil be checked if present.
      Parameters:
      opMetadata - The OpenID Provider metadata. Must not be null.
      clientInfo - The OpenID Relying Party registration. Must not be null.
      clientJWKSource - The client private JWK source, null if encrypted logout tokens are not expected.
      Returns:
      The logout token validator.
      Throws:
      GeneralException - If the supplied OpenID Provider metadata or Relying Party metadata are missing a required parameter or inconsistent.
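      The following is an added example (not code from the Nimbus SDK or its documentation) of building the validator from OP and RP metadata with create(...) and using it in a back-channel logout endpoint handler. To stay offline it parses a constructed OP metadata document instead of fetching it from the well-known endpoint; the jwks_uri is only recorded at construction time and resolved when a token is validated. The metadata values, the client ID and the back-channel logout URI are constructed; the assumption that create(...) takes the expected JWS algorithm from the client's id_token_signed_response_alg setting, the setBackChannelLogoutURI setter, and the terminateSessions helper are marked as such in the code.

```java
import java.net.URI;
import java.util.Date;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.oauth2.sdk.GeneralException;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.openid.connect.sdk.claims.LogoutTokenClaimsSet;
import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientInformation;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata;
import com.nimbusds.openid.connect.sdk.validators.LogoutTokenValidator;

public class MetadataDrivenLogoutValidator {

    // Constructed stand-in for the document an RP would normally fetch with
    // OIDCProviderMetadata.resolve(Issuer) from the OP's well-known endpoint.
    static final String OP_METADATA_JSON = "{"
        + "\"issuer\":\"https://op.example.com\","
        + "\"authorization_endpoint\":\"https://op.example.com/authorize\","
        + "\"jwks_uri\":\"https://op.example.com/jwks.json\","
        + "\"subject_types_supported\":[\"public\"],"
        + "\"id_token_signing_alg_values_supported\":[\"RS256\"],"
        + "\"backchannel_logout_supported\":true,"
        + "\"backchannel_logout_session_supported\":true"
        + "}";

    static LogoutTokenValidator buildValidator() throws GeneralException {
        // OIDCProviderMetadata.parse throws com.nimbusds.oauth2.sdk.ParseException,
        // a subclass of GeneralException.
        OIDCProviderMetadata opMetadata = OIDCProviderMetadata.parse(OP_METADATA_JSON);

        // The RP's own registration. Assumption: create(...) uses the registered ID token
        // JWS algorithm as the expected logout token algorithm, so it is set explicitly.
        OIDCClientMetadata rpMetadata = new OIDCClientMetadata();
        rpMetadata.setIDTokenJWSAlg(JWSAlgorithm.RS256);
        // Assumed setter for the backchannel_logout_uri registration parameter.
        rpMetadata.setBackChannelLogoutURI(URI.create("https://rp.example.com/backchannel-logout"));
        OIDCClientInformation clientInfo =
            new OIDCClientInformation(new ClientID("rp-client-123"), new Date(), rpMetadata, null);

        // No client JWK source: encrypted logout tokens are not expected.
        return LogoutTokenValidator.create(opMetadata, clientInfo, null);
    }

    /** Handler body for the RP's back-channel logout endpoint (POST logout_token=...). */
    static void handleBackChannelLogout(LogoutTokenValidator validator, String logoutTokenParam) {
        try {
            LogoutTokenClaimsSet claims = validator.validate(JWTParser.parse(logoutTokenParam));
            // Only a verified token may end sessions: match on sid when present, else on sub.
            terminateSessions(claims);
            // Respond 200 OK here.
        } catch (Exception e) {
            // Parse failure or BadJOSEException/JOSEException: respond 400, log, change nothing.
            System.err.println("logout_token rejected: " + e.getMessage());
        }
    }

    /** Hypothetical session-store hook; a real RP would look up and invalidate sessions here. */
    static void terminateSessions(LogoutTokenClaimsSet claims) {
        System.out.println("would terminate sid=" + claims.getSessionID() + " sub=" + claims.getSubject());
    }

    public static void main(String[] args) throws Exception {
        LogoutTokenValidator validator = buildValidator();
        // A logout_token that is not even a JWT is rejected before any session is touched.
        handleBackChannelLogout(validator, "not-a-jwt");
    }
}
```

      Because the validator is thread-safe, one instance built from the metadata can be shared by all requests to the logout endpoint; rebuilding it per request would refetch the JWK set unnecessarily.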