Class LogoutTokenValidator

java.lang.Object
  com.nimbusds.openid.connect.sdk.validators.AbstractJWTValidator
    com.nimbusds.openid.connect.sdk.validators.LogoutTokenValidator

All Implemented Interfaces:
com.nimbusds.jwt.proc.ClockSkewAware

@ThreadSafe public class LogoutTokenValidator extends AbstractJWTValidator
Validator of logout tokens issued by an OpenID Provider (OP). Supports processing of logout tokens with the following protection:
- Logout tokens signed (JWS) with the OP's RSA or EC key require the OP public JWK set (provided by value or URL) to verify them.
- Logout tokens authenticated with a JWS HMAC require the client's secret to verify them.
The logout tokens may be explicitly typed with logout+jwt (see the TYPE field).
Related specifications:
- OpenID Connect Back-Channel Logout 1.0, section 2.4 (draft 07).
Field Summary
Fields
- static com.nimbusds.jose.JOSEObjectType TYPE
  The recommended logout token JWT (typ) type.

Fields inherited from class com.nimbusds.openid.connect.sdk.validators.AbstractJWTValidator
DEFAULT_MAX_CLOCK_SKEW
Constructor Summary
Constructors
- LogoutTokenValidator(Issuer expectedIssuer, ClientID clientID, boolean requireTypedToken, com.nimbusds.jose.proc.JWSKeySelector<?> jwsKeySelector, com.nimbusds.jose.proc.JWEKeySelector<?> jweKeySelector)
  Creates a new logout token validator.
- LogoutTokenValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, com.nimbusds.jose.jwk.JWKSet jwkSet)
  Creates a new validator for RSA or EC signed logout tokens where the OpenID Provider's JWK set is specified by value.
- LogoutTokenValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, Secret clientSecret)
  Creates a new validator for HMAC protected logout tokens.
- LogoutTokenValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, URL jwkSetURI)
  Creates a new validator for RSA or EC signed logout tokens where the OpenID Provider's JWK set is specified by URL.
- LogoutTokenValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, URL jwkSetURI, com.nimbusds.jose.util.ResourceRetriever resourceRetriever)
  Creates a new validator for RSA or EC signed logout tokens where the OpenID Provider's JWK set is specified by URL.
- LogoutTokenValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.proc.JWSKeySelector<?> jwsKeySelector, com.nimbusds.jose.proc.JWEKeySelector<?> jweKeySelector)
  Deprecated.
Method Summary
Methods
- static LogoutTokenValidator create(OIDCProviderMetadata opMetadata, OIDCClientInformation clientInfo, com.nimbusds.jose.jwk.source.JWKSource<?> clientJWKSource)
  Creates a new logout token validator for the specified OpenID Provider metadata and OpenID Relying Party registration.
- LogoutTokenClaimsSet validate(com.nimbusds.jwt.JWT logoutToken)
  Validates the specified logout token.

Methods inherited from class com.nimbusds.openid.connect.sdk.validators.AbstractJWTValidator
getClientID, getExpectedIssuer, getExpectedJWTType, getJWEKeySelector, getJWSKeySelector, getMaxClockSkew, setMaxClockSkew
Field Detail

TYPE
public static final com.nimbusds.jose.JOSEObjectType TYPE
The recommended logout token JWT (typ) type.
Constructor Detail

LogoutTokenValidator
public LogoutTokenValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, com.nimbusds.jose.jwk.JWKSet jwkSet)
Creates a new validator for RSA or EC signed logout tokens where the OpenID Provider's JWK set is specified by value. Explicit typing of the logout tokens is not required but will be checked if present.
Parameters:
expectedIssuer - The expected logout token issuer (OpenID Provider). Must not be null.
clientID - The client ID. Must not be null.
expectedJWSAlg - The expected RSA or EC JWS algorithm. Must not be null.
jwkSet - The OpenID Provider JWK set. Must not be null.

LogoutTokenValidator
public LogoutTokenValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, URL jwkSetURI)
Creates a new validator for RSA or EC signed logout tokens where the OpenID Provider's JWK set is specified by URL. Explicit typing of the logout tokens is not required but will be checked if present.
Parameters:
expectedIssuer - The expected logout token issuer (OpenID Provider). Must not be null.
clientID - The client ID. Must not be null.
expectedJWSAlg - The expected RSA or EC JWS algorithm. Must not be null.
jwkSetURI - The OpenID Provider JWK set URL. Must not be null.

LogoutTokenValidator
public LogoutTokenValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, URL jwkSetURI, com.nimbusds.jose.util.ResourceRetriever resourceRetriever)
Creates a new validator for RSA or EC signed logout tokens where the OpenID Provider's JWK set is specified by URL. Permits setting of a specific resource retriever (HTTP client) for the JWK set. Explicit typing of the logout tokens is not required but will be checked if present.
Parameters:
expectedIssuer - The expected logout token issuer (OpenID Provider). Must not be null.
clientID - The client ID. Must not be null.
expectedJWSAlg - The expected RSA or EC JWS algorithm. Must not be null.
jwkSetURI - The OpenID Provider JWK set URL. Must not be null.
resourceRetriever - For retrieving the OpenID Connect Provider JWK set from the specified URL. If null the default retriever will be used, with preset HTTP connect timeout, HTTP read timeout and entity size limit.

LogoutTokenValidator
public LogoutTokenValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, Secret clientSecret)
Creates a new validator for HMAC protected logout tokens. Explicit typing of the logout tokens is not required but will be checked if present.
Parameters:
expectedIssuer - The expected logout token issuer (OpenID Provider). Must not be null.
clientID - The client ID. Must not be null.
expectedJWSAlg - The expected HMAC JWS algorithm. Must not be null.
clientSecret - The client secret. Must not be null.

LogoutTokenValidator
@Deprecated public LogoutTokenValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.proc.JWSKeySelector<?> jwsKeySelector, com.nimbusds.jose.proc.JWEKeySelector<?> jweKeySelector)
Deprecated.
Creates a new logout token validator.
Parameters:
expectedIssuer - The expected logout token issuer (OpenID Provider). Must not be null.
clientID - The client ID. Must not be null.
jwsKeySelector - The key selector for JWS verification, null if unsecured (plain) logout tokens are expected.
jweKeySelector - The key selector for JWE decryption, null if encrypted logout tokens are not expected.

LogoutTokenValidator
public LogoutTokenValidator(Issuer expectedIssuer, ClientID clientID, boolean requireTypedToken, com.nimbusds.jose.proc.JWSKeySelector<?> jwsKeySelector, com.nimbusds.jose.proc.JWEKeySelector<?> jweKeySelector)
Creates a new logout token validator.
Parameters:
expectedIssuer - The expected logout token issuer (OpenID Provider). Must not be null.
clientID - The client ID. Must not be null.
requireTypedToken - true to require logout tokens to be explicitly typed (typ logout+jwt, see TYPE), false to accept untyped tokens.
jwsKeySelector - The key selector for JWS verification, null if unsecured (plain) logout tokens are expected.
jweKeySelector - The key selector for JWE decryption, null if encrypted logout tokens are not expected.

Method Detail

validate
public LogoutTokenClaimsSet validate(com.nimbusds.jwt.JWT logoutToken) throws com.nimbusds.jose.proc.BadJOSEException, com.nimbusds.jose.JOSEException
Validates the specified logout token.
Parameters:
logoutToken - The logout token. Must not be null.
Returns:
The claims set of the verified logout token.
Throws:
com.nimbusds.jose.proc.BadJOSEException - If the logout token is invalid or expired.
com.nimbusds.jose.JOSEException - If an internal JOSE exception was encountered.
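The following is an added example, not code from the Nimbus SDK or this Javadoc, showing the RSA-signed mode from the class description end to end on the Relying Party side: a handler for the back-channel logout request that parses the logout_token form parameter, runs validate(JWT) against a validator built with the OP's JWK set by value, and acts on the returned LogoutTokenClaimsSet. The OP issuer, client ID, signing key, token contents and the terminateSession / terminateAllSessions hooks are all constructed for the example. Two things the validator itself does not do are handled by the caller: rejecting a replayed jti (the validator holds no state between calls) and choosing which sessions to end from sid or sub.

```java
import java.text.ParseException;
import java.util.Collections;
import java.util.Date;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.openid.connect.sdk.claims.LogoutTokenClaimsSet;
import com.nimbusds.openid.connect.sdk.validators.LogoutTokenValidator;

/** Added example: an RP back-channel logout endpoint built on LogoutTokenValidator. */
public class BackChannelLogoutExample {

    // Hypothetical OP issuer and RP client ID, constructed for this example.
    static final Issuer OP_ISSUER = new Issuer("https://op.example.com");
    static final ClientID RP_CLIENT_ID = new ClientID("rp-client-1234");

    // jti values already consumed. The validator keeps no state, so replay
    // detection is the RP's job; a shared store replaces this set on a cluster.
    static final Set<String> seenJtis = ConcurrentHashMap.newKeySet();

    /** Processes the logout_token POSTed to the RP's back-channel logout URI; returns the HTTP status. */
    static int handleLogoutToken(LogoutTokenValidator validator, String logoutToken) {
        LogoutTokenClaimsSet claims;
        try {
            // validate() verifies the JWS against the OP key, then iss, aud, iat,
            // the events claim and sub/sid; any failure surfaces as BadJOSEException.
            claims = validator.validate(JWTParser.parse(logoutToken));
        } catch (ParseException | BadJOSEException | JOSEException e) {
            return 400; // invalid token: reject and leave every session untouched
        }
        // Replay check on jti, which the stateless validator cannot perform.
        if (!seenJtis.add(claims.getJWTID().getValue())) {
            return 400;
        }
        // End one session when sid is present, otherwise every session of sub.
        if (claims.getSessionID() != null) {
            terminateSession(claims.getSessionID().getValue());
        } else {
            terminateAllSessions(claims.getSubject().getValue());
        }
        return 200;
    }

    // Hypothetical session-store hooks; a real RP revokes its server-side sessions here.
    static void terminateSession(String sid) { System.out.println("terminated session " + sid); }
    static void terminateAllSessions(String sub) { System.out.println("terminated all sessions of " + sub); }

    /** Builds a constructed sample logout token signed with the given key, as an OP would. */
    static String sampleLogoutToken(RSAKey signingKey, String jti) throws JOSEException {
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .issuer(OP_ISSUER.getValue())
                .audience(RP_CLIENT_ID.getValue())
                .issueTime(new Date())
                .jwtID(jti)
                .subject("user-42")
                .claim("sid", "session-abc")
                // Mandatory events claim naming the back-channel logout event
                .claim("events", Collections.singletonMap(
                        "http://schemas.openid.net/event/backchannel-logout", Collections.emptyMap()))
                .build();
        SignedJWT jwt = new SignedJWT(
                new JWSHeader.Builder(JWSAlgorithm.RS256)
                        .keyID(signingKey.getKeyID())
                        .type(LogoutTokenValidator.TYPE) // explicit typ: logout+jwt
                        .build(),
                claims);
        jwt.sign(new RSASSASigner(signingKey));
        return jwt.serialize();
    }

    public static void main(String[] args) throws JOSEException {
        // Constructed OP key; in production the public half is fetched from the OP's jwks_uri.
        RSAKey opKey = new RSAKeyGenerator(2048).keyID("op-sig-1").generate();
        LogoutTokenValidator validator = new LogoutTokenValidator(
                OP_ISSUER, RP_CLIENT_ID, JWSAlgorithm.RS256, new JWKSet(opKey.toPublicJWK()));

        String token = sampleLogoutToken(opKey, UUID.randomUUID().toString());
        System.out.println(handleLogoutToken(validator, token)); // first delivery of a valid token
        System.out.println(handleLogoutToken(validator, token)); // same token again: replayed jti

        // Same kid, but signed by a key the RP does not trust: the JWS check fails.
        RSAKey rogueKey = new RSAKeyGenerator(2048).keyID("op-sig-1").generate();
        System.out.println(handleLogoutToken(validator, sampleLogoutToken(rogueKey, UUID.randomUUID().toString())));
    }
}
```

Every failure path returns 400 before any session is touched, so a forged, mistyped or replayed token cannot log anyone out, and the caller cannot tell a bad signature from a malformed token, which is the intended behaviour for an unauthenticated endpoint. If the HMAC constructor (Secret clientSecret) is used instead, keep in mind that the client secret is shared with the OP, so the token only proves it came from a holder of that secret; the RSA/EC constructors bind it to the OP's private key, which the OP never shares.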

create
public static LogoutTokenValidator create(OIDCProviderMetadata opMetadata, OIDCClientInformation clientInfo, com.nimbusds.jose.jwk.source.JWKSource<?> clientJWKSource) throws GeneralException
Creates a new logout token validator for the specified OpenID Provider metadata and OpenID Relying Party registration. Explicit typing of the logout tokens is not required but will be checked if present.
Parameters:
opMetadata - The OpenID Provider metadata. Must not be null.
clientInfo - The OpenID Relying Party registration. Must not be null.
clientJWKSource - The client private JWK source, null if encrypted logout tokens are not expected.
Returns:
The logout token validator.
Throws:
GeneralException - If the supplied OpenID Provider metadata or Relying Party metadata are missing a required parameter or inconsistent.