@ThreadSafe public class IDTokenVerifier extends Object
Supports processing of ID tokens with the following protection:
| Constructor and Description |
|---|
| `IDTokenVerifier(Issuer expectedIssuer, ClientID clientID)` Creates a new verifier for unsecured (plain) ID tokens. |
| `IDTokenVerifier(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, com.nimbusds.jose.jwk.JWKSet jwkSet)` Creates a new verifier for RSA or EC signed ID tokens where the OpenID Provider's JWK set is specified by value. |
| `IDTokenVerifier(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, Secret clientSecret)` Creates a new verifier for HMAC protected ID tokens. |
| `IDTokenVerifier(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, URL jwkSetURI)` Creates a new verifier for RSA or EC signed ID tokens where the OpenID Provider's JWK set is specified by URL. |
| `IDTokenVerifier(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.proc.JWSKeySelector jwsKeySelector, com.nimbusds.jose.proc.JWEKeySelector jweKeySelector)` Creates a new ID token verifier. |
| Modifier and Type | Method and Description |
|---|---|
| `static IDTokenVerifier` | `create(OIDCProviderMetadata opMetadata, OIDCClientInformation clientInfo, JWKSource clientJWKSource)` Creates a new ID token verifier for the specified OpenID Provider metadata and OpenID Relying Party registration. |
| `ClientID` | `getClientID()` Returns the client ID (the expected ID token audience). |
| `Issuer` | `getExpectedIssuer()` Returns the expected ID token issuer. |
| `com.nimbusds.jose.proc.JWEKeySelector` | `getJWEKeySelector()` Returns the configured JWE key selector for encrypted ID token decryption. |
| `com.nimbusds.jose.proc.JWSKeySelector` | `getJWSKeySelector()` Returns the configured JWS key selector for signed ID token verification. |
| `IDTokenClaimsSet` | `verify(com.nimbusds.jwt.JWT idToken, Nonce expectedNonce)` Verifies the specified ID token. |
public IDTokenVerifier(Issuer expectedIssuer, ClientID clientID)

Creates a new verifier for unsecured (plain) ID tokens.

Parameters:
- expectedIssuer - The expected ID token issuer (OpenID Provider). Must not be null.
- clientID - The client ID. Must not be null.

public IDTokenVerifier(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, com.nimbusds.jose.jwk.JWKSet jwkSet)

Creates a new verifier for RSA or EC signed ID tokens where the OpenID Provider's JWK set is specified by value.

Parameters:
- expectedIssuer - The expected ID token issuer (OpenID Provider). Must not be null.
- clientID - The client ID. Must not be null.
- expectedJWSAlg - The expected RSA or EC JWS algorithm. Must not be null.
- jwkSet - The OpenID Provider JWK set. Must not be null.

public IDTokenVerifier(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, URL jwkSetURI)

Creates a new verifier for RSA or EC signed ID tokens where the OpenID Provider's JWK set is specified by URL.

Parameters:
- expectedIssuer - The expected ID token issuer (OpenID Provider). Must not be null.
- clientID - The client ID. Must not be null.
- expectedJWSAlg - The expected RSA or EC JWS algorithm. Must not be null.
- jwkSetURI - The OpenID Provider JWK set URL. Must not be null.

public IDTokenVerifier(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, Secret clientSecret)

Creates a new verifier for HMAC protected ID tokens.

Parameters:
- expectedIssuer - The expected ID token issuer (OpenID Provider). Must not be null.
- clientID - The client ID. Must not be null.
- expectedJWSAlg - The expected HMAC JWS algorithm. Must not be null.
- clientSecret - The client secret. Must not be null.

public IDTokenVerifier(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.proc.JWSKeySelector jwsKeySelector, com.nimbusds.jose.proc.JWEKeySelector jweKeySelector)

Creates a new ID token verifier.

Parameters:
- expectedIssuer - The expected ID token issuer (OpenID Provider). Must not be null.
- clientID - The client ID. Must not be null.
- jwsKeySelector - The key selector for JWS verification, null if unsecured (plain) ID tokens are expected.
- jweKeySelector - The key selector for JWE decryption, null if encrypted ID tokens are not expected.

public Issuer getExpectedIssuer()

Returns: The expected ID token issuer.

public ClientID getClientID()

Returns: The client ID (the expected ID token audience).

public com.nimbusds.jose.proc.JWSKeySelector getJWSKeySelector()

Returns: The configured JWS key selector for signed ID token verification, null if none.

public com.nimbusds.jose.proc.JWEKeySelector getJWEKeySelector()

Returns: The configured JWE key selector for encrypted ID token decryption, null if encrypted ID tokens are not expected.

public IDTokenClaimsSet verify(com.nimbusds.jwt.JWT idToken, Nonce expectedNonce) throws com.nimbusds.jose.proc.BadJOSEException, com.nimbusds.jose.JOSEException

Verifies the specified ID token.

Parameters:
- idToken - The ID token. Must not be null.
- expectedNonce - The expected nonce, null if none.

Throws:
- com.nimbusds.jose.proc.BadJOSEException - If the ID token is invalid or expired.
- com.nimbusds.jose.JOSEException - If an internal JOSE exception was encountered.

public static IDTokenVerifier create(OIDCProviderMetadata opMetadata, OIDCClientInformation clientInfo, JWKSource clientJWKSource) throws GeneralException

Creates a new ID token verifier for the specified OpenID Provider metadata and OpenID Relying Party registration.

Parameters:
- opMetadata - The OpenID Provider metadata. Must not be null.
- clientInfo - The OpenID Relying Party registration. Must not be null.
- clientJWKSource - The client private JWK source, null if encrypted ID tokens are not expected.

Throws:
- GeneralException - If the supplied OpenID Provider metadata or Relying Party metadata are missing a required parameter or are inconsistent.

Copyright © 2015 Connect2id Ltd. All Rights Reserved.
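A Relying Party side usage sketch, added here and not part of the Javadoc or the SDK itself: it builds the JWK-set-by-URL verifier with the issuer, client ID and JWS algorithm pinned, then runs `verify` with the nonce the RP issued. The `IDTokenVerifier` package path, the `IDTokenCheck` class and the issuer, client ID and token values are assumptions or constructed placeholders.

```java
import java.net.URL;
import java.text.ParseException;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import com.nimbusds.openid.connect.sdk.validators.IDTokenVerifier; // package path assumed

public class IDTokenCheck {

    // Constructed placeholders; substitute the real OP issuer and the RP's registered client ID.
    private static final Issuer EXPECTED_ISSUER = new Issuer("https://op.example.com");
    private static final ClientID CLIENT_ID = new ClientID("example-rp-client");

    public static IDTokenVerifier buildVerifier(URL opJWKSetURL) {
        // Pin issuer, audience (client ID) and the exact JWS algorithm the OP advertises.
        // Fixing the algorithm up front means a token carrying a different "alg" header
        // is rejected outright instead of being verified against whatever key fits it.
        return new IDTokenVerifier(EXPECTED_ISSUER, CLIENT_ID, JWSAlgorithm.RS256, opJWKSetURL);
    }

    // Returns the verified claims, or null when the token must be treated as untrusted.
    public static IDTokenClaimsSet verifyOrNull(IDTokenVerifier verifier,
                                                String rawIDToken,
                                                Nonce expectedNonce) {
        try {
            JWT idToken = JWTParser.parse(rawIDToken); // parses only; nothing is trusted yet
            // Passing the nonce the RP generated for this login ties the token to that request.
            return verifier.verify(idToken, expectedNonce);
        } catch (ParseException e) {
            return null; // not a well-formed JWT at all
        } catch (BadJOSEException e) {
            return null; // bad signature, wrong issuer/audience, expired, or nonce mismatch
        } catch (JOSEException e) {
            return null; // internal JOSE failure (e.g. key retrieval); fail closed
        }
    }
}
```

Callers should only establish a session from a non-null result, and should log the exception class on the null path so that signature and nonce failures are visible in monitoring.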