@ThreadSafe public class IDTokenValidator extends Object implements com.nimbusds.jwt.proc.ClockSkewAware
Supports processing of ID tokens with the following protection: unsecured (plain), HMAC protected, RSA or EC signed, and JWE encrypted (see the constructors below).
Convenience static `create` methods build an ID token validator from the OpenID Provider metadata or issuer URL and the registered Relying Party information.
Related specifications:
| Modifier and Type | Field and Description |
|---|---|
| `static int` | `DEFAULT_MAX_CLOCK_SKEW` The default maximum acceptable clock skew for verifying token timestamps, in seconds. |
| Constructor and Description |
|---|
| `IDTokenValidator(Issuer expectedIssuer, ClientID clientID)` Creates a new validator for unsecured (plain) ID tokens. |
| `IDTokenValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, com.nimbusds.jose.jwk.JWKSet jwkSet)` Creates a new validator for RSA or EC signed ID tokens where the OpenID Provider's JWK set is specified by value. |
| `IDTokenValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, Secret clientSecret)` Creates a new validator for HMAC protected ID tokens. |
| `IDTokenValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, URL jwkSetURI)` Creates a new validator for RSA or EC signed ID tokens where the OpenID Provider's JWK set is specified by URL. |
| `IDTokenValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, URL jwkSetURI, com.nimbusds.jose.util.ResourceRetriever resourceRetriever)` Creates a new validator for RSA or EC signed ID tokens where the OpenID Provider's JWK set is specified by URL, retrieved with the given resource retriever. |
| `IDTokenValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.proc.JWSKeySelector jwsKeySelector, com.nimbusds.jose.proc.JWEKeySelector jweKeySelector)` Creates a new ID token validator with explicit JWS and JWE key selectors. |
| Modifier and Type | Method and Description |
|---|---|
| `static IDTokenValidator` | `create(Issuer opIssuer, OIDCClientInformation clientInfo)` Creates a new ID token validator for the specified OpenID Provider, which must publish its metadata at `[issuer-url]/.well-known/openid-configuration`. |
| `static IDTokenValidator` | `create(Issuer opIssuer, OIDCClientInformation clientInfo, com.nimbusds.jose.jwk.source.JWKSource clientJWKSource, int connectTimeout, int readTimeout)` Creates a new ID token validator for the specified OpenID Provider, which must publish its metadata at `[issuer-url]/.well-known/openid-configuration`. |
| `static IDTokenValidator` | `create(OIDCProviderMetadata opMetadata, OIDCClientInformation clientInfo)` Creates a new ID token validator for the specified OpenID Provider metadata and OpenID Relying Party registration. |
| `static IDTokenValidator` | `create(OIDCProviderMetadata opMetadata, OIDCClientInformation clientInfo, com.nimbusds.jose.jwk.source.JWKSource clientJWKSource)` Creates a new ID token validator for the specified OpenID Provider metadata and OpenID Relying Party registration. |
| `protected static com.nimbusds.jose.proc.JWEKeySelector` | `createJWEKeySelector(OIDCProviderMetadata opMetadata, OIDCClientInformation clientInfo, com.nimbusds.jose.jwk.source.JWKSource clientJWKSource)` Creates a key selector for JWE decryption. |
| `protected static com.nimbusds.jose.proc.JWSKeySelector` | `createJWSKeySelector(OIDCProviderMetadata opMetadata, OIDCClientInformation clientInfo)` Creates a key selector for JWS verification. |
| `ClientID` | `getClientID()` Returns the client ID (the expected token audience). |
| `Issuer` | `getExpectedIssuer()` Returns the expected token issuer. |
| `com.nimbusds.jose.proc.JWEKeySelector` | `getJWEKeySelector()` Returns the configured JWE key selector for encrypted token decryption. |
| `com.nimbusds.jose.proc.JWSKeySelector` | `getJWSKeySelector()` Returns the configured JWS key selector for signed token verification. |
| `int` | `getMaxClockSkew()` Gets the maximum acceptable clock skew for verifying the token timestamps. |
| `void` | `setMaxClockSkew(int maxClockSkew)` Sets the maximum acceptable clock skew for verifying the token timestamps. |
| `IDTokenClaimsSet` | `validate(com.nimbusds.jwt.JWT idToken, Nonce expectedNonce)` Validates the specified ID token. |
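Typical Relying Party use of this class, as an added example that is not part of the SDK's own documentation: one validator pinned to the OP's issuer, the RP's client ID, the expected RSA JWS algorithm and the OP's JWK set URL, then `validate` with the nonce the RP stored for the login. The issuer, client ID and JWK set URL are placeholders, and the imports assume the SDK's standard package layout.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.text.ParseException;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;

public final class IDTokenCheck {

    // Placeholder values: use the OP's issuer identifier and the RP's registered client ID.
    private static final Issuer EXPECTED_ISSUER = new Issuer("https://op.example.com");
    private static final ClientID CLIENT_ID = new ClientID("example-client-id");

    /** Build once per OP and share: the class is @ThreadSafe. */
    static IDTokenValidator buildValidator() throws MalformedURLException {
        URL jwkSetURL = new URL("https://op.example.com/jwks.json"); // placeholder
        // Pinning expectedJWSAlg means only tokens signed with this RSA algorithm are accepted;
        // the OP's keys are fetched from the JWK set URL with the default retriever.
        IDTokenValidator v = new IDTokenValidator(EXPECTED_ISSUER, CLIENT_ID, JWSAlgorithm.RS256, jwkSetURL);
        v.setMaxClockSkew(30); // seconds; tighter than the default, must not be negative
        return v;
    }

    /**
     * Returns the verified claims, or null when the token must be rejected.
     * sessionNonce is the value the RP generated for this authentication request.
     */
    static IDTokenClaimsSet verify(IDTokenValidator validator, String rawIdToken, String sessionNonce) {
        try {
            JWT idToken = JWTParser.parse(rawIdToken);
            // validate() verifies the signature via the JWS key selector, checks the issuer, the
            // audience (client ID), the timestamps within the clock skew and the nonce claim.
            return validator.validate(idToken, new Nonce(sessionNonce));
        } catch (BadJOSEException e) {
            // Invalid or expired token: log e.getMessage() for the audit trail, start no session.
            return null;
        } catch (JOSEException e) {
            // Internal JOSE failure (e.g. unusable key material): treat as a rejection as well.
            return null;
        } catch (ParseException e) {
            return null; // not a parseable JWT
        }
    }
}
```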
public static final int DEFAULT_MAX_CLOCK_SKEW

The default maximum acceptable clock skew for verifying token timestamps, in seconds.

public IDTokenValidator(Issuer expectedIssuer, ClientID clientID)

Creates a new validator for unsecured (plain) ID tokens.

Parameters:
- `expectedIssuer` - The expected ID token issuer (OpenID Provider). Must not be `null`.
- `clientID` - The client ID. Must not be `null`.

public IDTokenValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, com.nimbusds.jose.jwk.JWKSet jwkSet)

Creates a new validator for RSA or EC signed ID tokens where the OpenID Provider's JWK set is specified by value.

Parameters:
- `expectedIssuer` - The expected ID token issuer (OpenID Provider). Must not be `null`.
- `clientID` - The client ID. Must not be `null`.
- `expectedJWSAlg` - The expected RSA or EC JWS algorithm. Must not be `null`.
- `jwkSet` - The OpenID Provider JWK set. Must not be `null`.

public IDTokenValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, URL jwkSetURI)

Creates a new validator for RSA or EC signed ID tokens where the OpenID Provider's JWK set is specified by URL.

Parameters:
- `expectedIssuer` - The expected ID token issuer (OpenID Provider). Must not be `null`.
- `clientID` - The client ID. Must not be `null`.
- `expectedJWSAlg` - The expected RSA or EC JWS algorithm. Must not be `null`.
- `jwkSetURI` - The OpenID Provider JWK set URL. Must not be `null`.

public IDTokenValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, URL jwkSetURI, com.nimbusds.jose.util.ResourceRetriever resourceRetriever)

Creates a new validator for RSA or EC signed ID tokens where the OpenID Provider's JWK set is specified by URL.

Parameters:
- `expectedIssuer` - The expected ID token issuer (OpenID Provider). Must not be `null`.
- `clientID` - The client ID. Must not be `null`.
- `expectedJWSAlg` - The expected RSA or EC JWS algorithm. Must not be `null`.
- `jwkSetURI` - The OpenID Provider JWK set URL. Must not be `null`.
- `resourceRetriever` - For retrieving the OpenID Connect Provider JWK set from the specified URL. If `null`, the default retriever will be used, with preset HTTP connect timeout, HTTP read timeout and entity size limit.

public IDTokenValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, Secret clientSecret)

Creates a new validator for HMAC protected ID tokens.

Parameters:
- `expectedIssuer` - The expected ID token issuer (OpenID Provider). Must not be `null`.
- `clientID` - The client ID. Must not be `null`.
- `expectedJWSAlg` - The expected HMAC JWS algorithm. Must not be `null`.
- `clientSecret` - The client secret. Must not be `null`.

public IDTokenValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.proc.JWSKeySelector jwsKeySelector, com.nimbusds.jose.proc.JWEKeySelector jweKeySelector)

Creates a new ID token validator.

Parameters:
- `expectedIssuer` - The expected ID token issuer (OpenID Provider). Must not be `null`.
- `clientID` - The client ID. Must not be `null`.
- `jwsKeySelector` - The key selector for JWS verification, `null` if unsecured (plain) ID tokens are expected.
- `jweKeySelector` - The key selector for JWE decryption, `null` if encrypted ID tokens are not expected.

public IDTokenClaimsSet validate(com.nimbusds.jwt.JWT idToken, Nonce expectedNonce) throws com.nimbusds.jose.proc.BadJOSEException, com.nimbusds.jose.JOSEException

Validates the specified ID token.
Parameters:
- `idToken` - The ID token. Must not be `null`.
- `expectedNonce` - The expected nonce, `null` if none.

Throws:
- `com.nimbusds.jose.proc.BadJOSEException` - If the ID token is invalid or expired.
- `com.nimbusds.jose.JOSEException` - If an internal JOSE exception was encountered.

protected static com.nimbusds.jose.proc.JWSKeySelector createJWSKeySelector(OIDCProviderMetadata opMetadata, OIDCClientInformation clientInfo) throws GeneralException

Creates a key selector for JWS verification.

Parameters:
- `opMetadata` - The OpenID Provider metadata. Must not be `null`.
- `clientInfo` - The Relying Party metadata. Must not be `null`.

Throws:
- `GeneralException` - If the supplied OpenID Provider metadata or Relying Party metadata are missing a required parameter or inconsistent.

protected static com.nimbusds.jose.proc.JWEKeySelector createJWEKeySelector(OIDCProviderMetadata opMetadata, OIDCClientInformation clientInfo, com.nimbusds.jose.jwk.source.JWKSource clientJWKSource) throws GeneralException

Creates a key selector for JWE decryption.

Parameters:
- `opMetadata` - The OpenID Provider metadata. Must not be `null`.
- `clientInfo` - The Relying Party metadata. Must not be `null`.
- `clientJWKSource` - The client private JWK source, `null` if encrypted ID tokens are not expected.

Throws:
- `GeneralException` - If the supplied OpenID Provider metadata or Relying Party metadata are missing a required parameter or inconsistent.

public static IDTokenValidator create(OIDCProviderMetadata opMetadata, OIDCClientInformation clientInfo, com.nimbusds.jose.jwk.source.JWKSource clientJWKSource) throws GeneralException

Creates a new ID token validator for the specified OpenID Provider metadata and OpenID Relying Party registration.

Parameters:
- `opMetadata` - The OpenID Provider metadata. Must not be `null`.
- `clientInfo` - The OpenID Relying Party registration. Must not be `null`.
- `clientJWKSource` - The client private JWK source, `null` if encrypted ID tokens are not expected.

Throws:
- `GeneralException` - If the supplied OpenID Provider metadata or Relying Party metadata are missing a required parameter or inconsistent.

public static IDTokenValidator create(OIDCProviderMetadata opMetadata, OIDCClientInformation clientInfo) throws GeneralException

Creates a new ID token validator for the specified OpenID Provider metadata and OpenID Relying Party registration.

Parameters:
- `opMetadata` - The OpenID Provider metadata. Must not be `null`.
- `clientInfo` - The OpenID Relying Party registration. Must not be `null`.

Throws:
- `GeneralException` - If the supplied OpenID Provider metadata or Relying Party metadata are missing a required parameter or inconsistent.

public static IDTokenValidator create(Issuer opIssuer, OIDCClientInformation clientInfo) throws GeneralException, IOException
Creates a new ID token validator for the specified OpenID Provider, which must publish its metadata at `[issuer-url]/.well-known/openid-configuration`.

Parameters:
- `opIssuer` - The OpenID Provider issuer identifier. Must not be `null`.
- `clientInfo` - The OpenID Relying Party registration. Must not be `null`.

Throws:
- `GeneralException` - If the resolved OpenID Provider metadata is invalid.
- `IOException` - On an HTTP exception.

public static IDTokenValidator create(Issuer opIssuer, OIDCClientInformation clientInfo, com.nimbusds.jose.jwk.source.JWKSource clientJWKSource, int connectTimeout, int readTimeout) throws GeneralException, IOException

Creates a new ID token validator for the specified OpenID Provider, which must publish its metadata at `[issuer-url]/.well-known/openid-configuration`.

Parameters:
- `opIssuer` - The OpenID Provider issuer identifier. Must not be `null`.
- `clientInfo` - The OpenID Relying Party registration. Must not be `null`.
- `clientJWKSource` - The client private JWK source, `null` if encrypted ID tokens are not expected.
- `connectTimeout` - The HTTP connect timeout, in milliseconds. Zero implies no timeout. Must not be negative.
- `readTimeout` - The HTTP response read timeout, in milliseconds. Zero implies no timeout. Must not be negative.

Throws:
- `GeneralException` - If the resolved OpenID Provider metadata is invalid.
- `IOException` - On an HTTP exception.

public Issuer getExpectedIssuer()

Returns the expected token issuer.

public ClientID getClientID()

Returns the client ID (the expected token audience).

public com.nimbusds.jose.proc.JWSKeySelector getJWSKeySelector()

Returns the configured JWS key selector for signed token verification, `null` if none.

public com.nimbusds.jose.proc.JWEKeySelector getJWEKeySelector()

Returns the configured JWE key selector for encrypted token decryption, `null` if none.

public int getMaxClockSkew()

Gets the maximum acceptable clock skew for verifying the token timestamps.

Specified by: `getMaxClockSkew` in interface `com.nimbusds.jwt.proc.ClockSkewAware`

public void setMaxClockSkew(int maxClockSkew)

Sets the maximum acceptable clock skew for verifying the token timestamps.

Specified by: `setMaxClockSkew` in interface `com.nimbusds.jwt.proc.ClockSkewAware`

Parameters:
- `maxClockSkew` - The maximum acceptable clock skew, in seconds. Zero indicates none. Must not be negative.

Copyright © 2017 Connect2id Ltd. All rights reserved.