package com.nimbusds.openid.connect.sdk.validators;


import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.oauth2.sdk.token.AccessToken;
import com.nimbusds.openid.connect.sdk.claims.AccessTokenHash;
import net.jcip.annotations.ThreadSafe;


/**
 * Access token validator, using the {@code at_hash} ID token claim. Required
 * in the implicit flow and the hybrid flow where the access token is returned
 * at the authorisation endpoint.
 *
 * <p>The check binds the received access token to the ID token it was issued
 * with: the hash of the access token is recomputed with the hash function
 * implied by the ID token's JWS algorithm and compared with the
 * {@code at_hash} claim. It presumes the ID token itself has already been
 * authenticated (signature or HMAC verified); on its own the check says
 * nothing about the access token's validity at the resource server.
 *
 * <p>Related specifications:
 *
 * <ul>
 *     <li>OpenID Connect Core 1.0, sections 3.1.3.8, 3.2.2.9 and 3.3.2.9.
 * </ul>
 */
@ThreadSafe
public class AccessTokenValidator {


	/**
	 * Validates the specified access token against the {@code at_hash}
	 * claim of the ID token.
	 *
	 * @param accessToken     The access token. Must not be {@code null}.
	 * @param jwsAlgorithm    The JWS algorithm of the ID token, which
	 *                        selects the hash function used for
	 *                        {@code at_hash}. Must not be {@code null}.
	 * @param accessTokenHash The access token hash, as set in the
	 *                        {@code at_hash} ID token claim. Must not be
	 *                        {@code null}.
	 *
	 * @throws InvalidHashException If the access token doesn't match the
	 *                              hash, or if no hash could be computed
	 *                              for the given JWS algorithm.
	 */
	public static void validate(final AccessToken accessToken,
				    final JWSAlgorithm jwsAlgorithm,
				    final AccessTokenHash accessTokenHash)
		throws InvalidHashException {

		final AccessTokenHash computedHash = AccessTokenHash.compute(accessToken, jwsAlgorithm);

		// A null result from compute() means no hash could be derived for
		// this algorithm (the exact conditions live in AccessTokenHash);
		// it is reported exactly like a mismatch, so an unsupported or
		// misconfigured algorithm can never make the check pass. A null
		// accessTokenHash also ends up as a mismatch, since equals(null)
		// is false under the usual equals contract. The comparison itself
		// is delegated to AccessTokenHash.equals, which is not shown here.
		final boolean hashMatches = computedHash != null && computedHash.equals(accessTokenHash);

		if (! hashMatches) {
			throw InvalidHashException.INVALID_ACCESS_T0KEN_HASH_EXCEPTION;
		}
	}
}