All Implemented Interfaces: com.nimbusds.jwt.proc.ClockSkewAware

@ThreadSafe public class JARMValidator extends AbstractJWTValidator implements com.nimbusds.jwt.proc.ClockSkewAware

Validator of JWT-secured authorisation responses (JARM). Supports processing of JWT responses with the following protection:

- JWS signature, verified with the Authorisation Server's RSA or EC key (JWK set specified by value or by URL) or with an HMAC derived from the client secret.
- Optional JWE encryption to the client, decrypted with the client's private JWK source.

Convenience static methods for creating a validator from Authorisation Server metadata or issuer URL, and the registered OAuth 2.0 client information, are provided by the create methods below.

Related specifications: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM).

Fields inherited from class AbstractJWTValidator: DEFAULT_MAX_CLOCK_SKEW
Constructor | Description |
---|---|
JARMValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, com.nimbusds.jose.jwk.JWKSet jwkSet) | Creates a new JARM validator for RSA or EC signed authorisation responses where the Authorisation Server's JWK set is specified by value. |
JARMValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, Secret clientSecret) | Creates a new JARM validator for HMAC protected authorisation responses. |
JARMValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, URL jwkSetURI) | Creates a new JARM validator for RSA or EC signed authorisation responses where the Authorisation Server's JWK set is specified by URL. |
JARMValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, URL jwkSetURI, com.nimbusds.jose.util.ResourceRetriever resourceRetriever) | Creates a new JARM validator for RSA or EC signed authorisation responses where the Authorisation Server's JWK set is specified by URL and retrieved with the given resource retriever. |
JARMValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.proc.JWSKeySelector jwsKeySelector, com.nimbusds.jose.proc.JWEKeySelector jweKeySelector) | Creates a new JARM validator with explicit JWS and (optional) JWE key selectors. |
Modifier and Type | Method | Description |
---|---|---|
static JARMValidator | create(AuthorizationServerMetadata asMetadata, ClientInformation clientInfo) | Creates a new JARM validator for the specified Authorisation Server metadata and OAuth 2.0 client registration. |
static JARMValidator | create(AuthorizationServerMetadata asMetadata, ClientInformation clientInfo, com.nimbusds.jose.jwk.source.JWKSource clientJWKSource) | Creates a new JARM validator for the specified Authorisation Server metadata and OAuth 2.0 client registration, with a client JWK source for decrypting encrypted responses. |
static JARMValidator | create(Issuer issuer, ClientInformation clientInfo) | Creates a new JARM validator for the specified Authorisation Server or OpenID Provider, which must publish its metadata at [issuer-url]/.well-known/oauth-authorization-server resp. [issuer-url]/.well-known/openid-configuration. |
static JARMValidator | create(Issuer issuer, ClientInformation clientInfo, com.nimbusds.jose.jwk.source.JWKSource clientJWKSource, int connectTimeout, int readTimeout) | Creates a new JARM validator for the specified Authorisation Server or OpenID Provider, which must publish its metadata at [issuer-url]/.well-known/oauth-authorization-server resp. [issuer-url]/.well-known/openid-configuration, with explicit HTTP timeouts for the metadata retrieval. |
protected static com.nimbusds.jose.proc.JWEKeySelector | createJWEKeySelector(AuthorizationServerMetadata asMetadata, ClientInformation clientInfo, com.nimbusds.jose.jwk.source.JWKSource clientJWKSource) | Creates a key selector for JWE decryption. |
protected static com.nimbusds.jose.proc.JWSKeySelector | createJWSKeySelector(AuthorizationServerMetadata asMetadata, ClientInformation clientInfo) | Creates a key selector for JWS verification. |
com.nimbusds.jwt.JWTClaimsSet | validate(com.nimbusds.jwt.JWT jwtResponse) | Validates the specified JWT-secured authorisation response. |
com.nimbusds.jwt.JWTClaimsSet | validate(String jwtResponseString) | Validates the specified JWT-secured authorisation response. |

Methods inherited from class AbstractJWTValidator: getClientID, getExpectedIssuer, getJWEKeySelector, getJWSKeySelector, getMaxClockSkew, setMaxClockSkew
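An added usage example, not from the Nimbus SDK's own documentation, showing how a client would wire this class into its redirect handler: it pins the expected JWS algorithm, validates the JARM `response` JWT, and then performs the session binding the validator cannot do for it. The issuer URL, client ID and JWK set URL are placeholders, and `handleCallback` is a hypothetical helper.

```java
import java.net.URL;
import java.text.ParseException;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.oauth2.sdk.id.State;
import com.nimbusds.oauth2.sdk.jarm.JARMValidator;

public class JARMCallbackExample {

    // Placeholder values; a real client takes these from its AS and client registration.
    static final Issuer AS_ISSUER = new Issuer("https://as.example.com");
    static final ClientID CLIENT_ID = new ClientID("placeholder-client-id");

    // Build once and share: the class is @ThreadSafe. The expected JWS algorithm
    // is pinned by the client here, never taken from the token's own header.
    static JARMValidator newValidator() throws Exception {
        JARMValidator validator = new JARMValidator(
                AS_ISSUER, CLIENT_ID, JWSAlgorithm.RS256,
                new URL("https://as.example.com/jwks.json"));  // placeholder JWK set URL
        validator.setMaxClockSkew(30);  // seconds; inherited from AbstractJWTValidator
        return validator;
    }

    // Hypothetical redirect-handler helper. The validator verifies the signature,
    // the expected issuer, the audience (client ID) and the expiry; it cannot know
    // which browser session the response belongs to, so "state" is matched here.
    static String handleCallback(JARMValidator validator, String responseJWT, State expectedState)
            throws BadJOSEException, JOSEException, ParseException {
        JWTClaimsSet claims = validator.validate(responseJWT);  // BadJOSEException if invalid or expired
        if (!expectedState.getValue().equals(claims.getStringClaim("state"))) {
            throw new BadJOSEException("JARM response state does not match the session");
        }
        String error = claims.getStringClaim("error");
        if (error != null) {
            throw new IllegalStateException("Authorisation Server returned error: " + error);
        }
        String code = claims.getStringClaim("code");
        if (code == null) {
            throw new BadJOSEException("JARM response carries no authorisation code");
        }
        return code;  // exchange at the token endpoint as usual
    }
}
```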
public JARMValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, com.nimbusds.jose.jwk.JWKSet jwkSet)

Parameters:
- expectedIssuer - The expected issuer (Authorisation Server). Must not be null.
- clientID - The client ID. Must not be null.
- expectedJWSAlg - The expected RSA or EC JWS algorithm. Must not be null.
- jwkSet - The Authorisation Server JWK set. Must not be null.

public JARMValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, URL jwkSetURI)

Parameters:
- expectedIssuer - The expected issuer (Authorisation Server). Must not be null.
- clientID - The client ID. Must not be null.
- expectedJWSAlg - The expected RSA or EC JWS algorithm. Must not be null.
- jwkSetURI - The OpenID Provider JWK set URL. Must not be null.

public JARMValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, URL jwkSetURI, com.nimbusds.jose.util.ResourceRetriever resourceRetriever)

Parameters:
- expectedIssuer - The expected issuer (Authorisation Server). Must not be null.
- clientID - The client ID. Must not be null.
- expectedJWSAlg - The expected RSA or EC JWS algorithm. Must not be null.
- jwkSetURI - The Authorisation Server JWK set URL. Must not be null.
- resourceRetriever - For retrieving the Authorisation Server JWK set from the specified URL. If null the default retriever will be used, with preset HTTP connect timeout, HTTP read timeout and entity size limit.

public JARMValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, Secret clientSecret)

Parameters:
- expectedIssuer - The expected issuer (Authorisation Server). Must not be null.
- clientID - The client ID. Must not be null.
- expectedJWSAlg - The expected HMAC JWS algorithm. Must not be null.
- clientSecret - The client secret. Must not be null.

public JARMValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.proc.JWSKeySelector jwsKeySelector, com.nimbusds.jose.proc.JWEKeySelector jweKeySelector)

Parameters:
- expectedIssuer - The expected issuer (Authorisation Server). Must not be null.
- clientID - The client ID. Must not be null.
- jwsKeySelector - The key selector for JWS verification. Must not be null.
- jweKeySelector - The key selector for JWE decryption, null if encrypted authorisation responses are not expected.

public com.nimbusds.jwt.JWTClaimsSet validate(String jwtResponseString) throws com.nimbusds.jose.proc.BadJOSEException, com.nimbusds.jose.JOSEException

Parameters:
- jwtResponseString - The JWT-secured authorisation response string. Must not be null.

Throws:
- com.nimbusds.jose.proc.BadJOSEException - If the JWT is invalid or expired.
- com.nimbusds.jose.JOSEException - If an internal JOSE exception was encountered.

public com.nimbusds.jwt.JWTClaimsSet validate(com.nimbusds.jwt.JWT jwtResponse) throws com.nimbusds.jose.proc.BadJOSEException, com.nimbusds.jose.JOSEException

Parameters:
- jwtResponse - The JWT-secured authorisation response. Must not be null.

Throws:
- com.nimbusds.jose.proc.BadJOSEException - If the JWT is invalid or expired.
- com.nimbusds.jose.JOSEException - If an internal JOSE exception was encountered.

protected static com.nimbusds.jose.proc.JWSKeySelector createJWSKeySelector(AuthorizationServerMetadata asMetadata, ClientInformation clientInfo) throws GeneralException

Parameters:
- asMetadata - The Authorisation Server metadata. Must not be null.
- clientInfo - The OAuth 2.0 client information. Must not be null.

Throws:
- GeneralException - If the supplied Authorisation Server metadata or OAuth 2.0 client information are missing a required parameter or inconsistent.

protected static com.nimbusds.jose.proc.JWEKeySelector createJWEKeySelector(AuthorizationServerMetadata asMetadata, ClientInformation clientInfo, com.nimbusds.jose.jwk.source.JWKSource clientJWKSource) throws GeneralException

Parameters:
- asMetadata - The Authorisation Server metadata. Must not be null.
- clientInfo - The OAuth 2.0 client information. Must not be null.
- clientJWKSource - The client private JWK source, null if encrypted JWT-secured authorisation responses are not expected.

Throws:
- GeneralException - If the supplied Authorisation Server metadata or OAuth 2.0 client information are missing a required parameter or inconsistent.

public static JARMValidator create(AuthorizationServerMetadata asMetadata, ClientInformation clientInfo, com.nimbusds.jose.jwk.source.JWKSource clientJWKSource) throws GeneralException

Parameters:
- asMetadata - The Authorisation Server metadata. Must not be null.
- clientInfo - The OAuth 2.0 client registration. Must not be null.
- clientJWKSource - The client private JWK source, null if encrypted authorisation responses are not expected.

Throws:
- GeneralException - If the supplied Authorisation Server metadata or OAuth 2.0 client information are missing a required parameter or inconsistent.

public static JARMValidator create(AuthorizationServerMetadata asMetadata, ClientInformation clientInfo) throws GeneralException

Parameters:
- asMetadata - The Authorisation Server metadata. Must not be null.
- clientInfo - The OAuth 2.0 client registration. Must not be null.

Throws:
- GeneralException - If the supplied Authorisation Server metadata or OAuth 2.0 client information are missing a required parameter or inconsistent.

public static JARMValidator create(Issuer issuer, ClientInformation clientInfo) throws GeneralException, IOException

Creates a new JARM validator for the specified Authorisation Server or OpenID Provider, which must publish its metadata at [issuer-url]/.well-known/oauth-authorization-server resp. [issuer-url]/.well-known/openid-configuration.

Parameters:
- issuer - The Authorisation Server / OpenID Provider issuer identifier. Must not be null.
- clientInfo - The OAuth 2.0 client registration. Must not be null.

Throws:
- GeneralException - If the resolved Authorisation Server / OpenID Provider metadata is invalid.
- IOException - On an HTTP exception.

public static JARMValidator create(Issuer issuer, ClientInformation clientInfo, com.nimbusds.jose.jwk.source.JWKSource clientJWKSource, int connectTimeout, int readTimeout) throws GeneralException, IOException

Creates a new JARM validator for the specified Authorisation Server or OpenID Provider, which must publish its metadata at [issuer-url]/.well-known/oauth-authorization-server resp. [issuer-url]/.well-known/openid-configuration.

Parameters:
- issuer - The Authorisation Server / OpenID Provider issuer identifier. Must not be null.
- clientInfo - The OAuth 2.0 client registration. Must not be null.
- clientJWKSource - The client private JWK source, null if encrypted authorisation responses are not expected.
- connectTimeout - The HTTP connect timeout, in milliseconds. Zero implies no timeout. Must not be negative.
- readTimeout - The HTTP response read timeout, in milliseconds. Zero implies no timeout. Must not be negative.

Throws:
- GeneralException - If the resolved Authorisation Server / OpenID Provider metadata is invalid.
- IOException - On an HTTP exception.

Copyright © 2019 Connect2id Ltd. All rights reserved.