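/*
 * oauth2-oidc-sdk
 *
 * Copyright 2012-2016, Connect2id Ltd and contributors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
 * this file except in compliance with the License. You may obtain a copy of the
 * License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software distributed
 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 * CONDITIONS OF ANY KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations under the License.
 */

package com.nimbusds.oauth2.sdk.auth;


import java.util.Date;
import java.util.List;

import net.minidev.json.JSONObject;

import com.nimbusds.jwt.JWTClaimsSet;

import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.assertions.jwt.JWTAssertionDetails;
import com.nimbusds.oauth2.sdk.id.Audience;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.oauth2.sdk.id.JWTID;
import com.nimbusds.oauth2.sdk.id.Subject;


/**
 * JWT client authentication claims set, serialisable to a JSON object and JWT
 * claims set.
 *
 * <p>Used for {@link ClientSecretJWT client secret JWT} and
 * {@link PrivateKeyJWT private key JWT} authentication at the Token endpoint.
 *
 * <p>Security notes:
 *
 * <ul>
 *     <li>The issuer ({@code iss}) and subject ({@code sub}) claims are
 *         both the client identifier, as RFC 7523, section 3 requires for
 *         client authentication. The constructors derive both from the
 *         single {@code clientID} argument, and {@link #parse(JSONObject)}
 *         rejects a claims set whose {@code iss} and {@code sub} differ.
 *     <li>The audience ({@code aud}) should be the URI of the authorisation
 *         server's Token endpoint (over https), so that an assertion minted
 *         for one server cannot be replayed at another.
 *     <li>The expiration time ({@code exp}) should be short and the JWT ID
 *         ({@code jti}) unique, so the server can bound and detect replay
 *         of a captured assertion. The two-argument constructor defaults
 *         to a five-minute lifetime and a freshly generated {@code jti}.
 * </ul>
 *
 * <p>This class only produces and parses the claims. Verifying the JWT
 * signature or MAC, the audience, the expiration time and {@code jti}
 * uniqueness is the job of the receiving authorisation server.
 *
 * <p>Example client authentication claims set:
 *
 * <pre>
 * {
 *   "iss" : "https://client.example.com",
 *   "sub" : "https://client.example.com",
 *   "aud" : [ "https://idp.example.com/token" ],
 *   "jti" : "d396036d-c4d9-40d8-8e98-f7e8327002d9",
 *   "exp" : 1311281970,
 *   "iat" : 1311280970
 * }
 * </pre>
 *
 * <p>Related specifications:
 *
 * <ul>
 *     <li>OAuth 2.0 (RFC 6749), section-3.2.1.
 *     <li>JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and
 *         Authorization Grants (RFC 7523), section 3.
 *     <li>OpenID Connect Core 1.0, section 9 (Client Authentication).
 * </ul>
 */
public class JWTAuthenticationClaimsSet extends JWTAssertionDetails {


	/**
	 * Lifetime of a claims set created by the two-argument constructor,
	 * in milliseconds (five minutes). Kept short to narrow the window in
	 * which a captured assertion can be replayed.
	 */
	private static final long DEFAULT_LIFETIME_MS = 5L * 60L * 1000L;


	/**
	 * Creates a new JWT client authentication claims set. The expiration
	 * time (exp) is set to five minutes from the current system time and
	 * a fresh identifier (jti) is generated for the JWT. The issued-at
	 * (iat) and not-before (nbf) claims are not set.
	 *
	 * @param clientID The client identifier. Used to specify the issuer
	 *                 and the subject. Must not be {@code null}.
	 * @param aud      The audience identifier, typically the URI of the
	 *                 authorisation server's Token endpoint. Must not be
	 *                 {@code null}.
	 *
	 * @throws IllegalArgumentException If the client identifier or the
	 *                                  audience is {@code null}.
	 */
	public JWTAuthenticationClaimsSet(final ClientID clientID,
					  final Audience aud) {

		// NOTE(review): the default JWTID() constructor is relied on to
		// produce an unpredictable, unique value - confirm it is backed
		// by a secure random source
		this(clientID,
		     requireNonNull(aud, "audience").toSingleAudienceList(),
		     new Date(System.currentTimeMillis() + DEFAULT_LIFETIME_MS),
		     null, // nbf not set
		     null, // iat not set
		     new JWTID());
	}


	/**
	 * Creates a new JWT client authentication claims set.
	 *
	 * @param clientID The client identifier. Used to specify the issuer
	 *                 and the subject. Must not be {@code null}.
	 * @param aud      The audience, typically including the URI of the
	 *                 authorisation server's Token endpoint. Must not be
	 *                 {@code null}.
	 * @param exp      The expiration time. Must not be {@code null}.
	 * @param nbf      The time before which the token must not be
	 *                 accepted for processing, {@code null} if not
	 *                 specified.
	 * @param iat      The time at which the token was issued,
	 *                 {@code null} if not specified.
	 * @param jti      Unique identifier for the JWT, {@code null} if
	 *                 not specified.
	 *
	 * @throws IllegalArgumentException If the client identifier is
	 *                                  {@code null}.
	 */
	public JWTAuthenticationClaimsSet(final ClientID clientID,
					  final List<Audience> aud,
					  final Date exp,
					  final Date nbf,
					  final Date iat,
					  final JWTID jti) {

		// iss and sub are both the client_id (RFC 7523, section 3). The
		// trailing null leaves the superclass's final, optional argument
		// unset - NOTE(review): confirm its meaning against
		// JWTAssertionDetails.
		super(new Issuer(requireNonNull(clientID, "client ID").getValue()),
		      new Subject(clientID.getValue()),
		      aud, exp, nbf, iat, jti, null);
	}


	/**
	 * Gets the client identifier. Corresponds to the {@code iss} and
	 * {@code sub} claims, which are always equal for this claims set.
	 *
	 * @return The client identifier.
	 */
	public ClientID getClientID() {

		return new ClientID(getIssuer());
	}


	/**
	 * Parses a JWT client authentication claims set from the specified
	 * JSON object.
	 *
	 * <p>Besides the generic assertion checks, this enforces the RFC 7523,
	 * section 3 rule for client authentication that the {@code iss} and
	 * {@code sub} claims designate the same client identifier. Without
	 * this check a JWT with {@code iss} of client A and {@code sub} of
	 * client B would parse as a claims set for client A, silently
	 * dropping the subject.
	 *
	 * @param jsonObject The JSON object. Must not be {@code null}.
	 *
	 * @return The client authentication claims set.
	 *
	 * @throws ParseException If the JSON object couldn't be parsed to a
	 *                        client authentication claims set, or its
	 *                        {@code iss} and {@code sub} claims differ.
	 */
	public static JWTAuthenticationClaimsSet parse(final JSONObject jsonObject)
		throws ParseException {

		JWTAssertionDetails assertion = JWTAssertionDetails.parse(jsonObject);

		// The constructor below takes only the issuer, so a mismatching
		// subject must be rejected here rather than discarded.
		Object iss = jsonObject.get("iss");
		Object sub = jsonObject.get("sub");

		if (iss == null || ! iss.equals(sub)) {
			throw new ParseException("The iss and sub claims of a client authentication JWT must both equal the client_id");
		}

		return new JWTAuthenticationClaimsSet(
			new ClientID(assertion.getIssuer()), // iss=sub, checked above
			assertion.getAudience(),
			assertion.getExpirationTime(),
			assertion.getNotBeforeTime(),
			assertion.getIssueTime(),
			assertion.getJWTID());
	}


	/**
	 * Parses a JWT client authentication claims set from the specified JWT
	 * claims set. Applies the same {@code iss} / {@code sub} equality
	 * check as {@link #parse(JSONObject)}.
	 *
	 * @param jwtClaimsSet The JWT claims set. Must not be {@code null}.
	 *
	 * @return The client authentication claims set.
	 *
	 * @throws ParseException If the JWT claims set couldn't be parsed to a
	 *                        client authentication claims set.
	 */
	public static JWTAuthenticationClaimsSet parse(final JWTClaimsSet jwtClaimsSet)
		throws ParseException {

		return parse(jwtClaimsSet.toJSONObject());
	}


	/**
	 * Rejects a {@code null} constructor argument with a descriptive
	 * message instead of an anonymous NullPointerException deeper in the
	 * call chain. Static so it can be used in {@code this(...)} /
	 * {@code super(...)} argument lists.
	 *
	 * @param value The value to check.
	 * @param what  Short description of the argument, for the message.
	 *
	 * @return The non-null value.
	 *
	 * @throws IllegalArgumentException If the value is {@code null}.
	 */
	private static <T> T requireNonNull(final T value, final String what) {

		if (value == null) {
			throw new IllegalArgumentException("The " + what + " must not be null");
		}

		return value;
	}
}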