Source code

001/*
002 * oauth2-oidc-sdk
003 *
004 * Copyright 2012-2016, Connect2id Ltd and contributors.
005 *
006 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
007 * this file except in compliance with the License. You may obtain a copy of the
008 * License at
009 *
010 *    http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software distributed
013 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
014 * CONDITIONS OF ANY KIND, either express or implied. See the License for the
015 * specific language governing permissions and limitations under the License.
016 */
017
018package com.nimbusds.openid.connect.sdk.validators;
019
020
021import com.nimbusds.jose.JWSAlgorithm;
022import com.nimbusds.oauth2.sdk.token.AccessToken;
023import com.nimbusds.openid.connect.sdk.claims.AccessTokenHash;
024import net.jcip.annotations.ThreadSafe;
025
026
027/**
028 * Access token validator, using the {@code at_hash} ID token claim. Required
029 * in the implicit flow and the hybrid flow where the access token is returned
030 * at the authorisation endpoint.
031 *
032 * <p>Related specifications:
033 *
034 * <ul>
035 *     <li>OpenID Connect Core 1.0, sections 3.1.3.8, 3.2.2.9 and 3.3.2.9.
036 * </ul>
037 */
038@ThreadSafe
039public class AccessTokenValidator {
040        
041
042        /**
043         * Validates the specified access token.
044         *
045         * @param accessToken     The access token. Must not be {@code null}.
046         * @param jwsAlgorithm    The JWS algorithm of the ID token. Must not
047         *                        be {@code null}.
048         * @param accessTokenHash The access token hash, as set in the
049         *                        {@code at_hash} ID token claim. Must not be
050         *                        {@code null},
051         *
052         * @throws InvalidHashException If the access token doesn't match the
053         *                              hash.
054         */
055        public static void validate(final AccessToken accessToken,
056                                    final JWSAlgorithm jwsAlgorithm,
057                                    final AccessTokenHash accessTokenHash)
058                throws InvalidHashException {
059
060                AccessTokenHash expectedHash = AccessTokenHash.compute(accessToken, jwsAlgorithm);
061
062                if (expectedHash == null) {
063                        throw InvalidHashException.INVALID_ACCESS_T0KEN_HASH_EXCEPTION;
064                }
065
066                if (! expectedHash.equals(accessTokenHash)) {
067                        throw InvalidHashException.INVALID_ACCESS_T0KEN_HASH_EXCEPTION;
068                }
069        }
070}