001/*
002 * oauth2-oidc-sdk
003 *
004 * Copyright 2012-2016, Connect2id Ltd and contributors.
005 *
006 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
007 * this file except in compliance with the License. You may obtain a copy of the
008 * License at
009 *
010 *    http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software distributed
013 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
014 * CONDITIONS OF ANY KIND, either express or implied. See the License for the
015 * specific language governing permissions and limitations under the License.
016 */
017
018package com.nimbusds.openid.connect.sdk.validators;
019
020
021import com.nimbusds.jose.proc.JWEKeySelector;
022import com.nimbusds.jose.proc.JWSKeySelector;
023import com.nimbusds.jwt.proc.ClockSkewAware;
024import com.nimbusds.oauth2.sdk.id.ClientID;
025import com.nimbusds.oauth2.sdk.id.Issuer;
026
027
028/**
029 * Abstract JSON Web Token (JWT) validator for ID tokens and logout tokens.
030 */
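public abstract class AbstractJWTValidator implements ClockSkewAware {
        
        
        /**
         * The default maximum acceptable clock skew for verifying token
         * timestamps, in seconds.
         */
        public static final int DEFAULT_MAX_CLOCK_SKEW = 60;
        
        
        /**
         * The expected token issuer (the {@code iss} claim the token must
         * carry). Never {@code null}.
         */
        private final Issuer expectedIssuer;
        
        
        /**
         * The requesting client (the expected {@code aud} of the token).
         * Never {@code null}.
         */
        private final ClientID clientID;
        
        
        /**
         * The JWS key selector, {@code null} if unsecured (plain) tokens are
         * expected.
         */
        private final JWSKeySelector jwsKeySelector;
        
        
        /**
         * The JWE key selector, {@code null} if encrypted tokens are not
         * expected.
         */
        private final JWEKeySelector jweKeySelector;
        
        
        /**
         * The maximum acceptable clock skew, in seconds. Never negative;
         * zero disables skew tolerance.
         */
        private int maxClockSkew = DEFAULT_MAX_CLOCK_SKEW;
        
        
        /**
         * Creates a new abstract JWT validator.
         *
         * <p>Only the issuer and client ID are mandatory. Passing a
         * {@code null} JWS key selector configures the validator for
         * unsecured (plain) tokens, so subclasses must make sure that this
         * is a deliberate choice for their deployment.
         *
         * @param expectedIssuer The expected token issuer (OpenID Provider).
         *                       Must not be {@code null}.
         * @param clientID       The client ID. Must not be {@code null}.
         * @param jwsKeySelector The key selector for JWS verification,
         *                       {@code null} if unsecured (plain) tokens are
         *                       expected.
         * @param jweKeySelector The key selector for JWE decryption,
         *                       {@code null} if encrypted tokens are not
         *                       expected.
         *
         * @throws IllegalArgumentException If the expected issuer or the
         *                                  client ID is {@code null}.
         */
        public AbstractJWTValidator(final Issuer expectedIssuer,
                                    final ClientID clientID,
                                    final JWSKeySelector jwsKeySelector,
                                    final JWEKeySelector jweKeySelector) {
                
                if (expectedIssuer == null) {
                        throw new IllegalArgumentException("The expected token issuer must not be null");
                }
                this.expectedIssuer = expectedIssuer;
                
                if (clientID == null) {
                        throw new IllegalArgumentException("The client ID must not be null");
                }
                this.clientID = clientID;
                
                // Optional: either selector may be null, see the Javadoc above
                this.jwsKeySelector = jwsKeySelector;
                this.jweKeySelector = jweKeySelector;
        }
        
        
        /**
         * Returns the expected token issuer.
         *
         * @return The token issuer. Never {@code null}.
         */
        public Issuer getExpectedIssuer() {
                return expectedIssuer;
        }
        
        
        /**
         * Returns the client ID (the expected JWT audience).
         *
         * @return The client ID. Never {@code null}.
         */
        public ClientID getClientID() {
                return clientID;
        }
        
        
        /**
         * Returns the configured JWS key selector for signed token
         * verification.
         *
         * @return The JWS key selector, {@code null} if none (unsecured
         *         tokens expected).
         */
        public JWSKeySelector getJWSKeySelector() {
                return jwsKeySelector;
        }
        
        
        /**
         * Returns the configured JWE key selector for encrypted token
         * decryption.
         *
         * @return The JWE key selector, {@code null} if none (encrypted
         *         tokens not expected).
         */
        public JWEKeySelector getJWEKeySelector() {
                return jweKeySelector;
        }
        
        
        /**
         * Gets the maximum acceptable clock skew for verifying the token
         * timestamps.
         *
         * @return The maximum acceptable clock skew, in seconds. Zero
         *         indicates none.
         */
        @Override
        public int getMaxClockSkew() {
                
                return maxClockSkew;
        }
        
        
        /**
         * Sets the maximum acceptable clock skew for verifying the token
         * timestamps.
         *
         * @param maxClockSkew The maximum acceptable clock skew, in seconds.
         *                     Zero indicates none. Must not be negative.
         *
         * @throws IllegalArgumentException If the clock skew is negative.
         */
        @Override
        public void setMaxClockSkew(final int maxClockSkew) {
                
                // Enforce the documented precondition; a negative skew would
                // otherwise be silently accepted and shift the timestamp
                // checks in the wrong direction
                if (maxClockSkew < 0) {
                        throw new IllegalArgumentException("The max clock skew must not be negative");
                }
                this.maxClockSkew = maxClockSkew;
        }
}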