/*
 * oauth2-oidc-sdk
 *
 * Copyright 2012-2021, Connect2id Ltd and contributors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
 * this file except in compliance with the License. You may obtain a copy of the
 * License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software distributed
 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 * CONDITIONS OF ANY KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations under the License.
 */

package com.nimbusds.oauth2.sdk.dpop.verifiers;


import java.net.URI;
import java.util.Map;
import java.util.Objects;
import java.util.Set;

import net.jcip.annotations.ThreadSafe;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.dpop.JWKThumbprintConfirmation;
import com.nimbusds.oauth2.sdk.id.JWTID;
import com.nimbusds.oauth2.sdk.token.DPoPAccessToken;
import com.nimbusds.oauth2.sdk.util.singleuse.SingleUseChecker;


/**
 * DPoP proof JWT verifier for a protected resource.
 *
 * <p>Intended to be called by a resource server after the DPoP access
 * token itself has been validated (signature, expiry, audience, etc.).
 * The {@code cnf} passed to {@link #verify} must be the JWK thumbprint
 * confirmation taken from that validated token, not from the proof or any
 * other untrusted source; the proof-to-token binding check is only as
 * trustworthy as the token the confirmation came from.
 *
 * <p>Thread-safe: this class holds no mutable state of its own and
 * delegates to the superclass configured at construction time.
 */
@ThreadSafe
public class DPoPProtectedResourceRequestVerifier extends DPoPCommonVerifier {


        /**
         * Creates a new DPoP proof JWT verifier for a protected resource.
         *
         * @param acceptedJWSAlgs     The accepted JWS algorithms. Must be
         *                            supported and not {@code null}.
         *                            Asymmetric algorithms only are
         *                            expected for DPoP; keep the set as
         *                            small as the deployment allows.
         * @param maxClockSkewSeconds The max acceptable clock skew for the
         *                            "iat" (issued-at) claim checks, in
         *                            seconds. Should be in the order of a
         *                            few seconds -- this value is also the
         *                            window inside which an old proof is
         *                            still accepted, so a large skew
         *                            widens the replay window.
         * @param singleUseChecker    The single use checker for the DPoP
         *                            proof "jti" (JWT ID) claims,
         *                            {@code null} if not specified. With
         *                            no checker, "jti" reuse is presumably
         *                            not detected by this verifier, so
         *                            replay protection then rests on the
         *                            clock skew window alone.
         */
        public DPoPProtectedResourceRequestVerifier(final Set<JWSAlgorithm> acceptedJWSAlgs,
                                                    final long maxClockSkewSeconds,
                                                    final SingleUseChecker<Map.Entry<DPoPIssuer, JWTID>> singleUseChecker) {

                // All verification policy lives in the common verifier.
                super(acceptedJWSAlgs, maxClockSkewSeconds, singleUseChecker);
        }


        /**
         * Verifies the specified DPoP proof and its access token and JWK
         * SHA-256 thumbprint bindings.
         *
         * <p>Argument checks run in this order: proof presence, then
         * access token, then confirmation; the remaining arguments are
         * handed to the superclass as-is.
         *
         * @param method      The HTTP request method (case-insensitive).
         *                    Must not be {@code null}.
         * @param uri         The HTTP URI. Any query or fragment component
         *                    will be stripped from it before DPoP
         *                    validation. Must not be {@code null}.
         * @param issuer      Unique identifier for the DPoP proof issuer,
         *                    such as its client ID. Must not be
         *                    {@code null}.
         * @param proof       The DPoP proof JWT, {@code null} if not
         *                    received.
         * @param accessToken The received and successfully validated DPoP
         *                    access token. Must not be {@code null}.
         * @param cnf         The JWK SHA-256 thumbprint confirmation for
         *                    the DPoP access token, as carried by the
         *                    validated token. Must not be {@code null}.
         *
         * @throws InvalidDPoPProofException      If the DPoP proof is
         *                                        invalid or missing.
         * @throws AccessTokenValidationException If the DPoP access token
         *                                        binding validation
         *                                        failed.
         * @throws JOSEException                  If an internal JOSE
         *                                        exception is encountered.
         */
        public void verify(final String method,
                           final URI uri,
                           final DPoPIssuer issuer,
                           final SignedJWT proof,
                           final DPoPAccessToken accessToken,
                           final JWKThumbprintConfirmation cnf)
                throws
                InvalidDPoPProofException,
                AccessTokenValidationException,
                JOSEException {

                requireProofPresent(proof);

                // Java evaluates arguments left to right, so the access
                // token is null-checked before the confirmation.
                super.verify(method,
                             uri,
                             issuer,
                             proof,
                             Objects.requireNonNull(accessToken, "The access token must not be null"),
                             Objects.requireNonNull(cnf, "The DPoP JWK thumbprint confirmation must not be null"));
        }


        /**
         * Rejects a request that arrived without a DPoP proof. A missing
         * proof is reported as an invalid proof rather than as a
         * programming error, since it is a client-side omission.
         *
         * @param proof The DPoP proof JWT, {@code null} if not received.
         *
         * @throws InvalidDPoPProofException If the proof is {@code null}.
         */
        private static void requireProofPresent(final SignedJWT proof)
                throws InvalidDPoPProofException {

                if (proof == null) {
                        throw new InvalidDPoPProofException("Missing required DPoP proof");
                }
        }
}