Class DPoPProtectedResourceRequestVerifier

    • Field Detail

      • SUPPORTED_JWS_ALGORITHMS

        public static final Set<com.nimbusds.jose.JWSAlgorithm> SUPPORTED_JWS_ALGORITHMS
        The supported JWS algorithms for the DPoP proof JWTs.
    • Constructor Detail

      • DPoPProtectedResourceRequestVerifier

        public DPoPProtectedResourceRequestVerifier(Set<com.nimbusds.jose.JWSAlgorithm> acceptedJWSAlgs,
                                                    long maxClockSkewSeconds,
                                                    SingleUseChecker<Map.Entry<DPoPIssuer,JWTID>> singleUseChecker)
        Creates a new DPoP proof JWT verifier for a protected resource.
        Parameters:
        acceptedJWSAlgs - The accepted JWS algorithms. Must be supported and not null.
        maxClockSkewSeconds - The maximum acceptable clock skew for the "iat" (issued-at) claim checks, in seconds. Should be on the order of a few seconds.
        singleUseChecker - The single use checker for the DPoP proof "jti" (JWT ID) claims, null if not specified.
    • Method Detail

      • verify

        public void verify(String method,
                           URI uri,
                           DPoPIssuer issuer,
                           com.nimbusds.jwt.SignedJWT proof,
                           DPoPAccessToken accessToken,
                           JWKThumbprintConfirmation cnf)
                    throws InvalidDPoPProofException,
                           AccessTokenValidationException,
                           com.nimbusds.jose.JOSEException
        Verifies the specified DPoP proof and its access token and JWK SHA-256 thumbprint bindings.
        Parameters:
        method - The HTTP request method (case-insensitive). Must not be null.
        uri - The HTTP URI. Any query or fragment component will be stripped from it before DPoP validation. Must not be null.
        issuer - Unique identifier for the DPoP proof issuer, such as its client ID. Must not be null.
        proof - The DPoP proof JWT, null if not received.
        accessToken - The received and successfully validated DPoP access token. Must not be null.
        cnf - The JWK SHA-256 thumbprint confirmation for the DPoP access token. Must not be null.
        Throws:
        InvalidDPoPProofException - If the DPoP proof is invalid or missing.
        AccessTokenValidationException - If the DPoP access token binding validation failed.
        com.nimbusds.jose.JOSEException - If an internal JOSE exception is encountered.
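
The following is an added example, not part of the SDK's own documentation: a resource-server helper that constructs the verifier with a "jti" replay cache and maps each exception thrown by verify to an HTTP status. The names DPoPGate, InMemoryJtiChecker and check, and the status mapping, are hypothetical; the SDK package names in the imports are not shown on this page and may need adjusting to the SDK version in use.

```java
import java.net.URI;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.dpop.JWKThumbprintConfirmation;
import com.nimbusds.oauth2.sdk.dpop.verifiers.*;
import com.nimbusds.oauth2.sdk.id.JWTID;
import com.nimbusds.oauth2.sdk.token.DPoPAccessToken;
import com.nimbusds.oauth2.sdk.util.singleuse.AlreadyUsedException;
import com.nimbusds.oauth2.sdk.util.singleuse.SingleUseChecker;

/** Hypothetical resource-server helper (added example, not SDK code). */
public class DPoPGate {

    // Constructed in-memory replay cache keyed on (issuer, jti). It never evicts:
    // a production checker needs expiry and must be shared across server nodes.
    static class InMemoryJtiChecker implements SingleUseChecker<Map.Entry<DPoPIssuer, JWTID>> {
        private final Set<Map.Entry<DPoPIssuer, JWTID>> seen = ConcurrentHashMap.newKeySet();
        @Override
        public void markAsUsed(Map.Entry<DPoPIssuer, JWTID> key) throws AlreadyUsedException {
            if (!seen.add(key)) throw new AlreadyUsedException("DPoP proof jti already used");
        }
    }

    private final DPoPProtectedResourceRequestVerifier verifier =
        new DPoPProtectedResourceRequestVerifier(
            Collections.singleton(JWSAlgorithm.ES256), // narrow allow-list of accepted algorithms
            5L,                                        // "iat" clock skew: a few seconds
            new InMemoryJtiChecker());                 // null here means no "jti" single-use check

    /** Returns the status to send: 200 to proceed, 401 to reject, 500 on internal error. */
    public int check(String method, URI uri, String clientId, SignedJWT proof,
                     DPoPAccessToken token, JWKThumbprintConfirmation cnf) {
        try {
            verifier.verify(method, uri, new DPoPIssuer(clientId), proof, token, cnf);
            return 200;
        } catch (InvalidDPoPProofException e) {
            return 401; // proof missing (null) or invalid
        } catch (AccessTokenValidationException e) {
            return 401; // access token binding validation failed
        } catch (JOSEException e) {
            return 500; // internal JOSE failure, not a client error
        }
    }
}
```

The token and cnf arguments must come from an access token that has already been validated, as the accessToken parameter description requires.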