Class DPoPProtectedResourceRequestVerifier

    • Field Detail


        public static final Set<com.nimbusds.jose.JWSAlgorithm> SUPPORTED_JWS_ALGORITHMS
        The supported JWS algorithms for the DPoP proof JWTs.
    • Constructor Detail

      • DPoPProtectedResourceRequestVerifier

        public DPoPProtectedResourceRequestVerifier​(Set<com.nimbusds.jose.JWSAlgorithm> acceptedJWSAlgs,
                                                    long maxClockSkewSeconds,
                                                    SingleUseChecker<Map.Entry<DPoPIssuer,​JWTID>> singleUseChecker)
        Creates a new DPoP proof JWT verifier for a protected resource.
        acceptedJWSAlgs - The accepted JWS algorithms. Must be supported and not null.
        maxClockSkewSeconds - The max acceptable clock skew for the "iat" (issued-at) claim checks, in seconds. Should be in the order of a few seconds.
        singleUseChecker - The single use checker for the DPoP proof "jti" (JWT ID) claims, null if not specified.
    • Method Detail

      • verify

        public void verify​(String method,
                           URI uri,
                           DPoPIssuer issuer,
                           com.nimbusds.jwt.SignedJWT proof,
                           DPoPAccessToken accessToken,
                           JWKThumbprintConfirmation cnf)
                    throws InvalidDPoPProofException,
        Verifies the specified DPoP proof and its access token and JWK SHA-256 thumbprint bindings.
        method - The HTTP request method (case-insensitive). Must not be null.
        uri - The HTTP URI. Any query or fragment component will be stripped from it before DPoP validation. Must not be null.
        issuer - Unique identifier for the DPoP proof issuer, such as its client ID. Must not be null.
        proof - The DPoP proof JWT, null if not received.
        accessToken - The received and successfully validated DPoP access token. Must not be null.
        cnf - The JWK SHA-256 thumbprint confirmation for the DPoP access token. Must not be null.
        InvalidDPoPProofException - If the DPoP proof is invalid or missing.
        AccessTokenValidationException - If the DPoP access token binding validation failed.
        com.nimbusds.jose.JOSEException - If an internal JOSE exception is encountered.