001/* 002 * oauth2-oidc-sdk 003 * 004 * Copyright 2012-2016, Connect2id Ltd and contributors. 005 * 006 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use 007 * this file except in compliance with the License. You may obtain a copy of the 008 * License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software distributed 013 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR 014 * CONDITIONS OF ANY KIND, either express or implied. See the License for the 015 * specific language governing permissions and limitations under the License. 016 */ 017 018package com.nimbusds.oauth2.sdk.auth; 019 020 021import java.util.Date; 022import java.util.List; 023 024import net.minidev.json.JSONObject; 025 026import com.nimbusds.jwt.JWTClaimsSet; 027import com.nimbusds.oauth2.sdk.ParseException; 028import com.nimbusds.oauth2.sdk.assertions.jwt.JWTAssertionDetails; 029import com.nimbusds.oauth2.sdk.id.*; 030import com.nimbusds.oauth2.sdk.util.JSONObjectUtils; 031 032 033/** 034 * JWT client authentication claims set, serialisable to a JSON object and JWT 035 * claims set. 036 * 037 * <p>Used for {@link ClientSecretJWT client secret JWT} and 038 * {@link PrivateKeyJWT private key JWT} authentication at the Token endpoint. 039 * 040 * <p>Example client authentication claims set: 041 * 042 * <pre> 043 * { 044 * "iss" : "http://client.example.com", 045 * "sub" : "http://client.example.com", 046 * "aud" : [ "http://idp.example.com/token" ], 047 * "jti" : "d396036d-c4d9-40d8-8e98-f7e8327002d9", 048 * "exp" : 1311281970, 049 * "iat" : 1311280970 050 * } 051 * </pre> 052 * 053 * <p>Related specifications: 054 * 055 * <ul> 056 * <li>OAuth 2.0 (RFC 6749), section-3.2.1. 057 * <li>JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and 058 * Authorization Grants (RFC 7523). 
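 * </ul>
 *
 * <p>Security note: this class only models and parses the claims. It does
 * not verify the JWT signature, the audience, the expiration time or the
 * uniqueness of the {@code jti}; those checks remain the responsibility of
 * the server-side assertion verifier. What {@link #parse(JSONObject)} does
 * enforce is that {@code iss} and {@code sub} designate the same client.
 */
public class JWTAuthenticationClaimsSet extends JWTAssertionDetails {


	/**
	 * Default lifetime of a generated client authentication JWT, in
	 * milliseconds (five minutes).
	 */
	private static final long DEFAULT_LIFETIME_MS = 5 * 60 * 1000L;


	/**
	 * Creates a new JWT client authentication claims set. The expiration
	 * time (exp) is set to five minutes from the current system time.
	 * Generates a default identifier (jti) for the JWT. The issued-at
	 * (iat) and not-before (nbf) claims are not set.
	 *
	 * @param clientID The client identifier. Used to specify the issuer
	 *                 and the subject. Must not be {@code null}.
	 * @param aud      The audience identifier, typically the URI of the
	 *                 authorisation server's Token endpoint. Must not be
	 *                 {@code null}.
	 *
	 * @throws IllegalArgumentException If the client identifier or the
	 *                                  audience is {@code null}.
	 */
	public JWTAuthenticationClaimsSet(final ClientID clientID,
					  final Audience aud) {

		this(clientID,
		     singleAudienceList(aud),
		     defaultExpirationTime(),
		     null,
		     null,
		     new JWTID());
	}


	/**
	 * Creates a new JWT client authentication claims set.
	 *
	 * @param clientID The client identifier. Used to specify the issuer
	 *                 and the subject. Must not be {@code null}.
	 * @param aud      The audience, typically including the URI of the
	 *                 authorisation server's Token endpoint. Must not be
	 *                 {@code null}.
	 * @param exp      The expiration time. Must not be {@code null}.
	 * @param nbf      The time before which the token must not be
	 *                 accepted for processing, {@code null} if not
	 *                 specified.
	 * @param iat      The time at which the token was issued,
	 *                 {@code null} if not specified.
	 * @param jti      Unique identifier for the JWT, {@code null} if
	 *                 not specified.
	 *
	 * @throws IllegalArgumentException If the client identifier is
	 *                                  {@code null}.
	 */
	public JWTAuthenticationClaimsSet(final ClientID clientID,
					  final List<Audience> aud,
					  final Date exp,
					  final Date nbf,
					  final Date iat,
					  final JWTID jti) {

		// RFC 7523, section 3: for client authentication both "iss" and
		// "sub" carry the client_id, so both are derived from clientID.
		super(new Issuer(clientIDValue(clientID)),
		      new Subject(clientIDValue(clientID)),
		      aud, exp, nbf, iat, jti, null);
	}


	/**
	 * Returns the expiration time used by the two-argument constructor:
	 * the current system time plus {@link #DEFAULT_LIFETIME_MS}.
	 *
	 * @return The default expiration time.
	 */
	private static Date defaultExpirationTime() {

		return new Date(System.currentTimeMillis() + DEFAULT_LIFETIME_MS);
	}


	/**
	 * Returns the string value of the specified client identifier, failing
	 * early with a descriptive exception instead of a bare NPE.
	 *
	 * @param clientID The client identifier. Must not be {@code null}.
	 *
	 * @return The client identifier value.
	 *
	 * @throws IllegalArgumentException If the client identifier is
	 *                                  {@code null}.
	 */
	private static String clientIDValue(final ClientID clientID) {

		if (clientID == null) {
			throw new IllegalArgumentException("The client ID must not be null");
		}

		return clientID.getValue();
	}


	/**
	 * Wraps the specified audience into a single-element audience list.
	 *
	 * @param aud The audience. Must not be {@code null}.
	 *
	 * @return The single-element audience list.
	 *
	 * @throws IllegalArgumentException If the audience is {@code null}.
	 */
	private static List<Audience> singleAudienceList(final Audience aud) {

		if (aud == null) {
			throw new IllegalArgumentException("The audience must not be null");
		}

		return aud.toSingleAudienceList();
	}


	/**
	 * Gets the client identifier. Corresponds to the {@code iss} and
	 * {@code sub} claims, which this class keeps identical.
	 *
	 * @return The client identifier.
	 */
	public ClientID getClientID() {

		return new ClientID(getIssuer());
	}


	/**
	 * Parses a JWT client authentication claims set from the specified
	 * JSON object. In addition to the generic JWT assertion parsing, the
	 * {@code iss} and {@code sub} claims are required to designate the
	 * same client identifier, as mandated by RFC 7523 for client
	 * authentication.
	 *
	 * @param jsonObject The JSON object. Must not be {@code null}.
	 *
	 * @return The client authentication claims set.
	 *
	 * @throws ParseException If the JSON object couldn't be parsed to a
	 *                        client authentication claims set, or if the
	 *                        issuer and subject claims differ.
	 */
	public static JWTAuthenticationClaimsSet parse(final JSONObject jsonObject)
		throws ParseException {

		JWTAssertionDetails assertion = JWTAssertionDetails.parse(jsonObject);

		Issuer iss = assertion.getIssuer();
		Subject sub = assertion.getSubject();

		// Without this check an assertion with iss=A and sub=B would be
		// accepted as an authentication of client A while its subject
		// claim names another client. Both must carry the client_id.
		if (iss == null || sub == null || ! iss.getValue().equals(sub.getValue())) {
			throw new ParseException("Issuer and subject in client JWT assertion must designate the same client identifier");
		}

		return new JWTAuthenticationClaimsSet(
			new ClientID(iss), // iss=sub, verified above
			assertion.getAudience(),
			assertion.getExpirationTime(),
			assertion.getNotBeforeTime(),
			assertion.getIssueTime(),
			assertion.getJWTID());
	}


	/**
	 * Parses a JWT client authentication claims set from the specified JWT
	 * claims set. Delegates to {@link #parse(JSONObject)}, so the same
	 * issuer / subject consistency check applies.
	 *
	 * @param jwtClaimsSet The JWT claims set. Must not be {@code null}.
	 *
	 * @return The client authentication claims set.
	 *
	 * @throws ParseException If the JWT claims set couldn't be parsed to a
	 *                        client authentication claims set.
	 */
	public static JWTAuthenticationClaimsSet parse(final JWTClaimsSet jwtClaimsSet)
		throws ParseException {

		return parse(JSONObjectUtils.toJSONObject(jwtClaimsSet));
	}
}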