Class LogoutTokenValidator

java.lang.Object
  com.nimbusds.openid.connect.sdk.validators.AbstractJWTValidator
    com.nimbusds.openid.connect.sdk.validators.LogoutTokenValidator

All Implemented Interfaces:
com.nimbusds.jwt.proc.ClockSkewAware

@ThreadSafe public class LogoutTokenValidator extends AbstractJWTValidator
Validator of logout tokens issued by an OpenID Provider (OP). Supports processing of logout tokens with the following protection:
- Logout tokens signed (JWS) with the OP's RSA or EC key; these require the OP public JWK set (provided by value or by URL) to verify them.
- Logout tokens authenticated with a JWS HMAC; these require the client's secret to verify them.
The expected JWS algorithm is fixed when the validator is constructed, so a token whose alg header differs from it (including an unsecured alg=none token) is rejected rather than verified with whatever key the header points at.
Related specifications:
- OpenID Connect Back-Channel Logout 1.0, section 2.4 (draft 04).
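The following Java program is an added example, not code from the SDK or its documentation, showing the two protection modes listed above end to end: it mints an RSA-signed and an HMAC-protected logout token the way an OP would, then validates both with LogoutTokenValidator and confirms that algorithm mismatches and an unsecured token are refused. The issuer URL, client ID, subject and session ID are constructed sample values; the program assumes oauth2-oidc-sdk and nimbus-jose-jwt on the classpath.

```java
import java.util.Collections;
import java.util.Date;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.id.Audience;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.oauth2.sdk.id.JWTID;
import com.nimbusds.oauth2.sdk.id.Subject;
import com.nimbusds.openid.connect.sdk.claims.LogoutTokenClaimsSet;
import com.nimbusds.openid.connect.sdk.claims.SessionID;
import com.nimbusds.openid.connect.sdk.validators.LogoutTokenValidator;

public class LogoutTokenValidatorDemo {

    // Constructed sample OP issuer and RP client ID (assumptions, not from the SDK docs)
    static final Issuer OP = new Issuer("https://op.example.com");
    static final ClientID RP = new ClientID("rp-client-id");

    // Claims a back-channel logout token carries: iss, aud, iat, jti, and sub and/or sid.
    // The claims set adds the required "events" member itself.
    static LogoutTokenClaimsSet sampleClaims() {
        return new LogoutTokenClaimsSet(
            OP,
            new Subject("alice"),                                   // constructed sample subject
            Collections.singletonList(new Audience(RP.getValue())), // aud must contain our client ID
            new Date(),
            new JWTID(),                                            // random jti; RPs use it to spot replays
            new SessionID("sess-42"));                              // constructed sample session ID
    }

    public static void main(String[] args) throws Exception {

        // 1. RSA-signed logout token, verified against the OP JWK set given by value.
        RSAKey opKey = new RSAKeyGenerator(2048).keyID("op-key-1").generate();
        SignedJWT rsToken = new SignedJWT(
            new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(opKey.getKeyID()).build(),
            sampleClaims().toJWTClaimsSet());
        rsToken.sign(new RSASSASigner(opKey));

        // Only the public half reaches the RP; the expected alg is pinned to RS256.
        LogoutTokenValidator rsValidator = new LogoutTokenValidator(
            OP, RP, JWSAlgorithm.RS256, new JWKSet(opKey.toPublicJWK()));
        LogoutTokenClaimsSet verified = rsValidator.validate(rsToken);
        System.out.println("RS256 accepted: sub=" + verified.getSubject()
            + " sid=" + verified.getSessionID());

        // 2. HMAC-protected logout token, verified with the shared client secret.
        Secret clientSecret = new Secret(32); // 32 random bytes, the minimum for HS256
        SignedJWT hsToken = new SignedJWT(
            new JWSHeader(JWSAlgorithm.HS256), sampleClaims().toJWTClaimsSet());
        hsToken.sign(new MACSigner(clientSecret.getValueBytes()));

        LogoutTokenValidator hsValidator = new LogoutTokenValidator(
            OP, RP, JWSAlgorithm.HS256, clientSecret);
        System.out.println("HS256 accepted: jti=" + hsValidator.validate(hsToken).getJWTID());

        // 3. Tokens the validators must refuse: wrong algorithm family, and alg=none.
        expectRejected(rsValidator, hsToken, "HS256 token sent to the RS256 validator");
        expectRejected(hsValidator, rsToken, "RS256 token sent to the HS256 validator");
        expectRejected(rsValidator, new PlainJWT(sampleClaims().toJWTClaimsSet()),
            "unsecured (alg=none) token");
    }

    // validate() throws BadJOSEException for a token that fails verification; anything
    // else escaping here (including JOSEException) is an internal error, not a valid token.
    static void expectRejected(LogoutTokenValidator v, JWT token, String what)
            throws JOSEException {
        try {
            v.validate(token);
            throw new IllegalStateException("validator accepted " + what);
        } catch (BadJOSEException e) {
            System.out.println("rejected " + what + ": " + e.getMessage());
        }
    }
}
```

Two things the validator deliberately leaves to the Relying Party: acting on the returned sub and sid (terminating the matching local sessions), and remembering recent jti values so that a captured logout token cannot be replayed against the back-channel endpoint. Both belong in the endpoint handler that calls validate(), with a BadJOSEException mapped to an HTTP 400 response.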
Field Summary

Fields inherited from class com.nimbusds.openid.connect.sdk.validators.AbstractJWTValidator
DEFAULT_MAX_CLOCK_SKEW
Constructor Summary

Constructors:
- LogoutTokenValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, com.nimbusds.jose.jwk.JWKSet jwkSet)
  Creates a new validator for RSA or EC signed logout tokens where the OpenID Provider's JWK set is specified by value.
- LogoutTokenValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, Secret clientSecret)
  Creates a new validator for HMAC protected logout tokens.
- LogoutTokenValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, URL jwkSetURI)
  Creates a new validator for RSA or EC signed logout tokens where the OpenID Provider's JWK set is specified by URL.
- LogoutTokenValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, URL jwkSetURI, com.nimbusds.jose.util.ResourceRetriever resourceRetriever)
  Creates a new validator for RSA or EC signed logout tokens where the OpenID Provider's JWK set is specified by URL, using the given resource retriever (HTTP client) to fetch it.
- LogoutTokenValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.proc.JWSKeySelector jwsKeySelector, com.nimbusds.jose.proc.JWEKeySelector jweKeySelector)
  Creates a new logout token validator with explicit JWS and JWE key selectors.
Method Summary

All Methods | Static Methods | Instance Methods | Concrete Methods
- static LogoutTokenValidator create(OIDCProviderMetadata opMetadata, OIDCClientInformation clientInfo, com.nimbusds.jose.jwk.source.JWKSource clientJWKSource)
  Creates a new logout token validator for the specified OpenID Provider metadata and OpenID Relying Party registration.
- LogoutTokenClaimsSet validate(com.nimbusds.jwt.JWT logoutToken)
  Validates the specified logout token.

Methods inherited from class com.nimbusds.openid.connect.sdk.validators.AbstractJWTValidator
getClientID, getExpectedIssuer, getJWEKeySelector, getJWSKeySelector, getMaxClockSkew, setMaxClockSkew
Constructor Detail

LogoutTokenValidator
public LogoutTokenValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, com.nimbusds.jose.jwk.JWKSet jwkSet)
Creates a new validator for RSA or EC signed logout tokens where the OpenID Provider's JWK set is specified by value.
Parameters:
- expectedIssuer - The expected logout token issuer (OpenID Provider). Must not be null.
- clientID - The client ID. Must not be null.
- expectedJWSAlg - The expected RSA or EC JWS algorithm. Must not be null.
- jwkSet - The OpenID Provider JWK set. Must not be null.
LogoutTokenValidator
public LogoutTokenValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, URL jwkSetURI)
Creates a new validator for RSA or EC signed logout tokens where the OpenID Provider's JWK set is specified by URL.
Parameters:
- expectedIssuer - The expected logout token issuer (OpenID Provider). Must not be null.
- clientID - The client ID. Must not be null.
- expectedJWSAlg - The expected RSA or EC JWS algorithm. Must not be null.
- jwkSetURI - The OpenID Provider JWK set URL. Must not be null.
LogoutTokenValidator
public LogoutTokenValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, URL jwkSetURI, com.nimbusds.jose.util.ResourceRetriever resourceRetriever)
Creates a new validator for RSA or EC signed logout tokens where the OpenID Provider's JWK set is specified by URL. Permits setting of a specific resource retriever (HTTP client) for the JWK set.
Parameters:
- expectedIssuer - The expected logout token issuer (OpenID Provider). Must not be null.
- clientID - The client ID. Must not be null.
- expectedJWSAlg - The expected RSA or EC JWS algorithm. Must not be null.
- jwkSetURI - The OpenID Provider JWK set URL. Must not be null.
- resourceRetriever - For retrieving the OpenID Connect Provider JWK set from the specified URL. If null, the default retriever will be used, with preset HTTP connect timeout, HTTP read timeout and entity size limit. A custom retriever should keep equivalent limits, since the JWK set URL is fetched from the network on the validator's behalf.
LogoutTokenValidator
public LogoutTokenValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.JWSAlgorithm expectedJWSAlg, Secret clientSecret)
Creates a new validator for HMAC protected logout tokens.
Parameters:
- expectedIssuer - The expected logout token issuer (OpenID Provider). Must not be null.
- clientID - The client ID. Must not be null.
- expectedJWSAlg - The expected HMAC JWS algorithm. Must not be null.
- clientSecret - The client secret. Must not be null.
LogoutTokenValidator
public LogoutTokenValidator(Issuer expectedIssuer, ClientID clientID, com.nimbusds.jose.proc.JWSKeySelector jwsKeySelector, com.nimbusds.jose.proc.JWEKeySelector jweKeySelector)
Creates a new logout token validator with explicit JWS and JWE key selectors.
Parameters:
- expectedIssuer - The expected logout token issuer (OpenID Provider). Must not be null.
- clientID - The client ID. Must not be null.
- jwsKeySelector - The key selector for JWS verification, null if unsecured (plain) logout tokens are expected. Passing null disables signature verification entirely; a Relying Party in production should always supply a selector, since the Back-Channel Logout specification requires logout tokens to be signed.
- jweKeySelector - The key selector for JWE decryption, null if encrypted logout tokens are not expected.
Method Detail

validate
public LogoutTokenClaimsSet validate(com.nimbusds.jwt.JWT logoutToken) throws com.nimbusds.jose.proc.BadJOSEException, com.nimbusds.jose.JOSEException
Validates the specified logout token.
Parameters:
- logoutToken - The logout token. Must not be null.
Returns:
- The claims set of the verified logout token.
Throws:
- com.nimbusds.jose.proc.BadJOSEException - If the logout token is invalid or expired. This is the expected outcome for a forged, mis-addressed, wrongly signed or stale token and should be treated as a rejection of the logout request.
- com.nimbusds.jose.JOSEException - If an internal JOSE exception was encountered. Callers must not treat this as a successful validation either.
create
public static LogoutTokenValidator create(OIDCProviderMetadata opMetadata, OIDCClientInformation clientInfo, com.nimbusds.jose.jwk.source.JWKSource clientJWKSource) throws GeneralException
Creates a new logout token validator for the specified OpenID Provider metadata and OpenID Relying Party registration.
Parameters:
- opMetadata - The OpenID Provider metadata. Must not be null.
- clientInfo - The OpenID Relying Party registration. Must not be null.
- clientJWKSource - The client private JWK source, null if encrypted logout tokens are not expected.
Returns:
- The logout token validator.
Throws:
- GeneralException - If the supplied OpenID Provider metadata or Relying Party metadata are missing a required parameter or are inconsistent.