001/* 002 * oauth2-oidc-sdk 003 * 004 * Copyright 2012-2021, Connect2id Ltd and contributors. 005 * 006 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use 007 * this file except in compliance with the License. You may obtain a copy of the 008 * License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software distributed 013 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR 014 * CONDITIONS OF ANY KIND, either express or implied. See the License for the 015 * specific language governing permissions and limitations under the License. 016 */ 017 018package com.nimbusds.oauth2.sdk.dpop.verifiers; 019 020 021import java.net.URI; 022import java.util.Map; 023import java.util.Set; 024 025import net.jcip.annotations.ThreadSafe; 026 027import com.nimbusds.jose.JOSEException; 028import com.nimbusds.jose.JWSAlgorithm; 029import com.nimbusds.jwt.SignedJWT; 030import com.nimbusds.oauth2.sdk.dpop.JWKThumbprintConfirmation; 031import com.nimbusds.oauth2.sdk.id.JWTID; 032import com.nimbusds.oauth2.sdk.util.singleuse.SingleUseChecker; 033import com.nimbusds.openid.connect.sdk.Nonce; 034 035 036/** 037 * DPoP proof JWT verifier for the OAuth 2.0 token endpoint of an authorisation 038 * server. 039 */ 040@ThreadSafe 041public class DPoPTokenRequestVerifier extends DPoPCommonVerifier { 042 043 044 /** 045 * The token endpoint URI. 046 */ 047 private final URI endpointURI; 048 049 050 /** 051 * Creates a new DPoP proof JWT verifier for the OAuth 2.0 token 052 * endpoint. 053 * 054 * @param acceptedJWSAlgs The accepted JWS algorithms. Must be 055 * supported and not {@code null}. 056 * @param endpointURI The token endpoint URI. Any query or 057 * fragment component will be stripped from 058 * it before performing the comparison. Must 059 * not be {@code null}. 060 * @param maxClockSkewSeconds The max acceptable clock skew for the 061 * "iat" (issued-at) claim checks, in 062 * seconds. Should be in the order of a few 063 * seconds. 064 * @param singleUseChecker The single use checker for the DPoP proof 065 * "jti" (JWT ID) claims, {@code null} if 066 * not specified. 067 */ 068 public DPoPTokenRequestVerifier(final Set<JWSAlgorithm> acceptedJWSAlgs, 069 final URI endpointURI, 070 final long maxClockSkewSeconds, 071 final SingleUseChecker<Map.Entry<DPoPIssuer, JWTID>> singleUseChecker) { 072 073 super(acceptedJWSAlgs, maxClockSkewSeconds, singleUseChecker); 074 075 if (endpointURI == null) { 076 throw new IllegalArgumentException("The token endpoint URI must not be null"); 077 } 078 this.endpointURI = endpointURI; 079 } 080 081 082 /** 083 * Verifies the specified DPoP proof and returns the DPoP JWK SHA-256 084 * thumbprint confirmation. 085 * 086 * @param issuer Unique identifier for the DPoP proof issuer, typically 087 * as its client ID. Must not be {@code null}. 088 * @param proof The DPoP proof JWT. Must not be {@code null}. 089 * 090 * @return The DPoP JWK SHA-256 thumbprint confirmation. 091 * 092 * @throws InvalidDPoPProofException If the DPoP proof is invalid. 093 * @throws JOSEException If an internal JOSE exception is 094 * encountered. 095 */ 096 @Deprecated 097 public JWKThumbprintConfirmation verify(final DPoPIssuer issuer, final SignedJWT proof) 098 throws InvalidDPoPProofException, JOSEException { 099 100 return verify(issuer, proof, null); 101 } 102 103 104 /** 105 * Verifies the specified DPoP proof and returns the DPoP JWK SHA-256 106 * thumbprint confirmation. 107 * 108 * @param issuer Unique identifier for the DPoP proof issuer, typically 109 * as its client ID. Must not be {@code null}. 110 * @param proof The DPoP proof JWT. Must not be {@code null}. 111 * @param nonce The expected DPoP proof JWT nonce, {@code null} if 112 * none. 113 * 114 * @return The DPoP JWK SHA-256 thumbprint confirmation. 115 * 116 * @throws InvalidDPoPProofException If the DPoP proof is invalid. 117 * @throws JOSEException If an internal JOSE exception is 118 * encountered. 119 */ 120 public JWKThumbprintConfirmation verify(final DPoPIssuer issuer, final SignedJWT proof, final Nonce nonce) 121 throws InvalidDPoPProofException, JOSEException { 122 123 try { 124 super.verify("POST", endpointURI, issuer, proof, null, null, nonce); 125 } catch (AccessTokenValidationException e) { 126 throw new RuntimeException("Unexpected exception", e); 127 } 128 129 return new JWKThumbprintConfirmation(proof.getHeader().getJWK().computeThumbprint()); 130 } 131}