/*
 * oauth2-oidc-sdk
 *
 * Copyright 2012-2021, Connect2id Ltd and contributors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
 * this file except in compliance with the License. You may obtain a copy of the
 * License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software distributed
 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 * CONDITIONS OF ANY KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations under the License.
 */

package com.nimbusds.oauth2.sdk.dpop.verifiers;


import java.net.URI;
import java.util.Map;
import java.util.Objects;
import java.util.Set;

import net.jcip.annotations.ThreadSafe;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.dpop.JWKThumbprintConfirmation;
import com.nimbusds.oauth2.sdk.id.JWTID;
import com.nimbusds.oauth2.sdk.token.DPoPAccessToken;
import com.nimbusds.oauth2.sdk.util.singleuse.SingleUseChecker;
import com.nimbusds.openid.connect.sdk.Nonce;


/**
 * DPoP proof JWT verifier for a protected resource.
 *
 * <p>Compared with the common verifier it builds on, this verifier refuses
 * a request without a DPoP proof outright and insists on a non-null access
 * token and JWK thumbprint confirmation before the binding checks run; the
 * remaining proof verification is delegated to {@link DPoPCommonVerifier}.
 */
@ThreadSafe
public class DPoPProtectedResourceRequestVerifier extends DPoPCommonVerifier {


	/**
	 * Creates a new DPoP proof JWT verifier for a protected resource.
	 *
	 * @param acceptedJWSAlgs     The accepted JWS algorithms. Must be
	 *                            supported and not {@code null}.
	 * @param maxClockSkewSeconds The max acceptable clock skew for the
	 *                            "iat" (issued-at) claim checks, in
	 *                            seconds. Should be in the order of a few
	 *                            seconds.
	 * @param singleUseChecker    The single use checker for the DPoP proof
	 *                            "jti" (JWT ID) claims, {@code null} if
	 *                            not specified. Without a checker a proof
	 *                            JWT ID is not tracked for reuse by this
	 *                            verifier.
	 */
	public DPoPProtectedResourceRequestVerifier(final Set<JWSAlgorithm> acceptedJWSAlgs,
						    final long maxClockSkewSeconds,
						    final SingleUseChecker<Map.Entry<DPoPIssuer, JWTID>> singleUseChecker) {

		super(acceptedJWSAlgs, maxClockSkewSeconds, singleUseChecker);
	}


	/**
	 * Verifies the specified DPoP proof and its access token and JWK
	 * SHA-256 thumbprint bindings, optionally enforcing an expected DPoP
	 * nonce.
	 *
	 * @param method      The HTTP request method (case-insensitive). Must
	 *                    not be {@code null}.
	 * @param uri         The HTTP URI. Any query or fragment component
	 *                    will be stripped from it before DPoP validation.
	 *                    Must not be {@code null}.
	 * @param issuer      Unique identifier for the DPoP proof issuer, such
	 *                    as its client ID. Must not be {@code null}.
	 * @param proof       The DPoP proof JWT, {@code null} if not received.
	 * @param accessToken The received and successfully validated DPoP
	 *                    access token. Must not be {@code null}.
	 * @param cnf         The JWK SHA-256 thumbprint confirmation for the
	 *                    DPoP access token. Must not be {@code null}.
	 * @param nonce       The expected DPoP proof JWT nonce, {@code null}
	 *                    if none, in which case no nonce is enforced.
	 *
	 * @throws InvalidDPoPProofException      If the DPoP proof is invalid
	 *                                        or missing.
	 * @throws AccessTokenValidationException If the DPoP access token
	 *                                        binding validation failed.
	 * @throws JOSEException                  If an internal JOSE exception
	 *                                        is encountered.
	 */
	public void verify(final String method,
			   final URI uri,
			   final DPoPIssuer issuer,
			   final SignedJWT proof,
			   final DPoPAccessToken accessToken,
			   final JWKThumbprintConfirmation cnf,
			   final Nonce nonce)
		throws
		InvalidDPoPProofException,
		AccessTokenValidationException,
		JOSEException {

		// A request that arrives without a proof is a validation failure
		// of that request, not a caller programming error, so it is
		// reported as an invalid proof rather than a NullPointerException.
		if (proof == null) {
			throw new InvalidDPoPProofException("Missing required DPoP proof");
		}

		// The token and its confirmation are inputs the caller is
		// expected to have in hand; their absence is a programming error.
		final DPoPAccessToken token =
			Objects.requireNonNull(accessToken, "The access token must not be null");
		final JWKThumbprintConfirmation confirmation =
			Objects.requireNonNull(cnf, "The DPoP JWK thumbprint confirmation must not be null");

		// NOTE(review): null handling of method, uri and issuer is left to
		// the superclass - confirm it rejects them rather than deferring.
		super.verify(method, uri, issuer, proof, token, confirmation, nonce);
	}


	/**
	 * Verifies the specified DPoP proof and its access token and JWK
	 * SHA-256 thumbprint bindings, without a DPoP nonce check.
	 *
	 * @param method      The HTTP request method (case-insensitive). Must
	 *                    not be {@code null}.
	 * @param uri         The HTTP URI. Any query or fragment component
	 *                    will be stripped from it before DPoP validation.
	 *                    Must not be {@code null}.
	 * @param issuer      Unique identifier for the DPoP proof issuer, such
	 *                    as its client ID. Must not be {@code null}.
	 * @param proof       The DPoP proof JWT, {@code null} if not received.
	 * @param accessToken The received and successfully validated DPoP
	 *                    access token. Must not be {@code null}.
	 * @param cnf         The JWK SHA-256 thumbprint confirmation for the
	 *                    DPoP access token. Must not be {@code null}.
	 *
	 * @throws InvalidDPoPProofException      If the DPoP proof is invalid
	 *                                        or missing.
	 * @throws AccessTokenValidationException If the DPoP access token
	 *                                        binding validation failed.
	 * @throws JOSEException                  If an internal JOSE exception
	 *                                        is encountered.
	 *
	 * @deprecated Use
	 * {@link #verify(String, URI, DPoPIssuer, SignedJWT, DPoPAccessToken, JWKThumbprintConfirmation, Nonce)}
	 * instead; this overload passes a {@code null} nonce, so no DPoP nonce
	 * is enforced.
	 */
	@Deprecated
	public void verify(final String method,
			   final URI uri,
			   final DPoPIssuer issuer,
			   final SignedJWT proof,
			   final DPoPAccessToken accessToken,
			   final JWKThumbprintConfirmation cnf)
		throws
		InvalidDPoPProofException,
		AccessTokenValidationException,
		JOSEException {

		// Delegate with no expected nonce.
		verify(method, uri, issuer, proof, accessToken, cnf, (Nonce) null);
	}
}