Package com.nimbusds.oauth2.sdk.assertions.jwt

Class JWTAssertionDetailsVerifier

java.lang.Object

com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier

com.nimbusds.oauth2.sdk.assertions.jwt.JWTAssertionDetailsVerifier

All Implemented Interfaces:

com.nimbusds.jwt.proc.ClockSkewAware, com.nimbusds.jwt.proc.JWTClaimsSetVerifier

@Immutable
public class JWTAssertionDetailsVerifier
extends com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier

JSON Web Token (JWT) bearer assertion details (claims set) verifier for OAuth 2.0 client authentication and authorisation grants. Intended for initial validation of JWT assertions:

• Audience check
• Expiration time check
• Expiration time too far ahead check (optional)
• Not-before time check (if set)
• Subject and issuer presence check

Related specifications:

• JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7523).

Field Summary

Fields inherited from class com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier

DEFAULT_MAX_CLOCK_SKEW_SECONDS

Constructor Summary

Constructors

Constructor	Description
JWTAssertionDetailsVerifier(Set<Audience> expectedAudience)	Creates a new JWT bearer assertion details (claims set) verifier.
JWTAssertionDetailsVerifier(Set<Audience> expectedAudience, long expMaxAhead)	Creates a new JWT bearer assertion details (claims set) verifier.

Method Summary

Modifier and Type	Method	Description
Set<Audience>	getExpectedAudience()	Deprecated.
long	getExpirationTimeMaxAhead()	Returns the maximum number of seconds the expiration time (exp) claim can be ahead of the current time.
void	verify(com.nimbusds.jwt.JWTClaimsSet claimsSet, com.nimbusds.jose.proc.SecurityContext context)

Methods inherited from class com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier

currentTime, getAcceptedAudienceValues, getExactMatchClaims, getMaxClockSkew, getProhibitedClaims, getRequiredClaims, setMaxClockSkew

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

JWTAssertionDetailsVerifier

public JWTAssertionDetailsVerifier(Set<Audience> expectedAudience)

Creates a new JWT bearer assertion details (claims set) verifier.

Parameters:

expectedAudience - The expected audience (aud) claim values. Must not be empty or null. Should typically contain the token endpoint URI and for OpenID provider it may also include the issuer URI.

JWTAssertionDetailsVerifier

public JWTAssertionDetailsVerifier(Set<Audience> expectedAudience,
                                   long expMaxAhead)

Creates a new JWT bearer assertion details (claims set) verifier.

Parameters:

expectedAudience - The expected audience (aud) claim values. Must not be empty or null. Should typically contain the token endpoint URI and for OpenID provider it may also include the issuer URI.

expMaxAhead - The maximum number of seconds the expiration time (exp) claim can be ahead of the current time, if zero or negative this check is disabled.

Method Detail

getExpectedAudience

@Deprecated
public Set<Audience> getExpectedAudience()

Deprecated.

Returns the expected audience values.

Returns:

The expected audience (aud) claim values.

getExpirationTimeMaxAhead

public long getExpirationTimeMaxAhead()

Returns the maximum number of seconds the expiration time (exp) claim can be ahead of the current time.

Returns:

The maximum number of seconds, if zero or negative this check is disabled.

verify

public void verify(com.nimbusds.jwt.JWTClaimsSet claimsSet,
                   com.nimbusds.jose.proc.SecurityContext context)
            throws com.nimbusds.jwt.proc.BadJWTException

Specified by:

verify in interface com.nimbusds.jwt.proc.JWTClaimsSetVerifier

Overrides:

verify in class com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier

Throws:

com.nimbusds.jwt.proc.BadJWTException