/*
 * oauth2-oidc-sdk
 *
 * Copyright 2012-2020, Connect2id Ltd and contributors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
 * this file except in compliance with the License. You may obtain a copy of the
 * License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software distributed
 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 * CONDITIONS OF ANY KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations under the License.
 */

package com.nimbusds.openid.connect.sdk.federation.api;


import java.util.Arrays;
import java.util.Date;
import java.util.HashSet;

import net.jcip.annotations.Immutable;

import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.util.DateUtils;


/**
 * Claims verifier for federation resolve responses.
 *
 * <p>On top of the checks performed by {@link DefaultJWTClaimsVerifier} for
 * the configured required claims, this verifier rejects JWTs whose "iat"
 * claim lies in the future (beyond the configured max clock skew).
 *
 * <p>Required claims:
 *
 * <ul>
 *     <li>"iss"
 *     <li>"sub"
 *     <li>"iat"
 *     <li>"exp"
 *     <li>"metadata"
 * </ul>
 */
@Immutable
public class ResolveClaimsVerifier extends DefaultJWTClaimsVerifier {


    /**
     * Returns a fresh set with the names of the claims that must be
     * present in a resolve response JWT.
     *
     * @return The required claim names, never {@code null}.
     */
    private static HashSet<String> requiredClaimNames() {

        return new HashSet<>(Arrays.asList("iss", "sub", "iat", "exp", "metadata"));
    }


    /**
     * Creates a new resolve claims verifier with no exact-match claims
     * and the required claim set listed in the class description.
     */
    public ResolveClaimsVerifier() {

        super(null, requiredClaimNames());
    }


    /**
     * Verifies the claims set. Delegates to the superclass first (which is
     * configured with the required claim names), then checks that the
     * "iat" claim is not after the current time, allowing for the max
     * clock skew returned by {@link #getMaxClockSkew()}.
     *
     * @param claimsSet The JWT claims set to verify. Must not be
     *                  {@code null}.
     * @param context   Optional security context, may be {@code null}.
     *
     * @throws BadJWTException If the superclass verification fails, or if
     *                         the issue time is after the current time
     *                         (beyond the max clock skew).
     */
    @Override
    public void verify(final JWTClaimsSet claimsSet, final SecurityContext context) throws BadJWTException {

        // Required claims ("iat" among them) and the superclass checks go first,
        // so a missing "iat" is reported by the superclass before we read it
        super.verify(claimsSet, context);

        // A token that claims to have been issued in the future is rejected;
        // the comparison tolerates the configured clock skew
        final Date issueTime = claimsSet.getIssueTime();
        final Date now = new Date();
        final boolean issuedNoLaterThanNow = DateUtils.isBefore(issueTime, now, getMaxClockSkew());

        if (issuedNoLaterThanNow) {
            return;
        }

        throw new BadJWTException("JWT issue time after current time");
    }
}