/*
 * oauth2-oidc-sdk
 *
 * Copyright 2012-2020, Connect2id Ltd and contributors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
 * this file except in compliance with the License. You may obtain a copy of the
 * License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software distributed
 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 * CONDITIONS OF ANY KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations under the License.
 */
017
018package com.nimbusds.openid.connect.sdk.federation.api;
019
020
021import java.util.Arrays;
022import java.util.Date;
023import java.util.HashSet;
024
025import net.jcip.annotations.Immutable;
026
027import com.nimbusds.jose.proc.SecurityContext;
028import com.nimbusds.jwt.JWTClaimsSet;
029import com.nimbusds.jwt.proc.BadJWTException;
030import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
031import com.nimbusds.jwt.util.DateUtils;
032
033
/**
 * Resolve claims verifier.
 *
 * <p>Verifies:
 *
 * <ul>
 *     <li>The presence of the required "iss", "sub", "iat", "exp" and
 *         "metadata" claims.
 *     <li>That the current time lies within the "iat" / "exp" window
 *         (allowing for the configured clock skew).
 * </ul>
 */
@Immutable
public class ResolveClaimsVerifier extends DefaultJWTClaimsVerifier {


	/**
	 * Returns the names of the claims that must be present in a
	 * resolve response JWT: "iss", "sub", "iat", "exp" and "metadata".
	 *
	 * @return A fresh, mutable set of the required claim names.
	 */
	private static HashSet<String> requiredClaimNames() {
		return new HashSet<>(Arrays.asList("iss", "sub", "iat", "exp", "metadata"));
	}


	/**
	 * Creates a new resolve claims verifier.
	 *
	 * <p>No exact-match claims are configured (the first argument passed
	 * to the superclass is {@code null}), so the values of "iss" and
	 * "sub" are not compared against expected values by this verifier;
	 * only their presence is required. Matching the issuer against the
	 * expected federation entity is left to the caller.
	 */
	public ResolveClaimsVerifier() {
		super(null, requiredClaimNames());
	}


	/**
	 * Verifies the claims set. First runs the superclass checks
	 * (required claim presence, expiration), then rejects a JWT whose
	 * issue time ("iat") lies in the future, beyond the configured
	 * maximum clock skew.
	 *
	 * @param claimsSet The claims set to verify. Must not be
	 *                  {@code null}.
	 * @param context   Optional security context, {@code null} if not
	 *                  required.
	 *
	 * @throws BadJWTException If the claims set is rejected.
	 */
	@Override
	public void verify(final JWTClaimsSet claimsSet, final SecurityContext context) throws BadJWTException {

		super.verify(claimsSet, context);

		// The superclass already required "iat" to be present; the
		// issue time is compared against the local clock with the
		// same skew tolerance as the other time-based checks.
		// NOTE(review): an "iat" that is present but not parseable as a
		// date would surface here as a null issue time — confirm how
		// DateUtils.isBefore handles that before relying on it.
		Date issueTime = claimsSet.getIssueTime();
		Date currentTime = new Date();
		boolean issuedInPast = DateUtils.isBefore(issueTime, currentTime, getMaxClockSkew());

		if (issuedInPast) {
			return;
		}

		throw new BadJWTException("JWT issue time after current time");
	}
}