Source code

001package com.nimbusds.oauth2.sdk.auth;
002
003
004import java.util.Date;
005import java.util.List;
006
007import net.minidev.json.JSONObject;
008
009import com.nimbusds.jwt.JWTClaimsSet;
010
011import com.nimbusds.oauth2.sdk.ParseException;
012import com.nimbusds.oauth2.sdk.assertions.jwt.JWTAssertionDetails;
013import com.nimbusds.oauth2.sdk.id.Audience;
014import com.nimbusds.oauth2.sdk.id.ClientID;
015import com.nimbusds.oauth2.sdk.id.Issuer;
016import com.nimbusds.oauth2.sdk.id.JWTID;
017import com.nimbusds.oauth2.sdk.id.Subject;
018
019
020/**
021 * JWT client authentication claims set, serialisable to a JSON object and JWT 
022 * claims set.
023 *
024 * <p>Used for {@link ClientSecretJWT client secret JWT} and
025 * {@link PrivateKeyJWT private key JWT} authentication at the Token endpoint.
026 *
027 * <p>Example client authentication claims set:
028 *
029 * <pre>
030 * {
031 *   "iss" : "http://client.example.com",
032 *   "sub" : "http://client.example.com",
033 *   "aud" : [ "http://idp.example.com/token" ],
034 *   "jti" : "d396036d-c4d9-40d8-8e98-f7e8327002d9",
035 *   "exp" : 1311281970,
036 *   "iat" : 1311280970
037 * }
038 * </pre>
039 *
040 * <p>Related specifications:
041 *
042 * <ul>
043 *     <li>OAuth 2.0 (RFC 6749), section-3.2.1.
044 *     <li>JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and
045 *         Authorization Grants (RFC 7523).
046 * </ul>
047 */
048public class JWTAuthenticationClaimsSet extends JWTAssertionDetails {
049
050
051        /**
052         * Creates a new JWT client authentication claims set. The expiration
053         * time (exp) is set to five minutes from the current system time.
054         * Generates a default identifier (jti) for the JWT. The issued-at
055         * (iat) and not-before (nbf) claims are not set.
056         *
057         * @param clientID The client identifier. Used to specify the issuer
058         *                 and the subject. Must not be {@code null}.
059         * @param aud      The audience identifier, typically the URI of the
060         *                 authorisation server's Token endpoint. Must not be
061         *                 {@code null}.
062         */
063        public JWTAuthenticationClaimsSet(final ClientID clientID,
064                                          final Audience aud) {
065
066                this(clientID, aud.toSingleAudienceList(), new Date(new Date().getTime() + 5*60* 1000L), null, null, new JWTID());
067        }
068
069        
070        /**
071         * Creates a new JWT client authentication claims set.
072         *
073         * @param clientID The client identifier. Used to specify the issuer 
074         *                 and the subject. Must not be {@code null}.
075         * @param aud      The audience, typically including the URI of the
076         *                 authorisation server's Token endpoint. Must not be 
077         *                 {@code null}.
078         * @param exp      The expiration time. Must not be {@code null}.
079         * @param nbf      The time before which the token must not be 
080         *                 accepted for processing, {@code null} if not
081         *                 specified.
082         * @param iat      The time at which the token was issued, 
083         *                 {@code null} if not specified.
084         * @param jti      Unique identifier for the JWT, {@code null} if
085         *                 not specified.
086         */
087        public JWTAuthenticationClaimsSet(final ClientID clientID,
088                                          final List<Audience> aud,
089                                          final Date exp,
090                                          final Date nbf,
091                                          final Date iat,
092                                          final JWTID jti) {
093
094                super(new Issuer(clientID.getValue()), new Subject(clientID.getValue()), aud, exp, nbf, iat, jti, null);
095        }
096
097
098        /**
099         * Gets the client identifier. Corresponds to the {@code iss} and
100         * {@code sub} claims.
101         *
102         * @return The client identifier.
103         */
104        public ClientID getClientID() {
105
106                return new ClientID(getIssuer());
107        }
108        
109        /**
110         * Parses a JWT client authentication claims set from the specified 
111         * JSON object.
112         *
113         * @param jsonObject The JSON object. Must not be {@code null}.
114         *
115         * @return The client authentication claims set.
116         *
117         * @throws ParseException If the JSON object couldn't be parsed to a 
118         *                        client authentication claims set.
119         */
120        public static JWTAuthenticationClaimsSet parse(final JSONObject jsonObject)
121                throws ParseException {
122                
123                JWTAssertionDetails assertion = JWTAssertionDetails.parse(jsonObject);
124
125                return new JWTAuthenticationClaimsSet(
126                        new ClientID(assertion.getIssuer()), // iss=sub
127                        assertion.getAudience(),
128                        assertion.getExpirationTime(),
129                        assertion.getNotBeforeTime(),
130                        assertion.getIssueTime(),
131                        assertion.getJWTID());
132        }
133
134
135        /**
136         * Parses a JWT client authentication claims set from the specified JWT 
137         * claims set.
138         *
139         * @param jwtClaimsSet The JWT claims set. Must not be {@code null}.
140         *
141         * @return The client authentication claims set.
142         *
143         * @throws ParseException If the JWT claims set couldn't be parsed to a 
144         *                        client authentication claims set.
145         */
146        public static JWTAuthenticationClaimsSet parse(final JWTClaimsSet jwtClaimsSet)
147                throws ParseException {
148                
149                return parse(jwtClaimsSet.toJSONObject());
150        }
151}