001/* 002 * oauth2-oidc-sdk 003 * 004 * Copyright 2012-2016, Connect2id Ltd and contributors. 005 * 006 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use 007 * this file except in compliance with the License. You may obtain a copy of the 008 * License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software distributed 013 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR 014 * CONDITIONS OF ANY KIND, either express or implied. See the License for the 015 * specific language governing permissions and limitations under the License. 016 */ 017 018package com.nimbusds.openid.connect.sdk.validators; 019 020 021import com.nimbusds.jose.JWSAlgorithm; 022import com.nimbusds.oauth2.sdk.token.AccessToken; 023import com.nimbusds.openid.connect.sdk.claims.AccessTokenHash; 024import net.jcip.annotations.ThreadSafe; 025 026 027/** 028 * Access token validator, using the {@code at_hash} ID token claim. Required 029 * in the implicit flow and the hybrid flow where the access token is returned 030 * at the authorisation endpoint. 031 * 032 * <p>Related specifications: 033 * 034 * <ul> 035 * <li>OpenID Connect Core 1.0, sections 3.1.3.8, 3.2.2.9 and 3.3.2.9. 036 * </ul> 037 */ 038@ThreadSafe 039public class AccessTokenValidator { 040 041 042 /** 043 * Validates the specified access token. 044 * 045 * @param accessToken The access token. Must not be {@code null}. 046 * @param jwsAlgorithm The JWS algorithm of the ID token. Must not 047 * be {@code null}. 048 * @param accessTokenHash The access token hash, as set in the 049 * {@code at_hash} ID token claim. Must not be 050 * {@code null}, 051 * 052 * @throws InvalidHashException If the access token doesn't match the 053 * hash. 054 */ 055 public static void validate(final AccessToken accessToken, 056 final JWSAlgorithm jwsAlgorithm, 057 final AccessTokenHash accessTokenHash) 058 throws InvalidHashException { 059 060 AccessTokenHash expectedHash = AccessTokenHash.compute(accessToken, jwsAlgorithm); 061 062 if (expectedHash == null) { 063 throw InvalidHashException.INVALID_ACCESS_T0KEN_HASH_EXCEPTION; 064 } 065 066 if (! expectedHash.equals(accessTokenHash)) { 067 throw InvalidHashException.INVALID_ACCESS_T0KEN_HASH_EXCEPTION; 068 } 069 } 070}