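/*
 * oauth2-oidc-sdk
 *
 * Copyright 2012-2016, Connect2id Ltd and contributors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
 * this file except in compliance with the License. You may obtain a copy of the
 * License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software distributed
 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 * CONDITIONS OF ANY KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations under the License.
 */

package com.nimbusds.openid.connect.sdk.validators;


import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.proc.JWEKeySelector;
import com.nimbusds.jose.proc.JWSKeySelector;
import com.nimbusds.jwt.proc.ClockSkewAware;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Issuer;


/**
 * Abstract JSON Web Token (JWT) validator for ID tokens and logout tokens.
 *
 * <p>Holds the configuration shared by the concrete validators: the
 * expected JWT type header, the expected issuer, the client ID (expected
 * audience), the optional JWS / JWE key selectors and the maximum
 * acceptable clock skew. All configuration except the clock skew is
 * immutable after construction; the clock skew is a plain mutable field
 * with no synchronisation, so set it before the validator is shared
 * between threads.
 */
public abstract class AbstractJWTValidator implements ClockSkewAware {


	/**
	 * The default maximum acceptable clock skew for verifying token
	 * timestamps, in seconds.
	 */
	public static final int DEFAULT_MAX_CLOCK_SKEW = 60;


	/**
	 * The expected JWT "typ" (type) header, {@code null} if none.
	 */
	private final JOSEObjectType jwtType;


	/**
	 * The expected token issuer.
	 */
	private final Issuer expectedIssuer;


	/**
	 * The requesting client.
	 */
	private final ClientID clientID;


	/**
	 * The JWS key selector, {@code null} if signature verification is
	 * not configured.
	 */
	private final JWSKeySelector jwsKeySelector;


	/**
	 * The JWE key selector, {@code null} if decryption is not
	 * configured.
	 */
	private final JWEKeySelector jweKeySelector;


	/**
	 * The maximum acceptable clock skew, in seconds. Never negative.
	 */
	private int maxClockSkew = DEFAULT_MAX_CLOCK_SKEW;


	/**
	 * Creates a new abstract JWT validator with no expected JWT "typ"
	 * (type) header.
	 *
	 * @param expectedIssuer The expected token issuer (OpenID Provider).
	 *                       Must not be {@code null}.
	 * @param clientID       The client ID. Must not be {@code null}.
	 * @param jwsKeySelector The key selector for JWS verification,
	 *                       {@code null} if unsecured (plain) tokens are
	 *                       expected.
	 * @param jweKeySelector The key selector for JWE decryption,
	 *                       {@code null} if encrypted tokens are not
	 *                       expected.
	 *
	 * @throws IllegalArgumentException If the expected issuer or the
	 *                                  client ID is {@code null}.
	 *
	 * @deprecated Use the constructor that also takes the expected JWT
	 *             "typ" (type) header.
	 */
	@Deprecated
	public AbstractJWTValidator(final Issuer expectedIssuer,
				    final ClientID clientID,
				    final JWSKeySelector jwsKeySelector,
				    final JWEKeySelector jweKeySelector) {

		this(null, expectedIssuer, clientID, jwsKeySelector, jweKeySelector);
	}


	/**
	 * Creates a new abstract JWT validator.
	 *
	 * <p>Leaving {@code jwsKeySelector} {@code null} leaves this
	 * validator without any means of signature verification, so it
	 * should only be done where unsecured (plain) tokens are knowingly
	 * expected.
	 *
	 * @param jwtType        The expected JWT "typ" (type) header,
	 *                       {@code null} if none.
	 * @param expectedIssuer The expected token issuer (OpenID Provider).
	 *                       Must not be {@code null}.
	 * @param clientID       The client ID. Must not be {@code null}.
	 * @param jwsKeySelector The key selector for JWS verification,
	 *                       {@code null} if unsecured (plain) tokens are
	 *                       expected.
	 * @param jweKeySelector The key selector for JWE decryption,
	 *                       {@code null} if encrypted tokens are not
	 *                       expected.
	 *
	 * @throws IllegalArgumentException If the expected issuer or the
	 *                                  client ID is {@code null}.
	 */
	public AbstractJWTValidator(final JOSEObjectType jwtType,
				    final Issuer expectedIssuer,
				    final ClientID clientID,
				    final JWSKeySelector jwsKeySelector,
				    final JWEKeySelector jweKeySelector) {

		// Optional
		this.jwtType = jwtType;

		if (expectedIssuer == null) {
			throw new IllegalArgumentException("The expected token issuer must not be null");
		}
		this.expectedIssuer = expectedIssuer;

		if (clientID == null) {
			throw new IllegalArgumentException("The client ID must not be null");
		}
		this.clientID = clientID;

		// Optional
		this.jwsKeySelector = jwsKeySelector;
		this.jweKeySelector = jweKeySelector;
	}


	/**
	 * Returns the expected JWT "typ" (type) header.
	 *
	 * @return The expected JWT "typ" (type) header, {@code null} if none.
	 */
	public JOSEObjectType getExpectedJWTType() {
		return jwtType;
	}


	/**
	 * Returns the expected token issuer.
	 *
	 * @return The token issuer.
	 */
	public Issuer getExpectedIssuer() {
		return expectedIssuer;
	}


	/**
	 * Returns the client ID (the expected JWT audience).
	 *
	 * @return The client ID.
	 */
	public ClientID getClientID() {
		return clientID;
	}


	/**
	 * Returns the configured JWS key selector for signed token
	 * verification.
	 *
	 * @return The JWS key selector, {@code null} if none.
	 */
	public JWSKeySelector getJWSKeySelector() {
		return jwsKeySelector;
	}


	/**
	 * Returns the configured JWE key selector for encrypted token
	 * decryption.
	 *
	 * @return The JWE key selector, {@code null} if none.
	 */
	public JWEKeySelector getJWEKeySelector() {
		return jweKeySelector;
	}


	/**
	 * Gets the maximum acceptable clock skew for verifying the token
	 * timestamps.
	 *
	 * @return The maximum acceptable clock skew, in seconds. Zero
	 *         indicates none.
	 */
	@Override
	public int getMaxClockSkew() {
		return maxClockSkew;
	}


	/**
	 * Sets the maximum acceptable clock skew for verifying the token
	 * timestamps. Subclasses presumably apply this tolerance to the
	 * token time claims, so keep it no larger than the clock drift the
	 * deployment actually has to tolerate.
	 *
	 * @param maxClockSkew The maximum acceptable clock skew, in seconds.
	 *                     Zero indicates none. Must not be negative.
	 *
	 * @throws IllegalArgumentException If the clock skew is negative.
	 */
	@Override
	public void setMaxClockSkew(final int maxClockSkew) {
		// Enforce the documented precondition, consistent with the
		// fail-fast argument checks in the constructor
		if (maxClockSkew < 0) {
			throw new IllegalArgumentException("The max clock skew must not be negative");
		}
		this.maxClockSkew = maxClockSkew;
	}
}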