Source code

001/*
002 * oauth2-oidc-sdk
003 *
004 * Copyright 2012-2021, Connect2id Ltd and contributors.
005 *
006 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
007 * this file except in compliance with the License. You may obtain a copy of the
008 * License at
009 *
010 *    http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software distributed
013 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
014 * CONDITIONS OF ANY KIND, either express or implied. See the License for the
015 * specific language governing permissions and limitations under the License.
016 */
017
018package com.nimbusds.oauth2.sdk.dpop.verifiers;
019
020
021import java.net.URI;
022import java.util.Map;
023import java.util.Set;
024
025import net.jcip.annotations.ThreadSafe;
026
027import com.nimbusds.jose.JOSEException;
028import com.nimbusds.jose.JWSAlgorithm;
029import com.nimbusds.jwt.SignedJWT;
030import com.nimbusds.oauth2.sdk.dpop.JWKThumbprintConfirmation;
031import com.nimbusds.oauth2.sdk.id.JWTID;
032import com.nimbusds.oauth2.sdk.util.singleuse.SingleUseChecker;
033import com.nimbusds.openid.connect.sdk.Nonce;
034
035
036/**
037 * DPoP proof JWT verifier for the OAuth 2.0 token endpoint of an authorisation
038 * server.
039 */
040@ThreadSafe
041public class DPoPTokenRequestVerifier extends DPoPCommonVerifier {
042        
043        
044        /**
045         * The token endpoint URI.
046         */
047        private final URI endpointURI;
048        
049        
050        /**
051         * Creates a new DPoP proof JWT verifier for the OAuth 2.0 token
052         * endpoint.
053         *
054         * @param acceptedJWSAlgs     The accepted JWS algorithms. Must be
055         *                            supported and not {@code null}.
056         * @param endpointURI         The token endpoint URI. Any query or
057         *                            fragment component will be stripped from
058         *                            it before performing the comparison. Must
059         *                            not be {@code null}.
060         * @param maxClockSkewSeconds The max acceptable clock skew for the
061         *                            "iat" (issued-at) claim checks, in
062         *                            seconds. Should be in the order of a few
063         *                            seconds.
064         * @param singleUseChecker    The single use checker for the DPoP proof
065         *                            "jti" (JWT ID) claims, {@code null} if
066         *                            not specified.
067         */
068        public DPoPTokenRequestVerifier(final Set<JWSAlgorithm> acceptedJWSAlgs,
069                                        final URI endpointURI,
070                                        final long maxClockSkewSeconds,
071                                        final SingleUseChecker<Map.Entry<DPoPIssuer, JWTID>> singleUseChecker) {
072                
073                super(acceptedJWSAlgs, maxClockSkewSeconds, singleUseChecker);
074                
075                if (endpointURI == null) {
076                        throw new IllegalArgumentException("The token endpoint URI must not be null");
077                }
078                this.endpointURI = endpointURI;
079        }
080        
081        
082        /**
083         * Verifies the specified DPoP proof and returns the DPoP JWK SHA-256
084         * thumbprint confirmation.
085         *
086         * @param issuer Unique identifier for the DPoP proof issuer, typically
087         *               as its client ID. Must not be {@code null}.
088         * @param proof  The DPoP proof JWT. Must not be {@code null}.
089         *
090         * @return The DPoP JWK SHA-256 thumbprint confirmation.
091         *
092         * @throws InvalidDPoPProofException If the DPoP proof is invalid.
093         * @throws JOSEException             If an internal JOSE exception is
094         *                                   encountered.
095         */
096        @Deprecated
097        public JWKThumbprintConfirmation verify(final DPoPIssuer issuer, final SignedJWT proof)
098                throws InvalidDPoPProofException, JOSEException {
099                
100                return verify(issuer, proof, null);
101        }
102        
103        
104        /**
105         * Verifies the specified DPoP proof and returns the DPoP JWK SHA-256
106         * thumbprint confirmation.
107         *
108         * @param issuer Unique identifier for the DPoP proof issuer, typically
109         *               as its client ID. Must not be {@code null}.
110         * @param proof  The DPoP proof JWT. Must not be {@code null}.
111         * @param nonce  The expected DPoP proof JWT nonce, {@code null} if
112         *               none.
113         *
114         * @return The DPoP JWK SHA-256 thumbprint confirmation.
115         *
116         * @throws InvalidDPoPProofException If the DPoP proof is invalid.
117         * @throws JOSEException             If an internal JOSE exception is
118         *                                   encountered.
119         */
120        public JWKThumbprintConfirmation verify(final DPoPIssuer issuer, final SignedJWT proof, final Nonce nonce)
121                throws InvalidDPoPProofException, JOSEException {
122                
123                try {
124                        super.verify("POST", endpointURI, issuer, proof, null, null, nonce);
125                } catch (AccessTokenValidationException e) {
126                        throw new RuntimeException("Unexpected exception", e);
127                }
128                
129                return new JWKThumbprintConfirmation(proof.getHeader().getJWK().computeThumbprint());
130        }
131}