public class ValidatorAccessTokenValidator extends Object implements AccessTokenValidator

ValidatorAccessTokenValidator is an implementation of AccessTokenValidator that is used by the broker to perform more extensive validation of the JWT access token that is received from the client, but ultimately comes from posting the client credentials to the OAuth/OIDC provider's token endpoint.

The validation steps performed (primarily by the jose4j library) are:

1. Basic structural validation of the b64token value as defined in RFC 6750 Section 2.1
2. Presence of the required claims (exp, subject, iss, and iat)
3. Signature validation against the key named by the kid header and the keys provided by the OAuth/OIDC provider's JWKS
Nested Class Summary

Modifier and Type | Class and Description
---|---
static interface | ValidatorAccessTokenValidator.ClaimSupplier<T>

Constructor Summary

Constructor and Description
---
ValidatorAccessTokenValidator(Integer clockSkew, Set<String> expectedAudiences, String expectedIssuer, org.jose4j.keys.resolvers.VerificationKeyResolver verificationKeyResolver, String scopeClaimName, String subClaimName): Creates a new ValidatorAccessTokenValidator that will be used by the broker for more thorough validation of the JWT.

Method Summary

Modifier and Type | Method and Description
---|---
OAuthBearerToken | validate(String accessToken): Accepts an OAuth JWT access token in base-64 encoded format, validates it, and returns an OAuthBearerToken.
Constructor Detail

public ValidatorAccessTokenValidator(Integer clockSkew, Set<String> expectedAudiences, String expectedIssuer, org.jose4j.keys.resolvers.VerificationKeyResolver verificationKeyResolver, String scopeClaimName, String subClaimName)

Parameters:

clockSkew - The optional value (in seconds) to allow for differences between the time of the OAuth/OIDC identity provider and the broker. If null is provided, the broker and the OAuth/OIDC identity provider are assumed to have very close clock settings.

expectedAudiences - The (optional) set the broker will use to verify that the JWT was issued for one of the expected audiences. The JWT will be inspected for the standard OAuth aud claim and, if this value is set, the broker will compare it with the value from the JWT's aud claim to see if there is an exact match. If there is no match, the broker will reject the JWT and authentication will fail. May be null to not perform any check that the JWT's aud claim matches a fixed set of known/expected audiences.

expectedIssuer - The (optional) value for the broker to use to verify that the JWT was created by the expected issuer. The JWT will be inspected for the standard OAuth iss claim and, if this value is set, the broker will match it exactly against what is in the JWT's iss claim. If there is no match, the broker will reject the JWT and authentication will fail. May be null to not perform any check that the JWT's iss claim matches a specific issuer.

verificationKeyResolver - jose4j-based VerificationKeyResolver that is used to validate that the signature matches the contents of the header and payload.

scopeClaimName - Name of the scope claim to use; must be non-null.

subClaimName - Name of the subject claim to use; must be non-null.

See Also:
JwtConsumerBuilder, JwtConsumer, VerificationKeyResolver
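As an added example that is not part of this Javadoc or of Kafka's code base, the following wires a plain jose4j JwtConsumer with the same kinds of settings the constructor above takes (clock skew, expected audiences, expected issuer, a JWKS-backed VerificationKeyResolver), mints a constructed token under a locally generated key, and validates it. The class name, issuer, audience, key id and claim values are assumed sample values.

```java
import java.util.List;
import java.util.Set;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jwk.RsaJwkGenerator;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.resolvers.JwksVerificationKeyResolver;
import org.jose4j.keys.resolvers.VerificationKeyResolver;
public class JwtValidationExample {
    // jose4j JwtConsumer wired like the broker's validator (illustrative, not Kafka's code); a null clockSkew, expectedAudiences or expectedIssuer skips that check
    static JwtConsumer buildConsumer(Integer clockSkew, Set<String> expectedAudiences,
                                     String expectedIssuer, VerificationKeyResolver resolver) {
        JwtConsumerBuilder b = new JwtConsumerBuilder()
            .setVerificationKeyResolver(resolver)                  // header kid -> key from the JWKS
            .setJwsAlgorithmConstraints(new AlgorithmConstraints(  // explicit allow-list; alg=none is refused
                AlgorithmConstraints.ConstraintType.PERMIT, AlgorithmIdentifiers.RSA_USING_SHA256))
            .setRequireExpirationTime().setRequireIssuedAt().setRequireSubject();  // exp, iat, sub must be present
        if (clockSkew != null) b.setAllowedClockSkewInSeconds(clockSkew);
        if (expectedAudiences == null) b.setSkipDefaultAudienceValidation();
        else b.setExpectedAudience(expectedAudiences.toArray(new String[0]));  // exact aud match
        if (expectedIssuer != null) b.setExpectedIssuer(expectedIssuer);       // exact iss match
        return b.build();
    }
    public static void main(String[] args) throws Exception {
        RsaJsonWebKey jwk = RsaJwkGenerator.generateJwk(2048);  // constructed key standing in for the provider's JWKS
        jwk.setKeyId("example-kid");
        VerificationKeyResolver resolver = new JwksVerificationKeyResolver(List.of((JsonWebKey) jwk));
        JwtClaims claims = new JwtClaims();                      // constructed claims, as the token endpoint would mint
        claims.setIssuer("https://issuer.example");
        claims.setAudience("kafka-broker");
        claims.setSubject("client-app");
        claims.setExpirationTimeMinutesInTheFuture(5);
        claims.setIssuedAtToNow();
        claims.setStringClaim("scope", "kafka:read kafka:write");
        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(claims.toJson());
        jws.setKey(jwk.getPrivateKey());
        jws.setKeyIdHeaderValue(jwk.getKeyId());
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
        String token = jws.getCompactSerialization();
        // Signature, exp/iat window, aud and iss are verified before any claim is read; processToClaims throws InvalidJwtException naming the failing check on rejection
        JwtClaims verified = buildConsumer(30, Set.of("kafka-broker"), "https://issuer.example", resolver).processToClaims(token);
        System.out.println("sub=" + verified.getSubject() + " scope=" + verified.getStringClaimValue("scope"));
    }
}
```

The broker-side class goes one step further: it reads the claims named by scopeClaimName and subClaimName from the verified token and wraps them in the OAuthBearerToken that validate(String) returns, while this example stops at the verified claims.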
Method Detail

public OAuthBearerToken validate(String accessToken) throws ValidateException

Specified by:
validate in interface AccessTokenValidator

Parameters:
accessToken - Non-null JWT access token

Returns:
OAuthBearerToken

Throws:
ValidateException - Thrown on errors performing validation of the given token