com.nimbusds.jwt.proc

Class DefaultJWTClaimsVerifier<C extends SecurityContext>

java.lang.Object

com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier<C>

All Implemented Interfaces:

ClockSkewAware, JWTClaimsSetVerifier<C>

@ThreadSafe
public class DefaultJWTClaimsVerifier<C extends SecurityContext>
extends Object
implements JWTClaimsSetVerifier<C>, ClockSkewAware

A JWT claims verifier implementation.

Configurable checks:

1. Specify JWT claims that must be present and which values must match exactly, for example the expected JWT issuer ("iss") and audience ("aud").
2. Specify JWT claims that must be present, for example expiration ("exp") and not-before ("nbf") times. If the "exp" or "nbf" claims are marked as required they will be automatically checked against the current time.
3. Specify JWT claims that are prohibited, for example to prevent cross-JWT confusion in situations when explicit JWT typing via the type ("typ") header is not used.

Performs the following time validity checks:

1. If an expiration time ("exp") claim is present, makes sure it is ahead of the current time, else the JWT claims set is rejected.
2. If a not-before-time ("nbf") claim is present, makes sure it is before the current time, else the JWT claims set is rejected.

Note, to enforce a time validity check the claim ("exp" and / or "nbf" ) must be set as required.

Example verifier with exact matches for "iss" and "aud", and setting the "exp", "nbf" and "jti" claims as required to be present:

 DefaultJWTClaimsVerifier<?> verifier = new DefaultJWTClaimsVerifier<>(
        new JWTClaimsSet.Builder()
                .issuer("https://issuer.example.com")
                .audience("https://client.example.com")
                .build(),
        new HashSet<>(Arrays.asList("exp", "nbf", "jti")));

 verifier.verify(jwtClaimsSet, null);
 

This class may be extended to perform additional checks.

This class is thread-safe.

Version:

2021-06-05

Author:

Vladimir Dzhuvinov

Field Summary

Fields

Modifier and Type	Field and Description
static int	DEFAULT_MAX_CLOCK_SKEW_SECONDS The default maximum acceptable clock skew, in seconds (60).

Constructor Summary

Constructors

Constructor and Description
DefaultJWTClaimsVerifier() Deprecated. Use a more specific constructor that at least specifies a list of required JWT claims.
DefaultJWTClaimsVerifier(JWTClaimsSet exactMatchClaims, Set<String> requiredClaims) Creates a new JWT claims verifier.
DefaultJWTClaimsVerifier(Set<String> acceptedAudience, JWTClaimsSet exactMatchClaims, Set<String> requiredClaims, Set<String> prohibitedClaims) Creates new default JWT claims verifier.
DefaultJWTClaimsVerifier(String requiredAudience, JWTClaimsSet exactMatchClaims, Set<String> requiredClaims) Creates new default JWT claims verifier.

Method Summary

Modifier and Type	Method and Description
Set<String>	getAcceptedAudienceValues() Returns the accepted audience values.
JWTClaimsSet	getExactMatchClaims() Returns the JWT claims that must match exactly.
int	getMaxClockSkew() Gets the maximum acceptable clock skew.
Set<String>	getProhibitedClaims() Returns the names of the JWT claims that must not be present.
Set<String>	getRequiredClaims() Returns the names of the JWT claims that must be present, including the name of those that must match exactly.
void	setMaxClockSkew(int maxClockSkewSeconds) Sets the maximum acceptable clock skew.
void	verify(JWTClaimsSet claimsSet, C context) Verifies selected or all claims from the specified JWT claims set.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

DEFAULT_MAX_CLOCK_SKEW_SECONDS

public static final int DEFAULT_MAX_CLOCK_SKEW_SECONDS

The default maximum acceptable clock skew, in seconds (60).

See Also:

Constant Field Values

Constructor Detail

DefaultJWTClaimsVerifier

@Deprecated
public DefaultJWTClaimsVerifier()

Deprecated. Use a more specific constructor that at least specifies a list of required JWT claims.

Creates a new JWT claims verifier. No audience ("aud"), required and prohibited claims are specified. The expiration ("exp") and not-before ("nbf") claims will be checked only if they are present and parsed successfully.

DefaultJWTClaimsVerifier

public DefaultJWTClaimsVerifier(JWTClaimsSet exactMatchClaims,
                                Set<String> requiredClaims)

Creates a new JWT claims verifier. Allows any audience ("aud") unless an exact match is specified. The expiration ("exp") and not-before ("nbf") claims will be checked only if they are present and parsed successfully; add them to the required claims if they are mandatory.

Parameters:

exactMatchClaims - The JWT claims that must match exactly, null if none.

requiredClaims - The names of the JWT claims that must be present, empty set or null if none.

DefaultJWTClaimsVerifier

public DefaultJWTClaimsVerifier(String requiredAudience,
                                JWTClaimsSet exactMatchClaims,
                                Set<String> requiredClaims)

Creates new default JWT claims verifier. The expiration ("exp") and not-before ("nbf") claims will be checked only if they are present and parsed successfully; add them to the required claims if they are mandatory.

Parameters:

requiredAudience - The required JWT audience, null if not specified.

exactMatchClaims - The JWT claims that must match exactly, null if none.

requiredClaims - The names of the JWT claims that must be present, empty set or null if none.

DefaultJWTClaimsVerifier

public DefaultJWTClaimsVerifier(Set<String> acceptedAudience,
                                JWTClaimsSet exactMatchClaims,
                                Set<String> requiredClaims,
                                Set<String> prohibitedClaims)

Creates new default JWT claims verifier. The expiration ("exp") and not-before ("nbf") claims will be checked only if they are present and parsed successfully; add them to the required claims if they are mandatory.

Parameters:

acceptedAudience - The accepted JWT audience values, null if not specified. A null value in the set allows JWTs with no audience.

exactMatchClaims - The JWT claims that must match exactly, null if none.

requiredClaims - The names of the JWT claims that must be present, empty set or null if none.

prohibitedClaims - The names of the JWT claims that must not be present, empty set or null if none.

Method Detail

getAcceptedAudienceValues

public Set<String> getAcceptedAudienceValues()

Returns the accepted audience values.

Returns:

The accepted JWT audience values, null if not specified. A null value in the set allows JWTs with no audience.

getExactMatchClaims

public JWTClaimsSet getExactMatchClaims()

Returns the JWT claims that must match exactly.

Returns:

The JWT claims that must match exactly, empty set if none.

getRequiredClaims

public Set<String> getRequiredClaims()

Returns the names of the JWT claims that must be present, including the name of those that must match exactly.

Returns:

The names of the JWT claims that must be present, empty set if none.

getProhibitedClaims

public Set<String> getProhibitedClaims()

Returns the names of the JWT claims that must not be present.

Returns:

The names of the JWT claims that must not be present, empty set if none.

getMaxClockSkew

public int getMaxClockSkew()

Description copied from interface: ClockSkewAware

Gets the maximum acceptable clock skew.

Specified by:

getMaxClockSkew in interface ClockSkewAware

Returns:

The maximum acceptable clock skew, in seconds. Zero if none.

setMaxClockSkew

public void setMaxClockSkew(int maxClockSkewSeconds)

Description copied from interface: ClockSkewAware

Sets the maximum acceptable clock skew.

Specified by:

setMaxClockSkew in interface ClockSkewAware

Parameters:

maxClockSkewSeconds - The maximum acceptable clock skew, in seconds. Zero if none.

verify

public void verify(JWTClaimsSet claimsSet,
                   C context)
            throws BadJWTException

Description copied from interface: JWTClaimsSetVerifier

Verifies selected or all claims from the specified JWT claims set.

Specified by:

verify in interface JWTClaimsSetVerifier<C extends SecurityContext>

Parameters:

claimsSet - The JWT claims set. Not null.

context - Optional context, null if not required.

Throws:

BadJWTException - If the JWT claims set is rejected.