Class DefaultConfigurableJwtValidator

java.lang.Object
no.nav.security.token.support.core.validation.DefaultConfigurableJwtValidator
All Implemented Interfaces:
JwtTokenValidator

public class DefaultConfigurableJwtValidator extends Object implements JwtTokenValidator
The default configurable JwtTokenValidator. Configures sane defaults and delegates verification to DefaultJwtClaimsVerifier:

The following claims are required by default and must be present in every JWT:

  • iss - Issuer
  • sub - Subject
  • aud - Audience
  • exp - Expiration Time
  • iat - Issued At

In addition, the following checks are in place:

  • The issuer ("iss") claim value must match exactly with the specified accepted issuer value.
  • At least one of the values in audience ("aud") claim must match one of the specified accepted audiences.
  • Time validity checks are performed on the issued at ("iat"), expiration ("exp") and not-before ("nbf") claims if and only if they are present.

Note: the not-before ("nbf") claim is not required by default, whereas the expiration ("exp") claim is.

Specifying optional claims will remove any matching claims from the default set of required claims.

Audience validation is only skipped if the claim is explicitly configured as an optional claim and the list of accepted audiences is empty / not configured. Skipping it means a token minted by the same issuer for some other service will be accepted here as well, so this should be a deliberate choice rather than a convenience.

If the audience claim is explicitly configured as an optional claim and the list of accepted audience is non-empty, the following rules apply:

  • If the audience claim is present (non-empty) in the JWT, it will be matched against the list of accepted audiences.
  • If the audience claim is not present, the audience match and existence checks are skipped, since it is an optional claim.

An empty list of accepted audiences alone does not remove the audience ("aud") claim from the default set of required claims; the claim must explicitly be specified as optional.
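The rules above map almost one-to-one onto Nimbus's DefaultJWTClaimsVerifier, which the class description says this validator delegates to. The following is an added example, not the library's own code: it builds such a verifier from the same issuer / acceptedAudiences / optionalClaims inputs the constructors below take and runs a few constructed claim sets through it, so you can see which combinations pass and which are rejected. The issuer and audience strings are assumed values, the sample claim sets are constructed for the demonstration, and the example stops at the claims layer (no signature check against a JWKSource). It exercises the exp and nbf time checks that Nimbus performs itself; the iat check described above is not shown.

```java
import java.util.Date;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeUnit;

import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;

/**
 * Added example (not the library's own code): the claim rules from the class
 * description expressed directly against Nimbus's DefaultJWTClaimsVerifier.
 * Claims only; signature verification against a JWKSource is a separate step.
 */
public class ClaimRulesExample {

    // Assumed values for the demonstration.
    static final String ISSUER = "https://issuer.example";
    static final String MY_AUDIENCE = "my-api";

    // The default required claims listed in the class description.
    static final Set<String> DEFAULT_REQUIRED = Set.of("iss", "sub", "aud", "exp", "iat");

    /** Builds a verifier configured the way the description says the validator behaves. */
    static DefaultJWTClaimsVerifier<SecurityContext> verifier(
            String issuer, List<String> acceptedAudiences, List<String> optionalClaims) {

        // Optional claims drop out of the default required set.
        Set<String> required = new HashSet<>(DEFAULT_REQUIRED);
        required.removeAll(optionalClaims);

        // A null accepted set makes Nimbus skip audience matching entirely. Whether a
        // missing aud is then still an error depends only on "aud" being in the required set.
        Set<String> accepted = null;
        if (!acceptedAudiences.isEmpty()) {
            accepted = new HashSet<>(acceptedAudiences);
            if (optionalClaims.contains("aud")) {
                // Nimbus convention: a null entry in the accepted set allows a JWT without an
                // aud claim, while a present aud is still matched against the real entries.
                accepted.add(null);
            }
        }

        // The issuer is an exact-match claim; Nimbus also treats exact-match claims as required.
        JWTClaimsSet exactMatch = new JWTClaimsSet.Builder().issuer(issuer).build();
        return new DefaultJWTClaimsVerifier<>(accepted, exactMatch, required, null);
    }

    /** Runs the verifier and returns null on success, otherwise the rejection reason. */
    static String check(DefaultJWTClaimsVerifier<SecurityContext> verifier, JWTClaimsSet claims) {
        try {
            verifier.verify(claims, null);
            return null;
        } catch (BadJWTException e) {
            return e.getMessage();
        }
    }

    /** Constructed claim set with every default claim except aud, which each case sets itself. */
    static JWTClaimsSet.Builder base(Date issuedAt, Date expiresAt) {
        return new JWTClaimsSet.Builder()
                .issuer(ISSUER)
                .subject("user-1")
                .issueTime(issuedAt)
                .expirationTime(expiresAt);
    }

    public static void main(String[] args) {
        Date now = new Date();
        Date inTenMinutes = new Date(now.getTime() + TimeUnit.MINUTES.toMillis(10));
        Date tenMinutesAgo = new Date(now.getTime() - TimeUnit.MINUTES.toMillis(10));

        // Constructed sample claim sets; no real tokens are involved.
        JWTClaimsSet good = base(now, inTenMinutes).audience(List.of("other-api", MY_AUDIENCE)).build();
        Map<String, JWTClaimsSet> cases = new LinkedHashMap<>();
        cases.put("good (one of two audiences matches)", good);
        cases.put("issuer with trailing slash", new JWTClaimsSet.Builder(good).issuer(ISSUER + "/").build());
        cases.put("audience for another service", base(now, inTenMinutes).audience("someone-elses-api").build());
        cases.put("expired well beyond clock skew", base(tenMinutesAgo, tenMinutesAgo).audience(MY_AUDIENCE).build());
        cases.put("nbf in the future", new JWTClaimsSet.Builder(good).notBeforeTime(inTenMinutes).build());
        cases.put("no aud claim at all", base(now, inTenMinutes).build());

        Map<String, DefaultJWTClaimsVerifier<SecurityContext>> configs = new LinkedHashMap<>();
        configs.put("strict (all defaults required)", verifier(ISSUER, List.of(MY_AUDIENCE), List.of()));
        configs.put("aud optional, accepted list set", verifier(ISSUER, List.of(MY_AUDIENCE), List.of("aud")));

        configs.forEach((configName, v) -> {
            System.out.println("== " + configName);
            cases.forEach((caseName, claims) -> {
                String reason = check(v, claims);
                System.out.printf("  %-34s %s%n", caseName, reason == null ? "OK" : "REJECTED: " + reason);
            });
        });
    }
}
```

Two things worth noticing when running it: the issuer comparison is a plain string equality, so a trailing slash or http/https mismatch between the configured issuer and the token's iss claim is a rejection, and the only case whose verdict changes between the two configurations is the token with no aud claim at all; a token carrying a wrong audience is rejected under both. The constructors on this page take the same issuer, acceptedAudiences and optionalClaims, plus the JWKSource the validator uses to verify the signature before any of these claim checks matter.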

  • Constructor Details

    • DefaultConfigurableJwtValidator

      public DefaultConfigurableJwtValidator(String issuer, List<String> acceptedAudiences, com.nimbusds.jose.jwk.source.JWKSource<com.nimbusds.jose.proc.SecurityContext> jwkSource)
    • DefaultConfigurableJwtValidator

      public DefaultConfigurableJwtValidator(String issuer, List<String> acceptedAudiences, List<String> optionalClaims, com.nimbusds.jose.jwk.source.JWKSource<com.nimbusds.jose.proc.SecurityContext> jwkSource)
  • Method Details