Class ValidateTokenClaims
- java.lang.Object
  - net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
    - org.opensaml.profile.action.AbstractProfileAction
      - org.opensaml.profile.action.AbstractConditionalProfileAction
        - net.shibboleth.idp.profile.AbstractProfileAction
          - net.shibboleth.idp.authn.AbstractAuthenticationAction
            - net.shibboleth.idp.plugin.authn.duo.AbstractDuoAuthenticationAction
              - net.shibboleth.idp.plugin.authn.duo.impl.ValidateTokenClaims

All Implemented Interfaces:
Component, DestructableComponent, InitializableComponent, ProfileAction, Aware, MessageSource, MessageSourceAware, Action
public class ValidateTokenClaims extends AbstractDuoAuthenticationAction

Action that validates the claims of the Duo id_token using the supplied claims validator. The verifier must be thread-safe and validate the claims set against the OpenID Connect Core 1.0 section 3.1.3.7 specification and those required by Duo.

Event:
- EventIds.PROCEED_EVENT_ID
- AuthnEventIds.AUTHN_EXCEPTION
- AuthnEventIds.NO_CREDENTIALS

Precondition:
- ProfileRequestContext.getSubcontext(AuthenticationContext.class, false) != null
- AuthenticationContext.getSubcontext(DuoOIDCAuthenticationContext.class, false) != null
- DuoOIDCAuthenticationContext.getAuthToken() != null
- DuoOIDCAuthenticationContext.getIntegration() != null
Nested Class Summary
- static class ValidateTokenClaims.DuoOIDAuthenticationContextCleanupHook: A cleanup hook that removes the 'nonce' parameter from the DuoOIDCAuthenticationContext so that it cannot be reused.
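The claim checks that OpenID Connect Core 1.0 section 3.1.3.7 places on an id_token, combined with clearing the nonce afterwards as the cleanup hook does, shown as an added example in plain JDK Java; it is not the plugin's code and does not use its JWTClaimsValidation API. The class and method names, the clock-skew and maximum-age values, and the sample claims are assumptions constructed for illustration, and the additional claims Duo requires are not listed on this page and are not shown.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.List;
import java.util.Map;

// Added illustration with hypothetical names; not the plugin's classes or its validator.
public class IdTokenClaimsCheck {

    /** Stand-in for the per-request context holding the nonce sent in the auth request. */
    static final class Ctx {
        String nonce;
        Ctx(String nonce) { this.nonce = nonce; }
    }

    /** Returns null if the claims pass, otherwise the reason they were rejected. */
    static String check(Map<String, Object> claims, String issuer, String clientId,
                        Ctx ctx, Instant now, Duration skew, Duration maxAge) {
        try {
            if (!issuer.equals(claims.get("iss"))) return "iss mismatch";
            Object aud = claims.get("aud"); // a single string or an array of strings
            if (aud == null) return "aud missing";
            List<?> auds = aud instanceof List ? (List<?>) aud : List.of(aud);
            if (!auds.contains(clientId)) return "client_id not in aud";
            if (!(claims.get("exp") instanceof Number) || !(claims.get("iat") instanceof Number))
                return "exp or iat missing";
            Instant exp = Instant.ofEpochSecond(((Number) claims.get("exp")).longValue());
            Instant iat = Instant.ofEpochSecond(((Number) claims.get("iat")).longValue());
            if (!now.isBefore(exp.plus(skew))) return "expired";
            if (iat.isAfter(now.plus(skew))) return "issued in the future";
            if (iat.isBefore(now.minus(maxAge))) return "issued too long ago";
            if (ctx.nonce == null || !ctx.nonce.equals(claims.get("nonce"))) return "nonce mismatch";
            return null;
        } finally {
            ctx.nonce = null; // runs on success and on failure: the nonce is single-use
        }
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2024-01-01T12:00:00Z"); // all sample values are constructed
        long t = now.getEpochSecond();
        String iss = "https://issuer.example.invalid", client = "CLIENT123";
        Map<String, Object> claims = Map.of("iss", iss, "aud", client,
                "exp", t + 300, "iat", t - 5, "nonce", "sample-nonce-1");
        Ctx ctx = new Ctx("sample-nonce-1");
        Duration skew = Duration.ofSeconds(60), maxAge = Duration.ofMinutes(5);
        System.out.println(check(claims, iss, client, ctx, now, skew, maxAge));
        // Presenting the same token again against the same context: the nonce was cleared.
        System.out.println(check(claims, iss, client, ctx, now, skew, maxAge));
    }
}
```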
Field Summary
- private com.nimbusds.jwt.JWTClaimsSet claimsSet: The parsed claims set.
- private net.shibboleth.oidc.jwt.claims.JWTClaimsValidation claimsValidator: The JWT claims validator used to verify the claims set.
- private Consumer<ProfileRequestContext> cleanupHook: A cleanup hook to execute after either a successful or unsuccessful claims validation.
- private org.slf4j.Logger log: Class logger.
Constructor Summary
- ValidateTokenClaims()
Method Summary
- protected void doExecute(ProfileRequestContext profileRequestContext, net.shibboleth.idp.authn.context.AuthenticationContext authenticationContext, DuoOIDCAuthenticationContext duoContext)
- protected void doInitialize()
- protected boolean doPreExecute(ProfileRequestContext profileRequestContext, net.shibboleth.idp.authn.context.AuthenticationContext authenticationContext, DuoOIDCAuthenticationContext duoContext)
- void setClaimsValidator(net.shibboleth.oidc.jwt.claims.JWTClaimsValidation validator): Set the JWT claims verifier to use.
- void setCleanupHook(Consumer<ProfileRequestContext> hook): Set the cleanup hook to execute after either a successful or unsuccessful claims validation.
Methods inherited from class net.shibboleth.idp.plugin.authn.duo.AbstractDuoAuthenticationAction
doExecute, doPreExecute, setDuoContextLookupStrategy

Methods inherited from class net.shibboleth.idp.authn.AbstractAuthenticationAction
doExecute, doPreExecute, setAuthenticationContextLookupStrategy

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction
doExecute, execute, getMessage, getMessage, getMessage, getProfileContextLookupStrategy, getRequestContext, getResult, setMessageSource, setProfileContextLookupStrategy

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction
getActivationCondition, setActivationCondition

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction
doPostExecute, doPostExecute, execute, getHttpServletRequest, getHttpServletResponse, getLogPrefix, setHttpServletRequest, setHttpServletResponse

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
destroy, doDestroy, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent
initialize, isInitialized
Field Detail

log
@Nonnull private final org.slf4j.Logger log
Class logger.

claimsSet
@Nullable private com.nimbusds.jwt.JWTClaimsSet claimsSet
The parsed claims set.

cleanupHook
@Nullable private Consumer<ProfileRequestContext> cleanupHook
A cleanup hook to execute after either a successful or unsuccessful claims validation.

claimsValidator
@NonnullAfterInit private net.shibboleth.oidc.jwt.claims.JWTClaimsValidation claimsValidator
The JWT claims validator used to verify the claims set.
Method Detail

doInitialize
protected void doInitialize() throws ComponentInitializationException
- Overrides: doInitialize in class AbstractInitializableComponent
- Throws: ComponentInitializationException

setCleanupHook
public void setCleanupHook(@Nullable Consumer<ProfileRequestContext> hook)
Set the cleanup hook to execute after either a successful or unsuccessful claims validation.
- Parameters: hook - cleanup hook

setClaimsValidator
public void setClaimsValidator(@Nonnull net.shibboleth.oidc.jwt.claims.JWTClaimsValidation validator)
Set the JWT claims verifier to use.
- Parameters: validator - the claims validator.

doPreExecute
protected boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull net.shibboleth.idp.authn.context.AuthenticationContext authenticationContext, @Nonnull DuoOIDCAuthenticationContext duoContext)
- Overrides: doPreExecute in class AbstractDuoAuthenticationAction

doExecute
protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull net.shibboleth.idp.authn.context.AuthenticationContext authenticationContext, @Nonnull DuoOIDCAuthenticationContext duoContext)
- Overrides: doExecute in class AbstractDuoAuthenticationAction