Class JWTCredentialValidator

- java.lang.Object
  - net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
    - net.shibboleth.utilities.java.support.component.AbstractIdentifiedInitializableComponent
      - net.shibboleth.idp.authn.AbstractCredentialValidator
        - net.shibboleth.idp.plugin.oidc.op.authn.impl.JWTCredentialValidator

All Implemented Interfaces:
net.shibboleth.idp.authn.CredentialValidator, net.shibboleth.idp.authn.principal.PrincipalSupportingComponent, Component, DestructableComponent, IdentifiableComponent, IdentifiedComponent, InitializableComponent

@ThreadSafeAfterInit
public class JWTCredentialValidator extends net.shibboleth.idp.authn.AbstractCredentialValidator

A validator that handles authentication via signed JWT. For now, implemented via Nimbus APIs.
TODO: there will be additional validation checks added once implemented on the older branch
-
-
Field Summary
- private Function<ProfileRequestContext,net.shibboleth.oidc.jwt.claims.ClaimsValidator> claimsValidatorLookupStrategy
  Strategy used to obtain ClaimsValidator.
- private Function<ProfileRequestContext,net.shibboleth.oidc.authn.context.OAuth2ClientAuthenticationContext> clientAuthContextLookupStrategy
  Strategy that will return OAuth2ClientAuthenticationContext.
- private org.slf4j.Logger log
  Class logger.
- private boolean saveTokenToCredentialSet
  Whether to save the JWT in the Java Subject's public credentials.
- private Function<ProfileRequestContext,SecurityParametersContext> securityParametersLookupStrategy
  Strategy used to locate the SecurityParametersContext to use for verification.
-
Constructor Summary
- JWTCredentialValidator()
  Constructor.
-
Method Summary
- protected Subject doValidate(ProfileRequestContext profileRequestContext, net.shibboleth.idp.authn.context.AuthenticationContext authenticationContext, net.shibboleth.idp.authn.CredentialValidator.WarningHandler warningHandler, net.shibboleth.idp.authn.CredentialValidator.ErrorHandler errorHandler)
- protected Subject populateSubject(com.nimbusds.oauth2.sdk.id.ClientID clientId, com.nimbusds.jwt.SignedJWT token)
  Builds a subject with "standard" content from the validation.
- void setClaimsValidatorLookupStrategy(Function<ProfileRequestContext,net.shibboleth.oidc.jwt.claims.ClaimsValidator> strategy)
  Set the strategy used to locate the ClaimsValidator used.
- void setOAuth2ClientAuthenticationLookupStrategy(Function<ProfileRequestContext,net.shibboleth.oidc.authn.context.OAuth2ClientAuthenticationContext> strategy)
  Set the strategy used to return the OAuth2ClientAuthenticationContext.
- void setSaveTokenToCredentialSet(boolean flag)
  Set whether to save the JWT in the Java Subject's public credentials.
- void setSecurityParametersLookupStrategy(Function<ProfileRequestContext,SecurityParametersContext> strategy)
  Set the strategy used to locate the SecurityParametersContext to use.
- protected void validateJWTClaims(ProfileRequestContext profileRequestContext, com.nimbusds.jwt.SignedJWT jwt, com.nimbusds.oauth2.sdk.id.ClientID clientId)
  Validates the contents of the given JWT against the requirements set in the OIDC core specification section 9.
Methods inherited from class net.shibboleth.idp.authn.AbstractCredentialValidator
getLogPrefix, getSupportedPrincipals, isAcceptable, populateSubject, setActivationCondition, setId, setSupportedPrincipals, validate
-
Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractIdentifiedInitializableComponent
doInitialize, getId
-
Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
destroy, doDestroy, initialize, isDestroyed, isInitialized
-
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
-
Methods inherited from interface net.shibboleth.utilities.java.support.component.IdentifiedComponent
getId
-
Field Detail
-
log
@Nonnull private final org.slf4j.Logger log
Class logger.
-
clientAuthContextLookupStrategy
@Nonnull private Function<ProfileRequestContext,net.shibboleth.oidc.authn.context.OAuth2ClientAuthenticationContext> clientAuthContextLookupStrategy
Strategy that will return OAuth2ClientAuthenticationContext.
-
securityParametersLookupStrategy
@Nonnull private Function<ProfileRequestContext,SecurityParametersContext> securityParametersLookupStrategy
Strategy used to locate the SecurityParametersContext to use for verification.
-
claimsValidatorLookupStrategy
@Nonnull private Function<ProfileRequestContext,net.shibboleth.oidc.jwt.claims.ClaimsValidator> claimsValidatorLookupStrategy
Strategy used to obtain ClaimsValidator.
-
saveTokenToCredentialSet
private boolean saveTokenToCredentialSet
Whether to save the JWT in the Java Subject's public credentials.
-
Method Detail
-
setOAuth2ClientAuthenticationLookupStrategy
public void setOAuth2ClientAuthenticationLookupStrategy(@Nonnull Function<ProfileRequestContext,net.shibboleth.oidc.authn.context.OAuth2ClientAuthenticationContext> strategy)
Set the strategy used to return the OAuth2ClientAuthenticationContext.
- Parameters:
strategy - lookup strategy
-
setSecurityParametersLookupStrategy
public void setSecurityParametersLookupStrategy(@Nonnull Function<ProfileRequestContext,SecurityParametersContext> strategy)
Set the strategy used to locate the SecurityParametersContext to use.
- Parameters:
strategy - lookup strategy
-
setClaimsValidatorLookupStrategy
public void setClaimsValidatorLookupStrategy(@Nonnull Function<ProfileRequestContext,net.shibboleth.oidc.jwt.claims.ClaimsValidator> strategy)
Set the strategy used to locate the ClaimsValidator used.
- Parameters:
strategy - lookup strategy
-
setSaveTokenToCredentialSet
public void setSaveTokenToCredentialSet(boolean flag)
Set whether to save the JWT in the Java Subject's public credentials. Defaults to true.
- Parameters:
flag - flag to set
-
doValidate
@Nullable protected Subject doValidate(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull net.shibboleth.idp.authn.context.AuthenticationContext authenticationContext, @Nullable net.shibboleth.idp.authn.CredentialValidator.WarningHandler warningHandler, @Nullable net.shibboleth.idp.authn.CredentialValidator.ErrorHandler errorHandler) throws Exception
- Specified by:
doValidate in class net.shibboleth.idp.authn.AbstractCredentialValidator
- Throws:
Exception
-
validateJWTClaims
protected void validateJWTClaims(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull com.nimbusds.jwt.SignedJWT jwt, @Nonnull com.nimbusds.oauth2.sdk.id.ClientID clientId) throws ParseException, net.shibboleth.oidc.jwt.claims.JWTValidationException
Validates the contents of the given JWT against the requirements set in the OIDC core specification section 9.
- Parameters:
jwt - JWT to be validated
clientId - client ID the JWT is coming from
profileRequestContext - profile request context
- Throws:
ParseException - if unable to parse the claim set
net.shibboleth.oidc.jwt.claims.JWTValidationException - if the claims fail to validate
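The section 9 requirements that validateJWTClaims enforces, shown as an added example written for this page against the Nimbus APIs the class description mentions. This is not the plugin's own code: the client ID, token endpoint URL, key pair, skew tolerance and in-memory jti cache are all constructed for the demonstration.

```java
import java.net.URI;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;
import java.util.List;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

/**
 * Added example, not code from the Shibboleth OIDC OP plugin: the OIDC Core section 9
 * checks for a private_key_jwt client assertion, written against the Nimbus API.
 */
public final class ClientAssertionCheck {
    /** Hypothetical replay cache for jti values; a real deployment needs a shared, expiring one. */
    private static final Set<String> SEEN_JTI = ConcurrentHashMap.newKeySet();
    /** Clock skew tolerance in milliseconds (an assumption for the example). */
    private static final long SKEW_MS = 60_000L;

    /** Verifies the signature and the section 9 claim requirements; throws on any failure. */
    public static JWTClaimsSet validate(final SignedJWT jwt, final String clientId,
            final URI tokenEndpoint, final RSAPublicKey clientKey) throws Exception {
        // Pin the algorithm family before verifying: the registered key is RSA, so an HMAC
        // or "none" header is rejected instead of being allowed to choose the verifier.
        if (!JWSAlgorithm.Family.RSA.contains(jwt.getHeader().getAlgorithm())) {
            throw new Exception("unexpected alg " + jwt.getHeader().getAlgorithm());
        }
        if (!jwt.verify(new RSASSAVerifier(clientKey))) {
            throw new Exception("signature verification failed");
        }
        final JWTClaimsSet claims = jwt.getJWTClaimsSet();
        final long now = System.currentTimeMillis();
        // iss and sub MUST both be the client_id of the authenticating client.
        if (!clientId.equals(claims.getIssuer()) || !clientId.equals(claims.getSubject())) {
            throw new Exception("iss/sub do not match client_id");
        }
        // aud MUST identify this authorization server; the token endpoint URL is the expected value.
        final List<String> aud = claims.getAudience();
        if (aud == null || !aud.contains(tokenEndpoint.toString())) {
            throw new Exception("aud does not contain the token endpoint");
        }
        // exp is REQUIRED and must still be in the future, allowing a little skew.
        final Date exp = claims.getExpirationTime();
        if (exp == null || exp.getTime() + SKEW_MS < now) {
            throw new Exception("assertion missing exp or expired");
        }
        // jti is REQUIRED; the server MAY reject reuse, and this example does.
        final String jti = claims.getJWTID();
        if (jti == null || jti.isEmpty() || !SEEN_JTI.add(jti)) {
            throw new Exception("assertion missing jti or already presented");
        }
        return claims;
    }

    /** Builds a constructed client assertion so the example runs offline. */
    static SignedJWT buildAssertion(final String clientId, final URI tokenEndpoint,
            final RSAPrivateKey key) throws JOSEException {
        final JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .issuer(clientId).subject(clientId)
                .audience(tokenEndpoint.toString())
                .issueTime(new Date())
                .expirationTime(new Date(System.currentTimeMillis() + SKEW_MS))
                .jwtID(UUID.randomUUID().toString())
                .build();
        final SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claims);
        jwt.sign(new RSASSASigner(key));
        return jwt;
    }

    public static void main(final String[] args) throws Exception {
        final KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        final KeyPair pair = gen.generateKeyPair();
        final String clientId = "demo-client";                                // constructed
        final URI tokenEndpoint = URI.create("https://op.example.org/token"); // constructed
        final String wire = buildAssertion(clientId, tokenEndpoint,
                (RSAPrivateKey) pair.getPrivate()).serialize();
        // Parse from the wire form, as a token endpoint would, then validate.
        validate(SignedJWT.parse(wire), clientId, tokenEndpoint, (RSAPublicKey) pair.getPublic());
        System.out.println("first presentation accepted");
        try { // Presenting the same assertion again must fail on the jti check.
            validate(SignedJWT.parse(wire), clientId, tokenEndpoint, (RSAPublicKey) pair.getPublic());
        } catch (Exception e) {
            System.out.println("replay rejected: " + e.getMessage());
        }
    }
}
```

The order matters: the algorithm family is pinned from the registered key before the signature is checked, so the header cannot steer verification toward a weaker verifier, and every claim check throws rather than returning false, so a caller cannot proceed on a partially validated assertion. In the plugin the key material comes from the SecurityParametersContext and the claim rules from the ClaimsValidator located by the configured lookup strategies rather than from hard-coded arguments as here.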
-
populateSubject
@Nonnull protected Subject populateSubject(@Nonnull @NotEmpty com.nimbusds.oauth2.sdk.id.ClientID clientId, @Nonnull com.nimbusds.jwt.SignedJWT token)
Builds a subject with "standard" content from the validation.
- Parameters:
clientId - client ID
token - the token validated
- Returns:
the decorated subject
-