Class OIDCClientInformationSignatureValidationParametersResolver
java.lang.Object
  org.opensaml.xmlsec.impl.AbstractSecurityParametersResolver<SignatureSigningParameters>
    org.opensaml.xmlsec.impl.BasicSignatureSigningParametersResolver
      net.shibboleth.idp.plugin.oidc.op.security.impl.OIDCClientInformationSignatureValidationParametersResolver

All Implemented Interfaces:
Resolver<SignatureSigningParameters,CriteriaSet>, SignatureSigningParametersResolver
public class OIDCClientInformationSignatureValidationParametersResolver extends BasicSignatureSigningParametersResolver
A specialization of BasicSignatureSigningParametersResolver which supports selecting signature validation credentials based on client registration data. Although the result is a SignatureSigningParameters object, the credential it carries is the one used to validate a signature produced by the client (a request object or a token endpoint authentication JWT), not to create one. If the resolver fails to resolve credentials from the registration data, it leaves the job to the superclass method.

In addition to the Criterion inputs documented in BasicSignatureSigningParametersResolver, the following inputs are also supported:
- ClientInformationCriterion - optional
Nested Class Summary
Modifier and Type | Class | Description
static class | OIDCClientInformationSignatureValidationParametersResolver.ParameterType | Whether to create parameters for request object signature validation or token endpoint JWT validation.
-
Field Summary
Modifier and Type | Field | Description
private Duration | keyFetchInterval | The remote key refresh interval.
private org.slf4j.Logger | log | Logger.
private net.shibboleth.oidc.jwk.RemoteJwkSetCache | remoteJwkSetCache | The cache for remote JWK key sets.
private OIDCClientInformationSignatureValidationParametersResolver.ParameterType | target | The type of validation.
-
Constructor Summary
Constructor | Description
OIDCClientInformationSignatureValidationParametersResolver() |
-
Method Summary
All Methods | Instance Methods | Concrete Methods

Modifier and Type | Method | Description
private List<com.nimbusds.jose.JWSAlgorithm> | convertToJWSAlgorithmList(List<String> algorithms) | Convert algorithm string list to JWSAlgorithm list.
private boolean | curveMatchesESAlgorithm(com.nimbusds.jose.jwk.Curve curve, com.nimbusds.jose.JWSAlgorithm algorithm) | Helper to match ECKey curve to JWS algorithm ES256, ES384 and ES512.
protected void | resolveAndPopulateCredentialAndSignatureAlgorithm(SignatureSigningParameters params, CriteriaSet criteria, Predicate<String> whitelistBlacklistPredicate) |
SignatureSigningParameters | resolveSingle(CriteriaSet criteria) |
void | setKeyFetchInterval(Duration interval) | Set the remote key refresh interval.
void | setParameterType(OIDCClientInformationSignatureValidationParametersResolver.ParameterType value) | Whether to create parameters for request object signature validation or token endpoint JWT validation.
void | setRemoteJwkSetCache(net.shibboleth.oidc.jwk.RemoteJwkSetCache jwkSetCache) | Set the cache for remote JWK key sets.
protected boolean | validate(SignatureSigningParameters params) |
Methods inherited from class org.opensaml.xmlsec.impl.BasicSignatureSigningParametersResolver
credentialSupportsAlgorithm, getAlgorithmRegistry, getAlgorithmRuntimeSupportedPredicate, getEffectiveSignatureAlgorithms, getEffectiveSigningCredentials, getIncludeExcludePredicate, getWhitelistBlacklistPredicate, logResult, resolve, resolveCanonicalizationAlgorithm, resolveHMACOutputLength, resolveKeyInfoGenerator, resolveReferenceCanonicalizationAlgorithm, resolveReferenceDigestMethod, setAlgorithmRegistry
-
Methods inherited from class org.opensaml.xmlsec.impl.AbstractSecurityParametersResolver
lookupKeyInfoGenerator, resolveAndPopulateIncludesExcludes, resolveEffectiveExcludes, resolveEffectiveIncludes, resolveIncludeExcludePrecedence, resolveIncludeExcludePredicate
Field Detail
-
log
@Nonnull private org.slf4j.Logger log
Logger.
-
target
private OIDCClientInformationSignatureValidationParametersResolver.ParameterType target
The type of validation.
-
remoteJwkSetCache
private net.shibboleth.oidc.jwk.RemoteJwkSetCache remoteJwkSetCache
The cache for remote JWK key sets.
Method Detail
-
setParameterType
public void setParameterType(OIDCClientInformationSignatureValidationParametersResolver.ParameterType value)
Whether to create parameters for request object signature validation or token endpoint JWT validation.
Parameters:
value - whether to create parameters for request object signature validation or for token endpoint JWT validation (the two ParameterType alternatives).
-
setRemoteJwkSetCache
public void setRemoteJwkSetCache(net.shibboleth.oidc.jwk.RemoteJwkSetCache jwkSetCache)
Set the cache for remote JWK key sets.
Parameters:
jwkSetCache - What to set.
-
setKeyFetchInterval
public void setKeyFetchInterval(@Positive Duration interval)
Set the remote key refresh interval.
Parameters:
interval - What to set.
-
resolveSingle
@Nullable public SignatureSigningParameters resolveSingle(@Nonnull CriteriaSet criteria) throws ResolverException
Specified by:
resolveSingle in interface Resolver<SignatureSigningParameters,CriteriaSet>
Overrides:
resolveSingle in class BasicSignatureSigningParametersResolver
Throws:
ResolverException
-
curveMatchesESAlgorithm
private boolean curveMatchesESAlgorithm(com.nimbusds.jose.jwk.Curve curve, com.nimbusds.jose.JWSAlgorithm algorithm)
Helper to match ECKey curve to JWS algorithm ES256, ES384 and ES512.
Parameters:
curve - curve to match.
algorithm - algorithm to match.
Returns:
true if key curve matches algorithm, otherwise false.
-
resolveAndPopulateCredentialAndSignatureAlgorithm
protected void resolveAndPopulateCredentialAndSignatureAlgorithm(@Nonnull SignatureSigningParameters params, @Nonnull CriteriaSet criteria, @Nonnull Predicate<String> whitelistBlacklistPredicate)
Resolves the validation credential and signature algorithm from the client registration data supplied through ClientInformationCriterion and populates params with them; when no credential can be resolved that way, the superclass implementation is used instead.
-
convertToJWSAlgorithmList
private List<com.nimbusds.jose.JWSAlgorithm> convertToJWSAlgorithmList(List<String> algorithms)
Convert algorithm string list to JWSAlgorithm list.
Parameters:
algorithms - algorithm string list
Returns:
JWSAlgorithm list
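As an added example (not the plugin's Java code), the following stand-alone Python reimplements the key selection this class documents: the algorithm-name conversion of convertToJWSAlgorithmList, the curve check of curveMatchesESAlgorithm, and the per-client choice of validation keys from registration data that the class description and ParameterType describe. The ParameterType constant names, the client record layout, the fallback when no algorithm is registered, and the JWK set are assumptions made for this example.

```python
"""Selecting JWS validation keys from OIDC client registration data.

Added example, not the plugin's own code. ParameterType names, the client
record layout and the JWK set below are assumptions; the JWKs carry only
the metadata that drives selection, no key material.
"""

# JWS algorithms the converter accepts (RFC 7518, section 3.1). "none" is
# deliberately absent: an unsigned JWT must never pass validation.
JWS_ALGORITHMS = (
    "HS256", "HS384", "HS512",
    "RS256", "RS384", "RS512",
    "ES256", "ES384", "ES512",
    "PS256", "PS384", "PS512",
)

# Each ES algorithm binds exactly one curve. Note the irregular last pair:
# ES512 uses P-521, a frequent cause of key/algorithm mismatches.
ES_CURVES = {"ES256": "P-256", "ES384": "P-384", "ES512": "P-521"}


def convert_to_jws_algorithm_list(names):
    """Counterpart of convertToJWSAlgorithmList: keep known JWS algorithm
    names only, in the given order, without duplicates."""
    result = []
    for name in names:
        if name in JWS_ALGORITHMS and name not in result:
            result.append(name)
    return result


def curve_matches_es_algorithm(curve, algorithm):
    """Counterpart of curveMatchesESAlgorithm: True only when `curve` is
    the curve that ES256, ES384 or ES512 specifies."""
    return ES_CURVES.get(algorithm) == curve


def key_supports_algorithm(jwk, algorithm):
    """Can this registered JWK verify a signature made with `algorithm`?"""
    if jwk.get("use") == "enc":
        return False                      # encryption-only key, never verifies
    if "alg" in jwk and jwk["alg"] != algorithm:
        return False                      # key is pinned to another algorithm
    kty = jwk.get("kty")
    if algorithm.startswith(("RS", "PS")):
        return kty == "RSA"
    if algorithm.startswith("ES"):
        return kty == "EC" and curve_matches_es_algorithm(jwk.get("crv"), algorithm)
    if algorithm.startswith("HS"):
        return kty == "oct"               # symmetric secret (client_secret_jwt)
    return False


# Assumed ParameterType values and the registration field each one consults.
ALG_FIELD = {
    "REQUEST_OBJECT_VALIDATION": "request_object_signing_alg",
    "TOKEN_ENDPOINT_JWT_VALIDATION": "token_endpoint_auth_signing_alg",
}


def select_validation_keys(client, parameter_type):
    """Return (algorithm, kid) pairs usable to validate the given JWT type.
    An empty list is the case in which the resolver documents that it
    defers to the superclass implementation."""
    registered = client["metadata"].get(ALG_FIELD[parameter_type])
    if registered is None:
        # Nothing registered: accept any asymmetric algorithm (an assumption
        # for this example; the page does not state the fallback policy).
        candidates = [a for a in JWS_ALGORITHMS if not a.startswith("HS")]
    else:
        candidates = convert_to_jws_algorithm_list([registered])
    return [
        (alg, jwk.get("kid"))
        for alg in candidates
        for jwk in client.get("jwks", {}).get("keys", [])
        if key_supports_algorithm(jwk, alg)
    ]


# Constructed sample registration: one RP with EC and RSA keys. Public key
# parameters (x, y, n, e) are omitted because only metadata drives selection.
SAMPLE_CLIENT = {
    "client_id": "example-rp",
    "metadata": {
        "request_object_signing_alg": "ES384",
        "token_endpoint_auth_signing_alg": "RS256",
    },
    "jwks": {"keys": [
        {"kty": "EC", "crv": "P-256", "kid": "ec-256", "use": "sig"},
        {"kty": "EC", "crv": "P-384", "kid": "ec-384", "use": "sig"},
        {"kty": "RSA", "kid": "rsa-sig", "use": "sig"},
        {"kty": "RSA", "kid": "rsa-enc", "use": "enc"},
    ]},
}


if __name__ == "__main__":
    for ptype in ALG_FIELD:
        print(ptype, select_validation_keys(SAMPLE_CLIENT, ptype))
```

Running the block picks the P-384 key for request objects (ES384) and the signing-use RSA key for token endpoint JWTs (RS256); a client that registers ES512 while holding only P-256 and P-384 keys gets no validation key at all, which is exactly the mismatch the curve check exists to catch.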
-
validate
protected boolean validate(@Nonnull SignatureSigningParameters params)
Overrides:
validate in class BasicSignatureSigningParametersResolver