.setRequireSubject() .setExpectedIssuer(confService.getIssuer()) .setExpectedAudience(confService.getClientID()) .setVerificationKeyResolver(resolver) .build();
/**
 * Restricts verification to tokens whose "aud" claim contains {@code audience}.
 *
 * @param audience the audience value that must appear in the token's "aud" claim
 * @return this builder, for call chaining
 */
public JsonWebTokenVerificationBuilder expectingAudience(String audience) {
    // Delegate to the wrapped builder. Pinning the audience is what keeps a token
    // minted for a different client from being accepted by this verifier.
    this.builder.setExpectedAudience(audience);
    return this;
}
/**
 * <p>
 * Set the audience value(s) to use when validating the audience ("aud") claim of a JWT
 * and require that an audience claim be present.
 * Audience validation will succeed, if any one of the provided values is equal to any one
 * of the values of the "aud" claim in the JWT.
 * </p>
 * <p>
 * From <a href="http://tools.ietf.org/html/rfc7519#section-4.1.3">Section 4.1.3 of RFC 7519</a>:
 * The "aud" (audience) claim identifies the recipients that the JWT is
 * intended for. Each principal intended to process the JWT MUST
 * identify itself with a value in the audience claim. If the principal
 * processing the claim does not identify itself with a value in the
 * "aud" claim when this claim is present, then the JWT MUST be
 * rejected. In the general case, the "aud" value is an array of case-
 * sensitive strings, each containing a StringOrURI value. In the
 * special case when the JWT has one audience, the "aud" value MAY be a
 * single case-sensitive string containing a StringOrURI value. The
 * interpretation of audience values is generally application specific.
 * Use of this claim is OPTIONAL.
 * </p>
 * <p>Equivalent to calling {@link #setExpectedAudience(boolean, String...)} with {@code true} as the first argument.</p>
 *
 * @param audience the audience value(s) that identify valid recipient(s) of a JWT
 * @return the same JwtConsumerBuilder
 */
public JwtConsumerBuilder setExpectedAudience(String... audience) {
    // The single-argument form always makes the "aud" claim mandatory.
    final boolean requireAudienceClaim = true;
    return this.setExpectedAudience(requireAudienceClaim, audience);
}
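/**
 * Builds a {@code JwtConsumer} that verifies HMAC-signed tokens with the given shared secret.
 *
 * @param secret   shared HMAC secret, used as its raw UTF-8 bytes; must not be null
 * @param issuer   expected "iss" value; blank or null disables the issuer check
 * @param audience expected "aud" value; blank or null disables the audience check
 * @throws NullPointerException if {@code secret} is null
 */
public JWTVerifier(final String secret, final String issuer, final String audience) {
    // Fail early with a clear message instead of an NPE from secret.getBytes(...).
    if (secret == null) {
        throw new NullPointerException("secret must not be null");
    }
    final JwtConsumerBuilder builder = new JwtConsumerBuilder();
    if (StringUtils.isNotBlank(audience)) {
        builder.setExpectedAudience(audience);
    }
    if (StringUtils.isNotBlank(issuer)) {
        builder.setExpectedIssuer(issuer);
    }
    builder.setVerificationKey(new HmacKey(secret.getBytes(StandardCharsets.UTF_8)));
    builder.setAllowedClockSkewInSeconds(60);
    // Allow HMAC keys < 256 bits. NOTE(review): this waives jose4j's minimum key-length
    // check, so a short secret weakens the signature; prefer a secret of at least 32 bytes.
    // Also note that nothing here calls setRequireExpirationTime(), so a token without
    // an "exp" claim is not rejected on that ground — confirm that is intended.
    builder.setRelaxVerificationKeyValidation();
    consumer = builder.build();
}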
.setExpectedIssuer(oidcConfig.getIssuer()) .setVerificationKey(((RsaJsonWebKey)oidcConfig.getSigningKey()).getKey()) .setExpectedAudience(System.getenv("OIDC_AUDIENCE") != null ? System.getenv("OIDC_AUDIENCE") : System.getProperty("OIDC_AUDIENCE", "hobson-webconsole")) .build(); } catch (JoseException e) {
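/**
 * Verifies a JWT's signature and standard claims and extracts the user attributes it carries.
 *
 * @param jwt the compact-serialized token as received from the caller (untrusted input)
 * @return a map holding "userId", "clientId", "roles" and, when present, "host";
 *         null if no claims object was produced
 * @throws InvalidJwtException     if the signature, issuer, audience, subject or time-based
 *                                 claims fail validation
 * @throws MalformedClaimException if the "roles" claim is not a list of strings
 */
public static Map<String, Object> verifyJwt(String jwt) throws InvalidJwtException, MalformedClaimException {
    Map<String, Object> user = null;
    X509VerificationKeyResolver x509VerificationKeyResolver = new X509VerificationKeyResolver(certificate);
    // Without an x5t/x5t#S256 header the signature is tried against every configured certificate.
    x509VerificationKeyResolver.setTryAllOnNoThumbHeader(true);
    // The config value is in minutes; jose4j takes seconds. A missing config entry
    // still surfaces as an NPE on unboxing, as it did before.
    int clockSkewSeconds = ((Integer) config.get(CLOCK_SKEW_IN_MINUTE)) * 60;
    JwtConsumer jwtConsumer = new JwtConsumerBuilder()
            .setRequireExpirationTime()                       // the JWT must have an expiration time
            .setAllowedClockSkewInSeconds(clockSkewSeconds)   // leeway for clock skew in time-based claims
            .setRequireSubject()                              // the JWT must have a subject claim
            .setExpectedIssuer(issuer)
            .setExpectedAudience(audience)
            .setVerificationKeyResolver(x509VerificationKeyResolver) // verify the signature with the certificates
            .build();

    // Validate the JWT and process it to the Claims
    JwtClaims claims = jwtConsumer.processToClaims(jwt);
    if (claims != null) {
        user = new HashMap<>();
        user.put("userId", claims.getClaimValue("userId"));
        user.put("clientId", claims.getClaimValue("clientId"));
        // Typed list instead of the raw List the original declared.
        List<String> roles = claims.getStringListClaimValue("roles");
        user.put("roles", roles);
        Object host = claims.getClaimValue("host");
        if (host != null) {
            user.put("host", host);
        }
    }
    return user;
}
}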
/**
 * Creates a processor whose consumer resolves signing keys from {@code jwksUri} and
 * accepts only tokens carrying one of the given issuers and audiences.
 *
 * @param jwksUri         location of the JWKS document used to resolve verification keys
 * @param audiences       audience values, any one of which must appear in the "aud" claim
 * @param expectedIssuers issuer values, one of which must match the "iss" claim
 */
public Processor(final URI jwksUri, String[] audiences, String[] expectedIssuers) {
    // NOTE(review): jwksUri is passed through as-is; presumably an https URL — confirm at the call site.
    final HttpsJwks jwks = new HttpsJwks(jwksUri.toString());
    final HttpsJwksVerificationKeyResolver keyResolver = new HttpsJwksVerificationKeyResolver(jwks);

    final JwtConsumerBuilder builder = new JwtConsumerBuilder();
    builder.setVerificationKeyResolver(keyResolver);
    // Reserved claims iat, exp and sub are all mandatory.
    builder.setRequireIssuedAt();
    builder.setRequireExpirationTime();
    builder.setRequireSubject();
    // First argument: the "iss" claim itself is required, not just matched when present.
    builder.setExpectedIssuers(true, expectedIssuers);
    builder.setExpectedAudience(audiences);
    this.consumer = builder.build();
}
.setExpectedAudience(AUDIENCE) // to whom the JWT is intended for
.setAllowedClockSkewInSeconds(60) .setExpectedIssuer(issuer != null ? issuer : config.getIssuer()) .setExpectedAudience(audience != null ? audience : config.getAudience()) .setEvaluationTime(org.jose4j.jwt.NumericDate.now()) .setVerificationKey(publicKey)
.setAllowedClockSkewInSeconds(60) .setExpectedIssuer(issuer != null ? issuer : config.getIssuer()) .setExpectedAudience(audience != null ? audience : config.getAudience()) .setEvaluationTime(org.jose4j.jwt.NumericDate.now()) .setVerificationKey(publicKey)
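/**
 * Validates a JWT's signature and its exp/sub/iss/aud claims.
 *
 * @param token the compact-serialized token (untrusted input)
 * @return true if the token verifies and all required claims pass; false otherwise
 */
public static boolean validateToken(String token) {
    JwtConsumer jwtConsumer = new JwtConsumerBuilder()
            .setRequireExpirationTime()                 // the JWT must have an expiration time
            .setAllowedClockSkewInSeconds(30)           // leeway for clock skew in time-based claims
            .setRequireSubject()                        // the JWT must have a subject claim
            .setExpectedIssuer(ISSUER)                  // whom the JWT needs to have been issued by
            .setExpectedAudience(AUDIENCE)              // to whom the JWT is intended for
            .setVerificationKey(rsaJsonWebKey.getKey()) // verify the signature with the public key
            .build();
    try {
        // Validate the JWT and process it to the Claims. The returned claims are not
        // consumed yet (the original left TODOs for the expiration time and the
        // user name / ID), so the result is discarded rather than held in an unused local.
        jwtConsumer.processToClaims(token);
        return true;
    } catch (InvalidJwtException e) {
        // Thrown when the JWT failed processing or validation in any way, hopefully
        // with meaningful explanation(s) about what went wrong.
        System.out.println("Invalid JWT! " + e);
        return false;
    } catch (RuntimeException ex) {
        // processToClaims only declares InvalidJwtException, so anything else reaching
        // here is unchecked; it is reported and treated as an invalid token rather than propagated.
        ex.printStackTrace();
        return false;
    }
}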