JwtConsumer consumer = new JwtConsumerBuilder() .setSkipAllValidators() .setDisableRequireSignature() .setSkipSignatureVerification() .build(); JwtContext jwtContext = consumer.process(jwt); claims = jwtContext.getJwtClaims(); JsonWebStructure structure = jwtContext.getJoseObjects().get(0); throw new InvalidJwtException("MalformedClaimException", new ErrorCodeValidator.Error(ErrorCodes.MALFORMED_CLAIM, "Invalid ExpirationTime Format"), e, jwtContext); consumer = new JwtConsumerBuilder() .setRequireExpirationTime() .setAllowedClockSkewInSeconds(315360000) // use seconds of 10 years to skip expiration validation as we need skip it in some cases. .setSkipDefaultAudienceValidation() .setVerificationKeyResolver(x509VerificationKeyResolver) .build(); jwtContext = consumer.process(jwt); claims = jwtContext.getJwtClaims(); if(Boolean.TRUE.equals(enableJwtCache)) { cache.put(jwt, claims);
JwtConsumer jwtConsumer = new JwtConsumerBuilder() .setRequireExpirationTime() .setMaxFutureValidityInMinutes(confService.getMaxTokenValidity()) .setAllowedClockSkewInSeconds(confService.getAllowedClockSkew()) .setRequireSubject() .setExpectedIssuer(confService.getIssuer()) .setExpectedAudience(confService.getClientID()) .setVerificationKeyResolver(resolver) .build(); JwtClaims claims = jwtConsumer.processToClaims(token); logger.info("Rejected invalid OpenID token: {}", e.getMessage()); logger.debug("Invalid JWT received.", e);
public JwtClaims processToClaims(String jwt) throws InvalidJwtException { return process(jwt).getJwtClaims(); }
public JsonWebTokenVerificationBuilder requiringExpirationTime() { builder.setRequireExpirationTime(); return this; }
/** * Indicates the expected value of the issuer ("iss") claim and that the claim is required. * Equivalent to calling {@link #setExpectedIssuer(boolean, String)} with {@code true} as the first argument. * @param expectedIssuer the value that the issuer claim must have to pass validation, {@code null} means that any value is acceptable * @return the same JwtConsumerBuilder */ public JwtConsumerBuilder setExpectedIssuer(String expectedIssuer) { return setExpectedIssuer(true, expectedIssuer); }
/** * Require that a subject ("sub") claim be present in the JWT and that its value * match that of the provided subject. * The subject ("sub") claim is defined in <a href="http://tools.ietf.org/html/rfc7519#section-4.1.2">Section 4.1.2 of RFC 7519</a>. * * @param subject the required value of the subject claim. * @return the same JwtConsumerBuilder */ public JwtConsumerBuilder setExpectedSubject(String subject) { this.expectedSubject = subject; return setRequireSubject(); }
public JsonWebTokenVerificationBuilder expectingAudience(String audience) { builder.setExpectedAudience(audience); return this; }
/** * Set the key to be used for JWS signature/MAC verification. * @param verificationKey the verification key. * @return the same JwtConsumerBuilder */ public JwtConsumerBuilder setVerificationKey(Key verificationKey) { return setVerificationKeyResolver(new SimpleKeyResolver(verificationKey)); }
/** * Set the key to be used for JWE decryption. * @param decryptionKey the decryption key. * @return the same JwtConsumerBuilder */ public JwtConsumerBuilder setDecryptionKey(Key decryptionKey) { return setDecryptionKeyResolver(new SimpleKeyResolver(decryptionKey)); }
/** * Indicates whether or not the issuer ("iss") claim is required and optionally what the expected values can be. * @param requireIssuer true if issuer claim is required, false otherwise * @param expectedIssuers the values, one of which the issuer claim must match to pass validation, {@code null} means that any value is acceptable * @return the same JwtConsumerBuilder */ public JwtConsumerBuilder setExpectedIssuers(boolean requireIssuer, String... expectedIssuers) { issValidator = new IssValidator(requireIssuer, expectedIssuers); return this; }
/** * Require that the JWT contain an <a href="http://tools.ietf.org/html/rfc7519#section-4.1.4">expiration time ("exp") claim</a>. * The expiration time is always checked when present (unless explicitly disabled) but * calling this method strengthens the requirement such that a JWT without an expiration time * will not pass validation. * @return the same JwtConsumerBuilder */ public JwtConsumerBuilder setRequireExpirationTime() { dateClaimsValidator.setRequireExp(true); return this; }
/** * Require that the JWT contain an <a href="http://tools.ietf.org/html/rfc7519#section-4.1.5">not before ("nbf") claim</a>. * @return the same JwtConsumerBuilder */ public JwtConsumerBuilder setRequireNotBefore() { dateClaimsValidator.setRequireNbf(true); return this; }
/** * Set the time used to validate the expiration time, issued at time, and not before time claims. * If not set (or null), the current time will be used to validate the date claims. * @param evaluationTime the time with respect to which to validate the date claims. * @return the same JwtConsumerBuilder */ public JwtConsumerBuilder setEvaluationTime(NumericDate evaluationTime) { dateClaimsValidator.setEvaluationTime(evaluationTime); return this; }
/** * Require that the JWT contain an <a href="http://tools.ietf.org/html/rfc7519#section-4.1.6">issued at time ("iat") claim</a>. * @return the same JwtConsumerBuilder */ public JwtConsumerBuilder setRequireIssuedAt() { dateClaimsValidator.setRequireIat(true); return this; }
/** * Set the amount of clock skew to allow for when validate the expiration time, issued at time, and not before time claims. * @param secondsOfAllowedClockSkew the number of seconds of leniency in date comparisons * @return the same JwtConsumerBuilder */ public JwtConsumerBuilder setAllowedClockSkewInSeconds(int secondsOfAllowedClockSkew) { dateClaimsValidator.setAllowedClockSkewSeconds(secondsOfAllowedClockSkew); return this; }
/** * Set maximum on how far in the future the "exp" claim can be. * @param maxFutureValidityInMinutes how far is too far (in minutes) * @return the same JwtConsumerBuilder */ public JwtConsumerBuilder setMaxFutureValidityInMinutes(int maxFutureValidityInMinutes) { dateClaimsValidator.setMaxFutureValidityInMinutes(maxFutureValidityInMinutes); return this; }
/** * Indicates if the JWT was invalid because it had expired * (i.e. the expiration time "exp" claim identified a time in the past). * This is equivalent to calling * <code>hasErrorCode(ErrorCodes.EXPIRED)</code> * @return true if expiration is one of the reasons for the JWT being invalid and false otherwise */ public boolean hasExpired() { return hasErrorCode(ErrorCodes.EXPIRED); }
public JsonWebTokenVerificationBuilder expectingSubject(String subject) { builder.setExpectedSubject(subject); return this; }
/** * Indicates whether or not the issuer ("iss") claim is required and optionally what the expected value is. * @param requireIssuer true if issuer is required, false otherwise * @param expectedIssuer the value that the issuer claim must have to pass validation, {@code null} means that any value is acceptable * @return the same JwtConsumerBuilder */ public JwtConsumerBuilder setExpectedIssuer(boolean requireIssuer, String expectedIssuer) { issValidator = new IssValidator(expectedIssuer, requireIssuer); return this; }