@Requires(property="micronaut.security.authentication",value="idtoken") @Requires(property="micronaut.security.token.jwt.claims-validators.openid-idtoken",notEquals="false") @Singleton public class IdTokenClaimsValidator extends java.lang.Object implements GenericJwtClaimsValidator
The AuthenticationMode.IDTOKEN authentication mode performs the following checks, as described in the OpenID Connect Core specification (ID Token Validation). This validator covers only the issuer, audience and authorized-party checks listed below; it is active only when micronaut.security.authentication is set to idtoken, and it can be disabled entirely by setting micronaut.security.token.jwt.claims-validators.openid-idtoken to false, in which case none of the checks below are applied.
- The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery) MUST exactly match the value of the iss (issuer) Claim.
- The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer identified by the iss (issuer) Claim as an audience. The aud (audience) Claim MAY contain an array with more than one element. (The specification additionally requires rejecting an ID Token that lists audiences the Client does not trust; whether this implementation applies that stricter rule is not documented here.)
- If the ID Token contains multiple audiences, the Client SHOULD verify that an azp Claim is present.
- If an azp (authorized party) Claim is present, the Client SHOULD verify that its client_id is the Claim Value.
See also: ID Token Validation (OpenID Connect Core)
| Modifier and Type | Field and Description |
|---|---|
protected static java.lang.String |
AUTHORIZED_PARTY |
protected static org.slf4j.Logger |
LOG |
protected java.util.Collection<OauthClientConfiguration> |
oauthClientConfigurations |
PREFIX
| Constructor and Description |
|---|
IdTokenClaimsValidator(java.util.Collection<OauthClientConfiguration> oauthClientConfigurations) |
| Modifier and Type | Method and Description |
|---|---|
protected java.util.Optional<java.util.List<java.lang.String>> |
parseAudiences(JwtClaims claims) |
protected java.util.Optional<java.lang.String> |
parseAzpClaim(JwtClaims claims) |
protected java.util.Optional<java.lang.Object> |
parseClaim(JwtClaims claims,
java.lang.String claimName) |
protected java.util.Optional<java.util.List<java.lang.String>> |
parseClaimList(JwtClaims claims,
java.lang.String claimName) |
protected java.util.Optional<java.lang.String> |
parseClaimString(JwtClaims claims,
java.lang.String claimName) |
protected java.util.Optional<java.lang.String> |
parseIssuerClaim(JwtClaims claims) |
boolean |
validate(JwtClaims claims,
io.micronaut.http.HttpRequest<?> request) |
protected boolean |
validateAzp(JwtClaims claims,
java.lang.String clientId,
java.util.List<java.lang.String> audiences) |
protected boolean |
validateIssuerAudienceAndAzp(JwtClaims claims,
java.lang.String iss,
java.util.List<java.lang.String> audiences) |
protected boolean |
validateIssuerAudienceAndAzp(JwtClaims claims,
java.lang.String iss,
java.util.List<java.lang.String> audiences,
OauthClientConfiguration oauthClientConfiguration) |
protected boolean |
validateIssuerAudienceAndAzp(JwtClaims claims,
java.lang.String iss,
java.util.List<java.lang.String> audiences,
java.lang.String clientId,
OpenIdClientConfiguration openIdClientConfiguration) |
protected static final org.slf4j.Logger LOG
protected static final java.lang.String AUTHORIZED_PARTY
protected final java.util.Collection<OauthClientConfiguration> oauthClientConfigurations
public IdTokenClaimsValidator(java.util.Collection<OauthClientConfiguration> oauthClientConfigurations)
oauthClientConfigurations - OpenID client configurations
public boolean validate(@NonNull
JwtClaims claims,
@Nullable
io.micronaut.http.HttpRequest<?> request)
Specified by: validate in interface JwtClaimsValidator
claims - JWT Claims
request - HTTP request (may be null)
Returns: boolean validation result
protected java.util.Optional<java.lang.String> parseIssuerClaim(JwtClaims claims)
claims - JWT Claims
Returns: Optional holding the iss claim. If not found, an empty Optional is returned.
protected java.util.Optional<java.lang.Object> parseClaim(JwtClaims claims, java.lang.String claimName)
claims - JWT Claims
claimName - Claim Name
Returns: Optional holding the raw claim value. If not found, an empty Optional is returned.
protected java.util.Optional<java.lang.String> parseClaimString(JwtClaims claims, java.lang.String claimName)
claims - JWT Claims
claimName - Claim Name
Returns: Optional holding the claim as a String. If not found, an empty Optional is returned.
protected java.util.Optional<java.util.List<java.lang.String>> parseClaimList(JwtClaims claims, java.lang.String claimName)
claims - JWT Claims
claimName - Claim Name
Returns: Optional holding the claim as a list of strings. If not found, an empty Optional is returned.
protected java.util.Optional<java.util.List<java.lang.String>> parseAudiences(JwtClaims claims)
claims - JWT Claims
Returns: Optional holding the aud claim as a list of strings. If not found, an empty Optional is returned.
protected boolean validateIssuerAudienceAndAzp(@NonNull
JwtClaims claims,
@NonNull
java.lang.String iss,
@NonNull
java.util.List<java.lang.String> audiences)
claims - JWT Claims
iss - Issuer claim
audiences - aud claim as a list of strings
Returns: boolean validation result
protected boolean validateIssuerAudienceAndAzp(@NonNull
JwtClaims claims,
@NonNull
java.lang.String iss,
@NonNull
java.util.List<java.lang.String> audiences,
@NonNull
OauthClientConfiguration oauthClientConfiguration)
claims - JWT Claims
iss - Issuer claim
audiences - aud claim as a list of strings
oauthClientConfiguration - OAuth 2.0 client configuration
Returns: boolean validation result
protected boolean validateIssuerAudienceAndAzp(@NonNull
JwtClaims claims,
@NonNull
java.lang.String iss,
@NonNull
java.util.List<java.lang.String> audiences,
@NonNull
java.lang.String clientId,
@NonNull
OpenIdClientConfiguration openIdClientConfiguration)
claims - JWT Claims
iss - Issuer claim
audiences - aud claim as a list of strings
clientId - OAuth 2.0 client_id
openIdClientConfiguration - OpenID OAuth 2.0 client configuration
Returns: boolean validation result
protected java.util.Optional<java.lang.String> parseAzpClaim(JwtClaims claims)
claims - JWT Claims
Returns: Optional holding the azp (authorized party) claim. If not found, an empty Optional is returned.
protected boolean validateAzp(@NonNull
JwtClaims claims,
@NonNull
java.lang.String clientId,
@NonNull
java.util.List<java.lang.String> audiences)
claims - JWT Claims
clientId - OAuth 2.0 client ID
audiences - audiences specified in the JWT Claims
Returns: boolean validation result (per the class description, the azp check applies when the token carries multiple audiences or an azp claim is present)