Package io.micronaut.security.oauth2.client

Class IdTokenClaimsValidator

java.lang.Object
io.micronaut.security.oauth2.client.IdTokenClaimsValidator
All Implemented Interfaces:
GenericJwtClaimsValidator, JwtClaimsValidator
@Requires(property="micronaut.security.authentication",value="idtoken") @Requires(property="micronaut.security.token.jwt.claims-validators.openid-idtoken",notEquals="false") @Singleton public class IdTokenClaimsValidator extends Object implements GenericJwtClaimsValidator
For AuthenticationMode.IDTOKEN authentication mode performs the following verification as described in the OpenID Connect Spec. - The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery) MUST exactly match the value of the iss (issuer) Claim. - The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer identified by the iss (issuer) Claim as an audience. The aud (audience) Claim MAY contain an array with more than one element. - If the ID Token contains multiple audiences, the Client SHOULD verify that an azp Claim is present. - If an azp (authorized party) Claim is present, the Client SHOULD verify that its client_id is the Claim Value. * @see ID Token Validation
Since:
2.2.0
Author:
Sergio del Amo

  • Field Details

  • Constructor Details

    • IdTokenClaimsValidator

      public IdTokenClaimsValidator(Collection<OauthClientConfiguration> oauthClientConfigurations)
      Parameters:
      oauthClientConfigurations - OpenId client configurations

  • Method Details

    • validate

      public boolean validate(@NonNull JwtClaims claims, @Nullable io.micronaut.http.HttpRequest<?> request)
      Specified by:
      validate in interface JwtClaimsValidator
      Parameters:
      claims - JWT Claims
      request - HTTP request
      Returns:
      whether the JWT claims pass validation.

    • parseIssuerClaim

      protected Optional<String> parseIssuerClaim(JwtClaims claims)
      Parameters:
      claims - JWT Claims
      Returns:
      the iss claim value wrapped in an Optional. If not found, an empty Optional is returned.

    • parseClaim

      protected Optional<Object> parseClaim(JwtClaims claims, String claimName)
      Parameters:
      claims - JWT Claims
      claimName - Claim Name
      Returns:
      the claim value wrapped in an Optional. If not found, an empty Optional is returned.

    • parseClaimString

      protected Optional<String> parseClaimString(JwtClaims claims, String claimName)
      Parameters:
      claims - JWT Claims
      claimName - Claim Name
      Returns:
      the claim value as a String wrapped in an Optional. If not found, an empty Optional is returned.

    • parseClaimList

      protected Optional<List<String>> parseClaimList(JwtClaims claims, String claimName)
      Parameters:
      claims - JWT Claims
      claimName - Claim Name
      Returns:
      the claim value as a list of Strings wrapped in an Optional. If not found, an empty Optional is returned.

    • parseAudiences

      protected Optional<List<String>> parseAudiences(JwtClaims claims)
      Parameters:
      claims - JWT Claims
      Returns:
      the aud claim value a list of strings wrapped in an Optional. If not found, an empty Optional is returned.

    • validateIssuerAudienceAndAzp

      protected boolean validateIssuerAudienceAndAzp(@NonNull JwtClaims claims, @NonNull String iss, @NonNull List<String> audiences)
      Parameters:
      claims - JWT Claims
      iss - Issuer claim
      audiences - aud claim as a list of string
      Returns:
      true if an OAuth 2.0 client issuer matches the iss claim, any of the audiences in the aud claim matches the OAuth 2.0 client_id and for multiple audiencies the azp claim is present and matches OAuth 2.0 client_id

    • validateIssuerAudienceAndAzp

      protected boolean validateIssuerAudienceAndAzp(@NonNull JwtClaims claims, @NonNull String iss, @NonNull List<String> audiences, @NonNull OauthClientConfiguration oauthClientConfiguration)
      Parameters:
      claims - JWT Claims
      iss - Issuer claim
      audiences - aud claim as a list of string
      oauthClientConfiguration - OAuth 2.0 client configuration
      Returns:
      true if the OAuth 2.0 client OpenID issuer matches the iss claim, any of the audiences in the aud claim matches the OAuth 2.0 client_id and for multiple audiencies the azp claim is present and matches OAuth 2.0 client_id

    • validateIssuerAudienceAndAzp

      protected boolean validateIssuerAudienceAndAzp(@NonNull JwtClaims claims, @NonNull String iss, @NonNull List<String> audiences, @NonNull String clientId, @NonNull OpenIdClientConfiguration openIdClientConfiguration)
      Parameters:
      claims - JWT Claims
      iss - Issuer claim
      audiences - aud claim as a list of string
      clientId - OAuth 2.0 client_id
      openIdClientConfiguration - OpenID OAuth 2.0 client configuration
      Returns:
      true if the OAuth 2.0 client OpenID issuer matches the iss claim, any of the audiences in the aud claim matches the OAuth 2.0 client_id and for multiple audiencies the azp claim is present and matches OAuth 2.0 client_id

    • parseAzpClaim

      protected Optional<String> parseAzpClaim(JwtClaims claims)
      Parameters:
      claims - JWT Claims
      Returns:
      the azp claim value wrapped in an Optional. If not found, an empty Optional is returned.

    • validateAzp

      protected boolean validateAzp(@NonNull JwtClaims claims, @NonNull String clientId, @NonNull List<String> audiences)
      Parameters:
      claims - JWT Claims
      clientId - OAuth 2.0 client ID
      audiences - audiences specified in the JWT Claims
      Returns:
      true for single audiences, for multiple audiences returns true azp claim is present and matches OAuth 2.0 client_id