Class IdTokenClaimsValidator<T>
java.lang.Object
io.micronaut.security.oauth2.client.IdTokenClaimsValidator<T>
- Type Parameters:
T - request
- All Implemented Interfaces:
GenericJwtClaimsValidator<T>,JwtClaimsValidator<T>
@Requires(property="micronaut.security.authentication",value="idtoken") @Requires(property="micronaut.security.token.jwt.claims-validators.openid-idtoken",notEquals="false")
@Singleton
public class IdTokenClaimsValidator<T>
extends Object
implements GenericJwtClaimsValidator<T>
For the AuthenticationMode.IDTOKEN authentication mode, performs the following verifications on an ID Token, as described in the OpenID Connect Core spec (ID Token Validation). Note that these are claim checks only; the token's signature is verified separately, and the checks below assume the claims were read from an already signature-verified token.
- The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery) MUST exactly match the value of the iss (issuer) Claim.
- The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer identified by the iss (issuer) Claim as an audience. The aud (audience) Claim MAY contain an array with more than one element.
- If the ID Token contains multiple audiences, the Client SHOULD verify that an azp Claim is present.
- If an azp (authorized party) Claim is present, the Client SHOULD verify that its client_id is the Claim Value.
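The four rules above, and the validateAzp / validateIssuerAudienceAndAzp semantics documented further down this page, applied to a plain claims map. This is an added example written for this page, not Micronaut's own code: it uses no micronaut-security types, the class name IdTokenChecks, the RelyingParty record (a stand-in for the OpenID client configuration), and the issuer and client_id values are hypothetical, and the ID Token payloads are constructed inline. It assumes Java 17 (records and pattern-matching instanceof).

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Optional;

/**
 * Added example (not Micronaut's code): the iss / aud / azp checks from the
 * OpenID Connect ID Token Validation section, over a claims Map taken from
 * an ID Token whose signature has already been verified.
 */
public final class IdTokenChecks {

    /** Hypothetical stand-in for the OpenID client configuration (issuer + client_id). */
    public record RelyingParty(String issuer, String clientId) {}

    private IdTokenChecks() {}

    /** aud may be a single string or a JSON array; normalise both forms to a list. */
    static Optional<List<String>> audiences(Map<String, Object> claims) {
        Object aud = claims.get("aud");
        if (aud instanceof String s) {
            return Optional.of(List.of(s));
        }
        if (aud instanceof List<?> l) {
            List<String> out = new ArrayList<>();
            for (Object o : l) {
                if (!(o instanceof String s)) {
                    return Optional.empty(); // non-string audience entry: reject rather than guess
                }
                out.add(s);
            }
            return out.isEmpty() ? Optional.empty() : Optional.of(out);
        }
        return Optional.empty(); // aud missing or of an unexpected type
    }

    /** Rule 1: iss MUST exactly match the configured issuer (plain string equality, no normalisation). */
    static boolean matchesIssuer(RelyingParty rp, Map<String, Object> claims) {
        Object iss = claims.get("iss");
        return iss instanceof String s && s.equals(rp.issuer());
    }

    /** Rules 3 and 4: a single audience needs no azp; multiple audiences need azp == client_id. */
    static boolean validateAzp(RelyingParty rp, Map<String, Object> claims, List<String> audiences) {
        if (audiences.size() == 1) {
            return true;
        }
        Object azp = claims.get("azp");
        return azp instanceof String s && s.equals(rp.clientId());
    }

    /** Rule 2 plus the others: issuer matches, aud contains client_id, azp rule holds. */
    public static boolean validate(RelyingParty rp, Map<String, Object> claims) {
        if (!matchesIssuer(rp, claims)) {
            return false;
        }
        Optional<List<String>> aud = audiences(claims);
        if (aud.isEmpty() || !aud.get().contains(rp.clientId())) {
            return false;
        }
        return validateAzp(rp, claims, aud.get());
    }

    public static void main(String[] args) {
        // Hypothetical relying party; the values are constructed for this example.
        RelyingParty rp = new RelyingParty("https://issuer.example", "my-client");

        // Constructed sample ID Token payloads (signature assumed already verified).
        Map<String, Object> singleAud = Map.of("iss", "https://issuer.example", "aud", "my-client");
        Map<String, Object> multiNoAzp = Map.of("iss", "https://issuer.example",
                "aud", List.of("my-client", "other-client"));
        Map<String, Object> multiWithAzp = Map.of("iss", "https://issuer.example",
                "aud", List.of("my-client", "other-client"), "azp", "my-client");
        Map<String, Object> multiWrongAzp = Map.of("iss", "https://issuer.example",
                "aud", List.of("my-client", "other-client"), "azp", "other-client");
        // Trailing slash: not an exact issuer match, so rejected.
        Map<String, Object> issuerSlash = Map.of("iss", "https://issuer.example/", "aud", "my-client");
        // Token minted for another client; azp alone does not make it ours.
        Map<String, Object> notForUs = Map.of("iss", "https://issuer.example",
                "aud", List.of("other-client"), "azp", "my-client");

        System.out.println("single aud        : " + validate(rp, singleAud));     // true
        System.out.println("multi, no azp     : " + validate(rp, multiNoAzp));    // false
        System.out.println("multi, azp ok     : " + validate(rp, multiWithAzp));  // true
        System.out.println("multi, azp wrong  : " + validate(rp, multiWrongAzp)); // false
        System.out.println("issuer slash      : " + validate(rp, issuerSlash));   // false
        System.out.println("aud not ours      : " + validate(rp, notForUs));      // false
    }
}
```

The "multi, no azp" and "issuer slash" cases are the ones worth keeping in a test suite: a provider that adds a second audience without azp, or a discovery document whose issuer differs from the configured one by a trailing slash, is rejected by design, and loosening either check (normalising the issuer, or accepting multi-audience tokens without azp) lets an ID Token minted for another client be replayed against yours.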
- See Also:
- ID Token Validation (OpenID Connect Core)
- Since:
- 2.2.0
- Author:
- Sergio del Amo
Field Summary
Fields
Modifier and Type                                  Field
protected static final String                      AUTHORIZED_PARTY
protected static final org.slf4j.Logger            LOG
protected final Collection<OauthClientConfiguration>  oauthClientConfigurations

Constructor Summary
Constructors
IdTokenClaimsValidator(Collection<OauthClientConfiguration> oauthClientConfigurations)

Method Summary
Modifier and Type            Method
boolean                      validate(Claims claims, T request)
protected Optional<Boolean>  matchesIssuer(@NonNull OpenIdClientConfiguration openIdClientConfiguration, @NonNull String iss)
                             parseAudiences(Claims claims)
                             parseAzpClaim(Claims claims)
                             parseClaim(Claims claims, String claimName)
                             parseClaimList(Claims claims, String claimName)
                             parseClaimString(Claims claims, String claimName)
                             parseIssuerClaim(Claims claims)
protected boolean            validateAzp(@NonNull Claims claims, @NonNull String clientId, @NonNull List<String> audiences)
protected boolean            validateIssuerAudienceAndAzp(@NonNull Claims claims, @NonNull String iss, @NonNull List<String> audiences)
protected boolean            validateIssuerAudienceAndAzp(@NonNull Claims claims, @NonNull String iss, @NonNull List<String> audiences, @NonNull OauthClientConfiguration oauthClientConfiguration)
protected boolean            validateIssuerAudienceAndAzp(@NonNull Claims claims, @NonNull String iss, @NonNull List<String> audiences, @NonNull String clientId, @NonNull OpenIdClientConfiguration openIdClientConfiguration)
Field Details

LOG
protected static final org.slf4j.Logger LOG

AUTHORIZED_PARTY
protected static final String AUTHORIZED_PARTY

oauthClientConfigurations
protected final Collection<OauthClientConfiguration> oauthClientConfigurations

Constructor Details

IdTokenClaimsValidator
public IdTokenClaimsValidator(Collection<OauthClientConfiguration> oauthClientConfigurations)
- Parameters:
oauthClientConfigurations - OpenID client configurations
Method Details

validate
public boolean validate(Claims claims, T request)
- Specified by:
validate in interface JwtClaimsValidator<T>
- Parameters:
claims - JWT Claims
request - HTTP request
- Returns:
- whether the JWT claims pass validation.

parseIssuerClaim

parseClaim

parseClaimString

parseClaimList

parseAudiences
validateIssuerAudienceAndAzp
protected boolean validateIssuerAudienceAndAzp(@NonNull Claims claims, @NonNull String iss, @NonNull List<String> audiences)
- Parameters:
claims - JWT Claims
iss - Issuer claim
audiences - aud claim as a list of strings
- Returns:
- true if the OpenID issuer of a configured OAuth 2.0 client matches the iss claim, one of the audiences in the aud claim matches that client's client_id, and, when there are multiple audiences, the azp claim is present and matches the client_id

validateIssuerAudienceAndAzp
protected boolean validateIssuerAudienceAndAzp(@NonNull Claims claims, @NonNull String iss, @NonNull List<String> audiences, @NonNull OauthClientConfiguration oauthClientConfiguration)
- Parameters:
claims - JWT Claims
iss - Issuer claim
audiences - aud claim as a list of strings
oauthClientConfiguration - OAuth 2.0 client configuration
- Returns:
- true if the OAuth 2.0 client's OpenID issuer matches the iss claim, one of the audiences in the aud claim matches the client's client_id, and, when there are multiple audiences, the azp claim is present and matches the client_id

validateIssuerAudienceAndAzp
protected boolean validateIssuerAudienceAndAzp(@NonNull Claims claims, @NonNull String iss, @NonNull List<String> audiences, @NonNull String clientId, @NonNull OpenIdClientConfiguration openIdClientConfiguration)
- Parameters:
claims - JWT Claims
iss - Issuer claim
audiences - aud claim as a list of strings
clientId - OAuth 2.0 client_id
openIdClientConfiguration - OpenID OAuth 2.0 client configuration
- Returns:
- true if the OpenID client configuration's issuer matches the iss claim, one of the audiences in the aud claim matches clientId, and, when there are multiple audiences, the azp claim is present and matches clientId

matchesIssuer
@NonNull protected Optional<Boolean> matchesIssuer(@NonNull OpenIdClientConfiguration openIdClientConfiguration, @NonNull String iss)
- Parameters:
openIdClientConfiguration - OpenID OAuth 2.0 client configuration
iss - Issuer claim
- Returns:
- true wrapped in an Optional if the OpenID client configuration's issuer matches the iss claim (false if it does not); an empty Optional if the OpenID client configuration does not define an issuer, which callers should treat as "cannot verify", not as a match

parseAzpClaim

validateAzp
protected boolean validateAzp(@NonNull Claims claims, @NonNull String clientId, @NonNull List<String> audiences)
- Parameters:
claims - JWT Claims
clientId - OAuth 2.0 client ID
audiences - audiences specified in the JWT Claims
- Returns:
- true for a single audience; for multiple audiences, true only if the azp claim is present and matches the OAuth 2.0 client_id