Class IdTokenClaimsValidator<T>

java.lang.Object
io.micronaut.security.oauth2.client.IdTokenClaimsValidator<T>
Type Parameters:
T - request
All Implemented Interfaces:
GenericJwtClaimsValidator<T>, JwtClaimsValidator<T>

@Requires(property="micronaut.security.authentication", value="idtoken")
@Requires(property="micronaut.security.token.jwt.claims-validators.openid-idtoken", notEquals="false")
@Singleton
public class IdTokenClaimsValidator<T> extends Object implements GenericJwtClaimsValidator<T>
For AuthenticationMode.IDTOKEN authentication mode, performs the following verification as described in the OpenID Connect Spec:
- The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery) MUST exactly match the value of the iss (issuer) Claim.
- The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer identified by the iss (issuer) Claim as an audience. The aud (audience) Claim MAY contain an array with more than one element.
- If the ID Token contains multiple audiences, the Client SHOULD verify that an azp Claim is present.
- If an azp (authorized party) Claim is present, the Client SHOULD verify that its client_id is the Claim Value.
See Also:
ID Token Validation
Since:
2.2.0
Author:
Sergio del Amo
  • Constructor Details

    • IdTokenClaimsValidator

      public IdTokenClaimsValidator(Collection<OauthClientConfiguration> oauthClientConfigurations)
      Parameters:
      oauthClientConfigurations - OpenId client configurations
  • Method Details

    • validate

      public boolean validate(@NonNull Claims claims, @Nullable T request)
      Specified by:
      validate in interface JwtClaimsValidator<T>
      Parameters:
      claims - JWT Claims
      request - HTTP request
      Returns:
      whether the JWT claims pass validation.
    • parseIssuerClaim

      protected Optional<String> parseIssuerClaim(Claims claims)
      Parameters:
      claims - JWT Claims
      Returns:
      the iss claim value wrapped in an Optional. If not found, an empty Optional is returned.
    • parseClaim

      protected Optional<Object> parseClaim(Claims claims, String claimName)
      Parameters:
      claims - JWT Claims
      claimName - Claim Name
      Returns:
      the claim value wrapped in an Optional. If not found, an empty Optional is returned.
    • parseClaimString

      protected Optional<String> parseClaimString(Claims claims, String claimName)
      Parameters:
      claims - JWT Claims
      claimName - Claim Name
      Returns:
      the claim value as a String wrapped in an Optional. If not found, an empty Optional is returned.
    • parseClaimList

      protected Optional<List<String>> parseClaimList(Claims claims, String claimName)
      Parameters:
      claims - JWT Claims
      claimName - Claim Name
      Returns:
      the claim value as a list of Strings wrapped in an Optional. If not found, an empty Optional is returned.
    • parseAudiences

      protected Optional<List<String>> parseAudiences(Claims claims)
      Parameters:
      claims - JWT Claims
      Returns:
      the aud claim value as a list of strings wrapped in an Optional. If not found, an empty Optional is returned.
    • validateIssuerAudienceAndAzp

      protected boolean validateIssuerAudienceAndAzp(@NonNull Claims claims, @NonNull String iss, @NonNull List<String> audiences)
      Parameters:
      claims - JWT Claims
      iss - Issuer claim
      audiences - aud claim as a list of string
      Returns:
      true if the issuer of any configured OAuth 2.0 client matches the iss claim, one of the audiences in the aud claim matches that client's client_id and, for multiple audiences, the azp claim is present and matches that client_id
    • validateIssuerAudienceAndAzp

      protected boolean validateIssuerAudienceAndAzp(@NonNull Claims claims, @NonNull String iss, @NonNull List<String> audiences, @NonNull OauthClientConfiguration oauthClientConfiguration)
      Parameters:
      claims - JWT Claims
      iss - Issuer claim
      audiences - aud claim as a list of string
      oauthClientConfiguration - OAuth 2.0 client configuration
      Returns:
      true if the OpenID issuer of the given OAuth 2.0 client matches the iss claim, one of the audiences in the aud claim matches the client's client_id and, for multiple audiences, the azp claim is present and matches that client_id
    • validateIssuerAudienceAndAzp

      protected boolean validateIssuerAudienceAndAzp(@NonNull Claims claims, @NonNull String iss, @NonNull List<String> audiences, @NonNull String clientId, @NonNull OpenIdClientConfiguration openIdClientConfiguration)
      Parameters:
      claims - JWT Claims
      iss - Issuer claim
      audiences - aud claim as a list of string
      clientId - OAuth 2.0 client_id
      openIdClientConfiguration - OpenID OAuth 2.0 client configuration
      Returns:
      true if the OpenID issuer of the given client configuration matches the iss claim, one of the audiences in the aud claim matches clientId and, for multiple audiences, the azp claim is present and matches clientId
    • matchesIssuer

      @NonNull protected Optional<Boolean> matchesIssuer(@NonNull OpenIdClientConfiguration openIdClientConfiguration, @NonNull String iss)
      Parameters:
      openIdClientConfiguration - OpenID OAuth 2.0 client configuration
      iss - Issuer claim
      Returns:
      true wrapped in an Optional if the OpenID issuer of the client configuration matches the iss claim (false if it does not); an empty Optional if the OpenID client configuration does not define an issuer.
    • parseAzpClaim

      protected Optional<String> parseAzpClaim(Claims claims)
      Parameters:
      claims - JWT Claims
      Returns:
      the azp claim value wrapped in an Optional. If not found, an empty Optional is returned.
    • validateAzp

      protected boolean validateAzp(@NonNull Claims claims, @NonNull String clientId, @NonNull List<String> audiences)
      Parameters:
      claims - JWT Claims
      clientId - OAuth 2.0 client ID
      audiences - audiences specified in the JWT Claims
      Returns:
      true for a single audience; for multiple audiences, true only if the azp claim is present and matches the OAuth 2.0 client_id
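The iss, aud and azp rules from the class description, and the validateAzp / validateIssuerAudienceAndAzp contracts above, as an added stand-alone example. This is not Micronaut's code: claims are a plain Map instead of the Claims interface, the OpenIdClient record is a hypothetical stand-in for an OpenID client configuration plus its client_id, the method names merely mirror those documented on this page, and the token claim sets in main are constructed. It needs only the JDK (Java 16 or later, for records and pattern matching).

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.Optional;

// Added illustration of the ID Token checks documented for IdTokenClaimsValidator.
// Not Micronaut's implementation: no Claims interface, no configuration beans.
public final class IdTokenClaimsCheck {

    // Hypothetical stand-in for an OpenID client configuration and its client_id.
    record OpenIdClient(String issuer, String clientId) {}

    // Counterpart of parseAudiences: "aud" may be one string or an array of strings.
    static Optional<List<String>> parseAudiences(Map<String, Object> claims) {
        Object aud = claims.get("aud");
        if (aud instanceof String single) {
            return Optional.of(List.of(single));
        }
        if (aud instanceof Collection<?> many) {
            List<String> out = new ArrayList<>();
            for (Object entry : many) {
                if (!(entry instanceof String s)) {
                    return Optional.empty(); // a non-string audience entry is not a usable aud claim
                }
                out.add(s);
            }
            return out.isEmpty() ? Optional.empty() : Optional.of(out);
        }
        return Optional.empty();
    }

    // Counterpart of validateAzp: a single audience needs no azp; with several
    // audiences the azp claim must be present and equal to this client's client_id.
    static boolean validateAzp(Map<String, Object> claims, String clientId, List<String> audiences) {
        if (audiences.size() == 1) {
            return true;
        }
        return claims.get("azp") instanceof String azp && azp.equals(clientId);
    }

    // Counterpart of validateIssuerAudienceAndAzp for one client configuration:
    // exact issuer match, client_id contained in aud, then the azp rule.
    static boolean validateIssuerAudienceAndAzp(Map<String, Object> claims, String iss,
                                                List<String> audiences, OpenIdClient client) {
        if (!client.issuer().equals(iss)) {
            return false; // exact string comparison: a trailing slash is a different issuer
        }
        if (!audiences.contains(client.clientId())) {
            return false; // token was not issued for this client
        }
        return validateAzp(claims, client.clientId(), audiences);
    }

    // Counterpart of validate: the token passes if any configured client accepts it.
    static boolean validate(Map<String, Object> claims, Collection<OpenIdClient> clients) {
        if (!(claims.get("iss") instanceof String iss)) {
            return false; // missing or non-string iss claim
        }
        Optional<List<String>> audiences = parseAudiences(claims);
        if (audiences.isEmpty()) {
            return false; // missing or malformed aud claim
        }
        return clients.stream()
                .anyMatch(c -> validateIssuerAudienceAndAzp(claims, iss, audiences.get(), c));
    }

    public static void main(String[] args) {
        List<OpenIdClient> clients = List.of(new OpenIdClient("https://op.example", "my-client"));

        // Constructed claim sets, one per rule.
        Map<String, Object> singleAud = Map.of("iss", "https://op.example", "aud", "my-client");
        Map<String, Object> multiAudNoAzp = Map.of("iss", "https://op.example",
                "aud", List.of("my-client", "other-client"));
        Map<String, Object> multiAudWithAzp = Map.of("iss", "https://op.example",
                "aud", List.of("my-client", "other-client"), "azp", "my-client");
        Map<String, Object> multiAudWrongAzp = Map.of("iss", "https://op.example",
                "aud", List.of("my-client", "other-client"), "azp", "other-client");
        Map<String, Object> issuerMismatch = Map.of("iss", "https://op.example/", "aud", "my-client");
        Map<String, Object> notForUs = Map.of("iss", "https://op.example", "aud", "other-client");

        System.out.println("single audience:         " + validate(singleAud, clients));
        System.out.println("multi aud, no azp:       " + validate(multiAudNoAzp, clients));
        System.out.println("multi aud, azp matches:  " + validate(multiAudWithAzp, clients));
        System.out.println("multi aud, azp mismatch: " + validate(multiAudWrongAzp, clients));
        System.out.println("issuer trailing slash:   " + validate(issuerMismatch, clients));
        System.out.println("aud lacks our client_id: " + validate(notForUs, clients));
    }
}
```

Run it with `java IdTokenClaimsCheck.java`. Under the rules above only the single-audience token and the multi-audience token whose azp equals the client_id are accepted; the issuer comparison is deliberately an exact string match, which is why the trailing-slash variant is rejected, and a multi-audience token without azp is rejected rather than accepted on the strength of the aud match alone.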