@Requires(property="micronaut.security.authentication",value="idtoken") @Requires(property="micronaut.security.token.jwt.claims-validators.openid-idtoken",notEquals="false") @Singleton public class IdTokenClaimsValidator extends java.lang.Object implements GenericJwtClaimsValidator
In the `AuthenticationMode.IDTOKEN` authentication mode this validator performs the following ID Token verification steps, as described in the ID Token Validation section of the OpenID Connect Core specification. It covers only the `iss`, `aud` and `azp` claims: signature verification, expiry (`exp`) and `nonce` checking are not done by this class and must be ensured elsewhere in the validation chain. The validator is active only while `micronaut.security.token.jwt.claims-validators.openid-idtoken` is not `false`; setting that property to `false` removes the issuer, audience and authorized-party checks listed below, so an ID Token minted by another provider or for another client would no longer be rejected here.
- The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery) MUST exactly match the value of the iss (issuer) Claim.
- The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer identified by the iss (issuer) Claim as an audience. The aud (audience) Claim MAY contain an array with more than one element.
- If the ID Token contains multiple audiences, the Client SHOULD verify that an azp Claim is present.
- If an azp (authorized party) Claim is present, the Client SHOULD verify that its client_id is the Claim Value.
@see OpenID Connect Core, ID Token Validation

Modifier and Type | Field and Description |
---|---|
protected static java.lang.String |
AUTHORIZED_PARTY |
protected static org.slf4j.Logger |
LOG |
protected java.util.Collection<OauthClientConfiguration> |
oauthClientConfigurations |
PREFIX
Constructor and Description |
---|
IdTokenClaimsValidator(java.util.Collection<OauthClientConfiguration> oauthClientConfigurations) |
Modifier and Type | Method and Description |
---|---|
protected java.util.Optional<java.lang.Boolean> |
matchesIssuer(OpenIdClientConfiguration openIdClientConfiguration,
java.lang.String iss) |
protected java.util.Optional<java.util.List<java.lang.String>> |
parseAudiences(JwtClaims claims) |
protected java.util.Optional<java.lang.String> |
parseAzpClaim(JwtClaims claims) |
protected java.util.Optional<java.lang.Object> |
parseClaim(JwtClaims claims,
java.lang.String claimName) |
protected java.util.Optional<java.util.List<java.lang.String>> |
parseClaimList(JwtClaims claims,
java.lang.String claimName) |
protected java.util.Optional<java.lang.String> |
parseClaimString(JwtClaims claims,
java.lang.String claimName) |
protected java.util.Optional<java.lang.String> |
parseIssuerClaim(JwtClaims claims) |
boolean |
validate(JwtClaims claims,
io.micronaut.http.HttpRequest<?> request) |
protected boolean |
validateAzp(JwtClaims claims,
java.lang.String clientId,
java.util.List<java.lang.String> audiences) |
protected boolean |
validateIssuerAudienceAndAzp(JwtClaims claims,
java.lang.String iss,
java.util.List<java.lang.String> audiences) |
protected boolean |
validateIssuerAudienceAndAzp(JwtClaims claims,
java.lang.String iss,
java.util.List<java.lang.String> audiences,
OauthClientConfiguration oauthClientConfiguration) |
protected boolean |
validateIssuerAudienceAndAzp(JwtClaims claims,
java.lang.String iss,
java.util.List<java.lang.String> audiences,
java.lang.String clientId,
OpenIdClientConfiguration openIdClientConfiguration) |
protected static final org.slf4j.Logger LOG
protected static final java.lang.String AUTHORIZED_PARTY
protected final java.util.Collection<OauthClientConfiguration> oauthClientConfigurations
public IdTokenClaimsValidator(java.util.Collection<OauthClientConfiguration> oauthClientConfigurations)
oauthClientConfigurations
- OpenId client configurations

public boolean validate(@NonNull JwtClaims claims, @Nullable io.micronaut.http.HttpRequest<?> request)

Runs the issuer, audience and authorized-party checks described on the class against the supplied claims; the HTTP request may be null.
validate
in interface JwtClaimsValidator
claims
- JWT Claims
request
- HTTP request (may be null)

protected java.util.Optional<java.lang.String> parseIssuerClaim(JwtClaims claims)
claims
- JWT Claims
Returns: an Optional holding the iss (issuer) claim as a String. If not found, an empty Optional is returned.

protected java.util.Optional<java.lang.Object> parseClaim(JwtClaims claims, java.lang.String claimName)
claims
- JWT ClaimsclaimName
- Claim Name
Returns: an Optional holding the raw value of the claim named claimName. If not found, an empty Optional is returned.

protected java.util.Optional<java.lang.String> parseClaimString(JwtClaims claims, java.lang.String claimName)
claims
- JWT ClaimsclaimName
- Claim Name
Returns: an Optional holding the claim named claimName as a String. If not found, an empty Optional is returned.

protected java.util.Optional<java.util.List<java.lang.String>> parseClaimList(JwtClaims claims, java.lang.String claimName)
claims
- JWT ClaimsclaimName
- Claim Name
Returns: an Optional holding the claim named claimName as a list of Strings. If not found, an empty Optional is returned.

protected java.util.Optional<java.util.List<java.lang.String>> parseAudiences(JwtClaims claims)
claims
- JWT Claims
Returns: an Optional holding the aud (audience) claim as a list of Strings (presumably a single-valued aud is returned as a one-element list — confirm against the implementation). If not found, an empty Optional is returned.

protected boolean validateIssuerAudienceAndAzp(@NonNull JwtClaims claims, @NonNull java.lang.String iss, @NonNull java.util.List<java.lang.String> audiences)
claims
- JWT Claims
iss
- Issuer claim
audiences
- aud claim as a list of strings
Returns: true if the issuer, audience and authorized-party checks pass against the configured client configurations, false otherwise.

protected boolean validateIssuerAudienceAndAzp(@NonNull JwtClaims claims, @NonNull java.lang.String iss, @NonNull java.util.List<java.lang.String> audiences, @NonNull OauthClientConfiguration oauthClientConfiguration)
claims
- JWT Claims
iss
- Issuer claim
audiences
- aud claim as a list of strings
oauthClientConfiguration
- OAuth 2.0 client configuration
Returns: true if the issuer, audience and authorized-party checks pass for the given client configuration, false otherwise.

protected boolean validateIssuerAudienceAndAzp(@NonNull JwtClaims claims, @NonNull java.lang.String iss, @NonNull java.util.List<java.lang.String> audiences, @NonNull java.lang.String clientId, @NonNull OpenIdClientConfiguration openIdClientConfiguration)
claims
- JWT Claims
iss
- Issuer claim
audiences
- aud claim as a list of strings
clientId
- OAuth 2.0 client_id
openIdClientConfiguration
- OpenID OAuth 2.0 client configuration
Returns: true if the iss claim matches the configured issuer, the aud claim contains clientId and the azp rules hold; false otherwise.

@NonNull protected java.util.Optional<java.lang.Boolean> matchesIssuer(@NonNull OpenIdClientConfiguration openIdClientConfiguration, @NonNull java.lang.String iss)
iss
- Issuer claim
openIdClientConfiguration
- OpenID OAuth 2.0 client configuration
Returns: an Optional Boolean telling whether iss matches the issuer of the given client configuration. An empty Optional presumably means the configuration has no issuer to compare against — confirm how validateIssuerAudienceAndAzp treats that case; it should be handled as a failed match, not as a pass.

protected java.util.Optional<java.lang.String> parseAzpClaim(JwtClaims claims)
claims
- JWT Claims
Returns: an Optional holding the azp (authorized party) claim as a String. If not found, an empty Optional is returned.

protected boolean validateAzp(@NonNull JwtClaims claims, @NonNull java.lang.String clientId, @NonNull java.util.List<java.lang.String> audiences)
claims
- JWT Claims
clientId
- OAuth 2.0 client ID
audiences
- audiences specified in the JWT Claims
Returns: true when the authorized-party rules described on the class hold — with more than one audience an azp claim is expected, and whenever azp is present its value must equal clientId; false otherwise.