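/*
 * oauth2-oidc-sdk
 *
 * Copyright 2012-2021, Connect2id Ltd and contributors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
 * this file except in compliance with the License. You may obtain a copy of the
 * License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software distributed
 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 * CONDITIONS OF ANY KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations under the License.
 */

package com.nimbusds.oauth2.sdk.dpop.verifiers;


import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.dpop.JWKThumbprintConfirmation;
import com.nimbusds.oauth2.sdk.id.JWTID;
import com.nimbusds.oauth2.sdk.token.DPoPAccessToken;
import com.nimbusds.oauth2.sdk.util.singleuse.SingleUseChecker;
import com.nimbusds.openid.connect.sdk.Nonce;
import net.jcip.annotations.ThreadSafe;

import java.net.URI;
import java.util.Map;
import java.util.Objects;
import java.util.Set;


/**
 * DPoP proof JWT verifier for a protected resource.
 *
 * <p>At a protected resource the DPoP proof is mandatory: a {@code null}
 * proof is rejected with an {@link InvalidDPoPProofException}, and the
 * access token and its JWK SHA-256 thumbprint confirmation must both be
 * supplied. The actual proof, access token binding and thumbprint checks are
 * delegated to {@link DPoPCommonVerifier}.
 *
 * <p>This verifier only checks the proof and its binding to the access
 * token. The access token itself (signature, expiry, audience, scope, etc.)
 * must have been validated by the caller before it is passed in.
 */
@ThreadSafe
public class DPoPProtectedResourceRequestVerifier extends DPoPCommonVerifier {


	/**
	 * Creates a new DPoP proof JWT verifier for a protected resource.
	 *
	 * @param acceptedJWSAlgs     The accepted JWS algorithms. Must be
	 *                            supported and not {@code null}.
	 * @param maxClockSkewSeconds The maximum permitted DPoP proof "iat"
	 *                            clock skew, in seconds. A proof with
	 *                            "iat" in the future is accepted if it is
	 *                            within this skew tolerance. Intended to
	 *                            prevent rejections due to client and
	 *                            server system time differences.
	 * @param maxAgeSeconds       The maximum accepted DPoP proof "iat" age
	 *                            relative to the current system time, in
	 *                            seconds. Intended to limit replay by
	 *                            bounding how long a proof is valid after
	 *                            issue.
	 * @param singleUseChecker    The single use checker for the DPoP proof
	 *                            "jti" (JWT ID) claims, {@code null} if
	 *                            not specified. Without a checker a proof
	 *                            can be replayed for as long as the
	 *                            {@code maxAgeSeconds} window permits.
	 */
	public DPoPProtectedResourceRequestVerifier(final Set<JWSAlgorithm> acceptedJWSAlgs,
						    final long maxClockSkewSeconds,
						    final long maxAgeSeconds,
						    final SingleUseChecker<DPoPProofUse> singleUseChecker) {

		super(acceptedJWSAlgs, maxClockSkewSeconds, maxAgeSeconds, singleUseChecker);
	}


	/**
	 * Creates a new DPoP proof JWT verifier for a protected resource.
	 *
	 * @param acceptedJWSAlgs     The accepted JWS algorithms. Must be
	 *                            supported and not {@code null}.
	 * @param maxClockSkewSeconds The maximum permitted DPoP proof "iat"
	 *                            clock skew, in seconds. A proof with
	 *                            "iat" in the future is accepted if it is
	 *                            within this skew tolerance. Intended to
	 *                            prevent rejections due to client and
	 *                            server system time differences.
	 * @param singleUseChecker    The single use checker for the DPoP proof
	 *                            "jti" (JWT ID) claims, {@code null} if
	 *                            not specified.
	 *
	 * @deprecated Use
	 * {@link #DPoPProtectedResourceRequestVerifier(Set, long, long, SingleUseChecker)}
	 * which also bounds the accepted proof age via {@code maxAgeSeconds}.
	 * With this constructor the maximum proof age is whatever the
	 * superclass applies by default (not visible here).
	 */
	@Deprecated
	public DPoPProtectedResourceRequestVerifier(final Set<JWSAlgorithm> acceptedJWSAlgs,
						    final long maxClockSkewSeconds,
						    final SingleUseChecker<Map.Entry<DPoPIssuer, JWTID>> singleUseChecker) {

		super(acceptedJWSAlgs, maxClockSkewSeconds, singleUseChecker);
	}


	/**
	 * Verifies the specified DPoP proof and its access token and JWK
	 * SHA-256 thumbprint bindings, without requiring a DPoP nonce.
	 *
	 * @param method      The HTTP request method (case-insensitive). Must
	 *                    not be {@code null}.
	 * @param uri         The HTTP URI. Any query or fragment component
	 *                    will be stripped from it before DPoP validation.
	 *                    Must not be {@code null}.
	 * @param issuer      Unique identifier for the DPoP proof issuer, such
	 *                    as its client ID. Must not be {@code null}.
	 * @param proof       The DPoP proof JWT, {@code null} if not received.
	 * @param accessToken The received and successfully validated DPoP
	 *                    access token. Must not be {@code null}.
	 * @param cnf         The JWK SHA-256 thumbprint confirmation for the
	 *                    DPoP access token. Must not be {@code null}.
	 *
	 * @throws InvalidDPoPProofException      If the DPoP proof is invalid
	 *                                        or missing.
	 * @throws AccessTokenValidationException If the DPoP access token
	 *                                        binding validation failed.
	 * @throws JOSEException                  If an internal JOSE exception
	 *                                        is encountered.
	 *
	 * @deprecated Use
	 * {@link #verify(String, URI, DPoPIssuer, SignedJWT, DPoPAccessToken, JWKThumbprintConfirmation, Nonce)}.
	 * This overload passes a {@code null} nonce, so no "nonce" claim is
	 * expected in the proof; a resource server that issues DPoP nonces
	 * must use the overload that takes the expected nonce, otherwise the
	 * nonce is never checked.
	 */
	@Deprecated
	public void verify(final String method,
			   final URI uri,
			   final DPoPIssuer issuer,
			   final SignedJWT proof,
			   final DPoPAccessToken accessToken,
			   final JWKThumbprintConfirmation cnf)
		throws
		InvalidDPoPProofException,
		AccessTokenValidationException,
		JOSEException {

		// null nonce: no "nonce" claim is required of the proof
		verify(method, uri, issuer, proof, accessToken, cnf, null);
	}


	/**
	 * Verifies the specified DPoP proof and its access token and JWK
	 * SHA-256 thumbprint bindings.
	 *
	 * @param method      The HTTP request method (case-insensitive). Must
	 *                    not be {@code null}.
	 * @param uri         The HTTP URI. Any query or fragment component
	 *                    will be stripped from it before DPoP validation.
	 *                    Must not be {@code null}.
	 * @param issuer      Unique identifier for the DPoP proof issuer, such
	 *                    as its client ID. Must not be {@code null}.
	 * @param proof       The DPoP proof JWT, {@code null} if not received.
	 * @param accessToken The received and successfully validated DPoP
	 *                    access token. Must not be {@code null}.
	 * @param cnf         The JWK SHA-256 thumbprint confirmation for the
	 *                    DPoP access token. Must not be {@code null}.
	 * @param nonce       The expected DPoP proof JWT nonce, {@code null}
	 *                    if none. When {@code null} the proof is not
	 *                    required to carry a "nonce" claim.
	 *
	 * @throws InvalidDPoPProofException      If the DPoP proof is invalid
	 *                                        or missing.
	 * @throws AccessTokenValidationException If the DPoP access token
	 *                                        binding validation failed.
	 * @throws JOSEException                  If an internal JOSE exception
	 *                                        is encountered.
	 * @throws NullPointerException           If {@code accessToken} or
	 *                                        {@code cnf} is {@code null}.
	 */
	public void verify(final String method,
			   final URI uri,
			   final DPoPIssuer issuer,
			   final SignedJWT proof,
			   final DPoPAccessToken accessToken,
			   final JWKThumbprintConfirmation cnf,
			   final Nonce nonce)
		throws
		InvalidDPoPProofException,
		AccessTokenValidationException,
		JOSEException {

		// At a protected resource a DPoP-bound token without a proof is
		// unusable; a missing proof is reported as an invalid proof rather
		// than an argument error so callers can map it to a DPoP-specific
		// error response.
		if (proof == null) {
			throw new InvalidDPoPProofException("Missing required DPoP proof");
		}

		// The binding checks need both the token and its confirmation;
		// name the offending argument so a misuse is diagnosable.
		Objects.requireNonNull(accessToken, "accessToken");
		Objects.requireNonNull(cnf, "cnf");

		// method, uri and issuer are passed through; the superclass
		// performs the proof, binding and thumbprint verification.
		super.verify(method, uri, issuer, proof, accessToken, cnf, nonce);
	}
}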