/*
 * oauth2-oidc-sdk
 *
 * Copyright 2012-2021, Connect2id Ltd and contributors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
 * this file except in compliance with the License. You may obtain a copy of the
 * License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software distributed
 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 * CONDITIONS OF ANY KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations under the License.
 */

package com.nimbusds.oauth2.sdk.dpop.verifiers;


import java.net.URI;
import java.util.Map;
import java.util.Set;

import net.jcip.annotations.ThreadSafe;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.dpop.JWKThumbprintConfirmation;
import com.nimbusds.oauth2.sdk.id.JWTID;
import com.nimbusds.oauth2.sdk.token.DPoPAccessToken;
import com.nimbusds.oauth2.sdk.util.singleuse.SingleUseChecker;


/**
 * DPoP proof JWT verifier for a protected resource.
 *
 * <p>This is a thin specialisation of {@link DPoPCommonVerifier}: the
 * constructor fixes the verifier configuration for the resource server
 * case and {@link #verify} forwards the proof, the presented access token
 * and its JWK thumbprint confirmation to the common verification logic.
 * All state lives in the superclass, which is why the class is marked
 * {@code @ThreadSafe} here.
 */
@ThreadSafe
public class DPoPProtectedResourceRequestVerifier extends DPoPCommonVerifier {


	/**
	 * Creates a new DPoP proof JWT verifier for a protected resource.
	 *
	 * @param acceptedJWSAlgs  The JWS algorithms a proof may be signed
	 *                         with. Must be supported and not
	 *                         {@code null}.
	 * @param maxAgeSeconds    Maximum acceptable age of the proof's
	 *                         "iat" (issued-at) claim, in seconds;
	 *                         older proofs are rejected.
	 * @param singleUseChecker Replay detector for the proof "jti" (JWT
	 *                         ID) claims, keyed by issuer, {@code null}
	 *                         if replay detection is not configured.
	 */
	public DPoPProtectedResourceRequestVerifier(final Set<JWSAlgorithm> acceptedJWSAlgs,
						    final long maxAgeSeconds,
						    final SingleUseChecker<Map.Entry<DPoPIssuer, JWTID>> singleUseChecker) {

		// The boolean flag is the only thing that distinguishes this
		// verifier from the common one; on the resource server side it is
		// always on. NOTE(review): presumably it enables the access token
		// ("ath") binding checks — confirm against DPoPCommonVerifier.
		final boolean resourceServerMode = true;
		super(acceptedJWSAlgs, maxAgeSeconds, resourceServerMode, singleUseChecker);
	}


	/**
	 * Verifies the specified DPoP proof together with its access token
	 * binding and JWK SHA-256 thumbprint binding.
	 *
	 * @param method      The HTTP request method (case insensitive).
	 *                    Must not be {@code null}.
	 * @param uri         The HTTP URI; any query or fragment component
	 *                    is stripped before DPoP validation. Must not
	 *                    be {@code null}.
	 * @param issuer      Unique identifier for the DPoP proof issuer,
	 *                    such as its client ID. Must not be
	 *                    {@code null}.
	 * @param proof       The DPoP proof JWT. Must not be {@code null}.
	 * @param accessToken The DPoP access token received with the
	 *                    request. Must not be {@code null}.
	 * @param cnf         The JWK SHA-256 thumbprint confirmation bound
	 *                    to the access token. Must not be {@code null}.
	 *
	 * @throws InvalidDPoPProofException       If the DPoP proof is
	 *                                         invalid.
	 * @throws AccessTokenValidationException  If the access token binding
	 *                                         validation failed.
	 * @throws JOSEException                   If an internal JOSE
	 *                                         exception is encountered.
	 */
	public void verify(final String method,
			   final URI uri,
			   final DPoPIssuer issuer,
			   final SignedJWT proof,
			   final DPoPAccessToken accessToken,
			   final JWKThumbprintConfirmation cnf)
		throws
		InvalidDPoPProofException,
		AccessTokenValidationException,
		JOSEException {

		// Must stay an explicit super call: an unqualified verify(...)
		// with this signature would recurse into this override.
		super.verify(method, uri, issuer, proof, accessToken, cnf);
	}
}