001/* 002 * oauth2-oidc-sdk 003 * 004 * Copyright 2012-2021, Connect2id Ltd and contributors. 005 * 006 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use 007 * this file except in compliance with the License. You may obtain a copy of the 008 * License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software distributed 013 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR 014 * CONDITIONS OF ANY KIND, either express or implied. See the License for the 015 * specific language governing permissions and limitations under the License. 016 */ 017 018package com.nimbusds.oauth2.sdk.dpop.verifiers; 019 020 021import java.net.URI; 022import java.util.Map; 023import java.util.Set; 024 025import net.jcip.annotations.ThreadSafe; 026 027import com.nimbusds.jose.JOSEException; 028import com.nimbusds.jose.JWSAlgorithm; 029import com.nimbusds.jwt.SignedJWT; 030import com.nimbusds.oauth2.sdk.dpop.JWKThumbprintConfirmation; 031import com.nimbusds.oauth2.sdk.id.JWTID; 032import com.nimbusds.oauth2.sdk.util.singleuse.SingleUseChecker; 033 034 035/** 036 * DPoP proof JWT verifier for the OAuth 2.0 token endpoint of an authorisation 037 * server. 038 */ 039@ThreadSafe 040public class DPoPTokenRequestVerifier extends DPoPCommonVerifier { 041 042 043 /** 044 * The token endpoint URI. 045 */ 046 private final URI endpointURI; 047 048 049 /** 050 * Creates a new DPoP proof JWT verifier for the OAuth 2.0 token 051 * endpoint. 052 * 053 * @param acceptedJWSAlgs The accepted JWS algorithms. Must be 054 * supported and not {@code null}. 055 * @param endpointURI The token endpoint URI. Any query or 056 * fragment component will be stripped from it 057 * before performing the comparison. Must not 058 * be {@code null}. 059 * @param maxAgeSeconds The maximum acceptable "iat" (issued-at) 060 * claim age, in seconds. JWTs older than that 061 * will be rejected. 062 * @param singleUseChecker The single use checker for the DPoP proof 063 * "jti" (JWT ID) claims, {@code null} if not 064 * specified. 065 */ 066 public DPoPTokenRequestVerifier(final Set<JWSAlgorithm> acceptedJWSAlgs, 067 final URI endpointURI, 068 final long maxAgeSeconds, 069 final SingleUseChecker<Map.Entry<DPoPIssuer, JWTID>> singleUseChecker) { 070 071 super(acceptedJWSAlgs, maxAgeSeconds, false, singleUseChecker); 072 073 if (endpointURI == null) { 074 throw new IllegalArgumentException("The token endpoint URI must not be null"); 075 } 076 this.endpointURI = endpointURI; 077 } 078 079 080 /** 081 * Verifies the specified DPoP proof and returns the DPoP JWK SHA-256 082 * thumbprint confirmation. 083 * 084 * @param issuer Unique identifier for the DPoP proof issuer, typically 085 * as its client ID. Must not be {@code null}. 086 * @param proof The DPoP proof JWT. Must not be {@code null}. 087 * 088 * @return The DPoP JWK SHA-256 thumbprint confirmation. 089 * 090 * @throws InvalidDPoPProofException If the DPoP proof is invalid. 091 * @throws JOSEException If an internal JOSE exception is 092 * encountered. 093 */ 094 public JWKThumbprintConfirmation verify(final DPoPIssuer issuer, final SignedJWT proof) 095 throws InvalidDPoPProofException, JOSEException { 096 097 try { 098 super.verify("POST", endpointURI, issuer, proof, null, null); 099 } catch (AccessTokenValidationException e) { 100 throw new RuntimeException("Unexpected exception", e); 101 } 102 103 return new JWKThumbprintConfirmation(proof.getHeader().getJWK().computeThumbprint()); 104 } 105}