java.lang.Object
com.sap.cloud.security.token.validation.validators.JwtX5tValidator
All Implemented Interfaces:
Validator<Token>

public class JwtX5tValidator extends Object implements Validator<Token>
Validates whether the JWT access token is intended for the OAuth2 client of this application in a certificate-based authentication scenario. The cnf claim carries the SHA-256 thumbprint of the X.509 certificate; it must match the thumbprint of the provided certificate.

Validates whether the 'cnf' thumbprint value matches the X509 certificate from the request.

The validator is disabled by default. It can be activated by setting the environment variable 'X5T_VALIDATOR_ENABLED' to true.

  • Constructor Details

  • Method Details

    • validate

      public ValidationResult validate(Token token)
      Validates the cnf thumbprint of the X509 certificate against the trusted certificate's thumbprint.

      If the audience contains only a single value, the thumbprint comparison is not performed and the request is validated. To guarantee that this single audience is trusted, use this validator in combination with JwtAudienceValidator.

      Specified by:
      validate in interface Validator<Token>
      Parameters:
      token - token to be validated
      Returns:
      the validation result. With multiple audiences, the result is valid when both thumbprints match.
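
The check described above, as an added sketch that is not the library's own code: it uses only JDK classes and assumes the thumbprint is encoded as in RFC 8705 (unpadded base64url of the SHA-256 digest of the DER-encoded certificate). `X5tCheckExample`, `thumbprint` and `isBound` are hypothetical names, and the byte strings are constructed stand-ins for `X509Certificate.getEncoded()` output.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.List;

// Added illustration; class and method names are hypothetical, not library API.
public class X5tCheckExample {

    // Unpadded base64url of SHA-256 over the DER-encoded certificate (RFC 8705 form).
    static String thumbprint(byte[] certDer) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(certDer);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
    }

    // Decision as described on this page: one audience skips the comparison.
    static boolean isBound(List<String> audiences, String cnfThumbprint, byte[] certDer)
            throws NoSuchAlgorithmException {
        if (audiences.size() == 1) {
            return true; // audience trust must be established by a separate audience check
        }
        if (cnfThumbprint == null || certDer == null) {
            return false; // fail closed when either side of the comparison is missing
        }
        byte[] expected = cnfThumbprint.getBytes(StandardCharsets.US_ASCII);
        byte[] actual = thumbprint(certDer).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins for X509Certificate.getEncoded() output.
        byte[] presented = "constructed-der-bytes-A".getBytes(StandardCharsets.US_ASCII);
        byte[] other = "constructed-der-bytes-B".getBytes(StandardCharsets.US_ASCII);
        String cnf = thumbprint(presented); // value a token bound to 'presented' would carry
        List<String> multi = List.of("client-a", "client-b"); // constructed audiences

        System.out.println("bound cert, multiple audiences: " + isBound(multi, cnf, presented));
        System.out.println("other cert, multiple audiences: " + isBound(multi, cnf, other));
        System.out.println("other cert, single audience:    "
                + isBound(List.of("client-a"), cnf, other));
    }
}
```

The last call shows why the single-audience case needs JwtAudienceValidator alongside: with one audience the certificate is never compared against the cnf value.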