Class JwtHandler


  • public class JwtHandler
    extends Object
    The logic required to validate the integrity of an OIDC ID token JWT.
    • Method Detail

      • validateJwt

        public org.forgerock.json.jose.jwt.JwtClaimsSet validateJwt(String jwtValue)
                throws AuthLoginException
        Validate the integrity of the OIDC ID token JWT according to the spec (http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation). Specifically, check that the issuer is the expected issuer, that the token has not expired, that the token has at least one audience claim, and, if there is an authorized party claim ("azp"), that the authorized party appears in the audience list contained within the token.
        Parameters:
        jwtValue - The encoded JWT string.
        Returns:
        The validated JWT claims.
        Throws:
        AuthLoginException
      • isIntendedForAudience

        public static boolean isIntendedForAudience(String audienceName,
                org.forgerock.json.jose.jwt.JwtClaimsSet jwtClaims)
                throws AuthLoginException
        Check whether or not the token is designated for the specified audience.
        Parameters:
        audienceName - The audience name to check that the token is intended for.
        jwtClaims - The parsed JWT claims.
        Returns:
        true if the token is intended for the specified audience, false if it is not.
        Throws:
        AuthLoginException
      • isFromValidAuthorizedParty

        public static boolean isFromValidAuthorizedParty(Set<String> acceptedAuthorizedParties,
                org.forgerock.json.jose.jwt.JwtClaimsSet jwtClaims)
                throws AuthLoginException
        Check whether or not the token is from one of the accepted authorized parties specified.
        Parameters:
        acceptedAuthorizedParties - A list of accepted authorized parties.
        jwtClaims - The parsed JWT claims.
        Returns:
        true if the token's authorized party is in the list of accepted authorized parties; false if it is not, or if the token does not contain an authorized party entry.
        Throws:
        AuthLoginException
      • jwtHasAuthorizedPartyClaim

        public static boolean jwtHasAuthorizedPartyClaim(org.forgerock.json.jose.jwt.JwtClaimsSet jwtClaims)
                throws AuthLoginException
        Check if the token has an authorized party ("azp") entry.
        Parameters:
        jwtClaims - The parsed JWT claims.
        Returns:
        true if the token contains an authorized party claim and that claim is not an empty string, otherwise false.
        Throws:
        AuthLoginException
      • getJwtClaims

        public org.forgerock.json.jose.jwt.JwtClaimsSet getJwtClaims(String jwtValue)
                throws AuthLoginException
        Get the set of claims contained within the specified token.
        Parameters:
        jwtValue - The encoded JWT string.
        Returns:
        The set of claims contained within the token.
        Throws:
        AuthLoginException
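The claim checks that validateJwt, isIntendedForAudience, isFromValidAuthorizedParty and jwtHasAuthorizedPartyClaim describe above, written out as an added, self-contained example. This is not ForgeRock's JwtHandler code: it works on a plain Map of claims rather than a JwtClaimsSet so that it compiles without the org.forgerock.json.jose library, it uses its own IdTokenValidationException in place of AuthLoginException, and it assumes the JWT signature has already been verified before the claims reach it. The issuer URL, client ids and clock value are constructed placeholders.

```java
import java.time.Instant;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added illustration of the ID token claim checks documented for JwtHandler.
// Not the ForgeRock implementation: operates on a plain claims map and assumes
// the token's signature was verified by the caller (as the real handler does
// on the encoded JWT before inspecting claims).
public final class IdTokenClaimChecks {

    // Stand-in for AuthLoginException, which lives in the AM code base.
    public static final class IdTokenValidationException extends Exception {
        IdTokenValidationException(String message) { super(message); }
    }

    // "aud" may be a single string or an array of strings (OIDC Core, section 2).
    @SuppressWarnings("unchecked")
    static List<String> audiences(Map<String, Object> claims) {
        Object aud = claims.get("aud");
        if (aud instanceof String) {
            return List.of((String) aud);
        }
        if (aud instanceof List) {
            return (List<String>) aud;
        }
        return List.of();
    }

    // Counterpart of isIntendedForAudience.
    static boolean isIntendedForAudience(String audienceName, Map<String, Object> claims) {
        return audiences(claims).contains(audienceName);
    }

    // Counterpart of jwtHasAuthorizedPartyClaim: present and not an empty string.
    static boolean hasAuthorizedPartyClaim(Map<String, Object> claims) {
        Object azp = claims.get("azp");
        return azp instanceof String && !((String) azp).isEmpty();
    }

    // Counterpart of isFromValidAuthorizedParty: false when azp is absent.
    static boolean isFromValidAuthorizedParty(Set<String> accepted, Map<String, Object> claims) {
        return hasAuthorizedPartyClaim(claims) && accepted.contains((String) claims.get("azp"));
    }

    // Mirrors the documented validateJwt checks: issuer, expiry, audience, azp in aud.
    static Map<String, Object> validateClaims(Map<String, Object> claims, String expectedIssuer,
                                              Instant now) throws IdTokenValidationException {
        if (!expectedIssuer.equals(claims.get("iss"))) {
            throw new IdTokenValidationException("unexpected issuer: " + claims.get("iss"));
        }
        Object exp = claims.get("exp");
        if (!(exp instanceof Number)) {
            throw new IdTokenValidationException("missing exp claim");
        }
        if (!Instant.ofEpochSecond(((Number) exp).longValue()).isAfter(now)) {
            throw new IdTokenValidationException("token has expired");
        }
        if (audiences(claims).isEmpty()) {
            throw new IdTokenValidationException("token has no audience");
        }
        if (hasAuthorizedPartyClaim(claims)
                && !isIntendedForAudience((String) claims.get("azp"), claims)) {
            throw new IdTokenValidationException("azp is not among the audiences");
        }
        return claims;
    }

    public static void main(String[] args) throws Exception {
        Instant now = Instant.parse("2024-01-01T00:00:00Z");  // constructed clock value
        // Constructed sample claims; the OP URL and client ids are placeholders.
        Map<String, Object> good = Map.of(
            "iss", "https://op.example.test",
            "sub", "user-123",
            "aud", List.of("client-a", "client-b"),
            "azp", "client-a",
            "exp", now.plusSeconds(300).getEpochSecond());
        validateClaims(good, "https://op.example.test", now);
        System.out.println("good token accepted; from accepted party: "
            + isFromValidAuthorizedParty(Set.of("client-a"), good));

        // azp names a party that is not in aud: the spec check rejects it.
        Map<String, Object> bad = Map.of(
            "iss", "https://op.example.test",
            "aud", List.of("client-b"),
            "azp", "client-a",
            "exp", now.plusSeconds(300).getEpochSecond());
        try {
            validateClaims(bad, "https://op.example.test", now);
        } catch (IdTokenValidationException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The expiry check takes the clock as a parameter so the behaviour is deterministic; a production caller would pass Instant.now(). Note that the azp-in-aud check is only applied when the claim is present and non-empty, which matches the documented return value of jwtHasAuthorizedPartyClaim, and that isFromValidAuthorizedParty is a separate policy decision (which parties this relying party accepts) from the spec's structural check that azp appears among the audiences.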