com.google.crypto.tink.jwt

Class JwtValidator.Builder

java.lang.Object

com.google.crypto.tink.jwt.JwtValidator.Builder

Enclosing class:

JwtValidator

public static final class JwtValidator.Builder
extends Object

Builder for JwtValidator

Method Summary

Modifier and Type	Method and Description
JwtValidator.Builder	allowMissingExpiration() When set, the validator accepts tokens that do not have an expiration set.
JwtValidator	build()
JwtValidator.Builder	expectAudience(String value) Sets the expected audience.
JwtValidator.Builder	expectIssuedInThePast() Checks that the iat claim is in the past.
JwtValidator.Builder	expectIssuer(String value) Sets the expected issuer claim of the token.
JwtValidator.Builder	expectTypeHeader(String value) Sets the expected type header of the token.
JwtValidator.Builder	ignoreAudiences() Lets the validator ignore the aud claim.
JwtValidator.Builder	ignoreIssuer() Lets the validator ignore the iss claim.
JwtValidator.Builder	ignoreTypeHeader() Lets the validator ignore the typ header.
JwtValidator.Builder	setClock(Clock clock) Sets the clock used to verify timestamp claims.
JwtValidator.Builder	setClockSkew(Duration clockSkew) Sets the clock skew to tolerate when verifying timestamp claims, to deal with small clock differences among different machines.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

expectTypeHeader

@CanIgnoreReturnValue
public JwtValidator.Builder expectTypeHeader(String value)

Sets the expected type header of the token. When this is set, all tokens with missing or different typ header are rejected. When this is not set, all token that have a typ header are rejected. So this must be set for token that have a typ header.

If you want to ignore the type header or if you want to validate it yourself, use ignoreTypeHeader().

https://tools.ietf.org/html/rfc7519#section-4.1.1

ignoreTypeHeader

@CanIgnoreReturnValue
public JwtValidator.Builder ignoreTypeHeader()

Lets the validator ignore the typ header.

expectIssuer

@CanIgnoreReturnValue
public JwtValidator.Builder expectIssuer(String value)

Sets the expected issuer claim of the token. When this is set, all tokens with missing or different iss claims are rejected. When this is not set, all token that have a iss claim are rejected. So this must be set for token that have a iss claim.

If you want to ignore the issuer claim or if you want to validate it yourself, use ignoreIssuer().

https://tools.ietf.org/html/rfc7519#section-4.1.1

ignoreIssuer

@CanIgnoreReturnValue
public JwtValidator.Builder ignoreIssuer()

Lets the validator ignore the iss claim.

expectAudience

@CanIgnoreReturnValue
public JwtValidator.Builder expectAudience(String value)

Sets the expected audience. When this is set, all tokens that do not contain this audience in their aud claims are rejected. When this is not set, all token that have aud claims are rejected. So this must be set for token that have aud claims.

If you want to ignore this claim or if you want to validate it yourself, use ignoreAudiences().

https://tools.ietf.org/html/rfc7519#section-4.1.3

ignoreAudiences

@CanIgnoreReturnValue
public JwtValidator.Builder ignoreAudiences()

Lets the validator ignore the aud claim.

expectIssuedInThePast

@CanIgnoreReturnValue
public JwtValidator.Builder expectIssuedInThePast()

Checks that the iat claim is in the past.

setClock

@CanIgnoreReturnValue
public JwtValidator.Builder setClock(Clock clock)

Sets the clock used to verify timestamp claims.

setClockSkew

@CanIgnoreReturnValue
public JwtValidator.Builder setClockSkew(Duration clockSkew)

Sets the clock skew to tolerate when verifying timestamp claims, to deal with small clock differences among different machines.

As recommended by https://tools.ietf.org/html/rfc7519, the clock skew should usually be no more than a few minutes. In this implementation, the maximum value is 10 minutes.

allowMissingExpiration

@CanIgnoreReturnValue
public JwtValidator.Builder allowMissingExpiration()

When set, the validator accepts tokens that do not have an expiration set.

In most cases, tokens should always have an expiration, so this option should rarely be used.

build

public JwtValidator build()