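/*
 * oauth2-oidc-sdk
 *
 * Copyright 2012-2021, Connect2id Ltd and contributors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
 * this file except in compliance with the License. You may obtain a copy of the
 * License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software distributed
 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 * CONDITIONS OF ANY KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations under the License.
 */

package com.nimbusds.oauth2.sdk.dpop.verifiers;


import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.dpop.JWKThumbprintConfirmation;
import com.nimbusds.oauth2.sdk.id.JWTID;
import com.nimbusds.oauth2.sdk.token.DPoPAccessToken;
import com.nimbusds.oauth2.sdk.util.Receiver;
import com.nimbusds.oauth2.sdk.util.singleuse.SingleUseChecker;
import com.nimbusds.openid.connect.sdk.Nonce;
import net.jcip.annotations.ThreadSafe;

import java.net.URI;
import java.util.Collections;
import java.util.Map;
import java.util.Objects;
import java.util.Set;


/**
 * DPoP proof JWT verifier for a protected resource.
 *
 * <p>Unlike the authorisation server side, a protected resource always
 * requires the DPoP proof to be present: the {@code verify} methods of this
 * class reject a {@code null} proof with an
 * {@link InvalidDPoPProofException} before any other processing, so a
 * DPoP-bound access token can never be accepted without its proof.
 */
@ThreadSafe
public class DPoPProtectedResourceRequestVerifier extends DPoPCommonVerifier {
	
	
	/**
	 * Creates a new DPoP proof JWT verifier for a protected resource.
	 *
	 * @param acceptedJWSAlgs     The accepted JWS algorithms. Must be
	 *                            supported and not {@code null}.
	 * @param maxClockSkewSeconds The maximum permitted DPoP proof "iat"
	 *                            clock skew, in seconds. A proof with
	 *                            "iat" in the future is accepted if it is
	 *                            within this skew tolerance. Intended to
	 *                            prevent rejections due to client and
	 *                            server system time differences.
	 * @param maxAgeSeconds       The maximum accepted DPoP proof "iat" age
	 *                            relative to the current system time, in
	 *                            seconds. Intended to limit replay by
	 *                            bounding how long a proof is valid after
	 *                            issue.
	 * @param singleUseChecker    The single use checker for the DPoP proof
	 *                            "jti" (JWT ID) claims, {@code null} if
	 *                            not specified.
	 */
	public DPoPProtectedResourceRequestVerifier(final Set<JWSAlgorithm> acceptedJWSAlgs,
						    final long maxClockSkewSeconds,
						    final long maxAgeSeconds,
						    final SingleUseChecker<DPoPProofUse> singleUseChecker) {
		
		super(acceptedJWSAlgs, maxClockSkewSeconds, maxAgeSeconds, singleUseChecker);
	}
	
	
	/**
	 * Creates a new DPoP proof JWT verifier for a protected resource.
	 *
	 * @param acceptedJWSAlgs     The accepted JWS algorithms. Must be
	 *                            supported and not {@code null}.
	 * @param maxClockSkewSeconds The maximum permitted DPoP proof "iat"
	 *                            clock skew, in seconds. A proof with
	 *                            "iat" in the future is accepted if it is
	 *                            within this skew tolerance. Intended to
	 *                            prevent rejections due to client and
	 *                            server system time differences.
	 * @param singleUseChecker    The single use checker for the DPoP proof
	 *                            "jti" (JWT ID) claims, {@code null} if
	 *                            not specified.
	 *
	 * @deprecated Use
	 * {@link #DPoPProtectedResourceRequestVerifier(Set, long, long, SingleUseChecker)},
	 * which also takes a maximum proof age to bound replay.
	 */
	@Deprecated
	public DPoPProtectedResourceRequestVerifier(final Set<JWSAlgorithm> acceptedJWSAlgs,
						    final long maxClockSkewSeconds,
						    final SingleUseChecker<Map.Entry<DPoPIssuer, JWTID>> singleUseChecker) {
		
		super(acceptedJWSAlgs, maxClockSkewSeconds, singleUseChecker);
	}
	
	
	/**
	 * Verifies the specified DPoP proof and its access token and JWK
	 * SHA-256 thumbprint bindings. No DPoP proof nonce is expected and the
	 * proof JWT claims set is not exposed to the caller.
	 *
	 * @param method      The HTTP request method (case-insensitive). Must
	 *                    not be {@code null}.
	 * @param uri         The HTTP URI. Any query or fragment component
	 *                    will be stripped from it before DPoP validation.
	 *                    Must not be {@code null}.
	 * @param issuer      Unique identifier for the DPoP proof issuer, such
	 *                    as its client ID. Must not be {@code null}.
	 * @param proof       The DPoP proof JWT, {@code null} if not received.
	 * @param accessToken The received and successfully validated DPoP
	 *                    access token. Must not be {@code null}.
	 * @param cnf         The JWK SHA-256 thumbprint confirmation for the
	 *                    DPoP access token. Must not be {@code null}.
	 *
	 * @throws InvalidDPoPProofException      If the DPoP proof is invalid
	 *                                        or missing.
	 * @throws AccessTokenValidationException If the DPoP access token
	 *                                        binding validation failed.
	 * @throws JOSEException                  If an internal JOSE exception
	 *                                        is encountered.
	 *
	 * @deprecated Use
	 * {@link #verify(String, URI, DPoPIssuer, SignedJWT, DPoPAccessToken, JWKThumbprintConfirmation, Set, Receiver)}.
	 */
	@Deprecated
	public void verify(final String method,
			   final URI uri,
			   final DPoPIssuer issuer,
			   final SignedJWT proof,
			   final DPoPAccessToken accessToken,
			   final JWKThumbprintConfirmation cnf)
		throws
		InvalidDPoPProofException,
		AccessTokenValidationException,
		JOSEException {
		
		// No accepted nonces, no claims receiver
		verify(method, uri, issuer, proof, accessToken, cnf, (Set<Nonce>) null, null);
	}
	
	
	/**
	 * Verifies the specified DPoP proof and its access token and JWK
	 * SHA-256 thumbprint bindings.
	 *
	 * @param method      The HTTP request method (case-insensitive). Must
	 *                    not be {@code null}.
	 * @param uri         The HTTP URI. Any query or fragment component
	 *                    will be stripped from it before DPoP validation.
	 *                    Must not be {@code null}.
	 * @param issuer      Unique identifier for the DPoP proof issuer, such
	 *                    as its client ID. Must not be {@code null}.
	 * @param proof       The DPoP proof JWT, {@code null} if not received.
	 * @param accessToken The received and successfully validated DPoP
	 *                    access token. Must not be {@code null}.
	 * @param cnf         The JWK SHA-256 thumbprint confirmation for the
	 *                    DPoP access token. Must not be {@code null}.
	 * @param nonce       The accepted DPoP proof JWT nonce, {@code null}
	 *                    if none is expected.
	 *
	 * @throws InvalidDPoPProofException      If the DPoP proof is invalid
	 *                                        or missing.
	 * @throws AccessTokenValidationException If the DPoP access token
	 *                                        binding validation failed.
	 * @throws JOSEException                  If an internal JOSE exception
	 *                                        is encountered.
	 */
	public void verify(final String method,
			   final URI uri,
			   final DPoPIssuer issuer,
			   final SignedJWT proof,
			   final DPoPAccessToken accessToken,
			   final JWKThumbprintConfirmation cnf,
			   final Nonce nonce)
		throws
		InvalidDPoPProofException,
		AccessTokenValidationException,
		JOSEException {
		
		// A single expected nonce becomes a one-element accepted set; null
		// (no nonce expected) is passed through unchanged
		final Set<Nonce> nonces = nonce != null ? Collections.singleton(nonce) : null;
		verify(method, uri, issuer, proof, accessToken, cnf, nonces, null);
	}
	
	
	/**
	 * Verifies the specified DPoP proof and its access token and JWK
	 * SHA-256 thumbprint bindings.
	 *
	 * @param method      The HTTP request method (case-insensitive). Must
	 *                    not be {@code null}.
	 * @param uri         The HTTP URI. Any query or fragment component
	 *                    will be stripped from it before DPoP validation.
	 *                    Must not be {@code null}.
	 * @param issuer      Unique identifier for the DPoP proof issuer, such
	 *                    as its client ID. Must not be {@code null}.
	 * @param proof       The DPoP proof JWT, {@code null} if not received.
	 * @param accessToken The received and successfully validated DPoP
	 *                    access token. Must not be {@code null}.
	 * @param cnf         The JWK SHA-256 thumbprint confirmation for the
	 *                    DPoP access token. Must not be {@code null}.
	 * @param nonces      The accepted DPoP proof JWT nonce values,
	 *                    {@code null} if none are expected.
	 * @param ctxReceiver To access the DPoP proof JWT claims set,
	 *                    {@code null} if not required.
	 *
	 * @throws InvalidDPoPProofException      If the DPoP proof is invalid
	 *                                        or missing.
	 * @throws AccessTokenValidationException If the DPoP access token
	 *                                        binding validation failed.
	 * @throws JOSEException                  If an internal JOSE exception
	 *                                        is encountered.
	 * @throws NullPointerException           If {@code accessToken} or
	 *                                        {@code cnf} is {@code null}.
	 */
	public void verify(final String method,
			   final URI uri,
			   final DPoPIssuer issuer,
			   final SignedJWT proof,
			   final DPoPAccessToken accessToken,
			   final JWKThumbprintConfirmation cnf,
			   final Set<Nonce> nonces,
			   final Receiver<DPoPProofContext> ctxReceiver)
		throws
		InvalidDPoPProofException,
		AccessTokenValidationException,
		JOSEException {
		
		// A missing proof at a protected resource is a request that must
		// be rejected, not a programming error: report it as an invalid
		// proof before checking anything else, so callers map it to the
		// same 401 / invalid_dpop_proof path as a malformed proof
		if (proof == null) {
			throw new InvalidDPoPProofException("Missing required DPoP proof");
		}
		
		// The token and its cnf binding are caller-supplied preconditions
		Objects.requireNonNull(accessToken, "accessToken");
		Objects.requireNonNull(cnf, "cnf");
		super.verify(method, uri, issuer, proof, accessToken, cnf, nonces, ctxReceiver);
	}
}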