Class OAuth2Jwt


  • @SupportedAll
    public class OAuth2Jwt
    extends Object
    Parses a JWT string and offers methods to check that the JWT is valid for use as an OAuth2 authorization grant or for OAuth2 client authentication.
    Since:
    12.0.0
    • Method Summary

      Modifier and Type Method Description
      static OAuth2Jwt create(String jwtString)
      Creates an OAuth2Jwt instance from the provided JWT string.
      static OAuth2Jwt create(SignedJwt jws)
      Creates an OAuth2Jwt instance from the provided signed JWT.
      String getIssuer()
      Gets the JWT issuer.
      SignedJwt getSignedJwt()
      Gets the Signed JWT.
      String getSubject()
      Gets the JWT subject.
      boolean isContentValid()
      Verifies that the JWT is valid by: ensuring the JWT contains the 'iss', 'sub', 'aud' and 'exp' claims; ensuring the JWT expiry is not unreasonably far in the future; ensuring the JWT has not expired; ensuring the JWT is not being used before its 'not before time'; ensuring the JWT issued at time is not unreasonably far in the past.
      boolean isContentValid(boolean includeExpiryCheck)
      Verifies that the JWT is valid by: ensuring the JWT contains the 'iss', 'sub', 'aud' and 'exp' claims; ensuring the JWT expiry is not unreasonably far in the future; optionally ensuring the JWT has not expired; ensuring the JWT is not being used before its 'not before time'; ensuring the JWT issued at time is not unreasonably far in the past.
      boolean isExpired()
      Checks whether the JWT has expired.
      boolean isExpiryUnreasonable()
      Checks whether the JWT has an unreasonable expiration time.
      boolean isIntendedForAudience(String audience)
      Checks whether the JWT is intended for the provided audience.
      boolean isValid(SigningHandler signingHandler)
      Verifies that the JWT is valid by: verifying the signature; ensuring the JWT contains the 'iss', 'sub', 'aud' and 'exp' claims; ensuring the JWT expiry is not unreasonably far in the future; ensuring the JWT has not expired; ensuring the JWT is not being used before its 'not before time'; ensuring the JWT issued at time is not unreasonably far in the past.
      boolean isValid(SigningHandler signingHandler, boolean includeExpiryCheck)
      Verifies that the JWT is valid by: verifying the signature; ensuring the JWT contains the 'iss', 'sub', 'aud' and 'exp' claims; ensuring the JWT expiry is not unreasonably far in the future; optionally ensuring the JWT has not expired; ensuring the JWT is not being used before its 'not before time'; ensuring the JWT issued at time is not unreasonably far in the past.
    • Method Detail

      • create

        public static OAuth2Jwt create(String jwtString)
        Creates an OAuth2Jwt instance from the provided JWT string.
        Parameters:
        jwtString - The JWT string.
        Returns:
        An OAuth2Jwt instance.
      • create

        public static OAuth2Jwt create(SignedJwt jws)
        Creates an OAuth2Jwt instance from the provided signed JWT.
        Parameters:
        jws - The JWS.
        Returns:
        An OAuth2Jwt instance.
      • isValid

        public boolean isValid(SigningHandler signingHandler)
        Verifies that the JWT is valid by:
        • verifying the signature
        • ensuring the JWT contains the 'iss', 'sub', 'aud' and 'exp' claims
        • ensuring the JWT expiry is not unreasonably far in the future
        • ensuring the JWT has not expired
        • ensuring the JWT is not being used before its 'not before time'
        • ensuring the JWT issued at time is not unreasonably far in the past
        Parameters:
        signingHandler - The SigningHandler instance to verify the JWT signature with.
        Returns:
        true if the JWT meets all the expectations.
      • isValid

        public boolean isValid(SigningHandler signingHandler,
                               boolean includeExpiryCheck)
        Verifies that the JWT is valid by:
        • verifying the signature
        • ensuring the JWT contains the 'iss', 'sub', 'aud' and 'exp' claims
        • ensuring the JWT expiry is not unreasonably far in the future
        • optionally ensuring the JWT has not expired
        • ensuring the JWT is not being used before its 'not before time'
        • ensuring the JWT issued at time is not unreasonably far in the past
        Parameters:
        signingHandler - The SigningHandler instance to verify the JWT signature with.
        includeExpiryCheck - Whether to also verify that the JWT has not expired.
        Returns:
        true if the JWT meets all the expectations.
      • isContentValid

        public boolean isContentValid()
        Verifies that the JWT is valid by:
        • ensuring the JWT contains the 'iss', 'sub', 'aud' and 'exp' claims
        • ensuring the JWT expiry is not unreasonably far in the future
        • ensuring the JWT has not expired
        • ensuring the JWT is not being used before its 'not before time'
        • ensuring the JWT issued at time is not unreasonably far in the past
        Returns:
        true if the JWT meets all the expectations.
      • isContentValid

        public boolean isContentValid(boolean includeExpiryCheck)
        Verifies that the JWT is valid by:
        • ensuring the JWT contains the 'iss', 'sub', 'aud' and 'exp' claims
        • ensuring the JWT expiry is not unreasonably far in the future
        • optionally ensuring the JWT has not expired
        • ensuring the JWT is not being used before its 'not before time'
        • ensuring the JWT issued at time is not unreasonably far in the past
        Parameters:
        includeExpiryCheck - Whether to include the expiry check in the above. If set to false, expired JWTs will pass validation.
        Returns:
        true if the JWT meets all the expectations.
      • isExpiryUnreasonable

        public boolean isExpiryUnreasonable()
        Checks whether the JWT has an unreasonable expiration time.
        Returns:
        true if the JWT has an unreasonable expiration time.
      • isExpired

        public boolean isExpired()
        Checks whether the JWT has expired.
        Returns:
        true if the JWT has expired.
      • isIntendedForAudience

        public boolean isIntendedForAudience(String audience)
        Checks whether the JWT is intended for the provided audience.
        Parameters:
        audience - The audience.
        Returns:
        true if the JWT 'audience' claim contains the provided audience.
      • getSubject

        public String getSubject()
        Gets the JWT subject.
        Returns:
        The JWT subject.
      • getIssuer

        public String getIssuer()
        Gets the JWT issuer.
        Returns:
        The JWT issuer.
      • getSignedJwt

        public SignedJwt getSignedJwt()
        Gets the Signed JWT.
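
The content checks listed for isContentValid and isIntendedForAudience, written out over a plain claims map as an added illustration; this is not the OAuth2Jwt source, and it leaves out the signature verification that isValid performs. The class name, the two Duration limits, the fixed clock and the sample claims are assumptions made for the example.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.List;
import java.util.Map;

// Added sketch of the documented checks; not the OAuth2Jwt source code.
public class JwtContentCheckSketch {
    // Assumed limits: the page does not define "unreasonably far".
    static final Duration MAX_LIFETIME = Duration.ofMinutes(30);
    static final Duration MAX_AGE = Duration.ofMinutes(30);
    static Instant time(Object claim) {
        return Instant.ofEpochSecond(((Number) claim).longValue());
    }

    static boolean isContentValid(Map<String, Object> c, Instant now, boolean includeExpiryCheck) {
        for (String required : List.of("iss", "sub", "aud", "exp")) {
            if (c.get(required) == null) return false;             // required claim missing
        }
        Instant exp = time(c.get("exp"));
        if (exp.isAfter(now.plus(MAX_LIFETIME))) return false;     // expiry too far in the future
        if (includeExpiryCheck && !exp.isAfter(now)) return false; // already expired
        // Assumption: 'nbf' and 'iat' are only checked when present.
        if (c.get("nbf") != null && now.isBefore(time(c.get("nbf")))) return false;
        if (c.get("iat") != null && time(c.get("iat")).isBefore(now.minus(MAX_AGE))) return false;
        return true;
    }
    // 'aud' may be a single string or a list of strings.
    static boolean isIntendedForAudience(Map<String, Object> c, String audience) {
        Object aud = c.get("aud");
        return aud instanceof List ? ((List<?>) aud).contains(audience) : audience.equals(aud);
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2024-01-01T12:00:00Z");       // constructed clock
        long t = now.getEpochSecond();
        String endpoint = "https://as.example/token";              // constructed audience
        Map<String, Object> fresh = Map.of("iss", "client-a", "sub", "client-a",
                "aud", List.of(endpoint), "exp", t + 300, "iat", t - 10);
        Map<String, Object> expired = Map.of("iss", "client-a", "sub", "client-a",
                "aud", endpoint, "exp", t - 60);
        Map<String, Object> longLived = Map.of("iss", "client-a", "sub", "client-a",
                "aud", endpoint, "exp", t + 31_536_000L);
        System.out.println("fresh, full check:       " + isContentValid(fresh, now, true));
        System.out.println("expired, full check:     " + isContentValid(expired, now, true));
        System.out.println("expired, expiry skipped: " + isContentValid(expired, now, false));
        System.out.println("one-year exp:            " + isContentValid(longLived, now, true));
        System.out.println("other audience:          " + isIntendedForAudience(fresh, "https://other.example"));
    }
}
```

The content check only requires that an 'aud' claim is present, so a caller accepting the JWT as a grant or client assertion still needs the separate audience comparison against its own identifier.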