Package org.forgerock.openig.tools.jwt

Class Constraints

java.lang.Object

org.forgerock.openig.tools.jwt.Constraints

public final class Constraints
extends Object

Constraints defined for JWT validation. Constraint evaluation results in a promise of a Result.

Method Summary

Modifier and Type	Method	Description
static JwtConstraint	canBeDecrypted(SecretsProvider secretsProvider, Purpose<DataDecryptionKey> purpose)	Provides a JwtConstraint configured with the supplied SecretsProvider that contain a secret capable of decrypting and verifying a JWT's encryption.
static <T> JwtClaimConstraint<Collection<T>>	contains(T expected)	Returns empty if the list contains the expected value.
static <T> JwtClaimConstraint<Collection<T>>	containsOnly(T expected)	Returns empty if the list contains only the expected value.
static JwtConstraint	hasClaims()	Returns empty if the JWT does contain claims.
static JwtConstraint	hasValidSignature(JwsSignatureVerifier verifier)	Validates the signature of this SignedJwt.
static JwtConstraint	hasValidSignatureAndEncryption(JwtConstraint signatureConstraint, JwtConstraint decryptionConstraint)	Provides a JwtConstraint configured with the supplied JwtConstraints verifying both signature and encryption.
static <T> JwtClaimConstraint<T>	isEqualTo(T expected)	Returns empty if the value is equal to the one expected and fulfill the Violation with the custom error message.
static JwtClaimConstraint<Instant>	isInTheFuture()	Returns a JwtClaimConstraint that will succeed if the timestamp is after the given date, otherwise it will fail.
static JwtClaimConstraint<Instant>	isInThePast()	Returns a JwtClaimConstraint that will succeed if the timestamp is before the given date, otherwise it will fail.
static JwtClaimConstraint<JsonValue>	isNotNull()	Returns empty if the value is present.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

isEqualTo

public static <T> JwtClaimConstraint<T> isEqualTo(T expected)

Returns empty if the value is equal to the one expected and fulfill the Violation with the custom error message.

Type Parameters:

T - The type on which the constraint applies.

Parameters:

expected - The expected value.

Returns:

empty if the value is equal to the one expected or a Violation corresponding to this constraint.

contains

public static <T> JwtClaimConstraint<Collection<T>> contains(T expected)

Returns empty if the list contains the expected value.

Type Parameters:

T - The type on which the constraint applies.

Parameters:

expected - The expected value.

Returns:

empty if the value is contained in the list or a Violation corresponding to this constraint.

containsOnly

public static <T> JwtClaimConstraint<Collection<T>> containsOnly(T expected)

Returns empty if the list contains only the expected value.

Type Parameters:

T - The type on which the constraint applies.

Parameters:

expected - The expected value.

Returns:

empty if the value is contained in the singletonlist or a Violation corresponding to this constraint.

isInTheFuture

public static JwtClaimConstraint<Instant> isInTheFuture()

Returns a JwtClaimConstraint that will succeed if the timestamp is after the given date, otherwise it will fail. This method uses the skew allowance held on the ValidatorContraintContext.

Returns:

a JwtClaimConstraint that will succeed if the timestamp is after the given date, otherwise it will fail.

isInThePast

public static JwtClaimConstraint<Instant> isInThePast()

Returns a JwtClaimConstraint that will succeed if the timestamp is before the given date, otherwise it will fail. This method uses the skew allowance held on the ValidatorContraintContext.

Returns:

a JwtClaimConstraint that will succeed if the timestamp is before the given date, otherwise it will fail.

isNotNull

public static JwtClaimConstraint<JsonValue> isNotNull()

Returns empty if the value is present.

Returns:

empty if the value is present in the list or a Violation corresponding to this constraint.

hasClaims

public static JwtConstraint hasClaims()

Returns empty if the JWT does contain claims.

Returns:

empty if the JWT does contain claims or a Violation corresponding to this constraint.

hasValidSignature

public static JwtConstraint hasValidSignature(JwsSignatureVerifier verifier)

Validates the signature of this SignedJwt.

Parameters:

verifier - The JwsSignatureVerifier used to verify the signature.

Returns:

empty if the JWT has a valid signature or a Violation corresponding to this constraint.

canBeDecrypted

public static JwtConstraint canBeDecrypted(SecretsProvider secretsProvider,
                                           Purpose<DataDecryptionKey> purpose)

Provides a JwtConstraint configured with the supplied SecretsProvider that contain a secret capable of decrypting and verifying a JWT's encryption. Fails if the supplied JWT is not encrypted or cannot be decrypted with the secrets available in the SecretsProvider.

Parameters:

secretsProvider - the instance from where to get the keys.

purpose - the Purpose of the decryption.

Returns:

empty if the JWT has a valid encryption or a Violation corresponding to this constraint.

hasValidSignatureAndEncryption

public static JwtConstraint hasValidSignatureAndEncryption(JwtConstraint signatureConstraint,
                                                           JwtConstraint decryptionConstraint)

Provides a JwtConstraint configured with the supplied JwtConstraints verifying both signature and encryption. Fails if the supplied JWT is either :

• Not encrypted and signed (both orders are accepted)
• Not decipherable
• Signed with an invalid signature

Parameters:

signatureConstraint - the constraint on signature.

decryptionConstraint - the constraint on decryption.

Returns:

the combined JwtConstraint.