Class OidcIdToken

java.lang.Object
iu.crypt.Jwt
iu.auth.config.OidcIdToken
All Implemented Interfaces:
WebToken

public class OidcIdToken extends Jwt
Extends Jwt to include OIDC ID token claim validation.
  • Constructor Details

    • OidcIdToken

      public OidcIdToken(WebKey.Algorithm alg, OAuthClient client, String nonce, String accessToken, Duration maxAge, JsonObject claims)
      Constructor.
      Parameters:
      alg - Signature algorithm used to verify ID Token authenticity
      client - Client to which this token was issued
      nonce - One-Time number (nonce) value provided with the original authentication request
      accessToken - Access token issued with this ID token.
      maxAge - Maximum length of time to allow since the user's authentication credentials were last verified.
      claims - JWT claims
  • Method Details

    • verify

      public static OidcIdToken verify(String jwt, WebKey issuerKey, OAuthClient client, String nonce, String accessToken, Duration maxAge)
      Parses and verifies an ID token encoded with JWS compact serialization.
      Parameters:
      jwt - JWS compact serialization
      issuerKey - Issuer public WebKey
      client - Client to which this token was issued
      nonce - One-Time number (nonce) value provided with the original authentication request
      accessToken - Access token issued with this ID token.
      maxAge - Maximum length of time to allow since the user's authentication credentials were last verified.
      Returns:
      OidcIdToken
    • decryptAndVerify

      public static OidcIdToken decryptAndVerify(String jwt, WebKey issuerKey, WebKey audienceKey, OAuthClient client, String nonce, String accessToken, Duration maxAge)
      Parses, decrypts (when the input is a JWE), and verifies an ID token encoded with JWS or JWE compact serialization.
      Parameters:
      jwt - JWS or JWE compact serialization
      issuerKey - Issuer public WebKey
      audienceKey - Audience private WebKey, ignored if the JWT is not encrypted
      client - Client to which this token was issued
      nonce - One-Time number (nonce) value provided with the original authentication request
      accessToken - Access token issued with this ID token.
      maxAge - Maximum length of time to allow since the user's authentication credentials were last verified.
      Returns:
      OidcIdToken wrapping the verified token claims
    • validateClaims

      public void validateClaims(URI expectedAudience, Duration ttl)
      Description copied from interface: WebToken
      Verify JWT registered claims are well-formed and within the allowed time window.

      In addition to the rules outlined in RFC-7519 JWT Section 4.1, REQUIRES the following claim values to be present and not empty:

      Specified by:
      validateClaims in interface WebToken
      Overrides:
      validateClaims in class Jwt
      Parameters:
      expectedAudience - Expected audience URI
      ttl - Maximum assertion time to live allowed by configuration
    • getFullName

      public String getFullName()
      Gets the full display name.
      Returns:
      full display name
    • getEmail

      public String getEmail()
      Gets the preferred email address.
      Returns:
      preferred email address
    • getAuthTime

      public Instant getAuthTime()
      Gets the point in time authentication occurred.
      Returns:
      auth_time claim
    • getRoles

      public Iterable<String> getRoles()
      Gets the roles that the authenticated user is authorized for.
      Returns:
      authorized roles
    • getAccessToken

      public String getAccessToken()
      Gets the access token provided with this ID token.
      Returns:
      access token
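The verify and decryptAndVerify methods above take a client, a nonce, an access token and a maxAge alongside the issuer key. The following is an added example, not code from the iu.auth.config or iu.crypt library, showing the OIDC Core ID token claim checks those parameters correspond to (iss, aud, nonce, exp/iat, auth_time against max_age, and at_hash against the access token) on a claim set that is assumed to have already been signature-verified and parsed. The class name IdTokenClaimCheck, the Claims record, the issuer URL, client id, nonce and access token values are all constructed for the illustration; how this library orders or names its own checks is not stated on the page.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Duration;
import java.time.Instant;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;

/** Hypothetical stand-alone ID token claim checker; not part of iu.auth.config. */
public final class IdTokenClaimCheck {

    /** Claims an OIDC ID token carries, as plain Java values (assumed already signature-verified). */
    record Claims(String iss, List<String> aud, String nonce, Instant iat, Instant exp,
                  Instant authTime, String atHash) {}

    /**
     * Applies the OIDC Core 3.1.3.7 ID token validation rules that map onto the
     * verify() parameters: issuer, audience (client id), time window, nonce,
     * auth_time against maxAge, and at_hash against the access token.
     */
    static void validate(Claims c, String expectedIssuer, String clientId, String expectedNonce,
                         String accessToken, Duration maxAge, String jwsAlg, Instant now) {
        require(expectedIssuer.equals(c.iss()), "iss mismatch");
        require(c.aud() != null && c.aud().contains(clientId), "aud does not contain client id");
        require(c.exp() != null && now.isBefore(c.exp()), "token expired");
        // allow 60s of clock skew on iat
        require(c.iat() != null && !c.iat().isAfter(now.plusSeconds(60)), "iat in the future");
        require(expectedNonce.equals(c.nonce()), "nonce mismatch");
        if (maxAge != null) {
            require(c.authTime() != null, "auth_time required when max_age was requested");
            require(!c.authTime().plus(maxAge).isBefore(now), "authentication too old for max_age");
        }
        if (accessToken != null) {
            require(c.atHash() != null, "at_hash required when an access token accompanies the ID token");
            require(constantTimeEquals(atHash(accessToken, jwsAlg), c.atHash()), "at_hash mismatch");
        }
    }

    /** at_hash: base64url (no padding) of the left half of the hash matching the JWS alg (RS256 -> SHA-256). */
    static String atHash(String accessToken, String jwsAlg) {
        String sha = switch (jwsAlg.substring(jwsAlg.length() - 3)) {
            case "256" -> "SHA-256";
            case "384" -> "SHA-384";
            case "512" -> "SHA-512";
            default -> throw new IllegalArgumentException("unsupported alg " + jwsAlg);
        };
        try {
            byte[] digest = MessageDigest.getInstance(sha)
                    .digest(accessToken.getBytes(StandardCharsets.US_ASCII));
            byte[] left = Arrays.copyOf(digest, digest.length / 2);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(left);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Compare hash strings without leaking position of the first mismatch. */
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.US_ASCII),
                                     b.getBytes(StandardCharsets.US_ASCII));
    }

    static void require(boolean ok, String msg) {
        if (!ok) throw new SecurityException("ID token rejected: " + msg);
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2024-01-01T12:00:00Z"); // constructed clock
        String token = "constructed-access-token";            // constructed access token value
        Claims good = new Claims("https://issuer.example", List.of("client-123"), "n-0S6_WzA2Mj",
                now.minusSeconds(5), now.plusSeconds(300), now.minusSeconds(120), atHash(token, "RS256"));
        validate(good, "https://issuer.example", "client-123", "n-0S6_WzA2Mj",
                 token, Duration.ofMinutes(5), "RS256", now);
        System.out.println("good token accepted");

        // The same token presented against a different request nonce must be rejected.
        try {
            validate(good, "https://issuer.example", "client-123", "other-nonce",
                     token, Duration.ofMinutes(5), "RS256", now);
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The nonce check is what binds the ID token to the authentication request the client actually sent, and the at_hash check binds it to the access token returned alongside it; the maxAge check rejects a token whose auth_time is older than the client is willing to accept even though the token itself has not expired.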