Class OidcJWTClaimsVerifier
java.lang.Object
com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier<com.nimbusds.jose.proc.SecurityContext>
org.mockserver.authentication.jwt.CustomJWTClaimsVerifier
org.mockserver.authentication.oidc.OidcJWTClaimsVerifier
- All Implemented Interfaces:
com.nimbusds.jwt.proc.ClockSkewAware, com.nimbusds.jwt.proc.JWTClaimsSetVerifier<com.nimbusds.jose.proc.SecurityContext>
Extends CustomJWTClaimsVerifier (which already enforces audience, exp/nbf
with skew, required claims and exact-match claims) to additionally assert, for an
external OIDC IdP:
- the iss claim equals the configured issuer, and
- the token's granted scopes (parsed from the configured scope claim) contain every required scope.
The exp claim is REQUIRED (passed as a required claim to the superclass):
Nimbus only checks expiry when the claim is present, so without this a token minted
with no exp would be accepted forever. A real OIDC token always carries
exp, so requiring it is secure-by-default with no legitimate downside.
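The exp behaviour described above, as an added example (not MockServer's own code): a hypothetical ScopeCheckingVerifier built directly on Nimbus's DefaultJWTClaimsVerifier accepts a claims set with no exp when exp is not listed as required, and rejects it when it is. The issuer URL, the scope value and the space-delimited "scope" claim name are assumptions.

```java
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import java.util.*;

public class ExpRequiredDemo {
    // Hypothetical stand-in for the checks described above: issuer exact match,
    // required claims, then a scope containment check.
    static class ScopeCheckingVerifier extends DefaultJWTClaimsVerifier<SecurityContext> {
        private final Set<String> requiredScopes;

        ScopeCheckingVerifier(String issuer, Set<String> requiredClaims, Set<String> requiredScopes) {
            super(new JWTClaimsSet.Builder().issuer(issuer).build(), requiredClaims);
            this.requiredScopes = requiredScopes;
        }

        @Override
        public void verify(JWTClaimsSet claims, SecurityContext ctx) throws BadJWTException {
            super.verify(claims, ctx); // iss match, required claims, exp/nbf only if present
            Object raw = claims.getClaim("scope"); // assumed claim name, space-delimited
            Set<String> granted = raw instanceof String
                ? new HashSet<String>(Arrays.asList(((String) raw).trim().split("\\s+")))
                : Collections.<String>emptySet();
            if (!granted.containsAll(requiredScopes)) {
                throw new BadJWTException("JWT missing required scope(s)");
            }
        }
    }

    static String check(ScopeCheckingVerifier v, JWTClaimsSet c) {
        try { v.verify(c, null); return "accepted"; }
        catch (BadJWTException e) { return "rejected: " + e.getMessage(); }
    }

    public static void main(String[] args) {
        String iss = "https://idp.example.test";               // constructed issuer
        Set<String> scopes = Collections.singleton("api.read"); // constructed scope
        // Constructed claims sets: one with no exp claim at all, one expiring in 60 s.
        JWTClaimsSet noExp = new JWTClaimsSet.Builder()
            .issuer(iss).subject("svc").claim("scope", "openid api.read").build();
        JWTClaimsSet withExp = new JWTClaimsSet.Builder(noExp)
            .expirationTime(new Date(System.currentTimeMillis() + 60_000)).build();
        ScopeCheckingVerifier lax = new ScopeCheckingVerifier(iss, Collections.<String>emptySet(), scopes);
        ScopeCheckingVerifier strict = new ScopeCheckingVerifier(iss, Collections.singleton("exp"), scopes);
        System.out.println("exp not required, no exp: " + check(lax, noExp));
        System.out.println("exp required, no exp:     " + check(strict, noExp));
        System.out.println("exp required, valid exp:  " + check(strict, withExp));
    }
}
```

Compile and run with the nimbus-jose-jwt jar on the classpath.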
Field Summary
Fields inherited from class com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier
DEFAULT_MAX_CLOCK_SKEW_SECONDS
Constructor Summary
Constructors
Method Summary
Modifier and Type: void
Method: verify(com.nimbusds.jwt.JWTClaimsSet claimsSet, com.nimbusds.jose.proc.SecurityContext context)
Methods inherited from class com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier
currentTime, getAcceptedAudienceValues, getExactMatchClaims, getMaxClockSkew, getProhibitedClaims, getRequiredClaims, setMaxClockSkew
Constructor Details
OidcJWTClaimsVerifier
Method Details
verify
public void verify(com.nimbusds.jwt.JWTClaimsSet claimsSet, com.nimbusds.jose.proc.SecurityContext context) throws com.nimbusds.jwt.proc.BadJWTException
- Specified by: verify in interface com.nimbusds.jwt.proc.JWTClaimsSetVerifier<com.nimbusds.jose.proc.SecurityContext>
- Overrides: verify in class CustomJWTClaimsVerifier
- Throws: com.nimbusds.jwt.proc.BadJWTException