org.xdi.oxd.server.op.Validator 連携図

公開メンバ関数
	Validator (Jwt idToken, OpenIdConfigurationResponse discoveryResponse, PublicOpKeyService keyService)

void	validateAccessToken (String accessToken)

void	validateAuthorizationCode (String code)

void	validateNonce (StateService stateService)

boolean	isIdTokenValid (String clientId)

void	validateIdToken (String clientId)

void	validateIdToken (String nonce, String clientId)

Jwt	getIdToken ()

静的公開メンバ関数
static RSASigner	createRSASigner (Jwt jwt, OpenIdConfigurationResponse discoveryResponse, PublicOpKeyService keyService)

非公開変数類
final Jwt	idToken

final OpenIdConfigurationResponse	discoveryResponse

final PublicOpKeyService	keyService

RSASigner	rsaSigner

静的非公開変数類
static final Logger	LOG = LoggerFactory.getLogger(Validator.class)

詳解

著者: Yuriy Zabrovarnyy

バージョン: 0.9, 14/03/2017

構築子と解体子

◆ Validator()

org.xdi.oxd.server.op.Validator.Validator	(	Jwt	idToken,
		OpenIdConfigurationResponse	discoveryResponse,
		PublicOpKeyService	keyService
	)

inline

                                                                                                                 {
         Preconditions.checkNotNull(idToken);
         Preconditions.checkNotNull(discoveryResponse);
 
         this.idToken = idToken;
         this.discoveryResponse = discoveryResponse;
         this.keyService = keyService;
         this.rsaSigner = createRSASigner(idToken, discoveryResponse, keyService);
     }

関数詳解

◆ createRSASigner()

static RSASigner org.xdi.oxd.server.op.Validator.createRSASigner	(	Jwt	jwt,
		OpenIdConfigurationResponse	discoveryResponse,
		PublicOpKeyService	keyService
	)

inlinestatic

                                                                                                                                    {
         final String jwkUrl = discoveryResponse.getJwksUri();
         final String kid = jwt.getHeader().getClaimAsString(JwtHeaderName.KEY_ID);
         final String algorithm = jwt.getHeader().getClaimAsString(JwtHeaderName.ALGORITHM);
         final SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.fromString(algorithm);
 
         final RSAPublicKey publicKey = keyService.getRSAPublicKey(jwkUrl, kid);
         return new RSASigner(signatureAlgorithm, publicKey);
     }

◆ getIdToken()

Jwt org.xdi.oxd.server.op.Validator.getIdToken ( )

inline

                             {
         return idToken;
     }

◆ isIdTokenValid()

boolean org.xdi.oxd.server.op.Validator.isIdTokenValid ( String clientId )

inline

                                                    {
         try {
             validateIdToken(clientId);
             return true;
         } catch (Exception e) {
             return false;
         }
     }

◆ validateAccessToken()

void org.xdi.oxd.server.op.Validator.validateAccessToken ( String accessToken )

inline

                                                         {
         if (!Strings.isNullOrEmpty(accessToken)) {
             if (!rsaSigner.validateAccessToken(accessToken, idToken)) {
                 throw new ErrorResponseException(ErrorResponseCode.INVALID_ACCESS_TOKEN_BAD_HASH);
             }
         }
     }

◆ validateAuthorizationCode()

void org.xdi.oxd.server.op.Validator.validateAuthorizationCode ( String code )

inline

                                                        {
         if (!Strings.isNullOrEmpty(code)) {
             if (!rsaSigner.validateAuthorizationCode(code, idToken)) {
                 throw new ErrorResponseException(ErrorResponseCode.INVALID_AUTHORIZATION_CODE_BAD_HASH);
             }
         }
     }

◆ validateIdToken() [1/2]

void org.xdi.oxd.server.op.Validator.validateIdToken ( String clientId )

inline

                                                  {
         validateIdToken(null, clientId);
     }

◆ validateIdToken() [2/2]

void org.xdi.oxd.server.op.Validator.validateIdToken	(	String	nonce,
		String	clientId
	)

inline

                                                                {
         try {
             final String issuer = idToken.getClaims().getClaimAsString(JwtClaimName.ISSUER);
             final String nonceFromToken = idToken.getClaims().getClaimAsString(JwtClaimName.NONCE);
             final String audienceFromToken = idToken.getClaims().getClaimAsString(JwtClaimName.AUDIENCE);
 
             if (!Strings.isNullOrEmpty(nonce) && !nonceFromToken.endsWith(nonce)) {
                 LOG.error("ID Token has invalid nonce. Expected nonce: " + nonce + ", nonce from token is: " + nonceFromToken);
                 throw new ErrorResponseException(ErrorResponseCode.INVALID_ID_TOKEN_BAD_NONCE);
             }
 
             if (!clientId.equalsIgnoreCase(audienceFromToken)) {
                 List<String> audAsList = idToken.getClaims().getClaimAsStringList(JwtClaimName.AUDIENCE);
                 if (audAsList != null && audAsList.size() == 1) {
                     if (!clientId.equalsIgnoreCase(audAsList.get(0))) {
                         LOG.error("ID Token has invalid audience (string list). Expected audience: " + clientId + ", audience from token is: " + audAsList);
                         throw new ErrorResponseException(ErrorResponseCode.INVALID_ID_TOKEN_BAD_AUDIENCE);
                     }
                 }
 
                 // somehow fetching string list does not return actual list, so we do this ugly trick to compare single valued array, more details in #178
                 boolean equalsWithSingleValuedArray = ("[\"" + clientId + "\"]").equalsIgnoreCase(audienceFromToken);
                 if (!equalsWithSingleValuedArray) {
                     LOG.error("ID Token has invalid audience (single valued array). Expected audience: " + clientId + ", audience from token is: " + audienceFromToken);
                     throw new ErrorResponseException(ErrorResponseCode.INVALID_ID_TOKEN_BAD_AUDIENCE);
                 }
             }
 
             final Date expiresAt = idToken.getClaims().getClaimAsDate(JwtClaimName.EXPIRATION_TIME);
             final Date now = new Date();
             if (now.after(expiresAt)) {
                 LOG.error("ID Token is expired. (It is after " + now + ").");
                 throw new ErrorResponseException(ErrorResponseCode.INVALID_ID_TOKEN_EXPIRED);
             }
 
             // 1. validate issuer
             if (!issuer.equals(discoveryResponse.getIssuer())) {
                 LOG.error("ID Token issuer is invalid. Token issuer: " + issuer + ", discovery issuer: " + discoveryResponse.getIssuer());
                 throw new ErrorResponseException(ErrorResponseCode.INVALID_ID_TOKEN_BAD_ISSUER);
             }
 
             // 2. validate signature
             boolean signature = rsaSigner.validate(idToken);
             if (!signature) {
                 final String jwkUrl = discoveryResponse.getJwksUri();
                 final String kid = idToken.getHeader().getClaimAsString(JwtHeaderName.KEY_ID);
 
                 keyService.refetchKey(jwkUrl, kid);
 
                 RSASigner signerWithRefreshedKey = createRSASigner(idToken, discoveryResponse, keyService);
                 signature = signerWithRefreshedKey.validate(idToken);
 
                 if (!signature) {
                     LOG.error("ID Token signature is invalid.");
                     throw new ErrorResponseException(ErrorResponseCode.INVALID_ID_TOKEN_BAD_SIGNATURE);
                 } else {
                     this.rsaSigner = signerWithRefreshedKey;
                 }
             }
         } catch (Exception e) {
             LOG.error(e.getMessage(), e);
             throw new ErrorResponseException(ErrorResponseCode.INVALID_ID_TOKEN_UNKNOWN);
         }
     }

◆ validateNonce()

void org.xdi.oxd.server.op.Validator.validateNonce ( StateService stateService )

inline

                                                          {
         final String nonceFromToken = idToken.getClaims().getClaimAsString(JwtClaimName.NONCE);
         if (!stateService.isNonceValid(nonceFromToken)) {
             throw new ErrorResponseException(ErrorResponseCode.INVALID_NONCE);
         }
     }

メンバ詳解

◆ discoveryResponse

final OpenIdConfigurationResponse org.xdi.oxd.server.op.Validator.discoveryResponse

private

◆ idToken

final Jwt org.xdi.oxd.server.op.Validator.idToken

private

◆ keyService

final PublicOpKeyService org.xdi.oxd.server.op.Validator.keyService

private

◆ LOG

final Logger org.xdi.oxd.server.op.Validator.LOG = LoggerFactory.getLogger(Validator.class)

staticprivate

◆ rsaSigner

RSASigner org.xdi.oxd.server.op.Validator.rsaSigner

private

このクラス詳解は次のファイルから抽出されました:

D:/AppData/OpenId/gluu/src/oxd/oxd-server/src/main/java/org/xdi/oxd/server/op/Validator.java

公開メンバ関数

静的公開メンバ関数

非公開変数類

静的非公開変数類

詳解

構築子と解体子

◆ Validator()

関数詳解

◆ createRSASigner()

◆ getIdToken()

◆ isIdTokenValid()

◆ validateAccessToken()

◆ validateAuthorizationCode()

◆ validateIdToken() [1/2]

◆ validateIdToken() [2/2]

◆ validateNonce()

メンバ詳解

◆ discoveryResponse

◆ idToken

◆ keyService

◆ LOG

◆ rsaSigner