public class JWTSignatureValidator extends java.lang.Object implements TokenValidator
It performs fast local token validation without the need to immediately contact the authorization server. For that it relies on the JWKS endpoint exposed by the authorization server, a standard OAuth2 / OpenID Connect public endpoint (advertised as jwks_uri in the server metadata) that publishes the public keys used to validate JWT signatures.
A single-threaded refresh job runs periodically, or as soon as a token signed with an unknown key is seen, and fetches the latest trusted public keys for signature validation from the authorization server. If a refresh fails, the job retries with exponential back-off, which keeps the window of being out of sync with the authorization server short while not flooding the server with endless consecutive requests.
| Constructor and Description |
|---|
| JWTSignatureValidator(java.lang.String keysEndpointUri, javax.net.ssl.SSLSocketFactory socketFactory, javax.net.ssl.HostnameVerifier verifier, PrincipalExtractor principalExtractor, java.lang.String validIssuerUri, int refreshSeconds, int refreshMinPauseSeconds, int expirySeconds, boolean checkAccessTokenType, java.lang.String audience, java.lang.String customClaimCheck) Create a new instance. |
| Modifier and Type | Method and Description |
|---|---|
| TokenInfo | validate(java.lang.String token) |
public JWTSignatureValidator(java.lang.String keysEndpointUri, javax.net.ssl.SSLSocketFactory socketFactory, javax.net.ssl.HostnameVerifier verifier, PrincipalExtractor principalExtractor, java.lang.String validIssuerUri, int refreshSeconds, int refreshMinPauseSeconds, int expirySeconds, boolean checkAccessTokenType, java.lang.String audience, java.lang.String customClaimCheck)
Parameters:
keysEndpointUri - The JWKS endpoint URL at the authorization server
socketFactory - The optional SSL socket factory to use when establishing the connection to the authorization server
verifier - The optional hostname verifier used to validate the TLS certificate presented by the authorization server
principalExtractor - The object used to extract the username from the JWT token
validIssuerUri - The required value of the 'iss' claim in the JWT token
refreshSeconds - The optional time interval between two consecutive regular JWKS keys refresh runs
refreshMinPauseSeconds - The optional minimum pause between two consecutive JWKS keys refreshes
expirySeconds - The maximum time to trust the unrefreshed JWKS keys. If the keys are not successfully refreshed within this time, validation starts failing.
checkAccessTokenType - Whether the 'typ' claim in the token should be validated (it must equal 'Bearer')
audience - The optional audience to check the token's 'aud' claim against
customClaimCheck - The optional JSONPath filter query for additional custom claim checking
public TokenInfo validate(java.lang.String token)
Specified by:
validate in interface TokenValidator
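The following is an added example, not Strimzi's code, that models in Python the behaviour described in the class description above and by the refreshSeconds, refreshMinPauseSeconds, expirySeconds, validIssuerUri, checkAccessTokenType and audience parameters: signatures are checked locally against a cached key set, an unknown 'kid' triggers an immediate refresh, failed refreshes back off exponentially, and validation fails closed once the cached keys are older than expirySeconds. Everything concrete in it is an assumption: HS256 keys stand in for the RSA/EC public keys a real JWKS carries (the Python standard library has no RSA), the back-off schedule (pause starting at the minimum pause, doubling per consecutive failure, capped at refreshSeconds) is a guess at the shape of the real one, the JWKS endpoint is a constructed in-memory stand-in, the issuer, key ids, secrets and tokens are constructed, the periodic job is represented by explicit refresh() calls with a simulated clock, and socketFactory, verifier and customClaimCheck are not modelled.

```python
# Added example, not Strimzi's code: a model of the flow this page describes.
# HS256 keys stand in for the public keys a real JWKS carries (the stdlib has no RSA).
import base64, hashlib, hmac, json
def b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

class JwksCache:
    """Trusted keys refreshed via fetch() -> {kid: key}.  Back-off policy is an assumption:
    the retry pause starts at min_pause, doubles per consecutive failure, caps at refresh_seconds."""
    def __init__(self, fetch, refresh_seconds, refresh_min_pause_seconds, expiry_seconds):
        self.fetch, self.keys = fetch, {}
        self.refresh_seconds, self.min_pause, self.expiry = refresh_seconds, refresh_min_pause_seconds, expiry_seconds
        self.last_success, self.next_allowed, self.failures = None, 0, 0

    def refresh(self, now):  # called by the periodic job and on unknown kid; True on success
        if now < self.next_allowed:  # minimum pause or back-off pause still in force
            return False
        try:
            self.keys = dict(self.fetch())
        except Exception:  # unreachable or erroring authorization server
            self.failures += 1
            self.next_allowed = now + min(self.min_pause * 2 ** (self.failures - 1), self.refresh_seconds)
            return False
        self.failures, self.last_success, self.next_allowed = 0, now, now + self.min_pause
        return True

    def key_for(self, kid, now):  # an unknown kid (key rotation) triggers an immediate refresh
        if kid not in self.keys:
            self.refresh(now)
        return self.keys.get(kid)

    def trusted(self, now):  # False once the cached keys are older than expirySeconds
        return self.last_success is not None and now - self.last_success <= self.expiry
class ValidationError(Exception): pass

class JwtValidator:
    def __init__(self, cache, valid_issuer, check_access_token_type=True, audience=None):
        self.cache, self.issuer, self.check_type, self.audience = cache, valid_issuer, check_access_token_type, audience

    def validate(self, token, now):  # return the claims of a valid token, else raise ValidationError
        try:
            h, p, s = token.split(".")
            header, claims, sig = json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)
        except ValueError:
            raise ValidationError("malformed token")
        if header.get("alg") != "HS256":  # pin the algorithm: reject 'none' and alg switching
            raise ValidationError("unexpected alg")
        if not self.cache.trusted(now):  # fail closed, as the expirySeconds parameter describes
            raise ValidationError("signing keys not refreshed within expirySeconds")
        key = self.cache.key_for(header.get("kid"), now)
        if key is None:
            raise ValidationError("unknown signing key")
        if not hmac.compare_digest(hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest(), sig):
            raise ValidationError("bad signature")
        aud = claims.get("aud")
        for failed, msg in ((claims.get("iss") != self.issuer, "wrong issuer"),
                            (self.check_type and claims.get("typ") != "Bearer", "not an access token"),
                            (self.audience and self.audience not in (aud if isinstance(aud, list) else [aud]), "wrong audience"),
                            (claims.get("exp", 0) <= now, "token expired")):
            if failed:
                raise ValidationError(msg)
        return claims

def mint(kid, key, claims):  # constructed token, as the authorization server would issue it
    h, p = (b64url_encode(json.dumps(x).encode()) for x in ({"alg": "HS256", "kid": kid}, claims))
    return f"{h}.{p}." + b64url_encode(hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest())

def demo():
    issuer, server = "https://sso.example/realms/demo", {"keys": {"k1": b"secret-1"}, "down": False}  # hypothetical
    def fetch():  # stand-in for the JWKS endpoint
        if server["down"]:
            raise ConnectionError("authorization server unreachable")
        return server["keys"]
    cache = JwksCache(fetch, refresh_seconds=300, refresh_min_pause_seconds=1, expiry_seconds=360)
    v = JwtValidator(cache, issuer, audience="kafka")
    def err(tok, now):  # the rejection reason, or None if the token was accepted
        try:
            v.validate(tok, now)
        except ValidationError as e:
            return str(e)
    base = {"iss": issuer, "typ": "Bearer", "aud": "kafka", "exp": 1000}
    cache.refresh(0)  # initial key load by the refresh job
    tok1 = mint("k1", b"secret-1", dict(base, sub="alice"))
    out = {"alice": v.validate(tok1, 10)["sub"]}
    server["keys"] = {"k1": b"secret-1", "k2": b"secret-2"}  # server rotates in a new key
    out["bob"] = v.validate(mint("k2", b"secret-2", dict(base, sub="bob")), 20)["sub"]  # unknown kid -> refresh
    server["down"] = True
    for t in (320, 321, 322):  # regular refresh runs: fail at 320 and 321; 322 falls inside the doubled pause
        cache.refresh(t)
    out["failures"], out["next_retry"] = cache.failures, cache.next_allowed
    out["still_trusted"] = v.validate(tok1, 370)["sub"]  # cached keys still within expirySeconds of last success
    out["keys_expired"] = err(tok1, 381)
    h, p, s = tok1.split(".")
    forged_p = b64url_encode(json.dumps(dict(base, sub="mallory")).encode())
    out["forged"] = err(f"{h}.{forged_p}.{s}", 10)  # payload edited, old signature kept
    none_h = b64url_encode(json.dumps({"alg": "none", "kid": "k1"}).encode())
    out["alg_none"] = err(f"{none_h}.{p}.", 10)  # unsigned token with alg=none
    return out
```

Running demo() walks through the cases a practitioner cares about: a valid token, a token signed with a freshly rotated key that is accepted only because the unknown kid forced a refresh, two failed refreshes followed by a suppressed attempt inside the doubled pause, a token that is still accepted while the cached keys are within expirySeconds, and then rejection once that window has passed, plus a forged payload and an alg=none token, both rejected before any claim is inspected. Note the order of checks: the algorithm is pinned and the signature verified before iss, typ, aud and exp are consulted, so unsigned or re-signed tokens never reach the claim checks.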
Copyright © 2021. All rights reserved.