@ -261,6 +261,16 @@ public final class NimbusJwtDecoder implements JwtDecoder {
@@ -261,6 +261,16 @@ public final class NimbusJwtDecoder implements JwtDecoder {
return new SecretKeyJwtDecoderBuilder ( secretKey ) ;
}
/ * *
* Use the given { @code JWKSource } to create a JwkSourceJwtDecoderBuilder .
* @param jwkSource the JWK Source to use
* @return a { @link JwkSetUriJwtDecoderBuilder } for further configurations
* @since 7 . 0
* /
public static JwkSourceJwtDecoderBuilder withJwkSource ( JWKSource < SecurityContext > jwkSource ) {
return new JwkSourceJwtDecoderBuilder ( jwkSource ) ;
}
/ * *
* A builder for creating { @link NimbusJwtDecoder } instances based on a
* < a target = "_blank" href = "https://tools.ietf.org/html/rfc7517#section-5" > JWK Set < / a >
@ -535,6 +545,108 @@ public final class NimbusJwtDecoder implements JwtDecoder {
@@ -535,6 +545,108 @@ public final class NimbusJwtDecoder implements JwtDecoder {
}
/ * *
* A builder for creating { @link NimbusJwtDecoder } instances based on a
* { @code JWKSource } .
* /
public static final class JwkSourceJwtDecoderBuilder {
private static final JOSEObjectTypeVerifier < SecurityContext > NO_TYPE_VERIFIER = ( header , context ) - > {
} ;
private final Function < JWKSource < SecurityContext > , Set < JWSAlgorithm > > defaultAlgorithms = ( source ) - > Set
. of ( JWSAlgorithm . RS256 ) ;
private final JOSEObjectTypeVerifier < SecurityContext > typeVerifier = NO_TYPE_VERIFIER ;
private final Set < SignatureAlgorithm > signatureAlgorithms = new HashSet < > ( ) ;
private Consumer < ConfigurableJWTProcessor < SecurityContext > > jwtProcessorCustomizer ;
private final JWKSource < SecurityContext > jwkSource ;
private JwkSourceJwtDecoderBuilder ( JWKSource < SecurityContext > jwkSource ) {
Assert . notNull ( jwkSource , "jwkSource cannot be null" ) ;
this . jwkSource = jwkSource ;
this . jwtProcessorCustomizer = ( processor ) - > {
} ;
}
/ * *
* Append the given signing
* < a href = "https://tools.ietf.org/html/rfc7515#section-4.1.1" target =
* "_blank" > algorithm < / a > to the set of algorithms to use .
* @param signatureAlgorithm the algorithm to use
* @return a { @link JwkSourceJwtDecoderBuilder } for further configurations
* /
public JwkSourceJwtDecoderBuilder jwsAlgorithm ( SignatureAlgorithm signatureAlgorithm ) {
Assert . notNull ( signatureAlgorithm , "signatureAlgorithm cannot be null" ) ;
this . signatureAlgorithms . add ( signatureAlgorithm ) ;
return this ;
}
/ * *
* Configure the list of
* < a href = "https://tools.ietf.org/html/rfc7515#section-4.1.1" target =
* "_blank" > algorithms < / a > to use with the given { @link Consumer } .
* @param signatureAlgorithmsConsumer a { @link Consumer } for further configuring
* the algorithm list
* @return a { @link JwkSourceJwtDecoderBuilder } for further configurations
* /
public JwkSourceJwtDecoderBuilder jwsAlgorithms ( Consumer < Set < SignatureAlgorithm > > signatureAlgorithmsConsumer ) {
Assert . notNull ( signatureAlgorithmsConsumer , "signatureAlgorithmsConsumer cannot be null" ) ;
signatureAlgorithmsConsumer . accept ( this . signatureAlgorithms ) ;
return this ;
}
/ * *
* Use the given { @link Consumer } to customize the { @link JWTProcessor
* ConfigurableJWTProcessor } before passing it to the build
* { @link NimbusJwtDecoder } .
* @param jwtProcessorCustomizer the callback used to alter the processor
* @return a { @link JwkSourceJwtDecoderBuilder } for further configurations
* @since 5 . 4
* /
public JwkSourceJwtDecoderBuilder jwtProcessorCustomizer (
Consumer < ConfigurableJWTProcessor < SecurityContext > > jwtProcessorCustomizer ) {
Assert . notNull ( jwtProcessorCustomizer , "jwtProcessorCustomizer cannot be null" ) ;
this . jwtProcessorCustomizer = jwtProcessorCustomizer ;
return this ;
}
JWSKeySelector < SecurityContext > jwsKeySelector ( JWKSource < SecurityContext > jwkSource ) {
if ( this . signatureAlgorithms . isEmpty ( ) ) {
return new JWSVerificationKeySelector < > ( this . defaultAlgorithms . apply ( jwkSource ) , jwkSource ) ;
}
Set < JWSAlgorithm > jwsAlgorithms = new HashSet < > ( ) ;
for ( SignatureAlgorithm signatureAlgorithm : this . signatureAlgorithms ) {
JWSAlgorithm jwsAlgorithm = JWSAlgorithm . parse ( signatureAlgorithm . getName ( ) ) ;
jwsAlgorithms . add ( jwsAlgorithm ) ;
}
return new JWSVerificationKeySelector < > ( jwsAlgorithms , jwkSource ) ;
}
JWTProcessor < SecurityContext > processor ( ) {
ConfigurableJWTProcessor < SecurityContext > jwtProcessor = new DefaultJWTProcessor < > ( ) ;
jwtProcessor . setJWSTypeVerifier ( this . typeVerifier ) ;
jwtProcessor . setJWSKeySelector ( jwsKeySelector ( this . jwkSource ) ) ;
// Spring Security validates the claim set independent from Nimbus
jwtProcessor . setJWTClaimsSetVerifier ( ( claims , context ) - > {
} ) ;
this . jwtProcessorCustomizer . accept ( jwtProcessor ) ;
return jwtProcessor ;
}
/ * *
* Build the configured { @link NimbusJwtDecoder } .
* @return the configured { @link NimbusJwtDecoder }
* /
public NimbusJwtDecoder build ( ) {
return new NimbusJwtDecoder ( processor ( ) ) ;
}
}
/ * *
* A builder for creating { @link NimbusJwtDecoder } instances based on a public key .
* /
Mark Bonnekessel
7 months ago
committed by
Josh Cummings