Class JwtSvid

java.lang.Object
io.spiffe.svid.jwtsvid.JwtSvid

public class JwtSvid extends Object
Represents a SPIFFE JWT-SVID.
  • Method Details

    • parseAndValidate

      public static JwtSvid parseAndValidate(@NonNull String token, @NonNull BundleSource<JwtBundle> jwtBundleSource, @NonNull Set<String> audience) throws JwtSvidException, BundleNotFoundException, AuthorityNotFoundException
      Parses and validates a JWT-SVID token and returns an instance of JwtSvid.

      The JWT-SVID signature is verified using the JWT bundle source.

      Parameters:
      token - a token as a string that is parsed and validated
      jwtBundleSource - an implementation of a BundleSource that provides the JWT authorities to verify the signature
      audience - audience as a set of strings used to validate the 'aud' claim
      Returns:
      an instance of a JwtSvid with a SPIFFE ID parsed from the 'sub', audience from 'aud', and expiry from 'exp' claim.
      Throws:
      JwtSvidException - when the token expired or the expiration claim is missing, when the algorithm is not supported (see JwtSignatureAlgorithm), when the header 'kid' is missing, when the header 'typ' is present and is not 'JWT' or 'JOSE', when the signature cannot be verified, when the 'aud' claim has an audience that is not in the audience set provided as parameter
      IllegalArgumentException - when the token is blank or cannot be parsed
      BundleNotFoundException - if the bundle for the trust domain of the SPIFFE ID from the 'sub' claim cannot be found in the JwtBundleSource
      AuthorityNotFoundException - if the authority cannot be found in the bundle using the value from the 'kid' header
    • parseAndValidate

      public static JwtSvid parseAndValidate(@NonNull String token, @NonNull BundleSource<JwtBundle> jwtBundleSource, @NonNull Set<String> audience, String hint) throws JwtSvidException, BundleNotFoundException, AuthorityNotFoundException
      Parses and validates a JWT-SVID token and returns an instance of JwtSvid.

      The JWT-SVID signature is verified using the JWT bundle source.

      Parameters:
      token - a token as a string that is parsed and validated
      jwtBundleSource - an implementation of a BundleSource that provides the JWT authorities to verify the signature
      audience - audience as a set of strings used to validate the 'aud' claim
      hint - a hint that can be used to provide guidance on how this identity should be used
      Returns:
      an instance of a JwtSvid with a SPIFFE ID parsed from the 'sub', audience from 'aud', and expiry from 'exp' claim.
      Throws:
      JwtSvidException - when the token expired or the expiration claim is missing, when the algorithm is not supported (see JwtSignatureAlgorithm), when the header 'kid' is missing, when the header 'typ' is present and is not 'JWT' or 'JOSE', when the signature cannot be verified, when the 'aud' claim has an audience that is not in the audience set provided as parameter
      IllegalArgumentException - when the token is blank or cannot be parsed
      BundleNotFoundException - if the bundle for the trust domain of the SPIFFE ID from the 'sub' claim cannot be found in the JwtBundleSource
      AuthorityNotFoundException - if the authority cannot be found in the bundle using the value from the 'kid' header
    • parseInsecure

      public static JwtSvid parseInsecure(@NonNull String token, @NonNull Set<String> audience) throws JwtSvidException
      Parses and validates a JWT-SVID token and returns an instance of a JwtSvid.

      The JWT-SVID signature is not verified.

      Parameters:
      token - a token as a string that is parsed and validated
      audience - audience as a set of strings used to validate the 'aud' claim
      Returns:
      an instance of a JwtSvid with a SPIFFE ID parsed from the 'sub', audience from 'aud', and expiry from 'exp' claim.
      Throws:
      JwtSvidException - when the token expired or the expiration claim is missing, when the 'aud' claim has an audience that is not in the audience set provided as parameter, when the 'alg' is not supported (see JwtSignatureAlgorithm), when the header 'typ' is present and is not 'JWT' or 'JOSE'.
      IllegalArgumentException - when the token cannot be parsed
    • parseInsecure

      public static JwtSvid parseInsecure(@NonNull String token, @NonNull Set<String> audience, String hint) throws JwtSvidException
      Parses and validates a JWT-SVID token and returns an instance of a JwtSvid.

      The JWT-SVID signature is not verified.

      Parameters:
      token - a token as a string that is parsed and validated
      audience - audience as a set of strings used to validate the 'aud' claim
      hint - a hint that can be used to provide guidance on how this identity should be used
      Returns:
      an instance of a JwtSvid with a SPIFFE ID parsed from the 'sub', audience from 'aud', and expiry from 'exp' claim.
      Throws:
      JwtSvidException - when the token expired or the expiration claim is missing, when the 'aud' claim has an audience that is not in the audience set provided as parameter, when the 'alg' is not supported (see JwtSignatureAlgorithm), when the header 'typ' is present and is not 'JWT' or 'JOSE'.
      IllegalArgumentException - when the token cannot be parsed
    • marshal

      public String marshal()
      Returns the JWT-SVID marshaled to a string. The returned value is the same token value originally passed to the parseAndValidate method.
      Returns:
      the token as String
    • getExpiry

      public Date getExpiry()
      Returns a copy of the expiration date time of the JWT SVID.
      Returns:
      a copy of the expiration date time of the JWT SVID
    • getHint

      public String getHint()
      Returns the SVID hint.
      Returns:
      the SVID hint
    • getClaims

      public Map<String,Object> getClaims()
      Returns the map of claims.
      Returns:
      the map of claims
    • getAudience

      public Set<String> getAudience()
      Returns the Set of audiences.
      Returns:
      the Set of audiences
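
Added example (not part of the java-spiffe documentation or code base): one way a service could call parseAndValidate and fail closed on every exception listed above, then authorize the caller by its 'sub' claim. The class JwtSvidAuthenticator, its fields and the reject helper are hypothetical, and the import packages other than io.spiffe.svid.jwtsvid are assumed from the java-spiffe library layout.

```java
import io.spiffe.bundle.BundleSource;
import io.spiffe.bundle.jwtbundle.JwtBundle;
import io.spiffe.exception.AuthorityNotFoundException;
import io.spiffe.exception.BundleNotFoundException;
import io.spiffe.exception.JwtSvidException;
import io.spiffe.svid.jwtsvid.JwtSvid;
import java.util.Optional;
import java.util.Set;

/** Hypothetical helper: authenticates a bearer JWT-SVID and fails closed. */
public final class JwtSvidAuthenticator {
    private final BundleSource<JwtBundle> bundles; // trusted JWT authorities per trust domain
    private final Set<String> expectedAudience;    // identifiers this service accepts in 'aud'
    private final Set<String> allowedSubjects;     // SPIFFE IDs allowed to call this service

    public JwtSvidAuthenticator(BundleSource<JwtBundle> bundles,
                                Set<String> expectedAudience, Set<String> allowedSubjects) {
        this.bundles = bundles;
        this.expectedAudience = expectedAudience;
        this.allowedSubjects = allowedSubjects;
    }

    /** Returns the verified SVID, or empty when the token must be rejected. */
    public Optional<JwtSvid> authenticate(String token) {
        if (token == null) { return reject("missing token", null); }
        final JwtSvid svid;
        try {
            // Verifies signature, 'exp', 'aud', 'alg', 'kid' and 'typ' as documented above.
            svid = JwtSvid.parseAndValidate(token, bundles, expectedAudience);
        } catch (JwtSvidException | IllegalArgumentException e) {
            return reject("invalid token", e);
        } catch (BundleNotFoundException e) {
            return reject("no bundle for the token's trust domain", e);
        } catch (AuthorityNotFoundException e) {
            return reject("no authority for the token's 'kid'", e);
        }
        // A valid signature authenticates the caller; authorization is a separate check.
        Object sub = svid.getClaims().get("sub");
        if (!(sub instanceof String) || !allowedSubjects.contains(sub)) {
            return reject("caller not authorized", null);
        }
        return Optional.of(svid);
    }

    private static Optional<JwtSvid> reject(String reason, Exception cause) {
        System.err.println("JWT-SVID rejected: " + reason
                + (cause == null ? "" : " (" + cause.getMessage() + ")"));
        return Optional.empty();
    }
}
```

parseInsecure is left out of this path because, as documented above, it does not verify the signature.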