Package com.networknt.security
Class JwtVerifier
- java.lang.Object
- com.networknt.security.JwtVerifier
public class JwtVerifier extends Object
This is a new class that is designed as non-static to replace the JwtHelper, which is a static class. The reason is to pass the framework-specific security configuration so that security.yml can be eliminated for token verification. The JwtHelper will stay for a while for backward compatibility reasons, as it is a public class and users might use it in their applications. The only thing to remember is to have both security.yml and openapi-security.yml for the security configuration; there is overlap between these two files. To use this class, create an instance by passing in the security configuration and cache the instance in your app as a field or an instance variable.
- Author: Steve Hu
Field Summary
- static String ENABLE_VERIFY_JWT
- static String JWT_CERTIFICATE
- static String JWT_CLOCK_SKEW_IN_SECONDS
- static String JWT_CONFIG
- static String JWT_KEY_RESOLVER
- static String JWT_KEY_RESOLVER_JWKS
- static String JWT_KEY_RESOLVER_X509CERT
- static String KID
- static String SECURITY_CONFIG
-
Constructor Summary
- JwtVerifier(Map<String,Object> config)
-
Method Summary
- X509Certificate getCertForSign(String kid)
- X509Certificate getCertForToken(String kid)
- List getFingerPrints(): Get a list of certificate fingerprints for the server info endpoint so that the certification process in light-portal can detect whether your service still uses the default public key certificates provided by the light-4j framework.
- static String getJwtFromAuthorization(String authorization): Parse the JWT token from the Authorization header.
- X509Certificate readCertificate(String filename): Read a certificate from a file and convert it into an X509Certificate object.
- org.jose4j.jwt.JwtClaims verifyJwt(String jwt, boolean ignoreExpiry, boolean isToken): Kept for backward compatibility with callers that do not pass a VerificationKeyResolver.
- org.jose4j.jwt.JwtClaims verifyJwt(String jwt, boolean ignoreExpiry, boolean isToken, BiFunction<String,Boolean,org.jose4j.keys.resolvers.VerificationKeyResolver> getKeyResolver): Verify JWT token format and signature.
Field Detail
- KID: public static final String KID (See Also: Constant Field Values)
- SECURITY_CONFIG: public static final String SECURITY_CONFIG (See Also: Constant Field Values)
- JWT_CONFIG: public static final String JWT_CONFIG (See Also: Constant Field Values)
- JWT_CERTIFICATE: public static final String JWT_CERTIFICATE (See Also: Constant Field Values)
- JWT_CLOCK_SKEW_IN_SECONDS: public static final String JWT_CLOCK_SKEW_IN_SECONDS (See Also: Constant Field Values)
- ENABLE_VERIFY_JWT: public static final String ENABLE_VERIFY_JWT (See Also: Constant Field Values)
- JWT_KEY_RESOLVER: public static final String JWT_KEY_RESOLVER (See Also: Constant Field Values)
- JWT_KEY_RESOLVER_X509CERT: public static final String JWT_KEY_RESOLVER_X509CERT (See Also: Constant Field Values)
- JWT_KEY_RESOLVER_JWKS: public static final String JWT_KEY_RESOLVER_JWKS (See Also: Constant Field Values)
Method Detail
readCertificate
public X509Certificate readCertificate(String filename) throws Exception
Read a certificate from a file and convert it into an X509Certificate object.
- Parameters: filename - certificate file name
- Returns: X509Certificate object
- Throws: Exception - exception while reading the certificate
getJwtFromAuthorization
public static String getJwtFromAuthorization(String authorization)
Parse the JWT token from the Authorization header.
- Parameters: authorization - Authorization header value
- Returns: JWT token
verifyJwt
public org.jose4j.jwt.JwtClaims verifyJwt(String jwt, boolean ignoreExpiry, boolean isToken) throws org.jose4j.jwt.consumer.InvalidJwtException, ExpiredTokenException
This method is kept for backward compatibility with callers that do not pass a VerificationKeyResolver.
- Parameters: jwt - JWT token; ignoreExpiry - indicates whether expiry is ignored; isToken - indicates whether the JWT is a token
- Returns: JwtClaims
- Throws: org.jose4j.jwt.consumer.InvalidJwtException - thrown when the token is invalid; ExpiredTokenException - thrown when the token is expired
verifyJwt
public org.jose4j.jwt.JwtClaims verifyJwt(String jwt, boolean ignoreExpiry, boolean isToken, BiFunction<String,Boolean,org.jose4j.keys.resolvers.VerificationKeyResolver> getKeyResolver) throws org.jose4j.jwt.consumer.InvalidJwtException, ExpiredTokenException
Verify JWT token format and signature. If ignoreExpiry is true, expiry verification is skipped; otherwise the expiry is verified before the signature. In most cases the expiry of the JWT must be verified. The only time expiry verification should be ignored is in SPA middleware handlers, which need to verify the CSRF token in the JWT against the CSRF token in the request header in order to renew the expired token.
- Parameters: jwt - String of JSON Web Token; ignoreExpiry - if true, do not verify whether the token is expired; isToken - true if the JWT is an OAuth 2.0 access token; getKeyResolver - how to obtain the VerificationKeyResolver
- Returns: JwtClaims object
- Throws: org.jose4j.jwt.consumer.InvalidJwtException; ExpiredTokenException
getCertForToken
public X509Certificate getCertForToken(String kid)
-
getCertForSign
public X509Certificate getCertForSign(String kid)
-
getFingerPrints
public List getFingerPrints()
Get a list of certificate fingerprints for the server info endpoint so that the certification process in light-portal can detect whether your service still uses the default public key certificates provided by the light-4j framework. The default public key certificates are for dev only and should be replaced in any other environment, or set bootstrapFromKeyService: true if you are using light-oauth2 so that keys can be loaded dynamically.
- Returns: List of certificate fingerprints
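An added usage example (not light-4j's own code) showing how the class description, verifyJwt and getFingerPrints fit together in an application: one cached JwtVerifier built from the security config, an Authorization header mapped to distinct outcomes, and a startup check against the default dev certificates. It assumes light-4j's Config.getInstance().getJsonMapConfig(name) loader, that ExpiredTokenException lives in com.networknt.exception, that JwtVerifier.SECURITY_CONFIG names the security config, and a hypothetical TokenGate class.

```java
import com.networknt.config.Config;
import com.networknt.exception.ExpiredTokenException; // assumed package of ExpiredTokenException
import com.networknt.security.JwtVerifier;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import java.util.List;

public class TokenGate {
    // One verifier per application, built from the security config and cached, as the class
    // description recommends. Config.getInstance().getJsonMapConfig(name) is light-4j's config
    // loader; JwtVerifier.SECURITY_CONFIG is assumed to be the security config name.
    private static final JwtVerifier VERIFIER =
            new JwtVerifier(Config.getInstance().getJsonMapConfig(JwtVerifier.SECURITY_CONFIG));

    public enum Status { OK, MISSING, INVALID, EXPIRED }

    /** Status of one check plus the verified claims (non-null only when status is OK). */
    public static final class Outcome {
        public final Status status;
        public final JwtClaims claims;
        Outcome(Status status, JwtClaims claims) { this.status = status; this.claims = claims; }
    }

    // Verify the bearer token in an Authorization header value. Expiry is enforced
    // (ignoreExpiry=false) and the JWT is treated as an OAuth 2.0 access token (isToken=true);
    // ignoreExpiry=true belongs only in the SPA token-renewal path the verifyJwt Javadoc describes.
    public static Outcome check(String authorizationHeader) {
        if (authorizationHeader == null) return new Outcome(Status.MISSING, null);
        String jwt = JwtVerifier.getJwtFromAuthorization(authorizationHeader);
        if (jwt == null || jwt.isEmpty()) return new Outcome(Status.MISSING, null);
        try {
            return new Outcome(Status.OK, VERIFIER.verifyJwt(jwt, false, true));
        } catch (ExpiredTokenException e) {
            return new Outcome(Status.EXPIRED, null); // distinct reason: client may refresh
        } catch (InvalidJwtException e) {
            return new Outcome(Status.INVALID, null); // bad format or signature: log, generic 401
        }
    }

    // Startup guard: true if any fingerprint the verifier reports matches a known default
    // light-4j dev certificate. devFingerprints comes from the caller (the values light-portal's
    // certification process records); no fingerprint values are hard-coded here.
    @SuppressWarnings("unchecked")
    public static boolean usesDefaultDevCerts(List<String> devFingerprints) {
        List<String> reported = (List<String>) VERIFIER.getFingerPrints(); // raw List per Javadoc
        return reported.stream().anyMatch(devFingerprints::contains);
    }
}
```

Call usesDefaultDevCerts once at startup and refuse to serve outside dev when it returns true; call check per request and map EXPIRED and INVALID to separate 401 responses without echoing the token.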