java.lang.Object
io.helidon.security.jwt.Jwt

public class Jwt extends Object
JWT token.

Representation of a JSON web token (a generic one).

  • Method Details

    • defaultTimeValidators

      public static List<Validator<Jwt>> defaultTimeValidators()
      Return a list of validators to validate expiration time, issue time and not-before time. By default the time skew allowed is 5 seconds and all fields are optional.
      Returns:
      list of validators
    • defaultTimeValidators

      public static List<Validator<Jwt>> defaultTimeValidators(Instant now, int timeSkewAmount, ChronoUnit timeSkewUnit, boolean mandatory)
      Return a list of validators to validate expiration time, issue time and not-before time.
      Parameters:
      now - Time that acts as the "now" instant (this allows us to validate whether a token was valid at an instant in the past)
      timeSkewAmount - time skew allowed when validating (amount - such as 5)
      timeSkewUnit - time skew allowed when validating (unit - such as ChronoUnit.SECONDS)
      mandatory - whether the field is mandatory. True for mandatory, false for optional (for all default time validators)
      Returns:
      list of validators
    • addIssuerValidator

      public static void addIssuerValidator(Collection<Validator<Jwt>> validators, String issuer, boolean mandatory)
      Add validator of issuer to the collection of validators.
      Parameters:
      validators - collection of validators
      issuer - issuer expected to be in the token
      mandatory - whether issuer field is mandatory in the token (true - mandatory, false - optional)
    • addAudienceValidator

      public static void addAudienceValidator(Collection<Validator<Jwt>> validators, String audience, boolean mandatory)
      Add validator of audience to the collection of validators.
      Parameters:
      validators - collection of validators
      audience - audience expected to be in the token, never null
      mandatory - whether the audience field is mandatory in the token
    • addAudienceValidator

      public static void addAudienceValidator(Collection<Validator<Jwt>> validators, Set<String> audience, boolean mandatory)
      Add validator of audience to the collection of validators.
      Parameters:
      validators - collection of validators
      audience - audience expected to be in the token
      mandatory - whether the audience field is mandatory in the token
    • addMaxTokenAgeValidator

      public static void addMaxTokenAgeValidator(Collection<Validator<Jwt>> validators, Duration expectedMaxTokenAge, Duration clockSkew, boolean iatRequired)
      Add validator of max token age to the collection of validators.
      Parameters:
      validators - collection of validators
      expectedMaxTokenAge - max token age since issue time
      clockSkew - clock skew
      iatRequired - whether to fail if iat claim is present
    • builder

      public static Jwt.Builder builder()
      Get a builder to create a JWT.
      Returns:
      new builder
    • scopes

      public Optional<List<String>> scopes()
      Scopes of this token.
      Returns:
      list of scopes or empty if claim is not defined
    • headerClaim

      public Optional<JsonValue> headerClaim(String claim)
      Get a claim by its name from header.
      Parameters:
      claim - name of a claim
      Returns:
      claim value if present
    • payloadClaim

      public Optional<JsonValue> payloadClaim(String claim)
      Get a claim by its name from payload.
      Parameters:
      claim - name of a claim
      Returns:
      claim value if present
    • headers

      public JwtHeaders headers()
      Headers.
      Returns:
      JWT headers information
    • payloadClaims

      public Map<String,JsonValue> payloadClaims()
      All payload claims in raw json form.
      Returns:
      map of payload names to claims
    • algorithm

      public Optional<String> algorithm()
      Algorithm claim.
      Returns:
      algorithm or empty if claim is not defined
    • keyId

      public Optional<String> keyId()
      Key id claim.
      Returns:
      key id or empty if claim is not defined
    • type

      public Optional<String> type()
      Type claim.
      Returns:
      type or empty if claim is not defined
    • contentType

      public Optional<String> contentType()
      Content type claim.
      Returns:
      content type or empty if claim is not defined
    • issuer

      public Optional<String> issuer()
      Issuer claim.
      Returns:
      Issuer or empty if claim is not defined
    • expirationTime

      public Optional<Instant> expirationTime()
      Expiration time claim.
      Returns:
      expiration time or empty if claim is not defined
    • issueTime

      public Optional<Instant> issueTime()
      Issue time claim.
      Returns:
      issue time or empty if claim is not defined
    • notBefore

      public Optional<Instant> notBefore()
      Not before claim.
      Returns:
      not before or empty if claim is not defined
    • subject

      public Optional<String> subject()
      Subject claim.
      Returns:
      subject or empty if claim is not defined
    • userPrincipal

      public Optional<String> userPrincipal()
      User principal claim ("upn" from microprofile specification).
      Returns:
      user principal or empty if claim is not defined
    • userGroups

      public Optional<List<String>> userGroups()
      User groups claim ("groups" from microprofile specification).
      Returns:
      groups or empty if claim is not defined
    • audience

      public Optional<List<String>> audience()
      Audience claim.
      Returns:
      audience or empty if claim is not defined
    • jwtId

      public Optional<String> jwtId()
      Jwt id claim.
      Returns:
      jwt id or empty if claim is not defined
    • email

      public Optional<String> email()
      Email claim.
      Returns:
      email or empty if claim is not defined
    • emailVerified

      public Optional<Boolean> emailVerified()
      Email verified claim.
      Returns:
      email verified or empty if claim is not defined
    • fullName

      public Optional<String> fullName()
      Full name claim.
      Returns:
      full name or empty if claim is not defined
    • givenName

      public Optional<String> givenName()
      Given name claim.
      Returns:
      given name or empty if claim is not defined
    • middleName

      public Optional<String> middleName()
      Middle name claim.
      Returns:
      middle name or empty if claim is not defined
    • familyName

      public Optional<String> familyName()
      Family name claim.
      Returns:
      family name or empty if claim is not defined
    • locale

      public Optional<Locale> locale()
      Locale claim.
      Returns:
      locale or empty if claim is not defined
    • nickname

      public Optional<String> nickname()
      Nickname claim.
      Returns:
      nickname or empty if claim is not defined
    • preferredUsername

      public Optional<String> preferredUsername()
      Preferred username claim.
      Returns:
      preferred username or empty if claim is not defined
    • profile

      public Optional<URI> profile()
      Profile URI claim.
      Returns:
      profile URI or empty if claim is not defined
    • picture

      public Optional<URI> picture()
      Picture URI claim.
      Returns:
      picture URI or empty if claim is not defined
    • website

      public Optional<URI> website()
      Website URI claim.
      Returns:
      website URI or empty if claim is not defined
    • gender

      public Optional<String> gender()
      Gender claim.
      Returns:
      gender or empty if claim is not defined
    • birthday

      public Optional<LocalDate> birthday()
      Birthday claim.
      Returns:
      birthday or empty if claim is not defined
    • timeZone

      public Optional<ZoneId> timeZone()
      Time Zone claim.
      Returns:
      time zone or empty if claim is not defined
    • phoneNumber

      public Optional<String> phoneNumber()
      Phone number claim.
      Returns:
      phone number or empty if claim is not defined
    • phoneNumberVerified

      public Optional<Boolean> phoneNumberVerified()
      Phone number verified claim.
      Returns:
      phone number verified or empty if claim is not defined
    • updatedAt

      public Optional<Instant> updatedAt()
      Updated at claim.
      Returns:
      updated at or empty if claim is not defined
    • address

      public Optional<JwtUtil.Address> address()
      Address claim.
      Returns:
      address or empty if claim is not defined
    • atHash

      public Optional<byte[]> atHash()
      AtHash claim.
      Returns:
      atHash or empty if claim is not defined
    • cHash

      public Optional<byte[]> cHash()
      CHash claim.
      Returns:
      cHash or empty if claim is not defined
    • nonce

      public Optional<String> nonce()
      Nonce claim.
      Returns:
      nonce or empty if claim is not defined
    • headerJson

      public JsonObject headerJson()
      Create a JSON header object.
      Returns:
      JsonObject for header
    • payloadJson

      public JsonObject payloadJson()
      Create a JSON payload object.
      Returns:
      JsonObject for payload
    • validate

      public Errors validate(List<Validator<Jwt>> validators)
      Validate this JWT against provided validators.
      Parameters:
      validators - Validators to validate with. Obtain them through (e.g.) defaultTimeValidators(), addAudienceValidator(Collection, String, boolean), addIssuerValidator(Collection, String, boolean)
      Returns:
      errors instance to check if valid and access error messages
    • validate

      public Errors validate(String issuer, String audience)
      Validates all default values. Values validated:
      Parameters:
      issuer - validates that this JWT was issued by this issuer. Setting this to non-null value will make issuer claim mandatory
      audience - validates that this JWT was issued for this audience. Setting this to non-null value will make audience claim mandatory
      Returns:
      errors instance to check for validation result
    • validate

      public Errors validate(String issuer, String audience, boolean checkAudience)
      Validates all default values. Values validated: validate(String, Set, boolean)
      Parameters:
      issuer - validates that this JWT was issued by this issuer. Setting this to non-null value will make issuer claim mandatory
      audience - validates that this JWT was issued for this audience. Setting this to non-null value will make audience claim mandatory
      checkAudience - whether audience claim validation should be executed
      Returns:
      errors instance to check for validation result
    • validate

      public Errors validate(String issuer, Set<String> audience, boolean checkAudience)
      Validates all default values. Values validated:
      Parameters:
      issuer - validates that this JWT was issued by this issuer. Setting this to non-null value will make issuer claim mandatory
      audience - validates that this JWT was issued for this audience. Setting this to non-null value and with any non-null value in the Set will make audience claim mandatory
      checkAudience - whether audience claim validation should be executed
      Returns:
      errors instance to check for validation result
    • validate

      public Errors validate(String issuer, Set<String> audience)
      Validates all default values. Audience claim check is not mandatory. Values validated: validate(String, Set, boolean)
      Parameters:
      issuer - validates that this JWT was issued by this issuer. Setting this to non-null value will make issuer claim mandatory
      audience - validates that this JWT was issued for this audience. Setting this to non-null value and with any non-null value in the Set will make audience claim mandatory
      Returns:
      errors instance to check for validation result
    • addUserPrincipalValidator

      public static void addUserPrincipalValidator(Collection<Validator<Jwt>> validators)
      Adds a validator that makes sure the userPrincipal() is present.
      Parameters:
      validators - validator collection to update
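
Added example (not part of the Helidon Javadoc): the no-argument defaultTimeValidators() treats every time claim as optional, so the sketch below runs a token with no exp claim through that list and through a list built with mandatory set to true. The Jwt.Builder methods issuer, addAudience, subject, issueTime and build, and Errors.isValid(), are Helidon API assumed here rather than documented on this page; the issuer, audience and subject values are constructed.

```java
import io.helidon.common.Errors;
import io.helidon.security.jwt.Jwt;
import io.helidon.security.jwt.Validator;

import java.time.Duration;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.ArrayList;
import java.util.List;

public class StrictJwtClaims {
    // Constructed values for this example only.
    static final String ISSUER = "https://issuer.example";
    static final String AUDIENCE = "orders-api";

    /** Validator list in which exp, iat, nbf, iss, aud and upn must all be present. */
    static List<Validator<Jwt>> strictValidators(Instant now) {
        // Copy into a mutable list; mandatory=true applies to all default time validators.
        List<Validator<Jwt>> validators =
                new ArrayList<>(Jwt.defaultTimeValidators(now, 5, ChronoUnit.SECONDS, true));
        Jwt.addIssuerValidator(validators, ISSUER, true);
        Jwt.addAudienceValidator(validators, AUDIENCE, true);
        // Max age of 10 minutes since issue time, with 5 seconds of clock skew.
        Jwt.addMaxTokenAgeValidator(validators, Duration.ofMinutes(10), Duration.ofSeconds(5), true);
        Jwt.addUserPrincipalValidator(validators);
        return validators;
    }

    public static void main(String[] args) {
        Instant now = Instant.now();
        // Constructed token: issuer, audience, subject and iat only (no exp, nbf or upn).
        // Builder method names are assumed from Helidon's Jwt.Builder.
        Jwt jwt = Jwt.builder()
                .issuer(ISSUER)
                .addAudience(AUDIENCE)
                .subject("alice")
                .issueTime(now.minusSeconds(30))
                .build();

        // Time claims are optional in the default list, mandatory in the strict one.
        Errors lenient = jwt.validate(Jwt.defaultTimeValidators());
        Errors strict = jwt.validate(strictValidators(now));

        System.out.println("default time validators, valid: " + lenient.isValid());
        System.out.println("strict validators, valid: " + strict.isValid());
        System.out.println(strict); // validation messages collected by the strict list
    }
}
```

These validators inspect claims only; they say nothing about whether the token's signature was verified.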