Module io.helidon.security.jwt

Package io.helidon.security.jwt

Class Jwt

java.lang.Object

io.helidon.security.jwt.Jwt

public class Jwt
extends Object

JWT token.

Representation of a JSON web token (a generic one).

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static final class	Jwt.Builder	Builder of a Jwt.
static final class	Jwt.ExpirationValidator	Deprecated, for removal: This API element is subject to removal in a future version. use JwtValidator.Builder.addExpirationValidator() instead
static final class	Jwt.FieldValidator	Deprecated, for removal: This API element is subject to removal in a future version. use JwtValidator.Builder.addFieldValidator(Consumer) instead
static final class	Jwt.IssueTimeValidator	Deprecated, for removal: This API element is subject to removal in a future version. use JwtValidator.Builder.addIssueTimeValidator() instead
static final class	Jwt.NotBeforeValidator	Deprecated, for removal: This API element is subject to removal in a future version. use JwtValidator.Builder.addNotBeforeValidator() instead

Method Summary

Modifier and Type	Method	Description
static void	addAudienceValidator(Collection<Validator<Jwt>> validators, String audience, boolean mandatory)	Deprecated, for removal: This API element is subject to removal in a future version. use JwtValidator.Builder.addAudienceValidator(Consumer) instead
static void	addAudienceValidator(Collection<Validator<Jwt>> validators, Set<String> audience, boolean mandatory)	Deprecated, for removal: This API element is subject to removal in a future version. use JwtValidator.Builder.addAudienceValidator(Consumer) instead
static void	addIssuerValidator(Collection<Validator<Jwt>> validators, String issuer, boolean mandatory)	Deprecated, for removal: This API element is subject to removal in a future version. use JwtValidator.Builder.addIssuerValidator(String, boolean) instead
static void	addMaxTokenAgeValidator(Collection<Validator<Jwt>> validators, Duration expectedMaxTokenAge, Duration clockSkew, boolean iatRequired)	Deprecated, for removal: This API element is subject to removal in a future version. use JwtValidator.Builder.addMaxTokenAgeValidator(Consumer) instead
Optional<JwtUtil.Address>	address()	Address claim.
static void	addUserPrincipalValidator(Collection<Validator<Jwt>> validators)	Deprecated, for removal: This API element is subject to removal in a future version. use JwtValidator.Builder.addUserPrincipalValidator() instead
Optional<String>	algorithm()	Algorithm claim.
Optional<byte[]>	atHash()	AtHash claim.
Optional<List<String>>	audience()	Audience claim.
Optional<LocalDate>	birthday()	Birthday claim.
static Jwt.Builder	builder()	Get a builder to create a JWT.
Optional<byte[]>	cHash()	CHash claim.
Optional<String>	contentType()	Content type claim.
static List<Validator<Jwt>>	defaultTimeValidators()	Deprecated, for removal: This API element is subject to removal in a future version. use JwtValidator.Builder.addDefaultTimeValidators() instead
static List<Validator<Jwt>>	defaultTimeValidators(Instant now, int timeSkewAmount, ChronoUnit timeSkewUnit, boolean mandatory)	Deprecated, for removal: This API element is subject to removal in a future version. use JwtValidator.Builder.addDefaultTimeValidators(Instant, Duration, boolean) instead
Optional<String>	email()	Email claim.
Optional<Boolean>	emailVerified()	Email verified claim.
Optional<Instant>	expirationTime()	Expiration time claim.
Optional<String>	familyName()	Family name claim.
Optional<String>	fullName()	Full name claim.
Optional<String>	gender()	Gender claim.
Optional<String>	givenName()	Given name claim.
Optional<JsonValue>	headerClaim(String claim)	Get a claim by its name from header.
JsonObject	headerJson()	Create a JSON header object.
JwtHeaders	headers()	Headers.
Optional<String>	issuer()	Issuer claim.
Optional<Instant>	issueTime()	Issue time claim.
Optional<String>	jwtId()	Jwt id claim.
Optional<String>	keyId()	Key id claim.
Optional<Locale>	locale()	Locale claim.
Optional<String>	middleName()	Middle name claim.
Optional<String>	nickname()	Nickname claim.
Optional<String>	nonce()	Nonce claim.
Optional<Instant>	notBefore()	Not before claim.
Optional<JsonValue>	payloadClaim(String claim)	Get a claim by its name from payload.
Map<String,JsonValue>	payloadClaims()	All payload claims in raw json form.
JsonObject	payloadJson()	Create a JSON payload object.
Optional<String>	phoneNumber()	Phone number claim.
Optional<Boolean>	phoneNumberVerified()	Phone number verified claim.
Optional<URI>	picture()	Picture URI claim.
Optional<String>	preferredUsername()	Preferred username claim.
Optional<URI>	profile()	Profile URI claim.
Optional<List<String>>	scopes()	Scopes of this token.
Optional<String>	subject()	Subject claim.
Optional<ZoneId>	timeZone()	Time Zone claim.
Optional<String>	type()	Type claim.
Optional<Instant>	updatedAt()	Updated at claim.
Optional<List<String>>	userGroups()	User groups claim ("groups" from microprofile specification).
Optional<String>	userPrincipal()	User principal claim ("upn" from microprofile specification).
Errors	validate(String issuer, String audience)	Deprecated, for removal: This API element is subject to removal in a future version. use JwtValidator.validate(Jwt) instead
Errors	validate(String issuer, String audience, boolean checkAudience)	Deprecated, for removal: This API element is subject to removal in a future version. use JwtValidator.validate(Jwt) instead
Errors	validate(String issuer, Set<String> audience)	Deprecated, for removal: This API element is subject to removal in a future version. use JwtValidator.validate(Jwt) instead
Errors	validate(String issuer, Set<String> audience, boolean checkAudience)	Deprecated, for removal: This API element is subject to removal in a future version. use JwtValidator.validate(Jwt) instead
Errors	validate(List<Validator<Jwt>> validators)	Deprecated, for removal: This API element is subject to removal in a future version. use JwtValidator.validate(Jwt) instead
Optional<URI>	website()	Website URI claim.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Details

defaultTimeValidators

@Deprecated(since="4.0.10",
            forRemoval=true)
public static List<Validator<Jwt>> defaultTimeValidators()

Deprecated, for removal: This API element is subject to removal in a future version.

use JwtValidator.Builder.addDefaultTimeValidators() instead

Return a list of validators to validate expiration time, issue time and not-before time. By default the time skew allowed is 5 seconds and all fields are optional.

Returns:

list of validators

defaultTimeValidators

@Deprecated(since="4.0.10",
            forRemoval=true)
public static List<Validator<Jwt>> defaultTimeValidators(Instant now,
 int timeSkewAmount,
 ChronoUnit timeSkewUnit,
 boolean mandatory)

Deprecated, for removal: This API element is subject to removal in a future version.

use JwtValidator.Builder.addDefaultTimeValidators(Instant, Duration, boolean) instead

Return a list of validators to validate expiration time, issue time and not-before time.

Parameters:

now - Time that acts as the "now" instant (this allows us to validate if a token was valid at an instant in the past

timeSkewAmount - time skew allowed when validating (amount - such as 5)

timeSkewUnit - time skew allowed when validating (unit - such as ChronoUnit.SECONDS)

mandatory - whether the field is mandatory. True for mandatory, false for optional (for all default time validators)

Returns:

list of validators

addIssuerValidator

@Deprecated(since="4.0.10",
            forRemoval=true)
public static void addIssuerValidator(Collection<Validator<Jwt>> validators,
 String issuer,
 boolean mandatory)

Deprecated, for removal: This API element is subject to removal in a future version.

use JwtValidator.Builder.addIssuerValidator(String, boolean) instead

Add validator of issuer to the collection of validators.

Parameters:

validators - collection of validators

issuer - issuer expected to be in the token

mandatory - whether issuer field is mandatory in the token (true - mandatory, false - optional)

addAudienceValidator

@Deprecated(since="4.0.10",
            forRemoval=true)
public static void addAudienceValidator(Collection<Validator<Jwt>> validators,
 String audience,
 boolean mandatory)

Deprecated, for removal: This API element is subject to removal in a future version.

use JwtValidator.Builder.addAudienceValidator(Consumer) instead

Add validator of audience to the collection of validators.

Parameters:

validators - collection of validators

audience - audience expected to be in the token, never null

mandatory - whether the audience field is mandatory in the token

addAudienceValidator

@Deprecated(since="4.0.10",
            forRemoval=true)
public static void addAudienceValidator(Collection<Validator<Jwt>> validators,
 Set<String> audience,
 boolean mandatory)

Deprecated, for removal: This API element is subject to removal in a future version.

use JwtValidator.Builder.addAudienceValidator(Consumer) instead

Add validator of audience to the collection of validators.

Parameters:

validators - collection of validators

audience - audience expected to be in the token

mandatory - whether the audience field is mandatory in the token

addMaxTokenAgeValidator

@Deprecated(since="4.0.10",
            forRemoval=true)
public static void addMaxTokenAgeValidator(Collection<Validator<Jwt>> validators,
 Duration expectedMaxTokenAge,
 Duration clockSkew,
 boolean iatRequired)

Deprecated, for removal: This API element is subject to removal in a future version.

use JwtValidator.Builder.addMaxTokenAgeValidator(Consumer) instead

Add validator of max token age to the collection of validators.

Parameters:

validators - collection of validators

expectedMaxTokenAge - max token age since issue time

clockSkew - clock skew

iatRequired - whether to fail if iat clam is present

builder

public static Jwt.Builder builder()

Get a builder to create a JWT.

Returns:

new builder

scopes

public Optional<List<String>> scopes()

Scopes of this token.

Returns:

list of scopes or empty if claim is not defined

headerClaim

public Optional<JsonValue> headerClaim(String claim)

Get a claim by its name from header.

Parameters:

claim - name of a claim

Returns:

claim value if present

payloadClaim

public Optional<JsonValue> payloadClaim(String claim)

Get a claim by its name from payload.

Parameters:

claim - name of a claim

Returns:

claim value if present

headers

public JwtHeaders headers()

Headers.

Returns:

JWT headers information

payloadClaims

public Map<String,JsonValue> payloadClaims()

All payload claims in raw json form.

Returns:

map of payload names to claims

algorithm

public Optional<String> algorithm()

Algorithm claim.

Returns:

algorithm or empty if claim is not defined

keyId

public Optional<String> keyId()

Key id claim.

Returns:

key id or empty if claim is not defined

type

public Optional<String> type()

Type claim.

Returns:

type or empty if claim is not defined

contentType

public Optional<String> contentType()

Content type claim.

Returns:

content type or empty if claim is not defined

issuer

public Optional<String> issuer()

Issuer claim.

Returns:

Issuer or empty if claim is not defined

expirationTime

public Optional<Instant> expirationTime()

Expiration time claim.

Returns:

expiration time or empty if claim is not defined

issueTime

public Optional<Instant> issueTime()

Issue time claim.

Returns:

issue time or empty if claim is not defined

notBefore

public Optional<Instant> notBefore()

Not before claim.

Returns:

not before or empty if claim is not defined

subject

public Optional<String> subject()

Subject claim.

Returns:

subject or empty if claim is not defined

userPrincipal

public Optional<String> userPrincipal()

User principal claim ("upn" from microprofile specification).

Returns:

user principal or empty if claim is not defined

userGroups

public Optional<List<String>> userGroups()

User groups claim ("groups" from microprofile specification).

Returns:

groups or empty if claim is not defined

audience

public Optional<List<String>> audience()

Audience claim.

Returns:

audience or empty if claim is not defined

jwtId

public Optional<String> jwtId()

Jwt id claim.

Returns:

jwt id or empty if claim is not defined

email

public Optional<String> email()

Email claim.

Returns:

email or empty if claim is not defined

emailVerified

public Optional<Boolean> emailVerified()

Email verified claim.

Returns:

email verified or empty if claim is not defined

fullName

public Optional<String> fullName()

Full name claim.

Returns:

full name or empty if claim is not defined

givenName

public Optional<String> givenName()

Given name claim.

Returns:

given name or empty if claim is not defined

middleName

public Optional<String> middleName()

Middle name claim.

Returns:

middle name or empty if claim is not defined

familyName

public Optional<String> familyName()

Family name claim.

Returns:

family name or empty if claim is not defined

locale

public Optional<Locale> locale()

Locale claim.

Returns:

locale or empty if claim is not defined

nickname

public Optional<String> nickname()

Nickname claim.

Returns:

nickname or empty if claim is not defined

preferredUsername

public Optional<String> preferredUsername()

Preferred username claim.

Returns:

preferred username or empty if claim is not defined

profile

public Optional<URI> profile()

Profile URI claim.

Returns:

profile URI or empty if claim is not defined

picture

public Optional<URI> picture()

Picture URI claim.

Returns:

picture URI or empty if claim is not defined

website

public Optional<URI> website()

Website URI claim.

Returns:

website URI or empty if claim is not defined

gender

public Optional<String> gender()

Gender claim.

Returns:

gender or empty if claim is not defined

birthday

public Optional<LocalDate> birthday()

Birthday claim.

Returns:

birthday or empty if claim is not defined

timeZone

public Optional<ZoneId> timeZone()

Time Zone claim.

Returns:

time zone or empty if claim is not defined

phoneNumber

public Optional<String> phoneNumber()

Phone number claim.

Returns:

phone number or empty if claim is not defined

phoneNumberVerified

public Optional<Boolean> phoneNumberVerified()

Phone number verified claim.

Returns:

phone number verified or empty if claim is not defined

updatedAt

public Optional<Instant> updatedAt()

Updated at claim.

Returns:

updated at or empty if claim is not defined

address

public Optional<JwtUtil.Address> address()

Address claim.

Returns:

address or empty if claim is not defined

atHash

public Optional<byte[]> atHash()

AtHash claim.

Returns:

atHash or empty if claim is not defined

cHash

public Optional<byte[]> cHash()

CHash claim.

Returns:

cHash or empty if claim is not defined

nonce

public Optional<String> nonce()

Nonce claim.

Returns:

nonce or empty if claim is not defined

headerJson

public JsonObject headerJson()

Create a JSON header object.

Returns:

JsonObject for header

payloadJson

public JsonObject payloadJson()

Create a JSON payload object.

Returns:

JsonObject for payload

validate

@Deprecated(since="4.0.10",
            forRemoval=true)
public Errors validate(List<Validator<Jwt>> validators)

Deprecated, for removal: This API element is subject to removal in a future version.

use JwtValidator.validate(Jwt) instead

Validate this JWT against provided validators.

This method does not work properly upon validation of the crit JWT header.

Parameters:

validators - Validators to validate with. Obtain them through (e.g.) defaultTimeValidators() , addAudienceValidator(Collection, String, boolean) , addIssuerValidator(Collection, String, boolean)

Returns:

errors instance to check if valid and access error messages

validate

@Deprecated(since="4.0.10",
            forRemoval=true)
public Errors validate(String issuer,
 String audience)

Deprecated, for removal: This API element is subject to removal in a future version.

use JwtValidator.validate(Jwt) instead

Validates all default values. Values validated:

• Expiration time if defined
• Issue time if defined
• Not before time if defined
• issuer() Issuer} if defined
• Audience if defined

Parameters:

issuer - validates that this JWT was issued by this issuer. Setting this to non-null value will make issuer claim mandatory

audience - validates that this JWT was issued for this audience. Setting this to non-null value will make audience claim mandatory

Returns:

errors instance to check for validation result

validate

@Deprecated(since="4.0.10",
            forRemoval=true)
public Errors validate(String issuer,
 String audience,
 boolean checkAudience)

Deprecated, for removal: This API element is subject to removal in a future version.

use JwtValidator.validate(Jwt) instead

Validates all default values. Values validated: validate(String, Set, boolean)

Parameters:

issuer - validates that this JWT was issued by this issuer. Setting this to non-null value will make issuer claim mandatory

audience - validates that this JWT was issued for this audience. Setting this to non-null value will make audience claim mandatory

checkAudience - whether audience claim validation should be executed

Returns:

errors instance to check for validation result

validate

@Deprecated(since="4.0.10",
            forRemoval=true)
public Errors validate(String issuer,
 Set<String> audience,
 boolean checkAudience)

Deprecated, for removal: This API element is subject to removal in a future version.

use JwtValidator.validate(Jwt) instead

Validates all default values. Values validated:

• Expiration time if defined
• Issue time if defined
• Not before time if defined
• issuer() Issuer} if defined
• Audience if defined

Parameters:

issuer - validates that this JWT was issued by this issuer. Setting this to non-null value will make issuer claim mandatory

audience - validates that this JWT was issued for this audience. Setting this to non-null value and with any non-null value in the Set will make audience claim mandatory

checkAudience - whether audience claim validation should be executed

Returns:

errors instance to check for validation result

validate

@Deprecated(since="4.0.10",
            forRemoval=true)
public Errors validate(String issuer,
 Set<String> audience)

Deprecated, for removal: This API element is subject to removal in a future version.

use JwtValidator.validate(Jwt) instead

Validates all default values. Audience claim check is not mandatory. Values validated: validate(String, Set, boolean)

Parameters:

issuer - validates that this JWT was issued by this issuer. Setting this to non-null value will make issuer claim mandatory

audience - validates that this JWT was issued for this audience. Setting this to non-null value and with any non-null value in the Set will make audience claim mandatory

Returns:

errors instance to check for validation result

addUserPrincipalValidator

@Deprecated(since="4.0.10",
            forRemoval=true)
public static void addUserPrincipalValidator(Collection<Validator<Jwt>> validators)

Deprecated, for removal: This API element is subject to removal in a future version.

use JwtValidator.Builder.addUserPrincipalValidator() instead

Adds a validator that makes sure the userPrincipal() is present.

Parameters:

validators - validator collection to update