Class ValidatorAccessTokenValidator
java.lang.Object
org.apache.kafka.common.security.oauthbearer.secured.ValidatorAccessTokenValidator
- All Implemented Interfaces:
AccessTokenValidator
ValidatorAccessTokenValidator is an implementation of AccessTokenValidator that the broker uses to perform more extensive validation of the JWT access token it receives from the client. The client itself obtained that token by posting its client credentials to the OAuth/OIDC provider's token endpoint.
The validation steps performed (primarily by the jose4j library) are:
- Basic structural validation of the b64token value as defined in RFC 6750 Section 2.1
- Basic conversion of the token into an in-memory data structure
- Presence of the scope, exp, subject, iss, and iat claims
- Signature validation against the kid and the keys provided by the OAuth/OIDC provider's JWKS
Constructor Summary
- ValidatorAccessTokenValidator(Integer clockSkew, Set<String> expectedAudiences, String expectedIssuer, org.jose4j.keys.resolvers.VerificationKeyResolver verificationKeyResolver, String scopeClaimName, String subClaimName)
  Creates a new ValidatorAccessTokenValidator that will be used by the broker for more thorough validation of the JWT.
Method Summary
- OAuthBearerToken validate(String accessToken)
  Accepts an OAuth JWT access token in base-64 encoded format, validates it, and returns an OAuthBearerToken.
Constructor Details
- ValidatorAccessTokenValidator
public ValidatorAccessTokenValidator(Integer clockSkew, Set<String> expectedAudiences, String expectedIssuer, org.jose4j.keys.resolvers.VerificationKeyResolver verificationKeyResolver, String scopeClaimName, String subClaimName)
Creates a new ValidatorAccessTokenValidator that will be used by the broker for more thorough validation of the JWT.
Parameters:
clockSkew - The optional value (in seconds) to allow for differences between the clock of the OAuth/OIDC identity provider and that of the broker. If null is provided, the broker and the OAuth/OIDC identity provider are assumed to have very closely synchronized clocks.
expectedAudiences - The (optional) set the broker will use to verify that the JWT was issued for one of the expected audiences. The JWT will be inspected for the standard OAuth aud claim and, if this value is set, the broker will check whether the value of the JWT's aud claim exactly matches one of the entries. If there is no match, the broker will reject the JWT and authentication will fail. May be null to skip any check that the JWT's aud claim matches a fixed set of known/expected audiences.
expectedIssuer - The (optional) value the broker will use to verify that the JWT was created by the expected issuer. The JWT will be inspected for the standard OAuth iss claim and, if this value is set, the broker will match it exactly against the JWT's iss claim. If there is no match, the broker will reject the JWT and authentication will fail. May be null to skip any check that the JWT's iss claim matches a specific issuer.
verificationKeyResolver - jose4j-based VerificationKeyResolver that is used to validate that the signature matches the contents of the header and payload
scopeClaimName - Name of the scope claim to use; must be non-null
subClaimName - Name of the subject claim to use; must be non-null
See Also:
JwtConsumerBuilder, JwtConsumer, VerificationKeyResolver
Method Details
- validate
public OAuthBearerToken validate(String accessToken)
Accepts an OAuth JWT access token in base-64 encoded format, validates it, and returns an OAuthBearerToken.
Specified by:
validate in interface AccessTokenValidator
Parameters:
accessToken - Non-null JWT access token
Returns:
OAuthBearerToken
Throws:
ValidateException - Thrown on errors performing validation of the given token
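As an added usage example (not part of the Kafka Javadoc or the project's own code), the following shows how a broker-side component would construct this validator and what it accepts and rejects. It uses jose4j's JwksVerificationKeyResolver over a locally generated key in place of the provider's JWKS and mints a constructed test token with that same key so it runs offline; class packages follow this page, and the issuer, audience, subject and scope values are made up.

```java
import java.util.List;
import java.util.Set;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
import org.apache.kafka.common.security.oauthbearer.secured.ValidateException;
import org.apache.kafka.common.security.oauthbearer.secured.ValidatorAccessTokenValidator;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jwk.RsaJwkGenerator;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.keys.resolvers.JwksVerificationKeyResolver;

public class BrokerTokenValidationExample {
    // Constructed test token: a local key signs it so the example runs offline.
    // A real broker never mints tokens; it only verifies ones from the provider.
    static String mintToken(RsaJsonWebKey key, String issuer, String audience) throws Exception {
        JwtClaims claims = new JwtClaims();
        claims.setIssuer(issuer);
        claims.setAudience(audience);
        claims.setSubject("client-app-1");
        claims.setIssuedAtToNow();
        claims.setExpirationTimeMinutesInTheFuture(5);
        claims.setClaim("scope", "kafka-cluster");
        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(claims.toJson());
        jws.setKey(key.getPrivateKey());
        jws.setKeyIdHeaderValue(key.getKeyId()); // kid must match a key known to the resolver
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
        return jws.getCompactSerialization();
    }

    public static void main(String[] args) throws Exception {
        RsaJsonWebKey key = RsaJwkGenerator.generateJwk(2048);
        key.setKeyId("example-kid");
        // Stands in for the provider's JWKS (a broker would normally resolve keys over HTTPS).
        JwksVerificationKeyResolver resolver = new JwksVerificationKeyResolver(List.<JsonWebKey>of(key));
        ValidatorAccessTokenValidator validator = new ValidatorAccessTokenValidator(
            30, Set.of("kafka-broker"), "https://idp.example/", resolver, "scope", "sub");
        OAuthBearerToken ok = validator.validate(mintToken(key, "https://idp.example/", "kafka-broker"));
        System.out.println("accepted principal=" + ok.principalName() + " scope=" + ok.scope());
        try { // same key, wrong issuer: the signature verifies but the iss check rejects the token
            validator.validate(mintToken(key, "https://other-idp.example/", "kafka-broker"));
        } catch (ValidateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The second call demonstrates why expectedIssuer should be set: a correctly signed token from any key the resolver trusts is still refused when its iss claim does not match the configured issuer.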