TokenValidation overriding the Default Claimset Validation
Hi there,
I am using IDTokenValidator to validate the signature of the token.
By default it does the following things:
1) Identifying the key and doing the signature validation
2) If the signature validation is successful, it does the default claim set validation (per spec)
Is there any way we can avoid the claim set validation? We should give users the provision to validate the claims or not, like a boolean attribute.
For us we only need to do signature validation and, if required, do the claim set validation.
Thanks, Vinoj
Comments (12)
-
reporter -
Can you list the claims that you need to override?
The default claims set validator checks only the minimal amount of required stuff:
-
reporter Yes, we only need to validate the token where the current date is within the nbf and expiry dates.
We are looking for exactly what com.nimbusds.jwt.JWTClaimsSet.DefaultJWTClaimsVerifier is doing.
-
reporter Basically looking for the following things to do the validation.
The user will have only two things:
1) tokenId
2) jwksURL
Nice to have the following methods:
IDTokenValidator(java.net.URL jwkSetURI) or
IDTokenValidator(com.nimbusds.jose.proc.JWSKeySelector jwsKeySelector)
Then we can use
IDTokenValidator.validate(idtoken, nonce)
Validation:
- The user should have the provision to go for default validation ----> boolean set attribute to turn on/off
- The user should have the provision to go for all validation ----> boolean set attribute to turn on/off
So that way they can turn off all the validation, and if they specifically look for some validation they can add their own custom validator.
Just sharing my thoughts here; I think this will give the flexibility to users for whatever they need.
Thanks, Vinoj
-
Thanks for explaining the situation. We need to think about this :)
-
- changed status to resolved
Hi,
Here is a good solution: take a look at the generic JWT validator that comes in the base Nimbus JOSE+JWT library. With it you'll be able to set the claims validation any way you want to.
For examples and howto:
http://connect2id.com/products/nimbus-jose-jwt/examples/validating-jwt-access-tokens
For that you'll need the latest Nimbus JOSE+JWT version:
<dependency>
    <groupId>com.nimbusds</groupId>
    <artifactId>nimbus-jose-jwt</artifactId>
    <version>4.15.1</version>
</dependency>
Happy coding!
-
reporter Thanks for the help.
The latest revision pushed to the Maven repository is 4.15: http://mvnrepository.com/artifact/com.nimbusds/nimbus-jose-jwt
Where do we get 4.15.1?
I have a couple of questions along with it.
Instead of passing the jwksURL, if I have the RSAKey, is there any way I can pass it?
- Can we get the provision of passing either a jwksURL or a security key?
- Is there any default cache associated with the jwksURL? If so, does the user have the provision to set the timing?
JWSKeySelector keySelector = new JWSVerificationKeySelector(expectedJWSAlg, keySource);
Thanks, Vinoj
-
It's there, but the mirror that you cite hasn't picked it up yet:
http://search.maven.org/#artifactdetails|com.nimbusds|nimbus-jose-jwt|4.15.1|jar
-
reporter Thanks. Is there any solution for this?
I have a couple of questions along with it.
Instead of passing the jwksURL, if I have the RSAKey, is there any way I can pass it?
- Can we get the provision of passing either a jwksURL or a security key?
- Is there any default cache associated with the jwksURL? If so, does the user have the provision to set the timing?
JWSKeySelector keySelector = new JWSVerificationKeySelector(expectedJWSAlg, keySource);
Thanks, Vinoj
-
You can specify a key source by providing the keys directly as a JWK set:
http://connect2id.com/products/nimbus-jose-jwt/examples/validating-jwt-access-tokens#key-sources
If you need something more complicated, feel free to implement the JWKSource interfaces. It is very simple conceptually.
The cache works as follows: On RemoteJWKSet construction the key material is fetched from the URL asynchronously. The cache is updated whenever the key selector tries to get a key with an unknown ID. There is no expiration time as such.
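The two questions the thread settles on, "can I skip or narrow the claims check" and "can I supply my own RSAKey instead of a JWKS URL", can both be shown with the generic JWT processor the maintainer points to. The following is an added example written for this page against the 4.15.x API named in the thread; it is not code from the Nimbus project or from either participant. It assumes that passing null to setJWTClaimsVerifier makes DefaultJWTProcessor stop at signature verification (the 4.x processor only calls the verifier when one is set), that ImmutableJWKSet is the local-key JWKSource from the linked "key sources" section, and that the key ID, issuer and subject values are constructed for the demo. The class name SignatureOnlyThenClaims and the verifier TIME_WINDOW_ONLY are hypothetical names chosen here.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.JWSKeySelector;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import com.nimbusds.jwt.proc.JWTClaimsVerifier;

public class SignatureOnlyThenClaims {

    // Claims check narrowed to what the reporter asked for: nbf <= now < exp, nothing else.
    // (Hypothetical verifier written for this example.)
    static final JWTClaimsVerifier TIME_WINDOW_ONLY = new JWTClaimsVerifier() {
        @Override
        public void verify(JWTClaimsSet claims) throws BadJWTException {
            Date now = new Date();
            Date exp = claims.getExpirationTime();
            Date nbf = claims.getNotBeforeTime();
            if (exp == null) throw new BadJWTException("Missing exp claim");
            if (!now.before(exp)) throw new BadJWTException("Expired JWT");
            if (nbf != null && now.before(nbf)) throw new BadJWTException("JWT not yet valid");
        }
    };

    // Builds a processor whose keys come from a local JWK set (no jwks URL, no remote cache).
    // A null claimsVerifier is assumed to leave only the signature check in place.
    static ConfigurableJWTProcessor<SecurityContext> buildProcessor(JWKSet localKeys,
                                                                     JWTClaimsVerifier claimsVerifier) {
        ConfigurableJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
        JWKSource<SecurityContext> keySource = new ImmutableJWKSet<>(localKeys);
        JWSKeySelector<SecurityContext> keySelector =
            new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, keySource);
        processor.setJWSKeySelector(keySelector);
        processor.setJWTClaimsVerifier(claimsVerifier);
        return processor;
    }

    public static void main(String[] args) throws Exception {
        // Constructed key pair for the demo; in practice the RSAKey comes from your own key store.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        RSAKey rsaJWK = new RSAKey.Builder((RSAPublicKey) kp.getPublic())
            .privateKey((RSAPrivateKey) kp.getPrivate())
            .keyID("demo-key-1")                       // constructed key ID
            .build();
        JWKSet publicKeys = new JWKSet(rsaJWK.toPublicJWK());  // only the public half is needed to verify

        // Constructed token whose signature is valid but whose exp is one hour in the past.
        long now = System.currentTimeMillis();
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
            .subject("alice")                          // constructed
            .issuer("https://issuer.example")          // constructed
            .notBeforeTime(new Date(now - 7_200_000L))
            .expirationTime(new Date(now - 3_600_000L))
            .build();
        SignedJWT jwt = new SignedJWT(
            new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(rsaJWK.getKeyID()).build(), claims);
        jwt.sign(new RSASSASigner((RSAPrivateKey) kp.getPrivate()));
        String token = jwt.serialize();

        // 1) Signature only: the expired token is accepted, which is exactly the risk of
        //    turning the claims check off; only do this when another layer checks the times.
        JWTClaimsSet accepted = buildProcessor(publicKeys, null).process(token, null);
        System.out.println("signature-only accepted sub=" + accepted.getSubject());

        // 2) Signature plus the nbf/exp window: the same token is now rejected.
        try {
            buildProcessor(publicKeys, TIME_WINDOW_ONLY).process(token, null);
            System.out.println("unexpected: expired token passed the time-window check");
        } catch (BadJWTException e) {
            System.out.println("time-window check rejected token: " + e.getMessage());
        }
    }
}
```

Swapping ImmutableJWKSet for RemoteJWKSet(new URL(jwksURL)) gives the URL-based variant with the cache behaviour described above; everything else, including the pluggable claims verifier, stays the same. Later Nimbus releases renamed the verifier hook (JWTClaimsSetVerifier and setJWTClaimsSetVerifier), so check the version you are on before copying the method names.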
-
reporter thanks :)
-
You're welcome! Happy coding :)