TokenValidation overriding the Default Claimset Validation

Issue #176 resolved
Vinoj Mathew created an issue

Hi there,

I am using IDTokenValidator to validate the signature of the token.

By default it's doing the following things:

1) Identifying the key and doing the signature validation

2) If the signature validation is successful, it's doing the default claimset validation (per spec)

Is there any way we can avoid the ClaimSet validation? We should give users the provision to validate the claims or not ---> like a boolean attribute.

For us we only need to do signature Validation and if required do the Claimset Validation.

Thanks, Vinoj

Comments (12)

  1. Vinoj Mathew reporter

    Yes, we only need to validate the token where the current date is within nbf and the expiry date.

    We are looking for exactly what com.nimbusds.jwt.JWTClaimsSet.DefaultJWTClaimsVerifier is doing.

  2. Vinoj Mathew reporter

    Basically looking for the following things to do the validation.

    The user will have only two things:

    1) tokenId

    2) jwksURl

    Nice to have the following methods:

    IDTokenValidator( java.net.URL jwkSetURI) or

    IDTokenValidator(com.nimbusds.jose.proc.JWSKeySelector jwsKeySelector)

    Then we can use

    IDTokenValidator.validate(idtoken, nonce)

    Validation

    The user should have the provision to go for default validation ----> boolean set attribute to turn on/off

    The user should have the provision to go for all validation ----> boolean set attribute to turn on/off

    That way they can turn off all the validation, and if they specifically look for some validation they can add their own custom validator.

    Just sharing my thoughts here; I think this will give the flexibility to users for whatever they need.

    thanks Vinoj

  3. Connect2id OSS

    Hi,

    Here is a good solution: take a look at the generic JWT validator that comes in the base Nimbus JOSE+JWT library. With it you'll be able to set the claims validation any way you want to.

    http://static.javadoc.io/com.nimbusds/nimbus-jose-jwt/4.14/com/nimbusds/jwt/proc/DefaultJWTProcessor.html

    For examples and howto:

    http://connect2id.com/products/nimbus-jose-jwt/examples/validating-jwt-access-tokens

    For that you'll need the latest Nimbus JOSE+JWT version:

    <dependency>
        <groupId>com.nimbusds</groupId>
        <artifactId>nimbus-jose-jwt</artifactId>
        <version>4.15.1</version>
    </dependency>

    Happy coding!

  4. Vinoj Mathew reporter

    Thanks for the help.

    The latest revision pushed to the Maven repository is 4.15: http://mvnrepository.com/artifact/com.nimbusds/nimbus-jose-jwt

    Where do we get 4.15.1?

    I have a couple of questions along with it.

    Instead of passing the jwksurl, if I have the RSAKey is there any way I can pass it?

    - Can we get the provision of passing either the jwksURl or a securityKey?

    - Is there any default cache associated with the jwksURL? If so, does the user have the provision to set the timing?

    JWSKeySelector keySelector = new JWSVerificationKeySelector(expectedJWSAlg, keySource);

    Thanks, Vinoj

  5. Vinoj Mathew reporter

    Thanks, is there any solution for this?

    I have a couple of questions along with it.

    Instead of passing the jwksurl, if I have the RSAKey is there any way I can pass it?

    - Can we get the provision of passing either the jwksURl or a securityKey?

    - Is there any default cache associated with the jwksURL? If so, does the user have the provision to set the timing?

    JWSKeySelector keySelector = new JWSVerificationKeySelector(expectedJWSAlg, keySource);

    Thanks, Vinoj

  6. Connect2id OSS

    You can specify a key source by providing the keys directly as a JWK set:

    http://connect2id.com/products/nimbus-jose-jwt/examples/validating-jwt-access-tokens#key-sources

    If you need something more complicated, feel free to implement the JWKSource interfaces. It is very simple conceptually.

    The cache works as follows: On RemoteJWKSet construction the key material is fetched from the URL asynchronously. The cache is updated whenever the key selector tries to get a key with an unknown ID. There is no expiration time as such.
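    Added example (not code from the thread or from the Nimbus project) of what the two Connect2id replies describe: a DefaultJWTProcessor whose key source is a JWK set held in memory rather than a remote URL, and whose claims verifier checks only that the current time lies between nbf and exp, which is what the reporter asked for. It assumes the current Nimbus JOSE+JWT API (JWTClaimsSetVerifier, RSAKeyGenerator), which is newer than the 4.15.1 release mentioned above; the key id, subject and time window are constructed values.

```java
import java.util.Date;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import com.nimbusds.jwt.proc.JWTClaimsSetVerifier;

public class NbfExpOnlyValidation {

    // Replaces the default claims verifier: only the nbf/exp window is checked.
    // iss, aud, nonce etc. are deliberately NOT checked here; the caller must do that.
    static final class TimeWindowVerifier implements JWTClaimsSetVerifier<SecurityContext> {
        @Override
        public void verify(JWTClaimsSet claims, SecurityContext ctx) throws BadJWTException {
            Date now = new Date();
            Date exp = claims.getExpirationTime();
            Date nbf = claims.getNotBeforeTime();
            if (exp == null || !now.before(exp)) throw new BadJWTException("Missing or expired exp");
            if (nbf != null && now.before(nbf)) throw new BadJWTException("Token not yet valid (nbf)");
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed key pair; the public half is the JWK set the validator is given directly.
        RSAKey key = new RSAKeyGenerator(2048).keyID("demo-key").generate();
        JWKSource<SecurityContext> keySource = new ImmutableJWKSet<>(new JWKSet(key.toPublicJWK()));

        DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
        processor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, keySource));
        processor.setJWTClaimsSetVerifier(new TimeWindowVerifier());

        // Constructed token: valid from one minute ago for the next five minutes.
        long now = System.currentTimeMillis();
        JWTClaimsSet claims = new JWTClaimsSet.Builder().subject("alice")
                .notBeforeTime(new Date(now - 60_000)).expirationTime(new Date(now + 300_000)).build();
        SignedJWT jwt = new SignedJWT(new JWSHeader.Builder(JWSAlgorithm.RS256).keyID("demo-key").build(), claims);
        jwt.sign(new RSASSASigner(key));

        // Signature is checked against the JWK set first, then only the time window.
        JWTClaimsSet verified = processor.process(jwt.serialize(), null);
        System.out.println("verified subject: " + verified.getSubject());
    }
}
```

    A token whose nbf is in the future or whose exp has passed makes process() throw BadJWTException, while a token signed with a key not in the JWK set is rejected by the key selector before the claims verifier runs.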
