diff --git a/docs/allclasses-index.html b/docs/allclasses-index.html index fe9b548..2145d67 100644 --- a/docs/allclasses-index.html +++ b/docs/allclasses-index.html @@ -1,7 +1,7 @@ - + All Classes and Interfaces (Javadoc) diff --git a/docs/allpackages-index.html b/docs/allpackages-index.html index b89d6d1..dd9c243 100644 --- a/docs/allpackages-index.html +++ b/docs/allpackages-index.html @@ -1,7 +1,7 @@ - + All Packages (Javadoc) diff --git a/docs/eu/righettod/InputFileType.html b/docs/eu/righettod/InputFileType.html index 80466b3..801cc7d 100644 --- a/docs/eu/righettod/InputFileType.html +++ b/docs/eu/righettod/InputFileType.html @@ -1,7 +1,7 @@ - + InputFileType (Javadoc) diff --git a/docs/eu/righettod/ProcessingMode.html b/docs/eu/righettod/ProcessingMode.html index 76b2c6c..c31be10 100644 --- a/docs/eu/righettod/ProcessingMode.html +++ b/docs/eu/righettod/ProcessingMode.html @@ -1,7 +1,7 @@ - + ProcessingMode (Javadoc) diff --git a/docs/eu/righettod/SecurityUtils.html b/docs/eu/righettod/SecurityUtils.html index e1339af..da55178 100644 --- a/docs/eu/righettod/SecurityUtils.html +++ b/docs/eu/righettod/SecurityUtils.html @@ -1,7 +1,7 @@ - + SecurityUtils (Javadoc) @@ -120,8 +120,10 @@

Method Summary

Perform a set of additional validations against a JWT token: + Do not use the NONE signature algorithm. + Have a EXP claim defined. + The token identifier (JTI claim) is NOT part of the list of revoked token. Match the expected type of token: ACCESS or ID or REFRESH. - The token ID (JTI claim) is NOT part of the list of revoked token.
static String
@@ -997,13 +999,15 @@

isXMLHaveCommentsOrXSLProcessingInstructions

  • applyJWTExtraValidation

    -
    public static boolean applyJWTExtraValidation(com.auth0.jwt.interfaces.DecodedJWT token, +
    public static boolean applyJWTExtraValidation(com.auth0.jwt.interfaces.DecodedJWT token, TokenType expectedTokenType, List<String> revokedTokenJTIList)
    Perform a set of additional validations against a JWT token:
      +
    • Do not use the NONE signature algorithm.
    • +
    • Have a EXP claim defined.
    • +
    • The token identifier (JTI claim) is NOT part of the list of revoked token.
    • Match the expected type of token: ACCESS or ID or REFRESH.
    • -
    • The token ID (JTI claim) is NOT part of the list of revoked token.
    Parameters:
    diff --git a/docs/eu/righettod/TokenType.html b/docs/eu/righettod/TokenType.html index e3f8c9c..dcb1192 100644 --- a/docs/eu/righettod/TokenType.html +++ b/docs/eu/righettod/TokenType.html @@ -1,7 +1,7 @@ - + TokenType (Javadoc) diff --git a/docs/eu/righettod/class-use/InputFileType.html b/docs/eu/righettod/class-use/InputFileType.html index e6f51be..13c4ef3 100644 --- a/docs/eu/righettod/class-use/InputFileType.html +++ b/docs/eu/righettod/class-use/InputFileType.html @@ -1,7 +1,7 @@ - + Uses of Enum Class eu.righettod.InputFileType (Javadoc) diff --git a/docs/eu/righettod/class-use/ProcessingMode.html b/docs/eu/righettod/class-use/ProcessingMode.html index 73c139a..1cae482 100644 --- a/docs/eu/righettod/class-use/ProcessingMode.html +++ b/docs/eu/righettod/class-use/ProcessingMode.html @@ -1,7 +1,7 @@ - + Uses of Enum Class eu.righettod.ProcessingMode (Javadoc) diff --git a/docs/eu/righettod/class-use/SecurityUtils.html b/docs/eu/righettod/class-use/SecurityUtils.html index 1da451c..3b68ab0 100644 --- a/docs/eu/righettod/class-use/SecurityUtils.html +++ b/docs/eu/righettod/class-use/SecurityUtils.html @@ -1,7 +1,7 @@ - + Uses of Class eu.righettod.SecurityUtils (Javadoc) diff --git a/docs/eu/righettod/class-use/TokenType.html b/docs/eu/righettod/class-use/TokenType.html index fbc497e..5b11177 100644 --- a/docs/eu/righettod/class-use/TokenType.html +++ b/docs/eu/righettod/class-use/TokenType.html @@ -1,7 +1,7 @@ - + Uses of Enum Class eu.righettod.TokenType (Javadoc) @@ -84,8 +84,10 @@

    Uses of Token
    Perform a set of additional validations against a JWT token: + Do not use the NONE signature algorithm. + Have a EXP claim defined. + The token identifier (JTI claim) is NOT part of the list of revoked token. Match the expected type of token: ACCESS or ID or REFRESH. - The token ID (JTI claim) is NOT part of the list of revoked token.

    diff --git a/docs/eu/righettod/package-summary.html b/docs/eu/righettod/package-summary.html index 6d26191..0678e9f 100644 --- a/docs/eu/righettod/package-summary.html +++ b/docs/eu/righettod/package-summary.html @@ -1,7 +1,7 @@ - + eu.righettod (Javadoc) diff --git a/docs/eu/righettod/package-tree.html b/docs/eu/righettod/package-tree.html index 09e9848..28502ba 100644 --- a/docs/eu/righettod/package-tree.html +++ b/docs/eu/righettod/package-tree.html @@ -1,7 +1,7 @@ - + eu.righettod Class Hierarchy (Javadoc) diff --git a/docs/eu/righettod/package-use.html b/docs/eu/righettod/package-use.html index 0c02b81..c6c4a29 100644 --- a/docs/eu/righettod/package-use.html +++ b/docs/eu/righettod/package-use.html @@ -1,7 +1,7 @@ - + Uses of Package eu.righettod (Javadoc) diff --git a/docs/help-doc.html b/docs/help-doc.html index 50498af..fdc7c52 100644 --- a/docs/help-doc.html +++ b/docs/help-doc.html @@ -1,7 +1,7 @@ - + API Help (Javadoc) diff --git a/docs/index-all.html b/docs/index-all.html index f80d56e..b4aa845 100644 --- a/docs/index-all.html +++ b/docs/index-all.html @@ -1,7 +1,7 @@ - + Index (Javadoc) @@ -61,8 +61,10 @@

    A

    Perform a set of additional validations against a JWT token: + Do not use the NONE signature algorithm. + Have a EXP claim defined. + The token identifier (JTI claim) is NOT part of the list of revoked token. Match the expected type of token: ACCESS or ID or REFRESH. - The token ID (JTI claim) is NOT part of the list of revoked token.
    applyURLDecoding(String, int) - Static method in class eu.righettod.SecurityUtils
    diff --git a/docs/index.html b/docs/index.html index 6c846bd..4fd4913 100644 --- a/docs/index.html +++ b/docs/index.html @@ -1,7 +1,7 @@ - + Javadoc diff --git a/docs/overview-tree.html b/docs/overview-tree.html index c74f1c6..0e7a0ac 100644 --- a/docs/overview-tree.html +++ b/docs/overview-tree.html @@ -1,7 +1,7 @@ - + Class Hierarchy (Javadoc) diff --git a/docs/search.html b/docs/search.html index 6ba50e4..2999707 100644 --- a/docs/search.html +++ b/docs/search.html @@ -1,7 +1,7 @@ - + Search (Javadoc) diff --git a/docs/src-html/eu/righettod/SecurityUtils.html b/docs/src-html/eu/righettod/SecurityUtils.html index 398d276..07d818d 100644 --- a/docs/src-html/eu/righettod/SecurityUtils.html +++ b/docs/src-html/eu/righettod/SecurityUtils.html 
@@ -1251,50 +1251,57 @@ 1238 /** 1239 * Perform a set of additional validations against a JWT token: 1240 * <ul> -1241 * <li>Match the expected type of token: ACCESS or ID or REFRESH.</li> -1242 * <li>The token ID (<a href="https://www.iana.org/assignments/jwt/jwt.xhtml">JTI claim</a>) is NOT part of the list of revoked token.</li> -1243 * </ul> -1244 * -1245 * @param token JWT token for which <b>signature was already validated</b> and on which a set of additional validations will be applied. -1246 * @param expectedTokenType The type of expected token using the enumeration provided. -1247 * @param revokedTokenJTIList A list of token identifier (<b>JTI</b> claim) referring to tokens that were revoked and to which the JTI claim of the token will be compared to. -1248 * @return True only the token pass all the validations. -1249 * @see "https://www.iana.org/assignments/jwt/jwt.xhtml" -1250 * @see "https://auth0.com/docs/secure/tokens/access-tokens" -1251 * @see "https://auth0.com/docs/secure/tokens/id-tokens" -1252 * @see "https://auth0.com/docs/secure/tokens/refresh-tokens" -1253 * @see "https://auth0.com/blog/id-token-access-token-what-is-the-difference/" -1254 * @see "https://jwt.io/libraries?language=Java" -1255 * @see "https://pentesterlab.com/blog/secure-jwt-library-design" -1256 * @see "https://github.com/auth0/java-jwt" -1257 */ -1258 public static boolean applyJWTExtraValidation(DecodedJWT token, TokenType expectedTokenType, List<String> revokedTokenJTIList) { -1259 boolean isValid = false; -1260 TokenType tokenType; -1261 try { -1262 String jti = token.getId(); -1263 if (jti != null && !jti.trim().isEmpty()) { -1264 boolean jtiIsRevoked = revokedTokenJTIList.stream().anyMatch(jti::equalsIgnoreCase); -1265 if (!jtiIsRevoked) { -1266 //Determine the token type based on the presence of specifics claims -1267 if (!token.getClaim("scope").isMissing()) { -1268 tokenType = TokenType.ACCESS; -1269 } else if (!token.getClaim("name").isMissing() || 
!token.getClaim("email").isMissing()) { -1270 tokenType = TokenType.ID; -1271 } else { -1272 tokenType = TokenType.REFRESH; -1273 } -1274 isValid = (tokenType.equals(expectedTokenType)); -1275 } -1276 } -1277 } catch (Exception e) { -1278 //In case of error then assume that the check failed -1279 isValid = false; -1280 } -1281 -1282 return isValid; -1283 } -1284} +1241 * <li>Do not use the <b>NONE</b> signature algorithm.</li> +1242 * <li>Have a <a href="https://www.iana.org/assignments/jwt/jwt.xhtml">EXP claim</a> defined.</li> +1243 * <li>The token identifier (<a href="https://www.iana.org/assignments/jwt/jwt.xhtml">JTI claim</a>) is NOT part of the list of revoked token.</li> +1244 * <li>Match the expected type of token: ACCESS or ID or REFRESH.</li> +1245 * </ul> +1246 * +1247 * @param token JWT token for which <b>signature was already validated</b> and on which a set of additional validations will be applied. +1248 * @param expectedTokenType The type of expected token using the enumeration provided. +1249 * @param revokedTokenJTIList A list of token identifier (<b>JTI</b> claim) referring to tokens that were revoked and to which the JTI claim of the token will be compared to. +1250 * @return True only the token pass all the validations. 
+1251 * @see "https://www.iana.org/assignments/jwt/jwt.xhtml" +1252 * @see "https://auth0.com/docs/secure/tokens/access-tokens" +1253 * @see "https://auth0.com/docs/secure/tokens/id-tokens" +1254 * @see "https://auth0.com/docs/secure/tokens/refresh-tokens" +1255 * @see "https://auth0.com/blog/id-token-access-token-what-is-the-difference/" +1256 * @see "https://jwt.io/libraries?language=Java" +1257 * @see "https://pentesterlab.com/blog/secure-jwt-library-design" +1258 * @see "https://github.com/auth0/java-jwt" +1259 */ +1260 public static boolean applyJWTExtraValidation(DecodedJWT token, TokenType expectedTokenType, List<String> revokedTokenJTIList) { +1261 boolean isValid = false; +1262 TokenType tokenType; +1263 try { +1264 if (!"none".equalsIgnoreCase(token.getAlgorithm().trim())) { +1265 if (!token.getClaim("exp").isMissing()) { +1266 String jti = token.getId(); +1267 if (jti != null && !jti.trim().isEmpty()) { +1268 boolean jtiIsRevoked = revokedTokenJTIList.stream().anyMatch(jti::equalsIgnoreCase); +1269 if (!jtiIsRevoked) { +1270 //Determine the token type based on the presence of specifics claims +1271 if (!token.getClaim("scope").isMissing()) { +1272 tokenType = TokenType.ACCESS; +1273 } else if (!token.getClaim("name").isMissing() || !token.getClaim("email").isMissing()) { +1274 tokenType = TokenType.ID; +1275 } else { +1276 tokenType = TokenType.REFRESH; +1277 } +1278 isValid = (tokenType.equals(expectedTokenType)); +1279 } +1280 } +1281 } +1282 } +1283 +1284 } catch (Exception e) { +1285 //In case of error then assume that the check failed +1286 isValid = false; +1287 } +1288 +1289 return isValid; +1290 } +1291}
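Review bot: The EXP check added at +1265 only tests that the claim key is present, so a token carrying `"exp": null` still passes `isMissing()`, and a value already in the past is not rejected by this method either; if expiry is meant to be enforced by the caller's signature-verification step, the Javadoc item "Have a EXP claim defined" should say that explicitly, otherwise the check should use the parsed value via `token.getExpiresAt()`. In the same spirit, `token.getAlgorithm().trim()` on +1264 only fails closed for a token without an `alg` header because the NullPointerException lands in the generic `catch (Exception e)`, which hides the real reason behind the failure. The conditions now nest five levels deep; inverting them into guard clauses keeps each rejection explicit and the type-detection logic at the end unchanged. A possible shape for the start of the try block (needs `com.auth0.jwt.interfaces.Claim`, `java.time.Instant` and `java.util.Date` in scope):
```java
public static boolean applyJWTExtraValidation(DecodedJWT token, TokenType expectedTokenType, List<String> revokedTokenJTIList) {
    boolean isValid = false;
    TokenType tokenType;
    try {
        // Reject the NONE algorithm explicitly rather than relying on an NPE when the header is absent
        String algorithm = token.getAlgorithm();
        if (algorithm == null || "none".equalsIgnoreCase(algorithm.trim())) {
            return false;
        }
        // EXP must be present, non-null and still in the future
        Claim expClaim = token.getClaim("exp");
        Date expiresAt = token.getExpiresAt();
        if (expClaim.isMissing() || expClaim.isNull() || expiresAt == null || !expiresAt.toInstant().isAfter(Instant.now())) {
            return false;
        }
        String jti = token.getId();
        if (jti == null || jti.trim().isEmpty()) {
            return false;
        }
        if (revokedTokenJTIList.stream().anyMatch(jti::equalsIgnoreCase)) {
            return false;
        }
        // … unchanged: token type determination from the scope/name/email claims and comparison with expectedTokenType …
    } catch (Exception e) {
        //In case of error then assume that the check failed
        isValid = false;
    }
    return isValid;
}
```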