Class OidcClientHelper
- java.lang.Object
  - com.ibm.websphere.security.oidc.util.OidcClientHelper
Direct Known Subclasses:
- OauthClientHelper
public class OidcClientHelper extends java.lang.Object
This API has utility methods for interacting with the OpenID Connect (OIDC) Relying Party (RP) TAI.
This API contains two sets of methods: one set that operates on the runAs subject and another that operates on a Subject that is passed into the method. If you are running the methods from a business application, the standard versions that use the runAs subject will suffice. However, if you are running the methods from a JAAS login module, there are conditions where the runAs subject has not yet been updated with the OIDC data although the JAAS Subject has. In this case, use the set of methods where you pass the Subject into the method.
The OidcClientHelper class can be found in the following jars:
- plugins/com.ibm.ws.security.oidc.client.jar
- dev/was_public.jar
Sample code to get the JWT claims from an ID token on the runAs Subject:
    String idTokenJwt = OidcClientHelper.getIdTokenFromSubject();
    // get the claims string
    String idTokenClaims = OidcClientHelper.getJwtClaimsAsString(idTokenJwt);
    // -or- get the claims map
    Map<String,Object> claimsMap = OidcClientHelper.getJwtClaimsAsMap(idTokenJwt);
Sample code to get the Introspection response from the runAs subject as a Map:
    String response = OidcClientHelper.getIntrospectionResponseFromSubject();
    Map<String,Object> map = OidcClientHelper.json2map(response);

Constructor Summary
Constructor and Description:
- OidcClientHelper()

Method Summary
Methods (modifier and type, method and description):
- static java.lang.String getAccessTokenFromSubject()
  Retrieve the access token from the current runAs Subject. In the OpenID Connect scenario, this is the access_token that is returned from the provider.
- static java.lang.String getAccessTokenFromSubject(javax.security.auth.Subject subj)
  Retrieve the access token from the input Subject. In the OpenID Connect scenario, this is the access_token that is returned from the provider.
- static java.lang.String getClientCredentialsGrantAccessToken()
  Deprecated.
- static java.lang.String getEndSessionEndpoint()
  Retrieve the end session endpoint associated with the access token on the current runAs Subject.
- static java.lang.String getEndSessionEndpoint(javax.security.auth.Subject subj)
  Retrieve the end session endpoint associated with the access token from the input Subject.
- static java.lang.String getIdTokenFromSubject()
  Retrieve the ID token from the current runAs Subject. This String is the id_token JSON Web Token (JWT) that is returned from the OpenID provider.
- static java.lang.String getIdTokenFromSubject(javax.security.auth.Subject subj)
  Retrieve the ID token from the input Subject. This String is the id_token JWT that is returned from the OpenID provider.
- static java.lang.String getIntrospectionResponseFromSubject()
  Retrieve the introspection response String from the current runAs Subject.
- static java.lang.String getIntrospectionResponseFromSubject(javax.security.auth.Subject subj)
  Retrieve the introspection response String from the input Subject.
- static java.util.Map<java.lang.String,java.lang.Object> getJwtClaimsAsMap(java.lang.String jwtString)
  Get the JWT claims from a JWT as a Map.
- static java.lang.String getJwtClaimsAsString(java.lang.String jwtString)
  Get the JWT claims from a JWT as a JSON String.
- static java.lang.String getJwtFromSubject()
  Retrieve the JWT Authentication token from the current runAs Subject.
- static java.lang.String getJwtFromSubject(javax.security.auth.Subject subj)
  Retrieve the JWT Authentication token from the input Subject.
- static java.lang.String getRefreshTokenFromSubject()
  Retrieve the refresh token from the current runAs Subject.
- static java.lang.String getRefreshTokenFromSubject(javax.security.auth.Subject subj)
  Retrieve the refresh token from the input Subject.
- static javax.security.auth.Subject getRunAsSubject()
  Returns a JAAS subject that represents the RunAs identity.
- static java.lang.String getScopeFromSubject()
  Retrieve the scope of the access token from the current runAs Subject.
- static java.lang.String getScopeFromSubject(javax.security.auth.Subject subj)
  Retrieve the scope of the access token from the input Subject.
- static java.lang.String getTokenTypeFromSubject()
  Retrieve the token type from the current runAs Subject.
- static java.lang.String getTokenTypeFromSubject(javax.security.auth.Subject subj)
  Retrieve the token type from the input Subject.
- static java.lang.String getUserInfoFromServer()
  Retrieve the userInfo associated with the access token from the configured userinfoEndpointUrl.
- static java.lang.String getUserInfoFromServer(javax.security.auth.Subject subj)
  Retrieve the userInfo associated with the access token from the configured userinfoEndpointUrl.
- static java.lang.String getUserInfoFromSubject()
  Retrieve the userInfo associated with the access token from the current runAs Subject.
- static java.lang.String getUserInfoFromSubject(javax.security.auth.Subject subj)
  Retrieve the userInfo associated with the access token from the input Subject.
- static java.lang.String getValidAccessToken()
  Retrieve a valid access token based on the access token in the current runAs Subject.
- static java.lang.String getValidAccessToken(javax.security.auth.Subject subj)
  Retrieve a valid access token based on the access token in the input Subject.
- static java.util.Map<java.lang.String,java.lang.Object> json2map(java.lang.String jsonString)
  Convert a JSON String to a Map.
- static void logout(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse rsp)
  Invoke the OIDC TAI's logout method that is ordinarily invoked by HttpServletRequest.logout and ibm_security_logout. This method deletes cookies (through the HttpServletResponse object), removes cache entries, and if configured to do so, sends a request to the OP to revoke tokens and redirects the request to the OP's end session endpoint.
- static void logout(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse rsp, java.lang.String endSessionRedirectUrl)
  Invoke the OIDC TAI's logout method that is ordinarily invoked by HttpServletRequest.logout and ibm_security_logout. This method deletes cookies (through the HttpServletResponse object), removes cache entries, and if configured to do so, sends a request to the OP to revoke tokens and redirects the request to the OP's end session endpoint.
- static void opLogout(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse rsp)
  Invoke the OIDC TAI's logout method that is ordinarily invoked by HttpServletRequest.logout and ibm_security_logout. This method deletes cookies (through the HttpServletResponse object), removes cache entries, and if configured to do so, sends a request to the OP to revoke tokens and redirects the request to the OP's end session endpoint.
- static void opLogout(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse rsp, java.lang.String endSessionRedirectUrl)
  Invoke the OIDC TAI's logout method that is ordinarily invoked by HttpServletRequest.logout and ibm_security_logout. This method deletes cookies (through the HttpServletResponse object), removes cache entries, and if configured to do so, sends a request to the OP to revoke tokens and redirects the request to the OP's end session endpoint.
- static boolean verifyJwt(java.lang.String jwtString)
  Verify a JWT. To find the information required to verify the JWT, this method will first attempt to find an OIDC TAI config entry that matches the iss claim in the JWT.
- static boolean verifyJwt(java.lang.String jwtString, java.lang.String defaultIssuer)
  Verify a JWT. To find the information required to verify the JWT, this method will first attempt to find an OIDC TAI config entry that matches the issuer.
- static boolean verifyJwtUsingDiscovery(java.lang.String jwtString)
  Verify a JWT using discovery. This method will obtain the information to verify the JWT using discovery.
- static boolean verifyJwtUsingDiscovery(java.lang.String jwtString, java.lang.String discoveryUrl)
  Verify a JWT using discovery. This method will obtain the information to verify the JWT using the specified discovery endpoint.
- static boolean verifyJwtUsingTAIConfig(java.lang.String jwtString)
  Verify a JWT using the OpenID Connect (OIDC) TAI configuration. To find the information required to verify the JWT, this method will attempt to find an OIDC TAI config entry that matches the iss claim in the JWT.
- static boolean verifyJwtUsingTAIConfig(java.lang.String jwtString, java.lang.String defaultIssuer)
  Verify a JWT using the OpenID Connect (OIDC) TAI configuration. To find the information required to verify the JWT, this method will attempt to find an OIDC TAI config entry that matches the issuer.

Method Detail
getIdTokenFromSubject
public static java.lang.String getIdTokenFromSubject() throws java.lang.Exception
Retrieve the ID token from the current runAs Subject. This String is the id_token JSON Web Token (JWT) that is returned from the OpenID provider.
- Returns:
- The ID token String or null if there is no ID token on the Subject
- Throws:
- java.lang.Exception - if an error occurs either while obtaining the runAs Subject or accessing the private credentials.

getIdTokenFromSubject
public static java.lang.String getIdTokenFromSubject(javax.security.auth.Subject subj) throws java.lang.Exception
Retrieve the ID token from the input Subject. This String is the id_token JWT that is returned from the OpenID provider.
- Returns:
- The ID token String or null if there is no ID token on the Subject
- Throws:
- java.lang.Exception - if an error occurs when accessing the private credentials in the Subject.

getAccessTokenFromSubject
public static java.lang.String getAccessTokenFromSubject() throws java.lang.Exception
Retrieve the access token from the current runAs Subject.
- In the OpenID Connect scenario, this is the access_token that is returned from the provider. Depending on your provider's implementation, this value may be opaque or a JWT.
- In the JWT Authentication scenario, this is the JWT obtained from the HTTP header of the request message.
- Returns:
- The Access token String or null if there is no access token on the Subject
- Throws:
- java.lang.Exception - if an error occurs either while obtaining the runAs Subject or accessing the private credentials.

getAccessTokenFromSubject
public static java.lang.String getAccessTokenFromSubject(javax.security.auth.Subject subj) throws java.lang.Exception
Retrieve the access token from the input Subject.
- In the OpenID Connect scenario, this is the access_token that is returned from the provider. Depending on your provider's implementation, this value may be opaque or a JWT.
- In the JWT Authentication scenario, this is the JWT obtained from the HTTP header of the request message.
- Returns:
- The Access token String or null if there is no access token on the Subject
- Throws:
- java.lang.Exception - if an error occurs when accessing the private credentials in the Subject.

getRefreshTokenFromSubject
public static java.lang.String getRefreshTokenFromSubject() throws java.lang.Exception
Retrieve the refresh token from the current runAs Subject.
- Returns:
- The Refresh token String or null if there is no access token on the Subject
- Throws:
- java.lang.Exception - if an error occurs either while obtaining the runAs Subject or accessing the private credentials.

getRefreshTokenFromSubject
public static java.lang.String getRefreshTokenFromSubject(javax.security.auth.Subject subj) throws java.lang.Exception
Retrieve the refresh token from the input Subject.
- Returns:
- The Refresh token String or null if there is no access token on the Subject
- Throws:
- java.lang.Exception - if an error occurs when accessing the private credentials in the Subject.

getTokenTypeFromSubject
public static java.lang.String getTokenTypeFromSubject() throws java.lang.Exception
Retrieve the token type from the current runAs Subject.
- Returns:
- The token type or null if there is no token type on the Subject
- Throws:
- java.lang.Exception - if an error occurs either while obtaining the runAs Subject or accessing the private credentials.

getTokenTypeFromSubject
public static java.lang.String getTokenTypeFromSubject(javax.security.auth.Subject subj) throws java.lang.Exception
Retrieve the token type from the input Subject.
- Returns:
- The token type or null if there is no token type on the Subject
- Throws:
- java.lang.Exception - if an error occurs when accessing the private credentials in the Subject.

getScopeFromSubject
public static java.lang.String getScopeFromSubject() throws java.lang.Exception
Retrieve the scope of the access token from the current runAs Subject.
- Returns:
- The scope of the access token or null if there is no scope on the Subject
- Throws:
- java.lang.Exception - if an error occurs either while obtaining the runAs Subject or accessing the private credentials.

getScopeFromSubject
public static java.lang.String getScopeFromSubject(javax.security.auth.Subject subj) throws java.lang.Exception
Retrieve the scope of the access token from the input Subject.
- Returns:
- The scope of the access token or null if there is no scope on the Subject
- Throws:
- java.lang.Exception - if an error occurs when accessing the private credentials in the Subject.

getUserInfoFromSubject
public static java.lang.String getUserInfoFromSubject() throws java.lang.Exception
Retrieve the userInfo associated with the access token from the current runAs Subject. If there is a userinfoEndpointUrl configured for the access token on the Subject, this method will return the userInfo associated with the access token.
- Returns:
- The userInfo associated with the access token or null if there is no userInfo on the Subject
- Throws:
- java.lang.Exception - if an error occurs either while obtaining the runAs Subject or accessing the private credentials.

getUserInfoFromSubject
public static java.lang.String getUserInfoFromSubject(javax.security.auth.Subject subj) throws java.lang.Exception
Retrieve the userInfo associated with the access token from the input Subject. If there is a userinfoEndpointUrl configured for the access token on the Subject, this method will return the userInfo associated with the access token.
- Returns:
- The userInfo associated with the access token or null if there is no userInfo on the Subject
- Throws:
- java.lang.Exception - if an error occurs when accessing the private credentials in the Subject.

getValidAccessToken
public static java.lang.String getValidAccessToken() throws java.lang.Exception
Retrieve a valid access token based on the access token in the current runAs Subject.
A null value will be returned in the following instances:
- Administrative security is not enabled.
- Trust Association is not enabled.
- The OIDC RP TAI is not configured and successfully initialized.
- There is no access token on the runAs Subject.
- There are any errors while attempting to obtain the OIDC session data associated with the access token on the runAs Subject.
- The access token on the runAs Subject has expired and there is no refresh token associated with the access token.
- The access token on the runAs Subject has expired and any error occurs while attempting to refresh the token.
- The access token on the runAs Subject has expired and any error occurs while updating the OIDC session data.
If the access token retrieved from the runAs subject has expired and is successfully refreshed, the following will be updated with the new access token:
- Its associated OIDC session data
- The runAs Subject
This method will only throw an exception if errors occur related to the initial processing of the runAs Subject. If an error occurs after information has been retrieved from the runAs Subject, an FFDC entry will be created, but the exception will not be emitted by this method and the method will return null in most cases. If the access token has been refreshed, but the runAs Subject cannot be updated, an FFDC will be emitted and the method will return the new access token.
If there is a userinfoEndpointUrl configured for the access token, the user info will also be refreshed.
- Returns:
- A valid access token string or null if the conditions listed above are true.
- Throws:
- java.lang.Exception - if an error occurs either while obtaining the runAs Subject or accessing the private credentials.

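An added example, not from this page or from IBM's own code, of a servlet that follows the class description's guidance and the null contract documented for getValidAccessToken: it asks the helper for a valid access token, treats every documented null case as "not authenticated", and reads the ID token claims as a typed Map before using them. The helpers take an optional JAAS Subject so that a login module can use the Subject-taking overloads described above; callDownstream is a hypothetical placeholder, and the ID token exp check is the servlet's own, since the page documents refresh only for the access token.

```java
import java.io.IOException;
import java.util.Map;

import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.ibm.websphere.security.oidc.util.OidcClientHelper;

/**
 * Reads the caller's OIDC credentials through OidcClientHelper and only forwards
 * an access token downstream when the helper reports it as still valid.
 */
public class DownstreamCallServlet extends HttpServlet {

    /** Claims that must be present in the ID token before this servlet uses it. */
    private static final String[] REQUIRED_CLAIMS = { "sub", "iss", "exp" };

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String accessToken;
        Map<String, Object> idClaims;
        try {
            // null Subject -> runAs overloads; a JAAS login module would pass its own Subject.
            accessToken = validAccessToken(null);
            idClaims = idTokenClaims(null);
        } catch (Exception e) {
            // Only failures in the initial processing of the runAs Subject are thrown;
            // later failures are recorded in FFDC and surface as a null token instead.
            throw new ServletException("Unable to read OIDC credentials from the Subject", e);
        }

        // Every documented null case (security/TAI disabled, no token, expired with no
        // refresh token, refresh failed) is handled the same way: not authenticated.
        if (accessToken == null || idClaims == null || !hasRequiredClaims(idClaims)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // getJwtClaimsAsMap maps JSON numbers to Long, so "exp" is read as a Number.
        long exp = ((Number) idClaims.get("exp")).longValue();
        if (exp <= System.currentTimeMillis() / 1000L) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        String subject = (String) idClaims.get("sub");
        callDownstream(subject, accessToken); // hypothetical downstream call
        resp.setStatus(HttpServletResponse.SC_OK);
    }

    /** Valid access token for the given Subject, or for the runAs Subject when subj is null. */
    static String validAccessToken(Subject subj) throws Exception {
        return subj == null
                ? OidcClientHelper.getValidAccessToken()
                : OidcClientHelper.getValidAccessToken(subj);
    }

    /** ID token claims as a typed Map, or null when no ID token is on the Subject. */
    static Map<String, Object> idTokenClaims(Subject subj) throws Exception {
        String idToken = subj == null
                ? OidcClientHelper.getIdTokenFromSubject()
                : OidcClientHelper.getIdTokenFromSubject(subj);
        return idToken == null ? null : OidcClientHelper.getJwtClaimsAsMap(idToken);
    }

    /** Presence and type check for the claims this servlet relies on. */
    static boolean hasRequiredClaims(Map<String, Object> claims) {
        for (String name : REQUIRED_CLAIMS) {
            if (claims.get(name) == null) {
                return false;
            }
        }
        return claims.get("exp") instanceof Number && claims.get("sub") instanceof String;
    }

    /** Placeholder for the real downstream call; not part of the OidcClientHelper API. */
    private void callDownstream(String subject, String bearerToken) {
        // e.g. set "Authorization: Bearer " + bearerToken on an outbound HTTP request
    }
}
```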
getValidAccessToken
public static java.lang.String getValidAccessToken(javax.security.auth.Subject subj) throws java.lang.Exception
Retrieve a valid access token based on the access token in the input Subject.
A null value will be returned in the following instances:
- The input subject is null.
- Administrative security is not enabled.
- Trust Association is not enabled.
- The OIDC RP TAI is not configured and successfully initialized.
- There is no access token on the input Subject.
- There are any errors while attempting to obtain the OIDC session data associated with the access token on the input Subject.
- The access token on the input Subject has expired and there is no refresh token associated with the access token.
- The access token on the input Subject has expired and any error occurs while attempting to refresh the token.
- The access token on the input Subject has expired and any error occurs while updating the OIDC session data.
If the access token retrieved from the input subject has expired and is successfully refreshed, the following will be updated with the new access token:
- Its associated OIDC session data
- The input Subject
This method will only throw an exception if errors occur related to the initial processing of the input Subject. If an error occurs after information has been retrieved from the input Subject, an FFDC entry will be created, but the exception will not be emitted by this method and the method will return null in most cases. If the access token has been refreshed, but the input Subject cannot be updated, an FFDC will be emitted and the method will return the new access token.
If there is a userinfoEndpointUrl configured for the access token, the user info will also be refreshed.
- Returns:
- A valid access token string or null if the conditions listed above are true.
- Throws:
- java.lang.Exception - if an error occurs when accessing the private credentials in the Subject.

getUserInfoFromServer
public static java.lang.String getUserInfoFromServer() throws java.lang.Exception
Retrieve the userInfo associated with the access token from the configured userinfoEndpointUrl.
A null value will be returned in the following instances:
- Administrative security is not enabled.
- Trust Association is not enabled.
- The OIDC RP TAI is not configured and successfully initialized.
- There is no access token on the runAs Subject.
- There are any errors while attempting to obtain the OIDC session data associated with the access token on the runAs Subject.
- There is no userinfoEndpointUrl configured for the access token on the runAs Subject.
- The access token on the runAs Subject has expired and an error occurs when attempting to refresh it.
- An error occurred while obtaining the user info from the user info endpoint.
If the user info is successfully retrieved from the server, the following will be updated with the new user info:
- Its associated OIDC session data
- The runAs Subject
- Returns:
- The userInfo retrieved from the server for the access token, or null in the cases outlined above
- Throws:
- java.lang.Exception - if an error occurs either while obtaining the runAs Subject or accessing the private credentials.

getUserInfoFromServer
public static java.lang.String getUserInfoFromServer(javax.security.auth.Subject subj) throws java.lang.Exception
Retrieve the userInfo associated with the access token from the configured userinfoEndpointUrl.
A null value will be returned in the following instances:
- The input subject is null.
- Administrative security is not enabled.
- Trust Association is not enabled.
- The OIDC RP TAI is not configured and successfully initialized.
- There is no access token on the input Subject.
- There are any errors while attempting to obtain the OIDC session data associated with the access token on the input Subject.
- There is no userinfoEndpointUrl configured for the access token on the input Subject.
- The access token on the input Subject has expired and an error occurs when attempting to refresh it.
- An error occurred while obtaining the user info from the user info endpoint.
If the user info is successfully retrieved from the server, the following will be updated with the new user info:
- Its associated OIDC session data
- The input Subject
- Returns:
- The userInfo retrieved from the server for the access token, or null in the cases outlined above
- Throws:
- java.lang.Exception - if an error occurs when accessing the private credentials in the Subject.

getRunAsSubject
public static javax.security.auth.Subject getRunAsSubject() throws java.lang.Exception
Returns a JAAS subject that represents the RunAs identity.
- Returns:
- A JAAS subject that represents the RunAs identity.
- Throws:
- java.lang.Exception - if an error occurs while obtaining the runAs Subject

getClientCredentialsGrantAccessToken
@Deprecated public static java.lang.String getClientCredentialsGrantAccessToken() throws java.lang.Exception
Deprecated.
- Throws:
- java.lang.Exception

getJwtClaimsAsString
public static java.lang.String getJwtClaimsAsString(java.lang.String jwtString) throws java.lang.Exception
Get the JWT claims from a JWT as a JSON String. For example:
    {"sub":"1234567890","name":"John Doe", "admin": true, "exp":1588806453}
- Returns:
- The JWT claims JSON String
- Throws:
- java.lang.Exception - if an error occurs decoding the JWT

getJwtClaimsAsMap
public static java.util.Map<java.lang.String,java.lang.Object> getJwtClaimsAsMap(java.lang.String jwtString) throws java.lang.Exception
Get the JWT claims from a JWT as a Map. The Map will have value types that correspond to the values in the claims string. For instance, the following claims string:
    {"sub":"1234567890","name":"John Doe", "admin": true, "exp":1588806453}
will produce the map entries with the value types: String, String, Boolean, Long
- Returns:
- The JWT claims JSON represented as a Map
- Throws:
- java.lang.Exception - if an error occurs decoding the JWT

json2map
public static java.util.Map<java.lang.String,java.lang.Object> json2map(java.lang.String jsonString) throws java.lang.Exception
Convert a JSON String to a Map. The Map will have value types that correspond to the values in the JSON string. For instance, the following JSON string:
    {"sub":"1234567890","name":"John Doe", "admin": true, "exp":1588806453}
will produce the map entries with the value types: String, String, Boolean, Long
- Returns:
- A Map created from the JSON String
- Throws:
- java.lang.Exception - if an error occurs creating the Map

getJwtFromSubject
public static java.lang.String getJwtFromSubject() throws java.lang.Exception
Retrieve the JWT Authentication token from the current runAs Subject.
- Returns:
- The JWT Authentication token String or null if there is no JWT Authentication token on the Subject
- Throws:
- java.lang.Exception - if an error occurs either while obtaining the runAs Subject or accessing the private credentials.

getJwtFromSubject
public static java.lang.String getJwtFromSubject(javax.security.auth.Subject subj) throws java.lang.Exception
Retrieve the JWT Authentication token from the input Subject.
- Returns:
- The JWT Authentication token String or null if there is no JWT Authentication token on the Subject
- Throws:
- java.lang.Exception - if an error occurs when accessing the private credentials in the Subject.

getIntrospectionResponseFromSubject
public static java.lang.String getIntrospectionResponseFromSubject() throws java.lang.Exception
Retrieve the introspection response String from the current runAs Subject. This method will return null if the OIDC session data associated with this subject was not created via introspection.
- Returns:
- The introspection response String or null if there is no access token on the Subject
- Throws:
- java.lang.Exception - if an error occurs either while obtaining the runAs Subject or accessing the private credentials.

getIntrospectionResponseFromSubject
public static java.lang.String getIntrospectionResponseFromSubject(javax.security.auth.Subject subj) throws java.lang.Exception
Retrieve the introspection response String from the input Subject. This method will return null if the OIDC session data associated with this subject was not created via introspection.
- Returns:
- The introspection response String or null if there is no access token on the Subject
- Throws:
- java.lang.Exception - if an error occurs either while obtaining the runAs Subject or accessing the private credentials.

getEndSessionEndpoint
public static java.lang.String getEndSessionEndpoint() throws java.lang.Exception
Retrieve the end session endpoint associated with the access token on the current runAs Subject.
A null value will be returned in the following instances:
- Administrative security is not enabled.
- Trust Association is not enabled.
- The OIDC RP TAI is not configured and successfully initialized.
- There is no access token on the runAs Subject.
- There are any errors while attempting to obtain the OIDC session data associated with the access token on the runAs Subject.
- There is no end session endpoint in the configuration used to create the associated SessionData. The end session endpoint may be hardcoded in the OIDC TAI configuration or obtained via discovery.
- Returns:
- The end session endpoint associated with the access token on the runAs Subject
- Throws:
- java.lang.Exception - if an error occurs either while obtaining the runAs Subject or accessing the private credentials.

getEndSessionEndpoint
public static java.lang.String getEndSessionEndpoint(javax.security.auth.Subject subj) throws java.lang.Exception
Retrieve the end session endpoint associated with the access token from the input Subject.
A null value will be returned in the following instances:
- Administrative security is not enabled.
- Trust Association is not enabled.
- The OIDC RP TAI is not configured and successfully initialized.
- There is no access token on the input Subject.
- There are any errors while attempting to obtain the OIDC session data associated with the access token on the input Subject.
- There is no end session endpoint in the configuration used to create the associated SessionData. The end session endpoint may be hardcoded in the OIDC TAI configuration or obtained via discovery.
- Returns:
- The end session endpoint associated with the access token on the input Subject
- Throws:
- java.lang.Exception - if an error occurs while accessing the private credentials in the input Subject.

verifyJwt
public static boolean verifyJwt(java.lang.String jwtString) throws java.lang.Exception
Verify a JWT.
- To find the information required to verify the JWT, this method will first attempt to find an OIDC TAI config entry that matches the iss claim in the JWT.
- If one is not found, the method will attempt to obtain the information to verify the JWT using discovery.
- The discovery endpoint is calculated from the iss claim in the JWT: (issuer)/.well-known/openid-configuration
- The discovery result is cached to optimize method performance.
- An iss claim must be present in the JWT.
- Parameters:
- jwtString - JWT string to verify
- Returns:
- true if the JWT is valid
- Throws:
- java.lang.Exception - if the JWT is not valid or an error occurs while accessing the discovery endpoint on the OP.

verifyJwt
public static boolean verifyJwt(java.lang.String jwtString, java.lang.String defaultIssuer) throws java.lang.Exception
Verify a JWT.
- To find the information required to verify the JWT, this method will first attempt to find an OIDC TAI config entry that matches the issuer.
- If one is not found, the method will attempt to obtain the information to verify the JWT using discovery.
- The discovery endpoint is calculated from the issuer: (issuer)/.well-known/openid-configuration
- The discovery result is cached to optimize method performance.
- Parameters:
- jwtString - JWT string to verify
- defaultIssuer - Default issuer to use if there is no iss claim in the JWT
- Returns:
- true if the JWT is valid
- Throws:
- java.lang.Exception - if the JWT is not valid or an error occurs while accessing the discovery endpoint on the OP.

verifyJwtUsingDiscovery
public static boolean verifyJwtUsingDiscovery(java.lang.String jwtString) throws java.lang.Exception
Verify a JWT using discovery.
- This method will obtain the information to verify the JWT using discovery.
- The discovery endpoint is calculated from the iss claim in the JWT: (issuer)/.well-known/openid-configuration
- The discovery result is cached to optimize method performance.
- An iss claim must be present in the JWT.
- Parameters:
- jwtString - JWT string to verify
- Returns:
- true if the JWT is valid
- Throws:
- java.lang.Exception - if the JWT is not valid or an error occurs while accessing the discovery endpoint on the OP.

verifyJwtUsingDiscovery
public static boolean verifyJwtUsingDiscovery(java.lang.String jwtString, java.lang.String discoveryUrl) throws java.lang.Exception
Verify a JWT using discovery.
- This method will obtain the information to verify the JWT using the specified discovery endpoint.
- The discovery result is cached to optimize method performance.
- Parameters:
- jwtString - JWT string to verify
- discoveryUrl - Discovery endpoint URL
- Returns:
- true if the JWT is valid
- Throws:
- java.lang.Exception - if the JWT is not valid or an error occurs while accessing the discovery endpoint on the OP.

verifyJwtUsingTAIConfig
public static boolean verifyJwtUsingTAIConfig(java.lang.String jwtString) throws java.lang.Exception
Verify a JWT using the OpenID Connect (OIDC) TAI configuration.
- To find the information required to verify the JWT, this method will attempt to find an OIDC TAI config entry that matches the iss claim in the JWT.
- An iss claim must be present in the JWT.
- Parameters:
- jwtString - JWT string to verify
- Returns:
- true if the JWT is valid
- Throws:
- java.lang.Exception - if the JWT is not valid or an error occurs while attempting to find an OIDC TAI config entry that matches the issuer.

verifyJwtUsingTAIConfig
public static boolean verifyJwtUsingTAIConfig(java.lang.String jwtString, java.lang.String defaultIssuer) throws java.lang.Exception
Verify a JWT using the OpenID Connect (OIDC) TAI configuration. To find the information required to verify the JWT, this method will attempt to find an OIDC TAI config entry that matches the issuer.
- Parameters:
- jwtString - JWT string to verify
- defaultIssuer - Default issuer to use if there is no iss claim in the JWT
- Returns:
- true if the JWT is valid
- Throws:
- java.lang.Exception - if the JWT is not valid or an error occurs while attempting to find an OIDC TAI config entry that matches the issuer.

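An added example, not from this page or from IBM's own code, of a servlet filter that verifies a bearer JWT presented in the Authorization header, illustrating the verifyJwt and verifyJwtUsingTAIConfig entries above. It uses verifyJwtUsingTAIConfig rather than verifyJwt so that only issuers present in the OIDC TAI configuration are trusted; verifyJwt is documented to fall back to discovery at (issuer)/.well-known/openid-configuration derived from the token's own iss claim. Both methods signal an invalid token by throwing, so any Exception is treated as a rejection. The audience check is the filter's own addition (the page does not state which claims the verify methods check), EXPECTED_AUDIENCE is a placeholder, and a JSON array in the claims Map is assumed to arrive as a java.util.List.

```java
import java.io.IOException;
import java.util.List;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.ibm.websphere.security.oidc.util.OidcClientHelper;

/** Rejects requests whose bearer JWT does not verify against a configured TAI issuer. */
public class BearerJwtFilter implements Filter {

    /** Placeholder: the client_id / audience this application expects in "aud". */
    private static final String EXPECTED_AUDIENCE = "my-client-id";

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        String jwt = bearerToken(req.getHeader("Authorization"));
        if (jwt == null || !verifyAgainstTaiConfig(jwt)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        Map<String, Object> claims;
        try {
            // Claims are only decoded after the signature/issuer check above succeeded.
            claims = OidcClientHelper.getJwtClaimsAsMap(jwt);
        } catch (Exception e) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (!audienceMatches(claims.get("aud"), EXPECTED_AUDIENCE)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        req.setAttribute("jwt.sub", claims.get("sub"));
        chain.doFilter(request, response);
    }

    /** Extracts the token from "Bearer <token>"; null if the header is absent or malformed. */
    static String bearerToken(String authorization) {
        if (authorization == null) {
            return null;
        }
        String[] parts = authorization.trim().split("\\s+", 2);
        if (parts.length != 2 || !"Bearer".equalsIgnoreCase(parts[0])) {
            return null;
        }
        return parts[1].isEmpty() ? null : parts[1];
    }

    /**
     * True only if the OIDC TAI has a config entry for the token's iss claim and the
     * token verifies against it. verifyJwtUsingTAIConfig throws for an invalid token,
     * a missing iss claim, or an issuer with no config entry, so any exception is a
     * rejection; nothing is fetched from an issuer that is named only inside the token.
     */
    static boolean verifyAgainstTaiConfig(String jwt) {
        try {
            return OidcClientHelper.verifyJwtUsingTAIConfig(jwt);
        } catch (Exception e) {
            return false;
        }
    }

    /** "aud" may be a single string or an array; accept only an exact match. */
    static boolean audienceMatches(Object aud, String expected) {
        if (aud instanceof String) {
            return expected.equals(aud);
        }
        if (aud instanceof List) {
            return ((List<?>) aud).contains(expected);
        }
        return false;
    }
}
```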
logout
public static void logout(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse rsp) throws java.lang.Exception
Invoke the OIDC TAI's logout method that is ordinarily invoked by HttpServletRequest.logout and ibm_security_logout. This method deletes cookies (through the HttpServletResponse object), removes cache entries, and if configured to do so, sends a request to the OP to revoke tokens and redirects the request to the OP's end session endpoint.
This method is intended to enable applications to kick off an RP-Initiated logout without having to go through HttpServletRequest.logout or ibm_security_logout.
- Parameters:
- req - request message
- rsp - response message
- Throws:
- java.lang.Exception - if an error occurs during logout

logout
public static void logout(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse rsp, java.lang.String endSessionRedirectUrl) throws java.lang.Exception
Invoke the OIDC TAI's logout method that is ordinarily invoked by HttpServletRequest.logout and ibm_security_logout. This method deletes cookies (through the HttpServletResponse object), removes cache entries, and if configured to do so, sends a request to the OP to revoke tokens and redirects the request to the OP's end session endpoint.
This method is intended to enable applications to kick off an RP-Initiated logout without having to go through HttpServletRequest.logout or ibm_security_logout.
This method allows you to override the configured value for the endSessionRedirectUrl property if the provider_(id).endSessionUseLogoutExitPage property is set to true.
- Parameters:
- req - request message
- rsp - response message
- endSessionRedirectUrl - value for the post_logout_redirect_uri parameter on the end session request to the OP
- Throws:
- java.lang.Exception - if an error occurs during logout

opLogout
public static void opLogout(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse rsp) throws java.lang.Exception
Invoke the OIDC TAI's logout method that is ordinarily invoked by HttpServletRequest.logout and ibm_security_logout. This method deletes cookies (through the HttpServletResponse object), removes cache entries, and if configured to do so, sends a request to the OP to revoke tokens and redirects the request to the OP's end session endpoint.
This method is intended to enable applications to kick off an RP-Initiated logout without having to go through HttpServletRequest.logout or ibm_security_logout. This method ignores the value of the provider_(id).endSessionEndpointEnabled property. If a provider_(id).endSessionEndpoint property is configured, the request is redirected to that endpoint regardless of the value for the endSessionEndpointEnabled property.
- Parameters:
- req - request message
- rsp - response message
- Throws:
- java.lang.Exception - if an error occurs during logout

opLogout
public static void opLogout(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse rsp, java.lang.String endSessionRedirectUrl) throws java.lang.Exception
Invoke the OIDC TAI's logout method that is ordinarily invoked by HttpServletRequest.logout and ibm_security_logout. This method deletes cookies (through the HttpServletResponse object), removes cache entries, and if configured to do so, sends a request to the OP to revoke tokens and redirects the request to the OP's end session endpoint.
This method is intended to enable applications to kick off an RP-Initiated logout without having to go through HttpServletRequest.logout or ibm_security_logout. This method ignores the value of the provider_(id).endSessionEndpointEnabled property. If a provider_(id).endSessionEndpoint property is configured, the request is redirected to that endpoint regardless of the value for the endSessionEndpointEnabled property.
This method allows you to override the configured value for the endSessionRedirectUrl property if the provider_(id).endSessionUseLogoutExitPage property is set to true.
- Parameters:
- req - request message
- rsp - response message
- endSessionRedirectUrl - value for the post_logout_redirect_uri parameter on the end session request to the OP
- Throws:
- java.lang.Exception - if an error occurs during logout
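An added example, not from this page or from IBM's own code, of an application logout servlet built on the logout overloads above. Because endSessionRedirectUrl becomes the post_logout_redirect_uri sent to the OP, the servlet forwards a caller-supplied return URL only when it exactly matches a fixed allowlist and otherwise falls back to the configured endSessionRedirectUrl by calling the two-argument overload; the allowlist entries and the "return" parameter name are placeholders. As the page states, the override is honoured only when provider_(id).endSessionUseLogoutExitPage is true.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.ibm.websphere.security.oidc.util.OidcClientHelper;

/** RP-initiated logout endpoint that never forwards an unvetted return URL to the OP. */
public class OidcLogoutServlet extends HttpServlet {

    /** Placeholder allowlist of pages the OP may send the browser back to after logout. */
    private static final List<String> ALLOWED_RETURN_URLS = Arrays.asList(
            "https://app.example.com/loggedout",
            "https://app.example.com/");

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String requested = req.getParameter("return"); // placeholder parameter name
        try {
            if (isAllowedReturnUrl(requested)) {
                // Override post_logout_redirect_uri with the caller's allowlisted page.
                OidcClientHelper.logout(req, resp, requested);
            } else {
                // Unknown or missing value: keep the configured endSessionRedirectUrl.
                OidcClientHelper.logout(req, resp);
            }
        } catch (Exception e) {
            // Documented: thrown if an error occurs during logout.
            throw new ServletException("OIDC logout failed", e);
        }
    }

    /** Exact-match allowlist after URI normalisation; only https targets are accepted. */
    static boolean isAllowedReturnUrl(String url) {
        if (url == null) {
            return false;
        }
        try {
            URI u = new URI(url).normalize();
            if (!"https".equalsIgnoreCase(u.getScheme()) || u.getUserInfo() != null) {
                return false;
            }
            return ALLOWED_RETURN_URLS.contains(u.toString());
        } catch (URISyntaxException e) {
            return false;
        }
    }
}
```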