com.ibm.websphere.security.oidc.util

Class OidcClientHelper

  • java.lang.Object
    • com.ibm.websphere.security.oidc.util.OidcClientHelper
  • Direct Known Subclasses:
    OauthClientHelper


    public class OidcClientHelper
    extends java.lang.Object

    This API has utility methods for interacting with the OpenID Connect (OIDC) Relying Party (RP) TAI.

    This API contains two sets of methods: one set that operates on the runAs Subject and another that operates on a Subject that is passed into the method. If you are running the methods from a business application, the standard versions that use the runAs Subject will suffice. However, if you are running the methods from a JAAS login module, there are conditions where the runAs Subject has not yet been updated with the OIDC data but the JAAS Subject has. In this case, use the set of methods that take the Subject as a parameter.
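The login-module case just described, as an added example that is not code from this page or from IBM: a JAAS LoginModule whose commit() reads the ID token from the Subject it was handed, using the Subject-taking overloads rather than the runAs versions. The claim name `email` and the credential class are assumptions for the example.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

import com.ibm.websphere.security.oidc.util.OidcClientHelper;

/*
 * Added example: a custom JAAS login module that runs after the OIDC RP TAI.
 * At this point the runAs Subject may not yet carry the OIDC data, but the
 * Subject passed to initialize() does, so the Subject-taking overloads are used.
 */
public class OidcClaimsLoginModule implements LoginModule {

    private Subject subject;
    // The claim name is an assumption for this example.
    private static final String CLAIM_NAME = "email";

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
    }

    @Override
    public boolean login() throws LoginException {
        // Nothing to do here: the user was already authenticated by the TAI.
        return true;
    }

    @Override
    public boolean commit() throws LoginException {
        try {
            // Subject-taking overload, not getIdTokenFromSubject() on the runAs Subject.
            String idToken = OidcClientHelper.getIdTokenFromSubject(subject);
            if (idToken == null) {
                // Not an OIDC login (for example basic auth); leave the Subject untouched.
                return false;
            }
            // The TAI placed this ID token on the Subject after authenticating the user,
            // so its claims can be read here without re-verifying the signature.
            Map<String, Object> claims = OidcClientHelper.getJwtClaimsAsMap(idToken);
            Object email = claims.get(CLAIM_NAME);
            if (email instanceof String) {
                // Public credentials are readable by application code: use them for
                // non-secret attributes only. The token itself stays a private credential.
                subject.getPublicCredentials().add(new OidcEmailCredential((String) email));
            }
            return true;
        } catch (Exception e) {
            throw (LoginException) new LoginException("Unable to read OIDC ID token").initCause(e);
        }
    }

    @Override
    public boolean abort() { return true; }

    @Override
    public boolean logout() { return true; }

    /** Assumed value object used to carry the claim on the Subject. */
    public static final class OidcEmailCredential {
        private final String email;
        OidcEmailCredential(String email) { this.email = email; }
        public String getEmail() { return email; }
    }
}
```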

    The OidcClientHelper class can be found in the following jars:

    • plugins/com.ibm.ws.security.oidc.client.jar
    • dev/was_public.jar

    Sample code to get the JWT claims from an ID token on the runAs Subject:

         String idTokenJwt = OidcClientHelper.getIdTokenFromSubject();
         // null means there is no ID token on the Subject (for example, not an OIDC login)
         if (idTokenJwt != null) {
             //get the claims string
             String idTokenClaims = OidcClientHelper.getJwtClaimsAsString(idTokenJwt);
             //-or- get the claims map
             Map<String,Object> claimsMap = OidcClientHelper.getJwtClaimsAsMap(idTokenJwt);
         }
     

    Sample code to get the Introspection response from the runAs subject as a Map:

         String response = OidcClientHelper.getIntrospectionResponseFromSubject();
         Map<String,Object> map = OidcClientHelper.json2map(response);
     
    • Constructor Summary

      Constructors 
      Constructor and Description
      OidcClientHelper() 
    • Method Summary

      Methods 
      Modifier and Type Method and Description
      static java.lang.String getAccessTokenFromSubject()
      Retrieve the access token from the current runAs Subject. In the OpenID Connect scenario, this is the access_token that is returned from the provider.
      static java.lang.String getAccessTokenFromSubject(javax.security.auth.Subject subj)
      Retrieve the access token from the input Subject. In the OpenID Connect scenario, this is the access_token that is returned from the provider.
      static java.lang.String getClientCredentialsGrantAccessToken()
      Deprecated. 
      static java.lang.String getEndSessionEndpoint()
      Retrieve the end session endpoint associated with the access token on the current runAs Subject.
      static java.lang.String getEndSessionEndpoint(javax.security.auth.Subject subj)
      Retrieve the end session endpoint associated with the access token on the input Subject. A null value will be returned in the following instances: Administrative security is not enabled.
      static java.lang.String getIdTokenFromSubject()
      Retrieve the ID token from the current runAs Subject. This String is the id_token JSON Web Token (JWT) that is returned from the OpenID provider.
      static java.lang.String getIdTokenFromSubject(javax.security.auth.Subject subj)
      Retrieve the ID token from the input Subject. This String is the id_token JWT that is returned from the OpenID provider.
      static java.lang.String getIntrospectionResponseFromSubject()
      Retrieve the introspection response String from the current runAs Subject.
      static java.lang.String getIntrospectionResponseFromSubject(javax.security.auth.Subject subj)
      Retrieve the introspection response String from the input Subject.
      static java.util.Map<java.lang.String,java.lang.Object> getJwtClaimsAsMap(java.lang.String jwtString)
      Get the JWT claims from a JWT as a Map.
      static java.lang.String getJwtClaimsAsString(java.lang.String jwtString)
      Get the JWT claims from a JWT as a JSON String.
      static java.lang.String getJwtFromSubject()
      Retrieve the JWT Authentication token from the current runAs Subject.
      static java.lang.String getJwtFromSubject(javax.security.auth.Subject subj)
      Retrieve the JWT Authentication token from the input Subject.
      static java.lang.String getRefreshTokenFromSubject()
      Retrieve the refresh token from the current runAs Subject
      static java.lang.String getRefreshTokenFromSubject(javax.security.auth.Subject subj)
      Retrieve the refresh token from the input Subject
      static javax.security.auth.Subject getRunAsSubject()
      getRunAsSubject returns a JAAS subject that represents the RunAs identity.
      static java.lang.String getScopeFromSubject()
      Retrieve the scope of the access token from the current runAs Subject
      static java.lang.String getScopeFromSubject(javax.security.auth.Subject subj)
      Retrieve the scope of the access token from the input Subject
      static java.lang.String getTokenTypeFromSubject()
      Retrieve the token type from the current runAs Subject
      static java.lang.String getTokenTypeFromSubject(javax.security.auth.Subject subj)
      Retrieve the token type from the input Subject
      static java.lang.String getUserInfoFromServer()
      Retrieve the userInfo associated with the access token from the configured userinfoEndpointUrl.
      static java.lang.String getUserInfoFromServer(javax.security.auth.Subject subj)
      Retrieve the userInfo associated with the access token from the configured userinfoEndpointUrl.
      static java.lang.String getUserInfoFromSubject()
      Retrieve the userInfo associated with the access token from the current runAs Subject.
      static java.lang.String getUserInfoFromSubject(javax.security.auth.Subject subj)
      Retrieve the userInfo associated with the access token from the input Subject.
      static java.lang.String getValidAccessToken()
      Retrieve a valid access token based on the access token in the current runAs Subject.
      static java.lang.String getValidAccessToken(javax.security.auth.Subject subj)
      Retrieve a valid access token based on the access token in the input Subject.
      static java.util.Map<java.lang.String,java.lang.Object> json2map(java.lang.String jsonString)
      Convert a JSON String to a Map.
      static void logout(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse rsp)
      Invoke the OIDC TAI's logout method that is ordinarily invoked by HttpServletRequest.logout and ibm_security_logout. This method deletes cookies (through the HttpServletResponse object), removes cache entries, and, if configured to do so, sends a request to the OP to revoke tokens and redirects the request to the OP's end session endpoint.
      static void logout(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse rsp, java.lang.String endSessionRedirectUrl)
      Invoke the OIDC TAI's logout method that is ordinarily invoked by HttpServletRequest.logout and ibm_security_logout. This method deletes cookies (through the HttpServletResponse object), removes cache entries, and, if configured to do so, sends a request to the OP to revoke tokens and redirects the request to the OP's end session endpoint.
      static void opLogout(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse rsp)
      Invoke the OIDC TAI's logout method that is ordinarily invoked by HttpServletRequest.logout and ibm_security_logout. This method deletes cookies (through the HttpServletResponse object), removes cache entries, and, if configured to do so, sends a request to the OP to revoke tokens and redirects the request to the OP's end session endpoint.
      static void opLogout(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse rsp, java.lang.String endSessionRedirectUrl)
      Invoke the OIDC TAI's logout method that is ordinarily invoked by HttpServletRequest.logout and ibm_security_logout. This method deletes cookies (through the HttpServletResponse object), removes cache entries, and, if configured to do so, sends a request to the OP to revoke tokens and redirects the request to the OP's end session endpoint.
      static boolean verifyJwt(java.lang.String jwtString)
      Verify a JWT. To find the information required to verify the JWT, this method will first attempt to find an OIDC TAI config entry that matches the iss claim in the JWT.
      static boolean verifyJwt(java.lang.String jwtString, java.lang.String defaultIssuer)
      Verify a JWT. To find the information required to verify the JWT, this method will first attempt to find an OIDC TAI config entry that matches the issuer.
      static boolean verifyJwtUsingDiscovery(java.lang.String jwtString)
      Verify a JWT using discovery. This method will obtain the information to verify the JWT using discovery.
      static boolean verifyJwtUsingDiscovery(java.lang.String jwtString, java.lang.String discoveryUrl)
      Verify a JWT using discovery. This method will obtain the information to verify the JWT using the specified discovery endpoint.
      static boolean verifyJwtUsingTAIConfig(java.lang.String jwtString)
      Verify a JWT using the OpenID Connect (OIDC) TAI configuration. To find the information required to verify the JWT, this method will attempt to find an OIDC TAI config entry that matches the iss claim in the JWT.
      static boolean verifyJwtUsingTAIConfig(java.lang.String jwtString, java.lang.String defaultIssuer)
      Verify a JWT using the OpenID Connect (OIDC) TAI configuration. To find the information required to verify the JWT, this method will attempt to find an OIDC TAI config entry that matches the issuer.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Constructor Detail

      • OidcClientHelper

        public OidcClientHelper()
    • Method Detail

      • getIdTokenFromSubject

        public static java.lang.String getIdTokenFromSubject()
                                                      throws java.lang.Exception
        Retrieve the ID token from the current runAs Subject

        This String is the id_token JSON Web Token (JWT) that is returned from the OpenID provider.

        Returns:
        The ID token String or null if there is no ID token on the Subject
        Throws:
        java.lang.Exception - if an error occurs either while obtaining the runAs Subject or accessing the private credentials.
      • getIdTokenFromSubject

        public static java.lang.String getIdTokenFromSubject(javax.security.auth.Subject subj)
                                                      throws java.lang.Exception
        Retrieve the ID token from the input Subject

        This String is the id_token JWT that is returned from the OpenID provider.

        Returns:
        The ID token String or null if there is no ID token on the Subject
        Throws:
        java.lang.Exception - if an error occurs when accessing the private credentials in the Subject.
      • getAccessTokenFromSubject

        public static java.lang.String getAccessTokenFromSubject()
                                                          throws java.lang.Exception
        Retrieve the access token from the current runAs Subject

        • In the OpenID Connect scenario, this is the access_token that is returned from the provider. Depending on your provider's implementation, this value may be opaque or a JWT.
        • In the JWT Authentication scenario, this is the JWT obtained from the HTTP header of the request message.

        Returns:
        The Access token String or null if there is no access token on the Subject
        Throws:
        java.lang.Exception - if an error occurs either while obtaining the runAs Subject or accessing the private credentials.
      • getAccessTokenFromSubject

        public static java.lang.String getAccessTokenFromSubject(javax.security.auth.Subject subj)
                                                          throws java.lang.Exception
        Retrieve the access token from the input Subject

        • In the OpenID Connect scenario, this is the access_token that is returned from the provider. Depending on your provider's implementation, this value may be opaque or a JWT.
        • In the JWT Authentication scenario, this is the JWT obtained from the HTTP header of the request message.

        Returns:
        The Access token String or null if there is no access token on the Subject
        Throws:
        java.lang.Exception - if an error occurs when accessing the private credentials in the Subject.
      • getRefreshTokenFromSubject

        public static java.lang.String getRefreshTokenFromSubject()
                                                           throws java.lang.Exception
        Retrieve the refresh token from the current runAs Subject
        Returns:
        The Refresh token String or null if there is no access token on the Subject
        Throws:
        java.lang.Exception - if an error occurs either while obtaining the runAs Subject or accessing the private credentials.
      • getRefreshTokenFromSubject

        public static java.lang.String getRefreshTokenFromSubject(javax.security.auth.Subject subj)
                                                           throws java.lang.Exception
        Retrieve the refresh token from the input Subject
        Returns:
        The Refresh token String or null if there is no access token on the Subject
        Throws:
        java.lang.Exception - if an error occurs when accessing the private credentials in the Subject.
      • getTokenTypeFromSubject

        public static java.lang.String getTokenTypeFromSubject()
                                                        throws java.lang.Exception
        Retrieve the token type from the current runAs Subject
        Returns:
        The token type or null if there is no token type on the Subject
        Throws:
        java.lang.Exception - if an error occurs either while obtaining the runAs Subject or accessing the private credentials.
      • getTokenTypeFromSubject

        public static java.lang.String getTokenTypeFromSubject(javax.security.auth.Subject subj)
                                                        throws java.lang.Exception
        Retrieve the token type from the input Subject
        Returns:
        The token type or null if there is no token type on the Subject
        Throws:
        java.lang.Exception - if an error occurs when accessing the private credentials in the Subject.
      • getScopeFromSubject

        public static java.lang.String getScopeFromSubject()
                                                    throws java.lang.Exception
        Retrieve the scope of the access token from the current runAs Subject
        Returns:
        The scope of the access token or null if there is no scope on the Subject
        Throws:
        java.lang.Exception - if an error occurs either while obtaining the runAs Subject or accessing the private credentials.
      • getScopeFromSubject

        public static java.lang.String getScopeFromSubject(javax.security.auth.Subject subj)
                                                    throws java.lang.Exception
        Retrieve the scope of the access token from the input Subject
        Returns:
        The scope of the access token or null if there is no scope on the Subject
        Throws:
        java.lang.Exception - if an error occurs when accessing the private credentials in the Subject.
      • getUserInfoFromSubject

        public static java.lang.String getUserInfoFromSubject()
                                                       throws java.lang.Exception
        Retrieve the userInfo associated with the access token from the current runAs Subject.

        If there is a userinfoEndpointUrl configured for the access token on the Subject, this method will return the userInfo associated with the access token.

        Returns:
        The userInfo associated with the access token or null if there is no userInfo on the Subject
        Throws:
        java.lang.Exception - if an error occurs either while obtaining the runAs Subject or accessing the private credentials.
      • getUserInfoFromSubject

        public static java.lang.String getUserInfoFromSubject(javax.security.auth.Subject subj)
                                                       throws java.lang.Exception
        Retrieve the userInfo associated with the access token from the input Subject.

        If there is a userinfoEndpointUrl configured for the access token on the Subject, this method will return the userInfo associated with the access token.

        Returns:
        The userInfo associated with the access token or null if there is no userInfo on the Subject
        Throws:
        java.lang.Exception - if an error occurs when accessing the private credentials in the Subject.
      • getValidAccessToken

        public static java.lang.String getValidAccessToken()
                                                    throws java.lang.Exception

        Retrieve a valid access token based on the access token in the current runAs Subject.

        A null value will be returned in the following instances:

        • Administrative security is not enabled.
        • Trust Association is not enabled.
        • The OIDC RP TAI is not configured and successfully initialized.
        • There is no access token on the runAs Subject.
        • There are any errors while attempting to obtain the OIDC session data associated with the access token on the runAs Subject.
        • The access token on the runAs Subject has expired and there is no refresh token associated with the access token.
        • The access token on the runAs Subject has expired and any error occurs while attempting to refresh the token.
        • The access token on the runAs Subject has expired and any error occurs while updating the OIDC session data.

        If the access token retrieved from the runAs subject has expired and is successfully refreshed, the following will be updated with the new access token:

        • Its associated OIDC session data
        • The runAs Subject

        This method will only throw an exception if errors occur related to the initial processing of the runAs Subject. If an error occurs after information has been retrieved from the runAs Subject, an FFDC entry will be created, but the exception will not be emitted by this method and the method will return null in most cases. If the access token has been refreshed, but the runAs Subject cannot be updated, an FFDC will be emitted and the method will return the new access token.

        If there is a userinfoEndpointUrl configured for the access token, the user info will also be refreshed.

        Returns:
        A valid access token string or null if the conditions listed above are true.
        Throws:
        java.lang.Exception - if an error occurs either while obtaining the runAs Subject or accessing the private credentials.
      • getValidAccessToken

        public static java.lang.String getValidAccessToken(javax.security.auth.Subject subj)
                                                    throws java.lang.Exception

        Retrieve a valid access token based on the access token in the input Subject.

        A null value will be returned in the following instances:

        • The input subject is null.
        • Administrative security is not enabled.
        • Trust Association is not enabled.
        • The OIDC RP TAI is not configured and successfully initialized.
        • There is no access token on the input Subject.
        • There are any errors while attempting to obtain the OIDC session data associated with the access token on the input Subject.
        • The access token on the input Subject has expired and there is no refresh token associated with the access token.
        • The access token on the input Subject has expired and any error occurs while attempting to refresh the token.
        • The access token on the input Subject has expired and any error occurs while updating the OIDC session data.

        If the access token retrieved from the input subject has expired and is successfully refreshed, the following will be updated with the new access token:

        • Its associated OIDC session data
        • The input Subject

        This method will only throw an exception if errors occur related to the initial processing of the input Subject. If an error occurs after information has been retrieved from the input Subject, an FFDC entry will be created, but the exception will not be emitted by this method and the method will return null in most cases. If the access token has been refreshed, but the input Subject cannot be updated, an FFDC will be emitted and the method will return the new access token.

        If there is a userinfoEndpointUrl configured for the access token, the user info will also be refreshed.

        Returns:
        A valid access token string or null if the conditions listed above are true.
        Throws:
        java.lang.Exception - if an error occurs when accessing the private credentials in the Subject.
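An added example, not code from this page or from IBM, of the pattern the getValidAccessToken() description calls for: a servlet obtains a usable token with getValidAccessToken() before calling a downstream API, treats null as "the user must sign in again", and never falls back to the raw value from getAccessTokenFromSubject(). The downstream URL is an assumption.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.ibm.websphere.security.oidc.util.OidcClientHelper;

/*
 * Added example: forward a request to a downstream API using the access token
 * from the runAs Subject. getValidAccessToken() refreshes an expired token (and
 * updates the Subject and OIDC session data) when a refresh token exists, so the
 * possibly-expired value from getAccessTokenFromSubject() is never sent.
 */
public class DownstreamProxyServlet extends HttpServlet {

    // Assumed downstream resource server, not part of the page.
    private static final String DOWNSTREAM_URL = "https://api.example.internal/orders";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse rsp)
            throws ServletException, IOException {
        String accessToken;
        try {
            // null covers every case in the Javadoc list: security or trust association
            // disabled, TAI not initialized, no token, expired with no refresh token,
            // or a refresh failure (those are recorded as FFDC entries, not thrown).
            accessToken = OidcClientHelper.getValidAccessToken();
        } catch (Exception e) {
            // Thrown only for failures while reading the runAs Subject itself.
            throw new ServletException("Unable to read runAs Subject", e);
        }
        if (accessToken == null) {
            // Do not fall back to the stale token: make the user re-authenticate.
            rsp.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                          "No valid access token; please sign in again");
            return;
        }

        HttpURLConnection conn = (HttpURLConnection) new URL(DOWNSTREAM_URL).openConnection();
        conn.setRequestMethod("GET");
        conn.setRequestProperty("Authorization", "Bearer " + accessToken);
        int status = conn.getResponseCode();
        if (status == HttpServletResponse.SC_UNAUTHORIZED) {
            // The downstream rejected a token the RP still considers valid (revoked,
            // audience mismatch, clock skew). Surface it; never retry with an older token.
            rsp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Downstream rejected the token");
            return;
        }
        if (status != HttpServletResponse.SC_OK) {
            rsp.sendError(HttpServletResponse.SC_BAD_GATEWAY, "Downstream returned " + status);
            return;
        }
        rsp.setStatus(status);
        rsp.setContentType(conn.getContentType());
        try (InputStream in = conn.getInputStream(); OutputStream out = rsp.getOutputStream()) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        }
    }
}
```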
      • getUserInfoFromServer

        public static java.lang.String getUserInfoFromServer()
                                                      throws java.lang.Exception

        Retrieve the userInfo associated with the access token from the configured userinfoEndpointUrl.

        A null value will be returned in the following instances:

        • Administrative security is not enabled.
        • Trust Association is not enabled.
        • The OIDC RP TAI is not configured and successfully initialized.
        • There is no access token on the runAs Subject.
        • There are any errors while attempting to obtain the OIDC session data associated with the access token on the runAs Subject.
        • There is no userinfoEndpointUrl configured for the access token on the runAs Subject.
        • The access token on the runAs Subject has expired and an error occurs while attempting to refresh it.
        • An error occurred while obtaining the user info from the user info endpoint.

        If the user info is successfully retrieved from the server, the following will be updated with the new user info:

        • Its associated OIDC session data
        • The runAs Subject

        Returns:
        The userInfo retrieved from the server for the access token, or null in the cases outlined above
        Throws:
        java.lang.Exception - if an error occurs either while obtaining the runAs Subject or accessing the private credentials.
      • getUserInfoFromServer

        public static java.lang.String getUserInfoFromServer(javax.security.auth.Subject subj)
                                                      throws java.lang.Exception

        Retrieve the userInfo associated with the access token from the configured userinfoEndpointUrl.

        A null value will be returned in the following instances:

        • The input subject is null.
        • Administrative security is not enabled.
        • Trust Association is not enabled.
        • The OIDC RP TAI is not configured and successfully initialized.
        • There is no access token on the input Subject.
        • There are any errors while attempting to obtain the OIDC session data associated with the access token on the input Subject.
        • There is no userinfoEndpointUrl configured for the access token on the input Subject.
        • The access token on the input Subject has expired and an error occurs while attempting to refresh it.
        • An error occurred while obtaining the user info from the user info endpoint.

        If the user info is successfully retrieved from the server, the following will be updated with the new user info:

        • Its associated OIDC session data
        • The input Subject

        Returns:
        The userInfo retrieved from the server for the access token, or null in the cases outlined above
        Throws:
        java.lang.Exception - if an error occurs when accessing the private credentials in the Subject.
      • getRunAsSubject

        public static javax.security.auth.Subject getRunAsSubject()
                                                           throws java.lang.Exception
        getRunAsSubject returns a JAAS subject that represents the RunAs identity.
        Returns:
        A JAAS subject that represents the RunAs identity.
        Throws:
        java.lang.Exception - if an error occurs while obtaining the runAs Subject
      • getClientCredentialsGrantAccessToken

        @Deprecated
        public static java.lang.String getClientCredentialsGrantAccessToken()
                                                                     throws java.lang.Exception
        Deprecated. 
        Throws:
        java.lang.Exception
      • getJwtClaimsAsString

        public static java.lang.String getJwtClaimsAsString(java.lang.String jwtString)
                                                     throws java.lang.Exception
        Get the JWT claims from a JWT as a JSON String.

        For example:
        {"sub":"1234567890","name":"John Doe", "admin": true, "exp":1588806453}

        Returns:
        The JWT claims JSON String
        Throws:
        java.lang.Exception - if an error occurs decoding the JWT
      • getJwtClaimsAsMap

        public static java.util.Map<java.lang.String,java.lang.Object> getJwtClaimsAsMap(java.lang.String jwtString)
                                                                                  throws java.lang.Exception
        Get the JWT claims from a JWT as a Map.

        The Map will have value types that correspond to the values in the claims string. For instance, the following claims string:

        {"sub":"1234567890","name":"John Doe", "admin": true, "exp":1588806453}

        will produce the map entries with the value types: String, String, Boolean, Long

        Returns:
        The JWT claims JSON represented as a Map
        Throws:
        java.lang.Exception - if an error occurs decoding the JWT
      • json2map

        public static java.util.Map<java.lang.String,java.lang.Object> json2map(java.lang.String jsonString)
                                                                         throws java.lang.Exception
        Convert a JSON String to a Map.

        The Map will have value types that correspond to the values in the JSON string. For instance, the following JSON string:

        {"sub":"1234567890","name":"John Doe", "admin": true, "exp":1588806453}

        will produce the map entries with the value types: String, String, Boolean, Long

        Returns:
        A Map created from the JSON String
        Throws:
        java.lang.Exception - if an error occurs creating the Map
      • getJwtFromSubject

        public static java.lang.String getJwtFromSubject()
                                                  throws java.lang.Exception
        Retrieve the JWT Authentication token from the current runAs Subject.
        Returns:
        The JWT Authentication token String or null if there is no JWT Authentication token on the Subject
        Throws:
        java.lang.Exception - if an error occurs either while obtaining the runAs Subject or accessing the private credentials.
      • getJwtFromSubject

        public static java.lang.String getJwtFromSubject(javax.security.auth.Subject subj)
                                                  throws java.lang.Exception
        Retrieve the JWT Authentication token from the input Subject.
        Returns:
        The JWT Authentication token String or null if there is no JWT Authentication token on the Subject
        Throws:
        java.lang.Exception - if an error occurs when accessing the private credentials in the Subject.
      • getIntrospectionResponseFromSubject

        public static java.lang.String getIntrospectionResponseFromSubject()
                                                                    throws java.lang.Exception
        Retrieve the introspection response String from the current runAs Subject.

        This method will return null if the OIDC session data associated with this subject was not created via introspection.

        Returns:
        The introspection response String or null if there is no access token on the Subject
        Throws:
        java.lang.Exception - if an error occurs either while obtaining the runAs Subject or accessing the private credentials.
      • getIntrospectionResponseFromSubject

        public static java.lang.String getIntrospectionResponseFromSubject(javax.security.auth.Subject subj)
                                                                    throws java.lang.Exception
        Retrieve the introspection response String from the input Subject.

        This method will return null if the OIDC session data associated with this subject was not created via introspection.

        Returns:
        The introspection response String or null if there is no access token on the Subject
        Throws:
        java.lang.Exception - if an error occurs either while obtaining the runAs Subject or accessing the private credentials.
      • getEndSessionEndpoint

        public static java.lang.String getEndSessionEndpoint()
                                                      throws java.lang.Exception
        Retrieve the end session endpoint associated with the access token on the current runAs Subject.

        A null value will be returned in the following instances:

        • Administrative security is not enabled.
        • Trust Association is not enabled.
        • The OIDC RP TAI is not configured and successfully initialized.
        • There is no access token on the runAs Subject.
        • There are any errors while attempting to obtain the OIDC session data associated with the access token on the runAs Subject.
        • There is no end session endpoint in the configuration used to create the associated SessionData. The end session endpoint may be hardcoded in the OIDC TAI configuration or obtained via discovery.

        Returns:
        The end session endpoint associated with the access token on the runAs Subject
        Throws:
        java.lang.Exception - if an error occurs either while obtaining the runAs Subject or accessing the private credentials.
      • getEndSessionEndpoint

        public static java.lang.String getEndSessionEndpoint(javax.security.auth.Subject subj)
                                                      throws java.lang.Exception
        Retrieve the end session endpoint associated with the access token on the input Subject

        A null value will be returned in the following instances:

        • Administrative security is not enabled.
        • Trust Association is not enabled.
        • The OIDC RP TAI is not configured and successfully initialized.
        • There is no access token on the input Subject.
        • There are any errors while attempting to obtain the OIDC session data associated with the access token on the input Subject.
        • There is no end session endpoint in the configuration used to create the associated SessionData. The end session endpoint may be hardcoded in the OIDC TAI configuration or obtained via discovery.

        Returns:
        The end session endpoint associated with the access token on the input Subject
        Throws:
        java.lang.Exception - if an error occurs while accessing the private credentials in the input Subject.
      • verifyJwt

        public static boolean verifyJwt(java.lang.String jwtString)
                                 throws java.lang.Exception
        Verify a JWT

        • To find the information required to verify the JWT, this method will first attempt to find an OIDC TAI config entry that matches the iss claim in the JWT.
        • If one is not found, the method will attempt to obtain the information to verify the JWT using discovery.
        • The discovery endpoint is calculated from the iss claim in the JWT: (issuer)/.well-known/openid-configuration
        • The discovery result is cached to optimize method performance.
        • An iss claim must be present in the JWT.

        Parameters:
        jwtString - JWT string to verify
        Returns:
        true if the JWT is valid
        Throws:
        java.lang.Exception - if the JWT is not valid or an error occurs while accessing the discovery endpoint on the OP.
      • verifyJwt

        public static boolean verifyJwt(java.lang.String jwtString,
                        java.lang.String defaultIssuer)
                                 throws java.lang.Exception
        Verify a JWT

        • To find the information required to verify the JWT, this method will first attempt to find an OIDC TAI config entry that matches the issuer.
        • If one is not found, the method will attempt to obtain the information to verify the JWT using discovery.
        • The discovery endpoint is calculated from the issuer: (issuer)/.well-known/openid-configuration
        • The discovery result is cached to optimize method performance.

        Parameters:
        jwtString - JWT string to verify
        defaultIssuer - Default issuer to use if there is no iss claim in the JWT
        Returns:
        true if the JWT is valid
        Throws:
        java.lang.Exception - if the JWT is not valid or an error occurs while accessing the discovery endpoint on the OP.
      • verifyJwtUsingDiscovery

        public static boolean verifyJwtUsingDiscovery(java.lang.String jwtString)
                                               throws java.lang.Exception
        Verify a JWT using discovery

        • This method will obtain the information to verify the JWT using discovery.
        • The discovery endpoint is calculated from the iss claim in the JWT: (issuer)/.well-known/openid-configuration
        • The discovery result is cached to optimize method performance.
        • An iss claim must be present in the JWT.

        Parameters:
        jwtString - JWT string to verify
        Returns:
        true if the JWT is valid
        Throws:
        java.lang.Exception - if the JWT is not valid or an error occurs while accessing the discovery endpoint on the OP.
      • verifyJwtUsingDiscovery

        public static boolean verifyJwtUsingDiscovery(java.lang.String jwtString,
                                      java.lang.String discoveryUrl)
                                               throws java.lang.Exception
        Verify a JWT using discovery

        • This method will obtain the information to verify the JWT using the specified discovery endpoint.
        • The discovery result is cached to optimize method performance.

        Parameters:
        jwtString - JWT string to verify
        discoveryUrl - Discovery endpoint URL
        Returns:
        true if the JWT is valid
        Throws:
        java.lang.Exception - if the JWT is not valid or an error occurs while accessing the discovery endpoint on the OP.
      • verifyJwtUsingTAIConfig

        public static boolean verifyJwtUsingTAIConfig(java.lang.String jwtString)
                                               throws java.lang.Exception
        Verify a JWT using the OpenID Connect (OIDC) TAI configuration

        • To find the information required to verify the JWT, this method will attempt to find an OIDC TAI config entry that matches the iss claim in the JWT.
        • An iss claim must be present in the JWT.

        Parameters:
        jwtString - JWT string to verify
        Returns:
        true if the JWT is valid
        Throws:
        java.lang.Exception - if the JWT is not valid or an error occurs while attempting to find an OIDC TAI config entry that matches the issuer.
      • verifyJwtUsingTAIConfig

        public static boolean verifyJwtUsingTAIConfig(java.lang.String jwtString,
                                      java.lang.String defaultIssuer)
                                               throws java.lang.Exception
        Verify a JWT using the OpenID Connect (OIDC) TAI configuration

        To find the information required to verify the JWT, this method will attempt to find an OIDC TAI config entry that matches the issuer.

        Parameters:
        jwtString - JWT string to verify
        defaultIssuer - Default issuer to use if there is no iss claim in the JWT
        Returns:
        true if the JWT is valid
        Throws:
        java.lang.Exception - if the JWT is not valid or an error occurs while attempting to find an OIDC TAI config entry that matches the issuer.
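        A hypothetical servlet filter, added here as an example and not code from the WebSphere product or its documentation, that guards a resource with verifyJwt(jwtString, defaultIssuer). Resolution follows the order documented above (matching OIDC TAI config entry first, discovery second); the filter name, the request attribute name and the DEFAULT_ISSUER value are assumed placeholders.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.security.oidc.util.OidcClientHelper;

/**
 * Hypothetical filter: rejects any request whose bearer JWT does not pass
 * OidcClientHelper.verifyJwt. verifyJwt throws on an invalid JWT or a failed
 * discovery call, so the exception path is treated exactly like a false result.
 */
public class BearerJwtFilter implements Filter {

    // Assumed fallback issuer (placeholder), used only when the JWT has no iss claim.
    private static final String DEFAULT_ISSUER = "https://op.example.com";

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse rsp = (HttpServletResponse) response;

        // Accept only "Authorization: Bearer <jwt>" (scheme compared case-insensitively).
        String auth = req.getHeader("Authorization");
        if (auth == null || !auth.regionMatches(true, 0, "Bearer ", 0, 7)) {
            rsp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String jwt = auth.substring(7).trim();

        try {
            // TAI config entry for the issuer first, then (issuer)/.well-known/openid-configuration.
            if (!OidcClientHelper.verifyJwt(jwt, DEFAULT_ISSUER)) {
                rsp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            // Verified: hand the parsed claims to downstream code without re-parsing.
            // verifyJwt establishes validity only; any authorization decision is downstream.
            req.setAttribute("jwt.claims", OidcClientHelper.getJwtClaimsAsMap(jwt));
        } catch (Exception e) {
            // Invalid JWT or discovery/OP error: deny, never fall through.
            rsp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, rsp);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```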
      • logout

        public static void logout(javax.servlet.http.HttpServletRequest req,
                  javax.servlet.http.HttpServletResponse rsp)
                           throws java.lang.Exception
        Invoke the OIDC TAI's logout method that is ordinarily invoked by HttpServletRequest.logout and ibm_security_logout

        This method deletes cookies (through the HttpServletResponse object), removes cache entries, and, if configured to do so, sends a request to the OP to revoke tokens and redirects the request to the OP's end session endpoint.

        This method is intended to enable applications to kick off an RP-Initiated logout without having to go through HttpServletRequest.logout or ibm_security_logout.

        Parameters:
        req - request message
        rsp - response message
        Throws:
        java.lang.Exception - if an error occurs during logout
      • logout

        public static void logout(javax.servlet.http.HttpServletRequest req,
                  javax.servlet.http.HttpServletResponse rsp,
                  java.lang.String endSessionRedirectUrl)
                           throws java.lang.Exception
        Invoke the OIDC TAI's logout method that is ordinarily invoked by HttpServletRequest.logout and ibm_security_logout

        This method deletes cookies (through the HttpServletResponse object), removes cache entries, and, if configured to do so, sends a request to the OP to revoke tokens and redirects the request to the OP's end session endpoint.

        This method is intended to enable applications to kick off an RP-Initiated logout without having to go through HttpServletRequest.logout or ibm_security_logout.

        This method allows you to override the configured value for the endSessionRedirectUrl property if the provider_(id).endSessionUseLogoutExitPage property is set to true.

        Parameters:
        req - request message
        rsp - response message
        endSessionRedirectUrl - value for the post_logout_redirect_uri parameter on the end session request to the OP
        Throws:
        java.lang.Exception - if an error occurs during logout
      • opLogout

        public static void opLogout(javax.servlet.http.HttpServletRequest req,
                    javax.servlet.http.HttpServletResponse rsp)
                             throws java.lang.Exception
        Invoke the OIDC TAI's logout method that is ordinarily invoked by HttpServletRequest.logout and ibm_security_logout

        This method deletes cookies (through the HttpServletResponse object), removes cache entries, and, if configured to do so, sends a request to the OP to revoke tokens and redirects the request to the OP's end session endpoint.

        This method is intended to enable applications to kick off an RP-Initiated logout without having to go through HttpServletRequest.logout or ibm_security_logout. This method ignores the value of the provider_(id).endSessionEndpointEnabled property. If a provider_(id).endSessionEndpoint property is configured, the request is redirected to that endpoint regardless of the value for the endSessionEndpointEnabled property.

        Parameters:
        req - request message
        rsp - response message
        Throws:
        java.lang.Exception - if an error occurs during logout
      • opLogout

        public static void opLogout(javax.servlet.http.HttpServletRequest req,
                    javax.servlet.http.HttpServletResponse rsp,
                    java.lang.String endSessionRedirectUrl)
                             throws java.lang.Exception
        Invoke the OIDC TAI's logout method that is ordinarily invoked by HttpServletRequest.logout and ibm_security_logout

        This method deletes cookies (through the HttpServletResponse object), removes cache entries, and, if configured to do so, sends a request to the OP to revoke tokens and redirects the request to the OP's end session endpoint.

        This method is intended to enable applications to kick off an RP-Initiated logout without having to go through HttpServletRequest.logout or ibm_security_logout. This method ignores the value of the provider_(id).endSessionEndpointEnabled property. If a provider_(id).endSessionEndpoint property is configured, the request is redirected to that endpoint regardless of the value for the endSessionEndpointEnabled property.

        This method allows you to override the configured value for the endSessionRedirectUrl property if the provider_(id).endSessionUseLogoutExitPage property is set to true.

        Parameters:
        req - request message
        rsp - response message
        endSessionRedirectUrl - value for the post_logout_redirect_uri parameter on the end session request to the OP
        Throws:
        java.lang.Exception - if an error occurs during logout
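        A hypothetical logout servlet, added here as an example and not code from the WebSphere product or its documentation, that starts an RP-initiated logout through logout(req, rsp, endSessionRedirectUrl) and falls back to logout(req, rsp). The servlet name, the returnTo parameter and the allow-list of return pages are assumptions; the check with getEndSessionEndpoint() uses the null conditions documented above.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.security.oidc.util.OidcClientHelper;

/**
 * Hypothetical servlet: RP-initiated logout via OidcClientHelper.logout instead of
 * HttpServletRequest.logout or ibm_security_logout.
 */
public class RpLogoutServlet extends HttpServlet {

    // Assumed allow-list (placeholders). The endSessionRedirectUrl override becomes the
    // post_logout_redirect_uri sent to the OP, so it is never taken verbatim from the
    // request; only pages the application itself owns are accepted.
    private static final List<String> ALLOWED_RETURN_URLS = Arrays.asList(
            "https://app.example.com/loggedout",
            "https://app.example.com/loggedout?lang=fr");

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse rsp)
            throws ServletException, IOException {
        String returnTo = req.getParameter("returnTo");
        try {
            // Null means the OP step cannot happen (no TAI, no access token on the runAs
            // Subject, or no end session endpoint), so an override would be pointless.
            String endSession = OidcClientHelper.getEndSessionEndpoint();
            if (endSession != null && returnTo != null && ALLOWED_RETURN_URLS.contains(returnTo)) {
                // Honoured only when provider_(id).endSessionUseLogoutExitPage is true.
                OidcClientHelper.logout(req, rsp, returnTo);
            } else {
                // The configured endSessionRedirectUrl applies (or no OP redirect at all).
                OidcClientHelper.logout(req, rsp);
            }
            // logout() has already cleared cookies and, if configured, issued the redirect;
            // nothing more is written to the response here.
        } catch (Exception e) {
            log("RP-initiated logout failed", e);
            // Fail closed: the local session state is unknown, so report an error rather
            // than render a page that implies the logout succeeded.
            if (!rsp.isCommitted()) {
                rsp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            }
        }
    }
}
```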
IBM WebSphere Application Server™
Release 8.5