Class JwtValidator

java.lang.Object
dev.relism.flash.ext.oidc.JwtValidator

public class JwtValidator extends Object
Validates JWTs against a remote JWKS endpoint using Nimbus JOSE+JWT.

Two validation modes: access-token validation (validate) and ID-token validation (validateIdToken), described under Method Details below.

JWKS handling: the shared JWKSource uses caching, rate-limiting, and an automatic re-fetch when a token's key ID is not found in the cached set (so key rotation is picked up without a restart). Both processors share the same source, so one JWKS fetch serves both token types.

  • Constructor Details

    • JwtValidator

      public JwtValidator(String jwksUri, String issuer, String clientId, String algorithm, HttpClient http)
      Parameters:
      jwksUri - JWKS endpoint URI
      issuer - Expected iss claim
      clientId - OAuth2 client ID — used as expected aud in ID tokens
      algorithm - JWS algorithm (e.g. "RS256")
      http - Shared HttpClient used for all JWKS fetches — already configured with the correct TLS policy (trust-all or default trust store).
  • Method Details

    • validate

      public Map<String,Object> validate(String token)
      Validates a JWT access token (the bearer token on an incoming request). Returns the claims on success; throws HttpException 401 on any failure.
    • validateIdToken

      public Map<String,Object> validateIdToken(String idToken, String nonce)
      Validates an ID token received directly from the token endpoint.

      Checks: signature (JWKS), iss, aud == clientId, exp, iat, sub, and nonce if provided.

      Parameters:
      idToken - Raw ID token string
      nonce - Nonce sent in the authorization request; null to skip check
      Throws:
      OidcValidationException - on any validation failure
    • isJwt

      public static boolean isJwt(String token)
      Returns true if token has the shape of a compact-serialised signed JWT (three dot-separated Base64URL parts). This is a structural check only; it does not verify the signature. Used to detect opaque access tokens before attempting JWKS validation.
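      The following is an added illustration, not the project's JwtValidator source, of how the pieces described above fit together with Nimbus JOSE+JWT: one shared JWKS source with caching, rate-limiting and retry-on-key-miss, two processors built on it, and the ID-token claim checks (iss, aud == clientId, exp, iat, sub, nonce). Class and method names for the Nimbus API are assumed from nimbus-jose-jwt 9.x; the access-token claim set is an assumption, since the page does not list it.

```java
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.JWKSourceBuilder;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import java.net.URL;
import java.util.Set;

/** Illustrative validator (assumed structure, not the project's code): one shared JWKS source, two processors. */
public final class SharedJwksValidatorExample {
    private final DefaultJWTProcessor<SecurityContext> accessTokenProcessor;
    private final DefaultJWTProcessor<SecurityContext> idTokenProcessor;

    public SharedJwksValidatorExample(String jwksUri, String issuer, String clientId) throws Exception {
        // One JWKS source for both processors: cached, rate-limited, and retrying once on an
        // unknown kid so a freshly rotated signing key is fetched instead of failing the token.
        JWKSource<SecurityContext> jwks = JWKSourceBuilder.<SecurityContext>create(new URL(jwksUri))
                .cache(true)
                .rateLimited(true)
                .retrying(true)
                .build();
        // Pin the expected JWS algorithm; tokens signed with anything else are rejected.
        JWSVerificationKeySelector<SecurityContext> keys =
                new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, jwks);

        // Access tokens (assumed claim policy): signature, exact iss, exp present and unexpired, sub present.
        accessTokenProcessor = new DefaultJWTProcessor<>();
        accessTokenProcessor.setJWSKeySelector(keys);
        accessTokenProcessor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(
                new JWTClaimsSet.Builder().issuer(issuer).build(), Set.of("exp", "sub")));

        // ID tokens: signature, iss, aud == clientId, exp, iat, sub; nonce is compared in validateIdToken.
        idTokenProcessor = new DefaultJWTProcessor<>();
        idTokenProcessor.setJWSKeySelector(keys);
        idTokenProcessor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(
                clientId, new JWTClaimsSet.Builder().issuer(issuer).build(), Set.of("exp", "iat", "sub")));
    }

    public JWTClaimsSet validate(String accessToken) throws Exception {
        return accessTokenProcessor.process(accessToken, null);
    }

    /** expectedNonce is the value sent in the authorization request; null skips the nonce check. */
    public JWTClaimsSet validateIdToken(String idToken, String expectedNonce) throws Exception {
        JWTClaimsSet claims = idTokenProcessor.process(idToken, null);
        if (expectedNonce != null && !expectedNonce.equals(claims.getStringClaim("nonce"))) {
            throw new IllegalStateException("ID token nonce does not match the authorization request");
        }
        return claims;
    }
}
```

      DefaultJWTClaimsVerifier rejects expired tokens on its own (with a small default clock skew); the required-claims set only enforces presence of iat and sub, so any stricter iat freshness policy would be an additional check.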