Module org.elasticsearch.security
Interface JwtSignatureValidator
- All Superinterfaces:
AutoCloseable, Closeable, org.elasticsearch.core.Releasable
- All Known Implementing Classes:
JwtSignatureValidator.DelegatingJwtSignatureValidator, JwtSignatureValidator.HmacJwtSignatureValidator, JwtSignatureValidator.PkcJwtSignatureValidator
public interface JwtSignatureValidator
extends org.elasticsearch.core.Releasable
-
Nested Class Summary
Nested Classes
Modifier and Type | Interface | Description
static class
static class
static interface
static class
-
Field Summary
Fields
-
Method Summary
Modifier and Type | Method | Description
default void | close() |
default com.nimbusds.jose.JWSVerifier | createJwsVerifier(com.nimbusds.jose.jwk.JWK jwk) |
void | validate(String tokenPrincipal, com.nimbusds.jwt.SignedJWT jwt, ActionListener<Void> listener) |
default void | validateSignature(com.nimbusds.jwt.SignedJWT jwt, List<com.nimbusds.jose.jwk.JWK> jwks) | Look through each JWK in the JWKSet to see if they can validate the Signed JWT signature.
-
Field Details
-
logger
static final org.apache.logging.log4j.Logger logger
-
-
Method Details
-
close
default void close()
- Specified by:
close in interface AutoCloseable
- Specified by:
close in interface Closeable
- Specified by:
close in interface org.elasticsearch.core.Releasable
-
validate
-
validateSignature
default void validateSignature(com.nimbusds.jwt.SignedJWT jwt, List<com.nimbusds.jose.jwk.JWK> jwks) throws Exception
Look through each JWK in the JWKSet to see if they can validate the Signed JWT signature. Apply JWT kid and JWT alg filters to the JWKs to skip unnecessary signature checking.
If JWT kid is present, and any JWK kid matches, only use the matching subset of JWKs. Ignore the rest. Note: JWK kid should be unique. However, this method does not assume they are unique. Each match will be tried.
Depending on the JWT alg, certain HMAC/RSA/EC JWKs can be excluded. HMAC JWKs that do not meet the minimum length requirement are ignored. RSA JWKs that do not meet the minimum length requirement are ignored. EC JWKs that do not meet the exact curve requirement are ignored.
- Parameters:
jwt - Signed JWT to be validated.
jwks - JWKSet of HMAC/RSA/EC JWKs. At least one JWK is required to succeed.
- Throws:
Exception - Error if JWKs fail to validate the Signed JWT.
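The kid and alg filtering described above, as an added example that is not Elasticsearch's own code. It uses Nimbus JOSE+JWT types; the class and helper names, the sample keys, and the minimums taken from RFC 7518 (HMAC key at least the hash size, RSA at least 2048 bits) are assumptions, not values read from this interface.

```java
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.*;
import com.nimbusds.jose.jwk.*;
import com.nimbusds.jwt.*;
import java.util.*;

public class JwkFilterExample {  // hypothetical class, not part of Elasticsearch
    // Assumed minimums from RFC 7518: HMAC key >= hash size, RSA >= 2048 bits, EC curve must match alg.
    static boolean usable(JWK jwk, JWSAlgorithm alg) {
        if (JWSAlgorithm.Family.HMAC_SHA.contains(alg)) {
            int min = alg.equals(JWSAlgorithm.HS256) ? 256 : alg.equals(JWSAlgorithm.HS384) ? 384 : 512;
            return jwk instanceof OctetSequenceKey && jwk.size() >= min;
        }
        if (JWSAlgorithm.Family.RSA.contains(alg)) {
            return jwk instanceof RSAKey && jwk.size() >= 2048;
        }
        if (JWSAlgorithm.Family.EC.contains(alg)) {
            return jwk instanceof ECKey && Curve.forJWSAlgorithm(alg).contains(((ECKey) jwk).getCurve());
        }
        return false;  // unknown alg family: nothing is tried
    }

    // If the JWT kid matches any JWK kid, keep only the matches (all of them); otherwise keep every JWK.
    static List<JWK> candidates(SignedJWT jwt, List<JWK> jwks) {
        String kid = jwt.getHeader().getKeyID();
        JWSAlgorithm alg = jwt.getHeader().getAlgorithm();
        List<JWK> byKid = jwks.stream().filter(k -> kid != null && kid.equals(k.getKeyID())).toList();
        List<JWK> pool = byKid.isEmpty() ? jwks : byKid;
        return pool.stream().filter(k -> usable(k, alg)).toList();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample keys: duplicate kid "k1", one too-short key, one key under another kid.
        byte[] good = new byte[32]; Arrays.fill(good, (byte) 7);
        byte[] other = new byte[32]; Arrays.fill(other, (byte) 9);
        List<JWK> jwks = List.of(
            new OctetSequenceKey.Builder(other).keyID("k1").build(),
            new OctetSequenceKey.Builder(good).keyID("k1").build(),
            new OctetSequenceKey.Builder(new byte[16]).keyID("k1").build(),
            new OctetSequenceKey.Builder(good).keyID("k2").build());
        SignedJWT jwt = new SignedJWT(new JWSHeader.Builder(JWSAlgorithm.HS256).keyID("k1").build(),
            new JWTClaimsSet.Builder().subject("user1").build());
        jwt.sign(new MACSigner(good));
        List<JWK> tried = candidates(jwt, jwks);
        boolean ok = false;
        for (JWK k : tried) ok |= jwt.verify(new MACVerifier((OctetSequenceKey) k));  // each match is tried
        System.out.println(tried.size() + " candidates, verified=" + ok);
    }
}
```

The 128-bit key and the "k2" key never reach a verifier, while both full-length "k1" keys are tried because kid uniqueness is not assumed.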
-
createJwsVerifier
default com.nimbusds.jose.JWSVerifier createJwsVerifier(com.nimbusds.jose.jwk.JWK jwk) throws com.nimbusds.jose.JOSEException
- Throws:
com.nimbusds.jose.JOSEException
-