Class JwtValidator.Builder

  • Enclosing class:
    JwtValidator

    public static final class JwtValidator.Builder
    extends java.lang.Object
    Builder for JwtValidator
    • Method Detail

      • expectTypeHeader

        @CanIgnoreReturnValue
        public JwtValidator.Builder expectTypeHeader(java.lang.String value)
        Sets the expected type header of the token. When this is set, all tokens with a missing or different typ header are rejected. When this is not set, all tokens that have a typ header are rejected. So this must be set for tokens that have a typ header.

        If you want to ignore the type header or if you want to validate it yourself, use ignoreTypeHeader().

        https://tools.ietf.org/html/rfc7519#section-4.1.1

      • ignoreTypeHeader

        @CanIgnoreReturnValue
        public JwtValidator.Builder ignoreTypeHeader()
        Lets the validator ignore the typ header.
      • expectIssuer

        @CanIgnoreReturnValue
        public JwtValidator.Builder expectIssuer(java.lang.String value)
        Sets the expected issuer claim of the token. When this is set, all tokens with a missing or different iss claim are rejected. When this is not set, all tokens that have an iss claim are rejected. So this must be set for tokens that have an iss claim.

        If you want to ignore the issuer claim or if you want to validate it yourself, use ignoreIssuer().

        https://tools.ietf.org/html/rfc7519#section-4.1.1

      • ignoreIssuer

        @CanIgnoreReturnValue
        public JwtValidator.Builder ignoreIssuer()
        Lets the validator ignore the iss claim.
      • expectAudience

        @CanIgnoreReturnValue
        public JwtValidator.Builder expectAudience(java.lang.String value)
        Sets the expected audience. When this is set, all tokens that do not contain this audience in their aud claims are rejected. When this is not set, all tokens that have aud claims are rejected. So this must be set for tokens that have aud claims.

        If you want to ignore this claim or if you want to validate it yourself, use ignoreAudiences().

        https://tools.ietf.org/html/rfc7519#section-4.1.3

      • ignoreAudiences

        @CanIgnoreReturnValue
        public JwtValidator.Builder ignoreAudiences()
        Lets the validator ignore the aud claim.
      • expectIssuedInThePast

        @CanIgnoreReturnValue
        public JwtValidator.Builder expectIssuedInThePast()
        Checks that the iat claim is in the past.
      • setClock

        @CanIgnoreReturnValue
        public JwtValidator.Builder setClock(java.time.Clock clock)
        Sets the clock used to verify timestamp claims.
      • setClockSkew

        @CanIgnoreReturnValue
        public JwtValidator.Builder setClockSkew(java.time.Duration clockSkew)
        Sets the clock skew to tolerate when verifying timestamp claims, to deal with small clock differences among different machines.

        As recommended by https://tools.ietf.org/html/rfc7519, the clock skew should usually be no more than a few minutes. In this implementation, the maximum value is 10 minutes.

      • allowMissingExpiration

        @CanIgnoreReturnValue
        public JwtValidator.Builder allowMissingExpiration()
        When set, the validator accepts tokens that do not have an expiration set.

        In most cases, tokens should always have an expiration, so this option should rarely be used.
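
The reject-by-default rules for expectIssuer and expectAudience described above, shown against one token (an added example, not part of the original documentation). It assumes this Builder is the one in Tink's com.google.crypto.tink.jwt package and uses that package's JwtMac, JwtMacConfig and RawJwt classes, which this page does not document; the class name JwtValidatorDemo and the issuer and audience strings are constructed for illustration.

```java
import com.google.crypto.tink.KeyTemplates;
import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.jwt.JwtMac;
import com.google.crypto.tink.jwt.JwtMacConfig;
import com.google.crypto.tink.jwt.JwtValidator;
import com.google.crypto.tink.jwt.RawJwt;
import java.security.GeneralSecurityException;
import java.time.Duration;
import java.time.Instant;

public final class JwtValidatorDemo {
  // True if the MAC verifies and the validator accepts the claims.
  static boolean accepts(JwtMac mac, String token, JwtValidator v) {
    try {
      mac.verifyMacAndDecode(token, v);
      return true;
    } catch (GeneralSecurityException e) { // includes JwtInvalidException
      return false;
    }
  }
  public static void main(String[] args) throws GeneralSecurityException {
    JwtMacConfig.register();
    JwtMac mac = KeysetHandle.generateNew(KeyTemplates.get("JWT_HS256"))
        .getPrimitive(JwtMac.class);

    // Constructed sample token; issuer and audience are placeholder values.
    String token = mac.computeMacAndEncode(RawJwt.newBuilder()
        .setIssuer("https://issuer.example")
        .addAudience("orders-api")
        .setExpiration(Instant.now().plusSeconds(300))
        .build());

    // Pins both claims the token carries.
    JwtValidator pinned = JwtValidator.newBuilder()
        .expectIssuer("https://issuer.example")
        .expectAudience("orders-api")
        .setClockSkew(Duration.ofSeconds(30))
        .build();
    // Sets no expectations: per the rules above, a token with iss/aud fails.
    JwtValidator unset = JwtValidator.newBuilder().build();
    // Expects an audience the token was not issued for.
    JwtValidator wrongAud = JwtValidator.newBuilder()
        .expectIssuer("https://issuer.example").expectAudience("billing-api").build();

    System.out.println("pinned:   " + accepts(mac, token, pinned));
    System.out.println("unset:    " + accepts(mac, token, unset));
    System.out.println("wrongAud: " + accepts(mac, token, wrongAud));
  }
}
```

Only the validator that pins both claims should accept the token; swapping expectIssuer or expectAudience for the matching ignore method accepts it without checking that claim, so the caller then has to validate it.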