Module jakarta.security

Package jakarta.security.enterprise.identitystore.openid

Interface JwtClaims

All Superinterfaces:

Claims

public interface JwtClaims
extends Claims

Standard JWT claims. A token typically.

Field Summary

Fields

Modifier and Type	Field	Description
static final JwtClaims	NONE	Singleton instance representing no claims

Method Summary

Modifier and Type	Method	Description
default List<String>	getAudience()	The recipients that the JWT is intended for.
default Optional<Instant>	getExpirationTime()	Expiration time on or after which the JWT MUST NOT be accepted for processing.
default Optional<Instant>	getIssuedAt()	The time at which the JWT was issued.
default Optional<String>	getIssuer()	The principal that issued the JWT
default Optional<String>	getJwtId()	Unique identifier for the JWT
default Optional<Instant>	getNotBeforeTime()	The time before which the JWT MUST NOT be accepted for processing.
default Optional<String>	getSubject()	The principal that is the subject of the JWT.
default boolean	isBeforeValidity(Clock clock, boolean required, Duration skew)	Check if JWT is before its defined validity
default boolean	isExpired(Clock clock, boolean required, Duration skew)	Check if JWT is expired
default boolean	isValid()	Check JWT validity against current time with 1MIN clock skew.

Methods inherited from interface jakarta.security.enterprise.identitystore.openid.Claims

getArrayStringClaim, getDoubleClaim, getIntClaim, getLongClaim, getNested, getNumericDateClaim, getStringClaim

Field Details

NONE

static final JwtClaims NONE

Singleton instance representing no claims

Method Details

getIssuer

default Optional<String> getIssuer()

The principal that issued the JWT

Returns:

value of iss claim

getSubject

default Optional<String> getSubject()

The principal that is the subject of the JWT. The claims in a JWT are normally statements about the subject.

Returns:

value of sub claim

getAudience

default List<String> getAudience()

The recipients that the JWT is intended for. To ease work with the field, audience is always represented as list, also in special cases -- it is singleton list when it was a string in the token, and empty set if it was not present.

Returns:

non-null set representing the values of aud claim

getExpirationTime

default Optional<Instant> getExpirationTime()

Expiration time on or after which the JWT MUST NOT be accepted for processing.

Returns:

value of exp claim

isExpired

default boolean isExpired(Clock clock,
 boolean required,
 Duration skew)

Check if JWT is expired

Parameters:

clock - Clock representing reference time of checking

required - indication whether the claim is required, i. e. whether token with claim is considered expired

skew - allowed clock skew to account for drift between provider and us

Returns:

true when current time is past expiration time, or exp claim is not present and required is true

getNotBeforeTime

default Optional<Instant> getNotBeforeTime()

The time before which the JWT MUST NOT be accepted for processing.

Returns:

isBeforeValidity

default boolean isBeforeValidity(Clock clock,
 boolean required,
 Duration skew)

Check if JWT is before its defined validity

Parameters:

clock - Clock representing reference time of checking

required - indication, whether the claim is required, i. e. whether token without nbf is considered before validity

skew - allowed clock skew to account for drift between provider and us

Returns:

isValid

default boolean isValid()

Check JWT validity against current time with 1MIN clock skew.

Returns:

true if exp token is present and within limits and nbf is within limits when present

getIssuedAt

default Optional<Instant> getIssuedAt()

The time at which the JWT was issued.

Returns:

value of exp claim

getJwtId

default Optional<String> getJwtId()

Unique identifier for the JWT

Returns:

value of jti claim