package com.nimbusds.openid.connect.sdk.validators;


import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.oauth2.sdk.AuthorizationCode;
import com.nimbusds.openid.connect.sdk.claims.CodeHash;
import net.jcip.annotations.ThreadSafe;


/**
 * Validator for an authorisation code against the {@code c_hash} claim of
 * an ID token. Used in the hybrid flow, where the authorisation endpoint
 * returns the code alongside an ID token and the relying party must bind
 * the two together before exchanging the code.
 *
 * <p>Related specifications:
 *
 * <ul>
 *     <li>OpenID Connect Core 1.0, section 3.3.2.10.
 * </ul>
 *
 * <p>Stateless; every method is static, so the class is thread-safe.
 */
@ThreadSafe
public class AuthorizationCodeValidator {


	/**
	 * Validates the specified authorisation code against the supplied
	 * {@code c_hash} value. The hash is recomputed locally from the code
	 * and the ID token's JWS algorithm and must equal the claim value;
	 * any other outcome is rejected.
	 *
	 * @param code         The authorisation code. Must not be
	 *                     {@code null}.
	 * @param jwsAlgorithm The JWS algorithm of the ID token. Must not
	 *                     be {@code null}.
	 * @param codeHash     The authorisation code hash, as set in the
	 *                     {@code c_hash} ID token claim. Must not be
	 *                     {@code null}.
	 *
	 * @throws InvalidHashException If the hash could not be computed for
	 *                              the given algorithm, or if the computed
	 *                              hash doesn't match {@code codeHash}.
	 */
	public static void validate(final AuthorizationCode code,
				    final JWSAlgorithm jwsAlgorithm,
				    final CodeHash codeHash)
		throws InvalidHashException {

		// The local recomputation is the reference value; the claim
		// supplied by the token is what gets checked against it.
		final CodeHash computed = CodeHash.compute(code, jwsAlgorithm);

		// Fail closed: a null result (presumably the algorithm is not
		// supported for hashing -- see CodeHash.compute) is treated the
		// same as a mismatch rather than skipping the check. A null
		// codeHash never equals the computed value, so it is rejected too.
		if (computed == null || ! computed.equals(codeHash)) {
			throw InvalidHashException.INVALID_CODE_HASH_EXCEPTION;
		}
	}
}