spring-security-oauth2之JwtTimestampValidator


org.springframework.security.oauth2.jwt.JwtTimestampValidator#validate 用于校验Authorization中的token是否过期

/**
 * Validates the time-based claims of a JWT: {@code exp} (expires-at) and
 * {@code nbf} (not-before), each compared against the injected clock with
 * {@code clockSkew} applied as tolerance in the lenient direction.
 *
 * <p>Only claims that are present are enforced: a token without an
 * {@code exp} claim is not rejected by the expiry check, and a token without
 * {@code nbf} is not rejected by the not-before check.
 *
 * @param jwt the decoded token to check; must not be {@code null}
 * @return {@link OAuth2TokenValidatorResult#success()} when no present claim is
 *         violated, otherwise a failure carrying a single {@link OAuth2Error}
 *         built via {@code createOAuth2Error}
 * @throws IllegalArgumentException if {@code jwt} is {@code null}
 */
public OAuth2TokenValidatorResult validate(Jwt jwt) {
    Assert.notNull(jwt, "jwt cannot be null");

    // Expiry: the token is stale once "now - skew" has passed exp, so the skew
    // extends the accepted lifetime rather than shortening it.
    Instant expiresAt = jwt.getExpiresAt();
    if (expiresAt != null) {
        Instant latestAcceptable = Instant.now(this.clock).minus(this.clockSkew);
        if (latestAcceptable.isAfter(expiresAt)) {
            String detail = String.format("Jwt expired at %s", jwt.getExpiresAt());
            return OAuth2TokenValidatorResult.failure(this.createOAuth2Error(detail));
        }
    }

    // Not-before: the token is premature while "now + skew" is still before nbf,
    // so the skew likewise admits a slightly-early token.
    Instant notBefore = jwt.getNotBefore();
    if (notBefore != null) {
        Instant earliestAcceptable = Instant.now(this.clock).plus(this.clockSkew);
        if (earliestAcceptable.isBefore(notBefore)) {
            String detail = String.format("Jwt used before %s", jwt.getNotBefore());
            return OAuth2TokenValidatorResult.failure(this.createOAuth2Error(detail));
        }
    }

    return OAuth2TokenValidatorResult.success();
}

路径

  1. org.springframework.security.web.server.authentication.AuthenticationWebFilter#filter
  2. org.springframework.security.oauth2.server.resource.authentication.JwtReactiveAuthenticationManager#authenticate
  3. org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder#decode(java.lang.String)
  4. org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder#validateJwt
  5. org.springframework.security.oauth2.jwt.JwtTimestampValidator#validate