Class IssuerValidator

java.lang.Object
cloud.opencode.base.oauth2.security.IssuerValidator

public final class IssuerValidator extends Object
Authorization Server Issuer Validator (RFC 9207)

Validates the authorization server issuer identifier as defined in RFC 9207. Uses constant-time comparison via MessageDigest.isEqual(byte[], byte[]) to prevent timing side-channel attacks when comparing issuer values.

Features:

  • RFC 9207 compliant issuer identification
  • Constant-time comparison to prevent timing attacks
  • Null-safe with configurable validation

Usage Examples:

// Validate issuer in authorization response
IssuerValidator.validate("https://auth.example.com", responseIssuer);

// Check without throwing
if (IssuerValidator.matches("https://auth.example.com", responseIssuer)) {
    // Issuer is valid
}

Security:

  • Thread-safe: Yes (stateless utility class)
  • Null-safe: Yes
  • Uses constant-time comparison (MessageDigest.isEqual)
Since:
JDK 25, opencode-base-oauth2 V1.0.3
Author:
Leon Soo www.LeonSoo.com
  • Method Details

    • validate

      public static void validate(String expectedIssuer, String actualIssuer)
      Validate that the actual issuer matches the expected issuer.

      If expectedIssuer is null, validation is skipped (issuer validation not configured). If actualIssuer is null, an exception is thrown.

      Parameters:
      expectedIssuer - the expected issuer (null to skip validation)
      actualIssuer - the actual issuer from the response
      Throws:
      OAuth2Exception - with ISSUER_MISMATCH if issuers don't match or actualIssuer is null
    • matches

      public static boolean matches(String expectedIssuer, String actualIssuer)
      Check if the actual issuer matches the expected issuer.

      Uses constant-time comparison to prevent timing attacks.

      Parameters:
      expectedIssuer - the expected issuer
      actualIssuer - the actual issuer
      Returns:
      true if both are non-null and equal
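
The null handling and comparison documented for validate and matches above, written out as an added sketch; this is not the library's source. The class name IssuerCheckSketch, the helper outcome, and the use of IllegalStateException in place of OAuth2Exception are assumptions, and the issuer strings are constructed sample values.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Added illustration; not the library's source. Class name and exception type are assumptions.
public final class IssuerCheckSketch {

    /** true only if both values are non-null and byte-for-byte equal. */
    public static boolean matches(String expectedIssuer, String actualIssuer) {
        if (expectedIssuer == null || actualIssuer == null) {
            return false;
        }
        // RFC 9207 calls for simple string comparison: no case folding,
        // no trailing-slash or other URL normalization.
        return MessageDigest.isEqual(
                expectedIssuer.getBytes(StandardCharsets.UTF_8),
                actualIssuer.getBytes(StandardCharsets.UTF_8));
    }

    /** Skips when no issuer is configured; otherwise fails closed. */
    public static void validate(String expectedIssuer, String actualIssuer) {
        if (expectedIssuer == null) {
            return; // validation not configured: nothing is checked
        }
        if (!matches(expectedIssuer, actualIssuer)) {
            // The documented class throws OAuth2Exception with ISSUER_MISMATCH;
            // a JDK exception stands in here so the sketch compiles alone.
            throw new IllegalStateException("ISSUER_MISMATCH");
        }
    }

    private static String outcome(String expected, String actual) {
        try {
            validate(expected, actual);
            return "accepted";
        } catch (IllegalStateException e) {
            return "rejected (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        String configured = "https://auth.example.com"; // constructed sample values
        System.out.println(outcome(configured, "https://auth.example.com"));
        System.out.println(outcome(configured, "https://auth.example.com/"));
        System.out.println(outcome(configured, null));
        System.out.println(outcome(null, "https://other.example"));
    }
}
```

The last call is accepted because a null expectedIssuer skips validation entirely, so a client that relies on this check must make sure the expected issuer is actually configured.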