Question

I am working with the OpenSAML library to generate SAML2 tokens. I was under the impression that validating the signature of the token would also check for its expiration, which apparently is not the case. Is there an API provided by the library that I can use to check for the expiration? Like checkIfExpired() in the following code snippet:

// Assumed imports for OpenSAML 2.x; ppMgr (a parser pool) and log are existing fields of the enclosing class
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.impl.AssertionUnmarshaller;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;
import org.w3c.dom.Document;

public static boolean validateSignature(String token, Credential credential)
{
    try {
        // Parse the serialized assertion; use an explicit charset rather than the platform default
        InputStream in = new ByteArrayInputStream(token.getBytes(StandardCharsets.UTF_8));
        Document inCommonMDDoc = ppMgr.parse(in);
        AssertionUnmarshaller unmarshaller = new AssertionUnmarshaller();
        Assertion assertion = (Assertion) unmarshaller
                .unmarshall(inCommonMDDoc.getDocumentElement());
        SignatureValidator validator = new SignatureValidator(credential);
        try {
            validator.validate(assertion.getSignature());

            return checkIfExpired(assertion); // -- Checks if assertion has expired and returns true/false
        } catch (ValidationException e) {
            log.error("Invalid Signature", e);
            return false;
        }
    } catch (Exception e) {
        log.error("Unable to perform Signature Validation", e);
        return false; // every path must return a value; treat any failure as not validated
    }
}

NOTE: I want to avoid doing it manually if OpenSAML already has an API for it.

Solution

The way to check if the assertion is expired is to check the conditions in the assertion. Something like this.

// Conditions is org.opensaml.saml2.core.Conditions; NotBefore/NotOnOrAfter are Joda-Time DateTime values
Conditions conditions = assertion.getConditions();
if (conditions == null) {
    // Guard added so a missing Conditions element fails validation instead of throwing a NullPointerException
    throw new ValidationException("Assertion carries no Conditions element, so its validity period cannot be checked");
}

if (conditions.getNotBefore() != null && conditions.getNotBefore().isAfterNow()) {
    throw new ValidationException("Condition states that assertion is not yet valid (is the server time correct?)");
}

if (conditions.getNotOnOrAfter() != null
        && (conditions.getNotOnOrAfter().isBeforeNow() || conditions.getNotOnOrAfter().isEqualNow())) {
    throw new ValidationException("Condition states that assertion is no longer valid (is the server time correct?)");
}

As far as I know there is no simpler method for doing this. The right way is probably to write a validator, maybe extend the ConditionsSpecValidator. This Validator does not by itself validate all conditions.
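One way to package the check the answer describes as an OpenSAML 2 Validator, with a bounded allowance for clock skew between issuer and consumer (an added example, not OpenSAML's own code and not from the answer; the class name, the skew parameter and the validateAt method are my own):

```java
import org.joda.time.DateTime;
import org.joda.time.Duration;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.xml.validation.ValidationException;
import org.opensaml.xml.validation.Validator;

/**
 * Lifetime check for a SAML 2 assertion based on the NotBefore / NotOnOrAfter
 * attributes of its Conditions element. Hypothetical class, not part of OpenSAML.
 */
public class AssertionLifetimeValidator implements Validator<Assertion> {

    private final Duration allowedSkew;

    /** allowedSkew: how far the issuer's clock may drift from ours (e.g. Duration.standardSeconds(60)). */
    public AssertionLifetimeValidator(Duration allowedSkew) {
        this.allowedSkew = allowedSkew;
    }

    public void validate(Assertion assertion) throws ValidationException {
        validateAt(assertion, new DateTime());
    }

    /** Same check against an explicit clock, so it can be unit-tested without sleeping. */
    public void validateAt(Assertion assertion, DateTime now) throws ValidationException {
        Conditions conditions = assertion.getConditions();
        if (conditions == null) {
            throw new ValidationException("Assertion has no Conditions element; refusing an unbounded assertion");
        }
        DateTime notBefore = conditions.getNotBefore();
        DateTime notOnOrAfter = conditions.getNotOnOrAfter();
        if (notBefore == null && notOnOrAfter == null) {
            throw new ValidationException("Conditions carries neither NotBefore nor NotOnOrAfter");
        }
        // NotBefore is inclusive: the assertion is valid from exactly that instant onward.
        if (notBefore != null && notBefore.minus(allowedSkew).isAfter(now)) {
            throw new ValidationException("Assertion not yet valid: NotBefore=" + notBefore + ", now=" + now);
        }
        // NotOnOrAfter is exclusive: at exactly that instant the assertion is already expired.
        if (notOnOrAfter != null && !now.isBefore(notOnOrAfter.plus(allowedSkew))) {
            throw new ValidationException("Assertion expired: NotOnOrAfter=" + notOnOrAfter + ", now=" + now);
        }
    }
}
```

Run it after the signature check, e.g. new AssertionLifetimeValidator(Duration.standardSeconds(60)).validate(assertion), so that a valid signature on an expired assertion is still rejected.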

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow