public interface SelfIssuedJWTGrantHandler extends JWTGrantHandler
The handler should not specify access token lifetimes that exceed the validity period of the JWT assertion by a significant period. The issue of refresh tokens is not permitted. Clients can refresh an expired access token by requesting a new one using the same assertion, if it is still valid, or with a new assertion.
Implementations must be thread-safe.
|Modifier and Type||Method and Description|
Handles a self-issued JWT bearer assertion grant by a client registered with the Connect2id server.
SelfIssuedAssertionAuthorization processSelfIssuedGrant(com.nimbusds.jwt.JWTClaimsSet jwtClaimsSet, com.nimbusds.oauth2.sdk.Scope scope, com.nimbusds.oauth2.sdk.id.ClientID clientID, com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata clientMetadata) throws com.nimbusds.oauth2.sdk.GeneralException
This method is called for JWT assertion grants which fulfil all of the following conditions:
If the requested scope is invalid, unknown, malformed, or exceeds
the scope granted by the resource owner the handler must throw a
GeneralException with an
invalid_scope error code.
jwtClaimsSet- The claims set included in the verified JWT assertion grant. The audience (aud), expiration (exp) and not-before time (nbf) claims are verified by the Connect2id server. The issuer (iss) claims will equal the client_id. Not
scope- The requested scope,
nullif not specified.
clientID- The identifier of the authenticated client. Not
clientMetadata- The OAuth 2.0 / OpenID Connect metadata for the client. Not
com.nimbusds.oauth2.sdk.GeneralException- If the grant is invalid, or another exception was encountered.
Copyright © 2018 Connect2id Ltd.. All rights reserved.