public interface ThirdPartyJWTGrantHandler extends JWTGrantHandler

authorisation on success. Must throw a GeneralException with an invalid_grant error code if the JWT assertion is invalid.

The passed JWT assertion can be an instance of:

- SignedJWT -- Signed or MAC protected with JWS;
- EncryptedJWT -- Encrypted with JWE;
- JWEObject -- Signed or MAC protected with JWS, then encrypted with JWE.

The handler should not specify access token lifetimes that exceed the validity period of the JWT assertion by a significant period. The issue of refresh tokens is not permitted. Clients can refresh an expired access token by requesting a new one using the same assertion, if it is still valid, or with a new assertion.

Implementations must be thread-safe.

Related specifications:
Field Summary

- GRANT_TYPE

Method Summary

| Modifier and Type | Method and Description |
|---|---|
| ThirdPartyAssertionAuthorization | processThirdPartyGrant(com.nimbusds.jose.JOSEObject jwtAssertion, com.nimbusds.oauth2.sdk.Scope scope, com.nimbusds.oauth2.sdk.id.ClientID clientID, boolean confidentialClient, com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata clientMetadata) -- Handles a JWT assertion grant issued by a third-party security token service. |

Methods inherited from the parent interface: getGrantType

Method Detail

processThirdPartyGrant

ThirdPartyAssertionAuthorization processThirdPartyGrant(com.nimbusds.jose.JOSEObject jwtAssertion, com.nimbusds.oauth2.sdk.Scope scope, com.nimbusds.oauth2.sdk.id.ClientID clientID, boolean confidentialClient, com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata clientMetadata) throws com.nimbusds.oauth2.sdk.GeneralException

Handles a JWT assertion grant issued by a third-party security token service.
The following client authentication / identification cases may be handled:

- If the client is confidential and has been authenticated, the confidentialClient flag will be true. The client_id and metadata arguments will be set.
- If the client has not authenticated but has specified a client_id using the optional token request parameter, the confidentialClient flag will be false and the client metadata will be set.
- If no client_id is passed with the token request, the client information arguments will be null and the confidentialClient flag will be false. The grant handler must resolve the client_id for the authorisation result from the claims of the JWT assertion. If such a use case is not supported or permitted the grant handler should throw a GeneralException with an invalid_request error.

If the JWT assertion is invalid the handler must throw a GeneralException with an invalid_grant error code.

If the requested scope is invalid, unknown, malformed, or exceeds the scope granted by the resource owner the handler must throw a GeneralException with an invalid_scope error code.
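The following handler is an added example written for this page; it is not Connect2id's code and not part of the SDK. It exercises the three JOSE forms listed above (signed, encrypted, nested), the lifetime rule, and the three client cases and error codes from this method's documentation. The trusted issuer, expected audience, permitted scope, STS key set, decryption key, and the ThirdPartyAssertionAuthorization constructor in the return statement are assumptions; check the SDK version in use for the real constructor. The SPI types themselves are assumed to be imported from the SDK's grant handler package.

```java
import java.text.ParseException;
import java.util.Date;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObject;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.crypto.RSADecrypter;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.GeneralException;
import com.nimbusds.oauth2.sdk.OAuth2Error;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Subject;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata;
// ThirdPartyJWTGrantHandler / ThirdPartyAssertionAuthorization: SDK SPI imports assumed.

// Example handler trusting a single STS. Issuer, audience, keys, scope policy and the
// ThirdPartyAssertionAuthorization constructor are assumptions of this example.
public class ExampleStsGrantHandler implements ThirdPartyJWTGrantHandler {

    private static final String TRUSTED_ISSUER = "https://sts.example.com";          // assumed STS
    private static final String OUR_TOKEN_ENDPOINT = "https://op.example.com/token"; // assumed aud
    private static final long MAX_SKEW_MS = 60_000L;                 // tolerated clock skew
    private static final long DEFAULT_LIFETIME_S = 600L;             // access token lifetime cap
    private static final Scope ALLOWED = new Scope("read", "write"); // assumed scope policy

    private final JWKSet stsKeys;       // STS public JWS keys, loaded at startup (assumed)
    private final RSAKey decryptionKey; // this server's private JWE key (assumed)

    public ExampleStsGrantHandler(JWKSet stsKeys, RSAKey decryptionKey) {
        this.stsKeys = stsKeys;
        this.decryptionKey = decryptionKey;
    }

    private static GeneralException invalidGrant(String why) {
        return new GeneralException(why, OAuth2Error.INVALID_GRANT.setDescription(why));
    }

    // Unwraps the three JOSE forms from the interface docs and verifies the JWS signature.
    JWTClaimsSet verifyAssertion(JOSEObject jwt) throws GeneralException {
        try {
            SignedJWT signed;
            if (jwt instanceof SignedJWT) {
                signed = (SignedJWT) jwt;
            } else if (jwt instanceof EncryptedJWT) {
                // Encryption to the OP's public key does not authenticate the STS (anyone can
                // produce such a JWE), so this example insists on a signature.
                throw invalidGrant("unsigned encrypted assertion not accepted");
            } else if (jwt instanceof JWEObject) {
                JWEObject jwe = (JWEObject) jwt;
                jwe.decrypt(new RSADecrypter(decryptionKey));
                signed = jwe.getPayload().toSignedJWT(); // nested JWS; null if payload is not one
                if (signed == null) throw invalidGrant("JWE payload is not a signed JWT");
            } else {
                throw invalidGrant("unsupported JOSE object");
            }
            // Key chosen by kid from the STS set; RSASSAVerifier throws for non-RSA algs
            // (e.g. HS256 with the public key as secret), which lands in the catch below.
            JWK key = stsKeys.getKeyByKeyId(signed.getHeader().getKeyID());
            if (!(key instanceof RSAKey) || !signed.verify(new RSASSAVerifier((RSAKey) key))) {
                throw invalidGrant("signature verification failed");
            }
            return checkClaims(signed.getJWTClaimsSet());
        } catch (JOSEException | ParseException e) {
            throw invalidGrant("malformed assertion: " + e.getMessage());
        }
    }

    private static JWTClaimsSet checkClaims(JWTClaimsSet c) throws GeneralException {
        long now = System.currentTimeMillis();
        Date exp = c.getExpirationTime(), nbf = c.getNotBeforeTime();
        if (!TRUSTED_ISSUER.equals(c.getIssuer())) throw invalidGrant("untrusted issuer");
        if (c.getAudience() == null || !c.getAudience().contains(OUR_TOKEN_ENDPOINT)) throw invalidGrant("audience mismatch");
        if (c.getSubject() == null) throw invalidGrant("missing sub");
        if (exp == null || exp.getTime() + MAX_SKEW_MS < now) throw invalidGrant("missing exp or expired");
        if (nbf != null && nbf.getTime() - MAX_SKEW_MS > now) throw invalidGrant("not yet valid");
        return c;
    }

    // Lifetime capped by the assertion's remaining validity, as the interface docs require.
    static long tokenLifetimeSeconds(Date exp, long nowMs) {
        return Math.max(1L, Math.min(DEFAULT_LIFETIME_S, (exp.getTime() - nowMs) / 1000L));
    }

    // The three client cases from the method docs; clientMetadata is non-null whenever clientID is.
    static ClientID resolveClient(JWTClaimsSet c, ClientID clientID) throws GeneralException {
        String claimed;
        try { claimed = c.getStringClaim("client_id"); } catch (ParseException e) { throw invalidGrant("bad client_id claim"); }
        if (clientID != null) { // authenticated confidential client, or client_id request parameter
            if (claimed != null && !claimed.equals(clientID.getValue())) throw invalidGrant("client_id mismatch");
            return clientID;
        }
        // No client_id on the request: it must come from the assertion, otherwise invalid_request.
        if (claimed == null) throw new GeneralException("client_id required", OAuth2Error.INVALID_REQUEST.setDescription("client_id required"));
        return new ClientID(claimed);
    }

    static Scope checkScope(Scope requested) throws GeneralException {
        if (requested == null) return Scope.parse(ALLOWED.toString());
        if (!ALLOWED.containsAll(requested)) throw new GeneralException("scope not permitted", OAuth2Error.INVALID_SCOPE);
        return requested;
    }

    @Override
    public ThirdPartyAssertionAuthorization processThirdPartyGrant(JOSEObject jwtAssertion, Scope scope, ClientID clientID, boolean confidentialClient, OIDCClientMetadata clientMetadata) throws GeneralException {
        JWTClaimsSet claims = verifyAssertion(jwtAssertion);
        ClientID client = resolveClient(claims, clientID);
        Scope granted = checkScope(scope);
        long lifetime = tokenLifetimeSeconds(claims.getExpirationTime(), System.currentTimeMillis());
        // Constructor assumed for this example; no refresh token is requested, as the docs forbid it.
        return new ThirdPartyAssertionAuthorization(client, new Subject(claims.getSubject()), granted, lifetime);
    }
}
```

Two points worth noting. A bare EncryptedJWT is rejected because JWE with the OP's public key proves nothing about who minted the assertion; accept that form only if the encryption key is a secret shared exclusively with the STS. Replay of a still-valid assertion is permitted by this interface (clients may reuse it to obtain a fresh access token), so a jti replay cache belongs here only if your deployment wants stricter semantics than the SDK describes.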
Parameters:

- jwtAssertion - The JWT assertion, to be verified / decrypted by the handler. Can be a signed JWT, an encrypted JWT, or a signed and encrypted (nested) JWT. Not null.
- scope - The requested scope, null if not specified.
- clientID - The client identifier, null if not specified or if no client authentication was provided.
- confidentialClient - true if the client is confidential and has been authenticated, else false.
- clientMetadata - The OAuth 2.0 / OpenID Connect client metadata, null if no client_id or client authentication was provided.

Throws:

- com.nimbusds.oauth2.sdk.GeneralException - If the grant is invalid, or another exception was encountered.

Copyright © 2015 Connect2id Ltd. All Rights Reserved.