@ThreadSafe public interface ThirdPartyJWTGrantHandler extends JWTGrantHandler
authorisation
on success. Must
throw a GeneralException
with an
invalid_grant
error code if the JWT assertion is invalid.
The passed JWT assertion can be an instance of:
SignedJWT
-- Signed or MAC protected with
JWS;
EncryptedJWT
-- Encrypted with JWE;
JWEObject
-- Signed or MAC protected with
JWS, then encrypted with JWE.
The handler should not specify access token lifetimes that exceed the validity period of the JWT assertion by a significant period. The issue of refresh tokens is not permitted. Clients can refresh an expired access token by requesting a new one using the same assertion, if it is still valid, or with a new assertion.
Implementations must be thread-safe.
Related specifications:
GRANT_TYPE
Modifier and Type | Method and Description |
---|---|
ThirdPartyAssertionAuthorization |
processThirdPartyGrant(com.nimbusds.jose.JOSEObject jwtAssertion,
com.nimbusds.oauth2.sdk.Scope scope,
com.nimbusds.oauth2.sdk.id.ClientID clientID,
boolean confidentialClient,
com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata clientMetadata)
Handles a JWT bearer assertion grant issued by a third-party
security token service (STS).
|
getGrantType
ThirdPartyAssertionAuthorization processThirdPartyGrant(com.nimbusds.jose.JOSEObject jwtAssertion, com.nimbusds.oauth2.sdk.Scope scope, com.nimbusds.oauth2.sdk.id.ClientID clientID, boolean confidentialClient, com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata clientMetadata) throws com.nimbusds.oauth2.sdk.GeneralException
The following client authentication / identification cases may be handled:
confidentialClient
flag will be true
. The
client_id and metadata arguments will be set.
client_id
using the optional token request
parameter, the confidentialClient
flag will be
false
and the client metadata will be set.
client_id
is passed
with the token request, the client information arguments
will be null
and the confidentialClient
flag
will be false
. The grant handler must resolve the
client_id
for the authorisation result from claims
of the JWT assertion. If such a use case is not supported or
permitted the grant handler should throw a
GeneralException
with an
invalid_request
error.
If the JWT assertion is invalid the handler must throw a
GeneralException
with an
invalid_grant
error code.
If the requested scope is invalid, unknown, malformed, or exceeds
the scope granted by the resource owner the handler must throw a
GeneralException
with an
invalid_scope
error code.
jwtAssertion
- The JWT assertion, to be verified /
decrypted by the handler. Can be a signed
JWT, an encrypted JWT, or a signed and
encrypted (nested) JWT. Not null
.scope
- The requested scope, null
if not
specified.clientID
- The client identifier, null
if not
specified or if no client authentication
was provided.confidentialClient
- true
if the client is confidential
and has been authenticated, else
false
.clientMetadata
- The OAuth 2.0 / OpenID Connect client
metadata, null
if no
client_id
or client authentication
was provided.com.nimbusds.oauth2.sdk.GeneralException
- If the grant is invalid, or another
exception was encountered.Copyright © 2021 Connect2id Ltd.. All rights reserved.