@ThreadSafe
public interface ClientSecretStoreCodec

... client_secret_jwt authentication, where the secret must be available in plaintext to perform the HMAC, must not be hashed. This also applies to secrets which may otherwise require the plain secret to be available for decoding, for example to facilitate symmetric encryption of ID tokens or UserInfo.

The supplied context provides access to the Connect2id server JWK set, to retrieve any configured symmetric keys for the client secret encryption, as well as to the client metadata, to determine the registered client authentication method.

Implementations must be thread-safe.
Modifier and Type | Method and Description
---|---
default DecodedSecret | decode(String storedValue, SecretCodecContext ctx): Decodes a client secret after retrieving it from the store.
default String | encode(com.nimbusds.oauth2.sdk.auth.Secret secret, SecretCodecContext ctx): Encodes the specified client secret before storing it.
default String | encodeImported(com.nimbusds.oauth2.sdk.auth.Secret secret, SecretCodecContext ctx): Encodes a client secret imported via the custom preferred_client_secret client metadata field before storing it.
default String encode(com.nimbusds.oauth2.sdk.auth.Secret secret, SecretCodecContext ctx)

Encodes the specified client secret before storing it.

Parameters:
secret - The client secret. To obtain its value use the Secret.getValue() or Secret.getValueBytes() methods. Note, the secret's expiration, if any, need not be encoded; it is persisted separately. Not null.
ctx - The codec context. Not null.
default String encodeImported(com.nimbusds.oauth2.sdk.auth.Secret secret, SecretCodecContext ctx)

Encodes a client secret imported via the custom preferred_client_secret client metadata field before storing it. Encoding can be applied for selected clients only, based on their metadata or other criteria.

Parameters:
secret - The client secret as set by the custom preferred_client_secret metadata field. To obtain its value use the Secret.getValue() or Secret.getValueBytes() methods. Note, the secret's expiration, if any, need not be encoded; it is persisted separately. Not null.
ctx - The codec context. Not null.
default DecodedSecret decode(String storedValue, SecretCodecContext ctx)

Decodes a client secret after retrieving it from the store.

If the secret is decoded to its plain value, the returned DecodedSecret must specify it. If the secret is stored in a hashed form and cannot be decoded, the returned DecodedSecret instance must specify a SecretVerifier.

Parameters:
storedValue - The stored client secret value. Not null.
ctx - The codec context. Not null.
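The following is an added example of a codec implementing this interface; it is not Connect2id's code and the Connect2id server SDK ships no such class. It keeps the plain secret for clients whose registration needs the raw value (client_secret_jwt, or a symmetric JWE algorithm for ID tokens or UserInfo) and stores a salted SHA-256 digest for everyone else, then returns a constant-time SecretVerifier from decode for the hashed case. Assumptions not stated on the page: the SPI types live in the package com.nimbusds.openid.connect.provider.spi.secrets, the context exposes the client metadata as ctx.getClientMetadata(), DecodedSecret is built with the static factories createForPlainSecret(Secret) and createForHashedSecret(SecretVerifier), SecretVerifier is a single-method interface verify(Secret), and the "plain:" / "sha256:" storage prefixes are this example's own convention.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata;
// Package of the SPI types is assumed; the page names the types but not their package.
import com.nimbusds.openid.connect.provider.spi.secrets.ClientSecretStoreCodec;
import com.nimbusds.openid.connect.provider.spi.secrets.DecodedSecret;
import com.nimbusds.openid.connect.provider.spi.secrets.SecretCodecContext;
import com.nimbusds.openid.connect.provider.spi.secrets.SecretVerifier;

/**
 * Example codec (not part of the Connect2id SDK): hashes the secret for clients
 * that only ever present it at the token endpoint, and keeps it in plain form
 * for clients whose registration needs the raw key material. The class holds
 * no mutable state, so it satisfies the interface's thread-safety requirement.
 */
public class HashWhenPossibleCodec implements ClientSecretStoreCodec {

    private static final String PLAIN_PREFIX = "plain:";
    private static final String HASH_PREFIX = "sha256:";   // sha256:<b64 salt>:<b64 digest>
    private static final SecureRandom RNG = new SecureRandom(); // SecureRandom is thread-safe

    /** True when the registered client needs the plaintext secret at runtime. */
    static boolean needsPlainSecret(OIDCClientMetadata md) {
        if (ClientAuthenticationMethod.CLIENT_SECRET_JWT.equals(md.getTokenEndpointAuthMethod())) {
            return true; // HMAC over the client assertion needs the secret bytes
        }
        JWEAlgorithm idTokenAlg = md.getIDTokenJWEAlg();
        JWEAlgorithm userInfoAlg = md.getUserInfoJWEAlg();
        // Symmetric JWE algorithms derive the key-encryption key from the client secret
        return (idTokenAlg != null && JWEAlgorithm.Family.SYMMETRIC.contains(idTokenAlg))
            || (userInfoAlg != null && JWEAlgorithm.Family.SYMMETRIC.contains(userInfoAlg));
    }

    static byte[] sha256(byte[] salt, byte[] secret) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            md.update(secret);
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    @Override
    public String encode(Secret secret, SecretCodecContext ctx) {
        // ctx.getClientMetadata() is an assumed accessor; the page only says the
        // context gives access to the client metadata.
        if (needsPlainSecret(ctx.getClientMetadata())) {
            return PLAIN_PREFIX + secret.getValue();
        }
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        byte[] digest = sha256(salt, secret.getValueBytes());
        Base64.Encoder b64 = Base64.getEncoder();
        return HASH_PREFIX + b64.encodeToString(salt) + ":" + b64.encodeToString(digest);
    }

    @Override
    public String encodeImported(Secret secret, SecretCodecContext ctx) {
        // A secret imported via preferred_client_secret gets the same treatment here;
        // a deployment could instead apply hashing only to selected clients.
        return encode(secret, ctx);
    }

    @Override
    public DecodedSecret decode(String storedValue, SecretCodecContext ctx) {
        // DecodedSecret.createForPlainSecret / createForHashedSecret and
        // SecretVerifier.verify(Secret) are assumed names, not confirmed by the page.
        if (storedValue.startsWith(PLAIN_PREFIX)) {
            return DecodedSecret.createForPlainSecret(
                new Secret(storedValue.substring(PLAIN_PREFIX.length())));
        }
        if (!storedValue.startsWith(HASH_PREFIX)) {
            throw new IllegalArgumentException("Unrecognised stored secret format");
        }
        String[] parts = storedValue.substring(HASH_PREFIX.length()).split(":", 2);
        if (parts.length != 2) {
            throw new IllegalArgumentException("Malformed hashed secret record");
        }
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        // MessageDigest.isEqual compares in constant time, so the verifier does not
        // leak how many leading bytes of a candidate digest matched.
        SecretVerifier verifier = candidate ->
            MessageDigest.isEqual(expected, sha256(salt, candidate.getValueBytes()));
        return DecodedSecret.createForHashedSecret(verifier);
    }
}
```

The format prefix lets decode dispatch without consulting the client metadata again, which also keeps the codec correct if a client later changes its registered authentication method: an already hashed secret stays verifiable, and the plain branch is only taken for values that were stored plain. The plain branch could be hardened further by encrypting the value with a symmetric key from the server JWK set that the context exposes, which is the purpose the page describes for those keys; that variant is left out here because the context's JWK set accessor is not named on the page.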
Copyright © 2021 Connect2id Ltd. All rights reserved.