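package com.nimbusds.openid.connect.provider.spi.crypto;


import java.util.Objects;

import net.jcip.annotations.ThreadSafe;
import org.checkerframework.checker.nullness.qual.Nullable;

import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;


/**
 * Interface exposed by the Connect2id server for signing JSON Web Tokens (JWT)
 * created by SPI implementations, for example Security Event Tokens (SET).
 *
 * <p>Security note: every JWT produced through this interface is signed with
 * the same private key as the server's self-contained access tokens, and the
 * issuer (iss) claim is set to the server's own issuer URL. A recipient that
 * checks only the signature and the issuer therefore has no cryptographic way
 * to tell an SPI-issued JWT from an access token (or one SPI token type from
 * another). To prevent token-type confusion, callers should:
 *
 * <ul>
 *     <li>Set a distinctive JOSE "typ" header via
 *         {@link #sign(JOSEObjectType, JWTClaimsSet)}; for Security Event
 *         Tokens the value defined by RFC 8417 is {@code secevent+jwt}.
 *         The single-argument {@link #sign(JWTClaimsSet)} emits no "typ"
 *         header and should be reserved for tokens whose consumers do not
 *         rely on it.</li>
 *     <li>Keep the audience (aud) claim narrow and include an expiration
 *         (exp) or issued-at (iat) claim as appropriate, so the token cannot
 *         be replayed against another consumer or indefinitely.</li>
 * </ul>
 *
 * <p>Implementations are thread-safe.
 */
@ThreadSafe
public interface JWTSigner {


	/**
	 * Signs the specified JWT claims without a JOSE object type ("typ")
	 * header. Equivalent to {@code sign(null, jwtClaimsSet)}.
	 *
	 * <p>The issuer (iss) claim will be set to the OpenID Provider /
	 * Authorisation Server issuer URL. The JWT will be signed with the
	 * private key (RSA or EC) used for signing self-contained access
	 * tokens. Recipients can validate the JWT signature using the
	 * published JWK set.
	 *
	 * <p>Prefer {@link #sign(JOSEObjectType, JWTClaimsSet)} with an
	 * explicit "typ" whenever the recipient can be expected to check it;
	 * see the class-level note on token-type confusion.
	 *
	 * @param jwtClaimsSet The JWT claims. Must not be {@code null}.
	 *
	 * @return The signed JWT.
	 *
	 * @throws NullPointerException If the JWT claims set is {@code null}.
	 */
	default SignedJWT sign(final JWTClaimsSet jwtClaimsSet) {
		// Fail fast with a clear message here rather than letting a
		// null propagate into the server-side implementation.
		Objects.requireNonNull(jwtClaimsSet, "The JWT claims set must not be null");
		return sign(null, jwtClaimsSet);
	}


	/**
	 * Signs the specified JWT claims. The issuer (iss) claim will be set
	 * to the OpenID Provider / Authorisation Server issuer URL. The JWT
	 * will be signed with the private key (RSA or EC) used for signing
	 * self-contained access tokens. Recipients can validate the JWT
	 * signature using the published JWK set.
	 *
	 * <p>Because the signing key is shared with access tokens, the "typ"
	 * header is the primary means for a recipient to distinguish token
	 * kinds; pass a specific value (e.g. {@code secevent+jwt} for SETs)
	 * rather than {@code null} unless the consumer is known not to use it.
	 *
	 * @param typ          The JOSE object type ("typ") header parameter,
	 *                     {@code null} if none.
	 * @param jwtClaimsSet The JWT claims. Must not be {@code null}; how a
	 *                     {@code null} value is rejected is up to the
	 *                     implementation.
	 *
	 * @return The signed JWT.
	 */
	SignedJWT sign(@Nullable final JOSEObjectType typ, final JWTClaimsSet jwtClaimsSet);
}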