Interface SelfIssuedJWTGrantHandler

  • All Superinterfaces:
    GrantHandler, JWTGrantHandler, Lifecycle

    @ThreadSafe
    public interface SelfIssuedJWTGrantHandler
    extends JWTGrantHandler
    Service Provider Interface (SPI) for handling self-issued JSON Web Token (JWT) bearer assertion grants. Returns the matching authorisation on success.

    The handler should not specify access token lifetimes that exceed the validity period of the JWT assertion by a significant margin. Issuing refresh tokens is not permitted for this grant. A client can replace an expired access token by requesting a new one with the same assertion, if it is still valid, or with a new assertion.

    Implementations must be thread-safe.

    Related specifications:

    • Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7521), section 4.1.
    • JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7523), sections 2.1, 3 and 3.1.

    • Method Detail

      • processSelfIssuedGrant

        SelfIssuedAssertionAuthorization processSelfIssuedGrant​(com.nimbusds.jwt.JWTClaimsSet jwtClaimsSet,
                                                                com.nimbusds.oauth2.sdk.Scope scope,
                                                                com.nimbusds.oauth2.sdk.id.ClientID clientID,
                                                                com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata clientMetadata)
                                                         throws com.nimbusds.oauth2.sdk.GeneralException
        Handles a self-issued JWT bearer assertion grant by a client registered with the Connect2id server.

        This method is called for JWT assertion grants which fulfil all of the following conditions:

        1. Are issued by a client which is registered with the Connect2id server, i.e. the JWT issuer (iss) claim matches a registered client_id;
        2. The client is registered for the urn:ietf:params:oauth:grant-type:jwt-bearer grant;
        3. The client is successfully authenticated, by means of separate client authentication included in the token request (client_secret_basic, client_secret_post, client_secret_jwt or private_key_jwt), and / or with the JWT assertion grant itself;
        4. The JWT MAC or signature was successfully verified with a registered client_secret or jwks / jwks_uri;
        5. The JWT audience (aud), expiration (exp) and not-before time (nbf) claims verify successfully.

        If the requested scope is invalid, unknown, malformed, or exceeds the scope granted by the resource owner the handler must throw a GeneralException with an invalid_scope error code.

        Parameters:
        jwtClaimsSet - The claims set included in the verified JWT assertion grant. The audience (aud), expiration (exp) and not-before time (nbf) claims are verified by the Connect2id server. The issuer (iss) claim equals the client_id. Not null.
        scope - The requested scope, null if not specified.
        clientID - The identifier of the authenticated client. Not null.
        clientMetadata - The OAuth 2.0 / OpenID Connect metadata for the client. Not null.
        Returns:
        The authorisation.
        Throws:
        com.nimbusds.oauth2.sdk.GeneralException - If the grant is invalid, or another exception was encountered.
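        An added illustration of how a handler might implement processSelfIssuedGrant and the lifetime rule stated above. This is example code written for this page, not Connect2id's own reference implementation. It assumes the method names of the GrantHandler and Lifecycle superinterfaces (init, shutdown, getGrantType, isEnabled, InitContext), and the constructor shapes of AccessTokenSpec and SelfIssuedAssertionAuthorization, none of which are shown on this page; the in-memory resource owner consent map and the 600-second lifetime cap are constructed sample data.

```java
import java.util.Date;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.TimeUnit;

import net.jcip.annotations.ThreadSafe;

import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.oauth2.sdk.GeneralException;
import com.nimbusds.oauth2.sdk.GrantType;
import com.nimbusds.oauth2.sdk.OAuth2Error;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata;
import com.nimbusds.openid.connect.provider.spi.InitContext;               // assumed
import com.nimbusds.openid.connect.provider.spi.grants.AccessTokenSpec;    // constructor shape assumed
import com.nimbusds.openid.connect.provider.spi.grants.SelfIssuedAssertionAuthorization; // constructor shape assumed
import com.nimbusds.openid.connect.provider.spi.grants.SelfIssuedJWTGrantHandler;

@ThreadSafe
public class ExampleSelfIssuedJWTGrantHandler implements SelfIssuedJWTGrantHandler {

    // Hard upper bound on the access token lifetime, in seconds (sample value). The
    // effective lifetime is additionally capped to the assertion's remaining validity.
    private static final long MAX_ACCESS_TOKEN_LIFETIME = 600L;

    // Constructed sample: scope a resource owner (the assertion "sub") has granted to the
    // client. A real handler would consult a consent store keyed by client and subject.
    private final Map<String, Scope> resourceOwnerConsent = new ConcurrentHashMap<>();

    // Assumed from the Lifecycle / GrantHandler superinterfaces, not detailed on this page.
    @Override public void init(InitContext initContext) { resourceOwnerConsent.put("alice", Scope.parse("openid email")); }
    @Override public void shutdown() { resourceOwnerConsent.clear(); }
    @Override public GrantType getGrantType() { return GrantType.JWT_BEARER; }
    @Override public boolean isEnabled() { return true; }

    @Override
    public SelfIssuedAssertionAuthorization processSelfIssuedGrant(JWTClaimsSet jwtClaimsSet,
                                                                  Scope scope,
                                                                  ClientID clientID,
                                                                  OIDCClientMetadata clientMetadata)
        throws GeneralException {

        // iss, aud, exp and nbf were already verified by the server; the handler only
        // decides the effective scope and the access token lifetime.
        Scope effective = resolveScope(scope, clientMetadata.getScope());

        // A "sub" other than the client itself means the client acts on behalf of a
        // resource owner: the scope must not exceed what that owner granted.
        String sub = jwtClaimsSet.getSubject();
        if (sub != null && ! sub.equals(clientID.getValue())) {
            Scope consented = resourceOwnerConsent.get(sub);
            if (consented == null || ! consented.containsAll(effective)) {
                throw new GeneralException("Scope exceeds resource owner consent",
                    OAuth2Error.INVALID_SCOPE.setDescription("Scope exceeds the scope granted by the resource owner"));
            }
        }

        long lifetime = computeLifetime(jwtClaimsSet.getExpirationTime(), new Date());

        // Assumption: 4-argument constructor (scope, access token spec, claims spec, data);
        // verify against the SDK Javadoc. Deliberately no refresh token specification,
        // since the SPI forbids issuing one for this grant.
        return new SelfIssuedAssertionAuthorization(effective, new AccessTokenSpec(lifetime), null, null);
    }

    /** Effective scope: the registered scope when none is requested; any requested value
     *  outside the client's registered scope is rejected with invalid_scope. */
    static Scope resolveScope(Scope requested, Scope registered) throws GeneralException {
        if (registered == null || registered.isEmpty()) {
            throw new GeneralException("Client has no registered scope",
                OAuth2Error.INVALID_SCOPE.setDescription("No scope registered for the client"));
        }
        if (requested == null || requested.isEmpty()) {
            return new Scope(registered);
        }
        for (Scope.Value value : requested) {
            if (! registered.contains(value)) {
                throw new GeneralException("Requested scope value not registered: " + value,
                    OAuth2Error.INVALID_SCOPE.setDescription("Scope value not permitted: " + value));
            }
        }
        return new Scope(requested);
    }

    /** Access token lifetime in seconds: the lesser of the configured maximum and the
     *  assertion's remaining validity, never below one second. */
    static long computeLifetime(Date assertionExp, Date now) {
        if (assertionExp == null) {
            return MAX_ACCESS_TOKEN_LIFETIME; // exp is verified by the server, so this is defensive only
        }
        long remaining = TimeUnit.MILLISECONDS.toSeconds(assertionExp.getTime() - now.getTime());
        return Math.max(1L, Math.min(MAX_ACCESS_TOKEN_LIFETIME, remaining));
    }
}
```

        With an assertion that expires in 120 seconds, computeLifetime returns 120 rather than the 600-second cap, so the token cannot outlive the assertion that granted it; a request for a scope value the client never registered fails before any lifetime is computed, with the invalid_scope error the SPI contract requires.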