Interface ClientSecretStoreCodec


  • @ThreadSafe
    public interface ClientSecretStoreCodec
    Service Provider Interface (SPI) for encoding OAuth client secrets before they are persisted to storage. An implementation can symmetrically encrypt the secrets, or hash them (e.g. with SCrypt or BCrypt), before committing them to storage. Note that the secrets of OAuth clients registered for client_secret_jwt authentication must not be hashed, because the plain secret is required to compute and verify the HMAC. The same applies to any client whose plain secret must remain available for other purposes, for example to symmetrically encrypt ID tokens or UserInfo responses for that client.

    The supplied context provides access to the Connect2id server JWK set, to retrieve any configured symmetric keys for client secret encryption, as well as to the client metadata, to determine the registered client authentication method and other settings that may require the plain secret.

    Implementations must be thread-safe.

    • Method Detail

      • encode

        default String encode​(com.nimbusds.oauth2.sdk.auth.Secret secret,
                              SecretCodecContext ctx)
        Encodes the specified client secret before storing it. Encoding can be applied to selected clients only, based on their metadata or other criteria.
        Parameters:
        secret - The client secret. To obtain its value use the Secret.getValue() or Secret.getValueBytes() methods. Note that the secret's expiration, if any, need not be encoded; it is persisted separately. Not null.
        ctx - The codec context. Not null.
        Returns:
        The encoded secret. The default method returns the secret value unencoded.
      • encodeImported

        default String encodeImported​(com.nimbusds.oauth2.sdk.auth.Secret secret,
                                      SecretCodecContext ctx)
        Encodes a client secret imported via the custom preferred_client_secret client metadata field before storing it. Encoding can be applied to selected clients only, based on their metadata or other criteria.
        Parameters:
        secret - The client secret as set by the custom preferred_client_secret metadata field. To obtain its value use the Secret.getValue() or Secret.getValueBytes() methods. Note that the secret's expiration, if any, need not be encoded; it is persisted separately. Not null.
        ctx - The codec context. Not null.
        Returns:
        The encoded secret. The default method returns the secret value unencoded.
      • decode

        default DecodedSecret decode​(String storedValue,
                                     SecretCodecContext ctx)
        Decodes a client secret after retrieving it from the store.

        If the secret is decoded to a plain value, the returned DecodedSecret must specify that value.

        If the secret is stored in hashed form and cannot be decoded, the returned DecodedSecret must instead specify a SecretVerifier that checks a candidate secret against the stored hash.

        Parameters:
        storedValue - The stored client secret value. Not null.
        ctx - The codec context. Not null.
        Returns:
        The decoded secret. The default method returns the stored value as the plain secret, matching the default encode method, which stores the value unencoded.
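
        The following codec is an added example, not part of the Connect2id SPI javadoc or of the server's own code. It implements the policy stated in the interface description and the three methods above: secrets of clients that authenticate with client_secret_basic or client_secret_post are BCrypt-hashed (BouncyCastle's OpenBSDBCrypt) and decoded to a SecretVerifier, while clients that need the plain secret (client_secret_jwt, or symmetric ID token / UserInfo encryption) keep it unencoded. The example extends the page's list with HS*-signed ID tokens and UserInfo, because OpenID Connect derives the symmetric signing key from the client secret too. The following names are assumptions, not confirmed by this page, and must be checked against the real SPI: ctx.getClientMetadata() returning OIDCClientMetadata, the factory methods DecodedSecret.plain(Secret) and DecodedSecret.withVerifier(SecretVerifier), and SecretVerifier as a single-method interface boolean verify(Secret).

```java
// Added example, not Connect2id code. ASSUMED names (verify against the SPI):
// ctx.getClientMetadata(), DecodedSecret.plain(...), DecodedSecret.withVerifier(...),
// SecretVerifier.verify(Secret). Everything else is the public Nimbus / BouncyCastle API.
package example;

import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.openid.connect.provider.spi.secrets.ClientSecretStoreCodec;
import com.nimbusds.openid.connect.provider.spi.secrets.DecodedSecret;
import com.nimbusds.openid.connect.provider.spi.secrets.SecretCodecContext;
import com.nimbusds.openid.connect.provider.spi.secrets.SecretVerifier;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata;
import org.bouncycastle.crypto.generators.OpenBSDBCrypt;

import java.security.SecureRandom;

/** Hashes client secrets unless the registered client needs the plain value. Thread-safe: no mutable state. */
public class BCryptClientSecretCodec implements ClientSecretStoreCodec {

    // Marks hashed stored values; a value without the prefix is a plain (or pre-codec, legacy) secret.
    private static final String HASH_PREFIX = "{bcrypt}";
    private static final int BCRYPT_COST = 12;       // 2^12 iterations, adjust to your latency budget
    private static final int BCRYPT_MAX_BYTES = 72;  // BCrypt silently truncates longer inputs
    private final SecureRandom random = new SecureRandom();

    /** True if this client cannot work with a hashed secret, per the interface note. */
    static boolean plainSecretRequired(OIDCClientMetadata m) {
        if (m == null) {
            return true; // no metadata to decide on: keep plain rather than break the client
        }
        if (ClientAuthenticationMethod.CLIENT_SECRET_JWT.equals(m.getTokenEndpointAuthMethod())) {
            return true; // HMAC over the client assertion needs the plain secret
        }
        // HS256/HS384/HS512 signing keys and symmetric JWE keys are derived from the client secret
        JWSAlgorithm idSig = m.getIDTokenJWSAlg();
        JWSAlgorithm uiSig = m.getUserInfoJWSAlg();
        JWEAlgorithm idEnc = m.getIDTokenJWEAlg();
        JWEAlgorithm uiEnc = m.getUserInfoJWEAlg();
        return (idSig != null && JWSAlgorithm.Family.HMAC_SHA.contains(idSig))
            || (uiSig != null && JWSAlgorithm.Family.HMAC_SHA.contains(uiSig))
            || (idEnc != null && JWEAlgorithm.Family.SYMMETRIC.contains(idEnc))
            || (uiEnc != null && JWEAlgorithm.Family.SYMMETRIC.contains(uiEnc));
    }

    @Override
    public String encode(Secret secret, SecretCodecContext ctx) {
        if (plainSecretRequired(ctx.getClientMetadata())) {  // ASSUMED accessor
            return secret.getValue();                         // stored unencoded, as the default does
        }
        if (secret.getValueBytes().length > BCRYPT_MAX_BYTES) {
            // Refuse rather than let BCrypt truncate; Connect2id-generated secrets are far shorter
            throw new IllegalArgumentException("Client secret exceeds the BCrypt input limit");
        }
        byte[] salt = new byte[16];                            // OpenBSDBCrypt requires a 16-byte salt
        random.nextBytes(salt);
        return HASH_PREFIX + OpenBSDBCrypt.generate(secret.getValue().toCharArray(), salt, BCRYPT_COST);
    }

    @Override
    public String encodeImported(Secret secret, SecretCodecContext ctx) {
        // A secret imported via preferred_client_secret gets the same policy as a generated one
        return encode(secret, ctx);
    }

    @Override
    public DecodedSecret decode(String storedValue, SecretCodecContext ctx) {
        if (!storedValue.startsWith(HASH_PREFIX)) {
            // Plain value (or a legacy value stored before this codec was enabled)
            return DecodedSecret.plain(new Secret(storedValue));  // ASSUMED factory
        }
        final String bcryptString = storedValue.substring(HASH_PREFIX.length());
        // Cannot recover the plain secret: hand back a verifier that checks a candidate against the hash
        SecretVerifier verifier = candidate ->
            OpenBSDBCrypt.checkPassword(bcryptString, candidate.getValue().toCharArray());
        return DecodedSecret.withVerifier(verifier);           // ASSUMED factory
    }
}
```

        The prefix convention is what makes decode unambiguous: a stored value is treated as a hash only when it carries the marker, so clients registered before the codec was deployed keep working without a migration, and a later change of hash function (say to SCrypt) can use a second marker and be detected the same way. If the deployment instead needs reversible storage, the same structure applies with the JWK set from the context supplying an AES key for encode and decode, and decode then returns a plain DecodedSecret rather than a verifier.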