Interface SelfIssuedJWTGrantHandler

- All Superinterfaces:
  GrantHandler, JWTGrantHandler, Lifecycle

@ThreadSafe public interface SelfIssuedJWTGrantHandler extends JWTGrantHandler
Service Provider Interface (SPI) for handling self-issued JSON Web Token (JWT) bearer assertion grants. Returns the matching authorisation on success.

The handler should not specify access token lifetimes that exceed the validity period of the JWT assertion by a significant period. The issue of refresh tokens is not permitted. Clients can refresh an expired access token by requesting a new one using the same assertion, if it is still valid, or with a new assertion.

Implementations must be thread-safe.

Related specifications:
- Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7521), section 4.1.
- JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7523), sections 2.1, 3 and 3.1.
Field Summary

- Fields inherited from interface com.nimbusds.openid.connect.provider.spi.grants.JWTGrantHandler
  GRANT_TYPE
Method Summary

- Modifier and Type: default SelfIssuedAssertionAuthorization
  Method: processSelfIssuedGrant(com.nimbusds.jwt.JWTClaimsSet jwtClaimsSet, com.nimbusds.oauth2.sdk.Scope scope, com.nimbusds.oauth2.sdk.id.ClientID clientID, com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata clientMetadata)
  Description: Deprecated.

- Modifier and Type: default SelfIssuedAssertionAuthorization
  Method: processSelfIssuedGrant(com.nimbusds.jwt.JWTClaimsSet jwtClaimsSet, TokenRequestParameters tokenRequestParams, com.nimbusds.oauth2.sdk.id.ClientID clientID, com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata clientMetadata, InvocationContext invocationCtx)
  Description: Handles a self-issued JWT bearer assertion grant by a client registered with the Connect2id server.

- Methods inherited from interface com.nimbusds.openid.connect.provider.spi.grants.JWTGrantHandler
  getGrantType
Method Detail

processSelfIssuedGrant

@Deprecated default SelfIssuedAssertionAuthorization processSelfIssuedGrant(com.nimbusds.jwt.JWTClaimsSet jwtClaimsSet, com.nimbusds.oauth2.sdk.Scope scope, com.nimbusds.oauth2.sdk.id.ClientID clientID, com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata clientMetadata) throws com.nimbusds.oauth2.sdk.GeneralException

Deprecated.

Handles a self-issued JWT bearer assertion grant by a client registered with the Connect2id server. This method is called for JWT assertion grants which fulfil all the following conditions:
- The assertion is issued by a client which is registered with the Connect2id server, i.e. the JWT issuer (iss) claim matches a registered client_id;
- The client is registered for the urn:ietf:params:oauth:grant-type:jwt-bearer grant;
- The client is successfully authenticated, by means of separate client authentication included in the token request (client_secret_basic, client_secret_post, client_secret_jwt or private_key_jwt), and / or with the JWT assertion grant itself;
- The JWT MAC or signature was successfully verified with the client's registered client_secret or jwks / jwks_uri;
- The JWT audience (aud), expiration (exp) and not-before time (nbf) claims verify successfully.

If the requested scope is invalid, unknown, malformed, or exceeds the scope granted by the resource owner the handler must throw a GeneralException with an invalid_scope error code.

- Parameters:
  jwtClaimsSet - The claims set included in the verified JWT assertion grant. The audience (aud), expiration (exp) and not-before time (nbf) claims are verified by the Connect2id server. The issuer (iss) claim will equal the client_id. Not null.
  scope - The requested scope, null if not specified.
  clientID - The identifier of the authenticated client. Not null.
  clientMetadata - The OAuth 2.0 / OpenID Connect metadata for the client. Not null.
- Returns:
  The authorisation.
- Throws:
  com.nimbusds.oauth2.sdk.GeneralException - If the grant is invalid, or another exception was encountered.
-
processSelfIssuedGrant

default SelfIssuedAssertionAuthorization processSelfIssuedGrant(com.nimbusds.jwt.JWTClaimsSet jwtClaimsSet, TokenRequestParameters tokenRequestParams, com.nimbusds.oauth2.sdk.id.ClientID clientID, com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata clientMetadata, InvocationContext invocationCtx) throws com.nimbusds.oauth2.sdk.GeneralException

Handles a self-issued JWT bearer assertion grant by a client registered with the Connect2id server. This method is called for JWT assertion grants which fulfil all the following conditions:
- The assertion is issued by a client which is registered with the Connect2id server, i.e. the JWT issuer (iss) claim matches a registered client_id;
- The client is registered for the urn:ietf:params:oauth:grant-type:jwt-bearer grant;
- The client is successfully authenticated, by means of separate client authentication included in the token request (client_secret_basic, client_secret_post, client_secret_jwt or private_key_jwt), and / or with the JWT assertion grant itself;
- The JWT MAC or signature was successfully verified with the client's registered client_secret or jwks / jwks_uri;
- The JWT audience (aud), expiration (exp) and not-before time (nbf) claims verify successfully.

If the requested scope is invalid, unknown, malformed, or exceeds the scope granted by the resource owner the handler must throw a GeneralException with an invalid_scope error code.

- Parameters:
  jwtClaimsSet - The claims set included in the verified JWT assertion grant. The audience (aud), expiration (exp) and not-before time (nbf) claims are verified by the Connect2id server. The issuer (iss) claim will equal the client_id. Not null.
  tokenRequestParams - The token request parameters, such as the requested scope. Not null.
  clientID - The identifier of the authenticated client. Not null.
  clientMetadata - The OAuth 2.0 / OpenID Connect metadata for the client. Not null.
  invocationCtx - The invocation context. Not null.
- Returns:
  The authorisation.
- Throws:
  com.nimbusds.oauth2.sdk.GeneralException - If the grant is invalid, or another exception was encountered.
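The following handler sketch is an added example and is not code from the Connect2id server or its SPI distribution. It shows the three obligations the interface description and the method contract above place on an implementation: the requested scope is checked against a ceiling (here the client's registered scope, since a self-issued assertion means the client acts on its own behalf) and a GeneralException with invalid_scope is thrown when it is exceeded; the access token lifetime is bounded by the assertion's exp claim rather than by a fixed server default alone; and no refresh token is ever issued. The class holds no mutable state, which is what makes it safe to share between threads as the @ThreadSafe contract requires. Assumptions not confirmed by this page: that the Lifecycle superinterface declares init(InitContext), shutdown() and isEnabled(); that TokenRequestParameters exposes the requested scope as getScope(); that an access token specification is built with an AccessTokenSpec(lifetime, audience list, TokenEncoding, encrypt) constructor and passed to the SelfIssuedAssertionAuthorization constructor together with the granted scope; and the package names for AccessTokenSpec, TokenEncoding, InitContext and InvocationContext. The audience URI and the 600-second default and 60-second grace values are constructed policy values for the example. Check every assumed signature against the SPI version you build against.

```java
import java.util.Collections;
import java.util.Date;
import java.util.concurrent.TimeUnit;

import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.oauth2.sdk.GeneralException;
import com.nimbusds.oauth2.sdk.OAuth2Error;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.id.Audience;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata;
// Assumed package locations for the SPI types below; verify against your SPI version.
import com.nimbusds.openid.connect.provider.spi.InitContext;
import com.nimbusds.openid.connect.provider.spi.InvocationContext;
import com.nimbusds.openid.connect.provider.spi.grants.AccessTokenSpec;
import com.nimbusds.openid.connect.provider.spi.grants.SelfIssuedAssertionAuthorization;
import com.nimbusds.openid.connect.provider.spi.grants.SelfIssuedJWTGrantHandler;
import com.nimbusds.openid.connect.provider.spi.grants.TokenRequestParameters;
import com.nimbusds.openid.connect.provider.spi.grants.TokenEncoding;

/**
 * Example handler (not Connect2id code). Stateless, hence thread-safe.
 */
public class ExampleSelfIssuedJWTGrantHandler implements SelfIssuedJWTGrantHandler {

    // Constructed policy values for this example, not SPI defaults.
    static final long DEFAULT_LIFETIME_SECONDS = 600L;
    static final long GRACE_SECONDS = 60L;
    static final Audience EXAMPLE_AUDIENCE = new Audience("https://api.example.com"); // constructed

    // Assumed Lifecycle methods; nothing to set up or tear down here.
    @Override public void init(InitContext initCtx) { }
    @Override public void shutdown() { }
    @Override public boolean isEnabled() { return true; }

    @Override
    public SelfIssuedAssertionAuthorization processSelfIssuedGrant(JWTClaimsSet jwtClaimsSet,
                                                                 TokenRequestParameters tokenRequestParams,
                                                                 ClientID clientID,
                                                                 OIDCClientMetadata clientMetadata,
                                                                 InvocationContext invocationCtx)
            throws GeneralException {

        // 1. Scope: the client's registered scope is the ceiling. A missing request
        //    scope defaults to it; anything outside it is rejected with invalid_scope.
        Scope granted = resolveScope(clientMetadata.getScope(), tokenRequestParams.getScope()); // getScope() assumed

        // 2. Lifetime: never outlive the assertion by more than GRACE_SECONDS.
        //    The server has already verified exp, so a null here is only defensive.
        long lifetime = boundedLifetime(jwtClaimsSet.getExpirationTime(), new Date());

        // 3. No refresh token: the authorisation carries an access token spec only.
        //    Constructor shape assumed (lifetime, audiences, encoding, encrypt).
        AccessTokenSpec tokenSpec = new AccessTokenSpec(
                lifetime, Collections.singletonList(EXAMPLE_AUDIENCE), TokenEncoding.SELF_CONTAINED, false);
        return new SelfIssuedAssertionAuthorization(granted, tokenSpec); // constructor shape assumed
    }

    /** Intersects the request against the registered scope, or throws invalid_scope. */
    static Scope resolveScope(Scope registered, Scope requested) throws GeneralException {
        if (registered == null || registered.isEmpty()) {
            throw new GeneralException("Client has no registered scope", OAuth2Error.INVALID_SCOPE);
        }
        Scope granted = new Scope();
        if (requested == null || requested.isEmpty()) {
            granted.addAll(registered);          // no scope requested: grant what is registered
        } else if (registered.containsAll(requested)) {
            granted.addAll(requested);           // subset of the registered scope
        } else {
            throw new GeneralException("Requested scope exceeds the client's registered scope",
                                       OAuth2Error.INVALID_SCOPE);
        }
        return granted;
    }

    /** Access token lifetime in seconds, capped at the default and at exp plus a small grace. */
    static long boundedLifetime(Date exp, Date now) {
        if (exp == null) {
            return DEFAULT_LIFETIME_SECONDS;
        }
        long remaining = TimeUnit.MILLISECONDS.toSeconds(exp.getTime() - now.getTime());
        // At least 1 s so a token issued at the edge of validity is still usable once;
        // at most the smaller of the policy default and the assertion's remaining life.
        return Math.max(1L, Math.min(DEFAULT_LIFETIME_SECONDS, remaining + GRACE_SECONDS));
    }
}
```

With these rules a client whose assertion expires in 30 seconds receives a token valid for about 90 seconds rather than the full 600, and a client asking for a scope value it was never registered with gets an invalid_scope error instead of a token. Because the same assertion may be presented again while it is still valid, as the interface description notes, the lifetime cap is what keeps a short-lived assertion from minting long-lived bearer tokens.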