Interface PrivateKeyJWTCertificateVerifier

  • All Superinterfaces:
    Lifecycle

    @ThreadSafe
    public interface PrivateKeyJWTCertificateVerifier
    extends Lifecycle
    Service Provider Interface (SPI) for verifying an X.509 certificate (x5c) in private_key_jwt client authentications. This can be used to enable private_key_jwt authentication based on qualified certificates and without a prior client JWK set registration (via the "jwks" or "jwks_uri" client metadata parameters).

    The SPI enables implementation of policies where only selected clients are allowed or required to include a certificate for the private_key_jwt, based on the client's registered metadata or other criteria.

    A client can place the certificate in the private_key_jwt "x5c" header. Alternatively, the certificate can be put in the "x5c" parameter of a matching public JWK and have the key pre-registered via the "jwks" or "jwks_uri" client metadata parameter.

    Implementations must be thread-safe.

    • Method Detail

      • checkCertificateRequirement

        Optional<CertificateVerification> checkCertificateRequirement(PrivateKeyJWTContext context)
                                                               throws com.nimbusds.oauth2.sdk.auth.verifier.InvalidClientException
        Checks the X.509 certificate requirement for the specified private_key_jwt client authentication. If the client must use a certificate as part of the private_key_jwt authentication, included by value in the JWS "x5c" header parameter, or included in a registered client JWK in the client's "jwks" or "jwks_uri", the method returns a certificate verification callback.
        Parameters:
        context - The private_key_jwt client authentication context. Not null.
        Returns:
        A certificate verification callback if a certificate is required for the private_key_jwt client authentication, or an empty Optional if no certificate is required.
        Throws:
        com.nimbusds.oauth2.sdk.auth.verifier.InvalidClientException - To reject the authentication with an invalid_client error, due to an unmet authentication requirement. Throwing an ExposedInvalidClientException will override the default Connect2id server error_description and error_uri in the HTTP 401 Unauthorized error response.
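
The following is an added example and not Connect2id server code. It shows the two decisions an implementation of this SPI has to make, written against the JDK's own PKIX API so it compiles without the Connect2id classes: a policy step that returns a callback only for the selected clients (mirroring checkCertificateRequirement), and the callback itself, which decodes the JWS "x5c" header, binds the leaf certificate to the key that verified the JWS, strips any root the client sent along, and validates the remaining chain to a trust anchor from the server's own configuration. The types X5cChainVerifier and VerifiedLeaf, the client_id based policy set, the file layout accepted by main, and the disabled revocation checking are all assumptions made for the example; the real shapes of PrivateKeyJWTContext and CertificateVerification are not modelled.

```java
import java.io.ByteArrayInputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.cert.*;
import java.util.*;

/** Added example, not Connect2id code: the two decisions behind the SPI, on the JDK PKIX API. */
public final class X5cVerificationExample {

    /** Result of a successful chain check (stand-in type defined here). */
    public record VerifiedLeaf(X509Certificate leaf, String trustAnchorSubject) {}

    /** Stand-in for the CertificateVerification callback; the real SPI type is not modelled. */
    @FunctionalInterface
    public interface X5cChainVerifier {
        VerifiedLeaf verify(List<String> x5c, PublicKey jwsKey) throws CertificateException;
    }

    private final Set<String> clientsRequiringCert; // assumed policy input, e.g. derived from client metadata
    private final Set<TrustAnchor> trustAnchors;    // the CAs whose qualified certificates are accepted

    public X5cVerificationExample(Set<String> clientsRequiringCert, Set<TrustAnchor> trustAnchors) {
        this.clientsRequiringCert = Set.copyOf(clientsRequiringCert);
        this.trustAnchors = Set.copyOf(trustAnchors);
    }

    /** Mirrors checkCertificateRequirement: a callback only for the selected clients, empty otherwise. */
    public Optional<X5cChainVerifier> checkCertificateRequirement(String clientId) {
        return clientsRequiringCert.contains(clientId) ? Optional.of(this::verifyChain) : Optional.empty();
    }

    /** The callback: decode x5c, bind the leaf to the JWS key, then validate the chain to a trust anchor. */
    VerifiedLeaf verifyChain(List<String> x5c, PublicKey jwsKey) throws CertificateException {
        if (x5c == null || x5c.isEmpty()) {
            throw new CertificateException("certificate required for this client but no x5c was presented");
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> chain = new ArrayList<>();
        for (String b64 : x5c) {
            // RFC 7515 section 4.1.6: each x5c element is standard base64 (not base64url) of the DER certificate
            chain.add(cf.generateCertificate(new ByteArrayInputStream(Base64.getDecoder().decode(b64))));
        }
        // x5c[0] is the leaf and must hold the key that verified the JWS; without this check a
        // well-formed chain issued for some unrelated key would pass
        X509Certificate leaf = (X509Certificate) chain.get(0);
        if (!Arrays.equals(leaf.getPublicKey().getEncoded(), jwsKey.getEncoded())) {
            throw new CertificateException("x5c leaf public key does not match the JWS signing key");
        }
        // The trust anchor comes from our configuration, never from the JWS: drop a root the client included
        while (chain.size() > 1 && isTrustAnchor((X509Certificate) chain.get(chain.size() - 1))) {
            chain.remove(chain.size() - 1);
        }
        try {
            CertPath path = cf.generateCertPath(chain);
            PKIXParameters params = new PKIXParameters(trustAnchors);
            params.setRevocationEnabled(false); // assumption for the example; a deployment would configure OCSP/CRL
            PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult)
                    CertPathValidator.getInstance("PKIX").validate(path, params);
            X509Certificate anchor = result.getTrustAnchor().getTrustedCert();
            return new VerifiedLeaf(leaf, anchor.getSubjectX500Principal().getName());
        } catch (GeneralSecurityException e) {
            // covers CertPathValidatorException, InvalidAlgorithmParameterException, NoSuchAlgorithmException
            throw new CertificateException("x5c chain does not validate to a configured trust anchor", e);
        }
    }

    private boolean isTrustAnchor(X509Certificate cert) {
        return trustAnchors.stream().anyMatch(a -> cert.equals(a.getTrustedCert()));
    }

    /**
     * Usage: java X5cVerificationExample.java <trust-anchor.pem> <x5c.txt> <client_id>
     * x5c.txt holds one standard-base64 DER certificate per line, leaf first, exactly as in the JWS header.
     */
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate root = (X509Certificate) cf.generateCertificate(Files.newInputStream(Path.of(args[0])));
        List<String> x5c = Files.readAllLines(Path.of(args[1])).stream().filter(s -> !s.isBlank()).toList();
        String clientId = args[2];
        var policy = new X5cVerificationExample(Set.of(clientId), Set.of(new TrustAnchor(root, null)));
        // Stand-in for the key the server extracted when it verified the JWS: decoded independently from x5c[0]
        PublicKey jwsKey = cf.generateCertificate(
                new ByteArrayInputStream(Base64.getDecoder().decode(x5c.get(0)))).getPublicKey();
        X5cChainVerifier callback = policy.checkCertificateRequirement(clientId).orElseThrow();
        VerifiedLeaf verified = callback.verify(x5c, jwsKey);
        System.out.println(verified.leaf().getSubjectX500Principal() + " chains to " + verified.trustAnchorSubject());
    }
}
```

In a real implementation the policy step would read the client's registered metadata from the PrivateKeyJWTContext instead of a client_id set, the key binding would use the key that actually verified the JWS signature, and a failed check would surface as the InvalidClientException described above rather than a CertificateException. The order of the checks is the point worth keeping: bind the leaf to the signing key before spending CPU on path validation, and take the trust anchor only from configuration so that a client cannot supply its own root.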