Package com.nimbusds.openid.connect.provider.spi.grants

Interface SelfIssuedJWTGrantHandler

All Superinterfaces:
GrantHandler, JWTGrantHandler, Lifecycle
@ThreadSafe public interface SelfIssuedJWTGrantHandler extends JWTGrantHandler
Service Provider Interface (SPI) for handling self-issued JSON Web Token (JWT) bearer assertion grants. Returns the matching authorisation on success.

The handler should not specify access token lifetimes that exceed the validity period of the JWT assertion by a significant period. The issue of refresh tokens is not permitted. Clients can refresh an expired access token by requesting a new one using the same assertion, if it is still valid, or with a new assertion.

Implementations must be thread-safe.

Related specifications:

  • Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7521), section 4.1.
  • JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7523), sections 2.1, 3 and 3.1.

  • Method Details

    • processSelfIssuedGrant

      @Deprecated default SelfIssuedAssertionAuthorization processSelfIssuedGrant(com.nimbusds.jwt.JWTClaimsSet jwtClaimsSet, com.nimbusds.oauth2.sdk.Scope scope, com.nimbusds.oauth2.sdk.id.ClientID clientID, com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata clientMetadata) throws com.nimbusds.oauth2.sdk.GeneralException
      Deprecated.
      Handles a self-issued JWT bearer assertion grant by a client registered with the Connect2id server.

      This method is called for JWT assertion grants which fulfil all the following conditions:

      1. Are issued by a client which is registered with the Connect2id server, i.e. the JWT issuer (iss) assertion matches a registered client_id;
      2. The client is registered for the urn:ietf:params:oauth:grant-type:jwt-bearer grant;
      3. The client is successfully authenticated, by means of separate client authentication included in the token request (client_secret_basic, client_secret_post, client_secret_jwt or private_key_jwt), and / or with the JWT assertion grant itself;
      4. The JWT MAC or signature was successfully verified using with a registered client_secret or jwks / jwks_uri;
      5. The JWT audience (aud), expiration (exp) and not-before time (nbf) claims verify successfully.

      If the requested scope is invalid, unknown, malformed, or exceeds the scope granted by the resource owner the handler must throw a GeneralException with an invalid_scope error code.

      Parameters:
      jwtClaimsSet - The claims set included in the verified JWT assertion grant. The audience (aud), expiration (exp) and not-before time (nbf) claims are verified by the Connect2id server. The issuer (iss) claims will equal the client_id. Not null.
      scope - The requested scope, null if not specified.
      clientID - The identifier of the authenticated client. Not null.
      clientMetadata - The OAuth 2.0 client / OpenID relying party metadata. Not null.
      Returns:
      The authorisation.
      Throws:
      com.nimbusds.oauth2.sdk.GeneralException - If the grant is invalid, or another exception was encountered.

    • processSelfIssuedGrant

      @Deprecated default SelfIssuedAssertionAuthorization processSelfIssuedGrant(com.nimbusds.jwt.JWTClaimsSet jwtClaimsSet, TokenRequestParameters tokenRequestParams, com.nimbusds.oauth2.sdk.id.ClientID clientID, com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata clientMetadata, InvocationContext invocationCtx) throws com.nimbusds.oauth2.sdk.GeneralException
      Deprecated.
      Handles a self-issued JWT bearer assertion grant by a client registered with the Connect2id server.

      This method is called for JWT assertion grants which fulfil all the following conditions:

      1. Are issued by a client which is registered with the Connect2id server, i.e. the JWT issuer (iss) assertion matches a registered client_id;
      2. The client is registered for the urn:ietf:params:oauth:grant-type:jwt-bearer grant;
      3. The client is successfully authenticated, by means of separate client authentication included in the token request (client_secret_basic, client_secret_post, client_secret_jwt or private_key_jwt), and / or with the JWT assertion grant itself;
      4. The JWT MAC or signature was successfully verified using with a registered client_secret or jwks / jwks_uri;
      5. The JWT audience (aud), expiration (exp) and not-before time (nbf) claims verify successfully.

      If the requested scope is invalid, unknown, malformed, or exceeds the scope granted by the resource owner the handler must throw a GeneralException with an invalid_scope error code.

      Parameters:
      jwtClaimsSet - The claims set included in the verified JWT assertion grant. The audience (aud), expiration (exp) and not-before time (nbf) claims are verified by the Connect2id server. The issuer (iss) claims will equal the client_id. Not null.
      tokenRequestParams - The token request parameters, such as the requested scope. Not null.
      clientID - The identifier of the authenticated client. Not null.
      clientMetadata - The OAuth 2.0 client / OpenID relying party metadata. Not null.
      invocationCtx - The invocation context. Not null.
      Returns:
      The authorisation.
      Throws:
      com.nimbusds.oauth2.sdk.GeneralException - If the grant is invalid, or another exception was encountered.

    • processSelfIssuedGrant

      default SelfIssuedAssertionAuthorization processSelfIssuedGrant(com.nimbusds.jwt.JWTClaimsSet jwtClaimsSet, TokenRequestParameters tokenRequestParams, com.nimbusds.oauth2.sdk.id.ClientID clientID, com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata clientMetadata, GrantHandlerContext handlerCtx) throws com.nimbusds.oauth2.sdk.GeneralException
      Handles a self-issued JWT bearer assertion grant by a client registered with the Connect2id server.

      This method is called for JWT assertion grants which fulfil all the following conditions:

      1. Are issued by a client which is registered with the Connect2id server, i.e. the JWT issuer (iss) assertion matches a registered client_id;
      2. The client is registered for the urn:ietf:params:oauth:grant-type:jwt-bearer grant;
      3. The client is successfully authenticated, by means of separate client authentication included in the token request (client_secret_basic, client_secret_post, client_secret_jwt or private_key_jwt), and / or with the JWT assertion grant itself;
      4. The JWT MAC or signature was successfully verified using with a registered client_secret or jwks / jwks_uri;
      5. The JWT audience (aud), expiration (exp) and not-before time (nbf) claims verify successfully.

      If the requested scope is invalid, unknown, malformed, or exceeds the scope granted by the resource owner the handler must throw a GeneralException with an invalid_scope error code.

      Parameters:
      jwtClaimsSet - The claims set included in the verified JWT assertion grant. The audience (aud), expiration (exp) and not-before time (nbf) claims are verified by the Connect2id server. The issuer (iss) claims will equal the client_id. Not null.
      tokenRequestParams - The token request parameters, such as the requested scope. Not null.
      clientID - The identifier of the authenticated client. Not null.
      clientMetadata - The OAuth 2.0 client / OpenID relying party metadata. Not null.
      handlerCtx - The handler context. Not null.
      Returns:
      The authorisation.
      Throws:
      com.nimbusds.oauth2.sdk.GeneralException - If the grant is invalid, or another exception was encountered.