Class PrivateKeyJWT


@Immutable public final class PrivateKeyJWT extends JWTAuthentication
Private key JWT authentication at the Token endpoint. Implements ClientAuthenticationMethod.PRIVATE_KEY_JWT.

Signature JSON Web Algorithms (JWAs) supported by this implementation:

  • RS256
  • RS384
  • RS512
  • PS256
  • PS384
  • PS512
  • ES256
  • ES256K
  • ES384
  • ES512

Example TokenRequest with private key JWT authentication:

 POST /token HTTP/1.1
 Host: server.example.com
 Content-Type: application/x-www-form-urlencoded

 grant_type=authorization_code&
 code=i1WsRn1uB1&
 client_id=s6BhdRkqt3&
 client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&
 client_assertion=PHNhbWxwOl...[omitted for brevity]...ZT
Related specifications:

  • Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7521)
  • JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7523)

  • Constructor Details

    • PrivateKeyJWT

      public PrivateKeyJWT(ClientID clientID, URI endpoint, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, PrivateKey privateKey, String keyID, Provider jcaProvider) throws com.nimbusds.jose.JOSEException
      Creates a new private key JWT authentication. The expiration time (exp) is set to 1 minute from the current system time. Generates a default identifier (jti) for the JWT. The issued-at (iat) and not-before (nbf) claims are not set.
      Parameters:
      clientID - The client identifier. Must not be null.
      endpoint - The endpoint URI where the client will submit the JWT authentication, for example the token endpoint. Must not be null.
      jwsAlgorithm - The expected RSA (RS256, RS384, RS512, PS256, PS384 or PS512) or EC (ES256, ES384, ES512) signature algorithm for the JWT assertion. Must be supported and not null.
      privateKey - The signing private RSA or EC key. Must not be null.
      keyID - Optional identifier for the key, to aid key selection on the recipient side. Recommended. null if not specified.
      jcaProvider - Optional specific JCA provider, null to use the default one.
      Throws:
      com.nimbusds.jose.JOSEException - If signing failed.
    • PrivateKeyJWT

      public PrivateKeyJWT(Issuer iss, ClientID clientID, URI endpoint, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, PrivateKey privateKey, String keyID, Provider jcaProvider) throws com.nimbusds.jose.JOSEException
      Creates a new private key JWT authentication. The expiration time (exp) is set to 1 minute from the current system time. Generates a default identifier (jti) for the JWT. The issued-at (iat) and not-before (nbf) claims are not set.
      Parameters:
      iss - The issuer. May be different from the client identifier. Must not be null.
      clientID - The client identifier. Must not be null.
      endpoint - The endpoint URI where the client will submit the JWT authentication, for example the token endpoint. Must not be null.
      jwsAlgorithm - The expected RSA (RS256, RS384, RS512, PS256, PS384 or PS512) or EC (ES256, ES384, ES512) signature algorithm for the JWT assertion. Must be supported and not null.
      privateKey - The signing private RSA or EC key. Must not be null.
      keyID - Optional identifier for the key, to aid key selection on the recipient side. Recommended. null if not specified.
      jcaProvider - Optional specific JCA provider, null to use the default one.
      Throws:
      com.nimbusds.jose.JOSEException - If signing failed.
    • PrivateKeyJWT

      public PrivateKeyJWT(ClientID clientID, URI endpoint, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, PrivateKey privateKey, String keyID, List<com.nimbusds.jose.util.Base64> x5c, com.nimbusds.jose.util.Base64URL x5t256, Provider jcaProvider) throws com.nimbusds.jose.JOSEException
      Creates a new private key JWT authentication. The expiration time (exp) is set to 1 minute from the current system time. Generates a default identifier (jti) for the JWT. The issued-at (iat) and not-before (nbf) claims are not set.
      Parameters:
      clientID - The client identifier. Must not be null.
      endpoint - The endpoint URI where the client will submit the JWT authentication, for example the token endpoint. Must not be null.
      jwsAlgorithm - The expected RSA (RS256, RS384, RS512, PS256, PS384 or PS512) or EC (ES256, ES384, ES512) signature algorithm for the JWT assertion. Must be supported and not null.
      privateKey - The signing private RSA or EC key. Must not be null.
      keyID - Optional identifier for the key, to aid key selection on the recipient side. Recommended. null if not specified.
      x5c - Optional X.509 certificate chain for the public key, null if not specified.
      x5t256 - Optional X.509 certificate SHA-256 thumbprint, null if not specified.
      jcaProvider - Optional specific JCA provider, null to use the default one.
      Throws:
      com.nimbusds.jose.JOSEException - If signing failed.
    • PrivateKeyJWT

      public PrivateKeyJWT(Issuer iss, ClientID clientID, URI endpoint, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, PrivateKey privateKey, String keyID, List<com.nimbusds.jose.util.Base64> x5c, com.nimbusds.jose.util.Base64URL x5t256, Provider jcaProvider) throws com.nimbusds.jose.JOSEException
      Creates a new private key JWT authentication. The expiration time (exp) is set to 1 minute from the current system time. Generates a default identifier (jti) for the JWT. The issued-at (iat) and not-before (nbf) claims are not set.
      Parameters:
      iss - The issuer. May be different from the client identifier. Must not be null.
      clientID - The client identifier. Must not be null.
      endpoint - The endpoint URI where the client will submit the JWT authentication, for example the token endpoint. Must not be null.
      jwsAlgorithm - The expected RSA (RS256, RS384, RS512, PS256, PS384 or PS512) or EC (ES256, ES384, ES512) signature algorithm for the JWT assertion. Must be supported and not null.
      privateKey - The signing private RSA or EC key. Must not be null.
      keyID - Optional identifier for the key, to aid key selection on the recipient side. Recommended. null if not specified.
      x5c - Optional X.509 certificate chain for the public key, null if not specified.
      x5t256 - Optional X.509 certificate SHA-256 thumbprint, null if not specified.
      jcaProvider - Optional specific JCA provider, null to use the default one.
      Throws:
      com.nimbusds.jose.JOSEException - If signing failed.
    • PrivateKeyJWT

      public PrivateKeyJWT(JWTAuthenticationClaimsSet jwtAuthClaimsSet, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, PrivateKey privateKey, String keyID, Provider jcaProvider) throws com.nimbusds.jose.JOSEException
      Creates a new private key JWT authentication.
      Parameters:
      jwtAuthClaimsSet - The JWT authentication claims set. Must not be null.
      jwsAlgorithm - The expected RSA (RS256, RS384, RS512, PS256, PS384 or PS512) or EC (ES256, ES384, ES512) signature algorithm for the JWT assertion. Must be supported and not null.
      privateKey - The signing private RSA or EC key. Must not be null.
      keyID - Optional identifier for the key, to aid key selection on the recipient side. Recommended. null if not specified.
      jcaProvider - Optional specific JCA provider, null to use the default one.
      Throws:
      com.nimbusds.jose.JOSEException - If signing failed.
    • PrivateKeyJWT

      public PrivateKeyJWT(JWTAuthenticationClaimsSet jwtAuthClaimsSet, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, PrivateKey privateKey, String keyID, List<com.nimbusds.jose.util.Base64> x5c, com.nimbusds.jose.util.Base64URL x5t256, Provider jcaProvider) throws com.nimbusds.jose.JOSEException
      Creates a new private key JWT authentication.
      Parameters:
      jwtAuthClaimsSet - The JWT authentication claims set. Must not be null.
      jwsAlgorithm - The expected RSA (RS256, RS384, RS512, PS256, PS384 or PS512) or EC (ES256, ES384, ES512) signature algorithm for the JWT assertion. Must be supported and not null.
      privateKey - The signing private RSA or EC key. Must not be null.
      keyID - Optional identifier for the key, to aid key selection on the recipient side. Recommended. null if not specified.
      x5c - Optional X.509 certificate chain for the public key, null if not specified.
      x5t256 - Optional X.509 certificate SHA-256 thumbprint, null if not specified.
      jcaProvider - Optional specific JCA provider, null to use the default one.
      Throws:
      com.nimbusds.jose.JOSEException - If signing failed.
    • PrivateKeyJWT

      @Deprecated public PrivateKeyJWT(ClientID clientID, URI endpoint, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, RSAPrivateKey rsaPrivateKey, String keyID, Provider jcaProvider) throws com.nimbusds.jose.JOSEException
      Deprecated.
      Creates a new RSA private key JWT authentication. The expiration time (exp) is set to 1 minute from the current system time. Generates a default identifier (jti) for the JWT. The issued-at (iat) and not-before (nbf) claims are not set.
      Parameters:
      clientID - The client identifier. Must not be null.
      endpoint - The endpoint URI where the client will submit the JWT authentication, for example the token endpoint. Must not be null.
      jwsAlgorithm - The expected RSA signature algorithm (RS256, RS384 or RS512) for the private key JWT assertion. Must be supported and not null.
      rsaPrivateKey - The RSA private key. Must not be null.
      keyID - Optional identifier for the RSA key, to aid key selection at the authorisation server. Recommended. null if not specified.
      jcaProvider - Optional specific JCA provider, null to use the default one.
      Throws:
      com.nimbusds.jose.JOSEException - If RSA signing failed.
    • PrivateKeyJWT

      @Deprecated public PrivateKeyJWT(JWTAuthenticationClaimsSet jwtAuthClaimsSet, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, RSAPrivateKey rsaPrivateKey, String keyID, Provider jcaProvider) throws com.nimbusds.jose.JOSEException
      Deprecated.
      Creates a new RSA private key JWT authentication.
      Parameters:
      jwtAuthClaimsSet - The JWT authentication claims set. Must not be null.
      jwsAlgorithm - The expected RSA signature algorithm (RS256, RS384 or RS512) for the private key JWT assertion. Must be supported and not null.
      rsaPrivateKey - The RSA private key. Must not be null.
      keyID - Optional identifier for the RSA key, to aid key selection at the authorisation server. Recommended. null if not specified.
      jcaProvider - Optional specific JCA provider, null to use the default one.
      Throws:
      com.nimbusds.jose.JOSEException - If RSA signing failed.
    • PrivateKeyJWT

      @Deprecated public PrivateKeyJWT(ClientID clientID, URI endpoint, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, ECPrivateKey ecPrivateKey, String keyID, Provider jcaProvider) throws com.nimbusds.jose.JOSEException
      Deprecated.
      Creates a new EC private key JWT authentication. The expiration time (exp) is set to 1 minute from the current system time. Generates a default identifier (jti) for the JWT. The issued-at (iat) and not-before (nbf) claims are not set.
      Parameters:
      clientID - The client identifier. Must not be null.
      endpoint - The endpoint URI where the client will submit the JWT authentication, for example the token endpoint. Must not be null.
      jwsAlgorithm - The expected EC signature algorithm (ES256, ES384 or ES512) for the private key JWT assertion. Must be supported and not null.
      ecPrivateKey - The EC private key. Must not be null.
      keyID - Optional identifier for the EC key, to aid key selection at the authorisation server. Recommended. null if not specified.
      jcaProvider - Optional specific JCA provider, null to use the default one.
      Throws:
      com.nimbusds.jose.JOSEException - If EC signing failed.
    • PrivateKeyJWT

      @Deprecated public PrivateKeyJWT(JWTAuthenticationClaimsSet jwtAuthClaimsSet, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, ECPrivateKey ecPrivateKey, String keyID, Provider jcaProvider) throws com.nimbusds.jose.JOSEException
      Deprecated.
      Creates a new EC private key JWT authentication.
      Parameters:
      jwtAuthClaimsSet - The JWT authentication claims set. Must not be null.
      jwsAlgorithm - The expected EC signature algorithm (ES256, ES384 or ES512) for the private key JWT assertion. Must be supported and not null.
      ecPrivateKey - The EC private key. Must not be null.
      keyID - Optional identifier for the EC key, to aid key selection at the authorisation server. Recommended. null if not specified.
      jcaProvider - Optional specific JCA provider, null to use the default one.
      Throws:
      com.nimbusds.jose.JOSEException - If EC signing failed.
    • PrivateKeyJWT

      public PrivateKeyJWT(com.nimbusds.jwt.SignedJWT clientAssertion)
      Creates a new private key JWT authentication.
      Parameters:
      clientAssertion - The client assertion, corresponding to the client_assertion parameter, as a supported RSA or ECDSA-signed JWT. Must be signed and not null.
  • Method Details

    • supportedJWAs

      public static Set<com.nimbusds.jose.JWSAlgorithm> supportedJWAs()
      Returns the supported signature JSON Web Algorithms (JWAs).
      Returns:
      The supported JSON Web Algorithms (JWAs).
    • parse

      public static PrivateKeyJWT parse(Map<String,List<String>> params) throws ParseException
      Parses the specified parameters map for a private key JSON Web Token (JWT) authentication. Note that the parameters must not be application/x-www-form-urlencoded encoded.
      Parameters:
      params - The parameters map to parse. The private key JSON Web Token (JWT) parameters must be keyed under "client_assertion" and "client_assertion_type". The map must not be null.
      Returns:
      The private key JSON Web Token (JWT) authentication.
      Throws:
      ParseException - If the parameters map couldn't be parsed to a private key JSON Web Token (JWT) authentication.
    • parse

      public static PrivateKeyJWT parse(String paramsString) throws ParseException
      Parses a private key JSON Web Token (JWT) authentication from the specified application/x-www-form-urlencoded encoded parameters string.
      Parameters:
      paramsString - The parameters string to parse. The private key JSON Web Token (JWT) parameters must be keyed under "client_assertion" and "client_assertion_type". The string must not be null.
      Returns:
      The private key JSON Web Token (JWT) authentication.
      Throws:
      ParseException - If the parameters string couldn't be parsed to a private key JSON Web Token (JWT) authentication.
    • parse

      public static PrivateKeyJWT parse(HTTPRequest httpRequest) throws ParseException
      Parses the specified HTTP POST request for a private key JSON Web Token (JWT) authentication.
      Parameters:
      httpRequest - The HTTP POST request to parse. Must not be null and must contain a valid application/x-www-form-urlencoded encoded parameters string in the entity body. The private key JSON Web Token (JWT) parameters must be keyed under "client_assertion" and "client_assertion_type".
      Returns:
      The private key JSON Web Token (JWT) authentication.
      Throws:
      ParseException - If the HTTP request header couldn't be parsed to a private key JSON Web Token (JWT) authentication.
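The following is an added example, not part of the SDK's own documentation or code. It builds a PrivateKeyJWT with the constructor documented above, turns it into token-request parameters, and then shows the checks the receiving side should apply after parse(): a pinned signature algorithm, signature verification against the client's registered public key, client_id and audience match, expiry, and one-time use of the jti. The key pair, client identifier, endpoint URI and the in-memory jti cache are all constructed for the demo.

```java
import java.net.URI;
import java.util.*;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.crypto.ECDSAVerifier;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.gen.ECKeyGenerator;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.auth.JWTAuthenticationClaimsSet;
import com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT;
import com.nimbusds.oauth2.sdk.id.Audience;
import com.nimbusds.oauth2.sdk.id.ClientID;

public class PrivateKeyJWTRoundTrip {

    // Constructed values for the demo; a real server takes the client's public
    // key from its registered JWK set and the endpoint URI from its own config.
    static final URI TOKEN_ENDPOINT = URI.create("https://server.example.com/token");
    static final ClientID CLIENT_ID = new ClientID("s6BhdRkqt3");
    static final JWSAlgorithm EXPECTED_ALG = JWSAlgorithm.ES256;

    // Server side: parse the token-request parameters and verify the assertion.
    // seenJTIs is the replay cache (assumption: a plain in-memory set here).
    static boolean verify(Map<String, List<String>> params, ECKey clientPublicJWK,
                          Set<String> seenJTIs) throws Exception {
        PrivateKeyJWT auth = PrivateKeyJWT.parse(params);
        SignedJWT jwt = auth.getClientAssertion();
        // Pin the algorithm to the one registered for this client
        if (!EXPECTED_ALG.equals(jwt.getHeader().getAlgorithm())) return false;
        if (!jwt.verify(new ECDSAVerifier(clientPublicJWK))) return false;
        JWTAuthenticationClaimsSet claims = auth.getJWTAuthenticationClaimsSet();
        if (!CLIENT_ID.equals(claims.getClientID())) return false;
        // The assertion must be addressed to this endpoint (aud)
        if (!claims.getAudience().contains(new Audience(TOKEN_ENDPOINT))) return false;
        Date exp = claims.getExpirationTime();
        if (exp == null || exp.before(new Date())) return false;
        // One-time use: a jti already in the cache means a replayed assertion
        return seenJTIs.add(claims.getJWTID().getValue());
    }

    public static void main(String[] args) throws Exception {
        // Client side: fresh P-256 key, assertion with exp = now + 1 minute
        ECKey key = new ECKeyGenerator(Curve.P_256).keyID("client-key-1").generate();
        PrivateKeyJWT clientAuth = new PrivateKeyJWT(CLIENT_ID, TOKEN_ENDPOINT,
                EXPECTED_ALG, key.toECPrivateKey(), key.getKeyID(), null);
        Map<String, List<String>> params = clientAuth.toParameters();
        Set<String> seen = new HashSet<>();
        System.out.println("first use accepted: " + verify(params, key.toPublicJWK(), seen));
        System.out.println("replay accepted:    " + verify(params, key.toPublicJWK(), seen));
    }
}
```

The second verify() call submits the same parameters again and is rejected solely by the jti cache, which is why the server must keep the cache at least as long as the assertion's exp window.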