Class JWTBearerGrant


@Immutable public class JWTBearerGrant extends AssertionGrant
JWT bearer grant. Used in access token requests with a JSON Web Token (JWT), such as an OpenID Connect ID token.

The JWT assertion can be:

  • Signed or MAC protected with JWS
  • Encrypted with JWE
  • Nested - signed / MAC protected with JWS and then encrypted with JWE

Related specifications:

  • Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7521), section 4.1.
  • JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7523), section 2.1.
  • Field Details

  • Constructor Details

    • JWTBearerGrant

      public JWTBearerGrant(com.nimbusds.jwt.SignedJWT assertion)
      Creates a new signed JSON Web Token (JWT) bearer assertion grant.
      Parameters:
      assertion - The signed JSON Web Token (JWT) assertion. Must not be in an unsigned state or null. The JWT claims are not validated for compliance with the standard.
    • JWTBearerGrant

      public JWTBearerGrant(com.nimbusds.jose.JWEObject assertion)
      Creates a new nested signed and encrypted JSON Web Token (JWT) bearer assertion grant.
      Parameters:
      assertion - The nested signed and encrypted JSON Web Token (JWT) assertion. Must not be in an unencrypted state or null. The JWT claims are not validated for compliance with the standard.
    • JWTBearerGrant

      public JWTBearerGrant(com.nimbusds.jwt.EncryptedJWT assertion)
      Creates a new signed and encrypted JSON Web Token (JWT) bearer assertion grant.
      Parameters:
      assertion - The signed and encrypted JSON Web Token (JWT) assertion. Must not be in an unencrypted state or null. The JWT claims are not validated for compliance with the standard.
  • Method Details

    • getJWTAssertion

      public com.nimbusds.jwt.JWT getJWTAssertion()
      Gets the JSON Web Token (JWT) bearer assertion.
      Returns:
      The assertion as a signed or encrypted JWT, null if the assertion is a signed and encrypted JWT.
    • getJOSEAssertion

      public com.nimbusds.jose.JOSEObject getJOSEAssertion()
      Gets the JSON Web Token (JWT) bearer assertion.
      Returns:
      The assertion as a generic JOSE object (signed JWT, encrypted JWT, or signed and encrypted JWT).
    • getAssertion

      public String getAssertion()
      Description copied from class: AssertionGrant
      Gets the assertion.
      Specified by:
      getAssertion in class AssertionGrant
      Returns:
      The assertion as a string.
    • toParameters

      Description copied from class: AuthorizationGrant
      Returns the request body parameters for the authorisation grant.
      Specified by:
      toParameters in class AuthorizationGrant
      Returns:
      The parameters.
    • parse

      public static JWTBearerGrant parse(Map<String,List<String>> params) throws ParseException
      Parses a JWT bearer grant from the specified request body parameters. The JWT claims are not validated for compliance with the standard.

      Example:

       grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer
       &assertion=eyJhbGciOiJFUzI1NiJ9.eyJpc3Mi[...omitted for brevity...].
       J9l-ZhwP[...omitted for brevity...]
       
      Parameters:
      params - The parameters.
      Returns:
      The JWT bearer grant.
      Throws:
      ParseException - If parsing failed.
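
Because `parse` and the constructors do not validate the JWT claims, the receiving server has to verify the signature and the claims itself before honouring the grant. The following is an added example, not part of the SDK documentation, showing one way to do that for a JWS-signed assertion. The class name, the `validate` and `require` helpers, the issuer and token endpoint URIs, and the throwaway key are assumptions constructed for illustration.

```java
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.*;
import com.nimbusds.jose.jwk.*;
import com.nimbusds.jose.jwk.gen.ECKeyGenerator;
import com.nimbusds.jwt.*;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.oauth2.sdk.JWTBearerGrant;
import java.util.*;

public class JWTBearerGrantCheck {
    // Hypothetical values: this server's token endpoint and the one issuer it trusts
    static final String TOKEN_ENDPOINT = "https://as.example.com/token";
    static final String TRUSTED_ISSUER = "https://idp.example.com";

    static void require(boolean ok, String msg) throws BadJWTException {
        if (!ok) throw new BadJWTException(msg);
    }

    /** Returns the claims only if signature and required claims check out. */
    static JWTClaimsSet validate(Map<String, List<String>> params, ECKey issuerKey) throws Exception {
        JWT jwt = JWTBearerGrant.parse(params).getJWTAssertion(); // syntax only, no claim checks
        // This sketch accepts JWS-signed assertions only; encrypted or nested ones are rejected
        require(jwt instanceof SignedJWT, "signed JWT assertion required");
        SignedJWT signed = (SignedJWT) jwt;
        // Pin the expected algorithm rather than trusting the header, then verify the signature
        require(JWSAlgorithm.ES256.equals(signed.getHeader().getAlgorithm()), "unexpected alg");
        require(signed.verify(new ECDSAVerifier(issuerKey)), "bad signature");
        // RFC 7523 section 3 requires iss, sub, aud and exp
        JWTClaimsSet c = signed.getJWTClaimsSet();
        require(TRUSTED_ISSUER.equals(c.getIssuer()), "untrusted iss");
        require(c.getSubject() != null, "missing sub");
        require(c.getAudience().contains(TOKEN_ENDPOINT), "aud mismatch");
        Date exp = c.getExpirationTime();
        require(exp != null && exp.after(new Date()), "missing or expired exp");
        return c;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: throwaway EC key and a one-minute assertion
        ECKey key = new ECKeyGenerator(Curve.P_256).keyID("demo").generate();
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
            .issuer(TRUSTED_ISSUER).subject("alice").audience(TOKEN_ENDPOINT)
            .expirationTime(new Date(System.currentTimeMillis() + 60_000)).build();
        SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.ES256), claims);
        jwt.sign(new ECDSASigner(key));
        Map<String, List<String>> params = new JWTBearerGrant(jwt).toParameters();
        System.out.println("accepted sub=" + validate(params, key.toPublicJWK()).getSubject());
    }
}
```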