Class ClientAuthenticationVerifier<T>

java.lang.Object
com.nimbusds.oauth2.sdk.auth.verifier.ClientAuthenticationVerifier<T>

@ThreadSafe public class ClientAuthenticationVerifier<T> extends Object
Client authentication verifier.

Related specifications:

  • OAuth 2.0 (RFC 6749)
  • OpenID Connect Core 1.0
  • JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7523)
  • OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens (RFC 8705)

  • Constructor Details

    • ClientAuthenticationVerifier

      Deprecated.
      Creates a new client authentication verifier.
      Parameters:
      clientCredentialsSelector - The client credentials selector. Must not be null.
      certBindingVerifier - Optional client X.509 certificate binding verifier for tls_client_auth, null if not supported.
      aud - The permitted audience (aud) claim. Must not be empty or null. Should be the identity of the recipient, such as the issuer URI for an OpenID provider.
    • ClientAuthenticationVerifier

      Deprecated.
      Creates a new client authentication verifier without support for tls_client_auth. The audience check is legacy.
      Parameters:
      clientCredentialsSelector - The client credentials selector. Must not be null.
      aud - The permitted audience (aud) claim. Must not be empty or null. Should be the identity of the recipient, such as the issuer URI for an OpenID provider.
    • ClientAuthenticationVerifier

      public ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector, Set<Audience> aud, JWTAudienceCheck audCheck)
      Creates a new client authentication verifier without support for tls_client_auth.
      Parameters:
      clientCredentialsSelector - The client credentials selector. Must not be null.
      aud - The permitted audience (aud) claim. Must not be empty or null. Should be the identity of the recipient, such as the issuer URI for an OpenID provider.
      audCheck - The type of audience (aud) check. Must not be null.
    • ClientAuthenticationVerifier

      @Deprecated public ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector, Set<Audience> aud, ExpendedJTIChecker<T> expendedJTIChecker)
      Deprecated.
      Creates a new client authentication verifier without support for tls_client_auth. The audience check is legacy.
      Parameters:
      clientCredentialsSelector - The client credentials selector. Must not be null.
      aud - The permitted audience (aud) claim. Must not be empty or null. Should be the identity of the recipient, such as the issuer URI for an OpenID provider.
      expendedJTIChecker - Optional expended JWT ID (jti) claim checker to prevent JWT replay, null if none.
    • ClientAuthenticationVerifier

      public ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector, Set<Audience> aud, JWTAudienceCheck audCheck, ExpendedJTIChecker<T> expendedJTIChecker)
      Creates a new client authentication verifier without support for tls_client_auth.
      Parameters:
      clientCredentialsSelector - The client credentials selector. Must not be null.
      aud - The permitted audience (aud) claim. Must not be empty or null. Should be the identity of the recipient, such as the issuer URI for an OpenID provider.
      audCheck - The type of audience (aud) check. Must not be null.
      expendedJTIChecker - Optional expended JWT ID (jti) claim checker to prevent JWT replay, null if none.
    • ClientAuthenticationVerifier

      Deprecated.
      Creates a new client authentication verifier. The audience check is legacy.
      Parameters:
      clientCredentialsSelector - The client credentials selector. Must not be null.
      pkiCertBindingVerifier - Optional client X.509 certificate binding verifier for tls_client_auth, null if not supported.
      aud - The permitted audience (aud) claim. Must not be empty or null. Should be the identity of the recipient, such as the issuer URI for an OpenID provider.
    • ClientAuthenticationVerifier

      public ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector, PKIClientX509CertificateBindingVerifier<T> pkiCertBindingVerifier, Set<Audience> aud, JWTAudienceCheck audCheck)
      Creates a new client authentication verifier.
      Parameters:
      clientCredentialsSelector - The client credentials selector. Must not be null.
      pkiCertBindingVerifier - Optional client X.509 certificate binding verifier for tls_client_auth, null if not supported.
      aud - The permitted audience (aud) claim. Must not be empty or null. Should be the identity of the recipient, such as the issuer URI for an OpenID provider.
      audCheck - The type of audience (aud) check. Must not be null.
    • ClientAuthenticationVerifier

      @Deprecated public ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector, PKIClientX509CertificateBindingVerifier<T> pkiCertBindingVerifier, Set<Audience> aud, ExpendedJTIChecker<T> expendedJTIChecker, long expMaxAhead)
      Deprecated.
      Creates a new client authentication verifier. The audience check is legacy.
      Parameters:
      clientCredentialsSelector - The client credentials selector. Must not be null.
      pkiCertBindingVerifier - Optional client X.509 certificate binding verifier for tls_client_auth, null if not supported.
      aud - The permitted audience (aud) claim. Must not be empty or null. Should be the identity of the recipient, such as the issuer URI for an OpenID provider.
      expendedJTIChecker - Optional expended JWT ID (jti) claim checker to prevent JWT replay, null if none.
      expMaxAhead - The maximum number of seconds the expiration time (exp) claim can be ahead of the current time; if zero or negative, this check is disabled.
    • ClientAuthenticationVerifier

      public ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector, PKIClientX509CertificateBindingVerifier<T> pkiCertBindingVerifier, Set<Audience> aud, JWTAudienceCheck audCheck, ExpendedJTIChecker<T> expendedJTIChecker, long expMaxAhead)
      Creates a new client authentication verifier.
      Parameters:
      clientCredentialsSelector - The client credentials selector. Must not be null.
      pkiCertBindingVerifier - Optional client X.509 certificate binding verifier for tls_client_auth, null if not supported.
      aud - The permitted audience (aud) claim. Must not be empty or null. Should be the identity of the recipient, such as the issuer URI for an OpenID provider.
      audCheck - The type of audience (aud) check. Must not be null.
      expendedJTIChecker - Optional expended JWT ID (jti) claim checker to prevent JWT replay, null if none.
      expMaxAhead - The maximum number of seconds the expiration time (exp) claim can be ahead of the current time; if zero or negative, this check is disabled.
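
The aud, expendedJTIChecker and expMaxAhead parameters above describe three checks on a JWT client assertion. The following added example is not Nimbus SDK code and uses no SDK classes; it shows those checks in plain Java, and the class name, the any-match audience rule and the sample values are assumptions.

```java
import java.time.Instant;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/** Added illustration (hypothetical class, not part of the SDK). */
public class AssertionChecksDemo {

    // (client_id, jti) -> exp; an entry has to be kept until the assertion expires
    private final Map<List<String>, Instant> expendedJti = new ConcurrentHashMap<>();
    private final Set<String> permittedAud;
    private final long expMaxAhead; // seconds; zero or negative disables the check

    public AssertionChecksDemo(Set<String> permittedAud, long expMaxAhead) {
        if (permittedAud == null || permittedAud.isEmpty())
            throw new IllegalArgumentException("aud must not be empty or null");
        this.permittedAud = permittedAud;
        this.expMaxAhead = expMaxAhead;
    }

    /** Returns null when the claims pass, otherwise the reason for rejection. */
    public String check(String clientId, Set<String> aud, Instant exp, String jti, Instant now) {
        // Assumed rule: any overlap with the permitted audience set passes
        if (aud.stream().noneMatch(permittedAud::contains))
            return "aud does not include a permitted audience";
        if (!exp.isAfter(now))
            return "expired";
        if (expMaxAhead > 0 && exp.isAfter(now.plusSeconds(expMaxAhead)))
            return "exp too far ahead";
        // Drop entries whose assertion has expired; they can no longer be replayed
        expendedJti.entrySet().removeIf(e -> !e.getValue().isAfter(now));
        // Atomic check-and-mark: only the first presentation of a jti succeeds
        if (expendedJti.putIfAbsent(List.of(clientId, jti), exp) != null)
            return "jti replayed";
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample values
        AssertionChecksDemo v = new AssertionChecksDemo(Set.of("https://op.example.com"), 300);
        Instant now = Instant.parse("2024-01-01T00:00:00Z");
        Set<String> aud = Set.of("https://op.example.com");
        System.out.println(v.check("client-1", aud, now.plusSeconds(60), "jti-a", now));
        System.out.println(v.check("client-1", aud, now.plusSeconds(60), "jti-a", now));
        System.out.println(v.check("client-1", aud, now.plusSeconds(3600), "jti-b", now));
        System.out.println(v.check("client-1", Set.of("https://other.example"), now.plusSeconds(60), "jti-c", now));
    }
}
```

Because a jti entry must be retained until its exp, bounding how far ahead exp may be also bounds how long each entry stays in the replay cache.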
  • Method Details