Class ClientAuthenticationVerifier<T>

java.lang.Object
com.nimbusds.oauth2.sdk.auth.verifier.ClientAuthenticationVerifier<T>

@ThreadSafe public class ClientAuthenticationVerifier<T> extends Object
Client authentication verifier.

Related specifications:

  • OAuth 2.0 (RFC 6749)
  • OpenID Connect Core 1.0
  • JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7523)
  • OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens (RFC 8705)
  • Constructor Details

    • ClientAuthenticationVerifier

      Deprecated.
      Creates a new client authentication verifier.
      Parameters:
      clientCredentialsSelector - The client credentials selector. Must not be null.
      certBindingVerifier - Optional client X.509 certificate binding verifier for tls_client_auth, null if not supported.
      aud - The permitted audience (aud) claim. Must not be empty or null. Should be the identity of the recipient, such as the issuer URI for an OpenID provider.
    • ClientAuthenticationVerifier

      Deprecated.
      Creates a new client authentication verifier without support for tls_client_auth. The audience check is legacy.
      Parameters:
      clientCredentialsSelector - The client credentials selector. Must not be null.
      aud - The permitted audience (aud) claim. Must not be empty or null. Should be the identity of the recipient, such as the issuer URI for an OpenID provider.
    • ClientAuthenticationVerifier

      public ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector, Set<Audience> aud, JWTAudienceCheck audCheck)
      Creates a new client authentication verifier without support for tls_client_auth.
      Parameters:
      clientCredentialsSelector - The client credentials selector. Must not be null.
      aud - The permitted audience (aud) claim. Must not be empty or null. Should be the identity of the recipient, such as the issuer URI for an OpenID provider.
      audCheck - The type of audience (aud) check. Must not be null.
    • ClientAuthenticationVerifier

      @Deprecated public ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector, Set<Audience> aud, ExpendedJTIChecker<T> expendedJTIChecker)
      Deprecated.
      Creates a new client authentication verifier without support for tls_client_auth. The audience check is legacy.
      Parameters:
      clientCredentialsSelector - The client credentials selector. Must not be null.
      aud - The permitted audience (aud) claim. Must not be empty or null. Should be the identity of the recipient, such as the issuer URI for an OpenID provider.
      expendedJTIChecker - Optional expended JWT ID (jti) claim checker to prevent JWT replay, null if none.
    • ClientAuthenticationVerifier

      public ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector, Set<Audience> aud, JWTAudienceCheck audCheck, ExpendedJTIChecker<T> expendedJTIChecker)
      Creates a new client authentication verifier without support for tls_client_auth.
      Parameters:
      clientCredentialsSelector - The client credentials selector. Must not be null.
      aud - The permitted audience (aud) claim. Must not be empty or null. Should be the identity of the recipient, such as the issuer URI for an OpenID provider.
      audCheck - The type of audience (aud) check. Must not be null.
      expendedJTIChecker - Optional expended JWT ID (jti) claim checker to prevent JWT replay, null if none.
    • ClientAuthenticationVerifier

      Deprecated.
      Creates a new client authentication verifier. The audience check is legacy.
      Parameters:
      clientCredentialsSelector - The client credentials selector. Must not be null.
      pkiCertBindingVerifier - Optional client X.509 certificate binding verifier for tls_client_auth, null if not supported.
      aud - The permitted audience (aud) claim. Must not be empty or null. Should be the identity of the recipient, such as the issuer URI for an OpenID provider.
    • ClientAuthenticationVerifier

      public ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector, PKIClientX509CertificateBindingVerifier<T> pkiCertBindingVerifier, Set<Audience> aud, JWTAudienceCheck audCheck)
      Creates a new client authentication verifier.
      Parameters:
      clientCredentialsSelector - The client credentials selector. Must not be null.
      pkiCertBindingVerifier - Optional client X.509 certificate binding verifier for tls_client_auth, null if not supported.
      aud - The permitted audience (aud) claim. Must not be empty or null. Should be the identity of the recipient, such as the issuer URI for an OpenID provider.
      audCheck - The type of audience (aud) check. Must not be null.
    • ClientAuthenticationVerifier

      @Deprecated public ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector, PKIClientX509CertificateBindingVerifier<T> pkiCertBindingVerifier, Set<Audience> aud, ExpendedJTIChecker<T> expendedJTIChecker, long expMaxAhead)
      Deprecated.
      Creates a new client authentication verifier. The audience check is legacy.
      Parameters:
      clientCredentialsSelector - The client credentials selector. Must not be null.
      pkiCertBindingVerifier - Optional client X.509 certificate binding verifier for tls_client_auth, null if not supported.
      aud - The permitted audience (aud) claim. Must not be empty or null. Should be the identity of the recipient, such as the issuer URI for an OpenID provider.
      expendedJTIChecker - Optional expended JWT ID (jti) claim checker to prevent JWT replay, null if none.
      expMaxAhead - The maximum number of seconds the expiration time (exp) claim can be ahead of the current time. If zero or negative, this check is disabled.
    • ClientAuthenticationVerifier

      public ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector, PKIClientX509CertificateBindingVerifier<T> pkiCertBindingVerifier, Set<Audience> aud, JWTAudienceCheck audCheck, ExpendedJTIChecker<T> expendedJTIChecker, long expMaxAhead)
      Creates a new client authentication verifier.
      Parameters:
      clientCredentialsSelector - The client credentials selector. Must not be null.
      pkiCertBindingVerifier - Optional client X.509 certificate binding verifier for tls_client_auth, null if not supported.
      aud - The permitted audience (aud) claim. Must not be empty or null. Should be the identity of the recipient, such as the issuer URI for an OpenID provider. When the audience check is strict, the permitted audience must be single-valued.
      audCheck - The type of audience (aud) check. Must not be null.
      expendedJTIChecker - Optional expended JWT ID (jti) claim checker to prevent JWT replay, null if none.
      expMaxAhead - The maximum number of seconds the expiration time (exp) claim can be ahead of the current time. If zero or negative, this check is disabled.
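
An added example (not part of the SDK documentation) of wiring the non-deprecated six-argument constructor with a strict audience check, jti replay protection and a bounded exp. The `JWTAudienceCheck.STRICT` constant name, the enum's package, the `ExpendedJTIChecker` method signatures, the issuer URI and the 60-second limit are assumptions not shown on this page.

```java
import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
import com.nimbusds.oauth2.sdk.auth.verifier.*; // JWTAudienceCheck assumed to be in this package
import com.nimbusds.oauth2.sdk.id.Audience;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.JWTID;
import java.util.Collections;
import java.util.Date;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

public class VerifierSetup {

    /** In-memory jti record for a single node; a cluster needs a shared store. */
    static class InMemoryJTIChecker implements ExpendedJTIChecker<Void> {
        // Key: client ID + jti, value: exp of the JWT that carried it.
        private final Map<String, Date> expended = new ConcurrentHashMap<>();

        @Override // signature assumed, not shown on this page
        public boolean isExpended(JWTID jti, ClientID clientID,
                                  ClientAuthenticationMethod method, Context<Void> ctx) {
            return expended.containsKey(clientID.getValue() + '|' + jti.getValue());
        }

        @Override // signature assumed, not shown on this page
        public void markExpended(JWTID jti, Date exp, ClientID clientID,
                                 ClientAuthenticationMethod method, Context<Void> ctx) {
            Date now = new Date();
            expended.values().removeIf(e -> e.before(now)); // expired JWTs fail on exp anyway
            expended.put(clientID.getValue() + '|' + jti.getValue(), exp);
        }
    }

    /** selector: the deployment's ClientCredentialsSelector, supplied by the caller. */
    static ClientAuthenticationVerifier<Void> build(ClientCredentialsSelector<Void> selector) {
        // Strict audience check: the permitted audience must be single-valued.
        Set<Audience> aud = Collections.singleton(new Audience("https://op.example.com")); // placeholder issuer
        return new ClientAuthenticationVerifier<>(
            selector,
            (PKIClientX509CertificateBindingVerifier<Void>) null, // tls_client_auth not supported
            aud,
            JWTAudienceCheck.STRICT,   // assumed constant name
            new InMemoryJTIChecker(),  // rejects a replayed jti
            60L);                      // exp at most 60 s ahead; zero or negative disables the check
    }
}
```

Keeping `expMaxAhead` small also bounds how long each jti entry has to be retained by the checker.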
  • Method Details