Package com.nimbusds.oauth2.sdk.auth.verifier

Interface ClientCredentialsSelector<T>

public interface ClientCredentialsSelector<T>

Selector of client credential candidates for client authentication verification. The select methods should typically return a single candidate, but may also return multiple in case the client rotates its keys.

Implementations must be tread-safe.

Selection of client_secret_basic, client_secret_post and client_secret_jwt secrets is handled by the selectClientSecrets(com.nimbusds.oauth2.sdk.id.ClientID, com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod, com.nimbusds.oauth2.sdk.auth.verifier.Context<T>) method.

Selection of private_key_jwt and pub_key_tls_client_auth keys is handled by the selectPublicKeys(com.nimbusds.oauth2.sdk.id.ClientID, com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod, com.nimbusds.jose.JWSHeader, boolean, com.nimbusds.oauth2.sdk.auth.verifier.Context<T>) method.

The generic context object may be used to return client metadata or other information to the caller.

Method Summary

Modifier and Type	Method	Description
List<Secret>	selectClientSecrets(ClientID claimedClientID, ClientAuthenticationMethod authMethod, Context<T> context)	Selects one or more client secret candidates for client_secret_basic, client_secret_post and client_secret_jwt authentication.
List<? extends PublicKey>	selectPublicKeys(ClientID claimedClientID, ClientAuthenticationMethod authMethod, com.nimbusds.jose.JWSHeader jwsHeader, boolean forceRefresh, Context<T> context)	Selects one or more public key candidates (e.g.

Method Details

selectClientSecrets

List<Secret> selectClientSecrets(ClientID claimedClientID,
 ClientAuthenticationMethod authMethod,
 Context<T> context)
                          throws InvalidClientException

Selects one or more client secret candidates for client_secret_basic, client_secret_post and client_secret_jwt authentication.

Parameters:

claimedClientID - The client identifier (to be verified). Not null.

authMethod - The client authentication method. Not null.

context - Additional context. May be null.

Returns:

The selected client secret candidates, empty list if none.

Throws:

InvalidClientException - If the client is invalid.

selectPublicKeys

List<? extends PublicKey> selectPublicKeys(ClientID claimedClientID,
 ClientAuthenticationMethod authMethod,
 com.nimbusds.jose.JWSHeader jwsHeader,
 boolean forceRefresh,
 Context<T> context)
                                    throws InvalidClientException

Selects one or more public key candidates (e.g. RSA or EC) for private_key_jwt and pub_key_tls_client_auth authentication.

Parameters:

claimedClientID - The client identifier (to be verified). Not null.

authMethod - The client authentication method. Not null.

jwsHeader - The JWS header, which may contain parameters such as key ID to facilitate the key selection. null for TLS client authentication.

forceRefresh - true to force refresh of the JWK set (for a remote JWK set referenced by URL).

context - Additional context. May be null.

Returns:

The selected public key candidates, empty list if none.

Throws:

InvalidClientException - If the client is invalid.