```
public interface ClientCredentialsSelector<T>
```
Selector of client credential candidates for client authentication verification. The select methods should typically return a single candidate, but may also return multiple in case the client rotates its keys.
Implementations must be tread-safe.
Selection of client_secret_basic, client_secret_post and client_secret_jwt secrets is handled by the selectClientSecrets(com.nimbusds.oauth2.sdk.id.ClientID, com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod, com.nimbusds.oauth2.sdk.auth.verifier.Context<T>) method.
Selection of private_key_jwt and pub_key_tls_client_auth keys is handled by the selectPublicKeys(com.nimbusds.oauth2.sdk.id.ClientID, com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod, com.nimbusds.jose.JWSHeader, boolean, com.nimbusds.oauth2.sdk.auth.verifier.Context<T>) method.
The generic context object may be used to return client metadata or other information to the caller.

Method Summary

All Methods Instance Methods Abstract Methods
Modifier and Type	Method	Description
`List<Secret>`	`selectClientSecrets(ClientID claimedClientID, ClientAuthenticationMethod authMethod, Context<T> context)`	Selects one or more client secret candidates for `client_secret_basic`, `client_secret_post` and `client_secret_jwt` authentication.
`List<? extends PublicKey>`	`selectPublicKeys(ClientID claimedClientID, ClientAuthenticationMethod authMethod, com.nimbusds.jose.JWSHeader jwsHeader, boolean forceRefresh, Context<T> context)`	Selects one or more public key candidates (e.g.

- Method Detail
  - selectClientSecrets
```
List<Secret> selectClientSecrets(ClientID claimedClientID,
                                 ClientAuthenticationMethod authMethod,
                                 Context<T> context)
                          throws InvalidClientException
```
    Selects one or more client secret candidates for client_secret_basic, client_secret_post and client_secret_jwt authentication.
    
    Parameters:
    
    claimedClientID - The client identifier (to be verified). Not null.
    
    authMethod - The client authentication method. Not null.
    
    context - Additional context. May be null.
    
    Returns:
    
    The selected client secret candidates, empty list if none.
    
    Throws:
    
    InvalidClientException - If the client is invalid.
  - selectPublicKeys
```
List<? extends PublicKey> selectPublicKeys(ClientID claimedClientID,
                                           ClientAuthenticationMethod authMethod,
                                           com.nimbusds.jose.JWSHeader jwsHeader,
                                           boolean forceRefresh,
                                           Context<T> context)
                                    throws InvalidClientException
```
    Selects one or more public key candidates (e.g. RSA or EC) for private_key_jwt and pub_key_tls_client_auth authentication.
    
    Parameters:
    
    claimedClientID - The client identifier (to be verified). Not null.
    
    authMethod - The client authentication method. Not null.
    
    jwsHeader - The JWS header, which may contain parameters such as key ID to facilitate the key selection. null for TLS client authentication.
    
    forceRefresh - true to force refresh of the JWK set (for a remote JWK set referenced by URL).
    
    context - Additional context. May be null.
    
    Returns:
    
    The selected public key candidates, empty list if none.
    
    Throws:
    
    InvalidClientException - If the client is invalid.

Interface ClientCredentialsSelector<T>

Method Summary

Method Detail

selectClientSecrets

selectPublicKeys