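/*
 * oauth2-oidc-sdk
 *
 * Copyright 2012-2016, Connect2id Ltd and contributors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
 * this file except in compliance with the License. You may obtain a copy of the
 * License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software distributed
 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 * CONDITIONS OF ANY KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations under the License.
 */

package com.nimbusds.oauth2.sdk.auth;


import com.nimbusds.oauth2.sdk.id.Identifier;
import net.jcip.annotations.Immutable;


/**
 * Client authentication method at the Token endpoint.
 *
 * <p>Constants are provided for six client authentication methods:
 *
 * <ul>
 *     <li>{@link #CLIENT_SECRET_BASIC client_secret_basic} (default)
 *     <li>{@link #CLIENT_SECRET_POST client_secret_post}
 *     <li>{@link #CLIENT_SECRET_JWT client_secret_jwt}
 *     <li>{@link #PRIVATE_KEY_JWT private_key_jwt}
 *     <li>{@link #TLS_CLIENT_AUTH tls_client_auth}
 *     <li>{@link #NONE none}
 * </ul>
 *
 * <p>Use the constructor to define a custom client authentication method.
 *
 * <p>Security note: {@link #parse} never rejects a value. Any non-empty
 * string that is not one of the constants above becomes a custom method, so
 * code that enforces client authentication policy (client registration,
 * Token endpoint handling) must compare the parsed method against the set
 * of methods it actually supports, and must not treat an unrecognised
 * method as if it were {@link #NONE} or the default.
 *
 * <p>Related specifications:
 *
 * <ul>
 *     <li>OAuth 2.0 (RFC 6749), section 2.3.
 *     <li>OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591), section
 *         2.
 *     <li>Mutual TLS Profile for OAuth 2.0 (draft-ietf-oauth-mtls-02), section
 *         2.
 * </ul>
 */
@Immutable
public final class ClientAuthenticationMethod extends Identifier {


	/**
	 * Clients that have received a client secret from the authorisation
	 * server authenticate with the authorisation server in accordance with
	 * section 3.2.1 of OAuth 2.0 using HTTP Basic authentication. This is
	 * the default if no method has been registered for the client.
	 */
	public static final ClientAuthenticationMethod CLIENT_SECRET_BASIC =
		new ClientAuthenticationMethod("client_secret_basic");


	/**
	 * Clients that have received a client secret from the authorisation
	 * server authenticate with the authorisation server in accordance with
	 * section 3.2.1 of OAuth 2.0 by including the client credentials in
	 * the request body.
	 */
	public static final ClientAuthenticationMethod CLIENT_SECRET_POST =
		new ClientAuthenticationMethod("client_secret_post");


	/**
	 * Clients that have received a client secret from the authorisation
	 * server, create a JWT using an HMAC SHA algorithm, such as HMAC
	 * SHA-256. The HMAC (Hash-based Message Authentication Code) is
	 * calculated using the value of client secret as the shared key. The
	 * client authenticates in accordance with section 2.2 of (JWT) Bearer
	 * Token Profiles and OAuth 2.0 Assertion Profile.
	 */
	public static final ClientAuthenticationMethod CLIENT_SECRET_JWT =
		new ClientAuthenticationMethod("client_secret_jwt");


	/**
	 * Clients that have registered a public key sign a JWT using the RSA
	 * algorithm if a RSA key was registered or the ECDSA algorithm if an
	 * Elliptic Curve key was registered (see JWA for the algorithm
	 * identifiers). The client authenticates in accordance with section
	 * 2.2 of (JWT) Bearer Token Profiles and OAuth 2.0 Assertion Profile.
	 */
	public static final ClientAuthenticationMethod PRIVATE_KEY_JWT =
		new ClientAuthenticationMethod("private_key_jwt");


	/**
	 * Client TLS / X.509 certificate authentication. See Mutual TLS
	 * Profile for OAuth 2.0, section 2.
	 */
	public static final ClientAuthenticationMethod TLS_CLIENT_AUTH =
		new ClientAuthenticationMethod("tls_client_auth");


	/**
	 * The client is a public client as defined in OAuth 2.0 and does not
	 * have a client secret. An authorisation server must only accept this
	 * method for clients actually registered as public; a confidential
	 * client presenting no credentials must not be authenticated.
	 */
	public static final ClientAuthenticationMethod NONE =
		new ClientAuthenticationMethod("none");


	/**
	 * The well-known methods, in the order {@link #parse} tries them.
	 * Declared after the constants so their static initialisation has
	 * completed; private and never exposed, so the array cannot be
	 * modified from outside.
	 */
	private static final ClientAuthenticationMethod[] STANDARD_METHODS = {
		CLIENT_SECRET_BASIC,
		CLIENT_SECRET_POST,
		CLIENT_SECRET_JWT,
		PRIVATE_KEY_JWT,
		TLS_CLIENT_AUTH,
		NONE
	};


	/**
	 * Gets the default client authentication method, used when no method
	 * has been registered for a client.
	 *
	 * @return {@link #CLIENT_SECRET_BASIC}
	 */
	public static ClientAuthenticationMethod getDefault() {

		return CLIENT_SECRET_BASIC;
	}


	/**
	 * Creates a new client authentication method with the specified value.
	 *
	 * @param value The authentication method value. Must not be
	 *              {@code null} or empty string.
	 */
	public ClientAuthenticationMethod(final String value) {

		super(value);
	}


	/**
	 * Parses a client authentication method from the specified value.
	 *
	 * <p>The comparison is exact and case-sensitive for every well-known
	 * method: the registered names are lower-case tokens (RFC 7591,
	 * section 2; mTLS draft, section 2). Previously only
	 * {@code tls_client_auth} was matched case-insensitively, so
	 * {@code "TLS_CLIENT_AUTH"} parsed to the constant while
	 * {@code "CLIENT_SECRET_BASIC"} became a custom method; parsing is now
	 * uniform.
	 *
	 * <p>Unrecognised values are not rejected; they are returned as custom
	 * methods. Callers enforcing policy must check the result against the
	 * methods they support.
	 *
	 * @param value The authentication method value. Must not be
	 *              {@code null} or empty string.
	 *
	 * @return The matching constant, else a new custom client
	 *         authentication method with the given value.
	 */
	public static ClientAuthenticationMethod parse(final String value) {

		// value.equals(...) keeps the NullPointerException the previous
		// implementation raised for a null argument.
		for (ClientAuthenticationMethod known : STANDARD_METHODS) {
			if (value.equals(known.getValue())) {
				return known;
			}
		}

		return new ClientAuthenticationMethod(value);
	}


	/**
	 * Equality is restricted to other client authentication methods with
	 * the same value; a plain {@link Identifier} carrying the same string
	 * is not equal to this object.
	 *
	 * <p>NOTE(review): {@code hashCode} is inherited from
	 * {@link Identifier}; this relies on it being derived from the value
	 * alone so that equal methods hash equally — confirm against
	 * {@code Identifier}.
	 *
	 * @param object The object to compare with.
	 *
	 * @return {@code true} if the object is a client authentication method
	 *         with the same value, else {@code false}.
	 */
	@Override
	public boolean equals(final Object object) {

		return object instanceof ClientAuthenticationMethod &&
			this.toString().equals(object.toString());
	}
}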