Class ClientAuthenticationVerifier<T>


  • @ThreadSafe
    public class ClientAuthenticationVerifier<T>
    extends Object
    Client authentication verifier.

    Related specifications:

    • OAuth 2.0 (RFC 6749), sections 2.3.1 and 3.2.1.
    • OpenID Connect Core 1.0, section 9.
    • JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7523).
    • OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens (draft-ietf-oauth-mtls-15), section 2.
    • Constructor Detail

      • ClientAuthenticationVerifier

        @Deprecated
        public ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector,
                                            ClientX509CertificateBindingVerifier<T> certBindingVerifier,
                                            Set<Audience> expectedAudience)
        Deprecated.
        Creates a new client authentication verifier.
        Parameters:
        clientCredentialsSelector - The client credentials selector. Must not be null.
        certBindingVerifier - Optional client X.509 certificate binding verifier for tls_client_auth, null if not supported.
        expectedAudience - The permitted audience (aud) claim values in JWT authentication assertions. Must not be empty or null. Should typically contain the token endpoint URI; for an OpenID provider it may also include the issuer URI.
      • ClientAuthenticationVerifier

        public ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector,
                                            Set<Audience> expectedAudience)
        Creates a new client authentication verifier without support for tls_client_auth.
        Parameters:
        clientCredentialsSelector - The client credentials selector. Must not be null.
        expectedAudience - The permitted audience (aud) claim values in JWT authentication assertions. Must not be empty or null. Should typically contain the token endpoint URI; for an OpenID provider it may also include the issuer URI.
      • ClientAuthenticationVerifier

        public ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector,
                                            PKIClientX509CertificateBindingVerifier<T> pkiCertBindingVerifier,
                                            Set<Audience> expectedAudience)
        Creates a new client authentication verifier.
        Parameters:
        clientCredentialsSelector - The client credentials selector. Must not be null.
        pkiCertBindingVerifier - Optional client X.509 certificate binding verifier for tls_client_auth, null if not supported.
        expectedAudience - The permitted audience (aud) claim values in JWT authentication assertions. Must not be empty or null. Should typically contain the token endpoint URI; for an OpenID provider it may also include the issuer URI.
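
Added example (not part of the SDK documentation): building a verifier with the two-argument constructor, a credentials selector and an expected audience set. The `VerifierSetup` and `RegistrySelector` classes, the in-memory maps and the `as.example.com` URIs are assumptions made for illustration.

```java
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.auth.verifier.*;
import com.nimbusds.oauth2.sdk.id.Audience;
import com.nimbusds.oauth2.sdk.id.ClientID;
import java.security.PublicKey;
import java.util.*;

public class VerifierSetup {

    /** Hypothetical in-memory client registry (assumption, not part of the SDK). */
    static class RegistrySelector implements ClientCredentialsSelector<Void> {
        final Map<ClientID, Secret> secrets = new HashMap<>();
        final Map<ClientID, List<PublicKey>> publicKeys = new HashMap<>();

        @Override
        public List<Secret> selectClientSecrets(ClientID claimedClientID,
                ClientAuthenticationMethod authMethod, Context<Void> context)
                throws InvalidClientException {
            Secret secret = secrets.get(claimedClientID);
            // No secret on file for this client ID: reject instead of returning null
            if (secret == null) throw InvalidClientException.NO_REGISTERED_SECRET;
            return Collections.singletonList(secret);
        }

        @Override
        public List<? extends PublicKey> selectPublicKeys(ClientID claimedClientID,
                ClientAuthenticationMethod authMethod, JWSHeader jwsHeader,
                boolean forceRefresh, Context<Void> context)
                throws InvalidClientException {
            List<PublicKey> keys = publicKeys.get(claimedClientID);
            // No keys on file: JWT assertions from this client cannot be verified
            if (keys == null || keys.isEmpty()) throw InvalidClientException.NO_REGISTERED_JWK_SET;
            return keys;
        }
    }

    static ClientAuthenticationVerifier<Void> build(RegistrySelector selector) {
        // Constructed sample URIs: the token endpoint and, for an OpenID provider, the issuer.
        // Keep this set narrow; it is the list of aud values accepted in JWT assertions.
        Set<Audience> expectedAudience = new HashSet<>(Arrays.asList(
                new Audience("https://as.example.com/token"),
                new Audience("https://as.example.com")));
        // Two-argument constructor: no tls_client_auth support.
        return new ClientAuthenticationVerifier<>(selector, expectedAudience);
    }
}
```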