Class ClientAuthenticationVerifier<T>
- java.lang.Object
-
- com.nimbusds.oauth2.sdk.auth.verifier.ClientAuthenticationVerifier<T>
-
@ThreadSafe public class ClientAuthenticationVerifier<T> extends Object
Client authentication verifier.Related specifications:
- OAuth 2.0 (RFC 6749), sections 2.3.1 and 3.2.1.
- OpenID Connect Core 1.0, section 9.
- JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7523).
- OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens (draft-ietf-oauth-mtls-15), section 2.
-
-
Constructor Summary
Constructors Constructor Description ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector, ClientX509CertificateBindingVerifier<T> certBindingVerifier, Set<Audience> expectedAudience)
Deprecated.Use the constructor withPKIClientX509CertificateBindingVerifier
ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector, PKIClientX509CertificateBindingVerifier<T> pkiCertBindingVerifier, Set<Audience> expectedAudience)
Creates a new client authentication verifier.ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector, Set<Audience> expectedAudience)
Creates a new client authentication verifier without support fortls_client_auth
.
-
Method Summary
All Methods Instance Methods Concrete Methods Deprecated Methods Modifier and Type Method Description ClientCredentialsSelector<T>
getClientCredentialsSelector()
Returns the client credentials selector.ClientX509CertificateBindingVerifier<T>
getClientX509CertificateBindingVerifier()
Deprecated.Set<Audience>
getExpectedAudience()
Returns the permitted audience values in JWT authentication assertions.PKIClientX509CertificateBindingVerifier<T>
getPKIClientX509CertificateBindingVerifier()
Returns the client X.509 certificate binding verifier for use intls_client_auth
.void
verify(ClientAuthentication clientAuth, Set<Hint> hints, Context<T> context)
Verifies a client authentication request.
-
-
-
Constructor Detail
-
ClientAuthenticationVerifier
@Deprecated public ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector, ClientX509CertificateBindingVerifier<T> certBindingVerifier, Set<Audience> expectedAudience)
Deprecated.Use the constructor withPKIClientX509CertificateBindingVerifier
Creates a new client authentication verifier.- Parameters:
clientCredentialsSelector
- The client credentials selector. Must not benull
.certBindingVerifier
- Optional client X.509 certificate binding verifier fortls_client_auth
,null
if not supported.expectedAudience
- The permitted audience (aud) claim values in JWT authentication assertions. Must not be empty ornull
. Should typically contain the token endpoint URI and for OpenID provider it may also include the issuer URI.
-
ClientAuthenticationVerifier
public ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector, Set<Audience> expectedAudience)
Creates a new client authentication verifier without support fortls_client_auth
.- Parameters:
clientCredentialsSelector
- The client credentials selector. Must not benull
.expectedAudience
- The permitted audience (aud) claim values in JWT authentication assertions. Must not be empty ornull
. Should typically contain the token endpoint URI and for OpenID provider it may also include the issuer URI.
-
ClientAuthenticationVerifier
public ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector, PKIClientX509CertificateBindingVerifier<T> pkiCertBindingVerifier, Set<Audience> expectedAudience)
Creates a new client authentication verifier.- Parameters:
clientCredentialsSelector
- The client credentials selector. Must not benull
.pkiCertBindingVerifier
- Optional client X.509 certificate binding verifier fortls_client_auth
,null
if not supported.expectedAudience
- The permitted audience (aud) claim values in JWT authentication assertions. Must not be empty ornull
. Should typically contain the token endpoint URI and for OpenID provider it may also include the issuer URI.
-
-
Method Detail
-
getClientCredentialsSelector
public ClientCredentialsSelector<T> getClientCredentialsSelector()
Returns the client credentials selector.- Returns:
- The client credentials selector.
-
getClientX509CertificateBindingVerifier
@Deprecated public ClientX509CertificateBindingVerifier<T> getClientX509CertificateBindingVerifier()
Deprecated.Returns the client X.509 certificate binding verifier for use intls_client_auth
.- Returns:
- The client X.509 certificate binding verifier,
null
if not specified.
-
getPKIClientX509CertificateBindingVerifier
public PKIClientX509CertificateBindingVerifier<T> getPKIClientX509CertificateBindingVerifier()
Returns the client X.509 certificate binding verifier for use intls_client_auth
.- Returns:
- The client X.509 certificate binding verifier,
null
if not specified.
-
getExpectedAudience
public Set<Audience> getExpectedAudience()
Returns the permitted audience values in JWT authentication assertions.- Returns:
- The permitted audience (aud) claim values.
-
verify
public void verify(ClientAuthentication clientAuth, Set<Hint> hints, Context<T> context) throws InvalidClientException, com.nimbusds.jose.JOSEException
Verifies a client authentication request.- Parameters:
clientAuth
- The client authentication. Must not benull
.hints
- Optional hints to the verifier, empty set ofnull
if none.context
- Additional context to be passed to the client credentials selector. May benull
.- Throws:
InvalidClientException
- If the client authentication is invalid, typically due to bad credentials.com.nimbusds.jose.JOSEException
- If authentication failed due to an internal JOSE / JWT processing exception.
-
-