Package com.nimbusds.oauth2.sdk.auth
Class PrivateKeyJWT

- java.lang.Object
  - com.nimbusds.oauth2.sdk.auth.ClientAuthentication
    - com.nimbusds.oauth2.sdk.auth.JWTAuthentication
      - com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT
@Immutable public final class PrivateKeyJWT extends JWTAuthentication

Private key JWT authentication at the Token endpoint. Implements ClientAuthenticationMethod.PRIVATE_KEY_JWT.

Supported signature JSON Web Algorithms (JWAs) by this implementation:
- RS256
- RS384
- RS512
- PS256
- PS384
- PS512
- ES256
- ES384
- ES512
Example TokenRequest with private key JWT authentication:

    POST /token HTTP/1.1
    Host: server.example.com
    Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code&
    code=i1WsRn1uB1&
    client_id=s6BhdRkqt3&
    client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&
    client_assertion=PHNhbWxwOl...[omitted for brevity]...ZT
Related specifications:
- Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7521).
- JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7523)
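The request above, carried end to end with this class, as an added example that is not part of the SDK's own documentation: the client builds the assertion with the RSA constructor (exp = now + 5 minutes, random jti) and emits the two client_assertion parameters; the server parses them back with parse(Map) and then does the checks the parser itself does not do (allowed algorithm, signature against the client's registered public key, iss/sub, aud, exp). The RSA key pair, key ID "client-key-1" and token endpoint are constructed for illustration.

```java
import java.net.URI;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;
import java.util.List;
import java.util.Map;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT;
import com.nimbusds.oauth2.sdk.id.ClientID;
public class PrivateKeyJWTRoundTrip {
    public static void main(String[] args) throws Exception {
        // Constructed for illustration: throwaway RSA key pair, client ID, key ID and token endpoint.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        RSAPrivateKey privateKey = (RSAPrivateKey) kp.getPrivate();
        RSAPublicKey publicKey = (RSAPublicKey) kp.getPublic();   // what the server has registered
        ClientID clientID = new ClientID("s6BhdRkqt3");
        URI tokenEndpoint = URI.create("https://server.example.com/token");
        // Client side: the constructor sets iss/sub = clientID, aud = tokenEndpoint,
        // exp = now + 5 minutes and a random jti, then signs the assertion with RS256.
        PrivateKeyJWT clientAuth = new PrivateKeyJWT(
                clientID, tokenEndpoint, JWSAlgorithm.RS256, privateKey, "client-key-1", null);
        Map<String, List<String>> params = clientAuth.toParameters();  // client_assertion(_type)
        // Server side: parse the form parameters back. This only checks the assertion type
        // and the JWT syntax; it does not verify the signature or the claims ...
        PrivateKeyJWT received = PrivateKeyJWT.parse(params);
        SignedJWT assertion = received.getClientAssertion();
        JWTClaimsSet claims = assertion.getJWTClaimsSet();
        // ... so do that explicitly before trusting the client identity it asserts.
        if (!PrivateKeyJWT.supportedJWAs().contains(assertion.getHeader().getAlgorithm()))
            throw new SecurityException("unsupported JWS algorithm");
        if (!assertion.verify(new RSASSAVerifier(publicKey)))
            throw new SecurityException("invalid signature");
        if (!clientID.equals(received.getClientID()))
            throw new SecurityException("iss/sub does not match the registered client");
        if (!claims.getAudience().contains(tokenEndpoint.toString()))
            throw new SecurityException("aud is not this token endpoint");
        if (claims.getExpirationTime() == null || claims.getExpirationTime().before(new Date()))
            throw new SecurityException("assertion expired or has no exp");
        System.out.println("accepted client_assertion with jti " + claims.getJWTID());
    }
}
```

A real server would also record the jti for the lifetime of the assertion so a captured client_assertion cannot be replayed within its five-minute window.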
Field Summary

Fields inherited from class com.nimbusds.oauth2.sdk.auth.JWTAuthentication
- CLIENT_ASSERTION_TYPE
Constructor Summary

- PrivateKeyJWT(com.nimbusds.jwt.SignedJWT clientAssertion)
  Creates a new private key JWT authentication.
- PrivateKeyJWT(JWTAuthenticationClaimsSet jwtAuthClaimsSet, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, ECPrivateKey ecPrivateKey, String keyID, Provider jcaProvider)
  Creates a new EC private key JWT authentication.
- PrivateKeyJWT(JWTAuthenticationClaimsSet jwtAuthClaimsSet, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, RSAPrivateKey rsaPrivateKey, String keyID, Provider jcaProvider)
  Creates a new RSA private key JWT authentication.
- PrivateKeyJWT(ClientID clientID, URI tokenEndpoint, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, ECPrivateKey ecPrivateKey, String keyID, Provider jcaProvider)
  Creates a new EC private key JWT authentication.
- PrivateKeyJWT(ClientID clientID, URI tokenEndpoint, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, RSAPrivateKey rsaPrivateKey, String keyID, Provider jcaProvider)
  Creates a new RSA private key JWT authentication.
Method Summary

Static methods:
- static PrivateKeyJWT parse(HTTPRequest httpRequest)
  Parses the specified HTTP POST request for a private key JSON Web Token (JWT) authentication.
- static PrivateKeyJWT parse(String paramsString)
  Parses a private key JSON Web Token (JWT) authentication from the specified application/x-www-form-urlencoded encoded parameters string.
- static PrivateKeyJWT parse(Map<String,List<String>> params)
  Parses the specified parameters map for a private key JSON Web Token (JWT) authentication.
- static Set<com.nimbusds.jose.JWSAlgorithm> supportedJWAs()
  Returns the supported signature JSON Web Algorithms (JWAs).

Methods inherited from class com.nimbusds.oauth2.sdk.auth.JWTAuthentication
- applyTo, ensureClientAssertionType, getClientAssertion, getJWTAuthenticationClaimsSet, parseClientAssertion, parseClientID, toParameters

Methods inherited from class com.nimbusds.oauth2.sdk.auth.ClientAuthentication
- getClientID, getMethod
Constructor Detail

PrivateKeyJWT

public PrivateKeyJWT(ClientID clientID, URI tokenEndpoint, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, RSAPrivateKey rsaPrivateKey, String keyID, Provider jcaProvider) throws com.nimbusds.jose.JOSEException

Creates a new RSA private key JWT authentication. The expiration time (exp) is set to five minutes from the current system time. Generates a default identifier (jti) for the JWT. The issued-at (iat) and not-before (nbf) claims are not set.

Parameters:
- clientID - The client identifier. Must not be null.
- tokenEndpoint - The token endpoint URI of the authorisation server. Must not be null.
- jwsAlgorithm - The expected RSA signature algorithm (RS256, RS384 or RS512) for the private key JWT assertion. Must be supported and not null.
- rsaPrivateKey - The RSA private key. Must not be null.
- keyID - Optional identifier for the RSA key, to aid key selection at the authorisation server. Recommended. null if not specified.
- jcaProvider - Optional specific JCA provider, null to use the default one.

Throws:
- com.nimbusds.jose.JOSEException - If RSA signing failed.
PrivateKeyJWT

public PrivateKeyJWT(JWTAuthenticationClaimsSet jwtAuthClaimsSet, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, RSAPrivateKey rsaPrivateKey, String keyID, Provider jcaProvider) throws com.nimbusds.jose.JOSEException

Creates a new RSA private key JWT authentication.

Parameters:
- jwtAuthClaimsSet - The JWT authentication claims set. Must not be null.
- jwsAlgorithm - The expected RSA signature algorithm (RS256, RS384 or RS512) for the private key JWT assertion. Must be supported and not null.
- rsaPrivateKey - The RSA private key. Must not be null.
- keyID - Optional identifier for the RSA key, to aid key selection at the authorisation server. Recommended. null if not specified.
- jcaProvider - Optional specific JCA provider, null to use the default one.

Throws:
- com.nimbusds.jose.JOSEException - If RSA signing failed.
PrivateKeyJWT

public PrivateKeyJWT(ClientID clientID, URI tokenEndpoint, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, ECPrivateKey ecPrivateKey, String keyID, Provider jcaProvider) throws com.nimbusds.jose.JOSEException

Creates a new EC private key JWT authentication. The expiration time (exp) is set to five minutes from the current system time. Generates a default identifier (jti) for the JWT. The issued-at (iat) and not-before (nbf) claims are not set.

Parameters:
- clientID - The client identifier. Must not be null.
- tokenEndpoint - The token endpoint URI of the authorisation server. Must not be null.
- jwsAlgorithm - The expected EC signature algorithm (ES256, ES384 or ES512) for the private key JWT assertion. Must be supported and not null.
- ecPrivateKey - The EC private key. Must not be null.
- keyID - Optional identifier for the EC key, to aid key selection at the authorisation server. Recommended. null if not specified.
- jcaProvider - Optional specific JCA provider, null to use the default one.

Throws:
- com.nimbusds.jose.JOSEException - If EC signing failed.
PrivateKeyJWT

public PrivateKeyJWT(JWTAuthenticationClaimsSet jwtAuthClaimsSet, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, ECPrivateKey ecPrivateKey, String keyID, Provider jcaProvider) throws com.nimbusds.jose.JOSEException

Creates a new EC private key JWT authentication.

Parameters:
- jwtAuthClaimsSet - The JWT authentication claims set. Must not be null.
- jwsAlgorithm - The expected EC signature algorithm (ES256, ES384 or ES512) for the private key JWT assertion. Must be supported and not null.
- ecPrivateKey - The EC private key. Must not be null.
- keyID - Optional identifier for the EC key, to aid key selection at the authorisation server. Recommended. null if not specified.
- jcaProvider - Optional specific JCA provider, null to use the default one.

Throws:
- com.nimbusds.jose.JOSEException - If EC signing failed.
PrivateKeyJWT

public PrivateKeyJWT(com.nimbusds.jwt.SignedJWT clientAssertion)

Creates a new private key JWT authentication.

Parameters:
- clientAssertion - The client assertion, corresponding to the client_assertion parameter, as a supported RSA or ECDSA-signed JWT. Must be signed and not null.
Method Detail

supportedJWAs

public static Set<com.nimbusds.jose.JWSAlgorithm> supportedJWAs()

Returns the supported signature JSON Web Algorithms (JWAs).

Returns:
- The supported JSON Web Algorithms (JWAs).
parse

public static PrivateKeyJWT parse(Map<String,List<String>> params) throws ParseException

Parses the specified parameters map for a private key JSON Web Token (JWT) authentication. Note that the parameters must not be application/x-www-form-urlencoded encoded.

Parameters:
- params - The parameters map to parse. The private key JSON Web Token (JWT) parameters must be keyed under "client_assertion" and "client_assertion_type". The map must not be null.

Returns:
- The private key JSON Web Token (JWT) authentication.

Throws:
- ParseException - If the parameters map couldn't be parsed to a private key JSON Web Token (JWT) authentication.
parse

public static PrivateKeyJWT parse(String paramsString) throws ParseException

Parses a private key JSON Web Token (JWT) authentication from the specified application/x-www-form-urlencoded encoded parameters string.

Parameters:
- paramsString - The parameters string to parse. The private key JSON Web Token (JWT) parameters must be keyed under "client_assertion" and "client_assertion_type". The string must not be null.

Returns:
- The private key JSON Web Token (JWT) authentication.

Throws:
- ParseException - If the parameters string couldn't be parsed to a private key JSON Web Token (JWT) authentication.
parse

public static PrivateKeyJWT parse(HTTPRequest httpRequest) throws ParseException

Parses the specified HTTP POST request for a private key JSON Web Token (JWT) authentication.

Parameters:
- httpRequest - The HTTP POST request to parse. Must not be null and must contain a valid application/x-www-form-urlencoded encoded parameters string in the entity body. The private key JSON Web Token (JWT) parameters must be keyed under "client_assertion" and "client_assertion_type".

Returns:
- The private key JSON Web Token (JWT) authentication.

Throws:
- ParseException - If the HTTP request header couldn't be parsed to a private key JSON Web Token (JWT) authentication.