Package com.nimbusds.oauth2.sdk.auth

Class PKITLSClientAuthentication

java.lang.Object

com.nimbusds.oauth2.sdk.auth.ClientAuthentication

com.nimbusds.oauth2.sdk.auth.TLSClientAuthentication

com.nimbusds.oauth2.sdk.auth.PKITLSClientAuthentication

@Immutable
public class PKITLSClientAuthentication
extends TLSClientAuthentication

PKI mutual TLS client authentication at the Token endpoint. The client certificate is PKI bound, as opposed to self_signed_tls_client_auth which relies on a self-signed certificate. Implements ClientAuthenticationMethod.TLS_CLIENT_AUTH.

Related specifications:

• OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens (draft-ietf-oauth-mtls-14), section 2.1.

Constructor Summary

Constructors

Constructor	Description
PKITLSClientAuthentication(ClientID clientID, String certSubjectDN)	Creates a new PKI mutual TLS client authentication.
PKITLSClientAuthentication(ClientID clientID, SSLSocketFactory sslSocketFactory)	Creates a new PKI mutual TLS client authentication.

Method Summary

Modifier and Type	Method	Description
String	getClientX509CertificateSubjectDN()	Gets the subject DN of the received validated client X.509 certificate.
static PKITLSClientAuthentication	parse(HTTPRequest httpRequest)	Parses a PKI mutual TLS client authentication from the specified HTTP request.

Methods inherited from class com.nimbusds.oauth2.sdk.auth.ClientAuthentication

getClientID, getMethod

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from class com.nimbusds.oauth2.sdk.auth.TLSClientAuthentication

applyTo, getSSLSocketFactory

Constructor Detail

PKITLSClientAuthentication

public PKITLSClientAuthentication(ClientID clientID,
                                  SSLSocketFactory sslSocketFactory)

Creates a new PKI mutual TLS client authentication. This constructor is intended for an outgoing token request.

Parameters:

clientID - The client identifier. Must not be null.

sslSocketFactory - The SSL socket factory to use for the outgoing HTTPS request and to present the client certificate(s), null to use the default one.

PKITLSClientAuthentication

public PKITLSClientAuthentication(ClientID clientID,
                                  String certSubjectDN)

Creates a new PKI mutual TLS client authentication. This constructor is intended for a received token request.

Parameters:

clientID - The client identifier. Must not be null.

certSubjectDN - The subject DN of the received validated client X.509 certificate. Must not be null.

Method Detail

getClientX509CertificateSubjectDN

public String getClientX509CertificateSubjectDN()

Gets the subject DN of the received validated client X.509 certificate.

Returns:

The subject DN.

parse

public static PKITLSClientAuthentication parse(HTTPRequest httpRequest)
                                        throws ParseException

Parses a PKI mutual TLS client authentication from the specified HTTP request.

Parameters:

httpRequest - The HTTP request to parse. Must not be null and must include a validated client X.509 certificate.

Returns:

The PKI mutual TLS client authentication.

Throws:

ParseException - If the client_id or client X.509 certificate is missing.