Class JWTBearerGrant


  • @Immutable
    public class JWTBearerGrant
    extends AssertionGrant
    JWT bearer grant. Used in access token requests with a JSON Web Token (JWT), such as an OpenID Connect ID token.

    The JWT assertion can be:

    • Signed or MAC protected with JWS
    • Encrypted with JWE
    • Nested - signed / MAC protected with JWS and then encrypted with JWE

    Related specifications:

    • Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7521), section 4.1.
    • JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7523), section 2.1.
    • Constructor Detail

      • JWTBearerGrant

        public JWTBearerGrant(com.nimbusds.jwt.SignedJWT assertion)
        Creates a new signed JSON Web Token (JWT) bearer assertion grant.
        Parameters:
        assertion - The signed JSON Web Token (JWT) assertion. Must not be in an unsigned state or null. The JWT claims are not validated for compliance with the standard.
      • JWTBearerGrant

        public JWTBearerGrant(com.nimbusds.jose.JWEObject assertion)
        Creates a new nested signed and encrypted JSON Web Token (JWT) bearer assertion grant.
        Parameters:
        assertion - The nested signed and encrypted JSON Web Token (JWT) assertion. Must not be in an unencrypted state or null. The JWT claims are not validated for compliance with the standard.
      • JWTBearerGrant

        public JWTBearerGrant(com.nimbusds.jwt.EncryptedJWT assertion)
        Creates a new signed and encrypted JSON Web Token (JWT) bearer assertion grant.
        Parameters:
        assertion - The signed and encrypted JSON Web Token (JWT) assertion. Must not be in an unencrypted state or null. The JWT claims are not validated for compliance with the standard.
    • Method Detail

      • getJWTAssertion

        public com.nimbusds.jwt.JWT getJWTAssertion()
        Gets the JSON Web Token (JWT) bearer assertion.
        Returns:
        The assertion as a signed or encrypted JWT, null if the assertion is a signed and encrypted JWT.
      • getJOSEAssertion

        public com.nimbusds.jose.JOSEObject getJOSEAssertion()
        Gets the JSON Web Token (JWT) bearer assertion.
        Returns:
        The assertion as a generic JOSE object (signed JWT, encrypted JWT, or signed and encrypted JWT).
      • parse

        public static JWTBearerGrant parse(Map<String,List<String>> params)
                                    throws ParseException
        Parses a JWT bearer grant from the specified request body parameters. The JWT claims are not validated for compliance with the standard.

        Example:

         grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer
         &assertion=eyJhbGciOiJFUzI1NiJ9.eyJpc3Mi[...omitted for brevity...].
         J9l-ZhwP[...omitted for brevity...]
         
        Parameters:
        params - The parameters.
        Returns:
        The JWT bearer grant.
        Throws:
        ParseException - If parsing failed.
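
Because the constructors and parse leave the JWT claims unvalidated, a token endpoint has to verify the signature and claims itself before honouring the grant. The following is an added example, not part of the SDK documentation: the class name, the validate helper, the ES256 policy and the example.com URLs are assumptions made for illustration, and the key and claims are constructed sample data.

```java
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.*;
import com.nimbusds.jose.jwk.*;
import com.nimbusds.jose.jwk.gen.ECKeyGenerator;
import com.nimbusds.jwt.*;
import com.nimbusds.oauth2.sdk.JWTBearerGrant;
import java.util.*;
public class JWTBearerGrantCheck { // hypothetical class name, not part of the SDK

    // Hypothetical helper: checks the signature and the claims RFC 7523, section 3 requires (iss, sub, aud, exp).
    static JWTClaimsSet validate(JWTBearerGrant grant, JWSVerifier verifier,
                                 String trustedIssuer, String tokenEndpoint) throws Exception {
        JWT jwt = grant.getJWTAssertion();
        if (!(jwt instanceof SignedJWT)) // null for nested JWTs; an EncryptedJWT must be decrypted first
            throw new SecurityException("Expected a signed JWT assertion");
        SignedJWT signed = (SignedJWT) jwt;
        if (!JWSAlgorithm.ES256.equals(signed.getHeader().getAlgorithm())) // pin the expected algorithm
            throw new SecurityException("Unexpected JWS algorithm");
        if (!signed.verify(verifier))
            throw new SecurityException("Invalid signature");
        JWTClaimsSet claims = signed.getJWTClaimsSet();
        if (!trustedIssuer.equals(claims.getIssuer()))
            throw new SecurityException("Untrusted issuer");
        if (claims.getSubject() == null)
            throw new SecurityException("Missing sub claim");
        if (!claims.getAudience().contains(tokenEndpoint))
            throw new SecurityException("Audience does not identify this server");
        Date exp = claims.getExpirationTime();
        if (exp == null || !exp.after(new Date()))
            throw new SecurityException("Missing exp claim or assertion expired");
        return claims;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: throwaway EC key and claims
        ECKey key = new ECKeyGenerator(Curve.P_256).generate();
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
            .issuer("https://idp.example.com").subject("alice")
            .audience("https://as.example.com/token")
            .expirationTime(new Date(System.currentTimeMillis() + 60_000)).build();
        SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.ES256), claims);
        jwt.sign(new ECDSASigner(key));
        // Round-trip through the request body parameters, as a token endpoint receives them
        Map<String, List<String>> params = new JWTBearerGrant(jwt).toParameters();
        JWTBearerGrant grant = JWTBearerGrant.parse(params);
        JWTClaimsSet ok = validate(grant, new ECDSAVerifier(key.toECPublicKey()),
            "https://idp.example.com", "https://as.example.com/token");
        System.out.println("Accepted assertion for " + ok.getSubject());
    }
}
```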