Class PrivateKeyJWT


  • @Immutable
    public final class PrivateKeyJWT
    extends JWTAuthentication
    Private key JWT authentication at the Token endpoint. Implements ClientAuthenticationMethod.PRIVATE_KEY_JWT.

    Supported signature JSON Web Algorithms (JWAs) by this implementation:

    • RS256
    • RS384
    • RS512
    • PS256
    • PS384
    • PS512
    • ES256
    • ES384
    • ES512

    Example TokenRequest with private key JWT authentication:

     POST /token HTTP/1.1
     Host: server.example.com
     Content-Type: application/x-www-form-urlencoded
    
     grant_type=authorization_code&
     code=i1WsRn1uB1&
     client_id=s6BhdRkqt3&
     client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&
     client_assertion=PHNhbWxwOl...[omitted for brevity]...ZT
     

    Related specifications:

    • Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7521).
    • JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7523).

    • Constructor Detail

      • PrivateKeyJWT

        public PrivateKeyJWT(ClientID clientID,
                             URI tokenEndpoint,
                             com.nimbusds.jose.JWSAlgorithm jwsAlgorithm,
                             RSAPrivateKey rsaPrivateKey,
                             String keyID,
                             Provider jcaProvider)
                      throws com.nimbusds.jose.JOSEException
        Creates a new RSA private key JWT authentication. The expiration time (exp) is set to five minutes from the current system time. Generates a default identifier (jti) for the JWT. The issued-at (iat) and not-before (nbf) claims are not set.
        Parameters:
        clientID - The client identifier. Must not be null.
        tokenEndpoint - The token endpoint URI of the authorisation server. Must not be null.
        jwsAlgorithm - The expected RSA signature algorithm (RS256, RS384 or RS512) for the private key JWT assertion. Must be supported and not null.
        rsaPrivateKey - The RSA private key. Must not be null.
        keyID - Optional identifier for the RSA key, to aid key selection at the authorisation server. Recommended. null if not specified.
        jcaProvider - Optional specific JCA provider, null to use the default one.
        Throws:
        com.nimbusds.jose.JOSEException - If RSA signing failed.
      • PrivateKeyJWT

        public PrivateKeyJWT(JWTAuthenticationClaimsSet jwtAuthClaimsSet,
                             com.nimbusds.jose.JWSAlgorithm jwsAlgorithm,
                             RSAPrivateKey rsaPrivateKey,
                             String keyID,
                             Provider jcaProvider)
                      throws com.nimbusds.jose.JOSEException
        Creates a new RSA private key JWT authentication.
        Parameters:
        jwtAuthClaimsSet - The JWT authentication claims set. Must not be null.
        jwsAlgorithm - The expected RSA signature algorithm (RS256, RS384 or RS512) for the private key JWT assertion. Must be supported and not null.
        rsaPrivateKey - The RSA private key. Must not be null.
        keyID - Optional identifier for the RSA key, to aid key selection at the authorisation server. Recommended. null if not specified.
        jcaProvider - Optional specific JCA provider, null to use the default one.
        Throws:
        com.nimbusds.jose.JOSEException - If RSA signing failed.
      • PrivateKeyJWT

        public PrivateKeyJWT(ClientID clientID,
                             URI tokenEndpoint,
                             com.nimbusds.jose.JWSAlgorithm jwsAlgorithm,
                             ECPrivateKey ecPrivateKey,
                             String keyID,
                             Provider jcaProvider)
                      throws com.nimbusds.jose.JOSEException
        Creates a new EC private key JWT authentication. The expiration time (exp) is set to five minutes from the current system time. Generates a default identifier (jti) for the JWT. The issued-at (iat) and not-before (nbf) claims are not set.
        Parameters:
        clientID - The client identifier. Must not be null.
        tokenEndpoint - The token endpoint URI of the authorisation server. Must not be null.
        jwsAlgorithm - The expected EC signature algorithm (ES256, ES384 or ES512) for the private key JWT assertion. Must be supported and not null.
        ecPrivateKey - The EC private key. Must not be null.
        keyID - Optional identifier for the EC key, to aid key selection at the authorisation server. Recommended. null if not specified.
        jcaProvider - Optional specific JCA provider, null to use the default one.
        Throws:
        com.nimbusds.jose.JOSEException - If EC signing failed.
      • PrivateKeyJWT

        public PrivateKeyJWT(JWTAuthenticationClaimsSet jwtAuthClaimsSet,
                             com.nimbusds.jose.JWSAlgorithm jwsAlgorithm,
                             ECPrivateKey ecPrivateKey,
                             String keyID,
                             Provider jcaProvider)
                      throws com.nimbusds.jose.JOSEException
        Creates a new EC private key JWT authentication.
        Parameters:
        jwtAuthClaimsSet - The JWT authentication claims set. Must not be null.
        jwsAlgorithm - The expected EC signature algorithm (ES256, ES384 or ES512) for the private key JWT assertion. Must be supported and not null.
        ecPrivateKey - The EC private key. Must not be null.
        keyID - Optional identifier for the EC key, to aid key selection at the authorisation server. Recommended. null if not specified.
        jcaProvider - Optional specific JCA provider, null to use the default one.
        Throws:
        com.nimbusds.jose.JOSEException - If EC signing failed.
      • PrivateKeyJWT

        public PrivateKeyJWT(com.nimbusds.jwt.SignedJWT clientAssertion)
        Creates a new private key JWT authentication.
        Parameters:
        clientAssertion - The client assertion, corresponding to the client_assertion parameter, as a supported RSA or ECDSA-signed JWT. Must be signed and not null.
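        The following is an added example (not code from the Nimbus OAuth 2.0 SDK or this Javadoc) showing the claims-set constructor together with an EC key: instead of accepting the default five-minute exp and unset iat/nbf, the client builds a JWTAuthenticationClaimsSet with a 60-second lifetime, explicit iat and nbf, and a random jti, then signs it with ES256. The client ID, endpoint URI and key ID are constructed values; the six-argument JWTAuthenticationClaimsSet(clientID, aud, exp, nbf, iat, jti) constructor and the toParameters()/getClientAssertion() accessors are assumed from the SDK and are not listed on this page.

```java
import java.net.URI;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.ECPrivateKey;
import java.security.spec.ECGenParameterSpec;
import java.util.Date;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.auth.JWTAuthenticationClaimsSet;
import com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT;
import com.nimbusds.oauth2.sdk.id.Audience;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.JWTID;
import com.nimbusds.oauth2.sdk.util.URLUtils;

public class PrivateKeyJWTClaimsExample {

    public static void main(String[] args) throws Exception {

        // Constructed values for illustration; a real client loads its signing key
        // from a keystore or HSM and uses the token endpoint published by the AS.
        ClientID clientID = new ClientID("s6BhdRkqt3");
        URI tokenEndpoint = new URI("https://server.example.com/token");

        // P-256 is the curve that pairs with ES256
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair keyPair = gen.generateKeyPair();
        ECPrivateKey ecPrivateKey = (ECPrivateKey) keyPair.getPrivate();

        // Explicit claims: iss and sub are derived from the client ID, aud is the token
        // endpoint, exp is 60 s out (tighter than the 5-minute default), iat/nbf are set,
        // and a random jti lets the AS detect a replayed assertion.
        Date now = new Date();
        Date exp = new Date(now.getTime() + 60_000L);
        JWTAuthenticationClaimsSet claims = new JWTAuthenticationClaimsSet(
                clientID, new Audience(tokenEndpoint.toString()), exp, now, now, new JWTID());

        // "ec-key-1" is a constructed kid; it should match the key in the client's JWK set
        PrivateKeyJWT clientAuth = new PrivateKeyJWT(
                claims, JWSAlgorithm.ES256, ecPrivateKey, "ec-key-1", null);

        // What goes on the wire as client_assertion_type and client_assertion
        System.out.println(URLUtils.serializeParameters(clientAuth.toParameters()));

        // The JWS header carries alg and kid, which drive key selection at the AS
        SignedJWT assertion = clientAuth.getClientAssertion();
        System.out.println("alg=" + assertion.getHeader().getAlgorithm()
                + " kid=" + assertion.getHeader().getKeyID());
        System.out.println("iss=" + claims.getIssuer() + " sub=" + claims.getSubject()
                + " aud=" + claims.getAudience() + " exp=" + claims.getExpirationTime()
                + " jti=" + claims.getJWTID());
    }
}
```

Keeping the lifetime short and setting iat limits how long a captured assertion remains usable, and the jti gives the authorisation server something to cache for replay detection; both are cheap on the client side and are the reason to prefer this constructor over the default-claims one when the deployment permits it.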
    • Method Detail

      • supportedJWAs

        public static Set<com.nimbusds.jose.JWSAlgorithm> supportedJWAs()
        Returns the supported signature JSON Web Algorithms (JWAs).
        Returns:
        The supported JSON Web Algorithms (JWAs).
      • parse

        public static PrivateKeyJWT parse(Map<String,List<String>> params)
                                   throws ParseException
        Parses the specified parameters map for a private key JSON Web Token (JWT) authentication. Note that the parameters must not be application/x-www-form-urlencoded encoded.
        Parameters:
        params - The parameters map to parse. The private key JSON Web Token (JWT) parameters must be keyed under "client_assertion" and "client_assertion_type". The map must not be null.
        Returns:
        The private key JSON Web Token (JWT) authentication.
        Throws:
        ParseException - If the parameters map couldn't be parsed to a private key JSON Web Token (JWT) authentication.
      • parse

        public static PrivateKeyJWT parse(String paramsString)
                                   throws ParseException
        Parses a private key JSON Web Token (JWT) authentication from the specified application/x-www-form-urlencoded encoded parameters string.
        Parameters:
        paramsString - The parameters string to parse. The private key JSON Web Token (JWT) parameters must be keyed under "client_assertion" and "client_assertion_type". The string must not be null.
        Returns:
        The private key JSON Web Token (JWT) authentication.
        Throws:
        ParseException - If the parameters string couldn't be parsed to a private key JSON Web Token (JWT) authentication.
      • parse

        public static PrivateKeyJWT parse(HTTPRequest httpRequest)
                                   throws ParseException
        Parses the specified HTTP POST request for a private key JSON Web Token (JWT) authentication.
        Parameters:
        httpRequest - The HTTP POST request to parse. Must not be null and must contain a valid application/x-www-form-urlencoded encoded parameters string in the entity body. The private key JSON Web Token (JWT) parameters must be keyed under "client_assertion" and "client_assertion_type".
        Returns:
        The private key JSON Web Token (JWT) authentication.
        Throws:
        ParseException - If the HTTP request couldn't be parsed to a private key JSON Web Token (JWT) authentication.
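        The parse methods above only extract the client_assertion from the request; they do not verify it. The following added example (not code from the Nimbus OAuth 2.0 SDK or this Javadoc) shows the checks an authorisation server has to perform after parsing: restrict alg to the asymmetric algorithms supportedJWAs() lists, verify the signature with the key registered for the client named in iss/sub, and check aud, exp and one-time use of jti. The client registry, replay cache, client ID, endpoint URI and key ID are constructed or hypothetical; getClientID(), getClientAssertion() and getJWTAuthenticationClaimsSet() on the parsed authentication, and the TokenRequest/AuthorizationCodeGrant classes used to build a sample request, are assumed from the SDK and are not listed on this page. The SDK also ships a ClientAuthenticationVerifier in com.nimbusds.oauth2.sdk.auth.verifier that bundles these checks; the hand-written version here makes each one visible.

```java
import java.net.URI;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.ECDSAVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.AuthorizationCode;
import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
import com.nimbusds.oauth2.sdk.TokenRequest;
import com.nimbusds.oauth2.sdk.auth.JWTAuthenticationClaimsSet;
import com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.id.Audience;
import com.nimbusds.oauth2.sdk.id.ClientID;

public class PrivateKeyJWTServerCheck {

    // Hypothetical client registry: client_id -> registered public key.
    // A real AS reads this from its client store or the client's jwks_uri.
    static final Map<ClientID, PublicKey> REGISTERED_KEYS = new HashMap<>();

    // Hypothetical replay cache of seen jti values. Production needs a shared
    // store whose entry TTL is at least the longest accepted exp.
    static final Set<String> SEEN_JTI = new HashSet<>();

    static ClientID authenticate(HTTPRequest httpRequest, Audience expectedAudience) throws Exception {

        PrivateKeyJWT auth = PrivateKeyJWT.parse(httpRequest);   // parses only, no verification
        SignedJWT assertion = auth.getClientAssertion();
        JWSAlgorithm alg = assertion.getHeader().getAlgorithm();

        // 1. Accept only the RS*/PS*/ES* algorithms this class supports; "none" and HS* are rejected
        if (!PrivateKeyJWT.supportedJWAs().contains(alg)) {
            throw new SecurityException("Unsupported client assertion alg: " + alg);
        }

        // 2. The client ID comes from the assertion's iss/sub; verification must use that
        //    client's registered key, never a key named by the assertion itself
        ClientID clientID = auth.getClientID();
        PublicKey registeredKey = REGISTERED_KEYS.get(clientID);
        if (registeredKey == null) {
            throw new SecurityException("Unknown client: " + clientID);
        }

        // 3. Pick the verifier by registered key type and confirm it matches alg
        JWSVerifier verifier;
        if (JWSAlgorithm.Family.RSA.contains(alg) && registeredKey instanceof RSAPublicKey) {
            verifier = new RSASSAVerifier((RSAPublicKey) registeredKey);
        } else if (JWSAlgorithm.Family.EC.contains(alg) && registeredKey instanceof ECPublicKey) {
            verifier = new ECDSAVerifier((ECPublicKey) registeredKey);
        } else {
            throw new SecurityException("alg does not match the registered key type");
        }
        if (!assertion.verify(verifier)) {
            throw new SecurityException("Invalid client assertion signature");
        }

        // 4. Claim checks: intended for this endpoint, not expired, jti not seen before
        JWTAuthenticationClaimsSet claims = auth.getJWTAuthenticationClaimsSet();
        if (claims.getAudience() == null || !claims.getAudience().contains(expectedAudience)) {
            throw new SecurityException("Assertion not intended for this token endpoint");
        }
        if (claims.getExpirationTime() == null || claims.getExpirationTime().before(new Date())) {
            throw new SecurityException("Client assertion expired or has no exp");
        }
        if (claims.getJWTID() == null || !SEEN_JTI.add(claims.getJWTID().getValue())) {
            throw new SecurityException("Client assertion jti missing or replayed");
        }
        return clientID;
    }

    public static void main(String[] args) throws Exception {
        // Constructed set-up: register one client and build a request the way a client would
        ClientID clientID = new ClientID("s6BhdRkqt3");
        URI tokenEndpoint = new URI("https://server.example.com/token");
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        REGISTERED_KEYS.put(clientID, kp.getPublic());

        PrivateKeyJWT clientAuth = new PrivateKeyJWT(clientID, tokenEndpoint, JWSAlgorithm.RS256,
                (RSAPrivateKey) kp.getPrivate(), "client-key-1", null);
        TokenRequest tokenRequest = new TokenRequest(tokenEndpoint, clientAuth,
                new AuthorizationCodeGrant(new AuthorizationCode("i1WsRn1uB1"),
                        new URI("https://client.example.com/cb")));
        HTTPRequest httpRequest = tokenRequest.toHTTPRequest();

        Audience expected = new Audience(tokenEndpoint.toString());
        System.out.println("Authenticated client: " + authenticate(httpRequest, expected));

        // Presenting the same assertion a second time fails the jti check
        try {
            authenticate(httpRequest, expected);
        } catch (SecurityException e) {
            System.out.println("Second use rejected: " + e.getMessage());
        }
    }
}
```

The order matters: the algorithm and key lookup happen before any claim is trusted, the signature is verified with the key the server already associates with the client, and only then are aud, exp and jti read from the now-authenticated claims set. Because the constructors on this page do not set iat or nbf by default, a server should not require those claims unless it knows its clients set them.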