Class ClientAuthenticationVerifier<T>
- java.lang.Object
-
- com.nimbusds.oauth2.sdk.auth.verifier.ClientAuthenticationVerifier<T>
-
@ThreadSafe public class ClientAuthenticationVerifier<T> extends Object
Client authentication verifier.Related specifications:
- OAuth 2.0 (RFC 6749), sections 2.3.1 and 3.2.1.
- OpenID Connect Core 1.0, section 9.
- JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7523).
- OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens (RFC 8705), section 2.
-
-
Constructor Summary
Constructors Constructor Description ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector, ClientX509CertificateBindingVerifier<T> certBindingVerifier, Set<Audience> expectedAudience)Deprecated.Use the constructor withPKIClientX509CertificateBindingVerifierClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector, PKIClientX509CertificateBindingVerifier<T> pkiCertBindingVerifier, Set<Audience> expectedAudience)Creates a new client authentication verifier.ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector, Set<Audience> expectedAudience)Creates a new client authentication verifier without support fortls_client_auth.
-
Method Summary
All Methods Instance Methods Concrete Methods Deprecated Methods Modifier and Type Method Description ClientCredentialsSelector<T>getClientCredentialsSelector()Returns the client credentials selector.ClientX509CertificateBindingVerifier<T>getClientX509CertificateBindingVerifier()Deprecated.Set<Audience>getExpectedAudience()Returns the permitted audience values in JWT authentication assertions.PKIClientX509CertificateBindingVerifier<T>getPKIClientX509CertificateBindingVerifier()Returns the client X.509 certificate binding verifier for use intls_client_auth.voidverify(ClientAuthentication clientAuth, Set<Hint> hints, Context<T> context)Verifies a client authentication request.
-
-
-
Constructor Detail
-
ClientAuthenticationVerifier
@Deprecated public ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector, ClientX509CertificateBindingVerifier<T> certBindingVerifier, Set<Audience> expectedAudience)
Deprecated.Use the constructor withPKIClientX509CertificateBindingVerifierCreates a new client authentication verifier.- Parameters:
clientCredentialsSelector- The client credentials selector. Must not benull.certBindingVerifier- Optional client X.509 certificate binding verifier fortls_client_auth,nullif not supported.expectedAudience- The permitted audience (aud) claim values in JWT authentication assertions. Must not be empty ornull. Should typically contain the token endpoint URI and for OpenID provider it may also include the issuer URI.
-
ClientAuthenticationVerifier
public ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector, Set<Audience> expectedAudience)
Creates a new client authentication verifier without support fortls_client_auth.- Parameters:
clientCredentialsSelector- The client credentials selector. Must not benull.expectedAudience- The permitted audience (aud) claim values in JWT authentication assertions. Must not be empty ornull. Should typically contain the token endpoint URI and for OpenID provider it may also include the issuer URI.
-
ClientAuthenticationVerifier
public ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector, PKIClientX509CertificateBindingVerifier<T> pkiCertBindingVerifier, Set<Audience> expectedAudience)
Creates a new client authentication verifier.- Parameters:
clientCredentialsSelector- The client credentials selector. Must not benull.pkiCertBindingVerifier- Optional client X.509 certificate binding verifier fortls_client_auth,nullif not supported.expectedAudience- The permitted audience (aud) claim values in JWT authentication assertions. Must not be empty ornull. Should typically contain the token endpoint URI and for OpenID provider it may also include the issuer URI.
-
-
Method Detail
-
getClientCredentialsSelector
public ClientCredentialsSelector<T> getClientCredentialsSelector()
Returns the client credentials selector.- Returns:
- The client credentials selector.
-
getClientX509CertificateBindingVerifier
@Deprecated public ClientX509CertificateBindingVerifier<T> getClientX509CertificateBindingVerifier()
Deprecated.Returns the client X.509 certificate binding verifier for use intls_client_auth.- Returns:
- The client X.509 certificate binding verifier,
nullif not specified.
-
getPKIClientX509CertificateBindingVerifier
public PKIClientX509CertificateBindingVerifier<T> getPKIClientX509CertificateBindingVerifier()
Returns the client X.509 certificate binding verifier for use intls_client_auth.- Returns:
- The client X.509 certificate binding verifier,
nullif not specified.
-
getExpectedAudience
public Set<Audience> getExpectedAudience()
Returns the permitted audience values in JWT authentication assertions.- Returns:
- The permitted audience (aud) claim values.
-
verify
public void verify(ClientAuthentication clientAuth, Set<Hint> hints, Context<T> context) throws InvalidClientException, com.nimbusds.jose.JOSEException
Verifies a client authentication request.- Parameters:
clientAuth- The client authentication. Must not benull.hints- Optional hints to the verifier, empty set ofnullif none.context- Additional context to be passed to the client credentials selector. May benull.- Throws:
InvalidClientException- If the client authentication is invalid, typically due to bad credentials.com.nimbusds.jose.JOSEException- If authentication failed due to an internal JOSE / JWT processing exception.
-
-