Package com.nimbusds.oauth2.sdk.auth
Class PrivateKeyJWT

Class hierarchy:
- java.lang.Object
- com.nimbusds.oauth2.sdk.auth.ClientAuthentication
- com.nimbusds.oauth2.sdk.auth.JWTAuthentication
- com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT

@Immutable
public final class PrivateKeyJWT extends JWTAuthentication

Private key JWT authentication at the Token endpoint. Implements ClientAuthenticationMethod.PRIVATE_KEY_JWT.

Signature JSON Web Algorithms (JWAs) supported by this implementation:
- RS256
- RS384
- RS512
- PS256
- PS384
- PS512
- ES256
- ES256K
- ES384
- ES512

Example TokenRequest with private key JWT authentication:

POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
code=i1WsRn1uB1&
client_id=s6BhdRkqt3&
client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&
client_assertion=PHNhbWxwOl...[omitted for brevity]...ZT

Related specifications:
- Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7521).
- JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7523).
Field Summary

Fields inherited from class com.nimbusds.oauth2.sdk.auth.JWTAuthentication:
CLIENT_ASSERTION_TYPE

Constructor Summary

- PrivateKeyJWT(com.nimbusds.jwt.SignedJWT clientAssertion)
  Creates a new private key JWT authentication.
- PrivateKeyJWT(JWTAuthenticationClaimsSet jwtAuthClaimsSet, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, ECPrivateKey ecPrivateKey, String keyID, Provider jcaProvider)
  Deprecated.
- PrivateKeyJWT(JWTAuthenticationClaimsSet jwtAuthClaimsSet, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, RSAPrivateKey rsaPrivateKey, String keyID, Provider jcaProvider)
  Deprecated.
- PrivateKeyJWT(JWTAuthenticationClaimsSet jwtAuthClaimsSet, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, PrivateKey privateKey, String keyID, Provider jcaProvider)
  Creates a new private key JWT authentication.
- PrivateKeyJWT(JWTAuthenticationClaimsSet jwtAuthClaimsSet, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, PrivateKey privateKey, String keyID, List<com.nimbusds.jose.util.Base64> x5c, com.nimbusds.jose.util.Base64URL x5t256, Provider jcaProvider)
  Creates a new private key JWT authentication.
- PrivateKeyJWT(ClientID clientID, URI endpoint, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, ECPrivateKey ecPrivateKey, String keyID, Provider jcaProvider)
  Deprecated.
- PrivateKeyJWT(ClientID clientID, URI endpoint, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, RSAPrivateKey rsaPrivateKey, String keyID, Provider jcaProvider)
  Deprecated.
- PrivateKeyJWT(ClientID clientID, URI endpoint, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, PrivateKey privateKey, String keyID, Provider jcaProvider)
  Creates a new private key JWT authentication.
- PrivateKeyJWT(ClientID clientID, URI endpoint, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, PrivateKey privateKey, String keyID, List<com.nimbusds.jose.util.Base64> x5c, com.nimbusds.jose.util.Base64URL x5t256, Provider jcaProvider)
  Creates a new private key JWT authentication.

Method Summary

- static PrivateKeyJWT parse(HTTPRequest httpRequest)
  Parses the specified HTTP POST request for a private key JSON Web Token (JWT) authentication.
- static PrivateKeyJWT parse(String paramsString)
  Parses a private key JSON Web Token (JWT) authentication from the specified application/x-www-form-urlencoded encoded parameters string.
- static PrivateKeyJWT parse(Map<String,List<String>> params)
  Parses the specified parameters map for a private key JSON Web Token (JWT) authentication.
- static Set<com.nimbusds.jose.JWSAlgorithm> supportedJWAs()
  Returns the supported signature JSON Web Algorithms (JWAs).

Methods inherited from class com.nimbusds.oauth2.sdk.auth.JWTAuthentication:
applyTo, ensureClientAssertionType, getClientAssertion, getFormParameterNames, getJWTAuthenticationClaimsSet, parseClientAssertion, parseClientID, toParameters

Methods inherited from class com.nimbusds.oauth2.sdk.auth.ClientAuthentication:
getClientID, getMethod
Constructor Detail

PrivateKeyJWT

public PrivateKeyJWT(ClientID clientID, URI endpoint, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, PrivateKey privateKey, String keyID, Provider jcaProvider) throws com.nimbusds.jose.JOSEException

Creates a new private key JWT authentication. The expiration time (exp) is set to five minutes from the current system time. Generates a default identifier (jti) for the JWT. The issued-at (iat) and not-before (nbf) claims are not set.

Parameters:
- clientID - The client identifier. Must not be null.
- endpoint - The endpoint URI where the client will submit the JWT authentication, for example the token endpoint. Must not be null.
- jwsAlgorithm - The expected RSA (RS256, RS384, RS512, PS256, PS384 or PS512) or EC (ES256, ES384, ES512) signature algorithm for the JWT assertion. Must be supported and not null.
- privateKey - The signing private RSA or EC key. Must not be null.
- keyID - Optional identifier for the key, to aid key selection on the recipient side. Recommended. null if not specified.
- jcaProvider - Optional specific JCA provider, null to use the default one.

Throws:
- com.nimbusds.jose.JOSEException - If signing failed.

PrivateKeyJWT

public PrivateKeyJWT(ClientID clientID, URI endpoint, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, PrivateKey privateKey, String keyID, List<com.nimbusds.jose.util.Base64> x5c, com.nimbusds.jose.util.Base64URL x5t256, Provider jcaProvider) throws com.nimbusds.jose.JOSEException

Creates a new private key JWT authentication. The expiration time (exp) is set to five minutes from the current system time. Generates a default identifier (jti) for the JWT. The issued-at (iat) and not-before (nbf) claims are not set.

Parameters:
- clientID - The client identifier. Must not be null.
- endpoint - The endpoint URI where the client will submit the JWT authentication, for example the token endpoint. Must not be null.
- jwsAlgorithm - The expected RSA (RS256, RS384, RS512, PS256, PS384 or PS512) or EC (ES256, ES384, ES512) signature algorithm for the JWT assertion. Must be supported and not null.
- privateKey - The signing private RSA or EC key. Must not be null.
- keyID - Optional identifier for the key, to aid key selection on the recipient side. Recommended. null if not specified.
- x5c - Optional X.509 certificate chain for the public key, null if not specified.
- x5t256 - Optional X.509 certificate SHA-256 thumbprint, null if not specified.
- jcaProvider - Optional specific JCA provider, null to use the default one.

Throws:
- com.nimbusds.jose.JOSEException - If signing failed.

PrivateKeyJWT

public PrivateKeyJWT(JWTAuthenticationClaimsSet jwtAuthClaimsSet, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, PrivateKey privateKey, String keyID, Provider jcaProvider) throws com.nimbusds.jose.JOSEException

Creates a new private key JWT authentication.

Parameters:
- jwtAuthClaimsSet - The JWT authentication claims set. Must not be null.
- jwsAlgorithm - The expected RSA (RS256, RS384, RS512, PS256, PS384 or PS512) or EC (ES256, ES384, ES512) signature algorithm for the JWT assertion. Must be supported and not null.
- privateKey - The signing private RSA or EC key. Must not be null.
- keyID - Optional identifier for the key, to aid key selection on the recipient side. Recommended. null if not specified.
- jcaProvider - Optional specific JCA provider, null to use the default one.

Throws:
- com.nimbusds.jose.JOSEException - If signing failed.

PrivateKeyJWT

public PrivateKeyJWT(JWTAuthenticationClaimsSet jwtAuthClaimsSet, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, PrivateKey privateKey, String keyID, List<com.nimbusds.jose.util.Base64> x5c, com.nimbusds.jose.util.Base64URL x5t256, Provider jcaProvider) throws com.nimbusds.jose.JOSEException

Creates a new private key JWT authentication.

Parameters:
- jwtAuthClaimsSet - The JWT authentication claims set. Must not be null.
- jwsAlgorithm - The expected RSA (RS256, RS384, RS512, PS256, PS384 or PS512) or EC (ES256, ES384, ES512) signature algorithm for the JWT assertion. Must be supported and not null.
- privateKey - The signing private RSA or EC key. Must not be null.
- keyID - Optional identifier for the key, to aid key selection on the recipient side. Recommended. null if not specified.
- x5c - Optional X.509 certificate chain for the public key, null if not specified.
- x5t256 - Optional X.509 certificate SHA-256 thumbprint, null if not specified.
- jcaProvider - Optional specific JCA provider, null to use the default one.

Throws:
- com.nimbusds.jose.JOSEException - If signing failed.

PrivateKeyJWT

@Deprecated
public PrivateKeyJWT(ClientID clientID, URI endpoint, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, RSAPrivateKey rsaPrivateKey, String keyID, Provider jcaProvider) throws com.nimbusds.jose.JOSEException

Deprecated. Creates a new RSA private key JWT authentication. The expiration time (exp) is set to five minutes from the current system time. Generates a default identifier (jti) for the JWT. The issued-at (iat) and not-before (nbf) claims are not set.

Parameters:
- clientID - The client identifier. Must not be null.
- endpoint - The endpoint URI where the client will submit the JWT authentication, for example the token endpoint. Must not be null.
- jwsAlgorithm - The expected RSA signature algorithm (RS256, RS384 or RS512) for the private key JWT assertion. Must be supported and not null.
- rsaPrivateKey - The RSA private key. Must not be null.
- keyID - Optional identifier for the RSA key, to aid key selection at the authorisation server. Recommended. null if not specified.
- jcaProvider - Optional specific JCA provider, null to use the default one.

Throws:
- com.nimbusds.jose.JOSEException - If RSA signing failed.

PrivateKeyJWT

@Deprecated
public PrivateKeyJWT(JWTAuthenticationClaimsSet jwtAuthClaimsSet, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, RSAPrivateKey rsaPrivateKey, String keyID, Provider jcaProvider) throws com.nimbusds.jose.JOSEException

Deprecated. Creates a new RSA private key JWT authentication.

Parameters:
- jwtAuthClaimsSet - The JWT authentication claims set. Must not be null.
- jwsAlgorithm - The expected RSA signature algorithm (RS256, RS384 or RS512) for the private key JWT assertion. Must be supported and not null.
- rsaPrivateKey - The RSA private key. Must not be null.
- keyID - Optional identifier for the RSA key, to aid key selection at the authorisation server. Recommended. null if not specified.
- jcaProvider - Optional specific JCA provider, null to use the default one.

Throws:
- com.nimbusds.jose.JOSEException - If RSA signing failed.

PrivateKeyJWT

@Deprecated
public PrivateKeyJWT(ClientID clientID, URI endpoint, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, ECPrivateKey ecPrivateKey, String keyID, Provider jcaProvider) throws com.nimbusds.jose.JOSEException

Deprecated. Creates a new EC private key JWT authentication. The expiration time (exp) is set to five minutes from the current system time. Generates a default identifier (jti) for the JWT. The issued-at (iat) and not-before (nbf) claims are not set.

Parameters:
- clientID - The client identifier. Must not be null.
- endpoint - The endpoint URI where the client will submit the JWT authentication, for example the token endpoint. Must not be null.
- jwsAlgorithm - The expected EC signature algorithm (ES256, ES384 or ES512) for the private key JWT assertion. Must be supported and not null.
- ecPrivateKey - The EC private key. Must not be null.
- keyID - Optional identifier for the EC key, to aid key selection at the authorisation server. Recommended. null if not specified.
- jcaProvider - Optional specific JCA provider, null to use the default one.

Throws:
- com.nimbusds.jose.JOSEException - If signing failed.

PrivateKeyJWT

@Deprecated
public PrivateKeyJWT(JWTAuthenticationClaimsSet jwtAuthClaimsSet, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, ECPrivateKey ecPrivateKey, String keyID, Provider jcaProvider) throws com.nimbusds.jose.JOSEException

Deprecated. Creates a new EC private key JWT authentication.

Parameters:
- jwtAuthClaimsSet - The JWT authentication claims set. Must not be null.
- jwsAlgorithm - The expected EC signature algorithm (ES256, ES384 or ES512) for the private key JWT assertion. Must be supported and not null.
- ecPrivateKey - The EC private key. Must not be null.
- keyID - Optional identifier for the EC key, to aid key selection at the authorisation server. Recommended. null if not specified.
- jcaProvider - Optional specific JCA provider, null to use the default one.

Throws:
- com.nimbusds.jose.JOSEException - If signing failed.

PrivateKeyJWT

public PrivateKeyJWT(com.nimbusds.jwt.SignedJWT clientAssertion)

Creates a new private key JWT authentication.

Parameters:
- clientAssertion - The client assertion, corresponding to the client_assertion parameter, as a supported RSA or ECDSA-signed JWT. Must be signed and not null.
Method Detail

supportedJWAs

public static Set<com.nimbusds.jose.JWSAlgorithm> supportedJWAs()

Returns the supported signature JSON Web Algorithms (JWAs).

Returns:
- The supported JSON Web Algorithms (JWAs).

parse

public static PrivateKeyJWT parse(Map<String,List<String>> params) throws ParseException

Parses the specified parameters map for a private key JSON Web Token (JWT) authentication. Note that the parameters must not be application/x-www-form-urlencoded encoded.

Parameters:
- params - The parameters map to parse. The private key JSON Web Token (JWT) parameters must be keyed under "client_assertion" and "client_assertion_type". The map must not be null.

Returns:
- The private key JSON Web Token (JWT) authentication.

Throws:
- ParseException - If the parameters map couldn't be parsed to a private key JSON Web Token (JWT) authentication.
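An added end-to-end example, not taken from the Nimbus documentation or SDK source, showing the client side building the assertion with the ClientID/endpoint constructor above and the server side recovering it with parse(Map), then validating it against the key and algorithm registered for that client, including a jti replay check. The throwaway key pair, the key ID "client-key-1" and the verify helper are constructed for the demo; the client_id and host are those of the page's example request.

```java
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT;
import com.nimbusds.oauth2.sdk.id.ClientID;
import java.net.URI;
import java.security.*;
import java.security.interfaces.RSAPublicKey;
import java.util.*;

public class PrivateKeyJWTRoundTrip {
    // Constructed demo values; the client_id and host are taken from the page's example request.
    static final ClientID CLIENT_ID = new ClientID("s6BhdRkqt3");
    static final URI TOKEN_ENDPOINT = URI.create("https://server.example.com/token");

    // Server-side check of a parsed assertion against the key and alg registered for this client.
    static JWTClaimsSet verify(PrivateKeyJWT auth, RSAPublicKey registeredKey,
                               JWSAlgorithm registeredAlg, Set<String> seenJTIs) throws Exception {
        SignedJWT jwt = auth.getClientAssertion();
        // Pin alg to the registered one rather than trusting the JWT header.
        if (!registeredAlg.equals(jwt.getHeader().getAlgorithm()))
            throw new SecurityException("unexpected alg " + jwt.getHeader().getAlgorithm());
        if (!jwt.verify(new RSASSAVerifier(registeredKey)))
            throw new SecurityException("bad signature");
        JWTClaimsSet c = jwt.getJWTClaimsSet();
        String id = auth.getClientID().getValue();
        if (!id.equals(c.getIssuer()) || !id.equals(c.getSubject()))
            throw new SecurityException("iss/sub do not match client_id");
        if (!c.getAudience().contains(TOKEN_ENDPOINT.toString()))
            throw new SecurityException("aud does not name this endpoint");
        if (c.getExpirationTime() == null || !c.getExpirationTime().after(new Date()))
            throw new SecurityException("assertion expired");
        // Reject a replayed jti within the assertion's five-minute lifetime.
        if (c.getJWTID() == null || !seenJTIs.add(c.getJWTID()))
            throw new SecurityException("jti already used");
        return c;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();  // stands in for the client's registered key pair
        // Client: iss/sub = client_id, aud = token endpoint, exp = now + 5 min, random jti.
        PrivateKeyJWT clientAuth = new PrivateKeyJWT(
                CLIENT_ID, TOKEN_ENDPOINT, JWSAlgorithm.RS256, kp.getPrivate(), "client-key-1", null);
        // Server: parse the submitted form parameters, then verify before trusting the identity.
        PrivateKeyJWT received = PrivateKeyJWT.parse(clientAuth.toParameters());
        JWTClaimsSet ok = verify(received, (RSAPublicKey) kp.getPublic(), JWSAlgorithm.RS256, new HashSet<>());
        System.out.println("authenticated " + ok.getSubject() + " jti=" + ok.getJWTID());
    }
}
```

Calling verify a second time with the same parsed assertion and the same seenJTIs set throws "jti already used", which is the behaviour a token endpoint needs to stop a captured assertion being reused inside its five-minute window.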
parse

public static PrivateKeyJWT parse(String paramsString) throws ParseException

Parses a private key JSON Web Token (JWT) authentication from the specified application/x-www-form-urlencoded encoded parameters string.

Parameters:
- paramsString - The parameters string to parse. The private key JSON Web Token (JWT) parameters must be keyed under "client_assertion" and "client_assertion_type". The string must not be null.

Returns:
- The private key JSON Web Token (JWT) authentication.

Throws:
- ParseException - If the parameters string couldn't be parsed to a private key JSON Web Token (JWT) authentication.

parse

public static PrivateKeyJWT parse(HTTPRequest httpRequest) throws ParseException

Parses the specified HTTP POST request for a private key JSON Web Token (JWT) authentication.

Parameters:
- httpRequest - The HTTP POST request to parse. Must not be null and must contain a valid application/x-www-form-urlencoded encoded parameters string in the entity body. The private key JSON Web Token (JWT) parameters must be keyed under "client_assertion" and "client_assertion_type".

Returns:
- The private key JSON Web Token (JWT) authentication.

Throws:
- ParseException - If the HTTP request couldn't be parsed to a private key JSON Web Token (JWT) authentication.