Interface ClientSecretStoreCodec

@ThreadSafe public interface ClientSecretStoreCodec

Service Provider Interface (SPI) for encoding OAuth client secrets before persisting them to storage. Can be used to symmetrically encrypt or to hash secrets (e.g. with SCrypt, BCrypt) before committing them to storage. Note, OAuth clients registered for client_secret_jwt authentication, where the secret must be available in plaintext to perform the HMAC, must not be hashed. This also applies to secrets which may otherwise require the plain secret to be available for decoding, for example to facilitate symmetric encryption of ID tokens or UserInfo.

The supplied context provides access to the Connect2id server JWK set to retrieve any configured symmetric keys for the client secret encryption, as well as the client metadata to determine the registered client authentication method.

Implementations must be thread-safe.
Method Summary

default DecodedSecret
decode(String storedValue, SecretCodecContext ctx)
    Decodes a client secret after retrieving it from the store.

default String
encode(com.nimbusds.oauth2.sdk.auth.Secret secret, SecretCodecContext ctx)
    Encodes the specified client secret before storing it.

default String
encodeImported(com.nimbusds.oauth2.sdk.auth.Secret secret, SecretCodecContext ctx)
    Encodes a client secret imported via the custom preferred_client_secret client metadata field before storing it.
Method Detail

encode

default String encode(com.nimbusds.oauth2.sdk.auth.Secret secret, SecretCodecContext ctx)

Encodes the specified client secret before storing it. Encoding can be applied for selected clients only, based on their metadata or other criteria.

Parameters:
secret - The client secret. To obtain its value use the Secret.getValue() or Secret.getValueBytes() methods. Note, the secret's expiration, if any, need not be encoded; it is persisted separately. Not null.
ctx - The codec context. Not null.

Returns:
The encoded secret. The default method returns the secret value unencoded.
encodeImported

default String encodeImported(com.nimbusds.oauth2.sdk.auth.Secret secret, SecretCodecContext ctx)

Encodes a client secret imported via the custom preferred_client_secret client metadata field before storing it. Encoding can be applied for selected clients only, based on their metadata or other criteria.

Parameters:
secret - The client secret as set by the custom preferred_client_secret metadata field. To obtain its value use the Secret.getValue() or Secret.getValueBytes() methods. Note, the secret's expiration, if any, need not be encoded; it is persisted separately. Not null.
ctx - The codec context. Not null.

Returns:
The encoded secret. The default method returns the secret value unencoded.
decode

default DecodedSecret decode(String storedValue, SecretCodecContext ctx)

Decodes a client secret after retrieving it from the store. If the secret is decoded to its plain value, the returned DecodedSecret must specify it. If the secret is stored in a hashed form and cannot be decoded, the returned DecodedSecret instance must specify a SecretVerifier.

Parameters:
storedValue - The stored client secret value. Not null.
ctx - The codec context. Not null.

Returns:
The decoded secret. The default method returns the stored secret value.
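As an added example, not code from this page or from the Connect2id project: a codec that hashes stored secrets with PBKDF2-HMAC-SHA256 (a JDK built-in, used here in place of the SCrypt/BCrypt mentioned above), leaves the secret of client_secret_jwt clients in plaintext as the description requires, and returns a verifier rather than a plain value for hashed entries. Assumed, because the page does not state them: the accessor SecretCodecContext.getClientMetadata(), the factory names DecodedSecret.createForValue and DecodedSecret.createForVerifier, a SecretVerifier that is a functional interface receiving the candidate Secret, and that the Connect2id SPI types are importable on the classpath.

```java
import java.security.*;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
import com.nimbusds.oauth2.sdk.auth.Secret;
// Hashes stored client secrets with PBKDF2-HMAC-SHA256 (JDK built-in), except for clients
// registered for client_secret_jwt, whose secret must stay in plaintext for the HMAC check.
public class PBKDF2ClientSecretCodec implements ClientSecretStoreCodec {
    private static final String PREFIX = "pbkdf2-sha256$";
    private static final int ITERATIONS = 600_000, SALT_BYTES = 16, KEY_BITS = 256;
    private final SecureRandom random = new SecureRandom(); // SecureRandom is thread-safe

    // Assumed accessor name; the page only states that the context exposes the client metadata.
    private static boolean needsPlaintext(SecretCodecContext ctx) {
        return ClientAuthenticationMethod.CLIENT_SECRET_JWT.equals(ctx.getClientMetadata().getTokenEndpointAuthMethod());
    }

    private static byte[] pbkdf2(char[] secret, byte[] salt, int iterations) {
        try {
            PBEKeySpec spec = new PBEKeySpec(secret, salt, iterations, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2-HMAC-SHA256 unavailable", e);
        }
    }

    @Override
    public String encode(Secret secret, SecretCodecContext ctx) {
        if (needsPlaintext(ctx)) return secret.getValue(); // expiration is persisted separately
        byte[] salt = new byte[SALT_BYTES];
        random.nextBytes(salt); // fresh salt per secret
        byte[] hash = pbkdf2(secret.getValue().toCharArray(), salt, ITERATIONS);
        Base64.Encoder b64 = Base64.getEncoder();
        return PREFIX + ITERATIONS + "$" + b64.encodeToString(salt) + "$" + b64.encodeToString(hash);
    }

    @Override
    public String encodeImported(Secret secret, SecretCodecContext ctx) { return encode(secret, ctx); }

    @Override
    public DecodedSecret decode(String storedValue, SecretCodecContext ctx) {
        if (!storedValue.startsWith(PREFIX)) // plaintext (client_secret_jwt) or a legacy unencoded value
            return DecodedSecret.createForValue(new Secret(storedValue)); // assumed factory name
        String[] p = storedValue.split("\\$"); // ["pbkdf2-sha256", iterations, salt, hash]
        int iterations = Integer.parseInt(p[1]);
        byte[] salt = Base64.getDecoder().decode(p[2]), hash = Base64.getDecoder().decode(p[3]);
        // Assumed: SecretVerifier is a functional interface that receives the candidate Secret.
        return DecodedSecret.createForVerifier(candidate ->
                MessageDigest.isEqual(hash, pbkdf2(candidate.getValue().toCharArray(), salt, iterations)));
    }
}
```

The iteration count is stored alongside the salt and hash, so it can be raised later for newly encoded secrets without invalidating entries already in the store.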