Interface PrivateKeyJWTCertificateVerifier
- All Superinterfaces:
Lifecycle
@ThreadSafe public interface PrivateKeyJWTCertificateVerifier extends Lifecycle
Service Provider Interface (SPI) for verifying an X.509 certificate (x5c) in private_key_jwt client authentications. This can be used to enable private_key_jwt authentication based on qualified certificates and without a prior client JWK set registration (via the "jwks" or "jwks_uri" client metadata parameters).

The SPI enables implementation of policies where only selected clients are allowed or required to include a certificate for the private_key_jwt, based on the client's registered metadata or other criteria.

A client can place the certificate in the private_key_jwt "x5c" header. Alternatively, the certificate can be put in the "x5c" parameter of a matching public JWK and have the key pre-registered via the "jwks" or "jwks_uri" client metadata parameter. Note that an "x5c" header is supplied by the authenticating client itself, so the returned verification must validate the chain to a trust anchor the server controls; an unvalidated certificate establishes nothing about the client.

Implementations must be thread-safe.
Method Summary

All Methods | Instance Methods | Abstract Methods

Modifier and Type: Optional<CertificateVerification>
Method: checkCertificateRequirement(PrivateKeyJWTContext context)
Description: Checks the X.509 certificate requirement for the specified private_key_jwt client authentication.
Method Detail
checkCertificateRequirement
Optional<CertificateVerification> checkCertificateRequirement(PrivateKeyJWTContext context) throws com.nimbusds.oauth2.sdk.auth.verifier.InvalidClientException

Checks the X.509 certificate requirement for the specified private_key_jwt client authentication. If the client must use a certificate as part of the private_key_jwt authentication, included by value in the JWS "x5c" header parameter, or included in a registered client JWK in the client's "jwks" or "jwks_uri", the method returns a certificate verification callback.

Parameters:
context - The private_key_jwt client authentication context. Not null.

Returns:
A certificate verification callback if a certificate is required for the private_key_jwt client authentication. If a certificate isn't required, none is returned.

Throws:
com.nimbusds.oauth2.sdk.auth.verifier.InvalidClientException - To reject the authentication with an invalid_client error, due to an unmet authentication requirement. Throwing an ExposedInvalidClientException will override the default Connect2id server error_description and error_uri in the HTTP 401 Unauthorized error response. Because an exposed error_description is returned verbatim to an unauthenticated caller, keep it free of internal detail such as validator messages or trust store contents.
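The following is an added example of a policy implementation of this SPI; it is not Connect2id's own code and is not taken from this page. It requires a certificate only from clients whose registered metadata carries a custom field, and validates the presented chain with the JDK's PKIX validator. Everything not shown on this page is an assumption and is marked as such in the code: the package of the SPI types, the init/shutdown methods inherited from Lifecycle, a getClientMetadata() accessor on PrivateKeyJWTContext, CertificateVerification being a single-method interface that receives the parsed chain, the ExposedInvalidClientException constructor, the custom field name "x5c_required", and the hypothetical loadTrustAnchors() helper.

```java
import java.security.GeneralSecurityException;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;
import java.util.Optional;
import java.util.Set;

import com.nimbusds.oauth2.sdk.auth.verifier.InvalidClientException;
import com.nimbusds.oauth2.sdk.client.ClientMetadata;
// Assumed package for the SPI types shown on this page.
import com.nimbusds.openid.connect.provider.spi.InitContext;
import com.nimbusds.openid.connect.provider.spi.clientauth.CertificateVerification;
import com.nimbusds.openid.connect.provider.spi.clientauth.ExposedInvalidClientException;
import com.nimbusds.openid.connect.provider.spi.clientauth.PrivateKeyJWTCertificateVerifier;
import com.nimbusds.openid.connect.provider.spi.clientauth.PrivateKeyJWTContext;

/**
 * Example policy (not Connect2id code): a certificate is required only from
 * clients whose registered metadata carries the custom field "x5c_required": true
 * (a hypothetical field name chosen for this example). Required chains are
 * validated with the JDK PKIX validator against trust anchors loaded at init time.
 */
public class QualifiedCertificateVerifier implements PrivateKeyJWTCertificateVerifier {

    // Written once in init(), read from any request thread; volatile keeps the
    // implementation thread-safe as the SPI requires.
    private volatile Set<TrustAnchor> trustAnchors = Collections.emptySet();

    @Override
    public void init(InitContext initContext) {
        // Assumed Lifecycle method. The anchors would come from a truststore named
        // in the server configuration; an empty set makes every chain fail closed.
        trustAnchors = loadTrustAnchors(initContext);
    }

    @Override
    public void shutdown() {
        // Assumed Lifecycle method; nothing to release here.
    }

    @Override
    public Optional<CertificateVerification> checkCertificateRequirement(PrivateKeyJWTContext context)
            throws InvalidClientException {

        ClientMetadata metadata = context.getClientMetadata(); // assumed accessor on the context
        boolean required = Boolean.TRUE.equals(metadata.getCustomField("x5c_required"));
        if (!required) {
            // Ordinary private_key_jwt against the registered JWK set: no callback.
            return Optional.empty();
        }
        // Assumed: CertificateVerification is a single-method interface handed the
        // chain parsed from the "x5c" header (or from the matching registered JWK).
        return Optional.of(this::verifyChain);
    }

    /** Rejects the authentication unless the chain validates to a configured trust anchor. */
    void verifyChain(List<X509Certificate> chain) throws InvalidClientException {
        if (chain == null || chain.isEmpty()) {
            // Assumed constructor (error_description, error_uri); the text reaches the caller.
            throw new ExposedInvalidClientException("Certificate required in private_key_jwt x5c", null);
        }
        try {
            PKIXParameters params = new PKIXParameters(trustAnchors); // rejects an empty anchor set
            params.setRevocationEnabled(false); // enable OCSP/CRL checking in production
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(chain), params);
        } catch (GeneralSecurityException e) {
            // Log the cause server-side; do not echo validator detail to the client.
            throw new ExposedInvalidClientException("Certificate chain not trusted", null);
        }
    }

    private static Set<TrustAnchor> loadTrustAnchors(InitContext initContext) {
        // Hypothetical helper: replace with KeyStore loading of the CA certificates you trust.
        return Collections.emptySet();
    }
}
```

Two design points matter beyond chain validation. First, the chain's leaf certificate must hold the key that actually verified the JWS signature on the assertion (RFC 7515 requires the first "x5c" entry to be the signing key); this page does not say whether the server enforces that match before invoking the callback, so confirm it or compare the leaf's public key with the signing key yourself. Second, the exposed error descriptions above are deliberately generic, since the page states they replace the server's own error_description in the 401 response sent to the unauthenticated caller.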