Interface PrivateKeyJWTCertificateVerifier
- All Superinterfaces:
Lifecycle
Service Provider Interface (SPI) for verifying an X.509 certificate (x5c) in private_key_jwt client authentications. This can be used to enable private_key_jwt authentication based on qualified certificates and without a prior client JWK set registration (via the "jwks" or "jwks_uri" client metadata parameters).
The SPI enables implementation of policies where only selected clients are allowed or required to include a certificate in the private_key_jwt authentication, based on the client's registered metadata or other criteria.
A client can place the certificate in the private_key_jwt "x5c" header. Alternatively, the certificate can be put in the "x5c" parameter of a matching public JWK and have the key pre-registered via the "jwks" or "jwks_uri" client metadata parameter.
Implementations must be thread-safe.
Method Summary

Optional<CertificateVerification> checkCertificateRequirement(PrivateKeyJWTContext context)
    Checks the X.509 certificate requirement for the specified private_key_jwt client authentication.
Method Details

checkCertificateRequirement

Optional<CertificateVerification> checkCertificateRequirement(PrivateKeyJWTContext context)
    throws com.nimbusds.oauth2.sdk.auth.verifier.InvalidClientException

Checks the X.509 certificate requirement for the specified private_key_jwt client authentication. If the client must use a certificate as part of the private_key_jwt authentication, included by value in the JWS "x5c" header parameter or included in a registered client JWK in the client's "jwks" or "jwks_uri", the method returns a certificate verification callback.

Parameters:
    context - The private_key_jwt client authentication context. Not null.

Returns:
    A certificate verification callback if a certificate is required for the private_key_jwt client authentication. If a certificate isn't required, none (an empty Optional) is returned.

Throws:
    com.nimbusds.oauth2.sdk.auth.verifier.InvalidClientException - To reject the authentication with an invalid_client error, due to an unmet authentication requirement. Throwing an ExposedInvalidClientException will override the default Connect2id server error_description and error_uri in the HTTP 401 Unauthorized error response.
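The following is an added example of what an implementation of this SPI might look like; it is not code from the Connect2id server SDK. The X5cChainVerifier class uses only the Nimbus JOSE+JWT library and java.security and does the two checks that matter when a certificate arrives in the JWS "x5c" header or in a registered JWK's "x5c": PKIX path validation against a configured set of trust anchors, and a key-binding check that the JWS actually verifies under the leaf certificate's public key. The QualifiedCertificateVerifier wrapper shows a policy where only clients registered with a custom metadata field (the hypothetical "require_qualified_cert") must present a certificate. The PrivateKeyJWTContext accessor names (getClientMetadata, getPrivateKeyJWT, getRegisteredJWK), the assumption that CertificateVerification is a no-arg callback throwing InvalidClientException, the Lifecycle init/shutdown methods, and the system property and PEM bundle path used to load trust anchors are all assumptions for this example; check them against your SDK version.

```java
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.factories.DefaultJWSVerifierFactory;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.util.Base64;
import com.nimbusds.jose.util.X509CertUtils;
import com.nimbusds.oauth2.sdk.auth.verifier.InvalidClientException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.*;
// PrivateKeyJWTCertificateVerifier, PrivateKeyJWTContext, CertificateVerification and
// InitContext are taken from your Connect2id server SDK version (imports omitted here).

/** Chain validation plus key binding for an x5c certificate sent with a private_key_jwt. */
final class X5cChainVerifier {
    private final Set<TrustAnchor> trustAnchors;

    X5cChainVerifier(Set<TrustAnchor> trustAnchors) {
        this.trustAnchors = Set.copyOf(trustAnchors);
    }

    /** x5c is leaf first (RFC 7515, section 4.1.6); each entry is base64 DER. */
    static List<X509Certificate> decodeX5c(List<Base64> x5c) throws InvalidClientException {
        if (x5c == null || x5c.isEmpty()) {
            throw new InvalidClientException("Certificate required but no x5c present");
        }
        List<X509Certificate> chain = new ArrayList<>();
        for (Base64 b64 : x5c) {
            X509Certificate cert = X509CertUtils.parse(b64.decode()); // null if not DER X.509
            if (cert == null) throw new InvalidClientException("Malformed certificate in x5c");
            chain.add(cert);
        }
        return chain;
    }

    /** Uses the JWS header x5c, else the registered JWK's x5c; returns the leaf on success. */
    X509Certificate verify(JWSObject jws, JWK registeredKey) throws InvalidClientException {
        List<Base64> x5c = jws.getHeader().getX509CertChain();
        if (x5c == null && registeredKey != null) x5c = registeredKey.getX509CertChain();
        List<X509Certificate> chain = decodeX5c(x5c);
        X509Certificate leaf = chain.get(0);
        // 1. PKIX path validation to a configured anchor rejects expired, unknown-issuer and
        //    mis-ordered chains. A PKIX path ends at the cert the anchor issued, so drop a
        //    self-signed root the client may have appended. Enable OCSP/CRL in production.
        X509Certificate last = chain.get(chain.size() - 1);
        List<X509Certificate> path = chain.size() > 1
                && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())
                ? chain.subList(0, chain.size() - 1) : chain;
        try {
            CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
            PKIXParameters params = new PKIXParameters(trustAnchors);
            params.setRevocationEnabled(false);
            CertPathValidator.getInstance("PKIX").validate(certPath, params);
        } catch (GeneralSecurityException e) {
            throw new InvalidClientException("x5c chain validation failed: " + e.getMessage());
        }
        // 2. Key binding: the JWS must verify under the leaf's public key, otherwise a caller
        //    could attach someone else's valid certificate to a JWT signed with an unrelated key.
        try {
            JWSVerifier v = new DefaultJWSVerifierFactory().createJWSVerifier(jws.getHeader(), leaf.getPublicKey());
            if (!jws.verify(v)) throw new InvalidClientException("JWS not signed by the x5c leaf key");
        } catch (JOSEException e) {
            throw new InvalidClientException("Cannot verify JWS with the x5c key: " + e.getMessage());
        }
        return leaf;
    }
}

/**
 * SPI implementation: only clients registered with the hypothetical custom metadata field
 * "require_qualified_cert" = true must present a certificate. The PrivateKeyJWTContext
 * accessors and the no-arg callback shape of CertificateVerification are assumed.
 */
public final class QualifiedCertificateVerifier implements PrivateKeyJWTCertificateVerifier {
    private X5cChainVerifier chainVerifier;

    @Override public void init(InitContext initContext) throws Exception { // Lifecycle, as assumed
        // Trust anchors from a PEM bundle; the property name and default path are placeholders.
        Path bundle = Path.of(System.getProperty("c2id.x5c.caBundle", "/etc/c2id/qualified-cas.pem"));
        Set<TrustAnchor> anchors = new HashSet<>();
        try (var in = Files.newInputStream(bundle)) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                anchors.add(new TrustAnchor((X509Certificate) c, null));
            }
        }
        chainVerifier = new X5cChainVerifier(anchors);
    }

    @Override public void shutdown() { }

    @Override
    public Optional<CertificateVerification> checkCertificateRequirement(PrivateKeyJWTContext context)
            throws InvalidClientException {
        Object flag = context.getClientMetadata().getCustomField("require_qualified_cert"); // assumed accessor
        if (!Boolean.TRUE.equals(flag)) return Optional.empty(); // no certificate policy for this client
        // Assumed accessors; the returned callback runs the chain and key-binding checks above.
        return Optional.of(() -> chainVerifier.verify(context.getPrivateKeyJWT(), context.getRegisteredJWK()));
    }
}
```

Two points to keep in mind when adapting this. The "x5c" header is supplied by whoever sends the JWT, so a certificate found there proves nothing until the chain validates to an anchor you trust and the JWS is shown to verify under that certificate's key; skipping the second check lets a caller pair a genuine third-party certificate with their own signing key. The error messages above reach the client only as a generic invalid_client; as the method documentation notes, throw ExposedInvalidClientException instead where you want the error_description in the 401 response to carry the specific reason.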