Interface PrivateKeyJWTCertificateVerifier

All Superinterfaces:
Lifecycle

@ThreadSafe public interface PrivateKeyJWTCertificateVerifier extends Lifecycle
Service Provider Interface (SPI) for verifying an X.509 certificate (x5c) in private_key_jwt client authentications. This can be used to enable private_key_jwt authentication based on qualified certificates, without a prior registration of the client's JWK set (via the "jwks" or "jwks_uri" client metadata parameters). A certificate presented by the client is not trusted by itself: the verifier is responsible for validating the certificate chain against the trust anchors of the deployment and for binding the certificate to the authenticating client.

The SPI enables implementation of policies where only selected clients are allowed or required to include a certificate for the private_key_jwt, based on the client's registered metadata or other criteria.

A client can place the certificate in the "x5c" header parameter of the private_key_jwt JWS. Alternatively, the certificate can be put in the "x5c" parameter of the matching public JWK, with the key pre-registered via the "jwks" or "jwks_uri" client metadata parameter.

Implementations must be thread-safe.

  • Method Details

    • checkCertificateRequirement

      Optional<CertificateVerification> checkCertificateRequirement(PrivateKeyJWTContext context) throws com.nimbusds.oauth2.sdk.auth.verifier.InvalidClientException
      Checks the X.509 certificate requirement for the specified private_key_jwt client authentication. If the client must present a certificate as part of the private_key_jwt authentication, either by value in the JWS "x5c" header parameter or in a registered client JWK from the client's "jwks" or "jwks_uri", the method returns a certificate verification callback.
      Parameters:
      context - The private_key_jwt client authentication context. Not null.
      Returns:
      A certificate verification callback if a certificate is required for the private_key_jwt client authentication, otherwise an empty Optional.
      Throws:
      com.nimbusds.oauth2.sdk.auth.verifier.InvalidClientException - To reject the authentication with an invalid_client error due to an unmet authentication requirement. Throwing an ExposedInvalidClientException overrides the default Connect2id server error_description and error_uri in the HTTP 401 Unauthorized error response.
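The following is an added example, not code from the Connect2id server or its SPI. It shows the two halves an implementation of this SPI has to supply: the policy decision behind checkCertificateRequirement (here: a certificate is required exactly when the client has registered neither "jwks" nor "jwks_uri") and the checks a returned certificate verification callback would perform on an x5c chain. It is written against Nimbus JOSE+JWT (SignedJWT, JWSHeader.getX509CertChain, X509CertUtils, RSASSAVerifier, ECDSAVerifier) and the Nimbus OAuth 2.0 SDK (ClientMetadata.getJWKSet, getJWKSetURI) plus the JDK PKIX validator. The method signatures of PrivateKeyJWTContext and CertificateVerification are not on this page, so the helper takes the parsed client assertion, the trust anchors and the expected subject DN as plain arguments; how the integrator obtains those from the context and from the client's registration is an assumption.

```java
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.ECDSAVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.util.Base64;
import com.nimbusds.jose.util.X509CertUtils;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.client.ClientMetadata;

// Added example (not Connect2id server code): policy decision and x5c checks
// behind a PrivateKeyJWTCertificateVerifier implementation.
public final class X5cPrivateKeyJWTChecks {

    private X5cPrivateKeyJWTChecks() {}

    // Example policy for checkCertificateRequirement: a certificate is required
    // when the client has no pre-registered JWK set (neither "jwks" nor "jwks_uri").
    // An implementation would return a callback when this is true, else Optional.empty().
    public static boolean requiresCertificate(ClientMetadata metadata) {
        return metadata.getJWKSet() == null && metadata.getJWKSetURI() == null;
    }

    // Verifies the x5c chain carried in the private_key_jwt JWS header and
    // returns it, leaf first. trustAnchors and expectedSubjectDN are assumed to
    // come from the deployment configuration and the client's registration;
    // any failure is thrown and should be mapped to an invalid_client error.
    public static List<X509Certificate> verifyX5c(SignedJWT assertion,
                                                  Set<TrustAnchor> trustAnchors,
                                                  String expectedSubjectDN)
        throws Exception {

        List<Base64> x5c = assertion.getHeader().getX509CertChain();
        if (x5c == null || x5c.isEmpty()) {
            throw new GeneralSecurityException("Missing x5c header parameter");
        }

        // RFC 7515 section 4.1.6: the first certificate holds the signing key,
        // each following certificate certifies the one before it.
        List<X509Certificate> chain = new ArrayList<>();
        for (Base64 der : x5c) {
            X509Certificate cert = X509CertUtils.parse(der.decode());
            if (cert == null) {
                throw new GeneralSecurityException("Malformed certificate in x5c");
            }
            chain.add(cert);
        }
        X509Certificate leaf = chain.get(0);

        // Check 1: the JWS signature must verify with the leaf's public key.
        // Otherwise the x5c is decoration: anyone could attach a valid
        // third-party certificate to a JWT signed with their own key.
        JWSVerifier verifier = verifierFor(leaf.getPublicKey(),
                                           assertion.getHeader().getAlgorithm());
        if (!assertion.verify(verifier)) {
            throw new GeneralSecurityException("JWS signature does not verify with x5c leaf key");
        }

        // Check 2: the chain must validate (PKIX) to a configured trust anchor;
        // this also enforces validity periods. Revocation checking is switched
        // off so the example runs offline; production code should enable OCSP
        // or CRL checking (e.g. via PKIXRevocationChecker).
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(trustAnchors);
        params.setRevocationEnabled(false);
        CertPathValidator.getInstance("PKIX").validate(path, params);

        // Check 3: bind the certificate to this client. A valid chain only shows
        // the CA issued it to someone; the subject must be the one registered
        // for this client_id, compared in canonical RFC 2253 form.
        String actual = leaf.getSubjectX500Principal().getName(X500Principal.RFC2253);
        String expected = new X500Principal(expectedSubjectDN).getName(X500Principal.RFC2253);
        if (!actual.equals(expected)) {
            throw new GeneralSecurityException("x5c leaf subject does not match client registration");
        }
        return chain;
    }

    // Selects the verifier for the key type and rejects alg / key mismatches.
    private static JWSVerifier verifierFor(PublicKey key, JWSAlgorithm alg) throws Exception {
        if (key instanceof RSAPublicKey && JWSAlgorithm.Family.RSA.contains(alg)) {
            return new RSASSAVerifier((RSAPublicKey) key);
        }
        if (key instanceof ECPublicKey && JWSAlgorithm.Family.EC.contains(alg)) {
            return new ECDSAVerifier((ECPublicKey) key);
        }
        throw new GeneralSecurityException("x5c key type does not match JWS alg " + alg);
    }
}
```

The order of the checks matters: signature verification against the leaf key comes first so that a chain belonging to a different party is never treated as evidence about the signer, and the subject binding comes last because PKIX validation alone only establishes that some trusted CA issued the certificate, not that it was issued to this client. The standard private_key_jwt claim checks (iss and sub equal to the client_id, aud, exp, jti) are performed by the server's own client authentication verifier and are not repeated here.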