Interface ClientSecretStoreCodec
Service Provider Interface (SPI) for encoding OAuth client secrets before persisting them to storage. Can be used to symmetrically encrypt or to hash secrets (e.g. with SCrypt, BCrypt) before committing them to storage. Note, the secrets of OAuth clients registered for client_secret_jwt authentication, where the secret must be available in plaintext to perform the HMAC, must not be hashed. This also applies to secrets which may otherwise require the plain secret to be available for decoding, for example to facilitate symmetric encryption of ID tokens or UserInfo.

The supplied context (SecretCodecContext) provides access to the Connect2id server JWK set to retrieve any configured symmetric keys for the client secret encryption, as well as the client metadata to determine the registered client authentication method.

Implementations must be thread-safe.
-
Method Summary

Modifier and Type     | Method                                                                           | Description
default DecodedSecret | decode(String storedValue, SecretCodecContext ctx)                               | Decodes a client secret after retrieving it from the store.
default String        | encode(com.nimbusds.oauth2.sdk.auth.Secret secret, SecretCodecContext ctx)         | Encodes the specified client secret before storing it.
default String        | encodeImported(com.nimbusds.oauth2.sdk.auth.Secret secret, SecretCodecContext ctx) | Encodes a client secret imported via the custom preferred_client_secret client metadata field before storing it.
-
Method Details
-
encode

default String encode(com.nimbusds.oauth2.sdk.auth.Secret secret, SecretCodecContext ctx)

Encodes the specified client secret before storing it. Encoding can be applied for selected clients only, based on their metadata or other criteria.

Parameters:
  secret - The client secret. To obtain its value use the Secret.getValue() or Secret.getValueBytes() methods. Note, the secret's expiration, if any, need not be encoded; it is persisted separately. Not null.
  ctx - The codec context. Not null.
Returns:
  The encoded secret. The default method returns the secret value unencoded.
-
encodeImported

default String encodeImported(com.nimbusds.oauth2.sdk.auth.Secret secret, SecretCodecContext ctx)

Encodes a client secret imported via the custom preferred_client_secret client metadata field before storing it. Encoding can be applied for selected clients only, based on their metadata or other criteria.

Parameters:
  secret - The client secret as set by the custom preferred_client_secret metadata field. To obtain its value use the Secret.getValue() or Secret.getValueBytes() methods. Note, the secret's expiration, if any, need not be encoded; it is persisted separately. Not null.
  ctx - The codec context. Not null.
Returns:
  The encoded secret. The default method returns the secret value unencoded.
-
decode

default DecodedSecret decode(String storedValue, SecretCodecContext ctx)

Decodes a client secret after retrieving it from the store. If the secret is decoded to its plain value, the returned DecodedSecret must specify it. If the secret is stored in a hashed form and cannot be decoded, the returned DecodedSecret instance must specify a SecretVerifier.

Parameters:
  storedValue - The stored client secret value. Not null.
  ctx - The codec context. Not null.
Returns:
  The decoded secret. The default method returns the stored secret value.
-
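The following is an added example implementation of this SPI, not code from the Connect2id server or its documentation: it hashes secrets with PBKDF2-HMAC-SHA256 from the JDK unless the client is registered for client_secret_jwt, hashes imported secrets the same way, and has decode return a SecretVerifier for hashed values. It assumes the context exposes the client metadata via a getClientMetadata() accessor, that DecodedSecret has constructors taking either a plain Secret or a SecretVerifier, and that SecretVerifier is a functional interface over the candidate Secret; those names are assumptions not confirmed by this page.

```java
import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
import com.nimbusds.oauth2.sdk.auth.Secret;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
// Stores client secrets as PBKDF2-HMAC-SHA256 hashes, except for clients whose registered
// authentication method (client_secret_jwt) needs the plaintext to compute the HMAC.
public class HashingClientSecretStoreCodec implements ClientSecretStoreCodec {
    private static final String HASH_PREFIX = "pbkdf2-sha256$";
    private static final int ITERATIONS = 310_000;
    private static final SecureRandom RANDOM = new SecureRandom();

    @Override public String encode(Secret secret, SecretCodecContext ctx) {
        // ASSUMPTION: the context exposes the registered client metadata via getClientMetadata()
        ClientAuthenticationMethod method = ctx.getClientMetadata().getTokenEndpointAuthMethod();
        if (ClientAuthenticationMethod.CLIENT_SECRET_JWT.equals(method)) {
            return secret.getValue(); // HMAC needs the plaintext, so this secret must not be hashed
        }
        byte[] salt = new byte[16];
        RANDOM.nextBytes(salt); // fresh random salt per secret
        byte[] hash = pbkdf2(secret.getValue().toCharArray(), salt, ITERATIONS);
        Base64.Encoder b64 = Base64.getEncoder();
        return HASH_PREFIX + ITERATIONS + "$" + b64.encodeToString(salt) + "$" + b64.encodeToString(hash);
    }

    // Imported secrets get the same treatment; the SPI default would store them unencoded.
    @Override public String encodeImported(Secret secret, SecretCodecContext ctx) { return encode(secret, ctx); }

    @Override public DecodedSecret decode(String storedValue, SecretCodecContext ctx) {
        if (!storedValue.startsWith(HASH_PREFIX)) {
            // ASSUMPTION: DecodedSecret has a constructor taking the plain Secret
            return new DecodedSecret(new Secret(storedValue));
        }
        String[] parts = storedValue.substring(HASH_PREFIX.length()).split("\\$");
        int iterations = Integer.parseInt(parts[0]);
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        // ASSUMPTION: SecretVerifier is a functional interface taking the candidate Secret;
        // the comparison is constant-time so a mismatch leaks nothing about the stored hash.
        SecretVerifier verifier = c -> MessageDigest.isEqual(expected, pbkdf2(c.getValue().toCharArray(), salt, iterations));
        return new DecodedSecret(verifier);
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (java.security.GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2WithHmacSHA256 unavailable", e);
        }
    }
}
```

The client_secret_jwt check is the minimum this page calls for; a deployment that also issues symmetrically encrypted ID tokens or UserInfo to a client would need to extend the same condition, since those secrets must likewise stay decodable.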