Class JWTAuthenticationClaimsSet


JWT client authentication claims set, serialisable to a JSON object and JWT claims set.

Used for client secret JWT and private key JWT authentication at the Token endpoint.

Example client authentication claims set:

 {
   "iss" : "https://client.example.com",
   "sub" : "https://client.example.com",
   "aud" : [ "https://idp.example.com/token" ],
   "jti" : "d396036d-c4d9-40d8-8e98-f7e8327002d9",
   "exp" : 1311281970,
   "iat" : 1311280970
 }
 

Example client authentication claims set where the issuer is a 3rd party:

 {
   "iss" : "https://sts.example.com",
   "sub" : "https://client.example.com",
   "aud" : [ "https://idp.example.com/token" ],
   "jti" : "d396036d-c4d9-40d8-8e98-f7e8327002d9",
   "exp" : 1311281970,
   "iat" : 1311280970
 }
 

Related specifications:

  • OAuth 2.0 (RFC 6749), section 3.2.1.
  • JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7523).

Constructor Details

    • JWTAuthenticationClaimsSet

      public JWTAuthenticationClaimsSet(ClientID clientID, Audience aud)
      Creates a new JWT client authentication claims set. The issuer (iss) and the subject (sub) are both set to the client identifier. The expiration time (exp) is set to 1 minute from the current system time. Generates a default identifier (jti) for the JWT. The issued-at (iat) and not-before (nbf) claims are not set.
      Parameters:
      clientID - The client identifier. Used to specify the issuer and the subject. Must not be null.
      aud - The audience identifier, typically the URI of the authorisation server's Token endpoint. Must not be null.
    • JWTAuthenticationClaimsSet

      public JWTAuthenticationClaimsSet(Issuer iss, ClientID clientID, Audience aud)
      Creates a new JWT client authentication claims set. The expiration time (exp) is set to 1 minute from the current system time. Generates a default identifier (jti) for the JWT. The issued-at (iat) and not-before (nbf) claims are not set.
      Parameters:
      iss - The issuer. May be different from the client identifier that is used to specify the subject. Must not be null.
      clientID - The client identifier. Used to specify the subject. Must not be null.
      aud - The audience identifier, typically the URI of the authorisation server's Token endpoint. Must not be null.
    • JWTAuthenticationClaimsSet

      public JWTAuthenticationClaimsSet(ClientID clientID, List<Audience> aud, Date exp, Date nbf, Date iat, JWTID jti)
      Creates a new JWT client authentication claims set.
      Parameters:
      clientID - The client identifier. Used to specify the issuer and the subject. Must not be null.
      aud - The audience, typically including the URI of the authorisation server's Token endpoint. Must not be null.
      exp - The expiration time. Must not be null.
      nbf - The time before which the token must not be accepted for processing, null if not specified.
      iat - The time at which the token was issued, null if not specified.
      jti - Unique identifier for the JWT, null if not specified.
    • JWTAuthenticationClaimsSet

      public JWTAuthenticationClaimsSet(Issuer iss, ClientID clientID, List<Audience> aud, Date exp, Date nbf, Date iat, JWTID jti)
      Creates a new JWT client authentication claims set.
      Parameters:
      iss - The issuer. May be different from the client identifier that is used to specify the subject. Must not be null.
      clientID - The client identifier. Used to specify the subject. Must not be null.
      aud - The audience, typically including the URI of the authorisation server's Token endpoint. Must not be null.
      exp - The expiration time. Must not be null.
      nbf - The time before which the token must not be accepted for processing, null if not specified.
      iat - The time at which the token was issued, null if not specified.
      jti - Unique identifier for the JWT, null if not specified.
Method Details

    • getClientID

      public ClientID getClientID()
      Gets the client identifier. Corresponds to the sub claim.
      Returns:
      The client identifier.
    • parse

      public static JWTAuthenticationClaimsSet parse(net.minidev.json.JSONObject jsonObject) throws ParseException
      Parses a JWT client authentication claims set from the specified JSON object.
      Parameters:
      jsonObject - The JSON object. Must not be null.
      Returns:
      The client authentication claims set.
      Throws:
      ParseException - If the JSON object couldn't be parsed to a client authentication claims set.
    • parse

      public static JWTAuthenticationClaimsSet parse(com.nimbusds.jwt.JWTClaimsSet jwtClaimsSet) throws ParseException
      Parses a JWT client authentication claims set from the specified JWT claims set.
      Parameters:
      jwtClaimsSet - The JWT claims set. Must not be null.
      Returns:
      The client authentication claims set.
      Throws:
      ParseException - If the JWT claims set couldn't be parsed to a client authentication claims set.
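
The following is an added example, not code from the Nimbus OAuth 2.0 SDK itself, showing both halves of private key JWT client authentication with this class: the client builds a claims set with the two-argument constructor and signs it, and the authorisation server verifies the signature, parses the claims back with parse(JWTClaimsSet), and applies the checks RFC 7523 section 3 asks for (audience, expiry, one-time jti). The class name PrivateKeyJWTExample, the helper names createAssertion and verifyAssertion, the in-memory SEEN_JTI replay set and the in-process RSA key generation are all assumptions made for the example; in a real deployment the public key comes from the client's registration and the replay cache is a shared store whose entries live until the assertion's exp.

```java
import java.util.Date;
import java.util.HashSet;
import java.util.Set;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.auth.JWTAuthenticationClaimsSet;
import com.nimbusds.oauth2.sdk.id.Audience;
import com.nimbusds.oauth2.sdk.id.ClientID;

// Example class, not part of the SDK.
public class PrivateKeyJWTExample {

    // Assumed replay cache: jti values already accepted. In-memory for the example only;
    // a real server uses a shared store with entries expiring at the assertion's exp.
    private static final Set<String> SEEN_JTI = new HashSet<>();

    /** Client side: build the claims set (iss = sub = client ID, exp = now + 1 min, fresh jti) and sign it. */
    static String createAssertion(ClientID clientID, Audience tokenEndpoint, RSAKey clientKey) throws JOSEException {
        JWTAuthenticationClaimsSet claims = new JWTAuthenticationClaimsSet(clientID, tokenEndpoint);
        JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(clientKey.getKeyID()).build();
        SignedJWT jwt = new SignedJWT(header, claims.toJWTClaimsSet());
        jwt.sign(new RSASSASigner(clientKey));
        return jwt.serialize();
    }

    /** Server side: verify the signature first, then the claims. Throws on any failure. */
    static ClientID verifyAssertion(String assertion, Audience ourTokenEndpoint, RSAKey registeredPublicKey)
            throws java.text.ParseException, com.nimbusds.oauth2.sdk.ParseException, JOSEException {
        SignedJWT jwt = SignedJWT.parse(assertion);
        // 1. Pin the expected algorithm and verify the signature before trusting any claim.
        if (!JWSAlgorithm.RS256.equals(jwt.getHeader().getAlgorithm())) {
            throw new JOSEException("Unexpected alg: " + jwt.getHeader().getAlgorithm());
        }
        if (!jwt.verify(new RSASSAVerifier(registeredPublicKey))) {
            throw new JOSEException("Signature verification failed");
        }
        // 2. parse() rejects claims sets that lack the required iss, sub, aud or exp.
        JWTAuthenticationClaimsSet claims = JWTAuthenticationClaimsSet.parse(jwt.getJWTClaimsSet());
        // 3. The audience must be this server's token endpoint, so an assertion minted for
        //    another authorisation server (or another endpoint) cannot be replayed here.
        if (!claims.getAudience().contains(ourTokenEndpoint)) {
            throw new JOSEException("Audience does not include " + ourTokenEndpoint);
        }
        // 4. Reject expired assertions (the default lifetime is only one minute).
        if (claims.getExpirationTime().before(new Date())) {
            throw new JOSEException("Assertion expired");
        }
        // 5. Each jti may be accepted once; a second presentation is a replay.
        if (claims.getJWTID() == null || !SEEN_JTI.add(claims.getJWTID().getValue())) {
            throw new JOSEException("Missing or replayed jti");
        }
        // The caller must still compare this with the client_id of the token request.
        return claims.getClientID();
    }

    public static void main(String[] args) throws Exception {
        ClientID clientID = new ClientID("https://client.example.com");
        Audience tokenEndpoint = new Audience("https://idp.example.com/token");
        // Assumed: key generated in-process; normally the client's registered JWK.
        RSAKey clientKey = new RSAKeyGenerator(2048).keyID("client-key-1").generate();

        String assertion = createAssertion(clientID, tokenEndpoint, clientKey);
        System.out.println("authenticated: " + verifyAssertion(assertion, tokenEndpoint, clientKey.toPublicJWK()));

        try {
            verifyAssertion(assertion, tokenEndpoint, clientKey.toPublicJWK()); // same jti again
        } catch (JOSEException e) {
            System.out.println("second presentation rejected: " + e.getMessage());
        }
    }
}
```

The order matters: the signature is checked before any claim is read, the algorithm is pinned rather than taken from the header, and the audience is compared against this server's own token endpoint URI rather than merely checked for presence. The SDK's PrivateKeyJWT class wraps the signing half for callers who do not need to handle the claims set directly; the verification half above is what a token endpoint has to do regardless.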