Package com.nimbusds.oauth2.sdk.auth
Class PKITLSClientAuthentication
java.lang.Object
com.nimbusds.oauth2.sdk.auth.ClientAuthentication
com.nimbusds.oauth2.sdk.auth.TLSClientAuthentication
com.nimbusds.oauth2.sdk.auth.PKITLSClientAuthentication
PKI mutual TLS client authentication at the Token endpoint. The client certificate is PKI bound, as opposed to self_signed_tls_client_auth which relies on a self-signed certificate. Implements ClientAuthenticationMethod.TLS_CLIENT_AUTH.
Related specifications:
- OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens (RFC 8705), section 2.1.

Field Summary
Fields inherited from class com.nimbusds.oauth2.sdk.auth.TLSClientAuthentication: certificate

Constructor Summary
- PKITLSClientAuthentication(ClientID clientID, String certSubjectDN): Deprecated. This constructor does set the certificate
- PKITLSClientAuthentication(ClientID clientID, X509Certificate certificate): Creates a new PKI mutual TLS client authentication.
- PKITLSClientAuthentication(ClientID clientID, SSLSocketFactory sslSocketFactory): Creates a new PKI mutual TLS client authentication.

Method Summary
- getClientX509CertificateSubjectDN: Gets the subject DN of the received validated client X.509 certificate.
- static PKITLSClientAuthentication parse(HTTPRequest httpRequest): Parses a PKI mutual TLS client authentication from the specified HTTP request.
Methods inherited from class com.nimbusds.oauth2.sdk.auth.TLSClientAuthentication: applyTo, getClientX509Certificate, getFormParameterNames, getSSLSocketFactory
Methods inherited from class com.nimbusds.oauth2.sdk.auth.ClientAuthentication: getClientID, getMethod

Constructor Details
PKITLSClientAuthentication
Creates a new PKI mutual TLS client authentication. This constructor is intended for an outgoing token request.
Parameters:
- clientID - The client identifier. Must not be null.
- sslSocketFactory - The SSL socket factory to use for the outgoing HTTPS request and to present the client certificate(s), null to use the default one.

PKITLSClientAuthentication
Deprecated. This constructor does set the certificate
Creates a new PKI mutual TLS client authentication. This constructor is intended for a received token request.
Parameters:
- clientID - The client identifier. Must not be null.
- certSubjectDN - The subject DN of the received validated client X.509 certificate. Must not be null.

PKITLSClientAuthentication
Creates a new PKI mutual TLS client authentication. This constructor is intended for a received token request.
Parameters:
- clientID - The client identifier. Must not be null.
- certificate - The validated client X.509 certificate from the received HTTPS request. Must not be null.

Method Details
getClientX509CertificateSubjectDN
Gets the subject DN of the received validated client X.509 certificate.
Returns:
- The subject DN.

parse
Parses a PKI mutual TLS client authentication from the specified HTTP request.
Parameters:
- httpRequest - The HTTP request to parse. Must not be null and must include a validated client X.509 certificate.
Returns:
- The PKI mutual TLS client authentication.
Throws:
- ParseException - If the client_id or client X.509 certificate is missing.
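
An added example, not part of the SDK's own documentation: a server-side check that combines parse and getClientX509CertificateSubjectDN with the subject DN registered for the client (the tls_client_auth_subject_dn metadata of RFC 8705, section 2.1). The class name PkiTlsClientAuthCheck and the in-memory registry map are hypothetical, and the HTTPRequest is assumed to already carry the certificate validated by the TLS layer.

```java
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.auth.PKITLSClientAuthentication;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.id.ClientID;

import javax.security.auth.x500.X500Principal;
import java.util.Map;

/** Added example: server-side handling of tls_client_auth at the token endpoint. */
public final class PkiTlsClientAuthCheck {

    // Hypothetical registry: client_id -> registered tls_client_auth_subject_dn
    private final Map<ClientID, String> registeredSubjectDNs;

    public PkiTlsClientAuthCheck(Map<ClientID, String> registeredSubjectDNs) {
        this.registeredSubjectDNs = registeredSubjectDNs;
    }

    /** Returns the authenticated client ID, or null if the request must be rejected. */
    public ClientID authenticate(HTTPRequest httpRequest) {
        final PKITLSClientAuthentication auth;
        try {
            // Fails if the client_id or the client X.509 certificate is missing
            auth = PKITLSClientAuthentication.parse(httpRequest);
        } catch (ParseException e) {
            return null; // answer with invalid_client
        }
        String registered = registeredSubjectDNs.get(auth.getClientID());
        if (registered == null) {
            return null; // unknown client, or not registered for tls_client_auth
        }
        try {
            // X500Principal.equals compares canonical forms, so differences in
            // case or spacing between the two DN strings do not cause a mismatch
            X500Principal expected = new X500Principal(registered);
            X500Principal presented =
                    new X500Principal(auth.getClientX509CertificateSubjectDN());
            return expected.equals(presented) ? auth.getClientID() : null;
        } catch (IllegalArgumentException e) {
            return null; // malformed DN string: fail closed
        }
    }
}
```

A chain that validates against the trusted CAs is not sufficient on its own: the subject of the presented certificate must also match what was registered for that client_id.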