Class PKITLSClientAuthentication


@Immutable public class PKITLSClientAuthentication extends TLSClientAuthentication
PKI mutual TLS client authentication at the Token endpoint. The client certificate is PKI bound, as opposed to self_signed_tls_client_auth which relies on a self-signed certificate. Implements ClientAuthenticationMethod.TLS_CLIENT_AUTH.

Related specifications:

  • OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens (RFC 8705), section 2.1.
  • Constructor Details

    • PKITLSClientAuthentication

      public PKITLSClientAuthentication(ClientID clientID, SSLSocketFactory sslSocketFactory)
      Creates a new PKI mutual TLS client authentication. This constructor is intended for an outgoing token request.
      Parameters:
      clientID - The client identifier. Must not be null.
      sslSocketFactory - The SSL socket factory to use for the outgoing HTTPS request and to present the client certificate(s), null to use the default one.
    • PKITLSClientAuthentication

      @Deprecated public PKITLSClientAuthentication(ClientID clientID, String certSubjectDN)
      Deprecated.
      This constructor does set the certificate
      Creates a new PKI mutual TLS client authentication. This constructor is intended for a received token request.
      Parameters:
      clientID - The client identifier. Must not be null.
      certSubjectDN - The subject DN of the received validated client X.509 certificate. Must not be null.
    • PKITLSClientAuthentication

      public PKITLSClientAuthentication(ClientID clientID, X509Certificate certificate)
      Creates a new PKI mutual TLS client authentication. This constructor is intended for a received token request.
      Parameters:
      clientID - The client identifier. Must not be null.
      certificate - The validated client X.509 certificate from the received HTTPS request. Must not be null.
  • Method Details

    • getClientX509CertificateSubjectDN

      public String getClientX509CertificateSubjectDN()
      Gets the subject DN of the received validated client X.509 certificate.
      Returns:
      The subject DN.
    • parse

      public static PKITLSClientAuthentication parse(HTTPRequest httpRequest) throws ParseException
      Parses a PKI mutual TLS client authentication from the specified HTTP request.
      Parameters:
      httpRequest - The HTTP request to parse. Must not be null and must include a validated client X.509 certificate.
      Returns:
      The PKI mutual TLS client authentication.
      Throws:
      ParseException - If the client_id or client X.509 certificate is missing.
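
Server-side use of this class at the token endpoint, as an added example that is not part of the SDK's documentation or code: once the TLS layer has validated the client certificate and it has been attached to the HTTPRequest, the authentication is parsed and bound to the client's registered subject DN (the tls_client_auth_subject_dn metadata from RFC 8705 section 2.1). The PKITLSClientAuthVerifier class and its registry map are assumptions standing in for a real client store; SAN-based bindings are not shown.

```java
import java.util.Map;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
import com.nimbusds.oauth2.sdk.auth.PKITLSClientAuthentication;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.id.ClientID;

/** Hypothetical token endpoint helper binding tls_client_auth to a client registration. */
public final class PKITLSClientAuthVerifier {

    // Constructed stand-in for the client registry: client_id -> registered
    // tls_client_auth_subject_dn. A deployment would read this from client metadata.
    private final Map<String, String> registeredSubjectDNs;

    public PKITLSClientAuthVerifier(Map<String, String> registeredSubjectDNs) {
        this.registeredSubjectDNs = registeredSubjectDNs;
    }

    /**
     * Returns the authenticated client ID or throws. The HTTPRequest must already
     * carry the client certificate validated by the TLS layer; parse() reads it
     * from the request and performs no chain validation of its own.
     */
    public ClientID verify(HTTPRequest httpRequest) throws ParseException, InvalidNameException {
        PKITLSClientAuthentication auth = PKITLSClientAuthentication.parse(httpRequest);

        if (!ClientAuthenticationMethod.TLS_CLIENT_AUTH.equals(auth.getMethod())) {
            throw new ParseException("Unexpected client authentication method");
        }

        String registeredDN = registeredSubjectDNs.get(auth.getClientID().getValue());
        if (registeredDN == null) {
            // Unknown client, or a client not registered for tls_client_auth
            throw new ParseException("Client not registered for tls_client_auth");
        }

        // Compare as RFC 4514 distinguished names rather than raw strings: RDN order,
        // attribute-type case and escaping may differ between the registered value
        // and the string form of the certificate's subject.
        LdapName expected = new LdapName(registeredDN);
        LdapName presented = new LdapName(auth.getClientX509CertificateSubjectDN());
        if (!expected.equals(presented)) {
            throw new ParseException("Client certificate subject DN does not match registration");
        }
        return auth.getClientID();
    }
}
```

A client_id that parses but has no registration for tls_client_auth, or whose certificate subject differs from the registered DN, is rejected before any token is issued; the certificate's trust chain must be checked earlier by the TLS terminator or servlet container.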