Class JWTAuthenticationClaimsSet


  • public class JWTAuthenticationClaimsSet
    extends JWTAssertionDetails
    JWT client authentication claims set, serialisable to a JSON object and JWT claims set.

    Used for client secret JWT (client_secret_jwt) and private key JWT (private_key_jwt) authentication at the Token endpoint. The authorisation server is expected to check the audience against its own Token endpoint URI, reject expired assertions, and use the jti claim to detect replays.

    Example client authentication claims set:

     {
       "iss" : "https://client.example.com",
       "sub" : "https://client.example.com",
       "aud" : [ "https://idp.example.com/token" ],
       "jti" : "d396036d-c4d9-40d8-8e98-f7e8327002d9",
       "exp" : 1311281970,
       "iat" : 1311280970
     }
     

    Example client authentication claims set where the issuer is a 3rd party:

     {
       "iss" : "https://sts.example.com",
       "sub" : "https://client.example.com",
       "aud" : [ "https://idp.example.com/token" ],
       "jti" : "d396036d-c4d9-40d8-8e98-f7e8327002d9",
       "exp" : 1311281970,
       "iat" : 1311280970
     }
     

    Related specifications:

    • OAuth 2.0 (RFC 6749), section 3.2.1.
    • JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7523).

    • Constructor Detail

      • JWTAuthenticationClaimsSet

        public JWTAuthenticationClaimsSet​(ClientID clientID,
                                          Audience aud)
        Creates a new JWT client authentication claims set. The expiration time (exp) is set to 1 minute from the current system time. Generates a default identifier (jti) for the JWT. The issued-at (iat) and not-before (nbf) claims are not set.
        Parameters:
        clientID - The client identifier. Used to specify the issuer and the subject. Must not be null.
        aud - The audience identifier, typically the URI of the authorisation server's Token endpoint. Must not be null.
      • JWTAuthenticationClaimsSet

        public JWTAuthenticationClaimsSet​(Issuer iss,
                                          ClientID clientID,
                                          Audience aud)
        Creates a new JWT client authentication claims set. The expiration time (exp) is set to 1 minute from the current system time. Generates a default identifier (jti) for the JWT. The issued-at (iat) and not-before (nbf) claims are not set.
        Parameters:
        iss - The issuer. May be different from the client identifier that is used to specify the subject. Must not be null.
        clientID - The client identifier. Used to specify the subject. Must not be null.
        aud - The audience identifier, typically the URI of the authorisation server's Token endpoint. Must not be null.
      • JWTAuthenticationClaimsSet

        public JWTAuthenticationClaimsSet​(ClientID clientID,
                                          List<Audience> aud,
                                          Date exp,
                                          Date nbf,
                                          Date iat,
                                          JWTID jti)
        Creates a new JWT client authentication claims set.
        Parameters:
        clientID - The client identifier. Used to specify the issuer and the subject. Must not be null.
        aud - The audience, typically including the URI of the authorisation server's Token endpoint. Must not be null.
        exp - The expiration time. Must not be null.
        nbf - The time before which the token must not be accepted for processing, null if not specified.
        iat - The time at which the token was issued, null if not specified.
        jti - Unique identifier for the JWT, null if not specified.
      • JWTAuthenticationClaimsSet

        public JWTAuthenticationClaimsSet​(Issuer iss,
                                          ClientID clientID,
                                          List<Audience> aud,
                                          Date exp,
                                          Date nbf,
                                          Date iat,
                                          JWTID jti)
        Creates a new JWT client authentication claims set.
        Parameters:
        iss - The issuer. May be different from the client identifier that is used to specify the subject. Must not be null.
        clientID - The client identifier. Used to specify the subject. Must not be null.
        aud - The audience, typically including the URI of the authorisation server's Token endpoint. Must not be null.
        exp - The expiration time. Must not be null.
        nbf - The time before which the token must not be accepted for processing, null if not specified.
        iat - The time at which the token was issued, null if not specified.
        jti - Unique identifier for the JWT, null if not specified.
    • Method Detail

      • getClientID

        public ClientID getClientID()
        Gets the client identifier. Corresponds to the sub claim.
        Returns:
        The client identifier.
      • parse

        public static JWTAuthenticationClaimsSet parse​(net.minidev.json.JSONObject jsonObject)
                                                throws ParseException
        Parses a JWT client authentication claims set from the specified JSON object.
        Parameters:
        jsonObject - The JSON object. Must not be null.
        Returns:
        The client authentication claims set.
        Throws:
        ParseException - If the JSON object couldn't be parsed to a client authentication claims set.
      • parse

        public static JWTAuthenticationClaimsSet parse​(com.nimbusds.jwt.JWTClaimsSet jwtClaimsSet)
                                                throws ParseException
        Parses a JWT client authentication claims set from the specified JWT claims set.
        Parameters:
        jwtClaimsSet - The JWT claims set. Must not be null.
        Returns:
        The client authentication claims set.
        Throws:
        ParseException - If the JWT claims set couldn't be parsed to a client authentication claims set.
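A worked example of both halves of client_secret_jwt authentication built on this class, added here as an illustration and not taken from the SDK's own documentation. The client side uses the six-argument constructor above to pin a short expiry and a fresh jti; the server side verifies the HMAC signature, calls parse(JWTClaimsSet), and then performs the checks a token endpoint needs (audience, expiry, issuer equals subject, jti replay). The client identifier, the token endpoint URI, the 60-second lifetime, the 30-second clock skew and the in-memory jti set are assumptions chosen for the example; a real authorisation server would keep the jti cache in shared storage that expires entries after the assertion lifetime, and would consult a trust list before accepting a third-party issuer.

```java
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.auth.ClientSecretJWT;
import com.nimbusds.oauth2.sdk.auth.JWTAuthenticationClaimsSet;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.id.Audience;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.JWTID;

public class ClientSecretJWTExample {

    // Constructed values for this example; not taken from any real deployment.
    static final ClientID CLIENT_ID = new ClientID("https://client.example.com");
    static final Audience TOKEN_ENDPOINT = new Audience("https://idp.example.com/token");
    static final long ASSERTION_LIFETIME_MILLIS = 60_000L; // assumption: one request's worth
    static final long CLOCK_SKEW_MILLIS = 30_000L;         // assumption: tolerated skew

    // Client side: explicit short exp, iat set, random jti so the server can detect replay.
    static ClientSecretJWT buildClientAssertion(Secret clientSecret) throws JOSEException {
        Date now = new Date();
        Date exp = new Date(now.getTime() + ASSERTION_LIFETIME_MILLIS);
        JWTAuthenticationClaimsSet claims = new JWTAuthenticationClaimsSet(
                CLIENT_ID,
                Collections.singletonList(TOKEN_ENDPOINT),
                exp,
                null,          // nbf: not needed for an immediate, single-use request
                now,           // iat
                new JWTID());  // fresh random identifier
        return new ClientSecretJWT(claims, JWSAlgorithm.HS256, clientSecret);
    }

    // Server side: signature, then claims, then replay check. Returns the authenticated client.
    static ClientID verifyClientAssertion(SignedJWT assertion,
                                          Secret expectedSecret,
                                          Audience expectedAudience,
                                          Set<String> seenJTIs)
            throws JOSEException, ParseException {

        // 1. Verify the signature before trusting anything inside the JWT.
        if (!assertion.verify(new MACVerifier(expectedSecret.getValueBytes()))) {
            throw new ParseException("Bad client assertion signature");
        }

        JWTAuthenticationClaimsSet claims;
        try {
            claims = JWTAuthenticationClaimsSet.parse(assertion.getJWTClaimsSet());
        } catch (java.text.ParseException e) {
            throw new ParseException("Malformed client assertion claims", e);
        }

        // 2. The assertion must be addressed to this Token endpoint.
        List<Audience> aud = claims.getAudience();
        if (aud == null || !aud.contains(expectedAudience)) {
            throw new ParseException("Client assertion audience mismatch: " + aud);
        }

        // 3. exp is mandatory for this claims set; allow only a small clock skew.
        long now = System.currentTimeMillis();
        if (claims.getExpirationTime().getTime() + CLOCK_SKEW_MILLIS < now) {
            throw new ParseException("Client assertion expired");
        }

        // 4. Self-issued assertion: require iss == sub (a third-party issuer needs a trust list).
        if (!claims.getIssuer().getValue().equals(claims.getClientID().getValue())) {
            throw new ParseException("Client assertion issuer is not the client: " + claims.getIssuer());
        }

        // 5. Replay protection: a jti is accepted once within the assertion lifetime.
        JWTID jti = claims.getJWTID();
        if (jti == null || !seenJTIs.add(jti.getValue())) {
            throw new ParseException("Client assertion jti missing or already used");
        }

        return claims.getClientID(); // the sub claim
    }

    public static void main(String[] args) throws Exception {
        Secret clientSecret = new Secret(32); // random secret, shared out of band at registration
        Set<String> seenJTIs = new HashSet<>();

        ClientSecretJWT auth = buildClientAssertion(clientSecret);
        SignedJWT assertion = auth.getClientAssertion();

        System.out.println("Authenticated client: "
                + verifyClientAssertion(assertion, clientSecret, TOKEN_ENDPOINT, seenJTIs));

        // Presenting the same assertion again must fail on the jti check.
        try {
            verifyClientAssertion(assertion, clientSecret, TOKEN_ENDPOINT, seenJTIs);
        } catch (ParseException e) {
            System.out.println("Replay rejected: " + e.getMessage());
        }
    }
}
```

The order of the checks matters: the claims are only read after the signature verifies, the audience check stops an assertion minted for one server from being replayed against another, and the jti set is consulted last so that a rejected assertion does not consume a jti entry.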