Source code

001package com.nimbusds.oauth2.sdk.auth.verifier;
002
003
004import java.security.PublicKey;
005import java.util.List;
006
007import com.nimbusds.jose.JWSHeader;
008
009import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
010import com.nimbusds.oauth2.sdk.auth.Secret;
011import com.nimbusds.oauth2.sdk.id.ClientID;
012
013
014/**
015 * Selector of client credential candidates for client authentication
016 * verification. The select methods should typically return a single candidate,
017 * but may also return multiple in case of client credentials key rotation.
018 * Implementations should be tread-safe.
019 *
020 * <p>Selection of {@link com.nimbusds.oauth2.sdk.auth.ClientSecretBasic
021 * client_secret_basic}, {@link com.nimbusds.oauth2.sdk.auth.ClientSecretPost
022 * client_secret_post} and {@link com.nimbusds.oauth2.sdk.auth.ClientSecretJWT
023 * client_secret_jwt} secrets is handled by the {@link #selectClientSecrets}
024 * method.
025 *
026 * <p>Selection of {@link com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT
027 * private_key_jwt} keys is handled by the {@link #selectPublicKeys} method.
028 *
029 * <p>The generic {@link Context context object} may be used to return
030 * {@link com.nimbusds.oauth2.sdk.client.ClientMetadata client metadata} or
031 * other information to the caller.
032 */
033public interface ClientCredentialsSelector<T> {
034
035
036        /**
037         * Selects one or more client secret candidates for
038         * {@link com.nimbusds.oauth2.sdk.auth.ClientSecretBasic client_secret_basic},
039         * {@link com.nimbusds.oauth2.sdk.auth.ClientSecretPost client_secret_post} and
040         * {@link com.nimbusds.oauth2.sdk.auth.ClientSecretJWT client_secret_jwt}
041         * authentication.
042         *
043         * @param claimedClientID The client identifier (to be verified). Not
044         *                        {@code null}.
045         * @param authMethod      The client authentication method. Not
046         *                        {@code null}.
047         * @param context         Additional context. May be {@code null}.
048         *
049         * @return The selected client secret candidates. If empty or
050         *         {@code null} implies an invalid client.
051         */
052        List<Secret> selectClientSecrets(final ClientID claimedClientID,
053                                         final ClientAuthenticationMethod authMethod,
054                                         final Context<T> context);
055
056
057        /**
058         * Selects one or more public key candidates (e.g. RSA or EC) for
059         * {@link com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT private_key_jwt}
060         * authentication.
061         *
062         * @param claimedClientID The client identifier (to be verified). Not
063         *                        {@code null}.
064         * @param authMethod      The client authentication method. Not
065         *                        {@code null}.
066         * @param jwsHeader       The JWS header, which may contain parameters
067         *                        such as key ID to facilitate the key
068         *                        selection. Not {@code null}.
069         * @param context         Additional context. Not {@code null}.
070         *
071         * @return The selected public key candidates. If empty or {@code null}
072         *         implies an invalid client.
073         */
074        List<? extends PublicKey> selectPublicKeys(final ClientID claimedClientID,
075                                                   final ClientAuthenticationMethod authMethod,
076                                                   final JWSHeader jwsHeader,
077                                                   final Context<T> context);
078}