Source code

001/*
002 * oauth2-oidc-sdk
003 *
004 * Copyright 2012-2016, Connect2id Ltd and contributors.
005 *
006 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
007 * this file except in compliance with the License. You may obtain a copy of the
008 * License at
009 *
010 *    http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software distributed
013 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
014 * CONDITIONS OF ANY KIND, either express or implied. See the License for the
015 * specific language governing permissions and limitations under the License.
016 */
017
018package com.nimbusds.oauth2.sdk.auth;
019
020
021import com.nimbusds.oauth2.sdk.id.Identifier;
022import net.jcip.annotations.Immutable;
023
024
025/**
026 * Client authentication method at the Token endpoint.
027 *
028 * <p>Constants are provided for four client authentication methods:
029 *
030 * <ul>
031 *     <li>{@link #CLIENT_SECRET_BASIC client_secret_basic} (default)
032 *     <li>{@link #CLIENT_SECRET_POST client_secret_post}
033 *     <li>{@link #CLIENT_SECRET_JWT client_secret_jwt}
034 *     <li>{@link #PRIVATE_KEY_JWT private_key_jwt}
035 *     <li>{@link #TLS_CLIENT_AUTH tls_client_auth}
036 *     <li>{@link #PUB_KEY_TLS_CLIENT_AUTH pub_key_tls_client_auth}
037 *     <li>{@link #NONE none}
038 * </ul>
039 *
040 * <p>Use the constructor to define a custom client authentication method.
041 *
042 * <p>Related specifications:
043 *
044 * <ul>
045 *     <li>OAuth 2.0 (RFC 6749), section 2.3.
046 *     <li>OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591), section
047 *         2.
048 *     <li>Mutual TLS Profile for OAuth 2.0 (draft-ietf-oauth-mtls-03), section
049 *         2.1.
050 * </ul>
051 */
052@Immutable
053public final class ClientAuthenticationMethod extends Identifier {
054
055
056        /**
057         * Clients that have received a client secret from the authorisation 
058         * server authenticate with the authorisation server in accordance with
059         * section 3.2.1 of OAuth 2.0 using HTTP Basic authentication. This is 
060         * the default if no method has been registered for the client.
061         */
062        public static final ClientAuthenticationMethod CLIENT_SECRET_BASIC = 
063                new ClientAuthenticationMethod("client_secret_basic");
064
065
066        /**
067         * Clients that have received a client secret from the authorisation 
068         * server authenticate with the authorisation server in accordance with
069         * section 3.2.1 of OAuth 2.0 by including the client credentials in 
070         * the request body.
071         */
072        public static final ClientAuthenticationMethod CLIENT_SECRET_POST =
073                new ClientAuthenticationMethod("client_secret_post");
074
075
076        /**
077         * Clients that have received a client secret from the authorisation 
078         * server, create a JWT using an HMAC SHA algorithm, such as HMAC 
079         * SHA-256. The HMAC (Hash-based Message Authentication Code) is
080         * calculated using the value of client secret as the shared key. The 
081         * client authenticates in accordance with section 2.2 of (JWT) Bearer
082         * Token Profiles and OAuth 2.0 Assertion Profile. 
083         */
084        public static final ClientAuthenticationMethod CLIENT_SECRET_JWT =
085                new ClientAuthenticationMethod("client_secret_jwt");
086
087
088        /**
089         * Clients that have registered a public key sign a JWT using the RSA 
090         * algorithm if a RSA key was registered or the ECDSA algorithm if an 
091         * Elliptic Curve key was registered (see JWA for the algorithm 
092         * identifiers). The client authenticates in accordance with section 
093         * 2.2 of (JWT) Bearer Token Profiles and OAuth 2.0 Assertion Profile.
094         */
095        public static final ClientAuthenticationMethod PRIVATE_KEY_JWT =
096                new ClientAuthenticationMethod("private_key_jwt");
097        
098        
099        /**
100         * Client TLS / X.509 certificate authentication using PKI. See Mutual
101         * TLS Profile for OAuth 2.0, section 2.1.
102         */
103        public static final ClientAuthenticationMethod TLS_CLIENT_AUTH =
104                new ClientAuthenticationMethod("tls_client_auth");
105        
106        
107        /**
108         * Client TLS / X.509 certificate authentication using a public key.
109         * See Mutual TLS Profile for OAuth 2.0, section 2.1.
110         */
111        public static final ClientAuthenticationMethod PUB_KEY_TLS_CLIENT_AUTH =
112                new ClientAuthenticationMethod("pub_key_tls_client_auth");
113
114
115        /**
116         * The client is a public client as defined in OAuth 2.0 and does not
117         * have a client secret.
118         */
119        public static final ClientAuthenticationMethod NONE =
120                new ClientAuthenticationMethod("none");
121
122
123        /**
124         * Gets the default client authentication method.
125         *
126         * @return {@link #CLIENT_SECRET_BASIC}
127         */
128        public static ClientAuthenticationMethod getDefault() {
129
130                return CLIENT_SECRET_BASIC;
131        }
132
133
134        /**
135         * Creates a new client authentication method with the specified value.
136         *
137         * @param value The authentication method value. Must not be 
138         *              {@code null} or empty string.
139         */
140        public ClientAuthenticationMethod(final String value) {
141
142                super(value);
143        }
144
145
146        /**
147         * Parses a client authentication method from the specified value.
148         *
149         * @param value The authentication method value. Must not be
150         *              {@code null} or empty string.
151         *
152         * @return The client authentication method.
153         */
154        public static ClientAuthenticationMethod parse(final String value) {
155
156                if (value.equals(CLIENT_SECRET_BASIC.getValue())) {
157                        return CLIENT_SECRET_BASIC;
158                } else if (value.equals(CLIENT_SECRET_POST.getValue())) {
159                        return CLIENT_SECRET_POST;
160                } else if (value.equals(CLIENT_SECRET_JWT.getValue())) {
161                        return CLIENT_SECRET_JWT;
162                } else if (value.equals(PRIVATE_KEY_JWT.getValue())) {
163                        return PRIVATE_KEY_JWT;
164                } else if (value.equalsIgnoreCase(TLS_CLIENT_AUTH.getValue())) {
165                        return TLS_CLIENT_AUTH;
166                } else if (value.equalsIgnoreCase(PUB_KEY_TLS_CLIENT_AUTH.getValue())) {
167                        return PUB_KEY_TLS_CLIENT_AUTH;
168                } else if (value.equals(NONE.getValue())) {
169                        return NONE;
170                } else {
171                        return new ClientAuthenticationMethod(value);
172                }
173        }
174
175
176        @Override
177        public boolean equals(final Object object) {
178        
179                return object instanceof ClientAuthenticationMethod &&
180                       this.toString().equals(object.toString());
181        }
182}