/*
 * oauth2-oidc-sdk
 *
 * Copyright 2012-2016, Connect2id Ltd and contributors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
 * this file except in compliance with the License. You may obtain a copy of the
 * License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software distributed
 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 * CONDITIONS OF ANY KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations under the License.
 */

package com.nimbusds.oauth2.sdk.auth;


import com.nimbusds.oauth2.sdk.id.Identifier;
import net.jcip.annotations.Immutable;


/**
 * Client authentication method at the Token endpoint.
 *
 * <p>Constants are provided for seven client authentication methods:
 *
 * <ul>
 *     <li>{@link #CLIENT_SECRET_BASIC client_secret_basic} (default)
 *     <li>{@link #CLIENT_SECRET_POST client_secret_post}
 *     <li>{@link #CLIENT_SECRET_JWT client_secret_jwt}
 *     <li>{@link #PRIVATE_KEY_JWT private_key_jwt}
 *     <li>{@link #TLS_CLIENT_AUTH tls_client_auth}
 *     <li>{@link #PUB_KEY_TLS_CLIENT_AUTH pub_key_tls_client_auth}
 *     <li>{@link #NONE none}
 * </ul>
 *
 * <p>Use the constructor to define a custom client authentication method;
 * {@link #parse} likewise returns a custom method for any value it does not
 * recognise, rather than rejecting it.
 *
 * <p>Related specifications:
 *
 * <ul>
 *     <li>OAuth 2.0 (RFC 6749), section 2.3.
 *     <li>OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591), section
 *         2.
 *     <li>Mutual TLS Profile for OAuth 2.0 (draft-ietf-oauth-mtls-03), section
 *         2.1.
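 * </ul>
 */
@Immutable
public final class ClientAuthenticationMethod extends Identifier {


	/**
	 * Clients that have received a client secret from the authorisation
	 * server authenticate with the authorisation server in accordance with
	 * section 3.2.1 of OAuth 2.0 using HTTP Basic authentication. This is
	 * the default if no method has been registered for the client (see
	 * {@link #getDefault()}).
	 */
	public static final ClientAuthenticationMethod CLIENT_SECRET_BASIC =
		new ClientAuthenticationMethod("client_secret_basic");


	/**
	 * Clients that have received a client secret from the authorisation
	 * server authenticate with the authorisation server in accordance with
	 * section 3.2.1 of OAuth 2.0 by including the client credentials in
	 * the request body.
	 */
	public static final ClientAuthenticationMethod CLIENT_SECRET_POST =
		new ClientAuthenticationMethod("client_secret_post");


	/**
	 * Clients that have received a client secret from the authorisation
	 * server, create a JWT using an HMAC SHA algorithm, such as HMAC
	 * SHA-256. The HMAC (Hash-based Message Authentication Code) is
	 * calculated using the value of client secret as the shared key, so
	 * the assertion is only as strong as that secret. The client
	 * authenticates in accordance with section 2.2 of (JWT) Bearer Token
	 * Profiles and OAuth 2.0 Assertion Profile.
	 */
	public static final ClientAuthenticationMethod CLIENT_SECRET_JWT =
		new ClientAuthenticationMethod("client_secret_jwt");


	/**
	 * Clients that have registered a public key sign a JWT using the RSA
	 * algorithm if a RSA key was registered or the ECDSA algorithm if an
	 * Elliptic Curve key was registered (see JWA for the algorithm
	 * identifiers). The client authenticates in accordance with section
	 * 2.2 of (JWT) Bearer Token Profiles and OAuth 2.0 Assertion Profile.
	 */
	public static final ClientAuthenticationMethod PRIVATE_KEY_JWT =
		new ClientAuthenticationMethod("private_key_jwt");


	/**
	 * Client TLS / X.509 certificate authentication using PKI. See Mutual
	 * TLS Profile for OAuth 2.0, section 2.1. The identifier follows
	 * draft-ietf-oauth-mtls-03 and may be revised in later drafts.
	 */
	public static final ClientAuthenticationMethod TLS_CLIENT_AUTH =
		new ClientAuthenticationMethod("tls_client_auth");


	/**
	 * Client TLS / X.509 certificate authentication using a public key.
	 * See Mutual TLS Profile for OAuth 2.0, section 2.1. The identifier
	 * follows draft-ietf-oauth-mtls-03 and may be revised in later drafts.
	 */
	public static final ClientAuthenticationMethod PUB_KEY_TLS_CLIENT_AUTH =
		new ClientAuthenticationMethod("pub_key_tls_client_auth");


	/**
	 * The client is a public client as defined in OAuth 2.0 and does not
	 * have a client secret. With this method the Token endpoint performs
	 * no client authentication at all, so a server should only honour it
	 * for clients that are registered as public.
	 */
	public static final ClientAuthenticationMethod NONE =
		new ClientAuthenticationMethod("none");


	/**
	 * Gets the default client authentication method, used when none has
	 * been registered for a client.
	 *
	 * @return {@link #CLIENT_SECRET_BASIC}
	 */
	public static ClientAuthenticationMethod getDefault() {

		return CLIENT_SECRET_BASIC;
	}


	/**
	 * Creates a new client authentication method with the specified value.
	 *
	 * @param value The authentication method value. Must not be
	 *              {@code null} or empty string.
	 */
	public ClientAuthenticationMethod(final String value) {

		super(value);
	}


	/**
	 * Parses a client authentication method from the specified value.
	 *
	 * <p>Values for the secret, JWT and {@code none} methods are matched
	 * exactly (the registered identifiers are case-sensitive strings);
	 * the two TLS method identifiers are matched case-insensitively. This
	 * asymmetry is kept for compatibility. A value that matches no
	 * constant is NOT rejected: it is wrapped in a new custom method, so
	 * a successful parse does not mean the method is supported by this
	 * deployment — callers validating client registration metadata must
	 * check the result against the methods they actually allow.
	 *
	 * @param value The authentication method value. Must not be
	 *              {@code null} or empty string.
	 *
	 * @return The matching constant, else a new custom client
	 *         authentication method carrying {@code value}.
	 *
	 * @throws NullPointerException If {@code value} is {@code null}.
	 */
	public static ClientAuthenticationMethod parse(final String value) {

		if (value.equals(CLIENT_SECRET_BASIC.getValue())) {
			return CLIENT_SECRET_BASIC;
		} else if (value.equals(CLIENT_SECRET_POST.getValue())) {
			return CLIENT_SECRET_POST;
		} else if (value.equals(CLIENT_SECRET_JWT.getValue())) {
			return CLIENT_SECRET_JWT;
		} else if (value.equals(PRIVATE_KEY_JWT.getValue())) {
			return PRIVATE_KEY_JWT;
		} else if (value.equalsIgnoreCase(TLS_CLIENT_AUTH.getValue())) {
			// Case-insensitive on purpose (existing behaviour); see Javadoc.
			return TLS_CLIENT_AUTH;
		} else if (value.equalsIgnoreCase(PUB_KEY_TLS_CLIENT_AUTH.getValue())) {
			// Case-insensitive on purpose (existing behaviour); see Javadoc.
			return PUB_KEY_TLS_CLIENT_AUTH;
		} else if (value.equals(NONE.getValue())) {
			return NONE;
		} else {
			// Unknown / custom method: preserved verbatim rather than rejected.
			return new ClientAuthenticationMethod(value);
		}
	}


	/**
	 * Two methods are equal when both are client authentication methods
	 * and their string forms are equal. Custom methods therefore compare
	 * equal to the constants when their values match.
	 *
	 * @param object The object to compare with, may be {@code null}.
	 *
	 * @return {@code true} if equal, else {@code false}.
	 */
	@Override
	public boolean equals(final Object object) {

		if (this == object) {
			return true;
		}
		if (!(object instanceof ClientAuthenticationMethod)) {
			return false;
		}
		return this.toString().equals(object.toString());
	}


	/**
	 * Hash code derived from the same string form that {@link #equals}
	 * compares, so that equal methods always hash equally (required for
	 * use as map keys / in sets).
	 *
	 * @return The hash code.
	 */
	@Override
	public int hashCode() {

		return toString().hashCode();
	}
}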