Source code

001/*
002 * oauth2-oidc-sdk
003 *
004 * Copyright 2012-2016, Connect2id Ltd and contributors.
005 *
006 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
007 * this file except in compliance with the License. You may obtain a copy of the
008 * License at
009 *
010 *    http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software distributed
013 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
014 * CONDITIONS OF ANY KIND, either express or implied. See the License for the
015 * specific language governing permissions and limitations under the License.
016 */
017
018package com.nimbusds.oauth2.sdk.auth.verifier;
019
020
021import com.nimbusds.oauth2.sdk.id.ClientID;
022
023
024/**
025 * Client X.509 certificate binding verifier. Intended for verifying that the
026 * subject and root issuer of a client X.509 certificate submitted during
027 * successful mutual TLS authentication (in
028 * {@link com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod#TLS_CLIENT_AUTH
029 * tls_client_auth}) match the registered {@code tls_client_auth_subject_dn}
030 * and {@code tls_client_auth_root_dn} values for the submitted client ID.
031 *
032 * <p>Implementations must be tread-safe.
033 */
034public interface ClientX509CertificateBindingVerifier<T> {
035        
036        
037        /**
038         * Verifies that the specified X.509 certificate issuer DN and subject
039         * DN bind to the claimed client ID.
040         *
041         * @param clientID  The claimed client ID. Not {@code null}.
042         * @param subjectDN The X.509 certificate subject DN. Not {@code null}.
043         * @param rootDN    The X.509 certificate root DN, {@code null} if not
044         *                  available.
045         * @param context   Additional context. May be {@code null}.
046         *
047         * @throws InvalidClientException If client ID and issuer / subject DN
048         *                                tuple don't bind or are invalid.
049         */
050        void verifyCertificateBinding(final ClientID clientID,
051                                      final String subjectDN,
052                                      final String rootDN,
053                                      final Context<T> context)
054                throws InvalidClientException;
055}