com.nimbusds.oauth2.sdk.auth

Class PrivateKeyJWT

java.lang.Object

com.nimbusds.oauth2.sdk.auth.ClientAuthentication

com.nimbusds.oauth2.sdk.auth.JWTAuthentication

com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT

@Immutable
public final class PrivateKeyJWT
extends JWTAuthentication

Private key JWT authentication at the Token endpoint. Implements ClientAuthenticationMethod.PRIVATE_KEY_JWT.

Supported signature JSON Web Algorithms (JWAs) by this implementation:

• RS256
• RS384
• RS512
• PS256
• PS384
• PS512
• ES256
• ES384
• ES512

Example TokenRequest with private key JWT authentication:

 POST /token HTTP/1.1
 Host: server.example.com
 Content-Type: application/x-www-form-urlencoded

 grant_type=authorization_code&
 code=i1WsRn1uB1&
 client_id=s6BhdRkqt3&
 client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&
 client_assertion=PHNhbWxwOl...[omitted for brevity]...ZT
 

Related specifications:

• Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7521).
• JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7523)

Field Summary

Fields inherited from class com.nimbusds.oauth2.sdk.auth.JWTAuthentication

CLIENT_ASSERTION_TYPE

Constructor Summary

Constructors

Constructor and Description
PrivateKeyJWT(ClientID clientID, URI tokenEndpoint, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, ECPrivateKey ecPrivateKey, String keyID, Provider jcaProvider) Creates a new EC private key JWT authentication.
PrivateKeyJWT(ClientID clientID, URI tokenEndpoint, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, RSAPrivateKey rsaPrivateKey, String keyID, Provider jcaProvider) Creates a new RSA private key JWT authentication.
PrivateKeyJWT(JWTAuthenticationClaimsSet jwtAuthClaimsSet, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, ECPrivateKey ecPrivateKey, String keyID, Provider jcaProvider) Creates a new EC private key JWT authentication.
PrivateKeyJWT(JWTAuthenticationClaimsSet jwtAuthClaimsSet, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, RSAPrivateKey rsaPrivateKey, String keyID, Provider jcaProvider) Creates a new RSA private key JWT authentication.
PrivateKeyJWT(com.nimbusds.jwt.SignedJWT clientAssertion) Creates a new private key JWT authentication.

Method Summary

Methods

Modifier and Type	Method and Description
static PrivateKeyJWT	parse(HTTPRequest httpRequest) Parses the specified HTTP POST request for a private key JSON Web Token (JWT) authentication.
static PrivateKeyJWT	parse(Map<String,String> params) Parses the specified parameters map for a private key JSON Web Token (JWT) authentication.
static PrivateKeyJWT	parse(String paramsString) Parses a private key JSON Web Token (JWT) authentication from the specified application/x-www-form-urlencoded encoded parameters string.
static Set<com.nimbusds.jose.JWSAlgorithm>	supportedJWAs() Returns the supported signature JSON Web Algorithms (JWAs).

Methods inherited from class com.nimbusds.oauth2.sdk.auth.JWTAuthentication

applyTo, ensureClientAssertionType, getClientAssertion, getJWTAuthenticationClaimsSet, parseClientAssertion, parseClientID, toParameters

Methods inherited from class com.nimbusds.oauth2.sdk.auth.ClientAuthentication

getClientID, getMethod

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

PrivateKeyJWT

public PrivateKeyJWT(ClientID clientID,
             URI tokenEndpoint,
             com.nimbusds.jose.JWSAlgorithm jwsAlgorithm,
             RSAPrivateKey rsaPrivateKey,
             String keyID,
             Provider jcaProvider)
              throws com.nimbusds.jose.JOSEException

Creates a new RSA private key JWT authentication. The expiration time (exp) is set to five minutes from the current system time. Generates a default identifier (jti) for the JWT. The issued-at (iat) and not-before (nbf) claims are not set.

Parameters:

clientID - The client identifier. Must not be null.

tokenEndpoint - The token endpoint URI of the authorisation server. Must not be null.

jwsAlgorithm - The expected RSA signature algorithm (RS256, RS384 or RS512) for the private key JWT assertion. Must be supported and not null.

rsaPrivateKey - The RSA private key. Must not be null.

keyID - Optional identifier for the RSA key, to aid key selection at the authorisation server. Recommended. null if not specified.

jcaProvider - Optional specific JCA provider, null to use the default one.

Throws:

com.nimbusds.jose.JOSEException - If RSA signing failed.

PrivateKeyJWT

public PrivateKeyJWT(JWTAuthenticationClaimsSet jwtAuthClaimsSet,
             com.nimbusds.jose.JWSAlgorithm jwsAlgorithm,
             RSAPrivateKey rsaPrivateKey,
             String keyID,
             Provider jcaProvider)
              throws com.nimbusds.jose.JOSEException

Creates a new RSA private key JWT authentication.

Parameters:

jwtAuthClaimsSet - The JWT authentication claims set. Must not be null.

jwsAlgorithm - The expected RSA signature algorithm (RS256, RS384 or RS512) for the private key JWT assertion. Must be supported and not null.

rsaPrivateKey - The RSA private key. Must not be null.

keyID - Optional identifier for the RSA key, to aid key selection at the authorisation server. Recommended. null if not specified.

jcaProvider - Optional specific JCA provider, null to use the default one.

Throws:

com.nimbusds.jose.JOSEException - If RSA signing failed.

PrivateKeyJWT

public PrivateKeyJWT(ClientID clientID,
             URI tokenEndpoint,
             com.nimbusds.jose.JWSAlgorithm jwsAlgorithm,
             ECPrivateKey ecPrivateKey,
             String keyID,
             Provider jcaProvider)
              throws com.nimbusds.jose.JOSEException

Creates a new EC private key JWT authentication. The expiration time (exp) is set to five minutes from the current system time. Generates a default identifier (jti) for the JWT. The issued-at (iat) and not-before (nbf) claims are not set.

Parameters:

clientID - The client identifier. Must not be null.

tokenEndpoint - The token endpoint URI of the authorisation server. Must not be null.

jwsAlgorithm - The expected EC signature algorithm (ES256, ES384 or ES512) for the private key JWT assertion. Must be supported and not null.

ecPrivateKey - The EC private key. Must not be null.

keyID - Optional identifier for the EC key, to aid key selection at the authorisation server. Recommended. null if not specified.

jcaProvider - Optional specific JCA provider, null to use the default one.

Throws:

com.nimbusds.jose.JOSEException - If RSA signing failed.

PrivateKeyJWT

public PrivateKeyJWT(JWTAuthenticationClaimsSet jwtAuthClaimsSet,
             com.nimbusds.jose.JWSAlgorithm jwsAlgorithm,
             ECPrivateKey ecPrivateKey,
             String keyID,
             Provider jcaProvider)
              throws com.nimbusds.jose.JOSEException

Creates a new EC private key JWT authentication.

Parameters:

jwtAuthClaimsSet - The JWT authentication claims set. Must not be null.

jwsAlgorithm - The expected ES signature algorithm (ES256, ES384 or ES512) for the private key JWT assertion. Must be supported and not null.

ecPrivateKey - The EC private key. Must not be null.

keyID - Optional identifier for the EC key, to aid key selection at the authorisation server. Recommended. null if not specified.

jcaProvider - Optional specific JCA provider, null to use the default one.

Throws:

com.nimbusds.jose.JOSEException - If RSA signing failed.

PrivateKeyJWT

public PrivateKeyJWT(com.nimbusds.jwt.SignedJWT clientAssertion)

Creates a new private key JWT authentication.

Parameters:

clientAssertion - The client assertion, corresponding to the client_assertion parameter, as a supported RSA or ECDSA-signed JWT. Must be signed and not null.

Method Detail

supportedJWAs

public static Set<com.nimbusds.jose.JWSAlgorithm> supportedJWAs()

Returns the supported signature JSON Web Algorithms (JWAs).

Returns:

The supported JSON Web Algorithms (JWAs).

parse

public static PrivateKeyJWT parse(Map<String,String> params)
                           throws ParseException

Parses the specified parameters map for a private key JSON Web Token (JWT) authentication. Note that the parameters must not be application/x-www-form-urlencoded encoded.

Parameters:

params - The parameters map to parse. The private key JSON Web Token (JWT) parameters must be keyed under "client_assertion" and "client_assertion_type". The map must not be null.

Returns:

The private key JSON Web Token (JWT) authentication.

Throws:

ParseException - If the parameters map couldn't be parsed to a private key JSON Web Token (JWT) authentication.

parse

public static PrivateKeyJWT parse(String paramsString)
                           throws ParseException

Parses a private key JSON Web Token (JWT) authentication from the specified application/x-www-form-urlencoded encoded parameters string.

Parameters:

paramsString - The parameters string to parse. The private key JSON Web Token (JWT) parameters must be keyed under "client_assertion" and "client_assertion_type". The string must not be null.

Returns:

The private key JSON Web Token (JWT) authentication.

Throws:

ParseException - If the parameters string couldn't be parsed to a private key JSON Web Token (JWT) authentication.

parse

public static PrivateKeyJWT parse(HTTPRequest httpRequest)
                           throws ParseException

Parses the specified HTTP POST request for a private key JSON Web Token (JWT) authentication.

Parameters:

httpRequest - The HTTP POST request to parse. Must not be null and must contain a valid application/x-www-form-urlencoded encoded parameters string in the entity body. The private key JSON Web Token (JWT) parameters must be keyed under "client_assertion" and "client_assertion_type".

Returns:

The private key JSON Web Token (JWT) authentication.

Throws:

ParseException - If the HTTP request header couldn't be parsed to a private key JSON Web Token (JWT) authentication.