Package com.nimbusds.oauth2.sdk.auth.verifier

Class ClientAuthenticationVerifier<T>

java.lang.Object

com.nimbusds.oauth2.sdk.auth.verifier.ClientAuthenticationVerifier<T>

@ThreadSafe
public class ClientAuthenticationVerifier<T>
extends Object

Client authentication verifier.

Related specifications:

• OAuth 2.0 (RFC 6749), sections 2.3.1 and 3.2.1.
• OpenID Connect Core 1.0, section 9.
• JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7523).
• OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens (draft-ietf-oauth-mtls-12), section 2.

Constructor Summary

Constructors

Constructor	Description
ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector, ClientX509CertificateBindingVerifier<T> certBindingVerifier, Set<Audience> expectedAudience)	Creates a new client authentication verifier.

Method Summary

Modifier and Type	Method	Description
ClientCredentialsSelector<T>	getClientCredentialsSelector()	Returns the client credentials selector.
ClientX509CertificateBindingVerifier<T>	getClientX509CertificateBindingVerifier()	Returns the client X.509 certificate binding verifier for use in tls_client_auth.
Set<Audience>	getExpectedAudience()	Returns the permitted audience values in JWT authentication assertions.
void	verify(ClientAuthentication clientAuth, Set<Hint> hints, Context<T> context)	Verifies a client authentication request.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

ClientAuthenticationVerifier

public ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector,
                                    ClientX509CertificateBindingVerifier<T> certBindingVerifier,
                                    Set<Audience> expectedAudience)

Creates a new client authentication verifier.

Parameters:

clientCredentialsSelector - The client credentials selector. Must not be null.

certBindingVerifier - Optional client X.509 certificate binding verifier for tls_client_auth, null if not supported.

expectedAudience - The permitted audience (aud) claim values in JWT authentication assertions. Must not be empty or null. Should typically contain the token endpoint URI and for OpenID provider it may also include the issuer URI.

Method Detail

getClientCredentialsSelector

public ClientCredentialsSelector<T> getClientCredentialsSelector()

Returns the client credentials selector.

Returns:

The client credentials selector.

getClientX509CertificateBindingVerifier

public ClientX509CertificateBindingVerifier<T> getClientX509CertificateBindingVerifier()

Returns the client X.509 certificate binding verifier for use in tls_client_auth.

Returns:

The client X.509 certificate binding verifier, null if not specified.

getExpectedAudience

public Set<Audience> getExpectedAudience()

Returns the permitted audience values in JWT authentication assertions.

Returns:

The permitted audience (aud) claim values.

verify

public void verify(ClientAuthentication clientAuth,
                   Set<Hint> hints,
                   Context<T> context)
            throws InvalidClientException,
                   com.nimbusds.jose.JOSEException

Verifies a client authentication request.

Parameters:

clientAuth - The client authentication. Must not be null.

hints - Optional hints to the verifier, empty set of null if none.

context - Additional context to be passed to the client credentials selector. May be null.

Throws:

InvalidClientException - If the client authentication is invalid, typically due to bad credentials.

com.nimbusds.jose.JOSEException - If authentication failed due to an internal JOSE / JWT processing exception.