Package com.nimbusds.oauth2.sdk.auth

Class SelfSignedTLSClientAuthentication

java.lang.Object

com.nimbusds.oauth2.sdk.auth.ClientAuthentication

com.nimbusds.oauth2.sdk.auth.TLSClientAuthentication

com.nimbusds.oauth2.sdk.auth.SelfSignedTLSClientAuthentication

@Immutable
public class SelfSignedTLSClientAuthentication
extends TLSClientAuthentication

Self-signed certificate mutual TLS client authentication at the Token endpoint. The client certificate is self-signed, as opposed to tls_client_auth which relies on PKI binding. Implements ClientAuthenticationMethod.SELF_SIGNED_TLS_CLIENT_AUTH.

Related specifications:

• OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens (draft-ietf-oauth-mtls-14), section 2.2.

Constructor Summary

Constructors

Constructor	Description
SelfSignedTLSClientAuthentication(ClientID clientID, X509Certificate x509Certificate)	Creates a new self-signed certificate mutual TLS client authentication.
SelfSignedTLSClientAuthentication(ClientID clientID, SSLSocketFactory sslSocketFactory)	Creates a new self-signed certificate mutual TLS client authentication.

Method Summary

Modifier and Type	Method	Description
X509Certificate	getClientX509Certificate()	Returns the validated client X.509 certificate from the received HTTPS request.
static SelfSignedTLSClientAuthentication	parse(HTTPRequest httpRequest)	Parses a self-signed certificate mutual TLS client authentication from the specified HTTP request.

Methods inherited from class com.nimbusds.oauth2.sdk.auth.ClientAuthentication

getClientID, getMethod

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from class com.nimbusds.oauth2.sdk.auth.TLSClientAuthentication

applyTo, getSSLSocketFactory

Constructor Detail

SelfSignedTLSClientAuthentication

public SelfSignedTLSClientAuthentication(ClientID clientID,
                                         SSLSocketFactory sslSocketFactory)

Creates a new self-signed certificate mutual TLS client authentication. This constructor is intended for an outgoing token request.

Parameters:

clientID - The client identifier. Must not be null.

sslSocketFactory - The SSL socket factory to use for the outgoing HTTPS request and to present the client certificate(s), null to use the default one.

SelfSignedTLSClientAuthentication

public SelfSignedTLSClientAuthentication(ClientID clientID,
                                         X509Certificate x509Certificate)

Creates a new self-signed certificate mutual TLS client authentication. This constructor is intended for a received token request.

Parameters:

clientID - The client identifier. Must not be null.

x509Certificate - The validated client X.509 certificate from the received HTTPS request. Must not be null.

Method Detail

getClientX509Certificate

public X509Certificate getClientX509Certificate()

Returns the validated client X.509 certificate from the received HTTPS request.

Returns:

The client X.509 certificate, null for an outgoing HTTPS request.

parse

public static SelfSignedTLSClientAuthentication parse(HTTPRequest httpRequest)
                                               throws ParseException

Parses a self-signed certificate mutual TLS client authentication from the specified HTTP request.

Parameters:

httpRequest - The HTTP request to parse. Must not be null and must include a validated client X.509 certificate.

Returns:

The self-signed TLS / X.509 certificate client authentication.

Throws:

ParseException - If the client_id or client X.509 certificate is missing.