Package com.nimbusds.oauth2.sdk.auth

Class PKITLSClientAuthentication

java.lang.Object

com.nimbusds.oauth2.sdk.auth.ClientAuthentication

com.nimbusds.oauth2.sdk.auth.TLSClientAuthentication

com.nimbusds.oauth2.sdk.auth.PKITLSClientAuthentication

@Immutable
public class PKITLSClientAuthentication
extends TLSClientAuthentication

PKI mutual TLS client authentication at the Token endpoint. The client certificate is PKI bound, as opposed to self_signed_tls_client_auth which relies on a self-signed certificate. Implements ClientAuthenticationMethod.TLS_CLIENT_AUTH.

Related specifications:

• OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens (RFC 8705), section 2.1.

Field Summary

Fields inherited from class com.nimbusds.oauth2.sdk.auth.TLSClientAuthentication

certificate

Constructor Summary

Constructors

Constructor	Description
PKITLSClientAuthentication(ClientID clientID, String certSubjectDN)	Deprecated. This constructor does set the certificate
PKITLSClientAuthentication(ClientID clientID, X509Certificate certificate)	Creates a new PKI mutual TLS client authentication.
PKITLSClientAuthentication(ClientID clientID, SSLSocketFactory sslSocketFactory)	Creates a new PKI mutual TLS client authentication.

Method Summary

Modifier and Type	Method	Description
String	getClientX509CertificateSubjectDN()	Gets the subject DN of the received validated client X.509 certificate.
static PKITLSClientAuthentication	parse(HTTPRequest httpRequest)	Parses a PKI mutual TLS client authentication from the specified HTTP request.

Methods inherited from class com.nimbusds.oauth2.sdk.auth.TLSClientAuthentication

applyTo, getClientX509Certificate, getSSLSocketFactory

Methods inherited from class com.nimbusds.oauth2.sdk.auth.ClientAuthentication

getClientID, getMethod

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

PKITLSClientAuthentication

public PKITLSClientAuthentication(ClientID clientID,
                                  SSLSocketFactory sslSocketFactory)

Creates a new PKI mutual TLS client authentication. This constructor is intended for an outgoing token request.

Parameters:

clientID - The client identifier. Must not be null.

sslSocketFactory - The SSL socket factory to use for the outgoing HTTPS request and to present the client certificate(s), null to use the default one.

PKITLSClientAuthentication

@Deprecated
public PKITLSClientAuthentication(ClientID clientID,
                                  String certSubjectDN)

Deprecated.

This constructor does set the certificate

Creates a new PKI mutual TLS client authentication. This constructor is intended for a received token request.

Parameters:

clientID - The client identifier. Must not be null.

certSubjectDN - The subject DN of the received validated client X.509 certificate. Must not be null.

PKITLSClientAuthentication

public PKITLSClientAuthentication(ClientID clientID,
                                  X509Certificate certificate)

Creates a new PKI mutual TLS client authentication. This constructor is intended for a received token request.

Parameters:

clientID - The client identifier. Must not be null.

certificate - The validated client X.509 certificate from the received HTTPS request. Must not be null.

Method Detail

getClientX509CertificateSubjectDN

public String getClientX509CertificateSubjectDN()

Gets the subject DN of the received validated client X.509 certificate.

Returns:

The subject DN.

parse

public static PKITLSClientAuthentication parse(HTTPRequest httpRequest)
                                        throws ParseException

Parses a PKI mutual TLS client authentication from the specified HTTP request.

Parameters:

httpRequest - The HTTP request to parse. Must not be null and must include a validated client X.509 certificate.

Returns:

The PKI mutual TLS client authentication.

Throws:

ParseException - If the client_id or client X.509 certificate is missing.