Package com.nimbusds.oauth2.sdk.auth

Class ClientSecretJWT

  • @Immutable
public final class ClientSecretJWT
extends JWTAuthentication
    Client secret JWT authentication at the Token endpoint. Implements ClientAuthenticationMethod.CLIENT_SECRET_JWT.

    Supported signature JSON Web Algorithms (JWAs) by this implementation:

    • HS256
    • HS384
    • HS512

    Related specifications:

    • Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7521).
    • JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7523).

    • Constructor Detail

      • ClientSecretJWT

        public ClientSecretJWT​(ClientID clientID,
                       URI endpoint,
                       com.nimbusds.jose.JWSAlgorithm jwsAlgorithm,
                       Secret clientSecret)
                throws com.nimbusds.jose.JOSEException
        Creates a new client secret JWT authentication. The expiration time (exp) is set to five minutes from the current system time. Generates a default identifier (jti) for the JWT. The issued-at (iat) and not-before (nbf) claims are not set.
        Parameters:
        clientID - The client identifier. Must not be null.
        endpoint - The endpoint URI where the client will submit the JWT authentication, for example the token endpoint. Must not be null.
        jwsAlgorithm - The expected HMAC algorithm (HS256, HS384 or HS512) for the client secret JWT assertion. Must be supported and not null.
        clientSecret - The client secret. Must be at least 256-bits long.
        Throws:
        com.nimbusds.jose.JOSEException - If the client secret is too short, or HMAC computation failed.

      • ClientSecretJWT

        public ClientSecretJWT​(com.nimbusds.jwt.SignedJWT clientAssertion)
        Creates a new client secret JWT authentication.
        Parameters:
        clientAssertion - The client assertion, corresponding to the client_assertion_parameter, as a supported HMAC-protected JWT. Must be signed and not null.

    • Method Detail

      • supportedJWAs

        public static Set<com.nimbusds.jose.JWSAlgorithm> supportedJWAs()
        Returns the supported signature JSON Web Algorithms (JWAs).
        Returns:
        The supported JSON Web Algorithms (JWAs).

      • parse

        public static ClientSecretJWT parse​(Map<String,​List<String>> params)
                             throws ParseException
        Parses the specified parameters map for a client secret JSON Web Token (JWT) authentication. Note that the parameters must not be application/x-www-form-urlencoded encoded.
        Parameters:
        params - The parameters map to parse. The client secret JSON Web Token (JWT) parameters must be keyed under "client_assertion" and "client_assertion_type". The map must not be null.
        Returns:
        The client secret JSON Web Token (JWT) authentication.
        Throws:
        ParseException - If the parameters map couldn't be parsed to a client secret JSON Web Token (JWT) authentication.

      • parse

        public static ClientSecretJWT parse​(String paramsString)
                             throws ParseException
        Parses a client secret JSON Web Token (JWT) authentication from the specified application/x-www-form-urlencoded encoded parameters string.
        Parameters:
        paramsString - The parameters string to parse. The client secret JSON Web Token (JWT) parameters must be keyed under "client_assertion" and "client_assertion_type". The string must not be null.
        Returns:
        The client secret JSON Web Token (JWT) authentication.
        Throws:
        ParseException - If the parameters string couldn't be parsed to a client secret JSON Web Token (JWT) authentication.

      • parse

        public static ClientSecretJWT parse​(HTTPRequest httpRequest)
                             throws ParseException
        Parses the specified HTTP POST request for a client secret JSON Web Token (JWT) authentication.
        Parameters:
        httpRequest - The HTTP POST request to parse. Must not be null and must contain a valid application/x-www-form-urlencoded encoded parameters string in the entity body. The client secret JSON Web Token (JWT) parameters must be keyed under "client_assertion" and "client_assertion_type".
        Returns:
        The client secret JSON Web Token (JWT) authentication.
        Throws:
        ParseException - If the HTTP request header couldn't be parsed to a client secret JSON Web Token (JWT) authentication.