001/* 002 * oauth2-oidc-sdk 003 * 004 * Copyright 2012-2016, Connect2id Ltd and contributors. 005 * 006 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use 007 * this file except in compliance with the License. You may obtain a copy of the 008 * License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software distributed 013 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR 014 * CONDITIONS OF ANY KIND, either express or implied. See the License for the 015 * specific language governing permissions and limitations under the License. 016 */ 017 018package com.nimbusds.oauth2.sdk.auth.verifier; 019 020 021import java.security.PublicKey; 022import java.util.List; 023 024import com.nimbusds.jose.JWSHeader; 025import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod; 026import com.nimbusds.oauth2.sdk.auth.SelfSignedTLSClientAuthentication; 027import com.nimbusds.oauth2.sdk.auth.Secret; 028import com.nimbusds.oauth2.sdk.id.ClientID; 029 030 031/** 032 * Selector of client credential candidates for client authentication 033 * verification. The select methods should typically return a single candidate, 034 * but may also return multiple in case the client rotates its keys. 035 * 036 * <p>Implementations must be tread-safe. 037 * 038 * <p>Selection of {@link com.nimbusds.oauth2.sdk.auth.ClientSecretBasic 039 * client_secret_basic}, {@link com.nimbusds.oauth2.sdk.auth.ClientSecretPost 040 * client_secret_post} and {@link com.nimbusds.oauth2.sdk.auth.ClientSecretJWT 041 * client_secret_jwt} secrets is handled by the {@link #selectClientSecrets} 042 * method. 043 * 044 * <p>Selection of {@link com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT 045 * private_key_jwt} and 046 * {@link SelfSignedTLSClientAuthentication pub_key_tls_client_auth} 047 * keys is handled by the {@link #selectPublicKeys} method. 048 * 049 * <p>The generic {@link Context context object} may be used to return 050 * {@link com.nimbusds.oauth2.sdk.client.ClientMetadata client metadata} or 051 * other information to the caller. 052 */ 053public interface ClientCredentialsSelector<T> { 054 055 056 /** 057 * Selects one or more client secret candidates for 058 * {@link com.nimbusds.oauth2.sdk.auth.ClientSecretBasic client_secret_basic}, 059 * {@link com.nimbusds.oauth2.sdk.auth.ClientSecretPost client_secret_post} and 060 * {@link com.nimbusds.oauth2.sdk.auth.ClientSecretJWT client_secret_jwt} 061 * authentication. 062 * 063 * @param claimedClientID The client identifier (to be verified). Not 064 * {@code null}. 065 * @param authMethod The client authentication method. Not 066 * {@code null}. 067 * @param context Additional context. May be {@code null}. 068 * 069 * @return The selected client secret candidates, empty list if none. 070 * 071 * @throws InvalidClientException If the client is invalid. 072 */ 073 List<Secret> selectClientSecrets(final ClientID claimedClientID, 074 final ClientAuthenticationMethod authMethod, 075 final Context<T> context) 076 throws InvalidClientException; 077 078 079 /** 080 * Selects one or more public key candidates (e.g. RSA or EC) for 081 * {@link com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT private_key_jwt} 082 * and {@link SelfSignedTLSClientAuthentication 083 * pub_key_tls_client_auth} authentication. 084 * 085 * @param claimedClientID The client identifier (to be verified). Not 086 * {@code null}. 087 * @param authMethod The client authentication method. Not 088 * {@code null}. 089 * @param jwsHeader The JWS header, which may contain parameters 090 * such as key ID to facilitate the key 091 * selection. {@code null} for TLS client 092 * authentication. 093 * @param forceRefresh {@code true} to force refresh of the JWK set 094 * (for a remote JWK set referenced by URL). 095 * @param context Additional context. May be {@code null}. 096 * 097 * @return The selected public key candidates, empty list if none. 098 * 099 * @throws InvalidClientException If the client is invalid. 100 */ 101 List<? extends PublicKey> selectPublicKeys(final ClientID claimedClientID, 102 final ClientAuthenticationMethod authMethod, 103 final JWSHeader jwsHeader, 104 final boolean forceRefresh, 105 final Context<T> context) 106 throws InvalidClientException; 107}