Class ClientSecretJWT


@Immutable public final class ClientSecretJWT extends JWTAuthentication
Client secret JWT authentication at the Token endpoint. Implements ClientAuthenticationMethod.CLIENT_SECRET_JWT.

Signature JSON Web Algorithms (JWAs) supported by this implementation:

  • HS256
  • HS384
  • HS512

Related specifications:

  • Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7521).
  • JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7523).

  • Constructor Details

    • ClientSecretJWT

      public ClientSecretJWT(ClientID clientID, URI endpoint, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, Secret clientSecret) throws com.nimbusds.jose.JOSEException
      Creates a new client secret JWT authentication. The expiration time (exp) is set to five minutes from the current system time. Generates a default identifier (jti) for the JWT. The issued-at (iat) and not-before (nbf) claims are not set.
      Parameters:
      clientID - The client identifier. Must not be null.
      endpoint - The endpoint URI where the client will submit the JWT authentication, for example the token endpoint. Must not be null.
      jwsAlgorithm - The expected HMAC algorithm (HS256, HS384 or HS512) for the client secret JWT assertion. Must be supported and not null.
      clientSecret - The client secret. Must be at least 256 bits long.
      Throws:
      com.nimbusds.jose.JOSEException - If the client secret is too short, or HMAC computation failed.
    • ClientSecretJWT

      public ClientSecretJWT(Issuer iss, ClientID clientID, URI endpoint, com.nimbusds.jose.JWSAlgorithm jwsAlgorithm, Secret clientSecret) throws com.nimbusds.jose.JOSEException
      Creates a new client secret JWT authentication. The expiration time (exp) is set to five minutes from the current system time. Generates a default identifier (jti) for the JWT. The issued-at (iat) and not-before (nbf) claims are not set.
      Parameters:
      iss - The issuer. May be different from the client identifier. Must not be null.
      clientID - The client identifier. Must not be null.
      endpoint - The endpoint URI where the client will submit the JWT authentication, for example the token endpoint. Must not be null.
      jwsAlgorithm - The expected HMAC algorithm (HS256, HS384 or HS512) for the client secret JWT assertion. Must be supported and not null.
      clientSecret - The client secret. Must be at least 256 bits long.
      Throws:
      com.nimbusds.jose.JOSEException - If the client secret is too short, or HMAC computation failed.
    • ClientSecretJWT

      public ClientSecretJWT(com.nimbusds.jwt.SignedJWT clientAssertion)
      Creates a new client secret JWT authentication.
      Parameters:
      clientAssertion - The client assertion, corresponding to the client_assertion parameter, as a supported HMAC-protected JWT. Must be signed and not null.
  • Method Details

    • supportedJWAs

      public static Set<com.nimbusds.jose.JWSAlgorithm> supportedJWAs()
      Returns the supported signature JSON Web Algorithms (JWAs).
      Returns:
      The supported JSON Web Algorithms (JWAs).
    • parse

      public static ClientSecretJWT parse(Map<String,List<String>> params) throws ParseException
      Parses the specified parameters map for a client secret JSON Web Token (JWT) authentication. Note that the parameters must not be application/x-www-form-urlencoded encoded.
      Parameters:
      params - The parameters map to parse. The client secret JSON Web Token (JWT) parameters must be keyed under "client_assertion" and "client_assertion_type". The map must not be null.
      Returns:
      The client secret JSON Web Token (JWT) authentication.
      Throws:
      ParseException - If the parameters map couldn't be parsed to a client secret JSON Web Token (JWT) authentication.
    • parse

      public static ClientSecretJWT parse(String paramsString) throws ParseException
      Parses a client secret JSON Web Token (JWT) authentication from the specified application/x-www-form-urlencoded encoded parameters string.
      Parameters:
      paramsString - The parameters string to parse. The client secret JSON Web Token (JWT) parameters must be keyed under "client_assertion" and "client_assertion_type". The string must not be null.
      Returns:
      The client secret JSON Web Token (JWT) authentication.
      Throws:
      ParseException - If the parameters string couldn't be parsed to a client secret JSON Web Token (JWT) authentication.
    • parse

      public static ClientSecretJWT parse(HTTPRequest httpRequest) throws ParseException
      Parses the specified HTTP POST request for a client secret JSON Web Token (JWT) authentication.
      Parameters:
      httpRequest - The HTTP POST request to parse. Must not be null and must contain a valid application/x-www-form-urlencoded encoded parameters string in the entity body. The client secret JSON Web Token (JWT) parameters must be keyed under "client_assertion" and "client_assertion_type".
      Returns:
      The client secret JSON Web Token (JWT) authentication.
      Throws:
      ParseException - If the HTTP request couldn't be parsed to a client secret JSON Web Token (JWT) authentication.
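
Added example (not part of the SDK documentation): a client builds the assertion with the first constructor above, and a server parses it and then checks it. The parse methods are given no client secret, so they only decode the assertion; the HMAC, the algorithm, the audience and the expiry are checked separately here. The client ID, endpoint URI and class name are constructed sample values; toParameters() and getClientAssertion() are inherited from JWTAuthentication, and MACVerifier comes from the Nimbus JOSE+JWT library.

```java
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.auth.ClientSecretJWT;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.id.ClientID;

import java.net.URI;
import java.util.Date;
import java.util.List;
import java.util.Map;

public class ClientSecretJwtExample {

    // Server side: parse() only decodes the assertion. The HMAC, algorithm,
    // audience and expiry are checked here against the registered client data.
    static boolean isValid(Map<String, List<String>> params, Secret registeredSecret,
                           JWSAlgorithm registeredAlg, URI tokenEndpoint) throws Exception {
        ClientSecretJWT auth = ClientSecretJWT.parse(params);
        SignedJWT jwt = auth.getClientAssertion();
        // Pin the algorithm registered for this client instead of trusting the header.
        if (!registeredAlg.equals(jwt.getHeader().getAlgorithm())) return false;
        // Recompute the HMAC with the secret stored for the client.
        if (!jwt.verify(new MACVerifier(registeredSecret.getValueBytes()))) return false;
        JWTClaimsSet claims = jwt.getJWTClaimsSet();
        Date exp = claims.getExpirationTime();
        // exp is set by the constructor to five minutes ahead; aud must name this endpoint.
        return exp != null && exp.after(new Date())
                && claims.getAudience().contains(tokenEndpoint.toString());
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from the SDK documentation.
        ClientID clientID = new ClientID("example-client");
        URI tokenEndpoint = URI.create("https://as.example.com/token");
        Secret secret = new Secret(32); // generated from 32 random bytes (256 bits)

        // Client side: sign the assertion and produce the form parameters.
        ClientSecretJWT auth = new ClientSecretJWT(clientID, tokenEndpoint, JWSAlgorithm.HS256, secret);
        Map<String, List<String>> params = auth.toParameters();

        // Same parameters checked with the registered secret, then with a different one.
        System.out.println("registered secret: " + isValid(params, secret, JWSAlgorithm.HS256, tokenEndpoint));
        System.out.println("different secret:  " + isValid(params, new Secret(32), JWSAlgorithm.HS256, tokenEndpoint));
    }
}
```

A production check would also record each jti until its exp passes, so that a captured assertion cannot be replayed within the five-minute window.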