/*
* oauth2-oidc-sdk
*
* Copyright 2012-2016, Connect2id Ltd and contributors.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not use
* this file except in compliance with the License. You may obtain a copy of the
* License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software distributed
* under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
* CONDITIONS OF ANY KIND, either express or implied. See the License for the
* specific language governing permissions and limitations under the License.
*/
package com.nimbusds.oauth2.sdk.auth;
import com.nimbusds.common.contenttype.ContentType;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.util.MultivaluedMapUtils;
import com.nimbusds.oauth2.sdk.util.StringUtils;
import javax.security.auth.x500.X500Principal;
import java.util.List;
import java.util.Map;
import java.util.Set;
/**
 * Base abstract class for client authentication at the Token endpoint.
 *
 * <p>Related specifications:
 *
 * <ul>
 *     <li>OAuth 2.0 (RFC 6749), section 2.3.
 *     <li>JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and
 *         Authorization Grants (RFC 7523), section 2.2.
 *     <li>OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound
 *         Access Tokens (draft-ietf-oauth-mtls-15), section 2.
 * </ul>
 */
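public abstract class ClientAuthentication {


	/**
	 * The client authentication method.
	 */
	private final ClientAuthenticationMethod method;


	/**
	 * The client ID.
	 */
	private final ClientID clientID;


	/**
	 * Creates a new abstract client authentication.
	 *
	 * @param method   The client authentication method. Must not be
	 *                 {@code null}.
	 * @param clientID The client identifier. Must not be {@code null}.
	 *
	 * @throws IllegalArgumentException If either argument is {@code null}.
	 */
	protected ClientAuthentication(final ClientAuthenticationMethod method, final ClientID clientID) {

		if (method == null)
			throw new IllegalArgumentException("The client authentication method must not be null");

		this.method = method;

		if (clientID == null)
			throw new IllegalArgumentException("The client identifier must not be null");

		this.clientID = clientID;
	}


	/**
	 * Returns the client authentication method.
	 *
	 * @return The client authentication method.
	 */
	public ClientAuthenticationMethod getMethod() {

		return method;
	}


	/**
	 * Returns the client identifier.
	 *
	 * @return The client identifier.
	 */
	public ClientID getClientID() {

		return clientID;
	}


	/**
	 * Returns the names of the form parameters, if such are used by the
	 * authentication method.
	 *
	 * @return The form parameter names, empty set if none.
	 */
	public abstract Set<String> getFormParameterNames();


	/**
	 * Parses the specified HTTP request for a supported client
	 * authentication (see {@link ClientAuthenticationMethod}). This method
	 * is intended to aid parsing of authenticated
	 * {@link com.nimbusds.oauth2.sdk.TokenRequest}s.
	 *
	 * <p>The methods are probed in a fixed order: HTTP Basic, then
	 * {@code client_secret_post}, then a JWT client assertion, then mutual
	 * TLS. The first match wins and the remaining methods are not
	 * inspected. RFC 6749, section 2.3.1 forbids a client from using more
	 * than one method per request, but this method does not detect such a
	 * violation; a server that wants to reject it must check the request
	 * itself. Only the presence of the credentials is detected here --
	 * their validation (secret comparison, JWT signature, certificate
	 * binding) is the caller's responsibility.
	 *
	 * @param httpRequest The HTTP request to parse. Must not be
	 *                    {@code null}.
	 *
	 * @return The client authentication method, {@code null} if none or
	 *         the method is not supported.
	 *
	 * @throws ParseException If the inferred client authentication
	 *                        couldn't be parsed, or if a TLS-proxy
	 *                        supplied issuer / subject DN doesn't match
	 *                        the client certificate.
	 */
	public static ClientAuthentication parse(final HTTPRequest httpRequest)
		throws ParseException {

		// 1. HTTP Basic (client_secret_basic). Only the scheme prefix is
		//    inspected here; decoding and validation of the credentials is
		//    done in ClientSecretBasic.parse.
		//    NOTE(review): the scheme is matched case-sensitively, whereas
		//    RFC 7235 auth-scheme names are case-insensitive, so a header
		//    starting with "basic" is treated as "no authentication" here.
		final String authorization = httpRequest.getAuthorization();
		if (authorization != null && authorization.startsWith("Basic")) {
			return ClientSecretBasic.parse(httpRequest);
		}

		// 2. Every other method carries its credentials in the form body,
		//    so the request must be a POST with a URL-encoded entity. The
		//    two tests are joined with || (the earlier && allowed a POST
		//    with a non-form body to reach the form parser, and evaluated
		//    the content type of a non-POST request, which NPEs when the
		//    Content-Type header is absent).
		final ContentType contentType = httpRequest.getEntityContentType();
		if (httpRequest.getMethod() != HTTPRequest.Method.POST
			|| contentType == null
			|| ! contentType.matches(ContentType.APPLICATION_URLENCODED)) {
			return null; // no auth
		}

		final Map<String, List<String>> params = httpRequest.getBodyAsFormParameters();

		// 3. client_secret_post: client_id and client_secret in the body
		if (StringUtils.isNotBlank(MultivaluedMapUtils.getFirstValue(params, "client_id"))
			&& StringUtils.isNotBlank(MultivaluedMapUtils.getFirstValue(params, "client_secret"))) {
			return ClientSecretPost.parse(httpRequest);
		}

		// 4. Signed JWT assertion (client_secret_jwt / private_key_jwt).
		//    Presence only; the assertion type and the JWT itself are
		//    checked downstream.
		if (StringUtils.isNotBlank(MultivaluedMapUtils.getFirstValue(params, "client_assertion"))
			&& StringUtils.isNotBlank(MultivaluedMapUtils.getFirstValue(params, "client_assertion_type"))) {
			return JWTAuthentication.parse(httpRequest);
		}

		// 5. Mutual TLS: a client certificate plus client_id in the body
		if (httpRequest.getClientX509Certificate() != null
			&& StringUtils.isNotBlank(MultivaluedMapUtils.getFirstValue(params, "client_id"))) {

			final X500Principal issuer = httpRequest.getClientX509Certificate().getIssuerX500Principal();
			final X500Principal subject = httpRequest.getClientX509Certificate().getSubjectX500Principal();

			if (issuer != null && issuer.equals(subject)) {

				// Self-issued certificate (issuer DN == subject DN). The
				// signature is deliberately not verified here (CPU cost),
				// so "self-issued" is only a hint for "self-signed"; the
				// returned SelfSignedTLSClientAuthentication must still be
				// matched by the caller against the client's registered
				// public key before the client is considered authenticated.

				// A TLS-terminating proxy may forward the issuer / subject
				// DNs as request metadata; when present they must denote
				// the same DNs as the certificate itself.
				final String rootDN = httpRequest.getClientX509CertificateRootDN();
				if (rootDN != null && ! dnMatches(rootDN, issuer)) {
					throw new ParseException("Client X.509 certificate issuer DN doesn't match HTTP request metadata");
				}

				final String subjectDN = httpRequest.getClientX509CertificateSubjectDN();
				if (subjectDN != null && ! dnMatches(subjectDN, subject)) {
					throw new ParseException("Client X.509 certificate subject DN doesn't match HTTP request metadata");
				}

				return SelfSignedTLSClientAuthentication.parse(httpRequest);
			}

			// Issuer differs from subject: PKI-bound (tls_client_auth)
			return PKITLSClientAuthentication.parse(httpRequest);
		}

		return null; // no auth
	}


	/**
	 * Checks whether a DN string supplied by a TLS-terminating proxy
	 * denotes the same distinguished name as a principal taken from the
	 * client certificate. The string is first compared structurally (via
	 * {@link X500Principal#equals}), which tolerates encoding differences
	 * such as RFC 2253 vs. RFC 1779 spacing and attribute-type casing; if
	 * it cannot be parsed as a DN at all, a case-insensitive comparison
	 * against the principal's string form is used instead.
	 *
	 * @param dn        The DN string from the request metadata. Must not
	 *                  be {@code null}.
	 * @param principal The principal from the certificate. Must not be
	 *                  {@code null}.
	 *
	 * @return {@code true} if the DNs match, else {@code false}.
	 */
	private static boolean dnMatches(final String dn, final X500Principal principal) {

		try {
			if (new X500Principal(dn).equals(principal)) {
				return true;
			}
		} catch (IllegalArgumentException ignored) {
			// not a parseable DN; fall back to the string comparison below
		}

		return dn.equalsIgnoreCase(principal.toString());
	}


	/**
	 * Applies the authentication to the specified HTTP request by setting
	 * its Authorization header and/or POST entity-body parameters
	 * (according to the implemented client authentication method).
	 *
	 * @param httpRequest The HTTP request. Must not be {@code null}.
	 */
	public abstract void applyTo(final HTTPRequest httpRequest);
}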