
com.nimbusds.openid.connect.provider.spi.clientauth.PrivateKeyJWTCertificateVerifier Maven / Gradle / Ivy


SDK for Connect2id Server extensions, such as OpenID Connect claims sources and OAuth 2.0 grant handlers

package com.nimbusds.openid.connect.provider.spi.clientauth;


import java.util.Optional;

import net.jcip.annotations.ThreadSafe;

import com.nimbusds.oauth2.sdk.auth.verifier.InvalidClientException;
import com.nimbusds.openid.connect.provider.spi.Lifecycle;


/**
 * Service Provider Interface (SPI) for verifying an X.509 certificate (x5c) in
 * {@link com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod#PRIVATE_KEY_JWT
 * private_key_jwt} client authentications. This can be used to enable
 * {@code private_key_jwt} authentication based on qualified certificates and
 * without a prior client JWK set registration (via the "jwks" or "jwks_uri"
 * client metadata parameters).
 *
 * <p>The SPI enables implementation of policies where only selected
 * clients are allowed or required to include a certificate for the
 * {@code private_key_jwt}, based on the client's registered metadata or other
 * criteria.
 *
 * <p>A client can {@linkplain CertificateLocation place} the certificate in
 * the {@code private_key_jwt} "x5c" header. Alternatively, the certificate
 * can be put in the "x5c" parameter of a matching public JWK and have the key
 * pre-registered via the "jwks" or "jwks_uri" client metadata parameter.
 *
 * <p>Implementations must be thread-safe.
 */
@ThreadSafe
public interface PrivateKeyJWTCertificateVerifier extends Lifecycle {
	
	
	/**
	 * Checks the X.509 certificate requirement for the specified
	 * {@code private_key_jwt} client authentication. If the client must
	 * use a certificate as part of the {@code private_key_jwt}
	 * authentication, included by value in the JWS "x5c" header parameter,
	 * or included in a registered client JWK in the client's "jwks" or
	 * "jwks_uri", the method returns a certificate verification callback.
	 *
	 * @param context The {@code private_key_jwt} client authentication
	 *                context. Not {@code null}.
	 *
	 * @return A certificate verification callback if a certificate is
	 *         required for the {@code private_key_jwt} client
	 *         authentication. If a certificate isn't required none is
	 *         returned.
	 *
	 * @throws InvalidClientException To reject the authentication with an
	 *         {@link com.nimbusds.oauth2.sdk.OAuth2Error#INVALID_CLIENT
	 *         invalid_client} error, due to an unmet authentication
	 *         requirement. Throwing an {@link ExposedInvalidClientException}
	 *         will override the default Connect2id server
	 *         {@code error_description} and {@code error_uri} in the
	 *         HTTP 401 Unauthorized error response.
	 */
	Optional checkCertificateRequirement(final PrivateKeyJWTContext context)
		throws InvalidClientException;
}
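The decision this SPI makes has three outcomes: no certificate required (empty result), certificate required and located (a verification callback), or requirement unmet (reject with invalid_client). The following is an added, language-neutral model of that decision in Python; it is not Connect2id SDK code and does not implement the Java interface above. `ClientMetadata.cert_required` is a hypothetical per-client policy flag, the assertions are constructed and unsigned, and the "callback" is represented as the located chain plus its location, handed on for PKIX validation which is out of scope here.

```python
import base64
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed, hypothetical model of checkCertificateRequirement(); not Connect2id code.


class InvalidClientError(Exception):
    """Stands in for InvalidClientException: reject with an OAuth 2.0 invalid_client error."""


@dataclass
class ClientMetadata:
    client_id: str
    # Registered public JWKs ("jwks" / "jwks_uri"); a JWK may carry an "x5c" chain.
    jwks: list = field(default_factory=list)
    # Hypothetical policy flag (assumption), not a registered client metadata parameter.
    cert_required: bool = False


def _b64url_decode(s: str) -> bytes:
    # JWS uses unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def decode_jws_header(assertion: str) -> dict:
    """Parse the protected header of a compact-serialized JWS (header.payload.signature)."""
    parts = assertion.split(".")
    if len(parts) != 3:
        raise InvalidClientError("client_assertion is not a compact-serialized JWS")
    return json.loads(_b64url_decode(parts[0]))


def locate_certificate(assertion: str, client: ClientMetadata):
    """Find the certificate chain: JWS "x5c" header first, then a registered JWK matching "kid".

    Returns (location, chain) with location "jws_header" or "registered_jwk", or (None, None).
    """
    header = decode_jws_header(assertion)
    if header.get("x5c"):
        return "jws_header", list(header["x5c"])
    kid = header.get("kid")
    if kid is not None:
        for jwk in client.jwks:
            if jwk.get("kid") == kid and jwk.get("x5c"):
                return "registered_jwk", list(jwk["x5c"])
    return None, None


def check_certificate_requirement(assertion: str, client: ClientMetadata) -> Optional[dict]:
    """Model of checkCertificateRequirement().

    None when the client is not required to present a certificate; a dict describing
    the located chain (the "callback" input) when one is required and present;
    InvalidClientError when the requirement is unmet.
    """
    if not client.cert_required:
        return None
    location, chain = locate_certificate(assertion, client)
    if chain is None:
        raise InvalidClientError(
            f"client {client.client_id} must present an X.509 certificate for private_key_jwt"
        )
    return {"location": location, "chain": chain}


def requirement_unmet(assertion: str, client: ClientMetadata) -> bool:
    """True if the check rejects the authentication (convenience for tests/logging)."""
    try:
        check_certificate_requirement(assertion, client)
    except InvalidClientError:
        return True
    return False


def build_unsigned_assertion(header: dict) -> str:
    """Constructed test helper: compact JWS with a dummy payload and a placeholder signature."""
    payload = _b64url_encode(json.dumps({"iss": "client-1", "sub": "client-1"}).encode())
    return f"{_b64url_encode(json.dumps(header).encode())}.{payload}.sig"


if __name__ == "__main__":
    client = ClientMetadata(
        "client-1",
        jwks=[{"kty": "RSA", "kid": "k1", "x5c": ["LEAF-IN-JWK"]}],  # constructed
        cert_required=True,
    )
    with_x5c = build_unsigned_assertion({"alg": "RS256", "kid": "k1", "x5c": ["LEAF-IN-HEADER"]})
    kid_only = build_unsigned_assertion({"alg": "RS256", "kid": "k1"})
    print(check_certificate_requirement(with_x5c, client))
    print(check_certificate_requirement(kid_only, client))
```

Whatever the located chain is then handed to, the callback must still verify that the leaf certificate's public key is the key that signed the assertion and that the chain validates to an issuer the server trusts; locating the certificate, as modelled here, is only the policy step.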




