All Downloads are FREE. Search and download functionalities are using the official Maven repository.

com.nimbusds.oauth2.sdk.auth.ClientSecretJWT Maven / Gradle / Ivy

Go to download

OAuth 2.0 SDK with OpenID Connection extensions for developing client and server applications.

There is a newer version: 11.20.1
Show newest version
/*
 * oauth2-oidc-sdk
 *
 * Copyright 2012-2016, Connect2id Ltd and contributors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
 * this file except in compliance with the License. You may obtain a copy of the
 * License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software distributed
 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 * CONDITIONS OF ANY KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations under the License.
 */

package com.nimbusds.oauth2.sdk.auth;


import com.nimbusds.common.contenttype.ContentType;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.assertions.jwt.JWTAssertionFactory;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.id.Audience;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.oauth2.sdk.util.URLUtils;
import net.jcip.annotations.Immutable;

import java.net.URI;
import java.util.*;


/**
 * Client secret JWT authentication at the Token endpoint. Implements
 * {@link ClientAuthenticationMethod#CLIENT_SECRET_JWT}.
 *
 * 

Supported signature JSON Web Algorithms (JWAs) by this implementation: * *

    *
  • HS256 *
  • HS384 *
  • HS512 *
* *

Related specifications: * *

    *
  • Assertion Framework for OAuth 2.0 Client Authentication and * Authorization Grants (RFC 7521). *
  • JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and * Authorization Grants (RFC 7523). *
*/ @Immutable public final class ClientSecretJWT extends JWTAuthentication { /** * Returns the supported signature JSON Web Algorithms (JWAs). * * @return The supported JSON Web Algorithms (JWAs). */ public static Set supportedJWAs() { return Collections.unmodifiableSet(new HashSet<>(JWSAlgorithm.Family.HMAC_SHA)); } /** * Creates a new client secret JWT authentication. The expiration * time (exp) is set to 1 minute from the current system time. * Generates a default identifier (jti) for the JWT. The issued-at * (iat) and not-before (nbf) claims are not set. * * @param clientID The client identifier. Must not be * {@code null}. * @param endpoint The endpoint URI where the client will submit * the JWT authentication, for example the token * endpoint. Must not be {@code null}. * @param jwsAlgorithm The expected HMAC algorithm (HS256, HS384 or * HS512) for the client secret JWT assertion. * Must be supported and not {@code null}. * @param clientSecret The client secret. Must be at least 256-bits * long. * * @throws JOSEException If the client secret is too short, or HMAC * computation failed. */ public ClientSecretJWT(final ClientID clientID, final URI endpoint, final JWSAlgorithm jwsAlgorithm, final Secret clientSecret) throws JOSEException { this(new Issuer(clientID), clientID, endpoint, jwsAlgorithm, clientSecret); } /** * Creates a new client secret JWT authentication. The expiration * time (exp) is set to 1 minute from the current system time. * Generates a default identifier (jti) for the JWT. The issued-at * (iat) and not-before (nbf) claims are not set. * * @param iss The issuer. May be different from the client * identifier. Must not be {@code null}. * @param clientID The client identifier. Must not be * {@code null}. * @param endpoint The endpoint URI where the client will submit * the JWT authentication, for example the token * endpoint. Must not be {@code null}. * @param jwsAlgorithm The expected HMAC algorithm (HS256, HS384 or * HS512) for the client secret JWT assertion. * Must be supported and not {@code null}. * @param clientSecret The client secret. Must be at least 256-bits * long. * * @throws JOSEException If the client secret is too short, or HMAC * computation failed. */ public ClientSecretJWT(final Issuer iss, final ClientID clientID, final URI endpoint, final JWSAlgorithm jwsAlgorithm, final Secret clientSecret) throws JOSEException { this(JWTAssertionFactory.create( new JWTAuthenticationClaimsSet(iss, clientID, new Audience(endpoint.toString())), jwsAlgorithm, clientSecret)); } /** * Creates a new client secret JWT authentication. * * @param clientAssertion The client assertion, corresponding to the * {@code client_assertion_parameter}, as a * supported HMAC-protected JWT. Must be signed * and not {@code null}. */ public ClientSecretJWT(final SignedJWT clientAssertion) { super(ClientAuthenticationMethod.CLIENT_SECRET_JWT, clientAssertion); if (! JWSAlgorithm.Family.HMAC_SHA.contains(clientAssertion.getHeader().getAlgorithm())) throw new IllegalArgumentException("The client assertion JWT must be HMAC-signed (HS256, HS384 or HS512)"); } /** * Parses the specified parameters map for a client secret JSON Web * Token (JWT) authentication. Note that the parameters must not be * {@code application/x-www-form-urlencoded} encoded. * * @param params The parameters map to parse. The client secret JSON * Web Token (JWT) parameters must be keyed under * "client_assertion" and "client_assertion_type". The * map must not be {@code null}. * * @return The client secret JSON Web Token (JWT) authentication. * * @throws ParseException If the parameters map couldn't be parsed to a * client secret JSON Web Token (JWT) * authentication. */ public static ClientSecretJWT parse(final Map> params) throws ParseException { JWTAuthentication.ensureClientAssertionType(params); SignedJWT clientAssertion = JWTAuthentication.parseClientAssertion(params); ClientSecretJWT clientSecretJWT; try { clientSecretJWT = new ClientSecretJWT(clientAssertion); } catch (IllegalArgumentException e) { throw new ParseException(e.getMessage(), e); } // Check that the top level client_id matches the assertion subject + issuer ClientID clientID = JWTAuthentication.parseClientID(params); if (clientID != null) { if (! clientID.equals(clientSecretJWT.getClientID())) throw new ParseException("Invalid client secret JWT authentication: The client identifier doesn't match the client assertion subject"); } return clientSecretJWT; } /** * Parses a client secret JSON Web Token (JWT) authentication from the * specified {@code application/x-www-form-urlencoded} encoded * parameters string. * * @param paramsString The parameters string to parse. The client secret * JSON Web Token (JWT) parameters must be keyed * under "client_assertion" and * "client_assertion_type". The string must not be * {@code null}. * * @return The client secret JSON Web Token (JWT) authentication. * * @throws ParseException If the parameters string couldn't be parsed * to a client secret JSON Web Token (JWT) * authentication. */ public static ClientSecretJWT parse(final String paramsString) throws ParseException { Map> params = URLUtils.parseParameters(paramsString); return parse(params); } /** * Parses the specified HTTP POST request for a client secret JSON Web * Token (JWT) authentication. * * @param httpRequest The HTTP POST request to parse. Must not be * {@code null} and must contain a valid * {@code application/x-www-form-urlencoded} encoded * parameters string in the entity body. The client * secret JSON Web Token (JWT) parameters must be * keyed under "client_assertion" and * "client_assertion_type". * * @return The client secret JSON Web Token (JWT) authentication. * * @throws ParseException If the HTTP request header couldn't be parsed * to a client secret JSON Web Token (JWT) * authentication. */ public static ClientSecretJWT parse(final HTTPRequest httpRequest) throws ParseException { httpRequest.ensureMethod(HTTPRequest.Method.POST); httpRequest.ensureEntityContentType(ContentType.APPLICATION_URLENCODED); return parse(httpRequest.getBodyAsFormParameters()); } }




© 2015 - 2024 Weber Informatics LLC | Privacy Policy