Package com.nimbusds.oauth2.sdk.auth

Class TLSClientAuthentication

java.lang.Object

com.nimbusds.oauth2.sdk.auth.ClientAuthentication

com.nimbusds.oauth2.sdk.auth.TLSClientAuthentication

@Immutable
public class TLSClientAuthentication
extends ClientAuthentication

PKI mutual TLS client authentication at the Token endpoint. The client certificate is PKI bound, as opposed to self_signed_tls_client_auth which relies on a self-signed certificate. Implements ClientAuthenticationMethod.TLS_CLIENT_AUTH.

Related specifications:

• OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens (draft-ietf-oauth-mtls-08), section 2.1.

Constructor Summary

Constructors

Constructor	Description
TLSClientAuthentication(ClientID clientID, String certSubjectDN)	Creates a new PKI mutual TLS client authentication.
TLSClientAuthentication(ClientID clientID, SSLSocketFactory sslSocketFactory)	Creates a new PKI mutual TLS client authentication.

Method Summary

Modifier and Type	Method	Description
void	applyTo(HTTPRequest httpRequest)	Applies the authentication to the specified HTTP request by setting its Authorization header and/or POST entity-body parameters (according to the implemented client authentication method).
String	getClientX509CertificateSubjectDN()	Gets the subject DN of the received validated client X.509 certificate.
SSLSocketFactory	getSSLSocketFactory()	Returns the SSL socket factory to use for an outgoing HTTPS request and to present the client certificate(s).
static TLSClientAuthentication	parse(HTTPRequest httpRequest)	Parses a PKI mutual TLS client authentication from the specified HTTP request.

Methods inherited from class com.nimbusds.oauth2.sdk.auth.ClientAuthentication

getClientID, getMethod

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

TLSClientAuthentication

public TLSClientAuthentication(ClientID clientID,
                               SSLSocketFactory sslSocketFactory)

Creates a new PKI mutual TLS client authentication. This constructor is intended for an outgoing token request.

Parameters:

clientID - The client identifier. Must not be null.

sslSocketFactory - The SSL socket factory to use for the outgoing HTTPS request and to present the client certificate(s), null to use the default one.

TLSClientAuthentication

public TLSClientAuthentication(ClientID clientID,
                               String certSubjectDN)

Creates a new PKI mutual TLS client authentication. This constructor is intended for a received token request.

Parameters:

clientID - The client identifier. Must not be null.

certSubjectDN - The subject DN of the received validated client X.509 certificate. Must not be null.

Method Detail

getClientX509CertificateSubjectDN

public String getClientX509CertificateSubjectDN()

Gets the subject DN of the received validated client X.509 certificate.

Returns:

The subject DN.

parse

public static TLSClientAuthentication parse(HTTPRequest httpRequest)
                                     throws ParseException

Parses a PKI mutual TLS client authentication from the specified HTTP request.

Parameters:

httpRequest - The HTTP request to parse. Must not be null and must include a validated client X.509 certificate.

Returns:

The PKI mutual TLS client authentication.

Throws:

ParseException - If the client_id or client X.509 certificate is missing.

getSSLSocketFactory

public SSLSocketFactory getSSLSocketFactory()

Returns the SSL socket factory to use for an outgoing HTTPS request and to present the client certificate(s).

Returns:

The SSL socket factory, null to use the default one.

applyTo

public void applyTo(HTTPRequest httpRequest)

Description copied from class: ClientAuthentication

Applies the authentication to the specified HTTP request by setting its Authorization header and/or POST entity-body parameters (according to the implemented client authentication method).

Specified by:

applyTo in class ClientAuthentication

Parameters:

httpRequest - The HTTP request. Must not be null.