Class NimbusExtensionsKt

    • Method Detail

      • verifyPkce

         final static Unit verifyPkce(AuthenticationRequest $self, TokenRequest tokenRequest)
      • grantType

         final static GrantType grantType(TokenRequest $self)
      • authorizationCode

         final static AuthorizationCode authorizationCode(TokenRequest $self)
      • grant

         final static <T extends AuthorizationGrant> T grant(TokenRequest $self, Class<T> type)
      • verifySignatureAndIssuer

         final static JWTClaimsSet verifySignatureAndIssuer(SignedJWT $self, Issuer issuer, JWKSet jwkSet, JWSAlgorithm jwsAlgorithm)
      • requirePrivateKeyJwt

         final static PrivateKeyJWT requirePrivateKeyJwt(ClientAuthentication $self, String requiredAudience, Long maxLifetimeSeconds, String additionalAcceptedAudience)

        TODO: We currently accept multiple audiences for backwards compatibility as updates to RFC7523 are pending. Relevant excerpts:

        The JWT MUST contain an aud (audience) claim containing the issuer identifier RFC8414 of the authorization server as its sole value.

        Unlike the aud value specified in RFC7523, there MUST be no value other than the issuer identifier of the intended authorization server used as the audience of the JWT; this includes that the token endpoint URL of the authorization server MUST NOT be used as an audience value.

        The authorization server MUST reject any JWT that does not contain its issuer identifier as its sole audience value.

        See RFC7523bis for details. Compliance with the RFC will require breaking changes.
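
The gap between accepting multiple audiences and the sole-audience rule quoted above, as an added Kotlin example (not this project's code). The helper names, the sample URLs and the model of the backwards-compatible check are assumptions; only `JWTClaimsSet` and its builder come from Nimbus.

```kotlin
import com.nimbusds.jwt.JWTClaimsSet

// Added illustration; these helpers are hypothetical and are not part of NimbusExtensionsKt.

/** Strict rule from the excerpts: aud holds the issuer identifier and nothing else. */
fun hasSoleAudience(claims: JWTClaimsSet, issuer: String): Boolean =
    claims.audience == listOf(issuer)

/**
 * Assumed model of the backwards-compatible check: at least one aud value matches
 * an accepted audience, and extra values are tolerated.
 */
fun hasAcceptedAudience(
    claims: JWTClaimsSet,
    requiredAudience: String,
    additionalAcceptedAudience: String? = null,
): Boolean {
    val accepted = setOfNotNull(requiredAudience, additionalAcceptedAudience)
    return claims.audience.any { it in accepted }
}

fun main() {
    // Constructed sample values.
    val issuer = "https://as.example.com"
    val tokenEndpoint = "https://as.example.com/token"

    val samples = mapOf(
        "issuer only" to listOf(issuer),
        "issuer + token endpoint" to listOf(issuer, tokenEndpoint),
        "token endpoint only" to listOf(tokenEndpoint),
        "unrelated audience" to listOf("https://other.example.net"),
        "empty aud" to emptyList<String>(),
    )

    // Print both verdicts side by side so the cases that a strict check would
    // start rejecting (the breaking change) are visible.
    for ((label, aud) in samples) {
        val claims = JWTClaimsSet.Builder().audience(aud).build()
        val lenient = hasAcceptedAudience(claims, issuer, tokenEndpoint)
        val strict = hasSoleAudience(claims, issuer)
        println("$label: lenient=$lenient strict=$strict")
    }
}
```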