java.lang.Object
- com.nimbusds.oauth2.sdk.auth.verifier.ClientAuthenticationVerifier<T>

```
@ThreadSafe
public class ClientAuthenticationVerifier<T>
extends Object
```
Client authentication verifier.
Related specifications:
- OAuth 2.0 (RFC 6749), sections 2.3.1 and 3.2.1.
- OpenID Connect Core 1.0, section 9.
- JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7523).
- OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens (RFC 8705), section 2.

Constructor Summary

Constructors
Constructor	Description
`ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector, ClientX509CertificateBindingVerifier<T> certBindingVerifier, Set<Audience> expectedAudience)`	Deprecated. Use the constructor with `PKIClientX509CertificateBindingVerifier`
`ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector, PKIClientX509CertificateBindingVerifier<T> pkiCertBindingVerifier, Set<Audience> expectedAudience)`	Creates a new client authentication verifier.
`ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector, PKIClientX509CertificateBindingVerifier<T> pkiCertBindingVerifier, Set<Audience> expectedAudience, ExpendedJTIChecker<T> expendedJTIChecker, long expMaxAhead)`	Creates a new client authentication verifier.
`ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector, Set<Audience> expectedAudience)`	Creates a new client authentication verifier without support for `tls_client_auth`.
`ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector, Set<Audience> expectedAudience, ExpendedJTIChecker<T> expendedJTIChecker)`	Creates a new client authentication verifier without support for `tls_client_auth`.

Method Summary

All Methods Instance Methods Concrete Methods Deprecated Methods
Modifier and Type	Method	Description
`ClientCredentialsSelector<T>`	`getClientCredentialsSelector()`	Returns the client credentials selector.
`ClientX509CertificateBindingVerifier<T>`	`getClientX509CertificateBindingVerifier()`	Deprecated. See `PKIClientX509CertificateBindingVerifier`
`Set<Audience>`	`getExpectedAudience()`	Returns the permitted audience values in JWT authentication assertions.
`ExpendedJTIChecker<T>`	`getExpendedJTIChecker()`	Returns the optional expended JWT ID (jti) claim checker to prevent JWT replay.
`PKIClientX509CertificateBindingVerifier<T>`	`getPKIClientX509CertificateBindingVerifier()`	Returns the client X.509 certificate binding verifier for use in `tls_client_auth`.
`void`	`verify(ClientAuthentication clientAuth, Set<Hint> hints, Context<T> context)`	Verifies a client authentication request.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Constructor Detail
  - ClientAuthenticationVerifier
```
@Deprecated
public ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector,
                                    ClientX509CertificateBindingVerifier<T> certBindingVerifier,
                                    Set<Audience> expectedAudience)
```
    Deprecated.
    Use the constructor with PKIClientX509CertificateBindingVerifier
    
    Creates a new client authentication verifier.
    
    Parameters:
    
    clientCredentialsSelector - The client credentials selector. Must not be null.
    
    certBindingVerifier - Optional client X.509 certificate binding verifier for tls_client_auth, null if not supported.
    
    expectedAudience - The permitted audience (aud) claim values in JWT authentication assertions. Must not be empty or null. Should typically contain the token endpoint URI and for OpenID provider it may also include the issuer URI.
  - ClientAuthenticationVerifier
```
public ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector,
                                    Set<Audience> expectedAudience)
```
    Creates a new client authentication verifier without support for tls_client_auth.
    
    Parameters:
    
    clientCredentialsSelector - The client credentials selector. Must not be null.
    
    expectedAudience - The permitted audience (aud) claim values in JWT authentication assertions. Must not be empty or null. Should typically contain the token endpoint URI and for OpenID provider it may also include the issuer URI.
  - ClientAuthenticationVerifier
```
public ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector,
                                    Set<Audience> expectedAudience,
                                    ExpendedJTIChecker<T> expendedJTIChecker)
```
    Creates a new client authentication verifier without support for tls_client_auth.
    
    Parameters:
    
    clientCredentialsSelector - The client credentials selector. Must not be null.
    
    expectedAudience - The permitted audience (aud) claim values in JWT authentication assertions. Must not be empty or null. Should typically contain the token endpoint URI and for OpenID provider it may also include the issuer URI.
    
    expendedJTIChecker - Optional expended JWT ID (jti) claim checker to prevent JWT replay, null if none.
  - ClientAuthenticationVerifier
```
public ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector,
                                    PKIClientX509CertificateBindingVerifier<T> pkiCertBindingVerifier,
                                    Set<Audience> expectedAudience)
```
    Creates a new client authentication verifier.
    
    Parameters:
    
    clientCredentialsSelector - The client credentials selector. Must not be null.
    
    pkiCertBindingVerifier - Optional client X.509 certificate binding verifier for tls_client_auth, null if not supported.
    
    expectedAudience - The permitted audience (aud) claim values in JWT authentication assertions. Must not be empty or null. Should typically contain the token endpoint URI and for OpenID provider it may also include the issuer URI.
  - ClientAuthenticationVerifier
```
public ClientAuthenticationVerifier(ClientCredentialsSelector<T> clientCredentialsSelector,
                                    PKIClientX509CertificateBindingVerifier<T> pkiCertBindingVerifier,
                                    Set<Audience> expectedAudience,
                                    ExpendedJTIChecker<T> expendedJTIChecker,
                                    long expMaxAhead)
```
    Creates a new client authentication verifier.
    
    Parameters:
    
    clientCredentialsSelector - The client credentials selector. Must not be null.
    
    pkiCertBindingVerifier - Optional client X.509 certificate binding verifier for tls_client_auth, null if not supported.
    
    expectedAudience - The permitted audience (aud) claim values in JWT authentication assertions. Must not be empty or null. Should typically contain the token endpoint URI and for OpenID provider it may also include the issuer URI.
    
    expendedJTIChecker - Optional expended JWT ID (jti) claim checker to prevent JWT replay, null if none.
    
    expMaxAhead - The maximum number of seconds the expiration time (exp) claim can be ahead of the current time, if zero or negative this check is disabled.
- Method Detail
  - getClientCredentialsSelector
```
public ClientCredentialsSelector<T> getClientCredentialsSelector()
```
    Returns the client credentials selector.
    
    Returns:
    
    The client credentials selector.
  - getClientX509CertificateBindingVerifier
```
@Deprecated
public ClientX509CertificateBindingVerifier<T> getClientX509CertificateBindingVerifier()
```
    Deprecated.
    See PKIClientX509CertificateBindingVerifier
    
    Returns the client X.509 certificate binding verifier for use in tls_client_auth.
    
    Returns:
    
    The client X.509 certificate binding verifier, null if not specified.
  - getPKIClientX509CertificateBindingVerifier
```
public PKIClientX509CertificateBindingVerifier<T> getPKIClientX509CertificateBindingVerifier()
```
    Returns the client X.509 certificate binding verifier for use in tls_client_auth.
    
    Returns:
    
    The client X.509 certificate binding verifier, null if not specified.
  - getExpectedAudience
```
public Set<Audience> getExpectedAudience()
```
    Returns the permitted audience values in JWT authentication assertions.
    
    Returns:
    
    The permitted audience (aud) claim values.
  - getExpendedJTIChecker
```
public ExpendedJTIChecker<T> getExpendedJTIChecker()
```
    Returns the optional expended JWT ID (jti) claim checker to prevent JWT replay.
    
    Returns:
    
    The expended JWT ID (jti) claim checker, null if none.
  - verify
```
public void verify(ClientAuthentication clientAuth,
                   Set<Hint> hints,
                   Context<T> context)
            throws InvalidClientException,
                   com.nimbusds.jose.JOSEException
```
    Verifies a client authentication request.
    
    Parameters:
    
    clientAuth - The client authentication. Must not be null.
    
    hints - Optional hints to the verifier, empty set of null if none.
    
    context - Additional context to be passed to the client credentials selector. May be null.
    
    Throws:
    
    InvalidClientException - If the client authentication is invalid, typically due to bad credentials.
    
    com.nimbusds.jose.JOSEException - If authentication failed due to an internal JOSE / JWT processing exception.

Class ClientAuthenticationVerifier<T>

Constructor Summary

Method Summary

Methods inherited from class java.lang.Object

Constructor Detail

ClientAuthenticationVerifier

ClientAuthenticationVerifier

ClientAuthenticationVerifier

ClientAuthenticationVerifier

ClientAuthenticationVerifier

Method Detail

getClientCredentialsSelector

getClientX509CertificateBindingVerifier

getPKIClientX509CertificateBindingVerifier

getExpectedAudience

getExpendedJTIChecker

verify