|
| 1 | +## Classes |
| 2 | + |
| 3 | +<dl> |
| 4 | +<dt><a href="#JwtBearerClientAuthentication">JwtBearerClientAuthentication</a> ⇐ <code>AbstractClientAuthentication</code></dt> |
| 5 | +<dd><p>JWT client assertion authentication — <code>client_assertion</code> + |
| 6 | +<code>client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer</code>.</p> |
| 7 | +<p>Covers both OIDC methods, distinguished by the JWS <code>alg</code> of the assertion:</p> |
| 8 | +<ul> |
| 9 | +<li><code>client_secret_jwt</code> — HMAC (<code>HS*</code>), keyed by the client secret;</li> |
| 10 | +<li><code>private_key_jwt</code> — asymmetric (<code>RS*</code>/<code>PS*</code>/<code>ES*</code>), verified against |
| 11 | +the client's registered public keys (a JWK Set).</li> |
| 12 | +</ul> |
| 13 | +<p>The library owns the <em>protocol</em> (parse → resolve client → verify → bind); |
| 14 | +key material and replay state come from the model/client. This method is |
| 15 | +opt-in (it requires per-deployment <code>audience</code> configuration); register it |
| 16 | +via the <code>extendedClientAuthentication</code> server option.</p> |
| 17 | +</dd> |
| 18 | +<dt><a href="#JwtBearerClientAuthentication">JwtBearerClientAuthentication</a></dt> |
| 19 | +<dd></dd> |
| 20 | +</dl> |
| 21 | + |
| 22 | +## Constants |
| 23 | + |
| 24 | +<dl> |
| 25 | +<dt><a href="#CLIENT_ASSERTION_TYPE">CLIENT_ASSERTION_TYPE</a></dt> |
| 26 | +<dd><p>The <code>client_assertion_type</code> value identifying a JWT client assertion.</p> |
| 27 | +</dd> |
| 28 | +</dl> |
| 29 | + |
| 30 | +<a name="JwtBearerClientAuthentication"></a> |
| 31 | + |
| 32 | +## JwtBearerClientAuthentication ⇐ <code>AbstractClientAuthentication</code> |
| 33 | +JWT client assertion authentication — `client_assertion` + |
| 34 | +`client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer`. |
| 35 | + |
| 36 | +Covers both OIDC methods, distinguished by the JWS `alg` of the assertion: |
| 37 | + - `client_secret_jwt` — HMAC (`HS*`), keyed by the client secret; |
| 38 | + - `private_key_jwt` — asymmetric (`RS*`/`PS*`/`ES*`), verified against |
| 39 | + the client's registered public keys (a JWK Set). |
| 40 | + |
| 41 | +The library owns the *protocol* (parse → resolve client → verify → bind); |
| 42 | +key material and replay state come from the model/client. This method is |
| 43 | +opt-in (it requires per-deployment `audience` configuration); register it |
| 44 | +via the `extendedClientAuthentication` server option. |
| 45 | + |
| 46 | +**Kind**: global class |
| 47 | +**Extends**: <code>AbstractClientAuthentication</code> |
| 48 | +**See** |
| 49 | + |
| 50 | +- https://datatracker.ietf.org/doc/html/rfc7521#section-4.2 |
| 51 | +- https://datatracker.ietf.org/doc/html/rfc7523#section-2.2 |
| 52 | +- https://datatracker.ietf.org/doc/html/rfc7523#section-3 |
| 53 | +- https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication |
| 54 | + |
| 55 | + |
| 56 | +* [JwtBearerClientAuthentication](#JwtBearerClientAuthentication) ⇐ <code>AbstractClientAuthentication</code> |
| 57 | + * [new JwtBearerClientAuthentication(options)](#new_JwtBearerClientAuthentication_new) |
| 58 | + * [.defaultGetKey()](#JwtBearerClientAuthentication+defaultGetKey) |
| 59 | + * [.assertNotReplayed()](#JwtBearerClientAuthentication+assertNotReplayed) |
| 60 | + |
| 61 | +<a name="new_JwtBearerClientAuthentication_new"></a> |
| 62 | + |
| 63 | +### new JwtBearerClientAuthentication(options) |
| 64 | + |
| 65 | +| Param | Type | Description | |
| 66 | +| --- | --- | --- | |
| 67 | +| options | <code>object</code> | | |
| 68 | +| options.audience | <code>string</code> \| <code>Array.<string></code> | the value(s) the assertion's `aud` claim must contain — typically this authorization server's token endpoint URL and/or its issuer identifier. REQUIRED. | |
| 69 | +| [options.maxTokenAge] | <code>number</code> | maximum assertion age in seconds, measured from `iat` (enabling this requires assertions to carry `iat`). | |
| 70 | +| [options.clockTolerance] | <code>number</code> | clock skew tolerance in seconds. | |
| 71 | +| [options.algorithms] | <code>Array.<string></code> | override the accepted JWS algorithms. | |
| 72 | +| [options.getKey] | <code>function</code> | `(client, header) => key` override key resolution. By default HMAC keys derive from `client.secret` and asymmetric keys come from `client.jwks` (a JWK Set) or `client.jwksUri`. | |
| 73 | + |
| 74 | +<a name="JwtBearerClientAuthentication+defaultGetKey"></a> |
| 75 | + |
| 76 | +### jwtBearerClientAuthentication.defaultGetKey() |
| 77 | +Default key resolution: HMAC from the client secret, asymmetric from the |
| 78 | +client's registered JWK Set (inline `jwks` or remote `jwksUri`). |
| 79 | + |
| 80 | +**Kind**: instance method of [<code>JwtBearerClientAuthentication</code>](#JwtBearerClientAuthentication) |
| 81 | +<a name="JwtBearerClientAuthentication+assertNotReplayed"></a> |
| 82 | + |
| 83 | +### jwtBearerClientAuthentication.assertNotReplayed() |
| 84 | +Single-use replay protection. Opt-in: only enforced when the model |
| 85 | +implements the replay hooks. The identifier passed to the hooks is the |
| 86 | +assertion's `jti` when present, otherwise a fingerprint of its signing |
| 87 | +input — so replay protection applies even to assertions without a `jti` |
| 88 | +(OIDC Core §9 requires `jti`; RFC 7523 §3 makes it optional). |
| 89 | + |
| 90 | +**Kind**: instance method of [<code>JwtBearerClientAuthentication</code>](#JwtBearerClientAuthentication) |
| 91 | +<a name="JwtBearerClientAuthentication"></a> |
| 92 | + |
| 93 | +## JwtBearerClientAuthentication |
| 94 | +**Kind**: global class |
| 95 | + |
| 96 | +* [JwtBearerClientAuthentication](#JwtBearerClientAuthentication) |
| 97 | + * [new JwtBearerClientAuthentication(options)](#new_JwtBearerClientAuthentication_new) |
| 98 | + * [.defaultGetKey()](#JwtBearerClientAuthentication+defaultGetKey) |
| 99 | + * [.assertNotReplayed()](#JwtBearerClientAuthentication+assertNotReplayed) |
| 100 | + |
| 101 | +<a name="new_JwtBearerClientAuthentication_new"></a> |
| 102 | + |
| 103 | +### new JwtBearerClientAuthentication(options) |
| 104 | + |
| 105 | +| Param | Type | Description | |
| 106 | +| --- | --- | --- | |
| 107 | +| options | <code>object</code> | | |
| 108 | +| options.audience | <code>string</code> \| <code>Array.<string></code> | the value(s) the assertion's `aud` claim must contain — typically this authorization server's token endpoint URL and/or its issuer identifier. REQUIRED. | |
| 109 | +| [options.maxTokenAge] | <code>number</code> | maximum assertion age in seconds, measured from `iat` (enabling this requires assertions to carry `iat`). | |
| 110 | +| [options.clockTolerance] | <code>number</code> | clock skew tolerance in seconds. | |
| 111 | +| [options.algorithms] | <code>Array.<string></code> | override the accepted JWS algorithms. | |
| 112 | +| [options.getKey] | <code>function</code> | `(client, header) => key` override key resolution. By default HMAC keys derive from `client.secret` and asymmetric keys come from `client.jwks` (a JWK Set) or `client.jwksUri`. | |
| 113 | + |
| 114 | +<a name="JwtBearerClientAuthentication+defaultGetKey"></a> |
| 115 | + |
| 116 | +### jwtBearerClientAuthentication.defaultGetKey() |
| 117 | +Default key resolution: HMAC from the client secret, asymmetric from the |
| 118 | +client's registered JWK Set (inline `jwks` or remote `jwksUri`). |
| 119 | + |
| 120 | +**Kind**: instance method of [<code>JwtBearerClientAuthentication</code>](#JwtBearerClientAuthentication) |
| 121 | +<a name="JwtBearerClientAuthentication+assertNotReplayed"></a> |
| 122 | + |
| 123 | +### jwtBearerClientAuthentication.assertNotReplayed() |
| 124 | +Single-use replay protection. Opt-in: only enforced when the model |
| 125 | +implements the replay hooks. The identifier passed to the hooks is the |
| 126 | +assertion's `jti` when present, otherwise a fingerprint of its signing |
| 127 | +input — so replay protection applies even to assertions without a `jti` |
| 128 | +(OIDC Core §9 requires `jti`; RFC 7523 §3 makes it optional). |
| 129 | + |
| 130 | +**Kind**: instance method of [<code>JwtBearerClientAuthentication</code>](#JwtBearerClientAuthentication) |
| 131 | +<a name="CLIENT_ASSERTION_TYPE"></a> |
| 132 | + |
| 133 | +## CLIENT\_ASSERTION\_TYPE |
| 134 | +The `client_assertion_type` value identifying a JWT client assertion. |
| 135 | + |
| 136 | +**Kind**: global constant |
| 137 | +**See**: https://datatracker.ietf.org/doc/html/rfc7523#section-2.2 |
0 commit comments