Changes

Adds the ability to authenticate using JWT Client Authentication instead of a client secret.

New classes:

• ClientAssertionSigner - interface that defines the contract to create signed client authentication JWTs
• RSAClientAssertionSigner - implementation that supports RS256 and RS384 signing

New methods:

• AuthAPI.Builder#withClientAssertionSigning(ClientAssertionSigner signer) - configure the builder to use client assertion signing

Usage:

AuthAPI api = new AuthAPI.Builder("domain", "client-id")
    // defaults to RS256 algorithm
    .withClientAssertionSigning(new RSAClientAssertionSigner(rsaPrivateKey));
    .build();

A static method has also been added to AuthAPI for convenience:

AuthAPI api = AuthAPI.newBuilder("domain", "clientId", new RSAClientAssertionSigner(rsaPrivateKey)).build();

Note that in the event both a client secret and a client assertion is specified, the client assertion will be preferred.

References

https://openid.net/specs/openid-connect-core-1_0-15.html#ClientAuthentication

Testing

In addition to unit tests, tested using a client configured for client authentication and specified withClientAssertionSigner using an RSA signer from a public key in PEM format.