public class RealmOAuth2ProviderSettings extends Object implements OAuth2ProviderSettings

| Constructor and Description |
|---|
| RealmOAuth2ProviderSettings(OpenAMSettings settings, String realm, ResourceSetStore resourceSetStore, ServiceConfigManagerFactory serviceConfigManagerFactory). Constructs a new OpenAMOAuth2ProviderSettings. |

| Modifier and Type | Method | Description |
|---|---|---|
| Map<String,String> | additionalDataToReturnFromAuthorizeEndpoint(Map<String,Token> tokens, OAuth2Request request) | Provided as an extension point to allow the OAuth2 provider to return additional data from an authorization request. |
| void | additionalDataToReturnFromTokenEndpoint(AccessToken accessToken, OAuth2Request request) | Provided as an extension point to allow the OAuth2 provider to return additional data from an access token request. |
| boolean | clientsCanSkipConsent() | Whether clients can opt to skip resource owner consent during authorization flows. |
| Map<String,Object> | evaluateScope(AccessToken accessToken) | Gets the specified access token's information. |
| boolean | exists() | Checks whether the config exists. |
| long | getAccessTokenLifetime() | Gets the lifetime an access token will have before it expires. |
| Map<String,AuthenticationMethod> | getAcrMapping() | Returns a mapping from Authentication Context Class Reference (ACR) values (typically a Level of Assurance value) to concrete authentication methods. |
| Map<String,ResponseTypeHandler> | getAllowedResponseTypes() | Gets the response types allowed by the OAuth2 provider. |
| Map<String,String> | getAMRAuthModuleMappings() | The mappings between amr values and auth module names. |
| long | getAuthorizationCodeLifetime() | Gets the lifetime an authorization code will have before it expires. |
| boolean | getClaimsParameterSupported() | Returns whether this provider supports claims requested via the 'claims' parameter. |
| String | getCompletionUrl() | The URL that the user will be sent to on completion of their OAuth 2 login and consent when using the device code flow. |
| String | getCreatedTimestampAttributeName() | Gets the created timestamp attribute name. |
| freemarker.template.Template | getCustomLoginUrlTemplate() | Gets the custom login URL template which will create the URL to redirect resource owners to for authentication. |
| String | getDefaultAcrValues() | The default Authentication Context Class Reference (ACR) values to use for authentication if none is specified in the request. |
| Set<String> | getDefaultScopes() | Gets the default set of scopes to give a client registering with this provider. |
| int | getDeviceCodeLifetime() | The lifetime of the device code. |
| int | getDeviceCodePollInterval() | The polling interval for devices waiting for tokens when using the device code flow. |
| Set<String> | getEndpointAuthMethodsSupported() | Returns the token_endpoint_auth_methods available for clients to register (and subsequently authenticate) using. |
| String | getHashSalt() | Returns the salt to use for hashing sub values upon pairwise requests. |
| org.forgerock.json.JsonValue | getJWKSet() | Gets the JWK Set for this OAuth2 Authorization / OpenID Provider. |
| String | getJWKSUri() | Gets the JSON Web Key Set URI. |
| String | getModifiedTimestampAttributeName() | Gets the modified timestamp attribute name. |
| String | getOpenIDConnectVersion() | Gets the supported version of the OpenID Connect specification. |
| long | getOpenIdTokenLifetime() | Gets the lifetime an OpenID token will have before it expires. |
| long | getRefreshTokenLifetime() | Gets the lifetime a refresh token will have before it expires. |
| Set<String> | getResourceOwnerAuthenticatedAttributes() | Gets the attributes of the resource owner that are used for authenticating resource owners. |
| ResourceSetStore | getResourceSetStore() | Returns the ResourceSetStore instance for the realm. |
| KeyPair | getSigningKeyPair(org.forgerock.json.jose.jws.JwsAlgorithm algorithm) | Gets the signing key pair of the OAuth2 provider. |
| Set<String> | getSupportedClaims() | Gets the supported claims for this provider. |
| Set<String> | getSupportedClaimsWithTranslations() | Gets the supported claims for this provider as strings with pipe-separated translations. |
| Set<String> | getSupportedIDTokenEncryptionAlgorithms() | Gets the algorithms that the OAuth2 provider supports for encrypting OpenID tokens. |
| Set<String> | getSupportedIDTokenEncryptionMethods() | Gets the encryption methods that the OAuth2 provider supports for encrypting OpenID tokens. |
| Set<String> | getSupportedIDTokenSigningAlgorithms() | Gets the algorithms that the OAuth2 provider supports for signing OpenID tokens. |
| Set<String> | getSupportedScopes() | Gets the supported scopes for this provider without translations. |
| Set<String> | getSupportedScopesWithTranslations() | Gets the supported scopes for this provider, with translations. |
| Set<String> | getSupportedSubjectTypes() | Gets the subject types supported by the OAuth2 provider. |
| String | getTokenHmacSharedSecret() | Gets the Base64 encoded shared secret used to sign stateless access and refresh tokens. |
| String | getTokenSigningAlgorithm() | Gets the signing algorithm used when issuing stateless access and refresh tokens. |
| String | getUserDisplayNameAttribute() | The attribute that can be used to obtain a UI-displayable name for a user's AMIdentity. |
| UserInfoClaims | getUserInfo(ClientRegistration clientRegistration, AccessToken token, OAuth2Request request) | Gets the resource owner's information based on an issued access token or request. |
| String | getVerificationUrl() | The URL that the user will be instructed to visit to complete their OAuth 2 login and consent when using the device code flow. |
| boolean | isAlwaysAddClaimsToToken() | Whether to always add claims to id_tokens (non-spec compliant). |
| boolean | isCodeVerifierRequired() | Whether or not to enforce the Code Verifier Parameter. |
| boolean | isConsentSaved(ResourceOwner resourceOwner, String clientId, Set<String> scope) | Determines whether a resource owner's consent has been saved from a previous authorize request. |
| boolean | isIdTokenInfoClientAuthenticationEnabled() | Determines whether the idtokeninfo endpoint should require client authentication. |
| boolean | isOpenDynamicClientRegistrationAllowed() | Indicates whether clients may register without providing an access token. |
| boolean | isOpenIDConnectSSOProviderEnabled() | Whether OpenID Connect ID Tokens are accepted as SSOTokens in this realm or not. |
| boolean | isRegistrationAccessTokenGenerationEnabled() | Whether to generate access tokens for clients that register without one. |
| boolean | isSaveConsentEnabled() | Determines if the consent can be saved or not, due to a lack of configuration. |
| boolean | isStatelessTokensEnabled() | Determines whether access and refresh tokens should be stateless. |
| boolean | issueRefreshTokens() | Whether the OAuth2 provider should issue refresh tokens when issuing access tokens. |
| boolean | issueRefreshTokensOnRefreshingToken() | Whether the OAuth2 provider should issue refresh tokens when refreshing access tokens. |
| boolean | isTokenCompressionEnabled() | Determines whether token compression is enabled for stateless access and refresh tokens. |
| void | revokeConsent(String userId, String clientId) | Revokes the resource owner's consent for granting authorization to the specified client. |
| void | saveConsent(ResourceOwner resourceOwner, String clientId, Set<String> scope) | Saves the resource owner's consent for granting authorization to the specified client with the specified scope. |
| boolean | shouldStoreOpsTokens() | Whether to generate and store an ops token in CTS for this OIDC provider. |
| Set<String> | validateAccessTokenScope(ClientRegistration clientRegistration, Set<String> scope, OAuth2Request request) | Provided as an extension point to allow the OAuth2 provider to customise the scope requested when an access token is requested. |
| Set<String> | validateAuthorizationScope(ClientRegistration clientRegistration, Set<String> scope, OAuth2Request request) | Provided as an extension point to allow the OAuth2 provider to customise the scope requested when authorization is requested. |
| Set<String> | validateRefreshTokenScope(ClientRegistration clientRegistration, Set<String> requestedScope, Set<String> tokenScope, OAuth2Request request) | Provided as an extension point to allow the OAuth2 provider to customise the scope requested when a refresh token is requested. |
| String | validateRequestedClaims(String requestedClaims) | Validates that the requested claims are appropriate to be requested by the given client. |
public RealmOAuth2ProviderSettings(OpenAMSettings settings, String realm, ResourceSetStore resourceSetStore, ServiceConfigManagerFactory serviceConfigManagerFactory)
Parameters:
- settings - OpenAM settings.
- realm - The realm.
- resourceSetStore - An instance of the ResourceSetStore for the current realm.
- serviceConfigManagerFactory - Factory for creating ServiceConfigManager instances.

public boolean isStatelessTokensEnabled() throws ServerException
Specified by: isStatelessTokensEnabled in interface OAuth2ProviderSettings
Returns: true if access and refresh tokens are stateless.
Throws:
- ServerException - If any internal server error occurs.

public boolean isIdTokenInfoClientAuthenticationEnabled() throws ServerException
Specified by: isIdTokenInfoClientAuthenticationEnabled in interface OAuth2ProviderSettings
Returns: true if the idtokeninfo endpoint requires client authentication.
Throws:
- ServerException - If any internal server error occurs.

public String getTokenSigningAlgorithm() throws ServerException
Specified by: getTokenSigningAlgorithm in interface OAuth2ProviderSettings
Throws:
- ServerException - If any internal server error occurs.

public boolean isTokenCompressionEnabled() throws ServerException
Specified by: isTokenCompressionEnabled in interface OAuth2ProviderSettings
Throws:
- ServerException - If an error occurs reading the settings.

public String getTokenHmacSharedSecret() throws ServerException
Specified by: getTokenHmacSharedSecret in interface OAuth2ProviderSettings
Throws:
- ServerException - If any internal server error occurs.

public Map<String,ResponseTypeHandler> getAllowedResponseTypes() throws UnsupportedResponseTypeException, ServerException
Specified by: getAllowedResponseTypes in interface OAuth2ProviderSettings
Throws:
- UnsupportedResponseTypeException - If the requested response type is not supported by either the client or the OAuth2 provider.
- ServerException - If any internal server error occurs.

public boolean isSaveConsentEnabled()
Specified by: isSaveConsentEnabled in interface OAuth2ProviderSettings
Returns: true if the consent can be saved, false if it is not configured properly.

public boolean isConsentSaved(ResourceOwner resourceOwner, String clientId, Set<String> scope)
Specified by: isConsentSaved in interface OAuth2ProviderSettings
Parameters:
- resourceOwner - The resource owner.
- clientId - The id of the client making the request.
- scope - The requested scope.
Returns: true if the resource owner has previously requested that consent should be saved from the specified client and the exact scope.

public Set<String> validateAuthorizationScope(ClientRegistration clientRegistration, Set<String> scope, OAuth2Request request) throws ServerException, InvalidScopeException
Specified by: validateAuthorizationScope in interface OAuth2ProviderSettings
Parameters:
- clientRegistration - The client registration.
- scope - The requested scope.
Throws:
- ServerException - If any internal server error occurs.
- InvalidScopeException - If the requested scope is invalid, unknown, or malformed.

public Set<String> validateAccessTokenScope(ClientRegistration clientRegistration, Set<String> scope, OAuth2Request request) throws ServerException, InvalidScopeException
Specified by: validateAccessTokenScope in interface OAuth2ProviderSettings
Parameters:
- clientRegistration - The client registration.
- scope - The requested scope.
- request - The OAuth2 request.
Throws:
- ServerException - If any internal server error occurs.
- InvalidScopeException - If the requested scope is invalid, unknown, or malformed.

public Set<String> validateRefreshTokenScope(ClientRegistration clientRegistration, Set<String> requestedScope, Set<String> tokenScope, OAuth2Request request) throws ServerException, InvalidScopeException
Specified by: validateRefreshTokenScope in interface OAuth2ProviderSettings
Parameters:
- clientRegistration - The client registration.
- requestedScope - The requested scope.
- tokenScope - The scope from the access token.
- request - The OAuth2 request.
Throws:
- ServerException - If any internal server error occurs.
- InvalidScopeException - If the requested scope is invalid, unknown, or malformed.

public UserInfoClaims getUserInfo(ClientRegistration clientRegistration, AccessToken token, OAuth2Request request) throws ServerException, UnauthorizedClientException, NotFoundException
Specified by: getUserInfo in interface OAuth2ProviderSettings
Parameters:
- clientRegistration - The client registration.
- token - The access token.
- request - The OAuth2 request.
Throws:
- ServerException - If any internal server error occurs.
- UnauthorizedClientException - If the client's authorization fails.
- NotFoundException - If the realm does not have an OAuth 2.0 provider service.

public Map<String,Object> evaluateScope(AccessToken accessToken) throws ServerException
Specified by: evaluateScope in interface OAuth2ProviderSettings
Parameters:
- accessToken - The access token.
Returns: Map<String, Object> of the access token's information.
Throws:
- ServerException - If any internal server error occurs.

public Map<String,String> additionalDataToReturnFromAuthorizeEndpoint(Map<String,Token> tokens, OAuth2Request request) throws ServerException
Specified by: additionalDataToReturnFromAuthorizeEndpoint in interface OAuth2ProviderSettings
Parameters:
- tokens - The tokens that will be returned from the authorization call.
- request - The OAuth2 request.
Returns: Map<String, String> of the additional data to return.
Throws:
- ServerException - If any internal server error occurs.

public void additionalDataToReturnFromTokenEndpoint(AccessToken accessToken, OAuth2Request request) throws ServerException, InvalidClientException, NotFoundException
Specified by: additionalDataToReturnFromTokenEndpoint in interface OAuth2ProviderSettings
Parameters:
- accessToken - The access token.
- request - The OAuth2 request.
Throws:
- ServerException - If any internal server error occurs.
- InvalidClientException - If either the request does not contain the client's id or the client fails to be authenticated.
- NotFoundException - If the realm does not have an OAuth 2.0 provider service.

public void saveConsent(ResourceOwner resourceOwner, String clientId, Set<String> scope)
Specified by: saveConsent in interface OAuth2ProviderSettings
Parameters:
- resourceOwner - The resource owner.
- clientId - The client id.
- scope - The requested scope.

public void revokeConsent(String userId, String clientId)
Specified by: revokeConsent in interface OAuth2ProviderSettings
Parameters:
- userId - The user id.
- clientId - The client id.

public boolean issueRefreshTokens() throws ServerException
Specified by: issueRefreshTokens in interface OAuth2ProviderSettings
Returns: true if refresh tokens should be issued.
Throws:
- ServerException - If any internal server error occurs.

public boolean issueRefreshTokensOnRefreshingToken() throws ServerException
Specified by: issueRefreshTokensOnRefreshingToken in interface OAuth2ProviderSettings
Returns: true if refresh tokens should be issued when access tokens are refreshed.
Throws:
- ServerException - If any internal server error occurs.

public long getAuthorizationCodeLifetime() throws ServerException
Specified by: getAuthorizationCodeLifetime in interface OAuth2ProviderSettings
Throws:
- ServerException - If any internal server error occurs.

public long getAccessTokenLifetime() throws ServerException
Specified by: getAccessTokenLifetime in interface OAuth2ProviderSettings
Throws:
- ServerException - If any internal server error occurs.

public long getOpenIdTokenLifetime() throws ServerException
Specified by: getOpenIdTokenLifetime in interface OAuth2ProviderSettings
Throws:
- ServerException - If any internal server error occurs.

public long getRefreshTokenLifetime() throws ServerException
Specified by: getRefreshTokenLifetime in interface OAuth2ProviderSettings
Throws:
- ServerException - If any internal server error occurs.

public KeyPair getSigningKeyPair(org.forgerock.json.jose.jws.JwsAlgorithm algorithm) throws ServerException
Specified by: getSigningKeyPair in interface OAuth2ProviderSettings
Parameters:
- algorithm - The signing algorithm.
Throws:
- ServerException - If any internal server error occurs.

public Set<String> getResourceOwnerAuthenticatedAttributes() throws ServerException
Specified by: getResourceOwnerAuthenticatedAttributes in interface OAuth2ProviderSettings
Returns: Set of resource owner attributes.
Throws:
- ServerException - If any internal server error occurs.

public Set<String> getSupportedClaims() throws ServerException
Specified by: getSupportedClaims in interface OAuth2ProviderSettings
Returns: Set of the supported claims.
Throws:
- ServerException - If any internal server error occurs.

public Set<String> getSupportedClaimsWithTranslations() throws ServerException
Specified by: getSupportedClaimsWithTranslations in interface OAuth2ProviderSettings
Returns: Set of the supported claims.
Throws:
- ServerException - If any internal server error occurs.

public Set<String> getSupportedScopes() throws ServerException
Specified by: getSupportedScopes in interface OAuth2ProviderSettings
Returns: Set of the supported scopes.
Throws:
- ServerException - If any internal server error occurs.

public Set<String> getSupportedScopesWithTranslations() throws ServerException
Specified by: getSupportedScopesWithTranslations in interface OAuth2ProviderSettings
Returns: Set of the supported scopes.
Throws:
- ServerException - If any internal server error occurs.

public Set<String> getDefaultScopes() throws ServerException
Specified by: getDefaultScopes in interface OAuth2ProviderSettings
Returns: Set of the default scopes.
Throws:
- ServerException - If any internal server error occurs.

public Set<String> getSupportedIDTokenSigningAlgorithms() throws ServerException
Specified by: getSupportedIDTokenSigningAlgorithms in interface OAuth2ProviderSettings
Returns: Set of the supported algorithms.
Throws:
- ServerException - If any internal server error occurs.

public Set<String> getSupportedIDTokenEncryptionAlgorithms() throws ServerException
Specified by: getSupportedIDTokenEncryptionAlgorithms in interface OAuth2ProviderSettings
Returns: Set of the supported algorithms.
Throws:
- ServerException - If any internal server error occurs.

public Set<String> getSupportedIDTokenEncryptionMethods() throws ServerException
Specified by: getSupportedIDTokenEncryptionMethods in interface OAuth2ProviderSettings
Returns: Set of the supported algorithms.
Throws:
- ServerException - If any internal server error occurs.

public String getOpenIDConnectVersion()
Specified by: getOpenIDConnectVersion in interface OAuth2ProviderSettings

public org.forgerock.json.JsonValue getJWKSet() throws ServerException
Specified by: getJWKSet in interface OAuth2ProviderSettings
Throws:
- ServerException

public String getCreatedTimestampAttributeName() throws ServerException
Specified by: getCreatedTimestampAttributeName in interface OAuth2ProviderSettings
Throws:
- ServerException

public String getModifiedTimestampAttributeName() throws ServerException
Specified by: getModifiedTimestampAttributeName in interface OAuth2ProviderSettings
Throws:
- ServerException

public Set<String> getSupportedSubjectTypes() throws ServerException
Specified by: getSupportedSubjectTypes in interface OAuth2ProviderSettings
Returns: Set of supported subject types.
Throws:
- ServerException - If any internal server error occurs.

public boolean isOpenDynamicClientRegistrationAllowed() throws ServerException
Specified by: isOpenDynamicClientRegistrationAllowed in interface OAuth2ProviderSettings
Throws:
- ServerException - If any internal server error occurs.

public boolean isRegistrationAccessTokenGenerationEnabled() throws ServerException
Only relevant when OAuth2ProviderSettings.isOpenDynamicClientRegistrationAllowed() is true.
Specified by: isRegistrationAccessTokenGenerationEnabled in interface OAuth2ProviderSettings
Throws:
- ServerException - If any internal server error occurs.

public Map<String,AuthenticationMethod> getAcrMapping() throws ServerException
Specified by: getAcrMapping in interface OAuth2ProviderSettings
Throws:
- ServerException

public String getDefaultAcrValues() throws ServerException
Specified by: getDefaultAcrValues in interface OAuth2ProviderSettings
Throws:
- ServerException

public Map<String,String> getAMRAuthModuleMappings() throws ServerException
Specified by: getAMRAuthModuleMappings in interface OAuth2ProviderSettings
Throws:
- ServerException

public boolean exists()
Specified by: exists in interface OAuth2ProviderSettings

public ResourceSetStore getResourceSetStore()
Specified by: getResourceSetStore in interface OAuth2ProviderSettings

public boolean getClaimsParameterSupported() throws ServerException
Specified by: getClaimsParameterSupported in interface OAuth2ProviderSettings
Throws:
- ServerException

public String validateRequestedClaims(String requestedClaims) throws InvalidRequestException, ServerException
Specified by: validateRequestedClaims in interface OAuth2ProviderSettings
Throws:
- InvalidRequestException
- ServerException

public Set<String> getEndpointAuthMethodsSupported()
Specified by: getEndpointAuthMethodsSupported in interface OAuth2ProviderSettings

public boolean isCodeVerifierRequired() throws ServerException
Specified by: isCodeVerifierRequired in interface OAuth2ProviderSettings
Throws:
- ServerException

public String getHashSalt() throws ServerException
Specified by: getHashSalt in interface OAuth2ProviderSettings
Throws:
- ServerException

public boolean isAlwaysAddClaimsToToken() throws ServerException
Specified by: isAlwaysAddClaimsToToken in interface OAuth2ProviderSettings
Throws:
- ServerException

public String getUserDisplayNameAttribute() throws ServerException
Specified by: getUserDisplayNameAttribute in interface OAuth2ProviderSettings
Throws:
- ServerException

public String getJWKSUri() throws ServerException
Specified by: getJWKSUri in interface OAuth2ProviderSettings
Throws:
- ServerException - If any internal server error occurs.

public freemarker.template.Template getCustomLoginUrlTemplate() throws ServerException
Specified by: getCustomLoginUrlTemplate in interface OAuth2ProviderSettings
Throws:
- ServerException - If the custom login URL template setting could not be retrieved.

public String getVerificationUrl() throws ServerException
Specified by: getVerificationUrl in interface OAuth2ProviderSettings
Throws:
- ServerException - If the setting could not be retrieved.

public String getCompletionUrl() throws ServerException
Specified by: getCompletionUrl in interface OAuth2ProviderSettings
Throws:
- ServerException - If the setting could not be retrieved.

public int getDeviceCodeLifetime() throws ServerException
Specified by: getDeviceCodeLifetime in interface OAuth2ProviderSettings
Throws:
- ServerException - If the setting could not be retrieved.

public int getDeviceCodePollInterval() throws ServerException
Specified by: getDeviceCodePollInterval in interface OAuth2ProviderSettings
Throws:
- ServerException - If the setting could not be retrieved.

public boolean shouldStoreOpsTokens() throws ServerException
Specified by: shouldStoreOpsTokens in interface OAuth2ProviderSettings
Returns: true if ops tokens should be generated and stored in CTS.
Throws:
- ServerException - If the setting could not be retrieved.

public boolean clientsCanSkipConsent() throws ServerException
Specified by: clientsCanSkipConsent in interface OAuth2ProviderSettings
Returns: true if clients are allowed to opt to skip resource owner consent.
Throws:
- ServerException - If the setting could not be retrieved.

public boolean isOpenIDConnectSSOProviderEnabled() throws ServerException
Specified by: isOpenIDConnectSSOProviderEnabled in interface OAuth2ProviderSettings
Returns: true if ID Tokens are accepted as SSOTokens in this realm.
Throws:
- ServerException - If the setting could not be retrieved.

Copyright © 2010–2025 Open Identity Platform Community. All rights reserved.