Package org.forgerock.oauth2.core

Class RealmOAuth2ProviderSettings

java.lang.Object

org.forgerock.oauth2.core.RealmOAuth2ProviderSettings

All Implemented Interfaces:

OAuth2ProviderSettings

public class RealmOAuth2ProviderSettings
extends Object
implements OAuth2ProviderSettings

Models all of the possible settings the OAuth2 provider can have and that can be configured.
The actual implementation is responsible for providing the method in which these settings are configured. This interface only describes the API for other code to get the OAuth2 provider settings.

Since:

12.0.0

Constructor Summary

Constructors

Constructor	Description
RealmOAuth2ProviderSettings(OpenAMSettings settings, String realm, ResourceSetStore resourceSetStore, ServiceConfigManagerFactory serviceConfigManagerFactory)	Constructs a new OpenAMOAuth2ProviderSettings.

Method Summary

Modifier and Type	Method	Description
Map<String,String>	additionalDataToReturnFromAuthorizeEndpoint(Map<String,Token> tokens, OAuth2Request request)	Provided as an extension point to allow the OAuth2 provider to return additional data from an authorization request.
void	additionalDataToReturnFromTokenEndpoint(AccessToken accessToken, OAuth2Request request)	Provided as an extension point to allow the OAuth2 provider to return additional data from an access token request.
boolean	clientsCanSkipConsent()	Whether clients can opt to skip resource owner consent during authorization flows.
Map<String,Object>	evaluateScope(AccessToken accessToken)	Gets the specified access token's information.
boolean	exists()	Checks whether the config exists.
long	getAccessTokenLifetime()	Gets the lifetime an access token will have before it expires.
Map<String,AuthenticationMethod>	getAcrMapping()	Returns a mapping from Authentication Context Class Reference (ACR) values (typically a Level of Assurance value) to concrete authentication methods.
Map<String,ResponseTypeHandler>	getAllowedResponseTypes()	Gets the response types allowed by the OAuth2 provider.
Map<String,String>	getAMRAuthModuleMappings()	The mappings between amr values and auth module names.
long	getAuthorizationCodeLifetime()	Gets the lifetime an authorization code will have before it expires.
boolean	getClaimsParameterSupported()	Returns whether this provider supports claims requested via 'claims' parameter.
String	getCompletionUrl()	The URL that the user will be sent to on completion of their OAuth 2 login and consent when using the device code flow.
String	getCreatedTimestampAttributeName()	Gets the created timestamp attribute name.
freemarker.template.Template	getCustomLoginUrlTemplate()	Gets the custom login url template which will create the url to redirect resource owners to for authentication.
String	getDefaultAcrValues()	The default Authentication Context Class Reference (ACR) values to use for authentication if none is specified in the request.
Set<String>	getDefaultScopes()	Gets the default set of scopes to give a client registering with this provider.
int	getDeviceCodeLifetime()	The lifetime of the device code.
int	getDeviceCodePollInterval()	The polling interval for devices waiting for tokens when using the device code flow.
Set<String>	getEndpointAuthMethodsSupported()	Returns the token_endpoint_auth_methods available for clients to register (and subsequently auth) using.
String	getHashSalt()	Returns the salt to use for hashing sub values upon pairwise requests.
org.forgerock.json.JsonValue	getJWKSet()	Gets the JWK Set for this OAuth2 Authorization /OpenID Provider.
String	getJWKSUri()	Gets the JSON Web Key Set URI.
String	getModifiedTimestampAttributeName()	Gets the modified timestamp attribute name.
String	getOpenIDConnectVersion()	Gets the supported version of the OpenID Connect specification.
long	getOpenIdTokenLifetime()	Gets the lifetime an OpenID token will have before it expires.
long	getRefreshTokenLifetime()	Gets the lifetime an refresh token will have before it expires.
Set<String>	getResourceOwnerAuthenticatedAttributes()	Gets the attributes of the resource owner that are used for authenticating resource owners.
ResourceSetStore	getResourceSetStore()	Returns the ResourceSetStore instance for the realm.
KeyPair	getSigningKeyPair(org.forgerock.json.jose.jws.JwsAlgorithm algorithm)	Gets the signing key pair of the OAuth2 provider.
Set<String>	getSupportedClaims()	Gets the supported claims for this provider.
Set<String>	getSupportedClaimsWithTranslations()	Gets the supported claims for this provider as strings with pipe-separated translations.
Set<String>	getSupportedIDTokenEncryptionAlgorithms()	Gets the algorithms that the OAuth2 provider supports for encryptin OpenID tokens.
Set<String>	getSupportedIDTokenEncryptionMethods()	Gets the encryption methods that the OAuth2 provider supports for encryptin OpenID tokens.
Set<String>	getSupportedIDTokenSigningAlgorithms()	Gets the algorithms that the OAuth2 provider supports for signing OpenID tokens.
Set<String>	getSupportedScopes()	Gets the supported scopes for this provider without translations.
Set<String>	getSupportedScopesWithTranslations()	Gets the supported scopes for this provider.
Set<String>	getSupportedSubjectTypes()	Gets the subject types supported by the OAuth2 provider.
String	getTokenHmacSharedSecret()	Gets the Base64 encoded shared secret used to sign stateless access and refresh tokens.
String	getTokenSigningAlgorithm()	Gets the signing algorithm used when issuing stateless access and refresh tokens.
String	getUserDisplayNameAttribute()	The attribute that can be used to obtain a UI-displayable name for a user's AMIdentity.
UserInfoClaims	getUserInfo(ClientRegistration clientRegistration, AccessToken token, OAuth2Request request)	Gets the resource owners information based on an issued access token or request.
String	getVerificationUrl()	The URL that the user will be instructed to visit to complete their OAuth 2 login and consent when using the device code flow.
boolean	isAlwaysAddClaimsToToken()	Whether to always add claims to id_tokens - non-spec compliant.
boolean	isCodeVerifierRequired()	Whether or not to enforce the Code Verifier Parameter.
boolean	isConsentSaved(ResourceOwner resourceOwner, String clientId, Set<String> scope)	Determines whether a resource owner's consent has been saved from a previous authorize request.
boolean	isIdTokenInfoClientAuthenticationEnabled()	Determines whether idtokeninfo endpoint should require client authentication.
boolean	isOpenDynamicClientRegistrationAllowed()	Indicates whether clients may register without providing an access token.
boolean	isOpenIDConnectSSOProviderEnabled()	Whether OpenID Connect ID Tokens are accepted as SSOTokens in this realm or not.
boolean	isRegistrationAccessTokenGenerationEnabled()	Whether to generate access tokens for clients that register without one.
boolean	isSaveConsentEnabled()	Determines if the consent can be saved or not, due to a lack of configuration.
boolean	isStatelessTokensEnabled()	Determines whether access and refresh tokens should be stateless.
boolean	issueRefreshTokens()	Whether the OAuth2 provider should issue refresh tokens when issuing access tokens.
boolean	issueRefreshTokensOnRefreshingToken()	Whether the OAuth2 provider should issue refresh tokens when refreshing access tokens.
boolean	isTokenCompressionEnabled()	Determines whether token compression is enabled for stateless access and refresh tokens.
void	revokeConsent(String userId, String clientId)	Revokes the resource owner's consent for the granting authorization for the specified client.
void	saveConsent(ResourceOwner resourceOwner, String clientId, Set<String> scope)	Saves the resource owner's consent for the granting authorization for the specified client with the specified scope.
boolean	shouldStoreOpsTokens()	Whether to generate and store an ops token in CTS for this OIDC provider.
Set<String>	validateAccessTokenScope(ClientRegistration clientRegistration, Set<String> scope, OAuth2Request request)	Provided as an extension point to allow the OAuth2 provider to customise the scope requested when an access token is requested.
Set<String>	validateAuthorizationScope(ClientRegistration clientRegistration, Set<String> scope, OAuth2Request request)	Provided as an extension point to allow the OAuth2 provider to customise the scope requested when authorization is requested.
Set<String>	validateRefreshTokenScope(ClientRegistration clientRegistration, Set<String> requestedScope, Set<String> tokenScope, OAuth2Request request)	Provided as an extension point to allow the OAuth2 provider to customise the scope requested when a refresh token is requested.
String	validateRequestedClaims(String requestedClaims)	Validates that the requested claims are appropriate to be requested by the given client.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

RealmOAuth2ProviderSettings

public RealmOAuth2ProviderSettings(OpenAMSettings settings,
                                   String realm,
                                   ResourceSetStore resourceSetStore,
                                   ServiceConfigManagerFactory serviceConfigManagerFactory)

Constructs a new OpenAMOAuth2ProviderSettings.

Parameters:

settings - OpenAM settings.

realm - The realm.

resourceSetStore - An instance of the ResourceSetStore for the current realm.

serviceConfigManagerFactory - Factory for creating ServiceConfigManager instances.

Method Detail

isStatelessTokensEnabled

public boolean isStatelessTokensEnabled()
                                 throws ServerException

Description copied from interface: OAuth2ProviderSettings

Determines whether access and refresh tokens should be stateless.

Specified by:

isStatelessTokensEnabled in interface OAuth2ProviderSettings

Returns:

true if access and refresh tokens are stateless.

Throws:

ServerException - If any internal server error occurs.

isIdTokenInfoClientAuthenticationEnabled

public boolean isIdTokenInfoClientAuthenticationEnabled()
                                                 throws ServerException

Description copied from interface: OAuth2ProviderSettings

Determines whether idtokeninfo endpoint should require client authentication.

Specified by:

isIdTokenInfoClientAuthenticationEnabled in interface OAuth2ProviderSettings

Returns:

true if idtokeninfo endpoint requires client authentication.

Throws:

ServerException - If any internal server error occurs.

getTokenSigningAlgorithm

public String getTokenSigningAlgorithm()
                                throws ServerException

Description copied from interface: OAuth2ProviderSettings

Gets the signing algorithm used when issuing stateless access and refresh tokens.

Specified by:

getTokenSigningAlgorithm in interface OAuth2ProviderSettings

Returns:

The signing algorithm.

Throws:

ServerException - If any internal server error occurs.

isTokenCompressionEnabled

public boolean isTokenCompressionEnabled()
                                  throws ServerException

Description copied from interface: OAuth2ProviderSettings

Determines whether token compression is enabled for stateless access and refresh tokens.

Specified by:

isTokenCompressionEnabled in interface OAuth2ProviderSettings

Returns:

true if compression should be enabled.

Throws:

ServerException - if an error occurs reading the settings.

getTokenHmacSharedSecret

public String getTokenHmacSharedSecret()
                                throws ServerException

Description copied from interface: OAuth2ProviderSettings

Gets the Base64 encoded shared secret used to sign stateless access and refresh tokens.

Specified by:

getTokenHmacSharedSecret in interface OAuth2ProviderSettings

Returns:

The Base64 encoded shared secret.

Throws:

ServerException - If any internal server error occurs.

getAllowedResponseTypes

public Map<String,ResponseTypeHandler> getAllowedResponseTypes()
                                                              throws UnsupportedResponseTypeException,
                                                                     ServerException

Description copied from interface: OAuth2ProviderSettings

Gets the response types allowed by the OAuth2 provider.

Specified by:

getAllowedResponseTypes in interface OAuth2ProviderSettings

Returns:

The allowed response types and their handler implementations.

Throws:

UnsupportedResponseTypeException - If the requested response type is not supported by either the client or the OAuth2 provider.

ServerException - If any internal server error occurs.

isSaveConsentEnabled

public boolean isSaveConsentEnabled()

Description copied from interface: OAuth2ProviderSettings

Determines if the consent can be saved or not, due to a lack of configuration.

Specified by:

isSaveConsentEnabled in interface OAuth2ProviderSettings

Returns:

true if the consent can be saved, false if it is not configured properly.

isConsentSaved

public boolean isConsentSaved(ResourceOwner resourceOwner,
                              String clientId,
                              Set<String> scope)

Description copied from interface: OAuth2ProviderSettings

Determines whether a resource owner's consent has been saved from a previous authorize request.

Specified by:

isConsentSaved in interface OAuth2ProviderSettings

Parameters:

resourceOwner - The resource owner.

clientId - The if of the client making the request.

scope - The requested scope.

Returns:

true if the resource owner has previously requested that consent should be saved from the specified client and the exact scope.

validateAuthorizationScope

public Set<String> validateAuthorizationScope(ClientRegistration clientRegistration,
                                              Set<String> scope,
                                              OAuth2Request request)
                                       throws ServerException,
                                              InvalidScopeException

Description copied from interface: OAuth2ProviderSettings

Provided as an extension point to allow the OAuth2 provider to customise the scope requested when authorization is requested.

Specified by:

validateAuthorizationScope in interface OAuth2ProviderSettings

Parameters:

clientRegistration - The client registration.

scope - The requested scope.

Returns:

The updated scope used in the remaining OAuth2 process.

Throws:

ServerException - If any internal server error occurs.

InvalidScopeException - If the requested scope is invalid, unknown, or malformed.

validateAccessTokenScope

public Set<String> validateAccessTokenScope(ClientRegistration clientRegistration,
                                            Set<String> scope,
                                            OAuth2Request request)
                                     throws ServerException,
                                            InvalidScopeException

Description copied from interface: OAuth2ProviderSettings

Provided as an extension point to allow the OAuth2 provider to customise the scope requested when an access token is requested.

Specified by:

validateAccessTokenScope in interface OAuth2ProviderSettings

Parameters:

clientRegistration - The client registration.

scope - The requested scope.

request - The OAuth2 request.

Returns:

The updated scope used in the remaining OAuth2 process.

Throws:

ServerException - If any internal server error occurs.

InvalidScopeException - If the requested scope is invalid, unknown, or malformed.

validateRefreshTokenScope

public Set<String> validateRefreshTokenScope(ClientRegistration clientRegistration,
                                             Set<String> requestedScope,
                                             Set<String> tokenScope,
                                             OAuth2Request request)
                                      throws ServerException,
                                             InvalidScopeException

Description copied from interface: OAuth2ProviderSettings

Provided as an extension point to allow the OAuth2 provider to customise the scope requested when a refresh token is requested.

Specified by:

validateRefreshTokenScope in interface OAuth2ProviderSettings

Parameters:

clientRegistration - The client registration.

requestedScope - The requested scope.

tokenScope - The scope from the access token.

request - The OAuth2 request.

Returns:

The updated scope used in the remaining OAuth2 process.

Throws:

ServerException - If any internal server error occurs.

InvalidScopeException - If the requested scope is invalid, unknown, or malformed.

getUserInfo

public UserInfoClaims getUserInfo(ClientRegistration clientRegistration,
                                  AccessToken token,
                                  OAuth2Request request)
                           throws ServerException,
                                  UnauthorizedClientException,
                                  NotFoundException

Description copied from interface: OAuth2ProviderSettings

Gets the resource owners information based on an issued access token or request.

Specified by:

getUserInfo in interface OAuth2ProviderSettings

Parameters:

clientRegistration - The client registration.

token - The access token.

request - The OAuth2 request.

Returns:

The claims for the resource owner's information.

Throws:

ServerException - If any internal server error occurs.

UnauthorizedClientException - If the client's authorization fails.

NotFoundException - If the realm does not have an OAuth 2.0 provider service.

evaluateScope

public Map<String,Object> evaluateScope(AccessToken accessToken)
                                       throws ServerException

Description copied from interface: OAuth2ProviderSettings

Gets the specified access token's information.

Specified by:

evaluateScope in interface OAuth2ProviderSettings

Parameters:

accessToken - The access token.

Returns:

A Map<String, Object> of the access token's information.

Throws:

ServerException - If any internal server error occurs.

additionalDataToReturnFromAuthorizeEndpoint

public Map<String,String> additionalDataToReturnFromAuthorizeEndpoint(Map<String,Token> tokens,
                                                                            OAuth2Request request)
                                                                     throws ServerException

Description copied from interface: OAuth2ProviderSettings

Provided as an extension point to allow the OAuth2 provider to return additional data from an authorization request.

Specified by:

additionalDataToReturnFromAuthorizeEndpoint in interface OAuth2ProviderSettings

Parameters:

tokens - The tokens that will be returned from the authorization call.

request - The OAuth2 request.

Returns:

A Map<String, String> of the additional data to return.

Throws:

ServerException - If any internal server error occurs.

additionalDataToReturnFromTokenEndpoint

public void additionalDataToReturnFromTokenEndpoint(AccessToken accessToken,
                                                    OAuth2Request request)
                                             throws ServerException,
                                                    InvalidClientException,
                                                    NotFoundException

Description copied from interface: OAuth2ProviderSettings

Provided as an extension point to allow the OAuth2 provider to return additional data from an access token request.
Any additional data to be returned should be added to the access token by invoking, AccessToken#addExtraData(String, String).

Specified by:

additionalDataToReturnFromTokenEndpoint in interface OAuth2ProviderSettings

Parameters:

accessToken - The access token.

request - The OAuth2 request.

Throws:

ServerException - If any internal server error occurs.

InvalidClientException - If either the request does not contain the client's id or the client fails to be authenticated.

NotFoundException - If the realm does not have an OAuth 2.0 provider service.

saveConsent

public void saveConsent(ResourceOwner resourceOwner,
                        String clientId,
                        Set<String> scope)

Description copied from interface: OAuth2ProviderSettings

Saves the resource owner's consent for the granting authorization for the specified client with the specified scope.

Specified by:

saveConsent in interface OAuth2ProviderSettings

Parameters:

resourceOwner - The resource owner.

clientId - The client id.

scope - The requested scope.

revokeConsent

public void revokeConsent(String userId,
                          String clientId)

Description copied from interface: OAuth2ProviderSettings

Revokes the resource owner's consent for the granting authorization for the specified client.

Specified by:

revokeConsent in interface OAuth2ProviderSettings

Parameters:

userId - The user id.

clientId - The client id.

issueRefreshTokens

public boolean issueRefreshTokens()
                           throws ServerException

Description copied from interface: OAuth2ProviderSettings

Whether the OAuth2 provider should issue refresh tokens when issuing access tokens.

Specified by:

issueRefreshTokens in interface OAuth2ProviderSettings

Returns:

true if refresh tokens should be issued.

Throws:

ServerException - If any internal server error occurs.

issueRefreshTokensOnRefreshingToken

public boolean issueRefreshTokensOnRefreshingToken()
                                            throws ServerException

Description copied from interface: OAuth2ProviderSettings

Whether the OAuth2 provider should issue refresh tokens when refreshing access tokens.

Specified by:

issueRefreshTokensOnRefreshingToken in interface OAuth2ProviderSettings

Returns:

true if refresh tokens should be issued when access tokens are refreshed.

Throws:

ServerException - If any internal server error occurs.

getAuthorizationCodeLifetime

public long getAuthorizationCodeLifetime()
                                  throws ServerException

Description copied from interface: OAuth2ProviderSettings

Gets the lifetime an authorization code will have before it expires.

Specified by:

getAuthorizationCodeLifetime in interface OAuth2ProviderSettings

Returns:

The lifetime of an authorization code in seconds.

Throws:

ServerException - If any internal server error occurs.

getAccessTokenLifetime

public long getAccessTokenLifetime()
                            throws ServerException

Description copied from interface: OAuth2ProviderSettings

Gets the lifetime an access token will have before it expires.

Specified by:

getAccessTokenLifetime in interface OAuth2ProviderSettings

Returns:

The lifetime of an access token in seconds.

Throws:

ServerException - If any internal server error occurs.

getOpenIdTokenLifetime

public long getOpenIdTokenLifetime()
                            throws ServerException

Description copied from interface: OAuth2ProviderSettings

Gets the lifetime an OpenID token will have before it expires.

Specified by:

getOpenIdTokenLifetime in interface OAuth2ProviderSettings

Returns:

The lifetime of an OpenID token in seconds.

Throws:

ServerException - If any internal server error occurs.

getRefreshTokenLifetime

public long getRefreshTokenLifetime()
                             throws ServerException

Description copied from interface: OAuth2ProviderSettings

Gets the lifetime an refresh token will have before it expires.

Specified by:

getRefreshTokenLifetime in interface OAuth2ProviderSettings

Returns:

The lifetime of an refresh token in seconds.

Throws:

ServerException - If any internal server error occurs.

getSigningKeyPair

public KeyPair getSigningKeyPair(org.forgerock.json.jose.jws.JwsAlgorithm algorithm)
                          throws ServerException

Description copied from interface: OAuth2ProviderSettings

Gets the signing key pair of the OAuth2 provider.

Specified by:

getSigningKeyPair in interface OAuth2ProviderSettings

Parameters:

algorithm - The signing algorithm.

Returns:

The KeyPair.

Throws:

ServerException - If any internal server error occurs.

getResourceOwnerAuthenticatedAttributes

public Set<String> getResourceOwnerAuthenticatedAttributes()
                                                    throws ServerException

Description copied from interface: OAuth2ProviderSettings

Gets the attributes of the resource owner that are used for authenticating resource owners.

Specified by:

getResourceOwnerAuthenticatedAttributes in interface OAuth2ProviderSettings

Returns:

A Set of resource owner attributes.

Throws:

ServerException - If any internal server error occurs.

getSupportedClaims

public Set<String> getSupportedClaims()
                               throws ServerException

Description copied from interface: OAuth2ProviderSettings

Gets the supported claims for this provider.

Specified by:

getSupportedClaims in interface OAuth2ProviderSettings

Returns:

A Set of the supported claims.

Throws:

ServerException - If any internal server error occurs.

getSupportedClaimsWithTranslations

public Set<String> getSupportedClaimsWithTranslations()
                                               throws ServerException

Description copied from interface: OAuth2ProviderSettings

Gets the supported claims for this provider as strings with pipe-separated translations.

Specified by:

getSupportedClaimsWithTranslations in interface OAuth2ProviderSettings

Returns:

A Set of the supported claims.

Throws:

ServerException - If any internal server error occurs.

getSupportedScopes

public Set<String> getSupportedScopes()
                               throws ServerException

Description copied from interface: OAuth2ProviderSettings

Gets the supported scopes for this provider without translations.

Specified by:

getSupportedScopes in interface OAuth2ProviderSettings

Returns:

A Set of the supported scopes.

Throws:

ServerException - If any internal server error occurs.

getSupportedScopesWithTranslations

public Set<String> getSupportedScopesWithTranslations()
                                               throws ServerException

Description copied from interface: OAuth2ProviderSettings

Gets the supported scopes for this provider.

Specified by:

getSupportedScopesWithTranslations in interface OAuth2ProviderSettings

Returns:

A Set of the supported scopes.

Throws:

ServerException - If any internal server error occurs.

getDefaultScopes

public Set<String> getDefaultScopes()
                             throws ServerException

Description copied from interface: OAuth2ProviderSettings

Gets the default set of scopes to give a client registering with this provider.

Specified by:

getDefaultScopes in interface OAuth2ProviderSettings

Returns:

A Set of the default scopes.

Throws:

ServerException - If any internal server error occurs.

getSupportedIDTokenSigningAlgorithms

public Set<String> getSupportedIDTokenSigningAlgorithms()
                                                 throws ServerException

Description copied from interface: OAuth2ProviderSettings

Gets the algorithms that the OAuth2 provider supports for signing OpenID tokens.

Specified by:

getSupportedIDTokenSigningAlgorithms in interface OAuth2ProviderSettings

Returns:

A Set of the supported algorithms.

Throws:

ServerException - If any internal server error occurs.

getSupportedIDTokenEncryptionAlgorithms

public Set<String> getSupportedIDTokenEncryptionAlgorithms()
                                                    throws ServerException

Description copied from interface: OAuth2ProviderSettings

Gets the algorithms that the OAuth2 provider supports for encryptin OpenID tokens.

Specified by:

getSupportedIDTokenEncryptionAlgorithms in interface OAuth2ProviderSettings

Returns:

A Set of the supported algorithms.

Throws:

ServerException - If any internal server error occurs.

getSupportedIDTokenEncryptionMethods

public Set<String> getSupportedIDTokenEncryptionMethods()
                                                 throws ServerException

Description copied from interface: OAuth2ProviderSettings

Gets the encryption methods that the OAuth2 provider supports for encryptin OpenID tokens.

Specified by:

getSupportedIDTokenEncryptionMethods in interface OAuth2ProviderSettings

Returns:

A Set of the supported algorithms.

Throws:

ServerException - If any internal server error occurs.

getOpenIDConnectVersion

public String getOpenIDConnectVersion()

Description copied from interface: OAuth2ProviderSettings

Gets the supported version of the OpenID Connect specification.

Specified by:

getOpenIDConnectVersion in interface OAuth2ProviderSettings

Returns:

The OpenID Connect version.

getJWKSet

public org.forgerock.json.JsonValue getJWKSet()
                                       throws ServerException

Description copied from interface: OAuth2ProviderSettings

Gets the JWK Set for this OAuth2 Authorization /OpenID Provider.

Specified by:

getJWKSet in interface OAuth2ProviderSettings

Returns:

The JWK Set of signing and encryption keys.

Throws:

ServerException

getCreatedTimestampAttributeName

public String getCreatedTimestampAttributeName()
                                        throws ServerException

Description copied from interface: OAuth2ProviderSettings

Gets the created timestamp attribute name.

Specified by:

getCreatedTimestampAttributeName in interface OAuth2ProviderSettings

Returns:

The created attribute timestamp attribute name.

Throws:

ServerException

getModifiedTimestampAttributeName

public String getModifiedTimestampAttributeName()
                                         throws ServerException

Description copied from interface: OAuth2ProviderSettings

Gets the modified timestamp attribute name.

Specified by:

getModifiedTimestampAttributeName in interface OAuth2ProviderSettings

Returns:

The modified attribute timestamp attribute name.

Throws:

ServerException

getSupportedSubjectTypes

public Set<String> getSupportedSubjectTypes()
                                     throws ServerException

Description copied from interface: OAuth2ProviderSettings

Gets the subject types supported by the OAuth2 provider.

Specified by:

getSupportedSubjectTypes in interface OAuth2ProviderSettings

Returns:

A Set of supported subject types.

Throws:

ServerException - If any internal server error occurs.

isOpenDynamicClientRegistrationAllowed

public boolean isOpenDynamicClientRegistrationAllowed()
                                               throws ServerException

Description copied from interface: OAuth2ProviderSettings

Indicates whether clients may register without providing an access token.

Specified by:

isOpenDynamicClientRegistrationAllowed in interface OAuth2ProviderSettings

Returns:

true if allowed, otherwise false.

Throws:

ServerException - If any internal server error occurs.

isRegistrationAccessTokenGenerationEnabled

public boolean isRegistrationAccessTokenGenerationEnabled()
                                                   throws ServerException

Description copied from interface: OAuth2ProviderSettings

Whether to generate access tokens for clients that register without one. Only enabled if OAuth2ProviderSettings.isOpenDynamicClientRegistrationAllowed() is true.

Specified by:

isRegistrationAccessTokenGenerationEnabled in interface OAuth2ProviderSettings

Returns:

true if an access token should be generated for clients that register without one.

Throws:

ServerException - If any internal server error occurs.

getAcrMapping

public Map<String,AuthenticationMethod> getAcrMapping()
                                                     throws ServerException

Description copied from interface: OAuth2ProviderSettings

Returns a mapping from Authentication Context Class Reference (ACR) values (typically a Level of Assurance value) to concrete authentication methods.

Specified by:

getAcrMapping in interface OAuth2ProviderSettings

Throws:

ServerException

getDefaultAcrValues

public String getDefaultAcrValues()
                           throws ServerException

Description copied from interface: OAuth2ProviderSettings

The default Authentication Context Class Reference (ACR) values to use for authentication if none is specified in the request. This is a space-separated list of values in preference order.

Specified by:

getDefaultAcrValues in interface OAuth2ProviderSettings

Throws:

ServerException

getAMRAuthModuleMappings

public Map<String,String> getAMRAuthModuleMappings()
                                                  throws ServerException

Description copied from interface: OAuth2ProviderSettings

The mappings between amr values and auth module names.

Specified by:

getAMRAuthModuleMappings in interface OAuth2ProviderSettings

Returns:

The mappings.

Throws:

ServerException

exists

public boolean exists()

Description copied from interface: OAuth2ProviderSettings

Checks whether the config exists.

Specified by:

exists in interface OAuth2ProviderSettings

Returns:

Whether it exists.

getResourceSetStore

public ResourceSetStore getResourceSetStore()

Description copied from interface: OAuth2ProviderSettings

Returns the ResourceSetStore instance for the realm.

Specified by:

getResourceSetStore in interface OAuth2ProviderSettings

Returns:

The ResourceSetStore instance.

getClaimsParameterSupported

public boolean getClaimsParameterSupported()
                                    throws ServerException

Description copied from interface: OAuth2ProviderSettings

Returns whether this provider supports claims requested via 'claims' parameter.

Specified by:

getClaimsParameterSupported in interface OAuth2ProviderSettings

Returns:

true or false.

Throws:

ServerException

validateRequestedClaims

public String validateRequestedClaims(String requestedClaims)
                               throws InvalidRequestException,
                                      ServerException

Description copied from interface: OAuth2ProviderSettings

Validates that the requested claims are appropriate to be requested by the given client.

Specified by:

validateRequestedClaims in interface OAuth2ProviderSettings

Throws:

InvalidRequestException

ServerException

getEndpointAuthMethodsSupported

public Set<String> getEndpointAuthMethodsSupported()

Description copied from interface: OAuth2ProviderSettings

Returns the token_endpoint_auth_methods available for clients to register (and subsequently auth) using.

Specified by:

getEndpointAuthMethodsSupported in interface OAuth2ProviderSettings

isCodeVerifierRequired

public boolean isCodeVerifierRequired()
                               throws ServerException

Description copied from interface: OAuth2ProviderSettings

Whether or not to enforce the Code Verifier Parameter.

Specified by:

isCodeVerifierRequired in interface OAuth2ProviderSettings

Returns:

Whether the Code Verifier option has been configured.

Throws:

ServerException

See Also:

getHashSalt

public String getHashSalt()
                   throws ServerException

Description copied from interface: OAuth2ProviderSettings

Returns the salt to use for hashing sub values upon pairwise requests.

Specified by:

getHashSalt in interface OAuth2ProviderSettings

Throws:

ServerException

isAlwaysAddClaimsToToken

public boolean isAlwaysAddClaimsToToken()
                                 throws ServerException

Description copied from interface: OAuth2ProviderSettings

Whether to always add claims to id_tokens - non-spec compliant.

Specified by:

isAlwaysAddClaimsToToken in interface OAuth2ProviderSettings

Throws:

ServerException

See Also:

OpenID Connect Specification

getUserDisplayNameAttribute

public String getUserDisplayNameAttribute()
                                   throws ServerException

Description copied from interface: OAuth2ProviderSettings

The attribute that can be used to obtain a UI-displayable name for a user's AMIdentity.

Specified by:

getUserDisplayNameAttribute in interface OAuth2ProviderSettings

Throws:

ServerException

getJWKSUri

public String getJWKSUri()
                  throws ServerException

Description copied from interface: OAuth2ProviderSettings

Gets the JSON Web Key Set URI.

Specified by:

getJWKSUri in interface OAuth2ProviderSettings

Returns:

The JWKS URI.

Throws:

ServerException - If any internal server error occurs.

getCustomLoginUrlTemplate

public freemarker.template.Template getCustomLoginUrlTemplate()
                                                       throws ServerException

Description copied from interface: OAuth2ProviderSettings

Gets the custom login url template which will create the url to redirect resource owners to for authentication.

Specified by:

getCustomLoginUrlTemplate in interface OAuth2ProviderSettings

Returns:

The custom login url template.

Throws:

ServerException - If the custom login url template setting could not be retrieved.

getVerificationUrl

public String getVerificationUrl()
                          throws ServerException

Description copied from interface: OAuth2ProviderSettings

The URL that the user will be instructed to visit to complete their OAuth 2 login and consent when using the device code flow.

Specified by:

getVerificationUrl in interface OAuth2ProviderSettings

Returns:

The verification URL.

Throws:

ServerException - If the setting could not be retrieved.

getCompletionUrl

public String getCompletionUrl()
                        throws ServerException

Description copied from interface: OAuth2ProviderSettings

The URL that the user will be sent to on completion of their OAuth 2 login and consent when using the device code flow.

Specified by:

getCompletionUrl in interface OAuth2ProviderSettings

Returns:

The completion URL.

Throws:

ServerException - If the setting could not be retrieved.

getDeviceCodeLifetime

public int getDeviceCodeLifetime()
                          throws ServerException

Description copied from interface: OAuth2ProviderSettings

The lifetime of the device code.

Specified by:

getDeviceCodeLifetime in interface OAuth2ProviderSettings

Returns:

The lifetime in seconds.

Throws:

ServerException - If the setting could not be retrieved.

getDeviceCodePollInterval

public int getDeviceCodePollInterval()
                              throws ServerException

Description copied from interface: OAuth2ProviderSettings

The polling interval for devices waiting for tokens when using the device code flow.

Specified by:

getDeviceCodePollInterval in interface OAuth2ProviderSettings

Returns:

The interval in seconds.

Throws:

ServerException - If the setting could not be retrieved.

shouldStoreOpsTokens

public boolean shouldStoreOpsTokens()
                             throws ServerException

Description copied from interface: OAuth2ProviderSettings

Whether to generate and store an ops token in CTS for this OIDC provider.

Specified by:

shouldStoreOpsTokens in interface OAuth2ProviderSettings

Returns:

true if ops tokens should be generated/stored in CTS.

Throws:

ServerException - If the setting could not be retrieved.

clientsCanSkipConsent

public boolean clientsCanSkipConsent()
                              throws ServerException

Description copied from interface: OAuth2ProviderSettings

Whether clients can opt to skip resource owner consent during authorization flows.

Specified by:

clientsCanSkipConsent in interface OAuth2ProviderSettings

Returns:

true if clients are allowed to opt to skip resource owner consent.

Throws:

ServerException - If the setting could not be retrieved.

isOpenIDConnectSSOProviderEnabled

public boolean isOpenIDConnectSSOProviderEnabled()
                                          throws ServerException

Description copied from interface: OAuth2ProviderSettings

Whether OpenID Connect ID Tokens are accepted as SSOTokens in this realm or not.

Specified by:

isOpenIDConnectSSOProviderEnabled in interface OAuth2ProviderSettings

Returns:

true if ID Tokens are accepted as SSOTokens in this realm.

Throws:

ServerException - If the setting could not be retrieved.