Package com.nimbusds.openid.connect.sdk.federation.entities

Class EntityStatementClaimsSet

java.lang.Object
com.nimbusds.openid.connect.sdk.claims.ClaimsSet
com.nimbusds.openid.connect.sdk.claims.CommonClaimsSet
com.nimbusds.openid.connect.sdk.federation.entities.EntityStatementClaimsSet
All Implemented Interfaces:
net.minidev.json.JSONAware
public class EntityStatementClaimsSet extends CommonClaimsSet
Federation entity statement claims set, serialisable to a JSON object.

Example claims set: 

 {
   "iss": "https://feide.no",
   "sub": "https://ntnu.no",
   "iat": 1516239022,
   "exp": 1516298022,
   "crit": ["jti"],
   "jti": "7l2lncFdY6SlhNia",
   "policy_language_crit": ["regexp"],
   "metadata_policy": {
     "openid_provider": {
       "issuer": {"value": "https://ntnu.no"},
       "organization_name": {"value": "NTNU"},
       "id_token_signing_alg_values_supported":
         {"subset_of": ["RS256", "RS384", "RS512"]},
       "op_policy_uri": {
         "regexp": "^https:\/\/[\w-]+\.example\.com\/[\w-]+\.html"}
     },
     "openid_relying_party": {
       "organization_name": {"value": "NTNU"},
       "grant_types_supported": {
         "subset_of": ["authorization_code", "implicit"]},
       "scopes": {
         "subset_of": ["openid", "profile", "email", "phone"]}
     }
   },
   "constraints": {
     "max_path_length": 2
   }
   "jwks": {
     "keys": [
       {
         "alg": "RS256",
         "e": "AQAB",
         "ext": true,
         "key_ops": ["verify"],
         "kid": "key1",
         "kty": "RSA",
         "n": "pnXBOusEANuug6ewezb9J_...",
         "use": "sig"
       }
     ]
   },
   "authority_hints": [
     "https://edugain.org/federation"
   ]
 }

Related specifications:

  • OpenID Connect Federation 1.0, section 2.1.

  • Field Details

  • Constructor Details

    • EntityStatementClaimsSet

      public EntityStatementClaimsSet(Issuer iss, Subject sub, Date iat, Date exp, com.nimbusds.jose.jwk.JWKSet jwks)
      Creates a new federation entity statement claims set with the minimum required claims.
      Parameters:
      iss - The issuer. Must not be null.
      sub - The subject. Must not be null.
      iat - The issue time. Must not be null.
      exp - The expiration time. Must not be null.
      jwks - The entity public JWK set, null if not required.

    • EntityStatementClaimsSet

      public EntityStatementClaimsSet(EntityID iss, EntityID sub, Date iat, Date exp, com.nimbusds.jose.jwk.JWKSet jwks)
      Creates a new federation entity statement claims set with the minimum required claims.
      Parameters:
      iss - The issuer. Must not be null.
      sub - The subject. Must not be null.
      iat - The issue time. Must not be null.
      exp - The expiration time. Must not be null.
      jwks - The entity public JWK set, null if not required.

    • EntityStatementClaimsSet

      public EntityStatementClaimsSet(com.nimbusds.jwt.JWTClaimsSet jwtClaimsSet) throws ParseException
      Creates a new federation entity statement claims set from the specified JWT claims set.
      Parameters:
      jwtClaimsSet - The JWT claims set. Must not be null.
      Throws:
      ParseException - If the JWT claims set doesn't represent a valid federation entity statement claims set.

  • Method Details

    • validateRequiredClaimsPresence

      public void validateRequiredClaimsPresence() throws ParseException
      Validates this claims set for having all minimum required claims for an entity statement. If a selt-statement check for the presence of metadata. If critical extension claims are listed their presence is also checked.
      Throws:
      ParseException - If the validation failed and a required claim is missing.

    • isSelfStatement

      public boolean isSelfStatement()
      Returns true if this is a self-statement (issuer and subject match).
      Returns:
      true for a self-statement, false if not.

    • getIssuerEntityID

      public EntityID getIssuerEntityID()
      Returns the issuer as entity ID.
      Returns:
      The issuer as entity ID.

    • getSubjectEntityID

      public EntityID getSubjectEntityID()
      Returns the subject as entity ID.
      Returns:
      The subject as entity ID.

    • getExpirationTime

      public Date getExpirationTime()
      Gets the entity statement expiration time. Corresponds to the exp claim.
      Returns:
      The expiration time, null if not specified or parsing failed.

    • getJWKSet

      public com.nimbusds.jose.jwk.JWKSet getJWKSet()
      Gets the entity JWK set.
      Returns:
      The entity JWK set, null if not specified or parsing failed.

    • getAuthorityHints

      public List<EntityID> getAuthorityHints()
      Gets the entity IDs of the intermediate entities or trust anchors.
      Returns:
      The entity IDs, null or empty list for a trust anchor, or if parsing failed.

    • setAuthorityHints

      public void setAuthorityHints(List<EntityID> trustChain)
      Sets the entity IDs of the intermediate entities or trust anchors.
      Parameters:
      trustChain - The entity IDs, null or empty list for a trust anchor.

    • hasMetadata

      public boolean hasMetadata()
      Returns true if a metadata field is present.
      Returns:
      true if for a metadata field for an OpenID relying party, OpenID provider, OAuth authorisation server, OAuth client, OAuth protected resource or a federation entity is present.

    • getMetadata

      public net.minidev.json.JSONObject getMetadata(FederationMetadataType type)
      Gets the metadata for the specified type. Use a typed getter, such as getRPMetadata(), when available.
      Parameters:
      type - The type. Must not be null.
      Returns:
      The metadata, null if not specified.

    • setMetadata

      public void setMetadata(FederationMetadataType type, net.minidev.json.JSONObject metadata)
      Sets the metadata for the specified type. Use a typed setter, such as setRPMetadata(com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata), when available.
      Parameters:
      type - The type. Must not be null.
      metadata - The metadata, null if not specified.

    • getRPMetadata

      public OIDCClientMetadata getRPMetadata()
      Gets the OpenID relying party metadata if present for this entity.
      Returns:
      The RP metadata, null if not specified or if parsing failed.

    • setRPMetadata

      public void setRPMetadata(OIDCClientMetadata rpMetadata)
      Sets the OpenID relying party metadata if present for this entity.
      Parameters:
      rpMetadata - The RP metadata, null if not specified.

    • getOPMetadata

      public OIDCProviderMetadata getOPMetadata()
      Gets the OpenID provider metadata if present for this entity.
      Returns:
      The OP metadata, null if not specified or if parsing failed.

    • setOPMetadata

      public void setOPMetadata(OIDCProviderMetadata opMetadata)
      Gets the OpenID provider metadata if present for this entity.
      Parameters:
      opMetadata - The OP metadata, null if not specified.

    • getOAuthClientMetadata

      public ClientMetadata getOAuthClientMetadata()
      Gets the OAuth 2.0 client metadata if present for this entity.
      Returns:
      The client metadata, null if not specified or if parsing failed.

    • setOAuthClientMetadata

      public void setOAuthClientMetadata(ClientMetadata clientMetadata)
      Sets the OAuth 2.0 client metadata if present for this entity.
      Parameters:
      clientMetadata - The client metadata, null if not specified.

    • getASMetadata

      public AuthorizationServerMetadata getASMetadata()
      Gets the OAuth 2.0 authorisation server metadata if present for this entity.
      Returns:
      The AS metadata, null if not specified or if parsing failed.

    • setASMetadata

      public void setASMetadata(AuthorizationServerMetadata asMetadata)
      Sets the OAuth 2.0 authorisation server metadata if present for this entity.
      Parameters:
      asMetadata - The AS metadata, null if not specified.

    • getFederationEntityMetadata

      public FederationEntityMetadata getFederationEntityMetadata()
      Gets the federation entity metadata if present for this entity.
      Returns:
      The federation entity metadata, null if not specified or if parsing failed.

    • setFederationEntityMetadata

      public void setFederationEntityMetadata(FederationEntityMetadata entityMetadata)
      Sets the federation entity metadata if present for this entity.
      Parameters:
      entityMetadata - The federation entity metadata, null if not specified.

    • getMetadataPolicyJSONObject

      public net.minidev.json.JSONObject getMetadataPolicyJSONObject()
      Gets the complete metadata policy JSON object.
      Returns:
      The metadata policy JSON object, null if not specified or if parsing failed.

    • setMetadataPolicyJSONObject

      public void setMetadataPolicyJSONObject(net.minidev.json.JSONObject metadataPolicy)
      Sets the complete metadata policy JSON object.
      Parameters:
      metadataPolicy - The metadata policy JSON object, null if not specified.

    • getMetadataPolicy

      public MetadataPolicy getMetadataPolicy(FederationMetadataType type) throws PolicyViolationException
      Gets the metadata policy for the specified type.
      Parameters:
      type - The type. Must not be null.
      Returns:
      The metadata policy, null or if JSON parsing failed.
      Throws:
      PolicyViolationException - On a policy violation.

    • setMetadataPolicy

      public void setMetadataPolicy(FederationMetadataType type, MetadataPolicy metadataPolicy)
      Sets the metadata policy for the specified type.
      Parameters:
      type - The type. Must not be null.
      metadataPolicy - The metadata policy, null if not specified.

    • getTrustAnchorID

      public EntityID getTrustAnchorID()
      Gets the used trust anchor in a explicit client registration in OpenID Connect Federation 1.0. Intended for entity statements issued by an OpenID provider for a Relying party performing explicit client registration only.Corresponds to the trust_anchor_id client metadata field.
      Returns:
      The trust anchor ID, null if not specified.

    • setTrustAnchorID

      public void setTrustAnchorID(EntityID trustAnchorID)
      Sets the used trust anchor in a explicit client registration in OpenID Connect Federation 1.0. Intended for entity statements issued by an OpenID provider for a Relying party performing explicit client registration only.Corresponds to the trust_anchor_id client metadata field.
      Parameters:
      trustAnchorID - The trust anchor ID, null if not specified.

    • getConstraints

      public TrustChainConstraints getConstraints()
      Gets the trust chain constraints for subordinate entities.
      Returns:
      The trust chain constraints, null if not specified or if parsing failed.

    • setConstraints

      public void setConstraints(TrustChainConstraints constraints)
      Sets the trust chain constraint for subordinate entities.
      Parameters:
      constraints - The trust chain constraints, null if not specified.

    • getCriticalExtensionClaims

      public List<String> getCriticalExtensionClaims()
      Gets the names of the critical extension claims.
      Returns:
      The names of the critical extension claims, null if not specified or if parsing failed.

    • setCriticalExtensionClaims

      public void setCriticalExtensionClaims(List<String> claimNames)
      Sets the names of the critical extension claims.
      Parameters:
      claimNames - The names of the critical extension claims, null if not specified. Must not be an empty list.

    • getCriticalPolicyExtensions

      public List<String> getCriticalPolicyExtensions()
      Gets the names of the critical policy extensions.
      Returns:
      The names of the critical policy extensions or if parsing failed.

    • setCriticalPolicyExtensions

      public void setCriticalPolicyExtensions(List<String> extNames)
      Sets the names of the critical policy extensions.
      Parameters:
      extNames - The names of the critical policy extensions, null if not specified. Must not be an empty list.