Package net.shibboleth.oidc.profile.config.impl

Class DefaultOIDCAuthorizationConfiguration

java.lang.Object

net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

net.shibboleth.utilities.java.support.component.AbstractIdentifiedInitializableComponent

net.shibboleth.utilities.java.support.component.AbstractIdentifiableInitializableComponent

net.shibboleth.idp.profile.config.AbstractProfileConfiguration

net.shibboleth.idp.profile.config.AbstractConditionalProfileConfiguration

net.shibboleth.oidc.profile.oauth2.config.impl.AbstractOAuth2ClientAuthenticableProfileConfiguration

net.shibboleth.oidc.profile.oauth2.config.impl.AbstractOAuth2FlowAwareProfileConfiguration

net.shibboleth.oidc.profile.config.impl.AbstractOIDCSSOConfiguration

net.shibboleth.oidc.profile.config.impl.DefaultOIDCAuthorizationConfiguration

All Implemented Interfaces:

net.shibboleth.idp.authn.config.AuthenticationProfileConfiguration, net.shibboleth.idp.profile.config.AttributeResolvingProfileConfiguration, net.shibboleth.idp.profile.config.ConditionalProfileConfiguration, net.shibboleth.idp.profile.config.OverriddenIssuerProfileConfiguration, net.shibboleth.idp.profile.config.ProfileConfiguration, OIDCAuthenticationProfileConfiguration, OIDCAuthenticationRelyingPartyProfileConfiguration, OIDCAuthorizationConfiguration, OIDCFlowAwareProfileConfiguration, OIDCIDTokenProducingProfileConfiguration, OIDCProfileConfiguration, OIDCSSOProfileConfiguration, OIDCSSOProviderConfiguration, OIDCSSORelyingPartyConfiguration, OAuth2AccessTokenProducingProfileConfiguration, OAuth2AuthorizationCodeProducingProfileConfiguration, OAuth2AuthorizationProfileConfiguration, OAuth2ClientAuthenticableClientProfileConfiguration, OAuth2ClientAuthenticableProfileConfiguration, OAuth2FlowAwareProfileConfiguration, OAuth2ProfileConfiguration, OAuth2RefreshTokenProducingProfileConfiguration, OAuth2TokenEncryptionProfileConfiguration, Component, DestructableComponent, IdentifiableComponent, IdentifiedComponent, InitializableComponent

public class DefaultOIDCAuthorizationConfiguration
extends AbstractOIDCSSOConfiguration
implements OIDCAuthenticationRelyingPartyProfileConfiguration, OIDCAuthorizationConfiguration

Implementation of a profile configuration for the OpenID Connect authorization endpoint.

It is also usable as a Token endpoint configuration if no non-OIDC use cases are needed.

Nested Class Summary

Nested classes/interfaces inherited from interface net.shibboleth.oidc.profile.oauth2.config.OAuth2AuthorizationProfileConfiguration

OAuth2AuthorizationProfileConfiguration.HttpRequestMethod

Field Summary

Fields

Modifier and Type	Field	Description
private Predicate<ProfileRequestContext>	acrRequestAlwaysEssentialPredicate	Whether all acr claim requests should be treated as Essential.
private Function<ProfileRequestContext,Function<Collection<String>,Collection<Principal>>>	acrTranslationStrategyLookupStrategy	Lookup function to supply the strategy function for translating OIDC ACR claims.
private Function<ProfileRequestContext,Function<Collection<String>,Collection<Principal>>>	amrTranslationStrategyLookupStrategy	Lookup function to supply the strategy function for translating OIDC ACR claims.
private Function<ProfileRequestContext,BiFunction<ProfileRequestContext,Map<String,Object>,Map<String,Object>>>	authorizationCodeClaimsSetManipulationStrategyLookupStrategy	Lookup function to supply strategy bi-function for manipulating authorization code claims set.
private Function<ProfileRequestContext,Duration>	authorizeCodeLifetimeLookupStrategy	Lookup function to supply lifetime of authz code.
private Function<ProfileRequestContext,Set<String>>	deniedUserInfoAttributesLookupStrategy	Lookup function to supply attribute IDs to omit from UserInfo token.
private Predicate<ProfileRequestContext>	encodeConsentInTokensPredicate	Whether to encode consent in authorization code and access/refresh tokens.
private Function<ProfileRequestContext,Set<String>>	encodedAttributesLookupStrategy	Lookup function to supply attribute IDs to embed in authorization code or access token.
private Predicate<ProfileRequestContext>	encryptRequestObjectPredicate	Predicate used to determine if the generated request object should be encrypted.
private Function<ProfileRequestContext,String>	httpRequestMethodLookupStrategy	Which HTTP method should be used to issue OIDC authentication requests.
private Predicate<ProfileRequestContext>	includeIssuerInResponsePredicate	Whether to include iss parameter in the authentication response.
private Function<ProfileRequestContext,String>	loginHintLookupStrategy	Lookup function to determine the login_hint of an authentication request.
private Function<ProfileRequestContext,Duration>	maxAuthenticationAgeLookupStrategy	Lookup function to determine the max_age of an authentication request.
private Predicate<ProfileRequestContext>	proxiedAuthnInstantPredicate	Whether authentication results should carry the proxied auth_time in the id_token.
private Function<ProfileRequestContext,String>	redirectUriOverrideLookupStrategy	An override to specify a specific redirect_uri to use over the normally computed one.
private Function<ProfileRequestContext,String>	responseModeLookupStrategy	Lookup function to override the default response_mode for a given response_type.
private Function<ProfileRequestContext,String>	responseTypeLookupStrategy	Lookup function to retrieve the response_type.
private Predicate<ProfileRequestContext>	retrieveUserInfoEndpointClaims	Whether to make a UserInfo Endpoint request for End-User claims.
private Function<ProfileRequestContext,Set<String>>	scopesLookupStrategy	Lookup function to retrieve the scopes requested during authentication.
private Predicate<ProfileRequestContext>	signRequestObjectPredicate	Predicate used to determine if the generated request object should be signed.
private Predicate<ProfileRequestContext>	tlsServerValidationOnlyPredicate	Whether TLS server validation alone is sufficient to verify the id_token (true), or whether the id_token's signature should be validated (false).
private Predicate<ProfileRequestContext>	useRequestObjectPredicate	Whether to encode authentication request parameters inside a JWT request object .
private Function<ProfileRequestContext,String>	userInfoHttpRequestMethodLookupStrategy	Which HTTP method should be used to issue the UserInfo requests.

Fields inherited from class net.shibboleth.idp.profile.config.AbstractProfileConfiguration

DEFAULT_DISALLOWED_FEATURES

Fields inherited from interface net.shibboleth.oidc.profile.config.OIDCAuthenticationProfileConfiguration

PROFILE_ID

Fields inherited from interface net.shibboleth.oidc.profile.config.OIDCAuthorizationConfiguration

PROFILE_ID

Fields inherited from interface net.shibboleth.oidc.profile.config.OIDCSSOProfileConfiguration

PROFILE_ID

Constructor Summary

Constructors

Constructor	Description
DefaultOIDCAuthorizationConfiguration()	Constructor.
DefaultOIDCAuthorizationConfiguration(String profileId)	Creates a new configuration instance.

Method Summary

Modifier and Type	Method	Description
Function<Collection<String>,Collection<Principal>>	getAuthenticationContextClassReferenceTranslationStrategy(ProfileRequestContext prc)
Function<Collection<String>,Collection<Principal>>	getAuthenticationMethodsReferencesTranslationStrategy(ProfileRequestContext prc)
BiFunction<ProfileRequestContext,Map<String,Object>,Map<String,Object>>	getAuthorizationCodeClaimsSetManipulationStrategy(ProfileRequestContext profileRequestContext)
Duration	getAuthorizeCodeLifetime(ProfileRequestContext profileRequestContext)
Set<String>	getDeniedUserInfoAttributes(ProfileRequestContext profileRequestContext)
Set<String>	getEncodedAttributes(ProfileRequestContext profileRequestContext)
OAuth2AuthorizationProfileConfiguration.HttpRequestMethod	getHttpRequestMethod(ProfileRequestContext profileRequestContext)
String	getLoginHint(ProfileRequestContext profileRequestContext)
Duration	getMaxAuthenticationAge(ProfileRequestContext profileRequestContext)
String	getRedirectUriOverride(ProfileRequestContext profileRequestContext)
String	getResponseMode(ProfileRequestContext profileRequestContext)
String	getResponseType(ProfileRequestContext profileRequestContext)
Set<String>	getScopes(ProfileRequestContext profileRequestContext)
OAuth2AuthorizationProfileConfiguration.HttpRequestMethod	getUserInfoHttpRequestMethod(ProfileRequestContext profileRequestContext)
boolean	isAcrRequestAlwaysEssential(ProfileRequestContext profileRequestContext)
boolean	isEncodeConsentInTokens(ProfileRequestContext profileRequestContext)
boolean	isEncryptRequestObject(ProfileRequestContext profileRequestContext)
boolean	isIncludeIssuerInResponse(ProfileRequestContext profileRequestContext)
boolean	isProxiedAuthnInstant(ProfileRequestContext profileRequestContext)
boolean	isRetrieveUserInfoEndpointClaims(ProfileRequestContext profileRequestContext)
boolean	isSignRequestObject(ProfileRequestContext profileRequestContext)
boolean	isTlsServerValidationSufficient(ProfileRequestContext profileRequestContext)
boolean	isUseRequestObject(ProfileRequestContext profileRequestContext)
void	setAcrRequestAlwaysEssential(boolean flag)	Set whether all acr claim requests should be treated as Essential.
void	setAcrRequestAlwaysEssentialPredicate(Predicate<ProfileRequestContext> condition)	Set condition for whether all acr claim requests should be treated as Essential.
void	setAuthenticationContextClassReferenceTranslationStrategyLookupStrategy(Function<ProfileRequestContext,Function<Collection<String>,Collection<Principal>>> strategy)	Set the lookup function to locate the Authentication Context Class Reference strategy used to translate between an inbound proxied OIDC ACR into an appropriate set of custom Principal objects to populate the subject.
void	setAuthenticationMethodsReferencesTranslationStrategyLookupStrategy(Function<ProfileRequestContext,Function<Collection<String>,Collection<Principal>>> strategy)	Set the lookup function to locate the Authentication Methods References strategy used to translate between an inbound proxied OIDC AMR into an appropriate set of custom Principal objects to populate the subject.
void	setAuthorizationCodeClaimsSetManipulationStrategy(BiFunction<ProfileRequestContext,Map<String,Object>,Map<String,Object>> strategy)	Set the bi-function for manipulating authorization code claims set.
void	setAuthorizationCodeClaimsSetManipulationStrategyLookupStrategy(Function<ProfileRequestContext,BiFunction<ProfileRequestContext,Map<String,Object>,Map<String,Object>>> strategy)	Set a lookup strategy for the bi-function for manipulating authorization code claims set.
void	setAuthorizeCodeLifetime(Duration lifetime)	Set the lifetime of authz code.
void	setAuthorizeCodeLifetimeLookupStrategy(Function<ProfileRequestContext,Duration> strategy)	Set a lookup strategy for the authz code lifetime.
void	setDeniedUserInfoAttributes(Collection<String> attributes)	Set the set of attribute IDs which should be omitted from the UserInfo token.
void	setDeniedUserInfoAttributesLookupStrategy(Function<ProfileRequestContext,Set<String>> strategy)	Set a lookup strategy for the set of attribute IDs which should be omitted from the UserInfo token.
void	setEncodeConsentInTokens(boolean flag)	Set whether to encode consent in authorization code and access/refresh tokens.
void	setEncodeConsentInTokensPredicate(Predicate<ProfileRequestContext> condition)	Set condition for whether to encode consent in authorization code and access/refresh tokens.
void	setEncodedAttributes(Collection<String> attributes)	Set the set of attribute IDs which should be encoded in encrypted form into the authorization code and/or access/refresh tokens to enable recovery on the back-channel.
void	setEncodedAttributesLookupStrategy(Function<ProfileRequestContext,Set<String>> strategy)	Set a lookup strategy for the attribute IDs which should be encoded in encrypted form into the authorization code and/or access/refresh tokens to enable recovery on the back-channel.
void	setEncryptRequestObject(boolean flag)	Set whether the RequestObject should be encrypted.
void	setEncryptRequestObjectPredicate(Predicate<ProfileRequestContext> condition)	Set the predicate to determine if the RequestObject should be encrypted.
void	setHttpRequestMethod(OAuth2AuthorizationProfileConfiguration.HttpRequestMethod method)	Set the HTTP request method for an authentication request.
void	setHttpRequestMethodLookupStrategy(Function<ProfileRequestContext,String> strategy)	Set a lookup strategy to determine the HTTP request method for an authentication request.
void	setIncludeIssuerInResponse(boolean flag)	Set whether to include iss parameter in the authentication response.
void	setIncludeIssuerInResponsePredicate(Predicate<ProfileRequestContext> condition)	Set condition for whether to include iss parameter in the authentication response.
void	setLoginHint(String fixedLoginHint)	Set a fixed login_hint.
void	setLoginHintLookupStrategy(Function<ProfileRequestContext,String> strategy)	Set the lookup strategy for setting the login_hint.
void	setMaxAuthenticationAge(Duration age)	Set the max authentication age.
void	setMaxAuthenticationAgeLookupStrategy(Function<ProfileRequestContext,Duration> strategy)	Set a lookup strategy for the max authentication age.
void	setProxiedAuthnInstant(boolean flag)	Sets whether authentication results produced by use of this profile should carry the proxied assertion's auth_time from the id_token, rather than the current time.
void	setRedirectUriOverride(String uri)	Set the override redirect_uri.
void	setRedirectUriOverrideLookupStrategy(Function<ProfileRequestContext,String> strategy)	Set the redirect_uri lookup strategy used to locate an overridden redirect.
void	setResponseMode(String responseMode)	Set the response_mode to use for authorization requests.
void	setResponseModeLookupStrategy(Function<ProfileRequestContext,String> strategy)	Set the lookup strategy to determine the response_mode for authorization requests.
void	setResponseType(String responseType)	Set the response_type to use for authentication requests.
void	setResponseTypeLookupStrategy(Function<ProfileRequestContext,String> strategy)	Set the lookup strategy to determine the response_type for authentication requests.
void	setRetrieveUserInfoEndpointClaims(boolean flag)	Set whether to make a request to the UserInfo Endpoint to obtain authenticated End-User claims.
void	setRetrieveUserInfoEndpointClaims(Predicate<ProfileRequestContext> condition)	Set condition for whether to make a request to the UserInfo Endpoint to obtain authenticated End-User claims.
void	setScopes(Set<String> scopes)	Set the scopes to use for authentication requests.
void	setScopesLookupStrategy(Function<ProfileRequestContext,Set<String>> strategy)	Set the lookup strategy to determine the scopes to use for authentication requests.
void	setSignRequestObject(boolean flag)	Set whether the RequestObject should be signed.
void	setSignRequestObjectPredicate(Predicate<ProfileRequestContext> condition)	Set the predicate to determine if the RequestObject should be signed.
void	setTlsServerValidationSufficient(boolean flag)	Set whether TLS server validation alone is sufficient to verify the id_token (true), or whether the id_token's signature should be validated (false).
void	setTlsServerValidationSufficient(Predicate<ProfileRequestContext> condition)	Set the predicate to determine whether TLS server validation alone is sufficient to verify the id_token (true), or whether the id_token's signature should be validated (false).
void	setUseRequestObject(boolean flag)	Set whether the authentication request parameters should be passed in a single, self contained, JWT.
void	setUseRequestObjectPredicate(Predicate<ProfileRequestContext> condition)	Set condition for whether the authentication request parameters should be passed in a single, self contained, JWT.
void	setUserInfoHttpRequestMethod(OAuth2AuthorizationProfileConfiguration.HttpRequestMethod method)	Set the HTTP request method for an UserInfo request.
void	setUserInfoHttpRequestMethodLookupStrategy(Function<ProfileRequestContext,String> strategy)	Set a lookup strategy to determine the HTTP request method for an UserInfo request.

Methods inherited from class net.shibboleth.oidc.profile.config.impl.AbstractOIDCSSOConfiguration

getAccessTokenClaimsSetManipulationStrategy, getAccessTokenLifetime, getAccessTokenType, getAdditionalAudiencesForIdToken, getAlwaysIncludedAttributes, getIDTokenLifetime, getIDTokenManipulationStrategy, getIssuer, getRefreshTokenChainLifetime, getRefreshTokenLifetime, getRefreshTokenTimeout, isAllowPKCEPlain, isEncryptionOptional, isForcePKCE, isResolveAttributes, setAccessTokenClaimsSetManipulationStrategy, setAccessTokenClaimsSetManipulationStrategyLookupStrategy, setAccessTokenLifetime, setAccessTokenLifetimeLookupStrategy, setAccessTokenType, setAccessTokenTypeLookupStrategy, setAdditionalAudiencesForIdToken, setAdditionalAudiencesForIdTokenLookupStrategy, setAllowPKCEPlain, setAllowPKCEPlainPredicate, setAlwaysIncludedAttributes, setAlwaysIncludedAttributesLookupStrategy, setEncryptionOptional, setEncryptionOptionalPredicate, setForcePKCE, setForcePKCEPredicate, setIDTokenLifetime, setIDTokenLifetimeLookupStrategy, setIDTokenManipulationStrategy, setIDTokenManipulationStrategyLookupStrategy, setIssuer, setIssuerLookupStrategy, setRefreshTokenChainLifetime, setRefreshTokenChainLifetimeLookupStrategy, setRefreshTokenLifetime, setRefreshTokenLifetimeLookupStrategy, setRefreshTokenTimeout, setRefreshTokenTimeoutLookupStrategy, setResolveAttributes, setResolveAttributesPredicate

Methods inherited from class net.shibboleth.oidc.profile.oauth2.config.impl.AbstractOAuth2FlowAwareProfileConfiguration

isAuthorizationCodeFlowEnabled, isHybridFlowEnabled, isImplicitFlowEnabled, isRefreshTokensEnabled, setAuthorizationCodeFlowEnabled, setAuthorizationCodeFlowEnabledPredicate, setHybridFlowEnabled, setHybridFlowEnabledPredicate, setImplicitFlowEnabled, setImplicitFlowEnabledPredicate, setRefreshTokensEnabled, setRefreshTokensEnabledPredicate

Methods inherited from class net.shibboleth.oidc.profile.oauth2.config.impl.AbstractOAuth2ClientAuthenticableProfileConfiguration

getAuthenticationFlows, getClaimsValidator, getClientCredential, getClientId, getDefaultAuthenticationMethods, getPostAuthenticationFlows, getProxyCount, getTokenEndpointAuthMethod, getTokenEndpointAuthMethods, isForceAuthn, setAuthenticationFlows, setAuthenticationFlowsLookupStrategy, setClaimsValidator, setClaimsValidatorLookupStrategy, setClientCredential, setClientCredentialLookupStrategy, setClientId, setClientIdLookupStrategy, setDefaultAuthenticationMethods, setDefaultAuthenticationMethodsLookupStrategy, setForceAuthn, setForceAuthnPredicate, setPostAuthenticationFlows, setPostAuthenticationFlowsLookupStrategy, setProxyCount, setProxyCountLookupStrategy, setTokenEndpointAuthMethod, setTokenEndpointAuthMethodLookupStrategy, setTokenEndpointAuthMethods, setTokenEndpointAuthMethodsLookupStrategy

Methods inherited from class net.shibboleth.idp.profile.config.AbstractConditionalProfileConfiguration

getActivationCondition, setActivationCondition

Methods inherited from class net.shibboleth.idp.profile.config.AbstractProfileConfiguration

equals, getDisallowedFeatures, getInboundInterceptorFlows, getOutboundInterceptorFlows, getSecurityConfiguration, hashCode, isFeatureDisallowed, setDisallowedFeatures, setDisallowedFeaturesLookupStrategy, setInboundFlowsLookupStrategy, setInboundInterceptorFlows, setInboundInterceptorFlowsLookupStrategy, setOutboundFlowsLookupStrategy, setOutboundInterceptorFlows, setOutboundInterceptorFlowsLookupStrategy, setSecurityConfiguration, setSecurityConfigurationLookupStrategy

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractIdentifiableInitializableComponent

setId

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractIdentifiedInitializableComponent

doInitialize, getId

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

destroy, doDestroy, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.idp.profile.config.AttributeResolvingProfileConfiguration

isResolveAttributes

Methods inherited from interface net.shibboleth.idp.authn.config.AuthenticationProfileConfiguration

getAuthenticationFlows, getDefaultAuthenticationMethods, getPostAuthenticationFlows, getProxyCount, isForceAuthn, isLocal

Methods inherited from interface net.shibboleth.idp.profile.config.ConditionalProfileConfiguration

getActivationCondition

Methods inherited from interface net.shibboleth.utilities.java.support.component.IdentifiedComponent

getId

Methods inherited from interface net.shibboleth.oidc.profile.oauth2.config.OAuth2AccessTokenProducingProfileConfiguration

getAccessTokenClaimsSetManipulationStrategy, getAccessTokenLifetime, getAccessTokenType

Methods inherited from interface net.shibboleth.oidc.profile.oauth2.config.OAuth2ClientAuthenticableClientProfileConfiguration

getClientCredential, getClientId, getTokenEndpointAuthMethod

Methods inherited from interface net.shibboleth.oidc.profile.oauth2.config.OAuth2ClientAuthenticableProfileConfiguration

getClaimsValidator, getTokenEndpointAuthMethods

Methods inherited from interface net.shibboleth.oidc.profile.oauth2.config.OAuth2FlowAwareProfileConfiguration

isAuthorizationCodeFlowEnabled, isImplicitFlowEnabled, isRefreshTokensEnabled

Methods inherited from interface net.shibboleth.oidc.profile.oauth2.config.OAuth2RefreshTokenProducingProfileConfiguration

getRefreshTokenChainLifetime, getRefreshTokenLifetime, getRefreshTokenTimeout

Methods inherited from interface net.shibboleth.oidc.profile.oauth2.config.OAuth2TokenEncryptionProfileConfiguration

isEncryptionOptional

Methods inherited from interface net.shibboleth.oidc.profile.config.OIDCFlowAwareProfileConfiguration

isHybridFlowEnabled

Methods inherited from interface net.shibboleth.oidc.profile.config.OIDCIDTokenProducingProfileConfiguration

getAdditionalAudiencesForIdToken, getAlwaysIncludedAttributes, getIDTokenLifetime, getIDTokenManipulationStrategy

Methods inherited from interface net.shibboleth.oidc.profile.config.OIDCSSOProfileConfiguration

isAllowPKCEPlain, isForcePKCE

Methods inherited from interface net.shibboleth.idp.profile.config.OverriddenIssuerProfileConfiguration

getIssuer

Methods inherited from interface net.shibboleth.idp.profile.config.ProfileConfiguration

getInboundInterceptorFlows, getOutboundInterceptorFlows, getSecurityConfiguration

Field Detail

acrRequestAlwaysEssentialPredicate

@Nonnull
private Predicate<ProfileRequestContext> acrRequestAlwaysEssentialPredicate

Whether all acr claim requests should be treated as Essential.

encodeConsentInTokensPredicate

@Nonnull
private Predicate<ProfileRequestContext> encodeConsentInTokensPredicate

Whether to encode consent in authorization code and access/refresh tokens.

authorizeCodeLifetimeLookupStrategy

@Nonnull
private Function<ProfileRequestContext,Duration> authorizeCodeLifetimeLookupStrategy

Lookup function to supply lifetime of authz code.

encodedAttributesLookupStrategy

@Nonnull
private Function<ProfileRequestContext,Set<String>> encodedAttributesLookupStrategy

Lookup function to supply attribute IDs to embed in authorization code or access token.

useRequestObjectPredicate

@Nonnull
private Predicate<ProfileRequestContext> useRequestObjectPredicate

Whether to encode authentication request parameters inside a JWT request object .

signRequestObjectPredicate

@Nonnull
private Predicate<ProfileRequestContext> signRequestObjectPredicate

Predicate used to determine if the generated request object should be signed. Default returns true.

encryptRequestObjectPredicate

@Nonnull
private Predicate<ProfileRequestContext> encryptRequestObjectPredicate

Predicate used to determine if the generated request object should be encrypted. Default returns false.

deniedUserInfoAttributesLookupStrategy

@Nonnull
private Function<ProfileRequestContext,Set<String>> deniedUserInfoAttributesLookupStrategy

Lookup function to supply attribute IDs to omit from UserInfo token.

includeIssuerInResponsePredicate

@Nonnull
private Predicate<ProfileRequestContext> includeIssuerInResponsePredicate

Whether to include iss parameter in the authentication response.

retrieveUserInfoEndpointClaims

@Nonnull
private Predicate<ProfileRequestContext> retrieveUserInfoEndpointClaims

Whether to make a UserInfo Endpoint request for End-User claims.

redirectUriOverrideLookupStrategy

@Nonnull
private Function<ProfileRequestContext,String> redirectUriOverrideLookupStrategy

An override to specify a specific redirect_uri to use over the normally computed one.

responseTypeLookupStrategy

@Nonnull
private Function<ProfileRequestContext,String> responseTypeLookupStrategy

Lookup function to retrieve the response_type.

scopesLookupStrategy

@Nonnull
private Function<ProfileRequestContext,Set<String>> scopesLookupStrategy

Lookup function to retrieve the scopes requested during authentication.

acrTranslationStrategyLookupStrategy

@Nonnull
private Function<ProfileRequestContext,Function<Collection<String>,Collection<Principal>>> acrTranslationStrategyLookupStrategy

Lookup function to supply the strategy function for translating OIDC ACR claims.

amrTranslationStrategyLookupStrategy

@Nonnull
private Function<ProfileRequestContext,Function<Collection<String>,Collection<Principal>>> amrTranslationStrategyLookupStrategy

Lookup function to supply the strategy function for translating OIDC ACR claims.

proxiedAuthnInstantPredicate

@Nonnull
private Predicate<ProfileRequestContext> proxiedAuthnInstantPredicate

Whether authentication results should carry the proxied auth_time in the id_token.

httpRequestMethodLookupStrategy

@Nonnull
private Function<ProfileRequestContext,String> httpRequestMethodLookupStrategy

Which HTTP method should be used to issue OIDC authentication requests. Supported values are POST and GET. The default is GET.

authorizationCodeClaimsSetManipulationStrategyLookupStrategy

@Nonnull
private Function<ProfileRequestContext,BiFunction<ProfileRequestContext,Map<String,Object>,Map<String,Object>>> authorizationCodeClaimsSetManipulationStrategyLookupStrategy

Lookup function to supply strategy bi-function for manipulating authorization code claims set.

maxAuthenticationAgeLookupStrategy

@Nonnull
private Function<ProfileRequestContext,Duration> maxAuthenticationAgeLookupStrategy

Lookup function to determine the max_age of an authentication request.

loginHintLookupStrategy

@Nonnull
private Function<ProfileRequestContext,String> loginHintLookupStrategy

Lookup function to determine the login_hint of an authentication request.

userInfoHttpRequestMethodLookupStrategy

@Nonnull
private Function<ProfileRequestContext,String> userInfoHttpRequestMethodLookupStrategy

Which HTTP method should be used to issue the UserInfo requests. Supported values are POST and GET. The default is GET.

responseModeLookupStrategy

@Nonnull
private Function<ProfileRequestContext,String> responseModeLookupStrategy

Lookup function to override the default response_mode for a given response_type.

tlsServerValidationOnlyPredicate

@Nonnull
private Predicate<ProfileRequestContext> tlsServerValidationOnlyPredicate

Whether TLS server validation alone is sufficient to verify the id_token (true), or whether the id_token's signature should be validated (false). The default is false, the id_token signature should be validated.

Constructor Detail

DefaultOIDCAuthorizationConfiguration

public DefaultOIDCAuthorizationConfiguration()

Constructor.

DefaultOIDCAuthorizationConfiguration

public DefaultOIDCAuthorizationConfiguration(@Nonnull @NotEmpty
                                             String profileId)

Creates a new configuration instance.

Parameters:

profileId - Unique profile identifier.

Method Detail

isAcrRequestAlwaysEssential

public boolean isAcrRequestAlwaysEssential(@Nullable
                                           ProfileRequestContext profileRequestContext)

Specified by:

isAcrRequestAlwaysEssential in interface OIDCAuthorizationConfiguration

setAcrRequestAlwaysEssential

public void setAcrRequestAlwaysEssential(boolean flag)

Set whether all acr claim requests should be treated as Essential.

Parameters:

flag - flag to set

setAcrRequestAlwaysEssentialPredicate

public void setAcrRequestAlwaysEssentialPredicate(@Nonnull
                                                  Predicate<ProfileRequestContext> condition)

Set condition for whether all acr claim requests should be treated as Essential.

Parameters:

condition - condition to set

isUseRequestObject

public boolean isUseRequestObject(@Nullable
                                  ProfileRequestContext profileRequestContext)

Specified by:

isUseRequestObject in interface OIDCAuthenticationProfileConfiguration

setUseRequestObject

public void setUseRequestObject(boolean flag)

Set whether the authentication request parameters should be passed in a single, self contained, JWT.

Parameters:

flag - flag to set

setUseRequestObjectPredicate

public void setUseRequestObjectPredicate(@Nonnull
                                         Predicate<ProfileRequestContext> condition)

Set condition for whether the authentication request parameters should be passed in a single, self contained, JWT.

Parameters:

condition - condition to set

isEncodeConsentInTokens

public boolean isEncodeConsentInTokens(@Nullable
                                       ProfileRequestContext profileRequestContext)

Specified by:

isEncodeConsentInTokens in interface OIDCAuthorizationConfiguration

setEncodeConsentInTokens

public void setEncodeConsentInTokens(boolean flag)

Set whether to encode consent in authorization code and access/refresh tokens.

Parameters:

flag - flag to set

setEncodeConsentInTokensPredicate

public void setEncodeConsentInTokensPredicate(@Nonnull
                                              Predicate<ProfileRequestContext> condition)

Set condition for whether to encode consent in authorization code and access/refresh tokens.

Parameters:

condition - condition to set

isRetrieveUserInfoEndpointClaims

public boolean isRetrieveUserInfoEndpointClaims(@Nonnull
                                                ProfileRequestContext profileRequestContext)

Specified by:

isRetrieveUserInfoEndpointClaims in interface OIDCAuthenticationRelyingPartyProfileConfiguration

setRetrieveUserInfoEndpointClaims

public void setRetrieveUserInfoEndpointClaims(boolean flag)

Set whether to make a request to the UserInfo Endpoint to obtain authenticated End-User claims.

Parameters:

flag - flag to set

Since:

2.2.0

setRetrieveUserInfoEndpointClaims

public void setRetrieveUserInfoEndpointClaims(@Nonnull
                                              Predicate<ProfileRequestContext> condition)

Set condition for whether to make a request to the UserInfo Endpoint to obtain authenticated End-User claims.

Parameters:

condition - condition to set

Since:

2.2.0

isSignRequestObject

public boolean isSignRequestObject(@Nullable
                                   ProfileRequestContext profileRequestContext)

Specified by:

isSignRequestObject in interface OIDCAuthenticationRelyingPartyProfileConfiguration

setSignRequestObject

public void setSignRequestObject(boolean flag)

Set whether the RequestObject should be signed.

Parameters:

flag - flag to set

Since:

2.2.0

setSignRequestObjectPredicate

public void setSignRequestObjectPredicate(Predicate<ProfileRequestContext> condition)

Set the predicate to determine if the RequestObject should be signed.

Parameters:

condition - the condition

Since:

2.2.0

isEncryptRequestObject

public boolean isEncryptRequestObject(@Nullable
                                      ProfileRequestContext profileRequestContext)

Specified by:

isEncryptRequestObject in interface OIDCAuthenticationRelyingPartyProfileConfiguration

setEncryptRequestObject

public void setEncryptRequestObject(boolean flag)

Set whether the RequestObject should be encrypted.

Parameters:

flag - flag to set

Since:

2.2.0

setEncryptRequestObjectPredicate

public void setEncryptRequestObjectPredicate(Predicate<ProfileRequestContext> condition)

Set the predicate to determine if the RequestObject should be encrypted.

Parameters:

condition - the condition

Since:

2.2.0

setRedirectUriOverrideLookupStrategy

public void setRedirectUriOverrideLookupStrategy(@Nonnull
                                                 Function<ProfileRequestContext,String> strategy)

Set the redirect_uri lookup strategy used to locate an overridden redirect.

Parameters:

strategy - the strategy to use.

Since:

2.2.0

setRedirectUriOverride

public void setRedirectUriOverride(@Nullable
                                   String uri)

Set the override redirect_uri.

Parameters:

uri - the redirect_uri

Since:

2.2.0

getRedirectUriOverride

public String getRedirectUriOverride(@Nullable
                                     ProfileRequestContext profileRequestContext)

Specified by:

getRedirectUriOverride in interface OIDCAuthenticationRelyingPartyProfileConfiguration

getAuthorizeCodeLifetime

@Positive
@Nonnull
public Duration getAuthorizeCodeLifetime(@Nullable
                                         ProfileRequestContext profileRequestContext)

Specified by:

getAuthorizeCodeLifetime in interface OAuth2AuthorizationCodeProducingProfileConfiguration

setAuthorizeCodeLifetime

public void setAuthorizeCodeLifetime(@Positive @Nonnull
                                     Duration lifetime)

Set the lifetime of authz code.

Parameters:

lifetime - lifetime of authz code

setAuthorizeCodeLifetimeLookupStrategy

public void setAuthorizeCodeLifetimeLookupStrategy(@Nonnull
                                                   Function<ProfileRequestContext,Duration> strategy)

Set a lookup strategy for the authz code lifetime.

Parameters:

strategy - lookup strategy

setHttpRequestMethodLookupStrategy

public void setHttpRequestMethodLookupStrategy(@Nonnull
                                               Function<ProfileRequestContext,String> strategy)

Set a lookup strategy to determine the HTTP request method for an authentication request.

Parameters:

strategy - the strategy to set.

setHttpRequestMethod

public void setHttpRequestMethod(@Nonnull @NotEmpty
                                 OAuth2AuthorizationProfileConfiguration.HttpRequestMethod method)

Set the HTTP request method for an authentication request.

Parameters:

method - the HTTP method to set, either POST or GET.

getHttpRequestMethod

public OAuth2AuthorizationProfileConfiguration.HttpRequestMethod getHttpRequestMethod(@Nullable
                                                                                      ProfileRequestContext profileRequestContext)

Specified by:

getHttpRequestMethod in interface OAuth2AuthorizationProfileConfiguration

getEncodedAttributes

@Nonnull
@NonnullElements
@NotLive
public Set<String> getEncodedAttributes(@Nullable
                                        ProfileRequestContext profileRequestContext)

Specified by:

getEncodedAttributes in interface OIDCAuthorizationConfiguration

setEncodedAttributes

public void setEncodedAttributes(@Nullable @NonnullElements
                                 Collection<String> attributes)

Set the set of attribute IDs which should be encoded in encrypted form into the authorization code and/or access/refresh tokens to enable recovery on the back-channel.

Parameters:

attributes - the attribute IDs to encode

setEncodedAttributesLookupStrategy

public void setEncodedAttributesLookupStrategy(@Nonnull
                                               Function<ProfileRequestContext,Set<String>> strategy)

Set a lookup strategy for the attribute IDs which should be encoded in encrypted form into the authorization code and/or access/refresh tokens to enable recovery on the back-channel.

Parameters:

strategy - lookup strategy

getDeniedUserInfoAttributes

@Nonnull
@NonnullElements
@NotLive
public Set<String> getDeniedUserInfoAttributes(@Nullable
                                               ProfileRequestContext profileRequestContext)

Specified by:

getDeniedUserInfoAttributes in interface OIDCAuthorizationConfiguration

setDeniedUserInfoAttributes

public void setDeniedUserInfoAttributes(@Nullable @NonnullElements
                                        Collection<String> attributes)

Set the set of attribute IDs which should be omitted from the UserInfo token.

Default behavior is to include all claims, but omiited claims also affect the set that may need to be embedded for recovery into the access/refresh tokens.

Parameters:

attributes - the attribute IDs to omit from UserInfo token

setDeniedUserInfoAttributesLookupStrategy

public void setDeniedUserInfoAttributesLookupStrategy(@Nonnull
                                                      Function<ProfileRequestContext,Set<String>> strategy)

Set a lookup strategy for the set of attribute IDs which should be omitted from the UserInfo token.

Parameters:

strategy - lookup strategy

isIncludeIssuerInResponse

public boolean isIncludeIssuerInResponse(@Nullable
                                         ProfileRequestContext profileRequestContext)

Specified by:

isIncludeIssuerInResponse in interface OIDCAuthorizationConfiguration

setIncludeIssuerInResponse

public void setIncludeIssuerInResponse(boolean flag)

Set whether to include iss parameter in the authentication response.

Parameters:

flag - flag to set

Since:

2.1.0

setIncludeIssuerInResponsePredicate

public void setIncludeIssuerInResponsePredicate(@Nonnull
                                                Predicate<ProfileRequestContext> condition)

Set condition for whether to include iss parameter in the authentication response.

Parameters:

condition - condition to set

Since:

2.1.0

setResponseTypeLookupStrategy

public void setResponseTypeLookupStrategy(@Nonnull
                                          Function<ProfileRequestContext,String> strategy)

Set the lookup strategy to determine the response_type for authentication requests.

Parameters:

strategy - the strategy to use

Since:

2.2.0

setResponseType

public void setResponseType(@Nullable
                            String responseType)

Set the response_type to use for authentication requests.

Parameters:

responseType - the response_type to use

Since:

2.2.0

getResponseType

public String getResponseType(@Nullable
                              ProfileRequestContext profileRequestContext)

Specified by:

getResponseType in interface OAuth2AuthorizationProfileConfiguration

getAuthorizationCodeClaimsSetManipulationStrategy

@Nonnull
public BiFunction<ProfileRequestContext,Map<String,Object>,Map<String,Object>> getAuthorizationCodeClaimsSetManipulationStrategy(@Nullable
                                                                                                                                                         ProfileRequestContext profileRequestContext)

Specified by:

getAuthorizationCodeClaimsSetManipulationStrategy in interface OAuth2AuthorizationCodeProducingProfileConfiguration

setAuthorizationCodeClaimsSetManipulationStrategy

public void setAuthorizationCodeClaimsSetManipulationStrategy(@Nullable
                                                              BiFunction<ProfileRequestContext,Map<String,Object>,Map<String,Object>> strategy)

Set the bi-function for manipulating authorization code claims set.

Parameters:

strategy - bi-function for manipulating authorization code claims set

Since:

2.1.0

setAuthorizationCodeClaimsSetManipulationStrategyLookupStrategy

public void setAuthorizationCodeClaimsSetManipulationStrategyLookupStrategy(@Nonnull
                                                                            Function<ProfileRequestContext,BiFunction<ProfileRequestContext,Map<String,Object>,Map<String,Object>>> strategy)

Set a lookup strategy for the bi-function for manipulating authorization code claims set.

Parameters:

strategy - lookup strategy

Since:

2.1.0

setScopesLookupStrategy

public void setScopesLookupStrategy(@Nonnull
                                    Function<ProfileRequestContext,Set<String>> strategy)

Set the lookup strategy to determine the scopes to use for authentication requests.

Parameters:

strategy - the strategy to use

Since:

2.2.0

setScopes

public void setScopes(@Nullable @NonnullElements
                      Set<String> scopes)

Set the scopes to use for authentication requests.

Parameters:

scopes - the scopes

Since:

2.2.0

getScopes

@Nullable
public Set<String> getScopes(@Nullable
                             ProfileRequestContext profileRequestContext)

Specified by:

getScopes in interface OAuth2AuthorizationProfileConfiguration

setAuthenticationMethodsReferencesTranslationStrategyLookupStrategy

public void setAuthenticationMethodsReferencesTranslationStrategyLookupStrategy(@Nonnull
                                                                                Function<ProfileRequestContext,Function<Collection<String>,Collection<Principal>>> strategy)

Set the lookup function to locate the Authentication Methods References strategy used to translate between an inbound proxied OIDC AMR into an appropriate set of custom Principal objects to populate the subject.

Parameters:

strategy - translation function

Since:

2.2.0

getAuthenticationMethodsReferencesTranslationStrategy

@Nullable
public Function<Collection<String>,Collection<Principal>> getAuthenticationMethodsReferencesTranslationStrategy(@Nullable
                                                                                                                      ProfileRequestContext prc)

Specified by:

getAuthenticationMethodsReferencesTranslationStrategy in interface OIDCAuthenticationProfileConfiguration

setAuthenticationContextClassReferenceTranslationStrategyLookupStrategy

public void setAuthenticationContextClassReferenceTranslationStrategyLookupStrategy(@Nullable
                                                                                    Function<ProfileRequestContext,Function<Collection<String>,Collection<Principal>>> strategy)

Set the lookup function to locate the Authentication Context Class Reference strategy used to translate between an inbound proxied OIDC ACR into an appropriate set of custom Principal objects to populate the subject.

Parameters:

strategy - translation function

Since:

2.2.0

getAuthenticationContextClassReferenceTranslationStrategy

@Nullable
public Function<Collection<String>,Collection<Principal>> getAuthenticationContextClassReferenceTranslationStrategy(@Nullable
                                                                                                                          ProfileRequestContext prc)

Specified by:

getAuthenticationContextClassReferenceTranslationStrategy in interface OIDCAuthenticationProfileConfiguration

isProxiedAuthnInstant

public boolean isProxiedAuthnInstant(@Nullable
                                     ProfileRequestContext profileRequestContext)

Specified by:

isProxiedAuthnInstant in interface OIDCAuthenticationRelyingPartyProfileConfiguration

setProxiedAuthnInstant

public void setProxiedAuthnInstant(boolean flag)

Sets whether authentication results produced by use of this profile should carry the proxied assertion's auth_time from the id_token, rather than the current time.

Parameters:

flag - flag to set

Since:

2.2.0

getMaxAuthenticationAge

@Nullable
public Duration getMaxAuthenticationAge(@Nullable
                                        ProfileRequestContext profileRequestContext)

Specified by:

getMaxAuthenticationAge in interface OIDCAuthenticationProfileConfiguration

setMaxAuthenticationAge

public void setMaxAuthenticationAge(@Positive @Nonnull
                                    Duration age)

Set the max authentication age.

Parameters:

age - the max authentication age

Since:

2.2.0

setMaxAuthenticationAgeLookupStrategy

public void setMaxAuthenticationAgeLookupStrategy(@Nonnull
                                                  Function<ProfileRequestContext,Duration> strategy)

Set a lookup strategy for the max authentication age.

Parameters:

strategy - lookup strategy

Since:

2.2.0

setLoginHintLookupStrategy

public void setLoginHintLookupStrategy(@Nonnull
                                       Function<ProfileRequestContext,String> strategy)

Set the lookup strategy for setting the login_hint.

Parameters:

strategy - lookup strategy

Since:

2.2.0

setLoginHint

public void setLoginHint(String fixedLoginHint)

Set a fixed login_hint. Will apply to all requests.

Parameters:

fixedLoginHint - the login_hint

Since:

2.2.0

getLoginHint

@Nullable
public String getLoginHint(@Nullable
                           ProfileRequestContext profileRequestContext)

Specified by:

getLoginHint in interface OIDCAuthenticationProfileConfiguration

setUserInfoHttpRequestMethodLookupStrategy

public void setUserInfoHttpRequestMethodLookupStrategy(@Nonnull
                                                       Function<ProfileRequestContext,String> strategy)

Set a lookup strategy to determine the HTTP request method for an UserInfo request.

Parameters:

strategy - the strategy to set.

Since:

2.2.0

setUserInfoHttpRequestMethod

public void setUserInfoHttpRequestMethod(@Nonnull @NotEmpty
                                         OAuth2AuthorizationProfileConfiguration.HttpRequestMethod method)

Set the HTTP request method for an UserInfo request.

Parameters:

method - the HTTP method to set, either POST or GET.

Since:

2.2.0

getUserInfoHttpRequestMethod

@Nullable
public OAuth2AuthorizationProfileConfiguration.HttpRequestMethod getUserInfoHttpRequestMethod(@Nullable
                                                                                              ProfileRequestContext profileRequestContext)

Specified by:

getUserInfoHttpRequestMethod in interface OIDCAuthenticationRelyingPartyProfileConfiguration

setResponseModeLookupStrategy

public void setResponseModeLookupStrategy(@Nonnull
                                          Function<ProfileRequestContext,String> strategy)

Set the lookup strategy to determine the response_mode for authorization requests.

Parameters:

strategy - the strategy to use

Since:

2.2.0

setResponseMode

public void setResponseMode(@Nonnull
                            String responseMode)

Set the response_mode to use for authorization requests.

Parameters:

responseMode - the response_mode to use

Since:

2.2.0

getResponseMode

public String getResponseMode(@Nullable
                              ProfileRequestContext profileRequestContext)

Specified by:

getResponseMode in interface OAuth2AuthorizationProfileConfiguration

setTlsServerValidationSufficient

public void setTlsServerValidationSufficient(boolean flag)

Set whether TLS server validation alone is sufficient to verify the id_token (true), or whether the id_token's signature should be validated (false).

Parameters:

flag - flag to set

Since:

2.2.0

setTlsServerValidationSufficient

public void setTlsServerValidationSufficient(@Nonnull
                                             Predicate<ProfileRequestContext> condition)

Set the predicate to determine whether TLS server validation alone is sufficient to verify the id_token (true), or whether the id_token's signature should be validated (false).

Parameters:

condition - condition to set

Since:

2.2.0

isTlsServerValidationSufficient

public boolean isTlsServerValidationSufficient(ProfileRequestContext profileRequestContext)

Specified by:

isTlsServerValidationSufficient in interface OIDCAuthenticationRelyingPartyProfileConfiguration