Package net.shibboleth.oidc.profile.oauth2.config.impl

Class DefaultOAuth2TokenConfiguration

java.lang.Object

net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

net.shibboleth.utilities.java.support.component.AbstractIdentifiedInitializableComponent

net.shibboleth.utilities.java.support.component.AbstractIdentifiableInitializableComponent

net.shibboleth.idp.profile.config.AbstractProfileConfiguration

net.shibboleth.idp.profile.config.AbstractConditionalProfileConfiguration

net.shibboleth.oidc.profile.oauth2.config.impl.AbstractOAuth2ClientAuthenticableProfileConfiguration

net.shibboleth.oidc.profile.oauth2.config.impl.AbstractOAuth2FlowAwareProfileConfiguration

net.shibboleth.oidc.profile.config.impl.AbstractOIDCSSOConfiguration

net.shibboleth.oidc.profile.oauth2.config.impl.DefaultOAuth2TokenConfiguration

All Implemented Interfaces:

net.shibboleth.idp.authn.config.AuthenticationProfileConfiguration, net.shibboleth.idp.profile.config.AttributeResolvingProfileConfiguration, net.shibboleth.idp.profile.config.ConditionalProfileConfiguration, net.shibboleth.idp.profile.config.OverriddenIssuerProfileConfiguration, net.shibboleth.idp.profile.config.ProfileConfiguration, OIDCFlowAwareProfileConfiguration, OIDCIDTokenProducingProfileConfiguration, OIDCProfileConfiguration, OIDCSSOProfileConfiguration, OIDCSSOProviderConfiguration, OIDCSSORelyingPartyConfiguration, OAuth2AccessTokenProducingProfileConfiguration, OAuth2ClientAuthenticableClientProfileConfiguration, OAuth2ClientAuthenticableProfileConfiguration, OAuth2FlowAwareProfileConfiguration, OAuth2ProfileConfiguration, OAuth2RefreshTokenProducingProfileConfiguration, OAuth2TokenConfiguration, OAuth2TokenEncryptionProfileConfiguration, Component, DestructableComponent, IdentifiableComponent, IdentifiedComponent, InitializableComponent

public class DefaultOAuth2TokenConfiguration
extends AbstractOIDCSSOConfiguration
implements OAuth2TokenConfiguration

Implementation of an OIDC-aware OAuth 2 token endpoint profile configuration.

Field Summary

Fields

Modifier and Type	Field	Description
private Predicate<ProfileRequestContext>	enforceRefreshTokenRotationPredicate	Whether always revoke the refresh_token after it's used.
private Function<ProfileRequestContext,Set<String>>	grantTypesLookupStrategy	Enabled grant types.
private Predicate<ProfileRequestContext>	issueIdTokenViaRefreshTokenPredicate	Whether issue id_token when refresh_token is used.
private Function<ProfileRequestContext,BiFunction<ProfileRequestContext,Map<String,Object>,Map<String,Object>>>	refreshTokenClaimsSetManipulationStrategyLookupStrategy	Lookup function to supply strategy bi-function for manipulating refresh token claims set.

Fields inherited from class net.shibboleth.idp.profile.config.AbstractProfileConfiguration

DEFAULT_DISALLOWED_FEATURES

Fields inherited from interface net.shibboleth.oidc.profile.oauth2.config.OAuth2TokenConfiguration

PROFILE_ID

Fields inherited from interface net.shibboleth.oidc.profile.config.OIDCSSOProfileConfiguration

PROFILE_ID

Constructor Summary

Constructors

Constructor	Description
DefaultOAuth2TokenConfiguration()	Constructor.
DefaultOAuth2TokenConfiguration(String profileId)	Creates a new configuration instance.

Method Summary

Modifier and Type	Method	Description
Set<String>	getGrantTypes(ProfileRequestContext profileRequestContext)
BiFunction<ProfileRequestContext,Map<String,Object>,Map<String,Object>>	getRefreshTokenClaimsSetManipulationStrategy(ProfileRequestContext profileRequestContext)
boolean	isEnforceRefreshTokenRotation(ProfileRequestContext profileRequestContext)
boolean	isIssueIdTokenViaRefreshToken(ProfileRequestContext profileRequestContext)
void	setEnforceRefreshTokenRotation(boolean flag)	Set whether always revoke the refresh_token after it's used.
void	setEnforceRefreshTokenRotationPredicate(Predicate<ProfileRequestContext> condition)	Set condition for whether always revoke the refresh_token after it's used.
void	setGrantTypes(Collection<String> types)	Set the enabled grant types.
void	setGrantTypesLookupStrategy(Function<ProfileRequestContext,Set<String>> strategy)	Set a lookup strategy for the enabled grant types.
void	setIssueIdTokenViaRefreshToken(boolean flag)	Set whether the id_token is issued when refresh token grant is used.
void	setIssueIdTokenViaRefreshTokenPredicate(Predicate<ProfileRequestContext> condition)	Set condition for whether the id_token is issued when refresh token grant is used.
void	setRefreshTokenClaimsSetManipulationStrategy(BiFunction<ProfileRequestContext,Map<String,Object>,Map<String,Object>> strategy)	Set the bi-function for manipulating refresh token claims set.
void	setRefreshTokenClaimsSetManipulationStrategyLookupStrategy(Function<ProfileRequestContext,BiFunction<ProfileRequestContext,Map<String,Object>,Map<String,Object>>> strategy)	Set a lookup strategy for the bi-function for manipulating refresh token claims set.

Methods inherited from class net.shibboleth.oidc.profile.config.impl.AbstractOIDCSSOConfiguration

getAccessTokenClaimsSetManipulationStrategy, getAccessTokenLifetime, getAccessTokenType, getAdditionalAudiencesForIdToken, getAlwaysIncludedAttributes, getIDTokenLifetime, getIDTokenManipulationStrategy, getIssuer, getRefreshTokenChainLifetime, getRefreshTokenLifetime, getRefreshTokenTimeout, isAllowPKCEPlain, isEncryptionOptional, isForcePKCE, isResolveAttributes, setAccessTokenClaimsSetManipulationStrategy, setAccessTokenClaimsSetManipulationStrategyLookupStrategy, setAccessTokenLifetime, setAccessTokenLifetimeLookupStrategy, setAccessTokenType, setAccessTokenTypeLookupStrategy, setAdditionalAudiencesForIdToken, setAdditionalAudiencesForIdTokenLookupStrategy, setAllowPKCEPlain, setAllowPKCEPlainPredicate, setAlwaysIncludedAttributes, setAlwaysIncludedAttributesLookupStrategy, setEncryptionOptional, setEncryptionOptionalPredicate, setForcePKCE, setForcePKCEPredicate, setIDTokenLifetime, setIDTokenLifetimeLookupStrategy, setIDTokenManipulationStrategy, setIDTokenManipulationStrategyLookupStrategy, setIssuer, setIssuerLookupStrategy, setRefreshTokenChainLifetime, setRefreshTokenChainLifetimeLookupStrategy, setRefreshTokenLifetime, setRefreshTokenLifetimeLookupStrategy, setRefreshTokenTimeout, setRefreshTokenTimeoutLookupStrategy, setResolveAttributes, setResolveAttributesPredicate

Methods inherited from class net.shibboleth.oidc.profile.oauth2.config.impl.AbstractOAuth2FlowAwareProfileConfiguration

isAuthorizationCodeFlowEnabled, isHybridFlowEnabled, isImplicitFlowEnabled, isRefreshTokensEnabled, setAuthorizationCodeFlowEnabled, setAuthorizationCodeFlowEnabledPredicate, setHybridFlowEnabled, setHybridFlowEnabledPredicate, setImplicitFlowEnabled, setImplicitFlowEnabledPredicate, setRefreshTokensEnabled, setRefreshTokensEnabledPredicate

Methods inherited from class net.shibboleth.oidc.profile.oauth2.config.impl.AbstractOAuth2ClientAuthenticableProfileConfiguration

getAuthenticationFlows, getClaimsValidator, getClientCredential, getClientId, getDefaultAuthenticationMethods, getPostAuthenticationFlows, getProxyCount, getTokenEndpointAuthMethod, getTokenEndpointAuthMethods, isForceAuthn, setAuthenticationFlows, setAuthenticationFlowsLookupStrategy, setClaimsValidator, setClaimsValidatorLookupStrategy, setClientCredential, setClientCredentialLookupStrategy, setClientId, setClientIdLookupStrategy, setDefaultAuthenticationMethods, setDefaultAuthenticationMethodsLookupStrategy, setForceAuthn, setForceAuthnPredicate, setPostAuthenticationFlows, setPostAuthenticationFlowsLookupStrategy, setProxyCount, setProxyCountLookupStrategy, setTokenEndpointAuthMethod, setTokenEndpointAuthMethodLookupStrategy, setTokenEndpointAuthMethods, setTokenEndpointAuthMethodsLookupStrategy

Methods inherited from class net.shibboleth.idp.profile.config.AbstractConditionalProfileConfiguration

getActivationCondition, setActivationCondition

Methods inherited from class net.shibboleth.idp.profile.config.AbstractProfileConfiguration

equals, getDisallowedFeatures, getInboundInterceptorFlows, getOutboundInterceptorFlows, getSecurityConfiguration, hashCode, isFeatureDisallowed, setDisallowedFeatures, setDisallowedFeaturesLookupStrategy, setInboundFlowsLookupStrategy, setInboundInterceptorFlows, setInboundInterceptorFlowsLookupStrategy, setOutboundFlowsLookupStrategy, setOutboundInterceptorFlows, setOutboundInterceptorFlowsLookupStrategy, setSecurityConfiguration, setSecurityConfigurationLookupStrategy

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractIdentifiableInitializableComponent

setId

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractIdentifiedInitializableComponent

doInitialize, getId

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

destroy, doDestroy, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.idp.profile.config.AttributeResolvingProfileConfiguration

isResolveAttributes

Methods inherited from interface net.shibboleth.idp.authn.config.AuthenticationProfileConfiguration

getAuthenticationFlows, getDefaultAuthenticationMethods, getPostAuthenticationFlows, getProxyCount, isForceAuthn, isLocal

Methods inherited from interface net.shibboleth.idp.profile.config.ConditionalProfileConfiguration

getActivationCondition

Methods inherited from interface net.shibboleth.utilities.java.support.component.IdentifiedComponent

getId

Methods inherited from interface net.shibboleth.oidc.profile.oauth2.config.OAuth2AccessTokenProducingProfileConfiguration

getAccessTokenClaimsSetManipulationStrategy, getAccessTokenLifetime, getAccessTokenType

Methods inherited from interface net.shibboleth.oidc.profile.oauth2.config.OAuth2ClientAuthenticableClientProfileConfiguration

getClientCredential, getClientId, getTokenEndpointAuthMethod

Methods inherited from interface net.shibboleth.oidc.profile.oauth2.config.OAuth2ClientAuthenticableProfileConfiguration

getClaimsValidator, getTokenEndpointAuthMethods

Methods inherited from interface net.shibboleth.oidc.profile.oauth2.config.OAuth2FlowAwareProfileConfiguration

isAuthorizationCodeFlowEnabled, isImplicitFlowEnabled, isRefreshTokensEnabled

Methods inherited from interface net.shibboleth.oidc.profile.oauth2.config.OAuth2RefreshTokenProducingProfileConfiguration

getRefreshTokenChainLifetime, getRefreshTokenLifetime, getRefreshTokenTimeout

Methods inherited from interface net.shibboleth.oidc.profile.oauth2.config.OAuth2TokenEncryptionProfileConfiguration

isEncryptionOptional

Methods inherited from interface net.shibboleth.oidc.profile.config.OIDCFlowAwareProfileConfiguration

isHybridFlowEnabled

Methods inherited from interface net.shibboleth.oidc.profile.config.OIDCIDTokenProducingProfileConfiguration

getAdditionalAudiencesForIdToken, getAlwaysIncludedAttributes, getIDTokenLifetime, getIDTokenManipulationStrategy

Methods inherited from interface net.shibboleth.oidc.profile.config.OIDCSSOProfileConfiguration

isAllowPKCEPlain, isForcePKCE

Methods inherited from interface net.shibboleth.idp.profile.config.ProfileConfiguration

getInboundInterceptorFlows, getOutboundInterceptorFlows, getSecurityConfiguration

Field Detail

grantTypesLookupStrategy

@Nonnull
private Function<ProfileRequestContext,Set<String>> grantTypesLookupStrategy

Enabled grant types.

refreshTokenClaimsSetManipulationStrategyLookupStrategy

@Nonnull
private Function<ProfileRequestContext,BiFunction<ProfileRequestContext,Map<String,Object>,Map<String,Object>>> refreshTokenClaimsSetManipulationStrategyLookupStrategy

Lookup function to supply strategy bi-function for manipulating refresh token claims set.

enforceRefreshTokenRotationPredicate

@Nonnull
private Predicate<ProfileRequestContext> enforceRefreshTokenRotationPredicate

Whether always revoke the refresh_token after it's used.

issueIdTokenViaRefreshTokenPredicate

@Nonnull
private Predicate<ProfileRequestContext> issueIdTokenViaRefreshTokenPredicate

Whether issue id_token when refresh_token is used.

Constructor Detail

DefaultOAuth2TokenConfiguration

public DefaultOAuth2TokenConfiguration()

Constructor.

DefaultOAuth2TokenConfiguration

public DefaultOAuth2TokenConfiguration(@Nonnull @NotEmpty
                                       String profileId)

Creates a new configuration instance.

Parameters:

profileId - unique profile identifier

Method Detail

getGrantTypes

@Nonnull
@NonnullElements
@NotLive
@Unmodifiable
public Set<String> getGrantTypes(@Nullable
                                 ProfileRequestContext profileRequestContext)

Specified by:

getGrantTypes in interface OAuth2TokenConfiguration

setGrantTypes

public void setGrantTypes(@Nonnull @NonnullElements
                          Collection<String> types)

Set the enabled grant types.

Parameters:

types - types to enable

setGrantTypesLookupStrategy

public void setGrantTypesLookupStrategy(@Nonnull
                                        Function<ProfileRequestContext,Set<String>> strategy)

Set a lookup strategy for the enabled grant types.

Parameters:

strategy - lookup strategy

getRefreshTokenClaimsSetManipulationStrategy

@Nonnull
public BiFunction<ProfileRequestContext,Map<String,Object>,Map<String,Object>> getRefreshTokenClaimsSetManipulationStrategy(@Nullable
                                                                                                                                                    ProfileRequestContext profileRequestContext)

Specified by:

getRefreshTokenClaimsSetManipulationStrategy in interface OAuth2TokenConfiguration

setRefreshTokenClaimsSetManipulationStrategy

public void setRefreshTokenClaimsSetManipulationStrategy(@Nullable
                                                         BiFunction<ProfileRequestContext,Map<String,Object>,Map<String,Object>> strategy)

Set the bi-function for manipulating refresh token claims set.

Parameters:

strategy - bi-function for manipulating refresh token claims set

Since:

2.1.0

setRefreshTokenClaimsSetManipulationStrategyLookupStrategy

public void setRefreshTokenClaimsSetManipulationStrategyLookupStrategy(@Nonnull
                                                                       Function<ProfileRequestContext,BiFunction<ProfileRequestContext,Map<String,Object>,Map<String,Object>>> strategy)

Set a lookup strategy for the bi-function for manipulating refresh token claims set.

Parameters:

strategy - lookup strategy

Since:

2.1.0

isEnforceRefreshTokenRotation

@Nonnull
public boolean isEnforceRefreshTokenRotation(@Nullable
                                             ProfileRequestContext profileRequestContext)

Specified by:

isEnforceRefreshTokenRotation in interface OAuth2TokenConfiguration

setEnforceRefreshTokenRotation

public void setEnforceRefreshTokenRotation(boolean flag)

Set whether always revoke the refresh_token after it's used.

Parameters:

flag - flag to set

Since:

2.1.0

setEnforceRefreshTokenRotationPredicate

public void setEnforceRefreshTokenRotationPredicate(@Nonnull
                                                    Predicate<ProfileRequestContext> condition)

Set condition for whether always revoke the refresh_token after it's used.

Parameters:

condition - condition to set

Since:

2.1.0

isIssueIdTokenViaRefreshToken

@Nonnull
public boolean isIssueIdTokenViaRefreshToken(@Nullable
                                             ProfileRequestContext profileRequestContext)

Specified by:

isIssueIdTokenViaRefreshToken in interface OAuth2TokenConfiguration

setIssueIdTokenViaRefreshToken

public void setIssueIdTokenViaRefreshToken(boolean flag)

Set whether the id_token is issued when refresh token grant is used.

Parameters:

flag - flag to set

Since:

2.2.0

setIssueIdTokenViaRefreshTokenPredicate

public void setIssueIdTokenViaRefreshTokenPredicate(@Nonnull
                                                    Predicate<ProfileRequestContext> condition)

Set condition for whether the id_token is issued when refresh token grant is used.

Parameters:

condition - condition to set

Since:

2.2.0