Package net.shibboleth.idp.plugin.oidc.op.token.support

Class TokenClaimsSet

java.lang.Object

net.shibboleth.idp.plugin.oidc.op.token.support.TokenClaimsSet

Direct Known Subclasses:

AccessTokenClaimsSet, AuthorizeCodeClaimsSet, RefreshTokenClaimsSet

@NotThreadSafe
public class TokenClaimsSet
extends Object

Class to extend for token claims sets. Offers the base functionality to Authorize Code, Refresh Token and Access Token.

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	TokenClaimsSet.Builder<T extends TokenClaimsSet>	Abstract builder to extend builders from that are instantiating claims sets extending TokenClaimsSet.

Field Summary

Fields

Modifier and Type	Field	Description
static String	KEY_AC_ID	Identifier for the token.
static String	KEY_ACR	Authentication context class reference value of the performed authentication.
static String	KEY_AUDIENCE	Audiences of the token request.
static String	KEY_AUTH_TIME	Authentication time of the performed authentication.
static String	KEY_CLAIMS	Claims request of the original authentication request.
static String	KEY_CLIENTID	Client id of the rp the token is generated for.
static String	KEY_CODE_CHALLENGE	Code Challenge.
static String	KEY_CONSENT_ENABLED	Whether consent has been enabled.
static String	KEY_CONSENTED_CLAIMS	Claims/Attributes having consent.
static String	KEY_DELIVERY_CLAIMS	Claims set for token delivery.
static String	KEY_DELIVERY_CLAIMS_IDTOKEN	Claims set for token delivery, id token only.
static String	KEY_DELIVERY_CLAIMS_USERINFO	Claims set for token delivery, user info only.
static String	KEY_EXPIRATION_TIME	Expiration time of the token.
static String	KEY_ISSUED_AT	Issue time of the token.
static String	KEY_ISSUER	OP issuer.
static String	KEY_LEGACY_CLIENTID	Client id of the rp the token is generated for (old constant).
static String	KEY_NONCE	Nonce of the original authentication request.
static String	KEY_NOTBEFORE_TIME	Not before time of the token.
static String	KEY_REDIRECT_URI	Redirect uri of the original authentication request.
static String	KEY_SCOPE	Scope of the token request.
static String	KEY_SUBJECT	Subject of the user.
static String	KEY_TYPE	Type of the token.
static String	KEY_USER_PRINCIPAL	User principal representing authenticated user.
private org.slf4j.Logger	log	Class logger.
private com.nimbusds.jwt.JWTClaimsSet	tokenClaimsSet	Claims set for the claim.

Constructor Summary

Constructors

Modifier	Constructor	Description
protected	TokenClaimsSet()	Default constructor for some subclasses.
protected	TokenClaimsSet(com.nimbusds.jwt.JWTClaimsSet jwt)	Constructor.

Method Summary

Modifier and Type	Method	Description
String	getACR()	Get acr of the performed authentication.
List<String>	getAudience()	Get audience of the token.
Instant	getAuthenticationTime()	Get auth time of the user.
com.nimbusds.openid.connect.sdk.OIDCClaimsRequest	getClaimsRequest()	Get claims request of the authentication request.
com.nimbusds.jwt.JWTClaimsSet	getClaimsSet()	Get the token claims set.
com.nimbusds.oauth2.sdk.id.ClientID	getClientID()	Get Client ID of the token.
String	getCodeChallenge()	Get code challenge of the authentication request.
List<Object>	getConsentedClaims()	Get consented claims.
com.nimbusds.openid.connect.sdk.claims.ClaimsSet	getDeliveryClaims()	Get token delivery claims.
Instant	getExp()	Get expiration time of the token.
String	getID()	Get the id of the token.
com.nimbusds.openid.connect.sdk.claims.ClaimsSet	getIDTokenDeliveryClaims()	Get id token token delivery claims.
Instant	getIssuedAt()	Get issuance time of the token.
String	getIssuer()	Get the issuer.
com.nimbusds.openid.connect.sdk.Nonce	getNonce()	Get nonce of the authentication request.
Instant	getNotBefore()	Get not before time of the token, if any.
String	getPrincipal()	Get principal of the user.
URI	getRedirectURI()	Get redirect uri of the request.
com.nimbusds.oauth2.sdk.Scope	getScope()	Get scope of the token.
String	getSubject()	Get subject claim.
String	getType()	Get type of the claims set.
com.nimbusds.openid.connect.sdk.claims.ClaimsSet	getUserinfoDeliveryClaims()	Get user info response token delivery claims.
boolean	isConsentEnabled()	Get whether consent has been enabled.
boolean	isExpired()	Deprecated, for removal: This API element is subject to removal in a future version.
boolean	isTimeValid()	Check if the token is valid with respect to expiration and not before limits.
String	serialize()	Serialize the token as JSON String.
String	serialize(DataSealer dataSealer)	Serialize the token as JSON String wrapped with sealer.
void	setClaimsSet(com.nimbusds.jwt.JWTClaimsSet claimsSet)	Set the token claims set.
protected static void	verifyParsedClaims(String tokenType, com.nimbusds.jwt.JWTClaimsSet tokenClaimsSet)	Helper to verify parsed claims are what is expected.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

KEY_AC_ID

@Nonnull
@NotEmpty
public static final String KEY_AC_ID

Identifier for the token.

See Also:

Constant Field Values

KEY_TYPE

@Nonnull
@NotEmpty
public static final String KEY_TYPE

Type of the token.

See Also:

Constant Field Values

KEY_ISSUER

@Nonnull
@NotEmpty
public static final String KEY_ISSUER

OP issuer.

See Also:

Constant Field Values

KEY_USER_PRINCIPAL

@Nonnull
@NotEmpty
public static final String KEY_USER_PRINCIPAL

User principal representing authenticated user.

See Also:

Constant Field Values

KEY_SUBJECT

@Nonnull
@NotEmpty
public static final String KEY_SUBJECT

Subject of the user.

See Also:

Constant Field Values

KEY_CLIENTID

@Nonnull
@NotEmpty
public static final String KEY_CLIENTID

Client id of the rp the token is generated for.

See Also:

Constant Field Values

KEY_LEGACY_CLIENTID

@Nonnull
@NotEmpty
public static final String KEY_LEGACY_CLIENTID

Client id of the rp the token is generated for (old constant).

See Also:

Constant Field Values

KEY_EXPIRATION_TIME

@Nonnull
@NotEmpty
public static final String KEY_EXPIRATION_TIME

Expiration time of the token.

See Also:

Constant Field Values

KEY_NOTBEFORE_TIME

@Nonnull
@NotEmpty
public static final String KEY_NOTBEFORE_TIME

Not before time of the token.

See Also:

Constant Field Values

KEY_ISSUED_AT

@Nonnull
@NotEmpty
public static final String KEY_ISSUED_AT

Issue time of the token.

See Also:

Constant Field Values

KEY_ACR

@Nonnull
@NotEmpty
public static final String KEY_ACR

Authentication context class reference value of the performed authentication.

See Also:

Constant Field Values

KEY_NONCE

@Nonnull
@NotEmpty
public static final String KEY_NONCE

Nonce of the original authentication request.

See Also:

Constant Field Values

KEY_AUTH_TIME

@Nonnull
@NotEmpty
public static final String KEY_AUTH_TIME

Authentication time of the performed authentication.

See Also:

Constant Field Values

KEY_REDIRECT_URI

@Nonnull
@NotEmpty
public static final String KEY_REDIRECT_URI

Redirect uri of the original authentication request.

See Also:

Constant Field Values

KEY_SCOPE

@Nonnull
@NotEmpty
public static final String KEY_SCOPE

Scope of the token request.

See Also:

Constant Field Values

KEY_AUDIENCE

@Nonnull
@NotEmpty
public static final String KEY_AUDIENCE

Audiences of the token request.

See Also:

Constant Field Values

KEY_CLAIMS

@Nonnull
@NotEmpty
public static final String KEY_CLAIMS

Claims request of the original authentication request.

See Also:

Constant Field Values

KEY_DELIVERY_CLAIMS

@Nonnull
@NotEmpty
public static final String KEY_DELIVERY_CLAIMS

Claims set for token delivery.

See Also:

Constant Field Values

KEY_DELIVERY_CLAIMS_IDTOKEN

@Nonnull
@NotEmpty
public static final String KEY_DELIVERY_CLAIMS_IDTOKEN

Claims set for token delivery, id token only.

See Also:

Constant Field Values

KEY_DELIVERY_CLAIMS_USERINFO

@Nonnull
@NotEmpty
public static final String KEY_DELIVERY_CLAIMS_USERINFO

Claims set for token delivery, user info only.

See Also:

Constant Field Values

KEY_CONSENTED_CLAIMS

@Nonnull
@NotEmpty
public static final String KEY_CONSENTED_CLAIMS

Claims/Attributes having consent.

See Also:

Constant Field Values

KEY_CONSENT_ENABLED

@Nonnull
@NotEmpty
public static final String KEY_CONSENT_ENABLED

Whether consent has been enabled.

See Also:

Constant Field Values

KEY_CODE_CHALLENGE

@Nonnull
@NotEmpty
public static final String KEY_CODE_CHALLENGE

Code Challenge.

See Also:

Constant Field Values

tokenClaimsSet

@Nullable
private com.nimbusds.jwt.JWTClaimsSet tokenClaimsSet

Claims set for the claim.

log

@Nonnull
private org.slf4j.Logger log

Class logger.

Constructor Detail

TokenClaimsSet

protected TokenClaimsSet()

Default constructor for some subclasses.

TokenClaimsSet

protected TokenClaimsSet(@Nonnull
                         com.nimbusds.jwt.JWTClaimsSet jwt)

Constructor.

Parameters:

jwt - the claim set to wrap

Since:

3.1.0

Method Detail

verifyParsedClaims

protected static void verifyParsedClaims(@Nonnull @NotEmpty
                                         String tokenType,
                                         @Nonnull
                                         com.nimbusds.jwt.JWTClaimsSet tokenClaimsSet)
                                  throws ParseException

Helper to verify parsed claims are what is expected.

Parameters:

tokenType - The type of the expected token

tokenClaimsSet - token claims set

Throws:

ParseException - if claims set is not expected one.

serialize

@Nonnull
@NotEmpty
public String serialize()

Serialize the token as JSON String.

Returns:

token as JSON String

serialize

@Nonnull
public String serialize(@Nonnull
                        DataSealer dataSealer)
                 throws DataSealerException

Serialize the token as JSON String wrapped with sealer.

Parameters:

dataSealer - data sealer to wrap the JSON serialization

Returns:

token as JSON String wrapped with sealer

Throws:

DataSealerException - is thrown if unwrapping fails

setClaimsSet

public void setClaimsSet(@Nonnull
                         com.nimbusds.jwt.JWTClaimsSet claimsSet)

Set the token claims set.

Parameters:

claimsSet - What to set

getClaimsSet

@Nullable
public com.nimbusds.jwt.JWTClaimsSet getClaimsSet()

Get the token claims set.

Returns:

token claims set

getIssuer

@Nonnull
@NotEmpty
public String getIssuer()

Get the issuer.

Returns:

issuer

Since:

3.1.0

getIssuedAt

@Nonnull
public Instant getIssuedAt()

Get issuance time of the token.

Returns:

issuance time

Since:

3.1.0

getExp

@Nonnull
public Instant getExp()

Get expiration time of the token.

Returns:

expiration time of the token

getNotBefore

@Nullable
public Instant getNotBefore()

Get not before time of the token, if any.

Returns:

not before time of the token

Since:

3.1.0

isExpired

@Deprecated(since="3.1.0",
            forRemoval=true)
public boolean isExpired()

Deprecated, for removal: This API element is subject to removal in a future version.

Check if the token is expired.

Replaced by isTimeValid() method that enforces both bounds.

Returns:

true if the token is expired, otherwise false

isTimeValid

public boolean isTimeValid()

Check if the token is valid with respect to expiration and not before limits.

Returns:

true iff token is time valid

Since:

3.1.0

getRedirectURI

@Nullable
public URI getRedirectURI()

Get redirect uri of the request.

Returns:

redirect uri of the request, null if not located.

getACR

@Nullable
public String getACR()

Get acr of the performed authentication.

Returns:

acr of the performed authentication.

getType

@Nullable
public String getType()

Get type of the claims set.

Returns:

Type of the claims set.

getPrincipal

@Nullable
public String getPrincipal()

Get principal of the user.

Returns:

principal of the user.

getSubject

@Nullable
public String getSubject()

Get subject claim.

Returns:

subject claim

Since:

3.1.0

getAuthenticationTime

@Nullable
public Instant getAuthenticationTime()

Get auth time of the user.

Returns:

auth time of the user.

getNonce

@Nullable
public com.nimbusds.openid.connect.sdk.Nonce getNonce()

Get nonce of the authentication request.

Returns:

nonce of the authentication request.

getClaimsRequest

@Nullable
public com.nimbusds.openid.connect.sdk.OIDCClaimsRequest getClaimsRequest()

Get claims request of the authentication request.

Returns:

claims request in authentication request, null if not existing.

getDeliveryClaims

@Nullable
public com.nimbusds.openid.connect.sdk.claims.ClaimsSet getDeliveryClaims()

Get token delivery claims.

Returns:

token delivery claims

getIDTokenDeliveryClaims

@Nullable
public com.nimbusds.openid.connect.sdk.claims.ClaimsSet getIDTokenDeliveryClaims()

Get id token token delivery claims.

Returns:

id token token delivery claims

getUserinfoDeliveryClaims

@Nullable
public com.nimbusds.openid.connect.sdk.claims.ClaimsSet getUserinfoDeliveryClaims()

Get user info response token delivery claims.

Returns:

user info response token delivery claims

getConsentedClaims

@Nullable
@NonnullElements
public List<Object> getConsentedClaims()

Get consented claims.

Returns:

consented claims

isConsentEnabled

public boolean isConsentEnabled()

Get whether consent has been enabled.

Returns:

whether consent has been enabled

getScope

@Nullable
public com.nimbusds.oauth2.sdk.Scope getScope()

Get scope of the token.

Returns:

scope of the token

getAudience

@Nonnull
@NonnullElements
@NotLive
@Unmodifiable
public List<String> getAudience()

Get audience of the token.

Returns:

audience of the token

Since:

3.1.0

getCodeChallenge

@Nullable
public String getCodeChallenge()

Get code challenge of the authentication request.

Returns:

code challenge of the authentication request.

getID

@Nullable
public String getID()

Get the id of the token.

Returns:

id of the token

getClientID

@Nullable
public com.nimbusds.oauth2.sdk.id.ClientID getClientID()

Get Client ID of the token.

Returns:

Client ID of the token