Source code

001package com.nimbusds.openid.connect.provider.spi.grants;
002
003
004import com.nimbusds.oauth2.sdk.GeneralException;
005import com.nimbusds.oauth2.sdk.GrantType;
006import com.nimbusds.oauth2.sdk.ResourceOwnerPasswordCredentialsGrant;
007import com.nimbusds.oauth2.sdk.Scope;
008import com.nimbusds.oauth2.sdk.id.ClientID;
009
010import com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata;
011
012
013/**
014 * Service Provider Interface (SPI) for handling OAuth 2.0 resource owner
015 * password credentials grants. Returns the matching
016 * {@link PasswordGrantAuthorization authorisation} on success. Must throw an
017 * {@link GeneralException} with an
018 * {@link com.nimbusds.oauth2.sdk.OAuth2Error#INVALID_GRANT invalid_grant}
019 * error code if the user credentials are invalid.
020 *
021 * <p>Implementations must be thread-safe.
022 *
023 * <p>Related specifications:
024 *
025 * <ul>
026 *     <li>OAuth 2.0 (RFC 6749), sections 1.3.3 and 4.3.
027 * </ul>
028 */
029public interface PasswordGrantHandler extends GrantHandler {
030
031
032        /**
033         * The handled grant type.
034         */
035        GrantType GRANT_TYPE = GrantType.PASSWORD;
036
037
038        /**
039         * Handles a resource owner password credentials grant.
040         *
041         * @param grant              The resource owner password credentials
042         *                           grant. Not {@code null}.
043         * @param scope              The requested scope, {@code null} if not
044         *                           specified.
045         * @param clientID           The client identifier. Not {@code null}.
046         * @param confidentialClient {@code true} if the client is confidential
047         *                           and has been authenticated, else
048         *                           {@code false}.
049         * @param clientMetadata     The OpenID Connect client metadata. Not
050         *                           {@code null}.
051         *
052         * <p>If the user credentials are invalid the handler must throw a
053         * {@link GeneralException exception} with an
054         * {@link com.nimbusds.oauth2.sdk.OAuth2Error#INVALID_GRANT
055         * invalid_grant} error code.
056         *
057         * <p>If the requested scope is invalid, unknown, malformed, or exceeds
058         * the scope granted by the resource owner the handler must throw a
059         * {@link GeneralException} with an
060         * {@link com.nimbusds.oauth2.sdk.OAuth2Error#INVALID_SCOPE
061         * invalid_scope} error code.
062         *
063         * @return The authorisation.
064         *
065         * @throws GeneralException If the grant is invalid, or another
066         *                          exception was encountered.
067         */
068        PasswordGrantAuthorization processGrant(final ResourceOwnerPasswordCredentialsGrant grant,
069                                                final Scope scope,
070                                                final ClientID clientID,
071                                                final boolean confidentialClient,
072                                                final OIDCClientMetadata clientMetadata)
073                throws GeneralException;
074}