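package com.nimbusds.openid.connect.provider.spi.tokens;


import java.time.Instant;
import java.util.List;
import java.util.Objects;
import java.util.Set;

import com.nimbusds.langtag.LangTag;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.auth.X509CertificateConfirmation;
import com.nimbusds.oauth2.sdk.id.*;
import net.minidev.json.JSONObject;


/**
 * Mutable access token authorisation.
 *
 * <p>Every field is optional; {@code null} means "not specified". The
 * {@code with*} setters return {@code this} so an authorisation can be
 * built fluently.
 *
 * <p>Not thread-safe: the fields are plain (non-volatile) and no
 * synchronisation is performed, so an instance must be confined to one
 * thread or synchronised externally.
 *
 * <p>The collection-valued fields (audience list, claim names, claims
 * locales, preset claims and data) are stored and returned by reference;
 * no defensive copies are made by the setters, the getters or the copy
 * constructor. A caller that mutates a collection after passing it in, or
 * mutates the object returned by a getter, changes what this
 * authorisation (and any source it was copied from) reports. Pass
 * unmodifiable views or private copies where that matters.
 */
public final class MutableAccessTokenAuthorization implements AccessTokenAuthorization {


	private Subject sub;


	private Actor act;


	private ClientID clientID;


	private Scope scope;


	private Instant exp;


	private Instant iat;


	private Issuer iss;


	private List<Audience> audList;


	private JWTID jti;


	private Set<String> claimNames;


	private List<LangTag> claimsLocales;


	private JSONObject presetClaims;


	private JSONObject data;


	private X509CertificateConfirmation cnfX5t;


	/**
	 * Creates a new empty mutable access token authorisation. All fields
	 * are {@code null} (not specified).
	 */
	public MutableAccessTokenAuthorization() {
	}


	/**
	 * Creates a new mutable access token authorisation from the specified
	 * one. Each field is taken from the corresponding getter of the
	 * source, by reference (see the class description regarding shared
	 * collections).
	 *
	 * @param source The source access token authorisation. Must not be
	 *               {@code null}.
	 *
	 * @throws NullPointerException If {@code source} is {@code null}.
	 */
	public MutableAccessTokenAuthorization(final AccessTokenAuthorization source) {
		// Fail fast with a clear message rather than on the first getter call
		Objects.requireNonNull(source, "The source access token authorisation must not be null");
		sub = source.getSubject();
		act = source.getActor();
		clientID = source.getClientID();
		scope = source.getScope();
		exp = source.getExpirationTime();
		iat = source.getIssueTime();
		iss = source.getIssuer();
		// NOTE(review): the references returned by the source getters are
		// kept as-is; if the source hands out its internal collections, the
		// copy and the source share (and can mutate) them
		audList = source.getAudienceList();
		jti = source.getJWTID();
		claimNames = source.getClaimNames();
		claimsLocales = source.getClaimsLocales();
		presetClaims = source.getPresetClaims();
		data = source.getData();
		cnfX5t = source.getClientCertificateConfirmation();
	}


	/**
	 * Sets the token subject.
	 *
	 * @param sub The subject, {@code null} if not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withSubject(final Subject sub) {
		this.sub = sub;
		return this;
	}


	@Override
	public Subject getSubject() {
		return sub;
	}


	/**
	 * Sets the token actor, in impersonation and delegation scenarios.
	 *
	 * @param act The actor, {@code null} if not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withActor(final Actor act) {
		this.act = act;
		return this;
	}


	@Override
	public Actor getActor() {
		return act;
	}


	/**
	 * Sets the identifier of the client to which the token is issued.
	 *
	 * @param clientID The client identifier, {@code null} if not
	 *                 specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withClientID(final ClientID clientID) {
		this.clientID = clientID;
		return this;
	}


	@Override
	public ClientID getClientID() {
		return clientID;
	}


	/**
	 * Sets the scope of the token.
	 *
	 * @param scope The scope, {@code null} if not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withScope(final Scope scope) {
		this.scope = scope;
		return this;
	}


	@Override
	public Scope getScope() {
		return scope;
	}


	/**
	 * Sets the expiration time of the token. No validation is performed
	 * here (e.g. that it lies after the issue time); that is the caller's
	 * responsibility.
	 *
	 * @param exp The expiration time, {@code null} if not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withExpirationTime(final Instant exp) {
		this.exp = exp;
		return this;
	}


	@Override
	public Instant getExpirationTime() {
		return exp;
	}


	/**
	 * Sets the issue time of the token.
	 *
	 * @param iat The issue time, {@code null} if not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withIssueTime(final Instant iat) {
		this.iat = iat;
		return this;
	}


	@Override
	public Instant getIssueTime() {
		return iat;
	}


	/**
	 * Sets the issuer of the token.
	 *
	 * @param iss The issuer, {@code null} if not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withIssuer(final Issuer iss) {
		this.iss = iss;
		return this;
	}


	@Override
	public Issuer getIssuer() {
		return iss;
	}


	/**
	 * Sets the audience list of the token, which may be the logical
	 * names of the intended resource servers. The list is stored by
	 * reference, not copied.
	 *
	 * @param audList The audience list, {@code null} if not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withAudienceList(final List<Audience> audList) {
		this.audList = audList;
		return this;
	}


	@Override
	public List<Audience> getAudienceList() {
		return audList;
	}


	/**
	 * Sets the JSON Web Token (JWT) identifier of the token.
	 *
	 * @param jti The JWT ID, {@code null} if not specified or applicable.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withJWTID(final JWTID jti) {
		this.jti = jti;
		return this;
	}


	@Override
	public JWTID getJWTID() {
		return jti;
	}


	/**
	 * Sets the names of the consented OpenID claims to be accessed at
	 * the UserInfo endpoint. The set is stored by reference, not copied.
	 *
	 * @param claimNames The claim names, {@code null} if not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withClaimNames(final Set<String> claimNames) {
		this.claimNames = claimNames;
		return this;
	}


	@Override
	public Set<String> getClaimNames() {
		return claimNames;
	}


	/**
	 * Sets the preferred locales for the consented OpenID claims. The
	 * list is stored by reference, not copied.
	 *
	 * @param claimsLocales The preferred claims locales, {@code null} if
	 *                      not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withClaimsLocales(final List<LangTag> claimsLocales) {
		this.claimsLocales = claimsLocales;
		return this;
	}


	@Override
	public List<LangTag> getClaimsLocales() {
		return claimsLocales;
	}


	/**
	 * Sets the preset OpenID claims to be included in the UserInfo
	 * response. The JSON object is stored by reference, not copied.
	 *
	 * @param presetClaims The preset OpenID claims, {@code null} if not
	 *                     specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withPresetClaims(final JSONObject presetClaims) {
		this.presetClaims = presetClaims;
		return this;
	}


	@Override
	public JSONObject getPresetClaims() {
		return presetClaims;
	}


	/**
	 * Sets the optional data for the token. The JSON object is stored by
	 * reference, not copied.
	 *
	 * @param data The optional data, represented as a JSON object,
	 *             {@code null} if not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withData(final JSONObject data) {
		this.data = data;
		return this;
	}


	@Override
	public JSONObject getData() {
		return data;
	}


	/**
	 * Sets the client X.509 certificate confirmation (SHA-256 thumbprint)
	 * for mutual TLS, binding the token to the client certificate.
	 *
	 * @param cnfX5t The client X.509 certificate confirmation,
	 *               {@code null} if not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withClientCertificateConfirmation(final X509CertificateConfirmation cnfX5t) {
		this.cnfX5t = cnfX5t;
		return this;
	}


	@Override
	public X509CertificateConfirmation getClientCertificateConfirmation() {
		return cnfX5t;
	}
}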