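package com.nimbusds.openid.connect.provider.spi.tokens;


import java.time.Instant;
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;

import com.nimbusds.langtag.LangTag;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.auth.X509CertificateConfirmation;
import com.nimbusds.oauth2.sdk.id.*;
import net.minidev.json.JSONObject;
import org.apache.commons.lang3.builder.ToStringBuilder;


/**
 * Mutable access token authorisation.
 *
 * <p>Intended for building or adjusting an authorisation before it is
 * encoded into a token. The {@code with*} setters store the supplied
 * value as-is and the getters return the stored value as-is; the copy
 * constructor, however, takes its own copies of the collection-typed
 * properties so that a mutable copy never shares state with the
 * authorisation it was created from.
 *
 * <p>This class is not thread-safe.
 */
public final class MutableAccessTokenAuthorization implements AccessTokenAuthorization {


	/** The token subject, {@code null} if not specified. */
	private Subject sub;


	/** The actor (impersonation / delegation), {@code null} if not specified. */
	private Actor act;


	/** The client the token is issued to, {@code null} if not specified. */
	private ClientID clientID;


	/** The token scope, {@code null} if not specified. */
	private Scope scope;


	/** The expiration time, {@code null} if not specified. */
	private Instant exp;


	/** The issue time, {@code null} if not specified. */
	private Instant iat;


	/** The token issuer, {@code null} if not specified. */
	private Issuer iss;


	/** The audience list, {@code null} if not specified. */
	private List<Audience> audList;


	/** The JWT ID, {@code null} if not specified or applicable. */
	private JWTID jti;


	/** The consented OpenID claim names, {@code null} if not specified. */
	private Set<String> claimNames;


	/** The preferred claims locales, {@code null} if not specified. */
	private List<LangTag> claimsLocales;


	/** The preset OpenID claims, {@code null} if not specified. */
	private JSONObject presetClaims;


	/** The optional token data, {@code null} if not specified. */
	private JSONObject data;


	/** The client X.509 certificate confirmation, {@code null} if not specified. */
	private X509CertificateConfirmation cnfX5t;


	/**
	 * Creates a new empty mutable access token authorisation.
	 */
	public MutableAccessTokenAuthorization() {
	}


	/**
	 * Creates a new mutable access token authorisation from the specified
	 * one.
	 *
	 * <p>The scope, audience list, claim names, claims locales, preset
	 * claims and data are copied, so later modification of this object
	 * (or of the collections obtained from the source) does not affect
	 * the other. The copies of the two JSON objects are shallow: nested
	 * JSON values, if any, remain shared with the source.
	 *
	 * @param source The source access token authorisation. Must not be
	 *               {@code null}.
	 *
	 * @throws NullPointerException If {@code source} is {@code null}.
	 */
	public MutableAccessTokenAuthorization(final AccessTokenAuthorization source) {
		Objects.requireNonNull(source, "source");
		sub = source.getSubject();
		act = source.getActor();
		clientID = source.getClientID();
		// Scope is a mutable set in the OAuth 2.0 SDK; copy to avoid
		// aliasing the source's scope
		scope = source.getScope() != null ? new Scope(source.getScope()) : null;
		exp = source.getExpirationTime();
		iat = source.getIssueTime();
		iss = source.getIssuer();
		audList = copyList(source.getAudienceList());
		jti = source.getJWTID();
		claimNames = copySet(source.getClaimNames());
		claimsLocales = copyList(source.getClaimsLocales());
		presetClaims = copyJSONObject(source.getPresetClaims());
		data = copyJSONObject(source.getData());
		cnfX5t = source.getClientCertificateConfirmation();
	}


	/**
	 * Returns a new mutable list with the elements of the specified list.
	 *
	 * @param list The list, {@code null} if not specified.
	 *
	 * @return The copy, {@code null} if the list was {@code null}.
	 */
	private static <T> List<T> copyList(final List<T> list) {
		return list != null ? new ArrayList<>(list) : null;
	}


	/**
	 * Returns a new mutable set with the elements of the specified set,
	 * preserving its iteration order.
	 *
	 * @param set The set, {@code null} if not specified.
	 *
	 * @return The copy, {@code null} if the set was {@code null}.
	 */
	private static <T> Set<T> copySet(final Set<T> set) {
		return set != null ? new LinkedHashSet<>(set) : null;
	}


	/**
	 * Returns a new JSON object with the members of the specified JSON
	 * object (shallow copy).
	 *
	 * @param jsonObject The JSON object, {@code null} if not specified.
	 *
	 * @return The copy, {@code null} if the JSON object was {@code null}.
	 */
	private static JSONObject copyJSONObject(final JSONObject jsonObject) {
		return jsonObject != null ? new JSONObject(jsonObject) : null;
	}


	/**
	 * Sets the token subject.
	 *
	 * @param sub The subject, {@code null} if not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withSubject(final Subject sub) {
		this.sub = sub;
		return this;
	}


	@Override
	public Subject getSubject() {
		return sub;
	}


	/**
	 * Sets the token actor, in impersonation and delegation scenarios.
	 *
	 * @param act The actor, {@code null} if not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withActor(final Actor act) {
		this.act = act;
		return this;
	}


	@Override
	public Actor getActor() {
		return act;
	}


	/**
	 * Sets the identifier of the client to which the token is issued.
	 *
	 * @param clientID The client identifier, {@code null} if not
	 *                 specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withClientID(final ClientID clientID) {
		this.clientID = clientID;
		return this;
	}


	@Override
	public ClientID getClientID() {
		return clientID;
	}


	/**
	 * Sets the scope of the token. The scope object is stored as-is,
	 * not copied.
	 *
	 * @param scope The scope, {@code null} if not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withScope(final Scope scope) {
		this.scope = scope;
		return this;
	}


	@Override
	public Scope getScope() {
		return scope;
	}


	/**
	 * Sets the expiration time of the token.
	 *
	 * @param exp The expiration time, {@code null} if not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withExpirationTime(final Instant exp) {
		this.exp = exp;
		return this;
	}


	@Override
	public Instant getExpirationTime() {
		return exp;
	}


	/**
	 * Sets the issue time of the token.
	 *
	 * @param iat The issue time, {@code null} if not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withIssueTime(final Instant iat) {
		this.iat = iat;
		return this;
	}


	@Override
	public Instant getIssueTime() {
		return iat;
	}


	/**
	 * Sets the issuer of the token.
	 *
	 * @param iss The issuer, {@code null} if not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withIssuer(final Issuer iss) {
		this.iss = iss;
		return this;
	}


	@Override
	public Issuer getIssuer() {
		return iss;
	}


	/**
	 * Sets the audience list of the token, which may be the logical
	 * names of the intended resource servers. The list is stored as-is,
	 * not copied.
	 *
	 * @param audList The audience list, {@code null} if not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withAudienceList(final List<Audience> audList) {
		this.audList = audList;
		return this;
	}


	@Override
	public List<Audience> getAudienceList() {
		return audList;
	}


	/**
	 * Sets the JSON Web Token (JWT) identifier of the token.
	 *
	 * @param jti The JWT ID, {@code null} if not specified or applicable.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withJWTID(final JWTID jti) {
		this.jti = jti;
		return this;
	}


	@Override
	public JWTID getJWTID() {
		return jti;
	}


	/**
	 * Sets the names of the consented OpenID claims to be accessed at
	 * the UserInfo endpoint. The set is stored as-is, not copied.
	 *
	 * @param claimNames The claim names, {@code null} if not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withClaimNames(final Set<String> claimNames) {
		this.claimNames = claimNames;
		return this;
	}


	@Override
	public Set<String> getClaimNames() {
		return claimNames;
	}


	/**
	 * Sets the preferred locales for the consented OpenID claims. The
	 * list is stored as-is, not copied.
	 *
	 * @param claimsLocales The preferred claims locales, {@code null} if
	 *                      not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withClaimsLocales(final List<LangTag> claimsLocales) {
		this.claimsLocales = claimsLocales;
		return this;
	}


	@Override
	public List<LangTag> getClaimsLocales() {
		return claimsLocales;
	}


	/**
	 * Sets the preset OpenID claims to be included in the UserInfo
	 * response. The JSON object is stored as-is, not copied.
	 *
	 * @param presetClaims The preset OpenID claims, {@code null} if not
	 *                     specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withPresetClaims(final JSONObject presetClaims) {
		this.presetClaims = presetClaims;
		return this;
	}


	@Override
	public JSONObject getPresetClaims() {
		return presetClaims;
	}


	/**
	 * Sets the optional data for the token. The JSON object is stored
	 * as-is, not copied.
	 *
	 * @param data The optional data, represented as a JSON object,
	 *             {@code null} if not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withData(final JSONObject data) {
		this.data = data;
		return this;
	}


	@Override
	public JSONObject getData() {
		return data;
	}


	/**
	 * Sets the client X.509 certificate confirmation (SHA-256 thumbprint)
	 * for mutual TLS.
	 *
	 * @param cnfX5t The client X.509 certificate confirmation,
	 *               {@code null} if not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withClientCertificateConfirmation(final X509CertificateConfirmation cnfX5t) {
		this.cnfX5t = cnfX5t;
		return this;
	}


	@Override
	public X509CertificateConfirmation getClientCertificateConfirmation() {
		return cnfX5t;
	}


	/**
	 * Returns a string representation of this authorisation for
	 * debugging. Note that the preset claims and the data JSON objects
	 * are rendered in full, so the output may contain end-user claim
	 * values or other sensitive content; take care where it is logged.
	 *
	 * @return The string representation.
	 */
	@Override
	public String toString() {
		return new ToStringBuilder(this)
			.append("sub", sub)
			.append("act", act)
			.append("client_id", clientID)
			.append("scope", scope)
			.append("exp", exp)
			.append("iat", iat)
			.append("iss", iss)
			.append("aud", audList)
			.append("jti", jti)
			.append("claim_names", claimNames)
			.append("claims_locales", claimsLocales)
			.append("preset_claims", presetClaims)
			.append("data", data)
			.append("cnf", cnfX5t)
			.toString();
	}
}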