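package com.nimbusds.openid.connect.provider.spi.tokens;


import java.time.Instant;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;

import com.nimbusds.langtag.LangTag;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.auth.X509CertificateConfirmation;
import com.nimbusds.oauth2.sdk.id.*;
import net.minidev.json.JSONObject;
import org.apache.commons.lang3.builder.ToStringBuilder;


/**
 * Mutable access token authorisation.
 *
 * <p>Every field is optional and starts out as {@code null}. The
 * {@code withXXX} setters store the passed reference as-is and the getters
 * hand it back as-is: no defensive copies of the lists, sets, maps or JSON
 * objects are made, so a caller that mutates a collection after passing it
 * in also mutates this authorisation.
 *
 * <p>Not thread-safe: the fields are plain, unsynchronised members.
 */
public final class MutableAccessTokenAuthorization implements AccessTokenAuthorization {


	// Token subject ("sub").
	private Subject sub;


	// Actor ("act"), for impersonation / delegation.
	private Actor act;


	// Client the token is issued to ("client_id").
	private ClientID clientID;


	// Token scope.
	private Scope scope;


	// Expiration time ("exp").
	private Instant exp;


	// Issue time ("iat").
	private Instant iat;


	// Issuer ("iss").
	private Issuer iss;


	// Audience list ("aud").
	private List<Audience> audList;


	// JWT identifier ("jti").
	private JWTID jti;


	// Names of the consented OpenID claims.
	private Set<String> claimNames;


	// Preferred locales for the consented claims.
	private List<LangTag> claimsLocales;


	// Preset OpenID claims for the UserInfo response.
	private JSONObject presetClaims;


	// Free-form data attached to the token.
	private JSONObject data;


	// Client X.509 certificate confirmation ("cnf" / x5t#S256).
	private X509CertificateConfirmation cnfX5t;


	// Any other top-level parameters.
	private Map<String, Object> otherTopLevelParams;


	/**
	 * Creates a new empty mutable access token authorisation. All fields
	 * are {@code null}.
	 */
	public MutableAccessTokenAuthorization() {
	}


	/**
	 * Creates a new mutable access token authorisation from the specified
	 * one. This is a shallow copy: the collections and JSON objects held
	 * by the source are shared with the new instance, not cloned.
	 *
	 * @param source The source access token authorisation. Must not be
	 *               {@code null}.
	 *
	 * @throws NullPointerException If {@code source} is {@code null}.
	 */
	public MutableAccessTokenAuthorization(final AccessTokenAuthorization source) {
		// Fail fast with a named message rather than an anonymous NPE
		// from the first getter call below; the documented precondition
		// is now enforced explicitly.
		Objects.requireNonNull(source, "source");
		sub = source.getSubject();
		act = source.getActor();
		clientID = source.getClientID();
		scope = source.getScope();
		exp = source.getExpirationTime();
		iat = source.getIssueTime();
		iss = source.getIssuer();
		audList = source.getAudienceList();
		jti = source.getJWTID();
		claimNames = source.getClaimNames();
		claimsLocales = source.getClaimsLocales();
		presetClaims = source.getPresetClaims();
		data = source.getData();
		cnfX5t = source.getClientCertificateConfirmation();
		otherTopLevelParams = source.getOtherTopLevelParameters();
	}


	/**
	 * Sets the token subject.
	 *
	 * @param sub The subject, {@code null} if not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withSubject(final Subject sub) {
		this.sub = sub;
		return this;
	}


	@Override
	public Subject getSubject() {
		return sub;
	}


	/**
	 * Sets the token actor, in impersonation and delegation scenarios.
	 *
	 * @param act The actor, {@code null} if not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withActor(final Actor act) {
		this.act = act;
		return this;
	}


	@Override
	public Actor getActor() {
		return act;
	}


	/**
	 * Sets the identifier of the client to which the token is issued.
	 *
	 * @param clientID The client identifier, {@code null} if not
	 *                 specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withClientID(final ClientID clientID) {
		this.clientID = clientID;
		return this;
	}


	@Override
	public ClientID getClientID() {
		return clientID;
	}


	/**
	 * Sets the scope of the token.
	 *
	 * @param scope The scope, {@code null} if not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withScope(final Scope scope) {
		this.scope = scope;
		return this;
	}


	@Override
	public Scope getScope() {
		return scope;
	}


	/**
	 * Sets the expiration time of the token. No ordering check against
	 * the issue time is performed here; the setters may be called in any
	 * order.
	 *
	 * @param exp The expiration time, {@code null} if not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withExpirationTime(final Instant exp) {
		this.exp = exp;
		return this;
	}


	@Override
	public Instant getExpirationTime() {
		return exp;
	}


	/**
	 * Sets the issue time of the token.
	 *
	 * @param iat The issue time, {@code null} if not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withIssueTime(final Instant iat) {
		this.iat = iat;
		return this;
	}


	@Override
	public Instant getIssueTime() {
		return iat;
	}


	/**
	 * Sets the issuer of the token.
	 *
	 * @param iss The issuer, {@code null} if not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withIssuer(final Issuer iss) {
		this.iss = iss;
		return this;
	}


	@Override
	public Issuer getIssuer() {
		return iss;
	}


	/**
	 * Sets the audience list of the token, which may be the logical
	 * names of the intended resource servers. The list is stored as
	 * passed, without copying.
	 *
	 * @param audList The audience list, {@code null} if not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withAudienceList(final List<Audience> audList) {
		this.audList = audList;
		return this;
	}


	@Override
	public List<Audience> getAudienceList() {
		return audList;
	}


	/**
	 * Sets the JSON Web Token (JWT) identifier of the token.
	 *
	 * @param jti The JWT ID, {@code null} if not specified or applicable.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withJWTID(final JWTID jti) {
		this.jti = jti;
		return this;
	}


	@Override
	public JWTID getJWTID() {
		return jti;
	}


	/**
	 * Sets the names of the consented OpenID claims to be accessed at
	 * the UserInfo endpoint. The set is stored as passed, without
	 * copying.
	 *
	 * @param claimNames The claim names, {@code null} if not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withClaimNames(final Set<String> claimNames) {
		this.claimNames = claimNames;
		return this;
	}


	@Override
	public Set<String> getClaimNames() {
		return claimNames;
	}


	/**
	 * Sets the preferred locales for the consented OpenID claims.
	 *
	 * @param claimsLocales The preferred claims locales, {@code null} if
	 *                      not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withClaimsLocales(final List<LangTag> claimsLocales) {
		this.claimsLocales = claimsLocales;
		return this;
	}


	@Override
	public List<LangTag> getClaimsLocales() {
		return claimsLocales;
	}


	/**
	 * Sets the preset OpenID claims to be included in the UserInfo
	 * response. The JSON object is stored as passed, without copying.
	 *
	 * @param presetClaims The preset OpenID claims, {@code null} if not
	 *                     specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withPresetClaims(final JSONObject presetClaims) {
		this.presetClaims = presetClaims;
		return this;
	}


	@Override
	public JSONObject getPresetClaims() {
		return presetClaims;
	}


	/**
	 * Sets the optional data for the token. The JSON object is stored as
	 * passed, without copying.
	 *
	 * @param data The optional data, represented as a JSON object,
	 *             {@code null} if not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withData(final JSONObject data) {
		this.data = data;
		return this;
	}


	@Override
	public JSONObject getData() {
		return data;
	}


	/**
	 * Sets the client X.509 certificate confirmation (SHA-256 thumbprint)
	 * for mutual TLS.
	 *
	 * @param cnfX5t The client X.509 certificate confirmation,
	 *               {@code null} if not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withClientCertificateConfirmation(final X509CertificateConfirmation cnfX5t) {
		this.cnfX5t = cnfX5t;
		return this;
	}


	@Override
	public X509CertificateConfirmation getClientCertificateConfirmation() {
		return cnfX5t;
	}


	/**
	 * Sets the other top-level parameters. The map is stored as passed,
	 * without copying.
	 *
	 * @param params Other top-level parameters, the values should map to
	 *               JSON entities, {@code null} if none.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withOtherTopLevelParameters(final Map<String, Object> params) {
		otherTopLevelParams = params;
		return this;
	}


	@Override
	public Map<String, Object> getOtherTopLevelParameters() {
		return otherTopLevelParams;
	}


	/**
	 * Returns a string representation of this authorisation, rendering
	 * every field verbatim, including the preset claims, data and other
	 * top-level parameters.
	 *
	 * <p>NOTE(review): the preset claims and data objects are rendered in
	 * full and, depending on the deployment, presumably may carry end-user
	 * claim values; consider that before emitting this string into logs.
	 */
	@Override
	public String toString() {
		return new ToStringBuilder(this)
			.append("sub", sub)
			.append("act", act)
			.append("client_id", clientID)
			.append("scope", scope)
			.append("exp", exp)
			.append("iat", iat)
			.append("iss", iss)
			.append("aud", audList)
			.append("jti", jti)
			.append("claim_names", claimNames)
			.append("claims_locales", claimsLocales)
			.append("preset_claims", presetClaims)
			.append("data", data)
			.append("cnf", cnfX5t)
			.append("other", otherTopLevelParams)
			.toString();
	}
}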