@ThreadSafe public interface ThirdPartySAML2GrantHandler extends SAML2GrantHandler
authorisation on success. Must throw a GeneralException with an invalid_grant error code if the SAML 2.0 assertion is invalid.
The passed SAML 2.0 assertion is signed or MAC protected, and must be validated by the handler.
The handler should not specify access token lifetimes that exceed the validity period of the SAML 2.0 assertion by a significant period. The issue of refresh tokens is not permitted. Clients can refresh an expired access token by requesting a new one using the same assertion, if it is still valid, or with a new assertion.
Implementations must be thread-safe.
Related specifications:
Inherited field: GRANT_TYPE
| Modifier and Type | Method and Description |
|---|---|
| ThirdPartyAssertionAuthorization | processThirdPartyGrant(org.opensaml.saml.saml2.core.Assertion assertion, com.nimbusds.oauth2.sdk.Scope scope, com.nimbusds.oauth2.sdk.id.ClientID clientID, boolean confidentialClient, com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata clientMetadata) Handles a SAML 2.0 assertion grant issued by a third-party security token service. |
Inherited method: getGrantType
ThirdPartyAssertionAuthorization processThirdPartyGrant(org.opensaml.saml.saml2.core.Assertion assertion, com.nimbusds.oauth2.sdk.Scope scope, com.nimbusds.oauth2.sdk.id.ClientID clientID, boolean confidentialClient, com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata clientMetadata) throws com.nimbusds.oauth2.sdk.GeneralException
The following client authentication / identification cases may be handled:

- The client has been authenticated (confidential client): the confidentialClient flag will be true. The client_id and metadata arguments will be set.
- The client is identified only by its client_id using the optional token request parameter: the confidentialClient flag will be false and the client metadata will be set.
- No client_id is passed with the token request: the client information arguments will be null and the confidentialClient flag will be false. The grant handler must resolve the client_id for the authorisation result from details of the SAML 2.0 assertion. If such a use case is not supported or permitted the grant handler should throw a GeneralException with an invalid_request error.
If the SAML 2.0 assertion is invalid the handler must throw a GeneralException with an invalid_grant error code.

If the requested scope is invalid, unknown, malformed, or exceeds the scope granted by the resource owner the handler must throw a GeneralException with an invalid_scope error code.
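As an added example (not code from the Connect2id SDK or from this page), the class below carries out the checks the contract above asks for and the access token lifetime rule from the interface description: assertion defects become invalid_grant, a missing client_id that is not resolved from the assertion becomes invalid_request, a scope beyond what the resource owner granted becomes invalid_scope, and the token lifetime never outlives the assertion. A handler's processThirdPartyGrant would call check(...) and then build the SDK's ThirdPartyAssertionAuthorization from the returned values; that constructor is not shown on this page and is left out. Assumptions: OpenSAML 4 (Conditions return java.time.Instant), Java 17 (records), and the hypothetical AssertionSignatureCheck hook standing in for real XML signature or MAC verification. GeneralException(String, ErrorObject) and the OAuth2Error constants are the Nimbus OAuth 2.0 SDK's own.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Set;

import com.nimbusds.oauth2.sdk.GeneralException;
import com.nimbusds.oauth2.sdk.OAuth2Error;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.id.ClientID;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Conditions;

/**
 * Added example, not Connect2id SDK code: the validation a ThirdPartySAML2GrantHandler
 * performs before building its authorisation result. Assumes OpenSAML 4 and Java 17.
 */
public final class AssertionGrantChecks {

    /** Constructed result holder; a real handler maps these onto the SDK's authorisation object. */
    public record GrantDecision(String subject, ClientID clientID, Scope scope, Duration accessTokenLifetime) {
    }

    /** Hypothetical hook: true if the assertion's XML signature or MAC verified against a trusted STS key. */
    @FunctionalInterface
    public interface AssertionSignatureCheck {
        boolean verify(Assertion assertion);
    }

    // Constructed policy values, not taken from the SDK.
    private static final Duration DEFAULT_ACCESS_TOKEN_LIFETIME = Duration.ofMinutes(10);
    private static final Duration MAX_CLOCK_SKEW = Duration.ofSeconds(60);

    private final Clock clock;
    private final AssertionSignatureCheck signatureCheck;
    private final Set<String> trustedIssuers; // entity IDs of the security token services we accept

    public AssertionGrantChecks(Clock clock, AssertionSignatureCheck signatureCheck, Set<String> trustedIssuers) {
        this.clock = clock;
        this.signatureCheck = signatureCheck;
        this.trustedIssuers = Set.copyOf(trustedIssuers);
    }

    /**
     * @param grantedScope the scope the resource owner granted to this subject and client
     *                     (constructed input; a real handler looks it up in its own store).
     */
    public GrantDecision check(Assertion assertion, Scope requestedScope, ClientID clientID,
                               Scope grantedScope) throws GeneralException {

        // Issuer must be a known STS and the signature / MAC must verify, otherwise the assertion is invalid.
        if (assertion.getIssuer() == null || !trustedIssuers.contains(assertion.getIssuer().getValue())) {
            throw new GeneralException("Assertion issuer is not a trusted STS", OAuth2Error.INVALID_GRANT);
        }
        if (!signatureCheck.verify(assertion)) {
            throw new GeneralException("Assertion signature / MAC did not verify", OAuth2Error.INVALID_GRANT);
        }

        // Validity window: an assertion without an expiry is rejected; both bounds allow a bounded clock skew.
        Conditions conditions = assertion.getConditions();
        Instant now = clock.instant();
        if (conditions == null || conditions.getNotOnOrAfter() == null) {
            throw new GeneralException("Assertion has no NotOnOrAfter condition", OAuth2Error.INVALID_GRANT);
        }
        if (conditions.getNotBefore() != null && now.plus(MAX_CLOCK_SKEW).isBefore(conditions.getNotBefore())) {
            throw new GeneralException("Assertion is not yet valid", OAuth2Error.INVALID_GRANT);
        }
        if (!now.minus(MAX_CLOCK_SKEW).isBefore(conditions.getNotOnOrAfter())) {
            throw new GeneralException("Assertion has expired", OAuth2Error.INVALID_GRANT);
        }

        // The access token subject comes from the assertion's NameID.
        if (assertion.getSubject() == null || assertion.getSubject().getNameID() == null) {
            throw new GeneralException("Assertion has no subject NameID", OAuth2Error.INVALID_GRANT);
        }
        String subject = assertion.getSubject().getNameID().getValue();

        // Third case of the contract: no client_id on the token request. This example does not
        // resolve the client from the assertion, so it rejects the request as the contract permits.
        if (clientID == null) {
            throw new GeneralException("client_id is required for this grant", OAuth2Error.INVALID_REQUEST);
        }

        // Scope: default to what was granted and never exceed it (Scope is a Set of Scope.Value).
        Scope scope = requestedScope == null ? grantedScope : requestedScope;
        if (!grantedScope.containsAll(scope)) {
            throw new GeneralException("Requested scope exceeds the granted scope", OAuth2Error.INVALID_SCOPE);
        }

        // Lifetime is capped at the assertion's remaining validity. No refresh token is issued: the client
        // re-presents a still-valid assertion, or a new one, to obtain another access token.
        Duration remaining = Duration.between(now, conditions.getNotOnOrAfter());
        Duration lifetime = DEFAULT_ACCESS_TOKEN_LIFETIME.compareTo(remaining) < 0
                ? DEFAULT_ACCESS_TOKEN_LIFETIME : remaining;

        return new GrantDecision(subject, clientID, scope, lifetime);
    }
}
```

The order of the checks matters: signature and issuer are verified before any field of the assertion is trusted, and the client and scope decisions are taken only on an assertion already known to be authentic and within its validity window. Capping the lifetime at NotOnOrAfter rather than at the default keeps a token from remaining usable after the assertion that justified it has lapsed.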
Parameters:

- assertion - The SAML 2.0 assertion, to be validated by the handler. Not null.
- scope - The requested scope, null if not specified.
- clientID - The client identifier, null if not specified or if no client authentication was provided.
- confidentialClient - true if the client is confidential and has been authenticated, else false.
- clientMetadata - The OAuth 2.0 / OpenID Connect client metadata, null if no client_id or client authentication was provided.

Throws:

- com.nimbusds.oauth2.sdk.GeneralException - If the grant is invalid, or another exception was encountered.

Copyright © 2020 Connect2id Ltd. All rights reserved.