package com.nimbusds.openid.connect.provider.spi.grants;


import net.jcip.annotations.Immutable;

import net.minidev.json.JSONObject;

import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Subject;
import com.nimbusds.oauth2.sdk.util.JSONObjectUtils;


/**
 * Authorisation produced by a {@link GrantHandler grant handler} for
 * self-issued assertion grants (SAML 2.0 bearer or JWT bearer).
 *
 * <p>Required authorisation details:
 *
 * <ul>
 *     <li>The subject: the end-user, or the client itself when it acts on
 *         its own behalf.
 *     <li>The authorised scope.
 * </ul>
 *
 * <p>All other parameters are optional or have suitable defaults.
 *
 * <p>The constructors taking a {@link ClientID} (client acting on its own
 * behalf, RFC 7521, section 6.2) always set the ID token and claims
 * specifications to {@code NONE}, so no ID token or claims are released
 * for a subject that is not an end-user. The {@code parse} methods do not
 * impose that restriction: they reproduce whatever specifications the
 * JSON object carries, and cannot tell a client subject from an end-user
 * subject.
 */
@Immutable
public class SelfIssuedAssertionAuthorization extends SubjectAuthorization {


	/**
	 * Maps a client identifier to a subject with the same string value,
	 * for authorisations where the client acts on its own behalf.
	 *
	 * @param clientID The client identifier. Must not be {@code null}.
	 *
	 * @return The subject carrying the client identifier value.
	 */
	private static Subject asSubject(final ClientID clientID) {

		return new Subject(clientID.getValue());
	}


	/**
	 * Creates a new authorisation for a self-issued assertion grant where
	 * the client acts on behalf of a user. The access token specification
	 * defaults to {@link AccessTokenSpec#DEFAULT}; no ID token, claims or
	 * additional data are set.
	 *
	 * <p>See RFC 7521, section 6.3.
	 *
	 * @param subject The subject (end-user). Must not be {@code null}.
	 * @param scope   The authorised scope values. Must not be
	 *                {@code null}.
	 */
	public SelfIssuedAssertionAuthorization(final Subject subject,
						final Scope scope) {

		this(subject, scope, AccessTokenSpec.DEFAULT, IDTokenSpec.NONE, ClaimsSpec.NONE, null);
	}


	/**
	 * Creates a new authorisation for a self-issued assertion grant where
	 * the client acts on behalf of a user, with explicit token, ID token
	 * and claims specifications.
	 *
	 * <p>See RFC 7521, section 6.3.
	 *
	 * @param subject         The subject (end-user). Must not be
	 *                        {@code null}.
	 * @param scope           The authorised scope values. Must not be
	 *                        {@code null}.
	 * @param accessTokenSpec The access token specification. Must not be
	 *                        {@code null}.
	 * @param idTokenSpec     The ID token specification. Must not be
	 *                        {@code null}.
	 * @param claimsSpec      The claims specification. Must not be
	 *                        {@code null}.
	 * @param data            Additional data as a JSON object,
	 *                        {@code null} if not specified.
	 */
	public SelfIssuedAssertionAuthorization(final Subject subject,
						final Scope scope,
						final AccessTokenSpec accessTokenSpec,
						final IDTokenSpec idTokenSpec,
						final ClaimsSpec claimsSpec,
						final JSONObject data) {

		super(subject, scope, accessTokenSpec, idTokenSpec, claimsSpec, data);
	}


	/**
	 * Creates a new authorisation for a self-issued assertion grant where
	 * the client acts on its own behalf. The access token specification
	 * defaults to {@link AccessTokenSpec#DEFAULT}; the ID token and claims
	 * specifications are fixed to {@code NONE}.
	 *
	 * <p>See RFC 7521, section 6.2.
	 *
	 * @param subject The client identifier. Must not be {@code null}.
	 * @param scope   The authorised scope values. Must not be
	 *                {@code null}.
	 */
	public SelfIssuedAssertionAuthorization(final ClientID subject,
						final Scope scope) {

		// Same chain as the four-argument client constructor with defaults
		this(subject, scope, AccessTokenSpec.DEFAULT, null);
	}


	/**
	 * Creates a new authorisation for a self-issued assertion grant where
	 * the client acts on its own behalf. The ID token and claims
	 * specifications are fixed to {@code NONE}, since there is no
	 * end-user to issue them for.
	 *
	 * <p>See RFC 7521, section 6.2.
	 *
	 * @param subject         The client identifier. Must not be
	 *                        {@code null}.
	 * @param scope           The authorised scope values. Must not be
	 *                        {@code null}.
	 * @param accessTokenSpec The access token specification. Must not be
	 *                        {@code null}.
	 * @param data            Additional data as a JSON object,
	 *                        {@code null} if not specified.
	 */
	public SelfIssuedAssertionAuthorization(final ClientID subject,
						final Scope scope,
						final AccessTokenSpec accessTokenSpec,
						final JSONObject data) {

		super(asSubject(subject), scope, accessTokenSpec, IDTokenSpec.NONE, ClaimsSpec.NONE, data);
	}


	/**
	 * Parses a self-issued assertion grant authorisation from the
	 * specified JSON object. Parsing is delegated to
	 * {@link SubjectAuthorization#parse(JSONObject)}; the resulting
	 * subject, scope, token / ID token / claims specifications and data
	 * are copied as-is, so an ID token specification present in the JSON
	 * is retained even for a client subject.
	 *
	 * @param jsonObject The JSON object to parse. Must not be
	 *                   {@code null}.
	 *
	 * @return The authorisation.
	 *
	 * @throws ParseException If parsing failed.
	 */
	public static SelfIssuedAssertionAuthorization parse(final JSONObject jsonObject)
		throws ParseException {

		final SubjectAuthorization parsed = SubjectAuthorization.parse(jsonObject);

		return new SelfIssuedAssertionAuthorization(
			parsed.getSubject(),
			parsed.getScope(),
			parsed.getAccessTokenSpec(),
			parsed.getIDTokenSpec(),
			parsed.getClaimsSpec(),
			parsed.getData());
	}


	/**
	 * Parses a self-issued assertion grant authorisation from the
	 * specified JSON object string.
	 *
	 * @param json The JSON object string to parse. Must not be
	 *             {@code null}.
	 *
	 * @return The authorisation.
	 *
	 * @throws ParseException If parsing failed.
	 */
	public static SelfIssuedAssertionAuthorization parse(final String json)
		throws ParseException {

		final JSONObject jsonObject = JSONObjectUtils.parse(json);

		return parse(jsonObject);
	}
}