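package com.nimbusds.openid.connect.provider.spi.tokens;


import java.time.Instant;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.StringJoiner;

import net.minidev.json.JSONObject;

import com.nimbusds.langtag.LangTag;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.auth.X509CertificateConfirmation;
import com.nimbusds.oauth2.sdk.dpop.JWKThumbprintConfirmation;
import com.nimbusds.oauth2.sdk.id.*;
import com.nimbusds.openid.connect.sdk.SubjectType;


/**
 * Mutable access token authorisation. A builder-style holder for the
 * parameters that describe an issued access token: subject, actor, client,
 * scope, issue and expiration times, issuer, audience, subject type, JWT ID,
 * consented claims, the proof-of-possession confirmations (mTLS
 * {@code x5t#S256} and DPoP {@code jkt}) and any other top-level parameters.
 *
 * <p>Collections and JSON objects handed to the {@code with*} setters, or
 * taken over from a source authorisation by the copy constructor, are stored
 * by reference and returned as-is by the getters; no defensive copies are
 * made. Mutating such an object after passing it in, or after obtaining it
 * from a getter, therefore changes the state of this authorisation (and, for
 * the copy constructor, of the source it was copied from). Callers that need
 * isolation must copy before / after.
 *
 * <p>Every field may be {@code null} ("not specified"); no validation of the
 * values is performed here. Not thread-safe: plain unsynchronised fields.
 */
public final class MutableAccessTokenAuthorization implements AccessTokenAuthorization {


	private Subject sub;


	private Actor act;


	private ClientID clientID;


	private Scope scope;


	private Instant exp;


	private Instant iat;


	private Issuer iss;


	private List<Audience> audList;


	private SubjectType subjectType;


	private Subject localSubject;


	private JWTID jti;


	private Set<String> claimNames;


	private List<LangTag> claimsLocales;


	private JSONObject presetClaims;


	private JSONObject claimsData;


	private JSONObject data;


	private X509CertificateConfirmation cnfX5t;


	private JWKThumbprintConfirmation cnfJkt;


	private Map<String, Object> otherTopLevelParams;


	/**
	 * Creates a new empty mutable access token authorisation. All fields
	 * start out {@code null}.
	 */
	public MutableAccessTokenAuthorization() {
	}


	/**
	 * Creates a new mutable access token authorisation from the specified
	 * one. Scalar values are copied; collections and JSON objects are
	 * shared by reference with the source (see the class documentation).
	 *
	 * @param source The source access token authorisation. Must not be
	 *               {@code null}.
	 *
	 * @throws NullPointerException If {@code source} is {@code null}.
	 */
	public MutableAccessTokenAuthorization(final AccessTokenAuthorization source) {
		// Fail fast with a clear message instead of an NPE from the first
		// getter call below; the precondition is documented above.
		Objects.requireNonNull(source, "source");
		sub = source.getSubject();
		act = source.getActor();
		clientID = source.getClientID();
		scope = source.getScope();
		exp = source.getExpirationTime();
		iat = source.getIssueTime();
		iss = source.getIssuer();
		audList = source.getAudienceList();
		subjectType = source.getSubjectType();
		localSubject = source.getLocalSubject();
		jti = source.getJWTID();
		claimNames = source.getClaimNames();
		claimsLocales = source.getClaimsLocales();
		presetClaims = source.getPresetClaims();
		claimsData = source.getClaimsData();
		data = source.getData();
		cnfX5t = source.getClientCertificateConfirmation();
		cnfJkt = source.getJWKThumbprintConfirmation();
		otherTopLevelParams = source.getOtherTopLevelParameters();
	}


	/**
	 * Sets the access token subject.
	 *
	 * @param sub The subject, {@code null} if not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withSubject(final Subject sub) {
		this.sub = sub;
		return this;
	}


	@Override
	public Subject getSubject() {
		return sub;
	}


	/**
	 * Sets the access token actor, in impersonation and delegation
	 * scenarios.
	 *
	 * @param act The actor, {@code null} if not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withActor(final Actor act) {
		this.act = act;
		return this;
	}


	@Override
	public Actor getActor() {
		return act;
	}


	/**
	 * Sets the identifier of the client to which the access token is
	 * issued.
	 *
	 * @param clientID The client identifier, {@code null} if not
	 *                 specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withClientID(final ClientID clientID) {
		this.clientID = clientID;
		return this;
	}


	@Override
	public ClientID getClientID() {
		return clientID;
	}


	/**
	 * Sets the scope of the access token.
	 *
	 * @param scope The scope, {@code null} if not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withScope(final Scope scope) {
		this.scope = scope;
		return this;
	}


	@Override
	public Scope getScope() {
		return scope;
	}


	/**
	 * Sets the expiration time of the access token. No check is made
	 * that it lies after the issue time.
	 *
	 * @param exp The expiration time, {@code null} if not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withExpirationTime(final Instant exp) {
		this.exp = exp;
		return this;
	}


	@Override
	public Instant getExpirationTime() {
		return exp;
	}


	/**
	 * Sets the issue time of the access token.
	 *
	 * @param iat The issue time, {@code null} if not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withIssueTime(final Instant iat) {
		this.iat = iat;
		return this;
	}


	@Override
	public Instant getIssueTime() {
		return iat;
	}


	/**
	 * Sets the issuer of the access token.
	 *
	 * @param iss The issuer, {@code null} if not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withIssuer(final Issuer iss) {
		this.iss = iss;
		return this;
	}


	@Override
	public Issuer getIssuer() {
		return iss;
	}


	/**
	 * Sets the audience list of the access token, which may be the logical
	 * names of the intended resource servers. The list is stored by
	 * reference.
	 *
	 * @param audList The audience list, {@code null} if not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withAudienceList(final List<Audience> audList) {
		this.audList = audList;
		return this;
	}


	@Override
	public List<Audience> getAudienceList() {
		return audList;
	}


	/**
	 * Sets the access token subject type.
	 *
	 * @param subjectType The subject type, {@code null} if not specified
	 *                    (may imply {@link SubjectType#PUBLIC public}).
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withSubjectType(final SubjectType subjectType) {
		this.subjectType = subjectType;
		return this;
	}


	@Override
	public SubjectType getSubjectType() {
		return subjectType;
	}


	/**
	 * Sets the access token local (system) subject. Note that
	 * {@link #getLocalSubject()} ignores this value when the subject type
	 * is {@link SubjectType#PUBLIC public}.
	 *
	 * @param localSubject The local (system) subject, {@code null} if not
	 *                     specified or for a pairwise
	 *                     {@link #getSubjectType() subject type} that
	 *                     couldn't be reversed.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withLocalSubject(final Subject localSubject) {
		this.localSubject = localSubject;
		return this;
	}


	/**
	 * Returns the local (system) subject. For a
	 * {@link SubjectType#PUBLIC public} subject type this is the
	 * {@link #getSubject() subject} itself; for any other subject type
	 * (including {@code null}) the value set via
	 * {@link #withLocalSubject} is returned, which may be {@code null}.
	 *
	 * @return The local subject, {@code null} if not available.
	 */
	@Override
	public Subject getLocalSubject() {
		if (SubjectType.PUBLIC == getSubjectType()) {
			return getSubject();
		} else {
			return localSubject;
		}
	}


	/**
	 * Sets the JSON Web Token (JWT) identifier of the access token.
	 *
	 * @param jti The JWT ID, {@code null} if not specified or applicable.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withJWTID(final JWTID jti) {
		this.jti = jti;
		return this;
	}


	@Override
	public JWTID getJWTID() {
		return jti;
	}


	/**
	 * Sets the names of the consented OpenID claims to be accessed at
	 * the UserInfo endpoint. The set is stored by reference.
	 *
	 * @param claimNames The claim names, {@code null} if not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withClaimNames(final Set<String> claimNames) {
		this.claimNames = claimNames;
		return this;
	}


	@Override
	public Set<String> getClaimNames() {
		return claimNames;
	}


	/**
	 * Sets the preferred locales for the consented OpenID claims. The
	 * list is stored by reference.
	 *
	 * @param claimsLocales The preferred claims locales, {@code null} if
	 *                      not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withClaimsLocales(final List<LangTag> claimsLocales) {
		this.claimsLocales = claimsLocales;
		return this;
	}


	@Override
	public List<LangTag> getClaimsLocales() {
		return claimsLocales;
	}


	/**
	 * Sets the preset OpenID claims to be included in the UserInfo
	 * response. The JSON object is stored by reference.
	 *
	 * @param presetClaims The preset OpenID claims, {@code null} if not
	 *                     specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withPresetClaims(final JSONObject presetClaims) {
		this.presetClaims = presetClaims;
		return this;
	}


	@Override
	public JSONObject getPresetClaims() {
		return presetClaims;
	}


	/**
	 * Sets the claims fulfillment data for the claims source at the
	 * UserInfo endpoint. The JSON object is stored by reference.
	 *
	 * @param claimsData The claims fulfillment data, {@code null} if not
	 *                   specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withClaimsData(final JSONObject claimsData) {
		this.claimsData = claimsData;
		return this;
	}


	@Override
	public JSONObject getClaimsData() {
		return claimsData;
	}


	/**
	 * Sets the optional data for the access token. The JSON object is
	 * stored by reference.
	 *
	 * @param data The optional data, represented as a JSON object,
	 *             {@code null} if not specified.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withData(final JSONObject data) {
		this.data = data;
		return this;
	}


	@Override
	public JSONObject getData() {
		return data;
	}


	/**
	 * Sets the client X.509 certificate confirmation (SHA-256 thumbprint)
	 * for mutual TLS, binding the token to the client certificate.
	 *
	 * @param cnfX5t The client X.509 certificate confirmation,
	 *               {@code null} if none.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withClientCertificateConfirmation(final X509CertificateConfirmation cnfX5t) {
		this.cnfX5t = cnfX5t;
		return this;
	}


	@Override
	public X509CertificateConfirmation getClientCertificateConfirmation() {
		return cnfX5t;
	}


	/**
	 * Sets the JWK SHA-256 thumbprint confirmation for DPoP, binding the
	 * token to the client's DPoP key.
	 *
	 * @param cnfJkt The JWK thumbprint confirmation, {@code null} if none.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withJWKThumbprintConfirmation(final JWKThumbprintConfirmation cnfJkt) {
		this.cnfJkt = cnfJkt;
		return this;
	}


	@Override
	public JWKThumbprintConfirmation getJWKThumbprintConfirmation() {
		return cnfJkt;
	}


	/**
	 * Sets the other top-level parameters. The map is stored by
	 * reference; no check is made that its keys don't collide with the
	 * standard parameters held in the dedicated fields.
	 *
	 * @param params Other top-level parameters, the values should map to
	 *               JSON entities, {@code null} if none.
	 *
	 * @return This object.
	 */
	public MutableAccessTokenAuthorization withOtherTopLevelParameters(final Map<String, Object> params) {
		this.otherTopLevelParams = params;
		return this;
	}


	@Override
	public Map<String, Object> getOtherTopLevelParameters() {
		return otherTopLevelParams;
	}


	/**
	 * Returns a debug representation of every field, including the full
	 * preset claims, claims data and optional data payloads. Those may
	 * carry end-user claim values, so treat the output as sensitive and
	 * avoid emitting it in regular (non-debug) logs.
	 *
	 * @return The string representation.
	 */
	@Override
	public String toString() {
		return new StringJoiner(", ", MutableAccessTokenAuthorization.class.getSimpleName() + "[", "]")
			.add("sub=" + sub)
			.add("act=" + act)
			.add("clientID=" + clientID)
			.add("scope=" + scope)
			.add("exp=" + exp)
			.add("iat=" + iat)
			.add("iss=" + iss)
			.add("audList=" + audList)
			.add("subType=" + subjectType)
			.add("localSub=" + localSubject)
			.add("jti=" + jti)
			.add("claimNames=" + claimNames)
			.add("claimsLocales=" + claimsLocales)
			.add("presetClaims=" + presetClaims)
			.add("claimsData=" + claimsData)
			.add("data=" + data)
			.add("cnfX5t=" + cnfX5t)
			.add("cnfJkt=" + cnfJkt)
			.add("otherTopLevelParams=" + otherTopLevelParams)
			.toString();
	}
}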