package com.nimbusds.openid.connect.provider.spi.grants;


import com.nimbusds.oauth2.sdk.GeneralException;
import com.nimbusds.oauth2.sdk.GrantType;
import com.nimbusds.oauth2.sdk.ResourceOwnerPasswordCredentialsGrant;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.id.ClientID;

import com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata;


/**
 * Service Provider Interface (SPI) for handling OAuth 2.0 resource owner
 * password credentials grants. Returns the matching
 * {@link PasswordGrantAuthorization authorisation} on success. Must throw a
 * {@link GeneralException} with an
 * {@link com.nimbusds.oauth2.sdk.OAuth2Error#INVALID_GRANT invalid_grant}
 * error code if the user credentials are invalid.
 *
 * <p>Implementations must be thread-safe.
 *
 * <p>Security considerations for implementations:
 *
 * <ul>
 *     <li>The password grant hands the resource owner's credentials to the
 *         client and exposes the token endpoint to direct credential
 *         guessing. The OAuth 2.0 Security Best Current Practice (RFC 9700)
 *         recommends against using this grant; prefer an authorisation code
 *         based flow where a front channel is available and enable this
 *         handler only for clients that genuinely need it.
 *     <li>Throw the same {@code invalid_grant} error, with the same message,
 *         whether the user name is unknown or the password is wrong, so that
 *         the error response cannot be used to enumerate accounts.
 *     <li>Never log or echo the supplied password. The handler is invoked on
 *         every attempt, so apply the deployment's throttling / lockout
 *         policy to repeated failures for the same account or client.
 * </ul>
 *
 * <p>Related specifications:
 *
 * <ul>
 *     <li>OAuth 2.0 (RFC 6749), sections 1.3.3 and 4.3.
 * </ul>
 */
public interface PasswordGrantHandler extends GrantHandler {


	/**
	 * The handled grant type, i.e. the {@code password} grant type
	 * registered in RFC 6749, section 4.3.
	 */
	GrantType GRANT_TYPE = GrantType.PASSWORD;


	/**
	 * Handles a resource owner password credentials grant.
	 *
	 * @param grant              The resource owner password credentials
	 *                           grant, carrying the user name and
	 *                           password to verify. Not {@code null}.
	 * @param scope              The requested scope, {@code null} if not
	 *                           specified.
	 * @param clientID           The client identifier. Not {@code null}.
	 * @param confidentialClient {@code true} if the client is confidential
	 *                           and has been authenticated, else
	 *                           {@code false}. Implementations may use
	 *                           this to refuse the grant to public
	 *                           (unauthenticated) clients.
	 * @param clientMetadata     The OpenID Connect client metadata. Not
	 *                           {@code null}. May be consulted, for
	 *                           example, to check that the client is
	 *                           registered for this grant type.
	 *
	 * <p>If the user credentials are invalid the handler must throw a
	 * {@link GeneralException exception} with an
	 * {@link com.nimbusds.oauth2.sdk.OAuth2Error#INVALID_GRANT
	 * invalid_grant} error code. The error should not reveal which part
	 * of the credentials was wrong.
	 *
	 * <p>If the requested scope is invalid, unknown, malformed, or exceeds
	 * the scope granted by the resource owner the handler must throw a
	 * {@link GeneralException} with an
	 * {@link com.nimbusds.oauth2.sdk.OAuth2Error#INVALID_SCOPE
	 * invalid_scope} error code.
	 *
	 * @return The authorisation.
	 *
	 * @throws GeneralException If the grant is invalid, or another
	 *                          exception was encountered.
	 */
	PasswordGrantAuthorization processGrant(final ResourceOwnerPasswordCredentialsGrant grant,
						final Scope scope,
						final ClientID clientID,
						final boolean confidentialClient,
						final OIDCClientMetadata clientMetadata)
		throws GeneralException;
}