package com.nimbusds.openid.connect.provider.spi.tokens;


import com.nimbusds.jwt.JWTClaimsSet;
import net.jcip.annotations.ThreadSafe;


/**
 * Service Provider Interface (SPI) that maps an access token authorisation
 * to and from the JWT claims set of a self-contained access token.
 *
 * <p>Implementations are invoked concurrently by the server and must be
 * thread-safe; they should hold no per-request mutable state.
 *
 * <p>Example claims set of a self-contained access token:
 *
 * <pre>
 * {
 *   "sub" : "alice",
 *   "cid" : "65564eb0058d",
 *   "scp" : [ "openid", "email", "app:write" ],
 *   "iss" : "https://c2id.com",
 *   "iat" : 1360050000,
 *   "exp" : 1360050795,
 *   "aud" : [ "https://resource-1.example.com", "https://resource-2.example.com" ]
 * }
 * </pre>
 *
 * <p>Rather than implementing this interface directly, extend
 * {@link BaseSelfContainedAccessTokenClaimsCodec}: it already emits every
 * token parameter that has a matching standard JWT claim (subject, issuer,
 * expiration time, ...), leaving only the non-standard parameters, such as
 * the scope and the client ID, for the implementation to encode.
 *
 * <p>Note that this codec operates on the claims set alone. Whether the
 * enclosing JWT's signature or MAC has been verified before {@link #decode}
 * is called is not expressed by this interface; confirm that the caller
 * performs that check.
 */
@ThreadSafe
public interface SelfContainedAccessTokenClaimsCodec {


	/**
	 * Produces the JWT claims set for the given access token
	 * authorisation.
	 *
	 * @param tokenAuthz The authorisation to encode. Must not be
	 *                   {@code null}.
	 * @param context    The encoder context. Must not be {@code null}.
	 *
	 * @return The resulting JWT claims set.
	 */
	JWTClaimsSet encode(AccessTokenAuthorization tokenAuthz, TokenEncoderContext context);


	/**
	 * Reconstructs an access token authorisation from the given JWT
	 * claims set.
	 *
	 * <p>Implementations should report a missing or malformed claim as a
	 * {@link TokenDecodeException} rather than letting an unchecked
	 * exception (e.g. a {@code ClassCastException} from a wrongly typed
	 * claim value) escape.
	 *
	 * @param claimsSet The claims set to decode. Must not be {@code null}.
	 * @param context   The codec context. Must not be {@code null}.
	 *
	 * @return The decoded access token authorisation.
	 *
	 * @throws TokenDecodeException If the claims set could not be decoded.
	 */
	AccessTokenAuthorization decode(JWTClaimsSet claimsSet, TokenCodecContext context)
		throws TokenDecodeException;
}