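package com.nimbusds.openid.connect.provider.spi.grants;


import java.util.Objects;

import net.jcip.annotations.Immutable;

import net.minidev.json.JSONObject;
import org.checkerframework.checker.nullness.qual.Nullable;

import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Subject;
import com.nimbusds.oauth2.sdk.util.JSONObjectUtils;


/**
 * Authorisation produced by a {@link GrantHandler grant handler} of
 * self-issued assertions (SAML 2.0 or JWT bearer).
 *
 * <p>Required authorisation details:
 *
 * <ul>
 *     <li>The subject (end-user), or the client identifier when the client
 *         acts on its own behalf (in which case the subject is set to the
 *         client identifier value).
 *     <li>The authorised scope.
 * </ul>
 *
 * <p>All other parameters are optional or have suitable defaults: the
 * access token specification defaults to {@link AccessTokenSpec#DEFAULT},
 * the ID token specification to {@link IDTokenSpec#NONE}, the OpenID claims
 * specification to {@link ClaimsSpec#NONE} and the additional data to
 * {@code null}.
 */
@Immutable
public class SelfIssuedAssertionAuthorization extends SubjectAuthorization {


	/**
	 * Converts a client identifier to a subject, for grants where the
	 * client acts on its own behalf (RFC 7521, section 6.2). The subject
	 * value is the client identifier value, unchanged.
	 *
	 * @param clientID The client identifier. Must not be {@code null}.
	 *
	 * @return The subject with the same value as the client identifier.
	 *
	 * @throws NullPointerException If the client identifier is
	 *                              {@code null}.
	 */
	private static Subject toSubject(final ClientID clientID) {

		// Explicit precondition check so a missing client ID fails with a
		// descriptive message rather than a bare NPE on getValue()
		Objects.requireNonNull(clientID, "The client ID must not be null");
		return new Subject(clientID.getValue());
	}


	/**
	 * Creates a new authorisation for a self-issued assertion grant where
	 * the client acts on behalf of a user. The access token specification
	 * is {@link AccessTokenSpec#DEFAULT}, no ID token and no OpenID claims
	 * are specified, and no additional data is attached.
	 *
	 * <p>See RFC 7521, section 6.3.
	 *
	 * @param subject The subject (end-user). Must not be {@code null}.
	 * @param scope   The authorised scope values. Must not be
	 *                {@code null}.
	 */
	public SelfIssuedAssertionAuthorization(final Subject subject,
						final Scope scope) {

		this(subject, scope, AccessTokenSpec.DEFAULT, IDTokenSpec.NONE, ClaimsSpec.NONE, null);
	}


	/**
	 * Creates a new authorisation for a self-issued assertion grant where
	 * the client acts on behalf of a user.
	 *
	 * <p>See RFC 7521, section 6.3.
	 *
	 * @param subject         The subject (end-user). Must not be
	 *                        {@code null}.
	 * @param scope           The authorised scope values. Must not be
	 *                        {@code null}.
	 * @param accessTokenSpec The access token specification. Must not be
	 *                        {@code null}.
	 * @param idTokenSpec     The ID token specification. Must not be
	 *                        {@code null}.
	 * @param claimsSpec      The OpenID claims specification. Must not be
	 *                        {@code null}.
	 * @param data            Additional data as a JSON object,
	 *                        {@code null} if not specified.
	 */
	public SelfIssuedAssertionAuthorization(final Subject subject,
						final Scope scope,
						final AccessTokenSpec accessTokenSpec,
						final IDTokenSpec idTokenSpec,
						final ClaimsSpec claimsSpec,
						final @Nullable JSONObject data) {

		// All argument validation is delegated to the superclass constructor
		super(subject, scope, accessTokenSpec, idTokenSpec, claimsSpec, data);
	}


	/**
	 * Creates a new authorisation for a self-issued assertion grant where
	 * the client acts on its own behalf. The subject is set to the client
	 * identifier value, the access token specification is
	 * {@link AccessTokenSpec#DEFAULT}, no ID token and no OpenID claims
	 * are specified, and no additional data is attached.
	 *
	 * <p>See RFC 7521, section 6.2.
	 *
	 * @param subject The client identifier. Must not be {@code null}.
	 * @param scope   The authorised scope values. Must not be
	 *                {@code null}.
	 *
	 * @throws NullPointerException If the client identifier is
	 *                              {@code null}.
	 */
	public SelfIssuedAssertionAuthorization(final ClientID subject,
						final Scope scope) {

		this(toSubject(subject), scope, AccessTokenSpec.DEFAULT, IDTokenSpec.NONE, ClaimsSpec.NONE, null);
	}


	/**
	 * Creates a new authorisation for a self-issued assertion grant where
	 * the client acts on its own behalf. The subject is set to the client
	 * identifier value; no ID token and no OpenID claims are specified.
	 *
	 * <p>See RFC 7521, section 6.2.
	 *
	 * @param subject         The client identifier. Must not be
	 *                        {@code null}.
	 * @param scope           The authorised scope values. Must not be
	 *                        {@code null}.
	 * @param accessTokenSpec The access token specification. Must not be
	 *                        {@code null}.
	 * @param data            Additional data as a JSON object,
	 *                        {@code null} if not specified.
	 *
	 * @throws NullPointerException If the client identifier is
	 *                              {@code null}.
	 */
	public SelfIssuedAssertionAuthorization(final ClientID subject,
						final Scope scope,
						final AccessTokenSpec accessTokenSpec,
						final @Nullable JSONObject data) {

		this(toSubject(subject), scope, accessTokenSpec, IDTokenSpec.NONE, ClaimsSpec.NONE, data);
	}


	/**
	 * Parses a self-issued assertion grant authorisation from the
	 * specified JSON object. The individual members are parsed and
	 * validated by {@link SubjectAuthorization#parse(JSONObject)}; the
	 * resulting subject, scope, token specifications, claims
	 * specification and data are carried over unchanged.
	 *
	 * @param jsonObject The JSON object to parse. Must not be
	 *                   {@code null}.
	 *
	 * @return The authorisation.
	 *
	 * @throws ParseException If parsing failed.
	 */
	public static SelfIssuedAssertionAuthorization parse(final JSONObject jsonObject)
		throws ParseException {

		SubjectAuthorization subAuthz = SubjectAuthorization.parse(jsonObject);

		// Re-wrap as the concrete type; the 6-arg constructor takes the
		// parsed values as-is (no defaults applied at this point)
		return new SelfIssuedAssertionAuthorization(
			subAuthz.getSubject(),
			subAuthz.getScope(),
			subAuthz.getAccessTokenSpec(),
			subAuthz.getIDTokenSpec(),
			subAuthz.getClaimsSpec(),
			subAuthz.getData());
	}


	/**
	 * Parses a self-issued assertion grant authorisation from the
	 * specified JSON object string.
	 *
	 * @param json The JSON object string to parse. Must not be
	 *             {@code null}.
	 *
	 * @return The authorisation.
	 *
	 * @throws ParseException If parsing failed, including when the string
	 *                        is not a valid JSON object.
	 */
	public static SelfIssuedAssertionAuthorization parse(final String json)
		throws ParseException {

		JSONObject jsonObject = JSONObjectUtils.parse(json);
		return parse(jsonObject);
	}
}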