package com.nimbusds.openid.connect.provider.spi.claims;


import com.nimbusds.openid.connect.provider.spi.internal.sessionstore.SubjectSession;
import net.minidev.json.JSONObject;
import org.checkerframework.checker.nullness.qual.Nullable;

import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.token.AccessToken;
import com.nimbusds.openid.connect.provider.spi.InvocationContext;
import com.nimbusds.openid.connect.provider.spi.tokens.TokenEncoderContext;
import com.nimbusds.openid.connect.sdk.claims.ClaimsTransport;


/**
 * OpenID Connect claims request context. The supplied context parameters can
 * be used in the processing and accounting of a claims request.
 */
public interface ClaimsSourceRequestContext extends InvocationContext {
        
        
        /**
         * Returns the claims transport, if applicable.
         *
         * @return {@link ClaimsTransport#USERINFO UserInfo} or
         *         {@link ClaimsTransport#ID_TOKEN ID token}, {@code null} if
         *         the claims source SPI is invoked for another purpose (e.g.
         *         in a {@link TokenEncoderContext}).
         */
        ClaimsTransport getClaimsTransport();
        
        
        /**
         * Returns the optional claims fulfillment data.
         *
         * @return The claims fulfillment data, {@code null} if not specified.
         */
        @Nullable JSONObject getClaimsData();


        /**
         * Returns the identifier of the OAuth 2.0 client (client_id).
         *
         * @return The client ID. Not {@code null}.
         */
        ClientID getClientID();
        
        
        /**
         * Returns the client IP address.
         *
         * @return The client IP address, {@code null} if not available.
         */
        @Nullable String getClientIPAddress();
        
        
        /**
         * Returns the received and successfully validated UserInfo access
         * token for the claims request. If a claims request is triggered in a
         * OpenID Connect implicit and hybrid flows, where the claims are
         * returned as part of the ID token, an access token is not involved
         * and hence not returned by this method.
         *
         * <p>The claims source may use the UserInfo access token for the
         * retrieval of aggregated and distributed claims, where the same token
         * is recognised by the upstream claims providers. See OpenID Connect
         * Core 1.0, section 5.6.
         *
         * @return The UserInfo access token, {@code null} if the claims
         *         request wasn't triggered by a UserInfo request.
         */
        @Nullable AccessToken getUserInfoAccessToken();


        /**
         * Returns the associated subject (end-user) session where the claims
         * sourcing was authorised.
         *
         * <p>The subject session is supplied in the following cases:
         *
         * <ul>
         *     <li>Claims sourcing for the UserInfo endpoint where the subject
         *         session where the claims consent occurred is still present
         *         (not expired or closed)
         *     <li>Claims sourcing for ID token issue in response to an OAuth
         *         2.0 authorisation code, implicit (including OpenID Connect
         *         hybrid response type) and refresh token grants.
         *     <li>Claims sourcing for a direct authorisation request where a
         *         valid subject session ID was supplied, or a new subject
         *         session was created.
         * </ul>
         *
         * @return The subject session, {@code null} if closed or expired, or
         *         not available (due to the session key not being encoded into
         *         the access token where applicable, or other reasons).
         */
        @Nullable SubjectSession getSubjectSession();
}