package com.nimbusds.openid.connect.provider.spi.tokens.introspection;


import net.jcip.annotations.ThreadSafe;

import com.nimbusds.oauth2.sdk.TokenIntrospectionSuccessResponse;
import com.nimbusds.openid.connect.provider.spi.tokens.AccessTokenAuthorization;


/**
 * The default Connect2id server implementation of the SPI for composing token
 * introspection (RFC 7662) responses.
 *
 * <p>Outputs the following parameters, in addition to those output by the
 * parent {@link BaseTokenIntrospectionResponseComposer}:
 *
 * <ul>
 *     <li>"act" actor, in impersonation and delegation scenarios
 *     <li>"dat" additional data
 *     <li>custom top-level parameters
 * </ul>
 *
 * <p>Note that every parameter output here becomes visible to whichever
 * party is authorised to call the introspection endpoint (typically
 * resource servers). Data that must stay internal to the server should
 * therefore not be placed in the "dat" object or in the custom top-level
 * parameters.
 *
 * <p>The following OpenID claims related access token parameters are not
 * output as they are intended for internal use, such as at the UserInfo
 * endpoint, and therefore should not be exposed to external resources:
 *
 * <ul>
 *     <li>{@link AccessTokenAuthorization#getClaimNames() consented OpenID claim names}
 *     <li>{@link AccessTokenAuthorization#getClaimsLocales() preferred claims locales}
 *     <li>{@link AccessTokenAuthorization#getClaimsData() claims fulfilment data}
 *     <li>{@link AccessTokenAuthorization#getPresetClaims() preset OpenID claims}
 *     <li>{@link AccessTokenAuthorization#getSubjectSessionKey() subject session key}
 * </ul>
 *
 * <p>This class holds no state and is therefore safe for concurrent use.
 */
@ThreadSafe
public class DefaultTokenIntrospectionResponseComposer extends BaseTokenIntrospectionResponseComposer {


	/**
	 * Composes the introspection response for the specified access token
	 * authorisation.
	 *
	 * <p>For an inactive (invalid or expired) token the response of the
	 * parent composer is returned as is, so that nothing beyond the
	 * {@code active} flag is disclosed about such tokens, as RFC 7662
	 * section 2.2 expects. For an active token the additional parameters
	 * listed in the class description are appended.
	 *
	 * @param tokenAuthz The access token authorisation. Must not be
	 *                   {@code null}.
	 * @param context    The token introspection context, passed through to
	 *                   the parent composer.
	 *
	 * @return The token introspection success response.
	 */
	@Override
	public TokenIntrospectionSuccessResponse compose(final AccessTokenAuthorization tokenAuthz,
							 final TokenIntrospectionContext context) {

		TokenIntrospectionSuccessResponse baseResponse = super.compose(tokenAuthz, context);

		if (baseResponse.isActive()) {
			return appendExtraParameters(baseResponse, tokenAuthz);
		}

		// Token invalid or expired: keep the minimal response from the
		// parent composer, do not leak anything else about the token
		return baseResponse;
	}


	/**
	 * Appends the "act", "dat" and custom top-level parameters of the
	 * access token authorisation to an active introspection response.
	 *
	 * @param baseResponse The (active) response from the parent composer.
	 *                     Must not be {@code null}.
	 * @param tokenAuthz   The access token authorisation. Must not be
	 *                     {@code null}.
	 *
	 * @return The extended token introspection success response.
	 */
	private static TokenIntrospectionSuccessResponse appendExtraParameters(final TokenIntrospectionSuccessResponse baseResponse,
										final AccessTokenAuthorization tokenAuthz) {

		TokenIntrospectionSuccessResponse.Builder out = new TokenIntrospectionSuccessResponse.Builder(baseResponse);

		// "act": the acting party, present only in impersonation /
		// delegation scenarios
		if (tokenAuthz.getActor() != null) {
			out.parameter("act", tokenAuthz.getActor().toJSONObject());
		}

		// "dat": arbitrary additional data attached to the token, output
		// verbatim to the introspecting party
		if (tokenAuthz.getData() != null) {
			out.parameter("dat", tokenAuthz.getData());
		}

		// Custom top-level parameters, copied verbatim into the response.
		// NOTE(review): nothing here prevents a custom parameter from
		// sharing a name with a standard parameter already set by the
		// parent composer ("active", "sub", "scope", "exp", ...); whether
		// such names are rejected earlier, when the authorisation is
		// created, cannot be seen from this class - confirm upstream.
		if (tokenAuthz.getOtherTopLevelParameters() != null) {
			tokenAuthz.getOtherTopLevelParameters().forEach((name, value) -> out.parameter(name, value));
		}

		return out.build();
	}
}