001package com.nimbusds.openid.connect.provider.spi.tokens.introspection;
002
003
004import net.jcip.annotations.ThreadSafe;
005
006import com.nimbusds.oauth2.sdk.TokenIntrospectionSuccessResponse;
007import com.nimbusds.openid.connect.provider.spi.tokens.AccessTokenAuthorization;
008
009
010/**
011 * The default Connect2id server implementation of the SPI for composing token
012 * introspection (RFC 7662) responses.
013 *
014 * <p>Outputs the following parameters, in addition to those output by the
015 * parent {@link BaseTokenIntrospectionResponseComposer}:
016 *
017 * <ul>
018 *     <li>"act" actor, in impersonation and delegation scenarios
019 *     <li>"dat" additional data
020 *     <li>custom top-level parameters
021 * </ul>
022 *
023 * <p>The following OpenID claims related access token parameters are not
024 * output as they are intended for the internal use, such as at the UserInfo
025 * endpoint, and therefore should not be exposed to external resources.
026 *
027 * <ul>
028 *     <li>{@link AccessTokenAuthorization#getClaimNames() consented OpenID claim names}
029 *     <li>{@link AccessTokenAuthorization#getClaimsLocales() preferred claims locales}
 *     <li>{@link AccessTokenAuthorization#getClaimsData() claims fulfilment data}
031 *     <li>{@link AccessTokenAuthorization#getPresetClaims() preset OpenID claims}
032 *     <li>{@link AccessTokenAuthorization#getSubjectSessionKey() subject session key}
033 * </ul>
034 */
035@ThreadSafe
public class DefaultTokenIntrospectionResponseComposer extends BaseTokenIntrospectionResponseComposer {


        /**
         * Composes the token introspection response. The parent composer
         * builds the base response first; if it reports the token as not
         * active (invalid or expired) that response is returned unchanged,
         * otherwise the actor, additional data and custom top-level
         * parameters found in the authorisation are appended to it.
         *
         * @param tokenAuthz The access token authorisation. Must not be
         *                   {@code null}.
         * @param context    The token introspection context, passed through
         *                   to the parent composer.
         *
         * @return The token introspection success response.
         */
        @Override
        public TokenIntrospectionSuccessResponse compose(final AccessTokenAuthorization tokenAuthz,
                                                         final TokenIntrospectionContext context) {

                final TokenIntrospectionSuccessResponse baseResponse = super.compose(tokenAuthz, context);

                if (baseResponse.isActive()) {
                        return appendExtendedParameters(baseResponse, tokenAuthz);
                }

                // Invalid or expired token: nothing beyond the base response is disclosed
                return baseResponse;
        }


        /**
         * Copies the base response into a builder and adds the optional
         * "act", "dat" and custom top-level parameters, in that order.
         *
         * @param baseResponse The active base response from the parent
         *                     composer.
         * @param tokenAuthz   The access token authorisation supplying the
         *                     extra parameters.
         *
         * @return The extended response.
         */
        private static TokenIntrospectionSuccessResponse appendExtendedParameters(final TokenIntrospectionSuccessResponse baseResponse,
                                                                                   final AccessTokenAuthorization tokenAuthz) {

                final TokenIntrospectionSuccessResponse.Builder builder = new TokenIntrospectionSuccessResponse.Builder(baseResponse);

                // "act": actor, for impersonation / delegation scenarios
                final Object actor = tokenAuthz.getActor();
                if (actor != null) {
                        builder.parameter("act", tokenAuthz.getActor().toJSONObject());
                }

                // "dat": additional data attached to the authorisation
                final Object data = tokenAuthz.getData();
                if (data != null) {
                        builder.parameter("dat", data);
                }

                // Custom top-level parameters are added last. NOTE(review): whether a
                // custom name that collides with a parameter already set by the parent
                // (e.g. "active", "sub", "scope") replaces it depends on the Builder's
                // parameter() semantics, which are not visible here -- confirm, and
                // reject reserved names where the authorisation is created if needed.
                if (tokenAuthz.getOtherTopLevelParameters() != null) {
                        tokenAuthz.getOtherTopLevelParameters().forEach((name, value) -> builder.parameter(name, value));
                }

                return builder.build();
        }
}