Interface CIBARequestHandler
All Superinterfaces: Lifecycle
Service Provider Interface (SPI) for handling Client-Initiated Backchannel
Authentication (CIBA) requests.
The Connect2id server performs the following processing prior to invoking this SPI:
- Authenticates the client and ensures it's authorised to make CIBA requests.
- If the CIBA request is signed, validates the JWT and extracts the request parameters.
- Ensures the client is allowed to use the type of submitted hint (login_hint_token, id_token_hint or login_hint).
- Resolves the hint subject and, for a login_hint_token, also the linked native IdP app session.
- Ensures the binding_message, if any, matches the configured legal pattern.
- Ensures a user_code is submitted if required for the client.
The type of hint that was used can be obtained with CIBARequest.getHintType().
Implementations must be thread-safe.
Related specifications:
- OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0.
Method Summary
Modifier and Type: void
Method: process(com.nimbusds.oauth2.sdk.token.AccessToken callbackToken, int expiresIn, com.nimbusds.oauth2.sdk.id.Subject resolvedSubject, com.nimbusds.oauth2.sdk.ciba.CIBARequest cibaRequest, HintContext hintCtx, com.nimbusds.oauth2.sdk.id.ClientID clientID, com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata clientMetadata, SubjectSessionContext sessionContext, InvocationContext invocationCtx)
Description: Handles a CIBA request that passed initial validation by the Connect2id server.
Method Details
process
void process(com.nimbusds.oauth2.sdk.token.AccessToken callbackToken, int expiresIn, com.nimbusds.oauth2.sdk.id.Subject resolvedSubject, com.nimbusds.oauth2.sdk.ciba.CIBARequest cibaRequest, HintContext hintCtx, com.nimbusds.oauth2.sdk.id.ClientID clientID, com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata clientMetadata, SubjectSessionContext sessionContext, InvocationContext invocationCtx) throws com.nimbusds.oauth2.sdk.GeneralException
Handles a CIBA request that passed initial validation by the Connect2id server.
Parameters:
- callbackToken - The callback token. Required to submit the CIBA authorisation to the Connect2id server after successful end-user authentication and consent.
- expiresIn - The lifetime of the auth_req_id and the callback token, in seconds.
- resolvedSubject - The end-user identifier resolved from the received login_hint_token, id_token_hint or login_hint.
- cibaRequest - The CIBA request.
- hintCtx - Additional context about the received login_hint_token, id_token_hint or login_hint.
- clientID - The client identifier.
- clientMetadata - The OAuth 2.0 / OpenID Connect client metadata.
- sessionContext - The session context for the resolved subject.
- invocationCtx - The invocation context.
Throws:
- com.nimbusds.oauth2.sdk.GeneralException - If the request is rejected. Should include an appropriate HTTP status and error code.
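A sketch of a handler for the process method above, added here as an illustration and not taken from the Connect2id SDK or its documentation. It checks the submitted user_code in constant time, rejects with a GeneralException carrying an HTTP status and error code, and hands the callback token to the authentication device component. Assumptions: the handler is where the user_code value is verified (the page only says the server ensures one is submitted), UserCodeStore and DeviceNotifier are hypothetical collaborators, constructor injection is used for brevity, and Lifecycle's methods have default implementations.

```java
import com.nimbusds.oauth2.sdk.ErrorObject;
import com.nimbusds.oauth2.sdk.GeneralException;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.ciba.CIBARequest;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Subject;
import com.nimbusds.oauth2.sdk.token.AccessToken;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// CIBARequestHandler, HintContext, SubjectSessionContext and InvocationContext are
// Connect2id SPI types; import them from the SPI package of your SDK version.
// Assumption: Lifecycle's methods have default implementations, so none are overridden.
public class DeviceCIBAHandler implements CIBARequestHandler {
    /** Hypothetical collaborators, not part of the Connect2id SDK. */
    public interface UserCodeStore { byte[] userCodeFor(Subject subject); } // null if none set
    public interface DeviceNotifier {
        void push(Subject subject, String bindingMessage, AccessToken callbackToken, int expiresIn);
    }

    // Final fields only: implementations must be thread-safe.
    private final UserCodeStore userCodes;
    private final DeviceNotifier notifier;

    public DeviceCIBAHandler(UserCodeStore userCodes, DeviceNotifier notifier) {
        this.userCodes = userCodes;
        this.notifier = notifier;
    }

    @Override
    public void process(AccessToken callbackToken, int expiresIn, Subject resolvedSubject,
                        CIBARequest cibaRequest, HintContext hintCtx, ClientID clientID,
                        OIDCClientMetadata clientMetadata, SubjectSessionContext sessionContext,
                        InvocationContext invocationCtx) throws GeneralException {
        Secret submitted = cibaRequest.getUserCode(); // null when the client sent none
        byte[] expected = userCodes.userCodeFor(resolvedSubject);
        if (expected != null) {
            byte[] got = submitted == null ? new byte[0]
                    : submitted.getValue().getBytes(StandardCharsets.UTF_8);
            if (!MessageDigest.isEqual(expected, got)) { // constant-time comparison
                // invalid_user_code is the CIBA Core 1.0 error code, returned with HTTP 400.
                throw new GeneralException("Invalid user_code, client " + clientID,
                        new ErrorObject("invalid_user_code", "Invalid user code", 400));
            }
        }
        // The callback token authorises the later submission to the server: pass it only
        // to the component that completes authentication and keep it out of logs.
        notifier.push(resolvedSubject, cibaRequest.getBindingMessage(), callbackToken, expiresIn);
    }
}
```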