Class BaseTokenIntrospectionResponseComposer

java.lang.Object
com.nimbusds.openid.connect.provider.spi.tokens.introspection.BaseTokenIntrospectionResponseComposer
All Implemented Interfaces:
Lifecycle, TokenIntrospectionResponseComposer
Direct Known Subclasses:
DefaultTokenIntrospectionResponseComposer

@ThreadSafe public abstract class BaseTokenIntrospectionResponseComposer extends Object implements TokenIntrospectionResponseComposer
Base implementation of the SPI for composing token introspection (RFC 7662) responses.

Outputs the introspection details specified in:

  • OAuth 2.0 Token Introspection (RFC 7662), section 2.2;
  • OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens (RFC 8705), section 3.2;
  • OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP) (draft-ietf-oauth-dpop-16), section 6.

Parameters:

  • "active"
  • "scope"
  • "client_id"
  • "token_type"
  • "exp"
  • "iat"
  • "sub"
  • "aud"
  • "iss"
  • "jti"
  • "cnf.x5t#S256"
  • "cnf.jkt"

The following non-standard access token parameters are not output by this base implementation:

The extending class may implement output of the above non-standard parameters. It may also choose not to output parameters if they are not required by the client (resource server), e.g. for privacy and data minimisation purposes.

  • Constructor Details

  • Method Details

    • compose

      public com.nimbusds.oauth2.sdk.TokenIntrospectionSuccessResponse compose(AccessTokenAuthorization tokenAuthz, TokenIntrospectionContext context)
      Description copied from interface: TokenIntrospectionResponseComposer
      Composes a token introspection response.

      If the access token was found to be invalid or expired, the method should simply return an inactive response:

       if (tokenAuthz == null) {
           return new TokenIntrospectionSuccessResponse.Builder(false)
               .build();
       }
       
      Specified by:
      compose in interface TokenIntrospectionResponseComposer
      Parameters:
      tokenAuthz - The access token authorisation, null if the token was found to be invalid or expired (implies "active":false).
      context - The token introspection context. Not null.
      Returns:
      The token introspection success response (for "active":true as well as "active":false access tokens).
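      An added example of an extending class, not code from the Connect2id SPI or its documentation: it honours the compose contract above (null authorisation yields "active":false), reuses the base class for the standard RFC 7662 / RFC 8705 / DPoP parameters, and then applies the data-minimisation option the class description mentions by stripping "sub" and "jti" unless the calling resource server is on an allow-list. The assumptions are the hypothetical class name, the allow-list of resource server client IDs, and that TokenIntrospectionContext exposes the authenticated caller via getClientID(); the filtering itself uses only TokenIntrospectionSuccessResponse.toJSONObject() and TokenIntrospectionSuccessResponse.parse(JSONObject) from the OAuth 2.0 SDK.

```java
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.TokenIntrospectionSuccessResponse;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.openid.connect.provider.spi.tokens.AccessTokenAuthorization;
import com.nimbusds.openid.connect.provider.spi.tokens.introspection.BaseTokenIntrospectionResponseComposer;
import com.nimbusds.openid.connect.provider.spi.tokens.introspection.TokenIntrospectionContext;
import net.minidev.json.JSONObject;

import java.util.Set;

/**
 * Hypothetical composer that trims the base introspection output for
 * resource servers that do not need to know who the token was issued to.
 */
public class MinimisingTokenIntrospectionResponseComposer extends BaseTokenIntrospectionResponseComposer {

    // Assumed deployment policy: only these resource servers may see "sub" and "jti".
    private static final Set<String> CLIENTS_ALLOWED_SUBJECT = Set.of("rs-orders", "rs-billing");

    // Parameters withheld from every other caller (identifying / correlatable data).
    private static final Set<String> SUBJECT_PARAMS = Set.of("sub", "jti");

    @Override
    public TokenIntrospectionSuccessResponse compose(AccessTokenAuthorization tokenAuthz,
                                                     TokenIntrospectionContext context) {

        // SPI contract: null authorisation means the token is invalid or expired
        if (tokenAuthz == null) {
            return new TokenIntrospectionSuccessResponse.Builder(false).build();
        }

        // Let the base implementation emit the standard parameters
        TokenIntrospectionSuccessResponse full = super.compose(tokenAuthz, context);

        // Assumed accessor: the authenticated resource server making the request
        ClientID caller = context.getClientID();
        if (caller != null && CLIENTS_ALLOWED_SUBJECT.contains(caller.getValue())) {
            return full;
        }

        return withoutParameters(full, SUBJECT_PARAMS);
    }

    /**
     * Returns a copy of the response with the named top-level parameters removed.
     * Filtering at the JSON level keeps every other parameter, including the
     * "cnf" confirmation claims, exactly as the base class produced them.
     */
    static TokenIntrospectionSuccessResponse withoutParameters(TokenIntrospectionSuccessResponse response,
                                                               Set<String> names) {
        JSONObject json = response.toJSONObject();
        for (String name : names) {
            json.remove(name);
        }
        try {
            return TokenIntrospectionSuccessResponse.parse(json);
        } catch (ParseException e) {
            // Cannot happen for a JSON object we obtained from a valid response
            throw new IllegalStateException("Unexpected introspection response format", e);
        }
    }
}
```

      Keep the allow-list keyed on the resource server's authenticated client ID rather than on anything in the introspection request body, since the token to introspect is attacker-influenced but the caller identity is established by client authentication. Dropping "sub" and "jti" does not affect the resource server's ability to accept or reject the token; "active", "scope", "exp", "aud" and the "cnf" binding are all still present.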