Interface DeviceSSOHandler

All Superinterfaces:
Lifecycle

@ThreadSafe public interface DeviceSSOHandler extends Lifecycle

Service Provider Interface (SPI) for handling device Single Sign-On (SSO).

Implementations must be thread-safe.

Related specifications:

  • OpenID Connect Native SSO for Mobile Apps 1.0

Method Summary

    Modifier and Type: BackChannelDeviceSSOAuthorization
    Method: processBackChannelRequest(com.nimbusds.oauth2.sdk.id.Subject subject, com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet idTokenClaimsSet, SubjectSession deviceSession, TokenRequestParameters tokenRequestParams, com.nimbusds.oauth2.sdk.id.ClientID clientID, boolean confidentialClient, com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata clientMetadata, DeviceSSOHandlerContext handlerCtx)
    Description: Handles a back-channel device SSO request, represented by a token exchange request (RFC 8693), from a client registered with the Connect2id server.

    Methods inherited from interface com.nimbusds.openid.connect.provider.spi.Lifecycle

    init, isEnabled, shutdown

Method Details

    • processBackChannelRequest

      BackChannelDeviceSSOAuthorization processBackChannelRequest(com.nimbusds.oauth2.sdk.id.Subject subject, com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet idTokenClaimsSet, SubjectSession deviceSession, TokenRequestParameters tokenRequestParams, com.nimbusds.oauth2.sdk.id.ClientID clientID, boolean confidentialClient, com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata clientMetadata, DeviceSSOHandlerContext handlerCtx) throws com.nimbusds.oauth2.sdk.GeneralException
      Handles a back-channel device SSO request, represented by a token exchange request (RFC 8693), from a client registered with the Connect2id server. Prior to calling this method the Connect2id server has successfully identified / authenticated the client and validated the received ID token (subject_token), device secret (device_secret) and their binding.

      If the requested scope is invalid, unknown, malformed, or exceeds the scope granted by the resource owner the handler must throw a GeneralException with an invalid_scope error code.

      If the requested scope requires a higher end-user authentication level (ACR) than recorded in the device session, or explicit consent by the end-user, the handler must throw a GeneralException with an interaction_required error code.

      Parameters:
subject - The local subject (end-user) of the validated ID token to sign in. If the ID token was issued with a pairwise subject identifier, this is the resolved (decrypted) identifier value. Not null.
      idTokenClaimsSet - The claims set of the received and successfully validated ID token. Note that the ID token subject identifier may be pairwise (encrypted). Use the subject argument which provides the local identifier value. Not null.
      deviceSession - The device session corresponding to the received and successfully validated device secret. Not null.
      tokenRequestParams - The token request parameters, such as the requested scope. Not null.
      clientID - The client identifier. Not null.
      confidentialClient - true if the client is confidential and has been authenticated, else false.
      clientMetadata - The OAuth 2.0 client / OpenID relying party metadata. Not null.
      handlerCtx - The handler context. Not null.
      Returns:
The back-channel device SSO authorisation for the requesting client.
      Throws:
      com.nimbusds.oauth2.sdk.GeneralException - If the request was denied, or another exception was encountered.
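The scope and ACR rules stated in the contract above, worked through as an added example handler; this is not code from the Connect2id server or its SDK. Nimbus SDK classes (Scope, ACR, OAuth2Error, OIDCError, GeneralException) are real; the accessors TokenRequestParameters.getScope() and SubjectSession.getAuthDetails().getACR(), the BackChannelDeviceSSOAuthorization(Scope) constructor and the InitContext type of Lifecycle.init are assumptions, and the ACR values, scope policy and granted scope are constructed for the example.

```java
import java.util.Map;
import com.nimbusds.oauth2.sdk.GeneralException;
import com.nimbusds.oauth2.sdk.OAuth2Error;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Subject;
import com.nimbusds.openid.connect.sdk.OIDCError;
import com.nimbusds.openid.connect.sdk.claims.ACR;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata;

// Thread-safe by construction: no mutable state, as the SPI requires.
public class ExampleDeviceSSOHandler implements DeviceSSOHandler {
    // Constructed policy: scope values obtainable via device SSO and the minimum
    // ACR each one needs. Any other requested value is unknown -> invalid_scope.
    private static final Map<String, ACR> MIN_ACR = Map.of(
        "openid",  new ACR("urn:example:acr:1"),
        "profile", new ACR("urn:example:acr:1"),
        "payment", new ACR("urn:example:acr:2")); // constructed, needs step-up
    // Constructed ACR ordering; a real deployment substitutes its own ranking.
    static int level(ACR acr) { return acr != null && acr.getValue().endsWith(":2") ? 2 : 1; }

    /** Pure policy check: returns the scope to authorise or throws per the SPI contract. */
    public static Scope check(Scope requested, Scope granted, ACR sessionACR) throws GeneralException {
        if (requested == null || requested.isEmpty())
            throw new GeneralException(OAuth2Error.INVALID_SCOPE.setDescription("scope is required"));
        for (Scope.Value v : requested) {
            ACR min = MIN_ACR.get(v.getValue());
            if (min == null || granted == null || !granted.contains(v)) // unknown, or beyond consent
                throw new GeneralException(OAuth2Error.INVALID_SCOPE.setDescription("not permitted: " + v));
            if (level(sessionACR) < level(min)) // session too weak: the end-user must re-authenticate
                throw new GeneralException(OIDCError.INTERACTION_REQUIRED.setDescription("step-up needed for " + v));
        }
        return requested;
    }

    @Override
    public BackChannelDeviceSSOAuthorization processBackChannelRequest(
            Subject subject, IDTokenClaimsSet idTokenClaimsSet, SubjectSession deviceSession,
            TokenRequestParameters tokenRequestParams, ClientID clientID, boolean confidentialClient,
            OIDCClientMetadata clientMetadata, DeviceSSOHandlerContext handlerCtx) throws GeneralException {
        Scope granted = Scope.parse("openid profile payment");  // constructed; consult the consent store here
        ACR acr = deviceSession.getAuthDetails().getACR();       // assumed SubjectSession accessor
        Scope scope = check(tokenRequestParams.getScope(), granted, acr); // getScope() assumed
        return new BackChannelDeviceSSOAuthorization(scope);     // assumed constructor
    }

    // Lifecycle (InitContext type assumed): nothing to configure for this example.
    @Override public void init(InitContext ctx) { }
    @Override public boolean isEnabled() { return true; }
    @Override public void shutdown() { }
}
```

With the constructed policy, a request for "openid payment" from a session at urn:example:acr:1 fails with interaction_required, while "openid admin" fails with invalid_scope because admin is not a known device SSO scope.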