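package com.nimbusds.openid.connect.provider.spi.nativesso;


import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.openid.connect.provider.spi.grants.AccessTokenSpec;
import com.nimbusds.openid.connect.provider.spi.grants.ClaimsSpec;
import com.nimbusds.openid.connect.provider.spi.grants.IDTokenSpec;
import com.nimbusds.openid.connect.provider.spi.grants.RefreshTokenSpec;
import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
import com.nimbusds.openid.connect.sdk.nativesso.DeviceSSOScopeValue;
import net.jcip.annotations.Immutable;
import net.minidev.json.JSONObject;
import org.checkerframework.checker.nullness.qual.Nullable;

import java.util.Objects;


/**
 * Back-channel device SSO authorisation.
 *
 * <p>Required authorisation details:
 *
 * <ul>
 *     <li>The authorised scope. Must include the {@code openid} and
 *         {@code device_sso} scope values.
 *     <li>An ID token issue must be authorised.
 * </ul>
 *
 * <p>All other parameters are optional or have suitable defaults.
 *
 * <p>Instances are immutable: the optional JSON data object is copied on
 * the way in and on the way out, so neither the caller's object nor the
 * object returned by {@link #getData()} can alter this authorisation.
 */
@Immutable
public class BackChannelDeviceSSOAuthorization {


	/**
	 * The authorised scope.
	 */
	private final Scope scope;


	/**
	 * The access token specification.
	 */
	private final AccessTokenSpec accessTokenSpec;


	/**
	 * The refresh token specification.
	 */
	private final RefreshTokenSpec refreshTokenSpec;


	/**
	 * The ID token specification.
	 */
	private final IDTokenSpec idTokenSpec;


	/**
	 * The OpenID Connect claims spec.
	 */
	private final ClaimsSpec claimsSpec;


	/**
	 * Optional authorisation data as a JSON object, {@code null} if not
	 * specified. Private copy, never the caller's instance.
	 */
	private final @Nullable JSONObject data;


	/**
	 * Creates a new Back-channel device SSO authorisation for a subject
	 * (end-user).
	 *
	 * <p>Validation performed here: all specifications must be non-null,
	 * and if the scope contains {@code openid} the ID token specification
	 * must authorise an ID token issue. The presence of the {@code openid}
	 * and {@code device_sso} scope values listed in the class description
	 * is not checked by this constructor.
	 *
	 * @param scope            The authorised scope. Must not be
	 *                         {@code null}.
	 * @param accessTokenSpec  The access token specification. Must not be
	 *                         {@code null}.
	 * @param refreshTokenSpec The refresh token specification. Must not be
	 *                         {@code null}.
	 * @param idTokenSpec      The ID token specification. Must not be
	 *                         {@code null}.
	 * @param claimsSpec       The OpenID claims specification. Must not be
	 *                         {@code null}.
	 * @param data             Additional data as a JSON object,
	 *                         {@code null} if not specified. Copied.
	 *
	 * @throws NullPointerException     If a required argument is
	 *                                  {@code null}.
	 * @throws IllegalArgumentException If the scope contains
	 *                                  {@code openid} but the ID token
	 *                                  specification doesn't authorise
	 *                                  an ID token issue.
	 */
	public BackChannelDeviceSSOAuthorization(final Scope scope,
						 final AccessTokenSpec accessTokenSpec,
						 final RefreshTokenSpec refreshTokenSpec,
						 final IDTokenSpec idTokenSpec,
						 final ClaimsSpec claimsSpec,
						 final @Nullable JSONObject data) {

		this.scope = Objects.requireNonNull(scope, "scope");
		this.accessTokenSpec = Objects.requireNonNull(accessTokenSpec, "accessTokenSpec");
		this.refreshTokenSpec = Objects.requireNonNull(refreshTokenSpec, "refreshTokenSpec");

		// Check for null before idTokenSpec.issue() is reached: previously
		// the spec was only dereferenced when the scope contained openid,
		// so a null spec could be stored in violation of the documented
		// contract and fail later in a getter's caller instead of here
		this.idTokenSpec = Objects.requireNonNull(idTokenSpec, "idTokenSpec");

		if (scope.contains(OIDCScopeValue.OPENID) && ! idTokenSpec.issue()) {
			throw new IllegalArgumentException("ID token issue must be authorized for scope openid");
		}

		this.claimsSpec = Objects.requireNonNull(claimsSpec, "claimsSpec");

		// JSONObject is a mutable map; keep a shallow copy so later
		// changes by the caller cannot alter this @Immutable object
		this.data = data != null ? new JSONObject(data) : null;
	}


	/**
	 * Returns the authorised scope.
	 *
	 * @return The authorised scope.
	 */
	public Scope getScope() {
		return scope;
	}


	/**
	 * Returns the access token specification.
	 *
	 * @return The access token specification.
	 */
	public AccessTokenSpec getAccessTokenSpec() {
		return accessTokenSpec;
	}


	/**
	 * Returns the refresh token specification.
	 *
	 * @return The refresh token specification.
	 */
	public RefreshTokenSpec getRefreshTokenSpec() {
		return refreshTokenSpec;
	}


	/**
	 * Returns the ID token specification.
	 *
	 * @return The ID token specification, never {@code null}.
	 */
	public IDTokenSpec getIDTokenSpec() {
		return idTokenSpec;
	}


	/**
	 * Returns the OpenID claims specification.
	 *
	 * @return The OpenID claims specification.
	 */
	public ClaimsSpec getClaimsSpec() {
		return claimsSpec;
	}


	/**
	 * Returns the additional data as a JSON object.
	 *
	 * @return A shallow copy of the additional data, {@code null} if not
	 *         specified. Modifying the returned object doesn't affect
	 *         this authorisation.
	 */
	public @Nullable JSONObject getData() {
		// Copy on the way out for the same reason as in the constructor
		return data != null ? new JSONObject(data) : null;
	}
}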