Class OIDCClientMetadata

java.lang.Object
com.nimbusds.oauth2.sdk.client.ClientMetadata
com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata

public class OIDCClientMetadata extends ClientMetadata
OpenID Connect client metadata.

Related specifications:

  • OpenID Connect Dynamic Client Registration 1.0, section 2.
  • OpenID Connect Session Management 1.0, section 5.1.1 (draft 28).
  • OpenID Connect Front-Channel Logout 1.0, section 2 (draft 02).
  • OpenID Connect Back-Channel Logout 1.0, section 2.2 (draft 07).
  • OpenID Connect for Identity Assurance 1.0 (draft 12).
  • OpenID Connect Federation 1.0 (draft 14).
  • OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591), section 2.
  • OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens (RFC 8705), sections 2.1.2 and 3.4.
  • OAuth 2.0 Demonstrating Proof of Possession (DPoP) (RFC 9449), section 5.2.
  • Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)
  • OAuth 2.0 Pushed Authorization Requests (RFC 9126)
  • OAuth 2.0 Rich Authorization Requests (RFC 9396), section 10.
Constructor Details

    • OIDCClientMetadata

      public OIDCClientMetadata()
      Creates a new, empty OpenID Connect client metadata instance.
    • OIDCClientMetadata

      public OIDCClientMetadata(ClientMetadata metadata)
      Creates a new OpenID Connect client metadata instance from the specified base OAuth 2.0 client metadata.
      Parameters:
      metadata - The base OAuth 2.0 client metadata. Must not be null.
    • OIDCClientMetadata

      public OIDCClientMetadata(OIDCClientMetadata metadata)
      Creates a shallow copy of the specified OpenID Connect client metadata instance.
      Parameters:
      metadata - The client metadata to copy. Must not be null.
Method Details

    • getRegisteredParameterNames

      public static Set<String> getRegisteredParameterNames()
      Gets the registered (standard) OpenID Connect client metadata parameter names.
      Returns:
      The registered OpenID Connect parameter names, as an unmodifiable set.
    • getApplicationType

      public ApplicationType getApplicationType()
      Gets the client application type. Corresponds to the application_type client metadata field.
      Returns:
      The client application type, null if not specified.
    • setApplicationType

      public void setApplicationType(ApplicationType applicationType)
      Sets the client application type. Corresponds to the application_type client metadata field.
      Parameters:
      applicationType - The client application type, null if not specified.
    • getSubjectType

      public SubjectType getSubjectType()
      Gets the subject identifier type for responses to this client. Corresponds to the subject_type client metadata field.
      Returns:
      The subject identifier type, null if not specified.
    • setSubjectType

      public void setSubjectType(SubjectType subjectType)
      Sets the subject identifier type for responses to this client. Corresponds to the subject_type client metadata field.
      Parameters:
      subjectType - The subject identifier type, null if not specified.
    • getSectorIDURI

      public URI getSectorIDURI()
      Gets the sector identifier URI. Corresponds to the sector_identifier_uri client metadata field.
      Returns:
      The sector identifier URI, null if not specified.
    • setSectorIDURI

      public void setSectorIDURI(URI sectorIDURI)
      Sets the sector identifier URI. Corresponds to the sector_identifier_uri client metadata field. If set, the URI is checked for an https scheme and a host component, unless the URI is a URN.
      Parameters:
      sectorIDURI - The sector identifier URI, null if not specified.
      Throws:
      IllegalArgumentException - If the URI was found to be illegal.
    • resolveSectorID

      public SectorID resolveSectorID()
      Resolves the sector identifier from the client metadata.
      Returns:
      The sector identifier, null if the subject type is set to public.
      Throws:
      IllegalStateException - If resolution failed due to incomplete or inconsistent metadata.
    • getIDTokenJWSAlg

      public com.nimbusds.jose.JWSAlgorithm getIDTokenJWSAlg()
      Gets the JSON Web Signature (JWS) algorithm required for the ID Tokens issued to this client. Corresponds to the id_token_signed_response_alg client metadata field.
      Returns:
      The JWS algorithm, null if not specified.
    • setIDTokenJWSAlg

      public void setIDTokenJWSAlg(com.nimbusds.jose.JWSAlgorithm idTokenJWSAlg)
      Sets the JSON Web Signature (JWS) algorithm required for the ID Tokens issued to this client. Corresponds to the id_token_signed_response_alg client metadata field.
      Parameters:
      idTokenJWSAlg - The JWS algorithm, null if not specified.
    • getIDTokenJWEAlg

      public com.nimbusds.jose.JWEAlgorithm getIDTokenJWEAlg()
      Gets the JSON Web Encryption (JWE) algorithm required for the ID Tokens issued to this client. Corresponds to the id_token_encrypted_response_alg client metadata field.
      Returns:
      The JWE algorithm, null if not specified.
    • setIDTokenJWEAlg

      public void setIDTokenJWEAlg(com.nimbusds.jose.JWEAlgorithm idTokenJWEAlg)
      Sets the JSON Web Encryption (JWE) algorithm required for the ID Tokens issued to this client. Corresponds to the id_token_encrypted_response_alg client metadata field.
      Parameters:
      idTokenJWEAlg - The JWE algorithm, null if not specified.
    • getIDTokenJWEEnc

      public com.nimbusds.jose.EncryptionMethod getIDTokenJWEEnc()
      Gets the JSON Web Encryption (JWE) method required for the ID Tokens issued to this client. Corresponds to the id_token_encrypted_response_enc client metadata field.
      Returns:
      The JWE method, null if not specified.
    • setIDTokenJWEEnc

      public void setIDTokenJWEEnc(com.nimbusds.jose.EncryptionMethod idTokenJWEEnc)
      Sets the JSON Web Encryption (JWE) method required for the ID Tokens issued to this client. Corresponds to the id_token_encrypted_response_enc client metadata field.
      Parameters:
      idTokenJWEEnc - The JWE method, null if not specified.
    • getUserInfoJWSAlg

      public com.nimbusds.jose.JWSAlgorithm getUserInfoJWSAlg()
      Gets the JSON Web Signature (JWS) algorithm required for the UserInfo responses to this client. Corresponds to the userinfo_signed_response_alg client metadata field.
      Returns:
      The JWS algorithm, null if not specified.
    • setUserInfoJWSAlg

      public void setUserInfoJWSAlg(com.nimbusds.jose.JWSAlgorithm userInfoJWSAlg)
      Sets the JSON Web Signature (JWS) algorithm required for the UserInfo responses to this client. Corresponds to the userinfo_signed_response_alg client metadata field.
      Parameters:
      userInfoJWSAlg - The JWS algorithm, null if not specified.
    • getUserInfoJWEAlg

      public com.nimbusds.jose.JWEAlgorithm getUserInfoJWEAlg()
      Gets the JSON Web Encryption (JWE) algorithm required for the UserInfo responses to this client. Corresponds to the userinfo_encrypted_response_alg client metadata field.
      Returns:
      The JWE algorithm, null if not specified.
    • setUserInfoJWEAlg

      public void setUserInfoJWEAlg(com.nimbusds.jose.JWEAlgorithm userInfoJWEAlg)
      Sets the JSON Web Encryption (JWE) algorithm required for the UserInfo responses to this client. Corresponds to the userinfo_encrypted_response_alg client metadata field.
      Parameters:
      userInfoJWEAlg - The JWE algorithm, null if not specified.
    • getUserInfoJWEEnc

      public com.nimbusds.jose.EncryptionMethod getUserInfoJWEEnc()
      Gets the JSON Web Encryption (JWE) method required for the UserInfo responses to this client. Corresponds to the userinfo_encrypted_response_enc client metadata field.
      Returns:
      The JWE method, null if not specified.
    • setUserInfoJWEEnc

      public void setUserInfoJWEEnc(com.nimbusds.jose.EncryptionMethod userInfoJWEEnc)
      Sets the JSON Web Encryption (JWE) method required for the UserInfo responses to this client. Corresponds to the userinfo_encrypted_response_enc client metadata field.
      Parameters:
      userInfoJWEEnc - The JWE method, null if not specified.
    • getDefaultMaxAge

      public int getDefaultMaxAge()
      Gets the default maximum authentication age. Corresponds to the default_max_age client metadata field.
      Returns:
      The default max authentication age, in seconds; -1 if not specified.
    • setDefaultMaxAge

      public void setDefaultMaxAge(int defaultMaxAge)
      Sets the default maximum authentication age. Corresponds to the default_max_age client metadata field.
      Parameters:
      defaultMaxAge - The default max authentication age, in seconds; -1 if not specified.
    • requiresAuthTime

      public boolean requiresAuthTime()
      Gets the default requirement for the auth_time claim in the ID Token. Corresponds to the require_auth_time client metadata field.
      Returns:
      If true, the auth_time claim in the ID Token is required by default.
    • requiresAuthTime

      public void requiresAuthTime(boolean requiresAuthTime)
      Sets the default requirement for the auth_time claim in the ID Token. Corresponds to the require_auth_time client metadata field.
      Parameters:
      requiresAuthTime - If true, the auth_time claim in the ID Token is required by default.
    • getDefaultACRs

      public List<ACR> getDefaultACRs()
      Gets the default Authentication Context Class Reference (ACR) values. Corresponds to the default_acr_values client metadata field.
      Returns:
      The default ACR values, by order of preference, null if not specified.
    • setDefaultACRs

      public void setDefaultACRs(List<ACR> defaultACRs)
      Sets the default Authentication Context Class Reference (ACR) values. Corresponds to the default_acr_values client metadata field.
      Parameters:
      defaultACRs - The default ACRs, by order of preference, null if not specified.
    • getInitiateLoginURI

      public URI getInitiateLoginURI()
      Gets the HTTPS URI that the authorisation server can call to initiate a login at the client. Corresponds to the initiate_login_uri client metadata field.
      Returns:
      The login URI, null if not specified.
    • setInitiateLoginURI

      public void setInitiateLoginURI(URI loginURI)
      Sets the HTTPS URI that the authorisation server can call to initiate a login at the client. Corresponds to the initiate_login_uri client metadata field.
      Parameters:
      loginURI - The login URI, null if not specified. The URI scheme must be https.
    • getPostLogoutRedirectionURIs

      public Set<URI> getPostLogoutRedirectionURIs()
      Gets the post logout redirection URIs. Corresponds to the post_logout_redirect_uris client metadata field.
      Returns:
      The logout redirection URIs, null if not specified.
    • setPostLogoutRedirectionURIs

      public void setPostLogoutRedirectionURIs(Set<URI> logoutURIs)
      Sets the post logout redirection URIs. Corresponds to the post_logout_redirect_uris client metadata field.
      Parameters:
      logoutURIs - The post logout redirection URIs, null if not specified.
    • getFrontChannelLogoutURI

      public URI getFrontChannelLogoutURI()
      Gets the front-channel logout URI. Corresponds to the frontchannel_logout_uri client metadata field.
      Returns:
      The front-channel logout URI, null if not specified.
    • setFrontChannelLogoutURI

      public void setFrontChannelLogoutURI(URI frontChannelLogoutURI)
      Sets the front-channel logout URI. Corresponds to the frontchannel_logout_uri client metadata field.
      Parameters:
      frontChannelLogoutURI - The front-channel logout URI, null if not specified.
    • requiresFrontChannelLogoutSession

      public boolean requiresFrontChannelLogoutSession()
      Gets the requirement for a session identifier on front-channel logout. Corresponds to the frontchannel_logout_session_required client metadata field.
      Returns:
      true if a session identifier is required, else false.
    • requiresFrontChannelLogoutSession

      public void requiresFrontChannelLogoutSession(boolean requiresSession)
      Sets the requirement for a session identifier on front-channel logout. Corresponds to the frontchannel_logout_session_required client metadata field.
      Parameters:
      requiresSession - true if a session identifier is required, else false.
    • getBackChannelLogoutURI

      public URI getBackChannelLogoutURI()
      Gets the back-channel logout URI. Corresponds to the backchannel_logout_uri client metadata field.
      Returns:
      The back-channel logout URI, null if not specified.
    • setBackChannelLogoutURI

      public void setBackChannelLogoutURI(URI backChannelLogoutURI)
      Sets the back-channel logout URI. Corresponds to the backchannel_logout_uri client metadata field.
      Parameters:
      backChannelLogoutURI - The back-channel logout URI, null if not specified. The URI scheme must be https or http.
    • requiresBackChannelLogoutSession

      public boolean requiresBackChannelLogoutSession()
      Gets the requirement for a session identifier on back-channel logout. Corresponds to the backchannel_logout_session_required client metadata field.
      Returns:
      true if a session identifier is required, else false.
    • requiresBackChannelLogoutSession

      public void requiresBackChannelLogoutSession(boolean requiresSession)
      Sets the requirement for a session identifier on back-channel logout. Corresponds to the backchannel_logout_session_required client metadata field.
      Parameters:
      requiresSession - true if a session identifier is required, else false.
    • getAttachmentDigestAlg

      public HashAlgorithm getAttachmentDigestAlg()
      Gets the digest algorithm for the external evidence attachments in OpenID Connect for Identity Assurance 1.0. Corresponds to the digest_algorithm client metadata field.
      Returns:
      The digest algorithm, null if not specified.
    • setAttachmentDigestAlg

      public void setAttachmentDigestAlg(HashAlgorithm hashAlg)
      Sets the digest algorithm for the external evidence attachments in OpenID Connect for Identity Assurance 1.0. Corresponds to the digest_algorithm client metadata field.
      Parameters:
      hashAlg - The digest algorithm, null if not specified.
    • applyDefaults

      public void applyDefaults()
      Applies the client metadata defaults where no values have been specified.
      • The response types default to ["code"].
      • The grant types default to "authorization_code".
      • The client authentication method defaults to "client_secret_basic".
      • The application type defaults to ApplicationType.WEB.
      • The ID token JWS algorithm defaults to "RS256".
      Overrides:
      applyDefaults in class ClientMetadata
    • toJSONObject

      public net.minidev.json.JSONObject toJSONObject(boolean includeCustomFields)
      Description copied from class: ClientMetadata
      Returns the JSON object representation of this client metadata.
      Overrides:
      toJSONObject in class ClientMetadata
      Parameters:
      includeCustomFields - true to include any custom metadata fields, false to omit them.
      Returns:
      The JSON object.
    • parse

      public static OIDCClientMetadata parse(net.minidev.json.JSONObject jsonObject) throws ParseException
      Parses an OpenID Connect client metadata instance from the specified JSON object.
      Parameters:
      jsonObject - The JSON object to parse. Must not be null.
      Returns:
      The OpenID Connect client metadata.
      Throws:
      ParseException - If the JSON object couldn't be parsed to an OpenID Connect client metadata instance.
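Added usage example (not part of the SDK's documentation) exercising the sector identifier resolution, setSectorIDURI's https check, applyDefaults and the toJSONObject / parse round trip described above. The client metadata values and the OIDCClientMetadataExample class are constructed for illustration; the SDK calls are the ones documented on this page and in its ClientMetadata superclass.

```java
import java.net.URI;
import java.util.LinkedHashSet;
import java.util.Set;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.openid.connect.sdk.SubjectType;
import com.nimbusds.openid.connect.sdk.id.SectorID;
import com.nimbusds.openid.connect.sdk.rp.ApplicationType;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata;
import net.minidev.json.JSONObject;

public class OIDCClientMetadataExample {

    public static void main(String[] args) throws ParseException {
        // Constructed sample: a pairwise-subject client whose redirect URIs sit on
        // two different hosts, so no single sector can be derived from them alone.
        OIDCClientMetadata metadata = new OIDCClientMetadata();
        Set<URI> redirectURIs = new LinkedHashSet<>();
        redirectURIs.add(URI.create("https://app.example.com/cb"));
        redirectURIs.add(URI.create("https://portal.example.org/cb"));
        metadata.setRedirectionURIs(redirectURIs);
        metadata.setSubjectType(SubjectType.PAIRWISE);
        try {
            metadata.resolveSectorID(); // no sector_identifier_uri and hosts differ
        } catch (IllegalStateException e) {
            System.out.println("Inconsistent metadata: " + e.getMessage());
        }
        try {
            // setSectorIDURI insists on an https scheme plus a host component
            metadata.setSectorIDURI(URI.create("http://example.com/sector.json"));
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected sector URI: " + e.getMessage());
        }
        metadata.setSectorIDURI(URI.create("https://example.com/sector.json"));
        SectorID sectorID = metadata.resolveSectorID(); // now resolvable
        System.out.println("Sector identifier: " + sectorID);

        // Fill in the documented defaults, then round-trip through the JSON form
        // that a registration request or response would carry
        metadata.applyDefaults();
        JSONObject json = metadata.toJSONObject(false);
        OIDCClientMetadata parsed = OIDCClientMetadata.parse(json);
        if (!ApplicationType.WEB.equals(parsed.getApplicationType())
            || !JWSAlgorithm.RS256.equals(parsed.getIDTokenJWSAlg())
            || !SubjectType.PAIRWISE.equals(parsed.getSubjectType())) {
            throw new AssertionError("defaults not applied or lost in round trip");
        }
        System.out.println(json.toJSONString());
    }
}
```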