Class IDTokenClaimsSet

All Implemented Interfaces:
net.minidev.json.JSONAware

public class IDTokenClaimsSet extends CommonClaimsSet
ID token claims set, serialisable to a JSON object.

Example ID token claims set:

 {
   "iss"       : "https://server.example.com",
   "sub"       : "24400320",
   "aud"       : "s6BhdRkqt3",
   "nonce"     : "n-0S6_WzA2Mj",
   "exp"       : 1311281970,
   "iat"       : 1311280970,
   "auth_time" : 1311280969,
   "acr"       : "urn:mace:incommon:iap:silver",
   "at_hash"   : "MTIzNDU2Nzg5MDEyMzQ1Ng"
 }
 

Related specifications:

  • OpenID Connect Core 1.0, section 2.
  • OpenID Connect Front-Channel Logout 1.0, section 3.
  • Financial Services – Financial API - Part 2: Read and Write API Security Profile, section 5.1.

  • Field Details

  • Constructor Details

    • IDTokenClaimsSet

      public IDTokenClaimsSet(Issuer iss, Subject sub, List<Audience> aud, Date exp, Date iat)
      Creates a new minimal ID token claims set. Note that the ID token may require additional claims to be present depending on the original OpenID Connect authorisation request.
      Parameters:
      iss - The issuer. Must not be null.
      sub - The subject. Must not be null.
      aud - The audience. Must not be null.
      exp - The expiration time. Must not be null.
      iat - The issue time. Must not be null.
    • IDTokenClaimsSet

      public IDTokenClaimsSet(com.nimbusds.jwt.JWTClaimsSet jwtClaimsSet) throws ParseException
      Creates a new ID token claims set from the specified JSON Web Token (JWT) claims set.
      Parameters:
      jwtClaimsSet - The JWT claims set. Must not be null.
      Throws:
      ParseException - If the JWT claims set doesn't represent a valid ID token claims set.
  • Method Details

    • getStandardClaimNames

      public static Set<String> getStandardClaimNames()
      Gets the names of the standard top-level ID token claims.
      Returns:
      The names of the standard top-level ID token claims (read-only set).
    • hasRequiredClaims

      public boolean hasRequiredClaims(ResponseType responseType, boolean iatAuthzEndpoint)
      Checks if this ID token claims set contains all required claims for the specified OpenID Connect response type.
      Parameters:
      responseType - The OpenID Connect response type. Must not be null.
      iatAuthzEndpoint - Specifies the endpoint where the ID token was issued (required for hybrid flow). true if the ID token was issued at the authorisation endpoint, false if the ID token was issued at the token endpoint.
      Returns:
      true if the required claims are contained, else false.
    • hasRequiredClaims

      @Deprecated public boolean hasRequiredClaims(ResponseType responseType)
      Deprecated.
      Parameters:
      responseType - The OpenID Connect response type. Must not be null.
      Returns:
      true if the required claims are contained, else false.
    • getAuthenticationTime

      public Date getAuthenticationTime()
      Gets the subject authentication time. Corresponds to the auth_time claim.
      Returns:
      The authentication time, null if not specified or parsing failed.
    • setAuthenticationTime

      public void setAuthenticationTime(Date authTime)
      Sets the subject authentication time. Corresponds to the auth_time claim.
      Parameters:
      authTime - The authentication time, null if not specified.
    • getNonce

      public Nonce getNonce()
      Gets the ID token nonce. Corresponds to the nonce claim.
      Returns:
      The nonce, null if not specified or parsing failed.
    • setNonce

      public void setNonce(Nonce nonce)
      Sets the ID token nonce. Corresponds to the nonce claim.
      Parameters:
      nonce - The nonce, null if not specified.
    • getAccessTokenHash

      public AccessTokenHash getAccessTokenHash()
      Gets the access token hash. Corresponds to the at_hash claim.
      Returns:
      The access token hash, null if not specified or parsing failed.
    • setAccessTokenHash

      public void setAccessTokenHash(AccessTokenHash atHash)
      Sets the access token hash. Corresponds to the at_hash claim.
      Parameters:
      atHash - The access token hash, null if not specified.
    • getCodeHash

      public CodeHash getCodeHash()
      Gets the authorisation code hash. Corresponds to the c_hash claim.
      Returns:
      The authorisation code hash, null if not specified or parsing failed.
    • setCodeHash

      public void setCodeHash(CodeHash cHash)
      Sets the authorisation code hash. Corresponds to the c_hash claim.
      Parameters:
      cHash - The authorisation code hash, null if not specified.
    • getStateHash

      public StateHash getStateHash()
      Gets the state hash. Corresponds to the s_hash claim.
      Returns:
      The state hash, null if not specified or parsing failed.
    • setStateHash

      public void setStateHash(StateHash sHash)
      Sets the state hash. Corresponds to the s_hash claim.
      Parameters:
      sHash - The state hash, null if not specified.
    • getACR

      public ACR getACR()
      Gets the Authentication Context Class Reference (ACR). Corresponds to the acr claim.
      Returns:
      The Authentication Context Class Reference (ACR), null if not specified or parsing failed.
    • setACR

      public void setACR(ACR acr)
      Sets the Authentication Context Class Reference (ACR). Corresponds to the acr claim.
      Parameters:
      acr - The Authentication Context Class Reference (ACR), null if not specified.
    • getAMR

      public List<AMR> getAMR()
      Gets the Authentication Methods References (AMRs). Corresponds to the amr claim.
      Returns:
      The Authentication Methods Reference (AMR) list, null if not specified or parsing failed.
    • setAMR

      public void setAMR(List<AMR> amr)
      Sets the Authentication Methods References (AMRs). Corresponds to the amr claim.
      Parameters:
      amr - The Authentication Methods Reference (AMR) list, null if not specified.
    • getAuthorizedParty

      public AuthorizedParty getAuthorizedParty()
      Gets the authorised party for the ID token. Corresponds to the azp claim.
      Returns:
      The authorised party, null if not specified or parsing failed.
    • setAuthorizedParty

      public void setAuthorizedParty(AuthorizedParty azp)
      Sets the authorised party for the ID token. Corresponds to the azp claim.
      Parameters:
      azp - The authorised party, null if not specified.
    • getSubjectJWK

      public com.nimbusds.jose.jwk.JWK getSubjectJWK()
      Gets the subject's JSON Web Key (JWK) for a self-issued OpenID Connect provider. Corresponds to the sub_jwk claim.
      Returns:
      The subject's JWK, null if not specified or parsing failed.
    • setSubjectJWK

      public void setSubjectJWK(com.nimbusds.jose.jwk.JWK subJWK)
      Sets the subject's JSON Web Key (JWK) for a self-issued OpenID Connect provider. Corresponds to the sub_jwk claim.
      Parameters:
      subJWK - The subject's JWK (must be public), null if not specified.
    • parse

      public static IDTokenClaimsSet parse(net.minidev.json.JSONObject jsonObject) throws ParseException
      Parses an ID token claims set from the specified JSON object.
      Parameters:
      jsonObject - The JSON object to parse. Must not be null.
      Returns:
      The ID token claims set.
      Throws:
      ParseException - If parsing failed.
    • parse

      public static IDTokenClaimsSet parse(String json) throws ParseException
      Parses an ID token claims set from the specified JSON object string.
      Parameters:
      json - The JSON object string to parse. Must not be null.
      Returns:
      The ID token claims set.
      Throws:
      ParseException - If parsing failed.
    • getExpirationTime

      public Date getExpirationTime()
      Gets the token expiration time. Corresponds to the exp claim.
      Returns:
      The expiration time.
    • getSessionID

      public SessionID getSessionID()
      Gets the session ID. Corresponds to the sid claim.
      Returns:
      The session ID, null if not specified.
    • setSessionID

      public void setSessionID(SessionID sid)
      Sets the session ID. Corresponds to the sid claim.
      Parameters:
      sid - The session ID, null if not specified.
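The following is an added example, not code from this Javadoc page or from the Nimbus SDK itself. It exercises the constructor, hasRequiredClaims(ResponseType, boolean), the setters for nonce and at_hash, and the JSON round trip through parse(String) documented above, and then shows why hasRequiredClaims is only a presence check: the relying party must still compare the claim values against what it expects. Beyond this page it assumes the SDK's usual packages for Issuer, Subject, Audience, ResponseType, Nonce, BearerAccessToken and ParseException, the getIssuer()/getAudience()/toJSONObject() methods inherited from CommonClaimsSet, and the AccessTokenHash.compute and AccessTokenHash.isValid helpers. All identifier values are constructed sample data.

```java
import java.util.Date;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.ResponseType;
import com.nimbusds.oauth2.sdk.id.Audience;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.oauth2.sdk.id.Subject;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.claims.AccessTokenHash;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;

public class IDTokenClaimsSetDemo {

    // Constructed sample values; a real provider takes these from the
    // authorisation request and its own configuration.
    static final Issuer ISSUER = new Issuer("https://server.example.com");
    static final Audience CLIENT = new Audience("s6BhdRkqt3");

    public static void main(String[] args) throws ParseException {

        Date now = new Date();
        Date exp = new Date(now.getTime() + 10 * 60 * 1000L);   // 10 minute lifetime
        Nonce nonce = new Nonce();                               // would be echoed from the request
        BearerAccessToken accessToken = new BearerAccessToken(); // random sample token

        // 1. Minimal claims set: iss, sub, aud, exp and iat only.
        IDTokenClaimsSet claims = new IDTokenClaimsSet(
                ISSUER, new Subject("24400320"), CLIENT.toSingleAudienceList(), exp, now);

        // 2. For the implicit flow "id_token token" OpenID Connect Core 1.0
        //    also requires nonce and at_hash, so the presence check on the
        //    minimal set is expected to fail. The ID token is issued at the
        //    authorisation endpoint in this flow, hence iatAuthzEndpoint = true.
        ResponseType implicitFlow = ResponseType.parse("id_token token");
        System.out.println("minimal set complete for id_token token: "
                + claims.hasRequiredClaims(implicitFlow, true));

        // 3. Add the flow-specific claims. at_hash is bound to the JWS
        //    algorithm the ID token will later be signed with (RS256 here).
        claims.setNonce(nonce);
        claims.setAccessTokenHash(AccessTokenHash.compute(accessToken, JWSAlgorithm.RS256));
        System.out.println("after adding nonce and at_hash: "
                + claims.hasRequiredClaims(implicitFlow, true));

        // 4. Round trip through JSON: toJSONObject() is inherited from the
        //    claims set hierarchy, parse(String) is the static method above.
        String json = claims.toJSONObject().toJSONString();
        IDTokenClaimsSet received = IDTokenClaimsSet.parse(json);

        // 5. hasRequiredClaims only checks that claims are present. A relying
        //    party must additionally compare their values with what it
        //    expects; these are the checks that can be made on the claims
        //    alone (JWS signature verification is a separate step).
        boolean issuerMatches   = ISSUER.equals(received.getIssuer());
        boolean audienceMatches = received.getAudience().contains(CLIENT);
        boolean notExpired      = received.getExpirationTime().after(new Date());
        boolean nonceMatches    = nonce.equals(received.getNonce());
        boolean atHashMatches   = AccessTokenHash.isValid(
                accessToken, JWSAlgorithm.RS256, received.getAccessTokenHash());

        System.out.println("issuer ok: " + issuerMatches
                + ", audience ok: " + audienceMatches
                + ", not expired: " + notExpired
                + ", nonce ok: " + nonceMatches
                + ", at_hash ok: " + atHashMatches);

        // 6. A nonce that does not belong to this login (a replayed or swapped
        //    token) is caught by the value comparison, not by hasRequiredClaims,
        //    which still reports the set as structurally complete.
        received.setNonce(new Nonce());
        System.out.println("still structurally complete: "
                + received.hasRequiredClaims(implicitFlow, true)
                + ", nonce still matches: " + nonce.equals(received.getNonce()));
    }
}
```

In a real relying party these value checks belong together with signature verification; the SDK ships an IDTokenValidator class for that purpose, and this example only exercises the claims-set class documented on this page.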