Class EntityStatementClaimsSet

All Implemented Interfaces:
net.minidev.json.JSONAware

Federation entity statement claims set, serialisable to a JSON object.

Example claims set:

 {
   "iss": "https://feide.no",
   "sub": "https://ntnu.no",
   "iat": 1516239022,
   "exp": 1516298022,
   "crit": ["jti"],
   "jti": "7l2lncFdY6SlhNia",
   "policy_language_crit": ["regexp"],
   "metadata": {
      "openid_provider": {
         "issuer": "https://ntnu.no",
         "organization_name": "NTNU"
      },
      "oauth_client": {
         "organization_name": "NTNU"
      }
   },
   "metadata_policy": {
      "openid_provider": {
         "id_token_signing_alg_values_supported": {
            "subset_of": ["RS256", "RS384", "RS512"]
         },
         "op_policy_uri": {
            "regexp": "^https:\/\/[\\w-]+\\.example\\.com\/[\\w-]+\\.html"
         }
      },
      "oauth_client": {
         "grant_types": {
            "subset_of": ["authorization_code", "client_credentials"]
         },
         "scope": {
            "subset_of": ["openid", "profile", "email", "phone"]
         }
      }
   },
   "constraints": {
      "max_path_length": 2
   },
   "jwks": {
      "keys": [
         {
            "alg": "RS256",
            "e": "AQAB",
            "key_ops": ["verify"],
            "kid": "key1",
            "kty": "RSA",
            "n": "pnXBOusEANuug6ewezb9J_...",
            "use": "sig"
         }
      ]
   }
 }
 

Related specifications:

  • OpenID Connect Federation 1.0, section 3.1.

  • Field Details

  • Constructor Details

    • EntityStatementClaimsSet

      public EntityStatementClaimsSet(Issuer iss, Subject sub, Date iat, Date exp, com.nimbusds.jose.jwk.JWKSet jwks)
      Creates a new federation entity statement claims set with the minimum required claims.
      Parameters:
      iss - The issuer. Must not be null.
      sub - The subject. Must not be null.
      iat - The issue time. Must not be null.
      exp - The expiration time. Must not be null.
      jwks - The entity public JWK set, null if not required.
    • EntityStatementClaimsSet

      public EntityStatementClaimsSet(EntityID iss, EntityID sub, Date iat, Date exp, com.nimbusds.jose.jwk.JWKSet jwks)
      Creates a new federation entity statement claims set with the minimum required claims.
      Parameters:
      iss - The issuer. Must not be null.
      sub - The subject. Must not be null.
      iat - The issue time. Must not be null.
      exp - The expiration time. Must not be null.
      jwks - The entity public JWK set, null if not required.
    • EntityStatementClaimsSet

      public EntityStatementClaimsSet(com.nimbusds.jwt.JWTClaimsSet jwtClaimsSet) throws ParseException
      Creates a new federation entity statement claims set from the specified JWT claims set.
      Parameters:
      jwtClaimsSet - The JWT claims set. Must not be null.
      Throws:
      ParseException - If the JWT claims set doesn't represent a valid federation entity statement claims set.
  • Method Details

    • getStandardClaimNames

      public static Set<String> getStandardClaimNames()
      Gets the names of the standard top-level claims.
      Returns:
      The names of the standard top-level claims (read-only set).
    • validateRequiredClaimsPresence

      public void validateRequiredClaimsPresence() throws ParseException
      Validates this claims set for having all minimum required claims for an entity statement. For a self-statement, also checks for the presence of metadata. If critical extension claims are listed their presence is also checked.
      Overrides:
      validateRequiredClaimsPresence in class CommonFederationClaimsSet
      Throws:
      ParseException - If the validation failed and a required claim is missing.
    • isSelfStatement

      public boolean isSelfStatement()
      Returns true if this is a self-statement (issuer and subject match).
      Returns:
      true for a self-statement, false if not.
    • getJWKSet

      public com.nimbusds.jose.jwk.JWKSet getJWKSet()
      Gets the entity JWK set. Corresponds to the jwks claim.
      Returns:
      The entity JWK set, null if not specified or parsing failed.
    • getAuthorityHints

      public List<EntityID> getAuthorityHints()
      Gets the entity IDs of the intermediate entities or trust anchors. Corresponds to the authority_hints claim.
      Returns:
      The entity IDs, null or empty list for a trust anchor, or if parsing failed.
    • setAuthorityHints

      public void setAuthorityHints(List<EntityID> trustChain)
      Sets the entity IDs of the intermediate entities or trust anchors. Corresponds to the authority_hints claim.
      Parameters:
      trustChain - The entity IDs, null or empty list for a trust anchor.
    • hasMetadata

      public boolean hasMetadata()
      Returns true if a metadata field is present. Corresponds to the metadata claim.
      Returns:
      true if a metadata field for an OpenID relying party, an OpenID provider, an OAuth authorisation server, an OAuth client, an OAuth protected resource, a federation entity, or a trust mark issuer is present.
    • getRPInformation

      Gets the OpenID relying party information (metadata plus client_id and potentially other client information fields) if present for this entity. Corresponds to the metadata.openid_relying_party claim.
      Returns:
      The RP information, null if not specified or if parsing failed.
    • setRPInformation

      Sets the OpenID relying party information (metadata plus client_id and potentially other client information fields) for this entity. Corresponds to the metadata.openid_relying_party claim.
      Parameters:
      rpInfo - The RP information, null if not specified.
    • setTrustMarkIssuerMetadata

      @Deprecated public void setTrustMarkIssuerMetadata(TrustMarkIssuerMetadata trustMarkIssuerMetadata)
      Deprecated.
      Sets the trust mark issuer metadata for this entity. Corresponds to the metadata.trust_mark_issuer claim.
      Parameters:
      trustMarkIssuerMetadata - The trust mark issuer metadata, null if not specified.
    • getMetadataPolicyJSONObject

      public net.minidev.json.JSONObject getMetadataPolicyJSONObject()
      Gets the complete metadata policy JSON object. Corresponds to the metadata_policy claim.
      Returns:
      The metadata policy JSON object, null if not specified or if parsing failed.
    • setMetadataPolicyJSONObject

      public void setMetadataPolicyJSONObject(net.minidev.json.JSONObject metadataPolicy)
      Sets the complete metadata policy JSON object. Corresponds to the metadata_policy claim.
      Parameters:
      metadataPolicy - The metadata policy JSON object, null if not specified.
    • getMetadataPolicy

      public MetadataPolicy getMetadataPolicy(EntityType type) throws PolicyViolationException
      Gets the metadata policy for the specified type. Corresponds to the metadata_policy claim.
      Parameters:
      type - The entity type. Must not be null.
      Returns:
      The metadata policy, null if not specified or if JSON parsing failed.
      Throws:
      PolicyViolationException - On a policy violation.
    • setMetadataPolicy

      public void setMetadataPolicy(EntityType type, MetadataPolicy metadataPolicy)
      Sets the metadata policy for the specified type. Corresponds to the metadata_policy claim.
      Parameters:
      type - The entity type. Must not be null.
      metadataPolicy - The metadata policy, null if not specified.
    • getTrustAnchorID

      public EntityID getTrustAnchorID()
      Gets the trust anchor used in an explicit client registration in OpenID Connect Federation 1.0. Intended only for entity statements issued by an OpenID provider for a relying party performing explicit client registration. Corresponds to the trust_anchor_id claim.
      Returns:
      The trust anchor ID, null if not specified.
    • setTrustAnchorID

      public void setTrustAnchorID(EntityID trustAnchorID)
      Sets the trust anchor used in an explicit client registration in OpenID Connect Federation 1.0. Intended only for entity statements issued by an OpenID provider for a relying party performing explicit client registration. Corresponds to the trust_anchor_id claim.
      Parameters:
      trustAnchorID - The trust anchor ID, null if not specified.
    • getConstraints

      public TrustChainConstraints getConstraints()
      Gets the trust chain constraints for subordinate entities. Corresponds to the constraints claim.
      Returns:
      The trust chain constraints, null if not specified or if parsing failed.
    • setConstraints

      public void setConstraints(TrustChainConstraints constraints)
      Sets the trust chain constraints for subordinate entities. Corresponds to the constraints claim.
      Parameters:
      constraints - The trust chain constraints, null if not specified.
    • setTrustMarks

      public void setTrustMarks(List<TrustMarkEntry> marks)
      Sets the trust marks. Corresponds to the trust_marks claim.
      Overrides:
      setTrustMarks in class CommonFederationClaimsSet
      Parameters:
      marks - The trust marks, null if not specified.
    • getTrustMarksIssuers

      public Map<Identifier,List<Issuer>> getTrustMarksIssuers()
      Gets the trust marks issuers. Corresponds to the trust_marks_issuers claim.
      Returns:
      The trust marks issuers, null if not specified or parsing failed.
    • setTrustMarksIssuers

      public void setTrustMarksIssuers(Map<Identifier,List<Issuer>> issuers)
      Sets the trust marks issuers. Corresponds to the trust_marks_issuers claim.
      Parameters:
      issuers - The trust marks issuers, null if not specified.
    • getCriticalExtensionClaims

      public List<String> getCriticalExtensionClaims()
      Gets the names of the critical extension claims. Corresponds to the crit claim.
      Returns:
      The names of the critical extension claims, null if not specified or if parsing failed.
    • setCriticalExtensionClaims

      public void setCriticalExtensionClaims(List<String> claimNames)
      Sets the names of the critical extension claims. Corresponds to the crit claim.
      Parameters:
      claimNames - The names of the critical extension claims, null if not specified. Must not be an empty list.
    • getCriticalPolicyExtensions

      public List<String> getCriticalPolicyExtensions()
      Gets the names of the critical policy extensions. Corresponds to the policy_language_crit claim.
      Returns:
      The names of the critical policy extensions, null if not specified or if parsing failed.
    • setCriticalPolicyExtensions

      public void setCriticalPolicyExtensions(List<String> extNames)
      Sets the names of the critical policy extensions. Corresponds to the policy_language_crit claim.
      Parameters:
      extNames - The names of the critical policy extensions, null if not specified. Must not be an empty list.
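An added example (not part of the SDK's Javadoc) showing how a consuming entity would parse an entity statement with the JWTClaimsSet constructor and apply the checks the accessors above support: required claims, the crit and policy_language_crit lists, and the jwks of a self-statement. The SUPPORTED_* sets, the EntityStatementCheck class and the custom policy operator name in the sample are constructed assumptions.

```java
import java.text.ParseException;
import java.util.Date;
import java.util.List;
import java.util.Set;

import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.openid.connect.sdk.federation.entities.EntityStatementClaimsSet;

public class EntityStatementCheck {

    // Extension claims and policy operators this consumer implements (constructed for the example)
    static final Set<String> SUPPORTED_CRIT = Set.of("jti");
    static final Set<String> SUPPORTED_POLICY_OPS = Set.of("subset_of", "regexp");

    /** Returns null if the statement is acceptable, otherwise the reason to reject it. */
    static String reasonToReject(EntityStatementClaimsSet stmt) {
        try {
            stmt.validateRequiredClaimsPresence(); // also checks that claims listed in "crit" are present
        } catch (ParseException e) {
            return "missing required claim: " + e.getMessage();
        }
        List<String> crit = stmt.getCriticalExtensionClaims();
        if (crit != null && !SUPPORTED_CRIT.containsAll(crit)) {
            return "unsupported critical extension in crit: " + crit; // must reject, not ignore
        }
        List<String> policyCrit = stmt.getCriticalPolicyExtensions();
        if (policyCrit != null && !SUPPORTED_POLICY_OPS.containsAll(policyCrit)) {
            return "unsupported policy operator in policy_language_crit: " + policyCrit;
        }
        // A self-statement (entity configuration) must carry the keys subordinate statements are verified with
        if (stmt.isSelfStatement() && stmt.getJWKSet() == null) {
            return "self-statement without jwks";
        }
        return null;
    }

    public static void main(String[] args) throws ParseException {
        Date now = new Date();
        // Constructed sample mirroring the page's example; "custom_op" is an operator this consumer does not know
        JWTClaimsSet jwt = new JWTClaimsSet.Builder()
                .issuer("https://feide.no").subject("https://ntnu.no")
                .issueTime(now).expirationTime(new Date(now.getTime() + 3_600_000L))
                .jwtID("7l2lncFdY6SlhNia")
                .claim("crit", List.of("jti"))
                .claim("policy_language_crit", List.of("regexp", "custom_op"))
                .claim("jwks", new JWKSet().toJSONObject())
                .build();
        EntityStatementClaimsSet stmt = new EntityStatementClaimsSet(jwt);
        System.out.println(reasonToReject(stmt)); // unsupported policy operator in policy_language_crit
    }
}
```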