Class AuthenticationRequestResolver<C extends com.nimbusds.jose.proc.SecurityContext>


  • @ThreadSafe
    public class AuthenticationRequestResolver<C extends com.nimbusds.jose.proc.SecurityContext>
    extends Object
    Resolves the final OpenID Connect authentication request by superseding its parameters with those found in the optional OpenID Connect request object. The request object is encoded as a JSON Web Token (JWT) and can be specified directly (inline) using the request parameter, or by URL using the request_uri parameter.

    To process signed and optionally encrypted request objects a JWT processor for the expected JWS / JWE algorithms must be provided at construction time.

    To fetch OpenID Connect request objects specified by URL a JWT retriever must be provided, otherwise only inlined request objects can be processed.

    Related specifications:

    • OpenID Connect Core 1.0, section 6.
    • Constructor Detail

      • AuthenticationRequestResolver

        public AuthenticationRequestResolver()
        Creates a new minimal OpenID Connect authentication request resolver. It will not process OpenID Connect request objects and will throw a ResolveException if the authentication request includes a request or request_uri parameter.
      • AuthenticationRequestResolver

        public AuthenticationRequestResolver(com.nimbusds.jwt.proc.JWTProcessor<C> jwtProcessor)
        Creates a new OpenID Connect authentication request resolver that supports OpenID Connect request objects passed by value (using the request parameter of the authentication request). It will throw a ResolveException if the authentication request includes a request_uri parameter.
        Parameters:
        jwtProcessor - A configured JWT processor providing JWS validation and optional JWE decryption of the request objects. Must not be null.
      • AuthenticationRequestResolver

        public AuthenticationRequestResolver(com.nimbusds.jwt.proc.JWTProcessor<C> jwtProcessor,
                                             com.nimbusds.jose.util.ResourceRetriever jwtRetriever)
        Creates a new OpenID Connect request object resolver that supports OpenID Connect request objects passed by value (using the request parameter of the authentication request) or by reference (using the request_uri parameter of the authentication request).
        Parameters:
        jwtProcessor - A configured JWT processor providing JWS validation and optional JWE decryption of the request objects. Must not be null.
        jwtRetriever - A configured JWT retriever for OpenID Connect request objects passed by URI. Must not be null.
    • Method Detail

      • getJWTProcessor

        public com.nimbusds.jwt.proc.JWTProcessor<C> getJWTProcessor()
        Returns the JWT processor.
        Returns:
        The JWT processor, null if not specified.
      • getJWTRetriever

        public com.nimbusds.jose.util.ResourceRetriever getJWTRetriever()
        Returns the JWT retriever.
        Returns:
        The JWT retriever, null if not specified.
      • reformatClaims

        public static Map<String,List<String>> reformatClaims(com.nimbusds.jwt.JWTClaimsSet claimsSet)
        Reformats the specified JWT claims set to a java.util.Map instance.
        Parameters:
        claimsSet - The JWT claims set to reformat. Must not be null.
        Returns:
        The JWT claims set as an unmodifiable map of string keys / string values.
      • resolve

        public AuthenticationRequest resolve(AuthenticationRequest request,
                                             C securityContext)
                                      throws ResolveException,
                                             com.nimbusds.jose.JOSEException
        Resolves the specified OpenID Connect authentication request by superseding its parameters with those found in the optional OpenID Connect request object (if any).
        Parameters:
        request - The OpenID Connect authentication request. Must not be null.
        securityContext - Optional security context to pass to the JWT processor, null if not specified.
        Returns:
        The resolved authentication request, or the original unmodified request if no OpenID Connect request object was specified.
        Throws:
        ResolveException - If the request couldn't be resolved.
        com.nimbusds.jose.JOSEException - If an invalid request JWT is found.
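Usage sketch (an added example, not part of the SDK documentation): a resolver built with the by-value constructor and a JWT processor pinned to RS256 and one client's public key, so request_uri is refused and a request object signed with any other key is rejected. The keys, the client ID 123, the redirect URI and the helper query() are constructed for illustration; the package names of AuthenticationRequestResolver and ResolveException are assumed to be com.nimbusds.openid.connect.sdk.op.

```java
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.jwk.*;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.proc.*;
import com.nimbusds.jwt.*;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import com.nimbusds.openid.connect.sdk.AuthenticationRequest;
import com.nimbusds.openid.connect.sdk.op.AuthenticationRequestResolver;
import com.nimbusds.openid.connect.sdk.op.ResolveException;

public class ResolveRequestObjectExample {

    // Hypothetical helper: builds an authentication request query string that
    // carries a request object signed with the given (constructed) key.
    static String query(RSAKey signingKey) throws JOSEException {
        SignedJWT jwt = new SignedJWT(
            new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(signingKey.getKeyID()).build(),
            new JWTClaimsSet.Builder().claim("response_type", "code")
                .claim("client_id", "123").claim("scope", "openid email").build());
        jwt.sign(new RSASSASigner(signingKey));
        return "response_type=code&client_id=123&scope=openid"
            + "&redirect_uri=https%3A%2F%2Fclient.example.com%2Fcb&request=" + jwt.serialize();
    }

    public static void main(String[] args) throws Exception {
        // Constructed keys: clientKey stands in for the client's registered key.
        RSAKey clientKey = new RSAKeyGenerator(2048).keyID("k1").generate();
        RSAKey otherKey = new RSAKeyGenerator(2048).keyID("k1").generate();

        // Accept only RS256 signatures that verify against the client's public key.
        ImmutableJWKSet<SecurityContext> keys =
            new ImmutableJWKSet<>(new JWKSet(clientKey.toPublicJWK()));
        DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
        processor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, keys));

        // By-value constructor: no retriever, so request_uri is never fetched.
        AuthenticationRequestResolver<SecurityContext> resolver =
            new AuthenticationRequestResolver<>(processor);

        AuthenticationRequest resolved =
            resolver.resolve(AuthenticationRequest.parse(query(clientKey)), null);
        System.out.println("Resolved scope: " + resolved.getScope());

        try { // Same key ID, different key: signature validation must fail.
            resolver.resolve(AuthenticationRequest.parse(query(otherKey)), null);
        } catch (ResolveException | JOSEException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```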