Class AuthorizationServerMetadata

  • Direct Known Subclasses:
    OIDCProviderMetadata

    public class AuthorizationServerMetadata
    extends AuthorizationServerEndpointMetadata
    OAuth 2.0 Authorisation Server (AS) metadata.

    Related specifications:

    • OAuth 2.0 Authorization Server Metadata (RFC 8414)
    • OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens (RFC 8705)
    • Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)
    • Financial-grade API - Part 2: Read and Write API Security Profile
    • OAuth 2.0 Pushed Authorization Requests (draft-lodderstedt-oauth-par-01)
    • OAuth 2.0 Device Flow for Browserless and Input Constrained Devices (draft-ietf-oauth-device-flow-14)

    Constructor Detail

      • AuthorizationServerMetadata

        public AuthorizationServerMetadata(Issuer issuer)
        Creates a new OAuth 2.0 Authorisation Server (AS) metadata instance.
        Parameters:
        issuer - The issuer identifier. Must be a URI using the https scheme with no query or fragment component. Must not be null.

    Method Detail

      • getRegisteredParameterNames

        public static Set<String> getRegisteredParameterNames()
        Gets the registered OAuth 2.0 Authorisation Server metadata parameter names.
        Returns:
        The registered OAuth 2.0 Authorisation Server metadata parameter names, as an unmodifiable set.
      • getIssuer

        public Issuer getIssuer()
        Gets the issuer identifier. Corresponds to the issuer metadata field.
        Returns:
        The issuer identifier.
      • getJWKSetURI

        public URI getJWKSetURI()
        Gets the JSON Web Key (JWK) set URI. Corresponds to the jwks_uri metadata field.
        Returns:
        The JWK set URI, null if not specified.
      • setJWKSetURI

        public void setJWKSetURI(URI jwkSetURI)
        Sets the JSON Web Key (JWK) set URI. Corresponds to the jwks_uri metadata field.
        Parameters:
        jwkSetURI - The JWK set URI, null if not specified.
      • getScopes

        public Scope getScopes()
        Gets the supported scope values. Corresponds to the scopes_supported metadata field.
        Returns:
        The supported scope values, null if not specified.
      • setScopes

        public void setScopes(Scope scope)
        Sets the supported scope values. Corresponds to the scopes_supported metadata field.
        Parameters:
        scope - The supported scope values, null if not specified.
      • getResponseTypes

        public List<ResponseType> getResponseTypes()
        Gets the supported response type values. Corresponds to the response_types_supported metadata field.
        Returns:
        The supported response type values, null if not specified.
      • setResponseTypes

        public void setResponseTypes(List<ResponseType> rts)
        Sets the supported response type values. Corresponds to the response_types_supported metadata field.
        Parameters:
        rts - The supported response type values, null if not specified.
      • getResponseModes

        public List<ResponseMode> getResponseModes()
        Gets the supported response mode values. Corresponds to the response_modes_supported metadata field.
        Returns:
        The supported response mode values, null if not specified.
      • setResponseModes

        public void setResponseModes(List<ResponseMode> rms)
        Sets the supported response mode values. Corresponds to the response_modes_supported metadata field.
        Parameters:
        rms - The supported response mode values, null if not specified.
      • getGrantTypes

        public List<GrantType> getGrantTypes()
        Gets the supported OAuth 2.0 grant types. Corresponds to the grant_types_supported metadata field.
        Returns:
        The supported grant types, null if not specified.
      • setGrantTypes

        public void setGrantTypes(List<GrantType> gts)
        Sets the supported OAuth 2.0 grant types. Corresponds to the grant_types_supported metadata field.
        Parameters:
        gts - The supported grant types, null if not specified.
      • getCodeChallengeMethods

        public List<CodeChallengeMethod> getCodeChallengeMethods()
        Gets the supported authorisation code challenge methods for PKCE. Corresponds to the code_challenge_methods_supported metadata field.
        Returns:
        The supported code challenge methods, null if not specified.
      • setCodeChallengeMethods

        public void setCodeChallengeMethods(List<CodeChallengeMethod> codeChallengeMethods)
        Sets the supported authorisation code challenge methods for PKCE. Corresponds to the code_challenge_methods_supported metadata field.
        Parameters:
        codeChallengeMethods - The supported code challenge methods, null if not specified.
      • getTokenEndpointAuthMethods

        public List<ClientAuthenticationMethod> getTokenEndpointAuthMethods()
        Gets the supported token endpoint authentication methods. Corresponds to the token_endpoint_auth_methods_supported metadata field.
        Returns:
        The supported token endpoint authentication methods, null if not specified.
      • setTokenEndpointAuthMethods

        public void setTokenEndpointAuthMethods(List<ClientAuthenticationMethod> authMethods)
        Sets the supported token endpoint authentication methods. Corresponds to the token_endpoint_auth_methods_supported metadata field.
        Parameters:
        authMethods - The supported token endpoint authentication methods, null if not specified.
      • getTokenEndpointJWSAlgs

        public List<com.nimbusds.jose.JWSAlgorithm> getTokenEndpointJWSAlgs()
        Gets the supported JWS algorithms for the private_key_jwt and client_secret_jwt token endpoint authentication methods. Corresponds to the token_endpoint_auth_signing_alg_values_supported metadata field.
        Returns:
        The supported JWS algorithms, null if not specified.
      • setTokenEndpointJWSAlgs

        public void setTokenEndpointJWSAlgs(List<com.nimbusds.jose.JWSAlgorithm> jwsAlgs)
        Sets the supported JWS algorithms for the private_key_jwt and client_secret_jwt token endpoint authentication methods. Corresponds to the token_endpoint_auth_signing_alg_values_supported metadata field.
        Parameters:
        jwsAlgs - The supported JWS algorithms, null if not specified. Must not contain the none algorithm.
      • getIntrospectionEndpointAuthMethods

        public List<ClientAuthenticationMethod> getIntrospectionEndpointAuthMethods()
        Gets the supported introspection endpoint authentication methods. Corresponds to the introspection_endpoint_auth_methods_supported metadata field.
        Returns:
        The supported introspection endpoint authentication methods, null if not specified.
      • setIntrospectionEndpointAuthMethods

        public void setIntrospectionEndpointAuthMethods(List<ClientAuthenticationMethod> authMethods)
        Sets the supported introspection endpoint authentication methods. Corresponds to the introspection_endpoint_auth_methods_supported metadata field.
        Parameters:
        authMethods - The supported introspection endpoint authentication methods, null if not specified.
      • getIntrospectionEndpointJWSAlgs

        public List<com.nimbusds.jose.JWSAlgorithm> getIntrospectionEndpointJWSAlgs()
        Gets the supported JWS algorithms for the private_key_jwt and client_secret_jwt introspection endpoint authentication methods. Corresponds to the introspection_endpoint_auth_signing_alg_values_supported metadata field.
        Returns:
        The supported JWS algorithms, null if not specified.
      • setIntrospectionEndpointJWSAlgs

        public void setIntrospectionEndpointJWSAlgs(List<com.nimbusds.jose.JWSAlgorithm> jwsAlgs)
        Sets the supported JWS algorithms for the private_key_jwt and client_secret_jwt introspection endpoint authentication methods. Corresponds to the introspection_endpoint_auth_signing_alg_values_supported metadata field.
        Parameters:
        jwsAlgs - The supported JWS algorithms, null if not specified. Must not contain the none algorithm.
      • getRevocationEndpointAuthMethods

        public List<ClientAuthenticationMethod> getRevocationEndpointAuthMethods()
        Gets the supported revocation endpoint authentication methods. Corresponds to the revocation_endpoint_auth_methods_supported metadata field.
        Returns:
        The supported revocation endpoint authentication methods, null if not specified.
      • setRevocationEndpointAuthMethods

        public void setRevocationEndpointAuthMethods(List<ClientAuthenticationMethod> authMethods)
        Sets the supported revocation endpoint authentication methods. Corresponds to the revocation_endpoint_auth_methods_supported metadata field.
        Parameters:
        authMethods - The supported revocation endpoint authentication methods, null if not specified.
      • getRevocationEndpointJWSAlgs

        public List<com.nimbusds.jose.JWSAlgorithm> getRevocationEndpointJWSAlgs()
        Gets the supported JWS algorithms for the private_key_jwt and client_secret_jwt revocation endpoint authentication methods. Corresponds to the revocation_endpoint_auth_signing_alg_values_supported metadata field.
        Returns:
        The supported JWS algorithms, null if not specified.
      • setRevocationEndpointJWSAlgs

        public void setRevocationEndpointJWSAlgs(List<com.nimbusds.jose.JWSAlgorithm> jwsAlgs)
        Sets the supported JWS algorithms for the private_key_jwt and client_secret_jwt revocation endpoint authentication methods. Corresponds to the revocation_endpoint_auth_signing_alg_values_supported metadata field.
        Parameters:
        jwsAlgs - The supported JWS algorithms, null if not specified. Must not contain the none algorithm.
      • getRequestObjectJWSAlgs

        public List<com.nimbusds.jose.JWSAlgorithm> getRequestObjectJWSAlgs()
        Gets the supported JWS algorithms for request objects. Corresponds to the request_object_signing_alg_values_supported metadata field.
        Returns:
        The supported JWS algorithms, null if not specified.
      • setRequestObjectJWSAlgs

        public void setRequestObjectJWSAlgs(List<com.nimbusds.jose.JWSAlgorithm> requestObjectJWSAlgs)
        Sets the supported JWS algorithms for request objects. Corresponds to the request_object_signing_alg_values_supported metadata field.
        Parameters:
        requestObjectJWSAlgs - The supported JWS algorithms, null if not specified.
      • getRequestObjectJWEAlgs

        public List<com.nimbusds.jose.JWEAlgorithm> getRequestObjectJWEAlgs()
        Gets the supported JWE algorithms for request objects. Corresponds to the request_object_encryption_alg_values_supported metadata field.
        Returns:
        The supported JWE algorithms, null if not specified.
      • setRequestObjectJWEAlgs

        public void setRequestObjectJWEAlgs(List<com.nimbusds.jose.JWEAlgorithm> requestObjectJWEAlgs)
        Sets the supported JWE algorithms for request objects. Corresponds to the request_object_encryption_alg_values_supported metadata field.
        Parameters:
        requestObjectJWEAlgs - The supported JWE algorithms, null if not specified.
      • getRequestObjectJWEEncs

        public List<com.nimbusds.jose.EncryptionMethod> getRequestObjectJWEEncs()
        Gets the supported encryption methods for request objects. Corresponds to the request_object_encryption_enc_values_supported metadata field.
        Returns:
        The supported encryption methods, null if not specified.
      • setRequestObjectJWEEncs

        public void setRequestObjectJWEEncs(List<com.nimbusds.jose.EncryptionMethod> requestObjectJWEEncs)
        Sets the supported encryption methods for request objects. Corresponds to the request_object_encryption_enc_values_supported metadata field.
        Parameters:
        requestObjectJWEEncs - The supported encryption methods, null if not specified.
      • supportsRequestParam

        public boolean supportsRequestParam()
        Gets the support for the request authorisation request parameter. Corresponds to the request_parameter_supported metadata field.
        Returns:
        true if the request parameter is supported, else false.
      • setSupportsRequestParam

        public void setSupportsRequestParam(boolean requestParamSupported)
        Sets the support for the request authorisation request parameter. Corresponds to the request_parameter_supported metadata field.
        Parameters:
        requestParamSupported - true if the request parameter is supported, else false.
      • supportsRequestURIParam

        public boolean supportsRequestURIParam()
        Gets the support for the request_uri authorisation request parameter. Corresponds to the request_uri_parameter_supported metadata field.
        Returns:
        true if the request_uri parameter is supported, else false.
      • setSupportsRequestURIParam

        public void setSupportsRequestURIParam(boolean requestURIParamSupported)
        Sets the support for the request_uri authorisation request parameter. Corresponds to the request_uri_parameter_supported metadata field.
        Parameters:
        requestURIParamSupported - true if the request_uri parameter is supported, else false.
      • requiresRequestURIRegistration

        public boolean requiresRequestURIRegistration()
        Gets the requirement for the request_uri parameter pre-registration. Corresponds to the require_request_uri_registration metadata field.
        Returns:
        true if the request_uri parameter values must be pre-registered, else false.
      • setRequiresRequestURIRegistration

        public void setRequiresRequestURIRegistration(boolean requireRequestURIReg)
        Sets the requirement for the request_uri parameter pre-registration. Corresponds to the require_request_uri_registration metadata field.
        Parameters:
        requireRequestURIReg - true if the request_uri parameter values must be pre-registered, else false.
      • getUILocales

        public List<com.nimbusds.langtag.LangTag> getUILocales()
        Gets the supported UI locales. Corresponds to the ui_locales_supported metadata field.
        Returns:
        The supported UI locales, null if not specified.
      • setUILocales

        public void setUILocales(List<com.nimbusds.langtag.LangTag> uiLocales)
        Sets the supported UI locales. Corresponds to the ui_locales_supported metadata field.
        Parameters:
        uiLocales - The supported UI locales, null if not specified.
      • getServiceDocsURI

        public URI getServiceDocsURI()
        Gets the service documentation URI. Corresponds to the service_documentation metadata field.
        Returns:
        The service documentation URI, null if not specified.
      • setServiceDocsURI

        public void setServiceDocsURI(URI serviceDocsURI)
        Sets the service documentation URI. Corresponds to the service_documentation metadata field.
        Parameters:
        serviceDocsURI - The service documentation URI, null if not specified.
      • getPolicyURI

        public URI getPolicyURI()
        Gets the provider's policy regarding relying party use of data. Corresponds to the op_policy_uri metadata field.
        Returns:
        The policy URI, null if not specified.
      • setPolicyURI

        public void setPolicyURI(URI policyURI)
        Sets the provider's policy regarding relying party use of data. Corresponds to the op_policy_uri metadata field.
        Parameters:
        policyURI - The policy URI, null if not specified.
      • getTermsOfServiceURI

        public URI getTermsOfServiceURI()
        Gets the provider's terms of service. Corresponds to the op_tos_uri metadata field.
        Returns:
        The terms of service URI, null if not specified.
      • setTermsOfServiceURI

        public void setTermsOfServiceURI(URI tosURI)
        Sets the provider's terms of service. Corresponds to the op_tos_uri metadata field.
        Parameters:
        tosURI - The terms of service URI, null if not specified.
      • getMtlsEndpointAliases

        public AuthorizationServerEndpointMetadata getMtlsEndpointAliases()
        Gets the aliases for communication with mutual TLS. Corresponds to the mtls_endpoint_aliases metadata field.
        Returns:
        The aliases for communication with mutual TLS, or null when no aliases are defined.
      • setMtlsEndpointAliases

        public void setMtlsEndpointAliases(AuthorizationServerEndpointMetadata mtlsEndpointAliases)
        Sets the aliases for communication with mutual TLS. Corresponds to the mtls_endpoint_aliases metadata field.
        Parameters:
        mtlsEndpointAliases - The aliases for communication with mutual TLS, or null when no aliases are defined.
      • supportsTLSClientCertificateBoundAccessTokens

        public boolean supportsTLSClientCertificateBoundAccessTokens()
        Gets the support for TLS client certificate bound access tokens. Corresponds to the tls_client_certificate_bound_access_tokens metadata field.
        Returns:
        true if TLS client certificate bound access tokens are supported, else false.
      • setSupportsTLSClientCertificateBoundAccessTokens

        public void setSupportsTLSClientCertificateBoundAccessTokens(boolean tlsClientCertBoundTokens)
        Sets the support for TLS client certificate bound access tokens. Corresponds to the tls_client_certificate_bound_access_tokens metadata field.
        Parameters:
        tlsClientCertBoundTokens - true if TLS client certificate bound access tokens are supported, else false.
      • supportsMutualTLSSenderConstrainedAccessTokens

        @Deprecated
        public boolean supportsMutualTLSSenderConstrainedAccessTokens()
        Deprecated.
        Gets the support for TLS client certificate bound access tokens. Corresponds to the tls_client_certificate_bound_access_tokens metadata field.
        Returns:
        true if TLS client certificate bound access tokens are supported, else false.
      • setSupportsMutualTLSSenderConstrainedAccessTokens

        @Deprecated
        public void setSupportsMutualTLSSenderConstrainedAccessTokens(boolean mutualTLSSenderConstrainedAccessTokens)
        Deprecated.
        Sets the support for TLS client certificate bound access tokens. Corresponds to the tls_client_certificate_bound_access_tokens metadata field.
        Parameters:
        mutualTLSSenderConstrainedAccessTokens - true if TLS client certificate bound access tokens are supported, else false.
      • getAuthorizationJWSAlgs

        public List<com.nimbusds.jose.JWSAlgorithm> getAuthorizationJWSAlgs()
        Gets the supported JWS algorithms for JWT-encoded authorisation responses. Corresponds to the authorization_signing_alg_values_supported metadata field.
        Returns:
        The supported JWS algorithms, null if not specified.
      • setAuthorizationJWSAlgs

        public void setAuthorizationJWSAlgs(List<com.nimbusds.jose.JWSAlgorithm> authzJWSAlgs)
        Sets the supported JWS algorithms for JWT-encoded authorisation responses. Corresponds to the authorization_signing_alg_values_supported metadata field.
        Parameters:
        authzJWSAlgs - The supported JWS algorithms, null if not specified.
      • getAuthorizationJWEAlgs

        public List<com.nimbusds.jose.JWEAlgorithm> getAuthorizationJWEAlgs()
        Gets the supported JWE algorithms for JWT-encoded authorisation responses. Corresponds to the authorization_encryption_alg_values_supported metadata field.
        Returns:
        The supported JWE algorithms, null if not specified.
      • setAuthorizationJWEAlgs

        public void setAuthorizationJWEAlgs(List<com.nimbusds.jose.JWEAlgorithm> authzJWEAlgs)
        Sets the supported JWE algorithms for JWT-encoded authorisation responses. Corresponds to the authorization_encryption_alg_values_supported metadata field.
        Parameters:
        authzJWEAlgs - The supported JWE algorithms, null if not specified.
      • getAuthorizationJWEEncs

        public List<com.nimbusds.jose.EncryptionMethod> getAuthorizationJWEEncs()
        Gets the supported encryption methods for JWT-encoded authorisation responses. Corresponds to the authorization_encryption_enc_values_supported metadata field.
        Returns:
        The supported encryption methods, null if not specified.
      • setAuthorizationJWEEncs

        public void setAuthorizationJWEEncs(List<com.nimbusds.jose.EncryptionMethod> authzJWEEncs)
        Sets the supported encryption methods for JWT-encoded authorisation responses. Corresponds to the authorization_encryption_enc_values_supported metadata field.
        Parameters:
        authzJWEEncs - The supported encryption methods, null if not specified.
      • getCustomParameter

        public Object getCustomParameter(String name)
        Gets the specified custom (not registered) parameter.
        Parameters:
        name - The parameter name. Must not be null.
        Returns:
        The parameter value, null if not specified.
      • getCustomURIParameter

        public URI getCustomURIParameter(String name)
        Gets the specified custom (not registered) URI parameter.
        Parameters:
        name - The parameter name. Must not be null.
        Returns:
        The parameter URI value, null if not specified.
      • setCustomParameter

        public void setCustomParameter(String name,
                                       Object value)
        Sets the specified custom (not registered) parameter.
        Parameters:
        name - The parameter name. Must not be null.
        value - The parameter value, null if not specified.
      • getCustomParameters

        public net.minidev.json.JSONObject getCustomParameters()
        Gets the custom (not registered) parameters.
        Returns:
        The custom parameters, empty JSON object if none.
      • applyDefaults

        public void applyDefaults()
        Applies the OAuth 2.0 Authorisation Server metadata defaults where no values have been specified.
        • The response modes default to ["query", "fragment"].
        • The grant types default to ["authorization_code", "implicit"].
        • The token endpoint authentication methods default to ["client_secret_basic"].
      • parse

        public static AuthorizationServerMetadata parse(net.minidev.json.JSONObject jsonObject)
                                                 throws ParseException
        Parses an OAuth 2.0 Authorisation Server metadata from the specified JSON object.
        Parameters:
        jsonObject - The JSON object to parse. Must not be null.
        Returns:
        The OAuth 2.0 Authorisation Server metadata.
        Throws:
        ParseException - If the JSON object couldn't be parsed to an OAuth 2.0 Authorisation Server metadata.
      • parse

        public static AuthorizationServerMetadata parse(String s)
                                                 throws ParseException
        Parses an OAuth 2.0 Authorisation Server metadata from the specified JSON object string.
        Parameters:
        s - The JSON object string to parse. Must not be null.
        Returns:
        The OAuth 2.0 Authorisation Server metadata.
        Throws:
        ParseException - If the JSON object string couldn't be parsed to an OAuth 2.0 Authorisation Server metadata.
      • resolveURL

        public static URL resolveURL(Issuer issuer)
                              throws GeneralException
        Resolves OAuth 2.0 authorisation server metadata URL from the specified issuer identifier.
        Parameters:
        issuer - The issuer identifier. Must represent a valid HTTPS or HTTP URL. Must not be null.
        Returns:
        The OAuth 2.0 authorisation server metadata URL.
        Throws:
        GeneralException - If the issuer identifier is invalid.
      • resolve

        public static AuthorizationServerMetadata resolve(Issuer issuer)
                                                   throws GeneralException,
                                                          IOException
        Resolves OAuth 2.0 authorisation server metadata from the specified issuer identifier. The metadata is downloaded by HTTP GET from [issuer-url]/.well-known/oauth-authorization-server.
        Parameters:
        issuer - The issuer identifier. Must represent a valid HTTPS or HTTP URL. Must not be null.
        Returns:
        The OAuth 2.0 authorisation server metadata.
        Throws:
        GeneralException - If the issuer identifier or the downloaded metadata are invalid.
        IOException - On an HTTP exception.
      • resolve

        public static AuthorizationServerMetadata resolve(Issuer issuer,
                                                          int connectTimeout,
                                                          int readTimeout)
                                                   throws GeneralException,
                                                          IOException
        Resolves OAuth 2.0 authorisation server metadata from the specified issuer identifier. The metadata is downloaded by HTTP GET from [issuer-url]/.well-known/oauth-authorization-server.
        Parameters:
        issuer - The issuer identifier. Must represent a valid HTTPS or HTTP URL. Must not be null.
        connectTimeout - The HTTP connect timeout, in milliseconds. Zero implies no timeout. Must not be negative.
        readTimeout - The HTTP response read timeout, in milliseconds. Zero implies no timeout. Must not be negative.
        Returns:
        The OAuth 2.0 authorisation server metadata.
        Throws:
        GeneralException - If the issuer identifier or the downloaded metadata are invalid.
        IOException - On an HTTP exception.
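An added example, not code from the SDK or this page: a client-side acceptance check run over metadata obtained with parse or resolve before any of its endpoints are trusted. The class ASMetadataCheck, the constructed SAMPLE document, the issuer value and the timeouts are assumptions; getAuthorizationEndpointURI and getTokenEndpointURI are assumed to be the accessors inherited from AuthorizationServerEndpointMetadata.

```java
import java.io.IOException;
import java.net.URI;
import java.util.ArrayList;
import java.util.List;

import com.nimbusds.oauth2.sdk.GeneralException;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.as.AuthorizationServerEndpointMetadata;
import com.nimbusds.oauth2.sdk.as.AuthorizationServerMetadata;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.oauth2.sdk.pkce.CodeChallengeMethod;

public final class ASMetadataCheck {

    // Constructed sample document, not from a real server; it offers only the "plain" PKCE method.
    static final String SAMPLE = "{"
        + "\"issuer\":\"https://as.example.org\","
        + "\"authorization_endpoint\":\"https://as.example.org/authorize\","
        + "\"token_endpoint\":\"https://as.example.org/token\","
        + "\"jwks_uri\":\"https://as.example.org/jwks.json\","
        + "\"code_challenge_methods_supported\":[\"plain\"],"
        + "\"mtls_endpoint_aliases\":{\"token_endpoint\":\"https://mtls.as.example.org/token\"}"
        + "}";

    /** Returns the policy violations found; an empty list means the document is acceptable. */
    public static List<String> check(Issuer discoveredFrom, AuthorizationServerMetadata md) {
        List<String> problems = new ArrayList<>();
        // RFC 8414 section 3.3: the issuer inside the document must equal the issuer the client
        // used to locate it; otherwise the client can be steered to another party's endpoints.
        if (!discoveredFrom.getValue().equals(md.getIssuer().getValue())) {
            problems.add("issuer mismatch: expected " + discoveredFrom + ", got " + md.getIssuer());
        }
        // Endpoints that receive credentials, codes or keys must be https (the first two accessors
        // are inherited from AuthorizationServerEndpointMetadata).
        requireHttps(problems, "authorization_endpoint", md.getAuthorizationEndpointURI());
        requireHttps(problems, "token_endpoint", md.getTokenEndpointURI());
        requireHttps(problems, "jwks_uri", md.getJWKSetURI());
        // PKCE: require S256; with "plain" the challenge is the verifier itself.
        List<CodeChallengeMethod> pkce = md.getCodeChallengeMethods();
        if (pkce == null || !pkce.contains(CodeChallengeMethod.S256)) {
            problems.add("code_challenge_methods_supported does not include S256");
        }
        return problems;
    }

    private static void requireHttps(List<String> problems, String field, URI uri) {
        if (uri != null && !"https".equalsIgnoreCase(uri.getScheme())) {
            problems.add(field + " is not https: " + uri);
        }
    }

    /** Token endpoint for a client that authenticates with mutual TLS (RFC 8705 mtls_endpoint_aliases). */
    public static URI tokenEndpointFor(AuthorizationServerMetadata md, boolean clientUsesMtls) {
        AuthorizationServerEndpointMetadata aliases = md.getMtlsEndpointAliases();
        if (clientUsesMtls && aliases != null && aliases.getTokenEndpointURI() != null) {
            return aliases.getTokenEndpointURI();
        }
        return md.getTokenEndpointURI();
    }

    /** Discovers the metadata with bounded timeouts and rejects it unless the checks pass. */
    public static AuthorizationServerMetadata discover(Issuer issuer) throws GeneralException, IOException {
        AuthorizationServerMetadata md = AuthorizationServerMetadata.resolve(issuer, 3000, 3000);
        md.applyDefaults(); // fill response_modes / grant_types / auth methods the AS left out
        List<String> problems = check(issuer, md);
        if (!problems.isEmpty()) {
            throw new GeneralException("Rejected AS metadata for " + issuer + ": " + problems);
        }
        return md;
    }

    public static void main(String[] args) throws ParseException {
        Issuer discoveredFrom = new Issuer("https://as.example.org");
        AuthorizationServerMetadata md = AuthorizationServerMetadata.parse(SAMPLE);
        md.applyDefaults();
        System.out.println("problems: " + check(discoveredFrom, md));
        System.out.println("mTLS token endpoint: " + tokenEndpointFor(md, true));
    }
}
```

For the sample document the check reports the missing S256 method, and the mTLS client is directed to the aliased token endpoint rather than the default one.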