Package com.nimbusds.openid.connect.sdk
Class AuthenticationRequest
- java.lang.Object
-
- com.nimbusds.oauth2.sdk.AbstractRequest
-
- com.nimbusds.oauth2.sdk.AuthorizationRequest
-
- com.nimbusds.openid.connect.sdk.AuthenticationRequest
-
@Immutable public class AuthenticationRequest extends AuthorizationRequest
OpenID Connect authentication request. Intended to authenticate an end-user and request the end-user's authorisation to release information to the client. Supports custom request parameters.Example HTTP request (code flow):
https://server.example.com/op/authorize? response_type=code%20id_token &client_id=s6BhdRkqt3 &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb &scope=openid &nonce=n-0S6_WzA2Mj &state=af0ifjsldkj
Related specifications:
- OpenID Connect Core 1.0, section 3.1.2.1.
- Proof Key for Code Exchange by OAuth Public Clients (RFC 7636).
- Resource Indicators for OAuth 2.0 (RFC 8707)
- The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR) draft-ietf-oauth-jwsreq-21
- Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)
- OpenID Connect for Identity Assurance 1.0, section 8.
- OpenID Connect Federation 1.0 (draft 10).
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description static class
AuthenticationRequest.Builder
Builder for constructing OpenID Connect authentication requests.
-
Field Summary
Fields Modifier and Type Field Description static int
PURPOSE_MAX_LENGTH
The purpose string parameter maximum length.static int
PURPOSE_MIN_LENGTH
The purpose string parameter minimal length.-
Fields inherited from class com.nimbusds.oauth2.sdk.AuthorizationRequest
prompt
-
-
Constructor Summary
Constructors Constructor Description AuthenticationRequest(URI uri, ResponseType rt, ResponseMode rm, Scope scope, ClientID clientID, URI redirectURI, State state, Nonce nonce, Display display, Prompt prompt, int maxAge, List<com.nimbusds.langtag.LangTag> uiLocales, List<com.nimbusds.langtag.LangTag> claimsLocales, com.nimbusds.jwt.JWT idTokenHint, String loginHint, List<ACR> acrValues, ClaimsRequest claims, String purpose, PrivateKeyJWT privateKeyJWTAuth, com.nimbusds.jwt.JWT requestObject, URI requestURI, CodeChallenge codeChallenge, CodeChallengeMethod codeChallengeMethod, List<URI> resources, boolean includeGrantedScopes, Map<String,List<String>> customParams)
Creates a new OpenID Connect authentication request with extension and custom parameters.AuthenticationRequest(URI uri, ResponseType rt, Scope scope, ClientID clientID, URI redirectURI, State state, Nonce nonce)
Creates a new minimal OpenID Connect authentication request.
-
Method Summary
All Methods Static Methods Instance Methods Concrete Methods Modifier and Type Method Description List<ACR>
getACRValues()
Gets the requested Authentication Context Class Reference values.ClaimsRequest
getClaims()
Gets the individual claims to be returned.List<com.nimbusds.langtag.LangTag>
getClaimsLocales()
Gets the end-user's preferred languages and scripts for the claims being returned, ordered by preference.Display
getDisplay()
Gets the requested display type.com.nimbusds.jwt.JWT
getIDTokenHint()
Gets the ID Token hint.String
getLoginHint()
Gets the login hint.int
getMaxAge()
Gets the required maximum authentication age.Nonce
getNonce()
Gets the nonce.PrivateKeyJWT
getPrivateKeyJWTAuthentication()
Gets the private key JWT authentication for automatic OpenID Connect federation.String
getPurpose()
Gets the transaction specific purpose.static Set<String>
getRegisteredParameterNames()
Returns the registered (standard) OpenID Connect authentication request parameter names.List<com.nimbusds.langtag.LangTag>
getUILocales()
Gets the end-user's preferred languages and scripts for the user interface, ordered by preference.static AuthenticationRequest
parse(HTTPRequest httpRequest)
Parses an authentication request from the specified HTTP GET or HTTP POST request.static AuthenticationRequest
parse(String query)
Parses an OpenID Connect authentication request from the specified URI query string.static AuthenticationRequest
parse(URI uri)
Parses an OpenID Connect authentication request from the specified URI.static AuthenticationRequest
parse(URI uri, String query)
Parses an OpenID Connect authentication request from the specified URI query string.static AuthenticationRequest
parse(URI uri, Map<String,List<String>> params)
Parses an OpenID Connect authentication request from the specified URI and query parameters.static AuthenticationRequest
parse(Map<String,List<String>> params)
Parses an OpenID Connect authentication request from the specified URI query parameters.com.nimbusds.jwt.JWTClaimsSet
toJWTClaimsSet()
Returns the parameters for this authorisation request as a JSON Web Token (JWT) claims set.Map<String,List<String>>
toParameters()
Returns the URI query parameters for this authorisation request.-
Methods inherited from class com.nimbusds.oauth2.sdk.AuthorizationRequest
getClientID, getCodeChallenge, getCodeChallengeMethod, getCustomParameter, getCustomParameters, getPrompt, getRedirectionURI, getRequestObject, getRequestURI, getResources, getResponseMode, getResponseType, getScope, getState, impliedResponseMode, includeGrantedScopes, specifiesRequestObject, toHTTPRequest, toHTTPRequest, toQueryString, toURI
-
Methods inherited from class com.nimbusds.oauth2.sdk.AbstractRequest
getEndpointURI
-
-
-
-
Field Detail
-
PURPOSE_MIN_LENGTH
public static final int PURPOSE_MIN_LENGTH
The purpose string parameter minimal length.- See Also:
- Constant Field Values
-
PURPOSE_MAX_LENGTH
public static final int PURPOSE_MAX_LENGTH
The purpose string parameter maximum length.- See Also:
- Constant Field Values
-
-
Constructor Detail
-
AuthenticationRequest
public AuthenticationRequest(URI uri, ResponseType rt, Scope scope, ClientID clientID, URI redirectURI, State state, Nonce nonce)
Creates a new minimal OpenID Connect authentication request.- Parameters:
uri
- The URI of the OAuth 2.0 authorisation endpoint. May benull
if theAuthorizationRequest.toHTTPRequest(com.nimbusds.oauth2.sdk.http.HTTPRequest.Method)
method will not be used.rt
- The response type. Corresponds to theresponse_type
parameter. Must specify a valid OpenID Connect response type. Must not benull
.scope
- The request scope. Corresponds to thescope
parameter. Must contain anopenid value
. Must not benull
.clientID
- The client identifier. Corresponds to theclient_id
parameter. Must not benull
.redirectURI
- The redirection URI. Corresponds to theredirect_uri
parameter. Must not benull
.state
- The state. Corresponds to thestate
parameter. May benull
.nonce
- The nonce. Corresponds to thenonce
parameter. May benull
for code flow.
-
AuthenticationRequest
public AuthenticationRequest(URI uri, ResponseType rt, ResponseMode rm, Scope scope, ClientID clientID, URI redirectURI, State state, Nonce nonce, Display display, Prompt prompt, int maxAge, List<com.nimbusds.langtag.LangTag> uiLocales, List<com.nimbusds.langtag.LangTag> claimsLocales, com.nimbusds.jwt.JWT idTokenHint, String loginHint, List<ACR> acrValues, ClaimsRequest claims, String purpose, PrivateKeyJWT privateKeyJWTAuth, com.nimbusds.jwt.JWT requestObject, URI requestURI, CodeChallenge codeChallenge, CodeChallengeMethod codeChallengeMethod, List<URI> resources, boolean includeGrantedScopes, Map<String,List<String>> customParams)
Creates a new OpenID Connect authentication request with extension and custom parameters.- Parameters:
uri
- The URI of the OAuth 2.0 authorisation endpoint. May benull
if theAuthorizationRequest.toHTTPRequest(com.nimbusds.oauth2.sdk.http.HTTPRequest.Method)
method will not be used.rt
- The response type set. Corresponds to theresponse_type
parameter. Must specify a valid OpenID Connect response type. Must not benull
.rm
- The response mode. Corresponds to the optionalresponse_mode
parameter. Use of this parameter is not recommended unless a non-default response mode is requested (e.g. form_post).scope
- The request scope. Corresponds to thescope
parameter. Must contain anopenid value
. Must not benull
.clientID
- The client identifier. Corresponds to theclient_id
parameter. Must not benull
.redirectURI
- The redirection URI. Corresponds to theredirect_uri
parameter. Must not benull
unless set by means of the optionalrequest_object
/request_uri
parameter.state
- The state. Corresponds to the recommendedstate
parameter.null
if not specified.nonce
- The nonce. Corresponds to thenonce
parameter. May benull
for code flow.display
- The requested display type. Corresponds to the optionaldisplay
parameter.null
if not specified.prompt
- The requested prompt. Corresponds to the optionalprompt
parameter.null
if not specified.maxAge
- The required maximum authentication age, in seconds. Corresponds to the optionalmax_age
parameter. -1 if not specified, zero impliesprompt=login
.uiLocales
- The preferred languages and scripts for the user interface. Corresponds to the optionalui_locales
parameter.null
if not specified.claimsLocales
- The preferred languages and scripts for claims being returned. Corresponds to the optionalclaims_locales
parameter.null
if not specified.idTokenHint
- The ID Token hint. Corresponds to the optionalid_token_hint
parameter.null
if not specified.loginHint
- The login hint. Corresponds to the optionallogin_hint
parameter.null
if not specified.acrValues
- The requested Authentication Context Class Reference values. Corresponds to the optionalacr_values
parameter.null
if not specified.claims
- The individual claims to be returned. Corresponds to the optionalclaims
parameter.null
if not specified.purpose
- The transaction specific purpose,null
if not specified.privateKeyJWTAuth
- The private key JWT authentication,null
if not specified.requestObject
- The request object. Corresponds to the optionalrequest
parameter. Must not be specified together with a request object URI.null
if not specified.requestURI
- The request object URI. Corresponds to the optionalrequest_uri
parameter. Must not be specified together with a request object.null
if not specified.codeChallenge
- The code challenge for PKCE,null
if not specified.codeChallengeMethod
- The code challenge method for PKCE,null
if not specified.resources
- The resource URI(s),null
if not specified.includeGrantedScopes
-true
to request incremental authorisation.customParams
- Additional custom parameters, empty map ornull
if none.
-
-
Method Detail
-
getRegisteredParameterNames
public static Set<String> getRegisteredParameterNames()
Returns the registered (standard) OpenID Connect authentication request parameter names.- Returns:
- The registered OpenID Connect authentication request parameter names, as a unmodifiable set.
-
getNonce
public Nonce getNonce()
Gets the nonce. Corresponds to the conditionally optionalnonce
parameter.- Returns:
- The nonce,
null
if not specified.
-
getDisplay
public Display getDisplay()
Gets the requested display type. Corresponds to the optionaldisplay
parameter.- Returns:
- The requested display type,
null
if not specified.
-
getMaxAge
public int getMaxAge()
Gets the required maximum authentication age. Corresponds to the optionalmax_age
parameter.- Returns:
- The maximum authentication age, in seconds; -1 if not
specified, zero implies
prompt=login
.
-
getUILocales
public List<com.nimbusds.langtag.LangTag> getUILocales()
Gets the end-user's preferred languages and scripts for the user interface, ordered by preference. Corresponds to the optionalui_locales
parameter.- Returns:
- The preferred UI locales,
null
if not specified.
-
getClaimsLocales
public List<com.nimbusds.langtag.LangTag> getClaimsLocales()
Gets the end-user's preferred languages and scripts for the claims being returned, ordered by preference. Corresponds to the optionalclaims_locales
parameter.- Returns:
- The preferred claims locales,
null
if not specified.
-
getIDTokenHint
public com.nimbusds.jwt.JWT getIDTokenHint()
Gets the ID Token hint. Corresponds to the conditionally optionalid_token_hint
parameter.- Returns:
- The ID Token hint,
null
if not specified.
-
getLoginHint
public String getLoginHint()
Gets the login hint. Corresponds to the optionallogin_hint
parameter.- Returns:
- The login hint,
null
if not specified.
-
getACRValues
public List<ACR> getACRValues()
Gets the requested Authentication Context Class Reference values. Corresponds to the optionalacr_values
parameter.- Returns:
- The requested ACR values,
null
if not specified.
-
getClaims
public ClaimsRequest getClaims()
Gets the individual claims to be returned. Corresponds to the optionalclaims
parameter.- Returns:
- The individual claims to be returned,
null
if not specified.
-
getPurpose
public String getPurpose()
Gets the transaction specific purpose. Corresponds to the optionalpurpose
parameter.- Returns:
- The purpose,
null
if not specified.
-
getPrivateKeyJWTAuthentication
public PrivateKeyJWT getPrivateKeyJWTAuthentication()
Gets the private key JWT authentication for automatic OpenID Connect federation.- Returns:
- The private key JWT authentication,
null
if not specified.
-
toParameters
public Map<String,List<String>> toParameters()
Description copied from class:AuthorizationRequest
Returns the URI query parameters for this authorisation request. Query parameters which are part of the authorisation endpoint are not included.Example parameters:
response_type = code client_id = s6BhdRkqt3 state = xyz redirect_uri = https://client.example.com/cb
- Overrides:
toParameters
in classAuthorizationRequest
- Returns:
- The parameters.
-
toJWTClaimsSet
public com.nimbusds.jwt.JWTClaimsSet toJWTClaimsSet()
Description copied from class:AuthorizationRequest
Returns the parameters for this authorisation request as a JSON Web Token (JWT) claims set. Intended for creating a request object.- Overrides:
toJWTClaimsSet
in classAuthorizationRequest
- Returns:
- The parameters as JWT claim set.
-
parse
public static AuthenticationRequest parse(Map<String,List<String>> params) throws ParseException
Parses an OpenID Connect authentication request from the specified URI query parameters.Example parameters:
response_type = token id_token client_id = s6BhdRkqt3 redirect_uri = https://client.example.com/cb scope = openid profile state = af0ifjsldkj nonce = -0S6_WzA2Mj
- Parameters:
params
- The parameters. Must not benull
.- Returns:
- The OpenID Connect authentication request.
- Throws:
ParseException
- If the parameters couldn't be parsed to an OpenID Connect authentication request.
-
parse
public static AuthenticationRequest parse(URI uri, Map<String,List<String>> params) throws ParseException
Parses an OpenID Connect authentication request from the specified URI and query parameters.Example parameters:
response_type = token id_token client_id = s6BhdRkqt3 redirect_uri = https://client.example.com/cb scope = openid profile state = af0ifjsldkj nonce = -0S6_WzA2Mj
- Parameters:
uri
- The URI of the OAuth 2.0 authorisation endpoint. May benull
if theAuthorizationRequest.toHTTPRequest(com.nimbusds.oauth2.sdk.http.HTTPRequest.Method)
method will not be used.params
- The parameters. Must not benull
.- Returns:
- The OpenID Connect authentication request.
- Throws:
ParseException
- If the parameters couldn't be parsed to an OpenID Connect authentication request.
-
parse
public static AuthenticationRequest parse(String query) throws ParseException
Parses an OpenID Connect authentication request from the specified URI query string.Example URI query string:
response_type=token%20id_token &client_id=s6BhdRkqt3 &redirect_uri=https%3A%2F%2Fclient.example.com%2Fcb &scope=openid%20profile &state=af0ifjsldkj &nonce=n-0S6_WzA2Mj
- Parameters:
query
- The URI query string. Must not benull
.- Returns:
- The OpenID Connect authentication request.
- Throws:
ParseException
- If the query string couldn't be parsed to an OpenID Connect authentication request.
-
parse
public static AuthenticationRequest parse(URI uri, String query) throws ParseException
Parses an OpenID Connect authentication request from the specified URI query string.Example URI query string:
response_type=token%20id_token &client_id=s6BhdRkqt3 &redirect_uri=https%3A%2F%2Fclient.example.com%2Fcb &scope=openid%20profile &state=af0ifjsldkj &nonce=n-0S6_WzA2Mj
- Parameters:
uri
- The URI of the OAuth 2.0 authorisation endpoint. May benull
if theAuthorizationRequest.toHTTPRequest(com.nimbusds.oauth2.sdk.http.HTTPRequest.Method)
method will not be used.query
- The URI query string. Must not benull
.- Returns:
- The OpenID Connect authentication request.
- Throws:
ParseException
- If the query string couldn't be parsed to an OpenID Connect authentication request.
-
parse
public static AuthenticationRequest parse(URI uri) throws ParseException
Parses an OpenID Connect authentication request from the specified URI.Example URI:
https://server.example.com/authorize? response_type=token%20id_token &client_id=s6BhdRkqt3 &redirect_uri=https%3A%2F%2Fclient.example.com%2Fcb &scope=openid%20profile &state=af0ifjsldkj &nonce=n-0S6_WzA2Mj
- Parameters:
uri
- The URI. Must not benull
.- Returns:
- The OpenID Connect authentication request.
- Throws:
ParseException
- If the query string couldn't be parsed to an OpenID Connect authentication request.
-
parse
public static AuthenticationRequest parse(HTTPRequest httpRequest) throws ParseException
Parses an authentication request from the specified HTTP GET or HTTP POST request.Example HTTP request (GET):
https://server.example.com/op/authorize? response_type=code%20id_token &client_id=s6BhdRkqt3 &redirect_uri=https%3A%2F%2Fclient.example.com%2Fcb &scope=openid &nonce=n-0S6_WzA2Mj &state=af0ifjsldkj
- Parameters:
httpRequest
- The HTTP request. Must not benull
.- Returns:
- The OpenID Connect authentication request.
- Throws:
ParseException
- If the HTTP request couldn't be parsed to an OpenID Connect authentication request.
-
-