Class OIDCClientMetadata


  • public class OIDCClientMetadata
    extends ClientMetadata
    OpenID Connect client metadata.

    Related specifications:

    • OpenID Connect Dynamic Client Registration 1.0, section 2.
    • OpenID Connect Session Management 1.0, section 5.1.1 (draft 28).
    • OpenID Connect Front-Channel Logout 1.0, section 2 (draft 02).
    • OpenID Connect Back-Channel Logout 1.0, section 2.2 (draft 04).
    • OpenID Connect Federation 1.0 (draft 14).
    • OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591), section 2.
    • OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens (RFC 8705), sections 2.1.2 and 3.4.
    • Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)
    • Constructor Detail

      • OIDCClientMetadata

        public OIDCClientMetadata()
        Creates a new OpenID Connect client metadata instance.
      • OIDCClientMetadata

        public OIDCClientMetadata​(ClientMetadata metadata)
        Creates a new OpenID Connect client metadata instance from the specified base OAuth 2.0 client metadata.
        Parameters:
        metadata - The base OAuth 2.0 client metadata. Must not be null.
      • OIDCClientMetadata

        public OIDCClientMetadata​(OIDCClientMetadata metadata)
        Creates a shallow copy of the specified OpenID Connect client metadata instance.
        Parameters:
        metadata - The client metadata to copy. Must not be null.
    • Method Detail

      • getRegisteredParameterNames

        public static Set<StringgetRegisteredParameterNames()
        Gets the registered (standard) OpenID Connect client metadata parameter names.
        Returns:
        The registered OpenID Connect parameter names, as an unmodifiable set.
      • getApplicationType

        public ApplicationType getApplicationType()
        Gets the client application type. Corresponds to the application_type client metadata field.
        Returns:
        The client application type, null if not specified.
      • setApplicationType

        public void setApplicationType​(ApplicationType applicationType)
        Sets the client application type. Corresponds to the application_type client metadata field.
        Parameters:
        applicationType - The client application type, null if not specified.
      • getSubjectType

        public SubjectType getSubjectType()
        Gets the subject identifier type for responses to this client. Corresponds to the subject_type client metadata field.
        Returns:
        The subject identifier type, null if not specified.
      • setSubjectType

        public void setSubjectType​(SubjectType subjectType)
        Sets the subject identifier type for responses to this client. Corresponds to the subject_type client metadata field.
        Parameters:
        subjectType - The subject identifier type, null if not specified.
      • getSectorIDURI

        public URI getSectorIDURI()
        Gets the sector identifier URI. Corresponds to the sector_identifier_uri client metadata field.
        Returns:
        The sector identifier URI, null if not specified.
      • setSectorIDURI

        public void setSectorIDURI​(URI sectorIDURI)
        Sets the sector identifier URI. Corresponds to the sector_identifier_uri client metadata field. If set the URI will be checked for having an https scheme and a host component unless the URI is an URN.
        Parameters:
        sectorIDURI - The sector identifier URI, null if not specified.
        Throws:
        IllegalArgumentException - If the URI was found to be illegal.
      • resolveSectorID

        public SectorID resolveSectorID()
        Resolves the sector identifier from the client metadata.
        Returns:
        The sector identifier, null if the subject type is set to public.
        Throws:
        IllegalStateException - If resolution failed due to incomplete or inconsistent metadata.
      • getIDTokenJWSAlg

        public com.nimbusds.jose.JWSAlgorithm getIDTokenJWSAlg()
        Gets the JSON Web Signature (JWS) algorithm required for the ID Tokens issued to this client. Corresponds to the id_token_signed_response_alg client metadata field.
        Returns:
        The JWS algorithm, null if not specified.
      • setIDTokenJWSAlg

        public void setIDTokenJWSAlg​(com.nimbusds.jose.JWSAlgorithm idTokenJWSAlg)
        Sets the JSON Web Signature (JWS) algorithm required for the ID Tokens issued to this client. Corresponds to the id_token_signed_response_alg client metadata field.
        Parameters:
        idTokenJWSAlg - The JWS algorithm, null if not specified.
      • getIDTokenJWEAlg

        public com.nimbusds.jose.JWEAlgorithm getIDTokenJWEAlg()
        Gets the JSON Web Encryption (JWE) algorithm required for the ID Tokens issued to this client. Corresponds to the id_token_encrypted_response_alg client metadata field.
        Returns:
        The JWE algorithm, null if not specified.
      • setIDTokenJWEAlg

        public void setIDTokenJWEAlg​(com.nimbusds.jose.JWEAlgorithm idTokenJWEAlg)
        Sets the JSON Web Encryption (JWE) algorithm required for the ID Tokens issued to this client. Corresponds to the id_token_encrypted_response_alg client metadata field.
        Parameters:
        idTokenJWEAlg - The JWE algorithm, null if not specified.
      • getIDTokenJWEEnc

        public com.nimbusds.jose.EncryptionMethod getIDTokenJWEEnc()
        Gets the JSON Web Encryption (JWE) method required for the ID Tokens issued to this client. Corresponds to the id_token_encrypted_response_enc client metadata field.
        Returns:
        The JWE method, null if not specified.
      • setIDTokenJWEEnc

        public void setIDTokenJWEEnc​(com.nimbusds.jose.EncryptionMethod idTokenJWEEnc)
        Sets the JSON Web Encryption (JWE) method required for the ID Tokens issued to this client. Corresponds to the id_token_encrypted_response_enc client metadata field.
        Parameters:
        idTokenJWEEnc - The JWE method, null if not specified.
      • getUserInfoJWSAlg

        public com.nimbusds.jose.JWSAlgorithm getUserInfoJWSAlg()
        Gets the JSON Web Signature (JWS) algorithm required for the UserInfo responses to this client. Corresponds to the userinfo_signed_response_alg client metadata field.
        Returns:
        The JWS algorithm, null if not specified.
      • setUserInfoJWSAlg

        public void setUserInfoJWSAlg​(com.nimbusds.jose.JWSAlgorithm userInfoJWSAlg)
        Sets the JSON Web Signature (JWS) algorithm required for the UserInfo responses to this client. Corresponds to the userinfo_signed_response_alg client metadata field.
        Parameters:
        userInfoJWSAlg - The JWS algorithm, null if not specified.
      • getUserInfoJWEAlg

        public com.nimbusds.jose.JWEAlgorithm getUserInfoJWEAlg()
        Gets the JSON Web Encryption (JWE) algorithm required for the UserInfo responses to this client. Corresponds to the userinfo_encrypted_response_alg client metadata field.
        Returns:
        The JWE algorithm, null if not specified.
      • setUserInfoJWEAlg

        public void setUserInfoJWEAlg​(com.nimbusds.jose.JWEAlgorithm userInfoJWEAlg)
        Sets the JSON Web Encryption (JWE) algorithm required for the UserInfo responses to this client. Corresponds to the userinfo_encrypted_response_alg client metadata field.
        Parameters:
        userInfoJWEAlg - The JWE algorithm, null if not specified.
      • getUserInfoJWEEnc

        public com.nimbusds.jose.EncryptionMethod getUserInfoJWEEnc()
        Gets the JSON Web Encryption (JWE) method required for the UserInfo responses to this client. Corresponds to the userinfo_encrypted_response_enc client metadata field.
        Returns:
        The JWE method, null if not specified.
      • setUserInfoJWEEnc

        public void setUserInfoJWEEnc​(com.nimbusds.jose.EncryptionMethod userInfoJWEEnc)
        Sets the JSON Web Encryption (JWE) method required for the UserInfo responses to this client. Corresponds to the userinfo_encrypted_response_enc client metadata field.
        Parameters:
        userInfoJWEEnc - The JWE method, null if not specified.
      • getDefaultMaxAge

        public int getDefaultMaxAge()
        Gets the default maximum authentication age. Corresponds to the default_max_age client metadata field.
        Returns:
        The default max authentication age, in seconds. If not specified -1.
      • setDefaultMaxAge

        public void setDefaultMaxAge​(int defaultMaxAge)
        Sets the default maximum authentication age. Corresponds to the default_max_age client metadata field.
        Parameters:
        defaultMaxAge - The default max authentication age, in seconds. If not specified -1.
      • requiresAuthTime

        public boolean requiresAuthTime()
        Gets the default requirement for the auth_time claim in the ID Token. Corresponds to the require_auth_time client metadata field.
        Returns:
        If true the auth_Time claim in the ID Token is required by default.
      • requiresAuthTime

        public void requiresAuthTime​(boolean requiresAuthTime)
        Sets the default requirement for the auth_time claim in the ID Token. Corresponds to the require_auth_time client metadata field.
        Parameters:
        requiresAuthTime - If true the auth_Time claim in the ID Token is required by default.
      • getDefaultACRs

        public List<ACRgetDefaultACRs()
        Gets the default Authentication Context Class Reference (ACR) values. Corresponds to the default_acr_values client metadata field.
        Returns:
        The default ACR values, by order of preference, null if not specified.
      • setDefaultACRs

        public void setDefaultACRs​(List<ACR> defaultACRs)
        Sets the default Authentication Context Class Reference (ACR) values. Corresponds to the default_acr_values client metadata field.
        Parameters:
        defaultACRs - The default ACRs, by order of preference, null if not specified.
      • getInitiateLoginURI

        public URI getInitiateLoginURI()
        Gets the HTTPS URI that the authorisation server can call to initiate a login at the client. Corresponds to the initiate_login_uri client metadata field.
        Returns:
        The login URI, null if not specified.
      • setInitiateLoginURI

        public void setInitiateLoginURI​(URI loginURI)
        Sets the HTTPS URI that the authorisation server can call to initiate a login at the client. Corresponds to the initiate_login_uri client metadata field.
        Parameters:
        loginURI - The login URI, null if not specified. The URI scheme must be https.
      • getPostLogoutRedirectionURIs

        public Set<URIgetPostLogoutRedirectionURIs()
        Gets the post logout redirection URIs. Corresponds to the post_logout_redirect_uris client metadata field.
        Returns:
        The logout redirection URIs, null if not specified.
      • setPostLogoutRedirectionURIs

        public void setPostLogoutRedirectionURIs​(Set<URI> logoutURIs)
        Sets the post logout redirection URIs. Corresponds to the post_logout_redirect_uris client metadata field.
        Parameters:
        logoutURIs - The post logout redirection URIs, null if not specified.
      • getFrontChannelLogoutURI

        public URI getFrontChannelLogoutURI()
        Gets the front-channel logout URI. Corresponds to the frontchannel_logout_uri client metadata field.
        Returns:
        The front-channel logout URI, null if not specified.
      • setFrontChannelLogoutURI

        public void setFrontChannelLogoutURI​(URI frontChannelLogoutURI)
        Sets the front-channel logout URI. Corresponds to the frontchannel_logout_uri client metadata field.
        Parameters:
        frontChannelLogoutURI - The front-channel logout URI, null if not specified. The URI scheme must be https or http.
      • requiresFrontChannelLogoutSession

        public boolean requiresFrontChannelLogoutSession()
        Gets the requirement for a session identifier on front-channel logout. Corresponds to the frontchannel_logout_session_required client metadata field.
        Returns:
        true if a session identifier is required, else false.
      • requiresFrontChannelLogoutSession

        public void requiresFrontChannelLogoutSession​(boolean requiresSession)
        Sets the requirement for a session identifier on front-channel logout. Corresponds to the frontchannel_logout_session_required client metadata field.
        Parameters:
        requiresSession - true if a session identifier is required, else false.
      • getBackChannelLogoutURI

        public URI getBackChannelLogoutURI()
        Gets the back-channel logout URI. Corresponds to the backchannel_logout_uri client metadata field.
        Returns:
        The back-channel logout URI, null if not specified.
      • setBackChannelLogoutURI

        public void setBackChannelLogoutURI​(URI backChannelLogoutURI)
        Sets the back-channel logout URI. Corresponds to the backchannel_logout_uri client metadata field.
        Parameters:
        backChannelLogoutURI - The back-channel logout URI, null if not specified. The URI scheme must be https or http.
      • requiresBackChannelLogoutSession

        public boolean requiresBackChannelLogoutSession()
        Gets the requirement for a session identifier on back-channel logout. Corresponds to the backchannel_logout_session_required client metadata field.
        Returns:
        true if a session identifier is required, else false.
      • requiresBackChannelLogoutSession

        public void requiresBackChannelLogoutSession​(boolean requiresSession)
        Sets the requirement for a session identifier on back-channel logout. Corresponds to the backchannel_logout_session_required client metadata field.
        Parameters:
        requiresSession - true if a session identifier is required, else false.
      • applyDefaults

        public void applyDefaults()
        Applies the client metadata defaults where no values have been specified.
        • The response types default to ["code"].
        • The grant types default to "authorization_code".
        • The client authentication method defaults to "client_secret_basic".
        • The application type defaults to ApplicationType.WEB.
        • The ID token JWS algorithm defaults to "RS256".
        Overrides:
        applyDefaults in class ClientMetadata
      • toJSONObject

        public net.minidev.json.JSONObject toJSONObject​(boolean includeCustomFields)
        Description copied from class: ClientMetadata
        Returns the JSON object representation of this client metadata.
        Overrides:
        toJSONObject in class ClientMetadata
        Parameters:
        includeCustomFields - true to include any custom metadata fields, false to omit them.
        Returns:
        The JSON object.
      • parse

        public static OIDCClientMetadata parse​(net.minidev.json.JSONObject jsonObject)
                                        throws ParseException
        Parses an OpenID Connect client metadata instance from the specified JSON object.
        Parameters:
        jsonObject - The JSON object to parse. Must not be null.
        Returns:
        The OpenID Connect client metadata.
        Throws:
        ParseException - If the JSON object couldn't be parsed to an OpenID Connect client metadata instance.