Class OIDCClientMetadata

- java.lang.Object
  - com.nimbusds.oauth2.sdk.client.ClientMetadata
    - com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata

public class OIDCClientMetadata extends ClientMetadata

OpenID Connect client metadata.

Related specifications:
- OpenID Connect Dynamic Client Registration 1.0, section 2.
- OpenID Connect Session Management 1.0, section 5.1.1 (draft 28).
- OpenID Connect Front-Channel Logout 1.0, section 2 (draft 02).
- OpenID Connect Back-Channel Logout 1.0, section 2.2 (draft 04).
- OpenID Connect Federation 1.0 (draft 14).
- OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591), section 2.
- OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens (RFC 8705), sections 2.1.2 and 3.4.
- Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM).
Field Summary

- Fields inherited from class com.nimbusds.oauth2.sdk.client.ClientMetadata:
  PROHIBITED_REDIRECT_URI_SCHEMES
Constructor Summary

- OIDCClientMetadata()
  Creates a new OpenID Connect client metadata instance.
- OIDCClientMetadata(ClientMetadata metadata)
  Creates a new OpenID Connect client metadata instance from the specified base OAuth 2.0 client metadata.
- OIDCClientMetadata(OIDCClientMetadata metadata)
  Creates a shallow copy of the specified OpenID Connect client metadata instance.
Method Summary

- void applyDefaults()
  Applies the client metadata defaults where no values have been specified.
- ApplicationType getApplicationType()
  Gets the client application type.
- URI getBackChannelLogoutURI()
  Gets the back-channel logout URI.
- List<ACR> getDefaultACRs()
  Gets the default Authentication Context Class Reference (ACR) values.
- int getDefaultMaxAge()
  Gets the default maximum authentication age.
- URI getFrontChannelLogoutURI()
  Gets the front-channel logout URI.
- com.nimbusds.jose.JWEAlgorithm getIDTokenJWEAlg()
  Gets the JSON Web Encryption (JWE) algorithm required for the ID Tokens issued to this client.
- com.nimbusds.jose.EncryptionMethod getIDTokenJWEEnc()
  Gets the JSON Web Encryption (JWE) method required for the ID Tokens issued to this client.
- com.nimbusds.jose.JWSAlgorithm getIDTokenJWSAlg()
  Gets the JSON Web Signature (JWS) algorithm required for the ID Tokens issued to this client.
- URI getInitiateLoginURI()
  Gets the HTTPS URI that the authorisation server can call to initiate a login at the client.
- Set<URI> getPostLogoutRedirectionURIs()
  Gets the post logout redirection URIs.
- static Set<String> getRegisteredParameterNames()
  Gets the registered (standard) OpenID Connect client metadata parameter names.
- URI getSectorIDURI()
  Gets the sector identifier URI.
- SubjectType getSubjectType()
  Gets the subject identifier type for responses to this client.
- com.nimbusds.jose.JWEAlgorithm getUserInfoJWEAlg()
  Gets the JSON Web Encryption (JWE) algorithm required for the UserInfo responses to this client.
- com.nimbusds.jose.EncryptionMethod getUserInfoJWEEnc()
  Gets the JSON Web Encryption (JWE) method required for the UserInfo responses to this client.
- com.nimbusds.jose.JWSAlgorithm getUserInfoJWSAlg()
  Gets the JSON Web Signature (JWS) algorithm required for the UserInfo responses to this client.
- static OIDCClientMetadata parse(net.minidev.json.JSONObject jsonObject)
  Parses an OpenID Connect client metadata instance from the specified JSON object.
- boolean requiresAuthTime()
  Gets the default requirement for the auth_time claim in the ID Token.
- void requiresAuthTime(boolean requiresAuthTime)
  Sets the default requirement for the auth_time claim in the ID Token.
- boolean requiresBackChannelLogoutSession()
  Gets the requirement for a session identifier on back-channel logout.
- void requiresBackChannelLogoutSession(boolean requiresSession)
  Sets the requirement for a session identifier on back-channel logout.
- boolean requiresFrontChannelLogoutSession()
  Gets the requirement for a session identifier on front-channel logout.
- void requiresFrontChannelLogoutSession(boolean requiresSession)
  Sets the requirement for a session identifier on front-channel logout.
- SectorID resolveSectorID()
  Resolves the sector identifier from the client metadata.
- void setApplicationType(ApplicationType applicationType)
  Sets the client application type.
- void setBackChannelLogoutURI(URI backChannelLogoutURI)
  Sets the back-channel logout URI.
- void setDefaultACRs(List<ACR> defaultACRs)
  Sets the default Authentication Context Class Reference (ACR) values.
- void setDefaultMaxAge(int defaultMaxAge)
  Sets the default maximum authentication age.
- void setFrontChannelLogoutURI(URI frontChannelLogoutURI)
  Sets the front-channel logout URI.
- void setIDTokenJWEAlg(com.nimbusds.jose.JWEAlgorithm idTokenJWEAlg)
  Sets the JSON Web Encryption (JWE) algorithm required for the ID Tokens issued to this client.
- void setIDTokenJWEEnc(com.nimbusds.jose.EncryptionMethod idTokenJWEEnc)
  Sets the JSON Web Encryption (JWE) method required for the ID Tokens issued to this client.
- void setIDTokenJWSAlg(com.nimbusds.jose.JWSAlgorithm idTokenJWSAlg)
  Sets the JSON Web Signature (JWS) algorithm required for the ID Tokens issued to this client.
- void setInitiateLoginURI(URI loginURI)
  Sets the HTTPS URI that the authorisation server can call to initiate a login at the client.
- void setPostLogoutRedirectionURIs(Set<URI> logoutURIs)
  Sets the post logout redirection URIs.
- void setSectorIDURI(URI sectorIDURI)
  Sets the sector identifier URI.
- void setSubjectType(SubjectType subjectType)
  Sets the subject identifier type for responses to this client.
- void setUserInfoJWEAlg(com.nimbusds.jose.JWEAlgorithm userInfoJWEAlg)
  Sets the JSON Web Encryption (JWE) algorithm required for the UserInfo responses to this client.
- void setUserInfoJWEEnc(com.nimbusds.jose.EncryptionMethod userInfoJWEEnc)
  Sets the JSON Web Encryption (JWE) method required for the UserInfo responses to this client.
- void setUserInfoJWSAlg(com.nimbusds.jose.JWSAlgorithm userInfoJWSAlg)
  Sets the JSON Web Signature (JWS) algorithm required for the UserInfo responses to this client.
- net.minidev.json.JSONObject toJSONObject(boolean includeCustomFields)
  Returns the JSON object representation of this client metadata.

Methods inherited from class com.nimbusds.oauth2.sdk.client.ClientMetadata:
getAuthorizationJWEAlg, getAuthorizationJWEEnc, getAuthorizationJWSAlg, getBackChannelAuthRequestJWSAlg, getBackChannelClientNotificationEndpoint, getBackChannelTokenDeliveryMode, getClientRegistrationTypes, getCustomField, getCustomFields, getEmailContacts, getGrantTypes, getJWKSet, getJWKSetURI, getLogoURI, getLogoURI, getLogoURIEntries, getMutualTLSSenderConstrainedAccessTokens, getName, getName, getNameEntries, getOrganizationName, getPolicyURI, getPolicyURI, getPolicyURIEntries, getRedirectionURI, getRedirectionURIs, getRedirectionURIStrings, getRequestObjectJWEAlg, getRequestObjectJWEEnc, getRequestObjectJWSAlg, getRequestObjectURIs, getResponseTypes, getScope, getSoftwareID, getSoftwareStatement, getSoftwareVersion, getTermsOfServiceURI, getTermsOfServiceURI, getTermsOfServiceURIEntries, getTLSClientAuthSanDNS, getTLSClientAuthSanEmail, getTLSClientAuthSanIP, getTLSClientAuthSanURI, getTLSClientAuthSubjectDN, getTLSClientCertificateBoundAccessTokens, getTokenEndpointAuthJWSAlg, getTokenEndpointAuthMethod, getURI, getURI, getURIEntries, hasScopeValue, requiresPushedAuthorizationRequests, requiresPushedAuthorizationRequests, setAuthorizationJWEAlg, setAuthorizationJWEEnc, setAuthorizationJWSAlg, setBackChannelAuthRequestJWSAlg, setBackChannelClientNotificationEndpoint, setBackChannelTokenDeliveryMode, setClientRegistrationTypes, setCustomField, setCustomFields, setEmailContacts, setGrantTypes, setJWKSet, setJWKSetURI, setLogoURI, setLogoURI, setMutualTLSSenderConstrainedAccessTokens, setName, setName, setOrganizationName, setPolicyURI, setPolicyURI, setRedirectionURI, setRedirectionURIs, setRequestObjectJWEAlg, setRequestObjectJWEEnc, setRequestObjectJWSAlg, setRequestObjectURIs, setResponseTypes, setScope, setSoftwareID, setSoftwareStatement, setSoftwareVersion, setSupportsBackChannelUserCodeParam, setTermsOfServiceURI, setTermsOfServiceURI, setTLSClientAuthSanDNS, setTLSClientAuthSanEmail, setTLSClientAuthSanIP, setTLSClientAuthSanURI, setTLSClientAuthSubjectDN, setTLSClientCertificateBoundAccessTokens, setTokenEndpointAuthJWSAlg, setTokenEndpointAuthMethod, setURI, setURI, supportsBackChannelUserCodeParam, toJSONObject, toString
Constructor Detail

OIDCClientMetadata
public OIDCClientMetadata()
Creates a new OpenID Connect client metadata instance.

OIDCClientMetadata
public OIDCClientMetadata(ClientMetadata metadata)
Creates a new OpenID Connect client metadata instance from the specified base OAuth 2.0 client metadata.
- Parameters: metadata - The base OAuth 2.0 client metadata. Must not be null.

OIDCClientMetadata
public OIDCClientMetadata(OIDCClientMetadata metadata)
Creates a shallow copy of the specified OpenID Connect client metadata instance.
- Parameters: metadata - The client metadata to copy. Must not be null.
Method Detail

getRegisteredParameterNames
public static Set<String> getRegisteredParameterNames()
Gets the registered (standard) OpenID Connect client metadata parameter names.
- Returns: The registered OpenID Connect parameter names, as an unmodifiable set.

getApplicationType
public ApplicationType getApplicationType()
Gets the client application type. Corresponds to the application_type client metadata field.
- Returns: The client application type, null if not specified.

setApplicationType
public void setApplicationType(ApplicationType applicationType)
Sets the client application type. Corresponds to the application_type client metadata field.
- Parameters: applicationType - The client application type, null if not specified.

getSubjectType
public SubjectType getSubjectType()
Gets the subject identifier type for responses to this client. Corresponds to the subject_type client metadata field.
- Returns: The subject identifier type, null if not specified.

setSubjectType
public void setSubjectType(SubjectType subjectType)
Sets the subject identifier type for responses to this client. Corresponds to the subject_type client metadata field.
- Parameters: subjectType - The subject identifier type, null if not specified.

getSectorIDURI
public URI getSectorIDURI()
Gets the sector identifier URI. Corresponds to the sector_identifier_uri client metadata field.
- Returns: The sector identifier URI, null if not specified.

setSectorIDURI
public void setSectorIDURI(URI sectorIDURI)
Sets the sector identifier URI. Corresponds to the sector_identifier_uri client metadata field. If set, the URI is checked for having an https scheme and a host component, unless the URI is a URN.
- Parameters: sectorIDURI - The sector identifier URI, null if not specified.
- Throws: IllegalArgumentException - If the URI was found to be illegal.

resolveSectorID
public SectorID resolveSectorID()
Resolves the sector identifier from the client metadata.
- Returns: The sector identifier, null if the subject type is set to public.
- Throws: IllegalStateException - If resolution failed due to incomplete or inconsistent metadata.
getIDTokenJWSAlg
public com.nimbusds.jose.JWSAlgorithm getIDTokenJWSAlg()
Gets the JSON Web Signature (JWS) algorithm required for the ID Tokens issued to this client. Corresponds to the id_token_signed_response_alg client metadata field.
- Returns: The JWS algorithm, null if not specified.

setIDTokenJWSAlg
public void setIDTokenJWSAlg(com.nimbusds.jose.JWSAlgorithm idTokenJWSAlg)
Sets the JSON Web Signature (JWS) algorithm required for the ID Tokens issued to this client. Corresponds to the id_token_signed_response_alg client metadata field.
- Parameters: idTokenJWSAlg - The JWS algorithm, null if not specified.

getIDTokenJWEAlg
public com.nimbusds.jose.JWEAlgorithm getIDTokenJWEAlg()
Gets the JSON Web Encryption (JWE) algorithm required for the ID Tokens issued to this client. Corresponds to the id_token_encrypted_response_alg client metadata field.
- Returns: The JWE algorithm, null if not specified.

setIDTokenJWEAlg
public void setIDTokenJWEAlg(com.nimbusds.jose.JWEAlgorithm idTokenJWEAlg)
Sets the JSON Web Encryption (JWE) algorithm required for the ID Tokens issued to this client. Corresponds to the id_token_encrypted_response_alg client metadata field.
- Parameters: idTokenJWEAlg - The JWE algorithm, null if not specified.

getIDTokenJWEEnc
public com.nimbusds.jose.EncryptionMethod getIDTokenJWEEnc()
Gets the JSON Web Encryption (JWE) method required for the ID Tokens issued to this client. Corresponds to the id_token_encrypted_response_enc client metadata field.
- Returns: The JWE method, null if not specified.

setIDTokenJWEEnc
public void setIDTokenJWEEnc(com.nimbusds.jose.EncryptionMethod idTokenJWEEnc)
Sets the JSON Web Encryption (JWE) method required for the ID Tokens issued to this client. Corresponds to the id_token_encrypted_response_enc client metadata field.
- Parameters: idTokenJWEEnc - The JWE method, null if not specified.

getUserInfoJWSAlg
public com.nimbusds.jose.JWSAlgorithm getUserInfoJWSAlg()
Gets the JSON Web Signature (JWS) algorithm required for the UserInfo responses to this client. Corresponds to the userinfo_signed_response_alg client metadata field.
- Returns: The JWS algorithm, null if not specified.

setUserInfoJWSAlg
public void setUserInfoJWSAlg(com.nimbusds.jose.JWSAlgorithm userInfoJWSAlg)
Sets the JSON Web Signature (JWS) algorithm required for the UserInfo responses to this client. Corresponds to the userinfo_signed_response_alg client metadata field.
- Parameters: userInfoJWSAlg - The JWS algorithm, null if not specified.

getUserInfoJWEAlg
public com.nimbusds.jose.JWEAlgorithm getUserInfoJWEAlg()
Gets the JSON Web Encryption (JWE) algorithm required for the UserInfo responses to this client. Corresponds to the userinfo_encrypted_response_alg client metadata field.
- Returns: The JWE algorithm, null if not specified.

setUserInfoJWEAlg
public void setUserInfoJWEAlg(com.nimbusds.jose.JWEAlgorithm userInfoJWEAlg)
Sets the JSON Web Encryption (JWE) algorithm required for the UserInfo responses to this client. Corresponds to the userinfo_encrypted_response_alg client metadata field.
- Parameters: userInfoJWEAlg - The JWE algorithm, null if not specified.

getUserInfoJWEEnc
public com.nimbusds.jose.EncryptionMethod getUserInfoJWEEnc()
Gets the JSON Web Encryption (JWE) method required for the UserInfo responses to this client. Corresponds to the userinfo_encrypted_response_enc client metadata field.
- Returns: The JWE method, null if not specified.

setUserInfoJWEEnc
public void setUserInfoJWEEnc(com.nimbusds.jose.EncryptionMethod userInfoJWEEnc)
Sets the JSON Web Encryption (JWE) method required for the UserInfo responses to this client. Corresponds to the userinfo_encrypted_response_enc client metadata field.
- Parameters: userInfoJWEEnc - The JWE method, null if not specified.
getDefaultMaxAge
public int getDefaultMaxAge()
Gets the default maximum authentication age. Corresponds to the default_max_age client metadata field.
- Returns: The default max authentication age, in seconds; -1 if not specified.

setDefaultMaxAge
public void setDefaultMaxAge(int defaultMaxAge)
Sets the default maximum authentication age. Corresponds to the default_max_age client metadata field.
- Parameters: defaultMaxAge - The default max authentication age, in seconds; -1 if not specified.

requiresAuthTime
public boolean requiresAuthTime()
Gets the default requirement for the auth_time claim in the ID Token. Corresponds to the require_auth_time client metadata field.
- Returns: If true, the auth_time claim in the ID Token is required by default.

requiresAuthTime
public void requiresAuthTime(boolean requiresAuthTime)
Sets the default requirement for the auth_time claim in the ID Token. Corresponds to the require_auth_time client metadata field.
- Parameters: requiresAuthTime - If true, the auth_time claim in the ID Token is required by default.

getDefaultACRs
public List<ACR> getDefaultACRs()
Gets the default Authentication Context Class Reference (ACR) values. Corresponds to the default_acr_values client metadata field.
- Returns: The default ACR values, in order of preference, null if not specified.

setDefaultACRs
public void setDefaultACRs(List<ACR> defaultACRs)
Sets the default Authentication Context Class Reference (ACR) values. Corresponds to the default_acr_values client metadata field.
- Parameters: defaultACRs - The default ACRs, in order of preference, null if not specified.
getInitiateLoginURI
public URI getInitiateLoginURI()
Gets the HTTPS URI that the authorisation server can call to initiate a login at the client. Corresponds to the initiate_login_uri client metadata field.
- Returns: The login URI, null if not specified.

setInitiateLoginURI
public void setInitiateLoginURI(URI loginURI)
Sets the HTTPS URI that the authorisation server can call to initiate a login at the client. Corresponds to the initiate_login_uri client metadata field.
- Parameters: loginURI - The login URI, null if not specified. The URI scheme must be https.

getPostLogoutRedirectionURIs
public Set<URI> getPostLogoutRedirectionURIs()
Gets the post logout redirection URIs. Corresponds to the post_logout_redirect_uris client metadata field.
- Returns: The logout redirection URIs, null if not specified.

setPostLogoutRedirectionURIs
public void setPostLogoutRedirectionURIs(Set<URI> logoutURIs)
Sets the post logout redirection URIs. Corresponds to the post_logout_redirect_uris client metadata field.
- Parameters: logoutURIs - The post logout redirection URIs, null if not specified.

getFrontChannelLogoutURI
public URI getFrontChannelLogoutURI()
Gets the front-channel logout URI. Corresponds to the frontchannel_logout_uri client metadata field.
- Returns: The front-channel logout URI, null if not specified.

setFrontChannelLogoutURI
public void setFrontChannelLogoutURI(URI frontChannelLogoutURI)
Sets the front-channel logout URI. Corresponds to the frontchannel_logout_uri client metadata field.
- Parameters: frontChannelLogoutURI - The front-channel logout URI, null if not specified. The URI scheme must be https or http.

requiresFrontChannelLogoutSession
public boolean requiresFrontChannelLogoutSession()
Gets the requirement for a session identifier on front-channel logout. Corresponds to the frontchannel_logout_session_required client metadata field.
- Returns: true if a session identifier is required, else false.

requiresFrontChannelLogoutSession
public void requiresFrontChannelLogoutSession(boolean requiresSession)
Sets the requirement for a session identifier on front-channel logout. Corresponds to the frontchannel_logout_session_required client metadata field.
- Parameters: requiresSession - true if a session identifier is required, else false.

getBackChannelLogoutURI
public URI getBackChannelLogoutURI()
Gets the back-channel logout URI. Corresponds to the backchannel_logout_uri client metadata field.
- Returns: The back-channel logout URI, null if not specified.

setBackChannelLogoutURI
public void setBackChannelLogoutURI(URI backChannelLogoutURI)
Sets the back-channel logout URI. Corresponds to the backchannel_logout_uri client metadata field.
- Parameters: backChannelLogoutURI - The back-channel logout URI, null if not specified. The URI scheme must be https or http.

requiresBackChannelLogoutSession
public boolean requiresBackChannelLogoutSession()
Gets the requirement for a session identifier on back-channel logout. Corresponds to the backchannel_logout_session_required client metadata field.
- Returns: true if a session identifier is required, else false.

requiresBackChannelLogoutSession
public void requiresBackChannelLogoutSession(boolean requiresSession)
Sets the requirement for a session identifier on back-channel logout. Corresponds to the backchannel_logout_session_required client metadata field.
- Parameters: requiresSession - true if a session identifier is required, else false.
applyDefaults
public void applyDefaults()
Applies the client metadata defaults where no values have been specified:
- The response types default to ["code"].
- The grant types default to "authorization_code".
- The client authentication method defaults to "client_secret_basic".
- The application type defaults to ApplicationType.WEB.
- The ID token JWS algorithm defaults to "RS256".

- Overrides: applyDefaults in class ClientMetadata
toJSONObject
public net.minidev.json.JSONObject toJSONObject(boolean includeCustomFields)
Description copied from class: ClientMetadata
Returns the JSON object representation of this client metadata.
- Overrides: toJSONObject in class ClientMetadata
- Parameters: includeCustomFields - true to include any custom metadata fields, false to omit them.
- Returns: The JSON object.

parse
public static OIDCClientMetadata parse(net.minidev.json.JSONObject jsonObject) throws ParseException
Parses an OpenID Connect client metadata instance from the specified JSON object.
- Parameters: jsonObject - The JSON object to parse. Must not be null.
- Returns: The OpenID Connect client metadata.
- Throws: ParseException - If the JSON object couldn't be parsed to an OpenID Connect client metadata instance.
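A worked example, added here and not part of the Nimbus SDK's own documentation, that ties together setSectorIDURI, resolveSectorID, applyDefaults, toJSONObject and parse as documented above (plus the inherited setRedirectionURIs): it registers a pairwise client whose redirect URIs span two hosts, round-trips the metadata through JSON as a registration endpoint would, and exercises the two rejection paths the Javadoc names. The sample URIs and hosts are constructed, and the package paths of SubjectType and SectorID are assumed from the SDK's layout rather than stated on this page.

```java
import java.net.URI;
import java.util.Set;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.openid.connect.sdk.SubjectType;          // assumed package path
import com.nimbusds.openid.connect.sdk.id.SectorID;          // assumed package path
import com.nimbusds.openid.connect.sdk.rp.ApplicationType;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata;
import net.minidev.json.JSONObject;

public class PairwiseClientMetadataExample {

    // Constructed sample values: an RP whose redirect URIs live on two different hosts.
    static final URI CB_APP = URI.create("https://app.example.com/cb");
    static final URI CB_ADMIN = URI.create("https://admin.example.org/cb");

    /** Builds registration metadata for a pairwise client and applies the SDK defaults. */
    static OIDCClientMetadata buildPairwiseClient() {
        OIDCClientMetadata meta = new OIDCClientMetadata();
        meta.setRedirectionURIs(Set.of(CB_APP, CB_ADMIN));
        meta.setSubjectType(SubjectType.PAIRWISE);
        // Two hosts: no single sector can be derived from redirect_uris, so
        // sector_identifier_uri is needed. setSectorIDURI() enforces https and a host.
        meta.setSectorIDURI(URI.create("https://app.example.com/sector_ids.json"));
        meta.setIDTokenJWSAlg(JWSAlgorithm.RS256);
        meta.applyDefaults(); // response_types, grant_types, token auth method, application_type
        return meta;
    }

    /** Parses a registration body and refuses an unsigned ID token algorithm (defender check). */
    static OIDCClientMetadata parseAndCheck(JSONObject json) throws ParseException {
        OIDCClientMetadata parsed = OIDCClientMetadata.parse(json);
        if (JWSAlgorithm.NONE.equals(parsed.getIDTokenJWSAlg())) {
            throw new IllegalArgumentException("id_token_signed_response_alg none not accepted");
        }
        return parsed;
    }

    public static void main(String[] args) throws ParseException {
        OIDCClientMetadata meta = buildPairwiseClient();
        SectorID sector = meta.resolveSectorID(); // derived from sector_identifier_uri
        System.out.println("sector = " + sector.getValue());

        OIDCClientMetadata parsed = parseAndCheck(meta.toJSONObject(false));
        System.out.println("application_type WEB by default: "
                + (parsed.getApplicationType() == ApplicationType.WEB)
                + ", id_token alg = " + parsed.getIDTokenJWSAlg());

        // Rejection path 1: pairwise, multi-host redirect URIs, no sector_identifier_uri.
        OIDCClientMetadata incomplete = new OIDCClientMetadata();
        incomplete.setRedirectionURIs(Set.of(CB_APP, CB_ADMIN));
        incomplete.setSubjectType(SubjectType.PAIRWISE);
        try {
            incomplete.resolveSectorID();
        } catch (IllegalStateException e) {
            System.out.println("rejected (incomplete metadata): " + e.getMessage());
        }
        // Rejection path 2: a plain-http sector_identifier_uri is refused by the setter.
        try {
            meta.setSectorIDURI(URI.create("http://app.example.com/sector_ids.json"));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected (scheme): " + e.getMessage());
        }
    }
}
```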