Class CIBARequest

  • All Implemented Interfaces:
    Message, Request

    @Immutable
    public class CIBARequest
    extends AbstractAuthenticatedRequest

    CIBA request to an OpenID provider / OAuth 2.0 authorisation server backend authentication endpoint. Supports plain as well as signed (JWT) requests.

    Example HTTP request:

     POST /bc-authorize HTTP/1.1
     Host: server.example.com
     Content-Type: application/x-www-form-urlencoded
    
     scope=openid%20email%20example-scope&
     client_notification_token=8d67dc78-7faa-4d41-aabd-67707b374255&
     binding_message=W4SCT&
     login_hint_token=eyJraWQiOiJsdGFjZXNidyIsImFsZyI6IkVTMjU2In0.eyJ
     zdWJfaWQiOnsic3ViamVjdF90eXBlIjoicGhvbmUiLCJwaG9uZSI6IisxMzMwMjg
     xODAwNCJ9fQ.Kk8jcUbHjJAQkRSHyDuFQr3NMEOSJEZc85VfER74tX6J9CuUllr8
     9WKUHUR7MA0-mWlptMRRhdgW1ZDt7g1uwQ&
     client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3A
     client-assertion-type%3Ajwt-bearer&
     client_assertion=eyJraWQiOiJsdGFjZXNidyIsImFsZyI6IkVTMjU2In0.eyJ
     pc3MiOiJzNkJoZFJrcXQzIiwic3ViIjoiczZCaGRSa3F0MyIsImF1ZCI6Imh0dHB
     zOi8vc2VydmVyLmV4YW1wbGUuY29tIiwianRpIjoiYmRjLVhzX3NmLTNZTW80RlN
     6SUoyUSIsImlhdCI6MTUzNzgxOTQ4NiwiZXhwIjoxNTM3ODE5Nzc3fQ.Ybr8mg_3
     E2OptOSsA8rnelYO_y1L-yFaF_j1iemM3ntB61_GN3APe5cl_-5a6cvGlP154XAK
     7fL-GaZSdnd9kg
     

    Related specifications:

    • OpenID Connect CIBA Flow - Core 1.0, section 7.1.
    • Constructor Detail

      • CIBARequest

        public CIBARequest(URI uri,
                           ClientAuthentication clientAuth,
                           Scope scope,
                           BearerAccessToken clientNotificationToken,
                           List<ACR> acrValues,
                           String loginHintTokenString,
                           com.nimbusds.jwt.JWT idTokenHint,
                           String loginHint,
                           String bindingMessage,
                           Secret userCode,
                           Integer requestedExpiry,
                           Map<String,List<String>> customParams)
        Creates a new CIBA request.
        Parameters:
        uri - The endpoint URI, null if not specified.
        clientAuth - The client authentication. Must not be null.
        scope - The requested scope. Must not be empty or null.
        clientNotificationToken - The client notification token, null if not specified.
        acrValues - The requested ACR values, null if not specified.
        loginHintTokenString - The login hint token string, null if not specified.
        idTokenHint - The ID Token hint, null if not specified.
        loginHint - The login hint, null if not specified.
        bindingMessage - The binding message, null if not specified.
        userCode - The user code, null if not specified.
        requestedExpiry - The required expiry (as positive integer), null if not specified.
        customParams - Custom parameters, empty or null if not specified.
      • CIBARequest

        public CIBARequest(URI uri,
                           ClientAuthentication clientAuth,
                           com.nimbusds.jwt.SignedJWT signedRequest)
        Creates a new CIBA signed request.
        Parameters:
        uri - The endpoint URI, null if not specified.
        clientAuth - The client authentication. Must not be null.
        signedRequest - The signed request JWT. Must not be null.
    • Method Detail

      • getRegisteredParameterNames

        public static Set<String> getRegisteredParameterNames()
        Returns the registered (standard) CIBA request parameter names.
        Returns:
        The registered CIBA request parameter names, as an unmodifiable set.
      • getScope

        public Scope getScope()
        Gets the scope. Corresponds to the optional scope parameter.
        Returns:
        The scope, null for a signed request.
      • getClientNotificationToken

        public BearerAccessToken getClientNotificationToken()
        Gets the client notification token, required for the CIBA ping and push token delivery modes. Corresponds to the client_notification_token parameter.
        Returns:
        The client notification token, null if not specified.
      • getACRValues

        public List<ACR> getACRValues()
        Gets the requested Authentication Context Class Reference values. Corresponds to the optional acr_values parameter.
        Returns:
        The requested ACR values, null if not specified.
      • getLoginHintTokenString

        public String getLoginHintTokenString()
        Gets the login hint token string, containing information identifying the end-user for whom authentication is being requested. Corresponds to the login_hint_token parameter.
        Returns:
        The login hint token string, null if not specified.
      • getIDTokenHint

        public com.nimbusds.jwt.JWT getIDTokenHint()
        Gets the ID Token hint, passed as a hint to identify the end-user for whom authentication is being requested. Corresponds to the id_token_hint parameter.
        Returns:
        The ID Token hint, null if not specified.
      • getLoginHint

        public String getLoginHint()
        Gets the login hint (email address, phone number, etc), about the end-user for whom authentication is being requested. Corresponds to the login_hint parameter.
        Returns:
        The login hint, null if not specified.
      • getBindingMessage

        public String getBindingMessage()
        Gets the human readable binding message for the display at the consumption and authentication devices. Corresponds to the binding_message parameter.
        Returns:
        The binding message, null if not specified.
      • getUserCode

        public Secret getUserCode()
        Gets the user secret code (password, PIN, etc) to authorise the CIBA request with the authentication device. Corresponds to the user_code parameter.
        Returns:
        The user code, null if not specified.
      • getRequestedExpiry

        public Integer getRequestedExpiry()
        Gets the requested expiration for the auth_req_id. Corresponds to the requested_expiry parameter.
        Returns:
        The required expiry (as positive integer), null if not specified.
      • getCustomParameters

        public Map<String,List<String>> getCustomParameters()
        Returns the additional custom parameters.
        Returns:
        The additional custom parameters as an unmodifiable map, empty map if none.
      • getCustomParameter

        public List<String> getCustomParameter(String name)
        Returns the specified custom parameter.
        Parameters:
        name - The parameter name. Must not be null.
        Returns:
        The parameter value(s), null if not specified.
      • isSigned

        public boolean isSigned()
        Returns true if this request is signed.
        Returns:
        true for a signed request, false for a plain request.
      • getRequestJWT

        public com.nimbusds.jwt.SignedJWT getRequestJWT()
        Returns the JWT for a signed request.
        Returns:
        The request JWT.
      • toParameters

        public Map<String,List<String>> toParameters()
        Returns the parameters for this CIBA request. Parameters which are part of the client authentication are not included.
        Returns:
        The parameters.
      • toJWTClaimsSet

        public com.nimbusds.jwt.JWTClaimsSet toJWTClaimsSet()
        Returns the parameters for this CIBA request as a JSON Web Token (JWT) claims set. Intended for creating a signed CIBA request.
        Returns:
        The parameters as JWT claim set.
      • parse

        public static CIBARequest parse(HTTPRequest httpRequest)
                                 throws ParseException
        Parses a CIBA request from the specified HTTP request.
        Parameters:
        httpRequest - The HTTP request. Must not be null.
        Returns:
        The CIBA request.
        Throws:
        ParseException - If parsing failed.
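
Added example, not part of the SDK documentation: a server-side policy check built on the getters above, applied to a request that is serialised and then read back with parse(). The class name CIBARequestPolicy, the 300-second expiry cap, the client credentials and the login hint are assumptions made for illustration; toHTTPRequest() comes from the Request interface and the package names are those of the Nimbus OAuth 2.0 SDK.

```java
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.ciba.CIBARequest;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import java.net.URI;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical policy check for the backend authentication endpoint. */
public class CIBARequestPolicy {

    /** Returns the policy violations of a plain CIBA request, empty list if none. */
    static List<String> violations(CIBARequest r, boolean pingOrPush, int maxExpirySeconds) {
        List<String> v = new ArrayList<>();
        if (r.isSigned()) { // getScope() and friends are null for a signed request
            v.add("signed request: verify the JWT, then check its claims instead");
            return v;
        }
        int hints = 0; // exactly one end-user hint is expected (CIBA Core 1.0, section 7.1)
        if (r.getLoginHintTokenString() != null) hints++;
        if (r.getIDTokenHint() != null) hints++;
        if (r.getLoginHint() != null) hints++;
        if (hints != 1) v.add("expected exactly one hint, got " + hints);
        BearerAccessToken t = r.getClientNotificationToken();
        if (pingOrPush && t == null) v.add("client_notification_token required for ping/push");
        if (t != null && t.getValue().length() > 1024) v.add("client_notification_token too long");
        if (r.getScope() == null || !r.getScope().contains("openid")) v.add("scope lacks openid");
        Integer exp = r.getRequestedExpiry();
        if (exp != null && exp > maxExpirySeconds) v.add("requested_expiry above server cap");
        return v;
    }

    public static void main(String[] args) throws ParseException {
        CIBARequest sent = new CIBARequest(
            URI.create("https://server.example.com/bc-authorize"),
            new ClientSecretBasic(new ClientID("s6BhdRkqt3"), new Secret("constructed-secret")),
            new Scope("openid", "email"), new BearerAccessToken(), // random token value
            null, null, null,            // acrValues, loginHintTokenString, idTokenHint
            "user@example.com", "W4SCT", // loginHint (constructed), bindingMessage
            null, 600, null);            // userCode, requestedExpiry (seconds), customParams
        // Round trip through the HTTP form encoding, as the server would receive it
        CIBARequest received = CIBARequest.parse(sent.toHTTPRequest());
        System.out.println(violations(received, true, 300));
    }
}
```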