Class CIBARequest

  • All Implemented Interfaces:
    Message, Request

    @Immutable
    public class CIBARequest
    extends AbstractAuthenticatedRequest

    CIBA request to an OpenID provider / OAuth 2.0 authorisation server backend authentication endpoint. Supports plan as well as signed (JWT) requests.

    Example HTTP request:

     POST /bc-authorize HTTP/1.1
     Host: server.example.com
     Content-Type: application/x-www-form-urlencoded
    
     scope=openid%20email%20example-scope&
     client_notification_token=8d67dc78-7faa-4d41-aabd-67707b374255&
     binding_message=W4SCT&
     login_hint_token=eyJraWQiOiJsdGFjZXNidyIsImFsZyI6IkVTMjU2In0.eyJ
     zdWJfaWQiOnsic3ViamVjdF90eXBlIjoicGhvbmUiLCJwaG9uZSI6IisxMzMwMjg
     xODAwNCJ9fQ.Kk8jcUbHjJAQkRSHyDuFQr3NMEOSJEZc85VfER74tX6J9CuUllr8
     9WKUHUR7MA0-mWlptMRRhdgW1ZDt7g1uwQ&
     client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3A
     client-assertion-type%3Ajwt-bearer&
     client_assertion=eyJraWQiOiJsdGFjZXNidyIsImFsZyI6IkVTMjU2In0.eyJ
     pc3MiOiJzNkJoZFJrcXQzIiwic3ViIjoiczZCaGRSa3F0MyIsImF1ZCI6Imh0dHB
     zOi8vc2VydmVyLmV4YW1wbGUuY29tIiwianRpIjoiYmRjLVhzX3NmLTNZTW80RlN
     6SUoyUSIsImlhdCI6MTUzNzgxOTQ4NiwiZXhwIjoxNTM3ODE5Nzc3fQ.Ybr8mg_3
     E2OptOSsA8rnelYO_y1L-yFaF_j1iemM3ntB61_GN3APe5cl_-5a6cvGlP154XAK
     7fL-GaZSdnd9kg
     

    Related specifications:

    • OpenID Connect CIBA Flow - Core 1.0, section 7.1.
    • Constructor Detail

      • CIBARequest

        @Deprecated
        public CIBARequest​(URI uri,
                           ClientAuthentication clientAuth,
                           Scope scope,
                           BearerAccessToken clientNotificationToken,
                           List<ACR> acrValues,
                           String loginHintTokenString,
                           com.nimbusds.jwt.JWT idTokenHint,
                           String loginHint,
                           String bindingMessage,
                           Secret userCode,
                           Integer requestedExpiry,
                           Map<String,​List<String>> customParams)
        Deprecated.
        Creates a new CIBA request.
        Parameters:
        uri - The endpoint URI, null if not specified.
        clientAuth - The client authentication. Must not be null.
        scope - The requested scope. Must not be empty or null.
        clientNotificationToken - The client notification token, null if not specified.
        acrValues - The requested ACR values, null if not specified.
        loginHintTokenString - The login hint token string, null if not specified.
        idTokenHint - The ID Token hint, null if not specified.
        loginHint - The login hint, null if not specified.
        bindingMessage - The binding message, null if not specified.
        userCode - The user code, null if not specified.
        requestedExpiry - The required expiry (as positive integer), null if not specified.
        customParams - Custom parameters, empty or null if not specified.
      • CIBARequest

        public CIBARequest​(URI uri,
                           ClientAuthentication clientAuth,
                           Scope scope,
                           BearerAccessToken clientNotificationToken,
                           List<ACR> acrValues,
                           String loginHintTokenString,
                           com.nimbusds.jwt.JWT idTokenHint,
                           String loginHint,
                           String bindingMessage,
                           Secret userCode,
                           Integer requestedExpiry,
                           OIDCClaimsRequest claims,
                           Map<String,​List<String>> customParams)
        Creates a new CIBA request.
        Parameters:
        uri - The endpoint URI, null if not specified.
        clientAuth - The client authentication. Must not be null.
        scope - The requested scope. Must not be empty or null.
        clientNotificationToken - The client notification token, null if not specified.
        acrValues - The requested ACR values, null if not specified.
        loginHintTokenString - The login hint token string, null if not specified.
        idTokenHint - The ID Token hint, null if not specified.
        loginHint - The login hint, null if not specified.
        bindingMessage - The binding message, null if not specified.
        userCode - The user code, null if not specified.
        requestedExpiry - The required expiry (as positive integer), null if not specified.
        claims - The individual OpenID claims to be returned. Corresponds to the optional claims parameter. null if not specified.
        customParams - Custom parameters, empty or null if not specified.
      • CIBARequest

        public CIBARequest​(URI uri,
                           ClientAuthentication clientAuth,
                           com.nimbusds.jwt.SignedJWT signedRequest)
        Creates a new CIBA signed request.
        Parameters:
        uri - The endpoint URI, null if not specified.
        clientAuth - The client authentication. Must not be null.
        signedRequest - The signed request JWT. Must not be null.
    • Method Detail

      • getRegisteredParameterNames

        public static Set<StringgetRegisteredParameterNames()
        Returns the registered (standard) CIBA request parameter names.
        Returns:
        The registered CIBA request parameter names, as a unmodifiable set.
      • getScope

        public Scope getScope()
        Returns the scope. Corresponds to the optional scope parameter.
        Returns:
        The scope, null for a signed request.
      • getClientNotificationToken

        public BearerAccessToken getClientNotificationToken()
        Returns the client notification token, required for the CIBA ping and push token delivery modes. Corresponds to the client_notification_token parameter.
        Returns:
        The client notification token, null if not specified.
      • getACRValues

        public List<ACRgetACRValues()
        Returns the requested Authentication Context Class Reference values. Corresponds to the optional acr_values parameter.
        Returns:
        The requested ACR values, null if not specified.
      • getLoginHintTokenString

        public String getLoginHintTokenString()
        Returns the login hint token string, containing information identifying the end-user for whom authentication is being requested. Corresponds to the login_hint_token parameter.
        Returns:
        The login hint token string, null if not specified.
      • getIDTokenHint

        public com.nimbusds.jwt.JWT getIDTokenHint()
        Returns the ID Token hint, passed as a hint to identify the end-user for whom authentication is being requested. Corresponds to the id_token_hint parameter.
        Returns:
        The ID Token hint, null if not specified.
      • getLoginHint

        public String getLoginHint()
        Returns the login hint (email address, phone number, etc), about the end-user for whom authentication is being requested. Corresponds to the login_hint parameter.
        Returns:
        The login hint, null if not specified.
      • getBindingMessage

        public String getBindingMessage()
        Returns the human-readable binding message for the display at the consumption and authentication devices. Corresponds to the binding_message parameter.
        Returns:
        The binding message, null if not specified.
      • getUserCode

        public Secret getUserCode()
        Returns the user secret code (password, PIN, etc) to authorise the CIBA request with the authentication device. Corresponds to the user_code parameter.
        Returns:
        The user code, null if not specified.
      • getRequestedExpiry

        public Integer getRequestedExpiry()
        Returns the requested expiration for the auth_req_id. Corresponds to the requested_expiry parameter.
        Returns:
        The required expiry (as positive integer), null if not specified.
      • getOIDCClaims

        public OIDCClaimsRequest getOIDCClaims()
        Returns the individual OpenID claims to be returned. Corresponds to the optional claims parameter.
        Returns:
        The individual claims to be returned, null if not specified.
      • getCustomParameters

        public Map<String,​List<String>> getCustomParameters()
        Returns the additional custom parameters.
        Returns:
        The additional custom parameters as a unmodifiable map, empty map if none.
      • getCustomParameter

        public List<StringgetCustomParameter​(String name)
        Returns the specified custom parameter.
        Parameters:
        name - The parameter name. Must not be null.
        Returns:
        The parameter value(s), null if not specified.
      • isSigned

        public boolean isSigned()
        Returns true if this request is signed.
        Returns:
        true for a signed request, false for a plain request.
      • getRequestJWT

        public com.nimbusds.jwt.SignedJWT getRequestJWT()
        Returns the JWT for a signed request.
        Returns:
        The request JWT.
      • toParameters

        public Map<String,​List<String>> toParameters()
        Returns the for parameters for this CIBA request. Parameters which are part of the client authentication are not included.
        Returns:
        The parameters.
      • toJWTClaimsSet

        public com.nimbusds.jwt.JWTClaimsSet toJWTClaimsSet()
        Returns the parameters for this CIBA request as a JSON Web Token (JWT) claims set. Intended for creating a signed CIBA request.
        Returns:
        The parameters as JWT claim set.
      • parse

        public static CIBARequest parse​(HTTPRequest httpRequest)
                                 throws ParseException
        Parses a CIBA request from the specified HTTP request.
        Parameters:
        httpRequest - The HTTP request. Must not be null.
        Returns:
        The CIBA request.
        Throws:
        ParseException - If parsing failed.