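package com.nimbusds.openid.connect.provider.spi.tokens;


import com.nimbusds.langtag.LangTag;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.auth.X509CertificateConfirmation;
import com.nimbusds.oauth2.sdk.dpop.JWKThumbprintConfirmation;
import com.nimbusds.oauth2.sdk.id.*;
import com.nimbusds.openid.connect.sdk.SubjectType;
import net.minidev.json.JSONObject;
import org.checkerframework.checker.nullness.qual.Nullable;

import java.time.Instant;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.StringJoiner;


/**
 * Mutable access token authorisation.
 *
 * <p>Every property is optional ({@code null} when not specified) and every
 * {@code with...} setter returns {@code this} so that calls can be chained.
 *
 * <p>The getters return the held references as-is: collections and JSON
 * objects passed to a setter, or taken over from a source authorisation in
 * the copy constructor, are not defensively copied, so later changes to them
 * are visible through this object.
 *
 * <p>Instances are not thread-safe.
 */
public final class MutableAccessTokenAuthorization implements AccessTokenAuthorization {


    // The access token subject (end-user or client).
    private @Nullable Subject sub;


    // The actor, for impersonation / delegation scenarios.
    private @Nullable Actor act;


    // The client to which the token is issued.
    private @Nullable ClientID clientID;


    // The granted scope.
    private @Nullable Scope scope;


    // Expiration and issue time of the token.
    private @Nullable Instant exp;


    private @Nullable Instant iat;


    // The token issuer.
    private @Nullable Issuer iss;


    // The intended audience (typically resource server names).
    private @Nullable List<Audience> audList;


    // Public or pairwise subject type; see getLocalSubject() for its effect.
    private @Nullable SubjectType subjectType;


    // The local (system) subject, only meaningful for pairwise subject types.
    private @Nullable Subject localSubject;


    // The JWT ID, for JWT-encoded tokens.
    private @Nullable JWTID jti;


    // Consented OpenID claim names and preferred claim locales.
    private @Nullable Set<String> claimNames;


    private @Nullable List<LangTag> claimsLocales;


    // Preset OpenID claims and claims fulfillment data for the UserInfo
    // endpoint.
    private @Nullable JSONObject presetClaims;


    private @Nullable JSONObject claimsData;


    // Subject session key (session ID with the HMAC omitted).
    private @Nullable String subjectSessionKey;


    // Optional free-form data for the token.
    private @Nullable JSONObject data;


    // Proof-of-possession confirmations: mutual TLS (x5t#S256) and DPoP (jkt).
    private @Nullable X509CertificateConfirmation cnfX5t;


    private @Nullable JWKThumbprintConfirmation cnfJkt;


    // Any other top-level parameters; values should map to JSON entities.
    private @Nullable Map<String, Object> otherTopLevelParams;


    /**
     * Creates a new empty mutable access token authorisation. All
     * properties are {@code null}.
     */
    public MutableAccessTokenAuthorization() {
    }


    /**
     * Creates a new mutable access token authorisation from the specified
     * one. The properties are copied by reference; collections and JSON
     * objects are shared with the source, not cloned.
     *
     * @param source The source access token authorisation. Must not be
     *               {@code null}.
     *
     * @throws NullPointerException If the source is {@code null}.
     */
    public MutableAccessTokenAuthorization(final AccessTokenAuthorization source) {
        // Fail with a clear message instead of an NPE on the first getter
        Objects.requireNonNull(source, "source");
        sub = source.getSubject();
        act = source.getActor();
        clientID = source.getClientID();
        scope = source.getScope();
        exp = source.getExpirationTime();
        iat = source.getIssueTime();
        iss = source.getIssuer();
        audList = source.getAudienceList();
        subjectType = source.getSubjectType();
        // Note: for a PUBLIC source this yields the source subject, see
        // getLocalSubject()
        localSubject = source.getLocalSubject();
        jti = source.getJWTID();
        claimNames = source.getClaimNames();
        claimsLocales = source.getClaimsLocales();
        presetClaims = source.getPresetClaims();
        claimsData = source.getClaimsData();
        subjectSessionKey = source.getSubjectSessionKey();
        data = source.getData();
        cnfX5t = source.getClientCertificateConfirmation();
        cnfJkt = source.getJWKThumbprintConfirmation();
        otherTopLevelParams = source.getOtherTopLevelParameters();
    }


    /**
     * Sets the access token subject.
     *
     * @param sub The subject, {@code null} if not specified.
     *
     * @return This object.
     */
    public MutableAccessTokenAuthorization withSubject(final @Nullable Subject sub) {
        this.sub = sub;
        return this;
    }


    @Override
    public @Nullable Subject getSubject() {
        return sub;
    }


    /**
     * Sets the access token actor, in impersonation and delegation
     * scenarios.
     *
     * @param act The actor, {@code null} if not specified.
     *
     * @return This object.
     */
    public MutableAccessTokenAuthorization withActor(final @Nullable Actor act) {
        this.act = act;
        return this;
    }


    @Override
    public @Nullable Actor getActor() {
        return act;
    }


    /**
     * Sets the identifier of the client to which the access token is
     * issued.
     *
     * @param clientID The client identifier, {@code null} if not
     *                 specified.
     *
     * @return This object.
     */
    public MutableAccessTokenAuthorization withClientID(final @Nullable ClientID clientID) {
        this.clientID = clientID;
        return this;
    }


    @Override
    public @Nullable ClientID getClientID() {
        return clientID;
    }


    /**
     * Sets the scope of the access token.
     *
     * @param scope The scope, {@code null} if not specified.
     *
     * @return This object.
     */
    public MutableAccessTokenAuthorization withScope(final @Nullable Scope scope) {
        this.scope = scope;
        return this;
    }


    @Override
    public @Nullable Scope getScope() {
        return scope;
    }


    /**
     * Sets the expiration time of the access token.
     *
     * @param exp The expiration time, {@code null} if not specified.
     *
     * @return This object.
     */
    public MutableAccessTokenAuthorization withExpirationTime(final @Nullable Instant exp) {
        this.exp = exp;
        return this;
    }


    @Override
    public @Nullable Instant getExpirationTime() {
        return exp;
    }


    /**
     * Sets the issue time of the access token.
     *
     * @param iat The issue time, {@code null} if not specified.
     *
     * @return This object.
     */
    public MutableAccessTokenAuthorization withIssueTime(final @Nullable Instant iat) {
        this.iat = iat;
        return this;
    }


    @Override
    public @Nullable Instant getIssueTime() {
        return iat;
    }


    /**
     * Sets the issuer of the access token.
     *
     * @param iss The issuer, {@code null} if not specified.
     *
     * @return This object.
     */
    public MutableAccessTokenAuthorization withIssuer(final @Nullable Issuer iss) {
        this.iss = iss;
        return this;
    }


    @Override
    public @Nullable Issuer getIssuer() {
        return iss;
    }


    /**
     * Sets the audience list of the access token, which may be the logical
     * names of the intended resource servers.
     *
     * @param audList The audience list, {@code null} if not specified.
     *
     * @return This object.
     */
    public MutableAccessTokenAuthorization withAudienceList(final @Nullable List<Audience> audList) {
        this.audList = audList;
        return this;
    }


    @Override
    public @Nullable List<Audience> getAudienceList() {
        return audList;
    }


    /**
     * Sets the access token subject type.
     *
     * @param subjectType The subject type, {@code null} if not specified
     *                    (may imply {@link SubjectType#PUBLIC public}).
     *
     * @return This object.
     */
    public MutableAccessTokenAuthorization withSubjectType(final @Nullable SubjectType subjectType) {
        this.subjectType = subjectType;
        return this;
    }


    @Override
    public @Nullable SubjectType getSubjectType() {
        return subjectType;
    }


    /**
     * Sets the access token local (system) subject. Ignored by
     * {@link #getLocalSubject()} while the subject type is
     * {@link SubjectType#PUBLIC public}.
     *
     * @param localSubject The local (system) subject, {@code null} if not
     *                     specified or for a pairwise
     *                     {@link #getSubjectType() subject type} that
     *                     couldn't be reversed.
     *
     * @return This object.
     */
    public MutableAccessTokenAuthorization withLocalSubject(final @Nullable Subject localSubject) {
        this.localSubject = localSubject;
        return this;
    }


    /**
     * {@inheritDoc}
     *
     * <p>For a {@link SubjectType#PUBLIC public} subject type the local
     * subject is by definition the {@link #getSubject() subject}, so that
     * is returned regardless of any value set with
     * {@link #withLocalSubject}. A {@code null} subject type is treated as
     * not public here.
     */
    @Override
    public @Nullable Subject getLocalSubject() {
        if (SubjectType.PUBLIC == getSubjectType()) {
            return getSubject();
        } else {
            return localSubject;
        }
    }


    /**
     * Sets the JSON Web Token (JWT) identifier of the access token.
     *
     * @param jti The JWT ID, {@code null} if not specified or applicable.
     *
     * @return This object.
     */
    public MutableAccessTokenAuthorization withJWTID(final @Nullable JWTID jti) {
        this.jti = jti;
        return this;
    }


    @Override
    public @Nullable JWTID getJWTID() {
        return jti;
    }


    /**
     * Sets the names of the consented OpenID claims to be accessed at
     * the UserInfo endpoint.
     *
     * @param claimNames The claim names, {@code null} if not specified.
     *
     * @return This object.
     */
    public MutableAccessTokenAuthorization withClaimNames(final @Nullable Set<String> claimNames) {
        this.claimNames = claimNames;
        return this;
    }


    @Override
    public @Nullable Set<String> getClaimNames() {
        return claimNames;
    }


    /**
     * Sets the preferred locales for the consented OpenID claims.
     *
     * @param claimsLocales The preferred claims locales, {@code null} if
     *                      not specified.
     *
     * @return This object.
     */
    public MutableAccessTokenAuthorization withClaimsLocales(final @Nullable List<LangTag> claimsLocales) {
        this.claimsLocales = claimsLocales;
        return this;
    }


    @Override
    public @Nullable List<LangTag> getClaimsLocales() {
        return claimsLocales;
    }


    /**
     * Sets the preset OpenID claims to be included in the UserInfo
     * response.
     *
     * @param presetClaims The preset OpenID claims, {@code null} if not
     *                     specified.
     *
     * @return This object.
     */
    public MutableAccessTokenAuthorization withPresetClaims(final @Nullable JSONObject presetClaims) {
        this.presetClaims = presetClaims;
        return this;
    }


    @Override
    public @Nullable JSONObject getPresetClaims() {
        return presetClaims;
    }


    /**
     * Sets the OpenID claims fulfillment data for the claims source at the
     * UserInfo endpoint.
     *
     * @param claimsData The OpenID claims fulfillment data, {@code null}
     *                   if not specified.
     *
     * @return This object.
     */
    public MutableAccessTokenAuthorization withClaimsData(final @Nullable JSONObject claimsData) {
        this.claimsData = claimsData;
        return this;
    }


    @Override
    public @Nullable JSONObject getClaimsData() {
        return claimsData;
    }


    /**
     * Sets the associated subject (end-user) session key (session ID with
     * omitted HMAC).
     *
     * @param subjectSessionKey The subject session key, {@code null} if
     *                          not available.
     *
     * @return This object.
     */
    public MutableAccessTokenAuthorization withSubjectSessionKey(final @Nullable String subjectSessionKey) {
        this.subjectSessionKey = subjectSessionKey;
        return this;
    }


    /**
     * Sets the associated subject (end-user) session key (session ID with
     * omitted HMAC).
     *
     * @param subjectSessionKey The subject session key, {@code null} if
     *                          not available.
     *
     * @return This object.
     *
     * @deprecated Kept for source compatibility; the name is inconsistent
     *             with {@link #getSubjectSessionKey()}. Use
     *             {@link #withSubjectSessionKey(String)} instead.
     */
    @Deprecated
    public MutableAccessTokenAuthorization withSubjectSessionkey(final @Nullable String subjectSessionKey) {
        return withSubjectSessionKey(subjectSessionKey);
    }


    @Override
    public @Nullable String getSubjectSessionKey() {
        return subjectSessionKey;
    }


    /**
     * Sets the optional data for the access token.
     *
     * @param data The optional data, represented as a JSON object,
     *             {@code null} if not specified.
     *
     * @return This object.
     */
    public MutableAccessTokenAuthorization withData(final @Nullable JSONObject data) {
        this.data = data;
        return this;
    }


    @Override
    public @Nullable JSONObject getData() {
        return data;
    }


    /**
     * Sets the client X.509 certificate confirmation (SHA-256 thumbprint)
     * for mutual TLS.
     *
     * @param cnfX5t The client X.509 certificate confirmation,
     *               {@code null} if none.
     *
     * @return This object.
     */
    public MutableAccessTokenAuthorization withClientCertificateConfirmation(final @Nullable X509CertificateConfirmation cnfX5t) {
        this.cnfX5t = cnfX5t;
        return this;
    }


    @Override
    public @Nullable X509CertificateConfirmation getClientCertificateConfirmation() {
        return cnfX5t;
    }


    /**
     * Sets the JWK SHA-256 thumbprint confirmation for DPoP.
     *
     * @param cnfJkt The JWK thumbprint confirmation, {@code null} if none.
     *
     * @return This object.
     */
    public MutableAccessTokenAuthorization withJWKThumbprintConfirmation(final @Nullable JWKThumbprintConfirmation cnfJkt) {
        this.cnfJkt = cnfJkt;
        return this;
    }


    @Override
    public @Nullable JWKThumbprintConfirmation getJWKThumbprintConfirmation() {
        return cnfJkt;
    }


    /**
     * Sets the other top-level parameters.
     *
     * @param params Other top-level parameters, the values should map to
     *               JSON entities, {@code null} if none.
     *
     * @return This object.
     */
    public MutableAccessTokenAuthorization withOtherTopLevelParameters(final @Nullable Map<String, Object> params) {
        otherTopLevelParams = params;
        return this;
    }


    @Override
    public @Nullable Map<String, Object> getOtherTopLevelParameters() {
        return otherTopLevelParams;
    }


    /**
     * Returns a debugging representation listing every property. The
     * output includes the subject session key, the preset claims, the
     * claims data and the optional data verbatim, so treat it as
     * sensitive and do not write it to persistent logs.
     *
     * @return The string representation.
     */
    @Override
    public String toString() {
        return new StringJoiner(", ", MutableAccessTokenAuthorization.class.getSimpleName() + "[", "]")
            .add("sub=" + sub)
            .add("act=" + act)
            .add("clientID=" + clientID)
            .add("scope=" + scope)
            .add("exp=" + exp)
            .add("iat=" + iat)
            .add("iss=" + iss)
            .add("audList=" + audList)
            .add("subType=" + subjectType)
            .add("localSub=" + localSubject)
            .add("jti=" + jti)
            .add("claimNames=" + claimNames)
            .add("claimsLocales=" + claimsLocales)
            .add("presetClaims=" + presetClaims)
            .add("claimsData=" + claimsData)
            .add("subjectSessionKey=" + subjectSessionKey)
            .add("data=" + data)
            .add("cnfX5t=" + cnfX5t)
            .add("cnfJkt=" + cnfJkt)
            .add("otherTopLevelParams=" + otherTopLevelParams)
            .toString();
    }
}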