001/* 002 * oauth2-oidc-sdk 003 * 004 * Copyright 2012-2021, Connect2id Ltd and contributors. 005 * 006 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use 007 * this file except in compliance with the License. You may obtain a copy of the 008 * License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software distributed 013 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR 014 * CONDITIONS OF ANY KIND, either express or implied. See the License for the 015 * specific language governing permissions and limitations under the License. 016 */ 017 018package com.nimbusds.oauth2.sdk.as; 019 020 021import java.net.URI; 022import java.util.List; 023import java.util.Map; 024 025import net.minidev.json.JSONObject; 026 027import com.nimbusds.jose.EncryptionMethod; 028import com.nimbusds.jose.JWEAlgorithm; 029import com.nimbusds.jose.JWSAlgorithm; 030import com.nimbusds.jose.jwk.JWKSet; 031import com.nimbusds.langtag.LangTag; 032import com.nimbusds.oauth2.sdk.GrantType; 033import com.nimbusds.oauth2.sdk.ResponseMode; 034import com.nimbusds.oauth2.sdk.ResponseType; 035import com.nimbusds.oauth2.sdk.Scope; 036import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod; 037import com.nimbusds.oauth2.sdk.ciba.BackChannelTokenDeliveryMode; 038import com.nimbusds.oauth2.sdk.client.ClientType; 039import com.nimbusds.oauth2.sdk.id.Issuer; 040import com.nimbusds.oauth2.sdk.pkce.CodeChallengeMethod; 041import com.nimbusds.openid.connect.sdk.Prompt; 042import com.nimbusds.openid.connect.sdk.federation.registration.ClientRegistrationType; 043import com.nimbusds.openid.connect.sdk.op.EndpointName; 044 045 046/** 047 * Read-only OAuth 2.0 Authorisation Server (AS) metadata. 048 * 049 * <p>Related specifications: 050 * 051 * <ul> 052 * <li>OAuth 2.0 Authorization Server Metadata (RFC 8414) 053 * <li>OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound 054 * Access Tokens (RFC 8705) 055 * <li>OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer 056 * (DPoP) (draft-ietf-oauth-dpop-11) 057 * <li>Financial-grade API: JWT Secured Authorization Response Mode for 058 * OAuth 2.0 (JARM) 059 * <li>OAuth 2.0 Authorization Server Issuer Identification (RFC 9207) 060 * <li>Financial-grade API - Part 2: Read and Write API Security Profile 061 * <li>OAuth 2.0 Pushed Authorization Requests (RFC 9126) 062 * <li>OAuth 2.0 Device Authorization Grant (RFC 8628) 063 * <li>OpenID Connect Client Initiated Backchannel Authentication Flow - 064 * Core 1.0 065 * <li>OAuth 2.0 Incremental Authorization 066 * (draft-ietf-oauth-incremental-authz-04) 067 * <li>Initiating User Registration via OpenID Connect (draft 04) 068 * <li>OpenID Connect Federation 1.0 (draft 22) 069 * </ul> 070 */ 071public interface ReadOnlyAuthorizationServerMetadata extends ReadOnlyAuthorizationServerEndpointMetadata { 072 073 074 /** 075 * Gets the issuer identifier. Corresponds to the {@code issuer} 076 * metadata field. 077 * 078 * @return The issuer identifier. 079 */ 080 Issuer getIssuer(); 081 082 083 /** 084 * Gets the JSON Web Key (JWK) set URI. Corresponds to the 085 * {@code jwks_uri} metadata field. 086 * 087 * @return The JWK set URI, {@code null} if not specified. 088 */ 089 URI getJWKSetURI(); 090 091 092 /** 093 * Gets the supported scope values. Corresponds to the 094 * {@code scopes_supported} metadata field. 095 * 096 * @return The supported scope values, {@code null} if not specified. 097 */ 098 Scope getScopes(); 099 100 101 /** 102 * Gets the supported response type values. Corresponds to the 103 * {@code response_types_supported} metadata field. 104 * 105 * @return The supported response type values, {@code null} if not 106 * specified. 107 */ 108 List<ResponseType> getResponseTypes(); 109 110 111 /** 112 * Gets the supported response mode values. Corresponds to the 113 * {@code response_modes_supported}. 114 * 115 * @return The supported response mode values, {@code null} if not 116 * specified. 117 */ 118 List<ResponseMode> getResponseModes(); 119 120 121 /** 122 * Gets the supported OAuth 2.0 grant types. Corresponds to the 123 * {@code grant_types_supported} metadata field. 124 * 125 * @return The supported grant types, {@code null} if not specified. 126 */ 127 List<GrantType> getGrantTypes(); 128 129 130 /** 131 * Gets the supported authorisation code challenge methods for PKCE. 132 * Corresponds to the {@code code_challenge_methods_supported} metadata 133 * field. 134 * 135 * @return The supported code challenge methods, {@code null} if not 136 * specified. 137 */ 138 List<CodeChallengeMethod> getCodeChallengeMethods(); 139 140 141 /** 142 * Gets the supported token endpoint authentication methods. 143 * Corresponds to the {@code token_endpoint_auth_methods_supported} 144 * metadata field. 145 * 146 * @return The supported token endpoint authentication methods, 147 * {@code null} if not specified. 148 */ 149 List<ClientAuthenticationMethod> getTokenEndpointAuthMethods(); 150 151 152 /** 153 * Gets the supported JWS algorithms for the {@code private_key_jwt} 154 * and {@code client_secret_jwt} token endpoint authentication methods. 155 * Corresponds to the 156 * {@code token_endpoint_auth_signing_alg_values_supported} metadata 157 * field. 158 * 159 * @return The supported JWS algorithms, {@code null} if not specified. 160 */ 161 List<JWSAlgorithm> getTokenEndpointJWSAlgs(); 162 163 164 /** 165 * Gets the supported introspection endpoint authentication methods. 166 * Corresponds to the 167 * {@code introspection_endpoint_auth_methods_supported} metadata 168 * field. 169 * 170 * @return The supported introspection endpoint authentication methods, 171 * {@code null} if not specified. 172 */ 173 List<ClientAuthenticationMethod> getIntrospectionEndpointAuthMethods(); 174 175 176 /** 177 * Gets the supported JWS algorithms for the {@code private_key_jwt} 178 * and {@code client_secret_jwt} introspection endpoint authentication 179 * methods. Corresponds to the 180 * {@code introspection_endpoint_auth_signing_alg_values_supported} 181 * metadata field. 182 * 183 * @return The supported JWS algorithms, {@code null} if not specified. 184 */ 185 List<JWSAlgorithm> getIntrospectionEndpointJWSAlgs(); 186 187 188 /** 189 * Gets the supported revocation endpoint authentication methods. 190 * Corresponds to the 191 * {@code revocation_endpoint_auth_methods_supported} metadata field. 192 * 193 * @return The supported revocation endpoint authentication methods, 194 * {@code null} if not specified. 195 */ 196 List<ClientAuthenticationMethod> getRevocationEndpointAuthMethods(); 197 198 199 /** 200 * Gets the supported JWS algorithms for the {@code private_key_jwt} 201 * and {@code client_secret_jwt} revocation endpoint authentication 202 * methods. Corresponds to the 203 * {@code revocation_endpoint_auth_signing_alg_values_supported} 204 * metadata field. 205 * 206 * @return The supported JWS algorithms, {@code null} if not specified. 207 */ 208 List<JWSAlgorithm> getRevocationEndpointJWSAlgs(); 209 210 211 /** 212 * Gets the supported JWS algorithms for request objects. Corresponds 213 * to the {@code request_object_signing_alg_values_supported} metadata 214 * field. 215 * 216 * @return The supported JWS algorithms, {@code null} if not specified. 217 */ 218 List<JWSAlgorithm> getRequestObjectJWSAlgs(); 219 220 221 /** 222 * Gets the supported JWE algorithms for request objects. Corresponds 223 * to the {@code request_object_encryption_alg_values_supported} 224 * metadata field. 225 * 226 * @return The supported JWE algorithms, {@code null} if not specified. 227 */ 228 List<JWEAlgorithm> getRequestObjectJWEAlgs(); 229 230 231 /** 232 * Gets the supported encryption methods for request objects. 233 * Corresponds to the 234 * {@code request_object_encryption_enc_values_supported} metadata 235 * field. 236 * 237 * @return The supported encryption methods, {@code null} if not 238 * specified. 239 */ 240 List<EncryptionMethod> getRequestObjectJWEEncs(); 241 242 243 /** 244 * Gets the support for the {@code request} authorisation request 245 * parameter. Corresponds to the {@code request_parameter_supported} 246 * metadata field. 247 * 248 * @return {@code true} if the {@code reqeust} parameter is supported, 249 * else {@code false}. 250 */ 251 boolean supportsRequestParam(); 252 253 254 /** 255 * Gets the support for the {@code request_uri} authorisation request 256 * parameter. Corresponds to the 257 * {@code request_uri_parameter_supported} metadata field. 258 * 259 * @return {@code true} if the {@code request_uri} parameter is 260 * supported, else {@code false}. 261 */ 262 boolean supportsRequestURIParam(); 263 264 265 /** 266 * Gets the requirement for the {@code request_uri} parameter 267 * pre-registration. Corresponds to the 268 * {@code require_request_uri_registration} metadata field. 269 * 270 * @return {@code true} if the {@code request_uri} parameter values 271 * must be pre-registered, else {@code false}. 272 */ 273 boolean requiresRequestURIRegistration(); 274 275 276 /** 277 * Gets the support for the {@code iss} authorisation response 278 * parameter. Corresponds to the 279 * {@code authorization_response_iss_parameter_supported} metadata 280 * field. 281 * 282 * @return {@code true} if the {@code iss} authorisation response 283 * parameter is provided, else {@code false}. 284 */ 285 boolean supportsAuthorizationResponseIssuerParam(); 286 287 288 /** 289 * Gets the supported UI locales. Corresponds to the 290 * {@code ui_locales_supported} metadata field. 291 * 292 * @return The supported UI locales, {@code null} if not specified. 293 */ 294 List<LangTag> getUILocales(); 295 296 297 /** 298 * Gets the service documentation URI. Corresponds to the 299 * {@code service_documentation} metadata field. 300 * 301 * @return The service documentation URI, {@code null} if not 302 * specified. 303 */ 304 URI getServiceDocsURI(); 305 306 307 /** 308 * Gets the provider's policy regarding relying party use of data. 309 * Corresponds to the {@code op_policy_uri} metadata field. 310 * 311 * @return The policy URI, {@code null} if not specified. 312 */ 313 URI getPolicyURI(); 314 315 316 /** 317 * Gets the provider's terms of service. Corresponds to the 318 * {@code op_tos_uri} metadata field. 319 * 320 * @return The terms of service URI, {@code null} if not specified. 321 */ 322 URI getTermsOfServiceURI(); 323 324 325 /** 326 * Gets the aliases for communication with mutual TLS. Corresponds to 327 * the {@code mtls_endpoint_aliases} metadata field. 328 * 329 * @return The aliases for communication with mutual TLS, {@code null} 330 * when no aliases are defined. 331 */ 332 ReadOnlyAuthorizationServerEndpointMetadata getReadOnlyMtlsEndpointAliases(); 333 334 335 /** 336 * Gets the support for TLS client certificate bound access tokens. 337 * Corresponds to the 338 * {@code tls_client_certificate_bound_access_tokens} metadata field. 339 * 340 * @return {@code true} if TLS client certificate bound access tokens 341 * are supported, else {@code false}. 342 */ 343 boolean supportsTLSClientCertificateBoundAccessTokens(); 344 345 346 /** 347 * Gets the support for TLS client certificate bound access tokens. 348 * Corresponds to the 349 * {@code tls_client_certificate_bound_access_tokens} metadata field. 350 * 351 * @return {@code true} if TLS client certificate bound access tokens 352 * are supported, else {@code false}. 353 */ 354 @Deprecated 355 boolean supportsMutualTLSSenderConstrainedAccessTokens(); 356 357 358 /** 359 * Gets the supported JWS algorithms for Demonstrating 360 * Proof-of-Possession at the Application Layer (DPoP). Corresponds to 361 * the "dpop_signing_alg_values_supported" metadata field. 362 * 363 * @return The supported JWS algorithms for DPoP, {@code null} if none. 364 */ 365 List<JWSAlgorithm> getDPoPJWSAlgs(); 366 367 368 /** 369 * Gets the supported JWS algorithms for JWT-encoded authorisation 370 * responses. Corresponds to the 371 * {@code authorization_signing_alg_values_supported} metadata field. 372 * 373 * @return The supported JWS algorithms, {@code null} if not specified. 374 */ 375 List<JWSAlgorithm> getAuthorizationJWSAlgs(); 376 377 378 /** 379 * Gets the supported JWE algorithms for JWT-encoded authorisation 380 * responses. Corresponds to the 381 * {@code authorization_encryption_alg_values_supported} metadata 382 * field. 383 * 384 * @return The supported JWE algorithms, {@code null} if not specified. 385 */ 386 List<JWEAlgorithm> getAuthorizationJWEAlgs(); 387 388 389 /** 390 * Gets the supported encryption methods for JWT-encoded authorisation 391 * responses. Corresponds to the 392 * {@code authorization_encryption_enc_values_supported} metadata 393 * field. 394 * 395 * @return The supported encryption methods, {@code null} if not 396 * specified. 397 */ 398 List<EncryptionMethod> getAuthorizationJWEEncs(); 399 400 401 /** 402 * Gets the requirement for pushed authorisation requests (PAR). 403 * Corresponds to the {@code pushed_authorization_request_endpoint} 404 * metadata field. 405 * 406 * @return {@code true} if PAR is required, else {@code false}. 407 */ 408 boolean requiresPushedAuthorizationRequests(); 409 410 411 /** 412 * Gets the supported OAuth 2.0 client types for incremental 413 * authorisation. Corresponds to the 414 * {@code incremental_authz_types_supported} metadata field. 415 * 416 * @return The supported client types for incremental authorisation, 417 * {@code null} if not specified. 418 */ 419 List<ClientType> getIncrementalAuthorizationTypes(); 420 421 422 /** 423 * Gets the supported CIBA token delivery modes. Corresponds to the 424 * {@code backchannel_token_delivery_modes_supported} metadata field. 425 * 426 * @return The CIBA token delivery modes, {@code null} if not 427 * specified. 428 */ 429 List<BackChannelTokenDeliveryMode> getBackChannelTokenDeliveryModes(); 430 431 432 /** 433 * Gets the supported JWS algorithms for CIBA requests. Corresponds to 434 * the {@code backchannel_authentication_request_signing_alg_values_supported} 435 * metadata field. 436 * 437 * @return The supported JWS algorithms, {@code null} if not specified. 438 */ 439 List<JWSAlgorithm> getBackChannelAuthenticationRequestJWSAlgs(); 440 441 442 /** 443 * Gets the support for the {@code user_code} CIBA request parameter. 444 * Corresponds to the {@code backchannel_user_code_parameter_supported} 445 * metadata field. 446 * 447 * @return {@code true} if the {@code user_code} parameter is 448 * supported, else {@code false}. 449 */ 450 boolean supportsBackChannelUserCodeParam(); 451 452 453 /** 454 * Gets the supported {@link Prompt.Type prompt types}. Corresponds to 455 * the {@code prompt_values_supported} metadata field. 456 * 457 * @return The supported prompt types, {@code null} if not specified. 458 */ 459 List<Prompt.Type> getPromptTypes(); 460 461 462 463 464 465 /** 466 * Gets the organisation name (OpenID Connect Federation 1.0). 467 * Corresponds to the {@code organization_name} metadata field. 468 * 469 * @return The organisation name, {@code null} if not specified. 470 */ 471 String getOrganizationName(); 472 473 474 /** 475 * Gets the JWK set (OpenID Connect Federation 1.0). Corresponds to the 476 * {@code jwks} metadata field. 477 * 478 * @return The JWK set, {@code null} if not specified. 479 */ 480 JWKSet getJWKSet(); 481 482 483 /** 484 * Gets the signed JWK set URI (OpenID Connect Federation 1.0). 485 * Corresponds to the {@code signed_jwks_uri} metadata field. 486 * 487 * @return The signed JWK set URI, {@code null} if not specified. 488 */ 489 URI getSignedJWKSetURI(); 490 491 492 /** 493 * Gets the supported OpenID Connect Federation 1.0 client registration 494 * types. Corresponds to the 495 * {@code client_registration_types_supported} metadata field. 496 * 497 * @return The supported client registration types, {@code null} if not 498 * specified. 499 */ 500 List<ClientRegistrationType> getClientRegistrationTypes(); 501 502 503 /** 504 * Gets the supported request authentication methods for automatic 505 * OpenID Connect Federation 1.0 client registration. Corresponds to 506 * the {@code request_authentication_methods_supported} field. 507 * 508 * @return The supported request authentication methods for automatic 509 * federation client registration, {@code null} if not specified. 510 */ 511 Map<EndpointName, List<ClientAuthenticationMethod>> getClientRegistrationAuthnMethods(); 512 513 514 /** 515 * Gets the supported JWS algorithms for authenticating automatic 516 * OpenID Connect Federation 1.0 client registration requests. 517 * Corresponds to the 518 * {@code request_authentication_signing_alg_values_supported}. 519 * 520 * @return The supported JWS algorithms, {@code null} if not specified. 521 */ 522 List<JWSAlgorithm> getClientRegistrationAuthnJWSAlgs(); 523 524 525 /** 526 * Gets the specified custom (not registered) parameter. 527 * 528 * @param name The parameter name. Must not be {@code null}. 529 * @return The parameter value, {@code null} if not specified. 530 */ 531 Object getCustomParameter(String name); 532 533 534 /** 535 * Gets the specified custom (not registered) URI parameter. 536 * 537 * @param name The parameter name. Must not be {@code null}. 538 * @return The parameter URI value, {@code null} if not specified. 539 */ 540 URI getCustomURIParameter(String name); 541 542 543 /** 544 * Gets the custom (not registered) parameters. 545 * 546 * @return The custom parameters, empty JSON object if none. 547 */ 548 JSONObject getCustomParameters(); 549 550 551 /** 552 * Returns the JSON object representation of the metadata. 553 * 554 * @return The JSON object representation. 555 */ 556 JSONObject toJSONObject(); 557}