Class ClientMetadata

java.lang.Object
com.nimbusds.oauth2.sdk.client.ClientMetadata
Direct Known Subclasses:
OIDCClientMetadata

public class ClientMetadata extends Object
Client metadata.

Example client metadata, serialised to a JSON object:

 {
  "redirect_uris"              : ["https://client.example.org/callback",
                                  "https://client.example.org/callback2"],
  "client_name"                : "My Example Client",
  "client_name#ja-Jpan-JP"     : "クライアント名",
  "token_endpoint_auth_method" : "client_secret_basic",
  "scope"                      : "read write dolphin",
  "logo_uri"                   : "https://client.example.org/logo.png",
  "jwks_uri"                   : "https://client.example.org/my_public_keys.jwks"
 }
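An added example (not part of the SDK's Javadoc) showing how an authorisation server might use the getters documented below to vet client metadata against a local hardening policy before accepting a registration. The policy rules, the class name ClientMetadataPolicyExample and the checkPolicy helper are assumptions made for illustration; the metadata values are constructed.

```java
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.oauth2.sdk.GrantType;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
import com.nimbusds.oauth2.sdk.client.ClientMetadata;

import java.net.URI;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;

public class ClientMetadataPolicyExample {

    // Hypothetical local policy (an assumption of this example, not SDK behaviour).
    // Returns the violations found; an empty list means the metadata is acceptable.
    static List<String> checkPolicy(ClientMetadata md) {
        List<String> violations = new ArrayList<>();

        // redirect_uris: the getter returns null when the field is not specified
        Set<URI> redirectURIs = md.getRedirectionURIs();
        if (redirectURIs == null || redirectURIs.isEmpty()) {
            violations.add("redirect_uris: none registered");
        } else {
            for (URI uri : redirectURIs) {
                if (!"https".equalsIgnoreCase(uri.getScheme())) {
                    violations.add("redirect_uris: not https: " + uri);
                }
            }
        }

        // grant_types: refuse grants that hand tokens or passwords to the front channel
        Set<GrantType> grants = md.getGrantTypes();
        if (grants != null
                && (grants.contains(GrantType.IMPLICIT) || grants.contains(GrantType.PASSWORD))) {
            violations.add("grant_types: implicit and password grants are not accepted");
        }

        // token_endpoint_auth_method: require key-based client authentication
        ClientAuthenticationMethod auth = md.getTokenEndpointAuthMethod();
        if (!ClientAuthenticationMethod.PRIVATE_KEY_JWT.equals(auth)) {
            violations.add("token_endpoint_auth_method: private_key_jwt required, got " + auth);
        } else {
            // private_key_jwt needs an asymmetric signing algorithm and registered keys
            JWSAlgorithm alg = md.getTokenEndpointAuthJWSAlg();
            if (alg == null || !JWSAlgorithm.Family.SIGNATURE.contains(alg)) {
                violations.add("token_endpoint_auth_signing_alg: asymmetric algorithm required, got " + alg);
            }
            if (md.getJWKSetURI() == null && md.getJWKSet() == null) {
                violations.add("jwks_uri / jwks: no client keys registered");
            }
        }

        // jwks_uri: keys fetched over plain http could be swapped in transit
        URI jwkSetURI = md.getJWKSetURI();
        if (jwkSetURI != null && !"https".equalsIgnoreCase(jwkSetURI.getScheme())) {
            violations.add("jwks_uri: not https: " + jwkSetURI);
        }

        // Sender-constrained access tokens: DPoP or mutual TLS certificate binding
        if (!md.getDPoPBoundAccessTokens() && !md.getTLSClientCertificateBoundAccessTokens()) {
            violations.add("access tokens: neither DPoP nor TLS certificate binding requested");
        }

        // Pushed authorisation requests (PAR)
        if (!md.requiresPushedAuthorizationRequests()) {
            violations.add("PAR: pushed authorisation requests not required");
        }

        return violations;
    }

    public static void main(String[] args) {
        // Constructed metadata that satisfies the policy
        ClientMetadata hardened = new ClientMetadata();
        hardened.setRedirectionURI(URI.create("https://client.example.org/callback"));
        hardened.setName("My Example Client");
        hardened.setScope(new Scope("read", "write"));
        hardened.setGrantTypes(Collections.singleton(GrantType.AUTHORIZATION_CODE));
        hardened.setTokenEndpointAuthMethod(ClientAuthenticationMethod.PRIVATE_KEY_JWT);
        hardened.setTokenEndpointAuthJWSAlg(JWSAlgorithm.ES256);
        hardened.setJWKSetURI(URI.create("https://client.example.org/my_public_keys.jwks"));
        hardened.setDPoPBoundAccessTokens(true);
        hardened.requiresPushedAuthorizationRequests(true);

        // Constructed metadata that violates several rules
        ClientMetadata weak = new ClientMetadata();
        weak.setRedirectionURI(URI.create("http://client.example.org/callback"));
        weak.setGrantTypes(Collections.singleton(GrantType.IMPLICIT));
        weak.setTokenEndpointAuthMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC);

        // Serialise to the JSON object form shown above, then evaluate both instances
        System.out.println(hardened.toJSONObject());
        System.out.println("hardened: " + checkPolicy(hardened));
        System.out.println("weak:     " + checkPolicy(weak));
    }
}
```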
 

Related specifications:

  • OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591), section 2.
  • OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens (RFC 8705), sections 2.1.2 and 3.4.
  • OAuth 2.0 Demonstrating Proof of Possession (DPoP) (RFC 9449), section 5.2.
  • Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM).
  • OAuth 2.0 Pushed Authorization Requests (RFC 9126)
  • OAuth 2.0 Rich Authorization Requests (RFC 9396), section 10.
  • OpenID Connect Client Initiated Backchannel Authentication Flow - Core 1.0
  • OpenID Connect Federation 1.0 (draft 22)
  • Field Details

  • Constructor Details

    • ClientMetadata

      public ClientMetadata()
      Creates a new OAuth 2.0 client metadata instance.
    • ClientMetadata

      public ClientMetadata(ClientMetadata metadata)
      Creates a shallow copy of the specified OAuth 2.0 client metadata instance.
      Parameters:
      metadata - The client metadata to copy. Must not be null.
  • Method Details

    • getRegisteredParameterNames

      Gets the registered (standard) OAuth 2.0 client metadata parameter names.
      Returns:
      The registered parameter names, as an unmodifiable set.
    • getRedirectionURIs

      Gets the redirection URIs for this client. Corresponds to the redirect_uris client metadata field.
      Returns:
      The redirection URIs, null if not specified.
    • getRedirectionURI

      Gets one of the redirection URIs for this client. Corresponds to the redirect_uris client metadata field.
      Returns:
      The redirection URI, null if not specified.
    • getRedirectionURIStrings

      Gets the redirection URIs for this client as strings. Corresponds to the redirect_uris client metadata field.

      This short-hand method is intended to enable string-based URI comparison.

      Returns:
      The redirection URIs as strings, null if not specified.
    • setRedirectionURIs

      public void setRedirectionURIs(Set<URI> redirectURIs)
      Sets the redirection URIs for this client. Corresponds to the redirect_uris client metadata field.
      Parameters:
      redirectURIs - The redirection URIs, null if not specified. Valid redirection URIs must not contain a fragment.
    • setRedirectionURI

      public void setRedirectionURI(URI redirectURI)
      Sets a single redirection URI for this client. Corresponds to the redirect_uris client metadata field.
      Parameters:
      redirectURI - The redirection URI, null if not specified. A valid redirection URI must not contain a fragment.
    • getScope

      public Scope getScope()
      Gets the scope values that the client can use when requesting access tokens. Corresponds to the scope client metadata field.
      Returns:
      The scope, null if not specified.
    • hasScopeValue

      public boolean hasScopeValue(Scope.Value scopeValue)
      Checks if the scope metadata field is set and contains the specified scope value.
      Parameters:
      scopeValue - The scope value. Must not be null.
      Returns:
      true if the scope value is contained, else false.
    • setScope

      public void setScope(Scope scope)
      Sets the scope values that the client can use when requesting access tokens. Corresponds to the scope client metadata field.
      Parameters:
      scope - The scope, null if not specified.
    • getResponseTypes

      Gets the expected OAuth 2.0 response types. Corresponds to the response_types client metadata field.
      Returns:
      The response types, null if not specified.
    • setResponseTypes

      public void setResponseTypes(Set<ResponseType> responseTypes)
      Sets the expected OAuth 2.0 response types. Corresponds to the response_types client metadata field.
      Parameters:
      responseTypes - The response types, null if not specified.
    • getGrantTypes

      Gets the expected OAuth 2.0 grant types. Corresponds to the grant_types client metadata field.
      Returns:
      The grant types, null if not specified.
    • setGrantTypes

      public void setGrantTypes(Set<GrantType> grantTypes)
      Sets the expected OAuth 2.0 grant types. Corresponds to the grant_types client metadata field.
      Parameters:
      grantTypes - The grant types, null if not specified.
    • getEmailContacts

      Gets the administrator email contacts for the client. Corresponds to the contacts client metadata field.
      Returns:
      The administrator email contacts, null if not specified.
    • setEmailContacts

      public void setEmailContacts(List<String> contacts)
      Sets the administrator email contacts for the client. Corresponds to the contacts client metadata field.
      Parameters:
      contacts - The administrator email contacts, null if not specified.
    • getName

      public String getName()
      Gets the client name. Corresponds to the client_name client metadata field, with no language tag.
      Returns:
      The client name, null if not specified.
    • getName

      public String getName(com.nimbusds.langtag.LangTag langTag)
      Gets the client name. Corresponds to the client_name client metadata field, with an optional language tag.
      Parameters:
      langTag - The language tag of the entry, null to get the non-tagged entry.
      Returns:
      The client name, null if not specified.
    • getNameEntries

      public Map<com.nimbusds.langtag.LangTag,String> getNameEntries()
      Gets the client name entries. Corresponds to the client_name client metadata field.
      Returns:
      The client name entries, empty map if none.
    • setName

      public void setName(String name)
      Sets the client name. Corresponds to the client_name client metadata field, with no language tag.
      Parameters:
      name - The client name, null if not specified.
    • setName

      public void setName(String name, com.nimbusds.langtag.LangTag langTag)
      Sets the client name. Corresponds to the client_name client metadata field, with an optional language tag.
      Parameters:
      name - The client name. Must not be null.
      langTag - The language tag, null if not specified.
    • getLogoURI

      public URI getLogoURI()
      Gets the client application logo. Corresponds to the logo_uri client metadata field, with no language tag.
      Returns:
      The logo URI, null if not specified.
    • getLogoURI

      public URI getLogoURI(com.nimbusds.langtag.LangTag langTag)
      Gets the client application logo. Corresponds to the logo_uri client metadata field, with an optional language tag.
      Parameters:
      langTag - The language tag, null if not specified.
      Returns:
      The logo URI, null if not specified.
    • getLogoURIEntries

      public Map<com.nimbusds.langtag.LangTag,URI> getLogoURIEntries()
      Gets the client application logo entries. Corresponds to the logo_uri client metadata field.
      Returns:
      The logo URI entries, empty map if none.
    • setLogoURI

      public void setLogoURI(URI logoURI)
      Sets the client application logo. Corresponds to the logo_uri client metadata field, with no language tag.
      Parameters:
      logoURI - The logo URI, null if not specified.
    • setLogoURI

      public void setLogoURI(URI logoURI, com.nimbusds.langtag.LangTag langTag)
      Sets the client application logo. Corresponds to the logo_uri client metadata field, with an optional language tag.
      Parameters:
      logoURI - The logo URI. Must not be null.
      langTag - The language tag, null if not specified.
    • getURI

      public URI getURI()
      Gets the client home page. Corresponds to the client_uri client metadata field, with no language tag.
      Returns:
      The client URI, null if not specified.
    • getURI

      public URI getURI(com.nimbusds.langtag.LangTag langTag)
      Gets the client home page. Corresponds to the client_uri client metadata field, with an optional language tag.
      Parameters:
      langTag - The language tag, null if not specified.
      Returns:
      The client URI, null if not specified.
    • getURIEntries

      public Map<com.nimbusds.langtag.LangTag,URI> getURIEntries()
      Gets the client home page entries. Corresponds to the client_uri client metadata field.
      Returns:
      The client URI entries, empty map if none.
    • setURI

      public void setURI(URI uri)
      Sets the client home page. Corresponds to the client_uri client metadata field, with no language tag.
      Parameters:
      uri - The client URI, null if not specified. The URI scheme must be https or http.
    • setURI

      public void setURI(URI uri, com.nimbusds.langtag.LangTag langTag)
      Sets the client home page. Corresponds to the client_uri client metadata field, with an optional language tag.
      Parameters:
      uri - The URI. The URI scheme must be https or http. Must not be null.
      langTag - The language tag, null if not specified.
    • getPolicyURI

      public URI getPolicyURI()
      Gets the client policy for use of end-user data. Corresponds to the policy_uri client metadata field, with no language tag.
      Returns:
      The policy URI, null if not specified.
    • getPolicyURI

      public URI getPolicyURI(com.nimbusds.langtag.LangTag langTag)
      Gets the client policy for use of end-user data. Corresponds to the policy_uri client metadata field, with an optional language tag.
      Parameters:
      langTag - The language tag, null if not specified.
      Returns:
      The policy URI, null if not specified.
    • getPolicyURIEntries

      public Map<com.nimbusds.langtag.LangTag,URI> getPolicyURIEntries()
      Gets the client policy entries for use of end-user data. Corresponds to the policy_uri client metadata field.
      Returns:
      The policy URI entries, empty map if none.
    • setPolicyURI

      public void setPolicyURI(URI policyURI)
      Sets the client policy for use of end-user data. Corresponds to the policy_uri client metadata field, with no language tag.
      Parameters:
      policyURI - The policy URI, null if not specified. The URI scheme must be https or http.
    • setPolicyURI

      public void setPolicyURI(URI policyURI, com.nimbusds.langtag.LangTag langTag)
      Sets the client policy for use of end-user data. Corresponds to the policy_uri client metadata field, with an optional language tag.
      Parameters:
      policyURI - The policy URI. The URI scheme must be https or http. Must not be null.
      langTag - The language tag, null if not specified.
    • getTermsOfServiceURI

      Gets the client's terms of service. Corresponds to the tos_uri client metadata field, with no language tag.
      Returns:
      The terms of service URI, null if not specified.
    • getTermsOfServiceURI

      public URI getTermsOfServiceURI(com.nimbusds.langtag.LangTag langTag)
      Gets the client's terms of service. Corresponds to the tos_uri client metadata field, with an optional language tag.
      Parameters:
      langTag - The language tag, null if not specified.
      Returns:
      The terms of service URI, null if not specified.
    • getTermsOfServiceURIEntries

      public Map<com.nimbusds.langtag.LangTag,URI> getTermsOfServiceURIEntries()
      Gets the client's terms of service entries. Corresponds to the tos_uri client metadata field.
      Returns:
      The terms of service URI entries, empty map if none.
    • setTermsOfServiceURI

      public void setTermsOfServiceURI(URI tosURI)
      Sets the client's terms of service. Corresponds to the tos_uri client metadata field, with no language tag.
      Parameters:
      tosURI - The terms of service URI, null if not specified. The URI scheme must be https or http.
    • setTermsOfServiceURI

      public void setTermsOfServiceURI(URI tosURI, com.nimbusds.langtag.LangTag langTag)
      Sets the client's terms of service. Corresponds to the tos_uri client metadata field, with an optional language tag.
      Parameters:
      tosURI - The terms of service URI. The URI scheme must be https or http. Must not be null.
      langTag - The language tag, null if not specified.
    • getTokenEndpointAuthMethod

      Gets the Token endpoint authentication method. Corresponds to the token_endpoint_auth_method client metadata field.
      Returns:
      The Token endpoint authentication method, null if not specified.
    • setTokenEndpointAuthMethod

      Sets the Token endpoint authentication method. Corresponds to the token_endpoint_auth_method client metadata field.
      Parameters:
      authMethod - The Token endpoint authentication method, null if not specified.
    • getTokenEndpointAuthJWSAlg

      public com.nimbusds.jose.JWSAlgorithm getTokenEndpointAuthJWSAlg()
      Gets the JSON Web Signature (JWS) algorithm required for private_key_jwt and client_secret_jwt authentication at the Token endpoint. Corresponds to the token_endpoint_auth_signing_alg client metadata field.
      Returns:
      The JWS algorithm, null if not specified.
    • setTokenEndpointAuthJWSAlg

      public void setTokenEndpointAuthJWSAlg(com.nimbusds.jose.JWSAlgorithm authJWSAlg)
      Sets the JSON Web Signature (JWS) algorithm required for private_key_jwt and client_secret_jwt authentication at the Token endpoint. Corresponds to the token_endpoint_auth_signing_alg client metadata field.
      Parameters:
      authJWSAlg - The JWS algorithm, null if not specified.
    • getJWKSetURI

      public URI getJWKSetURI()
      Gets the URI for this client's JSON Web Key (JWK) set containing key(s) that are used in signing requests to the server and key(s) for encrypting responses. Corresponds to the jwks_uri client metadata field.
      Returns:
      The JWK set URI, null if not specified.
    • setJWKSetURI

      public void setJWKSetURI(URI jwkSetURI)
      Sets the URI for this client's JSON Web Key (JWK) set containing key(s) that are used in signing requests to the server and key(s) for encrypting responses. Corresponds to the jwks_uri client metadata field.
      Parameters:
      jwkSetURI - The JWK set URI, null if not specified.
    • getSignedJWKSetURI

      Gets the URI for this client's signed JSON Web Key (JWK) set containing key(s) that are used in signing requests to the server and key(s) for encrypting responses. Corresponds to the signed_jwks_uri client metadata field. Intended for use in OpenID Connect Federation 1.0.
      Returns:
      The signed JWK set URI, null if not specified.
    • setSignedJWKSetURI

      public void setSignedJWKSetURI(URI signedJWKSetURI)
      Sets the URI for this client's signed JSON Web Key (JWK) set containing key(s) that are used in signing requests to the server and key(s) for encrypting responses. Corresponds to the signed_jwks_uri client metadata field. Intended for use in OpenID Connect Federation 1.0.
      Parameters:
      signedJWKSetURI - The signed JWK set URI, null if not specified.
    • getJWKSet

      public com.nimbusds.jose.jwk.JWKSet getJWKSet()
      Gets this client's JSON Web Key (JWK) set containing key(s) that are used in signing requests to the server and key(s) for encrypting responses. Intended as an alternative to getJWKSetURI() for native clients. Corresponds to the jwks client metadata field.
      Returns:
      The JWK set, null if not specified.
    • setJWKSet

      public void setJWKSet(com.nimbusds.jose.jwk.JWKSet jwkSet)
      Sets this client's JSON Web Key (JWK) set containing key(s) that are used in signing requests to the server and key(s) for encrypting responses. Intended as an alternative to getJWKSetURI() for native clients. Corresponds to the jwks client metadata field.
      Parameters:
      jwkSet - The JWK set, null if not specified.
    • getRequestObjectURIs

      Gets the pre-registered request object URIs. Corresponds to the request_uris client metadata field.
      Returns:
      The request object URIs, null if not specified.
    • setRequestObjectURIs

      public void setRequestObjectURIs(Set<URI> requestObjectURIs)
      Sets the pre-registered request object URIs. Corresponds to the request_uris client metadata field.
      Parameters:
      requestObjectURIs - The request object URIs, null if not specified.
    • getRequestObjectJWSAlg

      public com.nimbusds.jose.JWSAlgorithm getRequestObjectJWSAlg()
      Gets the JSON Web Signature (JWS) algorithm required for request objects sent by this client. Corresponds to the request_object_signing_alg client metadata field.
      Returns:
      The JWS algorithm, null if not specified.
    • setRequestObjectJWSAlg

      public void setRequestObjectJWSAlg(com.nimbusds.jose.JWSAlgorithm requestObjectJWSAlg)
      Sets the JSON Web Signature (JWS) algorithm required for request objects sent by this client. Corresponds to the request_object_signing_alg client metadata field.
      Parameters:
      requestObjectJWSAlg - The JWS algorithm, null if not specified.
    • getRequestObjectJWEAlg

      public com.nimbusds.jose.JWEAlgorithm getRequestObjectJWEAlg()
      Gets the JSON Web Encryption (JWE) algorithm required for request objects sent by this client. Corresponds to the request_object_encryption_alg client metadata field.
      Returns:
      The JWE algorithm, null if not specified.
    • setRequestObjectJWEAlg

      public void setRequestObjectJWEAlg(com.nimbusds.jose.JWEAlgorithm requestObjectJWEAlg)
      Sets the JSON Web Encryption (JWE) algorithm required for request objects sent by this client. Corresponds to the request_object_encryption_alg client metadata field.
      Parameters:
      requestObjectJWEAlg - The JWE algorithm, null if not specified.
    • getRequestObjectJWEEnc

      public com.nimbusds.jose.EncryptionMethod getRequestObjectJWEEnc()
      Gets the JSON Web Encryption (JWE) method required for request objects sent by this client. Corresponds to the request_object_encryption_enc client metadata field.
      Returns:
      The JWE method, null if not specified.
    • setRequestObjectJWEEnc

      public void setRequestObjectJWEEnc(com.nimbusds.jose.EncryptionMethod requestObjectJWEEnc)
      Sets the JSON Web Encryption (JWE) method required for request objects sent by this client. Corresponds to the request_object_encryption_enc client metadata field.
      Parameters:
      requestObjectJWEEnc - The JWE method, null if not specified.
    • getSoftwareID

      Gets the identifier for the OAuth 2.0 client software. Corresponds to the software_id client metadata field.
      Returns:
      The software identifier, null if not specified.
    • setSoftwareID

      public void setSoftwareID(SoftwareID softwareID)
      Sets the identifier for the OAuth 2.0 client software. Corresponds to the software_id client metadata field.
      Parameters:
      softwareID - The software identifier, null if not specified.
    • getSoftwareVersion

      Gets the version identifier for the OAuth 2.0 client software. Corresponds to the software_version client metadata field.
      Returns:
      The version identifier, null if not specified.
    • setSoftwareVersion

      public void setSoftwareVersion(SoftwareVersion softwareVersion)
      Sets the version identifier for the OAuth 2.0 client software. Corresponds to the software_version client metadata field.
      Parameters:
      softwareVersion - The version identifier, null if not specified.
    • getSoftwareStatement

      public com.nimbusds.jwt.SignedJWT getSoftwareStatement()
      Gets the software statement. Corresponds to the software_statement client metadata field.
      Returns:
      The signed software statement, null if not specified.
    • setSoftwareStatement

      public void setSoftwareStatement(com.nimbusds.jwt.SignedJWT softwareStatement)
      Sets the software statement. Corresponds to the software_statement client metadata field.
      Parameters:
      softwareStatement - The signed software statement, null if not specified.
    • getTLSClientCertificateBoundAccessTokens

      Gets the preference for TLS client certificate bound access tokens. Corresponds to the tls_client_certificate_bound_access_tokens client metadata field.
      Returns:
      true indicates a preference for TLS client certificate bound access tokens, false if none.
    • setTLSClientCertificateBoundAccessTokens

      public void setTLSClientCertificateBoundAccessTokens(boolean tlsClientCertBoundTokens)
      Sets the preference for TLS client certificate bound access tokens. Corresponds to the tls_client_certificate_bound_access_tokens client metadata field.
      Parameters:
      tlsClientCertBoundTokens - true indicates a preference for TLS client certificate bound access tokens, false if none.
    • getMutualTLSSenderConstrainedAccessTokens

      Deprecated.
      Gets the preference for TLS client certificate bound access tokens. Corresponds to the tls_client_certificate_bound_access_tokens client metadata field.
      Returns:
      true indicates a preference for TLS client certificate bound access tokens, false if none.
    • setMutualTLSSenderConstrainedAccessTokens

      @Deprecated public void setMutualTLSSenderConstrainedAccessTokens(boolean tlsSenderAccessTokens)
      Deprecated.
      Sets the preference for TLS client certificate bound access tokens. Corresponds to the tls_client_certificate_bound_access_tokens client metadata field.
      Parameters:
      tlsSenderAccessTokens - true indicates a preference for TLS client certificate bound access tokens, false if none.
    • getTLSClientAuthSubjectDN

      Gets the expected subject distinguished name (DN) of the client X.509 certificate in mutual TLS authentication. Corresponds to the tls_client_auth_subject_dn client metadata field.
      Returns:
      The expected subject distinguished name (DN) of the client X.509 certificate, null if not specified.
    • setTLSClientAuthSubjectDN

      public void setTLSClientAuthSubjectDN(String subjectDN)
      Sets the expected subject distinguished name (DN) of the client X.509 certificate in mutual TLS authentication. Corresponds to the tls_client_auth_subject_dn client metadata field.
      Parameters:
      subjectDN - The expected subject distinguished name (DN) of the client X.509 certificate, null if not specified.
    • getTLSClientAuthSanDNS

      Gets the expected dNSName SAN entry in the X.509 certificate, which the OAuth client will use in mutual TLS authentication. Corresponds to the tls_client_auth_san_dns client metadata field.
      Returns:
      The expected dNSName SAN entry in the X.509 certificate, null if not specified.
    • setTLSClientAuthSanDNS

      public void setTLSClientAuthSanDNS(String dns)
      Sets the expected dNSName SAN entry in the X.509 certificate, which the OAuth client will use in mutual TLS authentication. Corresponds to the tls_client_auth_san_dns client metadata field.
      Parameters:
      dns - The expected dNSName SAN entry in the X.509 certificate, null if not specified.
    • getTLSClientAuthSanURI

      Gets the expected uniformResourceIdentifier SAN entry in the X.509 certificate, which the OAuth client will use in mutual TLS authentication. Corresponds to the tls_client_auth_san_uri client metadata field.
      Returns:
      The expected uniformResourceIdentifier SAN entry in the X.509 certificate, null if not specified.
    • setTLSClientAuthSanURI

      public void setTLSClientAuthSanURI(String uri)
      Sets the expected uniformResourceIdentifier SAN entry in the X.509 certificate, which the OAuth client will use in mutual TLS authentication. Corresponds to the tls_client_auth_san_uri client metadata field.
      Parameters:
      uri - The expected uniformResourceIdentifier SAN entry in the X.509 certificate, null if not specified.
    • getTLSClientAuthSanIP

      Gets the expected iPAddress SAN entry in the X.509 certificate, which the OAuth client will use in mutual TLS authentication. Corresponds to the tls_client_auth_san_ip client metadata field.
      Returns:
      The expected iPAddress SAN entry in the X.509 certificate, null if not specified.
    • setTLSClientAuthSanIP

      public void setTLSClientAuthSanIP(String ip)
      Sets the expected iPAddress SAN entry in the X.509 certificate, which the OAuth client will use in mutual TLS authentication. Corresponds to the tls_client_auth_san_ip client metadata field.
      Parameters:
      ip - The expected iPAddress SAN entry in the X.509 certificate, null if not specified.
    • getTLSClientAuthSanEmail

      Gets the expected rfc822Name SAN entry in the X.509 certificate, which the OAuth client will use in mutual TLS authentication. Corresponds to the tls_client_auth_san_email client metadata field.
      Returns:
      The expected rfc822Name SAN entry in the X.509 certificate, null if not specified.
    • setTLSClientAuthSanEmail

      public void setTLSClientAuthSanEmail(String email)
      Sets the expected rfc822Name SAN entry in the X.509 certificate, which the OAuth client will use in mutual TLS authentication. Corresponds to the tls_client_auth_san_email client metadata field.
      Parameters:
      email - The expected rfc822Name SAN entry in the X.509 certificate, null if not specified.
    • getDPoPBoundAccessTokens

      public boolean getDPoPBoundAccessTokens()
      Gets the preference for DPoP bound access tokens. Corresponds to the dpop_bound_access_tokens client metadata field.
      Returns:
      true indicates a preference for DPoP bound access tokens, false if none.
    • setDPoPBoundAccessTokens

      public void setDPoPBoundAccessTokens(boolean dPoPBoundAccessTokens)
      Sets the preference for DPoP bound access tokens. Corresponds to the dpop_bound_access_tokens client metadata field.
      Parameters:
      dPoPBoundAccessTokens - true indicates a preference for DPoP bound access tokens, false if none.
    • getAuthorizationJWSAlg

      public com.nimbusds.jose.JWSAlgorithm getAuthorizationJWSAlg()
      Gets the JWS algorithm for JWT-encoded authorisation responses. Corresponds to the authorization_signed_response_alg client metadata field.
      Returns:
      The JWS algorithm, null if not specified.
    • setAuthorizationJWSAlg

      public void setAuthorizationJWSAlg(com.nimbusds.jose.JWSAlgorithm authzJWSAlg)
      Sets the JWS algorithm for JWT-encoded authorisation responses. Corresponds to the authorization_signed_response_alg client metadata field.
      Parameters:
      authzJWSAlg - The JWS algorithm, null if not specified. Must not be "none".
    • getAuthorizationJWEAlg

      public com.nimbusds.jose.JWEAlgorithm getAuthorizationJWEAlg()
      Gets the JWE algorithm for JWT-encoded authorisation responses. Corresponds to the authorization_encrypted_response_alg client metadata field.
      Returns:
      The JWE algorithm, null if not specified.
    • setAuthorizationJWEAlg

      public void setAuthorizationJWEAlg(com.nimbusds.jose.JWEAlgorithm authzJWEAlg)
      Sets the JWE algorithm for JWT-encoded authorisation responses. Corresponds to the authorization_encrypted_response_alg client metadata field.
      Parameters:
      authzJWEAlg - The JWE algorithm, null if not specified.
    • getAuthorizationJWEEnc

      public com.nimbusds.jose.EncryptionMethod getAuthorizationJWEEnc()
      Gets the encryption method for JWT-encoded authorisation responses. Corresponds to the authorization_encrypted_response_enc client metadata field.
      Returns:
      The encryption method, null if not specified.
    • setAuthorizationJWEEnc

      public void setAuthorizationJWEEnc(com.nimbusds.jose.EncryptionMethod authzJWEEnc)
      Sets the encryption method for JWT-encoded authorisation responses. Corresponds to the authorization_encrypted_response_enc client metadata field.
      Parameters:
      authzJWEEnc - The encryption method, null if not specified.
    • requiresPushedAuthorizationRequests

      Gets the requirement for pushed authorisation requests (PAR). Corresponds to the pushed_authorization_request_endpoint client metadata field.
      Returns:
      true if PAR is required, else false.
    • requiresPushedAuthorizationRequests

      public void requiresPushedAuthorizationRequests(boolean requirePAR)
      Sets the requirement for pushed authorisation requests (PAR). Corresponds to the pushed_authorization_request_endpoint client metadata field.
      Parameters:
      requirePAR - true if PAR is required, else false.
    • getAuthorizationDetailsTypes

      Gets the authorisation details types for Rich Authorisation Requests (RAR). Corresponds to the authorization_details_types metadata field.
      Returns:
      The authorisation types, null if not specified.
    • setAuthorizationDetailsTypes

      Sets the authorisation details types for Rich Authorisation Requests (RAR). Corresponds to the authorization_details_types metadata field.
      Parameters:
      authzTypes - The authorisation types, null if not specified.
    • getBackChannelTokenDeliveryMode

      Gets the CIBA token delivery mode. Corresponds to the backchannel_token_delivery_mode metadata field.
      Returns:
      The CIBA token delivery mode, null if not specified.
    • setBackChannelTokenDeliveryMode

      public void setBackChannelTokenDeliveryMode(BackChannelTokenDeliveryMode backChannelTokenDeliveryMode)
      Sets the CIBA token delivery mode. Corresponds to the backchannel_token_delivery_mode metadata field.
      Parameters:
      backChannelTokenDeliveryMode - The CIBA token delivery mode, null if not specified.
    • getBackChannelClientNotificationEndpoint

      Gets the CIBA client notification endpoint URI for the ping or push delivery modes. Corresponds to the backchannel_client_notification_endpoint metadata field.
      Returns:
      The CIBA client notification endpoint URI, null if not specified.
    • setBackChannelClientNotificationEndpoint

      public void setBackChannelClientNotificationEndpoint(URI backChannelClientNotificationEndpoint)
      Sets the CIBA client notification endpoint URI for the ping or push delivery modes. Corresponds to the backchannel_client_notification_endpoint metadata field.
      Parameters:
      backChannelClientNotificationEndpoint - The CIBA client notification endpoint URI, null if not specified.
    • getBackChannelAuthRequestJWSAlg

      public com.nimbusds.jose.JWSAlgorithm getBackChannelAuthRequestJWSAlg()
      Gets the JWS algorithm for CIBA requests. Corresponds to the backchannel_authentication_request_signing_alg metadata field.
      Returns:
      The JWS algorithm for CIBA requests, null if not specified.
    • setBackChannelAuthRequestJWSAlg

      public void setBackChannelAuthRequestJWSAlg(com.nimbusds.jose.JWSAlgorithm backChannelAuthRequestJWSAlg)
      Sets the JWS algorithm for CIBA requests. Corresponds to the backchannel_authentication_request_signing_alg metadata field.
      Parameters:
      backChannelAuthRequestJWSAlg - The JWS algorithm for CIBA requests, null if not specified.
    • supportsBackChannelUserCodeParam

      Gets the support for the user_code CIBA request parameter. Corresponds to the backchannel_user_code_parameter metadata field.
      Returns:
      true if the user_code parameter is supported, else false.
    • setSupportsBackChannelUserCodeParam

      public void setSupportsBackChannelUserCodeParam(boolean backChannelUserCodeParam)
      Sets the support for the user_code CIBA request parameter. Corresponds to the backchannel_user_code_parameter metadata field.
      Parameters:
      backChannelUserCodeParam - true if the user_code parameter is supported, else false.
    • getClientRegistrationTypes

      Gets the supported OpenID Connect Federation 1.0 client registration types. Corresponds to the client_registration_types metadata field.
      Returns:
      The supported registration types, null if not specified.
    • setClientRegistrationTypes

      Sets the supported OpenID Connect Federation 1.0 client registration types. Corresponds to the client_registration_types metadata field.
      Parameters:
      regTypes - The supported registration types, null if not specified.
    • getOrganizationName

      Gets the organisation name in OpenID Connect Federation 1.0. Corresponds to the organization_name metadata field.
      Returns:
      The organisation name, null if not specified.
    • setOrganizationName

      public void setOrganizationName(String organizationName)
      Sets the organisation name in OpenID Connect Federation 1.0. Corresponds to the organization_name metadata field.
      Parameters:
      organizationName - The organisation name, null if not specified.
    • getCustomField

      public Object getCustomField(String name)
      Gets the specified custom metadata field.
      Parameters:
      name - The field name. Must not be null.
      Returns:
      The field value, typically serialisable to a JSON entity, null if none.
    • getCustomFields

      public net.minidev.json.JSONObject getCustomFields()
      Gets the custom metadata fields.
      Returns:
      The custom metadata fields, as a JSON object, empty object if none.
    • setCustomField

      public void setCustomField(String name, Object value)
      Sets the specified custom metadata field.
      Parameters:
      name - The field name. Must not be null.
      value - The field value. Should serialise to a JSON entity.
    • setCustomFields

      public void setCustomFields(net.minidev.json.JSONObject customFields)
      Sets the custom metadata fields.
      Parameters:
      customFields - The custom metadata fields, as a JSON object, empty object if none. Must not be null.
    • applyDefaults

      public void applyDefaults()
      Applies the client metadata defaults where no values have been specified.
      • The response types default to ["code"].
      • The grant types default to ["authorization_code"].
      • The client authentication method defaults to "client_secret_basic", unless the grant type is "implicit" only.
      • The encryption method for JWT-encoded authorisation responses defaults to A128CBC-HS256 if a JWE algorithm is set.
    • toJSONObject

      public net.minidev.json.JSONObject toJSONObject()
      Returns the JSON object representation of this client metadata, including any custom fields.
      Returns:
      The JSON object.
    • toJSONObject

      public net.minidev.json.JSONObject toJSONObject(boolean includeCustomFields)
      Returns the JSON object representation of this client metadata.
      Parameters:
      includeCustomFields - true to include any custom metadata fields, false to omit them.
      Returns:
      The JSON object.
    • toString

      public String toString()
      Overrides:
      toString in class Object
    • parse

      public static ClientMetadata parse(net.minidev.json.JSONObject jsonObject) throws ParseException
      Parses a client metadata instance from the specified JSON object.
      Parameters:
      jsonObject - The JSON object to parse. Must not be null.
      Returns:
      The client metadata.
      Throws:
      ParseException - If the JSON object couldn't be parsed to a client metadata instance.
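
The following is an added example, not part of the SDK documentation or the project's own code. It sketches a registration-intake check built from the methods above: parse, apply defaults, require an HTTPS notification endpoint when the CIBA delivery mode is ping or push (a CIBA Core requirement), and reject custom fields that are not on an allowlist. The class name RegistrationIntake, the intake method, the x_tenant_id field and the sample request are assumptions made for illustration.

```java
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.ciba.BackChannelTokenDeliveryMode;
import com.nimbusds.oauth2.sdk.client.ClientMetadata;
import com.nimbusds.oauth2.sdk.util.JSONObjectUtils;
import net.minidev.json.JSONObject;
import java.net.URI;
import java.util.Collections;
import java.util.Set;

public class RegistrationIntake {

    // Hypothetical deployment policy: the only custom field this server accepts.
    static final Set<String> ALLOWED_CUSTOM_FIELDS = Collections.singleton("x_tenant_id");

    static JSONObject intake(String json) throws ParseException {
        ClientMetadata md = ClientMetadata.parse(JSONObjectUtils.parse(json));
        md.applyDefaults(); // response types, grant types, client authentication method

        // In ping and push modes the server calls the client, so an endpoint
        // must be registered and must use HTTPS.
        BackChannelTokenDeliveryMode mode = md.getBackChannelTokenDeliveryMode();
        if (BackChannelTokenDeliveryMode.PING.equals(mode)
                || BackChannelTokenDeliveryMode.PUSH.equals(mode)) {
            URI endpoint = md.getBackChannelClientNotificationEndpoint();
            if (endpoint == null || !"https".equalsIgnoreCase(endpoint.getScheme())) {
                throw new IllegalArgumentException(
                    "backchannel_client_notification_endpoint must be an https URI for mode " + mode);
            }
        }

        // Anything exposed through getCustomFields() must be explicitly allowed
        // before it is stored or echoed back in a registration response.
        for (String name : md.getCustomFields().keySet()) {
            if (!ALLOWED_CUSTOM_FIELDS.contains(name)) {
                throw new IllegalArgumentException("Unexpected metadata field: " + name);
            }
        }
        return md.toJSONObject(true); // use toJSONObject(false) to omit custom fields
    }

    public static void main(String[] args) throws ParseException {
        // Constructed sample registration request.
        String request = "{"
            + "\"redirect_uris\":[\"https://client.example.org/callback\"],"
            + "\"backchannel_token_delivery_mode\":\"ping\","
            + "\"backchannel_client_notification_endpoint\":\"https://client.example.org/ciba\","
            + "\"x_tenant_id\":\"t-42\"}";
        System.out.println(intake(request));
    }
}
```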