001/* 002 * oauth2-oidc-sdk 003 * 004 * Copyright 2012-2021, Connect2id Ltd and contributors. 005 * 006 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use 007 * this file except in compliance with the License. You may obtain a copy of the 008 * License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software distributed 013 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR 014 * CONDITIONS OF ANY KIND, either express or implied. See the License for the 015 * specific language governing permissions and limitations under the License. 016 */ 017 018package com.nimbusds.oauth2.sdk.as; 019 020 021import java.net.URI; 022import java.util.List; 023import java.util.Map; 024 025import com.nimbusds.oauth2.sdk.rar.AuthorizationType; 026import net.minidev.json.JSONObject; 027 028import com.nimbusds.jose.EncryptionMethod; 029import com.nimbusds.jose.JWEAlgorithm; 030import com.nimbusds.jose.JWSAlgorithm; 031import com.nimbusds.jose.jwk.JWKSet; 032import com.nimbusds.langtag.LangTag; 033import com.nimbusds.oauth2.sdk.GrantType; 034import com.nimbusds.oauth2.sdk.ResponseMode; 035import com.nimbusds.oauth2.sdk.ResponseType; 036import com.nimbusds.oauth2.sdk.Scope; 037import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod; 038import com.nimbusds.oauth2.sdk.ciba.BackChannelTokenDeliveryMode; 039import com.nimbusds.oauth2.sdk.client.ClientType; 040import com.nimbusds.oauth2.sdk.id.Issuer; 041import com.nimbusds.oauth2.sdk.pkce.CodeChallengeMethod; 042import com.nimbusds.openid.connect.sdk.Prompt; 043import com.nimbusds.openid.connect.sdk.federation.registration.ClientRegistrationType; 044import com.nimbusds.openid.connect.sdk.op.EndpointName; 045 046 047/** 048 * Read-only OAuth 2.0 Authorisation Server (AS) metadata. 049 * 050 * <p>Related specifications: 051 * 052 * <ul> 053 * <li>OAuth 2.0 Authorization Server Metadata (RFC 8414) 054 * <li>OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound 055 * Access Tokens (RFC 8705) 056 * <li>OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer 057 * (DPoP) (RFC 9449) 058 * <li>Financial-grade API: JWT Secured Authorization Response Mode for 059 * OAuth 2.0 (JARM) 060 * <li>OAuth 2.0 Authorization Server Issuer Identification (RFC 9207) 061 * <li>Financial-grade API - Part 2: Read and Write API Security Profile 062 * <li>OAuth 2.0 Pushed Authorization Requests (RFC 9126) 063 * <li>OAuth 2.0 Rich Authorization Requests (RFC 9396) 064 * <li>OAuth 2.0 Device Authorization Grant (RFC 8628) 065 * <li>OpenID Connect Client Initiated Backchannel Authentication Flow - 066 * Core 1.0 067 * <li>OAuth 2.0 Incremental Authorization 068 * (draft-ietf-oauth-incremental-authz-04) 069 * <li>Initiating User Registration via OpenID Connect 1.0 070 * <li>OpenID Connect Federation 1.0 (draft 22) 071 * </ul> 072 */ 073public interface ReadOnlyAuthorizationServerMetadata extends ReadOnlyAuthorizationServerEndpointMetadata { 074 075 076 /** 077 * Gets the issuer identifier. Corresponds to the {@code issuer} 078 * metadata field. 079 * 080 * @return The issuer identifier. 081 */ 082 Issuer getIssuer(); 083 084 085 /** 086 * Gets the JSON Web Key (JWK) set URI. Corresponds to the 087 * {@code jwks_uri} metadata field. 088 * 089 * @return The JWK set URI, {@code null} if not specified. 090 */ 091 URI getJWKSetURI(); 092 093 094 /** 095 * Gets the supported scope values. Corresponds to the 096 * {@code scopes_supported} metadata field. 097 * 098 * @return The supported scope values, {@code null} if not specified. 099 */ 100 Scope getScopes(); 101 102 103 /** 104 * Gets the supported response type values. Corresponds to the 105 * {@code response_types_supported} metadata field. 106 * 107 * @return The supported response type values, {@code null} if not 108 * specified. 109 */ 110 List<ResponseType> getResponseTypes(); 111 112 113 /** 114 * Gets the supported response mode values. Corresponds to the 115 * {@code response_modes_supported}. 116 * 117 * @return The supported response mode values, {@code null} if not 118 * specified. 119 */ 120 List<ResponseMode> getResponseModes(); 121 122 123 /** 124 * Gets the supported OAuth 2.0 grant types. Corresponds to the 125 * {@code grant_types_supported} metadata field. 126 * 127 * @return The supported grant types, {@code null} if not specified. 128 */ 129 List<GrantType> getGrantTypes(); 130 131 132 /** 133 * Gets the supported authorisation code challenge methods for PKCE. 134 * Corresponds to the {@code code_challenge_methods_supported} metadata 135 * field. 136 * 137 * @return The supported code challenge methods, {@code null} if not 138 * specified. 139 */ 140 List<CodeChallengeMethod> getCodeChallengeMethods(); 141 142 143 /** 144 * Gets the supported token endpoint authentication methods. 145 * Corresponds to the {@code token_endpoint_auth_methods_supported} 146 * metadata field. 147 * 148 * @return The supported token endpoint authentication methods, 149 * {@code null} if not specified. 150 */ 151 List<ClientAuthenticationMethod> getTokenEndpointAuthMethods(); 152 153 154 /** 155 * Gets the supported JWS algorithms for the {@code private_key_jwt} 156 * and {@code client_secret_jwt} token endpoint authentication methods. 157 * Corresponds to the 158 * {@code token_endpoint_auth_signing_alg_values_supported} metadata 159 * field. 160 * 161 * @return The supported JWS algorithms, {@code null} if not specified. 162 */ 163 List<JWSAlgorithm> getTokenEndpointJWSAlgs(); 164 165 166 /** 167 * Gets the supported introspection endpoint authentication methods. 168 * Corresponds to the 169 * {@code introspection_endpoint_auth_methods_supported} metadata 170 * field. 171 * 172 * @return The supported introspection endpoint authentication methods, 173 * {@code null} if not specified. 174 */ 175 List<ClientAuthenticationMethod> getIntrospectionEndpointAuthMethods(); 176 177 178 /** 179 * Gets the supported JWS algorithms for the {@code private_key_jwt} 180 * and {@code client_secret_jwt} introspection endpoint authentication 181 * methods. Corresponds to the 182 * {@code introspection_endpoint_auth_signing_alg_values_supported} 183 * metadata field. 184 * 185 * @return The supported JWS algorithms, {@code null} if not specified. 186 */ 187 List<JWSAlgorithm> getIntrospectionEndpointJWSAlgs(); 188 189 190 /** 191 * Gets the supported revocation endpoint authentication methods. 192 * Corresponds to the 193 * {@code revocation_endpoint_auth_methods_supported} metadata field. 194 * 195 * @return The supported revocation endpoint authentication methods, 196 * {@code null} if not specified. 197 */ 198 List<ClientAuthenticationMethod> getRevocationEndpointAuthMethods(); 199 200 201 /** 202 * Gets the supported JWS algorithms for the {@code private_key_jwt} 203 * and {@code client_secret_jwt} revocation endpoint authentication 204 * methods. Corresponds to the 205 * {@code revocation_endpoint_auth_signing_alg_values_supported} 206 * metadata field. 207 * 208 * @return The supported JWS algorithms, {@code null} if not specified. 209 */ 210 List<JWSAlgorithm> getRevocationEndpointJWSAlgs(); 211 212 213 /** 214 * Gets the supported JWS algorithms for request objects. Corresponds 215 * to the {@code request_object_signing_alg_values_supported} metadata 216 * field. 217 * 218 * @return The supported JWS algorithms, {@code null} if not specified. 219 */ 220 List<JWSAlgorithm> getRequestObjectJWSAlgs(); 221 222 223 /** 224 * Gets the supported JWE algorithms for request objects. Corresponds 225 * to the {@code request_object_encryption_alg_values_supported} 226 * metadata field. 227 * 228 * @return The supported JWE algorithms, {@code null} if not specified. 229 */ 230 List<JWEAlgorithm> getRequestObjectJWEAlgs(); 231 232 233 /** 234 * Gets the supported encryption methods for request objects. 235 * Corresponds to the 236 * {@code request_object_encryption_enc_values_supported} metadata 237 * field. 238 * 239 * @return The supported encryption methods, {@code null} if not 240 * specified. 241 */ 242 List<EncryptionMethod> getRequestObjectJWEEncs(); 243 244 245 /** 246 * Gets the support for the {@code request} authorisation request 247 * parameter. Corresponds to the {@code request_parameter_supported} 248 * metadata field. 249 * 250 * @return {@code true} if the {@code reqeust} parameter is supported, 251 * else {@code false}. 252 */ 253 boolean supportsRequestParam(); 254 255 256 /** 257 * Gets the support for the {@code request_uri} authorisation request 258 * parameter. Corresponds to the 259 * {@code request_uri_parameter_supported} metadata field. 260 * 261 * @return {@code true} if the {@code request_uri} parameter is 262 * supported, else {@code false}. 263 */ 264 boolean supportsRequestURIParam(); 265 266 267 /** 268 * Gets the requirement for the {@code request_uri} parameter 269 * pre-registration. Corresponds to the 270 * {@code require_request_uri_registration} metadata field. 271 * 272 * @return {@code true} if the {@code request_uri} parameter values 273 * must be pre-registered, else {@code false}. 274 */ 275 boolean requiresRequestURIRegistration(); 276 277 278 /** 279 * Gets the support for the {@code iss} authorisation response 280 * parameter. Corresponds to the 281 * {@code authorization_response_iss_parameter_supported} metadata 282 * field. 283 * 284 * @return {@code true} if the {@code iss} authorisation response 285 * parameter is provided, else {@code false}. 286 */ 287 boolean supportsAuthorizationResponseIssuerParam(); 288 289 290 /** 291 * Gets the supported UI locales. Corresponds to the 292 * {@code ui_locales_supported} metadata field. 293 * 294 * @return The supported UI locales, {@code null} if not specified. 295 */ 296 List<LangTag> getUILocales(); 297 298 299 /** 300 * Gets the service documentation URI. Corresponds to the 301 * {@code service_documentation} metadata field. 302 * 303 * @return The service documentation URI, {@code null} if not 304 * specified. 305 */ 306 URI getServiceDocsURI(); 307 308 309 /** 310 * Gets the provider's policy regarding relying party use of data. 311 * Corresponds to the {@code op_policy_uri} metadata field. 312 * 313 * @return The policy URI, {@code null} if not specified. 314 */ 315 URI getPolicyURI(); 316 317 318 /** 319 * Gets the provider's terms of service. Corresponds to the 320 * {@code op_tos_uri} metadata field. 321 * 322 * @return The terms of service URI, {@code null} if not specified. 323 */ 324 URI getTermsOfServiceURI(); 325 326 327 /** 328 * Gets the aliases for communication with mutual TLS. Corresponds to 329 * the {@code mtls_endpoint_aliases} metadata field. 330 * 331 * @return The aliases for communication with mutual TLS, {@code null} 332 * when no aliases are defined. 333 */ 334 ReadOnlyAuthorizationServerEndpointMetadata getReadOnlyMtlsEndpointAliases(); 335 336 337 /** 338 * Gets the support for TLS client certificate bound access tokens. 339 * Corresponds to the 340 * {@code tls_client_certificate_bound_access_tokens} metadata field. 341 * 342 * @return {@code true} if TLS client certificate bound access tokens 343 * are supported, else {@code false}. 344 */ 345 boolean supportsTLSClientCertificateBoundAccessTokens(); 346 347 348 /** 349 * Gets the support for TLS client certificate bound access tokens. 350 * Corresponds to the 351 * {@code tls_client_certificate_bound_access_tokens} metadata field. 352 * 353 * @return {@code true} if TLS client certificate bound access tokens 354 * are supported, else {@code false}. 355 */ 356 @Deprecated 357 boolean supportsMutualTLSSenderConstrainedAccessTokens(); 358 359 360 /** 361 * Gets the supported JWS algorithms for Demonstrating 362 * Proof-of-Possession at the Application Layer (DPoP). Corresponds to 363 * the "dpop_signing_alg_values_supported" metadata field. 364 * 365 * @return The supported JWS algorithms for DPoP, {@code null} if none. 366 */ 367 List<JWSAlgorithm> getDPoPJWSAlgs(); 368 369 370 /** 371 * Gets the supported JWS algorithms for JWT-encoded authorisation 372 * responses. Corresponds to the 373 * {@code authorization_signing_alg_values_supported} metadata field. 374 * 375 * @return The supported JWS algorithms, {@code null} if not specified. 376 */ 377 List<JWSAlgorithm> getAuthorizationJWSAlgs(); 378 379 380 /** 381 * Gets the supported JWE algorithms for JWT-encoded authorisation 382 * responses. Corresponds to the 383 * {@code authorization_encryption_alg_values_supported} metadata 384 * field. 385 * 386 * @return The supported JWE algorithms, {@code null} if not specified. 387 */ 388 List<JWEAlgorithm> getAuthorizationJWEAlgs(); 389 390 391 /** 392 * Gets the supported encryption methods for JWT-encoded authorisation 393 * responses. Corresponds to the 394 * {@code authorization_encryption_enc_values_supported} metadata 395 * field. 396 * 397 * @return The supported encryption methods, {@code null} if not 398 * specified. 399 */ 400 List<EncryptionMethod> getAuthorizationJWEEncs(); 401 402 403 /** 404 * Gets the requirement for pushed authorisation requests (PAR). 405 * Corresponds to the {@code pushed_authorization_request_endpoint} 406 * metadata field. 407 * 408 * @return {@code true} if PAR is required, else {@code false}. 409 */ 410 boolean requiresPushedAuthorizationRequests(); 411 412 413 /** 414 * Gets the supported authorisation details types for Rich 415 * Authorisation Requests (RAR). Corresponds to the 416 * {@code authorization_details_types_supported} metadata field. 417 * 418 * @return The supported authorisation types, {@code null} if not 419 * specified. 420 */ 421 List<AuthorizationType> getAuthorizationDetailsTypes(); 422 423 424 /** 425 * Gets the supported OAuth 2.0 client types for incremental 426 * authorisation. Corresponds to the 427 * {@code incremental_authz_types_supported} metadata field. 428 * 429 * @return The supported client types for incremental authorisation, 430 * {@code null} if not specified. 431 */ 432 List<ClientType> getIncrementalAuthorizationTypes(); 433 434 435 /** 436 * Gets the supported CIBA token delivery modes. Corresponds to the 437 * {@code backchannel_token_delivery_modes_supported} metadata field. 438 * 439 * @return The CIBA token delivery modes, {@code null} if not 440 * specified. 441 */ 442 List<BackChannelTokenDeliveryMode> getBackChannelTokenDeliveryModes(); 443 444 445 /** 446 * Gets the supported JWS algorithms for CIBA requests. Corresponds to 447 * the {@code backchannel_authentication_request_signing_alg_values_supported} 448 * metadata field. 449 * 450 * @return The supported JWS algorithms, {@code null} if not specified. 451 */ 452 List<JWSAlgorithm> getBackChannelAuthenticationRequestJWSAlgs(); 453 454 455 /** 456 * Gets the support for the {@code user_code} CIBA request parameter. 457 * Corresponds to the {@code backchannel_user_code_parameter_supported} 458 * metadata field. 459 * 460 * @return {@code true} if the {@code user_code} parameter is 461 * supported, else {@code false}. 462 */ 463 boolean supportsBackChannelUserCodeParam(); 464 465 466 /** 467 * Gets the supported {@link Prompt.Type prompt types}. Corresponds to 468 * the {@code prompt_values_supported} metadata field. 469 * 470 * @return The supported prompt types, {@code null} if not specified. 471 */ 472 List<Prompt.Type> getPromptTypes(); 473 474 475 476 477 478 /** 479 * Gets the organisation name (OpenID Connect Federation 1.0). 480 * Corresponds to the {@code organization_name} metadata field. 481 * 482 * @return The organisation name, {@code null} if not specified. 483 */ 484 String getOrganizationName(); 485 486 487 /** 488 * Gets the JWK set (OpenID Connect Federation 1.0). Corresponds to the 489 * {@code jwks} metadata field. 490 * 491 * @return The JWK set, {@code null} if not specified. 492 */ 493 JWKSet getJWKSet(); 494 495 496 /** 497 * Gets the signed JWK set URI (OpenID Connect Federation 1.0). 498 * Corresponds to the {@code signed_jwks_uri} metadata field. 499 * 500 * @return The signed JWK set URI, {@code null} if not specified. 501 */ 502 URI getSignedJWKSetURI(); 503 504 505 /** 506 * Gets the supported OpenID Connect Federation 1.0 client registration 507 * types. Corresponds to the 508 * {@code client_registration_types_supported} metadata field. 509 * 510 * @return The supported client registration types, {@code null} if not 511 * specified. 512 */ 513 List<ClientRegistrationType> getClientRegistrationTypes(); 514 515 516 /** 517 * Gets the supported request authentication methods for automatic 518 * OpenID Connect Federation 1.0 client registration. Corresponds to 519 * the {@code request_authentication_methods_supported} field. 520 * 521 * @return The supported request authentication methods for automatic 522 * federation client registration, {@code null} if not specified. 523 */ 524 Map<EndpointName, List<ClientAuthenticationMethod>> getClientRegistrationAuthnMethods(); 525 526 527 /** 528 * Gets the supported JWS algorithms for authenticating automatic 529 * OpenID Connect Federation 1.0 client registration requests. 530 * Corresponds to the 531 * {@code request_authentication_signing_alg_values_supported}. 532 * 533 * @return The supported JWS algorithms, {@code null} if not specified. 534 */ 535 List<JWSAlgorithm> getClientRegistrationAuthnJWSAlgs(); 536 537 538 /** 539 * Gets the specified custom (not registered) parameter. 540 * 541 * @param name The parameter name. Must not be {@code null}. 542 * @return The parameter value, {@code null} if not specified. 543 */ 544 Object getCustomParameter(String name); 545 546 547 /** 548 * Gets the specified custom (not registered) URI parameter. 549 * 550 * @param name The parameter name. Must not be {@code null}. 551 * @return The parameter URI value, {@code null} if not specified. 552 */ 553 URI getCustomURIParameter(String name); 554 555 556 /** 557 * Gets the custom (not registered) parameters. 558 * 559 * @return The custom parameters, empty JSON object if none. 560 */ 561 JSONObject getCustomParameters(); 562 563 564 /** 565 * Returns the JSON object representation of the metadata. 566 * 567 * @return The JSON object representation. 568 */ 569 JSONObject toJSONObject(); 570}