package com.nimbusds.openid.connect.sdk.claims;


import net.jcip.annotations.Immutable;

import com.nimbusds.jose.JWSAlgorithm;

import com.nimbusds.oauth2.sdk.ResponseType;
import com.nimbusds.oauth2.sdk.token.AccessToken;


/**
 * Access token hash ({@code at_hash}) claim.
 *
 * <p>The hash value itself is produced by {@code computeValue}, which this
 * class does not define (presumably inherited from {@link HashClaim}); this
 * class only wraps the resulting string and states when the claim is
 * mandatory.
 *
 * <p>Related specifications:
 *
 * <ul>
 *     <li>OpenID Connect Core 1.0, section 3.1.3.6.
 * </ul>
 */
@Immutable
public final class AccessTokenHash extends HashClaim {


    /**
     * Tells whether ID tokens issued for the given response type must
     * carry an access token hash claim.
     *
     * <p>A {@code false} result only means the claim is not mandatory for
     * that response type; it does not say that a claim which is present
     * may be ignored.
     *
     * @param responseType The OpenID Connect response type. Must not be
     *                     {@code null}.
     *
     * @return {@code true} if the access token hash is required, else
     *         {@code false}.
     */
    public static boolean isRequiredInIDTokenClaims(final ResponseType responseType) {

        // Mandatory only for the implicit flow 'token id_token' and the
        // hybrid flow 'code id_token token'. Which endpoint (authz or
        // token) issues the ID token is disregarded here.
        return new ResponseType("token", "id_token").equals(responseType)
            || new ResponseType("code", "id_token", "token").equals(responseType);
    }


    /**
     * Wraps an already computed access token hash value.
     *
     * @param value The access token hash value. Must not be {@code null}.
     */
    public AccessTokenHash(final String value) {

        super(value);
    }


    /**
     * Derives the hash of an access token, using the given JSON Web
     * Signature (JWS) algorithm as reference for the hash function.
     *
     * <p>Callers that validate a received {@code at_hash} should treat a
     * {@code null} result as a validation failure rather than as "nothing
     * to compare": no expected value could be derived, so the received
     * claim cannot be confirmed.
     *
     * @param accessToken The access token. Must not be {@code null}.
     * @param alg         The reference JWS algorithm. Must not be
     *                    {@code null}.
     *
     * @return The access token hash, or {@code null} if the JWS algorithm
     *         is not supported.
     */
    public static AccessTokenHash compute(final AccessToken accessToken, final JWSAlgorithm alg) {

        final String hashValue = computeValue(accessToken, alg);

        // A null value signals an unsupported algorithm; pass it through
        // to the caller unchanged.
        return hashValue != null ? new AccessTokenHash(hashValue) : null;
    }


    /**
     * Compares this claim with another object. Two access token hashes are
     * equal when their string representations match exactly.
     *
     * @param object The object to compare with, may be {@code null}.
     *
     * @return {@code true} if the object is an {@code AccessTokenHash}
     *         with the same string representation, else {@code false}.
     */
    @Override
    public boolean equals(final Object object) {

        // NOTE(review): hashCode() is not overridden in this class; confirm
        // that the inherited implementation is consistent with this
        // string-based equality.
        if (!(object instanceof AccessTokenHash)) {
            return false;
        }

        return this.toString().equals(object.toString());
    }
}