001package com.nimbusds.openid.connect.sdk.claims;
002
003
004import net.jcip.annotations.Immutable;
005
006import com.nimbusds.jose.JWSAlgorithm;
007
008import com.nimbusds.oauth2.sdk.ResponseType;
009import com.nimbusds.oauth2.sdk.token.AccessToken;
010
011
/**
 * Access token hash ({@code at_hash}) claim value for ID tokens.
 *
 * <p>A client uses the claim to check that the access token it received
 * together with an ID token is the one the ID token was issued for, so the
 * comparison result is a security decision and must not be skipped on error.
 *
 * <p>Related specifications:
 *
 * <ul>
 *     <li>OpenID Connect Core 1.0, section 3.1.3.6.
 * </ul>
 */
@Immutable
public final class AccessTokenHash extends HashClaim {


        /**
         * Tells whether an ID token issued for the specified response type
         * must carry an access token hash claim.
         *
         * <p>A {@code false} result only means the claim is not mandatory
         * for that response type. It does not mean a claim that is present
         * may go unverified.
         *
         * @param responseType The OpenID Connect response type. Must not be
         *                     {@code null}.
         *
         * @return {@code true} if the access token hash is required, else
         *         {@code false}.
         */
        public static boolean isRequiredInIDTokenClaims(final ResponseType responseType) {

                // The authz / token endpoint distinction is deliberately
                // ignored; only the response type is looked at.
                // NOTE(review): a null argument is not rejected here, it is
                // simply handed to equals() -- confirm callers never pass null.

                // Implicit flow: 'token id_token'
                if (new ResponseType("token", "id_token").equals(responseType)) {
                        return true;
                }

                // Hybrid flow: 'code id_token token'
                return new ResponseType("code", "id_token", "token").equals(responseType);
        }


        /**
         * Wraps an already computed access token hash value.
         *
         * @param value The access token hash value. Must not be {@code null}.
         */
        public AccessTokenHash(final String value) {

                super(value);
        }


        /**
         * Derives the {@code at_hash} for the specified access token, using
         * the specified JSON Web Signature (JWS) algorithm as reference. The
         * hash value itself is produced by the inherited
         * {@code computeValue} helper.
         *
         * <p>Callers that validate an ID token should treat a {@code null}
         * result as a failed check: no hash could be computed, so the
         * received {@code at_hash} cannot be confirmed.
         *
         * @param accessToken The access token. Must not be {@code null}.
         * @param alg         The reference JWS algorithm. Must not be
         *                    {@code null}.
         *
         * @return The access token hash, or {@code null} if the JWS algorithm
         *         is not supported.
         */
        public static AccessTokenHash compute(final AccessToken accessToken, final JWSAlgorithm alg) {

                final String hashValue = computeValue(accessToken, alg);

                return hashValue == null ? null : new AccessTokenHash(hashValue);
        }


        /**
         * Compares this access token hash with another object. Two instances
         * are equal when the other object is also an {@code AccessTokenHash}
         * and both have the same string form.
         *
         * <p>NOTE(review): no {@code hashCode} override is declared in this
         * class; presumably a superclass supplies one consistent with the
         * string form -- confirm. The comparison is a plain
         * {@link String#equals(Object)}, which is not constant-time.
         *
         * @param object The object to compare to, may be {@code null}.
         *
         * @return {@code true} if the objects are equal, else {@code false}.
         */
        @Override
        public boolean equals(final Object object) {

                if (!(object instanceof AccessTokenHash)) {
                        // Also covers null
                        return false;
                }

                final String ownValue = this.toString();
                return ownValue.equals(object.toString());
        }
}