001/*
002 * oauth2-oidc-sdk
003 *
004 * Copyright 2012-2016, Connect2id Ltd and contributors.
005 *
006 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
007 * this file except in compliance with the License. You may obtain a copy of the
008 * License at
009 *
010 *    http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software distributed
013 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
014 * CONDITIONS OF ANY KIND, either express or implied. See the License for the
015 * specific language governing permissions and limitations under the License.
016 */
017
018package com.nimbusds.openid.connect.sdk.claims;
019
020
021import net.jcip.annotations.Immutable;
022
023import com.nimbusds.jose.JWSAlgorithm;
024
025import com.nimbusds.oauth2.sdk.ResponseType;
026import com.nimbusds.oauth2.sdk.token.AccessToken;
027
028
/**
 * Access token hash ({@code at_hash}) claim value.
 *
 * <p>The hash lets the recipient of an ID token check that an access token
 * delivered alongside it is the one the ID token was issued with.
 *
 * <p>Related specifications:
 *
 * <ul>
 *     <li>OpenID Connect Core 1.0, section 3.1.3.6.
 * </ul>
 */
@Immutable
public final class AccessTokenHash extends HashClaim {


        /**
         * Tells whether ID tokens issued for the specified response type
         * must carry an access token hash claim.
         *
         * <p>The decision is made on the response type alone; it does not
         * consider which endpoint (authorisation or token) issues the ID
         * token.
         *
         * @param responseType The OpenID Connect response type. Must not be
         *                     {@code null}.
         *
         * @return {@code true} for the implicit flow response type
         *         {@code token id_token} and the hybrid flow response type
         *         {@code code id_token token}, else {@code false}.
         */
        public static boolean isRequiredInIDTokenClaims(final ResponseType responseType) {

                // Implicit flow: the access token is returned together with
                // the ID token
                final ResponseType implicitWithToken = new ResponseType("token", "id_token");

                if (implicitWithToken.equals(responseType)) {
                        return true;
                }

                // Hybrid flow: code, ID token and access token are returned
                // together
                final ResponseType hybridWithToken = new ResponseType("code", "id_token", "token");

                return hybridWithToken.equals(responseType);
        }


        /**
         * Creates a new access token hash from an already computed value.
         *
         * @param value The access token hash value. Must not be {@code null}.
         */
        public AccessTokenHash(final String value) {

                super(value);
        }


        /**
         * Computes the hash of the specified access token, using the
         * specified JSON Web Signature (JWS) algorithm as reference.
         *
         * <p>The value is produced by {@code computeValue}, which is not
         * defined in this class (presumably inherited from
         * {@link HashClaim}).
         *
         * <p>Callers that validate an ID token should treat a {@code null}
         * result as a failure to verify the access token, never as a
         * match.
         *
         * @param accessToken The access token. Must not be {@code null}.
         * @param alg         The reference JWS algorithm. Must not be
         *                    {@code null}.
         *
         * @return The access token hash, or {@code null} if the JWS algorithm
         *         is not supported.
         */
        public static AccessTokenHash compute(final AccessToken accessToken, final JWSAlgorithm alg) {

                final String hashValue = computeValue(accessToken, alg);

                // No value means no hash object either
                return hashValue != null ? new AccessTokenHash(hashValue) : null;
        }


        /**
         * Compares this access token hash with another object. Two access
         * token hashes are equal when their string representations match.
         *
         * <p>NOTE(review): {@code hashCode()} is not overridden in this
         * class; confirm the inherited implementation is consistent with
         * this string-based equality.
         *
         * @param object The object to compare with, may be {@code null}.
         *
         * @return {@code true} if the object is an access token hash with
         *         the same string representation, else {@code false}.
         */
        @Override
        public boolean equals(final Object object) {

                if (!(object instanceof AccessTokenHash)) {
                        return false;
                }

                return toString().equals(object.toString());
        }
}