001/* 002 * oauth2-oidc-sdk 003 * 004 * Copyright 2012-2016, Connect2id Ltd and contributors. 005 * 006 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use 007 * this file except in compliance with the License. You may obtain a copy of the 008 * License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software distributed 013 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR 014 * CONDITIONS OF ANY KIND, either express or implied. See the License for the 015 * specific language governing permissions and limitations under the License. 016 */ 017 018package com.nimbusds.oauth2.sdk; 019 020 021import java.util.Date; 022import java.util.List; 023 024import com.nimbusds.jwt.util.DateUtils; 025import com.nimbusds.oauth2.sdk.http.CommonContentTypes; 026import com.nimbusds.oauth2.sdk.http.HTTPResponse; 027import com.nimbusds.oauth2.sdk.id.*; 028import com.nimbusds.oauth2.sdk.token.AccessTokenType; 029import com.nimbusds.oauth2.sdk.util.JSONObjectUtils; 030import net.jcip.annotations.Immutable; 031import net.minidev.json.JSONObject; 032 033 034/** 035 * Token introspection success response. 036 * 037 * <p>Related specifications: 038 * 039 * <ul> 040 * <li>OAuth 2.0 Token Introspection (RFC 7662). 041 * </ul> 042 */ 043@Immutable 044public class TokenIntrospectionSuccessResponse extends TokenIntrospectionResponse implements SuccessResponse { 045 046 047 /** 048 * Builder for constructing token introspection success responses. 049 */ 050 public static class Builder { 051 052 053 /** 054 * Determines whether the token is active. 055 */ 056 private final boolean active; 057 058 059 /** 060 * The optional token scope. 061 */ 062 private Scope scope; 063 064 065 /** 066 * The optional client ID for the token. 067 */ 068 private ClientID clientID; 069 070 071 /** 072 * The optional username for the token. 073 */ 074 private String username; 075 076 077 /** 078 * The optional token type. 079 */ 080 private AccessTokenType tokenType; 081 082 083 /** 084 * The optional token expiration date. 085 */ 086 private Date exp; 087 088 089 /** 090 * The optional token issue date. 091 */ 092 private Date iat; 093 094 095 /** 096 * The optional token not-before date. 097 */ 098 private Date nbf; 099 100 101 /** 102 * The optional token subject. 103 */ 104 private Subject sub; 105 106 107 /** 108 * The optional token audience. 109 */ 110 private List<Audience> audList; 111 112 113 /** 114 * The optional token issuer. 115 */ 116 private Issuer iss; 117 118 119 /** 120 * The optional token identifier. 121 */ 122 private JWTID jti; 123 124 125 /** 126 * Optional custom parameters. 127 */ 128 private final JSONObject customParams = new JSONObject(); 129 130 131 /** 132 * Creates a new token introspection success response builder. 133 * 134 * @param active {@code true} if the token is active, else 135 * {@code false}. 136 */ 137 public Builder(final boolean active) { 138 139 this.active = active; 140 } 141 142 143 /** 144 * Sets the token scope. 145 * 146 * @param scope The token scope, {@code null} if not specified. 147 * 148 * @return This builder. 149 */ 150 public Builder scope(final Scope scope) { 151 this.scope = scope; 152 return this; 153 } 154 155 156 /** 157 * Sets the identifier for the OAuth 2.0 client that requested 158 * the token. 159 * 160 * @param clientID The client identifier, {@code null} if not 161 * specified. 162 * 163 * @return This builder. 164 */ 165 public Builder clientID(final ClientID clientID) { 166 this.clientID = clientID; 167 return this; 168 } 169 170 171 /** 172 * Sets the username of the resource owner who authorised the 173 * token. 174 * 175 * @param username The username, {@code null} if not specified. 176 * 177 * @return This builder. 178 */ 179 public Builder username(final String username) { 180 this.username = username; 181 return this; 182 } 183 184 185 /** 186 * Sets the token type. 187 * 188 * @param tokenType The token type, {@code null} if not 189 * specified. 190 * 191 * @return This builder. 192 */ 193 public Builder tokenType(final AccessTokenType tokenType) { 194 this.tokenType = tokenType; 195 return this; 196 } 197 198 199 /** 200 * Sets the token expiration time. 201 * 202 * @param exp The token expiration time, {@code null} if not 203 * specified. 204 * 205 * @return This builder. 206 */ 207 public Builder expirationTime(final Date exp) { 208 this.exp = exp; 209 return this; 210 } 211 212 213 /** 214 * Sets the token issue time. 215 * 216 * @param iat The token issue time, {@code null} if not 217 * specified. 218 * 219 * @return This builder. 220 */ 221 public Builder issueTime(final Date iat) { 222 this.iat = iat; 223 return this; 224 } 225 226 227 /** 228 * Sets the token not-before time. 229 * 230 * @param nbf The token not-before time, {@code null} if not 231 * specified. 232 * 233 * @return This builder. 234 */ 235 public Builder notBeforeTime(final Date nbf) { 236 this.nbf = nbf; 237 return this; 238 } 239 240 241 /** 242 * Sets the token subject. 243 * 244 * @param sub The token subject, {@code null} if not specified. 245 * 246 * @return This builder. 247 */ 248 public Builder subject(final Subject sub) { 249 this.sub = sub; 250 return this; 251 } 252 253 254 /** 255 * Sets the token audience. 256 * 257 * @param audList The token audience, {@code null} if not 258 * specified. 259 * 260 * @return This builder. 261 */ 262 public Builder audience(final List<Audience> audList) { 263 this.audList = audList; 264 return this; 265 } 266 267 268 /** 269 * Sets the token issuer. 270 * 271 * @param iss The token issuer, {@code null} if not specified. 272 * 273 * @return This builder. 274 */ 275 public Builder issuer(final Issuer iss) { 276 this.iss = iss; 277 return this; 278 } 279 280 281 /** 282 * Sets the token identifier. 283 * 284 * @param jti The token identifier, {@code null} if not 285 * specified. 286 * 287 * @return This builder. 288 */ 289 public Builder jwtID(final JWTID jti) { 290 this.jti = jti; 291 return this; 292 } 293 294 295 /** 296 * Sets a custom parameter. 297 * 298 * @param name The parameter name. Must not be {@code null}. 299 * @param value The parameter value. Should map to a JSON type. 300 * If {@code null} not specified. 301 * 302 * @return This builder. 303 */ 304 public Builder parameter(final String name, final Object value) { 305 if (value != null) { 306 customParams.put(name, value); 307 } 308 return this; 309 } 310 311 312 /** 313 * Builds a new token introspection success response. 314 * 315 * @return The token introspection success response. 316 */ 317 public TokenIntrospectionSuccessResponse build() { 318 319 JSONObject o = new JSONObject(); 320 o.put("active", active); 321 if (scope != null) o.put("scope", scope.toString()); 322 if (clientID != null) o.put("client_id", clientID.getValue()); 323 if (username != null) o.put("username", username); 324 if (tokenType != null) o.put("token_type", tokenType.getValue()); 325 if (exp != null) o.put("exp", DateUtils.toSecondsSinceEpoch(exp)); 326 if (iat != null) o.put("iat", DateUtils.toSecondsSinceEpoch(iat)); 327 if (nbf != null) o.put("nbf", DateUtils.toSecondsSinceEpoch(nbf)); 328 if (sub != null) o.put("sub", sub.getValue()); 329 if (audList != null) o.put("aud", Audience.toStringList(audList)); 330 if (iss != null) o.put("iss", iss.getValue()); 331 if (jti != null) o.put("jti", jti.getValue()); 332 o.putAll(customParams); 333 return new TokenIntrospectionSuccessResponse(o); 334 } 335 } 336 337 338 /** 339 * The parameters. 340 */ 341 private final JSONObject params; 342 343 344 /** 345 * Creates a new token introspection success response. 346 * 347 * @param params The response parameters. Must contain at least the 348 * required {@code active} parameter and not be 349 * {@code null}. 350 */ 351 public TokenIntrospectionSuccessResponse(final JSONObject params) { 352 353 if (! (params.get("active") instanceof Boolean)) { 354 throw new IllegalArgumentException("Missing / invalid boolean active parameter"); 355 } 356 357 this.params = params; 358 } 359 360 361 /** 362 * Returns the active status for the token. Corresponds to the 363 * {@code active} claim. 364 * 365 * @return {@code true} if the token is active, else {@code false}. 366 */ 367 public boolean isActive() { 368 369 try { 370 return JSONObjectUtils.getBoolean(params, "active"); 371 } catch (ParseException e) { 372 return false; // always false on error 373 } 374 } 375 376 377 /** 378 * Returns the scope of the token. Corresponds to the {@code scope} 379 * claim. 380 * 381 * @return The token scope, {@code null} if not specified. 382 */ 383 public Scope getScope() { 384 385 try { 386 return Scope.parse(JSONObjectUtils.getString(params, "scope")); 387 } catch (ParseException e) { 388 return null; 389 } 390 } 391 392 393 /** 394 * Returns the identifier of the OAuth 2.0 client that requested the 395 * token. Corresponds to the {@code client_id} claim. 396 * 397 * @return The client identifier, {@code null} if not specified. 398 */ 399 public ClientID getClientID() { 400 401 try { 402 return new ClientID(JSONObjectUtils.getString(params, "client_id")); 403 } catch (ParseException e) { 404 return null; 405 } 406 } 407 408 409 /** 410 * Returns the username of the resource owner who authorised the token. 411 * Corresponds to the {@code username} claim. 412 * 413 * @return The username, {@code null} if not specified. 414 */ 415 public String getUsername() { 416 417 try { 418 return JSONObjectUtils.getString(params, "username"); 419 } catch (ParseException e) { 420 return null; 421 } 422 } 423 424 425 /** 426 * Returns the access token type. Corresponds to the {@code token_type} 427 * claim. 428 * 429 * @return The token type, {@code null} if not specified. 430 */ 431 public AccessTokenType getTokenType() { 432 433 try { 434 return new AccessTokenType(JSONObjectUtils.getString(params, "token_type")); 435 } catch (ParseException e) { 436 return null; 437 } 438 } 439 440 441 /** 442 * Returns the token expiration time. Corresponds to the {@code exp} 443 * claim. 444 * 445 * @return The token expiration time, {@code null} if not specified. 446 */ 447 public Date getExpirationTime() { 448 449 try { 450 return DateUtils.fromSecondsSinceEpoch(JSONObjectUtils.getLong(params, "exp")); 451 } catch (ParseException e) { 452 return null; 453 } 454 } 455 456 457 /** 458 * Returns the token issue time. Corresponds to the {@code iat} claim. 459 * 460 * @return The token issue time, {@code null} if not specified. 461 */ 462 public Date getIssueTime() { 463 464 try { 465 return DateUtils.fromSecondsSinceEpoch(JSONObjectUtils.getLong(params, "iat")); 466 } catch (ParseException e) { 467 return null; 468 } 469 } 470 471 472 /** 473 * Returns the token not-before time. Corresponds to the {@code nbf} 474 * claim. 475 * 476 * @return The token not-before time, {@code null} if not specified. 477 */ 478 public Date getNotBeforeTime() { 479 480 try { 481 return DateUtils.fromSecondsSinceEpoch(JSONObjectUtils.getLong(params, "nbf")); 482 } catch (ParseException e) { 483 return null; 484 } 485 } 486 487 488 /** 489 * Returns the subject of the token, usually a machine-readable 490 * identifier of the resource owner who authorised the token. 491 * Corresponds to the {@code sub} claim. 492 * 493 * @return The token subject, {@code null} if not specified. 494 */ 495 public Subject getSubject() { 496 497 try { 498 return new Subject(JSONObjectUtils.getString(params, "sub")); 499 } catch (ParseException e) { 500 return null; 501 } 502 } 503 504 505 /** 506 * Returns the intended audience for the token. Corresponds to the 507 * {@code aud} claim. 508 * 509 * @return The token audience, {@code null} if not specified. 510 */ 511 public List<Audience> getAudience() { 512 // Try string array first, then string 513 try { 514 return Audience.create(JSONObjectUtils.getStringList(params, "aud")); 515 } catch (ParseException e) { 516 try { 517 return new Audience(JSONObjectUtils.getString(params, "aud")).toSingleAudienceList(); 518 } catch (ParseException e2) { 519 return null; 520 } 521 } 522 } 523 524 525 /** 526 * Returns the token issuer. Corresponds to the {@code iss} claim. 527 * 528 * @return The token issuer, {@code null} if not specified. 529 */ 530 public Issuer getIssuer() { 531 532 try { 533 return new Issuer(JSONObjectUtils.getString(params, "iss")); 534 } catch (ParseException e) { 535 return null; 536 } 537 } 538 539 540 /** 541 * Returns the token identifier. Corresponds to the {@code jti} 542 * claim. 543 * 544 * @return The token identifier, {@code null} if not specified. 545 */ 546 public JWTID getJWTID() { 547 548 try { 549 return new JWTID(JSONObjectUtils.getString(params, "jti")); 550 } catch (ParseException e) { 551 return null; 552 } 553 } 554 555 556 /** 557 * Returns a JSON object representation of this token introspection 558 * success response. 559 * 560 * <p>Example JSON object: 561 * 562 * <pre> 563 * { 564 * "active" : true, 565 * "client_id" : "l238j323ds-23ij4", 566 * "username" : "jdoe", 567 * "scope" : "read write dolphin", 568 * "sub" : "Z5O3upPC88QrAjx00dis", 569 * "aud" : "https://protected.example.net/resource", 570 * "iss" : "https://server.example.com/", 571 * "exp" : 1419356238, 572 * "iat" : 1419350238, 573 * "extension_field" : "twenty-seven" 574 * } 575 * </pre> 576 * 577 * @return The JSON object. 578 */ 579 public JSONObject toJSONObject() { 580 581 return new JSONObject(params); 582 } 583 584 585 @Override 586 public boolean indicatesSuccess() { 587 588 return true; 589 } 590 591 592 @Override 593 public HTTPResponse toHTTPResponse() { 594 595 HTTPResponse httpResponse = new HTTPResponse(HTTPResponse.SC_OK); 596 httpResponse.setContentType(CommonContentTypes.APPLICATION_JSON); 597 httpResponse.setContent(params.toJSONString()); 598 return httpResponse; 599 } 600 601 602 /** 603 * Parses a token introspection success response from the specified 604 * JSON object. 605 * 606 * @param jsonObject The JSON object to parse. Must not be {@code null}. 607 * 608 * @return The token introspection success response. 609 * 610 * @throws ParseException If the JSON object couldn't be parsed to a 611 * token introspection success response. 612 */ 613 public static TokenIntrospectionSuccessResponse parse(final JSONObject jsonObject) 614 throws ParseException { 615 616 try { 617 return new TokenIntrospectionSuccessResponse(jsonObject); 618 } catch (IllegalArgumentException e) { 619 throw new ParseException(e.getMessage(), e); 620 } 621 } 622 623 624 /** 625 * Parses an token introspection success response from the specified 626 * HTTP response. 627 * 628 * @param httpResponse The HTTP response. Must not be {@code null}. 629 * 630 * @return The token introspection success response. 631 * 632 * @throws ParseException If the HTTP response couldn't be parsed to a 633 * token introspection success response. 634 */ 635 public static TokenIntrospectionSuccessResponse parse(final HTTPResponse httpResponse) 636 throws ParseException { 637 638 httpResponse.ensureStatusCode(HTTPResponse.SC_OK); 639 JSONObject jsonObject = httpResponse.getContentAsJSONObject(); 640 return parse(jsonObject); 641 } 642}