Class AuthorizationRequest

  • All Implemented Interfaces:
    Message, Request
    Direct Known Subclasses:
    AuthenticationRequest

    @Immutable
    public class AuthorizationRequest
    extends AbstractRequest
    Authorisation request. Used to authenticate an end-user and request the end-user's consent to grant the client access to a protected resource. Supports custom request parameters.

    Extending classes may define additional request parameters as well as enforce tighter requirements on the base parameters.

    Example HTTP request:

     https://server.example.com/authorize?
     response_type=code
     &client_id=s6BhdRkqt3
     &state=xyz
     &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
     

    Related specifications:

    • OAuth 2.0 (RFC 6749), sections 4.1.1 and 4.2.1.
    • OAuth 2.0 Multiple Response Type Encoding Practices 1.0.
    • OAuth 2.0 Form Post Response Mode 1.0.
    • Proof Key for Code Exchange by OAuth Public Clients (RFC 7636).
    • Resource Indicators for OAuth 2.0 (RFC 8707)
    • OAuth 2.0 Incremental Authorization (draft-ietf-oauth-incremental-authz-04)
    • The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR) draft-ietf-oauth-jwsreq-29
    • Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)
    • Field Detail

      • prompt

        protected final Prompt prompt
        The requested prompt (optional).
    • Constructor Detail

      • AuthorizationRequest

        public AuthorizationRequest​(URI uri,
                                    ResponseType rt,
                                    ResponseMode rm,
                                    ClientID clientID,
                                    URI redirectURI,
                                    Scope scope,
                                    State state)
        Creates a new authorisation request.
        Parameters:
        uri - The URI of the authorisation endpoint. May be null if the toHTTPRequest(com.nimbusds.oauth2.sdk.http.HTTPRequest.Method) method will not be used.
        rt - The response type. Corresponds to the response_type parameter. Must not be null.
        rm - The response mode. Corresponds to the optional response_mode parameter. Use of this parameter is not recommended unless a non-default response mode is requested (e.g. form_post).
        clientID - The client identifier. Corresponds to the client_id parameter. Must not be null.
        redirectURI - The redirection URI. Corresponds to the optional redirect_uri parameter. null if not specified.
        scope - The request scope. Corresponds to the optional scope parameter. null if not specified.
        state - The state. Corresponds to the recommended state parameter. null if not specified.
      • AuthorizationRequest

        public AuthorizationRequest​(URI uri,
                                    ResponseType rt,
                                    ResponseMode rm,
                                    ClientID clientID,
                                    URI redirectURI,
                                    Scope scope,
                                    State state,
                                    CodeChallenge codeChallenge,
                                    CodeChallengeMethod codeChallengeMethod,
                                    List<URI> resources,
                                    boolean includeGrantedScopes,
                                    com.nimbusds.jwt.JWT requestObject,
                                    URI requestURI,
                                    Prompt prompt,
                                    Map<String,​List<String>> customParams)
        Creates a new authorisation request with extension and custom parameters.
        Parameters:
        uri - The URI of the authorisation endpoint. May be null if the toHTTPRequest(com.nimbusds.oauth2.sdk.http.HTTPRequest.Method) method will not be used.
        rt - The response type. Corresponds to the response_type parameter. Must not be null, unless a request a request object or URI is specified.
        rm - The response mode. Corresponds to the optional response_mode parameter. Use of this parameter is not recommended unless a non-default response mode is requested (e.g. form_post).
        clientID - The client identifier. Corresponds to the client_id parameter. Must not be null, unless a request object or URI is specified.
        redirectURI - The redirection URI. Corresponds to the optional redirect_uri parameter. null if not specified.
        scope - The request scope. Corresponds to the optional scope parameter. null if not specified.
        state - The state. Corresponds to the recommended state parameter. null if not specified.
        codeChallenge - The code challenge for PKCE, null if not specified.
        codeChallengeMethod - The code challenge method for PKCE, null if not specified.
        resources - The resource URI(s), null if not specified.
        includeGrantedScopes - true to request incremental authorisation.
        requestObject - The request object. Corresponds to the optional request parameter. Must not be specified together with a request object URI. null if not specified.
        requestURI - The request object URI. Corresponds to the optional request_uri parameter. Must not be specified together with a request object. null if not specified.
        prompt - The requested prompt. Corresponds to the optional prompt parameter.
        customParams - Custom parameters, empty map or null if none.
    • Method Detail

      • getRegisteredParameterNames

        public static Set<StringgetRegisteredParameterNames()
        Returns the registered (standard) OAuth 2.0 authorisation request parameter names.
        Returns:
        The registered OAuth 2.0 authorisation request parameter names, as a unmodifiable set.
      • getResponseMode

        public ResponseMode getResponseMode()
        Gets the optional response mode. Corresponds to the optional response_mode parameter.
        Returns:
        The response mode, null if not specified.
      • impliedResponseMode

        public ResponseMode impliedResponseMode()
        Returns the implied response mode, determined by the optional response_mode parameter, and if that isn't specified, by the response_type.

        If the jwt response mode shortcut from JARM is explicitly requested expands it to query.jwt or fragment.jwt depending on the response type (response_type).

        Returns:
        The implied response mode.
      • getClientID

        public ClientID getClientID()
        Gets the client identifier. Corresponds to the client_id parameter.
        Returns:
        The client identifier.
      • getRedirectionURI

        public URI getRedirectionURI()
        Gets the redirection URI. Corresponds to the optional redirection_uri parameter.
        Returns:
        The redirection URI, null if not specified.
      • getScope

        public Scope getScope()
        Gets the scope. Corresponds to the optional scope parameter.
        Returns:
        The scope, null if not specified.
      • getState

        public State getState()
        Gets the state. Corresponds to the recommended state parameter.
        Returns:
        The state, null if not specified.
      • getCodeChallenge

        public CodeChallenge getCodeChallenge()
        Returns the code challenge for PKCE.
        Returns:
        The code challenge, null if not specified.
      • getResources

        public List<URIgetResources()
        Returns the resource server URI.
        Returns:
        The resource URI(s), null if not specified.
      • includeGrantedScopes

        public boolean includeGrantedScopes()
        Returns true if incremental authorisation is requested.
        Returns:
        true if incremental authorisation is requested, else false.
      • getRequestObject

        public com.nimbusds.jwt.JWT getRequestObject()
        Gets the request object. Corresponds to the optional request parameter.
        Returns:
        The request object, null if not specified.
      • getRequestURI

        public URI getRequestURI()
        Gets the request object URI. Corresponds to the optional request_uri parameter.
        Returns:
        The request object URI, null if not specified.
      • specifiesRequestObject

        public boolean specifiesRequestObject()
        Returns true if this is a JWT secured authentication request.
        Returns:
        true if a request object via a request or request_uri parameter is specified, else false.
      • getPrompt

        public Prompt getPrompt()
        Gets the requested prompt. Corresponds to the optional prompt parameter.
        Returns:
        The requested prompt, null if not specified.
      • getCustomParameters

        public Map<String,​List<String>> getCustomParameters()
        Returns the additional custom parameters.
        Returns:
        The additional custom parameters as a unmodifiable map, empty map if none.
      • getCustomParameter

        public List<StringgetCustomParameter​(String name)
        Returns the specified custom parameter.
        Parameters:
        name - The parameter name. Must not be null.
        Returns:
        The parameter value(s), null if not specified.
      • toParameters

        public Map<String,​List<String>> toParameters()
        Returns the URI query parameters for this authorisation request. Query parameters which are part of the authorisation endpoint are not included.

        Example parameters:

         response_type = code
         client_id     = s6BhdRkqt3
         state         = xyz
         redirect_uri  = https://client.example.com/cb
         
        Returns:
        The parameters.
      • toJWTClaimsSet

        public com.nimbusds.jwt.JWTClaimsSet toJWTClaimsSet()
        Returns the parameters for this authorisation request as a JSON Web Token (JWT) claims set. Intended for creating a request object.
        Returns:
        The parameters as JWT claim set.
      • toQueryString

        public String toQueryString()
        Returns the URI query string for this authorisation request.

        Note that the '?' character preceding the query string in an URI is not included in the returned string.

        Example URI query string:

         response_type=code
         &client_id=s6BhdRkqt3
         &state=xyz
         &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
         
        Returns:
        The URI query string.
      • toURI

        public URI toURI()
        Returns the complete URI representation for this authorisation request, consisting of the authorization endpoint URI with the query string appended.

        Example URI:

         https://server.example.com/authorize?
         response_type=code
         &client_id=s6BhdRkqt3
         &state=xyz
         &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
         
        Returns:
        The URI representation.
      • toHTTPRequest

        public HTTPRequest toHTTPRequest​(HTTPRequest.Method method)
        Returns the matching HTTP request.
        Parameters:
        method - The HTTP request method which can be GET or POST. Must not be null.
        Returns:
        The HTTP request.
      • toHTTPRequest

        public HTTPRequest toHTTPRequest()
        Description copied from interface: Request
        Returns the matching HTTP request.
        Returns:
        The HTTP request.
      • parse

        public static AuthorizationRequest parse​(Map<String,​List<String>> params)
                                          throws ParseException
        Parses an authorisation request from the specified URI query parameters.

        Example parameters:

         response_type = code
         client_id     = s6BhdRkqt3
         state         = xyz
         redirect_uri  = https://client.example.com/cb
         
        Parameters:
        params - The parameters. Must not be null.
        Returns:
        The authorisation request.
        Throws:
        ParseException - If the parameters couldn't be parsed to an authorisation request.
      • parse

        public static AuthorizationRequest parse​(URI uri,
                                                 Map<String,​List<String>> params)
                                          throws ParseException
        Parses an authorisation request from the specified URI and query parameters.

        Example parameters:

         response_type = code
         client_id     = s6BhdRkqt3
         state         = xyz
         redirect_uri  = https://client.example.com/cb
         
        Parameters:
        uri - The URI of the authorisation endpoint. May be null if the toHTTPRequest() method will not be used.
        params - The parameters. Must not be null.
        Returns:
        The authorisation request.
        Throws:
        ParseException - If the parameters couldn't be parsed to an authorisation request.
      • parse

        public static AuthorizationRequest parse​(String query)
                                          throws ParseException
        Parses an authorisation request from the specified URI query string.

        Example URI query string:

         response_type=code
         &client_id=s6BhdRkqt3
         &state=xyz
         &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
         
        Parameters:
        query - The URI query string. Must not be null.
        Returns:
        The authorisation request.
        Throws:
        ParseException - If the query string couldn't be parsed to an authorisation request.
      • parse

        public static AuthorizationRequest parse​(URI uri,
                                                 String query)
                                          throws ParseException
        Parses an authorisation request from the specified URI and query string.

        Example URI query string:

         response_type=code
         &client_id=s6BhdRkqt3
         &state=xyz
         &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
         
        Parameters:
        uri - The URI of the authorisation endpoint. May be null if the toHTTPRequest() method will not be used.
        query - The URI query string. Must not be null.
        Returns:
        The authorisation request.
        Throws:
        ParseException - If the query string couldn't be parsed to an authorisation request.
      • parse

        public static AuthorizationRequest parse​(URI uri)
                                          throws ParseException
        Parses an authorisation request from the specified URI.

        Example URI:

         https://server.example.com/authorize?
         response_type=code
         &client_id=s6BhdRkqt3
         &state=xyz
         &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
         
        Parameters:
        uri - The URI. Must not be null.
        Returns:
        The authorisation request.
        Throws:
        ParseException - If the URI couldn't be parsed to an authorisation request.
      • parse

        public static AuthorizationRequest parse​(HTTPRequest httpRequest)
                                          throws ParseException
        Parses an authorisation request from the specified HTTP request.

        Example HTTP request (GET):

         https://server.example.com/authorize?
         response_type=code
         &client_id=s6BhdRkqt3
         &state=xyz
         &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
         
        Parameters:
        httpRequest - The HTTP request. Must not be null.
        Returns:
        The authorisation request.
        Throws:
        ParseException - If the HTTP request couldn't be parsed to an authorisation request.