001/* 002 * oauth2-oidc-sdk 003 * 004 * Copyright 2012-2021, Connect2id Ltd and contributors. 005 * 006 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use 007 * this file except in compliance with the License. You may obtain a copy of the 008 * License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software distributed 013 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR 014 * CONDITIONS OF ANY KIND, either express or implied. See the License for the 015 * specific language governing permissions and limitations under the License. 016 */ 017 018package com.nimbusds.oauth2.sdk.as; 019 020 021import java.net.URI; 022import java.util.List; 023 024import net.minidev.json.JSONObject; 025 026import com.nimbusds.jose.EncryptionMethod; 027import com.nimbusds.jose.JWEAlgorithm; 028import com.nimbusds.jose.JWSAlgorithm; 029import com.nimbusds.langtag.LangTag; 030import com.nimbusds.oauth2.sdk.GrantType; 031import com.nimbusds.oauth2.sdk.ResponseMode; 032import com.nimbusds.oauth2.sdk.ResponseType; 033import com.nimbusds.oauth2.sdk.Scope; 034import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod; 035import com.nimbusds.oauth2.sdk.ciba.BackChannelTokenDeliveryMode; 036import com.nimbusds.oauth2.sdk.client.ClientType; 037import com.nimbusds.oauth2.sdk.id.Issuer; 038import com.nimbusds.oauth2.sdk.pkce.CodeChallengeMethod; 039 040 041/** 042 * Read-only OAuth 2.0 Authorisation Server (AS) metadata. 043 * 044 * <p>Related specifications: 045 * 046 * <ul> 047 * <li>OAuth 2.0 Authorization Server Metadata (RFC 8414) 048 * <li>OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound 049 * Access Tokens (RFC 8705) 050 * <li>OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer 051 * (DPoP) (draft-ietf-oauth-dpop-02) 052 * <li>Financial-grade API: JWT Secured Authorization Response Mode for 053 * OAuth 2.0 (JARM) 054 * <li>OAuth 2.0 Authorization Server Issuer Identification (RFC 9207) 055 * <li>Financial-grade API - Part 2: Read and Write API Security Profile 056 * <li>OAuth 2.0 Pushed Authorization Requests (RFC 9126) 057 * <li>OAuth 2.0 Device Authorization Grant (RFC 8628) 058 * <li>OpenID Connect Client Initiated Backchannel Authentication Flow - 059 * Core 1.0 060 * <li>OAuth 2.0 Incremental Authorization 061 * (draft-ietf-oauth-incremental-authz-04) 062 * </ul> 063 */ 064public interface ReadOnlyAuthorizationServerMetadata extends ReadOnlyAuthorizationServerEndpointMetadata { 065 066 067 /** 068 * Gets the issuer identifier. Corresponds to the {@code issuer} 069 * metadata field. 070 * 071 * @return The issuer identifier. 072 */ 073 Issuer getIssuer(); 074 075 076 /** 077 * Gets the JSON Web Key (JWK) set URI. Corresponds to the 078 * {@code jwks_uri} metadata field. 079 * 080 * @return The JWK set URI, {@code null} if not specified. 081 */ 082 URI getJWKSetURI(); 083 084 085 /** 086 * Gets the supported scope values. Corresponds to the 087 * {@code scopes_supported} metadata field. 088 * 089 * @return The supported scope values, {@code null} if not specified. 090 */ 091 Scope getScopes(); 092 093 094 /** 095 * Gets the supported response type values. Corresponds to the 096 * {@code response_types_supported} metadata field. 097 * 098 * @return The supported response type values, {@code null} if not 099 * specified. 100 */ 101 List<ResponseType> getResponseTypes(); 102 103 104 /** 105 * Gets the supported response mode values. Corresponds to the 106 * {@code response_modes_supported}. 107 * 108 * @return The supported response mode values, {@code null} if not 109 * specified. 110 */ 111 List<ResponseMode> getResponseModes(); 112 113 114 /** 115 * Gets the supported OAuth 2.0 grant types. Corresponds to the 116 * {@code grant_types_supported} metadata field. 117 * 118 * @return The supported grant types, {@code null} if not specified. 119 */ 120 List<GrantType> getGrantTypes(); 121 122 123 /** 124 * Gets the supported authorisation code challenge methods for PKCE. 125 * Corresponds to the {@code code_challenge_methods_supported} metadata 126 * field. 127 * 128 * @return The supported code challenge methods, {@code null} if not 129 * specified. 130 */ 131 List<CodeChallengeMethod> getCodeChallengeMethods(); 132 133 134 /** 135 * Gets the supported token endpoint authentication methods. 136 * Corresponds to the {@code token_endpoint_auth_methods_supported} 137 * metadata field. 138 * 139 * @return The supported token endpoint authentication methods, 140 * {@code null} if not specified. 141 */ 142 List<ClientAuthenticationMethod> getTokenEndpointAuthMethods(); 143 144 145 /** 146 * Gets the supported JWS algorithms for the {@code private_key_jwt} 147 * and {@code client_secret_jwt} token endpoint authentication methods. 148 * Corresponds to the 149 * {@code token_endpoint_auth_signing_alg_values_supported} metadata 150 * field. 151 * 152 * @return The supported JWS algorithms, {@code null} if not specified. 153 */ 154 List<JWSAlgorithm> getTokenEndpointJWSAlgs(); 155 156 157 /** 158 * Gets the supported introspection endpoint authentication methods. 159 * Corresponds to the 160 * {@code introspection_endpoint_auth_methods_supported} metadata 161 * field. 162 * 163 * @return The supported introspection endpoint authentication methods, 164 * {@code null} if not specified. 165 */ 166 List<ClientAuthenticationMethod> getIntrospectionEndpointAuthMethods(); 167 168 169 /** 170 * Gets the supported JWS algorithms for the {@code private_key_jwt} 171 * and {@code client_secret_jwt} introspection endpoint authentication 172 * methods. Corresponds to the 173 * {@code introspection_endpoint_auth_signing_alg_values_supported} 174 * metadata field. 175 * 176 * @return The supported JWS algorithms, {@code null} if not specified. 177 */ 178 List<JWSAlgorithm> getIntrospectionEndpointJWSAlgs(); 179 180 181 /** 182 * Gets the supported revocation endpoint authentication methods. 183 * Corresponds to the 184 * {@code revocation_endpoint_auth_methods_supported} metadata field. 185 * 186 * @return The supported revocation endpoint authentication methods, 187 * {@code null} if not specified. 188 */ 189 List<ClientAuthenticationMethod> getRevocationEndpointAuthMethods(); 190 191 192 /** 193 * Gets the supported JWS algorithms for the {@code private_key_jwt} 194 * and {@code client_secret_jwt} revocation endpoint authentication 195 * methods. Corresponds to the 196 * {@code revocation_endpoint_auth_signing_alg_values_supported} 197 * metadata field. 198 * 199 * @return The supported JWS algorithms, {@code null} if not specified. 200 */ 201 List<JWSAlgorithm> getRevocationEndpointJWSAlgs(); 202 203 204 /** 205 * Gets the supported JWS algorithms for request objects. Corresponds 206 * to the {@code request_object_signing_alg_values_supported} metadata 207 * field. 208 * 209 * @return The supported JWS algorithms, {@code null} if not specified. 210 */ 211 List<JWSAlgorithm> getRequestObjectJWSAlgs(); 212 213 214 /** 215 * Gets the supported JWE algorithms for request objects. Corresponds 216 * to the {@code request_object_encryption_alg_values_supported} 217 * metadata field. 218 * 219 * @return The supported JWE algorithms, {@code null} if not specified. 220 */ 221 List<JWEAlgorithm> getRequestObjectJWEAlgs(); 222 223 224 /** 225 * Gets the supported encryption methods for request objects. 226 * Corresponds to the 227 * {@code request_object_encryption_enc_values_supported} metadata 228 * field. 229 * 230 * @return The supported encryption methods, {@code null} if not 231 * specified. 232 */ 233 List<EncryptionMethod> getRequestObjectJWEEncs(); 234 235 236 /** 237 * Gets the support for the {@code request} authorisation request 238 * parameter. Corresponds to the {@code request_parameter_supported} 239 * metadata field. 240 * 241 * @return {@code true} if the {@code reqeust} parameter is supported, 242 * else {@code false}. 243 */ 244 boolean supportsRequestParam(); 245 246 247 /** 248 * Gets the support for the {@code request_uri} authorisation request 249 * parameter. Corresponds to the 250 * {@code request_uri_parameter_supported} metadata field. 251 * 252 * @return {@code true} if the {@code request_uri} parameter is 253 * supported, else {@code false}. 254 */ 255 boolean supportsRequestURIParam(); 256 257 258 /** 259 * Gets the requirement for the {@code request_uri} parameter 260 * pre-registration. Corresponds to the 261 * {@code require_request_uri_registration} metadata field. 262 * 263 * @return {@code true} if the {@code request_uri} parameter values 264 * must be pre-registered, else {@code false}. 265 */ 266 boolean requiresRequestURIRegistration(); 267 268 269 /** 270 * Gets the support for the {@code iss} authorisation response 271 * parameter. Corresponds to the 272 * {@code authorization_response_iss_parameter_supported} metadata 273 * field. 274 * 275 * @return {@code true} if the {@code iss} authorisation response 276 * parameter is provided, else {@code false}. 277 */ 278 boolean supportsAuthorizationResponseIssuerParam(); 279 280 281 /** 282 * Gets the supported UI locales. Corresponds to the 283 * {@code ui_locales_supported} metadata field. 284 * 285 * @return The supported UI locales, {@code null} if not specified. 286 */ 287 List<LangTag> getUILocales(); 288 289 290 /** 291 * Gets the service documentation URI. Corresponds to the 292 * {@code service_documentation} metadata field. 293 * 294 * @return The service documentation URI, {@code null} if not 295 * specified. 296 */ 297 URI getServiceDocsURI(); 298 299 300 /** 301 * Gets the provider's policy regarding relying party use of data. 302 * Corresponds to the {@code op_policy_uri} metadata field. 303 * 304 * @return The policy URI, {@code null} if not specified. 305 */ 306 URI getPolicyURI(); 307 308 309 /** 310 * Gets the provider's terms of service. Corresponds to the 311 * {@code op_tos_uri} metadata field. 312 * 313 * @return The terms of service URI, {@code null} if not specified. 314 */ 315 URI getTermsOfServiceURI(); 316 317 318 /** 319 * Gets the aliases for communication with mutual TLS. Corresponds to 320 * the {@code mtls_endpoint_aliases} metadata field. 321 * 322 * @return The aliases for communication with mutual TLS, {@code null} 323 * when no aliases are defined. 324 */ 325 ReadOnlyAuthorizationServerEndpointMetadata getReadOnlyMtlsEndpointAliases(); 326 327 328 /** 329 * Gets the support for TLS client certificate bound access tokens. 330 * Corresponds to the 331 * {@code tls_client_certificate_bound_access_tokens} metadata field. 332 * 333 * @return {@code true} if TLS client certificate bound access tokens 334 * are supported, else {@code false}. 335 */ 336 boolean supportsTLSClientCertificateBoundAccessTokens(); 337 338 339 /** 340 * Gets the support for TLS client certificate bound access tokens. 341 * Corresponds to the 342 * {@code tls_client_certificate_bound_access_tokens} metadata field. 343 * 344 * @return {@code true} if TLS client certificate bound access tokens 345 * are supported, else {@code false}. 346 */ 347 @Deprecated 348 boolean supportsMutualTLSSenderConstrainedAccessTokens(); 349 350 351 /** 352 * Gets the supported JWS algorithms for Demonstrating 353 * Proof-of-Possession at the Application Layer (DPoP). Corresponds to 354 * the "dpop_signing_alg_values_supported" metadata field. 355 * 356 * @return The supported JWS algorithms for DPoP, {@code null} if none. 357 */ 358 List<JWSAlgorithm> getDPoPJWSAlgs(); 359 360 361 /** 362 * Gets the supported JWS algorithms for JWT-encoded authorisation 363 * responses. Corresponds to the 364 * {@code authorization_signing_alg_values_supported} metadata field. 365 * 366 * @return The supported JWS algorithms, {@code null} if not specified. 367 */ 368 List<JWSAlgorithm> getAuthorizationJWSAlgs(); 369 370 371 /** 372 * Gets the supported JWE algorithms for JWT-encoded authorisation 373 * responses. Corresponds to the 374 * {@code authorization_encryption_alg_values_supported} metadata 375 * field. 376 * 377 * @return The supported JWE algorithms, {@code null} if not specified. 378 */ 379 List<JWEAlgorithm> getAuthorizationJWEAlgs(); 380 381 382 /** 383 * Gets the supported encryption methods for JWT-encoded authorisation 384 * responses. Corresponds to the 385 * {@code authorization_encryption_enc_values_supported} metadata 386 * field. 387 * 388 * @return The supported encryption methods, {@code null} if not 389 * specified. 390 */ 391 List<EncryptionMethod> getAuthorizationJWEEncs(); 392 393 394 /** 395 * Gets the requirement for pushed authorisation requests (PAR). 396 * Corresponds to the {@code pushed_authorization_request_endpoint} 397 * metadata field. 398 * 399 * @return {@code true} if PAR is required, else {@code false}. 400 */ 401 boolean requiresPushedAuthorizationRequests(); 402 403 404 /** 405 * Gets the supported OAuth 2.0 client types for incremental 406 * authorisation. Corresponds to the 407 * {@code incremental_authz_types_supported} metadata field. 408 * 409 * @return The supported client types for incremental authorisation, 410 * {@code null} if not specified. 411 */ 412 List<ClientType> getIncrementalAuthorizationTypes(); 413 414 415 /** 416 * Gets the supported CIBA token delivery modes. Corresponds to the 417 * {@code backchannel_token_delivery_modes_supported} metadata field. 418 * 419 * @return The CIBA token delivery modes, {@code null} if not 420 * specified. 421 */ 422 List<BackChannelTokenDeliveryMode> getBackChannelTokenDeliveryModes(); 423 424 425 /** 426 * Gets the supported JWS algorithms for CIBA requests. Corresponds to 427 * the {@code backchannel_authentication_request_signing_alg_values_supported} 428 * metadata field. 429 * 430 * @return The supported JWS algorithms, {@code null} if not specified. 431 */ 432 List<JWSAlgorithm> getBackChannelAuthenticationRequestJWSAlgs(); 433 434 435 /** 436 * Gets the support for the {@code user_code} CIBA request parameter. 437 * Corresponds to the {@code backchannel_user_code_parameter_supported} 438 * metadata field. 439 * 440 * @return {@code true} if the {@code user_code} parameter is 441 * supported, else {@code false}. 442 */ 443 boolean supportsBackChannelUserCodeParam(); 444 445 446 /** 447 * Gets the specified custom (not registered) parameter. 448 * 449 * @param name The parameter name. Must not be {@code null}. 450 * @return The parameter value, {@code null} if not specified. 451 */ 452 Object getCustomParameter(String name); 453 454 455 /** 456 * Gets the specified custom (not registered) URI parameter. 457 * 458 * @param name The parameter name. Must not be {@code null}. 459 * @return The parameter URI value, {@code null} if not specified. 460 */ 461 URI getCustomURIParameter(String name); 462 463 464 /** 465 * Gets the custom (not registered) parameters. 466 * 467 * @return The custom parameters, empty JSON object if none. 468 */ 469 JSONObject getCustomParameters(); 470 471 472 /** 473 * Returns the JSON object representation of the metadata. 474 * 475 * @return The JSON object representation. 476 */ 477 JSONObject toJSONObject(); 478}