001/* 002 * oauth2-oidc-sdk 003 * 004 * Copyright 2012-2021, Connect2id Ltd and contributors. 005 * 006 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use 007 * this file except in compliance with the License. You may obtain a copy of the 008 * License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software distributed 013 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR 014 * CONDITIONS OF ANY KIND, either express or implied. See the License for the 015 * specific language governing permissions and limitations under the License. 016 */ 017 018package com.nimbusds.oauth2.sdk.as; 019 020 021import java.net.URI; 022import java.util.List; 023 024import net.minidev.json.JSONObject; 025 026import com.nimbusds.jose.EncryptionMethod; 027import com.nimbusds.jose.JWEAlgorithm; 028import com.nimbusds.jose.JWSAlgorithm; 029import com.nimbusds.langtag.LangTag; 030import com.nimbusds.oauth2.sdk.GrantType; 031import com.nimbusds.oauth2.sdk.ResponseMode; 032import com.nimbusds.oauth2.sdk.ResponseType; 033import com.nimbusds.oauth2.sdk.Scope; 034import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod; 035import com.nimbusds.oauth2.sdk.ciba.BackChannelTokenDeliveryMode; 036import com.nimbusds.oauth2.sdk.client.ClientType; 037import com.nimbusds.oauth2.sdk.id.Issuer; 038import com.nimbusds.oauth2.sdk.pkce.CodeChallengeMethod; 039import com.nimbusds.openid.connect.sdk.Prompt; 040 041 042/** 043 * Read-only OAuth 2.0 Authorisation Server (AS) metadata. 044 * 045 * <p>Related specifications: 046 * 047 * <ul> 048 * <li>OAuth 2.0 Authorization Server Metadata (RFC 8414) 049 * <li>OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound 050 * Access Tokens (RFC 8705) 051 * <li>OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer 052 * (DPoP) (draft-ietf-oauth-dpop-02) 053 * <li>Financial-grade API: JWT Secured Authorization Response Mode for 054 * OAuth 2.0 (JARM) 055 * <li>OAuth 2.0 Authorization Server Issuer Identification (RFC 9207) 056 * <li>Financial-grade API - Part 2: Read and Write API Security Profile 057 * <li>OAuth 2.0 Pushed Authorization Requests (RFC 9126) 058 * <li>OAuth 2.0 Device Authorization Grant (RFC 8628) 059 * <li>OpenID Connect Client Initiated Backchannel Authentication Flow - 060 * Core 1.0 061 * <li>OAuth 2.0 Incremental Authorization 062 * (draft-ietf-oauth-incremental-authz-04) 063 * <li>Initiating User Registration via OpenID Connect (draft 04) 064 * </ul> 065 */ 066public interface ReadOnlyAuthorizationServerMetadata extends ReadOnlyAuthorizationServerEndpointMetadata { 067 068 069 /** 070 * Gets the issuer identifier. Corresponds to the {@code issuer} 071 * metadata field. 072 * 073 * @return The issuer identifier. 074 */ 075 Issuer getIssuer(); 076 077 078 /** 079 * Gets the JSON Web Key (JWK) set URI. Corresponds to the 080 * {@code jwks_uri} metadata field. 081 * 082 * @return The JWK set URI, {@code null} if not specified. 083 */ 084 URI getJWKSetURI(); 085 086 087 /** 088 * Gets the supported scope values. Corresponds to the 089 * {@code scopes_supported} metadata field. 090 * 091 * @return The supported scope values, {@code null} if not specified. 092 */ 093 Scope getScopes(); 094 095 096 /** 097 * Gets the supported response type values. Corresponds to the 098 * {@code response_types_supported} metadata field. 099 * 100 * @return The supported response type values, {@code null} if not 101 * specified. 102 */ 103 List<ResponseType> getResponseTypes(); 104 105 106 /** 107 * Gets the supported response mode values. Corresponds to the 108 * {@code response_modes_supported}. 109 * 110 * @return The supported response mode values, {@code null} if not 111 * specified. 112 */ 113 List<ResponseMode> getResponseModes(); 114 115 116 /** 117 * Gets the supported OAuth 2.0 grant types. Corresponds to the 118 * {@code grant_types_supported} metadata field. 119 * 120 * @return The supported grant types, {@code null} if not specified. 121 */ 122 List<GrantType> getGrantTypes(); 123 124 125 /** 126 * Gets the supported authorisation code challenge methods for PKCE. 127 * Corresponds to the {@code code_challenge_methods_supported} metadata 128 * field. 129 * 130 * @return The supported code challenge methods, {@code null} if not 131 * specified. 132 */ 133 List<CodeChallengeMethod> getCodeChallengeMethods(); 134 135 136 /** 137 * Gets the supported token endpoint authentication methods. 138 * Corresponds to the {@code token_endpoint_auth_methods_supported} 139 * metadata field. 140 * 141 * @return The supported token endpoint authentication methods, 142 * {@code null} if not specified. 143 */ 144 List<ClientAuthenticationMethod> getTokenEndpointAuthMethods(); 145 146 147 /** 148 * Gets the supported JWS algorithms for the {@code private_key_jwt} 149 * and {@code client_secret_jwt} token endpoint authentication methods. 150 * Corresponds to the 151 * {@code token_endpoint_auth_signing_alg_values_supported} metadata 152 * field. 153 * 154 * @return The supported JWS algorithms, {@code null} if not specified. 155 */ 156 List<JWSAlgorithm> getTokenEndpointJWSAlgs(); 157 158 159 /** 160 * Gets the supported introspection endpoint authentication methods. 161 * Corresponds to the 162 * {@code introspection_endpoint_auth_methods_supported} metadata 163 * field. 164 * 165 * @return The supported introspection endpoint authentication methods, 166 * {@code null} if not specified. 167 */ 168 List<ClientAuthenticationMethod> getIntrospectionEndpointAuthMethods(); 169 170 171 /** 172 * Gets the supported JWS algorithms for the {@code private_key_jwt} 173 * and {@code client_secret_jwt} introspection endpoint authentication 174 * methods. Corresponds to the 175 * {@code introspection_endpoint_auth_signing_alg_values_supported} 176 * metadata field. 177 * 178 * @return The supported JWS algorithms, {@code null} if not specified. 179 */ 180 List<JWSAlgorithm> getIntrospectionEndpointJWSAlgs(); 181 182 183 /** 184 * Gets the supported revocation endpoint authentication methods. 185 * Corresponds to the 186 * {@code revocation_endpoint_auth_methods_supported} metadata field. 187 * 188 * @return The supported revocation endpoint authentication methods, 189 * {@code null} if not specified. 190 */ 191 List<ClientAuthenticationMethod> getRevocationEndpointAuthMethods(); 192 193 194 /** 195 * Gets the supported JWS algorithms for the {@code private_key_jwt} 196 * and {@code client_secret_jwt} revocation endpoint authentication 197 * methods. Corresponds to the 198 * {@code revocation_endpoint_auth_signing_alg_values_supported} 199 * metadata field. 200 * 201 * @return The supported JWS algorithms, {@code null} if not specified. 202 */ 203 List<JWSAlgorithm> getRevocationEndpointJWSAlgs(); 204 205 206 /** 207 * Gets the supported JWS algorithms for request objects. Corresponds 208 * to the {@code request_object_signing_alg_values_supported} metadata 209 * field. 210 * 211 * @return The supported JWS algorithms, {@code null} if not specified. 212 */ 213 List<JWSAlgorithm> getRequestObjectJWSAlgs(); 214 215 216 /** 217 * Gets the supported JWE algorithms for request objects. Corresponds 218 * to the {@code request_object_encryption_alg_values_supported} 219 * metadata field. 220 * 221 * @return The supported JWE algorithms, {@code null} if not specified. 222 */ 223 List<JWEAlgorithm> getRequestObjectJWEAlgs(); 224 225 226 /** 227 * Gets the supported encryption methods for request objects. 228 * Corresponds to the 229 * {@code request_object_encryption_enc_values_supported} metadata 230 * field. 231 * 232 * @return The supported encryption methods, {@code null} if not 233 * specified. 234 */ 235 List<EncryptionMethod> getRequestObjectJWEEncs(); 236 237 238 /** 239 * Gets the support for the {@code request} authorisation request 240 * parameter. Corresponds to the {@code request_parameter_supported} 241 * metadata field. 242 * 243 * @return {@code true} if the {@code reqeust} parameter is supported, 244 * else {@code false}. 245 */ 246 boolean supportsRequestParam(); 247 248 249 /** 250 * Gets the support for the {@code request_uri} authorisation request 251 * parameter. Corresponds to the 252 * {@code request_uri_parameter_supported} metadata field. 253 * 254 * @return {@code true} if the {@code request_uri} parameter is 255 * supported, else {@code false}. 256 */ 257 boolean supportsRequestURIParam(); 258 259 260 /** 261 * Gets the requirement for the {@code request_uri} parameter 262 * pre-registration. Corresponds to the 263 * {@code require_request_uri_registration} metadata field. 264 * 265 * @return {@code true} if the {@code request_uri} parameter values 266 * must be pre-registered, else {@code false}. 267 */ 268 boolean requiresRequestURIRegistration(); 269 270 271 /** 272 * Gets the support for the {@code iss} authorisation response 273 * parameter. Corresponds to the 274 * {@code authorization_response_iss_parameter_supported} metadata 275 * field. 276 * 277 * @return {@code true} if the {@code iss} authorisation response 278 * parameter is provided, else {@code false}. 279 */ 280 boolean supportsAuthorizationResponseIssuerParam(); 281 282 283 /** 284 * Gets the supported UI locales. Corresponds to the 285 * {@code ui_locales_supported} metadata field. 286 * 287 * @return The supported UI locales, {@code null} if not specified. 288 */ 289 List<LangTag> getUILocales(); 290 291 292 /** 293 * Gets the service documentation URI. Corresponds to the 294 * {@code service_documentation} metadata field. 295 * 296 * @return The service documentation URI, {@code null} if not 297 * specified. 298 */ 299 URI getServiceDocsURI(); 300 301 302 /** 303 * Gets the provider's policy regarding relying party use of data. 304 * Corresponds to the {@code op_policy_uri} metadata field. 305 * 306 * @return The policy URI, {@code null} if not specified. 307 */ 308 URI getPolicyURI(); 309 310 311 /** 312 * Gets the provider's terms of service. Corresponds to the 313 * {@code op_tos_uri} metadata field. 314 * 315 * @return The terms of service URI, {@code null} if not specified. 316 */ 317 URI getTermsOfServiceURI(); 318 319 320 /** 321 * Gets the aliases for communication with mutual TLS. Corresponds to 322 * the {@code mtls_endpoint_aliases} metadata field. 323 * 324 * @return The aliases for communication with mutual TLS, {@code null} 325 * when no aliases are defined. 326 */ 327 ReadOnlyAuthorizationServerEndpointMetadata getReadOnlyMtlsEndpointAliases(); 328 329 330 /** 331 * Gets the support for TLS client certificate bound access tokens. 332 * Corresponds to the 333 * {@code tls_client_certificate_bound_access_tokens} metadata field. 334 * 335 * @return {@code true} if TLS client certificate bound access tokens 336 * are supported, else {@code false}. 337 */ 338 boolean supportsTLSClientCertificateBoundAccessTokens(); 339 340 341 /** 342 * Gets the support for TLS client certificate bound access tokens. 343 * Corresponds to the 344 * {@code tls_client_certificate_bound_access_tokens} metadata field. 345 * 346 * @return {@code true} if TLS client certificate bound access tokens 347 * are supported, else {@code false}. 348 */ 349 @Deprecated 350 boolean supportsMutualTLSSenderConstrainedAccessTokens(); 351 352 353 /** 354 * Gets the supported JWS algorithms for Demonstrating 355 * Proof-of-Possession at the Application Layer (DPoP). Corresponds to 356 * the "dpop_signing_alg_values_supported" metadata field. 357 * 358 * @return The supported JWS algorithms for DPoP, {@code null} if none. 359 */ 360 List<JWSAlgorithm> getDPoPJWSAlgs(); 361 362 363 /** 364 * Gets the supported JWS algorithms for JWT-encoded authorisation 365 * responses. Corresponds to the 366 * {@code authorization_signing_alg_values_supported} metadata field. 367 * 368 * @return The supported JWS algorithms, {@code null} if not specified. 369 */ 370 List<JWSAlgorithm> getAuthorizationJWSAlgs(); 371 372 373 /** 374 * Gets the supported JWE algorithms for JWT-encoded authorisation 375 * responses. Corresponds to the 376 * {@code authorization_encryption_alg_values_supported} metadata 377 * field. 378 * 379 * @return The supported JWE algorithms, {@code null} if not specified. 380 */ 381 List<JWEAlgorithm> getAuthorizationJWEAlgs(); 382 383 384 /** 385 * Gets the supported encryption methods for JWT-encoded authorisation 386 * responses. Corresponds to the 387 * {@code authorization_encryption_enc_values_supported} metadata 388 * field. 389 * 390 * @return The supported encryption methods, {@code null} if not 391 * specified. 392 */ 393 List<EncryptionMethod> getAuthorizationJWEEncs(); 394 395 396 /** 397 * Gets the requirement for pushed authorisation requests (PAR). 398 * Corresponds to the {@code pushed_authorization_request_endpoint} 399 * metadata field. 400 * 401 * @return {@code true} if PAR is required, else {@code false}. 402 */ 403 boolean requiresPushedAuthorizationRequests(); 404 405 406 /** 407 * Gets the supported OAuth 2.0 client types for incremental 408 * authorisation. Corresponds to the 409 * {@code incremental_authz_types_supported} metadata field. 410 * 411 * @return The supported client types for incremental authorisation, 412 * {@code null} if not specified. 413 */ 414 List<ClientType> getIncrementalAuthorizationTypes(); 415 416 417 /** 418 * Gets the supported CIBA token delivery modes. Corresponds to the 419 * {@code backchannel_token_delivery_modes_supported} metadata field. 420 * 421 * @return The CIBA token delivery modes, {@code null} if not 422 * specified. 423 */ 424 List<BackChannelTokenDeliveryMode> getBackChannelTokenDeliveryModes(); 425 426 427 /** 428 * Gets the supported JWS algorithms for CIBA requests. Corresponds to 429 * the {@code backchannel_authentication_request_signing_alg_values_supported} 430 * metadata field. 431 * 432 * @return The supported JWS algorithms, {@code null} if not specified. 433 */ 434 List<JWSAlgorithm> getBackChannelAuthenticationRequestJWSAlgs(); 435 436 437 /** 438 * Gets the support for the {@code user_code} CIBA request parameter. 439 * Corresponds to the {@code backchannel_user_code_parameter_supported} 440 * metadata field. 441 * 442 * @return {@code true} if the {@code user_code} parameter is 443 * supported, else {@code false}. 444 */ 445 boolean supportsBackChannelUserCodeParam(); 446 447 448 /** 449 * Gets the supported {@link Prompt.Type prompt types}. Corresponds to 450 * the {@code prompt_values_supported} metadata field. 451 * 452 * @return The supported prompt types, {@code null} if not specified. 453 */ 454 List<Prompt.Type> getPromptTypes(); 455 456 457 /** 458 * Gets the specified custom (not registered) parameter. 459 * 460 * @param name The parameter name. Must not be {@code null}. 461 * @return The parameter value, {@code null} if not specified. 462 */ 463 Object getCustomParameter(String name); 464 465 466 /** 467 * Gets the specified custom (not registered) URI parameter. 468 * 469 * @param name The parameter name. Must not be {@code null}. 470 * @return The parameter URI value, {@code null} if not specified. 471 */ 472 URI getCustomURIParameter(String name); 473 474 475 /** 476 * Gets the custom (not registered) parameters. 477 * 478 * @return The custom parameters, empty JSON object if none. 479 */ 480 JSONObject getCustomParameters(); 481 482 483 /** 484 * Returns the JSON object representation of the metadata. 485 * 486 * @return The JSON object representation. 487 */ 488 JSONObject toJSONObject(); 489}