/*
 * oauth2-oidc-sdk
 *
 * Copyright 2012-2016, Connect2id Ltd and contributors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
 * this file except in compliance with the License. You may obtain a copy of the
 * License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software distributed
 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 * CONDITIONS OF ANY KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations under the License.
 */

package com.nimbusds.openid.connect.sdk.claims;


import net.jcip.annotations.Immutable;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.oauth2.sdk.ResponseType;
import com.nimbusds.oauth2.sdk.token.AccessToken;


/**
 * Access token hash ({@code at_hash}) claim of an OpenID Connect ID token.
 *
 * <p>The claim lets the recipient of an ID token check that an access token
 * delivered alongside it is the one the ID token was issued with. The hash
 * itself is produced by the inherited {@code computeValue} methods, which are
 * not part of this file.
 *
 * <p>Both {@code compute} factories return {@code null} when the JWS
 * algorithm is not supported. Code that validates an ID token should treat a
 * {@code null} result as "could not be verified" and reject, rather than
 * skip the {@code at_hash} comparison.
 *
 * <p>Related specifications:
 *
 * <ul>
 *     <li>OpenID Connect Core 1.0, section 3.1.3.6.
 * </ul>
 */
@Immutable
public final class AccessTokenHash extends HashClaim {


    private static final long serialVersionUID = -2260085393906006318L;


    /**
     * Tells whether ID tokens issued for the specified response type must
     * carry an access token hash claim.
     *
     * @param responseType The OpenID Connect response type. Must not be
     *                     {@code null}.
     *
     * @return {@code true} if the access token hash is required, else
     *         {@code false}.
     */
    public static boolean isRequiredInIDTokenClaims(final ResponseType responseType) {

        // Mandatory for the implicit flow with 'token id_token' ...
        if (ResponseType.IDTOKEN_TOKEN.equals(responseType)) {
            return true;
        }

        // ... and for the hybrid flow with 'code id_token token'.
        // The authz / token endpoint distinction is disregarded here.
        return ResponseType.CODE_IDTOKEN_TOKEN.equals(responseType);
    }


    /**
     * Creates a new access token hash wrapping the specified value.
     *
     * @param value The access token hash value. Must not be {@code null}.
     */
    public AccessTokenHash(final String value) {

        super(value);
    }


    /**
     * Computes the hash for the specified access token using the reference
     * JSON Web Signature (JWS) algorithm, without curve information.
     *
     * @param accessToken The access token. Must not be {@code null}.
     * @param alg         The reference JWS algorithm. Must not be
     *                    {@code null}.
     *
     * @return The access token hash, or {@code null} if the JWS algorithm
     *         is not supported. Validation code should handle {@code null}
     *         as a failed check, not as a match.
     *
     * @deprecated Use {@link #compute(AccessToken, JWSAlgorithm, Curve)}
     *             instead.
     */
    @Deprecated
    public static AccessTokenHash compute(final AccessToken accessToken, final JWSAlgorithm alg) {

        final String hashValue = computeValue(accessToken, alg);

        // A null value signals an unsupported algorithm; pass that on
        return hashValue == null ? null : new AccessTokenHash(hashValue);
    }


    /**
     * Computes the hash for the specified access token using the reference
     * JSON Web Signature (JWS) algorithm and, where relevant, the JWK
     * curve.
     *
     * @param accessToken The access token. Must not be {@code null}.
     * @param alg         The reference JWS algorithm. Must not be
     *                    {@code null}.
     * @param crv         The JWK curve used with the JWS algorithm,
     *                    {@code null} if not applicable. Presumably the
     *                    curve can influence which hash function is
     *                    selected; confirm against {@code HashClaim}.
     *
     * @return The access token hash, or {@code null} if the JWS algorithm
     *         is not supported. Validation code should handle {@code null}
     *         as a failed check, not as a match.
     */
    public static AccessTokenHash compute(final AccessToken accessToken,
                                          final JWSAlgorithm alg,
                                          final Curve crv) {

        final String hashValue = computeValue(accessToken, alg, crv);

        // A null value signals an unsupported algorithm; pass that on
        return hashValue == null ? null : new AccessTokenHash(hashValue);
    }


    /**
     * Compares this claim with another object. Only another
     * {@code AccessTokenHash} with the same string form is considered
     * equal.
     *
     * <p>NOTE(review): {@code hashCode()} is not overridden in this class;
     * confirm the inherited implementation agrees with this string-based
     * equality.
     *
     * @param object The object to compare with, may be {@code null}.
     *
     * @return {@code true} if the objects are equal, else {@code false}.
     */
    @Override
    public boolean equals(final Object object) {

        // instanceof is false for null, so null is rejected here too
        if (!(object instanceof AccessTokenHash)) {
            return false;
        }

        return toString().equals(object.toString());
    }
}