Class OidcIdTokenProperties
- All Implemented Interfaces: Serializable
- Since: 6.6.0

Method Summary
- getMaxTimeToLiveInSeconds: Hard timeout to kill the id token and expire it.
- boolean isIncludeIdTokenClaims(): As per OpenID Connect Core section 5.4, "The Claims requested by the profile, email, address, and phone scope values are returned from the userinfo endpoint", except for response_type=id_token, where they are returned in the id_token (as there is no access token issued that could be used to access the userinfo endpoint).
- setIncludeIdTokenClaims(boolean includeIdTokenClaims): As per OpenID Connect Core section 5.4, "The Claims requested by the profile, email, address, and phone scope values are returned from the userinfo endpoint", except for response_type=id_token, where they are returned in the id_token (as there is no access token issued that could be used to access the userinfo endpoint).
- setMaxTimeToLiveInSeconds(String maxTimeToLiveInSeconds): Hard timeout to kill the id token and expire it.

Constructor Details

OidcIdTokenProperties
public OidcIdTokenProperties()

Method Details

getMaxTimeToLiveInSeconds
Hard timeout to kill the id token and expire it.

isIncludeIdTokenClaims
public boolean isIncludeIdTokenClaims()
As per OpenID Connect Core section 5.4, "The Claims requested by the profile, email, address, and phone scope values are returned from the userinfo endpoint", except for response_type=id_token, where they are returned in the id_token (as there is no access token issued that could be used to access the userinfo endpoint).

The Claims requested by the profile, email, address, and phone scope values are returned from the userinfo endpoint when a response_type value is used that results in an access token being issued. However, when no access token is issued (which is the case for the response_type value id_token), the resulting Claims are returned in the ID Token.

Setting this flag to true will force CAS to include claims in the ID token regardless of the response type. Note that this setting MUST ONLY be used as a last resort, to stay compliant with the specification as much as possible. DO NOT use this setting without due consideration.

Note that this setting is set to true by default, mainly to preserve backward compatibility with previous CAS versions that included claims in the ID token without considering the response type. The behavior of this setting may change and it may be removed in future CAS releases.

setMaxTimeToLiveInSeconds
Hard timeout to kill the id token and expire it.
- Returns: this.

setIncludeIdTokenClaims
As per OpenID Connect Core section 5.4, "The Claims requested by the profile, email, address, and phone scope values are returned from the userinfo endpoint", except for response_type=id_token, where they are returned in the id_token (as there is no access token issued that could be used to access the userinfo endpoint).

The Claims requested by the profile, email, address, and phone scope values are returned from the userinfo endpoint when a response_type value is used that results in an access token being issued. However, when no access token is issued (which is the case for the response_type value id_token), the resulting Claims are returned in the ID Token.

Setting this flag to true will force CAS to include claims in the ID token regardless of the response type. Note that this setting MUST ONLY be used as a last resort, to stay compliant with the specification as much as possible. DO NOT use this setting without due consideration.

Note that this setting is set to true by default, mainly to preserve backward compatibility with previous CAS versions that included claims in the ID token without considering the response type. The behavior of this setting may change and it may be removed in future CAS releases.
- Returns: this.
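
The following is an added example, not part of the CAS Javadoc or the CAS code base. It is a relying-party-side check, written in Python, that decodes an ID token payload and reports claims tied to the profile, email, address, and phone scopes that arrived in the ID token even though the response_type issues an access token, which is the effect of includeIdTokenClaims being true. The function names, the issuer URL, and the sample token are constructed for illustration; the scope-to-claim mapping is the one given in OpenID Connect Core section 5.4.

```python
import base64
import json

# Claims unlocked by each scope value, per OpenID Connect Core section 5.4.
SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}

def decode_payload(id_token):
    """Decode the payload of a compact JWT. No signature check: inspection only."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part compact JWT")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))

def issues_access_token(response_type):
    """True when the response_type leads to an access token (anything but bare id_token)."""
    values = set(response_type.split())
    return "code" in values or "token" in values

def scope_claims_in_id_token(id_token, response_type):
    """Map scope -> scope-driven claims found in the ID token when the userinfo
    endpoint was reachable. Claims asked for through the 'claims' request
    parameter would also show up here, so treat hits as items to review."""
    if not issues_access_token(response_type):
        return {}  # response_type=id_token: claims belong in the ID token
    payload = decode_payload(id_token)
    hits = {}
    for scope, names in SCOPE_CLAIMS.items():
        present = sorted(names.intersection(payload))
        if present:
            hits[scope] = present
    return hits

def constructed_token(payload):
    """Build a sample token from constructed data (not real CAS output)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(payload), "constructed-signature"])

SAMPLE = constructed_token({"iss": "https://cas.example.org/cas/oidc", "sub": "casuser",
                            "aud": "client", "email": "casuser@example.org",
                            "given_name": "CAS"})
```

A non-empty result for a code or token flow means user attributes are travelling inside the ID token instead of being fetched from the userinfo endpoint with the access token.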