Class AbstractOIDCSSOConfiguration

    • Constructor Detail

      • AbstractOIDCSSOConfiguration

        public AbstractOIDCSSOConfiguration​(@Nonnull @NotEmpty
                                            String profileId)
        Creates a new configuration instance.
        Parameters:
        profileId - Unique profile identifier.
    • Method Detail

      • getIssuer

        @Nullable
        @NotEmpty
        public String getIssuer​(@Nullable
                                ProfileRequestContext profileRequestContext)
        Specified by:
        getIssuer in interface net.shibboleth.idp.profile.config.OverriddenIssuerProfileConfiguration
      • setIssuer

        public void setIssuer​(@Nullable @NotEmpty
                              String issuer)
        Set overridden issuer value.
        Parameters:
        issuer - issuer value
      • setIssuerLookupStrategy

        public void setIssuerLookupStrategy​(@Nonnull
                                            Function<ProfileRequestContext,​String> strategy)
        Sets lookup strategy for overridden issuer value.
        Parameters:
        strategy - lookup strategy
      • isResolveAttributes

        public boolean isResolveAttributes​(@Nullable
                                           ProfileRequestContext profileRequestContext)
        Specified by:
        isResolveAttributes in interface net.shibboleth.idp.profile.config.AttributeResolvingProfileConfiguration
      • setResolveAttributes

        public void setResolveAttributes​(boolean flag)
        Set whether attributes should be resolved during the profile.
        Parameters:
        flag - flag to set
      • setResolveAttributesPredicate

        public void setResolveAttributesPredicate​(@Nonnull
                                                  Predicate<ProfileRequestContext> condition)
        Set a condition to determine whether attributes should be resolved during the profile.
        Parameters:
        condition - condition to set
      • isEncryptionOptional

        public boolean isEncryptionOptional​(@Nullable
                                            ProfileRequestContext profileRequestContext)
        Get whether encryption is optional in the face of a missing key, etc.
        Parameters:
        profileRequestContext - current profile request context
        Returns:
        true iff encryption is optional
      • setEncryptionOptional

        public void setEncryptionOptional​(boolean flag)
        Set whether encryption is optional in the face of a missing key, etc.
        Parameters:
        flag - flag to set
      • setEncryptionOptionalPredicate

        public void setEncryptionOptionalPredicate​(@Nonnull
                                                   Predicate<ProfileRequestContext> condition)
        Set a condition to determine whether encryption is optional in the face of a missing key, etc.
        Parameters:
        condition - condition to set
      • isForcePKCE

        public boolean isForcePKCE​(@Nullable
                                   ProfileRequestContext profileRequestContext)
        Get whether the client is required to use PKCE.
        Parameters:
        profileRequestContext - profile request context
        Returns:
        whether client is required to use PKCE
      • setForcePKCE

        public void setForcePKCE​(boolean flag)
        Set whether client is required to use PKCE.
        Parameters:
        flag - flag to set
      • setForcePKCEPredicate

        public void setForcePKCEPredicate​(@Nonnull
                                          Predicate<ProfileRequestContext> condition)
        Set a condition for whether the client is required to use PKCE.
        Parameters:
        condition - condition to set
      • isAllowPKCEPlain

        public boolean isAllowPKCEPlain​(@Nullable
                                        ProfileRequestContext profileRequestContext)
        Get whether the client is allowed to use the plain PKCE code challenge method.
        Parameters:
        profileRequestContext - profile request context
        Returns:
        whether the client is allowed to use the plain PKCE code challenge method
      • setAllowPKCEPlain

        public void setAllowPKCEPlain​(boolean flag)
        Set whether the client is allowed to use the plain PKCE code challenge method (the S256 method is the stronger option; plain sends the verifier value unhashed).
        Parameters:
        flag - flag to set
      • setAllowPKCEPlainPredicate

        public void setAllowPKCEPlainPredicate​(@Nonnull
                                               Predicate<ProfileRequestContext> condition)
        Set a condition for whether the client is allowed to use the plain PKCE code challenge method.
        Parameters:
        condition - condition to set
      • getIDTokenLifetime

        @Positive
        @Nonnull
        public Duration getIDTokenLifetime​(@Nullable
                                           ProfileRequestContext profileRequestContext)
        Get ID token lifetime.

        Defaults to 1 hour.

        Parameters:
        profileRequestContext - profile request context
        Returns:
        ID token lifetime
      • setIDTokenLifetime

        public void setIDTokenLifetime​(@Positive @Nonnull
                                       Duration lifetime)
        Set the lifetime of an id token.
        Parameters:
        lifetime - lifetime of an ID token (a Duration, not a millisecond count)
      • setIDTokenLifetimeLookupStrategy

        public void setIDTokenLifetimeLookupStrategy​(@Nonnull
                                                     Function<ProfileRequestContext,​Duration> strategy)
        Set a lookup strategy for the ID token lifetime.
        Parameters:
        strategy - lookup strategy
      • getAccessTokenType

        @Nullable
        @NotEmpty
        public String getAccessTokenType​(@Nullable
                                         ProfileRequestContext profileRequestContext)
        Get access token type.
        Parameters:
        profileRequestContext - profile request context
        Returns:
        access token type, or null for unspecified/opaque
        Since:
        2.1.0
      • setAccessTokenType

        public void setAccessTokenType​(@Nullable @NotEmpty
                                       String type)
        Set access token type.
        Parameters:
        type - token type, or null for unspecified/opaque
        Since:
        2.1.0
      • setAccessTokenTypeLookupStrategy

        public void setAccessTokenTypeLookupStrategy​(@Nonnull
                                                     Function<ProfileRequestContext,​String> strategy)
        Set lookup strategy for access token type.
        Parameters:
        strategy - lookup strategy
        Since:
        2.1.0
      • getAccessTokenLifetime

        @Positive
        @Nonnull
        public Duration getAccessTokenLifetime​(@Nullable
                                               ProfileRequestContext profileRequestContext)
        Get access token lifetime.

        Defaults to 10 minutes.

        Parameters:
        profileRequestContext - profile request context
        Returns:
        access token lifetime
      • setAccessTokenLifetime

        public void setAccessTokenLifetime​(@Positive @Nonnull
                                           Duration lifetime)
        Set the lifetime of an access token.
        Parameters:
        lifetime - lifetime of an access token (a Duration, not a millisecond count)
      • setAccessTokenLifetimeLookupStrategy

        public void setAccessTokenLifetimeLookupStrategy​(@Nullable
                                                         Function<ProfileRequestContext,​Duration> strategy)
        Set a lookup strategy for the access token lifetime.
        Parameters:
        strategy - lookup strategy
      • getRefreshTokenLifetime

        @Nonnull
        @Positive
        public Duration getRefreshTokenLifetime​(@Nullable
                                                ProfileRequestContext profileRequestContext)
        Get refresh token lifetime.

        Defaults to 2 hours.

        Parameters:
        profileRequestContext - profile request context
        Returns:
        refresh token lifetime
      • setRefreshTokenLifetime

        public void setRefreshTokenLifetime​(@Nonnull @Positive
                                            Duration lifetime)
        Set the lifetime of refresh token.
        Parameters:
        lifetime - lifetime of a refresh token
      • setRefreshTokenLifetimeLookupStrategy

        public void setRefreshTokenLifetimeLookupStrategy​(@Nullable
                                                          Function<ProfileRequestContext,​Duration> strategy)
        Set a lookup strategy for the refresh token lifetime.
        Parameters:
        strategy - lookup strategy
      • getAdditionalAudiencesForIdToken

        @Nonnull
        @NonnullElements
        @NotLive
        public Set<String> getAdditionalAudiencesForIdToken​(@Nullable
                                                            ProfileRequestContext profileRequestContext)
        Get the set of audiences, in addition to the relying party(ies) to which the IdP is issuing the ID Token, with which the token may be shared.
        Parameters:
        profileRequestContext - profile request context
        Returns:
        the additional audiences
      • setAdditionalAudiencesForIdToken

        public void setAdditionalAudiencesForIdToken​(@Nullable @NonnullElements
                                                     Collection<String> audiences)
        Set the set of audiences, in addition to the relying party(ies) to which the IdP is issuing the ID Token, with which the token may be shared.
        Parameters:
        audiences - the additional audiences
      • setAdditionalAudiencesForIdTokenLookupStrategy

        public void setAdditionalAudiencesForIdTokenLookupStrategy​(@Nonnull
                                                                   Function<ProfileRequestContext,​Set<String>> strategy)
        Set a lookup strategy for the set of audiences, in addition to the relying party(ies) to which the IdP is issuing the ID Token, with which the token may be shared.
        Parameters:
        strategy - lookup strategy
      • getAlwaysIncludedAttributes

        @Nonnull
        @NonnullElements
        @NotLive
        public Set<String> getAlwaysIncludedAttributes​(@Nullable
                                                       ProfileRequestContext profileRequestContext)
        Get the set of attribute IDs which should be included in the ID token regardless of response_type.

        Default behavior is to include claims in the ID token only for the implicit id_token response type, while any use of a back-channel relies on the user_info endpoint to get the claims. This setting forces certain attributes to be added to the ID token regardless of flow.

        Parameters:
        profileRequestContext - profile request context
        Returns:
        the attribute IDs to include in all cases
      • setAlwaysIncludedAttributes

        public void setAlwaysIncludedAttributes​(@Nullable @NonnullElements
                                                Collection<String> attributes)
        Set the set of attribute IDs which should be included in the ID token regardless of response_type.

        Default behavior is to include claims in the ID token only for the implicit id_token response type, while any use of a back-channel relies on the user_info endpoint to get the claims. This setting forces certain attributes to be added to the ID token regardless of flow.

        Parameters:
        attributes - the attribute IDs to include in all cases
      • setAlwaysIncludedAttributesLookupStrategy

        public void setAlwaysIncludedAttributesLookupStrategy​(@Nonnull
                                                              Function<ProfileRequestContext,​Set<String>> strategy)
        Set a lookup strategy for the attribute IDs which should be included in the ID token regardless of response_type.
        Parameters:
        strategy - lookup strategy
      • setIDTokenManipulationStrategy

        public void setIDTokenManipulationStrategy​(@Nullable
                                                   BiFunction<ProfileRequestContext,​Map<String,​Object>,​Map<String,​Object>> strategy)
        Set the bi-function for manipulating id_token claims.
        Parameters:
        strategy - bi-function for manipulating id_token claims
        Since:
        2.1.0
      • getAccessTokenClaimsSetManipulationStrategy

        @Nonnull
        public BiFunction<ProfileRequestContext,​Map<String,​Object>,​Map<String,​Object>> getAccessTokenClaimsSetManipulationStrategy​(@Nullable
                                                                                                                                                           ProfileRequestContext profileRequestContext)
        Get the bi-function for manipulating access token claims set.
        Parameters:
        profileRequestContext - profile request context
        Returns:
        the bi-function for manipulating access token claims set
        Since:
        2.1.0
      • setAccessTokenClaimsSetManipulationStrategy

        public void setAccessTokenClaimsSetManipulationStrategy​(@Nullable
                                                                BiFunction<ProfileRequestContext,​Map<String,​Object>,​Map<String,​Object>> strategy)
        Set the bi-function for manipulating access token claims set.
        Parameters:
        strategy - bi-function for manipulating access token claims set
        Since:
        2.1.0