Class OIDCAuthorizationConfiguration

    • Field Detail

      • acrRequestAlwaysEssentialPredicate

        @Nonnull
        private Predicate<ProfileRequestContext> acrRequestAlwaysEssentialPredicate
        Whether all acr claim requests should be treated as Essential.
      • encodeConsentInTokensPredicate

        @Nonnull
        private Predicate<ProfileRequestContext> encodeConsentInTokensPredicate
        Whether to encode consent in authorization code and access/refresh tokens.
      • authorizeCodeLifetimeLookupStrategy

        @Nonnull
        private Function<ProfileRequestContext,Duration> authorizeCodeLifetimeLookupStrategy
        Lookup function to supply lifetime of authz code.
      • encodedAttributesLookupStrategy

        @Nonnull
        private Function<ProfileRequestContext,Set<String>> encodedAttributesLookupStrategy
        Lookup function to supply attribute IDs to embed in authorization code or access token.
      • useRequestObjectPredicate

        @Nonnull
        private Predicate<ProfileRequestContext> useRequestObjectPredicate
        Whether to encode authentication request parameters inside a JWT request object.
      • deniedUserInfoAttributesLookupStrategy

        @Nonnull
        private Function<ProfileRequestContext,Set<String>> deniedUserInfoAttributesLookupStrategy
        Lookup function to supply attribute IDs to omit from UserInfo token.
      • includeIssuerInResponsePredicate

        @Nonnull
        private Predicate<ProfileRequestContext> includeIssuerInResponsePredicate
        Whether to include iss parameter in the authentication response.
      • httpRequestMethodLookupStrategy

        @Nonnull
        private Function<ProfileRequestContext,String> httpRequestMethodLookupStrategy
        Which HTTP method should be used to issue OIDC authentication requests. Supported values are POST and GET. The default is GET.
    • Constructor Detail

      • OIDCAuthorizationConfiguration

        public OIDCAuthorizationConfiguration()
        Constructor.
      • OIDCAuthorizationConfiguration

        public OIDCAuthorizationConfiguration(@Nonnull @NotEmpty
                                              String profileId)
        Creates a new configuration instance.
        Parameters:
        profileId - Unique profile identifier.
    • Method Detail

      • isAcrRequestAlwaysEssential

        public boolean isAcrRequestAlwaysEssential(@Nullable
                                                   ProfileRequestContext profileRequestContext)
        Get whether all acr claim requests should be treated as Essential.
        Parameters:
        profileRequestContext - profile request context
        Returns:
        whether all acr claim requests should be treated as Essential
      • setAcrRequestAlwaysEssential

        public void setAcrRequestAlwaysEssential(boolean flag)
        Set whether all acr claim requests should be treated as Essential.
        Parameters:
        flag - flag to set
      • setAcrRequestAlwaysEssentialPredicate

        public void setAcrRequestAlwaysEssentialPredicate(@Nonnull
                                                          Predicate<ProfileRequestContext> condition)
        Set condition for whether all acr claim requests should be treated as Essential.
        Parameters:
        condition - condition to set
      • isUseRequestObject

        public boolean isUseRequestObject(@Nullable
                                          ProfileRequestContext profileRequestContext)
        Should authentication request parameters be passed in a single, self-contained JWT?
        Parameters:
        profileRequestContext - the profile request context
        Returns:
        whether authentication request parameters should be passed in a single, self contained, JWT
      • setUseRequestObject

        public void setUseRequestObject(boolean flag)
        Set whether the authentication request parameters should be passed in a single, self contained, JWT.
        Parameters:
        flag - flag to set
      • setUseRequestObjectPredicate

        public void setUseRequestObjectPredicate(@Nonnull
                                                 Predicate<ProfileRequestContext> condition)
        Set condition for whether the authentication request parameters should be passed in a single, self contained, JWT.
        Parameters:
        condition - condition to set
      • isEncodeConsentInTokens

        public boolean isEncodeConsentInTokens(@Nullable
                                               ProfileRequestContext profileRequestContext)
        Get whether to encode consent in authorization code and access/refresh tokens.
        Parameters:
        profileRequestContext - profile request context
        Returns:
        whether to encode consent in authorization code and access/refresh tokens
      • setEncodeConsentInTokens

        public void setEncodeConsentInTokens(boolean flag)
        Set whether to encode consent in authorization code and access/refresh tokens.
        Parameters:
        flag - flag to set
      • setEncodeConsentInTokensPredicate

        public void setEncodeConsentInTokensPredicate(@Nonnull
                                                      Predicate<ProfileRequestContext> condition)
        Set condition for whether to encode consent in authorization code and access/refresh tokens.
        Parameters:
        condition - condition to set
      • getAuthorizeCodeLifetime

        @Positive
        @Nonnull
        public Duration getAuthorizeCodeLifetime(@Nullable
                                                 ProfileRequestContext profileRequestContext)
        Get authz code lifetime.

        Defaults to 5 minutes.

        Parameters:
        profileRequestContext - profile request context
        Returns:
        authz code lifetime
      • setAuthorizeCodeLifetime

        public void setAuthorizeCodeLifetime(@Positive @Nonnull
                                             Duration lifetime)
        Set the lifetime of authz code.
        Parameters:
        lifetime - lifetime of authz code
      • setAuthorizeCodeLifetimeLookupStrategy

        public void setAuthorizeCodeLifetimeLookupStrategy(@Nonnull
                                                           Function<ProfileRequestContext,Duration> strategy)
        Set a lookup strategy for the authz code lifetime.
        Parameters:
        strategy - lookup strategy
      • setHttpRequestMethodLookupStrategy

        public void setHttpRequestMethodLookupStrategy(@Nonnull
                                                       Function<ProfileRequestContext,String> strategy)
        Set a lookup strategy to determine the HTTP request method for an authentication request.
        Parameters:
        strategy - the strategy to set.
      • getEncodedAttributes

        @Nonnull
        @NonnullElements
        @NotLive
        public Set<String> getEncodedAttributes(@Nullable
                                                ProfileRequestContext profileRequestContext)
        Get the set of attribute IDs which should be encoded in encrypted form into the authorization code and/or access/refresh tokens to enable recovery on the back-channel.
        Parameters:
        profileRequestContext - profile request context
        Returns:
        the attribute IDs to encode
      • setEncodedAttributes

        public void setEncodedAttributes(@Nullable @NonnullElements
                                         Collection<String> attributes)
        Set the set of attribute IDs which should be encoded in encrypted form into the authorization code and/or access/refresh tokens to enable recovery on the back-channel.
        Parameters:
        attributes - the attribute IDs to encode
      • setEncodedAttributesLookupStrategy

        public void setEncodedAttributesLookupStrategy(@Nonnull
                                                       Function<ProfileRequestContext,Set<String>> strategy)
        Set a lookup strategy for the attribute IDs which should be encoded in encrypted form into the authorization code and/or access/refresh tokens to enable recovery on the back-channel.
        Parameters:
        strategy - lookup strategy
      • getDeniedUserInfoAttributes

        @Nonnull
        @NonnullElements
        @NotLive
        public Set<String> getDeniedUserInfoAttributes(@Nullable
                                                       ProfileRequestContext profileRequestContext)
        Get the set of attribute IDs which should be omitted from the UserInfo token.

        Default behavior is to include all claims, but omitted claims also affect the set that may need to be embedded for recovery into the access/refresh tokens.

        Parameters:
        profileRequestContext - profile request context
        Returns:
        the attribute IDs to omit from UserInfo token
      • setDeniedUserInfoAttributes

        public void setDeniedUserInfoAttributes(@Nullable @NonnullElements
                                                Collection<String> attributes)
        Set the set of attribute IDs which should be omitted from the UserInfo token.

        Default behavior is to include all claims, but omitted claims also affect the set that may need to be embedded for recovery into the access/refresh tokens.

        Parameters:
        attributes - the attribute IDs to omit from UserInfo token
      • setDeniedUserInfoAttributesLookupStrategy

        public void setDeniedUserInfoAttributesLookupStrategy(@Nonnull
                                                              Function<ProfileRequestContext,Set<String>> strategy)
        Set a lookup strategy for the set of attribute IDs which should be omitted from the UserInfo token.
        Parameters:
        strategy - lookup strategy
      • isIncludeIssuerInResponse

        public boolean isIncludeIssuerInResponse(@Nullable
                                                 ProfileRequestContext profileRequestContext)
        Get whether to include iss parameter in the authentication response.
        Parameters:
        profileRequestContext - profile request context
        Returns:
        whether to include iss parameter in the authentication response
        Since:
        2.1.0
      • setIncludeIssuerInResponse

        public void setIncludeIssuerInResponse(boolean flag)
        Set whether to include iss parameter in the authentication response.
        Parameters:
        flag - flag to set
        Since:
        2.1.0
      • setIncludeIssuerInResponsePredicate

        public void setIncludeIssuerInResponsePredicate(@Nonnull
                                                        Predicate<ProfileRequestContext> condition)
        Set condition for whether to include iss parameter in the authentication response.
        Parameters:
        condition - condition to set
        Since:
        2.1.0
      • getAuthorizationCodeClaimsSetManipulationStrategy

        @Nonnull
        public BiFunction<ProfileRequestContext,Map<String,Object>,Map<String,Object>> getAuthorizationCodeClaimsSetManipulationStrategy(@Nullable
                                                                                                                                                                 ProfileRequestContext profileRequestContext)
        Get the bi-function for manipulating authorization code claims set.
        Parameters:
        profileRequestContext - profile request context
        Returns:
        the bi-function for manipulating authorization code claims set
        Since:
        2.1.0
      • setAuthorizationCodeClaimsSetManipulationStrategy

        public void setAuthorizationCodeClaimsSetManipulationStrategy(@Nullable
                                                                      BiFunction<ProfileRequestContext,Map<String,Object>,Map<String,Object>> strategy)
        Set the bi-function for manipulating authorization code claims set.
        Parameters:
        strategy - bi-function for manipulating authorization code claims set
        Since:
        2.1.0
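Wiring the settings documented above together, as an added example rather than code from the Shibboleth Javadoc or the project itself: the snippet below builds an OIDCAuthorizationConfiguration that shortens the documented 5 minute code lifetime, makes acr requests Essential, requires a request object, emits iss in the response, keeps the denied-UserInfo and encoded-attribute sets consistent, and installs a claims-set manipulation BiFunction that drops an internal-only claim without mutating its input. Assumptions: the package of OIDCAuthorizationConfiguration is taken from the plugin layout and must be checked against the Javadoc of the version you run; the profile identifier is a placeholder; the attribute and claim names are constructed; and the getter for the manipulation strategy is assumed to return the BiFunction passed to its setter.

```java
import java.time.Duration;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.function.BiFunction;

import org.opensaml.profile.context.ProfileRequestContext;

// Assumed package; verify against the Javadoc of the plugin version you deploy.
import net.shibboleth.oidc.profile.config.OIDCAuthorizationConfiguration;

/**
 * Added example (not part of the Shibboleth code base): configures an
 * OIDCAuthorizationConfiguration through the setters documented above.
 */
public final class AuthorizationProfileWiring {

    /** Placeholder profile id; substitute the identifier your deployment uses. */
    private static final String PROFILE_ID = "PLACEHOLDER_OIDC_AUTHORIZATION_PROFILE_ID";

    /** Constructed claim name that must not be copied into the authorization code's claims set. */
    private static final String INTERNAL_CLAIM = "example_internal_handle";

    /** Constructed attribute IDs released via UserInfo and recoverable on the back-channel. */
    private static final Set<String> BACK_CHANNEL_ATTRIBUTES = Set.of("mail", "displayName");

    /** Constructed attribute IDs withheld from UserInfo entirely. */
    private static final Set<String> WITHHELD_ATTRIBUTES = Set.of("employeeNumber");

    /** Builds a configuration that tightens the documented defaults. */
    public static OIDCAuthorizationConfiguration build() {
        final OIDCAuthorizationConfiguration config = new OIDCAuthorizationConfiguration(PROFILE_ID);

        // Below the documented 5 minute default: an authorization code is a one-shot
        // credential, so a short lifetime narrows the window in which a leaked code
        // could still be redeemed.
        config.setAuthorizeCodeLifetime(Duration.ofSeconds(60));

        // Treat every acr request as Essential: an RP that asked for a given
        // authentication context gets a failure rather than a weaker context.
        config.setAcrRequestAlwaysEssential(true);

        // Authentication request parameters must arrive in one self-contained JWT
        // request object instead of loose query parameters.
        config.setUseRequestObject(true);

        // Encode the consent decision into the code and the access/refresh tokens.
        config.setEncodeConsentInTokens(true);

        // Emit iss in the authentication response so the RP can detect a response
        // from an issuer other than the one it sent the request to (mix-up defence).
        config.setIncludeIssuerInResponse(true);

        // The Javadoc notes that attributes omitted from UserInfo also change which
        // attributes need embedding for recovery, so the two sets are kept disjoint.
        config.setDeniedUserInfoAttributes(WITHHELD_ATTRIBUTES);
        config.setEncodedAttributes(BACK_CHANNEL_ATTRIBUTES);

        // POST keeps request parameters out of URLs, referrers and access logs.
        config.setHttpRequestMethodLookupStrategy(prc -> "POST");

        // Strip an internal-only claim before the claims set is sealed into the code.
        config.setAuthorizationCodeClaimsSetManipulationStrategy(stripInternalClaim());
        return config;
    }

    /** Manipulation strategy: returns a copy without INTERNAL_CLAIM; never mutates its input. */
    static BiFunction<ProfileRequestContext, Map<String, Object>, Map<String, Object>> stripInternalClaim() {
        return (prc, claims) -> {
            if (claims == null) {
                return Collections.emptyMap();
            }
            final Map<String, Object> copy = new HashMap<>(claims);
            copy.remove(INTERNAL_CLAIM);
            return Collections.unmodifiableMap(copy);
        };
    }

    /** Sanity check: the strategy drops the claim, leaves the input intact, and the settings stuck. */
    public static boolean verifyStrategy() {
        final OIDCAuthorizationConfiguration config = build();
        final Map<String, Object> input = new HashMap<>();
        input.put("sub", "constructed-subject");         // constructed value
        input.put(INTERNAL_CLAIM, "constructed-handle"); // constructed value
        final Map<String, Object> out =
                config.getAuthorizationCodeClaimsSetManipulationStrategy(null).apply(null, input);
        return !out.containsKey(INTERNAL_CLAIM)
                && out.containsKey("sub")
                && input.containsKey(INTERNAL_CLAIM)
                && Duration.ofSeconds(60).equals(config.getAuthorizeCodeLifetime(null))
                && config.isAcrRequestAlwaysEssential(null);
    }

    public static void main(final String[] args) {
        System.out.println("configuration verified: " + verifyStrategy());
    }
}
```

The boolean setters are shortcuts for the Predicate and Function variants shown on this page; a deployment that needs per-request decisions (for example, a code lifetime that depends on the relying party) would pass a lambda over the ProfileRequestContext to the corresponding lookup-strategy setter instead.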