com.authlete.common.dto.BackchannelAuthenticationCompleteRequest Maven / Gradle / Ivy
/*
* Copyright (C) 2018-2023 Authlete, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.authlete.common.dto;
import java.io.Serializable;
import java.net.URI;
import java.util.Map;
import com.authlete.common.util.Utils;
/**
* Request to Authlete's {@code /api/backchannel/authentication/complete} API.
*
*
* After the implementation of the backchannel authentication endpoint returns
* JSON containing an {@code auth_req_id} to the client, the authorization
* server starts a background process that communicates with the authentication
* device of the end-user. On the authentication device, end-user
* authentication is performed and the end-user is asked whether they give
* authorization to the client or not. The authorization server will receive
* the result of end-user authentication and authorization from the
* authentication device.
*
*
*
* After the authorization server receives the result from the authentication
* device, or even in the case where the server gave up receiving a response
* from the authentication device for some reasons, the server should call the
* {@code /api/backchannel/authentication/complete} API to tell Authlete the
* result.
*
*
*
* When the end-user was authenticated and authorization was granted to the
* client by the end-user, the authorization server should call the API with
* {@code result=}{@link Result#AUTHORIZED AUTHORIZED}. In this successful
* case, the {@code subject} request parameter is mandatory. If the token
* delivery mode is "push", the API will generate an access token, an ID token
* and optionally a refresh token. On the other hand, if the token delivery
* mode is "poll" or "ping", the API will just update the database record so
* that {@code /api/auth/token} API can generate tokens later.
*
*
*
* When the authorization server received the decision of the end-user from
* the authentication device and it indicates that the end-user has rejected
* to give authorization to the client, the authorization server should call
* the API with {@code result=}{@link Result#ACCESS_DENIED ACCESS_DENIED}.
* In this case, if the token delivery mode is "push", the API will generate
* an error response that contains the {@code error} response parameter and
* optionally the {@code error_description} and {@code error_uri} response
* parameters (if the {@code errorDescription} and {@code errorUri} request
* parameters have been given). On the other hand, if the token delivery mode
* is "poll" or "ping", the API will just update the database record so that
* {@code /api/auth/token} API can generate an error response later. In any
* token delivery mode, the value of the {@code error} parameter will become
* {@code access_denied}.
*
*
*
* When the authorization server could not get the result of end-user
* authentication and authorization from the authentication device for some
* reasons, the authorization server should call the API with
* {@code result=}{@link Result#TRANSACTION_FAILED TRANSACTION_FAILED}. In
* this error case, the API will behave in the same way as in the case of
* {@code ACCESS_DENIED}. The only difference is that {@code expired_token}
* is used as the value of the {@code error} parameter.
*
*
* @since 2.32
*/
public class BackchannelAuthenticationCompleteRequest implements Serializable
{
private static final long serialVersionUID = 7L;
/**
* Types of results of end-user authentication and authorization.
*/
public enum Result
{
/**
* The end-user was authenticated and has granted authorization to
* the client application.
*/
AUTHORIZED((short)1),
/**
* The end-user denied the backchannel authentication request.
*/
ACCESS_DENIED((short)2),
/**
* The authorization server could not get the result of end-user
* authentication and authorization from the authentication device
* for some reasons.
*
*
* For example, the authorization server failed to communicate with
* the authentication device due to a network error, the device did
* not return a response within a reasonable time, etc.
*
*
*
* This result can be used as a generic error.
*
*
* @since 2.36
*/
TRANSACTION_FAILED((short)3),
;
private static final Result[] sValues = values();
private final short mValue;
private Result(short value)
{
mValue = value;
}
/**
* Get the integer representation of this enum instance.
*/
public short getValue()
{
return mValue;
}
/**
* Find an instance of this enum by a value.
*
* @param value
* The integer representation of the instance to find.
*
* @return
* An instance of this enum, or {@code null} if not found.
*/
public static Result getByValue(short value)
{
if (value < 1 || sValues.length < value)
{
// Not found.
return null;
}
return sValues[value - 1];
}
}
/**
* The ticket issued by Authlete's /api/backchannel/authentication API.
*/
private String ticket;
/**
* The result of the end-user authentication and authorization.
*/
private Result result;
/**
* The subject (= unique identifier) of the end-user.
*/
private String subject;
/**
* The value of the {@code sub} claim for the ID token. When this field
* is empty, {@code subject} is used as the value of the {@code sub}
* claim.
*/
private String sub;
/**
* The time at which the end-user was authenticated.
*/
private long authTime;
/**
* The authentication context class reference.
*/
private String acr;
/**
* Additional claims in JSON format.
*/
private String claims;
/**
* Extra properties associated with the access token.
*/
private Property[] properties;
/**
* Scopes associated with the access token. If this field is {@code null},
* the scopes specified in the original backchannel authentication request
* are used. In other cases, the scopes here will replace the original
* scopes contained in the original request.
*/
private String[] scopes;
/**
* JSON that represents additional JWS header parameters for the ID token.
*
* @since 2.79
*/
private String idtHeaderParams;
/**
* Claims that the user has consented for the client application to know.
*
* @since 3.7
*/
private String[] consentedClaims;
/**
* Additional claims that are added to the payload part of the JWT
* access token.
*
* @since 3.23
* @since Authlete 2.3
*/
private String jwtAtClaims;
/**
* The representation of an access token that may be issued as a
* result of the Authlete API call.
*
* @since 3.24
* @since Authlete 2.2.27
*/
private String accessToken;
/**
* The type of the {@code aud} claim in the ID token being issued.
*
* @since 3.57
* @since Authlete 2.3.3
*/
private String idTokenAudType;
/**
* The description of the error. This property is referred to when the
* result is not AUTHORIZED.
*/
private String errorDescription;
/**
* The URI of a document which describes the error in detail. This property
* is referred to when the result is not AUTHORIZED.
*/
private URI errorUri;
/**
* Get the ticket which is necessary to call Authlete's
* {@code /api/backchannel/authentication/complete} API.
*
* @return
* The ticket.
*/
public String getTicket()
{
return ticket;
}
/**
* Set the ticket which is necessary to call Authlete's
* {@code /api/backchannel/authentication/complete} API.
* This request parameter is mandatory.
*
* @param ticket
* The ticket previously issued by Authlete's
* {@code /api/backchannel/authentication} API.
*
* @return
* {@code this} object.
*/
public BackchannelAuthenticationCompleteRequest setTicket(String ticket)
{
this.ticket = ticket;
return this;
}
/**
* Get the result of end-user authentication and authorization.
*
* @return
* The result of end-user authentication and authorization.
*/
public Result getResult()
{
return result;
}
/**
* Set the result of end-user authentication and authorization.
* This request parameter is mandatory.
*
* @param result
* The result of end-user authentication and authorization.
*
* @return
* {@code this} object.
*/
public BackchannelAuthenticationCompleteRequest setResult(Result result)
{
this.result = result;
return this;
}
/**
* Get the subject (= unique identifier) of the end-user who has granted
* authorization to the client application.
*
*
* This {@code subject} property is used as the value of the subject
* associated with the access token and as the value of the {@code sub}
* claim in the ID token.
*
*
*
* Note that, if {@link #getSub()} returns a non-empty value, it is used
* as the value of the {@code sub} claim in the ID token. However, even
* in the case, the value of the subject associated with the access token
* is still the value of this {@code subject} property.
*
*
* @return
* The subject (= unique identifier) of the end-user.
*
* @see #getSub()
*/
public String getSubject()
{
return subject;
}
/**
* Set the subject (= unique identifier) of the end-user who has granted
* authorization to the client application. This request parameter is
* mandatory when {@link #getResult()} returns {@link Result#AUTHORIZED
* AUTHORIZED}.
*
*
* This {@code subject} property is used as the value of the subject
* associated with the access token and as the value of the {@code sub}
* claim in the ID token.
*
*
*
* Note that, if {@link #getSub()} returns a non-empty value, it is used
* as the value of the {@code sub} claim in the ID token. However, even
* in the case, the value of the subject associated with the access token
* is still the value set by this method.
*
*
* @param subject
* The subject (= unique identifier) of the end-user.
*
* @return
* {@code this} object.
*
* @see #setSub(String)
*/
public BackchannelAuthenticationCompleteRequest setSubject(String subject)
{
this.subject = subject;
return this;
}
/**
* Get the value of the {@code sub} claim that should be used in the ID
* token. If this method returns {@code null} or its value is empty, the
* value returned by {@link #getSubject()} is used as the value of the
* {@code sub} claim. The main purpose of this {@code sub} property is
* to hide the actual value of the subject from client applications.
*
*
* Note that the value of the {@code subject} request parameter is used
* as the value of the subject associated with the access token regardless
* of whether this {@code sub} property is a non-empty value or not. In
* other words, this {@code sub} property affects only the {@code sub}
* claim in the ID token.
*
*
* @return
* The value of the {@code sub} claim.
*
* @see #getSubject()
*/
public String getSub()
{
return sub;
}
/**
* Set the value of the {@code sub} claim that should be used in the ID
* token. If this method returns {@code null} or its value is empty, the
* value returned by {@link #getSubject()} is used as the value of the
* {@code sub} claim. The main purpose of this {@code sub} property is
* to hide the actual value of the subject from client applications.
*
*
* Note that the value of the {@code subject} request parameter is used
* as the value of the subject associated with the access token regardless
* of whether this {@code sub} property is a non-empty value or not. In
* other words, this {@code sub} property affects only the {@code sub}
* claim in the ID token.
*
*
* @param sub
* The value of the {@code sub} claim.
*
* @return
* {@code this} object.
*
* @see #setSubject(String)
*/
public BackchannelAuthenticationCompleteRequest setSub(String sub)
{
this.sub = sub;
return this;
}
/**
* Get the time at which the end-user was authenticated.
*
* @return
* The time at which the end-user was authenticated.
* It is the number of seconds since 1970-01-01.
*/
public long getAuthTime()
{
return authTime;
}
/**
* Set the time at which the end-user was authenticated. When this request
* parameter holds a positive number, the {@code auth_time} claim will be
* embedded in the ID token.
*
* @param authTime
* The time at which the end-user was authenticated.
* It is the number of seconds since 1970-01-01.
*
* @return
* {@code this} object.
*/
public BackchannelAuthenticationCompleteRequest setAuthTime(long authTime)
{
this.authTime = authTime;
return this;
}
/**
* Get the reference of the authentication context class which the
* end-user authentication satisfied.
*
* @return
* The authentication context class reference.
*/
public String getAcr()
{
return acr;
}
/**
* Set the reference of the authentication context class which the
* end-user authentication satisfied. When this request parameter
* holds a non-null value, the {@code acr} claim will be embedded
* in the ID token.
*
* @param acr
* The authentication context class reference.
*
* @return
* {@code this} object.
*/
public BackchannelAuthenticationCompleteRequest setAcr(String acr)
{
this.acr = acr;
return this;
}
/**
* Get additional claims which will be embedded in the ID token.
*
* @return
* Additional claims in JSON format which will be embedded in the
* ID token. See the description of {@link #setClaims(String)} for
* details about the format.
*
* @see #setClaims(String)
*/
public String getClaims()
{
return claims;
}
/**
* Set additional claims which will be embedded in the ID token.
*
*
* The authorization server implementation is required to retrieve values
* of requested claims of the end-user from its database and format them
* in JSON format.
*
*
*
* For example, if "given_name"
claim,
* "family_name"
claim and "email"
claim are
* requested, the authorization server implementation should generate
* a JSON object like the following:
*
*
*
* {
* "given_name": "Takahiko",
* "family_name": "Kawasaki",
* "email": "[email protected]"
* }
*
*
*
* and set its string representation by this method.
*
*
*
* See OpenID Connect Core 1.0, 5.1. Standard Claims for further details about the format.
*
*
* @param claims
* Additional claims in JSON format.
*
* @return
* {@code this} object.
*
* @see OpenID Connect Core 1.0, 5.1. Standard Claims
*/
public BackchannelAuthenticationCompleteRequest setClaims(String claims)
{
this.claims = claims;
return this;
}
/**
* Set additional claims which will be embedded in the ID token.
*
*
* The argument is converted into a JSON string and passed to
* {@link #setClaims(String)} method.
*
*
* @param claims
* Additional claims. Keys are claim names.
*
* @return
* {@code this} object.
*/
public BackchannelAuthenticationCompleteRequest setClaims(Map claims)
{
if (claims == null || claims.size() == 0)
{
this.claims = null;
}
else
{
setClaims(Utils.toJson(claims));
}
return this;
}
/**
* Get the extra properties associated with the access token.
*
* @return
* Extra properties.
*/
public Property[] getProperties()
{
return properties;
}
/**
* Set extra properties associated with the access token.
*
*
* Keys of extra properties will be used as labels of top-level entries
* in a JSON response returned from the authorization server. An example
* is {@code example_parameter}, which you can find in 5.1. Successful
* Response in RFC 6749. The following code snippet is an example
* to set one extra property having {@code example_parameter} as its
* key and {@code example_value} as its value.
*
*
*
*
* {@link Property}[] properties = { new {@link Property#Property(String, String)
* Property}("example_parameter", "example_value") };
* request.{@link #setProperties(Property[]) setProperties}(properties);
*
*
*
*
* Note that there is an upper limit on the total size of extra
* properties. On Authlete side, the properties will be (1) converted
* to a multidimensional string array, (2) converted to JSON, (3) encrypted
* by AES/CBC/PKCS5Padding, (4) encoded by base64url, and then stored into
* the database. The length of the resultant string must not exceed 65,535
* in bytes. This is the upper limit, but we think it is big enough.
*
*
* @param properties
* Extra properties.
*
* @return
* {@code this} object.
*/
public BackchannelAuthenticationCompleteRequest setProperties(Property[] properties)
{
this.properties = properties;
return this;
}
/**
* Get scopes associated with the access token. If this method returns a
* non-null value, the set of scopes will be used instead of the scopes
* specified in the original backchannel authentication request.
*
* @return
* Scopes to replace the scopes specified in the original
* backchannel authentication request with. When {@code null} is
* returned from this method, replacement is not performed.
*/
public String[] getScopes()
{
return scopes;
}
/**
* Set scopes associated with the access token. If {@code null} (the
* default value) is set, the scopes specified in the original backchannel
* authentication request are used. In other cases, the scopes given to
* this method will replace the original scopes contained in the original
* request.
*
*
*
* Even scopes that are not included in the original request can be
* included.
*
*
*
* Note that because the CIBA specification requires {@code "openid"} as a
* mandatory scope, {@code "openid"} should be always included.
*
*
* @param scopes
* Scopes associated with the access token. If a non-null value is
* set, the original scopes requested by the client application are
* replaced.
*
* @return
* {@code this} object.
*/
public BackchannelAuthenticationCompleteRequest setScopes(String[] scopes)
{
this.scopes = scopes;
return this;
}
/**
* Get JSON that represents additional JWS header parameters for the ID token.
*
* @return
* JSON that represents additional JWS header parameters for the ID token.
*
* @since 2.79
*/
public String getIdtHeaderParams()
{
return idtHeaderParams;
}
/**
* Set JSON that represents additional JWS header parameters for the ID token.
*
* @param params
* JSON that represents additional JWS header parameters for the ID token.
*
* @return
* {@code this} object.
*
* @since 2.79
*/
public BackchannelAuthenticationCompleteRequest setIdtHeaderParams(String params)
{
this.idtHeaderParams = params;
return this;
}
/**
* Get the claims that the user has consented for the client application
* to know.
*
*
* See the description of {@link #setConsentedClaims(String[])} for
* details.
*
*
* @return
* Consented claims.
*
* @since 3.7
*/
public String[] getConsentedClaims()
{
return consentedClaims;
}
/**
* Set the claims that the user has consented for the client application
* to know.
*
*
* If the {@code claims} request parameter holds JSON, Authlete extracts
* claims from the JSON and embeds them in an ID token (cf. {@link
* #setClaims(String)}). However, the claims are not necessarily identical
* to the set of claims that the user has actually consented for the client
* application to know.
*
*
*
* For example, if the user has allowed the {@code profile} scope to be
* tied to an access token being issued, it technically means that the
* user has consented for the client application to know the following
* claims based on the mapping defined in OpenID Connect Core 1.0 Section 5.4. Requesting Claims using Scope Values: {@code name},
* {@code family_name}, {@code given_name}, {@code middle_name},
* {@code nickname}, {@code preferred_username}, {@code profile},
* {@code picture}, {@code website}, {@code gender}, {@code birthdate},
* {@code zoneinfo}, {@code locale} and {@code updated_at}. However,
* JSON of the {@code claims} request parameter does not necessarily
* include all the claims. It may be simply because the authorization
* server does not support other claims or because the authorization
* server intends to return requested claims from the UserInfo Endpoint instead of embedding them in an ID token, or
* for some other reasons. Therefore, Authlete does not assume that the
* claims in the JSON of the {@code claims} request parameter represent
* the complete set of consented claims.
*
*
*
* This {@code consentedClaims} request parameter (supported from Authlete
* 2.3) can be used to convey the exact set of consented claims to Authlete.
* Authlete saves the information into its database and makes them
* referrable in responses from the {@code /api/auth/introspection} API
* and the {@code /api/auth/userinfo} API.
*
*
*
* In addition, the information conveyed via this {@code consentedClaims}
* request parameter is used to compute the exact value of the {@code
* claims} parameter in responses from the Grant Management Endpoint, which
* is defined in Grant Management for OAuth 2.0.
*
*
*
* When this request parameter is missing or its value is empty, Authlete
* computes the set of consented claims from the consented scopes (e.g.
* {@code profile}) and the claims in the JSON of the {@code claims}
* request parameter although Authlete knows the possibility that the
* computed set may be different from the actual set of consented claims.
* Especially, the computed set may not include claims that the
* authorization server returns from the UserInfo Endpoint. Therefore,
* if you want to control the exact set of consented claims, utilize this
* request parameter.
*
*
* @param claims
* Consented claims.
*
* @return
* {@code this} object.
*
* @since 3.7
*/
public BackchannelAuthenticationCompleteRequest setConsentedClaims(String[] claims)
{
this.consentedClaims = claims;
return this;
}
/**
* Get the description of the error. This corresponds to the
* {@code error_description} property in the response to the client.
*
* @return
* The description of the error.
*/
public String getErrorDescription()
{
return errorDescription;
}
/**
* Set the description of the error. This corresponds to the
* {@code error_description} property in the response to the client.
*
*
* If this optional request parameter is given, its value is used as the
* value of the {@code error_description} property, but it is used only
* when the result is not {@link Result#AUTHORIZED AUTHORIZED}.
*
*
*
* To comply with the specification strictly, the description must not
* include characters outside the set %x20-21 / %x23-5B / %x5D-7E.
*
*
* @param description
* The description of the error.
*
* @return
* {@code this} object.
*/
public BackchannelAuthenticationCompleteRequest setErrorDescription(String description)
{
this.errorDescription = description;
return this;
}
/**
* Get the URI of a document which describes the error in detail. This
* corresponds to the {@code error_uri} property in the response to the
* client.
*
* @return
* The URI of a document which describes the error in detail.
*/
public URI getErrorUri()
{
return errorUri;
}
/**
* Set the URI of a document which describes the error in detail. This
* corresponds to the {@code error_uri} property in the response to the
* client.
*
*
* If this optional request parameter is given, its value is used as the
* value of the {@code error_uri} property, but it is used only when the
* result is not {@link Result#AUTHORIZED AUTHORIZED}.
*
*
* @param uri
* The URI of a document which describes the error in detail.
*
* @return
* {@code this} object.
*/
public BackchannelAuthenticationCompleteRequest setErrorUri(URI uri)
{
this.errorUri = uri;
return this;
}
/**
* Get the additional claims in JSON object format that are added to the
* payload part of the JWT access token.
*
*
* This request parameter has a meaning only when the format of access
* tokens issued by this service is JWT. In other words, it has a meaning
* only when the {@code accessTokenSignAlg} property of the {@link Service}
* holds a non-null value. See the description of the {@link
* Service#getAccessTokenSignAlg() getAccessTokenSignAlg()} method for
* details.
*
*
* @return
* Additional claims that are added to the payload part of the JWT
* access token.
*
* @since 3.23
*/
public String getJwtAtClaims()
{
return jwtAtClaims;
}
/**
* Set the additional claims in JSON object format that are added to the
* payload part of the JWT access token.
*
*
* This request parameter has a meaning only when the format of access
* tokens issued by this service is JWT. In other words, it has a meaning
* only when the {@code accessTokenSignAlg} property of the {@link Service}
* holds a non-null value. See the description of the {@link
* Service#getAccessTokenSignAlg() getAccessTokenSignAlg()} method for
* details.
*
*
* @param claims
* Additional claims that are added to the payload part of the JWT
* access token.
*
* @return
* {@code this} object.
*
* @since 3.23
*/
public BackchannelAuthenticationCompleteRequest setJwtAtClaims(String claims)
{
this.jwtAtClaims = claims;
return this;
}
/**
* Get the representation of an access token that may be issued as a
* result of the Authlete API call.
*
*
* Basically, it is the Authlete server's role to generate an access token.
* However, some systems may have inflexible restrictions on the format of
* access tokens. Such systems may use this {@code accessToken} request
* parameter to specify the representation of an access token by themselves
* instead of leaving the access token generation task to the Authlete server.
*
*
*
* Usually, the Authlete server (1) generates a random 256-bit value, (2)
* base64url-encodes the value into a 43-character string, and (3) uses the
* resultant string as the representation of an access token. The Authlete
* implementation is written on the assumption that the 256-bit entropy is
* big enough. Therefore, make sure that the entropy of the value of the
* {@code accessToken} request parameter is big enough, too.
*
*
*
* The entropy does not necessarily have to be equal to or greater than 256
* bits. For example, 192-bit random values (which will become 32-character
* strings when encoded by base64url) may be enough. However, note that if
* the entropy is too low, access token string values will collide and
* Authlete API calls will fail.
*
*
*
* When no access token is generated as a result of the Authlete API call,
* this {@code accessToken} request parameter is not used.
* Note that the Authlete API generates an access token only when the flow
* is CIBA PUSH. In the cases of CIBA POLL and CIBA PING, an access token
* is generated at the token endpoint.
*
*
* @return
* The representation of an access token that may be issued as a
* result of the Authlete API call.
*
* @since 3.24
* @since Authlete 2.2.27
*/
public String getAccessToken()
{
return accessToken;
}
/**
* Set the representation of an access token that may be issued as a
* result of the Authlete API call.
*
*
* Basically, it is the Authlete server's role to generate an access token.
* However, some systems may have inflexible restrictions on the format of
* access tokens. Such systems may use this {@code accessToken} request
* parameter to specify the representation of an access token by themselves
* instead of leaving the access token generation task to the Authlete server.
*
*
*
* Usually, the Authlete server (1) generates a random 256-bit value, (2)
* base64url-encodes the value into a 43-character string, and (3) uses the
* resultant string as the representation of an access token. The Authlete
* implementation is written on the assumption that the 256-bit entropy is
* big enough. Therefore, make sure that the entropy of the value of the
* {@code accessToken} request parameter is big enough, too.
*
*
*
* The entropy does not necessarily have to be equal to or greater than 256
* bits. For example, 192-bit random values (which will become 32-character
* strings when encoded by base64url) may be enough. However, note that if
* the entropy is too low, access token string values will collide and
* Authlete API calls will fail.
*
*
*
* When no access token is generated as a result of the Authlete API call,
* this {@code accessToken} request parameter is not used.
* Note that the Authlete API generates an access token only when the flow
* is CIBA PUSH. In the cases of CIBA POLL and CIBA PING, an access token
* is generated at the token endpoint.
*
*
* @param accessToken
* The representation of an access token that may be issued as a
* result of the Authlete API call.
*
* @return
* {@code this} object.
*
* @since 3.24
* @since Authlete 2.2.27
*/
public BackchannelAuthenticationCompleteRequest setAccessToken(String accessToken)
{
this.accessToken = accessToken;
return this;
}
/**
* Get the type of the {@code aud} claim of the ID token being issued.
* Valid values are as follows.
*
*
*
*
* Value
* Description
*
*
* {@code "array"}
* The type of the {@code aud} claim is always an array of strings.
*
*
* {@code "string"}
* The type of the {@code aud} claim is always a single string.
*
*
* null
* The type of the {@code aud} claim remains the same as before.
*
*
*
*
*
* This request parameter takes precedence over the {@code idTokenAudType}
* property of {@link Service} (cf. {@link Service#getIdTokenAudType()}).
*
*
* @return
* The type of the {@code aud} claim in ID tokens.
*
* @since 3.57
* @since Authlete 2.3.3
*/
public String getIdTokenAudType()
{
return idTokenAudType;
}
/**
* Set the type of the {@code aud} claim of the ID token being issued.
* Valid values are as follows.
*
*
*
*
* Value
* Description
*
*
* {@code "array"}
* The type of the {@code aud} claim is always an array of strings.
*
*
* {@code "string"}
* The type of the {@code aud} claim is always a single string.
*
*
* null
* The type of the {@code aud} claim remains the same as before.
*
*
*
*
*
* This request parameter takes precedence over the {@code idTokenAudType}
* property of {@link Service} (cf. {@link Service#getIdTokenAudType()}).
*
*
* @param type
* The type of the {@code aud} claim in ID tokens.
*
* @return
* {@code this} object.
*
* @since 3.57
* @since Authlete 2.3.3
*/
public BackchannelAuthenticationCompleteRequest setIdTokenAudType(String type)
{
this.idTokenAudType = type;
return this;
}
}