All Downloads are FREE. Search and download functionalities are using the official Maven repository.

com.authlete.common.dto.TokenRequest Maven / Gradle / Ivy

/*
 * Copyright (C) 2014-2023 Authlete, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package com.authlete.common.dto;


import java.io.Serializable;
import java.util.Map;
import com.authlete.common.web.URLCoder;


/**
 * Request to Authlete's {@code /auth/token} API.
 *
 * 
*
*
parameters (REQUIRED)
*
*

* OAuth 2.0 token request parameters which are the request parameters * that the OAuth 2.0 token endpoint of the service implementation * received from the client application. *

*

* The value of {@code "parameters"} is the entire entity body (which * is formatted in {@code application/x-www-form-urlencoded}) of the * request from the client application. *

*
* *
clientId (OPTIONAL)
*
*

* The client ID extracted from {@code Authorization} header of * the token request from the client application. *

*

* If the token endpoint of the service implementation supports * Basic Authentication as a means of * client * authentication, and the request from the client application * contained its client ID in {@code Authorization} header, the * value should be extracted and set to this parameter. *

*
* *
clientSecret (OPTIONAL)
*
*

* The client secret extracted from {@code Authorization} header * of the token request from the client application. *

*

* If the token endpoint of the service implementation supports * Basic Authentication as a means of * client * authentication, and the request from the client application * contained its client secret in {@code Authorization} header, the * value should be extracted and set to this parameter. *

*
* *
clientCertificate (OPTIONAL)
*
*

* The client certificate from the MTLS of the token request from * the client application. * See RFC 8705 * (OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access * Tokens) for details. *

*
* *
clientCertificatePath (OPTIONAL)
*
*

* The certificate path presented by the client during client authentication. * The certificates are strings in PEM format. *

*
* *
properties (OPTIONAL)
*
*

* Extra properties to associate with an access token. Note that * {@code properties} parameter is accepted only when Content-Type * of the request is application/json, so don't use * application/x-www-form-urlencoded if you want to specify * {@code properties}. *

*
* *
dpop (OPTIONAL)
*
*

* The value of the {@code DPoP} HTTP header. * See RFC 9449 OAuth * 2.0 Demonstrating Proof of Possession (DPoP) for details. *

*
* *
htm (OPTIONAL)
*
*

* The HTTP method of the token request. In normal cases, the value should be * {@code "POST"}. If omitted, {@code "POST"} is used as the default value. * See RFC 9449 OAuth * 2.0 Demonstrating Proof of Possession (DPoP) for details. *

*
* *
htu (OPTIONAL)
*
*

* The URL of the token endpoint. If omitted, the {@code tokenEndpoint} property * of {@link Service} is used as the default value. * See RFC 9449 OAuth * 2.0 Demonstrating Proof of Possession (DPoP) for details. *

*
* *
jwtAtClaims (OPTIONAL; Authlete 2.3 onwards)
*
*

* Additional claims in JSON object format that are added to the payload part * of the JWT access token. See the description of {@link #getJwtAtClaims()} * for details. *

*
* *
accessToken (OPTIONAL)
*
*

* The representation of an access token that may be issued as a result of the * Authlete API call. See {@link #getAccessToken()} for details. *

*
* *
accessTokenDuration (OPTIONAL)
*
*

* The duration of the access token that may be issued as a result of the * Authlete API call. See {@link #getAccessTokenDuration()} for details. *

*
* *
dpopNonceRequired (OPTIONAL; Authlete 3.0 onwards)
*
*

* The flag indicating whether to require the DPoP proof JWT to include * the {@code nonce} claim. Even if the service's {@code dpopNonceRequired} * property is false, calling the {@code /auth/token} API with this * {@code dpopNonceRequired} parameter true will force the Authlete API to * check whether the DPoP proof JWT includes the expected nonce value. *

*
* *
*
* *

* An entity body of a token request may contain the client ID * ({@code client_id}) and the client secret ({@code client_secret}) * along with other request parameters as described in * RFC 6749, 2.3.1. Client Password. If the client credentials * are contained in both {@code Authorization} header and the entity * body, they must be identical. Otherwise, Authlete's {@code * /auth/token} API generates an error (it's not a service error but * a client error). *

*/ public class TokenRequest implements Serializable { private static final long serialVersionUID = 10L; /** * OAuth 2.0 token request parameters. */ private String parameters; /** * Client ID. */ private String clientId; /** * Client secret. */ private String clientSecret; /** * Client certificate (used in MTLS auth and bound access tokens). */ private String clientCertificate; /** * Client certificate path (used in PKI-based MTLS auth when * certificates are validated by the Authlete service). */ private String[] clientCertificatePath; /** * Extra properties to associate with an access token. */ private Property[] properties; /** * DPoP Header */ private String dpop; /** * HTTP Method (for DPoP validation). */ private String htm; /** * HTTP URL base (for DPoP validation). */ private String htu; /** * Additional claims that are added to the payload part of the JWT * access token. * * @since 3.35 * @since Authlete 2.3 */ private String jwtAtClaims; /** * The representation of an access token that may be issued as a * result of the Authlete API call. * * @since 3.24 * @since Authlete 2.2.27 */ private String accessToken; /** * The duration of the access token that may be issued as a result * of the Authlete API call. * * @since 3.64 * @since Authlete 2.2.41 * @since Authlete 2.3.5 * @since Authlete 3.0 */ private long accessTokenDuration; /** * Whether to check if the DPoP proof JWT includes the expected nonce value. * * @since 3.82 * @since Authlete 3.0 */ private boolean dpopNonceRequired; /** * Get the value of {@code parameters} which are the request * parameters that the OAuth 2.0 token endpoint of the service * implementation received from the client application. */ public String getParameters() { return parameters; } /** * Set the value of {@code parameters} which are the request * parameters that the OAuth 2.0 token endpoint of the service * implementation received from the client application. */ public TokenRequest setParameters(String parameters) { this.parameters = parameters; return this; } /** * Set the value of {@code parameters} which are the request * parameters that the OAuth 2.0 token endpoint of the service * implementation received from the client application. * *

* This method converts the given map into a string in {@code * x-www-form-urlencoded} and passes it to {@link * #setParameters(String)} method. *

* * @param parameters * Request parameters. * * @return * {@code this} object. * * @since 1.24 */ public TokenRequest setParameters(Map parameters) { return setParameters(URLCoder.formUrlEncode(parameters)); } /** * Get the client ID extracted from {@code Authorization} * header of the token request from the client application. */ public String getClientId() { return clientId; } /** * Set the client ID extracted from {@code Authorization} * header of the token request from the client application. */ public TokenRequest setClientId(String clientId) { this.clientId = clientId; return this; } /** * Get the client secret extracted from {@code Authorization} * header of the token request from the client application. */ public String getClientSecret() { return clientSecret; } /** * Set the client secret extracted from {@code Authorization} * header of the token request from the client application. */ public TokenRequest setClientSecret(String clientSecret) { this.clientSecret = clientSecret; return this; } /** * Get the client certificate from the MTLS of the token * request from the client application. * * @since 2.12 */ public String getClientCertificate() { return clientCertificate; } /** * Set the client certificate from the MTLS of the token * request from the client application. * * @since 2.12 */ public TokenRequest setClientCertificate(String clientCertificate) { this.clientCertificate = clientCertificate; return this; } /** * Get the extra properties to associate with an access token which * may be issued by this request. * * @return * Extra properties. * * @since 1.30 */ public Property[] getProperties() { return properties; } /** * Set extra properties to associate with an access token which may * be issued by this request. * *

* If the value of {@code grant_type} parameter contained in the token * request from the client application is {@code authorization_code}, * properties set by this method will be added as the extra properties * of a newly created access token. The extra properties specified when * the authorization code was issued (using {@link * AuthorizationIssueRequest#setProperties(Property[])}) will also be * used, but their values will be overwritten if the extra properties * set by this method have the same keys. In other words, extra * properties contained in this request will be merged into existing * extra properties which are associated with the authorization code. *

* *

* Otherwise, if the value of {@code grant_type} parameter contained * in the token request from the client application is {@code * refresh_token}, properties set by this method will be added to the * existing extra properties of the corresponding access token. Extra * properties having the same keys will be overwritten in the same * manner as the case of {@code grant_type=authorization_code}. *

* *

* Otherwise, if the value of {@code grant_type} parameter contained * in the token request from the client application is {@code * client_credentials}, properties set by this method will be used * simply as extra properties of a newly created access token. * Because Client Credentials flow does not have a preceding authorization * request, merging extra properties will not be performed. This is * different from the cases of {@code grant_type=authorization_code} * and {@code grant_type=refresh_token}. *

* *

* In other cases ({@code grant_type=password}), properties set by * this method will not be used. When you want to associate extra * properties with an access token which is issued using Resource Owner * Password Credentials flow, use {@link * TokenIssueRequest#setProperties(Property[])} method instead. *

* *

* The argument {@code properties} is an array of properties. Each * property must be a pair of a string key and a string value. * That is, each property must be a string array of size 2. The key * must not be {@code null} or an empty string, but the value may be. *

* *

* Keys of extra properties will be used as labels of top-level * entries in a JSON response containing an access token which is * returned from an authorization server. An example is * {@code example_parameter}, which you can find in 5.1. Successful * Response in RFC 6749. The following code snippet is an example * to set one extra property having {@code example_parameter} as its * key and {@code example_value} as its value. *

* *
*
     * {@link Property}[] properties = { new {@link Property#Property(String, String)
     * Property}("example_parameter", "example_value") };
     * request.{@link #setProperties(Property[]) setProperties}(properties);
     * 
*
* *

* Keys listed below should not be used and they would be ignored on * the server side even if they were used. It's because they are reserved * in RFC 6749 and * OpenID Connect Core 1.0. *

* *
    *
  • {@code access_token} *
  • {@code token_type} *
  • {@code expires_in} *
  • {@code refresh_token} *
  • {@code scope} *
  • {@code error} *
  • {@code error_description} *
  • {@code error_uri} *
  • {@code id_token} *
* *

* Note that there is an upper limit on the total size of extra properties. * On the server side, the properties will be (1) converted to a multidimensional * string array, (2) converted to JSON, (3) encrypted by AES/CBC/PKCS5Padding, (4) * encoded by base64url, and then stored into the database. The length of the * resultant string must not exceed 65,535 in bytes. This is the upper limit, but * we think it is big enough. *

* * @param properties * Extra properties. * * @return * {@code this} object. * * @since 1.30 */ public TokenRequest setProperties(Property[] properties) { this.properties = properties; return this; } /** * Get the certificate path presented by the client during * client authentication. These certificates are strings in * PEM format. * * @return * The client certificate path as an array of strings * in PEM format. * * @since 2.15 */ public String[] getClientCertificatePath() { return clientCertificatePath; } /** * Set the certificate path presented by the client during * client authentication. These certificates are strings in * PEM format. * * @param clientCertificatePath * The client certificate path as an array of strings * in PEM format. * * @return * {@code this} object. * * @since 2.15 */ public TokenRequest setClientCertificatePath(String[] clientCertificatePath) { this.clientCertificatePath = clientCertificatePath; return this; } /** * Get the {@code DPoP} header presented by the client during the request * to the token endpoint. The header contains a signed JWT which includes * the public key that is paired with the private key used to sign the JWT. * *

* See RFC 9449 OAuth * 2.0 Demonstrating Proof of Possession (DPoP) for details. *

* * @return * The {@code DPoP} header string. * * @since 2.70 * * @see RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP) */ public String getDpop() { return dpop; } /** * Set the {@code DPoP} header presented by the client during the request * to the token endpoint. The header contains a signed JWT which includes * the public key that is paired with the private key used to sign the JWT. * *

* See RFC 9449 OAuth * 2.0 Demonstrating Proof of Possession (DPoP) for details. *

* * @param dpop * The {@code DPoP} header string. * * @return * {@code this} object. * * @since 2.70 * * @see RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP) */ public TokenRequest setDpop(String dpop) { this.dpop = dpop; return this; } /** * Get the HTTP method of the token request. This field is used to * validate the {@code DPoP} header. * *

* In normal cases, the value is {@code "POST"}. When this parameter * is omitted, {@code "POST"} is used as the default value. *

* *

* See RFC 9449 OAuth * 2.0 Demonstrating Proof of Possession (DPoP) for details. *

* * @return * The HTTP method as a string. For example, {@code "POST"}. * * @since 2.70 * * @see RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP) */ public String getHtm() { return htm; } /** * Set the HTTP method of the token request. This field is used to * validate the {@code DPoP} header. * *

* In normal cases, the value is {@code "POST"}. When this parameter * is omitted, {@code "POST"} is used as the default value. *

* *

* See RFC 9449 OAuth * 2.0 Demonstrating Proof of Possession (DPoP) for details. *

* * @param htm * The HTTP method as a string. For example, {@code "POST"}. * * @return * {@code this} object. * * @since 2.70 * * @see RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP) */ public TokenRequest setHtm(String htm) { this.htm = htm; return this; } /** * Get the URL of the token endpoint. This field is used to validate * the {@code DPoP} header. * *

* If this parameter is omitted, the {@code tokenEndpoint} property * of the {@link Service} is used as the default value. *

* *

* See RFC 9449 OAuth * 2.0 Demonstrating Proof of Possession (DPoP) for details. *

* * @return * The URL of the token endpoint. * * @since 2.70 * * @see RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP) */ public String getHtu() { return htu; } /** * Set the URL of the token endpoint. This field is used to validate * the {@code DPoP} header. * *

* If this parameter is omitted, the {@code tokenEndpoint} property * of the {@link Service} is used as the default value. *

* *

* See RFC 9449 OAuth * 2.0 Demonstrating Proof of Possession (DPoP) for details. *

* * @param htu * The URL of the token endpoint. * * @return * {@code this} object. * * @since 2.70 * * @see RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP) */ public TokenRequest setHtu(String htu) { this.htu = htu; return this; } /** * Get the additional claims in JSON object format that are added to the * payload part of the JWT access token. * *

* This request parameter has a meaning only when the format of access * tokens issued by this service is JWT. In other words, it has a meaning * only when the {@code accessTokenSignAlg} property of the {@link Service} * holds a non-null value. See the description of the {@link * Service#getAccessTokenSignAlg() getAccessTokenSignAlg()} method for * details. *

* *

* Note that this {@code jwtAtClaims} request parameter to the {@code * /auth/token} API works only in the client credentials flow (RFC 6749 Section * 4.4). For other flows, additional claims need to be passed to * Authlete through other APIs. For example, to embed additional claims * in an access token that is issued by the authorization code flow * (RFC 6749 * Section 4.1), the {@code jwtAtClaims} request parameter of the * {@code /auth/authorization/issue} API has to be used. *

* * @return * Additional claims that are added to the payload part of the * JWT access token. * * @since 3.35 * @since Authlete 2.3 */ public String getJwtAtClaims() { return jwtAtClaims; } /** * Set the additional claims in JSON object format that are added to the * payload part of the JWT access token. * *

* This request parameter has a meaning only when the format of access * tokens issued by this service is JWT. In other words, it has a meaning * only when the {@code accessTokenSignAlg} property of the {@link Service} * holds a non-null value. See the description of the {@link * Service#getAccessTokenSignAlg() getAccessTokenSignAlg()} method for * details. *

* *

* Note that this {@code jwtAtClaims} request parameter to the {@code * /auth/token} API works only in the client credentials flow (RFC 6749 Section * 4.4). For other flows, additional claims need to be passed to * Authlete through other APIs. For example, to embed additional claims * in an access token that is issued by the authorization code flow * (RFC 6749 * Section 4.1), the {@code jwtAtClaims} request parameter of the * {@code /auth/authorization/issue} API has to be used. *

* * @param claims * Additional claims that are added to the payload part of the * JWT access token. * * @return * {@code this} object. * * @since 3.35 * @since Authlete 2.3 */ public TokenRequest setJwtAtClaims(String claims) { this.jwtAtClaims = claims; return this; } /** * Get the representation of an access token that may be issued as a * result of the Authlete API call. * *

* Basically, it is the Authlete server's role to generate an access token. * However, some systems may have inflexible restrictions on the format of * access tokens. Such systems may use this {@code accessToken} request * parameter to specify the representation of an access token by themselves * instead of leaving the access token generation task to the Authlete server. *

* *

* Usually, the Authlete server (1) generates a random 256-bit value, (2) * base64url-encodes the value into a 43-character string, and (3) uses the * resultant string as the representation of an access token. The Authlete * implementation is written on the assumption that the 256-bit entropy is * big enough. Therefore, make sure that the entropy of the value of the * {@code accessToken} request parameter is big enough, too. *

* *

* The entropy does not necessarily have to be equal to or greater than 256 * bits. For example, 192-bit random values (which will become 32-character * strings when encoded by base64url) may be enough. However, note that if * the entropy is too low, access token string values will collide and * Authlete API calls will fail. *

* *

* When no access token is generated as a result of the Authlete API call, * this {@code accessToken} request parameter is not used. *

* * @return * The representation of an access token that may be issued as a * result of the Authlete API call. * * @since 3.24 * @since Authlete 2.2.27 */ public String getAccessToken() { return accessToken; } /** * Set the representation of an access token that may be issued as a * result of the Authlete API call. * *

* Basically, it is the Authlete server's role to generate an access token. * However, some systems may have inflexible restrictions on the format of * access tokens. Such systems may use this {@code accessToken} request * parameter to specify the representation of an access token by themselves * instead of leaving the access token generation task to the Authlete server. *

* *

* Usually, the Authlete server (1) generates a random 256-bit value, (2) * base64url-encodes the value into a 43-character string, and (3) uses the * resultant string as the representation of an access token. The Authlete * implementation is written on the assumption that the 256-bit entropy is * big enough. Therefore, make sure that the entropy of the value of the * {@code accessToken} request parameter is big enough, too. *

* *

* The entropy does not necessarily have to be equal to or greater than 256 * bits. For example, 192-bit random values (which will become 32-character * strings when encoded by base64url) may be enough. However, note that if * the entropy is too low, access token string values will collide and * Authlete API calls will fail. *

* *

* When no access token is generated as a result of the Authlete API call, * this {@code accessToken} request parameter is not used. *

* * @param accessToken * The representation of an access token that may be issued as a * result of the Authlete API call. * * @return * {@code this} object. * * @since 3.24 * @since Authlete 2.2.27 */ public TokenRequest setAccessToken(String accessToken) { this.accessToken = accessToken; return this; } /** * Get the duration of the access token that may be issued as a result of * the Authlete API call. * *

* When this request parameter holds a positive integer, it is used as the * duration of the access token. In other cases, this request parameter is * ignored. *

* * @return * The duration of the access token in seconds. * * @since 3.64 * @since Authlete 2.2.41 * @since Authlete 2.3.5 * @since Authlete 3.0 */ public long getAccessTokenDuration() { return accessTokenDuration; } /** * Set the duration of the access token that may be issued as a result of * the Authlete API call. * *

* When this request parameter holds a positive integer, it is used as the * duration of the access token. In other cases, this request parameter is * ignored. *

* * @param duration * The duration of the access token in seconds. * * @return * {@code this} request parameter. * * @since 3.64 * @since Authlete 2.2.41 * @since Authlete 2.3.5 * @since Authlete 3.0 */ public TokenRequest setAccessTokenDuration(long duration) { this.accessTokenDuration = duration; return this; } /** * Get the flag indicating whether to check if the DPoP proof JWT includes * the expected {@code nonce} value. * *

* If this request parameter is {@code true} or if the service's * {@code dpopNonceRequired} property ({@link Service#isDpopNonceRequired()}) * is {@code true}, the {@code /auth/token} API checks if the DPoP proof * JWT includes the expected {@code nonce} value. In this case, the response * from the {@code /auth/token} API will include the {@code dpopNonce} * response parameter, which should be used as the value of the * {@code DPoP-Nonce} HTTP header. *

* * @return * {@code true} if the {@code /auth/token} API checks whether the * DPoP proof JWT includes the expected {@code nonce} value, even * if the service's {@code dpopNonceRequired} property is false. * * @since 3.82 * @since Authlete 3.0 * * @see RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP) */ public boolean isDpopNonceRequired() { return dpopNonceRequired; } /** * Set the flag indicating whether to check if the DPoP proof JWT includes * the expected {@code nonce} value. * *

* If this request parameter is {@code true} or if the service's * {@code dpopNonceRequired} property ({@link Service#isDpopNonceRequired()}) * is {@code true}, the {@code /auth/token} API checks if the DPoP proof * JWT includes the expected {@code nonce} value. In this case, the response * from the {@code /auth/token} API will include the {@code dpopNonce} * response parameter, which should be used as the value of the * {@code DPoP-Nonce} HTTP header. *

* * @param required * {@code true} to have the {@code /auth/token} API check whether * the DPoP proof JWT includes the expected {@code nonce} value, * even if the service's {@code dpopNonceRequired} property is false. * * @return * {@code this} object. * * @since 3.82 * @since Authlete 3.0 * * @see RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP) */ public TokenRequest setDpopNonceRequired(boolean required) { this.dpopNonceRequired = required; return this; } }




© 2015 - 2025 Weber Informatics LLC | Privacy Policy