All Downloads are FREE. Search and download functionalities are using the official Maven repository.

com.authlete.common.dto.Client Maven / Gradle / Ivy

Go to download

Authlete Java library used commonly by service implementations and the Authlete server.

There is a newer version: 4.16
Show newest version
/*
 * Copyright (C) 2014-2024 Authlete, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package com.authlete.common.dto;


import static com.authlete.common.util.MapUtils.put;
import static com.authlete.common.util.MapUtils.putJsonObject;
import java.io.Serializable;
import java.net.URI;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import com.authlete.common.types.ApplicationType;
import com.authlete.common.types.ClientAuthMethod;
import com.authlete.common.types.ClientRegistrationType;
import com.authlete.common.types.ClientType;
import com.authlete.common.types.DeliveryMode;
import com.authlete.common.types.FapiMode;
import com.authlete.common.types.GrantType;
import com.authlete.common.types.JWEAlg;
import com.authlete.common.types.JWEEnc;
import com.authlete.common.types.JWSAlg;
import com.authlete.common.types.ResponseMode;
import com.authlete.common.types.ResponseType;
import com.authlete.common.types.ServiceProfile;
import com.authlete.common.types.SubjectType;
import com.authlete.common.util.ClientMetadataControl;
import com.authlete.common.util.Utils;


/**
 * Information about a client application.
 *
 * 

* Some properties correspond to client metadata defined in related standard * specifications. See the implementation of * {@link #toStandardMetadata(ClientMetadataControl)} for exact mappings. *

* * @see OpenID Connect Dynamic Client Registration 1.0 * * @see RFC 7591 OAuth 2.0 Dynamic Client Registration Protocol * * @see RFC 8705 OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens * * @see JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) * * @see OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0 * * @see RFC 9396 OAuth 2.0 Rich Authorization Requests * * @see OpenID Connect for Identity Assurance 1.0 * * @see OpenID Federation 1.0 * * @see IANA OAuth Parameters / OAuth Dynamic Client Registration Metadata * * @see OpenID for Verifiable Credential Issuance */ public class Client implements Serializable { private static final long serialVersionUID = 38L; /* * Do not change variable names. They must match the variable names * in JSONs which are exchanged between clients and Authlete server. */ /** * Client number. * @since Authlete 1.1 */ private int number; /** * Service number. * @since Authlete 1.1 */ private int serviceNumber; /** * Developer unique ID. * @since Authlete 1.1 * @deprecated Authlete 3.0 */ @Deprecated private String developer; /** * Client ID. * @since Authlete 1.1 */ private long clientId; /** * Alias of Client ID. * @since Authlete 1.1 */ private String clientIdAlias; /** * True when the client ID alias is enabled. * @since Authlete 1.1 */ private boolean clientIdAliasEnabled; /** * Client secret. * @since Authlete 1.1 */ private String clientSecret; /** * Client type. * @since Authlete 1.1 */ private ClientType clientType; /** * Redirect URIs. * @since Authlete 1.1 */ private String[] redirectUris; /** * Response types. * @since Authlete 1.1 */ private ResponseType[] responseTypes; /** * Grant types. * @since Authlete 1.1 */ private GrantType[] grantTypes; /** * Application type. * @since Authlete 1.1 */ private ApplicationType applicationType; /** * Email addresses of contacts. * @since Authlete 1.1 */ private String[] contacts; /** * Client name. * @since Authlete 1.1 */ private String clientName; /** * Client names. * @since Authlete 1.1 */ private TaggedValue[] clientNames; /** * Logo URI. * @since Authlete 1.1 */ private URI logoUri; /** * Logo URIs. * @since Authlete 1.1 */ private TaggedValue[] logoUris; /** * Client URI. * @since Authlete 1.1 */ private URI clientUri; /** * Client URIs. * @since Authlete 1.1 */ private TaggedValue[] clientUris; /** * Policy URI. * @since Authlete 1.1 */ private URI policyUri; /** * Policy URIs. * @since Authlete 1.1 */ private TaggedValue[] policyUris; /** * Terms of Service URI. * @since Authlete 1.1 */ private URI tosUri; /** * Terms of Service URIs. * @since Authlete 1.1 */ private TaggedValue[] tosUris; /** * JSON Web Key Set URI. * @since Authlete 1.1 */ private URI jwksUri; /** * JSON Web Key Set. * @since Authlete 1.1 */ private String jwks; /** * Calculated sector identifier host component * * @since 2.61 * @since Authlete 2.2.1 */ private String derivedSectorIdentifier; /** * Sector identifier URI. * * @since 2.50 * @since Authlete 2.2.1 */ private URI sectorIdentifierUri; /** * @since Authlete 1.1 */ private SubjectType subjectType; /** * @since Authlete 1.1 */ private JWSAlg idTokenSignAlg; /** * @since Authlete 1.1 */ private JWEAlg idTokenEncryptionAlg; /** * @since Authlete 1.1 */ private JWEEnc idTokenEncryptionEnc; /** * @since Authlete 1.1 */ private JWSAlg userInfoSignAlg; /** * @since Authlete 1.1 */ private JWEAlg userInfoEncryptionAlg; /** * @since Authlete 1.1 */ private JWEEnc userInfoEncryptionEnc; /** * @since Authlete 1.1 */ private JWSAlg requestSignAlg; /** * @since Authlete 1.1 */ private JWEAlg requestEncryptionAlg; /** * @since Authlete 1.1 */ private JWEEnc requestEncryptionEnc; /** * @since Authlete 1.1 */ private ClientAuthMethod tokenAuthMethod; /** * @since Authlete 1.1 */ private JWSAlg tokenAuthSignAlg; /** * @since Authlete 1.1 */ private int defaultMaxAge; /** * @since Authlete 1.1 */ private String[] defaultAcrs; /** * @since Authlete 1.1 */ private boolean authTimeRequired; /** * @since Authlete 1.1 */ private URI loginUri; /** * @since Authlete 1.1 */ private String[] requestUris; /** * @since Authlete 1.1 */ private String description; /** * @since Authlete 1.1 */ private TaggedValue[] descriptions; /** * @since Authlete 1.1 */ private long createdAt; /** * @since Authlete 1.1 */ private long modifiedAt; /** * @since Authlete 1.1 */ private ClientExtension extension; /** * @since Authlete 1.1.17 */ private String tlsClientAuthSubjectDn; /** * @since Authlete 2.0.0 */ private String tlsClientAuthSanDns; /** * @since Authlete 2.0.0 */ private URI tlsClientAuthSanUri; /** * @since Authlete 2.0.0 */ private String tlsClientAuthSanIp; /** * @since Authlete 2.0.0 */ private String tlsClientAuthSanEmail; /** * @since Authlete 1.1.19 */ private boolean tlsClientCertificateBoundAccessTokens; /** * @since Authlete 1.1.19 */ private String selfSignedCertificateKeyId; /** * @since Authlete 2.3.0 */ private String softwareId; /** * @since Authlete 2.3.0 */ private String softwareVersion; /** * @since Authlete 2.0.0 */ private JWSAlg authorizationSignAlg; /** * @since Authlete 2.0.0 */ private JWEAlg authorizationEncryptionAlg; /** * @since Authlete 2.0.0 */ private JWEEnc authorizationEncryptionEnc; /** * @since Authlete 2.0.0 */ private DeliveryMode bcDeliveryMode; /** * @since Authlete 2.0.0 */ private URI bcNotificationEndpoint; /** * @since Authlete 2.0.0 */ private JWSAlg bcRequestSignAlg; /** * @since Authlete 2.0.0 */ private boolean bcUserCodeRequired; /** * @since Authlete 2.0.0 */ private boolean dynamicallyRegistered; /** * @since Authlete 2.0.0 */ private String registrationAccessTokenHash; /** * @since Authlete 2.2.7 */ private String[] authorizationDetailsTypes; /** * @since Authlete 2.2.1 */ private boolean parRequired; /** * @since Authlete 2.2.1 */ private boolean requestObjectRequired; /** * @since Authlete 2.2.3 */ private Pair[] attributes; /** * @since Authlete 2.2.10 */ private String customMetadata; /** * @since Authlete 2.2.10 */ private boolean frontChannelRequestObjectEncryptionRequired; /** * @since Authlete 2.2.10 */ private boolean requestObjectEncryptionAlgMatchRequired; /** * @since Authlete 2.2.10 */ private boolean requestObjectEncryptionEncMatchRequired; /** * @since Authlete 2.3.0 */ private String digestAlgorithm; /** * @since Authlete 2.3.0 */ private boolean singleAccessTokenPerSubject; /** * @since Authlete 2.3.0 */ private boolean pkceRequired; /** * @since Authlete 2.3.0 */ private boolean pkceS256Required; /** * @since Authlete 2.3.0 */ private String rsSignedRequestKeyId; /** * @since Authlete 2.3.0 * @deprecated */ @Deprecated private boolean rsRequestSigned; /** * @since Authlete 2.3.0 */ private boolean dpopRequired; /** * @since Authlete 2.3.7 */ private boolean locked; /** * @since Authlete 3.0.0 */ private FapiMode[] fapiModes; /** * @since Authlete 3.0.0 */ private ResponseMode[] responseModes; /** * @since Authlete 3.0.0 */ private boolean mtlsEndpointAliasesUsed; /* * For OpenID Federation 1.0. */ /** * @since Authlete 2.3.0 */ private URI entityId; /** * @since Authlete 2.3.0 */ private URI trustAnchorId; /** * @since Authlete 2.3.0 */ private String[] trustChain; /** * @since Authlete 2.3.0 */ private long trustChainExpiresAt; /** * @since Authlete 2.3.0 */ private long trustChainUpdatedAt; /** * @since Authlete 2.3.0 */ private String organizationName; /** * @since Authlete 2.3.0 */ private URI signedJwksUri; /** * @since Authlete 2.3.0 */ private ClientRegistrationType[] clientRegistrationTypes; /** * @since Authlete 2.3.0 */ private boolean automaticallyRegistered; /** * @since Authlete 2.3.0 */ private boolean explicitlyRegistered; /* * For Verifiable Credentials */ /** * @since Authlete 3.0 */ private URI credentialOfferEndpoint; /** * @since Authlete 3.0 */ private boolean credentialResponseEncryptionRequired; /** * Get the client number. * * @return * The client number. */ public int getNumber() { return number; } /** * Set the client number. * * @param number * The client number. * * @return * {@code this} object. */ public Client setNumber(int number) { this.number = number; return this; } /** * Get the number of the service which this client belongs to. * * @return * The service number */ public int getServiceNumber() { return serviceNumber; } /** * Set the number of the service which this client belongs to. * * @param number * The service number. * * @return * {@code this} object. */ public Client setServiceNumber(int number) { this.serviceNumber = number; return this; } /** * Get the unique ID of the developer of this client application. * * @return * The developer unique ID. */ public String getDeveloper() { return developer; } /** * Set the unique ID of the developer of this client application. * * @param developer * The developer unique ID. * * @return * {@code this} object. */ public Client setDeveloper(String developer) { this.developer = developer; return this; } /** * Get the client ID. * * @return * The client ID. */ public long getClientId() { return clientId; } /** * Set the client ID. * * @param clientId * The client ID. * * @return * {@code this} object. */ public Client setClientId(long clientId) { this.clientId = clientId; return this; } /** * Get the alias of the client ID. * *

* Note that the client ID alias is recognized only when this * client's {@code clientIdAliasEnabled} property is {@code true} * AND the {@link Service service}'s {@code clientIdAliasEnabled} * property is also {@code true}. *

* * @return * The alias of the client ID. This may be {@code null}. * * @since 2.1 */ public String getClientIdAlias() { return clientIdAlias; } /** * Set the alias of the client ID. * *

* Note that the client ID alias is recognized only when this * client's {@code clientIdAliasEnabled} property is {@code true} * AND the {@link Service service}'s {@code clientIdAliasEnabled} * property is also {@code true}. *

* * @param alias * The alias of the client ID. * * @return * {@code this} object. * * @since 2.1 */ public Client setClientIdAlias(String alias) { this.clientIdAlias = alias; return this; } /** * Get the flag which indicates whether the client ID alias * is enabled or not. * *

* Note that {@link Service} class also has * {@code clientIdAliasEnabled} property. If the service's * {@code clientIdAliasEnabled} property is {@code false}, * the client ID alias of this client is not recognized even * if this client's {@code clientIdAliasEnabled} property is * {@code true}. *

* * @return * {@code true} if the client ID alias is enabled. * * @since 2.2 */ public boolean isClientIdAliasEnabled() { return clientIdAliasEnabled; } /** * Enable/disable the client ID alias. * *

* Note that {@link Service} class also has * {@code clientIdAliasEnabled} property. If the service's * {@code clientIdAliasEnabled} property is {@code false}, * the client ID alias of this client is not recognized even * if this client's {@code clientIdAliasEnabled} property is * {@code true}. *

* * @param enabled * {@code true} to enable the client ID alias. * {@code false} to disable it. * * @return * {@code this} object. * * @since 2.2 */ public Client setClientIdAliasEnabled(boolean enabled) { this.clientIdAliasEnabled = enabled; return this; } /** * Get the client secret. * * @return * The client secret. */ public String getClientSecret() { return clientSecret; } /** * Set the client secret. * * @param clientSecret * The client secret. * * @return * {@code this} object. */ public Client setClientSecret(String clientSecret) { this.clientSecret = clientSecret; return this; } /** * Get the client type. * * @return * The client type. */ public ClientType getClientType() { return clientType; } /** * Set the client type. * * @param clientType * The client type. * * @return * {@code this} object. */ public Client setClientType(ClientType clientType) { this.clientType = clientType; return this; } /** * Get the redirect URIs. * * @return * The redirect URIs. * * @see RFC 6749 (OAuth 2.0), 3.1.2. Redirection Endpoint */ public String[] getRedirectUris() { return redirectUris; } /** * Set the redirect URIs. * * @param uris * The redirect URIs. * * @return * {@code this} object. * * @see RFC 6749 (OAuth 2.0), 3.1.2. Redirection Endpoint */ public Client setRedirectUris(String[] uris) { this.redirectUris = uris; return this; } /** * Get {@code response_type} values that the client is declaring * that it will restrict itself to using. * * @return * The response types. */ public ResponseType[] getResponseTypes() { return responseTypes; } /** * Set {@code response_type} values that the client is declaring * that it will restrict itself to using. * * @param responseTypes * The response types. * * @return * {@code this} object. */ public Client setResponseTypes(ResponseType[] responseTypes) { this.responseTypes = responseTypes; return this; } /** * Get {@code grant_type} values that the client is declaring * that it will restrict itself to using. * * @return * The grant types. */ public GrantType[] getGrantTypes() { return grantTypes; } /** * Set {@code grant_type} values that the client is declaring * that it will restrict itself to using. * * @param grantTypes * The grant types. * * @return * {@code this} object. */ public Client setGrantTypes(GrantType[] grantTypes) { this.grantTypes = grantTypes; return this; } /** * Get the application type. * * @return * The application type. * * @see OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata */ public ApplicationType getApplicationType() { return applicationType; } /** * Set the application type. * * @param applicationType * The application type. * * @return * {@code this} object. * * @see OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata */ public Client setApplicationType(ApplicationType applicationType) { this.applicationType = applicationType; return this; } /** * Get the email addresses of contacts. * * @return * Email addresses of contacts. */ public String[] getContacts() { return contacts; } /** * Set the email addresses of contacts. * * @param contacts * Email addresses of contacts. * * @return * {@code this} object. */ public Client setContacts(String[] contacts) { this.contacts = contacts; return this; } /** * Get the client name. * * @return * The client name. */ public String getClientName() { return clientName; } /** * Set the client name. * * @param clientName * The client name. * * @return * {@code this} object. */ public Client setClientName(String clientName) { this.clientName = clientName; return this; } /** * Get the client names each of which has a language tag. * * @return * The client names each of which has a language tag. */ public TaggedValue[] getClientNames() { return clientNames; } /** * Set the client names each of which has a language tag. * * @param clientNames * The client names. * * @return * {@code this} object. */ public Client setClientNames(TaggedValue[] clientNames) { this.clientNames = clientNames; return this; } /** * Get the URI of the logo image. * * @return * The URI of the logo image. */ public URI getLogoUri() { return logoUri; } /** * Set the URI of the logo image. * * @param uri * The URI of the logo image. * * @return * {@code this} object. */ public Client setLogoUri(URI uri) { this.logoUri = uri; return this; } /** * Get the logo URIs each of which has a language tag. * * @return * The logo URIs. */ public TaggedValue[] getLogoUris() { return logoUris; } /** * Set the logo URIs each of which has a language tag. * * @param uris * The logo URIs. * * @return * {@code this} object. */ public Client setLogoUris(TaggedValue[] uris) { this.logoUris = uris; return this; } /** * Get the URI of the home page. * * @return * The URI of the home page. */ public URI getClientUri() { return clientUri; } /** * Set the URI of the home page. * * @param uri * The URI of the home page. * * @return * {@code this} object. */ public Client setClientUri(URI uri) { this.clientUri = uri; return this; } /** * Get the URIs of the home pages for specific languages. * * @return * The URIs of the home page for specific languages. */ public TaggedValue[] getClientUris() { return clientUris; } /** * Set the URIs of the home pages for specific languages. * * @param uris * The URIs of the home page for specific languages. * * @return * {@code this} object. */ public Client setClientUris(TaggedValue[] uris) { this.clientUris = uris; return this; } /** * Get the URI of the policy page which describes how * the client application uses the profile data of the * end-user. * * @return * The URI of the policy page. */ public URI getPolicyUri() { return policyUri; } /** * Set the URI of the policy page which describes how * the client application uses the profile data of the * end-user. * * @param uri * The URI of the policy page. * * @return * {@code this} object. */ public Client setPolicyUri(URI uri) { this.policyUri = uri; return this; } /** * Get the URIs of the policy pages for specific languages. * * @return * The URIs of the policy pages for specific languages. */ public TaggedValue[] getPolicyUris() { return policyUris; } /** * Set the URIs of the policy pages for specific languages. * * @param uris * The URIs of the policy pages for specific languages. * * @return * {@code this} object. */ public Client setPolicyUris(TaggedValue[] uris) { this.policyUris = uris; return this; } /** * Get the URI of the "Terms Of Service" page. * * @return * The URI of the "Terms Of Service" page. */ public URI getTosUri() { return tosUri; } /** * Set the URI of the "Terms Of Service" page. * * @param uri * The URI of the "Terms Of Service" page. * * @return * {@code this} object. */ public Client setTosUri(URI uri) { this.tosUri = uri; return this; } /** * Get the URIs of the "Terms Of Service" pages for specific languages. * * @return * The URIs of the "Terms Of Service" pages for specific languages. */ public TaggedValue[] getTosUris() { return tosUris; } /** * Set the URIs of the "Terms Of Service" pages for specific languages. * * @param uris * The URIs of the "Terms Of Service" pages for specific languages. * * @return * {@code this} object. */ public Client setTosUris(TaggedValue[] uris) { this.tosUris = uris; return this; } /** * Get the URI of the JSON Web Key Set of the client application. * * @return * The URI of the JSON Web Key Set of the client application. */ public URI getJwksUri() { return jwksUri; } /** * Set the URI of the JSON Web Key Set of the client application. * * @param uri * The URI of the JSON Web Key Set of the client application. * * @return * {@code this} object. */ public Client setJwksUri(URI uri) { this.jwksUri = uri; return this; } /** * Get the JSON Web Key Set. * * @return * The JSON Web Key Set. */ public String getJwks() { return jwks; } /** * Set the JSON Web Key Set. * * @param jwks * The JSON Web Key Set. * * @return * {@code this} object. */ public Client setJwks(String jwks) { this.jwks = jwks; return this; } /** * Get the sector identifier. * * @deprecated Since Authlete 2.2. Use {@link Client#getSectorIdentifierUri()} instead. * * @return * The sector identifier. */ @Deprecated public URI getSectorIdentifier() { return this.getSectorIdentifierUri(); } /** * Set the sector identifier. * * @deprecated Since Authlete 2.2. Use {@link Client#setSectorIdentifierUri(URI)} instead. * * @param sectorIdentifier * The sector identifier. * * @return * {@code this} object. */ @Deprecated public Client setSectorIdentifier(URI sectorIdentifier) { return this.setSectorIdentifierUri(sectorIdentifier); } /** * Get the value of the sector identifier URI. * *

* This represents the {@code sector_identifier_uri} client metadata which * is defined in 2. Client Metadata of OpenID Connect * Dynamic Client Registration 1.0. *

* * @return * The sector identifier URI. * * @since 2.50 */ public URI getSectorIdentifierUri() { return sectorIdentifierUri; } /** * Set the value of the sector identifier URI. * *

* This represents the {@code sector_identifier_uri} client metadata which * is defined in 2. Client Metadata of OpenID Connect * Dynamic Client Registration 1.0. *

* * @param uri * The sector identifier URI. * * @return * {@code this} object. * * @since 2.50 */ public Client setSectorIdentifierUri(URI uri) { this.sectorIdentifierUri = uri; return this; } /** * Get the sector identifier host component as derived from either the * {@code sector_identifier_uri} or the registered {@code redirect_uri}. * If no {@code sector_identifier_uri} is registered and multiple * {@code redirect_uri}s are also registered, this value is undefined * and the field returns {@code null}. * * @return * The derived sector identifier, if available, or {@code null} otherwise. * * @see OIDC Core, 8.1. Pairwise Identifier Algorithm * * @since 2.61 */ public String getDerivedSectorIdentifier() { return derivedSectorIdentifier; } /** * Set the sector identifier host component as derived from either the * {@code sector_identifier_uri} or the registered {@code redirect_uri}. * If no {@code sector_identifier_uri} is registered and multiple * {@code redirect_uri}s are also registered, this value is undefined * and the field is {@code null}. * * @param derivedSectorIdentifier * The derived sector identifier, if available, or {@code null} otherwise. * * @return * {@code this} object. * * @see OIDC Core, 8.1. Pairwise Identifier Algorithm * * @since 2.61 */ public Client setDerivedSectorIdentifier(String derivedSectorIdentifier) { this.derivedSectorIdentifier = derivedSectorIdentifier; return this; } /** * Get the subject type that this client application requests. * * @return * The subject type. * * @see Subject Identifier Types */ public SubjectType getSubjectType() { return subjectType; } /** * Set the subject type that this client application requests. * * @param subjectType * The subject type. * * @return * {@code this} object. * * @see Subject Identifier Types */ public Client setSubjectType(SubjectType subjectType) { this.subjectType = subjectType; return this; } /** * Get the JWS alg algorithm for signing the ID token * issued to this client. This property corresponds to * id_token_signed_response_alg in Client Metadata. * * @return * The JWS alg algorithm for signing the ID * token issued to this client. */ public JWSAlg getIdTokenSignAlg() { return idTokenSignAlg; } /** * Set the JWS alg algorithm for signing the ID token * issued to this client. This property corresponds to * id_token_signed_response_alg in Client Metadata. * * @param alg * The JWS alg algorithm for signing the * ID token issued to this client. * * @return * {@code this} object. */ public Client setIdTokenSignAlg(JWSAlg alg) { this.idTokenSignAlg = alg; return this; } /** * Get the JWE alg algorithm for encrypting the ID token * issued to this client. This property corresponds to * id_token_encrypted_response_algin Client Metadata. * * @return * The JWE alg algorithm for encrypting the * ID token issued to this client. */ public JWEAlg getIdTokenEncryptionAlg() { return idTokenEncryptionAlg; } /** * Set the JWE alg algorithm for encrypting the ID token * issued to this client. This property corresponds to * id_token_encrypted_response_algin Client Metadata. * * @param alg * The JWE alg algorithm for encrypting the * ID token issued to this client. * * @return * {@code this} object. */ public Client setIdTokenEncryptionAlg(JWEAlg alg) { this.idTokenEncryptionAlg = alg; return this; } /** * Get the JWE enc algorithm for encrypting the ID token * issued to this client. This property corresponds to * id_token_encrypted_response_encin Client Metadata. * * @return * The JWE enc algorithm for encrypting the * ID token issued to this client. */ public JWEEnc getIdTokenEncryptionEnc() { return idTokenEncryptionEnc; } /** * Set the JWE enc algorithm for encrypting the ID token * issued to this client. This property corresponds to * id_token_encrypted_response_encin Client Metadata. * * @param enc * The JWE enc algorithm for encrypting the * ID token issued to this client. * * @return * {@code this} object. */ public Client setIdTokenEncryptionEnc(JWEEnc enc) { this.idTokenEncryptionEnc = enc; return this; } /** * Get the JWS alg algorithm for signing UserInfo responses. * This property corresponds to userinfo_signed_response_alg * in Client Metadata. * * @return * The JWS alg algorithm for signing UserInfo responses. */ public JWSAlg getUserInfoSignAlg() { return userInfoSignAlg; } /** * Set the JWS alg algorithm for signing UserInfo responses. * This property corresponds to userinfo_signed_response_alg * in Client Metadata. * * @param alg * The JWS alg algorithm for signing UserInfo responses. * * @return * {@code this} object. */ public Client setUserInfoSignAlg(JWSAlg alg) { this.userInfoSignAlg = alg; return this; } /** * Get the JWE alg algorithm for encrypting UserInfo responses. * This property corresponds to userinfo_encrypted_response_alg * in Client Metadata. * * @return * The JWE alg algorithm for encrypting UserInfo responses. */ public JWEAlg getUserInfoEncryptionAlg() { return userInfoEncryptionAlg; } /** * Set the JWE alg algorithm for encrypting UserInfo responses. * This property corresponds to userinfo_encrypted_response_alg * in Client Metadata. * * @param alg * The JWE alg algorithm for encrypting UserInfo responses. * * @return * {@code this} object. */ public Client setUserInfoEncryptionAlg(JWEAlg alg) { this.userInfoEncryptionAlg = alg; return this; } /** * Get the JWE enc algorithm for encrypting UserInfo responses. * This property corresponds to userinfo_encrypted_response_enc * in Client Metadata. * * @return * The JWE enc algorithm for encrypting UserInfo responses. */ public JWEEnc getUserInfoEncryptionEnc() { return userInfoEncryptionEnc; } /** * Set the JWE enc algorithm for encrypting UserInfo responses. * This property corresponds to userinfo_encrypted_response_enc * in Client Metadata. * * @param enc * The JWE enc algorithm for encrypting UserInfo responses. * * @return * {@code this} object. */ public Client setUserInfoEncryptionEnc(JWEEnc enc) { this.userInfoEncryptionEnc = enc; return this; } /** * Get the JWS alg algorithm for signing request objects. * This property corresponds to request_object_signing_alg * in Client Metadata. * * @return * The JWS alg algorithm for signing request objects. */ public JWSAlg getRequestSignAlg() { return requestSignAlg; } /** * Set the JWS alg algorithm for signing request objects. * This property corresponds to request_object_signing_alg * in Client Metadata. * * @param alg * The JWS alg algorithm for signing request objects. * * @return * {@code this} object. */ public Client setRequestSignAlg(JWSAlg alg) { this.requestSignAlg = alg; return this; } /** * Get the JWE alg algorithm for encrypting request objects. * This property corresponds to request_object_encryption_alg * in Client Metadata. * * @return * The JWE alg algorithm for encrypting request objects. */ public JWEAlg getRequestEncryptionAlg() { return requestEncryptionAlg; } /** * Set the JWE alg algorithm for encrypting request objects. * This property corresponds to request_object_encryption_alg * in Client Metadata. * * @param alg * The JWE alg algorithm for encrypting request objects. * * @return * {@code this} object. */ public Client setRequestEncryptionAlg(JWEAlg alg) { this.requestEncryptionAlg = alg; return this; } /** * Get the JWE enc algorithm for encrypting request objects. * This property corresponds to request_object_encryption_enc * in Client Metadata. * * @return * The JWE enc algorithm for encrypting request objects. */ public JWEEnc getRequestEncryptionEnc() { return requestEncryptionEnc; } /** * Set the JWE enc algorithm for encrypting request objects. * This property corresponds to request_object_encryption_enc * in Client Metadata. * * @param enc * The JWE enc algorithm for encrypting request objects. * * @return * {@code this} object. */ public Client setRequestEncryptionEnc(JWEEnc enc) { this.requestEncryptionEnc = enc; return this; } /** * Get the client authentication method for the token endpoint. * This property corresponds to token_endpoint_auth_method * in Client Metadata. * * @return * The client authentication method for the token endpoint. */ public ClientAuthMethod getTokenAuthMethod() { return tokenAuthMethod; } /** * Set the client authentication method for the token endpoint. * This property corresponds to token_endpoint_auth_method * in Client Metadata. * * @param method * The client authentication method for the token endpoint. * * @return * {@code this} object. */ public Client setTokenAuthMethod(ClientAuthMethod method) { this.tokenAuthMethod = method; return this; } /** * Get the JWS alg algorithm for signing the JWT used to * authenticate the client at the token endpoint. This property corresponds * to token_endpoint_auth_signing_alg in Client Metadata. * * @return * The JWS alg algorithm for signing the JWT used to * authenticate the client at the token endpoint. */ public JWSAlg getTokenAuthSignAlg() { return tokenAuthSignAlg; } /** * Set the JWS alg algorithm for signing the JWT used to * authenticate the client at the token endpoint. This property corresponds * to token_endpoint_auth_signing_alg in Client Metadata. * * @param alg * The JWS alg algorithm for signing the JWT used to * authenticate the client at the token endpoint. * * @return * {@code this} object. */ public Client setTokenAuthSignAlg(JWSAlg alg) { this.tokenAuthSignAlg = alg; return this; } /** * Get the default value of the maximum authentication age in seconds. * This property corresponds to default_max_age in Client Metadata. * * @return * The default value of the maximum authentication age in seconds. */ public int getDefaultMaxAge() { return defaultMaxAge; } /** * Set the default value of the maximum authentication age in seconds. * This property corresponds to default_max_age in Client Metadata. * *

* This value is used when the request from the client application does * not contain the max_age request parameter. *

* * @param defaultMaxAge * The default value of the maximum authentication age in seconds. * 0 means that no default value is set. * * @return * {@code this} object. */ public Client setDefaultMaxAge(int defaultMaxAge) { this.defaultMaxAge = defaultMaxAge; return this; } /** * Get the flag which indicates whether this client requires auth_time * claim to be embedded in the ID token. This property corresponds to * require_auth_time in Client Metadata. * * @return * The flag which indicates whether this client requires auth_time * claim to be embedded in the ID token. */ public boolean isAuthTimeRequired() { return authTimeRequired; } /** * Set the flag which indicates whether this client requires auth_time * claim to be embedded in the ID token. This property corresponds to * require_auth_time in Client Metadata. * * @param required * The flag which indicates whether this client requires auth_time * claim to be embedded in the ID token. * * @return * {@code this} object. */ public Client setAuthTimeRequired(boolean required) { this.authTimeRequired = required; return this; } /** * Get the default list of authentication context class references. * This property corresponds to default_acr_values in Client Metadata. * * @return * The default list of authentication context class references. */ public String[] getDefaultAcrs() { return defaultAcrs; } /** * Set the default list of authentication context class references. * This property corresponds to default_max_age in Client Metadata. * *

* This value is used when the request from the client application does * not contain the acr_values request parameter. *

* * @param defaultAcrs * The default list of authentication context class references. * * @return * {@code this} object. */ public Client setDefaultAcrs(String[] defaultAcrs) { this.defaultAcrs = defaultAcrs; return this; } /** * Get the URL that can initiate a login for this client application. * This property corresponds to initiate_login_uri in Client Metadata. * * @return * The URL that can initiate a login for this client application. */ public URI getLoginUri() { return loginUri; } /** * Set the URL that can initiate a login for this client application. * This property corresponds to initiate_login_uri in Client Metadata. * * @param uri * The URL that can initiate a login for this client application. * * @return * {@code this} object. */ public Client setLoginUri(URI uri) { this.loginUri = uri; return this; } /** * Get the request URIs that this client declares it may use. This property * corresponds to request_uris in Client Metadata. * * @return * The request URIs that this client declares it may use. */ public String[] getRequestUris() { return requestUris; } /** * Set the request URIs that this client declares it may use. This property * corresponds to request_uris in Client Metadata. * * @param uris * The request URIs that this client declares it may use. * * @return * {@code this} object. */ public Client setRequestUris(String[] uris) { this.requestUris = uris; return this; } /** * Get the description. * * @return * The description. */ public String getDescription() { return description; } /** * Set the description. * * @param description * The description. * * @return * {@code this} object. */ public Client setDescription(String description) { this.description = description; return this; } /** * Get the descriptions for specific languages. * * @return * The descriptions for specific languages. */ public TaggedValue[] getDescriptions() { return descriptions; } /** * Set the descriptions for specific languages. * * @param descriptions * The descriptions for specific languages. * * @return * {@code this} object. */ public Client setDescriptions(TaggedValue[] descriptions) { this.descriptions = descriptions; return this; } /** * Get the time at which this client was created. * * @return * The time at which this client was created. * The value is represented as milliseconds since * the UNIX epoch (1970-01-01). * * @since 1.6 */ public long getCreatedAt() { return createdAt; } /** * Set the time at which this client was created. * * @param createdAt * The time at which this client was created. * * @return * {@code this} object. * * @since 1.6 */ public Client setCreatedAt(long createdAt) { this.createdAt = createdAt; return this; } /** * Get the time at which this client was last modified. * * @return * The time at which this client was last modified. * The value is represented as milliseconds since * the UNIX epoch (1970-01-01). * * @since 1.6 */ public long getModifiedAt() { return modifiedAt; } /** * Set the time at which this client was last modified. * * @param modifiedAt * The time at which this client was modified. * * @return * {@code this} object. * * @since 1.6 */ public Client setModifiedAt(long modifiedAt) { this.modifiedAt = modifiedAt; return this; } /** * Get the extended information about this client. * * @return * The extended information about this client. * * @since 1.39 */ public ClientExtension getExtension() { return extension; } /** * Set the extended information about this client. * * @param extension * The extended information about this client. * * @return * {@code this} object. * * @since 1.39 */ public Client setExtension(ClientExtension extension) { this.extension = extension; return this; } /** * Get the string representation of the expected subject * distinguished name of the certificate this client will * use in mutual TLS authentication. * *

* See {@code tls_client_auth_subject_dn} in "2.3. Dynamic * Client Registration" in "Mutual TLS Profiles for * OAuth Clients" for details. *

* * @return * The expected subject distinguished name of the * client certificate. * * @since 2.7 */ public String getTlsClientAuthSubjectDn() { return tlsClientAuthSubjectDn; } /** * Set the string representation of the expected subject * distinguished name of the certificate this client will * use in mutual TLS authentication. * *

* See {@code tls_client_auth_subject_dn} in "2.3. Dynamic * Client Registration" in "Mutual TLS Profiles for * OAuth Clients" for details. *

* * @param name * The expected subject distinguished name of the * client certificate. * * @return * {@code this} object. * * @since 2.7 */ public Client setTlsClientAuthSubjectDn(String name) { this.tlsClientAuthSubjectDn = name; return this; } /** * Get the string representation of the expected DNS subject * alternative name of the certificate this client will * use in mutual TLS authentication. * *

* See {@code tls_client_auth_san_dns} in "2.3. Dynamic * Client Registration" in "Mutual TLS Profiles for * OAuth Clients" for details. *

* * @return * The expected DNS subject alternative name of the * client certificate. * * @since 2.38 */ public String getTlsClientAuthSanDns() { return tlsClientAuthSanDns; } /** * Set the string representation of the expected DNS subject * alternative name of the certificate this client will * use in mutual TLS authentication. * *

* See {@code tls_client_auth_san_dns} in "2.3. Dynamic * Client Registration" in "Mutual TLS Profiles for * OAuth Clients" for details. *

* * @param name * The expected DNS subject alternative name of the * client certificate. * * @return * {@code this} object. * * @since 2.38 */ public Client setTlsClientAuthSanDns(String tlsClientAuthSanDns) { this.tlsClientAuthSanDns = tlsClientAuthSanDns; return this; } /** * Get the string representation of the expected URI subject * alternative name of the certificate this client will * use in mutual TLS authentication. * *

* See {@code tls_client_auth_san_uri} in "2.3. Dynamic * Client Registration" in "Mutual TLS Profiles for * OAuth Clients" for details. *

* * @return * The expected URI subject alternative name of the * client certificate. * * @since 2.38 */ public URI getTlsClientAuthSanUri() { return tlsClientAuthSanUri; } /** * Set the string representation of the expected URI subject * alternative name of the certificate this client will * use in mutual TLS authentication. * *

* See {@code tls_client_auth_san_uri} in "2.3. Dynamic * Client Registration" in "Mutual TLS Profiles for * OAuth Clients" for details. *

* * @param name * The expected URI subject alternative name of the * client certificate. * * @return * {@code this} object. * * @since 2.38 */ public Client setTlsClientAuthSanUri(URI tlsClientAuthSanUri) { this.tlsClientAuthSanUri = tlsClientAuthSanUri; return this; } /** * Get the string representation of the expected IP address * subject alternative name of the certificate this client will * use in mutual TLS authentication. * *

* See {@code tls_client_auth_san_ip} in "2.3. Dynamic * Client Registration" in "Mutual TLS Profiles for * OAuth Clients" for details. *

* * @return * The expected IP address subject alternative name of the * client certificate. * * @since 2.38 */ public String getTlsClientAuthSanIp() { return tlsClientAuthSanIp; } /** * Set the string representation of the expected IP address * subject alternative name of the certificate this client will * use in mutual TLS authentication. * *

* See {@code tls_client_auth_san_ip} in "2.3. Dynamic * Client Registration" in "Mutual TLS Profiles for * OAuth Clients" for details. *

* * @param name * The expected IP address subject alternative name of the * client certificate. * * @return * {@code this} object. * * @since 2.38 */ public Client setTlsClientAuthSanIp(String tlsClientAuthSanIp) { this.tlsClientAuthSanIp = tlsClientAuthSanIp; return this; } /** * Get the string representation of the expected email address * subject alternative name of the certificate this client will * use in mutual TLS authentication. * *

* See {@code tls_client_auth_san_email} in "2.3. Dynamic * Client Registration" in "Mutual TLS Profiles for * OAuth Clients" for details. *

* * @return * The expected email address subject alternative name of the * client certificate. * * @since 2.38 */ public String getTlsClientAuthSanEmail() { return tlsClientAuthSanEmail; } /** * Set the string representation of the expected email address * subject alternative name of the certificate this client will * use in mutual TLS authentication. * *

* See {@code tls_client_auth_san_email} in "2.3. Dynamic * Client Registration" in "Mutual TLS Profiles for * OAuth Clients" for details. *

* * @param name * The expected email address subject alternative name of the * client certificate. * * @return * {@code this} object. * * @since 2.38 */ public Client setTlsClientAuthSanEmail(String tlsClientAuthSanEmail) { this.tlsClientAuthSanEmail = tlsClientAuthSanEmail; return this; } /** * Does this client use TLS client certificate bound access tokens? * * @return * {@code true} if this client uses TLS client certificate bound * access tokens. * * @since 2.19 */ public boolean isTlsClientCertificateBoundAccessTokens() { return tlsClientCertificateBoundAccessTokens; } /** * Set whether this client uses TLS client certificate bound access tokens * or not. * * @param use * {@code true} to indicate that this client uses TLS client * certificate bound access tokens. * * @return * {@code this} object. * * @since 2.19 */ public Client setTlsClientCertificateBoundAccessTokens(boolean use) { this.tlsClientCertificateBoundAccessTokens = use; return this; } /** * Get the key ID of a JWK containing a self-signed certificate of this client. * *

* See "2.2. Self-Signed Certificate Mutual TLS OAuth Client Authentication * Method" in "OAuth 2.0 Mutual TLS Client Authentication and Certificate * Bound Access Tokens" for details. *

* * @return * A key ID of a JWK. This may be {@code null}. * * @since 2.20 */ public String getSelfSignedCertificateKeyId() { return selfSignedCertificateKeyId; } /** * Set the key ID of a JWK containing a self-signed certificate of this client. * Unless this value is set to {@code null}, Authlete uses this value to look * up the corresponding JWK for client authentication using mutual TLS utilizing * self-signed certificates. * *

* See "2.2. Self-Signed Certificate Mutual TLS OAuth Client Authentication * Method" in "OAuth 2.0 Mutual TLS Client Authentication and Certificate * Bound Access Tokens" for details. *

* * @param keyId * A key ID of a JWK. This may be {@code null}. * * @return * {@code this} object. * * @since 2.20 */ public Client setSelfSignedCertificateKeyId(String keyId) { this.selfSignedCertificateKeyId = keyId; return this; } /** * Get the unique identifier string assigned by the client developer or * software publisher used by registration endpoints to identify the client * software to be dynamically registered. * *

* This property corresponds to the {@code software_id} metadata defined in * 2. Client * Metadata of RFC 7591 * (OAuth 2.0 Dynamic Client Registration Protocol). *

* * @return * The unique identifier of the client software. * * @since 2.24 */ public String getSoftwareId() { return softwareId; } /** * Set a unique identifier string assigned by the client developer or * software publisher used by registration endpoints to identify the client * software to be dynamically registered. * *

* This property corresponds to the {@code software_id} metadata defined in * 2. Client * Metadata of RFC 7591 * (OAuth 2.0 Dynamic Client Registration Protocol). *

* * @param softwareId * A unique identifier of the client software. * * @return * {@code this} object. * * @since 2.24 */ public Client setSoftwareId(String softwareId) { this.softwareId = softwareId; return this; } /** * Get the version identifier string for the client software identified by * the software ID. * *

* This property corresponds to the {@code software_version} metadata * defined in 2. * Client Metadata of RFC 7591 (OAuth 2.0 Dynamic Client Registration Protocol). *

* * @return * The version of the client software. * * @since 2.24 */ public String getSoftwareVersion() { return softwareVersion; } /** * Set a version identifier string for the client software identified by * the software ID. * *

* This property corresponds to the {@code software_version} metadata * defined in 2. * Client Metadata of RFC 7591 (OAuth 2.0 Dynamic Client Registration Protocol). *

* * @param softwareVersion * A version of the client software. * * @return * {@code this} object. * * @since 2.24 */ public Client setSoftwareVersion(String softwareVersion) { this.softwareVersion = softwareVersion; return this; } /** * Get the JWS {@code alg} algorithm for signing authorization responses. * This property corresponds to {@code authorization_signed_response_alg} in * 5. Client Metadata of Financial-grade API: JWT Secured Authorization Response Mode for * OAuth 2.0 (JARM). * * @return * The JWS {@code alg} algorithm for signing authorization responses. * * @since 2.27 */ public JWSAlg getAuthorizationSignAlg() { return authorizationSignAlg; } /** * Set the JWS {@code alg} algorithm for signing authorization responses. * This property corresponds to {@code authorization_signed_response_alg} in * 5. Client Metadata of Financial-grade API: JWT Secured Authorization Response Mode for * OAuth 2.0 (JARM). * * @param alg * The JWS {@code alg} algorithm for signing authorization responses. * * @return * {@code this} object. * * @since 2.27 */ public Client setAuthorizationSignAlg(JWSAlg alg) { this.authorizationSignAlg = alg; return this; } /** * Get the JWE {@code alg} algorithm for encrypting authorization responses. * This property corresponds to {@code authorization_encrypted_response_alg} in * 5. Client Metadata of Financial-grade API: JWT Secured Authorization Response Mode for * OAuth 2.0 (JARM). * * @return * The JWE {@code alg} algorithm for encrypting authorization responses. * * @since 2.27 */ public JWEAlg getAuthorizationEncryptionAlg() { return authorizationEncryptionAlg; } /** * Set the JWE {@code alg} algorithm for encrypting authorization responses. * This property corresponds to {@code authorization_encrypted_response_alg} in * 5. Client Metadata of Financial-grade API: JWT Secured Authorization Response Mode for * OAuth 2.0 (JARM). * * @param alg * The JWE {@code alg} algorithm for encrypting authorization responses. * * @return * {@code this} object. * * @since 2.27 */ public Client setAuthorizationEncryptionAlg(JWEAlg alg) { this.authorizationEncryptionAlg = alg; return this; } /** * Get the JWE {@code enc} algorithm for encrypting authorization responses. * This property corresponds to {@code authorization_encrypted_response_enc} in * 5. Client Metadata of Financial-grade API: JWT Secured Authorization Response Mode for * OAuth 2.0 (JARM). * * @return * The JWE {@code enc} algorithm for encrypting authorization responses. * * @since 2.27 */ public JWEEnc getAuthorizationEncryptionEnc() { return authorizationEncryptionEnc; } /** * Set the JWE {@code enc} algorithm for encrypting authorization responses. * This property corresponds to {@code authorization_encrypted_response_enc} in * 5. Client Metadata of Financial-grade API: JWT Secured Authorization Response Mode for * OAuth 2.0 (JARM). * * @param enc * The JWE {@code enc} algorithm for encrypting authorization responses. * * @return * {@code this} object. * * @since 2.27 */ public Client setAuthorizationEncryptionEnc(JWEEnc enc) { this.authorizationEncryptionEnc = enc; return this; } /** * Get the backchannel token delivery mode. This property corresponds * to the {@code backchannel_token_delivery_mode} metadata. * *

* The backchannel token delivery mode is defined in the specification * of the CIBA (Client Initiated Backchannel Authentication). *

* * @return * The backchannel token delivery mode. * * @since 2.32 */ public DeliveryMode getBcDeliveryMode() { return bcDeliveryMode; } /** * Set the backchannel token delivery mode. This property corresponds * to the {@code backchannel_token_delivery_mode} metadata. * *

* The backchannel token delivery mode is defined in the specification * of CIBA (Client Initiated Backchannel Authentication). *

* * @param mode * The backchannel token delivery mode. * * @return * {@code this} object. * * @since 2.32 */ public Client setBcDeliveryMode(DeliveryMode mode) { this.bcDeliveryMode = mode; return this; } /** * Get the backchannel client notification endpoint. This property * corresponds to the {@code backchannel_client_notification_endpoint} * metadata. * *

* The backchannel client notification endpoint is defined in the * specification of CIBA (Client Initiated Backchannel Authentication). *

* * @return * The backchannel client notification endpoint. * * @since 2.32 */ public URI getBcNotificationEndpoint() { return bcNotificationEndpoint; } /** * Set the backchannel client notification endpoint. This property * corresponds to the {@code backchannel_client_notification_endpoint} * metadata. * *

* The backchannel client notification endpoint is defined in the * specification of CIBA (Client Initiated Backchannel Authentication). *

* * @param endpoint * The backchannel client notification endpoint. * * @return * {@code this} object. * * @since 2.32 */ public Client setBcNotificationEndpoint(URI endpoint) { this.bcNotificationEndpoint = endpoint; return this; } /** * Get the signature algorithm of the request to the backchannel * authentication endpoint. This property corresponds to the * {@code backchannel_authentication_request_signing_alg} metadata. * * @return * The signature algorithm of the request to the backchannel * authentication endpoint. * * @since 2.32 */ public JWSAlg getBcRequestSignAlg() { return bcRequestSignAlg; } /** * Set the signature algorithm of the request to the backchannel * authentication endpoint. This property corresponds to the * {@code backchannel_authentication_request_signing_alg} metadata. * *

* The specification of CIBA (Client Initiated Backchannel Authentication) * allows asymmetric algorithms only. *

* * @param alg * The signature algorithm of the request to the backchannel * authentication endpoint. * * @return * {@code this} object. * * @since 2.32 */ public Client setBcRequestSignAlg(JWSAlg alg) { this.bcRequestSignAlg = alg; return this; } /** * Get the boolean flag which indicates whether a user code is required * when this client makes a backchannel authentication request. This * property corresponds to the {@code backchannel_user_code_parameter} * metadata. * * @return * {@code true} if a user code is required when this client * makes a backchannel authentication request. * * @since 2.32 */ public boolean isBcUserCodeRequired() { return bcUserCodeRequired; } /** * Set the boolean flag which indicates whether a user code is required * when this client makes a backchannel authentication request. This * property corresponds to the {@code backchannel_user_code_parameter} * metadata. * * @param required * {@code true} to indicate that a user code is required when * this client makes a backchannel authentication request. * * @return * {@code this} object. * * @since 2.32 */ public Client setBcUserCodeRequired(boolean required) { this.bcUserCodeRequired = required; return this; } /** * Get the flag which indicates whether this client has been registered dynamically. * * @param dynamicallyRegistered * {@code true} if the client has been registered dynamically. * * @return * {@code this} object. * * @since 2.39 */ public boolean isDynamicallyRegistered() { return dynamicallyRegistered; } /** * Set the flag which indicates whether this client has been registered dynamically. * * @param dynamicallyRegistered * {@code true} if the client has been registered dynamically. * * @return * {@code this} object. * * @since 2.39 */ public Client setDynamicallyRegistered(boolean dynamicallyRegistered) { this.dynamicallyRegistered = dynamicallyRegistered; return this; } /** * Get the hash of the registration access token for this client. * * @return * The hash of the registration access token for this client. * * @since 2.39 */ public String getRegistrationAccessTokenHash() { return registrationAccessTokenHash; } /** * Set the hash of the registration access token for this client. * * @param registrationAccessToken * The hash of the registration access token for this client. * * @return * {@code this} object. * * @since 2.39 */ public Client setRegistrationAccessTokenHash(String registrationAccessToken) { this.registrationAccessTokenHash = registrationAccessToken; return this; } /** * Get the authorization details types that this client may use as values * of the {@code "type"} field in {@code "authorization_details"}. * *

* This property corresponds to the {@code "authorization_details_types"} * metadata. See "OAuth 2.0 Rich Authorization Requests" (RAR) for details. *

* *

* Note that the property name was renamed from {@code authorizationDataTypes} * to {@code authorizationDetailsTypes} to align with the change made by * the 5th draft of the RAR specification. *

* * @return * Authorization details types used in {@code "authorization_details"}. * * @since 2.91 */ public String[] getAuthorizationDetailsTypes() { return authorizationDetailsTypes; } /** * Set the authorization details types that this client may use as values * of the {@code "type"} field in {@code "authorization_details"}. * *

* This property corresponds to the {@code "authorization_details_types"} * metadata. See "OAuth 2.0 Rich Authorization Requests" (RAR) for details. *

* *

* Note that the property name was renamed from {@code authorizationDataTypes} * to {@code authorizationDetailsTypes} to align with the change made by * the 5th draft of the RAR specification. *

* * @param types * Authorization details types used in {@code "authorization_details"}. * * @return * {@code this} object. * * @since 2.91 */ public Client setAuthorizationDetailsTypes(String[] types) { this.authorizationDetailsTypes = types; return this; } /** * Get the flag indicating whether this client is required to use the * pushed authorization request endpoint. * *

* This property corresponds to the * {@code require_pushed_authorization_requests} client metadata defined * in "OAuth 2.0 Pushed Authorization Requests". *

* * @return * {@code true} if this client is required to use the pushed * authorization request endpoint. * * @since 2.77 */ public boolean isParRequired() { return parRequired; } /** * Set the flag indicating whether this client is required to use the * pushed authorization request endpoint. * *

* This property corresponds to the * {@code require_pushed_authorization_requests} client metadata defined * in "OAuth 2.0 Pushed Authorization Requests". *

* * @param required * {@code true} to indicate that this client is required to use * the pushed authorization request endpoint. * * @return * {@code this} object. * * @since 2.77 */ public Client setParRequired(boolean required) { this.parRequired = required; return this; } /** * Get the flag indicating whether authorization requests from this client * are always required to utilize a request object by using either * {@code request} or {@code request_uri} request parameter. * *

* If this flag is {@code true} and the service's {@link * Service#isTraditionalRequestObjectProcessingApplied() * isTraditionalRequestObjectProcessingApplied()} returns {@code false}, * authorization requests from this client are processed as if * {@code require_signed_request_object} client metadata of this client is * {@code true}. The metadata is defined in JAR (JWT Secured Authorization * Request). *

* * @return * {@code true} if authorization requests from this client are * always required to utilize a request object. * * @since 2.80 */ public boolean isRequestObjectRequired() { return requestObjectRequired; } /** * Set the flag indicating whether authorization requests from this client * are always required to utilize a request object by using either * {@code request} or {@code request_uri} request parameter. * *

* See the description of {@link #isRequestObjectRequired()} for details. *

* * @param required * {@code true} to require that authorization requests from this * client always utilize a request object. * * @return * {@code this} object. * * @since 2.80 */ public Client setRequestObjectRequired(boolean required) { this.requestObjectRequired = required; return this; } /** * Get attributes. * *

* The feature of "client attributes" is available since Authlete 2.2. *

* * @return * Attributes. * * @since 2.87 */ public Pair[] getAttributes() { return attributes; } /** * Set attributes. * *

* The feature of "client attributes" is available since Authlete 2.2. *

* * @param attributes * Attributes. * * @return * {@code this} object. * * @since 2.87 */ public Client setAttributes(Pair[] attributes) { this.attributes = attributes; return this; } /** * Load attributes from an iterable. * *

* The feature of "client attributes" is available since Authlete 2.2. *

* * @param attributes * Attributes. * * @return * {@code this} object. * * @since 2.89 */ public Client loadAttributes(Iterable attributes) { if (attributes == null) { this.attributes = null; return this; } List list = new ArrayList(); for (Pair attribute : attributes) { if (attribute == null || attribute.getKey() == null) { continue; } list.add(attribute); } int size = list.size(); if (size == 0) { this.attributes = null; return this; } Pair[] array = new Pair[size]; this.attributes = list.toArray(array); return this; } /** * Get the custom client metadata in JSON format. * *

* Standard specifications define client metadata as necessary. * The following are such examples. *

* *
    *
  1. OpenID Connect Dynamic Client Registration 1.0 *
  2. RFC 7591 OAuth 2.0 Dynamic Client Registration Protocol *
  3. RFC 8705 OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens *
  4. OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0 *
  5. RFC 9101 The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR) *
  6. Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) *
  7. RFC 9126 OAuth 2.0 Pushed Authorization Requests *
  8. RFC 9396 OAuth 2.0 Rich Authorization Requests *
* *

* Standard client metadata included in Client Registration Request and * Client Update Request (cf. OIDC * DynReg, RFC * 7591 and RFC 7592) are, if supported by Authlete, set to corresponding * properties of the client application. For example, the value of * the {@code client_name} client metadata in Client Registration/Update * Request is set to the {@code clientName} property. On the other hand, * unrecognized client metadata are discarded. *

* *

* By listing up custom client metadata in advance by using the * {@code supportedCustomClientMetadata} property of {@link Service}, * Authlete can recognize them and stores their values into the database. * The stored custom client metadata values can be referenced by this * method. *

* * @return * Custom client metadata in JSON format. * * @see Service#getSupportedCustomClientMetadata() * * @since 2.93 */ public String getCustomMetadata() { return customMetadata; } /** * Set the custom client metadata in JSON format. * *

* Standard specifications define client metadata as necessary. * The following are such examples. *

* *
    *
  1. OpenID Connect Dynamic Client Registration 1.0 *
  2. RFC 7591 OAuth 2.0 Dynamic Client Registration Protocol *
  3. RFC 8705 OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens *
  4. OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0 *
  5. RFC 9101 The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR) *
  6. Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) *
  7. RFC 9126 OAuth 2.0 Pushed Authorization Requests *
  8. RFC 9396 OAuth 2.0 Rich Authorization Requests *
* *

* Standard client metadata included in Client Registration Request and * Client Update Request (cf. OIDC * DynReg, RFC * 7591 and RFC 7592) are, if supported by Authlete, set to corresponding * properties of the client application. For example, the value of * the {@code client_name} client metadata in Client Registration/Update * Request is set to the {@code clientName} property. On the other hand, * unrecognized client metadata are discarded. *

* *

* By listing up custom client metadata in advance by using the * {@code supportedCustomClientMetadata} property of {@link Service}, * Authlete can recognize them and stores their values into the database. * The stored custom client metadata values can be referenced by * {@link #getCustomMetadata()}. *

* * @param metadata * Custom client metadata in JSON format. * * @return * {@code this} object. * * @see Service#getSupportedCustomClientMetadata() * * @since 2.93 */ public Client setCustomMetadata(String metadata) { this.customMetadata = metadata; return this; } /** * Get the flag indicating whether encryption of request object is required * when the request object is passed through the front channel. * *

* This flag does not affect the processing of request objects at the * Pushed Authorization Request Endpoint, which is defined in RFC 9126 OAuth 2.0 * Pushed Authorization Requests. Unecrypted request objects are * accepted at the endpoint even if this flag is {@code true}. *

* *

* This flag does not indicate whether a request object is always required. * There is a different flag, {@code requestObjectRequired}, for the purpose. * See the description of {@link #isRequestObjectRequired()} for details. *

* *

* Even if this flag is {@code false}, encryption of request object is * required if the {@code Service.frontChannelRequestObjectEncryptionRequired} * flag is {@code true}. *

* * @return * {@code true} if encryption of request object is required when * the request object is passed through the front channel. * * @see #isRequestObjectRequired() * @see Service#isFrontChannelRequestObjectEncryptionRequired() * * @since 2.96 */ public boolean isFrontChannelRequestObjectEncryptionRequired() { return frontChannelRequestObjectEncryptionRequired; } /** * Set the flag indicating whether encryption of request object is required * when the request object is passed through the front channel. * *

* This flag does not affect the processing of request objects at the * Pushed Authorization Request Endpoint, which is defined in RFC 9126 OAuth 2.0 * Pushed Authorization Requests. Unecrypted request objects are * accepted at the endpoint even if this flag is {@code true}. *

* *

* This flag does not indicate whether a request object is always required. * There is a different flag, {@code requestObjectRequired}, for the purpose. * See the description of {@link #isRequestObjectRequired()} for details. *

* *

* Even if this flag is {@code false}, encryption of request object is * required if the {@code Service.frontChannelRequestObjectEncryptionRequired} * flag is {@code true}. *

* * @param required * {@code true} to require that request objects passed through the * front channel be encrypted. * * @return * {@code this} object. * * @see #isRequestObjectRequired() * @see Service#isFrontChannelRequestObjectEncryptionRequired() * * @since 2.96 */ public Client setFrontChannelRequestObjectEncryptionRequired(boolean required) { this.frontChannelRequestObjectEncryptionRequired = required; return this; } /** * Get the flag indicating whether the JWE {@code alg} of encrypted request * object must match the {@code request_object_encryption_alg} client metadata. * *

* The {@code request_object_encryption_alg} client metadata itself is defined * in OpenID Connect Dynamic Client Registration 1.0 as follows. *

* *
*
*
{@code request_object_encryption_alg}
*
*

* OPTIONAL. JWE [JWE] {@code alg} algorithm [JWA] the RP is declaring that * it may use for encrypting Request Objects sent to the OP. This parameter * SHOULD be included when symmetric encryption will be used, since this * signals to the OP that a {@code client_secret} value needs to be returned * from which the symmetric key will be derived, that might not otherwise be * returned. The RP MAY still use other supported encryption algorithms or * send unencrypted Request Objects, even when this parameter is present. * If both signing and encryption are requested, the Request Object will be * signed then encrypted, with the result being a Nested JWT, as defined in * [JWT]. The default, if omitted, is that the RP is not declaring whether * it might encrypt any Request Objects. *

*
*
*
* *

* The point here is "The RP MAY still use other supported encryption * algorithms or send unencrypted Request Objects, even when this parameter * is present." *

* *

* The property that represents the client metadata is * {@code requestEncryptionAlg}. See the description of * {@link #getRequestEncryptionAlg()} for details. *

* *

* Even if this flag is {@code false}, the match is required if the * {@code Service.requestObjectEncryptionAlgMatchRequired} flag is {@code true}. *

* * @return * {@code true} if the JWE {@code alg} of encrypted request object * must match the {@code request_object_encryption_alg} client metadata. * * @see #getRequestEncryptionAlg() * @see Service#isRequestObjectEncryptionAlgMatchRequired() * * @since 2.96 */ public boolean isRequestObjectEncryptionAlgMatchRequired() { return requestObjectEncryptionAlgMatchRequired; } /** * Set the flag indicating whether the JWE {@code alg} of encrypted request * object must match the {@code request_object_encryption_alg} client metadata. * *

* The {@code request_object_encryption_alg} client metadata itself is defined * in OpenID Connect Dynamic Client Registration 1.0 as follows. *

* *
*
*
{@code request_object_encryption_alg}
*
*

* OPTIONAL. JWE [JWE] {@code alg} algorithm [JWA] the RP is declaring that * it may use for encrypting Request Objects sent to the OP. This parameter * SHOULD be included when symmetric encryption will be used, since this * signals to the OP that a {@code client_secret} value needs to be returned * from which the symmetric key will be derived, that might not otherwise be * returned. The RP MAY still use other supported encryption algorithms or * send unencrypted Request Objects, even when this parameter is present. * If both signing and encryption are requested, the Request Object will be * signed then encrypted, with the result being a Nested JWT, as defined in * [JWT]. The default, if omitted, is that the RP is not declaring whether * it might encrypt any Request Objects. *

*
*
*
* *

* The point here is "The RP MAY still use other supported encryption * algorithms or send unencrypted Request Objects, even when this parameter * is present." *

* *

* The property that represents the client metadata is * {@code requestEncryptionAlg}. See the description of * {@link #getRequestEncryptionAlg()} for details. *

* *

* Even if this flag is {@code false}, the match is required if the * {@code Service.requestObjectEncryptionAlgMatchRequired} flag is {@code true}. *

* * @param required * {@code true} to require that the JWE {@code alg} of encrypted * request object match the {@code request_object_encryption_alg} * client metadata. * * @return * {@code this} object. * * @see #getRequestEncryptionAlg() * @see Service#isRequestObjectEncryptionAlgMatchRequired() * * @since 2.96 */ public Client setRequestObjectEncryptionAlgMatchRequired(boolean required) { this.requestObjectEncryptionAlgMatchRequired = required; return this; } /** * Get the flag indicating whether the JWE {@code enc} of encrypted request * object must match the {@code request_object_encryption_enc} client metadata. * *

* The {@code request_object_encryption_enc} client metadata itself is defined * in OpenID Connect Dynamic Client Registration 1.0 as follows. *

* *
*
*
{@code request_object_encryption_enc}
*
*

* OPTIONAL. JWE {@code enc} algorithm [JWA] the RP is declaring that it may * use for encrypting Request Objects sent to the OP. If * {@code request_object_encryption_alg} is specified, the default for this * value is {@code A128CBC-HS256}. When {@code request_object_encryption_enc} * is included, {@code request_object_encryption_alg} MUST also be provided. *

*
*
*
* *

* The property that represents the client metadata is * {@code requestEncryptionEnc}. See the description of * {@link #getRequestEncryptionEnc()} for details. *

* *

* Even if this flag is {@code false}, the match is required if the * {@code Service.requestObjectEncryptionEncMatchRequired} flag is {@code true}. *

* * @return * {@code true} if the JWE {@code enc} of encrypted request object * must match the {@code request_object_encryption_enc} client metadata. * * @see #getRequestEncryptionEnc() * @see Service#isRequestObjectEncryptionEncMatchRequired() * * @since 2.96 */ public boolean isRequestObjectEncryptionEncMatchRequired() { return requestObjectEncryptionEncMatchRequired; } /** * Set the flag indicating whether the JWE {@code enc} of encrypted request * object must match the {@code request_object_encryption_enc} client metadata. * *

* The {@code request_object_encryption_enc} client metadata itself is defined * in OpenID Connect Dynamic Client Registration 1.0 as follows. *

* *
*
*
{@code request_object_encryption_enc}
*
*

* OPTIONAL. JWE {@code enc} algorithm [JWA] the RP is declaring that it may * use for encrypting Request Objects sent to the OP. If * {@code request_object_encryption_alg} is specified, the default for this * value is {@code A128CBC-HS256}. When {@code request_object_encryption_enc} * is included, {@code request_object_encryption_alg} MUST also be provided. *

*
*
*
* *

* The property that represents the client metadata is * {@code requestEncryptionEnc}. See the description of * {@link #getRequestEncryptionEnc()} for details. *

* *

* Even if this flag is {@code false}, the match is required if the * {@code Service.requestObjectEncryptionEncMatchRequired} flag is {@code true}. *

* * @param required * {@code true} to require that the JWE {@code enc} of encrypted * request object match the {@code request_object_encryption_enc} * client metadata. * * @return * {@code this} object. * * @see #getRequestEncryptionEnc() * @see Service#isRequestObjectEncryptionEncMatchRequired() * * @since 2.96 */ public Client setRequestObjectEncryptionEncMatchRequired(boolean required) { this.requestObjectEncryptionEncMatchRequired = required; return this; } /** * Get the digest algorithm that this client requests the server to use * when it computes digest values of external attachments, which may be referenced from within ID tokens * or userinfo responses (or any place that can have the {@code * verified_claims} claim). * *

* Possible values are listed in the Hash Algorithm Registry of IANA (Internet Assigned Numbers Authority), * but the server does not necessarily support all the values there. When * this property is omitted, {@code "sha-256"} is used as the default * algorithm. *

* *

* This property corresponds to the {@code digest_algorithm} client metadata * which was defined by the third implementer's draft of "OpenID Connect for Identity Assurance 1.0". *

* *

* This property is recognized by Authlete 2.3 and newer versions. *

* * @return * The digest algorithm that this client requests the server to use * when it computes digest values of external attachments. * * @since 3.13 * * @see OpenID Connect for Identity Assurance 1.0 * * @see Hash Algorithm Registry */ public String getDigestAlgorithm() { return digestAlgorithm; } /** * Set the digest algorithm that this client requests the server to use * when it computes digest values of external attachments, which may be referenced from within ID tokens * or userinfo responses (or any place that can have the {@code * verified_claims} claim). * *

* Possible values are listed in the Hash Algorithm Registry of IANA (Internet Assigned Numbers Authority), * but the server does not necessarily support all the values there. When * this property is omitted, {@code "sha-256"} is used as the default * algorithm. *

* *

* This property corresponds to the {@code digest_algorithm} client metadata * which was defined by the third implementer's draft of "OpenID Connect for Identity Assurance 1.0". *

* *

* This property is recognized by Authlete 2.3 and newer versions. *

* * @param algorithm * The digest algorithm that this client requests the server to use * when it computes digest values of external attachments. * * @return * {@code this} object. * * @since 3.13 * * @see OpenID Connect for Identity Assurance 1.0 * * @see Hash Algorithm Registry */ public Client setDigestAlgorithm(String algorithm) { this.digestAlgorithm = algorithm; return this; } /** * Get the flag which indicates whether the number of access tokens * per subject (and per client) is at most one or can be more. * *

* If this flag is {@code true}, an attempt to issue a new access * token invalidates existing access tokens associated with the * same subject and the same client. *

* *

* Even if this flag is {@code false}, invalidation of existing access * tokens is executed if the {@code singleAccessTokenPerSubject} * property of the {@link Service} this client application belongs to * is {@code true}. (cf. {@link Service#isSingleAccessTokenPerSubject()}) *

* *

* Note that, however, attempts by Client Credentials Flow do not * invalidate existing access tokens because access tokens issued * by Client Credentials Flow are not associated with any end-user's * subject. Also note that an attempt by Refresh Token Flow * invalidates the coupled access token only and this invalidation * is always performed regardless of whether this flag is {@code * true} or {@code false}. *

* * @return * {@code true} if the number of access tokens per subject * (and per client) is at most one. * * @since 3.25 * @since Authlete 2.3 * * @see Service#isSingleAccessTokenPerSubject() */ public boolean isSingleAccessTokenPerSubject() { return singleAccessTokenPerSubject; } /** * Set the flag which indicates whether the number of access tokens * per subject (and per client) is at most one or can be more. * *

* If {@code true} is set, an attempt to issue a new access token * invalidates existing access tokens associated with the same * subject and the same client. *

* *

* Even if this flag is {@code false}, invalidation of existing access * tokens is executed if the {@code singleAccessTokenPerSubject} * property of the {@link Service} this client application belongs to * is {@code true}. (cf. {@link Service#setSingleAccessTokenPerSubject(boolean)}) *

* *

* Note that, however, attempts by Client Credentials Flow do not * invalidate existing access tokens because access tokens issued * by Client Credentials Flow are not associated with any end-user's * subject. Also note that an attempt by Refresh Token Flow * invalidates the coupled access token only and this invalidation * is always performed regardless of whether this flag is {@code * true} or {@code false}. *

* * @param single * {@code true} to set the maximum number of access tokens * per subject (and per client) to 1. * * @return * {@code this} object. * * @since 3.25 * @since Authlete 2.3 * * @see Service#setSingleAccessTokenPerSubject(boolean) */ public Client setSingleAccessTokenPerSubject(boolean single) { this.singleAccessTokenPerSubject = single; return this; } /** * Get the flag indicating whether PKCE (RFC 7636) is required * whenever this client makes an authorization request by the authorization * code flow. * *

* Note that even if this flag is {@code false}, PKCE is required if * {@link Service#isPkceRequired() Service.pkceRequired} is {@code true}. *

* * @return * {@code true} if PKCE is required whenever this client makes * an authorization request by the authorization code flow. * * @since 3.29 * @since Authlete 2.3 * * @see Service#isPkceRequired() * @see RFC 7636 Proof Key for Code Exchange by OAuth Public Clients */ public boolean isPkceRequired() { return pkceRequired; } /** * Set the flag indicating whether PKCE (RFC 7636) is required * whenever this client makes an authorization request by the authorization * code flow. * *

* Note that even if this flag is {@code false}, PKCE is required if * {@link Service#isPkceRequired() Service.pkceRequired} is {@code true}. *

* * @param required * {@code true} to require PKCE whenever this client makes an * authorization request by the authorization code flow. * * @return * {@code this} object. * * @since 3.29 * @since Authlete 2.3 * * @see Service#setPkceRequired(boolean) * @see RFC 7636 Proof Key for Code Exchange by OAuth Public Clients */ public Client setPkceRequired(boolean required) { this.pkceRequired = required; return this; } /** * Get the flag indicating whether {@code S256} must be used as the code * challenge method whenever this client uses PKCE (RFC 7636). * *

* Note that even if this flag is {@code false}, {@code S256} is required * if {@link Service#isPkceS256Required() Service.pkceS256Required} is * {@code true}. *

* * @return * {@code true} if {@code S256} must be used as the code challenge * method whenever this client uses PKCE. * * @since 3.29 * @since Authlete 2.3 * * @see Service#setPkceS256Required(boolean) * @see RFC 7636 Proof Key for Code Exchange by OAuth Public Clients */ public boolean isPkceS256Required() { return pkceS256Required; } /** * Set the flag indicating whether {@code S256} must be used as the code * challenge method whenever this client uses PKCE (RFC 7636). * * @param required * {@code true} to require {@code S256} as the code challenge * method whenever this client uses PKCE. * * @return * {@code this} object. * * @since 3.29 * @since Authlete 2.3 * * @see Service#setPkceS256Required(boolean) * @see RFC 7636 Proof Key for Code Exchange by OAuth Public Clients */ public Client setPkceS256Required(boolean required) { this.pkceS256Required = required; return this; } /** * Get the entity ID of this client. * *

* This property holds a non-null value only when this client has been * registered by the mechanism defined in OpenID * Federation 1.0. *

* * @return * The entity ID. * * @since 3.33 * @since Authlete 2.3 * * @see OpenID Federation 1.0 */ public URI getEntityId() { return entityId; } /** * Set the entity ID of this client. * *

* This property holds a non-null value only when this client has been * registered by the mechanism defined in OpenID * Federation 1.0. *

* * @param entityId * The entity ID. * * @return * {@code this} object. * * @since 3.33 * @since Authlete 2.3 * * @see OpenID Federation 1.0 */ public Client setEntityId(URI entityId) { this.entityId = entityId; return this; } /** * Get the entity ID of the trust anchor of the trust chain that was used * when this client was registered or updated by the mechanism defined in * OpenID Federation 1.0. * * @return * The entity ID of the trust anchor. * * @since 3.33 * @since Authlete 2.3 * * @see OpenID Federation 1.0 */ public URI getTrustAnchorId() { return trustAnchorId; } /** * Set the entity ID of the trust anchor of the trust chain that was used * when this client was registered or updated by the mechanism defined in * OpenID Federation 1.0. * * @param trustAnchorId * The entity ID of the trust anchor. * * @return * {@code this} object. * * @since 3.33 * @since Authlete 2.3 * * @see OpenID Federation 1.0 */ public Client setTrustAnchorId(URI trustAnchorId) { this.trustAnchorId = trustAnchorId; return this; } /** * Get the trust chain that was used when this client was registered or * updated by the mechanism defined in * OpenID Federation 1.0. * *

* The elements in the array are entity statements that are ordered from * the entity configuration of this client to the entity statement of the * trust anchor. There may be one or more entity statements of intermediate * entities in between. The format of the elements is a signed JWT (JWS). *

* * @return * The trust chain. * * @since 3.33 * @since Authlete 2.3 * * @see OpenID Federation 1.0 */ public String[] getTrustChain() { return trustChain; } /** * Set the trust chain that was used when this client was registered or * updated by the mechanism defined in * OpenID Federation 1.0. * *

* The elements in the array are entity statements that are ordered from * the entity configuration of this client to the entity statement of the * trust anchor. There may be one or more entity statements of intermediate * entities in between. The format of the elements is a signed JWT (JWS). *

* * @param trustChain * The trust chain. * * @return * {@code this} object. * * @since 3.33 * @since Authlete 2.3 * * @see OpenID Federation 1.0 */ public Client setTrustChain(String[] trustChain) { this.trustChain = trustChain; return this; } /** * Get the expiration time of the trust chain that was used when this client * was registered or updated by the mechanism defined in * OpenID Federation 1.0. The value is represented as * milliseconds elapsed since the Unix epoch (1970-01-01). * * @return * The expiration time of the trust chain. * * @since 3.33 * @since Authlete 2.3 * * @see OpenID Federation 1.0 */ public long getTrustChainExpiresAt() { return trustChainExpiresAt; } /** * Set the expiration time of the trust chain that was used when this client * was registered or updated by the mechanism defined in * OpenID Federation 1.0. The value is represented as * milliseconds elapsed since the Unix epoch (1970-01-01). * * @param expiresAt * The expiration time of the trust chain. * * @return * {@code this} object. * * @since 3.33 * @since Authlete 2.3 * * @see OpenID Federation 1.0 */ public Client setTrustChainExpiresAt(long expiresAt) { this.trustChainExpiresAt = expiresAt; return this; } /** * Get the time at which the trust chain was updated by the mechanism defined * in OpenID Federation 1.0. * * @return * The time at which the trust chain was updated. * * @since 3.33 * @since Authlete 2.3 * * @see OpenID Federation 1.0 */ public long getTrustChainUpdatedAt() { return trustChainUpdatedAt; } /** * Set the time at which the trust chain was updated by the mechanism defined * in OpenID Federation 1.0. * * @param updatedAt * The time at which the trust chain was updated. * * @return * {@code this} object. * * @since 3.33 * @since Authlete 2.3 * * @see OpenID Federation 1.0 */ public Client setTrustChainUpdatedAt(long updatedAt) { this.trustChainUpdatedAt = updatedAt; return this; } /** * Get the human-readable name representing the organization that manages * this client. This property corresponds to the {@code organization_name} * client metadata that is defined in OpenID * Federation 1.0. * * @return * The name of the organization that manages this client. * * @since 3.34 * @since Authlete 2.3 * * @see OpenID Federation 1.0 */ public String getOrganizationName() { return organizationName; } /** * Set the human-readable name representing the organization that manages * this client. This property corresponds to the {@code organization_name} * client metadata that is defined in OpenID * Federation 1.0. * * @param name * The name of the organization that manages this client. * * @return * {@code this} object. * * @since 3.34 * @since Authlete 2.3 * * @see OpenID Federation 1.0 */ public Client setOrganizationName(String name) { this.organizationName = name; return this; } /** * Get the URI of the endpoint that returns this client's JWK Set document in * the JWT format. This property corresponds to the {@code signed_jwks_uri} * client metadata defined in OpenID * Federation 1.0. * * @return * The URI of the endpoint that returns this client's JWK Set * document in the JWT format. * * @since 3.34 * @since Authlete 2.3 * * @see OpenID Federation 1.0 */ public URI getSignedJwksUri() { return signedJwksUri; } /** * Set the URI of the endpoint that returns this client's JWK Set document in * the JWT format. This property corresponds to the {@code signed_jwks_uri} * client metadata defined in OpenID * Federation 1.0. * * @param uri * The URI of the endpoint that returns this client's JWK Set * document in the JWT format. * * @return * {@code this} object. * * @since 3.34 * @since Authlete 2.3 * * @see OpenID Federation 1.0 */ public Client setSignedJwksUri(URI uri) { this.signedJwksUri = uri; return this; } /** * Get the client registration types that the client has declared it may use. * *

* This property corresponds to the {@code client_registration_types} client * metadata defined in OpenID * Federation 1.0. *

* * @return * Client registration types. * * @since 3.36 * @since Authlete 2.3 * * @see OpenID Federation 1.0 */ public ClientRegistrationType[] getClientRegistrationTypes() { return clientRegistrationTypes; } /** * Set the client registration types that the client has declared it may use. * *

* This property corresponds to the {@code client_registration_types} client * metadata defined in OpenID * Federation 1.0. *

* * @param types * Client registration types. * * @return * {@code this} object. * * @see OpenID Federation 1.0 */ public Client setClientRegistrationTypes(ClientRegistrationType[] types) { this.clientRegistrationTypes = types; return this; } /** * Get the key ID of the JWK containing the public key used to verify HTTP * message signatures signed by this client. * *

* When an HTTP message signature signed by this client includes the * {@code keyid} parameter (RFC 9421 * HTTP Message Signatures, Section 2.3. Signature Parameters), * the specified key ID is used to identify the public key. If the * parameter is missing, the value of this {@code rsSignedRequestKeyId} * property is referenced as a fallback. If both are missing, HTTP * message signature verification fails. *

* *

* The JWK identified by the key ID must include the {@code alg} property * (RFC * 7518 JSON Web Algorithms (JWA), Section 3.1. "alg" (Algorithm) Header * Parameter Values for JWS). *

* * @return * The key ID of the JWK containing the public key used to verify * HTTP message signatures signed by this client. * * @since 3.39 * @since Authlete 2.3 */ public String getRsSignedRequestKeyId() { return rsSignedRequestKeyId; } /** * Set the key ID of the JWK containing the public key used to verify HTTP * message signatures signed by this client. * *

* When an HTTP message signature signed by this client includes the * {@code keyid} parameter (RFC 9421 * HTTP Message Signatures, Section 2.3. Signature Parameters), * the specified key ID is used to identify the public key. If the * parameter is missing, the value of this {@code rsSignedRequestKeyId} * property is referenced as a fallback. If both are missing, HTTP * message signature verification fails. *

* *

* The JWK identified by the key ID must include the {@code alg} property * (RFC * 7518 JSON Web Algorithms (JWA), Section 3.1. "alg" (Algorithm) Header * Parameter Values for JWS). *

* * @param keyId * The key ID of the JWK containing the public key used to verify * HTTP message signatures signed by this client. * * @return * {@code this} object. * * @since 3.39 * @since Authlete 2.3 */ public Client setRsSignedRequestKeyId(String keyId) { this.rsSignedRequestKeyId = keyId; return this; } /** * Get whether the client is expected to sign requests to the resource server. * If {@code true}, introspection requests and userinfo requests will be checked * for a signature and the signature will be validated against the key identified * by {@link #getRsSignedRequestKeyId()}. * * @return * {@code true} if the client signs requests to the resource server, * {@code false} otherwise. * * @since 3.39 * @since Authlete 2.3 * @deprecated */ @Deprecated public boolean isRsRequestSigned() { return rsRequestSigned; } /** * Set whether the client is expected to sign requests to the resource server. * If {@code true}, introspection requests and userinfo requests will be checked * for a signature and the will be signature validated against the key identified * by {@link #getRsSignedRequestKeyId()}. * * @param signed * {@code true} if the client signs requests to the resource server, * {@code false} otherwise. * * @return * {@code this} object. * * @since 3.39 * @since Authlete 2.3 * @deprecated */ @Deprecated public Client setRsRequestSigned(boolean signed) { this.rsRequestSigned = signed; return this; } /** * Get the flag indicating whether this client was registered by the * "automatic" client registration of OpenID Federation. * * @return * {@code true} if this client was registered by the automatic * client registration. * * @since 3.46 * @since Authlete 2.3 * * @see OpenID Federation 1.0 */ public boolean isAutomaticallyRegistered() { return automaticallyRegistered; } /** * Set the flag indicating whether this client was registered by the * "automatic" client registration of OpenID Federation. * * @param auto * {@code true} to indicate that this client was registered by * the automatic client registration. * * @return * {@code this} object. * * @since 3.46 * @since Authlete 2.3 * * @see OpenID Federation 1.0 */ public Client setAutomaticallyRegistered(boolean auto) { this.automaticallyRegistered = auto; return this; } /** * Get the flag indicating whether this client was registered by the * "explicit" client registration of OpenID Federation. * * @return * {@code true} if this client was registered by the explicit * client registration. * * @since 3.46 * @since Authlete 2.3 * * @see OpenID Federation 1.0 */ public boolean isExplicitlyRegistered() { return explicitlyRegistered; } /** * Set the flag indicating whether this client was registered by the * "explicit" client registration of OpenID Federation. * * @param explicit * {@code true} to indicate that this client was registered by * the explicit client registration. * * @return * {@code this} object. * * @since 3.46 * @since Authlete 2.3 * * @see OpenID Federation 1.0 */ public Client setExplicitlyRegistered(boolean explicit) { this.explicitlyRegistered = explicit; return this; } /** * Set the flag indicating whether this client requires DPoP access tokens. * * @return * {@code true} to indicate that this client requires DPoP access tokens. * * @since 3.49 * @since Authlete 2.3 * * @see RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP) */ public boolean isDpopRequired() { return dpopRequired; } /** * Get the flag indicating whether this client requires DPoP access tokens. * * @param required * {@code true} to indicate that this client requires DPoP access tokens. * * @return * {@code this} object. * * @since 3.49 * @since Authlete 2.3 * * @see RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP) */ public Client setDpopRequired(boolean dpopRequired) { this.dpopRequired = dpopRequired; return this; } /** * Get the URL of the credential offer endpoint at which this client * (wallet) receives a credential offer from the credential issuer. * *

* This property corresponds to the {@code credential_offer_endpoint} * client metadata that is defined in OpenID for Verifiable Credential Issuance. *

* * @return * The URL of the credential offer endpoint. * * @since 3.59 * @since Authlete 3.0 * * @see OpenID for Verifiable Credential Issuance */ public URI getCredentialOfferEndpoint() { return credentialOfferEndpoint; } /** * Set the URL of the credential offer endpoint at which this client * (wallet) receives a credential offer from the credential issuer. * *

* This property corresponds to the {@code credential_offer_endpoint} * client metadata that is defined in OpenID for Verifiable Credential Issuance. *

* * @param endpoint * The URL of the credential offer endpoint. * * @return * {@code this} object. * * @since 3.59 * @since Authlete 3.0 * * @see OpenID for Verifiable Credential Issuance */ public Client setCredentialOfferEndpoint(URI endpoint) { this.credentialOfferEndpoint = endpoint; return this; } /** * Get the flag which indicates whether this client is locked. * * @return * {@code true} if this client is locked. * * @since 3.75 */ public boolean isLocked() { return locked; } /** * Set the flag which indicates whether this client is locked. * * @param locked * {@code true} to indicate that this client is locked. * * @return * {@code this} object. * * @since 3.75 */ public Client setLocked(boolean locked) { this.locked = locked; return this; } /** * Get the FAPI modes for this client. * *

* When the value of this property is not {@code null}, Authlete always processes * requests from this client based on the specified FAPI modes if the FAPI feature * is enabled in Authlete, the {@link ServiceProfile#FAPI FAPI} profile is supported * by the service, and the FAPI modes for the service are set to {@code null}. *

*

* For instance, when this property is set to an array containing {@link * FapiMode#FAPI1_ADVANCED FAPI1_ADVANCED} only, Authlete always processes * requests from this client based on " * Financial-grade API Security Profile 1.0 - Part 2: Advanced" if the FAPI feature * is enabled in Authlete, the {@link ServiceProfile#FAPI FAPI} profile is supported * by the service, and the FAPI modes for the service are set to {@code null}. *

* * @return * The FAPI modes for this client. * * @since 3.80 * @since Authlete 3.0 * * @see Financial-grade API Security Profile 1.0 - Part 2: Advanced */ public FapiMode[] getFapiModes() { return fapiModes; } /** * Set the FAPI modes for this client. * *

* When the value of this property is not {@code null}, Authlete always processes * requests from this client based on the specified FAPI modes if the FAPI feature * is enabled in Authlete, the {@link ServiceProfile#FAPI FAPI} profile is supported * by the service, and the FAPI modes for the service are set to {@code null}. *

*

* For instance, when this property is set to an array containing {@link * FapiMode#FAPI1_ADVANCED FAPI1_ADVANCED} only, Authlete always processes * requests from this client based on " * Financial-grade API Security Profile 1.0 - Part 2: Advanced" if the FAPI feature * is enabled in Authlete, the {@link ServiceProfile#FAPI FAPI} profile is supported * by the service, and the FAPI modes for the service are set to {@code null}. *

* * @param modes * The FAPI modes for this client. * * @return * {@code this} object. * * @since 3.80 * @since Authlete 3.0 * * @see Financial-grade API Security Profile 1.0 - Part 2: Advanced */ public Client setFapiModes(FapiMode[] modes) { this.fapiModes = modes; return this; } /** * Get the flag indicating whether credential responses to this client * must be always encrypted or not. * *

* When this flag is {@code true}, credential requests from this client * must always include encryption-related parameters such as * {@code credential_response_encryption_alg}. *

* *

* Even if this flag is {@code false}, encryption-related parameters * are always required when the service's * {@code credentialIssuerMetadata.requireCredentialResponseEncryption} * property is {@code true}. *

* * @return * {@code true} if credential responses to this client must be * always encrypted. * * @since 3.86 * @since Authlete 3.0 * * @see OpenID for Verifiable Credential Issuance */ public boolean isCredentialResponseEncryptionRequired() { return credentialResponseEncryptionRequired; } /** * Set the flag indicating whether credential responses to this client * must be always encrypted or not. * *

* When this flag is {@code true}, credential requests from this client * must always include encryption-related parameters such as * {@code credential_response_encryption_alg}. *

* *

* Even if this flag is {@code false}, encryption-related parameters * are always required when the service's * {@code credentialIssuerMetadata.requireCredentialResponseEncryption} * property is {@code true}. *

* * @param required * {@code true} to require credential requests from this client * to always include encryption-related parameters such as * {@code credential_response_encryption_alg}. * * @return * {@code this} object. * * @since 3.86 * @since Authlete 3.0 * * @see OpenID for Verifiable Credential Issuance */ public Client setCredentialResponseEncryptionRequired(boolean required) { this.credentialResponseEncryptionRequired = required; return this; } /** * Get a {@code Map} instance that represents a set of standard client * metadata. * *

* This method is an alias of {@link #toStandardMetadata(ClientMetadataControl) * toStandardMetadata}{@code (null)}. *

* * @return * A {@code Map} instance that represents a set of standard client * metadata. */ public Map toStandardMetadata() { return toStandardMetadata(null); } /** * Get the response modes that this client may use. * *

* This property corresponds to the {@code response_modes} client metadata * that is defined in FAPI 2.0 Message Signing, 5.3.3. Client Metadata. *

* * @return * The response modes that this client may use. * * @since 3.92 * @since Authlete 3.0 * * @see FAPI 2.0 Message Signing, 5.3.3. Client Metadata */ public ResponseMode[] getResponseModes() { return responseModes; } /** * Set the response modes that this client may use. * *

* This property corresponds to the {@code response_modes} client metadata * that is defined in FAPI 2.0 Message Signing, 5.3.3. Client Metadata. *

* * @param modes * The response modes that this client may use. * * @return * {@code this} object. * * @since 3.92 * @since Authlete 3.0 * * @see FAPI 2.0 Message Signing, 5.3.3. Client Metadata */ public Client setResponseModes(ResponseMode[] modes) { this.responseModes = modes; return this; } /** * Get the flag indicating whether the client intends to prefer mutual TLS * endpoints over non-MTLS endpoints. * *

* This property corresponds to the {@code use_mtls_endpoint_aliases} client * metadata that is defined in FAPI 2.0 Security Profile, 8.1.1. use_mtls_endpoint_aliases. *

* * @return * The flag indicating whether the client intends to prefer mutual TLS * endpoints over non-MTLS endpoints. * * @since 4.10 * @since Authlete 3.0 * * @see FAPI 2.0 Security Profile, 8.1.1. use_mtls_endpoint_aliases */ public boolean isMtlsEndpointAliasesUsed() { return mtlsEndpointAliasesUsed; } /** * Set the flag indicating whether the client intends to prefer mutual TLS * endpoints over non-MTLS endpoints. * *

* This property corresponds to the {@code use_mtls_endpoint_aliases} client * metadata that is defined in FAPI 2.0 Security Profile, 8.1.1. use_mtls_endpoint_aliases. *

* * @return * The flag indicating whether the client intends to prefer mutual TLS * endpoints over non-MTLS endpoints. * * @since 4.10 * @since Authlete 3.0 * * @see FAPI 2.0 Security Profile, 8.1.1. use_mtls_endpoint_aliases */ public Client setMtlsEndpointAliasesUsed(boolean mtlsEndpointAliasesUsed) { this.mtlsEndpointAliasesUsed = mtlsEndpointAliasesUsed; return this; } /** * Get a {@code Map} instance that represents a set of standard client * metadata. * *

* This method creates a new {@code Map} instance per call. Modifying the * Map instance does not affect this {@link Client} instance. *

* * @param control * Flags to control output of this method. If {@code null} is given, * a new {@link ClientMetadataControl} instance is created and used. * * @return * A {@code Map} instance that represents a set of standard client * metadata. * * @since 3.45 * * @see OpenID Connect Dynamic Client Registration 1.0 * * @see RFC 7591 OAuth 2.0 Dynamic Client Registration Protocol * * @see RFC 8705 OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens * * @see JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) * * @see OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0 * * @see RFC 9396 OAuth 2.0 Rich Authorization Requests * * @see OpenID Connect for Identity Assurance 1.0 * * @see OpenID Federation 1.0 * * @see IANA OAuth Parameters / OAuth Dynamic Client Registration Metadata * * @see OpenID for Verifiable Credential Issuance */ public Map toStandardMetadata(ClientMetadataControl control) { if (control == null) { control = new ClientMetadataControl(); } boolean nullIncluded = control.isNullIncluded(); boolean zeroIncluded = control.isZeroIncluded(); boolean falseIncluded = control.isFalseIncluded(); Map metadata = new LinkedHashMap(); // client_id putClientId(metadata, control); //---------------------------------------------------------------------- // OpenID Connect Dynamic Client Registration 1.0 //---------------------------------------------------------------------- // redirect_uris put(metadata, "redirect_uris", getRedirectUris(), nullIncluded); // response_types put(metadata, "response_types", getResponseTypes(), nullIncluded); // grant_types put(metadata, "grant_types", getGrantTypes(), nullIncluded); // application_type put(metadata, "application_type", getApplicationType(), nullIncluded); // contacts put(metadata, "contacts", getContacts(), nullIncluded); // client_name put(metadata, "client_name", getClientName(), nullIncluded); // client_name#{language-tag} put(metadata, "client_name", getClientNames(), nullIncluded); // logo_uri put(metadata, "logo_uri", getLogoUri(), nullIncluded); // logo_uri#{language-tag} put(metadata, "logo_uri", getLogoUris(), nullIncluded); // client_uri put(metadata, "client_uri", getClientUri(), nullIncluded); // client_uri#{language-tag} put(metadata, "client_uri", getClientUris(), nullIncluded); // policy_uri put(metadata, "policy_uri", getPolicyUri(), nullIncluded); // policy_uri#{language-tag} put(metadata, "policy_uri", getPolicyUris(), nullIncluded); // tos_uri put(metadata, "tos_uri", getTosUri(), nullIncluded); // tos_uri#{language-tag} put(metadata, "tos_uri", getTosUris(), nullIncluded); // jwks_uri put(metadata, "jwks_uri", getJwksUri(), nullIncluded); // jwks putJsonObject(metadata, "jwks", getJwks(), nullIncluded); // sector_identifier_uri put(metadata, "sector_identifier_uri", getSectorIdentifierUri(), nullIncluded); // subject_type put(metadata, "subject_type", getSubjectType(), nullIncluded); // id_token_signed_response_alg put(metadata, "id_token_signed_response_alg", getIdTokenSignAlg(), nullIncluded); // id_token_encrypted_response_alg put(metadata, "id_token_encrypted_response_alg", getIdTokenEncryptionAlg(), nullIncluded); // id_token_encrypted_response_enc put(metadata, "id_token_encrypted_response_enc", getIdTokenEncryptionEnc(), nullIncluded); // userinfo_signed_response_alg put(metadata, "userinfo_signed_response_alg", getUserInfoSignAlg(), nullIncluded); // userinfo_encrypted_response_alg put(metadata, "userinfo_encrypted_response_alg", getUserInfoEncryptionAlg(), nullIncluded); // userinfo_encrypted_response_enc put(metadata, "userinfo_encrypted_response_enc", getUserInfoEncryptionEnc(), nullIncluded); // request_object_signing_alg put(metadata, "request_object_signing_alg", getRequestSignAlg(), nullIncluded); // request_object_encryption_alg put(metadata, "request_object_encryption_alg", getRequestEncryptionAlg(), nullIncluded); // request_object_encryption_enc put(metadata, "request_object_encryption_enc", getRequestEncryptionEnc(), nullIncluded); // token_endpoint_auth_method put(metadata, "token_endpoint_auth_method", getTokenAuthMethod(), nullIncluded); // token_endpoint_auth_signing_alg put(metadata, "token_endpoint_auth_signing_alg", getTokenAuthSignAlg(), nullIncluded); // default_max_age put(metadata, "default_max_age", getDefaultMaxAge(), zeroIncluded); // require_auth_time put(metadata, "require_auth_time", isAuthTimeRequired(), falseIncluded); // default_acr_values put(metadata, "default_acr_values", getDefaultAcrs(), nullIncluded); // initiate_login_uri put(metadata, "initiate_login_uri", getLoginUri(), nullIncluded); // request_uris put(metadata, "request_uris", getRequestUris(), nullIncluded); //---------------------------------------------------------------------- // RFC 7591 OAuth 2.0 Dynamic Client Registration Protocol //---------------------------------------------------------------------- // scope putScope(metadata, control); // software_id put(metadata, "software_id", getSoftwareId(), nullIncluded); // software_version put(metadata, "software_version", getSoftwareVersion(), nullIncluded); // client_secret putClientSecret(metadata, control); // client_id_issued_at putClientIdIssuedAt(metadata, control); //---------------------------------------------------------------------- // RFC 8705 OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens //---------------------------------------------------------------------- // tls_client_auth_subject_dn put(metadata, "tls_client_auth_subject_dn", getTlsClientAuthSubjectDn(), nullIncluded); // tls_client_auth_san_dns put(metadata, "tls_client_auth_san_dns", getTlsClientAuthSanDns(), nullIncluded); // tls_client_auth_san_uri put(metadata, "tls_client_auth_san_uri", getTlsClientAuthSanUri(), nullIncluded); // tls_client_auth_san_ip put(metadata, "tls_client_auth_san_ip", getTlsClientAuthSanIp(), nullIncluded); // tls_client_auth_san_email put(metadata, "tls_client_auth_san_email", getTlsClientAuthSanEmail(), nullIncluded); // tls_client_certificate_bound_access_tokens put(metadata, "tls_client_certificate_bound_access_tokens", isTlsClientCertificateBoundAccessTokens(), falseIncluded); //---------------------------------------------------------------------- // JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) //---------------------------------------------------------------------- // authorization_signed_response_alg put(metadata, "authorization_signed_response_alg", getAuthorizationSignAlg(), nullIncluded); // authorization_encrypted_response_alg put(metadata, "authorization_encrypted_response_alg", getAuthorizationEncryptionAlg(), nullIncluded); // authorization_encrypted_response_enc put(metadata, "authorization_encrypted_response_enc", getAuthorizationEncryptionEnc(), nullIncluded); //---------------------------------------------------------------------- // OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0 //---------------------------------------------------------------------- // backchannel_token_delivery_mode put(metadata, "backchannel_token_delivery_mode", getBcDeliveryMode(), nullIncluded); // backchannel_client_notification_endpoint put(metadata, "backchannel_client_notification_endpoint", getBcNotificationEndpoint(), nullIncluded); // backchannel_authentication_request_signing_alg put(metadata, "backchannel_authentication_request_signing_alg", getBcRequestSignAlg(), nullIncluded); // backchannel_user_code_parameter put(metadata, "backchannel_user_code_parameter", isBcUserCodeRequired(), falseIncluded); //---------------------------------------------------------------------- // OAuth 2.0 Rich Authorization Requests //---------------------------------------------------------------------- // authorization_details_types put(metadata, "authorization_details_types", getAuthorizationDetailsTypes(), nullIncluded); //---------------------------------------------------------------------- // OpenID Connect for Identity Assurance 1.0 //---------------------------------------------------------------------- // digest_algorithm put(metadata, "digest_algorithm", getDigestAlgorithm(), nullIncluded); //---------------------------------------------------------------------- // OpenID Federation 1.0 //---------------------------------------------------------------------- // organization_name put(metadata, "organization_name", getOrganizationName(), nullIncluded); // signed_jwks_uri put(metadata, "signed_jwks_uri", getSignedJwksUri(), nullIncluded); // client_registration_types put(metadata, "client_registration_types", getClientRegistrationTypes(), nullIncluded); //---------------------------------------------------------------------- // OpenID for Verifiable Credential Issuance //---------------------------------------------------------------------- // credential_offer_endpoint put(metadata, "credential_offer_endpoint", getCredentialOfferEndpoint(), nullIncluded); //---------------------------------------------------------------------- // FAPI 2.0 Security Profile, 8.1.1. use_mtls_endpoint_aliases //---------------------------------------------------------------------- // use_mtls_endpoint_aliases put(metadata, "use_mtls_endpoint_aliases", isMtlsEndpointAliasesUsed(), falseIncluded); //---------------------------------------------------------------------- // FAPI 2.0 Message Signing, 5.3.3. Client Metadata //---------------------------------------------------------------------- // response_modes put(metadata, "response_modes", getResponseModes(), nullIncluded); //---------------------------------------------------------------------- // Custom Metadata //---------------------------------------------------------------------- putCustomMetadata(metadata, control); return metadata; } private void putClientId(Map metadata, ClientMetadataControl control) { String value; // If "alias" is preferred, enabled and available. if (control.isAliasPreferred() && isClientIdAliasEnabled() && getClientIdAlias() != null) { // Use the client ID alias as the value of "client_id". value = getClientIdAlias(); } // If "entity ID" is preferred and available. else if (control.isEntityIdPreferred() && getEntityId() != null) { // Use the entity ID as the value of "client_id". value = getEntityId().toString(); } else { // Use the original numeric client ID as the value of "client_id". value = String.valueOf(getClientId()); } metadata.put("client_id", value); } private void putClientSecret(Map metadata, ClientMetadataControl control) { if (!control.isSecretIncluded()) { return; } // The client secret is available only when the client type is "confidential". String value = (getClientType() == ClientType.CONFIDENTIAL) ? getClientSecret() : null; put(metadata, "client_secret", value, control.isNullIncluded()); } private void putClientIdIssuedAt(Map metadata, ClientMetadataControl control) { // Convert milliseconds to seconds. long value = getCreatedAt() / 1000L; put(metadata, "client_id_issued_at", value, control.isZeroIncluded()); } private void putScope(Map metadata, ClientMetadataControl control) { ClientExtension extension = getExtension(); String value = null; // If the "requestable scopes" feature is enabled. if (extension != null && extension.isRequestableScopesEnabled()) { // Concatenate the requestable scopes. value = Utils.join(extension.getRequestableScopes(), " "); } put(metadata, "scope", value, control.isNullIncluded()); } @SuppressWarnings("unchecked") private void putCustomMetadata(Map metadata, ClientMetadataControl control) { if (!control.isCustomIncluded()) { return; } String json = getCustomMetadata(); // If custom metadata are not set. if (json == null) { return; } Map custom; try { // Parse the custom metadata as JSON. custom = Utils.fromJson(json, Map.class); } catch (Exception cause) { // Failed to parse the custom metadata as JSON. return; } // If the result of parsing the custom metadata is unavailable. if (custom == null) { return; } // Merge the custom metadata into the metadata. put(metadata, custom, control); } }




© 2015 - 2025 Weber Informatics LLC | Privacy Policy