
com.nimbusds.openid.connect.provider.spi.tokens.introspection.BaseTokenIntrospectionResponseComposer Maven / Gradle / Ivy

SDK for Connect2id Server extensions, such as OpenID Connect claims sources and OAuth 2.0 grant handlers

There is a newer version: 5.8

package com.nimbusds.openid.connect.provider.spi.tokens.introspection;


import java.sql.Date;

import net.jcip.annotations.ThreadSafe;

import com.nimbusds.oauth2.sdk.TokenIntrospectionSuccessResponse;
import com.nimbusds.oauth2.sdk.token.AccessTokenType;
import com.nimbusds.openid.connect.provider.spi.tokens.AccessTokenAuthorization;


/**
 * Base implementation of the SPI for composing token introspection (RFC 7662)
 * responses.
 *
 * <p>Outputs the introspection details specified in:
 *
 * <ul>
 *     <li>OAuth 2.0 Token Introspection (RFC 7662), section 2.2;
 *     <li>OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound
 *         Access Tokens (RFC 8705), section 3.2;
 *     <li>OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer
 *         (DPoP) (draft-ietf-oauth-dpop-16), section 6.
 * </ul>
 *
 * <p>Parameters:
 *
 * <ul>
 *     <li>"active"
 *     <li>"scope"
 *     <li>"client_id"
 *     <li>"token_type"
 *     <li>"exp"
 *     <li>"iat"
 *     <li>"sub"
 *     <li>"aud"
 *     <li>"iss"
 *     <li>"jti"
 *     <li>"cnf.x5t#S256"
 *     <li>"cnf.jkt"
 * </ul>
 *
 * <p>The following non-standard access token parameters are not output by this
 * base implementation:
 *
 * <ul>
 *     <li>{@link AccessTokenAuthorization#getClaimNames() consented OpenID claim names}
 *     <li>{@link AccessTokenAuthorization#getClaimsLocales() preferred claims locales}
 *     <li>{@link AccessTokenAuthorization#getClaimsData() claims fulfilment data}
 *     <li>{@link AccessTokenAuthorization#getPresetClaims() preset OpenID claims}
 *     <li>{@link AccessTokenAuthorization#getSubjectSessionKey() subject session key}
 *     <li>{@link AccessTokenAuthorization#getActor() actor, in impersonation and delegation scenarios}
 *     <li>{@link AccessTokenAuthorization#getData() additional data}
 *     <li>{@link AccessTokenAuthorization#getOtherTopLevelParameters() custom top-level parameters}
 * </ul>
 *
 * <p>The extending class may implement output of the above non-standard
 * parameters. It may also choose not to output parameters if they are not
 * required by the client (resource server), e.g. for privacy and data
 * minimisation purposes.
 */
@ThreadSafe
public abstract class BaseTokenIntrospectionResponseComposer implements TokenIntrospectionResponseComposer {


    @Override
    public TokenIntrospectionSuccessResponse compose(final AccessTokenAuthorization tokenAuthz,
                                                     final TokenIntrospectionContext context) {

        if (tokenAuthz == null) {
            // Access token was found invalid or expired
            return new TokenIntrospectionSuccessResponse.Builder(false)
                .build();
        }

        // A JWK thumbprint confirmation (cnf.jkt) marks the token as DPoP-bound
        AccessTokenType tokenType = tokenAuthz.getJWKThumbprintConfirmation() != null ?
            AccessTokenType.DPOP : AccessTokenType.BEARER;

        // Standard RFC 7662 parameters
        TokenIntrospectionSuccessResponse.Builder builder =
            new TokenIntrospectionSuccessResponse.Builder(true)
                .tokenType(tokenType)
                .subject(tokenAuthz.getSubject())
                .clientID(tokenAuthz.getClientID())
                .scope(tokenAuthz.getScope())
                .expirationTime(tokenAuthz.getExpirationTime() != null ?
                    Date.from(tokenAuthz.getExpirationTime()) : null)
                .issueTime(tokenAuthz.getIssueTime() != null ?
                    Date.from(tokenAuthz.getIssueTime()) : null)
                .issuer(tokenAuthz.getIssuer())
                .audience(tokenAuthz.getAudienceList())
                .jwtID(tokenAuthz.getJWTID());

        // Client certificate binding (RFC 8705), output as cnf.x5t#S256
        if (tokenAuthz.getClientCertificateConfirmation() != null) {
            builder = builder.x509CertificateConfirmation(tokenAuthz.getClientCertificateConfirmation());
        }

        // DPoP key binding, output as cnf.jkt
        if (tokenAuthz.getJWKThumbprintConfirmation() != null) {
            builder = builder.jwkThumbprintConfirmation(tokenAuthz.getJWKThumbprintConfirmation());
        }

        return builder.build();
    }
}
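
The Javadoc above notes that an extending class may drop parameters for data minimisation and may add the non-standard ones. The following is an added example, not part of the SDK: the class name, package and the "dat" parameter name are assumptions, and `Builder.parameter(String, Object)` comes from the Nimbus OAuth 2.0 SDK rather than from the code on this page.

```java
package com.example.introspection; // hypothetical package
import java.util.Date;
import net.jcip.annotations.ThreadSafe;
import com.nimbusds.oauth2.sdk.TokenIntrospectionSuccessResponse;
import com.nimbusds.oauth2.sdk.token.AccessTokenType;
import com.nimbusds.openid.connect.provider.spi.tokens.AccessTokenAuthorization;
import com.nimbusds.openid.connect.provider.spi.tokens.introspection.BaseTokenIntrospectionResponseComposer;
import com.nimbusds.openid.connect.provider.spi.tokens.introspection.TokenIntrospectionContext;

/** Hypothetical composer: returns only what a resource server needs to authorise a request. */
@ThreadSafe
public class MinimalIntrospectionResponseComposer extends BaseTokenIntrospectionResponseComposer {
    @Override
    public TokenIntrospectionSuccessResponse compose(final AccessTokenAuthorization tokenAuthz,
                                                     final TokenIntrospectionContext context) {
        if (tokenAuthz == null) {
            // Invalid or expired token: reuse the base class's {"active":false} response
            return super.compose(tokenAuthz, context);
        }
        // Keep the DPoP / Bearer distinction so the resource server applies the right scheme
        AccessTokenType tokenType = tokenAuthz.getJWKThumbprintConfirmation() != null ?
            AccessTokenType.DPOP : AccessTokenType.BEARER;
        // Data minimisation: "client_id", "iat", "iss" and "jti" are left out
        TokenIntrospectionSuccessResponse.Builder builder =
            new TokenIntrospectionSuccessResponse.Builder(true)
                .tokenType(tokenType)
                .subject(tokenAuthz.getSubject())
                .scope(tokenAuthz.getScope())
                .expirationTime(tokenAuthz.getExpirationTime() != null ?
                    Date.from(tokenAuthz.getExpirationTime()) : null)
                .audience(tokenAuthz.getAudienceList());
        // Never drop the "cnf" members: without them the resource server cannot
        // check that a certificate-bound or DPoP-bound token is presented by its holder
        if (tokenAuthz.getClientCertificateConfirmation() != null) {
            builder = builder.x509CertificateConfirmation(tokenAuthz.getClientCertificateConfirmation());
        }
        if (tokenAuthz.getJWKThumbprintConfirmation() != null) {
            builder = builder.jwkThumbprintConfirmation(tokenAuthz.getJWKThumbprintConfirmation());
        }
        // One non-standard parameter the base class omits; "dat" is an assumed name
        Object data = tokenAuthz.getData();
        if (data != null) {
            builder = builder.parameter("dat", data);
        }
        return builder.build();
    }
}
```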




