All Downloads are FREE. Search and download functionalities are using the official Maven repository.

com.nimbusds.openid.connect.sdk.AuthenticationSuccessResponse Maven / Gradle / Ivy

Go to download

OAuth 2.0 SDK with OpenID Connection extensions for developing client and server applications.

There is a newer version: 11.20.1
Show newest version
/*
 * oauth2-oidc-sdk
 *
 * Copyright 2012-2016, Connect2id Ltd and contributors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
 * this file except in compliance with the License. You may obtain a copy of the
 * License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software distributed
 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 * CONDITIONS OF ANY KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations under the License.
 */

package com.nimbusds.openid.connect.sdk;


import java.net.URI;
import java.util.Collections;
import java.util.List;
import java.util.Map;

import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.oauth2.sdk.*;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.http.HTTPResponse;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.oauth2.sdk.id.State;
import com.nimbusds.oauth2.sdk.token.AccessToken;
import com.nimbusds.oauth2.sdk.util.MultivaluedMapUtils;
import com.nimbusds.oauth2.sdk.util.StringUtils;
import com.nimbusds.oauth2.sdk.util.URIUtils;
import net.jcip.annotations.Immutable;


/**
 * OpenID Connect authentication success response. Used to return an
 * authorisation code, access token and / or ID Token at the Authorisation
 * endpoint.
 *
 * 

Example HTTP response with code and ID Token (code flow): * *

 * HTTP/1.1 302 Found
 * Location: https://client.example.org/cb#
 * code=Qcb0Orv1zh30vL1MPRsbm-diHiMwcLyZvn1arpZv-Jxf_11jnpEX3Tgfvk
 * &id_token=eyJhbGciOiJSUzI1NiJ9.ew0KICAgICJpc3MiOiAiaHR0cDovL3Nlc
 * nZlci5leGFtcGxlLmNvbSIsDQogICAgInVzZXJfaWQiOiAiMjQ4Mjg5NzYxMDAxI
 * iwNCiAgICAiYXVkIjogInM2QmhkUmtxdDMiLA0KICAgICJub25jZSI6ICJuLTBTN
 * l9XekEyTWoiLA0KICAgICJleHAiOiAxMzExMjgxOTcwLA0KICAgICJpYXQiOiAxM
 * zExMjgwOTcwLA0KICAgICJjX2hhc2giOiAiTERrdEtkb1FhazNQazBjblh4Q2x0Q
 * mdfckNfM1RLVWI5T0xrNWZLTzl1QSINCn0.D6JxCgpOwlyuK7DPRu5hFOIJRSRDT
 * B7TQNRbOw9Vg9WroDi_XNzaqXCFSDH_YqcE-CBhoxD-Iq4eQL4E2jIjil47u7i68
 * Nheev7d8AJk4wfRimgpDhQX5K8YyGDWrTs7bhsMTPAPVa9bLIBndDZ2mEdmPcmR9
 * mXcwJI3IGF9JOaStYXJXMYWUMCmQARZEKG9JxIYPZNhFsqKe4TYQEmrq2s_HHQwk
 * XCGAmLBdptHY-Zx277qtidojQQFXzbD2Ak1ONT5sFjy3yxPnE87pNVtOEST5GJac
 * O1O88gmvmjNayu1-f5mr5Uc70QC6DjlKem3cUN5kudAQ4sLvFkUr8gkIQ
 * 
* *

Related specifications: * *

    *
  • OpenID Connect Core 1.0, section 3.1.2.5, 3.1.2.6, 3.2.2.5, 3.2.2.6, * 3.3.2.5 and 3.3.2.6 *
  • OpenID Connect Session Management 1.0 - draft 23, section 3 *
  • OAuth 2.0 (RFC 6749), section 3.1 *
  • OAuth 2.0 Multiple Response Type Encoding Practices 1.0 *
  • OAuth 2.0 Form Post Response Mode 1.0 *
  • Financial-grade API: JWT Secured Authorization Response Mode for * OAuth 2.0 (JARM) *
  • OAuth 2.0 Authorization Server Issuer Identification (RFC 9207) *
*/ @Immutable public class AuthenticationSuccessResponse extends AuthorizationSuccessResponse implements AuthenticationResponse { /** * The ID token, if requested. */ private final JWT idToken; /** * The session state, required if session management is supported. */ private final State sessionState; /** * Creates a new OpenID Connect authentication success response. * * @param redirectURI The requested redirection URI. Must not be * {@code null}. * @param code The authorisation code, {@code null} if not * requested. * @param idToken The ID token (ready for output), {@code null} if * not requested. * @param accessToken The UserInfo access token, {@code null} if not * requested. * @param state The state, {@code null} if not requested. * @param sessionState The session state, {@code null} if session * management is not supported. * @param rm The response mode, {@code null} if not * specified. */ public AuthenticationSuccessResponse(final URI redirectURI, final AuthorizationCode code, final JWT idToken, final AccessToken accessToken, final State state, final State sessionState, final ResponseMode rm) { this(redirectURI, code, idToken, accessToken, state, sessionState, null, rm); } /** * Creates a new OpenID Connect authentication success response. * * @param redirectURI The requested redirection URI. Must not be * {@code null}. * @param code The authorisation code, {@code null} if not * requested. * @param idToken The ID token (ready for output), {@code null} if * not requested. * @param accessToken The UserInfo access token, {@code null} if not * requested. * @param state The state, {@code null} if not requested. * @param sessionState The session state, {@code null} if session * management is not supported. * @param rm The response mode, {@code null} if not * specified. */ public AuthenticationSuccessResponse(final URI redirectURI, final AuthorizationCode code, final JWT idToken, final AccessToken accessToken, final State state, final State sessionState, final Issuer issuer, final ResponseMode rm) { super(redirectURI, code, accessToken, state, issuer, rm); this.idToken = idToken; this.sessionState = sessionState; } /** * Creates a new JSON Web Token (JWT) secured OpenID Connect * authentication success response. * * @param redirectURI The requested redirection URI. Must not be * {@code null}. * @param jwtResponse The JWT-secured response. Must not be * {@code null}. * @param rm The response mode, {@code null} if not specified. */ public AuthenticationSuccessResponse(final URI redirectURI, final JWT jwtResponse, final ResponseMode rm) { super(redirectURI, jwtResponse, rm); idToken = null; sessionState = null; } @Override public ResponseType impliedResponseType() { ResponseType rt = new ResponseType(); if (getAuthorizationCode() != null) { rt.add(ResponseType.Value.CODE); } if (getIDToken() != null) { rt.add(OIDCResponseTypeValue.ID_TOKEN); } if (getAccessToken() != null) { rt.add(ResponseType.Value.TOKEN); } return rt; } @Override public ResponseMode impliedResponseMode() { if (getResponseMode() != null) { return getResponseMode(); } else { if (getJWTResponse() != null) { // JARM return ResponseMode.JWT; } else if (getAccessToken() != null || getIDToken() != null) { return ResponseMode.FRAGMENT; } else { return ResponseMode.QUERY; } } } /** * Gets the requested ID token. * * @return The ID token (ready for output), {@code null} if not * requested. */ public JWT getIDToken() { return idToken; } /** * Gets the session state for session management. * * @return The session store, {@code null} if session management is not * supported. */ public State getSessionState() { return sessionState; } @Override public Map> toParameters() { Map> params = super.toParameters(); if (getJWTResponse() != null) { // JARM, no other top-level parameters return params; } if (idToken != null) { try { params.put("id_token", Collections.singletonList(idToken.serialize())); } catch (IllegalStateException e) { throw new SerializeException("Couldn't serialize ID token: " + e.getMessage(), e); } } if (sessionState != null) { params.put("session_state", Collections.singletonList(sessionState.getValue())); } return params; } @Override public AuthenticationSuccessResponse toSuccessResponse() { return this; } @Override public AuthenticationErrorResponse toErrorResponse() { throw new ClassCastException("Cannot cast to AuthenticationErrorResponse"); } /** * Parses an OpenID Connect authentication success response. * * @param redirectURI The base redirection URI. Must not be * {@code null}. * @param params The response parameters to parse. Must not be * {@code null}. * * @return The OpenID Connect authentication success response. * * @throws ParseException If the parameters couldn't be parsed to an * OpenID Connect authentication success * response. */ public static AuthenticationSuccessResponse parse(final URI redirectURI, final Map> params) throws ParseException { AuthorizationSuccessResponse asr = AuthorizationSuccessResponse.parse(redirectURI, params); // JARM, ignore other top level params if (asr.getJWTResponse() != null) { return new AuthenticationSuccessResponse(redirectURI, asr.getJWTResponse(), asr.getResponseMode()); } // Parse id_token parameter String idTokenString = MultivaluedMapUtils.getFirstValue(params, "id_token"); JWT idToken = null; if (idTokenString != null) { try { idToken = JWTParser.parse(idTokenString); } catch (java.text.ParseException e) { throw new ParseException("Invalid ID Token JWT: " + e.getMessage(), e); } } // Parse the optional session_state parameter State sessionState = null; if (StringUtils.isNotBlank(MultivaluedMapUtils.getFirstValue(params, "session_state"))) { sessionState = new State(MultivaluedMapUtils.getFirstValue(params, "session_state")); } return new AuthenticationSuccessResponse(redirectURI, asr.getAuthorizationCode(), idToken, asr.getAccessToken(), asr.getState(), sessionState, asr.getIssuer(), null); } /** * Parses an OpenID Connect authentication success response. * *

Use a relative URI if the host, port and path details are not * known: * *

	 * URI relUrl = new URI("https:///?code=Qcb0Orv1...&state=af0ifjsldkj");
	 * 
* *

Example URI: * *

	 * https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz
	 * 
* * @param uri The URI to parse. Can be absolute or relative, with a * fragment or query string containing the authentication * response parameters. Must not be {@code null}. * * @return The OpenID Connect authentication success response. * * @throws ParseException If the redirection URI couldn't be parsed to * an OpenID Connect authentication success * response. */ public static AuthenticationSuccessResponse parse(final URI uri) throws ParseException { return parse(URIUtils.getBaseURI(uri), parseResponseParameters(uri)); } /** * Parses an OpenID Connect authentication success response from the * specified initial HTTP 302 redirect response generated at the * authorisation endpoint. * *

Example HTTP response: * *

	 * HTTP/1.1 302 Found
	 * Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz
	 * 
* * @see #parse(HTTPRequest) * * @param httpResponse The HTTP response to parse. Must not be * {@code null}. * * @return The OpenID Connect authentication success response. * * @throws ParseException If the HTTP response couldn't be parsed to an * OpenID Connect authentication success * response. */ public static AuthenticationSuccessResponse parse(final HTTPResponse httpResponse) throws ParseException { URI location = httpResponse.getLocation(); if (location == null) throw new ParseException("Missing redirection URI / HTTP Location header"); return parse(location); } /** * Parses an OpenID Connect authentication success response from the * specified HTTP request at the client redirection (callback) URI. * Applies to {@code query}, {@code fragment} and {@code form_post} * response modes. * *

Example HTTP request (authentication success): * *

	 * GET /cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz HTTP/1.1
	 * Host: client.example.com
	 * 
* * @see #parse(HTTPResponse) * * @param httpRequest The HTTP request to parse. Must not be * {@code null}. * * @return The authentication success response. * * @throws ParseException If the HTTP request couldn't be parsed to an * OpenID Connect authentication success * response. */ public static AuthenticationSuccessResponse parse(final HTTPRequest httpRequest) throws ParseException { return parse(httpRequest.getURI(), parseResponseParameters(httpRequest)); } }




© 2015 - 2024 Weber Informatics LLC | Privacy Policy