Package org.forgerock.oauth.clients.oidc

Class OpenIDConnectClient

java.lang.Object

org.forgerock.oauth.clients.oauth2.OAuth2Client<OpenIDConnectClientConfiguration>

org.forgerock.oauth.clients.oidc.OpenIDConnectClient

All Implemented Interfaces:

OAuthClient

Direct Known Subclasses:

AppleClient

public class OpenIDConnectClient
extends OAuth2Client<OpenIDConnectClientConfiguration>

OpenID Connect Client Implementation that supports the Authorization Code Grant Flow.

Field Summary

Fields

Modifier and Type	Field	Description
static final String	ACR_VALUES	The acr values parameter.
static final String	AUD	Audience identifier.
static final String	CLAIMS	The claims parameter.
static final String	ID_TOKEN	ID Token value associated with the authenticated session.
static final String	NONCE	Opaque value used to mitigate replay attacks.
static final String	REQUEST	Parameter for an authentication request that is passing its parameters by value.
static final String	REQUEST_URI	Parameter for an authentication request that is passing its parameters by reference.
static final String	SUB	Subject identifier.

Fields inherited from class org.forgerock.oauth.clients.oauth2.OAuth2Client

ACCEPT_HEADER, ACCESS_TOKEN, addExpireTime, APPLICATION_JSON, AUTHORIZATION_CODE, AUTHORIZATION_HEADER, BASIC_AUTH, BEARER_TOKEN, CLIENT_ID, CLIENT_SECRET, clock, CODE, DATA, EXPIRE_TIME, EXPIRES_IN, GRANT_TYPE, HTTP_GET, HTTP_POST, httpHandler, LANDING_PAGE, PKCE_CODE_CHALLENGE, PKCE_CODE_CHALLENGE_METHOD, PKCE_CODE_VERIFIER, random, REDIRECT_URI, REFRESH_TOKEN, RESPONSE_MODE, RESPONSE_TYPE, SCOPE, STATE, TOKEN, TOKEN_TYPE, TOKEN_TYPE_HINT

Constructor Summary

Constructors

Constructor	Description
OpenIDConnectClient(Handler httpHandler, OpenIDConnectClientConfiguration config, Clock clock, SecureRandom random)	Constructs an OpenIDConnectClient using a provided Handler and OpenIDConnectClientConfiguration.
OpenIDConnectClient(Handler httpHandler, OpenIDConnectClientConfiguration config, Clock clock, SecureRandom random, OpenIdResolverService resolverService, OpenIdResolverServiceConfigurator serviceConfigurator)	Constructs an OpenIDConnectClient using a provided Handler, OpenIDConnectClientConfiguration, OpenIdResolverService and OpenIdResolverServiceConfigurator.

Method Summary

Modifier and Type	Method	Description
protected Form	buildQuery(String nonce)	Creates the query that will be passed to the request.
protected URI	createAuthRedirectUri(String state, String nonce)	Deprecated. Use createAuthRedirectUri(String, String, String) and specify a PKCE challenge.
protected URI	createAuthRedirectUri(String state, String pkceChallenge, String nonce)	Creates a URI that the user agent will be redirected to for authentication and authorization.
protected URI	createAuthRedirectUri(String state, String pkceChallenge, String nonce, DataStore dataStore)	Creates a URI that the user agent will be redirected to for authentication and authorization.
protected String	createNonce()	Generates a nonce value.
protected final UserInfo	createUserInfoFromIdTokenJwtClaims(JwtClaimsSet jwtClaims)	Creates an OpenIDConnectUserInfo object from id_token jwt Claims.
Promise<URI,OAuthException>	getAuthRedirect(DataStore dataStore, String data, URI landingPage)	Return the URI that the user agent should be redirected to, to authenticate and authorize access.
protected final JwtClaimsSet	getJwtClaimsSet(DataStore dataStore)	Retrieves the claims set from the data store.
protected static final String	getNonce(JsonValue storedData)	Returns the nonce value store in the data store.
Promise<? extends OAuth2SessionInfo,OAuthException>	getSessionInfo(DataStore dataStore)	Validate whether an Auth Server session is still active and valid.
Promise<UserInfo,OAuthException>	getUserInfo(DataStore dataStore)	Return the authenticated user's info from the external authentication server.
Promise<JsonValue,OAuthException>	handleNativePostAuth(Context context, DataStore dataStore, Map<String,List<String>> parameters)	Handle the data produced by the Auth Server as a result of a successful authentication and return the final redirect to the mobile device.
Promise<JsonValue,OAuthException>	handlePostAuth(DataStore dataStore, Map<String,List<String>> requestParameters)	Handle the data produced by the Auth Server as a result of a successful authentication and return the final redirect to the landing page specified in the OAuthClient.getAuthRedirect(DataStore, String, URI) call.
protected static final JsonValue	jwtClaimsAsJsonValue(JwtClaimsSet jwtClaims)	Returns the jwt claims as a JsonValue.
protected final Function<JsonValue,UserInfo,OAuthException>	mapToUserInfo(JwtClaimsSet jwtClaims)	Maps a retrieved raw profile from the user info endpoint to an OpenIDConnectUserInfo object.
protected final Function<JsonValue,JsonValue,OAuthException>	validateSub(DataStore dataStore)	Validates the sub Claim in the UserInfo Response is an exact match to the sub Claim in the ID Token.

Methods inherited from class org.forgerock.oauth.clients.oauth2.OAuth2Client

createAuthorizationState, createAuthRedirectUri, createPkceVerifier, createPostAuthResponse, createPostResponse, createRequestForIntrospectEndpoint, createRequestForTokenEndpoint, createRequestForTokenEndpoint, createRequestForTokenRefresh, createRequestForUserInfoEndpoint, getAccessToken, getAccessTokenInfo, getConfig, getFirstValueOrNull, getTokenEndpointHandler, mapToJsonValue, mapToUserInfo, refresh, storeResponse, throwIfNoClientSecret, validateClientId

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

ACR_VALUES

public static final String ACR_VALUES

The acr values parameter.

See Also:

• Constant Field Values

CLAIMS

public static final String CLAIMS

The claims parameter.

See Also:

• Constant Field Values

ID_TOKEN

public static final String ID_TOKEN

ID Token value associated with the authenticated session.

See Also:

• Constant Field Values

NONCE

public static final String NONCE

Opaque value used to mitigate replay attacks.

See Also:

• Constant Field Values

SUB

public static final String SUB

Subject identifier.

See Also:

• Constant Field Values

AUD

public static final String AUD

Audience identifier.

See Also:

• Constant Field Values

REQUEST_URI

public static final String REQUEST_URI

Parameter for an authentication request that is passing its parameters by reference.

See Also:

• Constant Field Values

REQUEST

public static final String REQUEST

Parameter for an authentication request that is passing its parameters by value.

See Also:

• Constant Field Values

Constructor Details

OpenIDConnectClient

public OpenIDConnectClient(Handler httpHandler,
 OpenIDConnectClientConfiguration config,
 Clock clock,
 SecureRandom random)

Constructs an OpenIDConnectClient using a provided Handler and OpenIDConnectClientConfiguration.

Parameters:

httpHandler - Handler used to make Http calls to auth and resource servers.

config - configuration that will be used to drive oauth flow.

clock - Clock instance

random - SecureRandom.

OpenIDConnectClient

public OpenIDConnectClient(Handler httpHandler,
 OpenIDConnectClientConfiguration config,
 Clock clock,
 SecureRandom random,
 OpenIdResolverService resolverService,
 OpenIdResolverServiceConfigurator serviceConfigurator)

Constructs an OpenIDConnectClient using a provided Handler, OpenIDConnectClientConfiguration, OpenIdResolverService and OpenIdResolverServiceConfigurator.

Parameters:

httpHandler - Handler used to make Http calls to auth and resource servers.

config - configuration that will be used to drive oauth flow.

clock - Clock instance

random - SecureRandom.

resolverService - OpenIdResolverServiceImpl. OpenID resolvers instance that also contains the JwksStoreCache. By providing the same instance of resolvers for every OpenIdConnectClient the same JwksCache will be used.

serviceConfigurator - OpenIdResolverServiceConfigurator.

Method Details

jwtClaimsAsJsonValue

protected static final JsonValue jwtClaimsAsJsonValue(JwtClaimsSet jwtClaims)
                                               throws OAuthException

Returns the jwt claims as a JsonValue.

Parameters:

jwtClaims - jwt claims.

Returns:

jwt claims as a JsonValue.

Throws:

OAuthException - when object mapper error converting jwt claims to Map.

getNonce

protected static final String getNonce(JsonValue storedData)

Returns the nonce value store in the data store.

Parameters:

storedData - the stored authentication and authorization information.

Returns:

nonce

getAuthRedirect

public Promise<URI,OAuthException> getAuthRedirect(DataStore dataStore,
 String data,
 URI landingPage)

Description copied from interface: OAuthClient

Return the URI that the user agent should be redirected to, to authenticate and authorize access.

Specified by:

getAuthRedirect in interface OAuthClient

Overrides:

getAuthRedirect in class OAuth2Client<OpenIDConnectClientConfiguration>

Parameters:

dataStore - The data store that contains information about the OAuth interaction.

data - A value which will be stored in the data store to be returned as part of the final landing page redirect response, this MUST be URI safe.

landingPage - The final page a user agent should be sent following successful authentication.

Returns:

Promise, with a type of URI, suitable for redirecting the user agent for external authentication and authorization and an Promise, with a type of OAuthException, when an error occurs.

handlePostAuth

public Promise<JsonValue,OAuthException> handlePostAuth(DataStore dataStore,
 Map<String,List<String>> requestParameters)

Description copied from interface: OAuthClient

Handle the data produced by the Auth Server as a result of a successful authentication and return the final redirect to the landing page specified in the OAuthClient.getAuthRedirect(DataStore, String, URI) call. Validate the request as secure. The returned JsonValue response will also contain the data passed to OAuthClient.getAuthRedirect(DataStore, String, URI).

Specified by:

handlePostAuth in interface OAuthClient

Overrides:

handlePostAuth in class OAuth2Client<OpenIDConnectClientConfiguration>

Parameters:

dataStore - The data store that contains information about the OAuth interaction.

requestParameters - The request parameters containing the data produced by the external authentication server.

Returns:

Promise, with a type of JsonValue, containing the landing page and the data value that was stored in the data store during the OAuthClient.getAuthRedirect(DataStore, String, URI) call; Promise, with a type of OAuthException, when an error occurs.

handleNativePostAuth

public Promise<JsonValue,OAuthException> handleNativePostAuth(Context context,
 DataStore dataStore,
 Map<String,List<String>> parameters)

Description copied from interface: OAuthClient

Handle the data produced by the Auth Server as a result of a successful authentication and return the final redirect to the mobile device. Validate the request as secure. The returned JsonValue response will also contain the data passed to OAuthClient.getAuthRedirect(DataStore, String, URI).

Specified by:

handleNativePostAuth in interface OAuthClient

Overrides:

handleNativePostAuth in class OAuth2Client<OpenIDConnectClientConfiguration>

Parameters:

context - Context chain used to keep a relationship between requests (tracking)

dataStore - The data store that contains information about the OAuth interaction.

parameters - The parameters containing the data sent by the external mobile device.

Returns:

Promise, with a type of JsonValue, containing the data value that was stored in the data store during the OAuthClient.getAuthRedirect(DataStore, String, URI) call; Promise, with a type of OAuthException, when an error occurs.

getUserInfo

public Promise<UserInfo,OAuthException> getUserInfo(DataStore dataStore)

Description copied from interface: OAuthClient

Return the authenticated user's info from the external authentication server.

Specified by:

getUserInfo in interface OAuthClient

Overrides:

getUserInfo in class OAuth2Client<OpenIDConnectClientConfiguration>

Parameters:

dataStore - The data store that contains information about the OAuth interaction.

Returns:

Promise, with a type of UserInfo, containing the available user info. Promise, with a type of OAuthException, when an error occurs.

getSessionInfo

public Promise<? extends OAuth2SessionInfo,OAuthException> getSessionInfo(DataStore dataStore)

Description copied from interface: OAuthClient

Validate whether an Auth Server session is still active and valid.

Specified by:

getSessionInfo in interface OAuthClient

Overrides:

getSessionInfo in class OAuth2Client<OpenIDConnectClientConfiguration>

Parameters:

dataStore - The data store that contains information about the OAuth interaction.

Returns:

Promise, with a type of SessionInfo, representing information about the session. Promise, with a type of OAuthException, when an error occurs.

validateSub

protected final Function<JsonValue,JsonValue,OAuthException> validateSub(DataStore dataStore)

Validates the sub Claim in the UserInfo Response is an exact match to the sub Claim in the ID Token.

Parameters:

dataStore - data store holding authentication and authorization information.

Returns:

the JsonValue that contained the nonce to inspect;

mapToUserInfo

protected final Function<JsonValue,UserInfo,OAuthException> mapToUserInfo(JwtClaimsSet jwtClaims)

Maps a retrieved raw profile from the user info endpoint to an OpenIDConnectUserInfo object.

Parameters:

jwtClaims - jwt claims from an id_token.

Returns:

the raw profile retrieved as an OpenIDConnectUserInfo object.

createUserInfoFromIdTokenJwtClaims

protected final UserInfo createUserInfoFromIdTokenJwtClaims(JwtClaimsSet jwtClaims)
                                                     throws OAuthException

Creates an OpenIDConnectUserInfo object from id_token jwt Claims.

Parameters:

jwtClaims - jwt claims from an id_token.

Returns:

OpenIDConnectUserInfo object.

Throws:

OAuthException - if error occurs while converting the JwtClaimsSet to JsonValue.

createAuthRedirectUri

protected URI createAuthRedirectUri(String state,
 String pkceChallenge,
 String nonce)

Creates a URI that the user agent will be redirected to for authentication and authorization.

Parameters:

state - opaque value used to prevent CSRF attacks.

pkceChallenge - opaque value used to prevent code interception/injection attacks.

nonce - opaque value used to mitigate replay attacks of an id_token.

Returns:

URI

createAuthRedirectUri

protected URI createAuthRedirectUri(String state,
 String pkceChallenge,
 String nonce,
 DataStore dataStore)
                             throws OAuthException

Creates a URI that the user agent will be redirected to for authentication and authorization.

Parameters:

state - opaque value used to prevent CSRF attacks.

pkceChallenge - opaque value used to prevent code interception/injection attacks.

nonce - opaque value used to mitigate replay attacks of an id_token.

dataStore - The data store that contains information about the OAuth interaction.

Returns:

URI

Throws:

OAuthException - when an error occurs while retrieving the data.

buildQuery

protected Form buildQuery(String nonce)

Creates the query that will be passed to the request. This method is meant to tbe overridden when adding additional fields to the query is necessary.

Parameters:

nonce - opaque value used to mitigate replay attacks of an id_token.

Returns:

the query

createAuthRedirectUri

@Deprecated
protected URI createAuthRedirectUri(String state,
 String nonce)

Deprecated.

Use createAuthRedirectUri(String, String, String) and specify a PKCE challenge.

Creates a URI that the user agent will be redirected to for authentication and authorization.

Overrides:

createAuthRedirectUri in class OAuth2Client<OpenIDConnectClientConfiguration>

Parameters:

state - opaque value used to prevent CSRF attacks.

nonce - opaque value used to mitigate replay attacks of an id_token.

Returns:

URI

createNonce

protected String createNonce()

Generates a nonce value.

Returns:

nonce value.

getJwtClaimsSet

protected final JwtClaimsSet getJwtClaimsSet(DataStore dataStore)
                                      throws OAuthException

Retrieves the claims set from the data store.

Parameters:

dataStore - the data store.

Returns:

JwtClaimSet set of claims authorized by the user.

Throws:

OAuthException - when error occurs while retrieving the claims set.