Package org.forgerock.openig.filter.oauth2.client

Class ClientRegistration

  • public final class ClientRegistration
extends Object
    A configuration for an OpenID Connect Provider. Options: 
     
 {
   "clientId"                        : expression        [REQUIRED]
   "issuer"                          : String / Issuer   [REQUIRED - the issuer name, or its inlined declaration. ]
   "scopes"                          : [ expressions ]   [OPTIONAL - specific scopes to use for this client
                                                                     registration. ]
   "registrationHandler"             : handler           [OPTIONAL - handler to use during client registration to
                                                                     access endpoints that do not require client
                                                                     authentication. As such, this handler should not
                                                                     be configured with a client authentication filter
                                                                     (1). By default this uses the 'ClientHandler'
                                                                     provided in heap. ]
   "authenticatedRegistrationHandler": handler           [OPTIONAL - handler to use during client registration to
                                                                     access endpoints that do require client
                                                                     authentication for the 'clientId'. This handler
                                                                     should be configured with a client authentication
                                                                     filter (1). By default the 'registrationHandler'
                                                                     is reused as-is, with no authentication filter. ]
 }
    1. See ClientSecretBasicAuthenticationFilterHeaplet, ClientSecretPostAuthenticationFilterHeaplet, PrivateKeyJwtClientAuthenticationFilterHeaplet, and EncryptedPrivateKeyJwtClientAuthenticationFilterHeaplet
    Example of use: 
     
 {
     "name": "MyClientRegistration",
     "type": "ClientRegistration",
     "config": {
         "clientId": "OpenIG",
         "scopes": [
             "openid",
             "profile"
         ],
         "issuer": "OpenAM",
         "authenticatedRegistrationHandler": "FRClientHandlerWithClientSecretBASICFilter"
         }
     }
 
 }
    or, with inlined Issuer declaration: 
     
 {
     "name": "MyClientRegistration",
     "type": "ClientRegistration",
     "config": {
         "clientId": "OpenIG",
         "scopes": [
             "openid",
             "profile"
         ],
         "issuer": {
             "name": "myIssuer",
             "type": "Issuer",
             "config": {
                 "wellKnownEndpoint": "http://server.com:8090/openam/oauth2/.well-known/openid-configuration"
             }
         },
         "authenticatedRegistrationHandler": "FRClientHandlerWithClientSecretPOSTFilter"
     }
 }
    or, with inlined 'client_secret_basic' authentication: 
     
 {
     "name": "MyClientRegistration",
     "type": "ClientRegistration",
     "config": {
         "clientId": "OpenIG",
         "scopes": [
             "openid",
             "profile"
         ],
         "issuer": "OpenAM",
         "authenticatedRegistrationHandler": {
             "type": "Chain",
             "config": {
                 "filters": [ {
                     "type": "ClientSecretBasicAuthenticationFilter",
                     "config": {
                         "clientId": "OpenIG",
                         "clientSecretId": "client.secret.id",
                         "secretsProvider" : "SystemAndEnvSecretStore-1"
                     }
                 } ],
                 "handler": "ForgeRockClientHandler"
             }
         }
     }
 }
    The following client authentication configuration is deprecated as of IG 7.2:
    • tokenEndpointAuthMethod: previously, the indicator of the type of client authentication to apply - with default of 'client_secret_basic'.
    • clientSecretId: previously, a label of a Purpose required to read a GenericSecret required to authenticate the client when using authentication method 'client_secret_basic' or 'client_secret_post'.
    • privateKeyJwtSecretId: previously the label of a Purpose identifying the secret used with 'private_key_jwt' authentication.
    • tokenEndpointAuthSigningAlg: previously the signing algorithm used with 'private_key_jwt' authentication - with default of RS256.
    • claims: previously, claims used in 'private_key_jwt' authentication. The "aud" claim would default to the URL of the Authorization Server's Token endpoint.
    • jwtExpirationTimeout: previously, the JWT expiration duration when using 'private_key_jwt' authentication - with a default of 1 minute.
    See Also:
    OpenID Connect Dynamic Client Registration 1.0 , OpenID Client Authentication

    • Constructor Detail

      • ClientRegistration

        public ClientRegistration​(String clientId,
                          String name,
                          List<String> scopes,
                          Issuer issuer,
                          Handler registrationHandler,
                          Handler authenticatedRegistrationHandler)
        Creates a Client Registration.
        Parameters:
        clientId - The ID of this client registration.
        name - The name of this client registration. Can be null. If it is null, the clientId is used.
        scopes - The list of scopes for this client registration, not null.
        issuer - The Issuer of this Client, not null.
        registrationHandler - The handler used to send request to the AS.
        authenticatedRegistrationHandler - The handler used to send request to the AS that require client authentication.

    • Method Detail

      • getName

        public String getName()
        Returns the name of this client registration.
        Returns:
        the name of this client registration.

      • getAccessToken

        public Promise<JsonValue,​OAuth2ErrorException> getAccessToken​(Context context,
                                                                    String code,
                                                                    String callbackUri)
        Exchanges the authorization code for an access token and optional ID token, and then update the session state.
        Parameters:
        context - The current context.
        code - The authorization code.
        callbackUri - The callback URI.
        Returns:
        A promise completed with either the json content of the response if status return code of the response is 200 OK or with an OAuth2ErrorException in case of errors.

      • getClientId

        public String getClientId()
        Returns the client ID of this client registration.
        Returns:
        the client ID.

      • getIssuer

        public Issuer getIssuer()
        Returns the Issuer for this client registration.
        Returns:
        the Issuer for this client registration.

      • refreshAccessToken

        public Promise<JsonValue,​OAuth2ErrorException> refreshAccessToken​(Context context,
                                                                        org.forgerock.openig.filter.oauth2.client.OAuth2Session session)
        Refreshes the actual access token, making a refresh request to the token end-point.
        Parameters:
        context - The current context.
        session - The current session.
        Returns:
        A promise completed either with the JSON content of the response if status return code of the response is 200 OK, or with an OAuth2ErrorException if an error occurs when contacting the authorization server or if the returned response status code is different than 200 OK.

      • getScopes

        public List<String> getScopes()
        Returns the list of scopes of this client registration.
        Returns:
        the the list of scopes of this client registration.

      • getUserInfo

        public Promise<JsonValue,​OAuth2ErrorException> getUserInfo​(Context context,
                                                                 org.forgerock.openig.filter.oauth2.client.OAuth2Session session)
        Returns a Promise completed either with the json value of the user info obtained from the authorization server if the response from the authorization server has a status code of 200, or with an exception, meaning the access token may have expired.
        Parameters:
        context - The current context.
        session - The current session to use.
        Returns:
        A promise completed either with a JsonValue containing the requested user info, or with an OAuth2ErrorException if an error occurs when contacting the authorization server or if the returned response status code is different than 200 OK (That may signify that the access token has expired).