Package com.authlete.common.dto

Class BackchannelAuthenticationResponse

  • All Implemented Interfaces:
    Serializable
    public class BackchannelAuthenticationResponse
extends ApiResponse
    Response from Authlete's /api/backchannel/authentication API.

    Authlete's /api/backchannel/authentication API returns JSON which can be mapped to this class. The authorization server implementation should retrieve the value of action from the response and take the following steps according to the value.

    BAD_REQUEST

    When the value of action is BAD_REQUEST, it means that the backchannel authentication request from the client application was wrong.

    The authorization server implementation should generate a response to the client application with 400 Bad Request and application/json.

    The getResponseContent() method returns a JSON string which describes the error, so it can be used as the entity body of the response.

    The following illustrates the response which the authorization server implementation should generate and return to the client application. 

     HTTP/1.1 400 Bad Request
 Content-Type: application/json
 Cache-Control: no-store
 Pragma: no-cache

 (The value returned from getResponseContent())

    UNAUTHORIZED

    When the value of action is UNAUTHORIZED, it means that client authentication of the backchannel authentication request failed. Note that client authentication is always required at the backchannel authentication endpoint. This implies that public clients are not allowed to use the backchannel authentication endpoint.

    The authorization server implementation should generate a response to the client application with 401 Unauthorized and application/json.

    The getResponseContent() method returns a JSON string which describes the error, so it can be used as the entity body of the response.

    The following illustrates the response which the authorization server implementation should generate and return to the client application. 

     HTTP/1.1 401 Unauthorized
 WWW-Authenticate: (challenge)
 Content-Type: application/json
 Cache-Control: no-store
 Pragma: no-cache

 (The value returned from getResponseContent())

    INTERNAL_SERVER_ERROR

    When the value of action is INTERNAL_SERVER_ERROR, it means that the API call from the authorization server implementation was wrong or that an error occurred in Authlete.

    In either case, from a viewpoint of the client application, it is an error on the server side. Therefore, the authorization server implementation should generate a response to the client application with 500 Internal Server Error and application/json.

    The getResponseContent() method returns a JSON string which describes the error, so it can be used as the entity body of the response.

    The following illustrates the response which the authorization server implementation should generate and return to the client application. 

     HTTP/1.1 500 Internal Server Error
 Content-Type: application/json
 Cache-Control: no-store
 Pragma: no-cache

 (The value returned from getResponseContent())

    USER_IDENTIFICATION

    When the value of action is USER_IDENTIFICATION, it means that the backchannel authentication request from the client application is valid. The authorization server implementation has to follow the steps below.

    1. [END-USER IDENTIFICATION]


      The first step is to determine the subject (= unique identifier) of the end-user from whom the client application wants to get authorization.


      According to the CIBA specification, a backchannel authentication request contains one (and only one) of the login_hint_token, id_token_hint and login_hint request parameters as a hint by which the authorization server identifies the subject of an end-user.


      The authorization server implementation can know which hint is included in the backchannel authentication request by calling the getHintType() method. The method returns a UserIdentificationHintType instance that indicates which hint is included. For example, when the method returns LOGIN_HINT, it means that the backchannel authentication request contains the login_hint request parameter as a hint.


      The getHint() method returns the value of the hint. For example, when the getHintType() method returns LOGIN_HINT, the getHint() method returns the value of the login_hint request parameter.


      It is up to the authorization server implementation how to determine the subject of the end-user from the hint. There are few things Authlete can help. Only one thing Authlete can do is to let the getSub() method return the value of the sub claim in the id_token_hint request parameter when the request parameter is used.



    2. [END-USER IDENTIFICATION ERROR]


      There are some cases where the authorization server implementation encounters an error during the user identification process. In any error case, the authorization server implementation has to return an HTTP response with the error response parameter to the client application. The following is an example of such error responses. 


       HTTP/1.1 400 Bad Request
 Content-Type: application/json
 Cache-Control: no-store
 Pragma: no-cache

 {"error":"unknown_user_id"}

      Authlete provides /api/backchannel/authentication/fail API that builds the response body (JSON) of an error response. However, because it is easy to build an error response manually, you may choose not to call the API. One good thing in using the API is that the API call can trigger deletion of the ticket which has been issued from Authlete's /api/backchannel/authentication API. If you don't call /api/backchannel/authentication/fail API, the ticket will continue to exist in the database until it is cleaned up by the batch program after the ticket expires.


      Possible error cases that the authorization server implementation itself has to handle are as follows. Other error cases have already been covered by /api/backchannel/authentication API.


      error description
      expired_login_hint_token

      The authorization server implementation detected that the hint presented by the login_hint_token request parameter has expired.


      Note that the format of login_hint_token is not described in the CIBA Core spec at all and so there is no consensus on how to detect expiration of login_hint_token. Interpretation of login_hint_token is left to each authorization server implementation.

      unknown_user_id

      The authorization server implementation could not determine the subject of the end-user by the presented hint.

      unauthorized_client

      The authorization server implementation has custom rules to reject backchannel authentication requests from some particular clients and found that the client which has made the backchannel authentication request is one of the particular clients.


      Note that /api/backchannel/authentication API does not return action=USER_IDENTIFICATION in cases where the client does not exist or client authentication has failed. Therefore, the authorization server implementation will never have to use the error code unauthorized_client unless the server has intentionally implemented custom rules to reject backchannel authentication requests based on clients.

      missing_user_code

      The authorization server implementation has custom rules to require that a backchannel authentication request include a user code for some particular users and found that the user identified by the hint is one of the particular users.


      Note that /api/backchannel/authentication API does not return action=USER_IDENTIFICATION when both the backchannel_user_code_parameter_supported metadata of the server and the backchannel_user_code_parameter metadata of the client are true and the backchannel authentication request does not include the user_code request parameter. In this case, /api/backchannel/authentication API returns action=BAD_REQUEST with JSON containing "error":"missing_user_code". Therefore, the authorization server implementation will never have to use the error code missing_user_code unless the server has intentionally implemented custom rules to require a user code based on users even in the case where the backchannel_user_code_parameter metadata of the client which has made the backchannel authentication request is false.

      invalid_user_code

      The authorization server implementation detected that the presented user code is invalid.


      Note that the format of user_code is not described in the CIBA Core spec at all and so there is no consensus on how to judge whether a user code is valid or not. It is up to each authorization server implementation how to handle user codes.

      invalid_binding_message

      The authorization server implementation detected that the presented binding message is invalid.


      Note that the format of binding_message is not described in the CIBA Core spec at all and so there is no consensus on how to judge whether a binding message is valid or not. It is up to each authorization server implementation how to handle binding messages.

      invalid_target

      The authorization server implementation rejects the requested target resources.


      The error code "invalid_target" is from "Resource Indicators for OAuth 2.0". The specification defines the "resource" request parameter. By using the parameter, client applications can request target resources that should be bound to the access token being issued. If the authorization server wants to reject the request, call /api/backchannel/authentication/fail API with INVALID_TARGET.


      Note that "Resource Indicators for OAuth 2.0" is supported since Authlete 2.2. Older versions don't recognize the resource request parameter, so getResources() always returns null if the Authlete server you are using is older than 2.2.

      access_denined

      The authorization server implementation has custom rules to reject backchannel authentication requests without asking the end-user and respond to the client as if the end-user had rejected the request in some particular cases and found that the backchannel authentication request is one of the particular cases.


      The authorization server implementation will never have to use the error code access_denied at this timing unless the server has intentionally implemented custom rules to reject backchannel authentication requests without asking the end-user and respond to the client as if the end-user had rejected the request.



    3. [AUTH_REQ_ID ISSUE]


      If the authorization server implementation has successfully determined the subject of the end-user, the next action is to return an HTTP response to the client application which contains auth_req_id.


      Authlete provides /api/backchannel/authentication/issue API which generates a JSON containing auth_req_id, so, your next action is (1) call the API, (2) receive the response from the API, (3) build a response to the client application using the content of the API response, and (4) return the response to the client application. See the description of /api/backchannel/authentication/issue API for details.



    4. [END-USER AUTHENTICATION AND AUTHORIZATION]


      After sending a JSON containing auth_req_id back to the client application, the authorization server implementation starts to communicate with an authentication device of the end-user. It is assumed that end-user authentication is performed on the authentication device and the end-user confirms the content of the backchannel authentication request and grants authorization to the client application if everything is okay. The authorization server implementation must be able to receive the result of the end-user authentication and authorization from the authentication device.


      How to communicate with an authentication device and achieve end-user authentication and authorization is up to each authorization server implementation, but the following request parameters of the backchannel authentication request should be taken into consideration in any implementation.


      parameter method description
      acr_values getAcrs()

      A backchannel authentication request may contain an array of ACRs (Authentication Context Class References) in preference order. If multiple authentication devices are registered for the end-user, the authorization server implementation should take the ACRs into consideration when selecting the best authentication device.

      scope getScopes(), getDynamicScopes()

      A backchannel authentication request always contains a list of scopes. At least, openid is included in the list (otherwise /api/backchannel/authentication API returns action=BAD_REQUEST). It would be better to show the requested scopes to the end-user on the authentication device or somewhere appropriate.


      If the scope request parameter contains address, email, phone and/or profile, they are interpreted as defined in 5.4. Requesting Claims using Scope Values of OpenID Connect Core 1.0. That is, they are expanded into a list of claim names. The getClaimNames() method returns the expanded result.

      The scope request parameter may contain dynamic scopes. They are obtained through getDynamicScopes() method. See the description of the DynamicScope class for details about dynamic scopes.

      binding_message getBindingMessage()

      A backchannel authentication request may contain a binding message. It is a human readable identifier or message intended to be displayed on both the consumption device (client application) and the authentication device.

      user_code getUserCode()

      A backchannel authentication request may contain a user code. It is a secret code, such as password or pin, known only to the end-user but verifiable by the authorization server. The user code should be used to authorize sending a request to the authentication device.



    5. [END-USER AUTHENTICATION AND AUTHORIZATION COMPLETION]


      After receiving the result of end-user authentication and authorization, the authorization server implementation must call Authlete's /api/backchannel/authentication/complete to tell Authlete the result and pass necessary data so that Authlete can generate an ID token, an access token and optionally a refresh token. See the description of the API for details.



    6. [CLIENT NOTIFICATION]


      When the backchannel token delivery mode is either ping or push, the authorization server implementation must send a notification to the pre-registered notification endpoint of the client after the end-user authentication and authorization. In this case, getAction() method of BackchannelAuthenticationCompleteResponse (a response from /api/backchannel/authentication/complete API) returns NOTIFICATION. See the description of /api/backchannel/authentication/complete API for details.



    7. [TOKEN REQUEST]


      When the backchannel token delivery mode is either ping or poll, the client application will make a token request to the token endpoint to get an ID token, an access token and optionally a refresh token.


      A token request that corresponds to a backchannel authentication request uses urn:openid:params:grant-type:ciba as the value of the grant_type request parameter. Authlete's /api/auth/token API recognizes the grant type automatically and behaves properly, so the existing token endpoint implementation does not have to be changed to support CIBA.

    Since:
    2.32
    See Also:
    Serialized Form

    • Constructor Detail

      • BackchannelAuthenticationResponse

        public BackchannelAuthenticationResponse()

    • Method Detail

      • getResponseContent

        public String getResponseContent()
        Get the content that can be used to generate a response to the client application.

        When this method returns a non-null value, it is JSON containing error information. When getAction() returns USER_IDENTIFICATION, this method returns null.

        Returns:
        The content of a response to the client.

      • setResponseContent

        public BackchannelAuthenticationResponse setResponseContent​(String responseContent)
        Set the content that can be used to generate a response to the client application.
        Parameters:
        responseContent - The content of a response to the client.
        Returns:
        this object.

      • getClientId

        public long getClientId()
        Get the client ID of the client application that has made the backchannel authentication request.
        Returns:
        The client ID of the client application.

      • setClientId

        public BackchannelAuthenticationResponse setClientId​(long clientId)
        Set the client ID of the client application that has made the backchannel authentication request.
        Parameters:
        clientId - The client ID of the client application.
        Returns:
        this object.

      • getClientIdAlias

        public String getClientIdAlias()
        Get the client ID alias of the client application that has made the backchannel authentication request.
        Returns:
        The client ID alias of the client application.

      • setClientIdAlias

        public BackchannelAuthenticationResponse setClientIdAlias​(String alias)
        Set the client ID alias of the client application that has made the backchannel authentication request.
        Parameters:
        alias - The client ID alias of the client application.
        Returns:
        this object.

      • isClientIdAliasUsed

        public boolean isClientIdAliasUsed()
        Get the flag which indicates whether the client ID alias was used in the backchannel authentication request.
        Returns:
        true if the client ID alias was used in the request.

      • setClientIdAliasUsed

        public BackchannelAuthenticationResponse setClientIdAliasUsed​(boolean used)
        Set the flag which indicates whether the client ID alias was used in the backchannel authentication request.
        Parameters:
        used - true to indicate that the client ID alias was used in the request.
        Returns:
        this object.

      • getClientEntityId

        public URI getClientEntityId()
        Get the entity ID of the client.

        "Entity ID" is a technical term defined in OpenID Federation 1.0.

        Returns:
        The entity ID of the client.
        Since:
        3.37, Authlete 2.3
        See Also:
        OpenID Federation 1.0

      • isClientEntityIdUsed

        public boolean isClientEntityIdUsed()
        Get the flag which indicates whether the entity ID of the client was used in the backchannel authentication request as a client ID.

        "Entity ID" is a technical term defined in OpenID Federation 1.0.

        Returns:
        true if the entity ID of the client was used in the request as a client ID.
        Since:
        3.37, Authlete 2.3
        See Also:
        OpenID Federation 1.0

      • setClientEntityIdUsed

        public BackchannelAuthenticationResponse setClientEntityIdUsed​(boolean used)
        Set the flag which indicates whether the entity ID of the client was used in the backchannel authentication request as a client ID.

        "Entity ID" is a technical term defined in OpenID Federation 1.0.

        Parameters:
        used - true to indicate that the entity ID of the client was used in the request as a client ID.
        Returns:
        this object.
        Since:
        3.37, Authlete 2.3
        See Also:
        OpenID Federation 1.0

      • getClientIdentifier

        public String getClientIdentifier()
        Get the client identifier used in the backchannel authentication request.

        When isClientIdAliasUsed() returns true, this method returns the same value as getClientIdAlias() does. Otherwise, if isClientEntityIdUsed() returns true, this method returns the same value as getClientEntityId().toString() does. In other cases, this method returns the string representation of the value returned from getClientId().

        Returns:
        The client identifier used in the backchannel authentication request.

      • getClientName

        public String getClientName()
        Get the name of the client application which has made the backchannel authentication request.
        Returns:
        The name of the client application.

      • setClientName

        public BackchannelAuthenticationResponse setClientName​(String name)
        Set the name of the client application which has made the backchannel authentication request.
        Parameters:
        name - The name of the client application.
        Returns:
        this object.

      • getClientAuthMethod

        public ClientAuthMethod getClientAuthMethod()
        Get the client authentication method that should be performed at the backchannel authentication endpoint.

        If the client could not be identified by the information in the request, this method returns null.

        Returns:
        The client authentication method that should be performed at the backchannel authentication endpoint.
        Since:
        2.50

      • setClientAuthMethod

        public BackchannelAuthenticationResponse setClientAuthMethod​(ClientAuthMethod method)
        Set the client authentication method that should be performed at the backchannel authentication endpoint.
        Parameters:
        method - The client authentication method that should be performed at the backchannel authentication endpoint.
        Returns:
        this object.
        Since:
        2.50

      • getDeliveryMode

        public DeliveryMode getDeliveryMode()
        Get the backchannel token delivery mode of the client application.
        Returns:
        The backchannel token delivery mode.

      • setDeliveryMode

        public BackchannelAuthenticationResponse setDeliveryMode​(DeliveryMode mode)
        Set the backchannel token delivery mode of the client application.
        Parameters:
        mode - The backchannel token delivery mode.
        Returns:
        this object.

      • getScopes

        public Scope[] getScopes()
        Get the scopes requested by the backchannel authentication request.

        Basically, this method returns the value of the "scope" request parameter in the backchannel authentication request. However, because unregistered scopes are dropped on Authlete side, if the "scope" request parameter contains unknown scopes, the list returned by this method becomes different from the value of the "scope" request parameter.

        Note that Scope.getDescription() method and Scope.getDescriptions() method of each element (Scope instance) in the array returned from this method always return null even if descriptions of the scopes are registered.

        Returns:
        The requested scopes.

      • setScopes

        public BackchannelAuthenticationResponse setScopes​(Scope[] scopes)
        Set the scopes requested by the backchannel authentication request.
        Parameters:
        scopes - The requested scopes.
        Returns:
        this object.

      • getDynamicScopes

        public DynamicScope[] getDynamicScopes()
        Get the dynamic scopes which the client application requested by the scope request parameter. See the description of DynamicScope for details.
        Returns:
        The list of dynamic scopes.
        Since:
        2.92
        See Also:
        DynamicScope

      • setDynamicScopes

        public BackchannelAuthenticationResponse setDynamicScopes​(DynamicScope[] dynamicScopes)
        Set the dynamic scopes which the client application requested by the scope request parameter. See the description of DynamicScope for details.
        Parameters:
        dynamicScopes - The list of dynamic scopes.
        Returns:
        this object.
        Since:
        2.92
        See Also:
        DynamicScope

      • setClaimNames

        public BackchannelAuthenticationResponse setClaimNames​(String[] names)
        Set the names of the claims which were requested indirectly via some special scopes.
        Parameters:
        names - The names of the requested claims.
        Returns:
        this object.

      • getClientNotificationToken

        public String getClientNotificationToken()
        Get the client notification token included in the backchannel authentication request. It is the value of the client_notification_token request parameter.

        When the backchannel token delivery mode is "ping" or "push", the backchannel authentication request must include a client notification token.

        Returns:
        The client notification token included in the backchannel authentication request.

      • setClientNotificationToken

        public BackchannelAuthenticationResponse setClientNotificationToken​(String token)
        Set the client notification token included in the backchannel authentication request. It is the value of the client_notification_token request parameter.

        When the backchannel token delivery mode is "ping" or "push", the backchannel authentication request must include a client notification token.

        Parameters:
        token - The client notification token included in the backchannel authentication request.
        Returns:
        this object.

      • getAcrs

        public String[] getAcrs()
        Get the list of ACR values requested by the backchannel authentication request.

        Basically, this method returns the value of the "acr_values" request parameter in the backchannel authentication request. However, because unsupported ACR values are dropped on Authlete side, if the "acr_values" request parameter contains unrecognized ACR values, the list returned by this method becomes different from the value of the "acr_values" request parameter.

        Returns:
        The list of requested ACR values.

      • setAcrs

        public BackchannelAuthenticationResponse setAcrs​(String[] acrs)
        Set the list of ACR values requested by the backchannel authentication request.
        Parameters:
        acrs - The list of requested ACR values.
        Returns:
        this object.

      • getHintType

        public UserIdentificationHintType getHintType()
        Get the type of the hint for end-user identification which was included in the backchannel authentication request.

        When the backchannel authentication request contains "id_token_hint", this method returns ID_TOKEN_HINT. Likewise, this method returns LOGIN_HINT when the request contains "login_hint", or returns LOGIN_HINT_TOKEN when the request contains "login_hint_token".

        Note that a backchannel authentication request must include one and only one hint among "id_token_hint", "login_hint" and "login_hint_token".

        Returns:
        The type of the hint for end-user identification.

      • setHintType

        public BackchannelAuthenticationResponse setHintType​(UserIdentificationHintType hintType)
        Set the type of the hint for end-user identification which was included in the backchannel authentication request.
        Parameters:
        hintType - The type of the hint for end-user identification.
        Returns:
        this object.

      • getHint

        public String getHint()
        Get the value of the hint for end-user identification.

        When getHintType() returns ID_TOKEN_HINT, this method returns the value of the "id_token_hint" request parameter. Likewise, this method returns the value of the "login_hint" request parameter when getHintType() returns LOGIN_HINT, or returns the value of the "login_hint_token" request parameter when getHintType() returns LOGIN_HINT_TOKEN.

        Returns:
        The value of the hint for end-user identification.

      • setHint

        public BackchannelAuthenticationResponse setHint​(String hint)
        Set the value of the hint for end-user identification.
        Parameters:
        hint - The value of the hint for end-user identification.
        Returns:
        this object.

      • getSub

        public String getSub()
        Get the value of the "sub" claim contained in the ID token hint included in the backchannel authentication request.

        This method works only when the backchannel authentication request contains the "id_token_hint" request parameter.

        Returns:
        The value of the "sub" claim contained in the ID token hint.

      • setSub

        public BackchannelAuthenticationResponse setSub​(String sub)
        Set the value of the "sub" claim contained in the ID token hint included in the backchannel authentication request.
        Parameters:
        sub - The value of the "sub" claim contained in the ID token hint.
        Returns:
        this object.

      • getUserCode

        public String getUserCode()
        Get the user code included in the backchannel authentication request. It is the value of the "user_code" request parameter.
        Returns:
        The user code.

      • setUserCode

        public BackchannelAuthenticationResponse setUserCode​(String userCode)
        Set the user code included in the backchannel authentication request. It is the value of the "user_code" request parameter.
        Parameters:
        userCode - The user code.
        Returns:
        this object.

      • getRequestedExpiry

        public int getRequestedExpiry()
        Get the requested expiry for the authentication request ID (auth_req_id). It is the value of the "requested_expiry" request parameter.
        Returns:
        The requested expiry in seconds.
        Since:
        2.35

      • setRequestedExpiry

        public BackchannelAuthenticationResponse setRequestedExpiry​(int seconds)
        Set the requested expiry for the authentication request ID (auth_req_id). It is the value of the "requested_expiry" request parameter.
        Parameters:
        seconds - The requested expiry in seconds.
        Returns:
        this object.
        Since:
        2.35

      • isUserCodeRequired

        public boolean isUserCodeRequired()
        Get the flag which indicates whether a user code is required.

        This method returns true when both the backchannel_user_code_parameter metadata of the client (= Client's bcUserCodeRequired property) and the backchannel_user_code_parameter_supported metadata of the service (= Service's backchannelUserCodeParameterSupported property) are true.

        Returns:
        true when a user code is required.
        Since:
        2.33

      • setUserCodeRequired

        public BackchannelAuthenticationResponse setUserCodeRequired​(boolean required)
        Set the flag which indicates whether a user code is required.
        Parameters:
        required - true to indicate that a user code is required.
        Returns:
        this object.
        Since:
        2.33

      • getBindingMessage

        public String getBindingMessage()
        Get the binding message included in the backchannel authentication request. It is the value of the "binding_message" request parameter.
        Returns:
        The binding message.

      • setBindingMessage

        public BackchannelAuthenticationResponse setBindingMessage​(String message)
        Set the binding message included in the backchannel authentication request. It is the value of the "binding_message" request parameter.
        Parameters:
        message - The binding message.
        Returns:
        this object.

      • getRequestContext

        public String getRequestContext()
        Get the request context of the backchannel authentication request. It is the value of the "request_context" claim in the signed authentication request and its format is JSON. "request_context" is a new claim added by the FAPI-CIBA profile.

        This method returns null if the backchannel authentication request does not include a "request" request parameter or the JWT specified by the request parameter does not include a "request_context" claim.

        Returns:
        The request context in JSON format.
        Since:
        2.45

      • setRequestContext

        public BackchannelAuthenticationResponse setRequestContext​(String context)
        Set the request context of the backchannel authentication request. It is the value of the "request_context" claim in the signed authentication request and its format is JSON. "request_context" is a new claim added by the FAPI-CIBA profile.
        Parameters:
        context - The request context in JSON format.
        Returns:
        this object.
        Since:
        2.45

      • getResources

        public URI[] getResources()
        Get the resources specified by the resource request parameters or by the resource property in the request object. If both are given, the values in the request object take precedence. See "Resource Indicators for OAuth 2.0" for details.
        Returns:
        Target resources.
        Since:
        2.62

      • setResources

        public BackchannelAuthenticationResponse setResources​(URI[] resources)
        Set the resources specified by the resource request parameters or by the resource property in the request object. If both are given, the values in the request object should be set. See "Resource Indicators for OAuth 2.0" for details.
        Parameters:
        resources - Target resources.
        Returns:
        this object.
        Since:
        2.62

      • getAuthorizationDetails

        public AuthzDetails getAuthorizationDetails()
        Get the authorization details. This represents the value of the "authorization_details" request parameter which is defined in "OAuth 2.0 Rich Authorization Requests".
        Returns:
        Authorization details.
        Since:
        2.56

      • setAuthorizationDetails

        public BackchannelAuthenticationResponse setAuthorizationDetails​(AuthzDetails details)
        Set the authorization details. This represents the value of the "authorization_details" request parameter which is defined in "OAuth 2.0 Rich Authorization Requests".
        Parameters:
        details - Authorization details.
        Returns:
        this object.
        Since:
        2.56

      • getGrantSubject

        public String getGrantSubject()
        Get the subject of the user who has given the grant which is identified by the grant_id request parameter.

        Authlete 2.3 and newer versions support Grant Management for OAuth 2.0. A backchannel authentication request may contain a grant_id request parameter which is defined in the specification. If the value of the request parameter is valid, getGrantSubject() will return the subject of the user who has given the grant to the client application. Authorization server implementations may use the value returned from getGrantSubject() in order to determine the user to authenticate.

        The user your system will authenticate during the authorization process (or has already authenticated) may be different from the user of the grant. The first implementer's draft of "Grant Management for OAuth 2.0" does not mention anything about the case, so the behavior in the case is left to implementations. Authlete will not perform the grant management action when the subject passed to Authlete does not match the user of the grant.

        Returns:
        The subject of the user who has given the grant.
        Since:
        3.1
        See Also:
        Grant Management for OAuth 2.0

      • setGrantSubject

        public BackchannelAuthenticationResponse setGrantSubject​(String subject)
        Set the subject of the user who has given the grant which is identified by the grant_id request parameter.

        Authlete 2.3 and newer versions support Grant Management for OAuth 2.0. A backchannel authentication request may contain a grant_id request parameter which is defined in the specification. If the value of the request parameter is valid, getGrantSubject() will return the subject of the user who has given the grant to the client application. Authorization server implementations may use the value returned from getGrantSubject() in order to determine the user to authenticate.

        The user your system will authenticate during the authorization process (or has already authenticated) may be different from the user of the grant. The first implementer's draft of "Grant Management for OAuth 2.0" does not mention anything about the case, so the behavior in the case is left to implementations. Authlete will not perform the grant management action when the subject passed to Authlete does not match the user of the grant.

        Parameters:
        subject - The subject of the user who has given the grant.
        Returns:
        this object.
        Since:
        3.1
        See Also:
        Grant Management for OAuth 2.0

      • getGrant

        public Grant getGrant()
        Get the content of the grant which is identified by the grant_id request parameter.

        The user your system will authenticate during the authorization process (or has already authenticated) may be different from the user of the grant. Be careful when your system displays the content of the grant.

        Returns:
        The content of the grant.
        Since:
        3.1
        See Also:
        Grant Management for OAuth 2.0

      • setGrant

        public BackchannelAuthenticationResponse setGrant​(Grant grant)
        Set the content of the grant which is identified by the grant_id request parameter.

        The user your system will authenticate during the authorization process (or has already authenticated) may be different from the user of the grant. Be careful when your system displays the content of the grant.

        Parameters:
        grant - The content of the grant.
        Returns:
        this object.
        Since:
        3.1
        See Also:
        Grant Management for OAuth 2.0

      • getServiceAttributes

        public Pair[] getServiceAttributes()
        Get the attributes of the service that the client application belongs to.

        This property is available since Authlete 2.2.

        Returns:
        The attributes of the service.
        Since:
        2.88

      • setServiceAttributes

        public BackchannelAuthenticationResponse setServiceAttributes​(Pair[] attributes)
        Set the attributes of the service that the client application belongs to.

        This property is available since Authlete 2.2.

        Parameters:
        attributes - The attributes of the service.
        Returns:
        this object.
        Since:
        2.88

      • getClientAttributes

        public Pair[] getClientAttributes()
        Get the attributes of the client.

        This property is available since Authlete 2.2.

        Returns:
        The attributes of the client.
        Since:
        2.88

      • setClientAttributes

        public BackchannelAuthenticationResponse setClientAttributes​(Pair[] attributes)
        Set the attributes of the client.

        This property is available since Authlete 2.2.

        Parameters:
        attributes - The attributes of the client.
        Returns:
        this object.
        Since:
        2.88

      • getWarnings

        public String[] getWarnings()
        Get the warnings raised during processing the backchannel authentication request.
        Returns:
        Warnings. This may be null.

      • setWarnings

        public BackchannelAuthenticationResponse setWarnings​(String[] warnings)
        Set the warnings raised during processing the backchannel authentication request.
        Parameters:
        warnings - Warnings.
        Returns:
        this object.

      • getTicket

        public String getTicket()
        Get the ticket that is necessary for the implementation of the backchannel authentication endpoint to call /api/backchannel/authentication/* API.
        Returns:
        The ticket issued from /api/backchannel/authentication API.

      • setTicket

        public BackchannelAuthenticationResponse setTicket​(String ticket)
        Set the ticket that is necessary for the implementation of the backchannel authentication endpoint to call /api/backchannel/authentication/* API.
        Parameters:
        ticket - The ticket issued from /api/backchannel/authentication API.
        Returns:
        this object.