Package com.authlete.common.dto

Class Client

    • Constructor Detail

      • Client

        public Client()

    • Method Detail

      • getNumber

        public int getNumber()
        Get the client number.
        Returns:
        The client number.

      • setNumber

        public Client setNumber​(int number)
        Set the client number.
        Parameters:
        number - The client number.
        Returns:
        this object.

      • getServiceNumber

        public int getServiceNumber()
        Get the number of the service which this client belongs to.
        Returns:
        The service number

      • setServiceNumber

        public Client setServiceNumber​(int number)
        Set the number of the service which this client belongs to.
        Parameters:
        number - The service number.
        Returns:
        this object.

      • getDeveloper

        public String getDeveloper()
        Get the unique ID of the developer of this client application.
        Returns:
        The developer unique ID.

      • setDeveloper

        public Client setDeveloper​(String developer)
        Set the unique ID of the developer of this client application.
        Parameters:
        developer - The developer unique ID.
        Returns:
        this object.

      • getClientId

        public long getClientId()
        Get the client ID.
        Returns:
        The client ID.

      • setClientId

        public Client setClientId​(long clientId)
        Set the client ID.
        Parameters:
        clientId - The client ID.
        Returns:
        this object.

      • getClientIdAlias

        public String getClientIdAlias()
        Get the alias of the client ID.

        Note that the client ID alias is recognized only when this client's clientIdAliasEnabled property is true AND the service's clientIdAliasEnabled property is also true.

        Returns:
        The alias of the client ID. This may be null.
        Since:
        2.1

      • setClientIdAlias

        public Client setClientIdAlias​(String alias)
        Set the alias of the client ID.

        Note that the client ID alias is recognized only when this client's clientIdAliasEnabled property is true AND the service's clientIdAliasEnabled property is also true.

        Parameters:
        alias - The alias of the client ID.
        Returns:
        this object.
        Since:
        2.1

      • isClientIdAliasEnabled

        public boolean isClientIdAliasEnabled()
        Get the flag which indicates whether the client ID alias is enabled or not.

        Note that Service class also has clientIdAliasEnabled property. If the service's clientIdAliasEnabled property is false, the client ID alias of this client is not recognized even if this client's clientIdAliasEnabled property is true.

        Returns:
        true if the client ID alias is enabled.
        Since:
        2.2

      • setClientIdAliasEnabled

        public Client setClientIdAliasEnabled​(boolean enabled)
        Enable/disable the client ID alias.

        Note that Service class also has clientIdAliasEnabled property. If the service's clientIdAliasEnabled property is false, the client ID alias of this client is not recognized even if this client's clientIdAliasEnabled property is true.

        Parameters:
        enabled - true to enable the client ID alias. false to disable it.
        Returns:
        this object.
        Since:
        2.2

      • getClientSecret

        public String getClientSecret()
        Get the client secret.
        Returns:
        The client secret.

      • setClientSecret

        public Client setClientSecret​(String clientSecret)
        Set the client secret.
        Parameters:
        clientSecret - The client secret.
        Returns:
        this object.

      • getClientType

        public ClientType getClientType()
        Get the client type.
        Returns:
        The client type.

      • setClientType

        public Client setClientType​(ClientType clientType)
        Set the client type.
        Parameters:
        clientType - The client type.
        Returns:
        this object.

      • getResponseTypes

        public ResponseType[] getResponseTypes()
        Get response_type values that the client is declaring that it will restrict itself to using.
        Returns:
        The response types.

      • setResponseTypes

        public Client setResponseTypes​(ResponseType[] responseTypes)
        Set response_type values that the client is declaring that it will restrict itself to using.
        Parameters:
        responseTypes - The response types.
        Returns:
        this object.

      • getGrantTypes

        public GrantType[] getGrantTypes()
        Get grant_type values that the client is declaring that it will restrict itself to using.
        Returns:
        The grant types.

      • setGrantTypes

        public Client setGrantTypes​(GrantType[] grantTypes)
        Set grant_type values that the client is declaring that it will restrict itself to using.
        Parameters:
        grantTypes - The grant types.
        Returns:
        this object.

      • getContacts

        public String[] getContacts()
        Get the email addresses of contacts.
        Returns:
        Email addresses of contacts.

      • setContacts

        public Client setContacts​(String[] contacts)
        Set the email addresses of contacts.
        Parameters:
        contacts - Email addresses of contacts.
        Returns:
        this object.

      • getClientName

        public String getClientName()
        Get the client name.
        Returns:
        The client name.

      • setClientName

        public Client setClientName​(String clientName)
        Set the client name.
        Parameters:
        clientName - The client name.
        Returns:
        this object.

      • getClientNames

        public TaggedValue[] getClientNames()
        Get the client names each of which has a language tag.
        Returns:
        The client names each of which has a language tag.

      • setClientNames

        public Client setClientNames​(TaggedValue[] clientNames)
        Set the client names each of which has a language tag.
        Parameters:
        clientNames - The client names.
        Returns:
        this object.

      • getLogoUri

        public URI getLogoUri()
        Get the URI of the logo image.
        Returns:
        The URI of the logo image.

      • setLogoUri

        public Client setLogoUri​(URI uri)
        Set the URI of the logo image.
        Parameters:
        uri - The URI of the logo image.
        Returns:
        this object.

      • getLogoUris

        public TaggedValue[] getLogoUris()
        Get the logo URIs each of which has a language tag.
        Returns:
        The logo URIs.

      • setLogoUris

        public Client setLogoUris​(TaggedValue[] uris)
        Set the logo URIs each of which has a language tag.
        Parameters:
        uris - The logo URIs.
        Returns:
        this object.

      • getClientUri

        public URI getClientUri()
        Get the URI of the home page.
        Returns:
        The URI of the home page.

      • setClientUri

        public Client setClientUri​(URI uri)
        Set the URI of the home page.
        Parameters:
        uri - The URI of the home page.
        Returns:
        this object.

      • getClientUris

        public TaggedValue[] getClientUris()
        Get the URIs of the home pages for specific languages.
        Returns:
        The URIs of the home page for specific languages.

      • setClientUris

        public Client setClientUris​(TaggedValue[] uris)
        Set the URIs of the home pages for specific languages.
        Parameters:
        uris - The URIs of the home page for specific languages.
        Returns:
        this object.

      • getPolicyUri

        public URI getPolicyUri()
        Get the URI of the policy page which describes how the client application uses the profile data of the end-user.
        Returns:
        The URI of the policy page.

      • setPolicyUri

        public Client setPolicyUri​(URI uri)
        Set the URI of the policy page which describes how the client application uses the profile data of the end-user.
        Parameters:
        uri - The URI of the policy page.
        Returns:
        this object.

      • getPolicyUris

        public TaggedValue[] getPolicyUris()
        Get the URIs of the policy pages for specific languages.
        Returns:
        The URIs of the policy pages for specific languages.

      • setPolicyUris

        public Client setPolicyUris​(TaggedValue[] uris)
        Set the URIs of the policy pages for specific languages.
        Parameters:
        uris - The URIs of the policy pages for specific languages.
        Returns:
        this object.

      • getTosUri

        public URI getTosUri()
        Get the URI of the "Terms Of Service" page.
        Returns:
        The URI of the "Terms Of Service" page.

      • setTosUri

        public Client setTosUri​(URI uri)
        Set the URI of the "Terms Of Service" page.
        Parameters:
        uri - The URI of the "Terms Of Service" page.
        Returns:
        this object.

      • getTosUris

        public TaggedValue[] getTosUris()
        Get the URIs of the "Terms Of Service" pages for specific languages.
        Returns:
        The URIs of the "Terms Of Service" pages for specific languages.

      • setTosUris

        public Client setTosUris​(TaggedValue[] uris)
        Set the URIs of the "Terms Of Service" pages for specific languages.
        Parameters:
        uris - The URIs of the "Terms Of Service" pages for specific languages.
        Returns:
        this object.

      • getJwksUri

        public URI getJwksUri()
        Get the URI of the JSON Web Key Set of the client application.
        Returns:
        The URI of the JSON Web Key Set of the client application.

      • setJwksUri

        public Client setJwksUri​(URI uri)
        Set the URI of the JSON Web Key Set of the client application.
        Parameters:
        uri - The URI of the JSON Web Key Set of the client application.
        Returns:
        this object.

      • getJwks

        public String getJwks()
        Get the JSON Web Key Set.
        Returns:
        The JSON Web Key Set.

      • setJwks

        public Client setJwks​(String jwks)
        Set the JSON Web Key Set.
        Parameters:
        jwks - The JSON Web Key Set.
        Returns:
        this object.

      • getSectorIdentifier

        @Deprecated
public URI getSectorIdentifier()
        Deprecated.
        Since Authlete 2.2. Use getSectorIdentifierUri() instead.
        Get the sector identifier.
        Returns:
        The sector identifier.

      • setSectorIdentifier

        @Deprecated
public Client setSectorIdentifier​(URI sectorIdentifier)
        Deprecated.
        Since Authlete 2.2. Use setSectorIdentifierUri(URI) instead.
        Set the sector identifier.
        Parameters:
        sectorIdentifier - The sector identifier.
        Returns:
        this object.

      • getDerivedSectorIdentifier

        public String getDerivedSectorIdentifier()
        Get the sector identifier host component as derived from either the sector_identifier_uri or the registered redirect_uri. If no sector_identifier_uri is registered and multiple redirect_uris are also registered, this value is undefined and the field returns null.
        Returns:
        The derived sector identifier, if available, or null otherwise.
        Since:
        2.61
        See Also:
        OIDC Core, 8.1. Pairwise Identifier Algorithm

      • setDerivedSectorIdentifier

        public Client setDerivedSectorIdentifier​(String derivedSectorIdentifier)
        Set the sector identifier host component as derived from either the sector_identifier_uri or the registered redirect_uri. If no sector_identifier_uri is registered and multiple redirect_uris are also registered, this value is undefined and the field is null.
        Parameters:
        derivedSectorIdentifier - The derived sector identifier, if available, or null otherwise.
        Returns:
        this object.
        Since:
        2.61
        See Also:
        OIDC Core, 8.1. Pairwise Identifier Algorithm

      • getSubjectType

        public SubjectType getSubjectType()
        Get the subject type that this client application requests.
        Returns:
        The subject type.
        See Also:
        Subject Identifier Types

      • setSubjectType

        public Client setSubjectType​(SubjectType subjectType)
        Set the subject type that this client application requests.
        Parameters:
        subjectType - The subject type.
        Returns:
        this object.
        See Also:
        Subject Identifier Types

      • getIdTokenSignAlg

        public JWSAlg getIdTokenSignAlg()
        Get the JWS alg algorithm for signing the ID token issued to this client. This property corresponds to id_token_signed_response_alg in Client Metadata.
        Returns:
        The JWS alg algorithm for signing the ID token issued to this client.

      • setIdTokenSignAlg

        public Client setIdTokenSignAlg​(JWSAlg alg)
        Set the JWS alg algorithm for signing the ID token issued to this client. This property corresponds to id_token_signed_response_alg in Client Metadata.
        Parameters:
        alg - The JWS alg algorithm for signing the ID token issued to this client.
        Returns:
        this object.

      • getIdTokenEncryptionAlg

        public JWEAlg getIdTokenEncryptionAlg()
        Get the JWE alg algorithm for encrypting the ID token issued to this client. This property corresponds to id_token_encrypted_response_algin Client Metadata.
        Returns:
        The JWE alg algorithm for encrypting the ID token issued to this client.

      • setIdTokenEncryptionAlg

        public Client setIdTokenEncryptionAlg​(JWEAlg alg)
        Set the JWE alg algorithm for encrypting the ID token issued to this client. This property corresponds to id_token_encrypted_response_algin Client Metadata.
        Parameters:
        alg - The JWE alg algorithm for encrypting the ID token issued to this client.
        Returns:
        this object.

      • getIdTokenEncryptionEnc

        public JWEEnc getIdTokenEncryptionEnc()
        Get the JWE enc algorithm for encrypting the ID token issued to this client. This property corresponds to id_token_encrypted_response_encin Client Metadata.
        Returns:
        The JWE enc algorithm for encrypting the ID token issued to this client.

      • setIdTokenEncryptionEnc

        public Client setIdTokenEncryptionEnc​(JWEEnc enc)
        Set the JWE enc algorithm for encrypting the ID token issued to this client. This property corresponds to id_token_encrypted_response_encin Client Metadata.
        Parameters:
        enc - The JWE enc algorithm for encrypting the ID token issued to this client.
        Returns:
        this object.

      • getUserInfoSignAlg

        public JWSAlg getUserInfoSignAlg()
        Get the JWS alg algorithm for signing UserInfo responses. This property corresponds to userinfo_signed_response_alg in Client Metadata.
        Returns:
        The JWS alg algorithm for signing UserInfo responses.

      • setUserInfoSignAlg

        public Client setUserInfoSignAlg​(JWSAlg alg)
        Set the JWS alg algorithm for signing UserInfo responses. This property corresponds to userinfo_signed_response_alg in Client Metadata.
        Parameters:
        alg - The JWS alg algorithm for signing UserInfo responses.
        Returns:
        this object.

      • getUserInfoEncryptionAlg

        public JWEAlg getUserInfoEncryptionAlg()
        Get the JWE alg algorithm for encrypting UserInfo responses. This property corresponds to userinfo_encrypted_response_alg in Client Metadata.
        Returns:
        The JWE alg algorithm for encrypting UserInfo responses.

      • setUserInfoEncryptionAlg

        public Client setUserInfoEncryptionAlg​(JWEAlg alg)
        Set the JWE alg algorithm for encrypting UserInfo responses. This property corresponds to userinfo_encrypted_response_alg in Client Metadata.
        Parameters:
        alg - The JWE alg algorithm for encrypting UserInfo responses.
        Returns:
        this object.

      • getUserInfoEncryptionEnc

        public JWEEnc getUserInfoEncryptionEnc()
        Get the JWE enc algorithm for encrypting UserInfo responses. This property corresponds to userinfo_encrypted_response_enc in Client Metadata.
        Returns:
        The JWE enc algorithm for encrypting UserInfo responses.

      • setUserInfoEncryptionEnc

        public Client setUserInfoEncryptionEnc​(JWEEnc enc)
        Set the JWE enc algorithm for encrypting UserInfo responses. This property corresponds to userinfo_encrypted_response_enc in Client Metadata.
        Parameters:
        enc - The JWE enc algorithm for encrypting UserInfo responses.
        Returns:
        this object.

      • getRequestSignAlg

        public JWSAlg getRequestSignAlg()
        Get the JWS alg algorithm for signing request objects. This property corresponds to request_object_signing_alg in Client Metadata.
        Returns:
        The JWS alg algorithm for signing request objects.

      • setRequestSignAlg

        public Client setRequestSignAlg​(JWSAlg alg)
        Set the JWS alg algorithm for signing request objects. This property corresponds to request_object_signing_alg in Client Metadata.
        Parameters:
        alg - The JWS alg algorithm for signing request objects.
        Returns:
        this object.

      • getRequestEncryptionAlg

        public JWEAlg getRequestEncryptionAlg()
        Get the JWE alg algorithm for encrypting request objects. This property corresponds to request_object_encryption_alg in Client Metadata.
        Returns:
        The JWE alg algorithm for encrypting request objects.

      • setRequestEncryptionAlg

        public Client setRequestEncryptionAlg​(JWEAlg alg)
        Set the JWE alg algorithm for encrypting request objects. This property corresponds to request_object_encryption_alg in Client Metadata.
        Parameters:
        alg - The JWE alg algorithm for encrypting request objects.
        Returns:
        this object.

      • getRequestEncryptionEnc

        public JWEEnc getRequestEncryptionEnc()
        Get the JWE enc algorithm for encrypting request objects. This property corresponds to request_object_encryption_enc in Client Metadata.
        Returns:
        The JWE enc algorithm for encrypting request objects.

      • setRequestEncryptionEnc

        public Client setRequestEncryptionEnc​(JWEEnc enc)
        Set the JWE enc algorithm for encrypting request objects. This property corresponds to request_object_encryption_enc in Client Metadata.
        Parameters:
        enc - The JWE enc algorithm for encrypting request objects.
        Returns:
        this object.

      • getTokenAuthMethod

        public ClientAuthMethod getTokenAuthMethod()
        Get the client authentication method for the token endpoint. This property corresponds to token_endpoint_auth_method in Client Metadata.
        Returns:
        The client authentication method for the token endpoint.

      • setTokenAuthMethod

        public Client setTokenAuthMethod​(ClientAuthMethod method)
        Set the client authentication method for the token endpoint. This property corresponds to token_endpoint_auth_method in Client Metadata.
        Parameters:
        method - The client authentication method for the token endpoint.
        Returns:
        this object.

      • getTokenAuthSignAlg

        public JWSAlg getTokenAuthSignAlg()
        Get the JWS alg algorithm for signing the JWT used to authenticate the client at the token endpoint. This property corresponds to token_endpoint_auth_signing_alg in Client Metadata.
        Returns:
        The JWS alg algorithm for signing the JWT used to authenticate the client at the token endpoint.

      • setTokenAuthSignAlg

        public Client setTokenAuthSignAlg​(JWSAlg alg)
        Set the JWS alg algorithm for signing the JWT used to authenticate the client at the token endpoint. This property corresponds to token_endpoint_auth_signing_alg in Client Metadata.
        Parameters:
        alg - The JWS alg algorithm for signing the JWT used to authenticate the client at the token endpoint.
        Returns:
        this object.

      • getDefaultMaxAge

        public int getDefaultMaxAge()
        Get the default value of the maximum authentication age in seconds. This property corresponds to default_max_age in Client Metadata.
        Returns:
        The default value of the maximum authentication age in seconds.

      • setDefaultMaxAge

        public Client setDefaultMaxAge​(int defaultMaxAge)
        Set the default value of the maximum authentication age in seconds. This property corresponds to default_max_age in Client Metadata.

        This value is used when the request from the client application does not contain the max_age request parameter.

        Parameters:
        defaultMaxAge - The default value of the maximum authentication age in seconds. 0 means that no default value is set.
        Returns:
        this object.

      • isAuthTimeRequired

        public boolean isAuthTimeRequired()
        Get the flag which indicates whether this client requires auth_time claim to be embedded in the ID token. This property corresponds to require_auth_time in Client Metadata.
        Returns:
        The flag which indicates whether this client requires auth_time claim to be embedded in the ID token.

      • setAuthTimeRequired

        public Client setAuthTimeRequired​(boolean required)
        Set the flag which indicates whether this client requires auth_time claim to be embedded in the ID token. This property corresponds to require_auth_time in Client Metadata.
        Parameters:
        required - The flag which indicates whether this client requires auth_time claim to be embedded in the ID token.
        Returns:
        this object.

      • getDefaultAcrs

        public String[] getDefaultAcrs()
        Get the default list of authentication context class references. This property corresponds to default_acr_values in Client Metadata.
        Returns:
        The default list of authentication context class references.

      • setDefaultAcrs

        public Client setDefaultAcrs​(String[] defaultAcrs)
        Set the default list of authentication context class references. This property corresponds to default_max_age in Client Metadata.

        This value is used when the request from the client application does not contain the acr_values request parameter.

        Parameters:
        defaultAcrs - The default list of authentication context class references.
        Returns:
        this object.

      • getLoginUri

        public URI getLoginUri()
        Get the URL that can initiate a login for this client application. This property corresponds to initiate_login_uri in Client Metadata.
        Returns:
        The URL that can initiate a login for this client application.

      • setLoginUri

        public Client setLoginUri​(URI uri)
        Set the URL that can initiate a login for this client application. This property corresponds to initiate_login_uri in Client Metadata.
        Parameters:
        uri - The URL that can initiate a login for this client application.
        Returns:
        this object.

      • getRequestUris

        public String[] getRequestUris()
        Get the request URIs that this client declares it may use. This property corresponds to request_uris in Client Metadata.
        Returns:
        The request URIs that this client declares it may use.

      • setRequestUris

        public Client setRequestUris​(String[] uris)
        Set the request URIs that this client declares it may use. This property corresponds to request_uris in Client Metadata.
        Parameters:
        uris - The request URIs that this client declares it may use.
        Returns:
        this object.

      • getDescription

        public String getDescription()
        Get the description.
        Returns:
        The description.

      • setDescription

        public Client setDescription​(String description)
        Set the description.
        Parameters:
        description - The description.
        Returns:
        this object.

      • getDescriptions

        public TaggedValue[] getDescriptions()
        Get the descriptions for specific languages.
        Returns:
        The descriptions for specific languages.

      • setDescriptions

        public Client setDescriptions​(TaggedValue[] descriptions)
        Set the descriptions for specific languages.
        Parameters:
        descriptions - The descriptions for specific languages.
        Returns:
        this object.

      • getCreatedAt

        public long getCreatedAt()
        Get the time at which this client was created.
        Returns:
        The time at which this client was created. The value is represented as milliseconds since the UNIX epoch (1970-01-01).
        Since:
        1.6

      • setCreatedAt

        public Client setCreatedAt​(long createdAt)
        Set the time at which this client was created.
        Parameters:
        createdAt - The time at which this client was created.
        Returns:
        this object.
        Since:
        1.6

      • getModifiedAt

        public long getModifiedAt()
        Get the time at which this client was last modified.
        Returns:
        The time at which this client was last modified. The value is represented as milliseconds since the UNIX epoch (1970-01-01).
        Since:
        1.6

      • setModifiedAt

        public Client setModifiedAt​(long modifiedAt)
        Set the time at which this client was last modified.
        Parameters:
        modifiedAt - The time at which this client was modified.
        Returns:
        this object.
        Since:
        1.6

      • getExtension

        public ClientExtension getExtension()
        Get the extended information about this client.
        Returns:
        The extended information about this client.
        Since:
        1.39

      • setExtension

        public Client setExtension​(ClientExtension extension)
        Set the extended information about this client.
        Parameters:
        extension - The extended information about this client.
        Returns:
        this object.
        Since:
        1.39

      • getTlsClientAuthSubjectDn

        public String getTlsClientAuthSubjectDn()
        Get the string representation of the expected subject distinguished name of the certificate this client will use in mutual TLS authentication.

        See tls_client_auth_subject_dn in "2.3. Dynamic Client Registration" in "Mutual TLS Profiles for OAuth Clients" for details.

        Returns:
        The expected subject distinguished name of the client certificate.
        Since:
        2.7

      • setTlsClientAuthSubjectDn

        public Client setTlsClientAuthSubjectDn​(String name)
        Set the string representation of the expected subject distinguished name of the certificate this client will use in mutual TLS authentication.

        See tls_client_auth_subject_dn in "2.3. Dynamic Client Registration" in "Mutual TLS Profiles for OAuth Clients" for details.

        Parameters:
        name - The expected subject distinguished name of the client certificate.
        Returns:
        this object.
        Since:
        2.7

      • getTlsClientAuthSanDns

        public String getTlsClientAuthSanDns()
        Get the string representation of the expected DNS subject alternative name of the certificate this client will use in mutual TLS authentication.

        See tls_client_auth_san_dns in "2.3. Dynamic Client Registration" in "Mutual TLS Profiles for OAuth Clients" for details.

        Returns:
        The expected DNS subject alternative name of the client certificate.
        Since:
        2.38

      • setTlsClientAuthSanDns

        public Client setTlsClientAuthSanDns​(String tlsClientAuthSanDns)
        Set the string representation of the expected DNS subject alternative name of the certificate this client will use in mutual TLS authentication.

        See tls_client_auth_san_dns in "2.3. Dynamic Client Registration" in "Mutual TLS Profiles for OAuth Clients" for details.

        Parameters:
        name - The expected DNS subject alternative name of the client certificate.
        Returns:
        this object.
        Since:
        2.38

      • getTlsClientAuthSanUri

        public URI getTlsClientAuthSanUri()
        Get the string representation of the expected URI subject alternative name of the certificate this client will use in mutual TLS authentication.

        See tls_client_auth_san_uri in "2.3. Dynamic Client Registration" in "Mutual TLS Profiles for OAuth Clients" for details.

        Returns:
        The expected URI subject alternative name of the client certificate.
        Since:
        2.38

      • setTlsClientAuthSanUri

        public Client setTlsClientAuthSanUri​(URI tlsClientAuthSanUri)
        Set the string representation of the expected URI subject alternative name of the certificate this client will use in mutual TLS authentication.

        See tls_client_auth_san_uri in "2.3. Dynamic Client Registration" in "Mutual TLS Profiles for OAuth Clients" for details.

        Parameters:
        name - The expected URI subject alternative name of the client certificate.
        Returns:
        this object.
        Since:
        2.38

      • getTlsClientAuthSanIp

        public String getTlsClientAuthSanIp()
        Get the string representation of the expected IP address subject alternative name of the certificate this client will use in mutual TLS authentication.

        See tls_client_auth_san_ip in "2.3. Dynamic Client Registration" in "Mutual TLS Profiles for OAuth Clients" for details.

        Returns:
        The expected IP address subject alternative name of the client certificate.
        Since:
        2.38

      • setTlsClientAuthSanIp

        public Client setTlsClientAuthSanIp​(String tlsClientAuthSanIp)
        Set the string representation of the expected IP address subject alternative name of the certificate this client will use in mutual TLS authentication.

        See tls_client_auth_san_ip in "2.3. Dynamic Client Registration" in "Mutual TLS Profiles for OAuth Clients" for details.

        Parameters:
        name - The expected IP address subject alternative name of the client certificate.
        Returns:
        this object.
        Since:
        2.38

      • getTlsClientAuthSanEmail

        public String getTlsClientAuthSanEmail()
        Get the string representation of the expected email address subject alternative name of the certificate this client will use in mutual TLS authentication.

        See tls_client_auth_san_email in "2.3. Dynamic Client Registration" in "Mutual TLS Profiles for OAuth Clients" for details.

        Returns:
        The expected email address subject alternative name of the client certificate.
        Since:
        2.38

      • setTlsClientAuthSanEmail

        public Client setTlsClientAuthSanEmail​(String tlsClientAuthSanEmail)
        Set the string representation of the expected email address subject alternative name of the certificate this client will use in mutual TLS authentication.

        See tls_client_auth_san_email in "2.3. Dynamic Client Registration" in "Mutual TLS Profiles for OAuth Clients" for details.

        Parameters:
        name - The expected email address subject alternative name of the client certificate.
        Returns:
        this object.
        Since:
        2.38

      • isTlsClientCertificateBoundAccessTokens

        public boolean isTlsClientCertificateBoundAccessTokens()
        Does this client use TLS client certificate bound access tokens?
        Returns:
        true if this client uses TLS client certificate bound access tokens.
        Since:
        2.19

      • setTlsClientCertificateBoundAccessTokens

        public Client setTlsClientCertificateBoundAccessTokens​(boolean use)
        Set whether this client uses TLS client certificate bound access tokens or not.
        Parameters:
        use - true to indicate that this client uses TLS client certificate bound access tokens.
        Returns:
        this object.
        Since:
        2.19

      • getSelfSignedCertificateKeyId

        public String getSelfSignedCertificateKeyId()
        Get the key ID of a JWK containing a self-signed certificate of this client.

        See "2.2. Self-Signed Certificate Mutual TLS OAuth Client Authentication Method" in "OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens" for details.

        Returns:
        A key ID of a JWK. This may be null.
        Since:
        2.20

      • setSelfSignedCertificateKeyId

        public Client setSelfSignedCertificateKeyId​(String keyId)
        Set the key ID of a JWK containing a self-signed certificate of this client. Unless this value is set to null, Authlete uses this value to look up the corresponding JWK for client authentication using mutual TLS utilizing self-signed certificates.

        See "2.2. Self-Signed Certificate Mutual TLS OAuth Client Authentication Method" in "OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens" for details.

        Parameters:
        keyId - A key ID of a JWK. This may be null.
        Returns:
        this object.
        Since:
        2.20

      • getSoftwareId

        public String getSoftwareId()
        Get the unique identifier string assigned by the client developer or software publisher used by registration endpoints to identify the client software to be dynamically registered.

        This property corresponds to the software_id metadata defined in 2. Client Metadata of RFC 7591 (OAuth 2.0 Dynamic Client Registration Protocol).

        Returns:
        The unique identifier of the client software.
        Since:
        2.24

      • setSoftwareId

        public Client setSoftwareId​(String softwareId)
        Set a unique identifier string assigned by the client developer or software publisher used by registration endpoints to identify the client software to be dynamically registered.

        This property corresponds to the software_id metadata defined in 2. Client Metadata of RFC 7591 (OAuth 2.0 Dynamic Client Registration Protocol).

        Parameters:
        softwareId - A unique identifier of the client software.
        Returns:
        this object.
        Since:
        2.24

      • getSoftwareVersion

        public String getSoftwareVersion()
        Get the version identifier string for the client software identified by the software ID.

        This property corresponds to the software_version metadata defined in 2. Client Metadata of RFC 7591 (OAuth 2.0 Dynamic Client Registration Protocol).

        Returns:
        The version of the client software.
        Since:
        2.24

      • setSoftwareVersion

        public Client setSoftwareVersion​(String softwareVersion)
        Set a version identifier string for the client software identified by the software ID.

        This property corresponds to the software_version metadata defined in 2. Client Metadata of RFC 7591 (OAuth 2.0 Dynamic Client Registration Protocol).

        Parameters:
        softwareVersion - A version of the client software.
        Returns:
        this object.
        Since:
        2.24

      • getBcDeliveryMode

        public DeliveryMode getBcDeliveryMode()
        Get the backchannel token delivery mode. This property corresponds to the backchannel_token_delivery_mode metadata.

        The backchannel token delivery mode is defined in the specification of the CIBA (Client Initiated Backchannel Authentication).

        Returns:
        The backchannel token delivery mode.  @since 2.32

      • setBcDeliveryMode

        public Client setBcDeliveryMode​(DeliveryMode mode)
        Set the backchannel token delivery mode. This property corresponds to the backchannel_token_delivery_mode metadata.

        The backchannel token delivery mode is defined in the specification of CIBA (Client Initiated Backchannel Authentication).

        Parameters:
        mode - The backchannel token delivery mode.
        Returns:
        this object.
        Since:
        2.32

      • getBcNotificationEndpoint

        public URI getBcNotificationEndpoint()
        Get the backchannel client notification endpoint. This property corresponds to the backchannel_client_notification_endpoint metadata.

        The backchannel client notification endpoint is defined in the specification of CIBA (Client Initiated Backchannel Authentication).

        Returns:
        The backchannel client notification endpoint.  @since 2.32

      • setBcNotificationEndpoint

        public Client setBcNotificationEndpoint​(URI endpoint)
        Set the backchannel client notification endpoint. This property corresponds to the backchannel_client_notification_endpoint metadata.

        The backchannel client notification endpoint is defined in the specification of CIBA (Client Initiated Backchannel Authentication).

        Parameters:
        endpoint - The backchannel client notification endpoint.
        Returns:
        this object.  @since 2.32

      • getBcRequestSignAlg

        public JWSAlg getBcRequestSignAlg()
        Get the signature algorithm of the request to the backchannel authentication endpoint. This property corresponds to the backchannel_authentication_request_signing_alg metadata.
        Returns:
        The signature algorithm of the request to the backchannel authentication endpoint.
        Since:
        2.32

      • setBcRequestSignAlg

        public Client setBcRequestSignAlg​(JWSAlg alg)
        Set the signature algorithm of the request to the backchannel authentication endpoint. This property corresponds to the backchannel_authentication_request_signing_alg metadata.

        The specification of CIBA (Client Initiated Backchannel Authentication) allows asymmetric algorithms only.

        Parameters:
        alg - The signature algorithm of the request to the backchannel authentication endpoint.
        Returns:
        this object.  @since 2.32

      • isBcUserCodeRequired

        public boolean isBcUserCodeRequired()
        Get the boolean flag which indicates whether a user code is required when this client makes a backchannel authentication request. This property corresponds to the backchannel_user_code_parameter metadata.
        Returns:
        true if a user code is required when this client makes a backchannel authentication request.
        Since:
        2.32

      • setBcUserCodeRequired

        public Client setBcUserCodeRequired​(boolean required)
        Set the boolean flag which indicates whether a user code is required when this client makes a backchannel authentication request. This property corresponds to the backchannel_user_code_parameter metadata.
        Parameters:
        required - true to indicate that a user code is required when this client makes a backchannel authentication request.
        Returns:
        this object.
        Since:
        2.32

      • isDynamicallyRegistered

        public boolean isDynamicallyRegistered()
        Get the flag which indicates whether this client has been registered dynamically.
        Parameters:
        dynamicallyRegistered - true if the client has been registered dynamically.
        Returns:
        this object.
        Since:
        2.39

      • setDynamicallyRegistered

        public Client setDynamicallyRegistered​(boolean dynamicallyRegistered)
        Set the flag which indicates whether this client has been registered dynamically.
        Parameters:
        dynamicallyRegistered - true if the client has been registered dynamically.
        Returns:
        this object.
        Since:
        2.39

      • getRegistrationAccessTokenHash

        public String getRegistrationAccessTokenHash()
        Get the hash of the registration access token for this client.
        Returns:
        The hash of the registration access token for this client.
        Since:
        2.39

      • setRegistrationAccessTokenHash

        public Client setRegistrationAccessTokenHash​(String registrationAccessToken)
        Set the hash of the registration access token for this client.
        Parameters:
        registrationAccessToken - The hash of the registration access token for this client.
        Returns:
        this object.
        Since:
        2.39

      • getAuthorizationDetailsTypes

        public String[] getAuthorizationDetailsTypes()
        Get the authorization details types that this client may use as values of the "type" field in "authorization_details".

        This property corresponds to the "authorization_details_types" metadata. See "OAuth 2.0 Rich Authorization Requests" (RAR) for details.

        Note that the property name was renamed from authorizationDataTypes to authorizationDetailsTypes to align with the change made by the 5th draft of the RAR specification.

        Returns:
        Authorization details types used in "authorization_details".
        Since:
        2.91

      • setAuthorizationDetailsTypes

        public Client setAuthorizationDetailsTypes​(String[] types)
        Set the authorization details types that this client may use as values of the "type" field in "authorization_details".

        This property corresponds to the "authorization_details_types" metadata. See "OAuth 2.0 Rich Authorization Requests" (RAR) for details.

        Note that the property name was renamed from authorizationDataTypes to authorizationDetailsTypes to align with the change made by the 5th draft of the RAR specification.

        Parameters:
        types - Authorization details types used in "authorization_details".
        Returns:
        this object.
        Since:
        2.91

      • isParRequired

        public boolean isParRequired()
        Get the flag indicating whether this client is required to use the pushed authorization request endpoint.

        This property corresponds to the require_pushed_authorization_requests client metadata defined in "OAuth 2.0 Pushed Authorization Requests".

        Returns:
        true if this client is required to use the pushed authorization request endpoint.
        Since:
        2.77

      • setParRequired

        public Client setParRequired​(boolean required)
        Set the flag indicating whether this client is required to use the pushed authorization request endpoint.

        This property corresponds to the require_pushed_authorization_requests client metadata defined in "OAuth 2.0 Pushed Authorization Requests".

        Parameters:
        required - true to indicate that this client is required to use the pushed authorization request endpoint.
        Returns:
        this object.
        Since:
        2.77

      • isRequestObjectRequired

        public boolean isRequestObjectRequired()
        Get the flag indicating whether authorization requests from this client are always required to utilize a request object by using either request or request_uri request parameter.

        If this flag is true and the service's isTraditionalRequestObjectProcessingApplied() returns false, authorization requests from this client are processed as if require_signed_request_object client metadata of this client is true. The metadata is defined in JAR (JWT Secured Authorization Request).

        Returns:
        true if authorization requests from this client are always required to utilize a request object.
        Since:
        2.80

      • setRequestObjectRequired

        public Client setRequestObjectRequired​(boolean required)
        Set the flag indicating whether authorization requests from this client are always required to utilize a request object by using either request or request_uri request parameter.

        See the description of isRequestObjectRequired() for details.

        Parameters:
        required - true to require that authorization requests from this client always utilize a request object.
        Returns:
        this object.
        Since:
        2.80

      • getAttributes

        public Pair[] getAttributes()
        Get attributes.

        The feature of "client attributes" is available since Authlete 2.2.

        Returns:
        Attributes.
        Since:
        2.87

      • setAttributes

        public Client setAttributes​(Pair[] attributes)
        Set attributes.

        The feature of "client attributes" is available since Authlete 2.2.

        Parameters:
        attributes - Attributes.
        Returns:
        this object.
        Since:
        2.87

      • loadAttributes

        public Client loadAttributes​(Iterable<Pair> attributes)
        Load attributes from an iterable.

        The feature of "client attributes" is available since Authlete 2.2.

        Parameters:
        attributes - Attributes.
        Returns:
        this object.
        Since:
        2.89

      • isFrontChannelRequestObjectEncryptionRequired

        public boolean isFrontChannelRequestObjectEncryptionRequired()
        Get the flag indicating whether encryption of request object is required when the request object is passed through the front channel.

        This flag does not affect the processing of request objects at the Pushed Authorization Request Endpoint, which is defined in RFC 9126 OAuth 2.0 Pushed Authorization Requests. Unecrypted request objects are accepted at the endpoint even if this flag is true.

        This flag does not indicate whether a request object is always required. There is a different flag, requestObjectRequired, for the purpose. See the description of isRequestObjectRequired() for details.

        Even if this flag is false, encryption of request object is required if the Service.frontChannelRequestObjectEncryptionRequired flag is true.

        Returns:
        true if encryption of request object is required when the request object is passed through the front channel.
        Since:
        2.96
        See Also:
        isRequestObjectRequired(), Service.isFrontChannelRequestObjectEncryptionRequired()

      • setFrontChannelRequestObjectEncryptionRequired

        public Client setFrontChannelRequestObjectEncryptionRequired​(boolean required)
        Set the flag indicating whether encryption of request object is required when the request object is passed through the front channel.

        This flag does not affect the processing of request objects at the Pushed Authorization Request Endpoint, which is defined in RFC 9126 OAuth 2.0 Pushed Authorization Requests. Unecrypted request objects are accepted at the endpoint even if this flag is true.

        This flag does not indicate whether a request object is always required. There is a different flag, requestObjectRequired, for the purpose. See the description of isRequestObjectRequired() for details.

        Even if this flag is false, encryption of request object is required if the Service.frontChannelRequestObjectEncryptionRequired flag is true.

        Parameters:
        required - true to require that request objects passed through the front channel be encrypted.
        Returns:
        this object.
        Since:
        2.96
        See Also:
        isRequestObjectRequired(), Service.isFrontChannelRequestObjectEncryptionRequired()

      • isRequestObjectEncryptionAlgMatchRequired

        public boolean isRequestObjectEncryptionAlgMatchRequired()
        Get the flag indicating whether the JWE alg of encrypted request object must match the request_object_encryption_alg client metadata.

        The request_object_encryption_alg client metadata itself is defined in OpenID Connect Dynamic Client Registration 1.0 as follows.

        request_object_encryption_alg

        OPTIONAL. JWE [JWE] alg algorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to the OP. This parameter SHOULD be included when symmetric encryption will be used, since this signals to the OP that a client_secret value needs to be returned from which the symmetric key will be derived, that might not otherwise be returned. The RP MAY still use other supported encryption algorithms or send unencrypted Request Objects, even when this parameter is present. If both signing and encryption are requested, the Request Object will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The default, if omitted, is that the RP is not declaring whether it might encrypt any Request Objects.

        The point here is "The RP MAY still use other supported encryption algorithms or send unencrypted Request Objects, even when this parameter is present."

        The property that represents the client metadata is requestEncryptionAlg. See the description of getRequestEncryptionAlg() for details.

        Even if this flag is false, the match is required if the Service.requestObjectEncryptionAlgMatchRequired flag is true.

        Returns:
        true if the JWE alg of encrypted request object must match the request_object_encryption_alg client metadata.
        Since:
        2.96
        See Also:
        getRequestEncryptionAlg(), Service.isRequestObjectEncryptionAlgMatchRequired()

      • setRequestObjectEncryptionAlgMatchRequired

        public Client setRequestObjectEncryptionAlgMatchRequired​(boolean required)
        Set the flag indicating whether the JWE alg of encrypted request object must match the request_object_encryption_alg client metadata.

        The request_object_encryption_alg client metadata itself is defined in OpenID Connect Dynamic Client Registration 1.0 as follows.

        request_object_encryption_alg

        OPTIONAL. JWE [JWE] alg algorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to the OP. This parameter SHOULD be included when symmetric encryption will be used, since this signals to the OP that a client_secret value needs to be returned from which the symmetric key will be derived, that might not otherwise be returned. The RP MAY still use other supported encryption algorithms or send unencrypted Request Objects, even when this parameter is present. If both signing and encryption are requested, the Request Object will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The default, if omitted, is that the RP is not declaring whether it might encrypt any Request Objects.

        The point here is "The RP MAY still use other supported encryption algorithms or send unencrypted Request Objects, even when this parameter is present."

        The property that represents the client metadata is requestEncryptionAlg. See the description of getRequestEncryptionAlg() for details.

        Even if this flag is false, the match is required if the Service.requestObjectEncryptionAlgMatchRequired flag is true.

        Parameters:
        required - true to require that the JWE alg of encrypted request object match the request_object_encryption_alg client metadata.
        Returns:
        this object.
        Since:
        2.96
        See Also:
        getRequestEncryptionAlg(), Service.isRequestObjectEncryptionAlgMatchRequired()

      • isRequestObjectEncryptionEncMatchRequired

        public boolean isRequestObjectEncryptionEncMatchRequired()
        Get the flag indicating whether the JWE enc of encrypted request object must match the request_object_encryption_enc client metadata.

        The request_object_encryption_enc client metadata itself is defined in OpenID Connect Dynamic Client Registration 1.0 as follows.

        request_object_encryption_enc

        OPTIONAL. JWE enc algorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to the OP. If request_object_encryption_alg is specified, the default for this value is A128CBC-HS256. When request_object_encryption_enc is included, request_object_encryption_alg MUST also be provided.

        The property that represents the client metadata is requestEncryptionEnc. See the description of getRequestEncryptionEnc() for details.

        Even if this flag is false, the match is required if the Service.requestObjectEncryptionEncMatchRequired flag is true.

        Returns:
        true if the JWE enc of encrypted request object must match the request_object_encryption_enc client metadata.
        Since:
        2.96
        See Also:
        getRequestEncryptionEnc(), Service.isRequestObjectEncryptionEncMatchRequired()

      • setRequestObjectEncryptionEncMatchRequired

        public Client setRequestObjectEncryptionEncMatchRequired​(boolean required)
        Set the flag indicating whether the JWE enc of encrypted request object must match the request_object_encryption_enc client metadata.

        The request_object_encryption_enc client metadata itself is defined in OpenID Connect Dynamic Client Registration 1.0 as follows.

        request_object_encryption_enc

        OPTIONAL. JWE enc algorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to the OP. If request_object_encryption_alg is specified, the default for this value is A128CBC-HS256. When request_object_encryption_enc is included, request_object_encryption_alg MUST also be provided.

        The property that represents the client metadata is requestEncryptionEnc. See the description of getRequestEncryptionEnc() for details.

        Even if this flag is false, the match is required if the Service.requestObjectEncryptionEncMatchRequired flag is true.

        Parameters:
        required - true to require that the JWE enc of encrypted request object match the request_object_encryption_enc client metadata.
        Returns:
        this object.
        Since:
        2.96
        See Also:
        getRequestEncryptionEnc(), Service.isRequestObjectEncryptionEncMatchRequired()

      • getDigestAlgorithm

        public String getDigestAlgorithm()
        Get the digest algorithm that this client requests the server to use when it computes digest values of external attachments, which may be referenced from within ID tokens or userinfo responses (or any place that can have the verified_claims claim).

        Possible values are listed in the Hash Algorithm Registry of IANA (Internet Assigned Numbers Authority), but the server does not necessarily support all the values there. When this property is omitted, "sha-256" is used as the default algorithm.

        This property corresponds to the digest_algorithm client metadata which was defined by the third implementer's draft of "OpenID Connect for Identity Assurance 1.0".

        This property is recognized by Authlete 2.3 and newer versions.

        Returns:
        The digest algorithm that this client requests the server to use when it computes digest values of external attachments.
        Since:
        3.13
        See Also:
        OpenID Connect for Identity Assurance 1.0, Hash Algorithm Registry

      • setDigestAlgorithm

        public Client setDigestAlgorithm​(String algorithm)
        Set the digest algorithm that this client requests the server to use when it computes digest values of external attachments, which may be referenced from within ID tokens or userinfo responses (or any place that can have the verified_claims claim).

        Possible values are listed in the Hash Algorithm Registry of IANA (Internet Assigned Numbers Authority), but the server does not necessarily support all the values there. When this property is omitted, "sha-256" is used as the default algorithm.

        This property corresponds to the digest_algorithm client metadata which was defined by the third implementer's draft of "OpenID Connect for Identity Assurance 1.0".

        This property is recognized by Authlete 2.3 and newer versions.

        Parameters:
        algorithm - The digest algorithm that this client requests the server to use when it computes digest values of external attachments.
        Returns:
        this object.
        Since:
        3.13
        See Also:
        OpenID Connect for Identity Assurance 1.0, Hash Algorithm Registry

      • isSingleAccessTokenPerSubject

        public boolean isSingleAccessTokenPerSubject()
        Get the flag which indicates whether the number of access tokens per subject (and per client) is at most one or can be more.

        If this flag is true, an attempt to issue a new access token invalidates existing access tokens associated with the same subject and the same client.

        Even if this flag is false, invalidation of existing access tokens is executed if the singleAccessTokenPerSubject property of the Service this client application belongs to is true. (cf. Service.isSingleAccessTokenPerSubject())

        Note that, however, attempts by Client Credentials Flow do not invalidate existing access tokens because access tokens issued by Client Credentials Flow are not associated with any end-user's subject. Also note that an attempt by Refresh Token Flow invalidates the coupled access token only and this invalidation is always performed regardless of whether this flag is true or false.

        Returns:
        true if the number of access tokens per subject (and per client) is at most one.
        Since:
        3.25, Authlete 2.3
        See Also:
        Service.isSingleAccessTokenPerSubject()

      • setSingleAccessTokenPerSubject

        public Client setSingleAccessTokenPerSubject​(boolean single)
        Set the flag which indicates whether the number of access tokens per subject (and per client) is at most one or can be more.

        If true is set, an attempt to issue a new access token invalidates existing access tokens associated with the same subject and the same client.

        Even if this flag is false, invalidation of existing access tokens is executed if the singleAccessTokenPerSubject property of the Service this client application belongs to is true. (cf. Service.setSingleAccessTokenPerSubject(boolean))

        Note that, however, attempts by Client Credentials Flow do not invalidate existing access tokens because access tokens issued by Client Credentials Flow are not associated with any end-user's subject. Also note that an attempt by Refresh Token Flow invalidates the coupled access token only and this invalidation is always performed regardless of whether this flag is true or false.

        Parameters:
        single - true to set the maximum number of access tokens per subject (and per client) to 1.
        Returns:
        this object.
        Since:
        3.25, Authlete 2.3
        See Also:
        Service.setSingleAccessTokenPerSubject(boolean)

      • getEntityId

        public URI getEntityId()
        Get the entity ID of this client.

        This property holds a non-null value only when this client has been registered by the mechanism defined in OpenID Federation 1.0.

        Returns:
        The entity ID.
        Since:
        3.33, Authlete 2.3
        See Also:
        OpenID Federation 1.0

      • setEntityId

        public Client setEntityId​(URI entityId)
        Set the entity ID of this client.

        This property holds a non-null value only when this client has been registered by the mechanism defined in OpenID Federation 1.0.

        Parameters:
        entityId - The entity ID.
        Returns:
        this object.
        Since:
        3.33, Authlete 2.3
        See Also:
        OpenID Federation 1.0

      • getTrustAnchorId

        public URI getTrustAnchorId()
        Get the entity ID of the trust anchor of the trust chain that was used when this client was registered or updated by the mechanism defined in OpenID Federation 1.0.
        Returns:
        The entity ID of the trust anchor.
        Since:
        3.33, Authlete 2.3
        See Also:
        OpenID Federation 1.0

      • setTrustAnchorId

        public Client setTrustAnchorId​(URI trustAnchorId)
        Set the entity ID of the trust anchor of the trust chain that was used when this client was registered or updated by the mechanism defined in OpenID Federation 1.0.
        Parameters:
        trustAnchorId - The entity ID of the trust anchor.
        Returns:
        this object.
        Since:
        3.33, Authlete 2.3
        See Also:
        OpenID Federation 1.0

      • getTrustChain

        public String[] getTrustChain()
        Get the trust chain that was used when this client was registered or updated by the mechanism defined in OpenID Federation 1.0.

        The elements in the array are entity statements that are ordered from the entity configuration of this client to the entity statement of the trust anchor. There may be one or more entity statements of intermediate entities in between. The format of the elements is a signed JWT (JWS).

        Returns:
        The trust chain.
        Since:
        3.33, Authlete 2.3
        See Also:
        OpenID Federation 1.0

      • setTrustChain

        public Client setTrustChain​(String[] trustChain)
        Set the trust chain that was used when this client was registered or updated by the mechanism defined in OpenID Federation 1.0.

        The elements in the array are entity statements that are ordered from the entity configuration of this client to the entity statement of the trust anchor. There may be one or more entity statements of intermediate entities in between. The format of the elements is a signed JWT (JWS).

        Parameters:
        trustChain - The trust chain.
        Returns:
        this object.
        Since:
        3.33, Authlete 2.3
        See Also:
        OpenID Federation 1.0

      • getTrustChainExpiresAt

        public long getTrustChainExpiresAt()
        Get the expiration time of the trust chain that was used when this client was registered or updated by the mechanism defined in OpenID Federation 1.0. The value is represented as milliseconds elapsed since the Unix epoch (1970-01-01).
        Returns:
        The expiration time of the trust chain.
        Since:
        3.33, Authlete 2.3
        See Also:
        OpenID Federation 1.0

      • setTrustChainExpiresAt

        public Client setTrustChainExpiresAt​(long expiresAt)
        Set the expiration time of the trust chain that was used when this client was registered or updated by the mechanism defined in OpenID Federation 1.0. The value is represented as milliseconds elapsed since the Unix epoch (1970-01-01).
        Parameters:
        expiresAt - The expiration time of the trust chain.
        Returns:
        this object.
        Since:
        3.33, Authlete 2.3
        See Also:
        OpenID Federation 1.0

      • getTrustChainUpdatedAt

        public long getTrustChainUpdatedAt()
        Get the time at which the trust chain was updated by the mechanism defined in OpenID Federation 1.0.
        Returns:
        The time at which the trust chain was updated.
        Since:
        3.33, Authlete 2.3
        See Also:
        OpenID Federation 1.0

      • setTrustChainUpdatedAt

        public Client setTrustChainUpdatedAt​(long updatedAt)
        Set the time at which the trust chain was updated by the mechanism defined in OpenID Federation 1.0.
        Parameters:
        updatedAt - The time at which the trust chain was updated.
        Returns:
        this object.
        Since:
        3.33, Authlete 2.3
        See Also:
        OpenID Federation 1.0

      • getOrganizationName

        public String getOrganizationName()
        Get the human-readable name representing the organization that manages this client. This property corresponds to the organization_name client metadata that is defined in OpenID Federation 1.0.
        Returns:
        The name of the organization that manages this client.
        Since:
        3.34, Authlete 2.3
        See Also:
        OpenID Federation 1.0

      • setOrganizationName

        public Client setOrganizationName​(String name)
        Set the human-readable name representing the organization that manages this client. This property corresponds to the organization_name client metadata that is defined in OpenID Federation 1.0.
        Parameters:
        name - The name of the organization that manages this client.
        Returns:
        this object.
        Since:
        3.34, Authlete 2.3
        See Also:
        OpenID Federation 1.0

      • getSignedJwksUri

        public URI getSignedJwksUri()
        Get the URI of the endpoint that returns this client's JWK Set document in the JWT format. This property corresponds to the signed_jwks_uri client metadata defined in OpenID Federation 1.0.
        Returns:
        The URI of the endpoint that returns this client's JWK Set document in the JWT format.
        Since:
        3.34, Authlete 2.3
        See Also:
        OpenID Federation 1.0

      • setSignedJwksUri

        public Client setSignedJwksUri​(URI uri)
        Set the URI of the endpoint that returns this client's JWK Set document in the JWT format. This property corresponds to the signed_jwks_uri client metadata defined in OpenID Federation 1.0.
        Parameters:
        uri - The URI of the endpoint that returns this client's JWK Set document in the JWT format.
        Returns:
        this object.
        Since:
        3.34, Authlete 2.3
        See Also:
        OpenID Federation 1.0

      • getClientRegistrationTypes

        public ClientRegistrationType[] getClientRegistrationTypes()
        Get the client registration types that the client has declared it may use.

        This property corresponds to the client_registration_types client metadata defined in OpenID Federation 1.0.

        Returns:
        Client registration types.
        Since:
        3.36, Authlete 2.3
        See Also:
        OpenID Federation 1.0

      • setClientRegistrationTypes

        public Client setClientRegistrationTypes​(ClientRegistrationType[] types)
        Set the client registration types that the client has declared it may use.

        This property corresponds to the client_registration_types client metadata defined in OpenID Federation 1.0.

        Parameters:
        types - Client registration types.
        Returns:
        this object.
        See Also:
        OpenID Federation 1.0

      • getRsSignedRequestKeyId

        public String getRsSignedRequestKeyId()
        Get the key ID of the JWK containing the public key used to verify HTTP message signatures signed by this client.

        When an HTTP message signature signed by this client includes the keyid parameter (RFC 9421 HTTP Message Signatures, Section 2.3. Signature Parameters), the specified key ID is used to identify the public key. If the parameter is missing, the value of this rsSignedRequestKeyId property is referenced as a fallback. If both are missing, HTTP message signature verification fails.

        The JWK identified by the key ID must include the alg property (RFC 7518 JSON Web Algorithms (JWA), Section 3.1. "alg" (Algorithm) Header Parameter Values for JWS).

        Returns:
        The key ID of the JWK containing the public key used to verify HTTP message signatures signed by this client.
        Since:
        3.39, Authlete 2.3

      • setRsSignedRequestKeyId

        public Client setRsSignedRequestKeyId​(String keyId)
        Set the key ID of the JWK containing the public key used to verify HTTP message signatures signed by this client.

        When an HTTP message signature signed by this client includes the keyid parameter (RFC 9421 HTTP Message Signatures, Section 2.3. Signature Parameters), the specified key ID is used to identify the public key. If the parameter is missing, the value of this rsSignedRequestKeyId property is referenced as a fallback. If both are missing, HTTP message signature verification fails.

        The JWK identified by the key ID must include the alg property (RFC 7518 JSON Web Algorithms (JWA), Section 3.1. "alg" (Algorithm) Header Parameter Values for JWS).

        Parameters:
        keyId - The key ID of the JWK containing the public key used to verify HTTP message signatures signed by this client.
        Returns:
        this object.
        Since:
        3.39, Authlete 2.3

      • isRsRequestSigned

        @Deprecated
public boolean isRsRequestSigned()
        Deprecated.
        Get whether the client is expected to sign requests to the resource server. If true, introspection requests and userinfo requests will be checked for a signature and the signature will be validated against the key identified by getRsSignedRequestKeyId().
        Returns:
        true if the client signs requests to the resource server, false otherwise.
        Since:
        3.39, Authlete 2.3

      • setRsRequestSigned

        @Deprecated
public Client setRsRequestSigned​(boolean signed)
        Deprecated.
        Set whether the client is expected to sign requests to the resource server. If true, introspection requests and userinfo requests will be checked for a signature and the will be signature validated against the key identified by getRsSignedRequestKeyId().
        Parameters:
        signed - true if the client signs requests to the resource server, false otherwise.
        Returns:
        this object.
        Since:
        3.39, Authlete 2.3

      • isAutomaticallyRegistered

        public boolean isAutomaticallyRegistered()
        Get the flag indicating whether this client was registered by the "automatic" client registration of OpenID Federation.
        Returns:
        true if this client was registered by the automatic client registration.
        Since:
        3.46, Authlete 2.3
        See Also:
        OpenID Federation 1.0

      • setAutomaticallyRegistered

        public Client setAutomaticallyRegistered​(boolean auto)
        Set the flag indicating whether this client was registered by the "automatic" client registration of OpenID Federation.
        Parameters:
        auto - true to indicate that this client was registered by the automatic client registration.
        Returns:
        this object.
        Since:
        3.46, Authlete 2.3
        See Also:
        OpenID Federation 1.0

      • isExplicitlyRegistered

        public boolean isExplicitlyRegistered()
        Get the flag indicating whether this client was registered by the "explicit" client registration of OpenID Federation.
        Returns:
        true if this client was registered by the explicit client registration.
        Since:
        3.46, Authlete 2.3
        See Also:
        OpenID Federation 1.0

      • setExplicitlyRegistered

        public Client setExplicitlyRegistered​(boolean explicit)
        Set the flag indicating whether this client was registered by the "explicit" client registration of OpenID Federation.
        Parameters:
        explicit - true to indicate that this client was registered by the explicit client registration.
        Returns:
        this object.
        Since:
        3.46, Authlete 2.3
        See Also:
        OpenID Federation 1.0

      • setDpopRequired

        public Client setDpopRequired​(boolean dpopRequired)
        Get the flag indicating whether this client requires DPoP access tokens.
        Parameters:
        required - true to indicate that this client requires DPoP access tokens.
        Returns:
        this object.
        Since:
        3.49, Authlete 2.3
        See Also:
        RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP)

      • getCredentialOfferEndpoint

        public URI getCredentialOfferEndpoint()
        Get the URL of the credential offer endpoint at which this client (wallet) receives a credential offer from the credential issuer.

        This property corresponds to the credential_offer_endpoint client metadata that is defined in OpenID for Verifiable Credential Issuance.

        Returns:
        The URL of the credential offer endpoint.
        Since:
        3.59, Authlete 3.0
        See Also:
        OpenID for Verifiable Credential Issuance

      • setCredentialOfferEndpoint

        public Client setCredentialOfferEndpoint​(URI endpoint)
        Set the URL of the credential offer endpoint at which this client (wallet) receives a credential offer from the credential issuer.

        This property corresponds to the credential_offer_endpoint client metadata that is defined in OpenID for Verifiable Credential Issuance.

        Parameters:
        endpoint - The URL of the credential offer endpoint.
        Returns:
        this object.
        Since:
        3.59, Authlete 3.0
        See Also:
        OpenID for Verifiable Credential Issuance

      • isLocked

        public boolean isLocked()
        Get the flag which indicates whether this client is locked.
        Returns:
        true if this client is locked.
        Since:
        3.75

      • setLocked

        public Client setLocked​(boolean locked)
        Set the flag which indicates whether this client is locked.
        Parameters:
        locked - true to indicate that this client is locked.
        Returns:
        this object.
        Since:
        3.75

      • getFapiModes

        public FapiMode[] getFapiModes()
        Get the FAPI modes for this client.

        When the value of this property is not null, Authlete always processes requests from this client based on the specified FAPI modes if the FAPI feature is enabled in Authlete, the FAPI profile is supported by the service, and the FAPI modes for the service are set to null.

        For instance, when this property is set to an array containing FAPI1_ADVANCED only, Authlete always processes requests from this client based on " Financial-grade API Security Profile 1.0 - Part 2: Advanced" if the FAPI feature is enabled in Authlete, the FAPI profile is supported by the service, and the FAPI modes for the service are set to null.

        Returns:
        The FAPI modes for this client.
        Since:
        3.80, Authlete 3.0
        See Also:
        Financial-grade API Security Profile 1.0 - Part 2: Advanced

      • setFapiModes

        public Client setFapiModes​(FapiMode[] modes)
        Set the FAPI modes for this client.

        When the value of this property is not null, Authlete always processes requests from this client based on the specified FAPI modes if the FAPI feature is enabled in Authlete, the FAPI profile is supported by the service, and the FAPI modes for the service are set to null.

        For instance, when this property is set to an array containing FAPI1_ADVANCED only, Authlete always processes requests from this client based on " Financial-grade API Security Profile 1.0 - Part 2: Advanced" if the FAPI feature is enabled in Authlete, the FAPI profile is supported by the service, and the FAPI modes for the service are set to null.

        Parameters:
        modes - The FAPI modes for this client.
        Returns:
        this object.
        Since:
        3.80, Authlete 3.0
        See Also:
        Financial-grade API Security Profile 1.0 - Part 2: Advanced

      • isCredentialResponseEncryptionRequired

        public boolean isCredentialResponseEncryptionRequired()
        Get the flag indicating whether credential responses to this client must be always encrypted or not.

        When this flag is true, credential requests from this client must always include encryption-related parameters such as credential_response_encryption_alg.

        Even if this flag is false, encryption-related parameters are always required when the service's credentialIssuerMetadata.requireCredentialResponseEncryption property is true.

        Returns:
        true if credential responses to this client must be always encrypted.
        Since:
        3.86, Authlete 3.0
        See Also:
        OpenID for Verifiable Credential Issuance

      • setCredentialResponseEncryptionRequired

        public Client setCredentialResponseEncryptionRequired​(boolean required)
        Set the flag indicating whether credential responses to this client must be always encrypted or not.

        When this flag is true, credential requests from this client must always include encryption-related parameters such as credential_response_encryption_alg.

        Even if this flag is false, encryption-related parameters are always required when the service's credentialIssuerMetadata.requireCredentialResponseEncryption property is true.

        Parameters:
        required - true to require credential requests from this client to always include encryption-related parameters such as credential_response_encryption_alg.
        Returns:
        this object.
        Since:
        3.86, Authlete 3.0
        See Also:
        OpenID for Verifiable Credential Issuance

      • toStandardMetadata

        public Map<String,​Object> toStandardMetadata()
        Get a Map instance that represents a set of standard client metadata.

        This method is an alias of toStandardMetadata(null).

        Returns:
        A Map instance that represents a set of standard client metadata.

      • isInScopeForTokenMigration

        public boolean isInScopeForTokenMigration()
        Get the value that indicates whether this Client is in scope for token migration.
        Returns:
        The value that indicates whether this Client is in scope for token migration.
        Since:
        Authlete 4.23

      • setInScopeForTokenMigration

        public Client setInScopeForTokenMigration​(boolean inScopeForTokenMigration)
        Sets the flag that indicates that this Client is in scope for token migration.
        Parameters:
        inScopeForTokenMigration - The new value for the flag to indicates whether this Client is in scope for token migration.
        Returns:
        The Client after setting the provided property.
        Since:
        Authlete 4.23