public class Service extends Object implements Serializable
Some properties correspond to the ones listed in OpenID Provider Metadata in OpenID Connect Discovery 1.0
When getAccessTokenSignAlg() returns a non-null value, access
tokens issued by this service become JWTs. The value returned by the
method is used as the signature algorithm of the JWTs. When the method
returns null, access tokens issued by this service are random strings as
before.
A JWT-based access token has the following claims.
claim name type description scopestring Space-delimited scope names. client_idstring Client ID. expinteger Time at which this access token will expire. Seconds since the Unix epoch. iatinteger Time at which this access token was issued. Seconds since the Unix epoch. substring The subject (unique identifier) of the resource owner who approved issue of this access token. This claim does not exist or its value is null if this access token was issued by resource owner password credentials flow. issstring The issuer identifier of this service. jtistring The unique identifier of this JWT. The value of this claim itself is the random-string version of this access token. cnfobject If this access token is bound to a client certificate, this claim is included. The type of its value is object and the sub object contains a
"x5t#S256"claim. The value of the"x5t#S256"claim is the X.509 Certificate SHA-256 thumbprint of the client certificate. See "3.1. JWT Certificate Thumbprint Confirmation Method" of RFC 8705 (OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens) for details.If this access token is bound to a public key of DPoP, this claim is included. The type of its value is object and the sub object contains a
"jkt"claim. The value of the"jkt"claim is the thumbprint of the public key. See "OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer" for details.audarray If this access token has been generated with target resources, this claim is included. See RFC 8707 (Resource Indicators for OAuth 2.0) for details. authorization_detailsarray If this access token has been generated with authorization_details, this claim is included. See "OAuth 2.0 Rich Authorization Requests" for details.grant_idstring The grant ID tied to this access token. This field may be set if the authorization request which created this access token included grant_idorgrant_management_action=create. See "Grant Management for OAuth 2.0" for details about the request parameters.grantobject The grant this access token has inherited. This field may be set if the authorization request which created this access token included
grant_management_action=update. See "Grant Management for OAuth 2.0" for details about the request parameter.The format of this JSON object is the same as the response from the grant management endpoint which is defined in "Grant Management for OAuth 2.0".
Visible (= not-hidden) extra properties of the access token are embedded in the JWT as custom claims. Regarding extra properties, see the Authlete API document.
The feature of JWT-based access token is available since Authlete 2.1. Access tokens issued by older Authlete versions are always random strings.
"Resource Indicators for OAuth 2.0" is supported since Authlete 2.2. The
resourcerequest parameter given to older Authlete versions is just ignored, so JWT-based access tokens won't include theaudclaim."OAuth 2.0 Rich Authorization Requests" is supported since Authlete 2.2. The
authorization_detailsrequest parameter given to older Authlete versions is just ignored, so JWT-based access tokens won't include theauthorization_detailsclaim."Grant Management for OAuth 2.0" is supported since Authlete 2.3. The
grant_idandgrant_management_actionrequest parameters given to older Authlete versions are just ignored, so JWT-based access token won't include thegrant_idandgrantclaims.
| Constructor and Description |
|---|
Service() |
| Modifier and Type | Method and Description |
|---|---|
long |
getAccessTokenDuration()
Get the duration of access tokens in seconds; the value of
expires_in in access token responses. |
JWSAlg |
getAccessTokenSignAlg()
Get the signature algorithm of access tokens.
|
String |
getAccessTokenSignatureKeyId()
Get the key ID to identify a JWK used for signing access tokens.
|
String |
getAccessTokenType()
Get the access token type; the value of
token_type in
access token responses. |
int |
getAllowableClockSkew()
Get the allowable clock skew between the server and clients in seconds.
|
long |
getApiKey()
Get the API key.
|
String |
getApiSecret()
Get the API secret.
|
Pair[] |
getAttributes()
Get attributes.
|
String |
getAuthenticationCallbackApiKey()
Get the API key to access the authentication callback endpoint.
|
String |
getAuthenticationCallbackApiSecret()
Get the API secret to access the authentication callback endpoint.
|
URI |
getAuthenticationCallbackEndpoint()
Get the URI of the authentication callback endpoint.
|
URI |
getAuthorizationEndpoint()
Get the URI of the authorization endpoint.
|
long |
getAuthorizationResponseDuration()
Get the duration of authorization response JWTs.
|
String |
getAuthorizationSignatureKeyId()
Get the key ID to identify a JWK used for signing authorization
responses using an asymmetric key.
|
URI |
getBackchannelAuthenticationEndpoint()
Get the URI of the backchannel authentication endpoint.
|
int |
getBackchannelAuthReqIdDuration()
Get the duration of backchannel authentication request IDs issued from
the backchannel authentication endpoint in seconds.
|
int |
getBackchannelPollingInterval()
Get the minimum interval between polling requests to the token endpoint
from client applications in seconds.
|
int |
getClientsPerDeveloper()
Get the number of client applications that one developer can create.
|
long |
getCreatedAt()
Get the time at which this service was created.
|
String |
getDescription()
Get the description.
|
String |
getDeveloperAuthenticationCallbackApiKey()
Get the API key to access the developer authentication callback endpoint.
|
String |
getDeveloperAuthenticationCallbackApiSecret()
Get the API secret to access the developer authentication callback endpoint.
|
URI |
getDeveloperAuthenticationCallbackEndpoint()
Get the URI of the developer authentication callback endpoint.
|
SnsCredentials[] |
getDeveloperSnsCredentials()
Get the list of SNS credentials that Authlete uses to support social login
at the developer console.
|
URI |
getDeviceAuthorizationEndpoint()
Get the URI of the device authorization endpoint.
|
int |
getDeviceFlowCodeDuration()
Get the duration of device verification codes and end-user verification
codes issued from the device authorization endpoint in seconds.
|
int |
getDeviceFlowPollingInterval()
Get the minimum interval between polling requests to the token endpoint
from client applications in seconds in device flow.
|
URI |
getDeviceVerificationUri()
Get the verification URI for the device flow.
|
URI |
getDeviceVerificationUriComplete()
Get the verification URI for the device flow with a placeholder for a
user code.
|
URI |
getEndSessionEndpoint()
Get the end session endpoint for the service.
|
URI |
getGrantManagementEndpoint()
Get the URL of the grant management endpoint.
|
Hsk[] |
getHsks()
Get information about keys managed on HSMs (Hardware Security Modules).
|
long |
getIdTokenDuration()
Get the duration of ID tokens in seconds.
|
String |
getIdTokenSignatureKeyId()
Get the key ID to identify a JWK used for ID token signature using
an asymmetric key.
|
URI |
getIntrospectionEndpoint()
Get the URI of the introspection endpoint.
|
URI |
getIssuer()
Get the issuer identifier of this OpenID provider.
|
String |
getJwks()
Get the JSON Web Key Set of the service.
|
URI |
getJwksUri()
Get the URI of the service's JSON Web Key Set.
|
Pair[] |
getMetadata()
Get metadata.
|
long |
getModifiedAt()
Get the time at which this service was last modified.
|
NamedUri[] |
getMtlsEndpointAliases()
Get the MTLS endpoint aliases.
|
int |
getNumber()
Get the service number.
|
URI |
getPolicyUri()
Get the URI that this OpenID Provider provides to the person
registering the client to read about the OP's requirements on
how the Relying Party can use the data provided by the OP.
|
String |
getPredefinedTransformedClaims()
Get the transformed claims predefined by this service in JSON format.
|
long |
getPushedAuthReqDuration()
Get the duration of pushed authorization requests.
|
URI |
getPushedAuthReqEndpoint()
Get the URI of the pushed authorization request endpoint.
|
long |
getRefreshTokenDuration()
Get the duration of refresh tokens in seconds.
|
URI |
getRegistrationEndpoint()
Get the URI of the registration endpoint.
|
URI |
getRegistrationManagementEndpoint()
Get the URI of the registration management endpoint.
|
URI |
getRevocationEndpoint()
Get the URI of the token revocation endpoint.
|
URI |
getServiceDocumentation()
Get the URI of a page containing human-readable information
that developers might want or need to know when using this
OpenID Provider.
|
String |
getServiceName()
Get the service name.
|
int |
getServiceOwnerNumber()
Get the service owner number.
|
SnsCredentials[] |
getSnsCredentials()
Get the list of SNS credentials that Authlete uses to support social login.
|
String[] |
getSupportedAcrs()
Get the supported ACRs (authentication context class references).
|
String[] |
getSupportedAuthorizationDetailsTypes()
Get the supported authorization details types that can be used as values
of the
"type" field in "authorization_details". |
DeliveryMode[] |
getSupportedBackchannelTokenDeliveryModes()
Get the supported backchannel token delivery modes.
|
String[] |
getSupportedClaimLocales()
Get the supported claim locales.
|
String[] |
getSupportedClaims()
Get the supported claims.
|
ClaimType[] |
getSupportedClaimTypes()
Get the supported claim types.
|
String[] |
getSupportedCustomClientMetadata()
Get custom client metadata supported by this service.
|
Sns[] |
getSupportedDeveloperSnses()
Get the list of supported SNSes for social login at the developer console.
|
Display[] |
getSupportedDisplays()
Get the supported values of
display parameter passed to
the authorization endpoint. |
String[] |
getSupportedEvidence()
Get evidence supported by this service.
|
GrantType[] |
getSupportedGrantTypes()
Get the supported grant types.
|
String[] |
getSupportedIdentityDocuments()
Get identity documents supported by this service.
|
ClientAuthMethod[] |
getSupportedIntrospectionAuthMethods()
Get client authentication methods supported at the introspection endpoint.
|
ResponseType[] |
getSupportedResponseTypes()
Get the supported response types.
|
ClientAuthMethod[] |
getSupportedRevocationAuthMethods()
Get client authentication methods supported at the revocation endpoint.
|
Scope[] |
getSupportedScopes()
Get the supported scopes.
|
ServiceProfile[] |
getSupportedServiceProfiles()
Get the supported service profiles.
|
Sns[] |
getSupportedSnses()
Get the list of supported SNSes for social login at the authorization
endpoint.
|
ClientAuthMethod[] |
getSupportedTokenAuthMethods()
Get the supported client authentication methods at the token endpoint.
|
String[] |
getSupportedTrustFrameworks()
Get trust frameworks supported by this service.
|
String[] |
getSupportedUiLocales()
Get the supported UI locales.
|
String[] |
getSupportedVerificationMethods()
Get verification methods supported by this service.
|
String[] |
getSupportedVerifiedClaims()
Get verified claims supported by this service.
|
URI |
getTokenEndpoint()
Get the URI of the token endpoint.
|
URI |
getTosUri()
Get the URI that the OpenID Provider provides to the person
registering the client to read about the OP's terms of service.
|
String[] |
getTrustedRootCertificates()
Get the list of root certificates trusted by this service for PKI-based
client mutual TLS authentication.
|
UserCodeCharset |
getUserCodeCharset()
Get the character set for end-user verification codes
(
user_code) for Device Flow. |
int |
getUserCodeLength()
Get the length of end-user verification codes (
user_code) for
Device Flow. |
URI |
getUserInfoEndpoint()
Get the URI of the user info endpoint.
|
String |
getUserInfoSignatureKeyId()
Get the key ID to identify a JWK used for user info signature using
an asymmetric key.
|
boolean |
isBackchannelBindingMessageRequiredInFapi()
Get the boolean flag which indicates whether the
binding_message
request parameter is always required whenever a backchannel authentication
request is judged as a request for Financial-grade API. |
boolean |
isBackchannelUserCodeParameterSupported()
Get the boolean flag which indicates whether the
"user_code"
request parameter is supported at the backchannel authentication
endpoint. |
boolean |
isClaimShortcutRestrictive()
Get the flag indicating whether claims specified by shortcut scopes
(e.g.
|
boolean |
isClientIdAliasEnabled()
Get the flag which indicates whether the 'Client ID Alias' feature
is enabled or not.
|
boolean |
isDcrScopeUsedAsRequestable()
|
boolean |
isDirectAuthorizationEndpointEnabled()
Get the flag which indicates whether the direct authorization endpoint
is enabled or not.
|
boolean |
isDirectIntrospectionEndpointEnabled()
Get the flag which indicates whether the direct introspection endpoint
is enabled or not.
|
boolean |
isDirectJwksEndpointEnabled()
Get the flag which indicates whether the direct jwks endpoint
is enabled or not.
|
boolean |
isDirectRevocationEndpointEnabled()
Get the flag which indicates whether the direct revocation endpoint
is enabled or not.
|
boolean |
isDirectTokenEndpointEnabled()
Get the flag which indicates whether the direct token endpoint
is enabled or not.
|
boolean |
isDirectUserInfoEndpointEnabled()
Get the flag which indicates whether the direct userinfo endpoint
is enabled or not.
|
boolean |
isDynamicRegistrationSupported()
Get the flag which indicates whether the dynamic client registration is
supported.
|
boolean |
isErrorDescriptionOmitted()
Get the flag which indicates whether the
error_description
response parameter is omitted. |
boolean |
isErrorUriOmitted()
Get the flag which indicates whether the
error_uri response
parameter is omitted. |
boolean |
isFrontChannelRequestObjectEncryptionRequired()
Get the flag indicating whether encryption of request object is required
when the request object is passed through the front channel.
|
boolean |
isGrantManagementActionRequired()
Get the flag indicating whether every authorization request (and any
request serving as an authorization request such as CIBA backchannel
authentication request and device authorization request) must include
the
grant_management_action request parameter. |
boolean |
isHsmEnabled()
Get the flag indicating whether HSM (Hardware Security Module) support
is enabled for this service.
|
boolean |
isIssSuppressed()
Get the flag indicating whether generation of the
iss response
parameter is suppressed. |
boolean |
isMissingClientIdAllowed()
Get the flag indicating whether token requests from public clients without
the
client_id request parameter are allowed when the client can be
guessed from authorization_code or refresh_token. |
boolean |
isMutualTlsValidatePkiCertChain()
Determine whether this service validates certificate chains during PKI-based
client mutual TLS authentication.
|
boolean |
isNbfOptional()
Get the flag indicating whether the
nbf claim in the request
object is optional even when the authorization request is regarded as
a FAPI-Part2 request. |
boolean |
isParRequired()
Get the flag indicating whether this service requires that clients use
the pushed authorization request endpoint.
|
boolean |
isPkceRequired()
Get the flag which indicates whether the use of Proof Key for Code
Exchange (PKCE) is always required for authorization requests
by Authorization Code Flow.
|
boolean |
isPkceS256Required()
Get the flag which indicates whether
S256 is always required
as the code challenge method whenever PKCE (RFC 7636) is used. |
boolean |
isRefreshTokenDurationKept()
Get the flag which indicates whether the remaining duration of the used
refresh token is taken over to the newly issued refresh token.
|
boolean |
isRefreshTokenDurationReset()
Get the flag which indicates whether duration of refresh tokens are
reset when they are used even if the
refreshTokenKept property
of this service (cf. isRefreshTokenKept()) is true
(= even if "Refresh Token Continuous Use" is "Kept"). |
boolean |
isRefreshTokenKept()
Get the flag which indicates whether a refresh token remains valid
or gets renewed after its use.
|
boolean |
isRequestObjectEncryptionAlgMatchRequired()
Get the flag indicating whether the JWE
alg of encrypted request
object must match the request_object_encryption_alg client metadata
of the client that has sent the request object. |
boolean |
isRequestObjectEncryptionEncMatchRequired()
Get the flag indicating whether the JWE
enc of encrypted request
object must match the request_object_encryption_enc client metadata
of the client that has sent the request object. |
boolean |
isRequestObjectRequired()
Get the flag indicating whether this service requires that authorization
requests always utilize a request object by using either
request
or request_uri request parameter. |
boolean |
isScopeRequired()
Get the flag indicating whether requests that request no scope are
rejected or not.
|
boolean |
isSingleAccessTokenPerSubject()
Get the flag which indicates whether the number of access tokens
per subject (and per client) is at most one or can be more.
|
boolean |
isTlsClientCertificateBoundAccessTokens()
Does this service support issuing TLS client certificate bound access tokens?
|
boolean |
isTokenExpirationLinked()
Get the flag indicating whether the expiration date of an access token
never exceeds that of the corresponding refresh token.
|
boolean |
isTraditionalRequestObjectProcessingApplied()
Get the flag indicating whether a request object is processed based on
rules defined in OpenID Connect Core 1.0 or JAR (JWT Secured
Authorization Request).
|
boolean |
isUnauthorizedOnClientConfigSupported()
Get the flag indicating whether Authlete's
/api/client/registration
API uses UNAUTHORIZED
as a value of the action response parameter when appropriate. |
Service |
loadAttributes(Iterable<Pair> attributes)
Load attributes from an iterable.
|
Service |
setAccessTokenDuration(long duration)
Set the duration of access tokens in seconds; the value of
expires_in in access token responses. |
Service |
setAccessTokenSignAlg(JWSAlg alg)
Set the signature algorithm of access tokens.
|
Service |
setAccessTokenSignatureKeyId(String keyId)
Set the key ID to identify a JWK used for signing access tokens.
|
Service |
setAccessTokenType(String type)
Set the access token type; the value of
token_type in
access token responses. |
Service |
setAllowableClockSkew(int seconds)
Set the allowable clock skew between the server and clients in seconds.
|
Service |
setApiKey(long apiKey)
Set the API key.
|
Service |
setApiSecret(String apiSecret)
Set the API secret.
|
Service |
setAttributes(Pair[] attributes)
Set attributes.
|
Service |
setAuthenticationCallbackApiKey(String apiKey)
Set the API key to access the authentication callback endpoint.
|
Service |
setAuthenticationCallbackApiSecret(String apiSecret)
Set the API secret to access the authentication callback endpoint.
|
Service |
setAuthenticationCallbackEndpoint(URI endpoint)
Set the URI of the authentication callback endpoint.
|
Service |
setAuthorizationEndpoint(URI endpoint)
Set the URI of the authorization endpoint.
|
Service |
setAuthorizationResponseDuration(long duration)
Set the duration of authorization response JWTs.
|
Service |
setAuthorizationSignatureKeyId(String keyId)
Set the key ID to identify a JWK used for signing authorization responses
using an asymmetric key.
|
Service |
setBackchannelAuthenticationEndpoint(URI endpoint)
Set the URI of the backchannel authentication endpoint.
|
Service |
setBackchannelAuthReqIdDuration(int duration)
Set the duration of backchannel authentication request IDs issued from
the backchannel authentication endpoint in seconds.
|
Service |
setBackchannelBindingMessageRequiredInFapi(boolean required)
Set the boolean flag which indicates whether the
binding_message
request parameter is always required whenever a backchannel authentication
request is judged as a request for Financial-grade API. |
Service |
setBackchannelPollingInterval(int interval)
Set the minimum interval between polling requests to the token endpoint
from client applications in seconds.
|
Service |
setBackchannelUserCodeParameterSupported(boolean supported)
Set the boolean flag which indicates whether the
"user_code"
request parameter is supported at the backchannel authentication
endpoint. |
Service |
setClaimShortcutRestrictive(boolean restrictive)
Set the flag indicating whether claims specified by shortcut scopes
(e.g.
|
Service |
setClientIdAliasEnabled(boolean enabled)
Enable/disable the 'Client ID Alias' feature.
|
Service |
setClientsPerDeveloper(int count)
Set the number of client applications that one developer can create.
|
Service |
setCreatedAt(long createdAt)
Set the time at which this service was created.
|
Service |
setDcrScopeUsedAsRequestable(boolean used)
|
Service |
setDescription(String description)
Set the description.
|
Service |
setDeveloperAuthenticationCallbackApiKey(String apiKey)
Set the API key to access the developer authentication callback endpoint.
|
Service |
setDeveloperAuthenticationCallbackApiSecret(String apiSecret)
Set the API secret to access the developer authentication callback endpoint.
|
Service |
setDeveloperAuthenticationCallbackEndpoint(URI endpoint)
Set the URI of the developer authentication callback endpoint.
|
Service |
setDeveloperSnsCredentials(SnsCredentials[] snsCredentials)
Set the list of SNS credentials that Authlete uses to support social login
at the developer console.
|
Service |
setDeviceAuthorizationEndpoint(URI endpoint)
Set the URI of the device authorization endpoint.
|
Service |
setDeviceFlowCodeDuration(int duration)
Set the duration of device verification codes and end-user verification
codes issued from the device authorization endpoint in seconds.
|
Service |
setDeviceFlowPollingInterval(int interval)
Set the minimum interval between polling requests to the token endpoint
from client applications in seconds in device flow.
|
Service |
setDeviceVerificationUri(URI uri)
Set the verification URI for the device flow.
|
Service |
setDeviceVerificationUriComplete(URI uri)
Set the verification URI for the device flow with a placeholder for a
user code.
|
Service |
setDirectAuthorizationEndpointEnabled(boolean enabled)
Set the flag which indicates whether the direct authorization endpoint
is enabled or not.
|
Service |
setDirectIntrospectionEndpointEnabled(boolean enabled)
Set the flag which indicates whether the direct introspection endpoint
is enabled or not.
|
Service |
setDirectJwksEndpointEnabled(boolean enabled)
Set the flag which indicates whether the direct jwks endpoint
is enabled or not.
|
Service |
setDirectRevocationEndpointEnabled(boolean enabled)
Set the flag which indicates whether the direct revocation endpoint
is enabled or not.
|
Service |
setDirectTokenEndpointEnabled(boolean enabled)
Set the flag which indicates whether the direct token endpoint
is enabled or not.
|
Service |
setDirectUserInfoEndpointEnabled(boolean enabled)
Set the flag which indicates whether the direct userinfo endpoint
is enabled or not.
|
Service |
setDynamicRegistrationSupported(boolean enabled)
Set the flag which indicates whether dynamic client registration is supported.
|
Service |
setEndSessionEndpoint(URI endSessionEndpoint)
Set the end session endpoint for the service.
|
Service |
setErrorDescriptionOmitted(boolean omitted)
Omit or embed the
error_description response parameter in
error responses. |
Service |
setErrorUriOmitted(boolean omitted)
Omit or embed the
error_uri response parameter in error
responses. |
Service |
setFrontChannelRequestObjectEncryptionRequired(boolean required)
Set the flag indicating whether encryption of request object is required
when the request object is passed through the front channel.
|
Service |
setGrantManagementActionRequired(boolean required)
Set the flag indicating whether every authorization request (and any
request serving as an authorization request such as CIBA backchannel
authentication request and device authorization request) must include
the
grant_management_action request parameter. |
Service |
setGrantManagementEndpoint(URI endpoint)
Set the URL of the grant management endpoint.
|
Service |
setHsks(Hsk[] hsks)
Set information about keys managed on HSMs (Hardware Security Modules).
|
Service |
setHsmEnabled(boolean enabled)
Set the flag indicating whether HSM (Hardware Security Module) support
is enabled for this service.
|
Service |
setIdTokenDuration(long duration)
Set the duration of ID tokens in seconds.
|
Service |
setIdTokenSignatureKeyId(String keyId)
Set the key ID to identify a JWK used for ID token signature using
an asymmetric key.
|
Service |
setIntrospectionEndpoint(URI endpoint)
Set the URI of the introspection endpoint.
|
Service |
setIssSuppressed(boolean suppressed)
Set the flag indicating whether generation of the
iss response
parameter is suppressed. |
Service |
setIssuer(URI issuer)
Set the issuer identifier of this OpenID provider.
|
Service |
setJwks(String jwks)
Set the JSON Web Key Set of the service.
|
Service |
setJwksUri(URI uri)
Set the URI of the service's JSON Web Key Set.
|
Service |
setMetadata(Pair[] metadata)
Set metadata.
|
Service |
setMissingClientIdAllowed(boolean allowed)
Set the flag indicating whether token requests from public clients without
the
client_id request parameter are allowed when the client can be
guessed from authorization_code or refresh_token. |
Service |
setModifiedAt(long modifiedAt)
Set the time at which this service was last modified.
|
Service |
setMtlsEndpointAliases(NamedUri[] aliases)
Set the MTLS endpoint aliases.
|
Service |
setMutualTlsValidatePkiCertChain(boolean mutualTlsValidatePkiCertChain)
Set whether this service validates certificate chains during PKI-based
client mutual TLS authentication.
|
Service |
setNbfOptional(boolean optional)
Set the flag indicating whether the
nbf claim in the request
object is optional even when the authorization request is regarded as
a FAPI-Part2 request. |
Service |
setNumber(int number)
Set the service number.
|
Service |
setParRequired(boolean required)
Set the flag indicating whether this service requires that clients use
the pushed authorization request endpoint.
|
Service |
setPkceRequired(boolean required)
Set the flag which indicates whether the use of Proof Key for Code
Exchange (PKCE) is always required for authorization requests
by Authorization Code Flow.
|
Service |
setPkceS256Required(boolean required)
Set the flag which indicates whether
S256 is always required
as the code challenge method whenever PKCE (RFC 7636) is used. |
Service |
setPolicyUri(URI uri)
Set the URI that this OpenID Provider provides to the person
registering the client to read about the OP's requirements on
how the Relying Party can use the data provided by the OP.
|
Service |
setPredefinedTransformedClaims(String claims)
Set the transformed claims predefined by this service in JSON format.
|
Service |
setPushedAuthReqDuration(long duration)
Set the duration of pushed authorization requests.
|
Service |
setPushedAuthReqEndpoint(URI endpoint)
Set the URI of the pushed authorization request endpoint.
|
Service |
setRefreshTokenDuration(long duration)
Set the duration of refresh tokens in seconds.
|
Service |
setRefreshTokenDurationKept(boolean kept)
Set the flag which indicates whether the remaining duration of the used
refresh token is taken over to the newly issued refresh token.
|
Service |
setRefreshTokenDurationReset(boolean reset)
Set the flag which indicates whether duration of refresh tokens are
reset when they are used even if the
refreshTokenKept property
of this service (cf. isRefreshTokenKept()) is true
(= even if "Refresh Token Continuous Use" is "Kept"). |
Service |
setRefreshTokenKept(boolean kept)
Set the flag which indicates whether a refresh token remains valid
or gets renewed after its use.
|
Service |
setRegistrationEndpoint(URI endpoint)
Set the URI of the registration endpoint.
|
Service |
setRegistrationManagementEndpoint(URI endpoint)
Set the URI of the registration management endpoint.
|
Service |
setRequestObjectEncryptionAlgMatchRequired(boolean required)
Set the flag indicating whether the JWE
alg of encrypted request
object must match the request_object_encryption_alg client metadata
of the client that has sent the request object. |
Service |
setRequestObjectEncryptionEncMatchRequired(boolean required)
Set the flag indicating whether the JWE
enc of encrypted request
object must match the request_object_encryption_enc client metadata
of the client that has sent the request object. |
Service |
setRequestObjectRequired(boolean required)
Set the flag indicating whether this service requires that authorization
requests always utilize a request object by using either
request
or request_uri request parameter. |
Service |
setRevocationEndpoint(URI endpoint)
Set the URI of the token revocation endpoint.
|
Service |
setScopeRequired(boolean required)
Set the flag indicating whether requests that request no scope are
rejected or not.
|
Service |
setServiceDocumentation(URI uri)
Set the URI of a page containing human-readable information
that developers might want or need to know when using this
OpenID Provider.
|
Service |
setServiceName(String serviceName)
Set the service name.
|
Service |
setServiceOwnerNumber(int serviceOwnerNumber)
Set the service owner number
|
Service |
setSingleAccessTokenPerSubject(boolean single)
Set the flag which indicates whether the number of access tokens
per subject (and per client) is at most one or can be more.
|
Service |
setSnsCredentials(SnsCredentials[] snsCredentials)
Set the list of SNS credentials that Authlete uses to support social login.
|
Service |
setSupportedAcrs(String[] acrs)
Set the supported ACRs (authentication context class references).
|
Service |
setSupportedAuthorizationDetailsTypes(String[] types)
Set the supported authorization details types that can be used as values
of the
"type" field in "authorization_details". |
Service |
setSupportedBackchannelTokenDeliveryModes(DeliveryMode[] modes)
Get the supported backchannel token delivery modes.
|
Service |
setSupportedClaimLocales(String[] supportedClaimLocales)
Set the supported claim locales.
|
Service |
setSupportedClaims(String[] supportedClaims)
Set the supported claims.
|
Service |
setSupportedClaimTypes(ClaimType[] claimTypes)
Set the supported claim types.
|
Service |
setSupportedCustomClientMetadata(String[] metadata)
Set custom client metadata supported by this service.
|
Service |
setSupportedDeveloperSnses(Sns[] supportedSnses)
Set the list of supported SNSes for social login at the developer console.
|
Service |
setSupportedDisplays(Display[] displays)
Set the supported values of
display parameter passed to
the authorization endpoint. |
Service |
setSupportedEvidence(String[] evidence)
Set evidence supported by this service.
|
Service |
setSupportedGrantTypes(GrantType[] grantTypes)
Set the supported grant types.
|
Service |
setSupportedIdentityDocuments(String[] documents)
Set identity documents supported by this service.
|
Service |
setSupportedIntrospectionAuthMethods(ClientAuthMethod[] methods)
Set client authentication methods supported at the introspection endpoint.
|
Service |
setSupportedResponseTypes(ResponseType[] responseTypes)
Set the supported response types.
|
Service |
setSupportedRevocationAuthMethods(ClientAuthMethod[] methods)
Set client authentication methods supported at the revocation endpoint.
|
Service |
setSupportedScopes(Scope[] supportedScopes)
Set the supported scopes.
|
Service |
setSupportedServiceProfiles(Iterable<ServiceProfile> profiles)
Set the supported service profiles.
|
Service |
setSupportedServiceProfiles(ServiceProfile[] profiles)
Set the supported service profiles.
|
Service |
setSupportedSnses(Sns[] supportedSnses)
Set the list of supported SNSes for social login at the authorization
endpoint.
|
Service |
setSupportedTokenAuthMethods(ClientAuthMethod[] methods)
Set the number of client authentication methods at the token endpoint.
|
Service |
setSupportedTrustFrameworks(String[] frameworks)
Set trust frameworks supported by this service.
|
Service |
setSupportedUiLocales(String[] supportedUiLocales)
Set the supported UI locales.
|
Service |
setSupportedVerificationMethods(String[] methods)
Set verification methods supported by this service.
|
Service |
setSupportedVerifiedClaims(String[] claims)
Set verified claims supported by this service.
|
Service |
setTlsClientCertificateBoundAccessTokens(boolean enabled)
Enable or disable support for TLS client certificate bound access tokens.
|
Service |
setTokenEndpoint(URI endpoint)
Set the URI of the token endpoint.
|
Service |
setTokenExpirationLinked(boolean linked)
Set the flag indicating whether the expiration date of an access token
never exceeds that of the corresponding refresh token.
|
Service |
setTosUri(URI uri)
Set the URI that the OpenID Provider provides to the person
registering the client to read about the OP's terms of service.
|
Service |
setTraditionalRequestObjectProcessingApplied(boolean applied)
Set the flag indicating whether a request object is processed based on
rules defined in OpenID Connect Core 1.0 or JAR (JWT Secured
Authorization Request).
|
Service |
setTrustedRootCertificates(String[] trustedRootCertificates)
Get the list of root certificates trusted by this service for PKI-based
client mutual TLS authentication.
|
Service |
setUnauthorizedOnClientConfigSupported(boolean supported)
Set the flag indicating whether Authlete's
/api/client/registration
API uses UNAUTHORIZED
as a value of the action response parameter when appropriate. |
Service |
setUserCodeCharset(UserCodeCharset charset)
Set the character set for end-user verification codes
(
user_code) for Device Flow. |
Service |
setUserCodeLength(int length)
Set the length of end-user verification codes (
user_code) for
Device Flow. |
Service |
setUserInfoEndpoint(URI endpoint)
Set the URI of the user info endpoint.
|
Service |
setUserInfoSignatureKeyId(String keyId)
Set the key ID to identify a JWK used for user info signature using
an asymmetric key.
|
boolean |
supports(ServiceProfile profile)
Check if this service supports the specified profile.
|
boolean |
supportsAll(Iterable<ServiceProfile> profiles)
Check if this service supports all the specified service profiles.
|
boolean |
supportsAll(ServiceProfile... profiles)
Check if this service supports all the specified service profiles.
|
boolean |
supportsAny(Iterable<ServiceProfile> profiles)
Check if this service any of the specified service profiles.
|
boolean |
supportsAny(ServiceProfile... profiles)
Check if this service any of the specified service profiles.
|
public int getNumber()
public Service setNumber(int number)
number - The service number.this object.public int getServiceOwnerNumber()
public Service setServiceOwnerNumber(int serviceOwnerNumber)
serviceOwnerNumber - The service owner number.this object.public String getServiceName()
public Service setServiceName(String serviceName)
serviceName - The service name.this object.public long getApiKey()
public Service setApiKey(long apiKey)
apiKey - The API key.this object.public String getApiSecret()
public Service setApiSecret(String apiSecret)
apiSecret - The API secret.this object.public URI getIssuer()
public Service setIssuer(URI issuer)
issuer - The issuer identifier.this object.public URI getAuthorizationEndpoint()
public Service setAuthorizationEndpoint(URI endpoint)
endpoint - The URI of the authorization endpoint.this object.public URI getTokenEndpoint()
public Service setTokenEndpoint(URI endpoint)
endpoint - The URI of the token endpoint.this object.public URI getRevocationEndpoint()
public ClientAuthMethod[] getSupportedRevocationAuthMethods()
public Service setSupportedRevocationAuthMethods(ClientAuthMethod[] methods)
methods - Client authentication methods.this object.public Service setRevocationEndpoint(URI endpoint)
endpoint - The URI of the token revocation endpoint.this object.public URI getUserInfoEndpoint()
public Service setUserInfoEndpoint(URI endpoint)
endpoint - The URI of the user info endpoint.this object.public URI getJwksUri()
public Service setJwksUri(URI uri)
uri - The URI of the service's JSON Web Key Set.this object.public String getJwks()
public Service setJwks(String jwks)
jwks - The JSON Web Key Set of the service.this object.public URI getRegistrationEndpoint()
public Service setRegistrationEndpoint(URI endpoint)
endpoint - The URI of the registration endpoint.this object.public URI getRegistrationManagementEndpoint()
/clientid/
to it as a path element. If this is unset, the value of registrationEndpoint
will be used as the URI base instead.public Service setRegistrationManagementEndpoint(URI endpoint)
/clientid/
to it as a path element. If this is unset, the value of registrationEndpoint
will be used as the URI base instead.endpoint - The base URI of the registration management endpoint.this object.public Scope[] getSupportedScopes()
public Service setSupportedScopes(Scope[] supportedScopes)
supportedScopes - The supported scopes.this object.public ResponseType[] getSupportedResponseTypes()
public Service setSupportedResponseTypes(ResponseType[] responseTypes)
responseTypes - The supported response types.this object.public GrantType[] getSupportedGrantTypes()
public Service setSupportedGrantTypes(GrantType[] grantTypes)
grantTypes - The supported grant types.this object.public String[] getSupportedAcrs()
public Service setSupportedAcrs(String[] acrs)
acrs - The supported ACRs.this object.public ClientAuthMethod[] getSupportedTokenAuthMethods()
public Service setSupportedTokenAuthMethods(ClientAuthMethod[] methods)
methods - The supported client authentication methods.this object.public Display[] getSupportedDisplays()
display parameter passed to
the authorization endpoint.display parameter.public Service setSupportedDisplays(Display[] displays)
display parameter passed to
the authorization endpoint.displays - The supported values of display parameter.this object.public ClaimType[] getSupportedClaimTypes()
public Service setSupportedClaimTypes(ClaimType[] claimTypes)
claimTypes - The supported claim types.this object.public String[] getSupportedClaims()
public Service setSupportedClaims(String[] supportedClaims)
supportedClaims - The supported claims.this object.public URI getServiceDocumentation()
public Service setServiceDocumentation(URI uri)
uri - The URI of the service documentation.this object.public String[] getSupportedClaimLocales()
public Service setSupportedClaimLocales(String[] supportedClaimLocales)
supportedClaimLocales - The supported claim locales.this object.public String[] getSupportedUiLocales()
public Service setSupportedUiLocales(String[] supportedUiLocales)
supportedUiLocales - The supported UI locales.this object.public URI getPolicyUri()
public Service setPolicyUri(URI uri)
uri - The URI of the policy page.this object.public URI getTosUri()
public Service setTosUri(URI uri)
uri - The URI of the Terms-of-Service page.this object.public String getDescription()
public Service setDescription(String description)
description - The description.this object.public String getAccessTokenType()
token_type in
access token responses.public Service setAccessTokenType(String type)
token_type in
access token responses.type - The access token type.this object.public JWSAlg getAccessTokenSignAlg()
When this method returns null, access tokens issued by this service are
just random strings. On the other hand, when this method returns a
non-null value, access tokens issued by this service are JWTs and the
value returned from this method represents the signature algorithm of
the JWTs. Regarding the format, see the description of this
Service class.
This feature is available since Authlete 2.1. Access tokens generated by older Authlete versions are always random strings.
public Service setAccessTokenSignAlg(JWSAlg alg)
When null is set, access tokens issued by this service are just random
strings. On the other hand, when a non-null value is set, access tokens
issued by this service are JWTs and the value set by this method is used
as the signature algorithm of the JWTs. Regarding the format, see the
description of this Service class.
This feature is available since Authlete 2.1. Access tokens generated by older Authlete versions are always random strings.
public long getAccessTokenDuration()
expires_in in access token responses.public Service setAccessTokenDuration(long duration)
expires_in in access token responses.duration - The duration of access tokens in seconds.this object.public long getRefreshTokenDuration()
public Service setRefreshTokenDuration(long duration)
duration - The duration of refresh tokens in seconds.this object.public long getIdTokenDuration()
public Service setIdTokenDuration(long duration)
duration - The duration of ID tokens in seconds.this object.public long getAuthorizationResponseDuration()
Financial-grade API: JWT Secured Authorization Response Mode for
OAuth 2.0 (JARM) defines new values for the response_mode
request parameter. They are query.jwt, fragment.jwt,
form_post.jwt and jwt. If one of them is specified
as the response mode, response parameters from the authorization
endpoint will be packed into a JWT. This property is used to compute
the value of the exp claim of the JWT.
public Service setAuthorizationResponseDuration(long duration)
Financial-grade API: JWT Secured Authorization Response Mode for
OAuth 2.0 (JARM) defines new values for the response_mode
request parameter. They are query.jwt, fragment.jwt,
form_post.jwt and jwt. If one of them is specified
as the response mode, response parameters from the authorization
endpoint will be packed into a JWT. This property is used to compute
the value of the exp claim of the JWT.
duration - The duration of authorization response JWTs in seconds.this object.public long getPushedAuthReqDuration()
"OAuth 2.0 Pushed Authorization Requests" defines an endpoint (called
"pushed authorization request endpoint") which client applications can
register authorization requests into and get corresponding URIs (called
"request URIs") from. The issued URIs represent the registered
authorization requests. The client applications can use the URIs as the
value of the request_uri request parameter in an authorization
request.
The value returned from this method represents the duration of registered
authorization requests and is used as the value of the expires_in
parameter in responses from the pushed authorization request endpoint.
public Service setPushedAuthReqDuration(long duration)
"OAuth 2.0 Pushed Authorization Requests" defines an endpoint (called
"pushed authorization request endpoint") which client applications can
register authorization requests into and get corresponding URIs (called
"request URIs") from. The issued URIs represent the registered
authorization requests. The client applications can use the URIs as the
value of the request_uri request parameter in an authorization
request.
The value given to this method represents the duration of registered
authorization requests and is used as the value of the expires_in
parameter in responses from the pushed authorization request endpoint.
duration - The duration of pushed authorization requests.this object.public URI getAuthenticationCallbackEndpoint()
public Service setAuthenticationCallbackEndpoint(URI endpoint)
endpoint - The URI of the authentication callback endpoint.this object.public String getAuthenticationCallbackApiKey()
public Service setAuthenticationCallbackApiKey(String apiKey)
apiKey - The API key to access the authentication callback endpoint.this object.public String getAuthenticationCallbackApiSecret()
public Service setAuthenticationCallbackApiSecret(String apiSecret)
apiSecret - The API secret to access the authentication callback endpoint.this object.public Sns[] getSupportedSnses()
public Service setSupportedSnses(Sns[] supportedSnses)
supportedSnses - The list of SNSes.this object.public SnsCredentials[] getSnsCredentials()
public Service setSnsCredentials(SnsCredentials[] snsCredentials)
snsCredentials - The list of SNS credentials.this object.public long getCreatedAt()
public Service setCreatedAt(long createdAt)
createdAt - The time at which this service was created.this object.public long getModifiedAt()
public Service setModifiedAt(long modifiedAt)
modifiedAt - The time at which this service was modified.this object.public Pair[] getMetadata()
The content of the returned array depends on contexts.
| Key | Description |
|---|---|
"clientCount" |
The number of client applications which belong to this service. |
Pair.public Service setMetadata(Pair[] metadata)
metadata - Metadata. The type is an array of Pair.
null may be returned.this object.public URI getDeveloperAuthenticationCallbackEndpoint()
public Service setDeveloperAuthenticationCallbackEndpoint(URI endpoint)
endpoint - The URI of the developer authentication callback endpoint.this object.public String getDeveloperAuthenticationCallbackApiKey()
public Service setDeveloperAuthenticationCallbackApiKey(String apiKey)
apiKey - The API key to access the developer authentication callback endpoint.this object.public String getDeveloperAuthenticationCallbackApiSecret()
public Service setDeveloperAuthenticationCallbackApiSecret(String apiSecret)
apiSecret - The API secret to access the developer authentication callback endpoint.this object.public Sns[] getSupportedDeveloperSnses()
public Service setSupportedDeveloperSnses(Sns[] supportedSnses)
supportedSnses - The list of SNSes.this object.public SnsCredentials[] getDeveloperSnsCredentials()
public Service setDeveloperSnsCredentials(SnsCredentials[] snsCredentials)
snsCredentials - The list of SNS credentials.this object.public int getClientsPerDeveloper()
public Service setClientsPerDeveloper(int count)
count - The number of client applications that one developer can create.
0 means no limit.this object.public boolean isDirectAuthorizationEndpointEnabled()
/api/auth/authorization/direct/{serviceApiKey}true if enabled.public Service setDirectAuthorizationEndpointEnabled(boolean enabled)
/api/auth/authorization/direct/{serviceApiKey}enabled - true to enable the direct endpoint.this object.public boolean isDirectTokenEndpointEnabled()
/api/auth/token/direct/{serviceApiKey}true if enabled.public Service setDirectTokenEndpointEnabled(boolean enabled)
/api/auth/token/direct/{serviceApiKey}enabled - true to enable the direct endpoint.this object.public boolean isDirectRevocationEndpointEnabled()
/api/auth/revocation/direct/{serviceApiKey}true if enabled.public Service setDirectRevocationEndpointEnabled(boolean enabled)
/api/auth/revocation/direct/{serviceApiKey}enabled - true to enable the direct endpoint.this object.public boolean isDirectUserInfoEndpointEnabled()
/api/auth/userinfo/direct/{serviceApiKey}true if enabled.public Service setDirectUserInfoEndpointEnabled(boolean enabled)
/api/auth/userinfo/direct/{serviceApiKey}enabled - true to enable the direct endpoint.this object.public boolean isDirectJwksEndpointEnabled()
/api/service/jwks/get/direct/{serviceApiKey}true if enabled.public Service setDirectJwksEndpointEnabled(boolean enabled)
/api/service/jwks/get/direct/{serviceApiKey}enabled - true to enable the direct endpoint.this object.public boolean isDirectIntrospectionEndpointEnabled()
/api/auth/introspection/direct/{serviceApiKey}true if enabled.public Service setDirectIntrospectionEndpointEnabled(boolean enabled)
/api/auth/introspection/direct/{serviceApiKey}enabled - true to enable the direct endpoint.this object.public boolean isSingleAccessTokenPerSubject()
If this flag is true, an attempt to issue a new access
token invalidates existing access tokens associated with the
same subject and the same client.
Note that, however, attempts by Client Credentials Flow do not
invalidate existing access tokens because access tokens issued
by Client Credentials Flow are not associated with any end-user's
subject. Also note that an attempt by Refresh Token Flow
invalidates the coupled access token only and this invalidation
is always performed regardless of whether this flag is true or false.
true if the number of access tokens per subject
(and per client) is at most one.public Service setSingleAccessTokenPerSubject(boolean single)
If true is set, an attempt to issue a new access token
invalidates existing access tokens associated with the same
subject and the same client.
Note that, however, attempts by Client Credentials Flow do not
invalidate existing access tokens because access tokens issued
by Client Credentials Flow are not associated with any end-user's
subject. Also note that an attempt by Refresh Token Flow
invalidates the coupled access token only and this invalidation
is always performed regardless of whether this flag is true or false.
single - true to set the maximum number of access tokens
per subject (and per client) to 1.this object.public boolean isPkceRequired()
true if PKCE is always required for authorization
requests by Authorization Code Flow.public Service setPkceRequired(boolean required)
required - true to always require PKCE for authorization
requests by Authorization Code Flow.this object.public boolean isPkceS256Required()
S256 is always required
as the code challenge method whenever PKCE (RFC 7636) is used.
If this flag is true, code_challenge_method=S256 must
be included in the authorization request whenever it includes the
code_challenge request parameter. Neither omission of the
code_challenge_method request parameter nor use of plain
(code_challenge_method=plain) is allowed.
true if S256 is always required as the code
challenge method whenever PKCE is used.public Service setPkceS256Required(boolean required)
S256 is always required
as the code challenge method whenever PKCE (RFC 7636) is used.
If true is set, code_challenge_method=S256 must be
included in the authorization request whenever it includes the
code_challenge request parameter. Neither omission of the
code_challenge_method request parameter nor use of plain
(code_challenge_method=plain) is allowed.
required - true to require S256 as the code challenge
method whenever PKCE is used.this object.public boolean isRefreshTokenKept()
true if a refresh token remains valid after its use.
false if a new refresh token is issued after its use.public Service setRefreshTokenKept(boolean kept)
kept - true to keep a refresh token valid after its use.
false to renew a refresh token after its use.this object.public boolean isRefreshTokenDurationKept()
true if the remaining duration of the used refresh token
is taken over to the newly issued refresh token.public Service setRefreshTokenDurationKept(boolean kept)
kept - true to indicate that the remaining duration of the used
refresh token is taken over to the newly issued refresh token.this object.public boolean isRefreshTokenDurationReset()
refreshTokenKept property
of this service (cf. isRefreshTokenKept()) is true
(= even if "Refresh Token Continuous Use" is "Kept").
This flag has no effect when the refreshTokenKept property is
false. In other words, if this service issues a new refresh
token on every refresh token request, the refresh token will have fresh
duration (unless refreshTokenDurationKept is true) and this
refreshTokenDurationReset property is not referenced.
true if duration of refresh tokens are reset when they
are used.public Service setRefreshTokenDurationReset(boolean reset)
refreshTokenKept property
of this service (cf. isRefreshTokenKept()) is true
(= even if "Refresh Token Continuous Use" is "Kept").
This flag has no effect when the refreshTokenKept property is
false. In other words, if this service issues a new refresh
token on every refresh token request, the refresh token will have fresh
duration (unless refreshTokenDurationKept is true) and this
refreshTokenDurationReset property is not referenced.
reset - true to reset duration of refresh tokens when they are
used.this object.public boolean isErrorDescriptionOmitted()
error_description
response parameter is omitted.
According to RFC 6749, authorization servers may include the error_description response parameter in error responses. When this
errorDescriptionOmitted property is true, Authlete does
not embed the error_description response parameter in error
responses.
true if the error_description response parameter
is omitted. false if the error_description
response parameter is included in error responses from the
authorization server.public Service setErrorDescriptionOmitted(boolean omitted)
error_description response parameter in
error responses.omitted - true to omit the error_description response
parameter. false to embed the parameter.this object.public boolean isErrorUriOmitted()
error_uri response
parameter is omitted.
According to RFC 6749, authorization servers may include the
error_uri response parameter in error responses. When
this errorUriOmitted property is true, Authlete
does not embed the error_uri response parameter in error
responses.
true if the error_uri response parameter
is omitted. false if the error_uri
response parameter is included in error responses from
the authorization server.public Service setErrorUriOmitted(boolean omitted)
error_uri response parameter in error
responses.omitted - true to omit the error_uri response parameter.
false to embed the parameter.this object.public boolean isClientIdAliasEnabled()
true if the 'Client ID Alias' feature is enabled.
false if the feature is disabled.public Service setClientIdAliasEnabled(boolean enabled)
When a new client is created, Authlete generates a numeric value
and assigns it as a client ID to the newly created client. In
addition to the client ID, each client can have a client ID alias.
The client ID alias is, however, recognized only when this property
(clientIdAliasEnabled) is true.
enabled - true to enable the 'Client ID Alias' feature.
false to disable it.this object.public String getAccessTokenSignatureKeyId()
A JWK Set can be registered as a property of a Service. A JWK Set can
contain 0 or more JWKs (See RFC 7517 for details about JWK). Authlete Server has to pick up
one JWK for signing from the JWK Set when it generates a JWT-based
access token (see getAccessTokenSignAlg() for details about
JWT-based access token). Authlete Server searches the registered JWK Set
for a JWK which satisfies conditions for access token signature. If the
number of JWK candidates which satisfy the conditions is 1, there is no
problem. On the other hand, if there exist multiple candidates, a
Key ID is
needed to be specified so that Authlete Server can pick up one JWK from
among the JWK candidates.
This accessTokenSignatureKeyId property exists for the purpose
described above.
null.public Service setAccessTokenSignatureKeyId(String keyId)
See the description of getAccessTokenSignatureKeyId() for
details.
keyId - A key ID of a JWK. This may be null.this object.public String getAuthorizationSignatureKeyId()
Financial-grade API: JWT Secured Authorization Response Mode for OAuth
2.0 (JARM) has added new values for the response_mode
request parameter. They are query.jwt, fragment.jwt,
form_post.jwt and jwt. If one of them is used, response
parameters returned from the authorization endpoint will be packed into
a JWT. The JWT is always signed. For the signature of the JWT, Authlete
Server has to pick up one JWK from the service's JWK Set.
Authlete Server searches the JWK Set for a JWK which satisfies conditions for authorization response signature. If the number of JWK candidates which satisfy the conditions is 1, there is no problem. On the other hand, if there exist multiple candidates, a Key ID is needed to be specified so that Authlete Server can pick up one JWK from among the JWK candidates. This property exists to specify the key ID.
null.public Service setAuthorizationSignatureKeyId(String keyId)
See the description of getAuthorizationSignatureKeyId() for details.
keyId - A key ID of a JWK. This may be null.this object.public String getIdTokenSignatureKeyId()
A JWK Set can be registered as a property of a Service. A JWK Set can contain 0 or more JWKs (See RFC 7517 for details about JWK). Authlete Server has to pick up one JWK for signature from the JWK Set when it generates an ID token and signature using an asymmetric key. Authlete Server searches the registered JWK Set for a JWK which satisfies conditions for ID token signature. If the number of JWK candidates which satisfy the conditions is 1, there is no problem. On the other hand, if there exist multiple candidates, a Key ID is needed to be specified so that Authlete Server can pick up one JWK from among the JWK candidates.
This idTokenSignatureKeyId property exists for the purpose
described above. For key rotation (OpenID Connect Core 1.0, 10.1.1. Rotation of Asymmetric Signing Keys), this mechanism is
needed.
null.public Service setIdTokenSignatureKeyId(String keyId)
See the description of getIdTokenSignatureKeyId() for details.
keyId - A key ID of a JWK. This may be null.this object.public String getUserInfoSignatureKeyId()
A JWK Set can be registered as a property of a Service. A JWK Set can contain 0 or more JWKs (See RFC 7517 for details about JWK). Authlete Server has to pick up one JWK for signature from the JWK Set when it is required to sign user info (which is returned from UserInfo Endpoint) using an asymmetric key. Authlete Server searches the registered JWK Set for a JWK which satisfies conditions for user info signature. If the number of JWK candidates which satisfy the conditions is 1, there is no problem. On the other hand, if there exist multiple candidates, a Key ID is needed to be specified so that Authlete Server can pick up one JWK from among the JWK candidates.
This userInfoSignatureKeyId property exists for the purpose
described above. For key rotation (OpenID Connect Core 1.0, 10.1.1. Rotation of Asymmetric Signing Keys), this mechanism is
needed.
null.public Service setUserInfoSignatureKeyId(String keyId)
See the description of getUserInfoSignatureKeyId() for details.
keyId - A key ID of a JWK. This may be null.this object.public ServiceProfile[] getSupportedServiceProfiles()
public Service setSupportedServiceProfiles(ServiceProfile[] profiles)
profiles - Supported service profiles.this object.public Service setSupportedServiceProfiles(Iterable<ServiceProfile> profiles)
profiles - Supported service profiles.this object.public boolean supports(ServiceProfile profile)
null is given, false is returned.
If the supported service profiles are not set to this service,
false is returned.profile - A service profile.true if this service supports the service profile.public boolean supportsAll(ServiceProfile... profiles)
null is given, true is returned.
If an empty array is given, true is returned.profiles - Service profiles.true if this service supports all the specified
service profiles.public boolean supportsAll(Iterable<ServiceProfile> profiles)
null is given, true is returned.
If an empty collection is given, true is returned.profiles - Service profiles.true if this service supports all the specified
service profiles.public boolean supportsAny(ServiceProfile... profiles)
null is given, false is returned.
If an empty array is given, false is returned.profiles - Service profiles.true if this service supports any of the specified
service profiles.public boolean supportsAny(Iterable<ServiceProfile> profiles)
null is given, false is returned.
If an empty collection is given, false is returned.profiles - Service profiles.true if this service supports any of the specified
service profiles.public boolean isTlsClientCertificateBoundAccessTokens()
true if this service supports issuing TLS client
certificate bound access tokens.public Service setTlsClientCertificateBoundAccessTokens(boolean enabled)
enabled - true to enable TLS client certificate bound access tokens.this object.public URI getIntrospectionEndpoint()
public Service setIntrospectionEndpoint(URI endpoint)
endpoint - The URI of the introspection endpoint.this object.public ClientAuthMethod[] getSupportedIntrospectionAuthMethods()
public Service setSupportedIntrospectionAuthMethods(ClientAuthMethod[] methods)
methods - Client authentication methods.this object.public boolean isMutualTlsValidatePkiCertChain()
true if this service requires clients using PKI MTLS
to present their certificate chain to the API during authentication,
false otherwise.public Service setMutualTlsValidatePkiCertChain(boolean mutualTlsValidatePkiCertChain)
mutualTlsValidatePkiCertChain - true if this service requires clients using PKI MTLS
to present their certificate chain to the API during authentication,
false otherwise.this object.public String[] getTrustedRootCertificates()
public Service setTrustedRootCertificates(String[] trustedRootCertificates)
trustedRootCertificates - The list of root certificates trusted by this service in PEM format.this object.public DeliveryMode[] getSupportedBackchannelTokenDeliveryModes()
backchannel_token_delivery_modes_supported
metadata.
Backchannel token delivery modes are defined in the specification of CIBA (Client Initiated Backchannel Authentication).
public Service setSupportedBackchannelTokenDeliveryModes(DeliveryMode[] modes)
backchannel_token_delivery_modes_supported
metadata.
Backchannel token delivery modes are defined in the specification of CIBA (Client Initiated Backchannel Authentication).
modes - Supported backchannel token delivery modes.this object.public URI getBackchannelAuthenticationEndpoint()
Backchannel authentication endpoint is defined in the specification of CIBA (Client Initiated Backchannel Authentication).
public Service setBackchannelAuthenticationEndpoint(URI endpoint)
Backchannel authentication endpoint is defined in the specification of CIBA (Client Initiated Backchannel Authentication).
endpoint - The URI of the backchannel authentication endpoint.this object.public boolean isBackchannelUserCodeParameterSupported()
"user_code"
request parameter is supported at the backchannel authentication
endpoint. This property corresponds to the
backchannel_user_code_parameter_supported metadata.true if the "user_code" request parameter is
supported at the backchannel authentication endpoint.public Service setBackchannelUserCodeParameterSupported(boolean supported)
"user_code"
request parameter is supported at the backchannel authentication
endpoint. This property corresponds to the
backchannel_user_code_parameter_supported metadata.supported - true to indicate that the "user_code" request
parameter is supported.this object.public int getBackchannelAuthReqIdDuration()
expires_in property in responses from the
backchannel authentication endpoint.public Service setBackchannelAuthReqIdDuration(int duration)
expires_in property in responses from the
backchannel authentication endpoint.duration - The duration of backchannel authentication request IDs in
seconds.this object.public int getBackchannelPollingInterval()
interval property in responses from the backchannel
authentication endpoint.public Service setBackchannelPollingInterval(int interval)
interval property in responses from the backchannel
authentication endpoint.interval - The minimum interval between polling requests in seconds.
Must be in between 0 and 65,535.this object.public boolean isBackchannelBindingMessageRequiredInFapi()
binding_message
request parameter is always required whenever a backchannel authentication
request is judged as a request for Financial-grade API.true if the binding_message request parameter
is required whenever a backchannel authentication request is
judged as a request for Financial-grade API.public Service setBackchannelBindingMessageRequiredInFapi(boolean required)
binding_message
request parameter is always required whenever a backchannel authentication
request is judged as a request for Financial-grade API.
The FAPI-CIBA profile requires that the authorization server "shall
ensure unique authorization context exists in the authorization request
or require a binding_message in the authorization request"
(FAPI-CIBA, 5.2.2, 2). The simplest way to fulfill this requirement is
to set true to this property.
If false is set to this property, the binding_message
request parameter remains optional even in FAPI context, but in exchange,
your authorization server must implement a custom mechanism that ensures
each backchannel authentication request has unique context.
required - true to require the binding_message request
parameter whenever a backchannel authentication request is
judged as a request for Financial-grade API.this object.public int getAllowableClockSkew()
The clock skew is taken into consideration when time-related claims in
a JWT (e.g. "exp", "iat", "nbf") are verified.
public Service setAllowableClockSkew(int seconds)
The clock skew is taken into consideration when time-related claims in
a JWT (e.g. "exp", "iat", "nbf") are verified.
seconds - Allowable clock skew in seconds. Must be in between 0 and
65,535.this object.public boolean isDynamicRegistrationSupported()
true if enabled.public Service setDynamicRegistrationSupported(boolean enabled)
enabled - true to enable dynamic client registrationthis object.public URI getDeviceAuthorizationEndpoint()
Device authorization endpoint is defined in the specification of OAuth 2.0 Device Authorization Grant.
public Service setDeviceAuthorizationEndpoint(URI endpoint)
Device authorization endpoint is defined in the specification of OAuth 2.0 Device Authorization Grant.
endpoint - The URI of the device authorization endpoint.this object.public URI getDeviceVerificationUri()
verification_uri parameter in responses from the
device authorization endpoint.public Service setDeviceVerificationUri(URI uri)
verification_uri parameter in responses from the
device authorization endpoint.uri - The verification URI.this object.public URI getDeviceVerificationUriComplete()
verification_uri_complete parameter in responses from the device
authorization endpoint.public Service setDeviceVerificationUriComplete(URI uri)
verification_uri_complete parameter in responses from the device
authorization endpoint.
It is expected that the URI contains a fixed string USER_CODE
somewhere as a placeholder for a user code. For example, like the
following.
https://example.com/device?user_code=USER_CODE
The fixed string is replaced with an actual user code when Authlete
builds a verification URI with a user code for the
verification_uri_complete parameter.
If this URI is not set, the verification_uri_complete parameter
won't appear in device authorization responses.
uri - The verification URI with a placeholder for a user code.this object.public int getDeviceFlowCodeDuration()
expires_in property in responses from
the device authorization endpoint.public Service setDeviceFlowCodeDuration(int duration)
expires_in property in responses from
the device authorization endpoint.duration - The duration of device verification codes and end-user
verification codes in seconds.this object.public int getDeviceFlowPollingInterval()
interval property in responses from the device
authorization endpoint.public Service setDeviceFlowPollingInterval(int interval)
interval property in responses from the device
authorization endpoint.interval - The minimum interval between polling requests in seconds in
device flow. Must be in between 0 and 65,535.this object.public UserCodeCharset getUserCodeCharset()
user_code) for Device Flow.user_code) for Device Flow.public Service setUserCodeCharset(UserCodeCharset charset)
user_code) for Device Flow.charset - The character set for end-user verification codes
(user_code) for Device Flow.this object.public int getUserCodeLength()
user_code) for
Device Flow.user_code)
for Device Flow.public Service setUserCodeLength(int length)
user_code) for
Device Flow.length - The length of end-user verification codes (user_code)
for Device Flow. The value must not be negative and must not
be larger than 255.this object.public URI getPushedAuthReqEndpoint()
This property corresponds to the pushed_authorization_request_endpoint
metadata defined in "5. Authorization Server Metadata" of OAuth 2.0 Pushed Authorization Requests.
public Service setPushedAuthReqEndpoint(URI endpoint)
This property corresponds to the pushed_authorization_request_endpoint
metadata defined in "5. Authorization Server Metadata" of OAuth 2.0 Pushed Authorization Requests.
endpoint - The URI of the pushed authorization request endpoint.this object.public NamedUri[] getMtlsEndpointAliases()
This property corresponds to the mtls_endpoint_aliases metadata
defined in "5. Metadata for Mutual TLS Endpoint Aliases" of OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access
Tokens.
public Service setMtlsEndpointAliases(NamedUri[] aliases)
This property corresponds to the mtls_endpoint_aliases metadata
defined in "5. Metadata for Mutual TLS Endpoint Aliases" of OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access
Tokens.
The aliases will be embedded in the response from the discovery endpoint like the following.
{
......,
"mtls_endpoint_aliases": {
"token_endpoint": "https://mtls.example.com/token",
"revocation_endpoint": "https://mtls.example.com/revo",
"introspection_endpoint": "https://mtls.example.com/introspect"
}
}
aliases - MTLS endpoint aliases.this object.public String[] getSupportedAuthorizationDetailsTypes()
"type" field in "authorization_details".
This property corresponds to the
"authorization_details_types_supported" server metadata.
See "OAuth 2.0 Rich Authorization Requests" (RAR) for details.
Note that the property name was renamed from supportedAuthorizationDataTypes
to supportedAuthorizationDetailsTypes to align with the change
made by the 5th draft of the RAR specification.
public Service setSupportedAuthorizationDetailsTypes(String[] types)
"type" field in "authorization_details".
This property corresponds to the
"authorization_details_types_supported" server metadata.
See "OAuth 2.0 Rich Authorization Requests" (RAR) for details.
Note that the property name was renamed from supportedAuthorizationDataTypes
to supportedAuthorizationDetailsTypes to align with the change
made by the 5th draft of the RAR specification.
types - Supported authorization details types.this object.public String[] getSupportedTrustFrameworks()
trust_frameworks_supported metadata.public Service setSupportedTrustFrameworks(String[] frameworks)
trust_frameworks_supported metadata.frameworks - Trust frameworks supported by this service.this object.public String[] getSupportedEvidence()
evidence_supported metadata.public Service setSupportedEvidence(String[] evidence)
evidence_supported metadata.evidence - Evidence supported by this service.this object.public String[] getSupportedIdentityDocuments()
id_documents_supported metadata.public Service setSupportedIdentityDocuments(String[] documents)
id_documents_supported metadata.documents - Identity documents supported by this service.this object.public String[] getSupportedVerificationMethods()
id_documents_verification_methods_supported
metadata.public Service setSupportedVerificationMethods(String[] methods)
id_documents_verification_methods_supported
metadata.methods - Verification methods supported by this service.this object.public String[] getSupportedVerifiedClaims()
claims_in_verified_claims_supported
metadata.public Service setSupportedVerifiedClaims(String[] claims)
claims_in_verified_claims_supported
metadata.claims - Verified claims supported by this service.this object.public boolean isMissingClientIdAllowed()
client_id request parameter are allowed when the client can be
guessed from authorization_code or refresh_token.
This flag should not be set unless you have special reasons.
true if token requests from public clients without the
client_id request parameter are allowed in the authorization
code flow and the refresh token flow.public Service setMissingClientIdAllowed(boolean allowed)
client_id request parameter are allowed when the client can be
guessed from authorization_code or refresh_token.
Don't set this flag unless you have special reasons.
allowed - true to allow token requests from public clients without
the client_id request parameter in the authorization code
flow and the refresh token flow.this object.public URI getEndSessionEndpoint()
null if not set.public Service setEndSessionEndpoint(URI endSessionEndpoint)
endSessionEndpoint - The end session endpoint, or null if not set.this object.public boolean isParRequired()
This property corresponds to the
require_pushed_authorization_requests server metadata defined
in "OAuth 2.0 Pushed Authorization Requests".
true if client of this service are required to use PAR.public Service setParRequired(boolean required)
This property corresponds to the
require_pushed_authorization_requests server metadata defined
in "OAuth 2.0 Pushed Authorization Requests".
required - true to indicate that this service requires that clients
use the pushed authorization request endpoint.this object.public boolean isRequestObjectRequired()
request
or request_uri request parameter.
If this flag is true and
isTraditionalRequestObjectProcessingApplied() returns
false, the value of require_signed_request_object server
metadata of this service is reported as true in the discovery
document. The metadata is defined in JAR (JWT Secured Authorization
Request). That require_signed_request_object is true
means that authorization requests which don't conform to the JAR
specification are rejected.
true if this service requires that authorization
requests always utilize a request object.public Service setRequestObjectRequired(boolean required)
request
or request_uri request parameter.
See the description of isRequestObjectRequired() for details.
required - true to require that authorization requests always
utilize a request object.this object.public boolean isTraditionalRequestObjectProcessingApplied()
Differences between rules in OpenID Connect Core 1.0 and ones in JAR are as follows.
response_type request parameter
exist outside a request object even if the request object includes
the request parameter.
scope request parameter exist
outside a request object if the authorization request is an OIDC
request even if the request object includes the request parameter.
If this flag is false and isRequestObjectRequired()
returns true, the value of require_signed_request_object
server metadata of this service is reported as true in the
discovery document. The metadata is defined in JAR (JWT Secured
Authorization Request). That require_signed_request_object is
true means that authorization requests which don't conform to
the JAR specification are rejected.
true if rules defined in OpenID Connect Core 1.0 are
applied on processing a request object. false if rules
defined in JAR (JWT Secured Authorization Request) are applied.public Service setTraditionalRequestObjectProcessingApplied(boolean applied)
See the description of isTraditionalRequestObjectProcessingApplied()
for details.
applied - true to apply rules defined in OpenID Connect Core 1.0
on processing a request object. false to apply rules
defined in JAR instead.this object.public boolean isClaimShortcutRestrictive()
profile) are included in the issued ID token only when
no access token is issued.
To strictly conform to the description below excerpted from OpenID Connect Core 1.0 Section 5.4, this flag has to be true.
The Claims requested by the
profile,address, andphonescope values are returned from the UserInfo Endpoint, as described in Section 5.3.2, when aresponse_typevalue is used that results in an Access Token being issued. However, when no Access Token is issued (which is the case for theresponse_typevalueid_token), the resulting Claims are returned in the ID Token.
true if claims specified by shortcut scopes are included
in the issued ID token only when no access token is issued.
false if the claims are included in the issued ID token
regardless of whether an access token is issued or not.public Service setClaimShortcutRestrictive(boolean restrictive)
profile) are included in the issued ID token only when
no access token is issued.
To strictly conform to the description below excerpted from OpenID Connect Core 1.0 Section 5.4, this flag has to be true.
The Claims requested by the
profile,address, andphonescope values are returned from the UserInfo Endpoint, as described in Section 5.3.2, when aresponse_typevalue is used that results in an Access Token being issued. However, when no Access Token is issued (which is the case for theresponse_typevalueid_token), the resulting Claims are returned in the ID Token.
restrictive - true to include claims specified by shortcut scopes
in the issued ID token only when no access token is issued.
false to include the claims in the issued ID token
regardless of whether an access token is issued or not.this object.public boolean isScopeRequired()
When a request has no explicit scope parameter and the service's
pre-defined default scope set is empty, the authorization server regards
the request requests no scope. When this flag is true, requests that
request no scope are rejected.
The requirement below excerpted from RFC 6749 Section 3.3 does not explicitly mention the case where the default scope set is empty.
If the client omits the
scopeparameter when requesting authorization, the authorization server MUST either process the request using a pre-defined default value or fail the request indicating an invalid scope.
However, if you interpret "the default scope set exists but is empty" as "the default scope set does not exist" and want to strictly conform to the requirement above, this flag has to be true.
true if the authorization server rejects requests that
request no scope. false if the authorization server
admits requests that request no scope.public Service setScopeRequired(boolean required)
When a request has no explicit scope parameter and the service's
pre-defined default scope set is empty, the authorization server regards
the request requests no scope. When this flag is true, requests that
request no scope are rejected.
The requirement below excerpted from RFC 6749 Section 3.3 does not explicitly mention the case where the default scope set is empty.
If the client omits the
scopeparameter when requesting authorization, the authorization server MUST either process the request using a pre-defined default value or fail the request indicating an invalid scope.
However, if you interpret "the default scope set exists but is empty" as "the default scope set does not exist" and want to strictly conform to the requirement above, this flag has to be true.
required - true to reject requests that request no scope.
false to admit requests that request no scope.this object.public boolean isNbfOptional()
nbf claim in the request
object is optional even when the authorization request is regarded as
a FAPI-Part2 request.
The final version of Financial-grade API was approved in January, 2021.
The Part 2 of the final version has new requirements on lifetime of
request objects. They require that request objects contain an nbf
claim and the lifetime computed by exp - nbf be no longer than
60 minutes.
Therefore, when an authorization request is regarded as a FAPI-Part2
request, the request object used in the authorization request must
contain an nbf claim. Otherwise, the authorization server
rejects the authorization request.
When this flag is true, the nbf claim is treated as an
optional claim even when the authorization request is regarded as a
FAPI-Part2 request. That is, the authorization server does not perform
the validation on lifetime of the request object.
Skipping the validation is a violation of the FAPI specification. The reason why this flag has been prepared nevertheless is that the new requirements (which do not exist in the Implementer's Draft 2 released in October, 2018) have big impacts on deployed implementations of client applications and Authlete thinks there should be a mechanism whereby to make the migration from ID2 to Final smooth without breaking live systems.
true if the nbf claim is treated as an optional
claim even when the authorization request is regarded as a
FAPI-Part2 request.public Service setNbfOptional(boolean optional)
nbf claim in the request
object is optional even when the authorization request is regarded as
a FAPI-Part2 request.
See the description of isNbfOptional() for details about this
flag.
optional - true to treat the nbf claim as an optional claim.this object.public boolean isIssSuppressed()
iss response
parameter is suppressed.
"OAuth 2.0 Authorization Server Issuer Identifier in Authorization
Response" has defined a new authorization response parameter,
iss, as a countermeasure for a certain type of mix-up attacks.
The specification requires that the iss response parameter
always be included in authorization responses unless JARM (JWT Secured
Authorization Response Mode) is used.
When this flag is true, the authorization server does not include
the iss response parameter in authorization responses. By turning
this flag on and off, developers of client applications can experiment
the mix-up attack and the effect of the iss response parameter.
Note that this flag should not be true in production environment
unless there are special reasons for it.
true if the authorization server does not include the
iss response parameter in authorization responses.public Service setIssSuppressed(boolean suppressed)
iss response
parameter is suppressed.
See the description of isIssSuppressed() for details about
this flag.
suppressed - true to make the authorization server suppress the
iss response parameter.this object.public Pair[] getAttributes()
The feature of "service attributes" is available since Authlete 2.2.
public Service setAttributes(Pair[] attributes)
The feature of "service attributes" is available since Authlete 2.2.
attributes - Attributes.this object.public Service loadAttributes(Iterable<Pair> attributes)
The feature of "service attributes" is available since Authlete 2.2.
attributes - Attributes.this object.public String[] getSupportedCustomClientMetadata()
Standard specifications define client metadata as necessary. The following are such examples.
Standard client metadata included in Client Registration Request and Client Update Request (cf. OIDC DynReg, RFC 7591 and RFC 7592) are, if supported by Authlete, stored into Authlete database. On the other hand, unrecognized client metadata are discarded.
By listing up custom client metadata in advance by using this property
(Service.supportedCustomClientMetadata), Authlete can recognize
them and stores their values into the database. The stored custom client
metadata values can be referenced by Client.getCustomMetadata().
This property affects the behavior of /api/client/registration
API of Authlete 2.2 onwards.
Client.getCustomMetadata()public Service setSupportedCustomClientMetadata(String[] metadata)
Standard specifications define client metadata as necessary. The following are such examples.
Standard client metadata included in Client Registration Request and Client Update Request (cf. OIDC DynReg, RFC 7591 and RFC 7592) are, if supported by Authlete, stored into Authlete database. On the other hand, unrecognized client metadata are discarded.
By listing up custom client metadata in advance by using this property
(Service.supportedCustomClientMetadata), Authlete can recognize
them and stores their values into the database. The stored custom client
metadata values can be referenced by Client.getCustomMetadata().
This property affects the behavior of /api/client/registration
API of Authlete 2.2 onwards.
metadata - Custom client metadata supported by this service.this object.Client.getCustomMetadata()public boolean isTokenExpirationLinked()
When a new access token is issued by a refresh token request (= a token
request with grant_type=refresh_token), the expiration date of
the access token may exceed the expiration date of the corresponding
refresh token. This behavior itself is not wrong and may happen when
isRefreshTokenKept() returns true and/or when
isRefreshTokenDurationKept() returns true.
When this flag is true, the expiration date of an access token
never exceeds that of the corresponding refresh token regardless of
the calculated duration based on other settings such as
getAccessTokenDuration(),
ClientExtension.getAccessTokenDuration() and the
access_token.duration attribute of scopes.
It is technically possible to set a value which is bigger than the
duration of refresh tokens as the duration of access tokens although
it is strange. In the case, the duration of an access token becomes
longer than the duration of the refresh token which is issued together
with the access token. Even if the duration values are configured so,
if this flag is true, the expiration date of the access token
does not exceed that of the refresh token. That is, the duration of
the access token will be shortened, and as a result, the access token
and the refresh token will have the same expiration date.
true if the service assures that the expiration date
of an access token never exceeds that of the corresponding
refresh token.public Service setTokenExpirationLinked(boolean linked)
When a new access token is issued by a refresh token request (= a token
request with grant_type=refresh_token), the expiration date of
the access token may exceed the expiration date of the corresponding
refresh token. This behavior itself is not wrong and may happen when
isRefreshTokenKept() returns true and/or when
isRefreshTokenDurationKept() returns true.
When this flag is true, the expiration date of an access token
never exceeds that of the corresponding refresh token regardless of
the calculated duration based on other settings such as
getAccessTokenDuration(),
ClientExtension.getAccessTokenDuration() and the
access_token.duration attribute of scopes.
It is technically possible to set a value which is bigger than the
duration of refresh tokens as the duration of access tokens although
it is strange. In the case, the duration of an access token becomes
longer than the duration of the refresh token which is issued together
with the access token. Even if the duration values are configured so,
if this flag is true, the expiration date of the access token
does not exceed that of the refresh token. That is, the duration of
the access token will be shortened, and as a result, the access token
and the refresh token will have the same expiration date.
linked - true to assure that the expiration date of an access
token never exceeds that of the corresponding refresh token.this object.public boolean isFrontChannelRequestObjectEncryptionRequired()
This flag does not affect the processing of request objects at the
Pushed Authorization Request Endpoint, which is defined in OAuth 2.0
Pushed Authorization Requests. Unecrypted request objects are
accepted at the endpoint even if this flag is true.
This flag does not indicate whether a request object is always required.
There is a different flag, requestObjectRequired, for the purpose.
See the description of isRequestObjectRequired() for details.
Even if this flag is false, encryption of request object is
required if the Client.frontChannelRequestObjectEncryptionRequired
flag is true.
true if encryption of request object is required when
the request object is passed through the front channel.isRequestObjectRequired(),
Client.isFrontChannelRequestObjectEncryptionRequired()public Service setFrontChannelRequestObjectEncryptionRequired(boolean required)
This flag does not affect the processing of request objects at the
Pushed Authorization Request Endpoint, which is defined in OAuth 2.0
Pushed Authorization Requests. Unecrypted request objects are
accepted at the endpoint even if this flag is true.
This flag does not indicate whether a request object is always required.
There is a different flag, requestObjectRequired, for the purpose.
See the description of isRequestObjectRequired() for details.
Even if this flag is false, encryption of request object is
required if the Client.frontChannelRequestObjectEncryptionRequired
flag is true.
required - true to require that request objects passed through the
front channel be encrypted.this object.isRequestObjectRequired(),
Client.isFrontChannelRequestObjectEncryptionRequired()public boolean isRequestObjectEncryptionAlgMatchRequired()
alg of encrypted request
object must match the request_object_encryption_alg client metadata
of the client that has sent the request object.
The request_object_encryption_alg client metadata itself is defined
in OpenID Connect Dynamic Client Registration 1.0 as follows.
request_object_encryption_algOPTIONAL. JWE [JWE]
algalgorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to the OP. This parameter SHOULD be included when symmetric encryption will be used, since this signals to the OP that aclient_secretvalue needs to be returned from which the symmetric key will be derived, that might not otherwise be returned. The RP MAY still use other supported encryption algorithms or send unencrypted Request Objects, even when this parameter is present. If both signing and encryption are requested, the Request Object will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The default, if omitted, is that the RP is not declaring whether it might encrypt any Request Objects.
The point here is "The RP MAY still use other supported encryption algorithms or send unencrypted Request Objects, even when this parameter is present."
The Client's property that represents the client metadata is
Client.requestEncryptionAlg. See the description of
Client.getRequestEncryptionAlg() for details.
Even if this flag is false, the match is required if the
Client.requestObjectEncryptionAlgMatchRequired flag is true.
true if the JWE alg of encrypted request object
must match the request_object_encryption_alg client metadata.Client.getRequestEncryptionAlg(),
Client.isRequestObjectEncryptionAlgMatchRequired()public Service setRequestObjectEncryptionAlgMatchRequired(boolean required)
alg of encrypted request
object must match the request_object_encryption_alg client metadata
of the client that has sent the request object.
The request_object_encryption_alg client metadata itself is defined
in OpenID Connect Dynamic Client Registration 1.0 as follows.
request_object_encryption_algOPTIONAL. JWE [JWE]
algalgorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to the OP. This parameter SHOULD be included when symmetric encryption will be used, since this signals to the OP that aclient_secretvalue needs to be returned from which the symmetric key will be derived, that might not otherwise be returned. The RP MAY still use other supported encryption algorithms or send unencrypted Request Objects, even when this parameter is present. If both signing and encryption are requested, the Request Object will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The default, if omitted, is that the RP is not declaring whether it might encrypt any Request Objects.
The point here is "The RP MAY still use other supported encryption algorithms or send unencrypted Request Objects, even when this parameter is present."
The Client's property that represents the client metadata is
Client.requestEncryptionAlg. See the description of
Client.getRequestEncryptionAlg() for details.
Even if this flag is false, the match is required if the
Client.requestObjectEncryptionAlgMatchRequired flag is true.
required - true to require that the JWE alg of encrypted
request object match the request_object_encryption_alg
client metadata.this object.Client.getRequestEncryptionAlg(),
Client.isRequestObjectEncryptionAlgMatchRequired()public boolean isRequestObjectEncryptionEncMatchRequired()
enc of encrypted request
object must match the request_object_encryption_enc client metadata
of the client that has sent the request object.
The request_object_encryption_enc client metadata itself is defined
in OpenID Connect Dynamic Client Registration 1.0 as follows.
request_object_encryption_encOPTIONAL. JWE
encalgorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to the OP. Ifrequest_object_encryption_algis specified, the default for this value isA128CBC-HS256. Whenrequest_object_encryption_encis included,request_object_encryption_algMUST also be provided.
The Client's property that represents the client metadata is
Client.requestEncryptionEnc. See the description of
Client.getRequestEncryptionEnc() for details.
Even if this flag is false, the match is required if the
Client.requestObjectEncryptionEncMatchRequired flag is true.
true if the JWE enc of encrypted request object
must match the request_object_encryption_enc client metadata.Client.getRequestEncryptionEnc(),
Client.isRequestObjectEncryptionEncMatchRequired()public Service setRequestObjectEncryptionEncMatchRequired(boolean required)
enc of encrypted request
object must match the request_object_encryption_enc client metadata
of the client that has sent the request object.
The request_object_encryption_enc client metadata itself is defined
in OpenID Connect Dynamic Client Registration 1.0 as follows.
request_object_encryption_encOPTIONAL. JWE
encalgorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to the OP. Ifrequest_object_encryption_algis specified, the default for this value isA128CBC-HS256. Whenrequest_object_encryption_encis included,request_object_encryption_algMUST also be provided.
The Client's property that represents the client metadata is
Client.requestEncryptionEnc. See the description of
Client.getRequestEncryptionEnc() for details.
Even if this flag is false, the match is required if the
Client.requestObjectEncryptionEncMatchRequired flag is true.
required - true to require that the JWE enc of encrypted
request object match the request_object_encryption_enc
client metadata.this object.Client.getRequestEncryptionEnc(),
Client.isRequestObjectEncryptionEncMatchRequired()public boolean isHsmEnabled()
When this flag is false, keys managed in HSMs are not used even if they
exist. In addition, /api/hsk/* APIs reject all requests.
Even if this flag is true, HSM-related features do not work if the configuration of the Authlete server you are using does not support HSM.
true if HSM support is enabled for this service.public Service setHsmEnabled(boolean enabled)
When this flag is false, keys managed in HSMs are not used even if they
exist. In addition, /api/hsk/* APIs reject all requests.
Even if this flag is true, HSM-related features do not work if the configuration of the Authlete server you are using does not support HSM.
enabled - true to enable HSM support for this service.this object.public Hsk[] getHsks()
This hsks property is output only, meaning that hsks in
requests to /api/service/create API and /api/service/update
API do not have any effect. The contents of this property is controlled
only by /api/hsk/* APIs.
public Service setHsks(Hsk[] hsks)
This hsks property is output only, meaning that hsks in
requests to /api/service/create API and /api/service/update
API do not have any effect. The contents of this property is controlled
only by /api/hsk/* APIs.
hsks - Information about keys managed on HSMs.this object.public URI getGrantManagementEndpoint()
public Service setGrantManagementEndpoint(URI endpoint)
endpoint - The URL of the grant management endpoint.this object.public boolean isGrantManagementActionRequired()
grant_management_action request parameter.
This property corresponds to the grant_management_action_required
server metadata defined in "Grant Management
for OAuth 2.0".
Note that setting true to this property will result in blocking
all public clients because the specification requires that grant
management be usable only by confidential clients for security reasons.
true if every authorization request must include the
grant_management_action request parameter.public Service setGrantManagementActionRequired(boolean required)
grant_management_action request parameter.
This property corresponds to the grant_management_action_required
server metadata defined in "Grant Management
for OAuth 2.0".
Note that setting true to this property will result in blocking
all public clients because the specification requires that grant
management be usable only by confidential clients for security reasons.
required - true to require every authorization request include the
grant_management_action request parameter.this object.public boolean isUnauthorizedOnClientConfigSupported()
/api/client/registration
API uses UNAUTHORIZED
as a value of the action response parameter when appropriate.
See the description of setUnauthorizedOnClientConfigSupported(boolean)
for details.
true if Authlete's /api/client/registration uses
UNAUTHORIZED as a value of the action response
parameter when appropriate. false if UNAUTHORIZED
is not used in any case.public Service setUnauthorizedOnClientConfigSupported(boolean supported)
/api/client/registration
API uses UNAUTHORIZED
as a value of the action response parameter when appropriate.
The UNAUTHORIZED enum value did not exist in the initial
implementation of the ClientRegistrationResponse.Action enum.
This means that implementations of client configuration endpoint were
not able to conform to RFC 7592 strictly.
For backward compatibility (to avoid breaking running systems),
Authlete's /api/client/registration API does not return the
UNAUTHORIZED enum value if this flag is not turned on.
The steps an existing implementation of client configuration endpoint
has to do in order to conform to the requirement related to
"401 Unauthorized" are as follows.
UNAUTHORIZED action.
unauthorizedOnClientConfigSupported flag.
supported - true to let Authlete's /api/client/registration
API use the UNAUTHORIZED enum value when appropriate.
false to prevent the UNAUTHORIZED enum value
from being used.this object.public boolean isDcrScopeUsedAsRequestable()
scope request parameter
in dynamic client registration and update requests (RFC 7591 and
RFC 7592)
is used as scopes that the client can request.
Limiting the range of scopes that a client can request is achieved by
listing scopes in the client.extension.requestableScopes
property (cf. ClientExtension.getRequestableScopes()) and
setting true to the
client.extension.requestableScopesEnabled property (cf.
ClientExtension.isRequestableScopesEnabled()). This feature
is called "requestable scopes".
This property affects behaviors of /api/client/registration
and other family APIs.
true if the scope request parameter in dynamic
client registration and update requests is used to limit the
range of scopes that the client can request. false if
Authlete does nothing special for the scope request
parameter.public Service setDcrScopeUsedAsRequestable(boolean used)
scope request parameter
in dynamic client registration and update requests (RFC 7591 and
RFC 7592)
is used as scopes that the client can request.
Limiting the range of scopes that a client can request is achieved by
listing scopes in the client.extension.requestableScopes
property (cf. ClientExtension.getRequestableScopes()) and
setting true to the
client.extension.requestableScopesEnabled property (cf.
ClientExtension.isRequestableScopesEnabled()). This feature
is called "requestable scopes".
This property affects behaviors of /api/client/registration
and other family APIs.
used - true to make Authlete treat the scope request
parameter in dynamic client registration and update requests
as requestable scopes. false to leave it to Authlete
(Authlete will do nothing special).this object.public String getPredefinedTransformedClaims()
transformed_claims_predefined
server metadata.
See the description of setPredefinedTransformedClaims(String)
for details.
This predefinedTransformedClaims property is available from
Authlete 2.3 onwards.
setPredefinedTransformedClaims(String)public Service setPredefinedTransformedClaims(String claims)
transformed_claims_predefined
server metadata.
"Transformed Claims" is a specification that enables to define a "transformed claim" which transforms the value of an existing claim by applying "transformation functions".
The following example defines a transformed claim named 18_or_over
which uses the birthdate claim as input and applies two
transformation functions, years_ago and gte. As a result
of the transformation, the transformed claim will have a boolean value.
{
"18_or_over": {
"claim": "birthdate",
"fn": [
"years_ago",
[ "gte", 18 ]
]
}
}
A client application can request a predefined transformed claim by
prepending two colons (::) to the name of a transformed claim.
The following is an example of the claims request parameter
(OpenID Connect Core 1.0, 5.5. Requesting Claims using the "claims" Request Parameter) that
requests a predefined transformed claim named 18_or_over to be
embedded in an ID token.
{
"id_token": {
"::18_or_over": null
}
}
If the age of the user is 18 or over, the ID token will contain the transformed claim like below.
"::18_or_over": true
This predefinedTransformedClaims property is available from
Authlete 2.3 onwards.
claims - Predefined transformed claims in JSON format.this object.Copyright © 2021. All rights reserved.