public class Service extends Object implements Serializable
Some properties correspond to the ones listed in OpenID Provider Metadata in OpenID Connect Discovery 1.0.

When getAccessTokenSignAlg() returns a non-null value, access tokens issued by this service become JWTs, and the value returned by the method is used as the signature algorithm of those JWTs. When the method returns null, access tokens issued by this service are random strings as before.
A JWT-based access token has the following claims.

claim name | type | description
---|---|---
scope | string | Space-delimited scope names.
client_id | string | Client ID.
exp | integer | Time at which this access token will expire. Seconds since the Unix epoch.
iat | integer | Time at which this access token was issued. Seconds since the Unix epoch.
sub | string | The subject (unique identifier) of the resource owner who approved issue of this access token. This claim does not exist or its value is null if this access token was issued by the resource owner password credentials flow.
iss | string | The issuer identifier of this service.
jti | string | The unique identifier of this JWT. The value of this claim itself is the random-string version of this access token.
cnf | object | Included when this access token is bound to a client certificate or to a DPoP public key. For a certificate-bound token the object contains an "x5t#S256" claim whose value is the X.509 Certificate SHA-256 thumbprint of the client certificate; see "3.1. JWT Certificate Thumbprint Confirmation Method" of RFC 8705 (OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens). For a DPoP-bound token the object contains a "jkt" claim whose value is the thumbprint of the public key; see "OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer".
aud | array | Included when this access token has been generated with target resources. See "Resource Indicators for OAuth 2.0".
authorization_details | array | Included when this access token has been generated with authorization_details. See "OAuth 2.0 Rich Authorization Requests".

A resource server that receives a token carrying cnf must compare the thumbprint with the certificate actually presented on its own mutual-TLS connection, or with the key in a DPoP proof it has validated itself; the claim alone proves nothing about who is presenting the token.

Visible (= not-hidden) extra properties of the access token are embedded in the JWT as custom claims. Regarding extra properties, see the Authlete API document.
The JWT-based access token feature is available since Authlete 2.1. Access tokens issued by older Authlete versions are always random strings.

"Resource Indicators for OAuth 2.0" is supported since Authlete 2.2. The resource request parameter given to older Authlete versions is silently ignored, so JWT-based access tokens won't include the aud claim; a resource server behind such a version therefore cannot rely on aud for audience restriction. "OAuth 2.0 Rich Authorization Requests" is supported since Authlete 2.2. The authorization_details request parameter given to older Authlete versions is likewise ignored, so JWT-based access tokens won't include the authorization_details claim.
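What a resource server has to check before honouring a token of the shape described above, as an added example that is not part of Authlete's code or of this page. It uses HS256 with a shared key purely so that it runs offline; a real verifier selects the service's JWK by the kid header from jwks_uri and verifies an asymmetric signature instead, and the remaining checks are unchanged. The issuer, key, certificate bytes, DPoP JWK and claim values are all constructed.

```python
# Added example, not Authlete's code: the checks a resource server runs on a
# JWT-based access token shaped as in the table above, including the cnf binding.
# Assumptions: HS256 with a shared key so the block runs offline (a deployment
# resolves the service JWK by the "kid" header from jwks_uri and verifies an
# asymmetric signature); every key, certificate and claim value is constructed.
import base64
import hashlib
import hmac
import json
import time

class TokenRejected(Exception):
    """Raised with a reason whenever the token must not be accepted."""

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 section 3.1: base64url(SHA-256(DER-encoded certificate))."""
    return b64url_encode(hashlib.sha256(cert_der).digest())

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint, the value DPoP places in jkt: SHA-256 over the
    required public members only, sorted by name, without whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y"),
                "OKP": ("crv", "kty", "x")}
    members = {name: jwk[name] for name in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url_encode(hashlib.sha256(canonical.encode("utf-8")).digest())

def mint_hs256_token(claims: dict, key: bytes) -> str:
    """Stand-in for the authorization server issuing a JWT access token."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "at+jwt"}).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_access_token(token, key, issuer, audience=None, required_scope=None,
                        client_cert_der=None, dpop_jwk=None, now=None, skew=0):
    """Return the claims if the token is acceptable here, else raise TokenRejected.
    client_cert_der is the certificate the client presented on this TLS connection,
    dpop_jwk the key from a DPoP proof already validated for this request: cnf only
    names a thumbprint; the binding is proved by what the caller authenticated."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenRejected(f"malformed token: {exc}") from exc
    if header.get("alg") != "HS256":  # pin the algorithm; "alg" is attacker-controlled
        raise TokenRejected("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenRejected("bad signature")
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise TokenRejected("wrong issuer")
    if "exp" not in claims or claims["exp"] + skew < now:
        raise TokenRejected("expired")
    if claims.get("iat", 0) > now + skew:
        raise TokenRejected("issued in the future")
    if required_scope and required_scope not in claims.get("scope", "").split():
        raise TokenRejected("insufficient_scope")
    # aud exists only when the token was issued with a resource indicator, so a
    # server that requires an audience must reject audience-less tokens.
    aud = claims.get("aud", [])
    if audience is not None and audience not in ([aud] if isinstance(aud, str) else aud):
        raise TokenRejected("audience mismatch")
    cnf = claims.get("cnf") or {}
    if "x5t#S256" in cnf and (client_cert_der is None or not hmac.compare_digest(
            x5t_s256(client_cert_der), str(cnf["x5t#S256"]))):
        raise TokenRejected("certificate-bound token without the bound certificate")
    if "jkt" in cnf and (dpop_jwk is None or not hmac.compare_digest(
            jwk_thumbprint(dpop_jwk), str(cnf["jkt"]))):
        raise TokenRejected("DPoP-bound token without the bound key")
    return claims

def accepts(token, **kwargs) -> bool:
    try:
        verify_access_token(token, **kwargs)
        return True
    except TokenRejected:
        return False

# Constructed sample data so the block runs stand-alone; none of it is real.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
DEMO_ISSUER = "https://as.example.com"  # assumed issuer identifier
DEMO_CERT_DER = b"\x30\x82constructed stand-in for DER certificate bytes"
DEMO_DPOP_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
DEMO_NOW = 1_700_000_000

def demo_claims(**extra) -> dict:
    """Claims as the table above lists them; jti stands in for the random-string token."""
    claims = {"iss": DEMO_ISSUER, "sub": "user-123", "client_id": "client-abc",
              "scope": "openid read", "iat": DEMO_NOW - 60, "exp": DEMO_NOW + 540,
              "jti": "rand0mStr1ngT0k3n", "aud": ["https://rs.example.com"]}
    claims.update(extra)
    return claims
```

The order matters: signature and issuer first, then lifetime, then scope and audience, and only then the proof-of-possession check, so a forged token never reaches the thumbprint comparison. Since jti is the random-string form of the same token, a verifier that additionally needs revocation status can present that value to the introspection endpoint instead of the whole JWT.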
Constructor and Description |
---|
Service() |
Modifier and Type | Method | Description
---|---|---
long | getAccessTokenDuration() | Get the duration of access tokens in seconds; the value of expires_in in access token responses.
JWSAlg | getAccessTokenSignAlg() | Get the signature algorithm of access tokens.
String | getAccessTokenSignatureKeyId() | Get the key ID to identify a JWK used for signing access tokens.
String | getAccessTokenType() | Get the access token type; the value of token_type in access token responses.
int | getAllowableClockSkew() | Get the allowable clock skew between the server and clients in seconds.
long | getApiKey() | Get the API key.
String | getApiSecret() | Get the API secret.
Pair[] | getAttributes() | Get attributes.
String | getAuthenticationCallbackApiKey() | Get the API key to access the authentication callback endpoint.
String | getAuthenticationCallbackApiSecret() | Get the API secret to access the authentication callback endpoint.
URI | getAuthenticationCallbackEndpoint() | Get the URI of the authentication callback endpoint.
URI | getAuthorizationEndpoint() | Get the URI of the authorization endpoint.
long | getAuthorizationResponseDuration() | Get the duration of authorization response JWTs.
String | getAuthorizationSignatureKeyId() | Get the key ID to identify a JWK used for signing authorization responses using an asymmetric key.
URI | getBackchannelAuthenticationEndpoint() | Get the URI of the backchannel authentication endpoint.
int | getBackchannelAuthReqIdDuration() | Get the duration of backchannel authentication request IDs issued from the backchannel authentication endpoint in seconds.
int | getBackchannelPollingInterval() | Get the minimum interval between polling requests to the token endpoint from client applications in seconds.
int | getClientsPerDeveloper() | Get the number of client applications that one developer can create.
long | getCreatedAt() | Get the time at which this service was created.
String | getDescription() | Get the description.
String | getDeveloperAuthenticationCallbackApiKey() | Get the API key to access the developer authentication callback endpoint.
String | getDeveloperAuthenticationCallbackApiSecret() | Get the API secret to access the developer authentication callback endpoint.
URI | getDeveloperAuthenticationCallbackEndpoint() | Get the URI of the developer authentication callback endpoint.
SnsCredentials[] | getDeveloperSnsCredentials() | Get the list of SNS credentials that Authlete uses to support social login at the developer console.
URI | getDeviceAuthorizationEndpoint() | Get the URI of the device authorization endpoint.
int | getDeviceFlowCodeDuration() | Get the duration of device verification codes and end-user verification codes issued from the device authorization endpoint in seconds.
int | getDeviceFlowPollingInterval() | Get the minimum interval between polling requests to the token endpoint from client applications in seconds in device flow.
URI | getDeviceVerificationUri() | Get the verification URI for the device flow.
URI | getDeviceVerificationUriComplete() | Get the verification URI for the device flow with a placeholder for a user code.
URI | getEndSessionEndpoint() | Get the end session endpoint for the service.
long | getIdTokenDuration() | Get the duration of ID tokens in seconds.
String | getIdTokenSignatureKeyId() | Get the key ID to identify a JWK used for ID token signature using an asymmetric key.
URI | getIntrospectionEndpoint() | Get the URI of the introspection endpoint.
URI | getIssuer() | Get the issuer identifier of this OpenID provider.
String | getJwks() | Get the JSON Web Key Set of the service.
URI | getJwksUri() | Get the URI of the service's JSON Web Key Set.
Pair[] | getMetadata() | Get metadata.
long | getModifiedAt() | Get the time at which this service was last modified.
NamedUri[] | getMtlsEndpointAliases() | Get the MTLS endpoint aliases.
int | getNumber() | Get the service number.
URI | getPolicyUri() | Get the URI that this OpenID Provider provides to the person registering the client to read about the OP's requirements on how the Relying Party can use the data provided by the OP.
long | getPushedAuthReqDuration() | Get the duration of pushed authorization requests.
URI | getPushedAuthReqEndpoint() | Get the URI of the pushed authorization request endpoint.
long | getRefreshTokenDuration() | Get the duration of refresh tokens in seconds.
URI | getRegistrationEndpoint() | Get the URI of the registration endpoint.
URI | getRegistrationManagementEndpoint() | Get the URI of the registration management endpoint.
URI | getRevocationEndpoint() | Get the URI of the token revocation endpoint.
URI | getServiceDocumentation() | Get the URI of a page containing human-readable information that developers might want or need to know when using this OpenID Provider.
String | getServiceName() | Get the service name.
int | getServiceOwnerNumber() | Get the service owner number.
SnsCredentials[] | getSnsCredentials() | Get the list of SNS credentials that Authlete uses to support social login.
String[] | getSupportedAcrs() | Get the supported ACRs (authentication context class references).
String[] | getSupportedAuthorizationDataTypes() | Get the supported data types that can be used as values of the "type" field in "authorization_details".
DeliveryMode[] | getSupportedBackchannelTokenDeliveryModes() | Get the supported backchannel token delivery modes.
String[] | getSupportedClaimLocales() | Get the supported claim locales.
String[] | getSupportedClaims() | Get the supported claims.
ClaimType[] | getSupportedClaimTypes() | Get the supported claim types.
Sns[] | getSupportedDeveloperSnses() | Get the list of supported SNSes for social login at the developer console.
Display[] | getSupportedDisplays() | Get the supported values of the display parameter passed to the authorization endpoint.
String[] | getSupportedEvidence() | Get evidence supported by this service.
GrantType[] | getSupportedGrantTypes() | Get the supported grant types.
String[] | getSupportedIdentityDocuments() | Get identity documents supported by this service.
ClientAuthMethod[] | getSupportedIntrospectionAuthMethods() | Get client authentication methods supported at the introspection endpoint.
ResponseType[] | getSupportedResponseTypes() | Get the supported response types.
ClientAuthMethod[] | getSupportedRevocationAuthMethods() | Get client authentication methods supported at the revocation endpoint.
Scope[] | getSupportedScopes() | Get the supported scopes.
ServiceProfile[] | getSupportedServiceProfiles() | Get the supported service profiles.
Sns[] | getSupportedSnses() | Get the list of supported SNSes for social login at the authorization endpoint.
ClientAuthMethod[] | getSupportedTokenAuthMethods() | Get the supported client authentication methods at the token endpoint.
String[] | getSupportedTrustFrameworks() | Get trust frameworks supported by this service.
String[] | getSupportedUiLocales() | Get the supported UI locales.
String[] | getSupportedVerificationMethods() | Get verification methods supported by this service.
String[] | getSupportedVerifiedClaims() | Get verified claims supported by this service.
URI | getTokenEndpoint() | Get the URI of the token endpoint.
URI | getTosUri() | Get the URI that the OpenID Provider provides to the person registering the client to read about the OP's terms of service.
String[] | getTrustedRootCertificates() | Get the list of root certificates trusted by this service for PKI-based client mutual TLS authentication.
UserCodeCharset | getUserCodeCharset() | Get the character set for end-user verification codes (user_code) for Device Flow.
int | getUserCodeLength() | Get the length of end-user verification codes (user_code) for Device Flow.
URI | getUserInfoEndpoint() | Get the URI of the user info endpoint.
String | getUserInfoSignatureKeyId() | Get the key ID to identify a JWK used for user info signature using an asymmetric key.
boolean | isBackchannelBindingMessageRequiredInFapi() | Get the boolean flag which indicates whether the binding_message request parameter is always required whenever a backchannel authentication request is judged as a request for Financial-grade API.
boolean | isBackchannelUserCodeParameterSupported() | Get the boolean flag which indicates whether the "user_code" request parameter is supported at the backchannel authentication endpoint.
boolean | isClaimShortcutRestrictive() | Get the flag indicating whether claims specified by shortcut scopes (e.g.
boolean | isClientIdAliasEnabled() | Get the flag which indicates whether the 'Client ID Alias' feature is enabled or not.
boolean | isDirectAuthorizationEndpointEnabled() | Get the flag which indicates whether the direct authorization endpoint is enabled or not.
boolean | isDirectIntrospectionEndpointEnabled() | Get the flag which indicates whether the direct introspection endpoint is enabled or not.
boolean | isDirectJwksEndpointEnabled() | Get the flag which indicates whether the direct jwks endpoint is enabled or not.
boolean | isDirectRevocationEndpointEnabled() | Get the flag which indicates whether the direct revocation endpoint is enabled or not.
boolean | isDirectTokenEndpointEnabled() | Get the flag which indicates whether the direct token endpoint is enabled or not.
boolean | isDirectUserInfoEndpointEnabled() | Get the flag which indicates whether the direct userinfo endpoint is enabled or not.
boolean | isDynamicRegistrationSupported() | Get the flag which indicates whether dynamic client registration is supported.
boolean | isErrorDescriptionOmitted() | Get the flag which indicates whether the error_description response parameter is omitted.
boolean | isErrorUriOmitted() | Get the flag which indicates whether the error_uri response parameter is omitted.
boolean | isIssSuppressed() | Get the flag indicating whether generation of the iss response parameter is suppressed.
boolean | isMissingClientIdAllowed() | Get the flag indicating whether token requests from public clients without the client_id request parameter are allowed when the client can be guessed from authorization_code or refresh_token.
boolean | isMutualTlsValidatePkiCertChain() | Determine whether this service validates certificate chains during PKI-based client mutual TLS authentication.
boolean | isNbfOptional() | Get the flag indicating whether the nbf claim in the request object is optional even when the authorization request is regarded as a FAPI-Part2 request.
boolean | isParRequired() | Get the flag indicating whether this service requires that clients use the pushed authorization request endpoint.
boolean | isPkceRequired() | Get the flag which indicates whether the use of Proof Key for Code Exchange (PKCE) is always required for authorization requests by Authorization Code Flow.
boolean | isPkceS256Required() | Get the flag which indicates whether S256 is always required as the code challenge method whenever PKCE (RFC 7636) is used.
boolean | isRefreshTokenDurationKept() | Get the flag which indicates whether the remaining duration of the used refresh token is taken over to the newly issued refresh token.
boolean | isRefreshTokenKept() | Get the flag which indicates whether a refresh token remains valid or gets renewed after its use.
boolean | isRequestObjectRequired() | Get the flag indicating whether this service requires that authorization requests always utilize a request object by using either the request or request_uri request parameter.
boolean | isScopeRequired() | Get the flag indicating whether requests that request no scope are rejected or not.
boolean | isSingleAccessTokenPerSubject() | Get the flag which indicates whether the number of access tokens per subject (and per client) is at most one or can be more.
boolean | isTlsClientCertificateBoundAccessTokens() | Does this service support issuing TLS client certificate bound access tokens?
boolean | isTraditionalRequestObjectProcessingApplied() | Get the flag indicating whether a request object is processed based on rules defined in OpenID Connect Core 1.0 or JAR (JWT Secured Authorization Request).
Service | loadAttributes(Iterable<Pair> attributes) | Load attributes from an iterable.
Service | setAccessTokenDuration(long duration) | Set the duration of access tokens in seconds; the value of expires_in in access token responses.
Service | setAccessTokenSignAlg(JWSAlg alg) | Set the signature algorithm of access tokens.
Service | setAccessTokenSignatureKeyId(String keyId) | Set the key ID to identify a JWK used for signing access tokens.
Service | setAccessTokenType(String type) | Set the access token type; the value of token_type in access token responses.
Service | setAllowableClockSkew(int seconds) | Set the allowable clock skew between the server and clients in seconds.
Service | setApiKey(long apiKey) | Set the API key.
Service | setApiSecret(String apiSecret) | Set the API secret.
Service | setAttributes(Pair[] attributes) | Set attributes.
Service | setAuthenticationCallbackApiKey(String apiKey) | Set the API key to access the authentication callback endpoint.
Service | setAuthenticationCallbackApiSecret(String apiSecret) | Set the API secret to access the authentication callback endpoint.
Service | setAuthenticationCallbackEndpoint(URI endpoint) | Set the URI of the authentication callback endpoint.
Service | setAuthorizationEndpoint(URI endpoint) | Set the URI of the authorization endpoint.
Service | setAuthorizationResponseDuration(long duration) | Set the duration of authorization response JWTs.
Service | setAuthorizationSignatureKeyId(String keyId) | Set the key ID to identify a JWK used for signing authorization responses using an asymmetric key.
Service | setBackchannelAuthenticationEndpoint(URI endpoint) | Set the URI of the backchannel authentication endpoint.
Service | setBackchannelAuthReqIdDuration(int duration) | Set the duration of backchannel authentication request IDs issued from the backchannel authentication endpoint in seconds.
Service | setBackchannelBindingMessageRequiredInFapi(boolean required) | Set the boolean flag which indicates whether the binding_message request parameter is always required whenever a backchannel authentication request is judged as a request for Financial-grade API.
Service | setBackchannelPollingInterval(int interval) | Set the minimum interval between polling requests to the token endpoint from client applications in seconds.
Service | setBackchannelUserCodeParameterSupported(boolean supported) | Set the boolean flag which indicates whether the "user_code" request parameter is supported at the backchannel authentication endpoint.
Service | setClaimShortcutRestrictive(boolean restrictive) | Set the flag indicating whether claims specified by shortcut scopes (e.g.
Service | setClientIdAliasEnabled(boolean enabled) | Enable/disable the 'Client ID Alias' feature.
Service | setClientsPerDeveloper(int count) | Set the number of client applications that one developer can create.
Service | setCreatedAt(long createdAt) | Set the time at which this service was created.
Service | setDescription(String description) | Set the description.
Service | setDeveloperAuthenticationCallbackApiKey(String apiKey) | Set the API key to access the developer authentication callback endpoint.
Service | setDeveloperAuthenticationCallbackApiSecret(String apiSecret) | Set the API secret to access the developer authentication callback endpoint.
Service | setDeveloperAuthenticationCallbackEndpoint(URI endpoint) | Set the URI of the developer authentication callback endpoint.
Service | setDeveloperSnsCredentials(SnsCredentials[] snsCredentials) | Set the list of SNS credentials that Authlete uses to support social login at the developer console.
Service | setDeviceAuthorizationEndpoint(URI endpoint) | Set the URI of the device authorization endpoint.
Service | setDeviceFlowCodeDuration(int duration) | Set the duration of device verification codes and end-user verification codes issued from the device authorization endpoint in seconds.
Service | setDeviceFlowPollingInterval(int interval) | Set the minimum interval between polling requests to the token endpoint from client applications in seconds in device flow.
Service | setDeviceVerificationUri(URI uri) | Set the verification URI for the device flow.
Service | setDeviceVerificationUriComplete(URI uri) | Set the verification URI for the device flow with a placeholder for a user code.
Service | setDirectAuthorizationEndpointEnabled(boolean enabled) | Set the flag which indicates whether the direct authorization endpoint is enabled or not.
Service | setDirectIntrospectionEndpointEnabled(boolean enabled) | Set the flag which indicates whether the direct introspection endpoint is enabled or not.
Service | setDirectJwksEndpointEnabled(boolean enabled) | Set the flag which indicates whether the direct jwks endpoint is enabled or not.
Service | setDirectRevocationEndpointEnabled(boolean enabled) | Set the flag which indicates whether the direct revocation endpoint is enabled or not.
Service | setDirectTokenEndpointEnabled(boolean enabled) | Set the flag which indicates whether the direct token endpoint is enabled or not.
Service | setDirectUserInfoEndpointEnabled(boolean enabled) | Set the flag which indicates whether the direct userinfo endpoint is enabled or not.
Service | setDynamicRegistrationSupported(boolean enabled) | Set the flag which indicates whether dynamic client registration is supported.
Service | setEndSessionEndpoint(URI endSessionEndpoint) | Set the end session endpoint for the service.
Service | setErrorDescriptionOmitted(boolean omitted) | Omit or embed the error_description response parameter in error responses.
Service | setErrorUriOmitted(boolean omitted) | Omit or embed the error_uri response parameter in error responses.
Service | setIdTokenDuration(long duration) | Set the duration of ID tokens in seconds.
Service | setIdTokenSignatureKeyId(String keyId) | Set the key ID to identify a JWK used for ID token signature using an asymmetric key.
Service | setIntrospectionEndpoint(URI endpoint) | Set the URI of the introspection endpoint.
Service | setIssSuppressed(boolean suppressed) | Set the flag indicating whether generation of the iss response parameter is suppressed.
Service | setIssuer(URI issuer) | Set the issuer identifier of this OpenID provider.
Service | setJwks(String jwks) | Set the JSON Web Key Set of the service.
Service | setJwksUri(URI uri) | Set the URI of the service's JSON Web Key Set.
Service | setMetadata(Pair[] metadata) | Set metadata.
Service | setMissingClientIdAllowed(boolean allowed) | Set the flag indicating whether token requests from public clients without the client_id request parameter are allowed when the client can be guessed from authorization_code or refresh_token.
Service | setModifiedAt(long modifiedAt) | Set the time at which this service was last modified.
Service | setMtlsEndpointAliases(NamedUri[] aliases) | Set the MTLS endpoint aliases.
Service | setMutualTlsValidatePkiCertChain(boolean mutualTlsValidatePkiCertChain) | Set whether this service validates certificate chains during PKI-based client mutual TLS authentication.
Service | setNbfOptional(boolean optional) | Set the flag indicating whether the nbf claim in the request object is optional even when the authorization request is regarded as a FAPI-Part2 request.
Service | setNumber(int number) | Set the service number.
Service | setParRequired(boolean required) | Set the flag indicating whether this service requires that clients use the pushed authorization request endpoint.
Service | setPkceRequired(boolean required) | Set the flag which indicates whether the use of Proof Key for Code Exchange (PKCE) is always required for authorization requests by Authorization Code Flow.
Service | setPkceS256Required(boolean required) | Set the flag which indicates whether S256 is always required as the code challenge method whenever PKCE (RFC 7636) is used.
Service | setPolicyUri(URI uri) | Set the URI that this OpenID Provider provides to the person registering the client to read about the OP's requirements on how the Relying Party can use the data provided by the OP.
Service | setPushedAuthReqDuration(long duration) | Set the duration of pushed authorization requests.
Service | setPushedAuthReqEndpoint(URI endpoint) | Set the URI of the pushed authorization request endpoint.
Service | setRefreshTokenDuration(long duration) | Set the duration of refresh tokens in seconds.
Service | setRefreshTokenDurationKept(boolean kept) | Set the flag which indicates whether the remaining duration of the used refresh token is taken over to the newly issued refresh token.
Service | setRefreshTokenKept(boolean kept) | Set the flag which indicates whether a refresh token remains valid or gets renewed after its use.
Service | setRegistrationEndpoint(URI endpoint) | Set the URI of the registration endpoint.
Service | setRegistrationManagementEndpoint(URI endpoint) | Set the URI of the registration management endpoint.
Service | setRequestObjectRequired(boolean required) | Set the flag indicating whether this service requires that authorization requests always utilize a request object by using either the request or request_uri request parameter.
Service | setRevocationEndpoint(URI endpoint) | Set the URI of the token revocation endpoint.
Service | setScopeRequired(boolean required) | Set the flag indicating whether requests that request no scope are rejected or not.
Service | setServiceDocumentation(URI uri) | Set the URI of a page containing human-readable information that developers might want or need to know when using this OpenID Provider.
Service | setServiceName(String serviceName) | Set the service name.
Service | setServiceOwnerNumber(int serviceOwnerNumber) | Set the service owner number.
Service | setSingleAccessTokenPerSubject(boolean single) | Set the flag which indicates whether the number of access tokens per subject (and per client) is at most one or can be more.
Service | setSnsCredentials(SnsCredentials[] snsCredentials) | Set the list of SNS credentials that Authlete uses to support social login.
Service | setSupportedAcrs(String[] acrs) | Set the supported ACRs (authentication context class references).
Service | setSupportedAuthorizationDataTypes(String[] types) | Set the supported data types that can be used as values of the "type" field in "authorization_details".
Service | setSupportedBackchannelTokenDeliveryModes(DeliveryMode[] modes) | Set the supported backchannel token delivery modes.
Service | setSupportedClaimLocales(String[] supportedClaimLocales) | Set the supported claim locales.
Service | setSupportedClaims(String[] supportedClaims) | Set the supported claims.
Service | setSupportedClaimTypes(ClaimType[] claimTypes) | Set the supported claim types.
Service | setSupportedDeveloperSnses(Sns[] supportedSnses) | Set the list of supported SNSes for social login at the developer console.
Service | setSupportedDisplays(Display[] displays) | Set the supported values of the display parameter passed to the authorization endpoint.
Service | setSupportedEvidence(String[] evidence) | Set evidence supported by this service.
Service | setSupportedGrantTypes(GrantType[] grantTypes) | Set the supported grant types.
Service | setSupportedIdentityDocuments(String[] documents) | Set identity documents supported by this service.
Service | setSupportedIntrospectionAuthMethods(ClientAuthMethod[] methods) | Set client authentication methods supported at the introspection endpoint.
Service | setSupportedResponseTypes(ResponseType[] responseTypes) | Set the supported response types.
Service | setSupportedRevocationAuthMethods(ClientAuthMethod[] methods) | Set client authentication methods supported at the revocation endpoint.
Service | setSupportedScopes(Scope[] supportedScopes) | Set the supported scopes.
Service | setSupportedServiceProfiles(Iterable<ServiceProfile> profiles) | Set the supported service profiles.
Service | setSupportedServiceProfiles(ServiceProfile[] profiles) | Set the supported service profiles.
Service | setSupportedSnses(Sns[] supportedSnses) | Set the list of supported SNSes for social login at the authorization endpoint.
Service | setSupportedTokenAuthMethods(ClientAuthMethod[] methods) | Set the supported client authentication methods at the token endpoint.
Service | setSupportedTrustFrameworks(String[] frameworks) | Set trust frameworks supported by this service.
Service | setSupportedUiLocales(String[] supportedUiLocales) | Set the supported UI locales.
Service | setSupportedVerificationMethods(String[] methods) | Set verification methods supported by this service.
Service | setSupportedVerifiedClaims(String[] claims) | Set verified claims supported by this service.
Service | setTlsClientCertificateBoundAccessTokens(boolean enabled) | Enable or disable support for TLS client certificate bound access tokens.
Service | setTokenEndpoint(URI endpoint) | Set the URI of the token endpoint.
Service | setTosUri(URI uri) | Set the URI that the OpenID Provider provides to the person registering the client to read about the OP's terms of service.
Service | setTraditionalRequestObjectProcessingApplied(boolean applied) | Set the flag indicating whether a request object is processed based on rules defined in OpenID Connect Core 1.0 or JAR (JWT Secured Authorization Request).
Service | setTrustedRootCertificates(String[] trustedRootCertificates) | Set the list of root certificates trusted by this service for PKI-based client mutual TLS authentication.
Service | setUserCodeCharset(UserCodeCharset charset) | Set the character set for end-user verification codes (user_code) for Device Flow.
Service | setUserCodeLength(int length) | Set the length of end-user verification codes (user_code) for Device Flow.
Service | setUserInfoEndpoint(URI endpoint) | Set the URI of the user info endpoint.
Service | setUserInfoSignatureKeyId(String keyId) | Set the key ID to identify a JWK used for user info signature using an asymmetric key.
boolean | supports(ServiceProfile profile) | Check if this service supports the specified profile.
boolean | supportsAll(Iterable<ServiceProfile> profiles) | Check if this service supports all the specified service profiles.
boolean | supportsAll(ServiceProfile... profiles) | Check if this service supports all the specified service profiles.
boolean | supportsAny(Iterable<ServiceProfile> profiles) | Check if this service supports any of the specified service profiles.
boolean | supportsAny(ServiceProfile... profiles) | Check if this service supports any of the specified service profiles.
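Several of the flags above decide how much an attacker can get away with at the token and authorization endpoints (PKCE, S256, client authentication, chain validation for PKI mTLS, refresh-token rotation, client_id guessing, token lifetime and signing algorithm). The following is an added review script, not Authlete's code: it reads a service in its JSON form and assumes the property names mirror the Java accessors with the get/is prefix dropped (isPkceRequired() becomes "pkceRequired") and that enum values are the Java constant names. The FAPI client-authentication list, the lifetime ceiling and both sample configurations are this example's own policy and constructed data.

```python
# Added example, not Authlete's code: a review of a Service configuration against
# the flags in the table above. Assumes JSON property names mirror the Java
# accessors with the get/is prefix dropped (isPkceRequired() -> "pkceRequired")
# and that enum values are the Java constant names. The policy constants and the
# two sample configurations are this example's own.

# Token-endpoint client authentication methods this policy allows under FAPI.
FAPI_TOKEN_AUTH = {"PRIVATE_KEY_JWT", "TLS_CLIENT_AUTH", "SELF_SIGNED_TLS_CLIENT_AUTH"}
# Response types that hand an access token to the browser through the front channel.
FRONT_CHANNEL_ACCESS_TOKEN = {"TOKEN", "CODE_TOKEN", "ID_TOKEN_TOKEN", "CODE_ID_TOKEN_TOKEN"}
MAX_ACCESS_TOKEN_SECONDS = 3600  # assumed policy ceiling for access token lifetime


def review_service(service: dict) -> list:
    """Return (property, problem) pairs; an empty list means nothing was flagged."""
    findings = []

    def flag(key, problem):
        findings.append((key, problem))

    profiles = set(service.get("supportedServiceProfiles") or [])
    token_auth = set(service.get("supportedTokenAuthMethods") or [])
    grants = set(service.get("supportedGrantTypes") or [])

    if not service.get("pkceRequired"):
        flag("pkceRequired", "authorization code requests may omit PKCE")
    if not service.get("pkceS256Required"):
        flag("pkceS256Required", "code_challenge_method=plain is accepted, exposing the verifier in the request")
    if "FAPI" in profiles and not token_auth <= FAPI_TOKEN_AUTH:
        flag("supportedTokenAuthMethods",
             f"FAPI profile with non-FAPI client authentication: {sorted(token_auth - FAPI_TOKEN_AUTH)}")
    if "FAPI" in profiles and not service.get("tlsClientCertificateBoundAccessTokens"):
        flag("tlsClientCertificateBoundAccessTokens", "FAPI profile without certificate-bound access tokens")
    if "TLS_CLIENT_AUTH" in token_auth and not service.get("mutualTlsValidatePkiCertChain"):
        flag("mutualTlsValidatePkiCertChain",
             "PKI-based mTLS client authentication accepts certificates without chain validation")
    if "PASSWORD" in grants:
        flag("supportedGrantTypes",
             "resource owner password credentials enabled (its JWT access tokens also carry no sub)")
    if "IMPLICIT" in grants:
        flag("supportedGrantTypes", "implicit grant enabled")
    for response_type in service.get("supportedResponseTypes") or []:
        if response_type in FRONT_CHANNEL_ACCESS_TOKEN:
            flag("supportedResponseTypes", f"{response_type} returns an access token in the front channel")
    if service.get("refreshTokenKept"):
        flag("refreshTokenKept", "a used refresh token stays valid, so a stolen one can be replayed")
    if service.get("missingClientIdAllowed"):
        flag("missingClientIdAllowed", "token requests without client_id are accepted by guessing the client")
    if (service.get("accessTokenDuration") or 0) > MAX_ACCESS_TOKEN_SECONDS:
        flag("accessTokenDuration",
             f"access tokens live {service['accessTokenDuration']}s, above the {MAX_ACCESS_TOKEN_SECONDS}s ceiling")
    alg = service.get("accessTokenSignAlg")  # null means random-string tokens: nothing to sign
    if alg and alg.startswith("HS"):
        flag("accessTokenSignAlg", f"{alg} is symmetric: every verifier holding the key can also mint tokens")
    elif alg == "NONE":
        flag("accessTokenSignAlg", "JWT access tokens would be unsigned")
    return findings


# Constructed sample configurations: the weak one beside its hardened counterpart.
WEAK_SERVICE = {
    "pkceRequired": False, "pkceS256Required": False,
    "supportedServiceProfiles": ["FAPI"],
    "supportedTokenAuthMethods": ["CLIENT_SECRET_BASIC", "PRIVATE_KEY_JWT", "TLS_CLIENT_AUTH"],
    "tlsClientCertificateBoundAccessTokens": False, "mutualTlsValidatePkiCertChain": False,
    "supportedGrantTypes": ["AUTHORIZATION_CODE", "IMPLICIT", "PASSWORD", "REFRESH_TOKEN"],
    "supportedResponseTypes": ["CODE", "TOKEN", "CODE_ID_TOKEN"],
    "refreshTokenKept": True, "missingClientIdAllowed": True,
    "accessTokenDuration": 86400, "accessTokenSignAlg": "HS256",
}
HARDENED_SERVICE = {
    "pkceRequired": True, "pkceS256Required": True,
    "supportedServiceProfiles": ["FAPI"],
    "supportedTokenAuthMethods": ["PRIVATE_KEY_JWT", "TLS_CLIENT_AUTH"],
    "tlsClientCertificateBoundAccessTokens": True, "mutualTlsValidatePkiCertChain": True,
    "supportedGrantTypes": ["AUTHORIZATION_CODE", "REFRESH_TOKEN"],
    "supportedResponseTypes": ["CODE", "CODE_ID_TOKEN"],
    "refreshTokenKept": False, "missingClientIdAllowed": False,
    "accessTokenDuration": 600, "accessTokenSignAlg": "ES256",
}

if __name__ == "__main__":
    for key, problem in review_service(WEAK_SERVICE):
        print(f"{key}: {problem}")
    print("hardened:", review_service(HARDENED_SERVICE) or "no findings")
```

The check on mutualTlsValidatePkiCertChain only fires when TLS_CLIENT_AUTH is enabled, because self-signed mTLS deliberately has no chain to validate; the refreshTokenKept finding reflects that rotation limits replay of a stolen refresh token, while setRefreshTokenDurationKept only decides the new token's lifetime and is not a security setting in itself.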
public int getNumber()
public Service setNumber(int number)
number
- The service number.this
object.public int getServiceOwnerNumber()
public Service setServiceOwnerNumber(int serviceOwnerNumber)
serviceOwnerNumber
- The service owner number.this
object.public String getServiceName()
public Service setServiceName(String serviceName)
Parameters:
serviceName - The service name.
Returns:
this object.

public long getApiKey()

public Service setApiKey(long apiKey)
Parameters:
apiKey - The API key.
Returns:
this object.

public String getApiSecret()

public Service setApiSecret(String apiSecret)
Parameters:
apiSecret - The API secret.
Returns:
this object.

public URI getIssuer()

public Service setIssuer(URI issuer)
Parameters:
issuer - The issuer identifier.
Returns:
this object.

public URI getAuthorizationEndpoint()

public Service setAuthorizationEndpoint(URI endpoint)
Parameters:
endpoint - The URI of the authorization endpoint.
Returns:
this object.

public URI getTokenEndpoint()

public Service setTokenEndpoint(URI endpoint)
Parameters:
endpoint - The URI of the token endpoint.
Returns:
this object.

public URI getRevocationEndpoint()

public ClientAuthMethod[] getSupportedRevocationAuthMethods()

public Service setSupportedRevocationAuthMethods(ClientAuthMethod[] methods)
Parameters:
methods - Client authentication methods.
Returns:
this object.

public Service setRevocationEndpoint(URI endpoint)
Parameters:
endpoint - The URI of the token revocation endpoint.
Returns:
this object.

public URI getUserInfoEndpoint()

public Service setUserInfoEndpoint(URI endpoint)
Parameters:
endpoint - The URI of the user info endpoint.
Returns:
this object.

public URI getJwksUri()

public Service setJwksUri(URI uri)
Parameters:
uri - The URI of the service's JSON Web Key Set.
Returns:
this object.

public String getJwks()

public Service setJwks(String jwks)
Parameters:
jwks - The JSON Web Key Set of the service.
Returns:
this object.

public URI getRegistrationEndpoint()

public Service setRegistrationEndpoint(URI endpoint)
Parameters:
endpoint - The URI of the registration endpoint.
Returns:
this object.

public URI getRegistrationManagementEndpoint()
The base URI of the registration management endpoint. A client's management URI is formed by appending /clientid/ to it as a path element. If this is unset, the value of registrationEndpoint will be used as the URI base instead.

public Service setRegistrationManagementEndpoint(URI endpoint)
A client's management URI is formed by appending /clientid/ to this base URI as a path element. If this is unset, the value of registrationEndpoint will be used as the URI base instead.
Parameters:
endpoint - The base URI of the registration management endpoint.
Returns:
this object.

public Scope[] getSupportedScopes()

public Service setSupportedScopes(Scope[] supportedScopes)
Parameters:
supportedScopes - The supported scopes.
Returns:
this object.

public ResponseType[] getSupportedResponseTypes()

public Service setSupportedResponseTypes(ResponseType[] responseTypes)
Parameters:
responseTypes - The supported response types.
Returns:
this object.

public GrantType[] getSupportedGrantTypes()
public Service setSupportedGrantTypes(GrantType[] grantTypes)
Parameters:
grantTypes - The supported grant types.
Returns:
this object.

public String[] getSupportedAcrs()

public Service setSupportedAcrs(String[] acrs)
Parameters:
acrs - The supported ACRs.
Returns:
this object.

public ClientAuthMethod[] getSupportedTokenAuthMethods()

public Service setSupportedTokenAuthMethods(ClientAuthMethod[] methods)
Parameters:
methods - The supported client authentication methods.
Returns:
this object.

public Display[] getSupportedDisplays()
The supported values of the display parameter passed to the authorization endpoint.
Returns:
The supported values of the display parameter.

public Service setSupportedDisplays(Display[] displays)
Sets the supported values of the display parameter passed to the authorization endpoint.
Parameters:
displays - The supported values of the display parameter.
Returns:
this object.

public ClaimType[] getSupportedClaimTypes()

public Service setSupportedClaimTypes(ClaimType[] claimTypes)
Parameters:
claimTypes - The supported claim types.
Returns:
this object.

public String[] getSupportedClaims()

public Service setSupportedClaims(String[] supportedClaims)
Parameters:
supportedClaims - The supported claims.
Returns:
this object.

public URI getServiceDocumentation()

public Service setServiceDocumentation(URI uri)
Parameters:
uri - The URI of the service documentation.
Returns:
this object.

public String[] getSupportedClaimLocales()

public Service setSupportedClaimLocales(String[] supportedClaimLocales)
Parameters:
supportedClaimLocales - The supported claim locales.
Returns:
this object.

public String[] getSupportedUiLocales()

public Service setSupportedUiLocales(String[] supportedUiLocales)
Parameters:
supportedUiLocales - The supported UI locales.
Returns:
this object.

public URI getPolicyUri()

public Service setPolicyUri(URI uri)
Parameters:
uri - The URI of the policy page.
Returns:
this object.

public URI getTosUri()

public Service setTosUri(URI uri)
Parameters:
uri - The URI of the Terms-of-Service page.
Returns:
this object.

public String getDescription()

public Service setDescription(String description)
Parameters:
description - The description.
Returns:
this object.

public String getAccessTokenType()
The access token type. This value is used as the value of token_type in access token responses.

public Service setAccessTokenType(String type)
Sets the access token type. This value is used as the value of token_type in access token responses.
Parameters:
type - The access token type.
Returns:
this object.

public JWSAlg getAccessTokenSignAlg()
The signature algorithm of JWT-based access tokens. When this method returns null, access tokens issued by this service are just random strings. When it returns a non-null value, access tokens issued by this service are JWTs, and the returned value is the signature algorithm of those JWTs. Regarding the format, see the description of this Service class.
This feature is available since Authlete 2.1. Access tokens generated by older Authlete versions are always random strings.

public Service setAccessTokenSignAlg(JWSAlg alg)
When null is set, access tokens issued by this service are just random strings. When a non-null value is set, access tokens issued by this service are JWTs, and the value set by this method is used as the signature algorithm of those JWTs. Regarding the format, see the description of this Service class.
This feature is available since Authlete 2.1. Access tokens generated by older Authlete versions are always random strings.
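The following Java is an added example, not code from this page or from Authlete, showing how a service operator would switch a Service to signed JWT access tokens with the setters documented above, and the two preconditions a resource server needs before it can validate such tokens: an issuer (for the iss claim) and a JWK Set (for the signature). The import package names and the enum constants JWSAlg.ES256 and JWSAlg.NONE are assumed from authlete-java-common; the issuer and jwks_uri values are constructed.

```java
import java.net.URI;

import com.authlete.common.dto.Service;   // assumed package (authlete-java-common)
import com.authlete.common.types.JWSAlg;  // assumed package (authlete-java-common)

public final class JwtAccessTokenConfig {

    private JwtAccessTokenConfig() {}

    /**
     * Switch a service from opaque random-string access tokens to signed JWTs.
     * A null algorithm silently keeps opaque tokens and "none" would yield
     * unsigned JWTs, so both are rejected instead of being passed through.
     */
    public static Service enableJwtAccessTokens(Service service, JWSAlg alg, long lifetimeSeconds) {
        if (alg == null || alg == JWSAlg.NONE) {
            throw new IllegalArgumentException("a signing algorithm is required for JWT access tokens");
        }
        if (lifetimeSeconds <= 0) {
            throw new IllegalArgumentException("access token lifetime must be positive");
        }
        // Resource servers check "iss" against the issuer and the signature against
        // the service's JWK Set, so both must be configured before JWTs are issued.
        if (service.getIssuer() == null) {
            throw new IllegalStateException("issuer must be set before enabling JWT access tokens");
        }
        if (service.getJwks() == null && service.getJwksUri() == null) {
            throw new IllegalStateException("a JWK Set (jwks or jwksUri) must be set before enabling JWT access tokens");
        }
        return service
                .setAccessTokenSignAlg(alg)               // non-null: tokens become JWTs signed with alg
                .setAccessTokenDuration(lifetimeSeconds)  // drives expires_in and the JWT's exp claim
                .setAccessTokenType("Bearer");            // token_type in access token responses
    }

    /** Revert to opaque random-string access tokens (the behaviour when the algorithm is null). */
    public static Service disableJwtAccessTokens(Service service) {
        return service.setAccessTokenSignAlg(null);
    }

    public static void main(String[] args) {
        // Constructed example values; replace them with the real service's identifiers.
        Service service = new Service()
                .setServiceName("example-op")
                .setIssuer(URI.create("https://op.example.com"))
                .setJwksUri(URI.create("https://op.example.com/jwks"));

        enableJwtAccessTokens(service, JWSAlg.ES256, 600L);
        System.out.println("signAlg=" + service.getAccessTokenSignAlg()
                + " duration=" + service.getAccessTokenDuration());
    }
}
```

Keeping the lifetime short matters more once tokens are JWTs: an opaque token can be revoked at the introspection endpoint, but a resource server that validates a self-contained JWT locally will honour it until exp.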
public long getAccessTokenDuration()
The duration of access tokens in seconds. This value is used as the value of expires_in in access token responses.

public Service setAccessTokenDuration(long duration)
Sets the duration of access tokens in seconds. This value is used as the value of expires_in in access token responses.
Parameters:
duration - The duration of access tokens in seconds.
Returns:
this object.

public long getRefreshTokenDuration()

public Service setRefreshTokenDuration(long duration)
Parameters:
duration - The duration of refresh tokens in seconds.
Returns:
this object.

public long getIdTokenDuration()

public Service setIdTokenDuration(long duration)
Parameters:
duration - The duration of ID tokens in seconds.
Returns:
this object.

public long getAuthorizationResponseDuration()
Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) defines new values for the response_mode request parameter: query.jwt, fragment.jwt, form_post.jwt and jwt. If one of them is specified as the response mode, response parameters from the authorization endpoint will be packed into a JWT. This property is used to compute the value of the exp claim of that JWT.

public Service setAuthorizationResponseDuration(long duration)
Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) defines new values for the response_mode request parameter: query.jwt, fragment.jwt, form_post.jwt and jwt. If one of them is specified as the response mode, response parameters from the authorization endpoint will be packed into a JWT. This property is used to compute the value of the exp claim of that JWT.
Parameters:
duration - The duration of authorization response JWTs in seconds.
Returns:
this object.

public long getPushedAuthReqDuration()
"OAuth 2.0 Pushed Authorization Requests" defines an endpoint (called the "pushed authorization request endpoint") at which client applications can register authorization requests and receive corresponding URIs (called "request URIs"). The issued URIs represent the registered authorization requests. The client applications can use the URIs as the value of the request_uri request parameter in an authorization request.
The value returned from this method represents the duration of registered authorization requests and is used as the value of the expires_in parameter in responses from the pushed authorization request endpoint.

public Service setPushedAuthReqDuration(long duration)
"OAuth 2.0 Pushed Authorization Requests" defines an endpoint (called the "pushed authorization request endpoint") at which client applications can register authorization requests and receive corresponding URIs (called "request URIs"). The issued URIs represent the registered authorization requests. The client applications can use the URIs as the value of the request_uri request parameter in an authorization request.
The value given to this method represents the duration of registered authorization requests and is used as the value of the expires_in parameter in responses from the pushed authorization request endpoint.
Parameters:
duration - The duration of pushed authorization requests.
Returns:
this object.

public URI getAuthenticationCallbackEndpoint()
public Service setAuthenticationCallbackEndpoint(URI endpoint)
Parameters:
endpoint - The URI of the authentication callback endpoint.
Returns:
this object.

public String getAuthenticationCallbackApiKey()

public Service setAuthenticationCallbackApiKey(String apiKey)
Parameters:
apiKey - The API key to access the authentication callback endpoint.
Returns:
this object.

public String getAuthenticationCallbackApiSecret()

public Service setAuthenticationCallbackApiSecret(String apiSecret)
Parameters:
apiSecret - The API secret to access the authentication callback endpoint.
Returns:
this object.

public Sns[] getSupportedSnses()

public Service setSupportedSnses(Sns[] supportedSnses)
Parameters:
supportedSnses - The list of SNSes.
Returns:
this object.

public SnsCredentials[] getSnsCredentials()

public Service setSnsCredentials(SnsCredentials[] snsCredentials)
Parameters:
snsCredentials - The list of SNS credentials.
Returns:
this object.

public long getCreatedAt()

public Service setCreatedAt(long createdAt)
Parameters:
createdAt - The time at which this service was created.
Returns:
this object.

public long getModifiedAt()

public Service setModifiedAt(long modifiedAt)
Parameters:
modifiedAt - The time at which this service was modified.
Returns:
this object.

public Pair[] getMetadata()
The content of the returned array depends on contexts.

Key | Description |
---|---|
"clientCount" | The number of client applications which belong to this service. |

Returns:
An array of Pair.

public Service setMetadata(Pair[] metadata)
Parameters:
metadata - Metadata. The type is an array of Pair. null may be returned.
Returns:
this object.

public URI getDeveloperAuthenticationCallbackEndpoint()

public Service setDeveloperAuthenticationCallbackEndpoint(URI endpoint)
Parameters:
endpoint - The URI of the developer authentication callback endpoint.
Returns:
this object.

public String getDeveloperAuthenticationCallbackApiKey()

public Service setDeveloperAuthenticationCallbackApiKey(String apiKey)
Parameters:
apiKey - The API key to access the developer authentication callback endpoint.
Returns:
this object.

public String getDeveloperAuthenticationCallbackApiSecret()

public Service setDeveloperAuthenticationCallbackApiSecret(String apiSecret)
Parameters:
apiSecret - The API secret to access the developer authentication callback endpoint.
Returns:
this object.

public Sns[] getSupportedDeveloperSnses()

public Service setSupportedDeveloperSnses(Sns[] supportedSnses)
Parameters:
supportedSnses - The list of SNSes.
Returns:
this object.

public SnsCredentials[] getDeveloperSnsCredentials()

public Service setDeveloperSnsCredentials(SnsCredentials[] snsCredentials)
Parameters:
snsCredentials - The list of SNS credentials.
Returns:
this object.

public int getClientsPerDeveloper()

public Service setClientsPerDeveloper(int count)
Parameters:
count - The number of client applications that one developer can create. 0 means no limit.
Returns:
this object.

public boolean isDirectAuthorizationEndpointEnabled()
Whether the direct authorization endpoint, /api/auth/authorization/direct/{serviceApiKey}, is enabled.
Returns:
true if enabled.

public Service setDirectAuthorizationEndpointEnabled(boolean enabled)
Enables or disables the direct authorization endpoint, /api/auth/authorization/direct/{serviceApiKey}.
Parameters:
enabled - true to enable the direct endpoint.
Returns:
this object.

public boolean isDirectTokenEndpointEnabled()
Whether the direct token endpoint, /api/auth/token/direct/{serviceApiKey}, is enabled.
Returns:
true if enabled.

public Service setDirectTokenEndpointEnabled(boolean enabled)
Enables or disables the direct token endpoint, /api/auth/token/direct/{serviceApiKey}.
Parameters:
enabled - true to enable the direct endpoint.
Returns:
this object.

public boolean isDirectRevocationEndpointEnabled()
Whether the direct revocation endpoint, /api/auth/revocation/direct/{serviceApiKey}, is enabled.
Returns:
true if enabled.

public Service setDirectRevocationEndpointEnabled(boolean enabled)
Enables or disables the direct revocation endpoint, /api/auth/revocation/direct/{serviceApiKey}.
Parameters:
enabled - true to enable the direct endpoint.
Returns:
this object.

public boolean isDirectUserInfoEndpointEnabled()
Whether the direct userinfo endpoint, /api/auth/userinfo/direct/{serviceApiKey}, is enabled.
Returns:
true if enabled.

public Service setDirectUserInfoEndpointEnabled(boolean enabled)
Enables or disables the direct userinfo endpoint, /api/auth/userinfo/direct/{serviceApiKey}.
Parameters:
enabled - true to enable the direct endpoint.
Returns:
this object.

public boolean isDirectJwksEndpointEnabled()
Whether the direct JWKS endpoint, /api/service/jwks/get/direct/{serviceApiKey}, is enabled.
Returns:
true if enabled.

public Service setDirectJwksEndpointEnabled(boolean enabled)
Enables or disables the direct JWKS endpoint, /api/service/jwks/get/direct/{serviceApiKey}.
Parameters:
enabled - true to enable the direct endpoint.
Returns:
this object.

public boolean isDirectIntrospectionEndpointEnabled()
Whether the direct introspection endpoint, /api/auth/introspection/direct/{serviceApiKey}, is enabled.
Returns:
true if enabled.

public Service setDirectIntrospectionEndpointEnabled(boolean enabled)
Enables or disables the direct introspection endpoint, /api/auth/introspection/direct/{serviceApiKey}.
Parameters:
enabled - true to enable the direct endpoint.
Returns:
this object.

public boolean isSingleAccessTokenPerSubject()
If this flag is true, an attempt to issue a new access token invalidates existing access tokens associated with the same subject and the same client.
Note, however, that attempts by Client Credentials Flow do not invalidate existing access tokens, because access tokens issued by Client Credentials Flow are not associated with any end-user's subject. Also note that an attempt by Refresh Token Flow invalidates the coupled access token only, and this invalidation is always performed regardless of whether this flag is true or false.
Returns:
true if the number of access tokens per subject (and per client) is at most one.

public Service setSingleAccessTokenPerSubject(boolean single)
If true is set, an attempt to issue a new access token invalidates existing access tokens associated with the same subject and the same client.
Note, however, that attempts by Client Credentials Flow do not invalidate existing access tokens, because access tokens issued by Client Credentials Flow are not associated with any end-user's subject. Also note that an attempt by Refresh Token Flow invalidates the coupled access token only, and this invalidation is always performed regardless of whether this flag is true or false.
Parameters:
single - true to set the maximum number of access tokens per subject (and per client) to 1.
Returns:
this object.

public boolean isPkceRequired()
Returns:
true if PKCE is always required for authorization requests by Authorization Code Flow.

public Service setPkceRequired(boolean required)
Parameters:
required - true to always require PKCE for authorization requests by Authorization Code Flow.
Returns:
this object.

public boolean isPkceS256Required()
Whether S256 is always required as the code challenge method whenever PKCE (RFC 7636) is used. If this flag is true, code_challenge_method=S256 must be included in the authorization request whenever it includes the code_challenge request parameter. Neither omission of the code_challenge_method request parameter nor use of plain (code_challenge_method=plain) is allowed.
Returns:
true if S256 is always required as the code challenge method whenever PKCE is used.

public Service setPkceS256Required(boolean required)
Sets whether S256 is always required as the code challenge method whenever PKCE (RFC 7636) is used. If true is set, code_challenge_method=S256 must be included in the authorization request whenever it includes the code_challenge request parameter. Neither omission of the code_challenge_method request parameter nor use of plain (code_challenge_method=plain) is allowed.
Parameters:
required - true to require S256 as the code challenge method whenever PKCE is used.
Returns:
this object.
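As an added example (not code from this page or from Authlete), the Java below sets the two PKCE flags to their hardened values and then applies the rules the descriptions above state to a few constructed authorization requests, so the effect of each flag can be seen on concrete parameters. Restricting the check to requests whose response_type contains "code" is this example's reading of "authorization requests by Authorization Code Flow"; the Service import package is assumed from authlete-java-common, and the code_challenge value is the sample from RFC 7636.

```java
import java.util.Map;

import com.authlete.common.dto.Service; // assumed package (authlete-java-common)

public final class PkcePolicy {

    private PkcePolicy() {}

    /** Hardened setting: PKCE on every authorization code request, and only the S256 method. */
    public static Service requireS256Pkce(Service service) {
        return service.setPkceRequired(true).setPkceS256Required(true);
    }

    /**
     * Apply the documented rules to an authorization request's parameters.
     * Returns null when the request passes, otherwise a short reason.
     * Only the authorization code flow (response_type containing "code") is
     * checked; that scoping is this example's assumption.
     */
    public static String rejectReason(Service service, Map<String, String> params) {
        boolean codeFlow = false;
        for (String rt : params.getOrDefault("response_type", "").trim().split("\\s+")) {
            if (rt.equals("code")) {
                codeFlow = true;
            }
        }
        if (!codeFlow) {
            return null; // the PKCE flags only govern the authorization code flow
        }

        String challenge = params.get("code_challenge");
        String method = params.get("code_challenge_method");

        if (challenge == null || challenge.isEmpty()) {
            return service.isPkceRequired()
                    ? "invalid_request: code_challenge is required"
                    : null;
        }
        // RFC 7636 treats a missing code_challenge_method as "plain"; with
        // pkceS256Required both the omission and an explicit "plain" are rejected.
        if (service.isPkceS256Required() && !"S256".equals(method)) {
            return "invalid_request: code_challenge_method=S256 is required";
        }
        return null;
    }

    public static void main(String[] args) {
        Service hardened = requireS256Pkce(new Service());
        String challenge = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"; // RFC 7636 appendix B sample

        // Constructed sample requests, showing only the PKCE-relevant parameters.
        System.out.println(rejectReason(hardened, Map.of("response_type", "code")));
        System.out.println(rejectReason(hardened, Map.of("response_type", "code",
                "code_challenge", challenge)));
        System.out.println(rejectReason(hardened, Map.of("response_type", "code",
                "code_challenge", challenge, "code_challenge_method", "plain")));
        System.out.println(rejectReason(hardened, Map.of("response_type", "code",
                "code_challenge", challenge, "code_challenge_method", "S256")));
    }
}
```

The first three sample requests are rejected (missing challenge, method omitted, method plain) and only the last one passes. Authlete performs this enforcement itself; the method here only mirrors the documented rules so a reviewer can reason about which requests a given flag combination admits.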
public boolean isRefreshTokenKept()
Returns:
true if a refresh token remains valid after its use. false if a new refresh token is issued after its use.

public Service setRefreshTokenKept(boolean kept)
Parameters:
kept - true to keep a refresh token valid after its use. false to renew a refresh token after its use.
Returns:
this object.

public boolean isRefreshTokenDurationKept()
Returns:
true if the remaining duration of the used refresh token is taken over to the newly issued refresh token.

public Service setRefreshTokenDurationKept(boolean kept)
Parameters:
kept - true to indicate that the remaining duration of the used refresh token is taken over to the newly issued refresh token.
Returns:
this object.

public boolean isErrorDescriptionOmitted()
Whether the error_description response parameter is omitted. According to RFC 6749, authorization servers may include the error_description response parameter in error responses. When this errorDescriptionOmitted property is true, Authlete does not embed the error_description response parameter in error responses.
Returns:
true if the error_description response parameter is omitted. false if the error_description response parameter is included in error responses from the authorization server.

public Service setErrorDescriptionOmitted(boolean omitted)
Sets whether to omit the error_description response parameter in error responses.
Parameters:
omitted - true to omit the error_description response parameter. false to embed the parameter.
Returns:
this object.

public boolean isErrorUriOmitted()
Whether the error_uri response parameter is omitted. According to RFC 6749, authorization servers may include the error_uri response parameter in error responses. When this errorUriOmitted property is true, Authlete does not embed the error_uri response parameter in error responses.
Returns:
true if the error_uri response parameter is omitted. false if the error_uri response parameter is included in error responses from the authorization server.

public Service setErrorUriOmitted(boolean omitted)
Sets whether to omit the error_uri response parameter in error responses.
Parameters:
omitted - true to omit the error_uri response parameter. false to embed the parameter.
Returns:
this object.

public boolean isClientIdAliasEnabled()
Returns:
true if the 'Client ID Alias' feature is enabled. false if the feature is disabled.

public Service setClientIdAliasEnabled(boolean enabled)
When a new client is created, Authlete generates a numeric value and assigns it as a client ID to the newly created client. In addition to the client ID, each client can have a client ID alias. The client ID alias is, however, recognized only when this property (clientIdAliasEnabled) is true.
Parameters:
enabled - true to enable the 'Client ID Alias' feature. false to disable it.
Returns:
this object.

public String getAccessTokenSignatureKeyId()
A JWK Set can be registered as a property of a Service. A JWK Set can contain 0 or more JWKs (see RFC 7517 for details about JWK). Authlete Server has to pick up one JWK for signing from the JWK Set when it generates a JWT-based access token (see getAccessTokenSignAlg() for details about JWT-based access tokens). Authlete Server searches the registered JWK Set for a JWK which satisfies the conditions for access token signature. If exactly one JWK candidate satisfies the conditions, there is no problem. If there are multiple candidates, a Key ID must be specified so that Authlete Server can pick up one JWK from among them.
This accessTokenSignatureKeyId property exists for the purpose described above.
Returns:
A key ID of a JWK. This may be null.

public Service setAccessTokenSignatureKeyId(String keyId)
See the description of getAccessTokenSignatureKeyId() for details.
Parameters:
keyId - A key ID of a JWK. This may be null.
Returns:
this object.

public String getAuthorizationSignatureKeyId()
Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) has added new values for the response_mode request parameter: query.jwt, fragment.jwt, form_post.jwt and jwt. If one of them is used, response parameters returned from the authorization endpoint will be packed into a JWT. The JWT is always signed. For the signature of the JWT, Authlete Server has to pick up one JWK from the service's JWK Set.
Authlete Server searches the JWK Set for a JWK which satisfies the conditions for authorization response signature. If exactly one JWK candidate satisfies the conditions, there is no problem. If there are multiple candidates, a Key ID must be specified so that Authlete Server can pick up one JWK from among them. This property exists to specify that key ID.
Returns:
A key ID of a JWK. This may be null.

public Service setAuthorizationSignatureKeyId(String keyId)
See the description of getAuthorizationSignatureKeyId() for details.
Parameters:
keyId - A key ID of a JWK. This may be null.
Returns:
this object.

public String getIdTokenSignatureKeyId()
A JWK Set can be registered as a property of a Service. A JWK Set can contain 0 or more JWKs (see RFC 7517 for details about JWK). Authlete Server has to pick up one JWK for signing from the JWK Set when it generates an ID token and its signature using an asymmetric key. Authlete Server searches the registered JWK Set for a JWK which satisfies the conditions for ID token signature. If exactly one JWK candidate satisfies the conditions, there is no problem. If there are multiple candidates, a Key ID must be specified so that Authlete Server can pick up one JWK from among them.
This idTokenSignatureKeyId property exists for the purpose described above. This mechanism is needed for key rotation (OpenID Connect Core 1.0, 10.1.1. Rotation of Asymmetric Signing Keys).
Returns:
A key ID of a JWK. This may be null.

public Service setIdTokenSignatureKeyId(String keyId)
See the description of getIdTokenSignatureKeyId() for details.
Parameters:
keyId - A key ID of a JWK. This may be null.
Returns:
this object.

public String getUserInfoSignatureKeyId()
A JWK Set can be registered as a property of a Service. A JWK Set can contain 0 or more JWKs (see RFC 7517 for details about JWK). Authlete Server has to pick up one JWK for signing from the JWK Set when it is required to sign user info (which is returned from the UserInfo Endpoint) using an asymmetric key. Authlete Server searches the registered JWK Set for a JWK which satisfies the conditions for user info signature. If exactly one JWK candidate satisfies the conditions, there is no problem. If there are multiple candidates, a Key ID must be specified so that Authlete Server can pick up one JWK from among them.
This userInfoSignatureKeyId property exists for the purpose described above. This mechanism is needed for key rotation (OpenID Connect Core 1.0, 10.1.1. Rotation of Asymmetric Signing Keys).
Returns:
A key ID of a JWK. This may be null.

public Service setUserInfoSignatureKeyId(String keyId)
See the description of getUserInfoSignatureKeyId() for details.
Parameters:
keyId - A key ID of a JWK. This may be null.
Returns:
this object.
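The four key ID properties above exist for the rotation scenario in which the JWK Set holds more than one candidate signing key. The Java below is an added example, not code from this page or from Authlete, that builds such a JWK Set with two freshly generated P-256 keys, registers it with setJwks(), pins all four signatures to the active key, and then moves them to the successor once relying parties have had time to fetch it. The import package names and JWSAlg.ES256 are assumed from authlete-java-common; the key IDs are constructed, and the JWK serialization is hand-written for the example (a production deployment would use a JOSE library).

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECGenParameterSpec;
import java.util.Base64;

import com.authlete.common.dto.Service;   // assumed package (authlete-java-common)
import com.authlete.common.types.JWSAlg;  // assumed package (authlete-java-common)

public final class SigningKeyRotation {

    private SigningKeyRotation() {}

    /** Generate a fresh P-256 key pair, the curve ES256 requires. */
    static KeyPair newP256() throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("EC");
        g.initialize(new ECGenParameterSpec("secp256r1"));
        return g.generateKeyPair();
    }

    /** Encode a field element as a fixed 32-byte big-endian value, base64url without padding (RFC 7518, 6.2). */
    static String b64url(BigInteger v) {
        byte[] raw = v.toByteArray();            // may carry a leading 0x00 sign byte
        byte[] fixed = new byte[32];
        int srcPos = Math.max(0, raw.length - 32);
        int len = raw.length - srcPos;
        System.arraycopy(raw, srcPos, fixed, 32 - len, len);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(fixed);
    }

    /** Serialize one EC JWK; the private part "d" is included because the authorization server signs with it. */
    static String ecSigningJwk(String kid, KeyPair kp) {
        ECPublicKey pub = (ECPublicKey) kp.getPublic();
        ECPrivateKey prv = (ECPrivateKey) kp.getPrivate();
        return "{\"kty\":\"EC\",\"crv\":\"P-256\",\"use\":\"sig\",\"alg\":\"ES256\","
                + "\"kid\":\"" + kid + "\","
                + "\"x\":\"" + b64url(pub.getW().getAffineX()) + "\","
                + "\"y\":\"" + b64url(pub.getW().getAffineY()) + "\","
                + "\"d\":\"" + b64url(prv.getS()) + "\"}";
    }

    /**
     * Register a JWK Set holding the active key and its successor and pin every
     * signature to the active key. With two ES256 candidates in the set, leaving
     * the key IDs null would leave the server no unambiguous choice.
     */
    public static Service installKeys(Service service, String activeKid, String nextKid) throws Exception {
        String jwks = "{\"keys\":[" + ecSigningJwk(activeKid, newP256()) + ","
                + ecSigningJwk(nextKid, newP256()) + "]}";
        return service
                .setJwks(jwks)
                .setAccessTokenSignAlg(JWSAlg.ES256)
                .setAccessTokenSignatureKeyId(activeKid)
                .setAuthorizationSignatureKeyId(activeKid)
                .setIdTokenSignatureKeyId(activeKid)
                .setUserInfoSignatureKeyId(activeKid);
    }

    /**
     * Second step of a rotation: the successor has been published via jwks_uri
     * long enough for relying parties to cache it, so move all four signatures
     * to it. The old key stays in the set so already-issued tokens still verify.
     */
    public static Service activate(Service service, String kid) {
        return service
                .setAccessTokenSignatureKeyId(kid)
                .setAuthorizationSignatureKeyId(kid)
                .setIdTokenSignatureKeyId(kid)
                .setUserInfoSignatureKeyId(kid);
    }

    public static void main(String[] args) throws Exception {
        Service service = installKeys(new Service(), "2024-05-sig", "2024-11-sig"); // constructed key IDs
        activate(service, "2024-11-sig");
        System.out.println("active kid for ID tokens: " + service.getIdTokenSignatureKeyId());
    }
}
```

Removing the retired key from the JWK Set is a third, later step: do it only after every token signed with it has expired, otherwise resource servers fetching the jwks_uri will no longer be able to verify those tokens.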
public ServiceProfile[] getSupportedServiceProfiles()

public Service setSupportedServiceProfiles(ServiceProfile[] profiles)
Parameters:
profiles - Supported service profiles.
Returns:
this object.

public Service setSupportedServiceProfiles(Iterable<ServiceProfile> profiles)
Parameters:
profiles - Supported service profiles.
Returns:
this object.

public boolean supports(ServiceProfile profile)
If null is given, false is returned. If the supported service profiles are not set to this service, false is returned.
Parameters:
profile - A service profile.
Returns:
true if this service supports the service profile.

public boolean supportsAll(ServiceProfile... profiles)
If null is given, true is returned. If an empty array is given, true is returned.
Parameters:
profiles - Service profiles.
Returns:
true if this service supports all the specified service profiles.

public boolean supportsAll(Iterable<ServiceProfile> profiles)
If null is given, true is returned. If an empty collection is given, true is returned.
Parameters:
profiles - Service profiles.
Returns:
true if this service supports all the specified service profiles.

public boolean supportsAny(ServiceProfile... profiles)
If null is given, false is returned. If an empty array is given, false is returned.
Parameters:
profiles - Service profiles.
Returns:
true if this service supports any of the specified service profiles.

public boolean supportsAny(Iterable<ServiceProfile> profiles)
If null is given, false is returned. If an empty collection is given, false is returned.
Parameters:
profiles - Service profiles.
Returns:
true if this service supports any of the specified service profiles.

public boolean isTlsClientCertificateBoundAccessTokens()
Returns:
true if this service supports issuing TLS client certificate bound access tokens.

public Service setTlsClientCertificateBoundAccessTokens(boolean enabled)
Parameters:
enabled - true to enable TLS client certificate bound access tokens.
Returns:
this object.

public URI getIntrospectionEndpoint()

public Service setIntrospectionEndpoint(URI endpoint)
Parameters:
endpoint - The URI of the introspection endpoint.
Returns:
this object.

public ClientAuthMethod[] getSupportedIntrospectionAuthMethods()

public Service setSupportedIntrospectionAuthMethods(ClientAuthMethod[] methods)
Parameters:
methods - Client authentication methods.
Returns:
this object.

public boolean isMutualTlsValidatePkiCertChain()
Returns:
true if this service requires clients using PKI MTLS to present their certificate chain to the API during authentication, false otherwise.

public Service setMutualTlsValidatePkiCertChain(boolean mutualTlsValidatePkiCertChain)
Parameters:
mutualTlsValidatePkiCertChain - true if this service requires clients using PKI MTLS to present their certificate chain to the API during authentication, false otherwise.
Returns:
this object.

public String[] getTrustedRootCertificates()

public Service setTrustedRootCertificates(String[] trustedRootCertificates)
Parameters:
trustedRootCertificates - The list of root certificates trusted by this service in PEM format.
Returns:
this object.
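The mutual-TLS properties above (certificate-bound access tokens, PKI chain validation, trusted roots) are normally set together. The Java below is an added example, not code from this page or from Authlete, that splits a PEM bundle into the one-certificate-per-element array trustedRootCertificates expects, parses each certificate so a corrupted root fails at configuration time rather than at the first client authentication, and applies the mTLS settings. The import package names and the ClientAuthMethod constants PRIVATE_KEY_JWT and TLS_CLIENT_AUTH are assumed from authlete-java-common; the bundle path comes from the command line.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

import com.authlete.common.dto.Service;             // assumed package (authlete-java-common)
import com.authlete.common.types.ClientAuthMethod;  // assumed package (authlete-java-common)

public final class MtlsConfig {

    private MtlsConfig() {}

    private static final String BEGIN = "-----BEGIN CERTIFICATE-----";
    private static final String END = "-----END CERTIFICATE-----";

    /**
     * Split a PEM bundle into one PEM string per certificate and parse each one.
     * A trust anchor is normally self-issued, so anything else is reported: an
     * intermediate silently promoted to a root is a common misconfiguration.
     */
    public static String[] splitAndValidatePemBundle(String bundle) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<String> roots = new ArrayList<>();
        int from = 0;
        while (true) {
            int b = bundle.indexOf(BEGIN, from);
            if (b < 0) {
                break;
            }
            int e = bundle.indexOf(END, b);
            if (e < 0) {
                throw new CertificateException("unterminated certificate in PEM bundle");
            }
            e += END.length();
            String pem = bundle.substring(b, e).trim();
            X509Certificate cert = (X509Certificate) cf.generateCertificate(
                    new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
            if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
                System.err.println("warning: not self-issued, is this really a root? "
                        + cert.getSubjectX500Principal());
            }
            roots.add(pem);
            from = e;
        }
        if (roots.isEmpty()) {
            throw new CertificateException("no certificates found in PEM bundle");
        }
        return roots.toArray(new String[0]);
    }

    /** Certificate-bound access tokens with CA-issued (PKI) client certificates. */
    public static Service configureMtls(Service service, String rootBundlePem) throws CertificateException {
        return service
                .setSupportedTokenAuthMethods(new ClientAuthMethod[] {
                        ClientAuthMethod.PRIVATE_KEY_JWT,
                        ClientAuthMethod.TLS_CLIENT_AUTH })
                .setSupportedIntrospectionAuthMethods(new ClientAuthMethod[] {
                        ClientAuthMethod.TLS_CLIENT_AUTH })
                .setTlsClientCertificateBoundAccessTokens(true)  // issued tokens carry cnf / x5t#S256
                .setMutualTlsValidatePkiCertChain(true)          // clients must present their chain
                .setTrustedRootCertificates(splitAndValidatePemBundle(rootBundlePem));
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path to the PEM bundle of root CAs your clients' certificates chain to.
        String bundle = Files.readString(Path.of(args[0]));
        Service service = configureMtls(new Service(), bundle);
        System.out.println(service.getTrustedRootCertificates().length + " trusted root(s) configured");
    }
}
```

With tlsClientCertificateBoundAccessTokens enabled, a resource server must compare the x5t#S256 thumbprint in the token's cnf claim with the certificate presented on its own TLS connection; the binding is only as strong as that check.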
public DeliveryMode[] getSupportedBackchannelTokenDeliveryModes()
This property corresponds to the backchannel_token_delivery_modes_supported metadata. Backchannel token delivery modes are defined in the specification of CIBA (Client Initiated Backchannel Authentication).

public Service setSupportedBackchannelTokenDeliveryModes(DeliveryMode[] modes)
This property corresponds to the backchannel_token_delivery_modes_supported metadata. Backchannel token delivery modes are defined in the specification of CIBA (Client Initiated Backchannel Authentication).
Parameters:
modes - Supported backchannel token delivery modes.
Returns:
this object.

public URI getBackchannelAuthenticationEndpoint()
The backchannel authentication endpoint is defined in the specification of CIBA (Client Initiated Backchannel Authentication).

public Service setBackchannelAuthenticationEndpoint(URI endpoint)
The backchannel authentication endpoint is defined in the specification of CIBA (Client Initiated Backchannel Authentication).
Parameters:
endpoint - The URI of the backchannel authentication endpoint.
Returns:
this object.

public boolean isBackchannelUserCodeParameterSupported()
Whether the "user_code" request parameter is supported at the backchannel authentication endpoint. This property corresponds to the backchannel_user_code_parameter_supported metadata.
Returns:
true if the "user_code" request parameter is supported at the backchannel authentication endpoint.

public Service setBackchannelUserCodeParameterSupported(boolean supported)
Sets whether the "user_code" request parameter is supported at the backchannel authentication endpoint. This property corresponds to the backchannel_user_code_parameter_supported metadata.
Parameters:
supported - true to indicate that the "user_code" request parameter is supported.
Returns:
this object.

public int getBackchannelAuthReqIdDuration()
The duration of backchannel authentication request IDs in seconds. This value is used as the value of the expires_in property in responses from the backchannel authentication endpoint.

public Service setBackchannelAuthReqIdDuration(int duration)
Sets the duration of backchannel authentication request IDs. This value is used as the value of the expires_in property in responses from the backchannel authentication endpoint.
Parameters:
duration - The duration of backchannel authentication request IDs in seconds.
Returns:
this object.

public int getBackchannelPollingInterval()
The minimum interval between polling requests in seconds. This value is used as the value of the interval property in responses from the backchannel authentication endpoint.

public Service setBackchannelPollingInterval(int interval)
Sets the minimum interval between polling requests. This value is used as the value of the interval property in responses from the backchannel authentication endpoint.
Parameters:
interval - The minimum interval between polling requests in seconds. Must be between 0 and 65,535.
Returns:
this object.

public boolean isBackchannelBindingMessageRequiredInFapi()
Whether the binding_message request parameter is always required whenever a backchannel authentication request is judged as a request for Financial-grade API.
Returns:
true if the binding_message request parameter is required whenever a backchannel authentication request is judged as a request for Financial-grade API.

public Service setBackchannelBindingMessageRequiredInFapi(boolean required)
Sets whether the binding_message request parameter is always required whenever a backchannel authentication request is judged as a request for Financial-grade API.
The FAPI-CIBA profile requires that the authorization server "shall ensure unique authorization context exists in the authorization request or require a binding_message in the authorization request" (FAPI-CIBA, 5.2.2, 2). The simplest way to fulfill this requirement is to set this property to true.
If false is set to this property, the binding_message request parameter remains optional even in FAPI context, but in exchange, your authorization server must implement a custom mechanism that ensures each backchannel authentication request has unique context.
Parameters:
required - true to require the binding_message request parameter whenever a backchannel authentication request is judged as a request for Financial-grade API.
Returns:
this object.

public int getAllowableClockSkew()
The allowable clock skew in seconds. The clock skew is taken into consideration when time-related claims in a JWT (e.g. "exp", "iat", "nbf") are verified.

public Service setAllowableClockSkew(int seconds)
Sets the allowable clock skew. The clock skew is taken into consideration when time-related claims in a JWT (e.g. "exp", "iat", "nbf") are verified.
Parameters:
seconds - Allowable clock skew in seconds. Must be between 0 and 65,535.
Returns:
this object.
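How a clock skew is "taken into consideration" is easiest to see on concrete claim values. The Java below is an added example, not code from this page or from Authlete, that verifies exp, nbf and iat with the tolerance read from getAllowableClockSkew(): a token is accepted if it would be valid at some instant within plus or minus the skew of the verifier's clock, and rejected only when even the most favourable reading of the clock cannot make it valid. The Service import package is assumed from authlete-java-common; the claim values and "current time" are constructed.

```java
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;

import com.authlete.common.dto.Service; // assumed package (authlete-java-common)

public final class TimeClaimCheck {

    private TimeClaimCheck() {}

    /**
     * Check a JWT payload's time claims (seconds since the Unix epoch) against
     * "now", tolerating up to skewSeconds of clock difference in either
     * direction. Returns null when valid, otherwise the reason for rejection.
     */
    public static String verifyTimeClaims(Map<String, Long> claims, long now, int skewSeconds) {
        if (skewSeconds < 0 || skewSeconds > 65535) {
            throw new IllegalArgumentException("allowable clock skew must be between 0 and 65,535 seconds");
        }
        Long exp = claims.get("exp");
        Long nbf = claims.get("nbf");
        Long iat = claims.get("iat");

        if (exp != null && now - skewSeconds >= exp) {
            return "expired";                 // even a clock running skew seconds slow is past exp
        }
        if (nbf != null && now + skewSeconds < nbf) {
            return "not yet valid";           // even a clock running skew seconds fast is before nbf
        }
        if (iat != null && iat > now + skewSeconds) {
            return "issued in the future";    // an iat that skew alone cannot explain
        }
        return null;
    }

    /** Same check, with the tolerance taken from the service configuration. */
    public static String verifyTimeClaims(Service service, Map<String, Long> claims) {
        return verifyTimeClaims(claims, Instant.now().getEpochSecond(), service.getAllowableClockSkew());
    }

    public static void main(String[] args) {
        Service service = new Service().setAllowableClockSkew(30);
        long now = 1_700_000_000L;            // constructed "current time"

        Map<String, Long> claims = new HashMap<>();
        claims.put("iat", now + 10);          // issuer's clock 10 s ahead of ours: within tolerance
        claims.put("nbf", now + 10);
        claims.put("exp", now + 610);
        System.out.println(verifyTimeClaims(claims, now, service.getAllowableClockSkew())); // null

        claims.put("exp", now - 45);          // 45 s past exp, beyond the 30 s tolerance
        System.out.println(verifyTimeClaims(claims, now, service.getAllowableClockSkew())); // expired
    }
}
```

Keep the skew small (tens of seconds) and fix the clocks instead of widening it: every second of tolerance extends the usable life of an already-expired token by the same amount.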
public boolean isDynamicRegistrationSupported()
Returns:
true if enabled.

public Service setDynamicRegistrationSupported(boolean enabled)
Parameters:
enabled - true to enable dynamic client registration.
Returns:
this object.

public URI getDeviceAuthorizationEndpoint()
The device authorization endpoint is defined in the specification of OAuth 2.0 Device Authorization Grant.

public Service setDeviceAuthorizationEndpoint(URI endpoint)
The device authorization endpoint is defined in the specification of OAuth 2.0 Device Authorization Grant.
Parameters:
endpoint - The URI of the device authorization endpoint.
Returns:
this object.

public URI getDeviceVerificationUri()
The verification URI. This value is used as the value of the verification_uri parameter in responses from the device authorization endpoint.

public Service setDeviceVerificationUri(URI uri)
Sets the verification URI. This value is used as the value of the verification_uri parameter in responses from the device authorization endpoint.
Parameters:
uri - The verification URI.
Returns:
this object.

public URI getDeviceVerificationUriComplete()
The verification URI with a placeholder for a user code. This value is used to build the value of the verification_uri_complete parameter in responses from the device authorization endpoint.

public Service setDeviceVerificationUriComplete(URI uri)
Sets the verification URI with a placeholder for a user code. This value is used to build the value of the verification_uri_complete parameter in responses from the device authorization endpoint.
It is expected that the URI contains the fixed string USER_CODE somewhere as a placeholder for a user code, for example:
https://example.com/device?user_code=USER_CODE
The fixed string is replaced with an actual user code when Authlete builds a verification URI with a user code for the verification_uri_complete parameter.
If this URI is not set, the verification_uri_complete parameter won't appear in device authorization responses.
Parameters:
uri - The verification URI with a placeholder for a user code.
Returns:
this object.

public int getDeviceFlowCodeDuration()
The duration of device verification codes and end-user verification codes in seconds. This value is used as the value of the expires_in property in responses from the device authorization endpoint.

public Service setDeviceFlowCodeDuration(int duration)
Sets the duration of device verification codes and end-user verification codes. This value is used as the value of the expires_in property in responses from the device authorization endpoint.
Parameters:
duration - The duration of device verification codes and end-user verification codes in seconds.
Returns:
this object.

public int getDeviceFlowPollingInterval()
The minimum interval between polling requests in seconds in device flow. This value is used as the value of the interval property in responses from the device authorization endpoint.

public Service setDeviceFlowPollingInterval(int interval)
Sets the minimum interval between polling requests in device flow. This value is used as the value of the interval property in responses from the device authorization endpoint.
Parameters:
interval - The minimum interval between polling requests in seconds in device flow. Must be between 0 and 65,535.
Returns:
this object.

public UserCodeCharset getUserCodeCharset()
The character set for end-user verification codes (user_code) for Device Flow.
Returns:
The character set for end-user verification codes (user_code) for Device Flow.

public Service setUserCodeCharset(UserCodeCharset charset)
Sets the character set for end-user verification codes (user_code) for Device Flow.
Parameters:
charset - The character set for end-user verification codes (user_code) for Device Flow.
Returns:
this object.

public int getUserCodeLength()
The length of end-user verification codes (user_code) for Device Flow.
Returns:
The length of end-user verification codes (user_code) for Device Flow.

public Service setUserCodeLength(int length)
Sets the length of end-user verification codes (user_code) for Device Flow.
Parameters:
length - The length of end-user verification codes (user_code) for Device Flow. The value must not be negative and must not be larger than 255.
Returns:
this object.
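The device-flow properties above fit together as one configuration: the charset and length determine how much a user code can be guessed within the code's lifetime and polling interval, and the USER_CODE placeholder determines what verification_uri_complete looks like. The Java below is an added example, not code from this page or from Authlete, that configures those properties, reports the entropy the chosen charset and length give, generates a code with a CSPRNG, and substitutes it into the complete URI the way the setter description says Authlete does. The import package names and the UserCodeCharset constants BASE20 and NUMERIC are assumed from authlete-java-common, the BASE20 alphabet is taken from RFC 8628 section 6.1 (which characters Authlete's BASE20 actually uses is an assumption), and the URIs are constructed.

```java
import java.net.URI;
import java.security.SecureRandom;

import com.authlete.common.dto.Service;            // assumed package (authlete-java-common)
import com.authlete.common.types.UserCodeCharset;  // assumed package (authlete-java-common)

public final class DeviceFlowUserCodes {

    private DeviceFlowUserCodes() {}

    // Alphabets modelled on RFC 8628, 6.1; the exact BASE20 set Authlete uses is an assumption.
    private static final String BASE20_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ";
    private static final String NUMERIC_ALPHABET = "0123456789";
    private static final SecureRandom RNG = new SecureRandom();

    private static String alphabetFor(UserCodeCharset charset) {
        switch (charset) {
            case BASE20:
                return BASE20_ALPHABET;
            case NUMERIC:
                return NUMERIC_ALPHABET;
            default:
                throw new IllegalArgumentException("unsupported user code charset: " + charset);
        }
    }

    /** Bits of entropy a code has under the service's charset and length, for choosing a safe length. */
    public static double userCodeEntropyBits(Service service) {
        int alphabetSize = alphabetFor(service.getUserCodeCharset()).length();
        return service.getUserCodeLength() * (Math.log(alphabetSize) / Math.log(2));
    }

    /** Generate a user code of the configured charset and length from a CSPRNG. */
    public static String generateUserCode(Service service) {
        int length = service.getUserCodeLength();
        if (length <= 0 || length > 255) {
            throw new IllegalStateException("userCodeLength must be between 1 and 255 to generate a code");
        }
        String alphabet = alphabetFor(service.getUserCodeCharset());
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(alphabet.charAt(RNG.nextInt(alphabet.length())));
        }
        return sb.toString();
    }

    /**
     * Build verification_uri_complete as the setter documentation describes:
     * replace the fixed USER_CODE placeholder with the user code. Returns null
     * when no complete URI is configured, mirroring the parameter being omitted.
     */
    public static URI verificationUriComplete(Service service, String userCode) {
        URI template = service.getDeviceVerificationUriComplete();
        if (template == null) {
            return null;
        }
        String s = template.toString();
        if (!s.contains("USER_CODE")) {
            throw new IllegalStateException("deviceVerificationUriComplete lacks the USER_CODE placeholder");
        }
        return URI.create(s.replace("USER_CODE", userCode));
    }

    public static void main(String[] args) {
        Service service = new Service()
                .setDeviceVerificationUri(URI.create("https://example.com/device"))
                .setDeviceVerificationUriComplete(URI.create("https://example.com/device?user_code=USER_CODE"))
                .setUserCodeCharset(UserCodeCharset.BASE20)
                .setUserCodeLength(8)             // 8 BASE20 characters: about 34.6 bits
                .setDeviceFlowCodeDuration(600)   // codes live 10 minutes
                .setDeviceFlowPollingInterval(5);

        String code = generateUserCode(service);
        System.out.printf("user_code=%s (%.1f bits of entropy)%n", code, userCodeEntropyBits(service));
        System.out.println(verificationUriComplete(service, code));
    }
}
```

RFC 8628 also expects the verification endpoint to rate-limit user-code submissions; the entropy figure only tells you how many guesses an attacker would need, not how fast they may make them.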
object.public URI getPushedAuthReqEndpoint()
This property corresponds to the pushed_authorization_request_endpoint
metadata defined in "5. Authorization Server Metadata" of OAuth 2.0 Pushed Authorization Requests.
public Service setPushedAuthReqEndpoint(URI endpoint)
This property corresponds to the pushed_authorization_request_endpoint
metadata defined in "5. Authorization Server Metadata" of OAuth 2.0 Pushed Authorization Requests.
endpoint
- The URI of the pushed authorization request endpoint.this
object.public NamedUri[] getMtlsEndpointAliases()
This property corresponds to the mtls_endpoint_aliases
metadata
defined in "5. Metadata for Mutual TLS Endpoint Aliases" of OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access
Tokens.
public Service setMtlsEndpointAliases(NamedUri[] aliases)
This property corresponds to the mtls_endpoint_aliases
metadata
defined in "5. Metadata for Mutual TLS Endpoint Aliases" of OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access
Tokens.
The aliases will be embedded in the response from the discovery endpoint like the following.
{ ......, "mtls_endpoint_aliases": { "token_endpoint": "https://mtls.example.com/token", "revocation_endpoint": "https://mtls.example.com/revo", "introspection_endpoint": "https://mtls.example.com/introspect" } }
aliases
- MTLS endpoint aliases.this
public String[] getSupportedAuthorizationDataTypes()
Get the supported data types that can be used as values of the "type" field in "authorization_details".
This property corresponds to the "authorization_data_types_supported" metadata.
See "OAuth 2.0 Rich Authorization Requests" (RAR) for details. Note that this is the metadata name used by the RAR drafts current when this page was written; the final specification, RFC 9396, renamed it "authorization_details_types_supported".
Returns:
Supported data types.

public Service setSupportedAuthorizationDataTypes(String[] types)
Set the supported data types that can be used as values of the "type" field in "authorization_details".
This property corresponds to the "authorization_data_types_supported" metadata.
See "OAuth 2.0 Rich Authorization Requests" (RAR) for details.
Parameters:
types - Supported data types.
Returns:
this object.

public String[] getSupportedTrustFrameworks()
Get the trust frameworks supported by this service.
This property corresponds to the trust_frameworks_supported metadata defined in OpenID Connect for Identity Assurance 1.0, as do the evidence_supported, id_documents_supported, id_documents_verification_methods_supported and claims_in_verified_claims_supported metadata below.
Returns:
Trust frameworks supported by this service.

public Service setSupportedTrustFrameworks(String[] frameworks)
Set the trust frameworks supported by this service.
This property corresponds to the trust_frameworks_supported metadata.
Parameters:
frameworks - Trust frameworks supported by this service.
Returns:
this object.

public String[] getSupportedEvidence()
Get the evidence supported by this service.
This property corresponds to the evidence_supported metadata.
Returns:
Evidence supported by this service.

public Service setSupportedEvidence(String[] evidence)
Set the evidence supported by this service.
This property corresponds to the evidence_supported metadata.
Parameters:
evidence - Evidence supported by this service.
Returns:
this object.

public String[] getSupportedIdentityDocuments()
Get the identity documents supported by this service.
This property corresponds to the id_documents_supported metadata.
Returns:
Identity documents supported by this service.

public Service setSupportedIdentityDocuments(String[] documents)
Set the identity documents supported by this service.
This property corresponds to the id_documents_supported metadata.
Parameters:
documents - Identity documents supported by this service.
Returns:
this object.

public String[] getSupportedVerificationMethods()
Get the verification methods supported by this service.
This property corresponds to the id_documents_verification_methods_supported metadata.
Returns:
Verification methods supported by this service.

public Service setSupportedVerificationMethods(String[] methods)
Set the verification methods supported by this service.
This property corresponds to the id_documents_verification_methods_supported metadata.
Parameters:
methods - Verification methods supported by this service.
Returns:
this object.

public String[] getSupportedVerifiedClaims()
Get the verified claims supported by this service.
This property corresponds to the claims_in_verified_claims_supported metadata.
Returns:
Verified claims supported by this service.

public Service setSupportedVerifiedClaims(String[] claims)
Set the verified claims supported by this service.
This property corresponds to the claims_in_verified_claims_supported metadata.
Parameters:
claims - Verified claims supported by this service.
Returns:
this object.

public boolean isMissingClientIdAllowed()
Get the flag indicating whether token requests from public clients without the client_id request parameter are allowed when the client can be guessed from authorization_code or refresh_token.
This flag should not be set unless you have special reasons. RFC 6749 Section 4.1.3 requires the client_id parameter in a token request from a client that does not authenticate itself, which is why this behaviour is off by default.
Returns:
true if token requests from public clients without the client_id request parameter are allowed in the authorization code flow and the refresh token flow.

public Service setMissingClientIdAllowed(boolean allowed)
Set the flag indicating whether token requests from public clients without the client_id request parameter are allowed when the client can be guessed from authorization_code or refresh_token.
Don't set this flag unless you have special reasons.
Parameters:
allowed - true to allow token requests from public clients without the client_id request parameter in the authorization code flow and the refresh token flow.
Returns:
this object.

public URI getEndSessionEndpoint()
Get the end session endpoint. This property corresponds to the end_session_endpoint metadata defined in OpenID Connect RP-Initiated Logout 1.0.
Returns:
The end session endpoint, or null if not set.

public Service setEndSessionEndpoint(URI endSessionEndpoint)
Set the end session endpoint.
Parameters:
endSessionEndpoint - The end session endpoint, or null if not set.
Returns:
this object.

public boolean isParRequired()
Get the flag indicating whether clients of this service are required to use the pushed authorization request endpoint.
This property corresponds to the require_pushed_authorization_requests server metadata defined in "OAuth 2.0 Pushed Authorization Requests".
Returns:
true if clients of this service are required to use PAR.

public Service setParRequired(boolean required)
Set the flag indicating whether clients of this service are required to use the pushed authorization request endpoint.
This property corresponds to the require_pushed_authorization_requests server metadata defined in "OAuth 2.0 Pushed Authorization Requests".
Parameters:
required - true to indicate that this service requires that clients use the pushed authorization request endpoint.
Returns:
this object.

public boolean isRequestObjectRequired()
Get the flag indicating whether this service requires that authorization requests always utilize a request object by using either the request or request_uri request parameter.
If this flag is true and isTraditionalRequestObjectProcessingApplied() returns false, the value of the require_signed_request_object server metadata of this service is reported as true in the discovery document. The metadata is defined in JAR (JWT Secured Authorization Request). That require_signed_request_object is true means that authorization requests which don't conform to the JAR specification are rejected.
Returns:
true if this service requires that authorization requests always utilize a request object.

public Service setRequestObjectRequired(boolean required)
Set the flag indicating whether this service requires that authorization requests always utilize a request object by using either the request or request_uri request parameter.
See the description of isRequestObjectRequired() for details.
Parameters:
required - true to require that authorization requests always utilize a request object.
Returns:
this object.

public boolean isTraditionalRequestObjectProcessingApplied()
Get the flag indicating whether a request object is processed based on the rules defined in OpenID Connect Core 1.0 or on the rules defined in JAR (JWT Secured Authorization Request).
Among the differences between the rules in OpenID Connect Core 1.0 and those in JAR are the following.
- OpenID Connect Core 1.0 requires that the response_type request parameter exist outside a request object even if the request object includes the request parameter.
- OpenID Connect Core 1.0 requires that the scope request parameter exist outside a request object if the authorization request is an OIDC request, even if the request object includes the request parameter.
If this flag is false and isRequestObjectRequired() returns true, the value of the require_signed_request_object server metadata of this service is reported as true in the discovery document. The metadata is defined in JAR (JWT Secured Authorization Request). That require_signed_request_object is true means that authorization requests which don't conform to the JAR specification are rejected.
Returns:
true if the rules defined in OpenID Connect Core 1.0 are applied on processing a request object. false if the rules defined in JAR (JWT Secured Authorization Request) are applied.

public Service setTraditionalRequestObjectProcessingApplied(boolean applied)
Set the flag indicating whether a request object is processed based on the rules defined in OpenID Connect Core 1.0 or on the rules defined in JAR.
See the description of isTraditionalRequestObjectProcessingApplied() for details.
Parameters:
applied - true to apply the rules defined in OpenID Connect Core 1.0 on processing a request object. false to apply the rules defined in JAR instead.
Returns:
this object.
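An added Python model of the two flags above (isRequestObjectRequired() and isTraditionalRequestObjectProcessingApplied()); it is an illustration written for this page, not Authlete's implementation. It shows which parameters an authorization server ends up using under each rule set and what it reports as require_signed_request_object. The OpenID Connect Core 1.0 branch encodes the two differences listed above plus Core's rule that values inside the request object supersede the outer ones; the JAR branch encodes RFC 9101 section 5, which is not quoted above: client_id is sent as a query parameter to identify the client, and every other outer parameter is ignored in favour of the request object. The request object is passed in as an already-verified payload dict, so signature verification is out of scope here, and the names RequestObjectPolicy, effective_parameters and rejects, together with the sample requests, are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RequestObjectPolicy:
    """The two Service flags discussed above."""
    request_object_required: bool    # isRequestObjectRequired()
    traditional_processing: bool     # isTraditionalRequestObjectProcessingApplied()


class AuthorizationRequestError(ValueError):
    pass


def require_signed_request_object(policy: RequestObjectPolicy) -> bool:
    """Value reported as require_signed_request_object in the discovery document."""
    return policy.request_object_required and not policy.traditional_processing


def _scopes(value: Optional[str]) -> set:
    return set((value or "").split())


def effective_parameters(query: dict, request_object: Optional[dict],
                         policy: RequestObjectPolicy) -> dict:
    """Merge the query-string parameters with the request object payload.

    query:          parameters sent in the authorization request URL
    request_object: decoded payload of the JWT passed via request/request_uri,
                    or None when no request object was used (signature already
                    verified by the caller)
    """
    if request_object is None:
        if policy.request_object_required:
            raise AuthorizationRequestError("request or request_uri is required by this service")
        return dict(query)

    if policy.traditional_processing:
        # OpenID Connect Core 1.0, section 6.1: response_type and client_id must
        # also be present outside the request object and must agree with it; an
        # OpenID request must additionally carry scope=openid outside.
        for name in ("response_type", "client_id"):
            if name not in query:
                raise AuthorizationRequestError(f"{name} must be present outside the request object")
            if name in request_object and request_object[name] != query[name]:
                raise AuthorizationRequestError(f"{name} differs between query and request object")
        inner_scopes = _scopes(request_object.get("scope", query.get("scope")))
        if "openid" in inner_scopes and "openid" not in _scopes(query.get("scope")):
            raise AuthorizationRequestError("OpenID request: scope containing openid must be present outside")
        # Values inside the request object supersede the outer ones.
        return {**query, **request_object}

    # JAR (RFC 9101, section 5): client_id is taken from the query string to
    # identify the client; all other parameters come from the request object
    # only, and anything else in the query string is ignored.
    if "client_id" not in query:
        raise AuthorizationRequestError("client_id query parameter is required")
    if request_object.get("client_id", query["client_id"]) != query["client_id"]:
        raise AuthorizationRequestError("client_id differs between query and request object")
    return {"client_id": query["client_id"], **request_object}


def rejects(query: dict, request_object: Optional[dict], policy: RequestObjectPolicy) -> bool:
    """True if the request would be rejected under the policy (handy for tests and demos)."""
    try:
        effective_parameters(query, request_object, policy)
    except AuthorizationRequestError:
        return True
    return False


if __name__ == "__main__":
    jar = RequestObjectPolicy(request_object_required=True, traditional_processing=False)
    ro = {"client_id": "c1", "response_type": "code", "scope": "openid profile", "nonce": "n"}
    # Outer response_type=token is ignored under JAR; the request object wins.
    print(effective_parameters({"client_id": "c1", "response_type": "token"}, ro, jar))
```

The practical difference is visible in the last call: under JAR an attacker who can tamper with the query string gains nothing, because only client_id is read from it; under the Core rules the outer and inner values are both consulted and must agree, so a mismatch is an error rather than an override.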
public boolean isClaimShortcutRestrictive()
Get the flag indicating whether claims specified by shortcut scopes (e.g. profile) are included in the issued ID token only when no access token is issued.
To strictly conform to the description below excerpted from OpenID Connect Core 1.0 Section 5.4, this flag has to be true.
"The Claims requested by the profile, address, and phone scope values are returned from the UserInfo Endpoint, as described in Section 5.3.2, when a response_type value is used that results in an Access Token being issued. However, when no Access Token is issued (which is the case for the response_type value id_token), the resulting Claims are returned in the ID Token."
When this flag is false, the claims are copied into the ID token even though the client could fetch them from the UserInfo endpoint with the access token; since ID tokens tend to be handled by front-end code and to end up in logs, the restrictive setting also limits where that personal data travels.
Returns:
true if claims specified by shortcut scopes are included in the issued ID token only when no access token is issued. false if the claims are included in the issued ID token regardless of whether an access token is issued or not.

public Service setClaimShortcutRestrictive(boolean restrictive)
Set the flag indicating whether claims specified by shortcut scopes (e.g. profile) are included in the issued ID token only when no access token is issued.
To strictly conform to the description below excerpted from OpenID Connect Core 1.0 Section 5.4, this flag has to be true.
"The Claims requested by the profile, address, and phone scope values are returned from the UserInfo Endpoint, as described in Section 5.3.2, when a response_type value is used that results in an Access Token being issued. However, when no Access Token is issued (which is the case for the response_type value id_token), the resulting Claims are returned in the ID Token."
Parameters:
restrictive - true to include claims specified by shortcut scopes in the issued ID token only when no access token is issued. false to include the claims in the issued ID token regardless of whether an access token is issued or not.
Returns:
this object.

public boolean isScopeRequired()
Get the flag indicating whether requests that request no scope are rejected.
When a request has no explicit scope parameter and the service's pre-defined default scope set is empty, the authorization server regards the request as requesting no scope. When this flag is true, requests that request no scope are rejected.
The requirement below, excerpted from RFC 6749 Section 3.3, does not explicitly mention the case where the default scope set is empty.
"If the client omits the scope parameter when requesting authorization, the authorization server MUST either process the request using a pre-defined default value or fail the request indicating an invalid scope."
However, if you interpret "the default scope set exists but is empty" as "the default scope set does not exist" and want to strictly conform to the requirement above, this flag has to be true.
Returns:
true if the authorization server rejects requests that request no scope. false if the authorization server admits requests that request no scope.

public Service setScopeRequired(boolean required)
Set the flag indicating whether requests that request no scope are rejected.
When a request has no explicit scope parameter and the service's pre-defined default scope set is empty, the authorization server regards the request as requesting no scope. When this flag is true, requests that request no scope are rejected.
The requirement below, excerpted from RFC 6749 Section 3.3, does not explicitly mention the case where the default scope set is empty.
"If the client omits the scope parameter when requesting authorization, the authorization server MUST either process the request using a pre-defined default value or fail the request indicating an invalid scope."
However, if you interpret "the default scope set exists but is empty" as "the default scope set does not exist" and want to strictly conform to the requirement above, this flag has to be true.
Parameters:
required - true to reject requests that request no scope. false to admit requests that request no scope.
Returns:
this object.

public boolean isNbfOptional()
Get the flag indicating whether the nbf claim in the request object is optional even when the authorization request is regarded as a FAPI-Part2 request.
The final version of Financial-grade API was approved in January 2021. Part 2 of the final version has new requirements on the lifetime of request objects. They require that request objects contain an nbf claim and that the lifetime computed by exp - nbf be no longer than 60 minutes.
Therefore, when an authorization request is regarded as a FAPI-Part2 request, the request object used in the authorization request must contain an nbf claim. Otherwise, the authorization server rejects the authorization request.
When this flag is true, the nbf claim is treated as an optional claim even when the authorization request is regarded as a FAPI-Part2 request. That is, the authorization server does not perform the validation on the lifetime of the request object.
Skipping the validation is a violation of the FAPI specification. The reason why this flag has been prepared nevertheless is that the new requirements (which do not exist in Implementer's Draft 2, released in October 2018) have big impacts on deployed implementations of client applications, and Authlete thinks there should be a mechanism whereby the migration from ID2 to Final can be made smooth without breaking live systems.
Returns:
true if the nbf claim is treated as an optional claim even when the authorization request is regarded as a FAPI-Part2 request.

public Service setNbfOptional(boolean optional)
Set the flag indicating whether the nbf claim in the request object is optional even when the authorization request is regarded as a FAPI-Part2 request.
See the description of isNbfOptional() for details about this flag.
Parameters:
optional - true to treat the nbf claim as an optional claim.
Returns:
this object.
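The lifetime validation that isNbfOptional() switches off, written out as an added Python example; this is an illustration for the page, not Authlete's code. check_lifetime applies the rule stated above (nbf required for a FAPI-Part2 request, exp - nbf at most 60 minutes) together with the ordinary checks that the token has not expired and that nbf is not in the future, with no clock-skew leeway so the boundaries are easy to read. payload_of only base64url-decodes a compact JWS after the caller has verified its signature, and make_unsigned_jwt builds an alg=none token purely so the demo has something to decode; a real request object is signed. All names and the sample claims are constructed.

```python
import base64
import json
from dataclasses import dataclass

MAX_LIFETIME_SECONDS = 60 * 60   # FAPI 1.0 Part 2 (final): exp - nbf must not exceed 60 minutes


@dataclass(frozen=True)
class LifetimeCheck:
    accepted: bool
    reason: str


def payload_of(jws: str) -> dict:
    """Decode the payload of a compact JWS whose signature the caller has ALREADY verified.

    No verification happens here; treating an unverified payload as trusted is the
    classic request-object mistake, so keep this behind the signature check.
    """
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    body = parts[1] + "=" * (-len(parts[1]) % 4)   # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(body))


def check_lifetime(claims: dict, now: int, fapi_part2: bool = True,
                   nbf_optional: bool = False) -> LifetimeCheck:
    """Apply the request-object lifetime rule described above.

    fapi_part2:   the authorization request is regarded as a FAPI-Part2 request
    nbf_optional: the isNbfOptional() flag; when True a missing nbf is tolerated and
                  the lifetime rule is skipped (the ID2-migration concession above)
    """
    exp = claims.get("exp")
    nbf = claims.get("nbf")
    if not isinstance(exp, int):
        return LifetimeCheck(False, "exp claim missing or not an integer")
    if now >= exp:
        return LifetimeCheck(False, "request object has expired")
    if not fapi_part2:
        return LifetimeCheck(True, "not a FAPI-Part2 request; no lifetime rule applied")
    if nbf is None:
        if nbf_optional:
            return LifetimeCheck(True, "nbf missing; accepted because nbf is optional (violates FAPI final)")
        return LifetimeCheck(False, "nbf claim is required for FAPI-Part2 requests")
    if not isinstance(nbf, int):
        return LifetimeCheck(False, "nbf claim is not an integer")
    if nbf > now:
        return LifetimeCheck(False, "request object is not yet valid (nbf in the future)")
    if exp - nbf > MAX_LIFETIME_SECONDS:
        return LifetimeCheck(False, f"lifetime exp - nbf = {exp - nbf}s exceeds 60 minutes")
    return LifetimeCheck(True, "ok")


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed alg=none token for the demo only; never accept such a token as a request object."""
    def b64(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{b64({'alg': 'none'})}.{b64(claims)}."


if __name__ == "__main__":
    now = 1_700_000_000
    token = make_unsigned_jwt({"iss": "client-1", "nbf": now - 30, "exp": now + 3600})
    print(check_lifetime(payload_of(token), now))                       # lifetime 3630 s: rejected
    print(check_lifetime(payload_of(token), now, nbf_optional=False))   # same, flag off
    print(check_lifetime({"exp": now + 600}, now, nbf_optional=True))   # no nbf: accepted only with the flag
```

Note the boundary in the first call: a token whose nbf is a few seconds before issuance and whose exp is a full hour after it already exceeds 60 minutes, so clients that set exp = now + 3600 without also setting nbf = now will be rejected by a conforming FAPI-Part2 server.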
public boolean isIssSuppressed()
Get the flag indicating whether generation of the iss response parameter is suppressed.
"OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response" (RFC 9207) has defined a new authorization response parameter, iss, as a countermeasure against a certain type of mix-up attack. The specification requires that the iss response parameter always be included in authorization responses unless JARM (JWT Secured Authorization Response Mode) is used.
When this flag is true, the authorization server does not include the iss response parameter in authorization responses. By turning this flag on and off, developers of client applications can experiment with the mix-up attack and the effect of the iss response parameter.
Note that this flag should not be true in a production environment unless there are special reasons for it.
Returns:
true if the authorization server does not include the iss response parameter in authorization responses.

public Service setIssSuppressed(boolean suppressed)
Set the flag indicating whether generation of the iss response parameter is suppressed.
See the description of isIssSuppressed() for details about this flag.
Parameters:
suppressed - true to make the authorization server suppress the iss response parameter.
Returns:
this object.
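The client-side half of the countermeasure, as an added Python example (written for this page, not Authlete's code): a client remembers, per state, which authorization server it sent the user to, and on the redirect back compares the iss response parameter with that issuer. The scenario, the issuer names and the function names (validate_authorization_response, token_endpoint_for, rejects) are constructed. The example also models RFC 9207 section 2.4, which is not quoted above: a client that learned from discovery that an AS supports the parameter (authorization_response_iss_parameter_supported) must treat a response without iss as an error. JARM responses are outside this example, since there the issuer is the iss claim of the response JWT.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class PendingAuthorization:
    """What the client stores, keyed by state, when it starts an authorization request."""
    issuer: str           # issuer identifier of the AS the user was sent to
    token_endpoint: str   # where the client will redeem the code afterwards
    iss_supported: bool   # authorization_response_iss_parameter_supported from that AS's discovery document


class MixUpDetected(ValueError):
    pass


def validate_authorization_response(redirect_url: str, pending: dict) -> dict:
    """Check a query-encoded authorization response against the pending transaction."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).query).items()}
    state = params.get("state")
    if state is None or state not in pending:
        raise MixUpDetected("unknown or missing state")
    expected = pending[state]

    iss = params.get("iss")
    if iss is None:
        if expected.iss_supported:
            # The AS advertised iss support, so a response without it is either a
            # mix-up or an AS with isIssSuppressed() turned on: reject either way.
            raise MixUpDetected("iss response parameter missing")
        return params   # legacy AS: no issuer binding is possible for this response
    if iss != expected.issuer:
        raise MixUpDetected(f"response issued by {iss}, expected {expected.issuer}")
    return params


def token_endpoint_for(state: str, pending: dict) -> str:
    """The token endpoint the client would send the code to for this transaction."""
    return pending[state].token_endpoint


def rejects(redirect_url: str, pending: dict) -> bool:
    try:
        validate_authorization_response(redirect_url, pending)
    except MixUpDetected:
        return True
    return False


# Constructed scenario: the client is registered at an honest AS and at one run by
# an attacker. The user started a flow the client attributes to the attacker's AS
# (state "s-attacker"); the attacker forwarded the user to the honest AS instead,
# so the honest AS's code now arrives at the client's redirect URI. The attacker's
# AS deliberately advertises no iss support.
PENDING = {
    "s-honest": PendingAuthorization("https://honest-as.example",
                                     "https://honest-as.example/token", True),
    "s-attacker": PendingAuthorization("https://attacker-as.example",
                                       "https://attacker-as.example/token", False),
}
CALLBACK = "https://client.example/cb"

if __name__ == "__main__":
    mixed_up = f"{CALLBACK}?code=c0de&state=s-attacker&iss=https://honest-as.example"
    print("iss present, mix-up detected:", rejects(mixed_up, PENDING))
    suppressed = f"{CALLBACK}?code=c0de&state=s-attacker"
    print("iss suppressed, code would go to:", token_endpoint_for("s-attacker", PENDING)
          if not rejects(suppressed, PENDING) else "rejected")
```

The last two lines are the point of the flag: with iss present the honest AS's response is caught because it names an issuer other than the one the client expected, and the code never reaches the attacker's token endpoint. With iss suppressed and the client's expected AS claiming not to support the parameter, the check has nothing to work with, the response is accepted, and the client redeems the honest AS's code at https://attacker-as.example/token.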
public Pair[] getAttributes()
Get the attributes of this service.
The feature of "service attributes" is available since Authlete 2.2.
Returns:
Attributes.

public Service setAttributes(Pair[] attributes)
Set the attributes of this service.
The feature of "service attributes" is available since Authlete 2.2.
Parameters:
attributes - Attributes.
Returns:
this object.

Copyright © 2021. All rights reserved.