Package com.authlete.common.dto

Class AuthorizationIssueRequest

  • All Implemented Interfaces:
    Serializable
    public class AuthorizationIssueRequest
extends Object
implements Serializable
    Request to Authlete's /auth/authorization/issue API.
    ticket (REQUIRED)

    The ticket issued by Authlete's /auth/authorization API to the service implementation. It is the value of "ticket" contained in the response from Authlete's /auth/authorization API (AuthorizationResponse).

    subject (CONDITIONALLY REQUIRED)

    The subject (= a user account managed by the service) who has granted authorization to the client application. This parameter is required unless the authorization request has come with response_type=none (which means the client application did not request any token to be returned). See "4. None Response Type" in OAuth 2.0 Multiple Response Type Encoding Practices for details about response_type=none.

    authTime (OPTIONAL)

    The time when the authentication of the end-user occurred.

    acr (OPTIONAL)

    The Authentication Context Class Reference performed for the end-user authentication.

    claims (OPTIONAL)

    The claims of the end-user (= pieces of information about the end-user) in JSON format. See OpenID Connect Core 1.0, 5.1. Standard Claims for details about the format.

    idtHeaderParams (OPTIONAL)

    JSON that represents additional JWS header parameters for ID tokens that may be issued based on the authorization request.

    properties (OPTIONAL)

    Extra properties to associate with an access token and/or an authorization code that may be issued by this request. Note that properties parameter is accepted only when Content-Type of the request is application/json, so don't use application/x-www-form-urlencoded if you want to specify properties parameter.

    scopes (OPTIONAL)

    Scopes to associate with an access token and/or an authorization code. If this field is null, the scopes specified in the original authorization request from the client application are used. In other cases, including the case of an empty array, the specified scopes will replace the original scopes contained in the original authorization request.

    Even scopes that are not included in the original authorization request can be specified. However, as an exception, "openid" scope is ignored on the server side if it is not included in the original request. It is because the existence of "openid" scope considerably changes the validation steps and because adding "openid" triggers generation of an ID token (although the client application has not requested it) and the behavior is a major violation against the specification.

    If you add "offline_access" scope although it is not included in the original request, keep in mind that the specification requires explicit consent from the user for the scope (OpenID Connect Core 1.0, 11. Offline Access). When "offline_access" is included in the original request, the current implementation of Authlete's /auth/authorization API checks whether the request has come along with prompt request parameter and the value includes "consent". However, note that the implementation of Authlete's /auth/authorization/issue API does not perform such checking if "offline_access" scope is added via this scopes parameter.

    sub (OPTIONAL)

    The value of the sub claim. If the value of this request parameter is not empty, it is used as the value of the sub claim. Otherwise, the value of the subject request parameter is used as the value of the sub claim. The main purpose of this parameter is to hide the actual value of the subject from client applications.

    Note that even if this sub parameter is not empty, the value of the subject request parameter is used as the value of the subject which is associated with the access token.

    authorizationDetails (OPTIONAL)

    The value of the authorization_details to associate with the token. If this value is null, the authorization details on the original request are used. If this value is set, its contents completely override the authorization details set in the original request.

    consentedClaims (OPTIONAL; Authlete 2.3 onwards)

    Claims that the user has consented for the client application to know. If this value is null or empty, Authlete computes the value from the consented scopes (e.g. profile) and the claims included in the JSON of the claims request parameter. See the description of setConsentedClaims(String[]) for details.

    claimsForTx (OPTIONAL; Authlete 2.3 onwards)

    Claim data that are referenced when Authlete computes values of transformed claims. See the description of setClaimsForTx(String) for details.

    verifiedClaimsForTx (OPTIONAL; Authlete 2.3 onwards)

    Verified claim data that are referenced when Authlete computes values of transformed claims. See the description of setVerifiedClaimsForTx(String[]) for details.

    jwtAtClaims (OPTIONAL; Authlete 2.3 onwards)

    Additional claims in JSON object format that are added to the payload part of the JWT access token. See the description of getJwtAtClaims() for details.

    accessToken (OPTIONAL; Authlete 2.2.27 onwards)

    The representation of an access token that may be issued as a result of the Authlete API call. See getAccessToken() for details.

    idTokenAudType (OPTIONAL; Authlete 2.3.3 onwards)

    The type of the aud claim of the ID token being issued. Valid values are "string" and "array".

    accessTokenDuration (OPTIONAL)

    The duration of the access token that may be issued as a result of the Authlete API call. See getAccessTokenDuration() for details.

    Author:
    Takahiko Kawasaki
    See Also:
    AuthorizationResponse, OpenID Connect Core 1.0, 5.1. Standard Claims, Serialized Form

    • Constructor Detail

      • AuthorizationIssueRequest

        public AuthorizationIssueRequest()

    • Method Detail

      • getTicket

        public String getTicket()
        Get the value of "ticket" which is the ticket issued by Authlete's /auth/authorization API to the service implementation.
        Returns:
        The ticket.

      • setTicket

        public AuthorizationIssueRequest setTicket​(String ticket)
        Set the value of "ticket" which is the ticket issued by Authlete's /auth/authorization API to the service implementation.
        Parameters:
        ticket - The ticket.
        Returns:
        this object.

      • getSubject

        public String getSubject()
        Get the value of "subject" which is the subject (= a user account managed by the service) who has granted authorization to the client application.

        This subject property is used as the value of the subject associated with the access token (if one is issued) and as the value of the sub claim in the ID token (if one is issued).

        Note that, if getSub() returns a non-empty value, it is used as the value of the sub claim in the ID token. However, even in such a case, the value of the subject associated with the access token is still the value of this subject property.

        Returns:
        The subject.
        See Also:
        getSub()

      • setSubject

        public AuthorizationIssueRequest setSubject​(String subject)
        Set the value of "subject" which is the subject (= a user account managed by the service) who has granted authorization to the client application.

        This subject property is used as the value of the subject associated with the access token (if one is issued) and as the value of the sub claim in the ID token (if one is issued).

        Note that, if a non-empty value is set by setSub(String) method, the value is used as the value of the sub claim in the ID token. However, even in such a case, the value of the subject associated with the access token is still the value set by this method.

        Parameters:
        subject - The subject.
        Returns:
        this object.
        Since:
        setSub(String)

      • getSub

        public String getSub()
        Get the value of the sub claim that should be used in the ID token which is to be issued. If this method returns null or its value is empty, the value of the subject is used. The main purpose of this sub property is to hide the actual value of the subject from client applications.

        Note that the value of the subject request parameter is used as the value of the subject associated with the access token regardless of whether this sub property is a non-empty value or not.

        Returns:
        The value of the sub claim.
        Since:
        1.35
        See Also:
        getSubject()

      • setSub

        public AuthorizationIssueRequest setSub​(String sub)
        Set the value of the sub claim that should be used in the ID token which is to be issued. If null (the default value) or an empty string is given, the value of the subject is used. The main purpose of this sub property is to hide the actual value of the subject from client applications.

        Note that the value of the subject request parameter is used as the value of the subject associated with the access token regardless of whether this sub property is a non-empty value or not.

        Parameters:
        sub - The value of the sub claim.
        Returns:
        this object.
        Since:
        1.35
        See Also:
        setSubject(String)

      • getAuthTime

        public long getAuthTime()
        Get the value of "authTime" which is the time when the authentication of the end-user occurred.
        Returns:
        The time when the end-user authentication occurred. It is the number of seconds since 1970-01-01.

      • setAuthTime

        public AuthorizationIssueRequest setAuthTime​(long authTime)
        Set the value of "authTime" which is the time when the authentication of the end-user occurred.
        Parameters:
        authTime - The time when the end-user authentication occurred. It is the number of seconds since 1970-01-01.
        Returns:
        this object.

      • getAcr

        public String getAcr()
        Get the value of "acr" which is the authentication context class reference value which the end-user authentication satisfied.
        Returns:
        The authentication context class reference.

      • setAcr

        public AuthorizationIssueRequest setAcr​(String acr)
        Set the value of "acr" which is the authentication context class reference value which the end-user authentication satisfied.
        Parameters:
        acr - The authentication context class reference.
        Returns:
        this object.

      • getClaims

        public String getClaims()
        Get the value of "claims" which is the claims of the subject in JSON format.
        Returns:
        The claims of the subject in JSON format. See the description of setClaims(String) for details about the format.
        See Also:
        setClaims(String)

      • setClaims

        public AuthorizationIssueRequest setClaims​(String claims)
        Set the value of "claims" which is the claims of the subject in JSON format.

        The service implementation is required to retrieve claims of the subject (= information about the end-user) from its database and format them in JSON format.

        For example, if "given_name" claim, "family_name" claim and "email" claim are requested, the service implementation should generate a JSON object like the following: 

         {
   "given_name": "Takahiko",
   "family_name": "Kawasaki",
   "email": "takahiko.kawasaki@example.com"
 }

        and set its String representation by this method.

        See OpenID Connect Core 1.0, 5.1. Standard Claims for further details about the format.

        Parameters:
        claims - The claims of the subject in JSON format.
        Returns:
        this object.
        See Also:
        OpenID Connect Core 1.0, 5.1. Standard Claims

      • setClaims

        public AuthorizationIssueRequest setClaims​(Map<String,​Object> claims)
        Set the value of "claims" which is the claims of the subject. The argument is converted into a JSON string and passed to setClaims(String) method.
        Parameters:
        claims - The claims of the subject. Keys are claim names.
        Returns:
        this object.
        Since:
        1.24

      • getProperties

        public Property[] getProperties()
        Get the extra properties to associate with an access token and/or an authorization code which will be issued by this request.
        Returns:
        Extra properties.
        Since:
        1.30

      • setProperties

        public AuthorizationIssueRequest setProperties​(Property[] properties)
        Set extra properties to associate with an access token and/or an authorization code which will be issued by this request.

        Keys of extra properties will be used as labels of top-level entries in a JSON response containing an access token which is returned from an authorization server. An example is example_parameter, which you can find in 5.1. Successful Response in RFC 6749. The following code snippet is an example to set one extra property having example_parameter as its key and example_value as its value. 

         Property[] properties = { new Property("example_parameter", "example_value") };
 request.setProperties(properties);

        Keys listed below should not be used and they would be ignored on the server side even if they were used. It's because they are reserved in RFC 6749 and OpenID Connect Core 1.0.

        • access_token
        • token_type
        • expires_in
        • refresh_token
        • scope
        • error
        • error_description
        • error_uri
        • id_token

        Note that there is an upper limit on the total size of extra properties. On the server side, the properties will be (1) converted to a multidimensional string array, (2) converted to JSON, (3) encrypted by AES/CBC/PKCS5Padding, (4) encoded by base64url, and then stored into the database. The length of the resultant string must not exceed 65,535 in bytes. This is the upper limit, but we think it is big enough.

        Parameters:
        properties - Extra properties.
        Returns:
        this object.
        Since:
        1.30

      • getScopes

        public String[] getScopes()
        Get scopes to associate with an authorization code and/or an access token. If this method returns a non-null value, the set of scopes will be used instead of the scopes specified in the original authorization request.
        Returns:
        Scopes to replace the scopes specified in the original authorization request. When null is returned from this method, replacement is not performed.
        Since:
        1.34

      • setScopes

        public AuthorizationIssueRequest setScopes​(String[] scopes)
        Set scopes to associate with an authorization code and/or an access token. If null (the default value) is set, the scopes specified in the original authorization request from the client application are used. In other cases, including the case of an empty array, the scopes given to this method will replace the original scopes contained in the original request.

        Even scopes that are not included in the original authorization request can be specified. However, as an exception, "openid" scope is ignored on the server side if it is not included in the original request (to be exact, if "openid" was not included in the parameters request parameter of /api/auth/authorization API call). It is because the existence of "openid" scope considerably changes the validation steps and because adding "openid" triggers generation of an ID token (although the client application has not requested it) and the behavior is a major violation against the specification.

        If you add "offline_access" scope although it is not included in the original request, keep in mind that the specification requires explicit consent from the user for the scope (OpenID Connect Core 1.0, 11. Offline Access). When "offline_access" is included in the original request, the current implementation of Authlete's /api/auth/authorization API checks whether the request has come along with prompt request parameter and the value includes "consent". However, note that the implementation of Authlete's /api/auth/authorization/issue API does not perform such checking if "offline_access" scope is added via this scopes parameter.

        Value Effect
        null The scopes contained in the original authorization request are used.
        An empty array No scopes are associated with an authorization code and/or an access token. The scopes contained in the original authorization request are not used.
        A non-empty array of scope names Scopes listed in the array are associated with an authorization code and/or an access token.
        Parameters:
        scopes - Scopes to associate with an authorization code and/or an access token. If a non-null value is set, the original scopes requested by the client application are replaced.
        Returns:
        this object.
        Since:
        1.34

      • getIdtHeaderParams

        public String getIdtHeaderParams()
        Get JSON that represents additional JWS header parameters for ID tokens that may be issued based on the authorization request.
        Returns:
        JSON that represents additional JWS header parameters for ID tokens.
        Since:
        2.76

      • setIdtHeaderParams

        public AuthorizationIssueRequest setIdtHeaderParams​(String params)
        Set JSON that represents additional JWS header parameters for ID tokens that may be issued based on the authorization request.
        Parameters:
        params - JSON that represents additional JWS header parameters for ID tokens.
        Returns:
        this object.
        Since:
        2.76

      • getAuthorizationDetails

        public AuthzDetails getAuthorizationDetails()
        Get the authorization details. This represents the value of the "authorization_details" request parameter which is defined in "OAuth 2.0 Rich Authorization Requests". If this parameter is set, it overrides the parameter in the original request.
        Returns:
        Authorization details.
        Since:
        2.99

      • setAuthorizationDetails

        public AuthorizationIssueRequest setAuthorizationDetails​(AuthzDetails authorizationDetails)
        Set the authorization details. This represents the value of the "authorization_details" request parameter which is defined in "OAuth 2.0 Rich Authorization Requests". If this parameter is set, it overrides the parameter in the original request.
        Parameters:
        authorizationDetails - Authorization details.
        Returns:
        this object.
        Since:
        2.99

      • getConsentedClaims

        public String[] getConsentedClaims()
        Get the claims that the user has consented for the client application to know.

        See the description of setConsentedClaims(String[]) for details.

        Returns:
        Consented claims.
        Since:
        3.7

      • setConsentedClaims

        public AuthorizationIssueRequest setConsentedClaims​(String[] claims)
        Set the claims that the user has consented for the client application to know.

        If the claims request parameter holds JSON, Authlete extracts claims from the JSON and embeds them in an ID token (cf. setClaims(String)). However, the claims are not necessarily identical to the set of claims that the user has actually consented for the client application to know.

        For example, if the user has allowed the profile scope to be tied to an access token being issued, it technically means that the user has consented for the client application to know the following claims based on the mapping defined in OpenID Connect Core 1.0 Section 5.4. Requesting Claims using Scope Values: name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale and updated_at. However, JSON of the claims request parameter does not necessarily include all the claims. It may be simply because the authorization server does not support other claims or because the authorization server intends to return requested claims from the UserInfo Endpoint instead of embedding them in an ID token, or for some other reasons. Therefore, Authlete does not assume that the claims in the JSON of the claims request parameter represent the complete set of consented claims.

        This consentedClaims request parameter (supported from Authlete 2.3) can be used to convey the exact set of consented claims to Authlete. Authlete saves the information into its database and makes them referrable in responses from the /api/auth/introspection API and the /api/auth/userinfo API.

        In addition, the information conveyed via this consentedClaims request parameter is used to compute the exact value of the claims parameter in responses from the Grant Management Endpoint, which is defined in Grant Management for OAuth 2.0.

        When this request parameter is missing or its value is empty, Authlete computes the set of consented claims from the consented scopes (e.g. profile) and the claims in the JSON of the claims request parameter although Authlete knows the possibility that the computed set may be different from the actual set of consented claims. Especially, the computed set may not include claims that the authorization server returns from the UserInfo Endpoint. Therefore, if you want to control the exact set of consented claims, utilize this request parameter.

        Parameters:
        claims - Consented claims.
        Returns:
        this object.
        Since:
        3.7

      • setClaimsForTx

        public AuthorizationIssueRequest setClaimsForTx​(String claims)
        Set values of claims requested indirectly by "transformed claims".

        A client application may request "transformed claims". Each of transformed claims uses an existing claim as input. As a result, to compute the value of a transformed claim, the value of the referenced existing claim is needed. This claimsForTx request parameter has to be used to provide values of existing claims for computation of transformed claims.

        A response from the /api/auth/authorization API may include the requestedClaimsForTx response parameter which is a list of claims that are referenced indirectly by transformed claims (cf. AuthorizationResponse.getRequestedClaimsForTx()). The authorization server implementation should prepare values of the claims listed in requestedClaimsForTx and pass them as the value of this claimsForTx request parameter.

        The following is an example of the value of this request parameter. 

         {
   "birthdate": "1970-01-23",
   "nationalities": [ "DEU", "USA" ]
 }

        This request parameter (claimsForTx) is recognized by Authlete 2.3 onwards.

        Parameters:
        claims - Values of claims requested indirectly by "transformed claims". The format is JSON.
        Returns:
        this object.
        Since:
        3.8
        See Also:
        OpenID Connect Advanced Syntax for Claims (ASC) 1.0, AuthorizationResponse.getRequestedClaimsForTx()

      • setClaimsForTx

        public AuthorizationIssueRequest setClaimsForTx​(Map<String,​Object> claims)
        Set the value of "claimsForTx" which is the claims of the subject. The argument is converted into a JSON string and passed to setClaimsForTx(String) method.
        Parameters:
        claims - The claims of the subject. Keys are claim names.
        Returns:
        this object.
        Since:
        3.9

      • setVerifiedClaimsForTx

        public AuthorizationIssueRequest setVerifiedClaimsForTx​(String[] claims)
        Set values of verified claims requested indirectly by "transformed claims".

        A client application may request "transformed claims". Each of transformed claims uses an existing claim as input. As a result, to compute the value of a transformed claim, the value of the referenced existing claim is needed. This verifiedClaimsForTx request parameter has to be used to provide values of existing claims for computation of transformed claims.

        A response from the /api/auth/authorization API may include the requestedVerifiedClaimsForTx response parameter which is a list of verified claims that are referenced indirectly by transformed claims (cf. AuthorizationResponse.getRequestedVerifiedClaimsForTx()). The authorization server implementation should prepare values of the verified claims listed in requestedVerifiedClaimsForTx and pass them as the value of this verifiedClaimsForTx request parameter.

        The following is an example of the value of this request parameter. 

         [
   "{\"birthdate\":\"1970-01-23\",\"nationalities\":[\"DEU\",\"USA\"]}"
 ]

        The reason that this verifiedClaimsForTx property is an array is that the "verified_claims" property in the claims request parameter of an authorization request can be an array like below. 

         {
   "transformed_claims": {
     "nationality_usa": {
       "claim": "nationalities",
       "fn": [
         [ "eq", "USA" ],
         "any"
       ]
     }
   },
   "id_token": {
     "verified_claims": [
       {
         "verification": { "trust_framework": { "value": "gold" } },
         "claims": { "::18_or_above": null }
       },
       {
         "verification": { "trust_framework": { "value": "silver" } },
         "claims": { ":nationality_usa": null }
       }
     ]
   }
 }

        For the example above, the value of this verifiedClaimsForTx property should be an array of size 2 and look like below. The first element is JSON including claims which have been verified under the trust framework "gold", and the second element is JSON including claims which have been verified under the trust framework "silver". 

         [
   "{\"birthdate\":\"1970-01-23\"}",
   "{\"nationalities\":[\"DEU\",\"USA\"]}"
 ]

        This request parameter (verifiedClaimsForTx) is recognized by Authlete 2.3 onwards.

        Parameters:
        claims - Values of verified claims requested indirectly by "transformed claims". The format of elements in the array is JSON.
        Returns:
        this object.
        Since:
        3.8
        See Also:
        OpenID Connect Advanced Syntax for Claims (ASC) 1.0, OpenID Connect for Identity Assurance 1.0, AuthorizationResponse.getRequestedVerifiedClaimsForTx()

      • setVerifiedClaimsForTx

        public AuthorizationIssueRequest setVerifiedClaimsForTx​(List<Map<String,​Object>> list)
        Set the value of "verifiedClaimsForTx" which is the verified claims of the subject. Each element in the given list is converted to a JSON string and a newly created string array containing the converted elements is passed to setVerifiedClaimsForTx(String[]).
        Parameters:
        list - List of clusters of verified claims.
        Returns:
        this object.
        Since:
        3.9

      • getJwtAtClaims

        public String getJwtAtClaims()
        Get the additional claims in JSON object format that are added to the payload part of the JWT access token.

        This request parameter has a meaning only when the format of access tokens issued by this service is JWT. In other words, it has a meaning only when the accessTokenSignAlg property of the Service holds a non-null value. See the description of the getAccessTokenSignAlg() method for details.

        Returns:
        Additional claims that are added to the payload part of the JWT access token.
        Since:
        3.23

      • setJwtAtClaims

        public AuthorizationIssueRequest setJwtAtClaims​(String claims)
        Set the additional claims in JSON object format that are added to the payload part of the JWT access token.

        This request parameter has a meaning only when the format of access tokens issued by this service is JWT. In other words, it has a meaning only when the accessTokenSignAlg property of the Service holds a non-null value. See the description of the getAccessTokenSignAlg() method for details.

        Parameters:
        claims - Additional claims that are added to the payload part of the JWT access token.
        Returns:
        this object.
        Since:
        3.23

      • getAccessToken

        public String getAccessToken()
        Get the representation of an access token that may be issued as a result of the Authlete API call.

        Basically, it is the Authlete server's role to generate an access token. However, some systems may have inflexible restrictions on the format of access tokens. Such systems may use this accessToken request parameter to specify the representation of an access token by themselves instead of leaving the access token generation task to the Authlete server.

        Usually, the Authlete server (1) generates a random 256-bit value, (2) base64url-encodes the value into a 43-character string, and (3) uses the resultant string as the representation of an access token. The Authlete implementation is written on the assumption that the 256-bit entropy is big enough. Therefore, make sure that the entropy of the value of the accessToken request parameter is big enough, too.

        The entropy does not necessarily have to be equal to or greater than 256 bits. For example, 192-bit random values (which will become 32-character strings when encoded by base64url) may be enough. However, note that if the entropy is too low, access token string values will collide and Authlete API calls will fail.

        When no access token is generated as a result of the Authlete API call, this accessToken request parameter is not used. Note that the Authlete API generates an access token only when the response_type request parameter of the authorization request contains token. In other cases, the Authlete API generates no access token.

        Returns:
        The representation of an access token that may be issued as a result of the Authlete API call.
        Since:
        3.24, Authlete 2.2.27

      • setAccessToken

        public AuthorizationIssueRequest setAccessToken​(String accessToken)
        Set the representation of an access token that may be issued as a result of the Authlete API call.

        Basically, it is the Authlete server's role to generate an access token. However, some systems may have inflexible restrictions on the format of access tokens. Such systems may use this accessToken request parameter to specify the representation of an access token by themselves instead of leaving the access token generation task to the Authlete server.

        Usually, the Authlete server (1) generates a random 256-bit value, (2) base64url-encodes the value into a 43-character string, and (3) uses the resultant string as the representation of an access token. The Authlete implementation is written on the assumption that the 256-bit entropy is big enough. Therefore, make sure that the entropy of the value of the accessToken request parameter is big enough, too.

        The entropy does not necessarily have to be equal to or greater than 256 bits. For example, 192-bit random values (which will become 32-character strings when encoded by base64url) may be enough. However, note that if the entropy is too low, access token string values will collide and Authlete API calls will fail.

        When no access token is generated as a result of the Authlete API call, this accessToken request parameter is not used. Note that the Authlete API generates an access token only when the response_type request parameter of the authorization request contains token. In other cases, the Authlete API generates no access token.

        Parameters:
        accessToken - The representation of an access token that may be issued as a result of the Authlete API call.
        Returns:
        this object.
        Since:
        3.24, Authlete 2.2.27

      • getIdTokenAudType

        public String getIdTokenAudType()
        Get the type of the aud claim of the ID token being issued. Valid values are as follows.
        Value Description
        "array" The type of the aud claim is always an array of strings.
        "string" The type of the aud claim is always a single string.
        null The type of the aud claim remains the same as before.

        This request parameter takes precedence over the idTokenAudType property of Service (cf. Service.getIdTokenAudType()).

        Returns:
        The type of the aud claim in ID tokens.
        Since:
        3.57, Authlete 2.3.3

      • setIdTokenAudType

        public AuthorizationIssueRequest setIdTokenAudType​(String type)
        Set the type of the aud claim of the ID token being issued. Valid values are as follows.
        Value Description
        "array" The type of the aud claim is always an array of strings.
        "string" The type of the aud claim is always a single string.
        null The type of the aud claim remains the same as before.

        This request parameter takes precedence over the idTokenAudType property of Service (cf. Service.getIdTokenAudType()).

        Parameters:
        type - The type of the aud claim in ID tokens.
        Returns:
        this object.
        Since:
        3.57, Authlete 2.3.3

      • getAccessTokenDuration

        public long getAccessTokenDuration()
        Get the duration of the access token that may be issued as a result of the Authlete API call.

        When this request parameter holds a positive integer, it is used as the duration of the access token. In other cases, this request parameter is ignored.

        Returns:
        The duration of the access token in seconds.
        Since:
        3.65, Authlete 2.2.41, Authlete 2.3.5, Authlete 3.0

      • setAccessTokenDuration

        public AuthorizationIssueRequest setAccessTokenDuration​(long duration)
        Set the duration of the access token that may be issued as a result of the Authlete API call.

        When this request parameter holds a positive integer, it is used as the duration of the access token. In other cases, this request parameter is ignored.

        Parameters:
        duration - The duration of the access token in seconds.
        Returns:
        this request parameter.
        Since:
        3.65, Authlete 2.2.41, Authlete 2.3.5, Authlete 3.0