Package com.authlete.common.dto

Class BackchannelAuthenticationCompleteRequest

  • All Implemented Interfaces:
    Serializable
    public class BackchannelAuthenticationCompleteRequest
extends Object
implements Serializable
    Request to Authlete's /api/backchannel/authentication/complete API.

    After the implementation of the backchannel authentication endpoint returns JSON containing an auth_req_id to the client, the authorization server starts a background process that communicates with the authentication device of the end-user. On the authentication device, end-user authentication is performed and the end-user is asked whether they give authorization to the client or not. The authorization server will receive the result of end-user authentication and authorization from the authentication device.

    After the authorization server receives the result from the authentication device, or even in the case where the server gave up receiving a response from the authentication device for some reasons, the server should call the /api/backchannel/authentication/complete API to tell Authlete the result.

    When the end-user was authenticated and authorization was granted to the client by the end-user, the authorization server should call the API with result=AUTHORIZED. In this successful case, the subject request parameter is mandatory. If the token delivery mode is "push", the API will generate an access token, an ID token and optionally a refresh token. On the other hand, if the token delivery mode is "poll" or "ping", the API will just update the database record so that /api/auth/token API can generate tokens later.

    When the authorization server received the decision of the end-user from the authentication device and it indicates that the end-user has rejected to give authorization to the client, the authorization server should call the API with result=ACCESS_DENIED. In this case, if the token delivery mode is "push", the API will generate an error response that contains the error response parameter and optionally the error_description and error_uri response parameters (if the errorDescription and errorUri request parameters have been given). On the other hand, if the token delivery mode is "poll" or "ping", the API will just update the database record so that /api/auth/token API can generate an error response later. In any token delivery mode, the value of the error parameter will become access_denied.

    When the authorization server could not get the result of end-user authentication and authorization from the authentication device for some reasons, the authorization server should call the API with result=TRANSACTION_FAILED. In this error case, the API will behave in the same way as in the case of ACCESS_DENIED. The only difference is that expired_token is used as the value of the error parameter.

    Since:
    2.32
    See Also:
    Serialized Form

    • Constructor Detail

      • BackchannelAuthenticationCompleteRequest

        public BackchannelAuthenticationCompleteRequest()

    • Method Detail

      • getTicket

        public String getTicket()
        Get the ticket which is necessary to call Authlete's /api/backchannel/authentication/complete API.
        Returns:
        The ticket.

      • setTicket

        public BackchannelAuthenticationCompleteRequest setTicket​(String ticket)
        Set the ticket which is necessary to call Authlete's /api/backchannel/authentication/complete API. This request parameter is mandatory.
        Parameters:
        ticket - The ticket previously issued by Authlete's /api/backchannel/authentication API.
        Returns:
        this object.

      • getSubject

        public String getSubject()
        Get the subject (= unique identifier) of the end-user who has granted authorization to the client application.

        This subject property is used as the value of the subject associated with the access token and as the value of the sub claim in the ID token.

        Note that, if getSub() returns a non-empty value, it is used as the value of the sub claim in the ID token. However, even in the case, the value of the subject associated with the access token is still the value of this subject property.

        Returns:
        The subject (= unique identifier) of the end-user.
        See Also:
        getSub()

      • setSubject

        public BackchannelAuthenticationCompleteRequest setSubject​(String subject)
        Set the subject (= unique identifier) of the end-user who has granted authorization to the client application. This request parameter is mandatory when getResult() returns AUTHORIZED.

        This subject property is used as the value of the subject associated with the access token and as the value of the sub claim in the ID token.

        Note that, if getSub() returns a non-empty value, it is used as the value of the sub claim in the ID token. However, even in the case, the value of the subject associated with the access token is still the value set by this method.

        Parameters:
        subject - The subject (= unique identifier) of the end-user.
        Returns:
        this object.
        See Also:
        setSub(String)

      • getSub

        public String getSub()
        Get the value of the sub claim that should be used in the ID token. If this method returns null or its value is empty, the value returned by getSubject() is used as the value of the sub claim. The main purpose of this sub property is to hide the actual value of the subject from client applications.

        Note that the value of the subject request parameter is used as the value of the subject associated with the access token regardless of whether this sub property is a non-empty value or not. In other words, this sub property affects only the sub claim in the ID token.

        Returns:
        The value of the sub claim.
        See Also:
        getSubject()

      • setSub

        public BackchannelAuthenticationCompleteRequest setSub​(String sub)
        Set the value of the sub claim that should be used in the ID token. If this method returns null or its value is empty, the value returned by getSubject() is used as the value of the sub claim. The main purpose of this sub property is to hide the actual value of the subject from client applications.

        Note that the value of the subject request parameter is used as the value of the subject associated with the access token regardless of whether this sub property is a non-empty value or not. In other words, this sub property affects only the sub claim in the ID token.

        Parameters:
        sub - The value of the sub claim.
        Returns:
        this object.
        See Also:
        setSubject(String)

      • getAuthTime

        public long getAuthTime()
        Get the time at which the end-user was authenticated.
        Returns:
        The time at which the end-user was authenticated. It is the number of seconds since 1970-01-01.

      • setAuthTime

        public BackchannelAuthenticationCompleteRequest setAuthTime​(long authTime)
        Set the time at which the end-user was authenticated. When this request parameter holds a positive number, the auth_time claim will be embedded in the ID token.
        Parameters:
        authTime - The time at which the end-user was authenticated. It is the number of seconds since 1970-01-01.
        Returns:
        this object.

      • getAcr

        public String getAcr()
        Get the reference of the authentication context class which the end-user authentication satisfied.
        Returns:
        The authentication context class reference.

      • setAcr

        public BackchannelAuthenticationCompleteRequest setAcr​(String acr)
        Set the reference of the authentication context class which the end-user authentication satisfied. When this request parameter holds a non-null value, the acr claim will be embedded in the ID token.
        Parameters:
        acr - The authentication context class reference.
        Returns:
        this object.

      • getClaims

        public String getClaims()
        Get additional claims which will be embedded in the ID token.
        Returns:
        Additional claims in JSON format which will be embedded in the ID token. See the description of setClaims(String) for details about the format.
        See Also:
        setClaims(String)

      • setClaims

        public BackchannelAuthenticationCompleteRequest setClaims​(String claims)
        Set additional claims which will be embedded in the ID token.

        The authorization server implementation is required to retrieve values of requested claims of the end-user from its database and format them in JSON format.

        For example, if "given_name" claim, "family_name" claim and "email" claim are requested, the authorization server implementation should generate a JSON object like the following: 

         {
   "given_name": "Takahiko",
   "family_name": "Kawasaki",
   "email": "takahiko.kawasaki@example.com"
 }

        and set its string representation by this method.

        See OpenID Connect Core 1.0, 5.1. Standard Claims for further details about the format.

        Parameters:
        claims - Additional claims in JSON format.
        Returns:
        this object.
        See Also:
        OpenID Connect Core 1.0, 5.1. Standard Claims

      • getProperties

        public Property[] getProperties()
        Get the extra properties associated with the access token.
        Returns:
        Extra properties.

      • setProperties

        public BackchannelAuthenticationCompleteRequest setProperties​(Property[] properties)
        Set extra properties associated with the access token.

        Keys of extra properties will be used as labels of top-level entries in a JSON response returned from the authorization server. An example is example_parameter, which you can find in 5.1. Successful Response in RFC 6749. The following code snippet is an example to set one extra property having example_parameter as its key and example_value as its value. 

         Property[] properties = { new Property("example_parameter", "example_value") };
 request.setProperties(properties);

        Note that there is an upper limit on the total size of extra properties. On Authlete side, the properties will be (1) converted to a multidimensional string array, (2) converted to JSON, (3) encrypted by AES/CBC/PKCS5Padding, (4) encoded by base64url, and then stored into the database. The length of the resultant string must not exceed 65,535 in bytes. This is the upper limit, but we think it is big enough.

        Parameters:
        properties - Extra properties.
        Returns:
        this object.

      • getScopes

        public String[] getScopes()
        Get scopes associated with the access token. If this method returns a non-null value, the set of scopes will be used instead of the scopes specified in the original backchannel authentication request.
        Returns:
        Scopes to replace the scopes specified in the original backchannel authentication request with. When null is returned from this method, replacement is not performed.

      • setScopes

        public BackchannelAuthenticationCompleteRequest setScopes​(String[] scopes)
        Set scopes associated with the access token. If null (the default value) is set, the scopes specified in the original backchannel authentication request are used. In other cases, the scopes given to this method will replace the original scopes contained in the original request.

        Even scopes that are not included in the original request can be included.

        Note that because the CIBA specification requires "openid" as a mandatory scope, "openid" should be always included.

        Parameters:
        scopes - Scopes associated with the access token. If a non-null value is set, the original scopes requested by the client application are replaced.
        Returns:
        this object.

      • getIdtHeaderParams

        public String getIdtHeaderParams()
        Get JSON that represents additional JWS header parameters for the ID token.
        Returns:
        JSON that represents additional JWS header parameters for the ID token.
        Since:
        2.79

      • setIdtHeaderParams

        public BackchannelAuthenticationCompleteRequest setIdtHeaderParams​(String params)
        Set JSON that represents additional JWS header parameters for the ID token.
        Parameters:
        params - JSON that represents additional JWS header parameters for the ID token.
        Returns:
        this object.
        Since:
        2.79

      • getConsentedClaims

        public String[] getConsentedClaims()
        Get the claims that the user has consented for the client application to know.

        See the description of setConsentedClaims(String[]) for details.

        Returns:
        Consented claims.
        Since:
        3.7

      • setConsentedClaims

        public BackchannelAuthenticationCompleteRequest setConsentedClaims​(String[] claims)
        Set the claims that the user has consented for the client application to know.

        If the claims request parameter holds JSON, Authlete extracts claims from the JSON and embeds them in an ID token (cf. setClaims(String)). However, the claims are not necessarily identical to the set of claims that the user has actually consented for the client application to know.

        For example, if the user has allowed the profile scope to be tied to an access token being issued, it technically means that the user has consented for the client application to know the following claims based on the mapping defined in OpenID Connect Core 1.0 Section 5.4. Requesting Claims using Scope Values: name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale and updated_at. However, JSON of the claims request parameter does not necessarily include all the claims. It may be simply because the authorization server does not support other claims or because the authorization server intends to return requested claims from the UserInfo Endpoint instead of embedding them in an ID token, or for some other reasons. Therefore, Authlete does not assume that the claims in the JSON of the claims request parameter represent the complete set of consented claims.

        This consentedClaims request parameter (supported from Authlete 2.3) can be used to convey the exact set of consented claims to Authlete. Authlete saves the information into its database and makes them referrable in responses from the /api/auth/introspection API and the /api/auth/userinfo API.

        In addition, the information conveyed via this consentedClaims request parameter is used to compute the exact value of the claims parameter in responses from the Grant Management Endpoint, which is defined in Grant Management for OAuth 2.0.

        When this request parameter is missing or its value is empty, Authlete computes the set of consented claims from the consented scopes (e.g. profile) and the claims in the JSON of the claims request parameter although Authlete knows the possibility that the computed set may be different from the actual set of consented claims. Especially, the computed set may not include claims that the authorization server returns from the UserInfo Endpoint. Therefore, if you want to control the exact set of consented claims, utilize this request parameter.

        Parameters:
        claims - Consented claims.
        Returns:
        this object.
        Since:
        3.7

      • getErrorDescription

        public String getErrorDescription()
        Get the description of the error. This corresponds to the error_description property in the response to the client.
        Returns:
        The description of the error.

      • setErrorDescription

        public BackchannelAuthenticationCompleteRequest setErrorDescription​(String description)
        Set the description of the error. This corresponds to the error_description property in the response to the client.

        If this optional request parameter is given, its value is used as the value of the error_description property, but it is used only when the result is not AUTHORIZED.

        To comply with the specification strictly, the description must not include characters outside the set %x20-21 / %x23-5B / %x5D-7E.

        Parameters:
        description - The description of the error.
        Returns:
        this object.

      • getErrorUri

        public URI getErrorUri()
        Get the URI of a document which describes the error in detail. This corresponds to the error_uri property in the response to the client.
        Returns:
        The URI of a document which describes the error in detail.

      • setErrorUri

        public BackchannelAuthenticationCompleteRequest setErrorUri​(URI uri)
        Set the URI of a document which describes the error in detail. This corresponds to the error_uri property in the response to the client.

        If this optional request parameter is given, its value is used as the value of the error_uri property, but it is used only when the result is not AUTHORIZED.

        Parameters:
        uri - The URI of a document which describes the error in detail.
        Returns:
        this object.

      • getJwtAtClaims

        public String getJwtAtClaims()
        Get the additional claims in JSON object format that are added to the payload part of the JWT access token.

        This request parameter has a meaning only when the format of access tokens issued by this service is JWT. In other words, it has a meaning only when the accessTokenSignAlg property of the Service holds a non-null value. See the description of the getAccessTokenSignAlg() method for details.

        Returns:
        Additional claims that are added to the payload part of the JWT access token.
        Since:
        3.23

      • setJwtAtClaims

        public BackchannelAuthenticationCompleteRequest setJwtAtClaims​(String claims)
        Set the additional claims in JSON object format that are added to the payload part of the JWT access token.

        This request parameter has a meaning only when the format of access tokens issued by this service is JWT. In other words, it has a meaning only when the accessTokenSignAlg property of the Service holds a non-null value. See the description of the getAccessTokenSignAlg() method for details.

        Parameters:
        claims - Additional claims that are added to the payload part of the JWT access token.
        Returns:
        this object.
        Since:
        3.23

      • getAccessToken

        public String getAccessToken()
        Get the representation of an access token that may be issued as a result of the Authlete API call.

        Basically, it is the Authlete server's role to generate an access token. However, some systems may have inflexible restrictions on the format of access tokens. Such systems may use this accessToken request parameter to specify the representation of an access token by themselves instead of leaving the access token generation task to the Authlete server.

        Usually, the Authlete server (1) generates a random 256-bit value, (2) base64url-encodes the value into a 43-character string, and (3) uses the resultant string as the representation of an access token. The Authlete implementation is written on the assumption that the 256-bit entropy is big enough. Therefore, make sure that the entropy of the value of the accessToken request parameter is big enough, too.

        The entropy does not necessarily have to be equal to or greater than 256 bits. For example, 192-bit random values (which will become 32-character strings when encoded by base64url) may be enough. However, note that if the entropy is too low, access token string values will collide and Authlete API calls will fail.

        When no access token is generated as a result of the Authlete API call, this accessToken request parameter is not used. Note that the Authlete API generates an access token only when the flow is CIBA PUSH. In the cases of CIBA POLL and CIBA PING, an access token is generated at the token endpoint.

        Returns:
        The representation of an access token that may be issued as a result of the Authlete API call.
        Since:
        3.24, Authlete 2.2.27

      • setAccessToken

        public BackchannelAuthenticationCompleteRequest setAccessToken​(String accessToken)
        Set the representation of an access token that may be issued as a result of the Authlete API call.

        Basically, it is the Authlete server's role to generate an access token. However, some systems may have inflexible restrictions on the format of access tokens. Such systems may use this accessToken request parameter to specify the representation of an access token by themselves instead of leaving the access token generation task to the Authlete server.

        Usually, the Authlete server (1) generates a random 256-bit value, (2) base64url-encodes the value into a 43-character string, and (3) uses the resultant string as the representation of an access token. The Authlete implementation is written on the assumption that the 256-bit entropy is big enough. Therefore, make sure that the entropy of the value of the accessToken request parameter is big enough, too.

        The entropy does not necessarily have to be equal to or greater than 256 bits. For example, 192-bit random values (which will become 32-character strings when encoded by base64url) may be enough. However, note that if the entropy is too low, access token string values will collide and Authlete API calls will fail.

        When no access token is generated as a result of the Authlete API call, this accessToken request parameter is not used. Note that the Authlete API generates an access token only when the flow is CIBA PUSH. In the cases of CIBA POLL and CIBA PING, an access token is generated at the token endpoint.

        Parameters:
        accessToken - The representation of an access token that may be issued as a result of the Authlete API call.
        Returns:
        this object.
        Since:
        3.24, Authlete 2.2.27

      • getIdTokenAudType

        public String getIdTokenAudType()
        Get the type of the aud claim of the ID token being issued. Valid values are as follows.
        Value Description
        "array" The type of the aud claim is always an array of strings.
        "string" The type of the aud claim is always a single string.
        null The type of the aud claim remains the same as before.

        This request parameter takes precedence over the idTokenAudType property of Service (cf. Service.getIdTokenAudType()).

        Returns:
        The type of the aud claim in ID tokens.
        Since:
        3.57, Authlete 2.3.3

      • setIdTokenAudType

        public BackchannelAuthenticationCompleteRequest setIdTokenAudType​(String type)
        Set the type of the aud claim of the ID token being issued. Valid values are as follows.
        Value Description
        "array" The type of the aud claim is always an array of strings.
        "string" The type of the aud claim is always a single string.
        null The type of the aud claim remains the same as before.

        This request parameter takes precedence over the idTokenAudType property of Service (cf. Service.getIdTokenAudType()).

        Parameters:
        type - The type of the aud claim in ID tokens.
        Returns:
        this object.
        Since:
        3.57, Authlete 2.3.3