public class Service extends Object implements Serializable
Some properties correspond to the ones listed in OpenID Provider Metadata in OpenID Connect Discovery 1.0.

When `getAccessTokenSignAlg()` returns a non-null value, access tokens issued by this service become JWTs. The value returned by the method is used as the signature algorithm of the JWTs. When the method returns null, access tokens issued by this service are random strings as before.
A JWT-based access token has the following claims.

| Claim name | Type | Description |
|---|---|---|
| scope | string | Space-delimited scope names. |
| client_id | string | Client ID. |
| exp | integer | Time at which this access token will expire. Seconds since the Unix epoch. |
| iat | integer | Time at which this access token was issued. Seconds since the Unix epoch. |
| sub | string | The subject (unique identifier) of the resource owner who approved issue of this access token. This claim does not exist or its value is null if this access token was issued by the resource owner password credentials flow. |
| iss | string | The issuer identifier of this service. |
| jti | string | The unique identifier of this JWT. The value of this claim itself is the random-string version of this access token. |
| cnf | object | If this access token is bound to a client certificate, this claim is included. The type of its value is object and the sub object contains an `x5t#S256` claim. The value of the `x5t#S256` claim is the X.509 Certificate SHA-256 thumbprint of the client certificate. See "3.1. JWT Certificate Thumbprint Confirmation Method" of RFC 8705 (OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens) for details. If this access token is bound to a public key of DPoP, this claim is included. The type of its value is object and the sub object contains a `jkt` claim. The value of the `jkt` claim is the thumbprint of the public key. See "OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer" for details. |
| aud | array | If this access token has been generated with target resources, this claim is included. See RFC 8707 (Resource Indicators for OAuth 2.0) for details. |
| authorization_details | array | If this access token has been generated with `authorization_details`, this claim is included. See "OAuth 2.0 Rich Authorization Requests" for details. |
| grant_id | string | The grant ID tied to this access token. This field may be set if the authorization request which created this access token included `grant_id` or `grant_management_action=create`. See "Grant Management for OAuth 2.0" for details about the request parameters. |
| grant | object | The grant this access token has inherited. This field may be set if the authorization request which created this access token included `grant_management_action=update`. See "Grant Management for OAuth 2.0" for details about the request parameter. The format of this JSON object is the same as the response from the grant management endpoint which is defined in "Grant Management for OAuth 2.0". |
| acr | string | The authentication context class of the user authentication that the authorization server performed during the course of issuing the access token. See "OAuth 2.0 Step-up Authentication Challenge Protocol" for details. |
| auth_time | integer | The time when the user authentication was performed for the access token. The value represents the number of seconds elapsed since the Unix epoch. See "OAuth 2.0 Step-up Authentication Challenge Protocol" for details. |
| grant_type | string | The grant type that was used for the issuance of the access token. Possible values are listed in the following table. |

| Value | Since Authlete Version |
|---|---|
| "authorization_code" | 2.1.24, 2.2.36, 2.3 |
| "implicit" | 2.1.24, 2.2.36, 2.3 |
| "password" | 2.1.24, 2.2.36, 2.3 |
| "client_credentials" | 2.1.24, 2.2.36, 2.3 |
| "urn:openid:params:grant-type:ciba" | 2.1.24, 2.2.36, 2.3 |
| "urn:ietf:params:oauth:grant-type:device_code" | 2.1.24, 2.2.36, 2.3 |
| "urn:ietf:params:oauth:grant-type:token-exchange" | 2.3 |
| "urn:ietf:params:oauth:grant-type:jwt-bearer" | 2.3 |
| "urn:ietf:params:oauth:grant-type:pre-authorized_code" | 3.0 |

Visible (= not-hidden) extra properties of the access token are embedded in the JWT as custom claims. Regarding extra properties, see the Authlete API document.
The feature of JWT-based access tokens is available since Authlete 2.1. Access tokens issued by older Authlete versions are always random strings.

"Resource Indicators for OAuth 2.0" (RFC 8707) is supported since Authlete 2.2. The `resource` request parameter given to older Authlete versions is just ignored, so JWT-based access tokens won't include the `aud` claim.

"OAuth 2.0 Rich Authorization Requests" is supported since Authlete 2.2. The `authorization_details` request parameter given to older Authlete versions is just ignored, so JWT-based access tokens won't include the `authorization_details` claim.

"Grant Management for OAuth 2.0" is supported since Authlete 2.3. The `grant_id` and `grant_management_action` request parameters given to older Authlete versions are just ignored, so JWT-based access tokens won't include the `grant_id` and `grant` claims.

"OAuth 2.0 Step-up Authentication Challenge Protocol" is supported since Authlete 2.3. JWT access tokens issued by older Authlete versions won't include the `acr` and `auth_time` claims.

Some Authlete APIs (e.g. `/api/auth/authorization/issue`) recognize the `jwtAtClaims` request parameter since Authlete 2.3. Its format is a JSON object. The content of the JSON object will be merged into the payload part of the JWT access token.
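A resource server that consumes these tokens has to apply the claim semantics above on its own side: pin the signature algorithm, check `iss`, `exp` and `iat` against the allowable clock skew, restrict by `aud` and `scope`, and verify the `cnf` binding (`x5t#S256` for mutual TLS, `jkt` for DPoP). The following Python is an added example, not Authlete's code; it assumes an HS256 shared secret so that it runs with the standard library only (asymmetric JWSAlg values need a JOSE library for the signature step), and every secret, certificate, key and claim set in it is constructed sample data.

```python
"""Resource-server-side validation of the JWT access token format described
above. Added example, not Authlete's code. Assumes an HS256 shared secret so it
runs with the standard library only; tokens signed with an asymmetric JWSAlg
need a JOSE library for the signature step, the claim checks are the same.
Every key, certificate and token below is constructed sample data."""
import base64
import hashlib
import hmac
import json

# Constructed sample inputs (not a real secret, certificate or key).
SECRET = b"demo-shared-secret-not-for-production"
ISSUER = "https://as.example.com"
CERT_DER = b"\x30\x82\x01\x00constructed-client-certificate-bytes"
DPOP_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y",
            "kid": "ignored-by-thumbprint"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 'x5t#S256': base64url(SHA-256(DER certificate))."""
    return b64url_encode(hashlib.sha256(cert_der).digest())


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint, the value DPoP puts in cnf.jkt.
    Only the required members count; 'kid', 'use', etc. are ignored."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"),
                "OKP": ("crv", "kty", "x")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True)
    return b64url_encode(hashlib.sha256(canonical.encode("utf-8")).digest())


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build a compact JWS; stands in for the authorization server in this demo."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "at+jwt"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes) -> dict:
    """Return the payload only if alg is the one we expect and the MAC matches."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def check_claims(claims: dict, *, issuer: str, now: int, resource: str = None,
                 required_scopes=(), clock_skew: int = 0,
                 client_cert_der: bytes = None, dpop_jwk: dict = None) -> list:
    """Apply the claim semantics from the table above; return the violations found."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss mismatch")
    if now > claims.get("exp", 0) + clock_skew:  # exp/iat are seconds since the Unix epoch
        problems.append("expired")
    if claims.get("iat", 0) > now + clock_skew:
        problems.append("iat in the future")
    aud = claims.get("aud")  # present only when the token was issued with target resources
    if resource is not None and aud is not None and resource not in aud:
        problems.append("aud does not include this resource")
    missing = set(required_scopes) - set(claims.get("scope", "").split())  # space-delimited
    if missing:
        problems.append("missing scope: " + " ".join(sorted(missing)))
    cnf = claims.get("cnf") or {}  # sender-constrained tokens carry x5t#S256 (mTLS) or jkt (DPoP)
    if "x5t#S256" in cnf and (client_cert_der is None
                              or x5t_s256(client_cert_der) != cnf["x5t#S256"]):
        problems.append("certificate binding failed")
    if "jkt" in cnf and (dpop_jwk is None or jwk_thumbprint(dpop_jwk) != cnf["jkt"]):
        problems.append("DPoP key binding failed")
    return problems


def sample_claims(now: int) -> dict:
    """Claims shaped like the table above for a certificate-bound token."""
    return {"scope": "read write", "client_id": "constructed-client", "exp": now + 300,
            "iat": now, "sub": "user-42", "iss": ISSUER, "jti": "constructed-random-string",
            "cnf": {"x5t#S256": x5t_s256(CERT_DER)}, "aud": ["https://rs.example.com"],
            "grant_type": "authorization_code"}


if __name__ == "__main__":
    now = 1_700_000_000
    token = sign_hs256(sample_claims(now), SECRET)
    claims = verify_hs256(token, SECRET)
    print(check_claims(claims, issuer=ISSUER, now=now, resource="https://rs.example.com",
                       required_scopes=("read",), client_cert_der=CERT_DER))  # []
```

Because `aud` is only present when the token was issued with target resources, a token without it passes the audience check here; a resource server that wants every token scoped to itself should instead require the claim.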
| Constructor and Description |
|---|
| `Service()` |
Modifier and Type | Method and Description |
---|---|
long |
getAccessTokenDuration()
Get the duration of access tokens in seconds; the value of
expires_in in access token responses. |
JWSAlg |
getAccessTokenSignAlg()
Get the signature algorithm of access tokens.
|
String |
getAccessTokenSignatureKeyId()
Get the key ID to identify a JWK used for signing access tokens.
|
String |
getAccessTokenType()
Get the access token type; the value of
token_type in
access token responses. |
int |
getAllowableClockSkew()
Get the allowable clock skew between the server and clients in seconds.
|
long |
getApiKey()
Get the API key.
|
String |
getApiSecret()
Get the API secret.
|
Pair[] |
getAttributes()
Get attributes.
|
String |
getAuthenticationCallbackApiKey()
Get the API key to access the authentication callback endpoint.
|
String |
getAuthenticationCallbackApiSecret()
Get the API secret to access the authentication callback endpoint.
|
URI |
getAuthenticationCallbackEndpoint()
Get the URI of the authentication callback endpoint.
|
URI[] |
getAuthorityHints()
Get the identifiers of entities that can issue entity statements for
this service.
|
URI |
getAuthorizationEndpoint()
Get the URI of the authorization endpoint.
|
long |
getAuthorizationResponseDuration()
Get the duration of authorization response JWTs.
|
String |
getAuthorizationSignatureKeyId()
Get the key ID to identify a JWK used for signing authorization
responses using an asymmetric key.
|
URI |
getBackchannelAuthenticationEndpoint()
Get the URI of the backchannel authentication endpoint.
|
int |
getBackchannelAuthReqIdDuration()
Get the duration of backchannel authentication request IDs issued from
the backchannel authentication endpoint in seconds.
|
int |
getBackchannelPollingInterval()
Get the minimum interval between polling requests to the token endpoint
from client applications in seconds.
|
int |
getClientsPerDeveloper()
Get the number of client applications that one developer can create.
|
long |
getCNonceDuration()
Get the duration of
c_nonce in seconds. |
long |
getCreatedAt()
Get the time at which this service was created.
|
long |
getCredentialDuration()
Get the default duration of verifiable credentials in seconds.
|
CredentialIssuerMetadata |
getCredentialIssuerMetadata()
Get the credential issuer metadata.
|
String |
getCredentialJwks()
Get the JWK Set document containing private keys that are used to sign
verifiable credentials.
|
URI |
getCredentialJwksUri()
Get the URL at which the JWK Set document of the credential issuer is
exposed.
|
long |
getCredentialOfferDuration()
Get the default duration of credential offers in seconds.
|
long |
getCredentialTransactionDuration()
Get the duration of transaction ID in seconds that may be issued as a
result of a credential request or a batch credential request.
|
String |
getDescription()
Get the description.
|
String |
getDeveloperAuthenticationCallbackApiKey()
Get the API key to access the developer authentication callback endpoint.
|
String |
getDeveloperAuthenticationCallbackApiSecret()
Get the API secret to access the developer authentication callback endpoint.
|
URI |
getDeveloperAuthenticationCallbackEndpoint()
Get the URI of the developer authentication callback endpoint.
|
SnsCredentials[] |
getDeveloperSnsCredentials()
Get the list of SNS credentials that Authlete uses to support social login
at the developer console.
|
URI |
getDeviceAuthorizationEndpoint()
Get the URI of the device authorization endpoint.
|
int |
getDeviceFlowCodeDuration()
Get the duration of device verification codes and end-user verification
codes issued from the device authorization endpoint in seconds.
|
int |
getDeviceFlowPollingInterval()
Get the minimum interval between polling requests to the token endpoint
from client applications in seconds in device flow.
|
URI |
getDeviceVerificationUri()
Get the verification URI for the device flow.
|
URI |
getDeviceVerificationUriComplete()
Get the verification URI for the device flow with a placeholder for a
user code.
|
URI |
getEndSessionEndpoint()
Get the end session endpoint for the service.
|
long |
getFederationConfigurationDuration()
Get the duration of the entity configuration in seconds.
|
String |
getFederationJwks()
Get the JWK Set document containing keys that are used to sign (1)
self-signed entity statement of this service and (2) the response from
signed_jwks_uri . |
URI |
getFederationRegistrationEndpoint()
Get the URI of the federation registration endpoint.
|
String |
getFederationSignatureKeyId()
Get the key ID to identify a JWK that should be used to sign the entity
configuration and the signed JWK Set.
|
URI |
getGrantManagementEndpoint()
Get the URL of the grant management endpoint.
|
Hsk[] |
getHsks()
Get information about keys managed on HSMs (Hardware Security Modules).
|
String |
getIdTokenAudType()
Get the type of the
aud claim in ID tokens. |
long |
getIdTokenDuration()
Get the duration of ID tokens in seconds.
|
String |
getIdTokenSignatureKeyId()
Get the key ID to identify a JWK used for ID token signature using
an asymmetric key.
|
URI |
getIntrospectionEndpoint()
Get the URI of the introspection endpoint.
|
String |
getIntrospectionSignatureKeyId()
Get the key ID of the key for signing introspection responses.
|
URI |
getIssuer()
Get the issuer identifier of this OpenID provider.
|
String |
getJwks()
Get the JSON Web Key Set of the service.
|
URI |
getJwksUri()
Get the URI of the service's JSON Web Key Set.
|
Pair[] |
getMetadata()
Get metadata.
|
long |
getModifiedAt()
Get the time at which this service was last modified.
|
NamedUri[] |
getMtlsEndpointAliases()
Get the MTLS endpoint aliases.
|
int |
getNumber()
Get the service number.
|
String |
getOrganizationName()
Get the human-readable name representing the organization that operates
this service.
|
URI |
getPolicyUri()
Get the URI that this OpenID Provider provides to the person
registering the client to read about the OP's requirements on
how the Relying Party can use the data provided by the OP.
|
String |
getPredefinedTransformedClaims()
Get the transformed claims predefined by this service in JSON format.
|
long |
getPushedAuthReqDuration()
Get the duration of pushed authorization requests.
|
URI |
getPushedAuthReqEndpoint()
Get the URI of the pushed authorization request endpoint.
|
long |
getRefreshTokenDuration()
Get the duration of refresh tokens in seconds.
|
URI |
getRegistrationEndpoint()
Get the URI of the registration endpoint.
|
URI |
getRegistrationManagementEndpoint()
Get the URI of the registration management endpoint.
|
String |
getResourceSignatureKeyId()
Get the key ID of a JWK containing the private key used by this service to
sign responses from the resource server, such as the userinfo endpoint and
responses sent to the RS signing endpoint.
|
URI |
getRevocationEndpoint()
Get the URI of the token revocation endpoint.
|
URI |
getServiceDocumentation()
Get the URI of a page containing human-readable information
that developers might want or need to know when using this
OpenID Provider.
|
String |
getServiceName()
Get the service name.
|
int |
getServiceOwnerNumber()
Get the service owner number.
|
URI |
getSignedJwksUri()
Get the URI of the endpoint that returns this service's JWK Set document in
the JWT format.
|
SnsCredentials[] |
getSnsCredentials()
Get the list of SNS credentials that Authlete uses to support social login.
|
String[] |
getSupportedAcrs()
Get the supported ACRs (authentication context class references).
|
AttachmentType[] |
getSupportedAttachments()
Get attachment types supported by this service.
|
String[] |
getSupportedAuthorizationDetailsTypes()
Get the supported authorization details types that can be used as values
of the
"type" field in "authorization_details" . |
DeliveryMode[] |
getSupportedBackchannelTokenDeliveryModes()
Get the supported backchannel token delivery modes.
|
String[] |
getSupportedClaimLocales()
Get the supported claim locales.
|
String[] |
getSupportedClaims()
Get the supported claims.
|
ClaimType[] |
getSupportedClaimTypes()
Get the supported claim types.
|
ClientRegistrationType[] |
getSupportedClientRegistrationTypes()
Get the client registration types supported by this service.
|
String[] |
getSupportedCustomClientMetadata()
Get custom client metadata supported by this service.
|
Sns[] |
getSupportedDeveloperSnses()
Get the list of supported SNSes for social login at the developer console.
|
String[] |
getSupportedDigestAlgorithms()
Get supported algorithms used to compute digest values of external
attachments.
|
Display[] |
getSupportedDisplays()
Get the supported values of
display parameter passed to
the authorization endpoint. |
String[] |
getSupportedDocuments()
Get document types supported by this service.
|
String[] |
getSupportedDocumentsCheckMethods()
Get document check methods supported by this service.
|
String[] |
getSupportedDocumentsMethods()
Get validation and verification processes supported by this service.
|
String[] |
getSupportedDocumentsValidationMethods()
Deprecated.
|
String[] |
getSupportedDocumentsVerificationMethods()
Deprecated.
|
String[] |
getSupportedElectronicRecords()
Get electronic record types supported by this service.
|
String[] |
getSupportedEvidence()
Get evidence supported by this service.
|
GrantType[] |
getSupportedGrantTypes()
Get the supported grant types.
|
String[] |
getSupportedIdentityDocuments()
Deprecated.
|
ClientAuthMethod[] |
getSupportedIntrospectionAuthMethods()
Get client authentication methods supported at the introspection endpoint.
|
JWEAlg[] |
getSupportedIntrospectionEncryptionAlgs()
Get the supported JWE
alg algorithms for encrypting introspection
responses. |
JWEEnc[] |
getSupportedIntrospectionEncryptionEncs()
Get the supported JWE
enc algorithms for encrypting introspection
response. |
JWSAlg[] |
getSupportedIntrospectionSignAlgs()
Get the supported JWS
alg algorithms for signing introspection
responses. |
Prompt[] |
getSupportedPromptValues()
Get the supported
prompt values. |
ResponseType[] |
getSupportedResponseTypes()
Get the supported response types.
|
ClientAuthMethod[] |
getSupportedRevocationAuthMethods()
Get client authentication methods supported at the revocation endpoint.
|
Scope[] |
getSupportedScopes()
Get the supported scopes.
|
ServiceProfile[] |
getSupportedServiceProfiles()
Get the supported service profiles.
|
Sns[] |
getSupportedSnses()
Get the list of supported SNSes for social login at the authorization
endpoint.
|
ClientAuthMethod[] |
getSupportedTokenAuthMethods()
Get the supported client authentication methods at the token endpoint.
|
String[] |
getSupportedTrustFrameworks()
Get trust frameworks supported by this service.
|
String[] |
getSupportedUiLocales()
Get the supported UI locales.
|
String[] |
getSupportedVerificationMethods()
Deprecated.
|
String[] |
getSupportedVerifiedClaims()
Get verified claims supported by this service.
|
URI |
getTokenEndpoint()
Get the URI of the token endpoint.
|
URI |
getTosUri()
Get the URI that the OpenID Provider provides to the person
registering the client to read about the OP's terms of service.
|
TrustAnchor[] |
getTrustAnchors()
Get the trust anchors that are referenced when this service resolves
trust chains of relying parties.
|
String[] |
getTrustedRootCertificates()
Get the list of root certificates trusted by this service for PKI-based
client mutual TLS authentication.
|
UserCodeCharset |
getUserCodeCharset()
Get the character set for end-user verification codes
(
user_code ) for Device Flow. |
int |
getUserCodeLength()
Get the length of end-user verification codes (
user_code ) for
Device Flow. |
URI |
getUserInfoEndpoint()
Get the URI of the user info endpoint.
|
String |
getUserInfoSignatureKeyId()
Get the key ID to identify a JWK used for user info signature using
an asymmetric key.
|
int |
getUserPinLength()
Get the default length of user PINs.
|
String |
getVerifiedClaimsValidationSchemaSet()
Get the name of the validation schema set that is used to validate the
content of
"verified_claims" . |
boolean |
isAccessTokenForExternalAttachmentEmbedded()
Get the flag indicating whether Authlete generates access tokens for
external attachments and embeds them in ID tokens and userinfo
responses.
|
boolean |
isBackchannelBindingMessageRequiredInFapi()
Get the boolean flag which indicates whether the
binding_message
request parameter is always required whenever a backchannel authentication
request is judged as a request for Financial-grade API. |
boolean |
isBackchannelUserCodeParameterSupported()
Get the boolean flag which indicates whether the
"user_code"
request parameter is supported at the backchannel authentication
endpoint. |
boolean |
isClaimShortcutRestrictive()
Get the flag indicating whether claims specified by shortcut scopes
(e.g.
|
boolean |
isClientIdAliasEnabled()
Get the flag which indicates whether the 'Client ID Alias' feature
is enabled or not.
|
boolean |
isDcrDuplicateSoftwareIdBlocked()
Get the flag indicating whether to block DCR (Dynamic Client Registration)
requests whose
software_id has already been used previously. |
boolean |
isDcrScopeUsedAsRequestable()
|
boolean |
isDirectAuthorizationEndpointEnabled()
Get the flag which indicates whether the direct authorization endpoint
is enabled or not.
|
boolean |
isDirectIntrospectionEndpointEnabled()
Get the flag which indicates whether the direct introspection endpoint
is enabled or not.
|
boolean |
isDirectJwksEndpointEnabled()
Get the flag which indicates whether the direct jwks endpoint
is enabled or not.
|
boolean |
isDirectRevocationEndpointEnabled()
Get the flag which indicates whether the direct revocation endpoint
is enabled or not.
|
boolean |
isDirectTokenEndpointEnabled()
Get the flag which indicates whether the direct token endpoint
is enabled or not.
|
boolean |
isDirectUserInfoEndpointEnabled()
Get the flag which indicates whether the direct userinfo endpoint
is enabled or not.
|
boolean |
isDynamicRegistrationSupported()
Get the flag which indicates whether the dynamic client registration is
supported.
|
boolean |
isErrorDescriptionOmitted()
Get the flag which indicates whether the
error_description
response parameter is omitted. |
boolean |
isErrorUriOmitted()
Get the flag which indicates whether the
error_uri response
parameter is omitted. |
boolean |
isFederationEnabled()
Get the flag indicating whether this service supports OpenID
Connect Federation 1.0.
|
boolean |
isFrontChannelRequestObjectEncryptionRequired()
Get the flag indicating whether encryption of request object is required
when the request object is passed through the front channel.
|
boolean |
isGrantManagementActionRequired()
Get the flag indicating whether every authorization request (and any
request serving as an authorization request such as CIBA backchannel
authentication request and device authorization request) must include
the
grant_management_action request parameter. |
boolean |
isHsmEnabled()
Get the flag indicating whether HSM (Hardware Security Module) support
is enabled for this service.
|
boolean |
isIdTokenReissuable()
Get the flag indicating whether to enable the feature of ID token
reissuance in the refresh token flow.
|
boolean |
isIssSuppressed()
Get the flag indicating whether generation of the
iss response
parameter is suppressed. |
boolean |
isJwtGrantByIdentifiableClientsOnly()
Get the flag indicating whether to prohibit unidentifiable clients from
using the grant type
"urn:ietf:params:oauth:grant-type:jwt-bearer"
(RFC 7523). |
boolean |
isJwtGrantEncryptedJwtRejected()
Get the flag indicating whether to reject token requests that use
an encrypted JWT as an authorization grant with the grant type
"urn:ietf:params:oauth:grant-type:jwt-bearer"
(RFC 7523). |
boolean |
isJwtGrantUnsignedJwtRejected()
Get the flag indicating whether to reject token requests that use
an unsigned JWT as an authorization grant with the grant type
"urn:ietf:params:oauth:grant-type:jwt-bearer"
(RFC 7523). |
boolean |
isLoopbackRedirectionUriVariable()
Get the flag indicating whether the port number component of redirection
URIs can be variable when the host component indicates loopback.
|
boolean |
isMissingClientIdAllowed()
Get the flag indicating whether token requests from public clients without
the
client_id request parameter are allowed when the client can be
guessed from authorization_code or refresh_token . |
boolean |
isMutualTlsValidatePkiCertChain()
Determine whether this service validates certificate chains during PKI-based
client mutual TLS authentication.
|
boolean |
isNbfOptional()
Get the flag indicating whether the
nbf claim in the request
object is optional even when the authorization request is regarded as
a FAPI-Part2 request. |
boolean |
isOpenidDroppedOnRefreshWithoutOfflineAccess()
Get the flag indicating whether to remove the
openid scope from
a new access token issued by the refresh token flow if the presented
refresh token does not contain the offline_access scope. |
boolean |
isParRequired()
Get the flag indicating whether this service requires that clients use
the pushed authorization request endpoint.
|
boolean |
isPkceRequired()
Get the flag which indicates whether the use of Proof Key for Code
Exchange (PKCE) is always required for authorization requests
by Authorization Code Flow.
|
boolean |
isPkceS256Required()
Get the flag which indicates whether
S256 is always required
as the code challenge method whenever PKCE (RFC 7636) is used. |
boolean |
isPreAuthorizedGrantAnonymousAccessSupported()
Get the flag indicating whether token requests using the pre-authorized
code grant flow by unidentifiable clients are allowed.
|
boolean |
isRefreshTokenDurationKept()
Get the flag which indicates whether the remaining duration of the used
refresh token is taken over to the newly issued refresh token.
|
boolean |
isRefreshTokenDurationReset()
Get the flag which indicates whether duration of refresh tokens are
reset when they are used even if the
refreshTokenKept property
of this service (cf. isRefreshTokenKept() ) is true
(= even if "Refresh Token Continuous Use" is "Kept"). |
boolean |
isRefreshTokenIdempotent()
Get the flag indicating whether refresh token requests with the same
refresh token can be made multiple times in quick succession and they
can obtain the same renewed refresh token within the short period.
|
boolean |
isRefreshTokenKept()
Get the flag which indicates whether a refresh token remains valid
or gets renewed after its use.
|
boolean |
isRequestObjectAudienceChecked()
Get the flag indicating whether Authlete checks whether the
aud
claim of request objects matches the issuer identifier of this service. |
boolean |
isRequestObjectEncryptionAlgMatchRequired()
Get the flag indicating whether the JWE
alg of encrypted request
object must match the request_object_encryption_alg client metadata
of the client that has sent the request object. |
boolean |
isRequestObjectEncryptionEncMatchRequired()
Get the flag indicating whether the JWE
enc of encrypted request
object must match the request_object_encryption_enc client metadata
of the client that has sent the request object. |
boolean |
isRequestObjectRequired()
Get the flag indicating whether this service requires that authorization
requests always utilize a request object by using either
request
or request_uri request parameter. |
boolean |
isRsResponseSigned()
Get whether the service signs responses from the resource server.
|
boolean |
isScopeRequired()
Get the flag indicating whether requests that request no scope are
rejected or not.
|
boolean |
isSingleAccessTokenPerSubject()
Get the flag which indicates whether the number of access tokens
per subject (and per client) is at most one or can be more.
|
boolean |
isTlsClientCertificateBoundAccessTokens()
Does this service support issuing TLS client certificate bound access tokens?
|
boolean |
isTokenExchangeByConfidentialClientsOnly()
Get the flag indicating whether to prohibit public clients from making
token exchange requests (cf. RFC 8693).
|
boolean |
isTokenExchangeByIdentifiableClientsOnly()
Get the flag indicating whether to prohibit unidentifiable clients from
making token exchange requests (cf. RFC 8693).
|
boolean |
isTokenExchangeByPermittedClientsOnly()
Get the flag indicating whether to prohibit clients which have no
explicit permission from making token exchange requests (cf.
RFC 8693).
|
boolean |
isTokenExchangeEncryptedJwtRejected()
Get the flag indicating whether to reject token exchange requests which
use encrypted JWTs as input tokens.
|
boolean |
isTokenExchangeUnsignedJwtRejected()
Get the flag indicating whether to reject token exchange requests which
use unsigned JWTs as input tokens.
|
boolean |
isTokenExpirationLinked()
Get the flag indicating whether the expiration date of an access token
never exceeds that of the corresponding refresh token.
|
boolean |
isTraditionalRequestObjectProcessingApplied()
Get the flag indicating whether a request object is processed based on
rules defined in OpenID Connect Core 1.0 or JAR (JWT Secured
Authorization Request).
|
boolean |
isUnauthorizedOnClientConfigSupported()
Get the flag indicating whether Authlete's
/api/client/registration
API uses UNAUTHORIZED
as a value of the action response parameter when appropriate. |
boolean |
isVerifiableCredentialsEnabled()
Get the flag indicating whether the feature of Verifiable Credentials
for this service is enabled or not.
|
Service |
loadAttributes(Iterable<Pair> attributes)
Load attributes from an iterable.
|
Service |
setAccessTokenDuration(long duration)
Set the duration of access tokens in seconds; the value of
expires_in in access token responses. |
Service |
setAccessTokenForExternalAttachmentEmbedded(boolean embedded)
Set the flag indicating whether Authlete generates access tokens for
external attachments and embeds them in ID tokens and userinfo
responses.
|
Service |
setAccessTokenSignAlg(JWSAlg alg)
Set the signature algorithm of access tokens.
|
Service |
setAccessTokenSignatureKeyId(String keyId)
Set the key ID to identify a JWK used for signing access tokens.
|
Service |
setAccessTokenType(String type)
Set the access token type; the value of
token_type in
access token responses. |
Service |
setAllowableClockSkew(int seconds)
Set the allowable clock skew between the server and clients in seconds.
|
Service |
setApiKey(long apiKey)
Set the API key.
|
Service |
setApiSecret(String apiSecret)
Set the API secret.
|
Service |
setAttributes(Pair[] attributes)
Set attributes.
|
Service |
setAuthenticationCallbackApiKey(String apiKey)
Set the API key to access the authentication callback endpoint.
|
Service |
setAuthenticationCallbackApiSecret(String apiSecret)
Set the API secret to access the authentication callback endpoint.
|
Service |
setAuthenticationCallbackEndpoint(URI endpoint)
Set the URI of the authentication callback endpoint.
|
Service |
setAuthorityHints(URI[] authorityHints)
Set the identifiers of entities that can issue entity statements for
this service.
|
Service |
setAuthorizationEndpoint(URI endpoint)
Set the URI of the authorization endpoint.
|
Service |
setAuthorizationResponseDuration(long duration)
Set the duration of authorization response JWTs.
|
Service |
setAuthorizationSignatureKeyId(String keyId)
Set the key ID to identify a JWK used for signing authorization responses
using an asymmetric key.
|
Service |
setBackchannelAuthenticationEndpoint(URI endpoint)
Set the URI of the backchannel authentication endpoint.
|
Service |
setBackchannelAuthReqIdDuration(int duration)
Set the duration of backchannel authentication request IDs issued from
the backchannel authentication endpoint in seconds.
|
Service |
setBackchannelBindingMessageRequiredInFapi(boolean required)
Set the boolean flag which indicates whether the
binding_message
request parameter is always required whenever a backchannel authentication
request is judged as a request for Financial-grade API. |
Service |
setBackchannelPollingInterval(int interval)
Set the minimum interval between polling requests to the token endpoint
from client applications in seconds.
|
Service |
setBackchannelUserCodeParameterSupported(boolean supported)
Set the boolean flag which indicates whether the
"user_code"
request parameter is supported at the backchannel authentication
endpoint. |
Service |
setClaimShortcutRestrictive(boolean restrictive)
Set the flag indicating whether claims specified by shortcut scopes
(e.g.
|
Service |
setClientIdAliasEnabled(boolean enabled)
Enable/disable the 'Client ID Alias' feature.
|
Service |
setClientsPerDeveloper(int count)
Set the number of client applications that one developer can create.
|
Service |
setCNonceDuration(long duration)
Set the duration of
c_nonce in seconds. |
Service |
setCreatedAt(long createdAt)
Set the time at which this service was created.
|
Service |
setCredentialDuration(long duration)
Set the default duration of verifiable credentials in seconds.
|
Service |
setCredentialIssuerMetadata(CredentialIssuerMetadata metadata)
Set the credential issuer metadata.
|
Service |
setCredentialJwks(String jwks)
Set the JWK Set document containing private keys that are used to sign
verifiable credentials.
|
Service |
setCredentialJwksUri(URI uri)
Set the URL at which the JWK Set document of the credential issuer is
exposed.
|
Service |
setCredentialOfferDuration(long duration)
Set the default duration of credential offers in seconds.
|
Service |
setCredentialTransactionDuration(long duration)
Set the duration of transaction ID in seconds that may be issued as a
result of a credential request or a batch credential request.
|
Service |
setDcrDuplicateSoftwareIdBlocked(boolean blocked)
Set the flag indicating whether to block DCR (Dynamic Client Registration)
requests whose
software_id has already been used previously. |
Service |
setDcrScopeUsedAsRequestable(boolean used)
|
Service |
setDescription(String description)
Set the description.
|
Service |
setDeveloperAuthenticationCallbackApiKey(String apiKey)
Set the API key to access the developer authentication callback endpoint.
|
Service |
setDeveloperAuthenticationCallbackApiSecret(String apiSecret)
Set the API secret to access the developer authentication callback endpoint.
|
Service |
setDeveloperAuthenticationCallbackEndpoint(URI endpoint)
Set the URI of the developer authentication callback endpoint.
|
Service |
setDeveloperSnsCredentials(SnsCredentials[] snsCredentials)
Set the list of SNS credentials that Authlete uses to support social login
at the developer console.
|
Service |
setDeviceAuthorizationEndpoint(URI endpoint)
Set the URI of the device authorization endpoint.
|
Service |
setDeviceFlowCodeDuration(int duration)
Set the duration of device verification codes and end-user verification
codes issued from the device authorization endpoint in seconds.
|
Service |
setDeviceFlowPollingInterval(int interval)
Set the minimum interval between polling requests to the token endpoint
from client applications in seconds in device flow.
|
Service |
setDeviceVerificationUri(URI uri)
Set the verification URI for the device flow.
|
Service |
setDeviceVerificationUriComplete(URI uri)
Set the verification URI for the device flow with a placeholder for a
user code.
|
Service |
setDirectAuthorizationEndpointEnabled(boolean enabled)
Set the flag which indicates whether the direct authorization endpoint
is enabled or not.
|
Service |
setDirectIntrospectionEndpointEnabled(boolean enabled)
Set the flag which indicates whether the direct introspection endpoint
is enabled or not.
|
Service |
setDirectJwksEndpointEnabled(boolean enabled)
Set the flag which indicates whether the direct jwks endpoint
is enabled or not.
|
Service |
setDirectRevocationEndpointEnabled(boolean enabled)
Set the flag which indicates whether the direct revocation endpoint
is enabled or not.
|
Service |
setDirectTokenEndpointEnabled(boolean enabled)
Set the flag which indicates whether the direct token endpoint
is enabled or not.
|
Service |
setDirectUserInfoEndpointEnabled(boolean enabled)
Set the flag which indicates whether the direct userinfo endpoint
is enabled or not.
|
Service |
setDynamicRegistrationSupported(boolean enabled)
Set the flag which indicates whether dynamic client registration is supported.
|
Service |
setEndSessionEndpoint(URI endSessionEndpoint)
Set the end session endpoint for the service.
|
Service |
setErrorDescriptionOmitted(boolean omitted)
Omit or embed the error_description response parameter in error responses.
|
Service |
setErrorUriOmitted(boolean omitted)
Omit or embed the error_uri response parameter in error responses.
|
Service |
setFederationConfigurationDuration(long duration)
Set the duration of the entity configuration in seconds.
|
Service |
setFederationEnabled(boolean enabled)
Set the flag indicating whether this service supports OpenID
Connect Federation 1.0.
|
Service |
setFederationJwks(String jwks)
Set the JWK Set document containing keys that are used to sign (1) the
self-signed entity statement of this service and (2) the response from
signed_jwks_uri.
|
Service |
setFederationRegistrationEndpoint(URI endpoint)
Set the URI of the federation registration endpoint.
|
Service |
setFederationSignatureKeyId(String keyId)
Set the key ID to identify a JWK that should be used to sign the entity
configuration and the signed JWK Set.
|
Service |
setFrontChannelRequestObjectEncryptionRequired(boolean required)
Set the flag indicating whether encryption of request object is required
when the request object is passed through the front channel.
|
Service |
setGrantManagementActionRequired(boolean required)
Set the flag indicating whether every authorization request (and any
request serving as an authorization request, such as a CIBA backchannel
authentication request or a device authorization request) must include
the grant_management_action request parameter.
|
Service |
setGrantManagementEndpoint(URI endpoint)
Set the URL of the grant management endpoint.
|
Service |
setHsks(Hsk[] hsks)
Set information about keys managed on HSMs (Hardware Security Modules).
|
Service |
setHsmEnabled(boolean enabled)
Set the flag indicating whether HSM (Hardware Security Module) support
is enabled for this service.
|
Service |
setIdTokenAudType(String type)
Set the type of the aud claim in ID tokens.
|
Service |
setIdTokenDuration(long duration)
Set the duration of ID tokens in seconds.
|
Service |
setIdTokenReissuable(boolean reissuable)
Set the flag indicating whether to enable the feature of ID token
reissuance in the refresh token flow.
|
Service |
setIdTokenSignatureKeyId(String keyId)
Set the key ID to identify a JWK used for ID token signature using
an asymmetric key.
|
Service |
setIntrospectionEndpoint(URI endpoint)
Set the URI of the introspection endpoint.
|
Service |
setIntrospectionSignatureKeyId(String keyId)
Set the key ID of the key for signing introspection responses.
|
Service |
setIssSuppressed(boolean suppressed)
Set the flag indicating whether generation of the iss response parameter
is suppressed.
|
Service |
setIssuer(URI issuer)
Set the issuer identifier of this OpenID provider.
|
Service |
setJwks(String jwks)
Set the JSON Web Key Set of the service.
|
Service |
setJwksUri(URI uri)
Set the URI of the service's JSON Web Key Set.
|
Service |
setJwtGrantByIdentifiableClientsOnly(boolean only)
Set the flag indicating whether to prohibit unidentifiable clients from
using the grant type "urn:ietf:params:oauth:grant-type:jwt-bearer" (RFC 7523).
|
Service |
setJwtGrantEncryptedJwtRejected(boolean rejected)
Set the flag indicating whether to reject token requests that use
an encrypted JWT as an authorization grant with the grant type
"urn:ietf:params:oauth:grant-type:jwt-bearer" (RFC 7523).
|
Service |
setJwtGrantUnsignedJwtRejected(boolean rejected)
Set the flag indicating whether to reject token requests that use
an unsigned JWT as an authorization grant with the grant type
"urn:ietf:params:oauth:grant-type:jwt-bearer" (RFC 7523).
|
Service |
setLoopbackRedirectionUriVariable(boolean variable)
Set the flag indicating whether the port number component of redirection
URIs can be variable when the host component indicates loopback.
|
Service |
setMetadata(Pair[] metadata)
Set metadata.
|
Service |
setMissingClientIdAllowed(boolean allowed)
Set the flag indicating whether token requests from public clients without
the client_id request parameter are allowed when the client can be
guessed from authorization_code or refresh_token.
|
Service |
setModifiedAt(long modifiedAt)
Set the time at which this service was last modified.
|
Service |
setMtlsEndpointAliases(NamedUri[] aliases)
Set the MTLS endpoint aliases.
|
Service |
setMutualTlsValidatePkiCertChain(boolean mutualTlsValidatePkiCertChain)
Set whether this service validates certificate chains during PKI-based
client mutual TLS authentication.
|
Service |
setNbfOptional(boolean optional)
Set the flag indicating whether the nbf claim in the request object is
optional even when the authorization request is regarded as a FAPI-Part2
request.
|
Service |
setNumber(int number)
Set the service number.
|
Service |
setOpenidDroppedOnRefreshWithoutOfflineAccess(boolean dropped)
Set the flag indicating whether to remove the openid scope from a new
access token issued by the refresh token flow if the presented refresh
token does not contain the offline_access scope.
|
Service |
setOrganizationName(String name)
Set the human-readable name representing the organization that operates
this service.
|
Service |
setParRequired(boolean required)
Set the flag indicating whether this service requires that clients use
the pushed authorization request endpoint.
|
Service |
setPkceRequired(boolean required)
Set the flag which indicates whether the use of Proof Key for Code
Exchange (PKCE) is always required for authorization requests
by Authorization Code Flow.
|
Service |
setPkceS256Required(boolean required)
Set the flag which indicates whether S256 is always required as the code
challenge method whenever PKCE (RFC 7636) is used.
|
Service |
setPolicyUri(URI uri)
Set the URI that this OpenID Provider provides to the person
registering the client to read about the OP's requirements on
how the Relying Party can use the data provided by the OP.
|
Service |
setPreAuthorizedGrantAnonymousAccessSupported(boolean supported)
Set the flag indicating whether token requests using the pre-authorized
code grant flow by unidentifiable clients are allowed.
|
Service |
setPredefinedTransformedClaims(String claims)
Set the transformed claims predefined by this service in JSON format.
|
Service |
setPushedAuthReqDuration(long duration)
Set the duration of pushed authorization requests.
|
Service |
setPushedAuthReqEndpoint(URI endpoint)
Set the URI of the pushed authorization request endpoint.
|
Service |
setRefreshTokenDuration(long duration)
Set the duration of refresh tokens in seconds.
|
Service |
setRefreshTokenDurationKept(boolean kept)
Set the flag which indicates whether the remaining duration of the used
refresh token is taken over to the newly issued refresh token.
|
Service |
setRefreshTokenDurationReset(boolean reset)
Set the flag which indicates whether the duration of refresh tokens is
reset when they are used, even if the refreshTokenKept property of this
service (cf. isRefreshTokenKept()) is true (= even if "Refresh Token
Continuous Use" is "Kept").
|
Service |
setRefreshTokenIdempotent(boolean idempotent)
Set the flag indicating whether refresh token requests with the same
refresh token can be made multiple times in quick succession and they
can obtain the same renewed refresh token within the short period.
|
Service |
setRefreshTokenKept(boolean kept)
Set the flag which indicates whether a refresh token remains valid
or gets renewed after its use.
|
Service |
setRegistrationEndpoint(URI endpoint)
Set the URI of the registration endpoint.
|
Service |
setRegistrationManagementEndpoint(URI endpoint)
Set the URI of the registration management endpoint.
|
Service |
setRequestObjectAudienceChecked(boolean checked)
Set the flag indicating whether Authlete checks whether the aud claim of
request objects matches the issuer identifier of this service.
|
Service |
setRequestObjectEncryptionAlgMatchRequired(boolean required)
Set the flag indicating whether the JWE alg of an encrypted request object
must match the request_object_encryption_alg client metadata of the client
that has sent the request object.
|
Service |
setRequestObjectEncryptionEncMatchRequired(boolean required)
Set the flag indicating whether the JWE enc of an encrypted request object
must match the request_object_encryption_enc client metadata of the client
that has sent the request object.
|
Service |
setRequestObjectRequired(boolean required)
Set the flag indicating whether this service requires that authorization
requests always utilize a request object by using either the request or
the request_uri request parameter.
|
Service |
setResourceSignatureKeyId(String keyId)
Set the key ID of a JWK containing the private key used by this service to
sign responses from the resource server, such as the userinfo endpoint and
responses sent to the RS signing endpoint.
|
Service |
setRevocationEndpoint(URI endpoint)
Set the URI of the token revocation endpoint.
|
Service |
setRsResponseSigned(boolean signed)
Set whether the service signs responses from the resource server.
|
Service |
setScopeRequired(boolean required)
Set the flag indicating whether requests that request no scope are
rejected or not.
|
Service |
setServiceDocumentation(URI uri)
Set the URI of a page containing human-readable information
that developers might want or need to know when using this
OpenID Provider.
|
Service |
setServiceName(String serviceName)
Set the service name.
|
Service |
setServiceOwnerNumber(int serviceOwnerNumber)
Set the service owner number.
|
Service |
setSignedJwksUri(URI uri)
Set the URI of the endpoint that returns this service's JWK Set document in
the JWT format.
|
Service |
setSingleAccessTokenPerSubject(boolean single)
Set the flag which indicates whether the number of access tokens
per subject (and per client) is at most one or can be more.
|
Service |
setSnsCredentials(SnsCredentials[] snsCredentials)
Set the list of SNS credentials that Authlete uses to support social login.
|
Service |
setSupportedAcrs(String[] acrs)
Set the supported ACRs (authentication context class references).
|
Service |
setSupportedAttachments(AttachmentType[] types)
Set attachment types supported by this service.
|
Service |
setSupportedAuthorizationDetailsTypes(String[] types)
Set the supported authorization details types that can be used as values
of the "type" field in "authorization_details".
|
Service |
setSupportedBackchannelTokenDeliveryModes(DeliveryMode[] modes)
Set the supported backchannel token delivery modes.
|
Service |
setSupportedClaimLocales(String[] supportedClaimLocales)
Set the supported claim locales.
|
Service |
setSupportedClaims(String[] supportedClaims)
Set the supported claims.
|
Service |
setSupportedClaimTypes(ClaimType[] claimTypes)
Set the supported claim types.
|
Service |
setSupportedClientRegistrationTypes(ClientRegistrationType[] types)
Set the client registration types supported by this service.
|
Service |
setSupportedCustomClientMetadata(String[] metadata)
Set custom client metadata supported by this service.
|
Service |
setSupportedDeveloperSnses(Sns[] supportedSnses)
Set the list of supported SNSes for social login at the developer console.
|
Service |
setSupportedDigestAlgorithms(String[] algorithms)
Set supported algorithms used to compute digest values of external
attachments.
|
Service |
setSupportedDisplays(Display[] displays)
Set the supported values of the display parameter passed to the
authorization endpoint.
|
Service |
setSupportedDocuments(String[] documents)
Set document types supported by this service.
|
Service |
setSupportedDocumentsCheckMethods(String[] methods)
Set document check methods supported by this service.
|
Service |
setSupportedDocumentsMethods(String[] methods)
Set validation and verification processes supported by this service.
|
Service |
setSupportedDocumentsValidationMethods(String[] methods)
Deprecated.
|
Service |
setSupportedDocumentsVerificationMethods(String[] methods)
Deprecated.
|
Service |
setSupportedElectronicRecords(String[] records)
Set electronic record types supported by this service.
|
Service |
setSupportedEvidence(String[] evidence)
Set evidence supported by this service.
|
Service |
setSupportedGrantTypes(GrantType[] grantTypes)
Set the supported grant types.
|
Service |
setSupportedIdentityDocuments(String[] documents)
Deprecated.
|
Service |
setSupportedIntrospectionAuthMethods(ClientAuthMethod[] methods)
Set client authentication methods supported at the introspection endpoint.
|
Service |
setSupportedIntrospectionEncryptionAlgs(JWEAlg[] algs)
Set the supported JWE alg algorithms for encrypting introspection responses.
|
Service |
setSupportedIntrospectionEncryptionEncs(JWEEnc[] encs)
Set the supported JWE enc algorithms for encrypting introspection responses.
|
Service |
setSupportedIntrospectionSignAlgs(JWSAlg[] algs)
Set the supported JWS alg algorithms for signing introspection responses.
|
Service |
setSupportedPromptValues(Prompt[] promptValues)
Set the supported prompt values.
|
Service |
setSupportedResponseTypes(ResponseType[] responseTypes)
Set the supported response types.
|
Service |
setSupportedRevocationAuthMethods(ClientAuthMethod[] methods)
Set client authentication methods supported at the revocation endpoint.
|
Service |
setSupportedScopes(Scope[] supportedScopes)
Set the supported scopes.
|
Service |
setSupportedServiceProfiles(Iterable<ServiceProfile> profiles)
Set the supported service profiles.
|
Service |
setSupportedServiceProfiles(ServiceProfile[] profiles)
Set the supported service profiles.
|
Service |
setSupportedSnses(Sns[] supportedSnses)
Set the list of supported SNSes for social login at the authorization
endpoint.
|
Service |
setSupportedTokenAuthMethods(ClientAuthMethod[] methods)
Set the client authentication methods supported at the token endpoint.
|
Service |
setSupportedTrustFrameworks(String[] frameworks)
Set trust frameworks supported by this service.
|
Service |
setSupportedUiLocales(String[] supportedUiLocales)
Set the supported UI locales.
|
Service |
setSupportedVerificationMethods(String[] methods)
Deprecated.
|
Service |
setSupportedVerifiedClaims(String[] claims)
Set verified claims supported by this service.
|
Service |
setTlsClientCertificateBoundAccessTokens(boolean enabled)
Enable or disable support for TLS client certificate bound access tokens.
|
Service |
setTokenEndpoint(URI endpoint)
Set the URI of the token endpoint.
|
Service |
setTokenExchangeByConfidentialClientsOnly(boolean only)
Set the flag indicating whether to prohibit public clients from making
token exchange requests (cf. RFC 8693).
|
Service |
setTokenExchangeByIdentifiableClientsOnly(boolean only)
Set the flag indicating whether to prohibit unidentifiable clients from
making token exchange requests (cf. RFC 8693).
|
Service |
setTokenExchangeByPermittedClientsOnly(boolean only)
Set the flag indicating whether to prohibit clients which have no
explicit permission from making token exchange requests (cf.
RFC 8693).
|
Service |
setTokenExchangeEncryptedJwtRejected(boolean rejected)
Set the flag indicating whether to reject token exchange requests which
use encrypted JWTs as input tokens.
|
Service |
setTokenExchangeUnsignedJwtRejected(boolean rejected)
Set the flag indicating whether to reject token exchange requests which
use unsigned JWTs as input tokens.
|
Service |
setTokenExpirationLinked(boolean linked)
Set the flag indicating whether the expiration date of an access token
never exceeds that of the corresponding refresh token.
|
Service |
setTosUri(URI uri)
Set the URI that the OpenID Provider provides to the person
registering the client to read about the OP's terms of service.
|
Service |
setTraditionalRequestObjectProcessingApplied(boolean applied)
Set the flag indicating whether a request object is processed based on
rules defined in OpenID Connect Core 1.0 or JAR (JWT Secured
Authorization Request).
|
Service |
setTrustAnchors(TrustAnchor[] trustAnchors)
Set the trust anchors that are referenced when this service resolves
trust chains of relying parties.
|
Service |
setTrustedRootCertificates(String[] trustedRootCertificates)
Set the list of root certificates trusted by this service for PKI-based
client mutual TLS authentication.
|
Service |
setUnauthorizedOnClientConfigSupported(boolean supported)
Set the flag indicating whether Authlete's /api/client/registration API
uses UNAUTHORIZED as a value of the action response parameter when
appropriate.
|
Service |
setUserCodeCharset(UserCodeCharset charset)
Set the character set for end-user verification codes (user_code) for
Device Flow.
|
Service |
setUserCodeLength(int length)
Set the length of end-user verification codes (user_code) for Device Flow.
|
Service |
setUserInfoEndpoint(URI endpoint)
Set the URI of the user info endpoint.
|
Service |
setUserInfoSignatureKeyId(String keyId)
Set the key ID to identify a JWK used for user info signature using
an asymmetric key.
|
Service |
setUserPinLength(int length)
Set the default length of user PINs.
|
Service |
setVerifiableCredentialsEnabled(boolean enabled)
Set the flag indicating whether the feature of Verifiable Credentials
for this service is enabled or not.
|
Service |
setVerifiedClaimsValidationSchemaSet(String schemaSet)
Set the name of the validation schema set that is used to validate the
content of "verified_claims".
|
boolean |
supports(ServiceProfile profile)
Check if this service supports the specified profile.
|
boolean |
supportsAll(Iterable<ServiceProfile> profiles)
Check if this service supports all the specified service profiles.
|
boolean |
supportsAll(ServiceProfile... profiles)
Check if this service supports all the specified service profiles.
|
boolean |
supportsAny(Iterable<ServiceProfile> profiles)
Check if this service supports any of the specified service profiles.
|
boolean |
supportsAny(ServiceProfile... profiles)
Check if this service supports any of the specified service profiles.
|
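The setters listed above are the knobs an operator turns when configuring a service. As an added example, not code from this page or from Authlete, the following Java class builds a Service with the stricter choice for each security-relevant setting and then audits an arbitrary Service object for settings a reviewer would flag. It assumes that the boolean getters mirror the setters by bean convention (isPkceRequired(), isPkceS256Required(), isParRequired(), isMutualTlsValidatePkiCertChain(), isJwtGrantUnsignedJwtRejected(), isTokenExchangeUnsignedJwtRejected(); only isRefreshTokenKept() appears on this page), that JWSAlg.ES256 is a member of the JWSAlg enum, and that the issuer URL and the 3600-second threshold are constructed values.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.List;

import com.authlete.common.dto.Service;
import com.authlete.common.types.JWSAlg;

// Added example, not Authlete's own code. Builds a Service with the setters
// listed on this page and audits any Service for weak settings. Boolean
// getter names are assumed to mirror the setters (setPkceRequired ->
// isPkceRequired, etc.); only isRefreshTokenKept() appears on the page.
public final class ServiceHardening {

    /** Returns a Service configured with the stricter choice for each setting. */
    public static Service hardened(URI issuer) {
        return new Service()
            .setIssuer(issuer)
            // Authorization Code Flow only with PKCE, and only the S256 method.
            .setPkceRequired(true)
            .setPkceS256Required(true)
            // Authorization requests are pushed (PAR) and carried as request
            // objects whose aud must be this issuer; request URIs live 60 s.
            .setParRequired(true)
            .setRequestObjectRequired(true)
            .setRequestObjectAudienceChecked(true)
            .setPushedAuthReqDuration(60)
            // mTLS: validate the client certificate chain and bind access
            // tokens to the client certificate.
            .setMutualTlsValidatePkiCertChain(true)
            .setTlsClientCertificateBoundAccessTokens(true)
            // Unsigned JWTs are rejected as grants and as token-exchange input;
            // token exchange is limited to confidential clients.
            .setJwtGrantUnsignedJwtRejected(true)
            .setTokenExchangeUnsignedJwtRejected(true)
            .setTokenExchangeByConfidentialClientsOnly(true)
            // Short-lived JWT access tokens that never outlive their refresh
            // token; refresh tokens are renewed (rotated) on use.
            .setAccessTokenSignAlg(JWSAlg.ES256)
            .setAccessTokenDuration(600)
            .setTokenExpirationLinked(true)
            .setRefreshTokenKept(false)
            // Keep error responses terse.
            .setErrorDescriptionOmitted(true)
            .setErrorUriOmitted(true);
    }

    /** Audits a Service; an empty list means none of the checked settings is weak. */
    public static List<String> audit(Service s) {
        List<String> findings = new ArrayList<>();
        if (!s.isPkceRequired()) {
            findings.add("pkceRequired=false: Authorization Code Flow accepted without PKCE");
        } else if (!s.isPkceS256Required()) {
            findings.add("pkceS256Required=false: code challenge methods other than S256 accepted");
        }
        if (!s.isParRequired()) {
            findings.add("parRequired=false: authorization parameters may travel on the front channel");
        }
        if (!s.isMutualTlsValidatePkiCertChain()) {
            findings.add("mutualTlsValidatePkiCertChain=false: PKI mTLS client certificates not chain-validated");
        }
        if (!s.isJwtGrantUnsignedJwtRejected()) {
            findings.add("jwtGrantUnsignedJwtRejected=false: unsigned JWT bearer grants accepted");
        }
        if (!s.isTokenExchangeUnsignedJwtRejected()) {
            findings.add("tokenExchangeUnsignedJwtRejected=false: unsigned JWTs accepted as token-exchange input");
        }
        if (s.isRefreshTokenKept()) {
            findings.add("refreshTokenKept=true: refresh tokens are not renewed on use");
        }
        // 3600 s is an example threshold for this audit, not an Authlete default.
        long ttl = s.getAccessTokenDuration();
        if (ttl <= 0 || ttl > 3600) {
            findings.add("accessTokenDuration=" + ttl + ": expected a positive value of at most 3600 seconds");
        }
        return findings;
    }

    public static void main(String[] args) {
        URI issuer = URI.create("https://op.example.com"); // constructed value
        // A Service left at its defaults (all flags false, duration 0) is flagged.
        audit(new Service().setIssuer(issuer)).forEach(f -> System.out.println("weak: " + f));
        // The hardened Service produces no findings.
        System.out.println("hardened findings: " + audit(hardened(issuer)).size());
    }
}
```

The audit reads the same properties the setters write, so it can be run against a Service fetched from the Authlete API as well as against one built locally; a non-empty list is the diff between the deployed configuration and the stricter baseline above.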
public int getNumber()

public Service setNumber(int number)
Parameters: number - The service number.
Returns: this object.

public int getServiceOwnerNumber()

public Service setServiceOwnerNumber(int serviceOwnerNumber)
Parameters: serviceOwnerNumber - The service owner number.
Returns: this object.

public String getServiceName()

public Service setServiceName(String serviceName)
Parameters: serviceName - The service name.
Returns: this object.

public long getApiKey()

public Service setApiKey(long apiKey)
Parameters: apiKey - The API key.
Returns: this object.

public String getApiSecret()

public Service setApiSecret(String apiSecret)
Parameters: apiSecret - The API secret.
Returns: this object.

public URI getIssuer()

public Service setIssuer(URI issuer)
Parameters: issuer - The issuer identifier.
Returns: this object.

public URI getAuthorizationEndpoint()

public Service setAuthorizationEndpoint(URI endpoint)
Parameters: endpoint - The URI of the authorization endpoint.
Returns: this object.

public URI getTokenEndpoint()

public Service setTokenEndpoint(URI endpoint)
Parameters: endpoint - The URI of the token endpoint.
Returns: this object.

public URI getRevocationEndpoint()

public ClientAuthMethod[] getSupportedRevocationAuthMethods()

public Service setSupportedRevocationAuthMethods(ClientAuthMethod[] methods)
Parameters: methods - Client authentication methods.
Returns: this object.

public Service setRevocationEndpoint(URI endpoint)
Parameters: endpoint - The URI of the token revocation endpoint.
Returns: this object.

public URI getUserInfoEndpoint()

public Service setUserInfoEndpoint(URI endpoint)
Parameters: endpoint - The URI of the user info endpoint.
Returns: this object.

public URI getJwksUri()

public Service setJwksUri(URI uri)
Parameters: uri - The URI of the service's JSON Web Key Set.
Returns: this object.

public String getJwks()

public Service setJwks(String jwks)
Parameters: jwks - The JSON Web Key Set of the service.
Returns: this object.

public URI getRegistrationEndpoint()

public Service setRegistrationEndpoint(URI endpoint)
Parameters: endpoint - The URI of the registration endpoint.
Returns: this object.

public URI getRegistrationManagementEndpoint()
Get the base URI of the registration management endpoint; the per-client management URI is formed by appending /clientid/ to it as a path element. If this is unset, the value of registrationEndpoint will be used as the URI base instead.

public Service setRegistrationManagementEndpoint(URI endpoint)
Set the base URI of the registration management endpoint; the per-client management URI is formed by appending /clientid/ to it as a path element. If this is unset, the value of registrationEndpoint will be used as the URI base instead.
Parameters: endpoint - The base URI of the registration management endpoint.
Returns: this object.

public Scope[] getSupportedScopes()
public Service setSupportedScopes(Scope[] supportedScopes)
Parameters: supportedScopes - The supported scopes.
Returns: this object.

public ResponseType[] getSupportedResponseTypes()

public Service setSupportedResponseTypes(ResponseType[] responseTypes)
Parameters: responseTypes - The supported response types.
Returns: this object.

public GrantType[] getSupportedGrantTypes()

public Service setSupportedGrantTypes(GrantType[] grantTypes)
Parameters: grantTypes - The supported grant types.
Returns: this object.

public String[] getSupportedAcrs()

public Service setSupportedAcrs(String[] acrs)
Parameters: acrs - The supported ACRs.
Returns: this object.

public ClientAuthMethod[] getSupportedTokenAuthMethods()

public Service setSupportedTokenAuthMethods(ClientAuthMethod[] methods)
Parameters: methods - The supported client authentication methods.
Returns: this object.

public Display[] getSupportedDisplays()
Get the supported values of the display parameter passed to the authorization endpoint.
Returns: The supported values of the display parameter.

public Service setSupportedDisplays(Display[] displays)
Set the supported values of the display parameter passed to the authorization endpoint.
Parameters: displays - The supported values of the display parameter.
Returns: this object.

public ClaimType[] getSupportedClaimTypes()

public Service setSupportedClaimTypes(ClaimType[] claimTypes)
Parameters: claimTypes - The supported claim types.
Returns: this object.

public String[] getSupportedClaims()

public Service setSupportedClaims(String[] supportedClaims)
Parameters: supportedClaims - The supported claims.
Returns: this object.

public URI getServiceDocumentation()

public Service setServiceDocumentation(URI uri)
Parameters: uri - The URI of the service documentation.
Returns: this object.

public String[] getSupportedClaimLocales()

public Service setSupportedClaimLocales(String[] supportedClaimLocales)
Parameters: supportedClaimLocales - The supported claim locales.
Returns: this object.

public String[] getSupportedUiLocales()

public Service setSupportedUiLocales(String[] supportedUiLocales)
Parameters: supportedUiLocales - The supported UI locales.
Returns: this object.

public URI getPolicyUri()

public Service setPolicyUri(URI uri)
Parameters: uri - The URI of the policy page.
Returns: this object.

public URI getTosUri()

public Service setTosUri(URI uri)
Parameters: uri - The URI of the Terms-of-Service page.
Returns: this object.

public String getDescription()

public Service setDescription(String description)
Parameters: description - The description.
Returns: this object.

public String getAccessTokenType()
Get the access token type; the value of token_type in access token responses.

public Service setAccessTokenType(String type)
Set the access token type; the value of token_type in access token responses.
Parameters: type - The access token type.
Returns: this object.

public JWSAlg getAccessTokenSignAlg()
When this method returns null, access tokens issued by this service are
just random strings. On the other hand, when this method returns a
non-null value, access tokens issued by this service are JWTs and the
value returned from this method represents the signature algorithm of
the JWTs. Regarding the format, see the description of this Service class.
This feature is available since Authlete 2.1. Access tokens generated by older Authlete versions are always random strings.

public Service setAccessTokenSignAlg(JWSAlg alg)
When null is set, access tokens issued by this service are just random
strings. On the other hand, when a non-null value is set, access tokens
issued by this service are JWTs and the value set by this method is used
as the signature algorithm of the JWTs. Regarding the format, see the
description of this Service class.
This feature is available since Authlete 2.1. Access tokens generated by older Authlete versions are always random strings.
public long getAccessTokenDuration()
Get the duration of access tokens in seconds; the value of expires_in in access token responses.

public Service setAccessTokenDuration(long duration)
Set the duration of access tokens in seconds; the value of expires_in in access token responses.
Parameters: duration - The duration of access tokens in seconds.
Returns: this object.

public long getRefreshTokenDuration()

public Service setRefreshTokenDuration(long duration)
Parameters: duration - The duration of refresh tokens in seconds.
Returns: this object.

public long getIdTokenDuration()

public Service setIdTokenDuration(long duration)
Parameters: duration - The duration of ID tokens in seconds.
Returns: this object.

public long getAuthorizationResponseDuration()
Get the duration of authorization response JWTs in seconds.
Financial-grade API: JWT Secured Authorization Response Mode for
OAuth 2.0 (JARM) defines new values for the response_mode request
parameter. They are query.jwt, fragment.jwt, form_post.jwt and jwt. If one
of them is specified as the response mode, response parameters from the
authorization endpoint will be packed into a JWT. This property is used to
compute the value of the exp claim of the JWT.

public Service setAuthorizationResponseDuration(long duration)
Set the duration of authorization response JWTs in seconds.
Financial-grade API: JWT Secured Authorization Response Mode for
OAuth 2.0 (JARM) defines new values for the response_mode request
parameter. They are query.jwt, fragment.jwt, form_post.jwt and jwt. If one
of them is specified as the response mode, response parameters from the
authorization endpoint will be packed into a JWT. This property is used to
compute the value of the exp claim of the JWT.
Parameters: duration - The duration of authorization response JWTs in seconds.
Returns: this object.

public long getPushedAuthReqDuration()
Get the duration of pushed authorization requests.
"OAuth 2.0 Pushed Authorization Requests" defines an endpoint (called
"pushed authorization request endpoint") which client applications can
register authorization requests into and get corresponding URIs (called
"request URIs") from. The issued URIs represent the registered
authorization requests. The client applications can use the URIs as the
value of the request_uri request parameter in an authorization request.
The value returned from this method represents the duration of registered
authorization requests and is used as the value of the expires_in
parameter in responses from the pushed authorization request endpoint.

public Service setPushedAuthReqDuration(long duration)
Set the duration of pushed authorization requests.
"OAuth 2.0 Pushed Authorization Requests" defines an endpoint (called
"pushed authorization request endpoint") which client applications can
register authorization requests into and get corresponding URIs (called
"request URIs") from. The issued URIs represent the registered
authorization requests. The client applications can use the URIs as the
value of the request_uri request parameter in an authorization request.
The value given to this method represents the duration of registered
authorization requests and is used as the value of the expires_in
parameter in responses from the pushed authorization request endpoint.
Parameters: duration - The duration of pushed authorization requests.
Returns: this object.

public URI getAuthenticationCallbackEndpoint()
public Service setAuthenticationCallbackEndpoint(URI endpoint)
Parameters: endpoint - The URI of the authentication callback endpoint.
Returns: this object.

public String getAuthenticationCallbackApiKey()

public Service setAuthenticationCallbackApiKey(String apiKey)
Parameters: apiKey - The API key to access the authentication callback endpoint.
Returns: this object.

public String getAuthenticationCallbackApiSecret()

public Service setAuthenticationCallbackApiSecret(String apiSecret)
Parameters: apiSecret - The API secret to access the authentication callback endpoint.
Returns: this object.

public Sns[] getSupportedSnses()

public Service setSupportedSnses(Sns[] supportedSnses)
Parameters: supportedSnses - The list of SNSes.
Returns: this object.

public SnsCredentials[] getSnsCredentials()

public Service setSnsCredentials(SnsCredentials[] snsCredentials)
Parameters: snsCredentials - The list of SNS credentials.
Returns: this object.

public long getCreatedAt()

public Service setCreatedAt(long createdAt)
Parameters: createdAt - The time at which this service was created.
Returns: this object.

public long getModifiedAt()

public Service setModifiedAt(long modifiedAt)
Parameters: modifiedAt - The time at which this service was modified.
Returns: this object.

public Pair[] getMetadata()
The content of the returned array depends on contexts.

Key | Description |
---|---|
"clientCount" | The number of client applications which belong to this service. |

Returns: Metadata. The type is an array of Pair.

public Service setMetadata(Pair[] metadata)
Parameters: metadata - Metadata. The type is an array of Pair. null may be returned.
Returns: this object.

public URI getDeveloperAuthenticationCallbackEndpoint()

public Service setDeveloperAuthenticationCallbackEndpoint(URI endpoint)
Parameters: endpoint - The URI of the developer authentication callback endpoint.
Returns: this object.

public String getDeveloperAuthenticationCallbackApiKey()

public Service setDeveloperAuthenticationCallbackApiKey(String apiKey)
Parameters: apiKey - The API key to access the developer authentication callback endpoint.
Returns: this object.

public String getDeveloperAuthenticationCallbackApiSecret()

public Service setDeveloperAuthenticationCallbackApiSecret(String apiSecret)
Parameters: apiSecret - The API secret to access the developer authentication callback endpoint.
Returns: this object.

public Sns[] getSupportedDeveloperSnses()

public Service setSupportedDeveloperSnses(Sns[] supportedSnses)
Parameters: supportedSnses - The list of SNSes.
Returns: this object.

public SnsCredentials[] getDeveloperSnsCredentials()

public Service setDeveloperSnsCredentials(SnsCredentials[] snsCredentials)
Parameters: snsCredentials - The list of SNS credentials.
Returns: this object.

public int getClientsPerDeveloper()

public Service setClientsPerDeveloper(int count)
Parameters: count - The number of client applications that one developer can create. 0 means no limit.
Returns: this object.

public boolean isDirectAuthorizationEndpointEnabled()
Get the flag which indicates whether the direct authorization endpoint is enabled or not. The path of the endpoint is /api/auth/authorization/direct/{serviceApiKey}.
Returns: true if enabled.

public Service setDirectAuthorizationEndpointEnabled(boolean enabled)
Set the flag which indicates whether the direct authorization endpoint is enabled or not. The path of the endpoint is /api/auth/authorization/direct/{serviceApiKey}.
Parameters: enabled - true to enable the direct endpoint.
Returns: this object.

public boolean isDirectTokenEndpointEnabled()
Get the flag which indicates whether the direct token endpoint is enabled or not. The path of the endpoint is /api/auth/token/direct/{serviceApiKey}.
Returns: true if enabled.

public Service setDirectTokenEndpointEnabled(boolean enabled)
Set the flag which indicates whether the direct token endpoint is enabled or not. The path of the endpoint is /api/auth/token/direct/{serviceApiKey}.
Parameters: enabled - true to enable the direct endpoint.
Returns: this object.

public boolean isDirectRevocationEndpointEnabled()
Get the flag which indicates whether the direct revocation endpoint is enabled or not. The path of the endpoint is /api/auth/revocation/direct/{serviceApiKey}.
Returns: true if enabled.

public Service setDirectRevocationEndpointEnabled(boolean enabled)
Set the flag which indicates whether the direct revocation endpoint is enabled or not. The path of the endpoint is /api/auth/revocation/direct/{serviceApiKey}.
Parameters: enabled - true to enable the direct endpoint.
Returns: this object.

public boolean isDirectUserInfoEndpointEnabled()
Get the flag which indicates whether the direct userinfo endpoint is enabled or not. The path of the endpoint is /api/auth/userinfo/direct/{serviceApiKey}.
Returns: true if enabled.

public Service setDirectUserInfoEndpointEnabled(boolean enabled)
Set the flag which indicates whether the direct userinfo endpoint is enabled or not. The path of the endpoint is /api/auth/userinfo/direct/{serviceApiKey}.
Parameters: enabled - true to enable the direct endpoint.
Returns: this object.

public boolean isDirectJwksEndpointEnabled()
Get the flag which indicates whether the direct jwks endpoint is enabled or not. The path of the endpoint is /api/service/jwks/get/direct/{serviceApiKey}.
Returns: true if enabled.

public Service setDirectJwksEndpointEnabled(boolean enabled)
Set the flag which indicates whether the direct jwks endpoint is enabled or not. The path of the endpoint is /api/service/jwks/get/direct/{serviceApiKey}.
Parameters: enabled - true to enable the direct endpoint.
Returns: this object.

public boolean isDirectIntrospectionEndpointEnabled()
Get the flag which indicates whether the direct introspection endpoint is enabled or not. The path of the endpoint is /api/auth/introspection/direct/{serviceApiKey}.
Returns: true if enabled.

public Service setDirectIntrospectionEndpointEnabled(boolean enabled)
Set the flag which indicates whether the direct introspection endpoint is enabled or not. The path of the endpoint is /api/auth/introspection/direct/{serviceApiKey}.
Parameters: enabled - true to enable the direct endpoint.
Returns: this object.

public boolean isSingleAccessTokenPerSubject()
If this flag is true
, an attempt to issue a new access
token invalidates existing access tokens associated with the
same subject and the same client.
Even if this flag is false
, invalidation of existing access
tokens is executed if the singleAccessTokenPerSubject
property of the target client is true
. The property of
Client
is recognized by Authlete 2.3 onwards. (cf.
Client.isSingleAccessTokenPerSubject()
)
Note that, however, attempts by Client Credentials Flow do not
invalidate existing access tokens because access tokens issued
by Client Credentials Flow are not associated with any end-user's
subject. Also note that an attempt by Refresh Token Flow
invalidates the coupled access token only and this invalidation
is always performed regardless of whether this flag is true
or false
.
true
if the number of access tokens per subject
(and per client) is at most one.Client.isSingleAccessTokenPerSubject()
public Service setSingleAccessTokenPerSubject(boolean single)
If true
is set, an attempt to issue a new access token
invalidates existing access tokens associated with the same
subject and the same client.
Even if this flag is false
, invalidation of existing access
tokens is executed if the singleAccessTokenPerSubject
property of the target client is true
. The property of
Client
is recognized by Authlete 2.3 onwards. (cf.
Client.setSingleAccessTokenPerSubject(boolean)
)
Note that, however, attempts by Client Credentials Flow do not
invalidate existing access tokens because access tokens issued
by Client Credentials Flow are not associated with any end-user's
subject. Also note that an attempt by Refresh Token Flow
invalidates the coupled access token only and this invalidation
is always performed regardless of whether this flag is true
or false
.
single
- true
to set the maximum number of access tokens
per subject (and per client) to 1.this
object.Client.setSingleAccessTokenPerSubject(boolean)
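The invalidation rule described above, as an added example that is not Authlete's code: a small in-memory token store (constructed for illustration) that applies the service-level flag, the client-level override, and the two exceptions for Client Credentials Flow and Refresh Token Flow.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Grant types named in the description above.
AUTHORIZATION_CODE = "authorization_code"
CLIENT_CREDENTIALS = "client_credentials"
REFRESH_TOKEN = "refresh_token"


@dataclass
class AccessToken:
    value: str
    client_id: int
    subject: Optional[str]               # None for Client Credentials Flow tokens
    refresh_token: Optional[str] = None  # refresh token coupled with this access token
    valid: bool = True


@dataclass
class TokenStore:
    """Constructed stand-in for the token database. The two flags mirror
    Service.singleAccessTokenPerSubject and Client.singleAccessTokenPerSubject."""
    service_single_per_subject: bool
    client_single_per_subject: Dict[int, bool] = field(default_factory=dict)
    tokens: List[AccessToken] = field(default_factory=list)
    counter: int = 0

    def _single(self, client_id: int) -> bool:
        # Invalidation applies when the service flag OR the target client's flag is true.
        return self.service_single_per_subject or self.client_single_per_subject.get(client_id, False)

    def issue(self, grant_type: str, client_id: int, subject: Optional[str] = None,
              used_refresh_token: Optional[str] = None) -> AccessToken:
        if grant_type == REFRESH_TOKEN:
            # Refresh Token Flow: only the coupled access token is invalidated,
            # and that happens regardless of the flags.
            coupled = next(t for t in self.tokens if t.refresh_token == used_refresh_token)
            coupled.valid = False
            subject = coupled.subject
        elif grant_type == CLIENT_CREDENTIALS:
            # No end-user subject, so there is nothing to invalidate.
            subject = None
        elif self._single(client_id):
            for t in self.tokens:
                if t.valid and t.client_id == client_id and t.subject == subject:
                    t.valid = False

        self.counter += 1
        token = AccessToken(
            value=f"at-{self.counter}",
            client_id=client_id,
            subject=subject,
            refresh_token=None if grant_type == CLIENT_CREDENTIALS else f"rt-{self.counter}",
        )
        self.tokens.append(token)
        return token

    def valid_tokens(self, client_id: int, subject: Optional[str]) -> List[str]:
        """Values of the still-valid access tokens for one client/subject pair."""
        return [t.value for t in self.tokens
                if t.valid and t.client_id == client_id and t.subject == subject]
```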
public boolean isPkceRequired()
Returns:
true if PKCE is always required for authorization requests by Authorization Code Flow.

public Service setPkceRequired(boolean required)
Parameters:
required - true to always require PKCE for authorization requests by Authorization Code Flow.
Returns:
this object.

public boolean isPkceS256Required()
This flag indicates whether S256 is always required as the code challenge method whenever PKCE (RFC 7636) is used.
If this flag is true, code_challenge_method=S256 must be included in the authorization request whenever it includes the code_challenge request parameter. Neither omission of the code_challenge_method request parameter nor use of plain (code_challenge_method=plain) is allowed.
Returns:
true if S256 is always required as the code challenge method whenever PKCE is used.

public Service setPkceS256Required(boolean required)
This flag indicates whether S256 is always required as the code challenge method whenever PKCE (RFC 7636) is used.
If true is set, code_challenge_method=S256 must be included in the authorization request whenever it includes the code_challenge request parameter. Neither omission of the code_challenge_method request parameter nor use of plain (code_challenge_method=plain) is allowed.
Parameters:
required - true to require S256 as the code challenge method whenever PKCE is used.
Returns:
this object.
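The two PKCE flags as an authorization-server-side check, added here as an example and not Authlete's code: check_authorization_request() applies pkceRequired and pkceS256Required to the authorization request parameters exactly as described above, and verify_code_verifier() is the RFC 7636 comparison the token endpoint performs later. The error strings are assumed wording, not Authlete's.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 section 4.2: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_authorization_request(params: Dict[str, str],
                                pkce_required: bool,
                                pkce_s256_required: bool) -> Optional[str]:
    """Return None when the request is acceptable, otherwise an error description.

    pkce_required       -> Service.pkceRequired
    pkce_s256_required  -> Service.pkceS256Required
    """
    challenge = params.get("code_challenge")
    method = params.get("code_challenge_method")

    if challenge is None:
        if pkce_required:
            return "code_challenge is required (pkceRequired=true)"
        if method is not None:
            return "code_challenge_method given without code_challenge"
        return None  # PKCE not used and not required

    if pkce_s256_required and method != "S256":
        # Both omission (RFC 7636 default = plain) and explicit plain are rejected.
        return "code_challenge_method=S256 is required (pkceS256Required=true)"

    if method not in (None, "plain", "S256"):
        return "unsupported code_challenge_method"
    return None


def verify_code_verifier(challenge: str, method: Optional[str], verifier: str) -> bool:
    """Token-endpoint side of PKCE: does the presented code_verifier match the
    code_challenge stored with the authorization code?"""
    if method in (None, "plain"):
        expected = verifier
    elif method == "S256":
        expected = s256_challenge(verifier)
    else:
        return False
    # Constant-time comparison; both values are ASCII.
    return hmac.compare_digest(expected.encode("ascii"), challenge.encode("ascii"))
```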
public boolean isRefreshTokenKept()
Returns:
true if a refresh token remains valid after its use. false if a new refresh token is issued after its use.

public Service setRefreshTokenKept(boolean kept)
Parameters:
kept - true to keep a refresh token valid after its use. false to renew a refresh token after its use.
Returns:
this object.

public boolean isRefreshTokenDurationKept()
Returns:
true if the remaining duration of the used refresh token is taken over to the newly issued refresh token.

public Service setRefreshTokenDurationKept(boolean kept)
Parameters:
kept - true to indicate that the remaining duration of the used refresh token is taken over to the newly issued refresh token.
Returns:
this object.

public boolean isRefreshTokenDurationReset()
This flag indicates whether the duration of refresh tokens is reset when they are used, even if the refreshTokenKept property of this service (cf. isRefreshTokenKept()) is true (= even if "Refresh Token Continuous Use" is "Kept").
This flag has no effect when the refreshTokenKept property is false. In other words, if this service issues a new refresh token on every refresh token request, the refresh token will have fresh duration (unless refreshTokenDurationKept is true) and this refreshTokenDurationReset property is not referenced.
Returns:
true if the duration of refresh tokens is reset when they are used.

public Service setRefreshTokenDurationReset(boolean reset)
This flag indicates whether the duration of refresh tokens is reset when they are used, even if the refreshTokenKept property of this service (cf. isRefreshTokenKept()) is true (= even if "Refresh Token Continuous Use" is "Kept").
This flag has no effect when the refreshTokenKept property is false. In other words, if this service issues a new refresh token on every refresh token request, the refresh token will have fresh duration (unless refreshTokenDurationKept is true) and this refreshTokenDurationReset property is not referenced.
Parameters:
reset - true to reset the duration of refresh tokens when they are used.
Returns:
this object.
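How the three refresh token properties interact, as an added example that is not Authlete's code: after_use() computes what the refresh token looks like once a refresh token request has been served, following the rules for refreshTokenKept, refreshTokenDurationKept and refreshTokenDurationReset given above. The fresh lifetime (refresh_token_duration) is an assumed service setting; times are seconds since the epoch.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RefreshToken:
    value: str
    expires_at: int  # seconds since the Unix epoch


@dataclass(frozen=True)
class RefreshPolicy:
    """Mirrors the three Service flags; refresh_token_duration is an assumed
    setting for the fresh lifetime of a refresh token, in seconds."""
    refresh_token_kept: bool
    refresh_token_duration_kept: bool
    refresh_token_duration_reset: bool
    refresh_token_duration: int


def after_use(used: RefreshToken, policy: RefreshPolicy, now: int, new_value: str) -> RefreshToken:
    """The refresh token that is valid after `used` has been presented at the
    token endpoint. `new_value` is the constructed value of a newly issued token."""
    if policy.refresh_token_kept:
        # "Kept": the same refresh token remains valid. refreshTokenDurationKept is
        # not consulted here; refreshTokenDurationReset decides whether the
        # lifetime restarts on every use.
        if policy.refresh_token_duration_reset:
            return RefreshToken(used.value, now + policy.refresh_token_duration)
        return used

    # A new refresh token is issued on every request; refreshTokenDurationReset
    # is not referenced in this branch.
    if policy.refresh_token_duration_kept:
        # Remaining duration of the used token is taken over by the new one.
        return RefreshToken(new_value, used.expires_at)
    return RefreshToken(new_value, now + policy.refresh_token_duration)
```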
public boolean isErrorDescriptionOmitted()
This flag indicates whether the error_description response parameter is omitted.
According to RFC 6749, authorization servers may include the error_description response parameter in error responses. When this errorDescriptionOmitted property is true, Authlete does not embed the error_description response parameter in error responses.
Returns:
true if the error_description response parameter is omitted. false if the error_description response parameter is included in error responses from the authorization server.

public Service setErrorDescriptionOmitted(boolean omitted)
Omit or embed the error_description response parameter in error responses.
Parameters:
omitted - true to omit the error_description response parameter. false to embed the parameter.
Returns:
this object.

public boolean isErrorUriOmitted()
This flag indicates whether the error_uri response parameter is omitted.
According to RFC 6749, authorization servers may include the error_uri response parameter in error responses. When this errorUriOmitted property is true, Authlete does not embed the error_uri response parameter in error responses.
Returns:
true if the error_uri response parameter is omitted. false if the error_uri response parameter is included in error responses from the authorization server.

public Service setErrorUriOmitted(boolean omitted)
Omit or embed the error_uri response parameter in error responses.
Parameters:
omitted - true to omit the error_uri response parameter. false to embed the parameter.
Returns:
this object.

public boolean isClientIdAliasEnabled()
Returns:
true if the 'Client ID Alias' feature is enabled. false if the feature is disabled.

public Service setClientIdAliasEnabled(boolean enabled)
When a new client is created, Authlete generates a numeric value and assigns it as a client ID to the newly created client. In addition to the client ID, each client can have a client ID alias. The client ID alias is, however, recognized only when this property (clientIdAliasEnabled) is true.
Parameters:
enabled - true to enable the 'Client ID Alias' feature. false to disable it.
Returns:
this object.

public String getAccessTokenSignatureKeyId()
A JWK Set can be registered as a property of a Service. A JWK Set can contain 0 or more JWKs (see RFC 7517 for details about JWK). Authlete Server has to pick up one JWK for signing from the JWK Set when it generates a JWT-based access token (see getAccessTokenSignAlg() for details about JWT-based access tokens). Authlete Server searches the registered JWK Set for a JWK which satisfies the conditions for access token signature. If the number of JWK candidates which satisfy the conditions is 1, there is no problem. On the other hand, if there exist multiple candidates, a Key ID needs to be specified so that Authlete Server can pick up one JWK from among the JWK candidates.
This accessTokenSignatureKeyId property exists for the purpose described above.
Returns:
A key ID of a JWK. This may be null.

public Service setAccessTokenSignatureKeyId(String keyId)
See the description of getAccessTokenSignatureKeyId() for details.
Parameters:
keyId - A key ID of a JWK. This may be null.
Returns:
this object.

public String getAuthorizationSignatureKeyId()
Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) has added new values for the response_mode request parameter. They are query.jwt, fragment.jwt, form_post.jwt and jwt. If one of them is used, response parameters returned from the authorization endpoint will be packed into a JWT. The JWT is always signed. For the signature of the JWT, Authlete Server has to pick up one JWK from the service's JWK Set.
Authlete Server searches the JWK Set for a JWK which satisfies the conditions for authorization response signature. If the number of JWK candidates which satisfy the conditions is 1, there is no problem. On the other hand, if there exist multiple candidates, a Key ID needs to be specified so that Authlete Server can pick up one JWK from among the JWK candidates. This property exists to specify the key ID.
Returns:
A key ID of a JWK. This may be null.

public Service setAuthorizationSignatureKeyId(String keyId)
See the description of getAuthorizationSignatureKeyId() for details.
Parameters:
keyId - A key ID of a JWK. This may be null.
Returns:
this object.

public String getIdTokenSignatureKeyId()
A JWK Set can be registered as a property of a Service. A JWK Set can contain 0 or more JWKs (see RFC 7517 for details about JWK). Authlete Server has to pick up one JWK for signature from the JWK Set when it generates an ID token and signs it using an asymmetric key. Authlete Server searches the registered JWK Set for a JWK which satisfies the conditions for ID token signature. If the number of JWK candidates which satisfy the conditions is 1, there is no problem. On the other hand, if there exist multiple candidates, a Key ID needs to be specified so that Authlete Server can pick up one JWK from among the JWK candidates.
This idTokenSignatureKeyId property exists for the purpose described above. For key rotation (OpenID Connect Core 1.0, 10.1.1. Rotation of Asymmetric Signing Keys), this mechanism is needed.
Returns:
A key ID of a JWK. This may be null.

public Service setIdTokenSignatureKeyId(String keyId)
See the description of getIdTokenSignatureKeyId() for details.
Parameters:
keyId - A key ID of a JWK. This may be null.
Returns:
this object.

public String getUserInfoSignatureKeyId()
A JWK Set can be registered as a property of a Service. A JWK Set can contain 0 or more JWKs (see RFC 7517 for details about JWK). Authlete Server has to pick up one JWK for signature from the JWK Set when it is required to sign user info (which is returned from the UserInfo Endpoint) using an asymmetric key. Authlete Server searches the registered JWK Set for a JWK which satisfies the conditions for user info signature. If the number of JWK candidates which satisfy the conditions is 1, there is no problem. On the other hand, if there exist multiple candidates, a Key ID needs to be specified so that Authlete Server can pick up one JWK from among the JWK candidates.
This userInfoSignatureKeyId property exists for the purpose described above. For key rotation (OpenID Connect Core 1.0, 10.1.1. Rotation of Asymmetric Signing Keys), this mechanism is needed.
Returns:
A key ID of a JWK. This may be null.

public Service setUserInfoSignatureKeyId(String keyId)
See the description of getUserInfoSignatureKeyId() for details.
Parameters:
keyId - A key ID of a JWK. This may be null.
Returns:
this object.
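Key selection from a JWK Set, as an added example that is not Authlete's code, covering the four *SignatureKeyId properties above (access token, authorization response, ID token, user info). The exact conditions Authlete Server applies are not given on this page, so the candidate filter below (key type matching the JWS algorithm family, use absent or "sig", key_ops absent or containing "sign", alg absent or equal) is an assumption; the point is the ambiguity handling: one candidate needs no key ID, several candidates make the configured key ID mandatory. The JWK Set is constructed for illustration and carries only the members the selection reads.

```python
from typing import Dict, List, Optional

# JWS algorithm family -> JWK key type (RFC 7518). EdDSA is out of scope here.
_KTY_FOR_ALG = {"RS": "RSA", "PS": "RSA", "ES": "EC", "HS": "oct"}

# Constructed JWK Set: key material is omitted; only the members the selection
# reads are present. Two RSA signing keys make RS256 ambiguous on purpose.
SAMPLE_JWK_SET = {
    "keys": [
        {"kty": "RSA", "kid": "rsa-2023", "use": "sig"},
        {"kty": "RSA", "kid": "rsa-2024", "use": "sig"},
        {"kty": "RSA", "kid": "rsa-enc", "use": "enc"},
        {"kty": "EC", "crv": "P-256", "kid": "ec-1", "key_ops": ["sign"]},
    ]
}


class KeySelectionError(Exception):
    """No usable key, or more than one candidate without a key ID to choose by."""


def select_signing_jwk(jwk_set: Dict, alg: str, key_id: Optional[str]) -> Dict:
    """Pick the JWK to sign with. key_id plays the role of the *SignatureKeyId
    properties: it is consulted only when more than one key satisfies the
    (assumed) conditions for the signature."""
    kty = _KTY_FOR_ALG.get(alg[:2])
    if kty is None:
        raise KeySelectionError(f"unsupported signing algorithm: {alg}")

    candidates: List[Dict] = []
    for jwk in jwk_set.get("keys", []):
        if jwk.get("kty") != kty:
            continue
        if jwk.get("use", "sig") != "sig":
            continue
        if "key_ops" in jwk and "sign" not in jwk["key_ops"]:
            continue
        if "alg" in jwk and jwk["alg"] != alg:
            continue
        candidates.append(jwk)

    if not candidates:
        raise KeySelectionError(f"no JWK usable for {alg}")
    if len(candidates) == 1:
        return candidates[0]  # unambiguous: no key ID needed
    if key_id is None:
        kids = [c.get("kid") for c in candidates]
        raise KeySelectionError(f"{len(candidates)} candidates for {alg} {kids}; a key ID is required")
    for jwk in candidates:
        if jwk.get("kid") == key_id:
            return jwk
    raise KeySelectionError(f"key ID {key_id!r} matches none of the candidates for {alg}")
```

Rotation (OpenID Connect Core 1.0, 10.1.1) is the usual way a second signing key of the same type enters the set, which is when the key ID property stops being optional.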
public ServiceProfile[] getSupportedServiceProfiles()

public Service setSupportedServiceProfiles(ServiceProfile[] profiles)
Parameters:
profiles - Supported service profiles.
Returns:
this object.

public Service setSupportedServiceProfiles(Iterable<ServiceProfile> profiles)
Parameters:
profiles - Supported service profiles.
Returns:
this object.

public boolean supports(ServiceProfile profile)
If null is given, false is returned. If the supported service profiles are not set to this service, false is returned.
Parameters:
profile - A service profile.
Returns:
true if this service supports the service profile.

public boolean supportsAll(ServiceProfile... profiles)
If null is given, true is returned. If an empty array is given, true is returned.
Parameters:
profiles - Service profiles.
Returns:
true if this service supports all the specified service profiles.

public boolean supportsAll(Iterable<ServiceProfile> profiles)
If null is given, true is returned. If an empty collection is given, true is returned.
Parameters:
profiles - Service profiles.
Returns:
true if this service supports all the specified service profiles.

public boolean supportsAny(ServiceProfile... profiles)
If null is given, false is returned. If an empty array is given, false is returned.
Parameters:
profiles - Service profiles.
Returns:
true if this service supports any of the specified service profiles.

public boolean supportsAny(Iterable<ServiceProfile> profiles)
If null is given, false is returned. If an empty collection is given, false is returned.
Parameters:
profiles - Service profiles.
Returns:
true if this service supports any of the specified service profiles.

public boolean isTlsClientCertificateBoundAccessTokens()
Returns:
true if this service supports issuing TLS client certificate bound access tokens.

public Service setTlsClientCertificateBoundAccessTokens(boolean enabled)
Parameters:
enabled - true to enable TLS client certificate bound access tokens.
Returns:
this object.

public URI getIntrospectionEndpoint()

public Service setIntrospectionEndpoint(URI endpoint)
Parameters:
endpoint - The URI of the introspection endpoint.
Returns:
this object.

public ClientAuthMethod[] getSupportedIntrospectionAuthMethods()

public Service setSupportedIntrospectionAuthMethods(ClientAuthMethod[] methods)
Parameters:
methods - Client authentication methods.
Returns:
this object.

public boolean isMutualTlsValidatePkiCertChain()
Returns:
true if this service requires clients using PKI MTLS to present their certificate chain to the API during authentication, false otherwise.

public Service setMutualTlsValidatePkiCertChain(boolean mutualTlsValidatePkiCertChain)
Parameters:
mutualTlsValidatePkiCertChain - true if this service requires clients using PKI MTLS to present their certificate chain to the API during authentication, false otherwise.
Returns:
this object.

public String[] getTrustedRootCertificates()

public Service setTrustedRootCertificates(String[] trustedRootCertificates)
Parameters:
trustedRootCertificates - The list of root certificates trusted by this service in PEM format.
Returns:
this object.

public DeliveryMode[] getSupportedBackchannelTokenDeliveryModes()
This property corresponds to the backchannel_token_delivery_modes_supported metadata.
Backchannel token delivery modes are defined in the specification of CIBA (Client Initiated Backchannel Authentication).

public Service setSupportedBackchannelTokenDeliveryModes(DeliveryMode[] modes)
This property corresponds to the backchannel_token_delivery_modes_supported metadata.
Backchannel token delivery modes are defined in the specification of CIBA (Client Initiated Backchannel Authentication).
Parameters:
modes - Supported backchannel token delivery modes.
Returns:
this object.

public URI getBackchannelAuthenticationEndpoint()
The backchannel authentication endpoint is defined in the specification of CIBA (Client Initiated Backchannel Authentication).

public Service setBackchannelAuthenticationEndpoint(URI endpoint)
The backchannel authentication endpoint is defined in the specification of CIBA (Client Initiated Backchannel Authentication).
Parameters:
endpoint - The URI of the backchannel authentication endpoint.
Returns:
this object.

public boolean isBackchannelUserCodeParameterSupported()
This flag indicates whether the "user_code" request parameter is supported at the backchannel authentication endpoint. This property corresponds to the backchannel_user_code_parameter_supported metadata.
Returns:
true if the "user_code" request parameter is supported at the backchannel authentication endpoint.

public Service setBackchannelUserCodeParameterSupported(boolean supported)
This flag indicates whether the "user_code" request parameter is supported at the backchannel authentication endpoint. This property corresponds to the backchannel_user_code_parameter_supported metadata.
Parameters:
supported - true to indicate that the "user_code" request parameter is supported.
Returns:
this object.

public int getBackchannelAuthReqIdDuration()
This value is used as the expires_in property in responses from the backchannel authentication endpoint.

public Service setBackchannelAuthReqIdDuration(int duration)
This value is used as the expires_in property in responses from the backchannel authentication endpoint.
Parameters:
duration - The duration of backchannel authentication request IDs in seconds.
Returns:
this object.

public int getBackchannelPollingInterval()
This value is used as the interval property in responses from the backchannel authentication endpoint.

public Service setBackchannelPollingInterval(int interval)
This value is used as the interval property in responses from the backchannel authentication endpoint.
Parameters:
interval - The minimum interval between polling requests in seconds. Must be in between 0 and 65,535.
Returns:
this object.

public boolean isBackchannelBindingMessageRequiredInFapi()
This flag indicates whether the binding_message request parameter is always required whenever a backchannel authentication request is judged as a request for Financial-grade API.
Returns:
true if the binding_message request parameter is required whenever a backchannel authentication request is judged as a request for Financial-grade API.

public Service setBackchannelBindingMessageRequiredInFapi(boolean required)
This flag indicates whether the binding_message request parameter is always required whenever a backchannel authentication request is judged as a request for Financial-grade API.
The FAPI-CIBA profile requires that the authorization server "shall ensure unique authorization context exists in the authorization request or require a binding_message in the authorization request" (FAPI-CIBA, 5.2.2, 2). The simplest way to fulfill this requirement is to set true to this property.
If false is set to this property, the binding_message request parameter remains optional even in FAPI context, but in exchange, your authorization server must implement a custom mechanism that ensures each backchannel authentication request has unique context.
Parameters:
required - true to require the binding_message request parameter whenever a backchannel authentication request is judged as a request for Financial-grade API.
Returns:
this object.
public int getAllowableClockSkew()
The clock skew is taken into consideration when time-related claims in a JWT (e.g. "exp", "iat", "nbf") are verified.

public Service setAllowableClockSkew(int seconds)
The clock skew is taken into consideration when time-related claims in a JWT (e.g. "exp", "iat", "nbf") are verified.
Parameters:
seconds - Allowable clock skew in seconds. Must be in between 0 and 65,535.
Returns:
this object.

public boolean isDynamicRegistrationSupported()
Returns:
true if enabled.

public Service setDynamicRegistrationSupported(boolean enabled)
Parameters:
enabled - true to enable dynamic client registration.
Returns:
this object.

public URI getDeviceAuthorizationEndpoint()
The device authorization endpoint is defined in the specification of OAuth 2.0 Device Authorization Grant.

public Service setDeviceAuthorizationEndpoint(URI endpoint)
The device authorization endpoint is defined in the specification of OAuth 2.0 Device Authorization Grant.
Parameters:
endpoint - The URI of the device authorization endpoint.
Returns:
this object.

public URI getDeviceVerificationUri()
This value is used as the verification_uri parameter in responses from the device authorization endpoint.

public Service setDeviceVerificationUri(URI uri)
This value is used as the verification_uri parameter in responses from the device authorization endpoint.
Parameters:
uri - The verification URI.
Returns:
this object.

public URI getDeviceVerificationUriComplete()
This value is used to build the verification_uri_complete parameter in responses from the device authorization endpoint.

public Service setDeviceVerificationUriComplete(URI uri)
This value is used to build the verification_uri_complete parameter in responses from the device authorization endpoint.
It is expected that the URI contains a fixed string USER_CODE somewhere as a placeholder for a user code. For example, like the following.
https://example.com/device?user_code=USER_CODE
The fixed string is replaced with an actual user code when Authlete builds a verification URI with a user code for the verification_uri_complete parameter.
If this URI is not set, the verification_uri_complete parameter won't appear in device authorization responses.
Parameters:
uri - The verification URI with a placeholder for a user code.
Returns:
this object.

public int getDeviceFlowCodeDuration()
This value is used as the expires_in property in responses from the device authorization endpoint.

public Service setDeviceFlowCodeDuration(int duration)
This value is used as the expires_in property in responses from the device authorization endpoint.
Parameters:
duration - The duration of device verification codes and end-user verification codes in seconds.
Returns:
this object.

public int getDeviceFlowPollingInterval()
This value is used as the interval property in responses from the device authorization endpoint.

public Service setDeviceFlowPollingInterval(int interval)
This value is used as the interval property in responses from the device authorization endpoint.
Parameters:
interval - The minimum interval between polling requests in seconds in device flow. Must be in between 0 and 65,535.
Returns:
this object.

public UserCodeCharset getUserCodeCharset()
The character set for end-user verification codes (user_code) for Device Flow.
Returns:
The character set for end-user verification codes (user_code) for Device Flow.

public Service setUserCodeCharset(UserCodeCharset charset)
The character set for end-user verification codes (user_code) for Device Flow.
Parameters:
charset - The character set for end-user verification codes (user_code) for Device Flow.
Returns:
this object.

public int getUserCodeLength()
The length of end-user verification codes (user_code) for Device Flow.
Returns:
The length of end-user verification codes (user_code) for Device Flow.

public Service setUserCodeLength(int length)
The length of end-user verification codes (user_code) for Device Flow.
Parameters:
length - The length of end-user verification codes (user_code) for Device Flow. The value must not be negative and must not be larger than 255.
Returns:
this object.

public URI getPushedAuthReqEndpoint()
This property corresponds to the pushed_authorization_request_endpoint metadata defined in "5. Authorization Server Metadata" of OAuth 2.0 Pushed Authorization Requests.

public Service setPushedAuthReqEndpoint(URI endpoint)
This property corresponds to the pushed_authorization_request_endpoint metadata defined in "5. Authorization Server Metadata" of OAuth 2.0 Pushed Authorization Requests.
Parameters:
endpoint - The URI of the pushed authorization request endpoint.
Returns:
this object.

public NamedUri[] getMtlsEndpointAliases()
This property corresponds to the mtls_endpoint_aliases metadata defined in "5. Metadata for Mutual TLS Endpoint Aliases" of OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokens.

public Service setMtlsEndpointAliases(NamedUri[] aliases)
This property corresponds to the mtls_endpoint_aliases metadata defined in "5. Metadata for Mutual TLS Endpoint Aliases" of OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokens.
The aliases will be embedded in the response from the discovery endpoint like the following.
{
  ......,
  "mtls_endpoint_aliases": {
    "token_endpoint": "https://mtls.example.com/token",
    "revocation_endpoint": "https://mtls.example.com/revo",
    "introspection_endpoint": "https://mtls.example.com/introspect"
  }
}
Parameters:
aliases - MTLS endpoint aliases.
Returns:
this object.
object.public String[] getSupportedAuthorizationDetailsTypes()
"type"
field in "authorization_details"
.
This property corresponds to the
"authorization_details_types_supported"
server metadata.
See "OAuth 2.0 Rich Authorization Requests" (RAR) for details.
Note that the property name was renamed from supportedAuthorizationDataTypes
to supportedAuthorizationDetailsTypes
to align with the change
made by the 5th draft of the RAR specification.
public Service setSupportedAuthorizationDetailsTypes(String[] types)
"type"
field in "authorization_details"
.
This property corresponds to the
"authorization_details_types_supported"
server metadata.
See "OAuth 2.0 Rich Authorization Requests" (RAR) for details.
Note that the property name was renamed from supportedAuthorizationDataTypes
to supportedAuthorizationDetailsTypes
to align with the change
made by the 5th draft of the RAR specification.
types
- Supported authorization details types.this
object.public String[] getSupportedTrustFrameworks()
trust_frameworks_supported
server
metadata.public Service setSupportedTrustFrameworks(String[] frameworks)
trust_frameworks_supported
server
metadata.frameworks
- Trust frameworks supported by this service.this
object.public String[] getSupportedEvidence()
evidence_supported
server metadata.public Service setSupportedEvidence(String[] evidence)
evidence_supported
server metadata.evidence
- Evidence supported by this service.this
object.@Deprecated public String[] getSupportedIdentityDocuments()
id_documents_supported
server metadata.
The third implementer's draft of OpenID Connect for Identity Assurance 1.0 renamed the
id_documents_supported
server metadata to
documents_supported
.
getSupportedDocuments()
@Deprecated public Service setSupportedIdentityDocuments(String[] documents)
id_documents_supported
server metadata.
The third implementer's draft of OpenID Connect for Identity Assurance 1.0 renamed the
id_documents_supported
server metadata to
documents_supported
.
documents
- Identity documents supported by this service.this
object.setSupportedDocuments(String[])
public String[] getSupportedDocuments()
documents_supported
server metadata.
The third implementer's draft of OpenID Connect for Identity Assurance 1.0 renamed the
id_documents_supported
server metadata to
documents_supported
.
This property is recognized by Authlete 2.3 and newer versions.
public Service setSupportedDocuments(String[] documents)
documents_supported
server metadata.
The third implementer's draft of OpenID Connect for Identity Assurance 1.0 renamed the
id_documents_supported
server metadata to
documents_supported
.
This property is recognized by Authlete 2.3 and newer versions.
documents
- Document types supported by this service.this
object.@Deprecated public String[] getSupportedVerificationMethods()
id_documents_verification_methods_supported
server metadata.
The third implementer's draft of OpenID Connect for Identity Assurance 1.0 renamed the
id_documents_verification_methods_supported
server metadata to
documents_methods_supported
.
getSupportedDocumentsMethods()
@Deprecated public Service setSupportedVerificationMethods(String[] methods)
id_documents_verification_methods_supported
server metadata.
The third implementer's draft of OpenID Connect for Identity Assurance 1.0 renamed the
id_documents_verification_methods_supported
server metadata to
documents_methods_supported
.
methods
- Verification methods supported by this service.this
object.setSupportedDocumentsMethods(String[])
public String[] getSupportedDocumentsMethods()
documents_methods_supported
server metadata.
The third implementer's draft of OpenID Connect for Identity Assurance 1.0 renamed the
id_documents_verification_methods_supported
server metadata to
documents_methods_supported
.
This property is recognized by Authlete 2.3 and newer versions.
public Service setSupportedDocumentsMethods(String[] methods)
documents_methods_supported
server metadata.
The third implementer's draft of OpenID Connect for Identity Assurance 1.0 renamed the
id_documents_verification_methods_supported
server metadata to
documents_methods_supported
.
This property is recognized by Authlete 2.3 and newer versions.
methods
- Validation and verification processes supported by this service.this
object.@Deprecated public String[] getSupportedDocumentsValidationMethods()
documents_validation_methods_supported
server
metadata which was added by the third implementer's draft of OpenID Connect for Identity Assurance 1.0.
The fourth implementer's draft of OpenID Connect for Identity Assurance
1.0 replaced the documents_validation_methods_supported
server
metadata and the documents_verification_methods_supported
server
metadata with the documents_check_methods_supported
server
metadata.
@Deprecated public Service setSupportedDocumentsValidationMethods(String[] methods)
documents_validation_methods_supported
server
metadata which was added by the third implementer's draft of OpenID Connect for Identity Assurance 1.0.
The fourth implementer's draft of OpenID Connect for Identity Assurance
1.0 replaced the documents_validation_methods_supported
server
metadata and the documents_verification_methods_supported
server
metadata with the documents_check_methods_supported
server
metadata.
methods
- Document validation methods supported by this service.this
object.@Deprecated public String[] getSupportedDocumentsVerificationMethods()
documents_verification_methods_supported
server
metadata which was added by the third implementer's draft of OpenID Connect for Identity Assurance 1.0.
The fourth implementer's draft of OpenID Connect for Identity Assurance
1.0 replaced the documents_validation_methods_supported
server
metadata and the documents_verification_methods_supported
server
metadata with the documents_check_methods_supported
server
metadata.
@Deprecated public Service setSupportedDocumentsVerificationMethods(String[] methods)
documents_verification_methods_supported
server
metadata which was added by the third implementer's draft of OpenID Connect for Identity Assurance 1.0.
The fourth implementer's draft of OpenID Connect for Identity Assurance
1.0 replaced the documents_validation_methods_supported
server
metadata and the documents_verification_methods_supported
server
metadata with the documents_check_methods_supported
server
metadata.
methods
- Document verification methods supported by this service.this
object.public String[] getSupportedDocumentsCheckMethods()
documents_check_methods_supported
server
metadata which was added by the fourth implementer's draft of OpenID Connect for Identity Assurance 1.0.
The fourth implementer's draft of OpenID Connect for Identity Assurance
1.0 replaced the documents_validation_methods_supported
server
metadata and the documents_verification_methods_supported
server
metadata with the documents_check_methods_supported
server
metadata.
public Service setSupportedDocumentsCheckMethods(String[] methods)
documents_check_methods_supported
server
metadata which was added by the fourth implementer's draft of OpenID Connect for Identity Assurance 1.0.
The fourth implementer's draft of OpenID Connect for Identity Assurance
1.0 replaced the documents_validation_methods_supported
server
metadata and the documents_verification_methods_supported
server
metadata with the documents_check_methods_supported
server
metadata.
methods
- Document check methods supported by this service.this
object.public String[] getSupportedElectronicRecords()
electronic_records_supported
server metadata
which was added by the third implementer's draft of OpenID Connect for Identity Assurance 1.0.
If "electronic_record"
is included in the list of supported
evidence (cf. getSupportedEvidence()
, this property must have
at least one entry.
This property is recognized by Authlete 2.3 and newer versions.
public Service setSupportedElectronicRecords(String[] records)
electronic_records_supported
server metadata
which was added by the third implementer's draft of OpenID Connect for Identity Assurance 1.0.
If "electronic_record"
is included in the list of supported
evidence (cf. getSupportedEvidence()
, this property must have
at least one entry.
This property is recognized by Authlete 2.3 and newer versions.
records
- Electronic record types supported by this service.this
object.public String[] getSupportedVerifiedClaims()
claims_in_verified_claims_supported
server metadata.public Service setSupportedVerifiedClaims(String[] claims)
claims_in_verified_claims_supported
server metadata.claims
- Verified claims supported by this service.this
object.public AttachmentType[] getSupportedAttachments()
attachments_supported server metadata which was added by the third implementer's draft of OpenID Connect for Identity Assurance 1.0.
This property is recognized by Authlete 2.3 and newer versions.
public Service setSupportedAttachments(AttachmentType[] types)
attachments_supported server metadata which was added by the third implementer's draft of OpenID Connect for Identity Assurance 1.0.
This property is recognized by Authlete 2.3 and newer versions.
Parameters:
types - Attachment types supported by this service.
Returns:
this object.
public String[] getSupportedDigestAlgorithms()
digest_algorithms_supported server metadata which was added by the third implementer's draft of OpenID Connect for Identity Assurance 1.0.
Possible values are listed in the Hash Algorithm Registry of IANA (Internet Assigned Numbers Authority).
If this service supports external attachments (cf. getSupportedAttachments()), this property must include at least "sha-256".
This property is recognized by Authlete 2.3 and newer versions.
public Service setSupportedDigestAlgorithms(String[] algorithms)
digest_algorithms_supported server metadata which was added by the third implementer's draft of OpenID Connect for Identity Assurance 1.0.
Possible values are listed in the Hash Algorithm Registry of IANA (Internet Assigned Numbers Authority).
If this service supports external attachments (cf. getSupportedAttachments()), this property must include at least "sha-256".
This property is recognized by Authlete 2.3 and newer versions.
Parameters:
algorithms - Supported digest algorithms for external attachments.
Returns:
this object.
public boolean isMissingClientIdAllowed()
client_id request parameter are allowed when the client can be guessed from authorization_code or refresh_token.
This flag should not be set unless you have special reasons.
Returns:
true if token requests from public clients without the client_id request parameter are allowed in the authorization code flow and the refresh token flow.
public Service setMissingClientIdAllowed(boolean allowed)
client_id request parameter are allowed when the client can be guessed from authorization_code or refresh_token.
Don't set this flag unless you have special reasons.
Parameters:
allowed - true to allow token requests from public clients without the client_id request parameter in the authorization code flow and the refresh token flow.
Returns:
this object.
public URI getEndSessionEndpoint()
Returns:
null if not set.
public Service setEndSessionEndpoint(URI endSessionEndpoint)
Parameters:
endSessionEndpoint - The end session endpoint, or null if not set.
Returns:
this object.
public boolean isParRequired()
This property corresponds to the require_pushed_authorization_requests server metadata defined in "OAuth 2.0 Pushed Authorization Requests".
Returns:
true if clients of this service are required to use PAR.
public Service setParRequired(boolean required)
This property corresponds to the require_pushed_authorization_requests server metadata defined in "OAuth 2.0 Pushed Authorization Requests".
Parameters:
required - true to indicate that this service requires that clients use the pushed authorization request endpoint.
Returns:
this object.
public boolean isRequestObjectRequired()
request or request_uri request parameter.
If this flag is true and isTraditionalRequestObjectProcessingApplied() returns false, the value of the require_signed_request_object server metadata of this service is reported as true in the discovery document. The metadata is defined in JAR (JWT Secured Authorization Request). require_signed_request_object being true means that authorization requests which don't conform to the JAR specification are rejected.
Returns:
true if this service requires that authorization requests always utilize a request object.
public Service setRequestObjectRequired(boolean required)
request or request_uri request parameter.
See the description of isRequestObjectRequired() for details.
Parameters:
required - true to require that authorization requests always utilize a request object.
Returns:
this object.
public boolean isTraditionalRequestObjectProcessingApplied()
Differences between the rules in OpenID Connect Core 1.0 and the ones in JAR are as follows.
- The response_type request parameter must exist outside a request object even if the request object includes the request parameter.
- The scope request parameter must exist outside a request object if the authorization request is an OIDC request, even if the request object includes the request parameter.
If this flag is false and isRequestObjectRequired() returns true, the value of the require_signed_request_object server metadata of this service is reported as true in the discovery document. The metadata is defined in JAR (JWT Secured Authorization Request). require_signed_request_object being true means that authorization requests which don't conform to the JAR specification are rejected.
Returns:
true if rules defined in OpenID Connect Core 1.0 are applied on processing a request object. false if rules defined in JAR (JWT Secured Authorization Request) are applied.
public Service setTraditionalRequestObjectProcessingApplied(boolean applied)
See the description of isTraditionalRequestObjectProcessingApplied() for details.
Parameters:
applied - true to apply rules defined in OpenID Connect Core 1.0 on processing a request object. false to apply rules defined in JAR instead.
Returns:
this object.
public boolean isClaimShortcutRestrictive()
profile) are included in the issued ID token only when no access token is issued.
To strictly conform to the description below excerpted from OpenID Connect Core 1.0 Section 5.4, this flag has to be true.
The Claims requested by the profile, address, and phone scope values are returned from the UserInfo Endpoint, as described in Section 5.3.2, when a response_type value is used that results in an Access Token being issued. However, when no Access Token is issued (which is the case for the response_type value id_token), the resulting Claims are returned in the ID Token.
Returns:
true if claims specified by shortcut scopes are included in the issued ID token only when no access token is issued. false if the claims are included in the issued ID token regardless of whether an access token is issued or not.
public Service setClaimShortcutRestrictive(boolean restrictive)
profile) are included in the issued ID token only when no access token is issued.
To strictly conform to the description below excerpted from OpenID Connect Core 1.0 Section 5.4, this flag has to be true.
The Claims requested by the profile, address, and phone scope values are returned from the UserInfo Endpoint, as described in Section 5.3.2, when a response_type value is used that results in an Access Token being issued. However, when no Access Token is issued (which is the case for the response_type value id_token), the resulting Claims are returned in the ID Token.
Parameters:
restrictive - true to include claims specified by shortcut scopes in the issued ID token only when no access token is issued. false to include the claims in the issued ID token regardless of whether an access token is issued or not.
Returns:
this object.
public boolean isScopeRequired()
When a request has no explicit scope parameter and the service's pre-defined default scope set is empty, the authorization server regards the request as requesting no scope. When this flag is true, requests that request no scope are rejected.
The requirement below excerpted from RFC 6749 Section 3.3 does not explicitly mention the case where the default scope set is empty.
If the client omits the scope parameter when requesting authorization, the authorization server MUST either process the request using a pre-defined default value or fail the request indicating an invalid scope.
However, if you interpret "the default scope set exists but is empty" as "the default scope set does not exist" and want to strictly conform to the requirement above, this flag has to be true.
Returns:
true if the authorization server rejects requests that request no scope. false if the authorization server admits requests that request no scope.
public Service setScopeRequired(boolean required)
When a request has no explicit scope parameter and the service's pre-defined default scope set is empty, the authorization server regards the request as requesting no scope. When this flag is true, requests that request no scope are rejected.
The requirement below excerpted from RFC 6749 Section 3.3 does not explicitly mention the case where the default scope set is empty.
If the client omits the scope parameter when requesting authorization, the authorization server MUST either process the request using a pre-defined default value or fail the request indicating an invalid scope.
However, if you interpret "the default scope set exists but is empty" as "the default scope set does not exist" and want to strictly conform to the requirement above, this flag has to be true.
Parameters:
required - true to reject requests that request no scope. false to admit requests that request no scope.
Returns:
this object.
public boolean isNbfOptional()
nbf claim in the request object is optional even when the authorization request is regarded as a FAPI-Part2 request.
The final version of Financial-grade API was approved in January, 2021. Part 2 of the final version has new requirements on the lifetime of request objects. They require that request objects contain an nbf claim and that the lifetime computed by exp - nbf be no longer than 60 minutes.
Therefore, when an authorization request is regarded as a FAPI-Part2 request, the request object used in the authorization request must contain an nbf claim. Otherwise, the authorization server rejects the authorization request.
When this flag is true, the nbf claim is treated as an optional claim even when the authorization request is regarded as a FAPI-Part2 request. That is, the authorization server does not perform the validation on the lifetime of the request object.
Skipping the validation is a violation of the FAPI specification. The reason why this flag has been prepared nevertheless is that the new requirements (which do not exist in Implementer's Draft 2 released in October, 2018) have a big impact on deployed implementations of client applications, and Authlete thinks there should be a mechanism whereby to make the migration from ID2 to Final smooth without breaking live systems.
Returns:
true if the nbf claim is treated as an optional claim even when the authorization request is regarded as a FAPI-Part2 request.
public Service setNbfOptional(boolean optional)
nbf claim in the request object is optional even when the authorization request is regarded as a FAPI-Part2 request.
See the description of isNbfOptional() for details about this flag.
Parameters:
optional - true to treat the nbf claim as an optional claim.
Returns:
this object.
public boolean isIssSuppressed()
iss response parameter is suppressed.
"OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response" has defined a new authorization response parameter, iss, as a countermeasure for a certain type of mix-up attacks.
The specification requires that the iss response parameter always be included in authorization responses unless JARM (JWT Secured Authorization Response Mode) is used.
When this flag is true, the authorization server does not include the iss response parameter in authorization responses. By turning this flag on and off, developers of client applications can experiment with the mix-up attack and the effect of the iss response parameter.
Note that this flag should not be true in a production environment unless there are special reasons for it.
Returns:
true if the authorization server does not include the iss response parameter in authorization responses.
public Service setIssSuppressed(boolean suppressed)
iss response parameter is suppressed.
See the description of isIssSuppressed() for details about this flag.
Parameters:
suppressed - true to make the authorization server suppress the iss response parameter.
Returns:
this object.
public Pair[] getAttributes()
The feature of "service attributes" is available since Authlete 2.2.
public Service setAttributes(Pair[] attributes)
The feature of "service attributes" is available since Authlete 2.2.
Parameters:
attributes - Attributes.
Returns:
this object.
public Service loadAttributes(Iterable<Pair> attributes)
The feature of "service attributes" is available since Authlete 2.2.
Parameters:
attributes - Attributes.
Returns:
this object.
public String[] getSupportedCustomClientMetadata()
Standard specifications define client metadata as necessary. The following are such examples.
Standard client metadata included in Client Registration Requests and Client Update Requests (cf. OIDC DynReg, RFC 7591 and RFC 7592) are, if supported by Authlete, stored in the Authlete database. On the other hand, unrecognized client metadata are discarded.
By listing custom client metadata in advance by using this property (Service.supportedCustomClientMetadata), Authlete can recognize them and store their values in the database. The stored custom client metadata values can be referenced by Client.getCustomMetadata().
This property affects the behavior of the /api/client/registration API of Authlete 2.2 onwards.
See Also:
Client.getCustomMetadata()
public Service setSupportedCustomClientMetadata(String[] metadata)
Standard specifications define client metadata as necessary. The following are such examples.
Standard client metadata included in Client Registration Requests and Client Update Requests (cf. OIDC DynReg, RFC 7591 and RFC 7592) are, if supported by Authlete, stored in the Authlete database. On the other hand, unrecognized client metadata are discarded.
By listing custom client metadata in advance by using this property (Service.supportedCustomClientMetadata), Authlete can recognize them and store their values in the database. The stored custom client metadata values can be referenced by Client.getCustomMetadata().
This property affects the behavior of the /api/client/registration API of Authlete 2.2 onwards.
Parameters:
metadata - Custom client metadata supported by this service.
Returns:
this object.
See Also:
Client.getCustomMetadata()
public boolean isTokenExpirationLinked()
When a new access token is issued by a refresh token request (= a token request with grant_type=refresh_token), the expiration date of the access token may exceed the expiration date of the corresponding refresh token. This behavior itself is not wrong and may happen when isRefreshTokenKept() returns true and/or when isRefreshTokenDurationKept() returns true.
When this flag is true, the expiration date of an access token never exceeds that of the corresponding refresh token regardless of the calculated duration based on other settings such as getAccessTokenDuration(), ClientExtension.getAccessTokenDuration() and the access_token.duration attribute of scopes.
It is technically possible to set a value which is bigger than the duration of refresh tokens as the duration of access tokens, although it is strange. In that case, the duration of an access token becomes longer than the duration of the refresh token which is issued together with the access token. Even if the duration values are configured so, if this flag is true, the expiration date of the access token does not exceed that of the refresh token. That is, the duration of the access token will be shortened, and as a result, the access token and the refresh token will have the same expiration date.
Returns:
true if the service assures that the expiration date of an access token never exceeds that of the corresponding refresh token.
public Service setTokenExpirationLinked(boolean linked)
When a new access token is issued by a refresh token request (= a token request with grant_type=refresh_token), the expiration date of the access token may exceed the expiration date of the corresponding refresh token. This behavior itself is not wrong and may happen when isRefreshTokenKept() returns true and/or when isRefreshTokenDurationKept() returns true.
When this flag is true, the expiration date of an access token never exceeds that of the corresponding refresh token regardless of the calculated duration based on other settings such as getAccessTokenDuration(), ClientExtension.getAccessTokenDuration() and the access_token.duration attribute of scopes.
It is technically possible to set a value which is bigger than the duration of refresh tokens as the duration of access tokens, although it is strange. In that case, the duration of an access token becomes longer than the duration of the refresh token which is issued together with the access token. Even if the duration values are configured so, if this flag is true, the expiration date of the access token does not exceed that of the refresh token. That is, the duration of the access token will be shortened, and as a result, the access token and the refresh token will have the same expiration date.
Parameters:
linked - true to assure that the expiration date of an access token never exceeds that of the corresponding refresh token.
Returns:
this object.
public boolean isFrontChannelRequestObjectEncryptionRequired()
This flag does not affect the processing of request objects at the Pushed Authorization Request Endpoint, which is defined in OAuth 2.0 Pushed Authorization Requests. Unencrypted request objects are accepted at the endpoint even if this flag is true.
This flag does not indicate whether a request object is always required. There is a different flag, requestObjectRequired, for that purpose. See the description of isRequestObjectRequired() for details.
Even if this flag is false, encryption of request objects is required if the Client.frontChannelRequestObjectEncryptionRequired flag is true.
Returns:
true if encryption of request objects is required when the request object is passed through the front channel.
See Also:
isRequestObjectRequired(), Client.isFrontChannelRequestObjectEncryptionRequired()
public Service setFrontChannelRequestObjectEncryptionRequired(boolean required)
This flag does not affect the processing of request objects at the Pushed Authorization Request Endpoint, which is defined in OAuth 2.0 Pushed Authorization Requests. Unencrypted request objects are accepted at the endpoint even if this flag is true.
This flag does not indicate whether a request object is always required. There is a different flag, requestObjectRequired, for that purpose. See the description of isRequestObjectRequired() for details.
Even if this flag is false, encryption of request objects is required if the Client.frontChannelRequestObjectEncryptionRequired flag is true.
Parameters:
required - true to require that request objects passed through the front channel be encrypted.
Returns:
this object.
See Also:
isRequestObjectRequired(), Client.isFrontChannelRequestObjectEncryptionRequired()
public boolean isRequestObjectEncryptionAlgMatchRequired()
alg of an encrypted request object must match the request_object_encryption_alg client metadata of the client that has sent the request object.
The request_object_encryption_alg client metadata itself is defined in OpenID Connect Dynamic Client Registration 1.0 as follows.
request_object_encryption_alg
OPTIONAL. JWE [JWE] alg algorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to the OP. This parameter SHOULD be included when symmetric encryption will be used, since this signals to the OP that a client_secret value needs to be returned from which the symmetric key will be derived, that might not otherwise be returned. The RP MAY still use other supported encryption algorithms or send unencrypted Request Objects, even when this parameter is present. If both signing and encryption are requested, the Request Object will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The default, if omitted, is that the RP is not declaring whether it might encrypt any Request Objects.
The point here is "The RP MAY still use other supported encryption algorithms or send unencrypted Request Objects, even when this parameter is present."
The Client's property that represents the client metadata is Client.requestEncryptionAlg. See the description of Client.getRequestEncryptionAlg() for details.
Even if this flag is false, the match is required if the Client.requestObjectEncryptionAlgMatchRequired flag is true.
Returns:
true if the JWE alg of an encrypted request object must match the request_object_encryption_alg client metadata.
See Also:
Client.getRequestEncryptionAlg(), Client.isRequestObjectEncryptionAlgMatchRequired()
public Service setRequestObjectEncryptionAlgMatchRequired(boolean required)
alg of an encrypted request object must match the request_object_encryption_alg client metadata of the client that has sent the request object.
The request_object_encryption_alg client metadata itself is defined in OpenID Connect Dynamic Client Registration 1.0 as follows.
request_object_encryption_alg
OPTIONAL. JWE [JWE] alg algorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to the OP. This parameter SHOULD be included when symmetric encryption will be used, since this signals to the OP that a client_secret value needs to be returned from which the symmetric key will be derived, that might not otherwise be returned. The RP MAY still use other supported encryption algorithms or send unencrypted Request Objects, even when this parameter is present. If both signing and encryption are requested, the Request Object will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The default, if omitted, is that the RP is not declaring whether it might encrypt any Request Objects.
The point here is "The RP MAY still use other supported encryption algorithms or send unencrypted Request Objects, even when this parameter is present."
The Client's property that represents the client metadata is Client.requestEncryptionAlg. See the description of Client.getRequestEncryptionAlg() for details.
Even if this flag is false, the match is required if the Client.requestObjectEncryptionAlgMatchRequired flag is true.
Parameters:
required - true to require that the JWE alg of an encrypted request object match the request_object_encryption_alg client metadata.
Returns:
this object.
See Also:
Client.getRequestEncryptionAlg(), Client.isRequestObjectEncryptionAlgMatchRequired()
public boolean isRequestObjectEncryptionEncMatchRequired()
enc of an encrypted request object must match the request_object_encryption_enc client metadata of the client that has sent the request object.
The request_object_encryption_enc client metadata itself is defined in OpenID Connect Dynamic Client Registration 1.0 as follows.
request_object_encryption_enc
OPTIONAL. JWE enc algorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to the OP. If request_object_encryption_alg is specified, the default for this value is A128CBC-HS256. When request_object_encryption_enc is included, request_object_encryption_alg MUST also be provided.
The Client's property that represents the client metadata is Client.requestEncryptionEnc. See the description of Client.getRequestEncryptionEnc() for details.
Even if this flag is false, the match is required if the Client.requestObjectEncryptionEncMatchRequired flag is true.
Returns:
true if the JWE enc of an encrypted request object must match the request_object_encryption_enc client metadata.
See Also:
Client.getRequestEncryptionEnc(), Client.isRequestObjectEncryptionEncMatchRequired()
public Service setRequestObjectEncryptionEncMatchRequired(boolean required)
enc of an encrypted request object must match the request_object_encryption_enc client metadata of the client that has sent the request object.
The request_object_encryption_enc client metadata itself is defined in OpenID Connect Dynamic Client Registration 1.0 as follows.
request_object_encryption_enc
OPTIONAL. JWE enc algorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to the OP. If request_object_encryption_alg is specified, the default for this value is A128CBC-HS256. When request_object_encryption_enc is included, request_object_encryption_alg MUST also be provided.
The Client's property that represents the client metadata is Client.requestEncryptionEnc. See the description of Client.getRequestEncryptionEnc() for details.
Even if this flag is false, the match is required if the Client.requestObjectEncryptionEncMatchRequired flag is true.
Parameters:
required - true to require that the JWE enc of an encrypted request object match the request_object_encryption_enc client metadata.
Returns:
this object.
See Also:
Client.getRequestEncryptionEnc(), Client.isRequestObjectEncryptionEncMatchRequired()
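How the service-level and client-level flags above combine when a request object is validated, covering the alg/enc match flags and the FAPI-Part2 nbf lifetime rule described under isNbfOptional(). This is an added example, not Authlete's code; the class and field names are assumptions, and the handling of a client that registered no request_object_encryption_alg is this example's own choice.

```java
import java.time.Duration;

// Added example, not Authlete's code: combines the Service flags
// requestObjectEncryptionAlgMatchRequired, requestObjectEncryptionEncMatchRequired
// and nbfOptional with the matching Client settings for one parsed request object.
public final class RequestObjectPolicy {

    /** Subset of the Service flags this check needs (hypothetical mirror of the Service properties). */
    public static final class ServiceFlags {
        public boolean requestObjectEncryptionAlgMatchRequired;
        public boolean requestObjectEncryptionEncMatchRequired;
        public boolean nbfOptional;
    }

    /** Subset of the registered Client metadata and flags (hypothetical mirror of the Client properties). */
    public static final class ClientSettings {
        public String requestEncryptionAlg; // request_object_encryption_alg, or null if not registered
        public String requestEncryptionEnc; // request_object_encryption_enc, or null if not registered
        public boolean requestObjectEncryptionAlgMatchRequired;
        public boolean requestObjectEncryptionEncMatchRequired;
    }

    /** The parts of a request object this check looks at, after JWE/JWS processing. */
    public static final class RequestObject {
        public String jweAlg; // JWE header "alg", or null if the request object was not encrypted
        public String jweEnc; // JWE header "enc", or null if the request object was not encrypted
        public Long nbf;      // "nbf" claim (seconds since epoch), or null if absent
        public Long exp;      // "exp" claim (seconds since epoch), or null if absent
    }

    /** Default enc when only request_object_encryption_alg is registered (quoted from OIDC DynReg 1.0 above). */
    static final String DEFAULT_ENC = "A128CBC-HS256";

    /** FAPI 1.0 Part 2 final: the lifetime exp - nbf must not exceed 60 minutes. */
    static final long MAX_LIFETIME_SECONDS = Duration.ofMinutes(60).getSeconds();

    /** Returns null when the request object is acceptable, otherwise the reason it is rejected. */
    public static String validate(ServiceFlags service, ClientSettings client,
                                  RequestObject ro, boolean fapiPart2Request) {
        // Service flag and client flag are OR-ed: either one alone makes the match mandatory.
        boolean algMatchRequired = service.requestObjectEncryptionAlgMatchRequired
                || client.requestObjectEncryptionAlgMatchRequired;
        boolean encMatchRequired = service.requestObjectEncryptionEncMatchRequired
                || client.requestObjectEncryptionEncMatchRequired;

        if (ro.jweAlg != null) { // only an encrypted request object has a JWE alg/enc to compare
            // Assumption of this example: if the client registered no alg there is nothing
            // to compare against; when it did, that registered value is what must match.
            if (algMatchRequired && client.requestEncryptionAlg != null
                    && !client.requestEncryptionAlg.equals(ro.jweAlg)) {
                return "JWE alg " + ro.jweAlg + " does not match registered request_object_encryption_alg "
                        + client.requestEncryptionAlg;
            }
            String expectedEnc = client.requestEncryptionEnc;
            if (expectedEnc == null && client.requestEncryptionAlg != null) {
                expectedEnc = DEFAULT_ENC; // the spec's default applies once an alg is registered
            }
            if (encMatchRequired && expectedEnc != null && !expectedEnc.equals(ro.jweEnc)) {
                return "JWE enc " + ro.jweEnc + " does not match expected request_object_encryption_enc "
                        + expectedEnc;
            }
        }

        if (fapiPart2Request && !service.nbfOptional) {
            if (ro.nbf == null) return "FAPI-Part2 request object lacks the nbf claim";
            if (ro.exp == null) return "FAPI-Part2 request object lacks the exp claim";
            long lifetime = ro.exp - ro.nbf;
            if (lifetime < 0 || lifetime > MAX_LIFETIME_SECONDS) {
                return "request object lifetime (exp - nbf) is " + lifetime
                        + " s; FAPI-Part2 allows at most " + MAX_LIFETIME_SECONDS + " s";
            }
        }
        return null;
    }

    public static void main(String[] args) {
        ServiceFlags service = new ServiceFlags();
        service.requestObjectEncryptionAlgMatchRequired = true;

        ClientSettings client = new ClientSettings();
        client.requestEncryptionAlg = "RSA-OAEP-256"; // constructed registration; enc left to the default

        RequestObject ro = new RequestObject();
        ro.jweAlg = "ECDH-ES";        // constructed: a different alg than the one registered
        ro.jweEnc = "A128CBC-HS256";
        ro.nbf = 1_700_000_000L;
        ro.exp = ro.nbf + 3600;       // exactly 60 minutes

        System.out.println(validate(service, client, ro, true)); // alg differs from the registration
        ro.jweAlg = "RSA-OAEP-256";
        System.out.println(validate(service, client, ro, true)); // alg now matches, lifetime within limit
        ro.exp = ro.nbf + 7200;
        System.out.println(validate(service, client, ro, true)); // lifetime of 120 minutes
        service.nbfOptional = true;
        System.out.println(validate(service, client, ro, true)); // lifetime validation skipped
    }
}
```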
public boolean isHsmEnabled()
When this flag is false, keys managed in HSMs are not used even if they exist. In addition, the /api/hsk/* APIs reject all requests.
Even if this flag is true, HSM-related features do not work if the configuration of the Authlete server you are using does not support HSM.
Returns:
true if HSM support is enabled for this service.
public Service setHsmEnabled(boolean enabled)
When this flag is false, keys managed in HSMs are not used even if they exist. In addition, the /api/hsk/* APIs reject all requests.
Even if this flag is true, HSM-related features do not work if the configuration of the Authlete server you are using does not support HSM.
Parameters:
enabled - true to enable HSM support for this service.
Returns:
this object.
public Hsk[] getHsks()
This hsks property is output only, meaning that hsks in requests to the /api/service/create API and the /api/service/update API do not have any effect. The contents of this property are controlled only by the /api/hsk/* APIs.
public Service setHsks(Hsk[] hsks)
This hsks property is output only, meaning that hsks in requests to the /api/service/create API and the /api/service/update API do not have any effect. The contents of this property are controlled only by the /api/hsk/* APIs.
Parameters:
hsks - Information about keys managed on HSMs.
Returns:
this object.
public URI getGrantManagementEndpoint()
public Service setGrantManagementEndpoint(URI endpoint)
Parameters:
endpoint - The URL of the grant management endpoint.
Returns:
this object.
public boolean isGrantManagementActionRequired()
grant_management_action request parameter.
This property corresponds to the grant_management_action_required server metadata defined in "Grant Management for OAuth 2.0".
Note that setting this property to true will result in blocking all public clients, because the specification requires that grant management be usable only by confidential clients for security reasons.
Returns:
true if every authorization request must include the grant_management_action request parameter.
public Service setGrantManagementActionRequired(boolean required)
grant_management_action request parameter.
This property corresponds to the grant_management_action_required server metadata defined in "Grant Management for OAuth 2.0".
Note that setting this property to true will result in blocking all public clients, because the specification requires that grant management be usable only by confidential clients for security reasons.
Parameters:
required - true to require that every authorization request include the grant_management_action request parameter.
Returns:
this object.
public boolean isUnauthorizedOnClientConfigSupported()
/api/client/registration API uses UNAUTHORIZED as a value of the action response parameter when appropriate.
See the description of setUnauthorizedOnClientConfigSupported(boolean) for details.
Returns:
true if Authlete's /api/client/registration API uses UNAUTHORIZED as a value of the action response parameter when appropriate. false if UNAUTHORIZED is not used in any case.
public Service setUnauthorizedOnClientConfigSupported(boolean supported)
/api/client/registration API uses UNAUTHORIZED as a value of the action response parameter when appropriate.
The UNAUTHORIZED enum value did not exist in the initial implementation of the ClientRegistrationResponse.Action enum. This means that implementations of the client configuration endpoint were not able to conform to RFC 7592 strictly.
For backward compatibility (to avoid breaking running systems), Authlete's /api/client/registration API does not return the UNAUTHORIZED enum value if this flag is not turned on.
The steps an existing implementation of the client configuration endpoint has to take in order to conform to the requirement related to "401 Unauthorized" are as follows.
1. UNAUTHORIZED action.
2. unauthorizedOnClientConfigSupported flag.
Parameters:
supported - true to let Authlete's /api/client/registration API use the UNAUTHORIZED enum value when appropriate. false to prevent the UNAUTHORIZED enum value from being used.
Returns:
this object.
public boolean isDcrScopeUsedAsRequestable()
scope request parameter in dynamic client registration and update requests (RFC 7591 and RFC 7592) is used as the scopes that the client can request.
Limiting the range of scopes that a client can request is achieved by listing scopes in the client.extension.requestableScopes property (cf. ClientExtension.getRequestableScopes()) and setting the client.extension.requestableScopesEnabled property (cf. ClientExtension.isRequestableScopesEnabled()) to true. This feature is called "requestable scopes".
This property affects the behavior of the /api/client/registration API and the other APIs of that family.
Returns:
true if the scope request parameter in dynamic client registration and update requests is used to limit the range of scopes that the client can request. false if Authlete does nothing special for the scope request parameter.
public Service setDcrScopeUsedAsRequestable(boolean used)
scope request parameter in dynamic client registration and update requests (RFC 7591 and RFC 7592) is used as the scopes that the client can request.
Limiting the range of scopes that a client can request is achieved by listing scopes in the client.extension.requestableScopes property (cf. ClientExtension.getRequestableScopes()) and setting the client.extension.requestableScopesEnabled property (cf. ClientExtension.isRequestableScopesEnabled()) to true. This feature is called "requestable scopes".
This property affects the behavior of the /api/client/registration API and the other APIs of that family.
Parameters:
used - true to make Authlete treat the scope request parameter in dynamic client registration and update requests as requestable scopes. false to leave it to Authlete (Authlete will do nothing special).
Returns:
this object.
public String getPredefinedTransformedClaims()
transformed_claims_predefined server metadata.
See the description of setPredefinedTransformedClaims(String) for details.
This predefinedTransformedClaims property is available from Authlete 2.3 onwards.
See Also:
setPredefinedTransformedClaims(String)
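A worked evaluation of the predefined transformed claim 18_or_over (birthdate, years_ago, gte 18) and of a claims request that asks for it with the "::" prefix, as described under setPredefinedTransformedClaims(String) below. This is an added example, not Authlete's code or the Transformed Claims specification's reference implementation; the in-memory representation of the JSON definition and the semantics of years_ago and gte are assumptions of the example.

```java
import java.time.LocalDate;
import java.time.Period;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added example, not Authlete's code: evaluates a predefined transformed claim of the
// form { "<name>": { "claim": "<source>", "fn": [ "<fn>", [ "<fn>", <arg> ] ] } } and
// resolves "::<name>" entries of a claims request against it.
public final class TransformedClaims {

    /** One predefined transformed claim: the source claim and its function pipeline. */
    public static final class Definition {
        final String claim;
        final List<Object> fn; // each entry is either "name" or a two-element list ["name", arg]
        Definition(String claim, List<Object> fn) { this.claim = claim; this.fn = fn; }
    }

    /** Applies one transformation function; unknown names are rejected rather than silently ignored. */
    static Object apply(String name, Object arg, Object value, LocalDate today) {
        switch (name) {
            case "years_ago": // "YYYY-MM-DD" date -> whole years elapsed until today (assumed semantics)
                return Period.between(LocalDate.parse(value.toString()), today).getYears();
            case "gte":       // number -> boolean: value >= arg (assumed semantics)
                return ((Number) value).longValue() >= ((Number) arg).longValue();
            default:
                throw new IllegalArgumentException("unsupported transformation function: " + name);
        }
    }

    /** Runs the whole pipeline of a definition against the user's claims; null if the source claim is missing. */
    public static Object evaluate(Definition def, Map<String, Object> userClaims, LocalDate today) {
        Object value = userClaims.get(def.claim);
        if (value == null) return null;
        for (Object step : def.fn) {
            if (step instanceof List) {
                List<?> call = (List<?>) step;
                value = apply((String) call.get(0), call.get(1), value, today);
            } else {
                value = apply((String) step, null, value, today);
            }
        }
        return value;
    }

    /**
     * Resolves the "id_token" member of a claims request. Names starting with "::" are looked up
     * among the predefined transformed claims and the evaluated value is placed in the ID token
     * under the same "::"-prefixed name; other names are passed through from the user's claims.
     */
    public static Map<String, Object> resolveIdTokenClaims(Map<String, Object> requestedIdTokenClaims,
            Map<String, Definition> predefined, Map<String, Object> userClaims, LocalDate today) {
        Map<String, Object> idToken = new LinkedHashMap<>();
        for (String name : requestedIdTokenClaims.keySet()) {
            if (name.startsWith("::")) {
                Definition def = predefined.get(name.substring(2));
                if (def == null) continue; // not a predefined transformed claim: nothing to embed
                Object v = evaluate(def, userClaims, today);
                if (v != null) idToken.put(name, v);
            } else if (userClaims.containsKey(name)) {
                idToken.put(name, userClaims.get(name));
            }
        }
        return idToken;
    }

    public static void main(String[] args) {
        // { "18_or_over": { "claim": "birthdate", "fn": [ "years_ago", [ "gte", 18 ] ] } }
        Map<String, Definition> predefined = Map.of("18_or_over",
                new Definition("birthdate", List.<Object>of("years_ago", List.<Object>of("gte", 18))));

        // { "id_token": { "::18_or_over": null } }  (Map.of rejects null values, hence a LinkedHashMap)
        Map<String, Object> requested = new LinkedHashMap<>();
        requested.put("::18_or_over", null);

        LocalDate today = LocalDate.of(2024, 6, 1); // fixed "now" so the example is reproducible
        Map<String, Object> adult = Map.of("birthdate", "2000-05-31"); // constructed sample user, 24 years old
        Map<String, Object> minor = Map.of("birthdate", "2010-05-31"); // constructed sample user, 14 years old

        System.out.println(resolveIdTokenClaims(requested, predefined, adult, today));
        System.out.println(resolveIdTokenClaims(requested, predefined, minor, today));
    }
}
```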
public Service setPredefinedTransformedClaims(String claims)
transformed_claims_predefined server metadata.
"Transformed Claims" is a specification that makes it possible to define a "transformed claim" which transforms the value of an existing claim by applying "transformation functions".
The following example defines a transformed claim named 18_or_over which uses the birthdate claim as input and applies two transformation functions, years_ago and gte. As a result of the transformation, the transformed claim will have a boolean value.
{ "18_or_over": { "claim": "birthdate", "fn": [ "years_ago", [ "gte", 18 ] ] } }
A client application can request a predefined transformed claim by prepending two colons (::) to the name of a transformed claim. The following is an example of the claims request parameter (OpenID Connect Core 1.0, 5.5. Requesting Claims using the "claims" Request Parameter) that requests a predefined transformed claim named 18_or_over to be embedded in an ID token.
{ "id_token": { "::18_or_over": null } }
If the age of the user is 18 or over, the ID token will contain the transformed claim like below.
"::18_or_over": true
This predefinedTransformedClaims property is available from Authlete 2.3 onwards.
Parameters:
claims - Predefined transformed claims in JSON format.
Returns:
this object.
public boolean isLoopbackRedirectionUriVariable()
When this flag is true, if the host component of a redirection URI specified in an authorization request indicates loopback (to be precise, when the host component is localhost, 127.0.0.1 or ::1), the port number component is ignored when the specified redirection URI is compared to pre-registered ones. This behavior is described in 7.3. Loopback Interface Redirection of RFC 8252 OAuth 2.0 for Native Apps.
3.1.2.3. Dynamic Configuration of RFC 6749 states "If the client registration included the full redirection URI, the authorization server MUST compare the two URIs using simple string comparison as defined in [RFC3986] Section 6.2.1." Also, the description of redirect_uri in 3.1.2.1. Authentication Request of OpenID Connect Core 1.0 states "This URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching performed as described in Section 6.2.1 of [RFC3986] (Simple String Comparison)." This flag takes precedence over these "Simple String Comparison" requirements. That is, even when the conditions described in RFC 6749 and OpenID Connect Core 1.0 are satisfied, the port number component of loopback redirection URIs can be variable when this flag is true.
8.3. Loopback Redirect Considerations of RFC 8252 states as follows.
While redirect URIs using localhost (i.e., "http://localhost:{port}/{path}") function similarly to loopback IP redirects described in Section 7.3, the use of localhost is NOT RECOMMENDED. Specifying a redirect URI with the loopback IP literal rather than localhost avoids inadvertently listening on network interfaces other than the loopback interface. It is also less susceptible to client-side firewalls and misconfigured host name resolution on the user's device.
However, Authlete allows the port number component to be variable in the case of localhost, too. It is left to client applications whether they use localhost or a literal loopback IP address (127.0.0.1 for IPv4 or ::1 for IPv6).
Section 7.3 and Section 8.3 of RFC 8252 state that loopback redirection URIs use the "http" scheme, but Authlete allows the port number component to be variable in other cases (e.g. in the case of the "https" scheme), too.
public Service setLoopbackRedirectionUriVariable(boolean variable)

Set the flag indicating whether the port number component of loopback redirection URIs is allowed to be variable.

When this flag is true, if the host component of a redirection URI specified in an authorization request indicates loopback (to be precise, when the host component is localhost, 127.0.0.1 or ::1), the port number component is ignored when the specified redirection URI is compared to pre-registered ones. This behavior is described in 7.3. Loopback Interface Redirection of RFC 8252 OAuth 2.0 for Native Apps.

3.1.2.3. Dynamic Configuration of RFC 6749 states "If the client registration included the full redirection URI, the authorization server MUST compare the two URIs using simple string comparison as defined in [RFC3986] Section 6.2.1." Also, the description of redirect_uri in 3.1.2.1. Authentication Request of OpenID Connect Core 1.0 states "This URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching performed as described in Section 6.2.1 of [RFC3986] (Simple String Comparison)." These "Simple String Comparison" requirements are overridden by this flag. That is, even when the conditions described in RFC 6749 and OpenID Connect Core 1.0 are satisfied, the port number component of loopback redirection URIs can be variable when this flag is true.

8.3. Loopback Redirect Considerations of RFC 8252 states as follows.

    While redirect URIs using localhost (i.e., "http://localhost:{port}/{path}") function similarly to loopback IP redirects described in Section 7.3, the use of localhost is NOT RECOMMENDED. Specifying a redirect URI with the loopback IP literal rather than localhost avoids inadvertently listening on network interfaces other than the loopback interface. It is also less susceptible to client-side firewalls and misconfigured host name resolution on the user's device.

However, Authlete allows the port number component to be variable in the case of localhost, too. It is left to client applications whether they use localhost or a literal loopback IP address (127.0.0.1 for IPv4 or ::1 for IPv6).

Section 7.3 and Section 8.3 of RFC 8252 state that loopback redirection URIs use the "http" scheme, but Authlete allows the port number component to be variable in other cases (e.g. in the case of the "https" scheme), too.
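The comparison this flag controls, written out as an added example that is not Authlete's code. The loopback host list and the "ignore the port only for loopback hosts" rule are taken from the text above; the function names and the sample URIs are assumptions.

```python
# Added example, not Authlete's code: redirection URI matching with and
# without the loopback port-variable flag. Function names are assumptions.
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def redirect_uri_matches(requested, registered, loopback_port_variable):
    """Return True when `requested` may be accepted for `registered`.

    Without the flag this is the simple string comparison required by
    RFC 6749 3.1.2.3 and OpenID Connect Core 1.0 3.1.2.1. With the flag, a
    requested URI whose host is loopback also matches when only the port
    differs (RFC 8252 7.3); the scheme is deliberately not restricted to
    "http", as the text above explains.
    """
    if requested == registered:
        return True
    if not loopback_port_variable:
        return False
    req, reg = urlsplit(requested), urlsplit(registered)
    # .hostname is lower-cased and has IPv6 brackets removed, so "[::1]" -> "::1".
    if req.hostname not in LOOPBACK_HOSTS:
        return False
    # Everything except the port must still be identical, userinfo included.
    parts = lambda u: (u.scheme, u.username, u.password, u.hostname,
                       u.path, u.query, u.fragment)
    return parts(req) == parts(reg)


def find_registered_uri(requested, registered_uris, loopback_port_variable):
    """Pick the pre-registered URI that `requested` matches, or None.
    An exact match wins over a loopback port-variable match."""
    if requested in registered_uris:
        return requested
    for candidate in registered_uris:
        if redirect_uri_matches(requested, candidate, loopback_port_variable):
            return candidate
    return None


if __name__ == "__main__":
    registered = ["https://app.example.com/cb", "http://127.0.0.1/cb"]
    print(find_registered_uri("http://127.0.0.1:51004/cb", registered, True))
    print(find_registered_uri("http://127.0.0.1:51004/cb", registered, False))
```

Note that a requested localhost URI never matches a registered 127.0.0.1 one (or vice versa): the relaxation applies to the port only, so the client must register whichever loopback form it actually uses.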
Parameters:
variable - True to allow the port number component of loopback redirection URIs to be variable.

Returns:
this object.

public boolean isRequestObjectAudienceChecked()
Get the flag indicating whether Authlete checks whether the aud claim of request objects matches the issuer identifier of this service.

Section 6.1. Passing a Request Object by Value of OpenID Connect Core 1.0 has the following statement.

    The aud value SHOULD be or include the OP's Issuer Identifier URL.

Likewise, Section 4. Request Object of RFC 9101 (The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR)) has the following statement.

    The value of aud should be the value of the authorization server (AS) issuer, as defined in RFC 8414.

As excerpted above, validation of the aud claim of request objects is optional. However, if this flag is turned on, Authlete checks whether the aud claim of request objects matches the issuer identifier of this service and raises an error if they are different.

Returns:
true if Authlete checks whether the aud claim of request objects matches the issuer identifier of this service.

public Service setRequestObjectAudienceChecked(boolean checked)
Set the flag indicating whether Authlete checks whether the aud claim of request objects matches the issuer identifier of this service.

Section 6.1. Passing a Request Object by Value of OpenID Connect Core 1.0 has the following statement.

    The aud value SHOULD be or include the OP's Issuer Identifier URL.

Likewise, Section 4. Request Object of RFC 9101 (The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR)) has the following statement.

    The value of aud should be the value of the authorization server (AS) issuer, as defined in RFC 8414.

As excerpted above, validation of the aud claim of request objects is optional. However, if this flag is turned on, Authlete checks whether the aud claim of request objects matches the issuer identifier of this service and raises an error if they are different.
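The audience check this flag turns on, as an added example that is not Authlete's code, applied to the already decoded claims of a request object. Accepting either a single string or an array that includes the issuer follows the "be or include" wording of OpenID Connect Core 1.0 quoted above; the function names, the reason strings and the sample values are assumptions.

```python
# Added example, not Authlete's code: the aud check of a request object.
# Function names and reason strings are assumptions.


def audience_includes_issuer(claims, issuer):
    """True when the "aud" claim is the issuer identifier or an array of
    strings that includes it. Any other shape (missing, wrong type,
    non-string entries) is treated as a mismatch."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        return aud == issuer
    if isinstance(aud, list):
        return all(isinstance(a, str) for a in aud) and issuer in aud
    return False


def validate_request_object_audience(claims, issuer, request_object_audience_checked):
    """Return (accepted, reason). The signature of the request object is
    assumed to have been verified before this step. When the flag is off the
    step is skipped entirely, because the specifications make it a SHOULD."""
    if not request_object_audience_checked:
        return True, "aud not checked (flag off)"
    if audience_includes_issuer(claims, issuer):
        return True, "aud matches issuer"
    return False, "aud %r does not match issuer %r" % (claims.get("aud"), issuer)


if __name__ == "__main__":
    issuer = "https://as.example.com"
    for claims in ({"aud": issuer}, {"aud": ["https://other.example", issuer]},
                   {"aud": "https://other.example"}, {}):
        print(claims, "->", validate_request_object_audience(claims, issuer, True))
```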
Parameters:
checked - true to make Authlete check whether the aud claim of request objects matches the issuer identifier of this service.

Returns:
this object.

public boolean isAccessTokenForExternalAttachmentEmbedded()
Get the flag indicating whether Authlete generates access tokens for external attachments and embeds them in ID tokens and userinfo responses.

The third draft of OpenID Connect for Identity Assurance 1.0 introduced a new feature called "Attachments". The feature enables OpenID Providers to attach additional contents as parts of "evidence".

There are two types of attachments. One is "embedded attachment", where the contents of attachments are base64-encoded and embedded in ID tokens and userinfo responses directly. The other is "external attachment", where the contents of attachments are hosted on resource servers and their URLs are embedded in ID tokens and userinfo responses.

When an OpenID Provider embeds URLs of external attachments in ID tokens and userinfo responses, it may optionally embed access tokens with which the client application accesses the external attachments.

The following is an example of "verified_claims" that shows how an access token is embedded. (A simplified version of an example in the specification.)

    "verified_claims": {
      "verification": {
        "trust_framework": "eidas",
        "evidence": [
          {
            "type": "document",
            "attachments": [
              {
                "desc": "Front of id document",
                "digest": {
                  "alg": "sha-256",
                  "value": "qC1zE5AfxylOFLrCnOIURXJUvnZwSFe5uUj8t6hdQVM="
                },
                "url": "https://example.com/attachments/pGL9yz4hZQ",
                "access_token": "ksj3n283dke",
                "exp": 1676552089
              }
            ]
          }
        ]
      },
      "claims": {
        "given_name": "Max",
        "family_name": "Mustermann",
        "birthdate": "1956-01-28"
      }
    }

Because it is developers (not Authlete) who prepare the content of "verified_claims" (cf. the "claims" request parameter of Authlete's /api/auth/authorization/issue API), developers can embed arbitrary access tokens for external attachments. However, preparing access tokens appropriately is a burdensome task. The task can be delegated to Authlete by setting this accessTokenForExternalAttachmentEmbedded property to true.

When this property is set to true, Authlete behaves as described below for each element in the "attachments" array.

1. If the element does not contain the "url" property, Authlete does nothing for it, because the absence of "url" means that the element is not an external attachment.
2. If the element already contains the "access_token" property, Authlete does nothing for it.
3. If the element contains the "exp" property, its value is used to compute the duration of the access token. Otherwise, (1) the duration of the ID token is used as the duration of the access token for the external attachment in the case where the URL of the external attachment is going to be embedded in an ID token, or (2) the remaining duration of the access token which was presented at the userinfo endpoint is used as the duration of the access token for the external attachment in the case where the URL of the external attachment is going to be embedded in a userinfo response.
4. Authlete generates an access token for the external attachment as if the resource request parameter defined in RFC 8707 (Resource Indicators for OAuth 2.0) were used.
5. Authlete embeds the "access_token" and "exp" properties in the element, whose values are the generated access token and the computed duration.

Note that the expires_in property was replaced with exp after the 4th draft of the OpenID Connect for Identity Assurance 1.0 was published.

Returns:
true if Authlete generates access tokens for external attachments and embeds them in ID tokens and userinfo responses.

public Service setAccessTokenForExternalAttachmentEmbedded(boolean embedded)
Set the flag indicating whether Authlete generates access tokens for external attachments and embeds them in ID tokens and userinfo responses.

The third draft of OpenID Connect for Identity Assurance 1.0 introduced a new feature called "Attachments". The feature enables OpenID Providers to attach additional contents as parts of "evidence".

There are two types of attachments. One is "embedded attachment", where the contents of attachments are base64-encoded and embedded in ID tokens and userinfo responses directly. The other is "external attachment", where the contents of attachments are hosted on resource servers and their URLs are embedded in ID tokens and userinfo responses.

When an OpenID Provider embeds URLs of external attachments in ID tokens and userinfo responses, it may optionally embed access tokens with which the client application accesses the external attachments.

The following is an example of "verified_claims" that shows how an access token is embedded. (A simplified version of an example in the specification.)

    "verified_claims": {
      "verification": {
        "trust_framework": "eidas",
        "evidence": [
          {
            "type": "document",
            "attachments": [
              {
                "desc": "Front of id document",
                "digest": {
                  "alg": "sha-256",
                  "value": "qC1zE5AfxylOFLrCnOIURXJUvnZwSFe5uUj8t6hdQVM="
                },
                "url": "https://example.com/attachments/pGL9yz4hZQ",
                "access_token": "ksj3n283dke",
                "exp": 1676552089
              }
            ]
          }
        ]
      },
      "claims": {
        "given_name": "Max",
        "family_name": "Mustermann",
        "birthdate": "1956-01-28"
      }
    }

Because it is developers (not Authlete) who prepare the content of "verified_claims" (cf. the "claims" request parameter of Authlete's /api/auth/authorization/issue API), developers can embed arbitrary access tokens for external attachments. However, preparing access tokens appropriately is a burdensome task. The task can be delegated to Authlete by setting this accessTokenForExternalAttachmentEmbedded property to true.

When this property is set to true, Authlete behaves as described below for each element in the "attachments" array.

1. If the element does not contain the "url" property, Authlete does nothing for it, because the absence of "url" means that the element is not an external attachment.
2. If the element already contains the "access_token" property, Authlete does nothing for it.
3. If the element contains the "exp" property, its value is used to compute the duration of the access token. Otherwise, (1) the duration of the ID token is used as the duration of the access token for the external attachment in the case where the URL of the external attachment is going to be embedded in an ID token, or (2) the remaining duration of the access token which was presented at the userinfo endpoint is used as the duration of the access token for the external attachment in the case where the URL of the external attachment is going to be embedded in a userinfo response.
4. Authlete generates an access token for the external attachment as if the resource request parameter defined in RFC 8707 (Resource Indicators for OAuth 2.0) were used.
5. Authlete embeds the "access_token" and "exp" properties in the element, whose values are the generated access token and the computed duration.

Note that the expires_in property was replaced with exp after the 4th draft of the OpenID Connect for Identity Assurance 1.0 was published.
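The per-element behaviour listed above, as an added example that is not Authlete's code, so the rules can be traced on the sample "verified_claims". The element keys ("url", "access_token", "exp") and the two fallback durations come from the documentation; treating the attachment URL as the RFC 8707 target resource, the mint() hook, the helper names and the constructed sample data are assumptions.

```python
# Added example, not Authlete's code: embedding access tokens for external
# attachments. The mint() hook, helper names and sample data are assumptions.
import copy
import secrets


def mint_opaque_token(resource, exp):
    """Placeholder token factory: a random string, the way a non-JWT access
    token is issued. A real server would persist (token, resource, exp)
    so the resource server hosting the attachment can introspect it."""
    return secrets.token_urlsafe(16)


def embed_attachment_tokens(verified_claims, fallback_exp, mint=mint_opaque_token):
    """Return a copy of verified_claims with an access token embedded in every
    external attachment that lacks one, plus the list of tokens issued.

    fallback_exp is the expiration used when an element carries no "exp":
    the ID token's expiration when the URL goes into an ID token, or the
    expiration of the access token presented to the userinfo endpoint when
    the URL goes into a userinfo response (rules (1) and (2) above).
    """
    vc = copy.deepcopy(verified_claims)       # the developer's input is left untouched
    issued = []
    for evidence in vc.get("verification", {}).get("evidence", []):
        for element in evidence.get("attachments", []):
            if "url" not in element:
                continue                      # embedded attachment: nothing to do
            if "access_token" in element:
                continue                      # developer supplied a token already
            exp = element.get("exp", fallback_exp)
            token = mint(element["url"], exp)  # audience = the attachment URL (assumed)
            element["access_token"] = token
            element["exp"] = exp
            issued.append({"resource": element["url"], "exp": exp})
    return vc, issued


# Constructed input: the documentation's sample with the developer-supplied
# token removed from the first attachment, plus an embedded attachment and an
# external attachment that already carries a token. Digests are placeholders.
SAMPLE = {
    "verification": {
        "trust_framework": "eidas",
        "evidence": [{
            "type": "document",
            "attachments": [
                {"desc": "Front of id document",
                 "digest": {"alg": "sha-256", "value": "qC1zE5AfxylOFLrCnOIURXJUvnZwSFe5uUj8t6hdQVM="},
                 "url": "https://example.com/attachments/pGL9yz4hZQ"},
                {"desc": "Back of id document",
                 "digest": {"alg": "sha-256", "value": "placeholder-digest"},
                 "url": "https://example.com/attachments/back", "exp": 1676552089},
                {"desc": "Selfie", "content_type": "image/png", "content": "iVBORw0KGgo="},
                {"desc": "Already tokenised", "url": "https://example.com/attachments/x",
                 "access_token": "ksj3n283dke", "exp": 1676552089},
            ],
        }],
    },
    "claims": {"given_name": "Max", "family_name": "Mustermann", "birthdate": "1956-01-28"},
}


if __name__ == "__main__":
    out, issued = embed_attachment_tokens(SAMPLE, fallback_exp=1676550000)
    for entry in issued:
        print(entry)
```

Binding each token to a single attachment URL keeps a leaked attachment token from being usable against any other resource, which is the point of issuing it as if a resource indicator had been supplied.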
Parameters:
embedded - true to make Authlete generate access tokens for external attachments and embed them in ID tokens and userinfo responses.

Returns:
this object.

public boolean isRefreshTokenIdempotent()
Get the flag indicating whether multiple refresh token requests in a short period can obtain the same renewed refresh token.

This feature is available in Authlete 2.3 onwards.

Returns:
true if multiple refresh token requests in a short period can obtain the same renewed refresh token.

public Service setRefreshTokenIdempotent(boolean idempotent)
Set the flag indicating whether multiple refresh token requests in a short period can obtain the same renewed refresh token.

This feature is available in Authlete 2.3 onwards.

Parameters:
idempotent - true to enable multiple refresh token requests in a short period to obtain the same renewed refresh token.

Returns:
this object.

public boolean isFederationEnabled()
Get the flag indicating whether this service supports OpenID Connect Federation 1.0.

If the feature of OpenID Connect Federation 1.0 is not enabled in the Authlete server on which this service is hosted, functions related to OpenID Connect Federation 1.0 are not usable regardless of the setting of this property.

OpenID Connect Federation 1.0 is supported by Authlete 2.3 onwards.

Returns:
true if this service supports OpenID Connect Federation 1.0.

public Service setFederationEnabled(boolean enabled)
Set the flag indicating whether this service supports OpenID Connect Federation 1.0.

If the feature of OpenID Connect Federation 1.0 is not enabled in the Authlete server on which this service is hosted, functions related to OpenID Connect Federation 1.0 are not usable regardless of the setting of this property.

OpenID Connect Federation 1.0 is supported by Authlete 2.3 onwards.

Parameters:
enabled - true to enable the feature of OpenID Connect Federation 1.0.

Returns:
this object.

public String getOrganizationName()
Get the name of the organization that operates this service. This property corresponds to the organization_name server metadata that is defined in OpenID Connect Federation 1.0.

If this property is not empty, the organization_name property appears in self-signed entity statements of this service.

public Service setOrganizationName(String name)
Set the name of the organization that operates this service. This property corresponds to the organization_name server metadata that is defined in OpenID Connect Federation 1.0.

If this property is not empty, the organization_name property appears in self-signed entity statements of this service.

Parameters:
name - The name of the organization that operates this service.

Returns:
this object.

public URI[] getAuthorityHints()
Get the identifiers of entities that can issue entity statements for this service. This property corresponds to the authority_hints property that appears in a self-signed entity statement that is defined in OpenID Connect Federation 1.0.

OpenID providers participating in one or more federations are supposed to have authority hints. Only trust anchors, which have no superiors, do not have authority hints.

Because the authority_hints property in self-signed entity statements of OpenID providers is mandatory, if this property is empty, the configuration endpoint (/.well-known/openid-federation) cannot generate a valid entity statement. It means that OpenID Connect Federation 1.0 does not work.

public Service setAuthorityHints(URI[] authorityHints)
Set the identifiers of entities that can issue entity statements for this service. This property corresponds to the authority_hints property that appears in a self-signed entity statement that is defined in OpenID Connect Federation 1.0.

OpenID providers participating in one or more federations are supposed to have authority hints. Only trust anchors, which have no superiors, do not have authority hints.

Because the authority_hints property in self-signed entity statements of OpenID providers is mandatory, if this property is empty, the configuration endpoint (/.well-known/openid-federation) cannot generate a valid entity statement. It means that OpenID Connect Federation 1.0 does not work.

Parameters:
authorityHints - Identifiers of entities that can issue entity statements for this service.

Returns:
this object.

public TrustAnchor[] getTrustAnchors()
Get the trust anchors that are referenced when this service resolves trust chains of relying parties.

If this property is empty, client registration fails regardless of whether its type is automatic or explicit. It means that OpenID Connect Federation 1.0 does not work.

See Also:
TrustAnchor

public Service setTrustAnchors(TrustAnchor[] trustAnchors)
Set the trust anchors that are referenced when this service resolves trust chains of relying parties.

If this property is empty, client registration fails regardless of whether its type is automatic or explicit. It means that OpenID Connect Federation 1.0 does not work.

Parameters:
trustAnchors - The trust anchors that are referenced when this service resolves trust chains of relying parties.

Returns:
this object.

See Also:
TrustAnchor

public String getFederationJwks()
Get the JWK Set document containing keys used to sign self-signed entity statements and the response from signed_jwks_uri.

If this property is empty, this service cannot generate a valid self-signed entity statement. It means that OpenID Connect Federation 1.0 does not work.

Returns:
The JWK Set document containing keys used to sign self-signed entity statements and the response from signed_jwks_uri.

public Service setFederationJwks(String jwks)
Set the JWK Set document containing keys used to sign self-signed entity statements and the response from signed_jwks_uri.

If this property is empty, this service cannot generate a valid self-signed entity statement. It means that OpenID Connect Federation 1.0 does not work.

Parameters:
jwks - The JWK Set document containing keys used to sign self-signed entity statements and the response from signed_jwks_uri.

Returns:
this object.

public String getFederationSignatureKeyId()
Get the key ID to identify a JWK used to sign the entity configuration and the signed JWK Set.

The entity configuration is a kind of JWT and is published at /.well-known/openid-federation or at a variant location such as /.well-known/openid-federation{path_part_of_issuer}.

The signed JWK Set is also a kind of JWT and is published at the URL designated by the signed_jwks_uri server metadata.

When this property is specified, Authlete will use the JWK having the specified key ID when signing the entity configuration and the signed JWK Set. Otherwise, when this property is omitted, there is no guarantee as to which JWK Authlete will choose.

Returns:
A key ID. May be null.

public Service setFederationSignatureKeyId(String keyId)
Set the key ID to identify a JWK used to sign the entity configuration and the signed JWK Set.

The entity configuration is a kind of JWT and is published at /.well-known/openid-federation or at a variant location such as /.well-known/openid-federation{path_part_of_issuer}.

The signed JWK Set is also a kind of JWT and is published at the URL designated by the signed_jwks_uri server metadata.

When this property is specified, Authlete will use the JWK having the specified key ID when signing the entity configuration and the signed JWK Set. Otherwise, when this property is omitted, there is no guarantee as to which JWK Authlete will choose.

Parameters:
keyId - A key ID. May be null.

Returns:
this object.

public long getFederationConfigurationDuration()
Get the duration of the entity configuration in seconds.

An OpenID provider that participates in an OpenID Connect federation must publish its entity configuration at /.well-known/openid-federation or at a variant location such as /.well-known/openid-federation{path_part_of_issuer}.

An entity configuration is a kind of JWT. This property specifies the duration of the JWT in seconds.

When the value of this property is 0, the default value determined by your Authlete server is used as the duration of the entity configuration.

public Service setFederationConfigurationDuration(long duration)
Set the duration of the entity configuration in seconds.

An OpenID provider that participates in an OpenID Connect federation must publish its entity configuration at /.well-known/openid-federation or at a variant location such as /.well-known/openid-federation{path_part_of_issuer}.

An entity configuration is a kind of JWT. This property specifies the duration of the JWT in seconds.

When the value of this property is 0, the default value determined by your Authlete server is used as the duration of the entity configuration.

Parameters:
duration - The duration of the entity configuration in seconds.

Returns:
this object.

public URI getSignedJwksUri()
Get the URI of the endpoint that returns this service's JWK Set document in the JWT format. This property corresponds to the signed_jwks_uri server metadata defined in OpenID Connect Federation 1.0.

The JWT returned from the endpoint is signed with a key in the JWK Set document specified by the federationJwks property. Therefore, if the federationJwks property is not set up properly, the endpoint won't return a valid response.

If this property is not empty, the signed_jwks_uri property appears in the openid_provider property of this service's entity configuration. In that case, jwks_uri is omitted in exchange.

public Service setSignedJwksUri(URI uri)
Set the URI of the endpoint that returns this service's JWK Set document in the JWT format. This property corresponds to the signed_jwks_uri server metadata defined in OpenID Connect Federation 1.0.

The JWT returned from the endpoint is signed with a key in the JWK Set document specified by the federationJwks property. Therefore, if the federationJwks property is not set up properly, the endpoint won't return a valid response.

If this property is not empty, the signed_jwks_uri property appears in the openid_provider property of this service's entity configuration. In that case, jwks_uri is omitted in exchange.

Parameters:
uri - The URI of the endpoint that returns this service's JWK Set document in the JWT format.

Returns:
this object.

public URI getFederationRegistrationEndpoint()
Get the URI of the federation registration endpoint. This property corresponds to the federation_registration_endpoint server metadata that is defined in OpenID Connect Federation 1.0.

If this service declares that it supports "explicit" client registration, this property must not be empty.

public Service setFederationRegistrationEndpoint(URI endpoint)
Set the URI of the federation registration endpoint. This property corresponds to the federation_registration_endpoint server metadata that is defined in OpenID Connect Federation 1.0.

If this service declares that it supports "explicit" client registration, this property must not be empty.

Parameters:
endpoint - The URI of the federation registration endpoint.

Returns:
this object.

public ClientRegistrationType[] getSupportedClientRegistrationTypes()
Get the client registration types supported by this service. This property corresponds to the client_registration_types_supported server metadata that is defined in OpenID Connect Federation 1.0.

If this property includes EXPLICIT, the federationRegistrationEndpoint property must be set up properly.

See Also:
ClientRegistrationType

public Service setSupportedClientRegistrationTypes(ClientRegistrationType[] types)
Set the client registration types supported by this service. This property corresponds to the client_registration_types_supported server metadata that is defined in OpenID Connect Federation 1.0.

If this property includes EXPLICIT, the federationRegistrationEndpoint property must be set up properly.

Parameters:
types - Client registration types supported by this service.

Returns:
this object.

See Also:
ClientRegistrationType
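How the federation properties documented above (from isFederationEnabled() through setSupportedClientRegistrationTypes()) come together in the self-signed entity configuration, as an added example that is not Authlete's code. The "does not work" conditions from those descriptions are turned into explicit checks, and signed_jwks_uri replaces jwks_uri as stated for getSignedJwksUri(). Property names mirror the getters; the dict-based Service, the claim layout, the placement of organization_name under openid_provider, the default duration and the sample values (including the placeholder JWK) are assumptions.

```python
# Added example, not Authlete's code: assembling an entity configuration
# from the federation properties. Layout, defaults and sample data are
# assumptions; the JWK below is a placeholder, not a real key.
import json

DEFAULT_CONFIGURATION_DURATION = 86400   # stand-in for the server-determined default
PRIVATE_JWK_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}

SAMPLE_SERVICE = {                       # constructed; keys mirror the getters
    "issuer": "https://op.example.com",
    "jwksUri": "https://op.example.com/jwks",
    "federationEnabled": True,
    "organizationName": "Example OP Ltd",
    "authorityHints": ["https://federation.example.org"],
    "trustAnchors": [{"entityId": "https://federation.example.org"}],
    "federationJwks": json.dumps({"keys": [{"kty": "EC", "crv": "P-256", "kid": "fed-2023",
                                            "x": "placeholder-x", "y": "placeholder-y",
                                            "d": "placeholder-private-d"}]}),
    "federationSignatureKeyId": "fed-2023",
    "federationConfigurationDuration": 3600,
    "signedJwksUri": "https://op.example.com/signed-jwks",
    "federationRegistrationEndpoint": "https://op.example.com/federation/register",
    "supportedClientRegistrationTypes": ["automatic", "explicit"],
}


def public_jwks(jwks_json):
    """Strip private members so only public keys are published in "jwks"."""
    keys = json.loads(jwks_json)["keys"]
    return {"keys": [{k: v for k, v in key.items() if k not in PRIVATE_JWK_MEMBERS}
                     for key in keys]}


def select_signing_kid(jwks_json, federation_signature_key_id):
    """The kid to sign with: the configured one, or (the "no guarantee" case)
    simply the first key when none is configured."""
    kids = [key.get("kid") for key in json.loads(jwks_json)["keys"]]
    if federation_signature_key_id is None:
        return kids[0]
    if federation_signature_key_id not in kids:
        raise ValueError("federationSignatureKeyId not found in federationJwks")
    return federation_signature_key_id


def check_federation_config(service):
    """Every condition under which the documentation says federation does not work."""
    problems = []
    if not service.get("federationEnabled"):
        problems.append("federationEnabled is false")
    if not service.get("authorityHints"):
        problems.append("authorityHints is empty")
    if not service.get("trustAnchors"):       # needed to resolve RP trust chains
        problems.append("trustAnchors is empty")
    if not service.get("federationJwks"):
        problems.append("federationJwks is empty")
    types = service.get("supportedClientRegistrationTypes") or []
    if "explicit" in types and not service.get("federationRegistrationEndpoint"):
        problems.append("explicit registration declared but federationRegistrationEndpoint is empty")
    return problems


def build_entity_configuration(service, now):
    """Claims of the JWT served at /.well-known/openid-federation."""
    problems = check_federation_config(service)
    if problems:
        raise ValueError("; ".join(problems))
    duration = service.get("federationConfigurationDuration") or DEFAULT_CONFIGURATION_DURATION
    op = {"issuer": service["issuer"]}
    if service.get("organizationName"):
        op["organization_name"] = service["organizationName"]
    if service.get("signedJwksUri"):
        op["signed_jwks_uri"] = service["signedJwksUri"]   # jwks_uri omitted in exchange
    else:
        op["jwks_uri"] = service["jwksUri"]
    if service.get("federationRegistrationEndpoint"):
        op["federation_registration_endpoint"] = service["federationRegistrationEndpoint"]
    op["client_registration_types_supported"] = list(service.get("supportedClientRegistrationTypes") or [])
    return {
        "iss": service["issuer"], "sub": service["issuer"],
        "iat": now, "exp": now + duration,
        "jwks": public_jwks(service["federationJwks"]),
        "authority_hints": list(service["authorityHints"]),
        "metadata": {"openid_provider": op},
    }


if __name__ == "__main__":
    print(json.dumps(build_entity_configuration(SAMPLE_SERVICE, 1700000000), indent=2))
    print("sign with kid:", select_signing_kid(SAMPLE_SERVICE["federationJwks"],
                                               SAMPLE_SERVICE["federationSignatureKeyId"]))
```

Stripping private JWK members before publication is the one step here that is easy to forget when the same JWK Set is used both for signing and for the published "jwks" claim.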
public boolean isTokenExchangeByIdentifiableClientsOnly()

Get the flag indicating whether this service rejects token exchange requests that contain no client identifier.

Section 2.1 of RFC 8693 OAuth 2.0 Token Exchange states as follows:

    The supported methods of client authentication and whether or not to allow unauthenticated or unidentified clients are deployment decisions that are at the discretion of the authorization server.

Technically speaking, "unidentified" in the excerpted sentence means that a token exchange request contains no identifier of the client that made the request.

When this flag is set to true, this service rejects token exchange requests that contain no client identifier.

Returns:
true if this service rejects token exchange requests that contain no client identifier.

public Service setTokenExchangeByIdentifiableClientsOnly(boolean only)
Set the flag indicating whether this service rejects token exchange requests that contain no client identifier.

Section 2.1 of RFC 8693 OAuth 2.0 Token Exchange states as follows:

    The supported methods of client authentication and whether or not to allow unauthenticated or unidentified clients are deployment decisions that are at the discretion of the authorization server.

Technically speaking, "unidentified" in the excerpted sentence means that a token exchange request contains no identifier of the client that made the request.

When this flag is set to true, this service rejects token exchange requests that contain no client identifier.

Parameters:
only - true to reject token exchange requests that contain no client identifier.

Returns:
this object.

public boolean isTokenExchangeByConfidentialClientsOnly()
Get the flag indicating whether this service rejects token exchange requests from public clients.

Section 2.1 of RFC 8693 OAuth 2.0 Token Exchange states as follows:

    The supported methods of client authentication and whether or not to allow unauthenticated or unidentified clients are deployment decisions that are at the discretion of the authorization server.

Technically speaking, "unauthenticated" in the excerpted sentence means that the client making a token exchange request is a public client, and so client authentication for the client is not required at the token endpoint.

When this flag is set to true, this service rejects token exchange requests from public clients.

Returns:
true if this service rejects token exchange requests from public clients.

public Service setTokenExchangeByConfidentialClientsOnly(boolean only)
Set the flag indicating whether this service rejects token exchange requests from public clients.

Section 2.1 of RFC 8693 OAuth 2.0 Token Exchange states as follows:

    The supported methods of client authentication and whether or not to allow unauthenticated or unidentified clients are deployment decisions that are at the discretion of the authorization server.

Technically speaking, "unauthenticated" in the excerpted sentence means that the client making a token exchange request is a public client, and so client authentication for the client is not required at the token endpoint.

When this flag is set to true, this service rejects token exchange requests from public clients.

Parameters:
only - true to reject token exchange requests from public clients.

Returns:
this object.

public boolean isTokenExchangeByPermittedClientsOnly()
Get the flag indicating whether this service rejects token exchange requests from clients whose tokenExchangePermitted flag is false.

An administrator can give a client explicit permission to make token exchange requests by setting the tokenExchangePermitted flag of the client to true (cf. ClientExtension.setTokenExchangePermitted(boolean)).

When this flag (tokenExchangeByPermittedClientsOnly) is set to true, this service rejects token exchange requests from clients whose tokenExchangePermitted flag is false.

Returns:
true if this service rejects token exchange requests from clients whose tokenExchangePermitted flag is false.

See Also:
ClientExtension.isTokenExchangePermitted(),
RFC 8693 OAuth 2.0 Token Exchange

public Service setTokenExchangeByPermittedClientsOnly(boolean only)
Set the flag indicating whether this service rejects token exchange requests from clients whose tokenExchangePermitted flag is false.

An administrator can give a client explicit permission to make token exchange requests by setting the tokenExchangePermitted flag of the client to true (cf. ClientExtension.setTokenExchangePermitted(boolean)).

When this flag (tokenExchangeByPermittedClientsOnly) is set to true, this service rejects token exchange requests from clients whose tokenExchangePermitted flag is false.

Parameters:
only - true to reject token exchange requests from clients whose tokenExchangePermitted flag is false.

Returns:
this object.

See Also:
ClientExtension.setTokenExchangePermitted(boolean),
RFC 8693 OAuth 2.0 Token Exchange

public boolean isTokenExchangeEncryptedJwtRejected()
Get the flag indicating whether token exchange requests which use encrypted JWTs as input tokens are rejected.

When this tokenExchangeEncryptedJwtRejected flag is true, token exchange requests which use encrypted JWTs as input tokens (subject token and/or actor token) with the token type "urn:ietf:params:oauth:token-type:jwt" or the token type "urn:ietf:params:oauth:token-type:id_token" are rejected.

When this flag is false, Authlete skips the remaining validation steps on an input token when Authlete detects that it is an encrypted JWT.

See the description of TokenResponse for details about the validation Authlete performs for token exchange requests.

Returns:
true if token exchange requests which use encrypted JWTs as input tokens are rejected.

See Also:
TokenResponse,
RFC 8693 OAuth 2.0 Token Exchange

public Service setTokenExchangeEncryptedJwtRejected(boolean rejected)
Set the flag indicating whether token exchange requests which use encrypted JWTs as input tokens are rejected.

When this tokenExchangeEncryptedJwtRejected flag is true, token exchange requests which use encrypted JWTs as input tokens (subject token and/or actor token) with the token type "urn:ietf:params:oauth:token-type:jwt" or the token type "urn:ietf:params:oauth:token-type:id_token" are rejected.

When this flag is false, Authlete skips the remaining validation steps on an input token when Authlete detects that it is an encrypted JWT.

See the description of TokenResponse for details about the validation Authlete performs for token exchange requests.

Parameters:
rejected - true to reject token exchange requests which use encrypted JWTs as input tokens.

Returns:
this object.

See Also:
TokenResponse,
RFC 8693 OAuth 2.0 Token Exchange

public boolean isTokenExchangeUnsignedJwtRejected()
Get the flag indicating whether token exchange requests which use unsigned JWTs as input tokens are rejected.

When this tokenExchangeUnsignedJwtRejected flag is true, token exchange requests which use unsigned JWTs as input tokens (subject token and/or actor token) with the token type "urn:ietf:params:oauth:token-type:jwt" or the token type "urn:ietf:params:oauth:token-type:id_token" are rejected.

When this flag is false, Authlete skips the remaining validation steps on an input token when Authlete detects that it is an unsigned JWT.

See the description of TokenResponse for details about the validation Authlete performs for token exchange requests.

Returns:
true if token exchange requests which use unsigned JWTs as input tokens are rejected.

See Also:
TokenResponse,
RFC 8693 OAuth 2.0 Token Exchange

public Service setTokenExchangeUnsignedJwtRejected(boolean rejected)
Set the flag indicating whether token exchange requests which use unsigned JWTs as input tokens are rejected.

When this tokenExchangeUnsignedJwtRejected flag is true, token exchange requests which use unsigned JWTs as input tokens (subject token and/or actor token) with the token type "urn:ietf:params:oauth:token-type:jwt" or the token type "urn:ietf:params:oauth:token-type:id_token" are rejected.

When this flag is false, Authlete skips the remaining validation steps on an input token when Authlete detects that it is an unsigned JWT.

See the description of TokenResponse for details about the validation Authlete performs for token exchange requests.

Parameters:
rejected - true to reject token exchange requests which use unsigned JWTs as input tokens.

Returns:
this object.

See Also:
TokenResponse,
RFC 8693 OAuth 2.0 Token Exchange

public boolean isJwtGrantByIdentifiableClientsOnly()

Get the flag indicating whether this service rejects token requests that use the grant type "urn:ietf:params:oauth:grant-type:jwt-bearer" (RFC 7523) but contain no client identifier.

RFC 7523 JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants states as follows:

    JWT authorization grants may be used with or without client authentication or identification.

Technically speaking, "identification" in the excerpted sentence means that a token request contains an identifier of the client that made the request.

When this flag is set to true, this service rejects token requests that use the grant type "urn:ietf:params:oauth:grant-type:jwt-bearer" but contain no client identifier.

Returns:
true if this service rejects token requests that use the grant type "urn:ietf:params:oauth:grant-type:jwt-bearer"
but contain no client identifier.

public Service setJwtGrantByIdentifiableClientsOnly(boolean only)

Set the flag indicating whether this service rejects token requests that use the grant type "urn:ietf:params:oauth:grant-type:jwt-bearer" (RFC 7523) but contain no client identifier.

RFC 7523 JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants states as follows:

    JWT authorization grants may be used with or without client authentication or identification.

Technically speaking, "identification" in the excerpted sentence means that a token request contains an identifier of the client that made the request.

When this flag is set to true, this service rejects token requests that use the grant type "urn:ietf:params:oauth:grant-type:jwt-bearer" but contain no client identifier.

Parameters:
only - true to reject token requests that use the grant type "urn:ietf:params:oauth:grant-type:jwt-bearer" but contain no client identifier.

Returns:
this
service.

public boolean isJwtGrantEncryptedJwtRejected()

Get the flag indicating whether token requests that use an encrypted JWT as an authorization grant with the grant type "urn:ietf:params:oauth:grant-type:jwt-bearer" (RFC 7523) are rejected.

When this jwtGrantEncryptedJwtRejected flag is true, token requests that use an encrypted JWT as an authorization grant with the grant type "urn:ietf:params:oauth:grant-type:jwt-bearer" are rejected.

When this flag is false, Authlete skips the remaining validation steps on an input assertion when Authlete detects that it is an encrypted JWT.

See the description of TokenResponse for details about the validation Authlete performs for the grant type.

Returns:
true if token requests that use an encrypted JWT as an authorization grant with the grant type "urn:ietf:params:oauth:grant-type:jwt-bearer" are rejected.

See Also:
TokenResponse,
RFC 7521 Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants,
RFC 7523 JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication
and Authorization Grants

public Service setJwtGrantEncryptedJwtRejected(boolean rejected)

Set the flag indicating whether token requests that use an encrypted JWT as an authorization grant with the grant type "urn:ietf:params:oauth:grant-type:jwt-bearer" (RFC 7523) are rejected.

When this jwtGrantEncryptedJwtRejected flag is true, token requests that use an encrypted JWT as an authorization grant with the grant type "urn:ietf:params:oauth:grant-type:jwt-bearer" are rejected.

When this flag is false, Authlete skips the remaining validation steps on an input assertion when Authlete detects that it is an encrypted JWT.

See the description of TokenResponse for details about the validation Authlete performs for the grant type.

Parameters:
rejected - true to reject token requests that use an encrypted JWT as an authorization grant with the grant type "urn:ietf:params:oauth:grant-type:jwt-bearer".

Returns:
this object.

See Also:
TokenResponse,
RFC 7521 Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants,
RFC 7523 JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication
and Authorization Grants

public boolean isJwtGrantUnsignedJwtRejected()

Get the flag indicating whether token requests that use an unsigned JWT as an authorization grant with the grant type "urn:ietf:params:oauth:grant-type:jwt-bearer" (RFC 7523) are rejected.

When this jwtGrantUnsignedJwtRejected flag is true, token requests that use an unsigned JWT as an authorization grant with the grant type "urn:ietf:params:oauth:grant-type:jwt-bearer" are rejected.

When this flag is false, Authlete skips the remaining validation steps on an input assertion when Authlete detects that it is an unsigned JWT.

See the description of TokenResponse for details about the validation Authlete performs for the grant type.

Returns:
true if token requests that use an unsigned JWT as an authorization grant with the grant type "urn:ietf:params:oauth:grant-type:jwt-bearer" are rejected.

See Also:
TokenResponse,
RFC 7521 Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants,
RFC 7523 JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication
and Authorization Grantspublic Service setJwtGrantUnsignedJwtRejected(boolean rejected)
"urn:ietf:params:oauth:grant-type:jwt-bearer"
(RFC 7523).
When this jwtGrantUnsignedJwtRejected flag is true, token requests that use an unsigned JWT as an authorization grant with the grant type "urn:ietf:params:oauth:grant-type:jwt-bearer" are rejected.

When this flag is false, Authlete skips remaining validation steps on an input assertion when Authlete detects that it is an unsigned JWT.

See the description of TokenResponse for details about validation Authlete performs for the grant type.
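The jwtGrantEncryptedJwtRejected and jwtGrantUnsignedJwtRejected flags are easiest to see side by side. The following is an added example, not Authlete's code: it classifies a compact-serialised assertion as signed, unsigned (alg none) or encrypted from its segment count and header, then applies both flags as the descriptions above state them. The action labels, helper names and sample tokens are constructed for illustration.

```python
import base64
import json

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def _b64url_decode(segment: str) -> bytes:
    # Compact serialisation uses unpadded base64url (RFC 7515, section 2).
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_compact(header: dict, *segments: str) -> str:
    """Build a constructed sample token; only the header is meaningful here."""
    return ".".join([_b64url_encode(json.dumps(header).encode())] + list(segments))


def classify_assertion(assertion: str) -> str:
    """Return 'jws', 'unsigned', 'jwe' or 'malformed' for a compact JWT."""
    parts = assertion.split(".")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError):
        return "malformed"
    if not isinstance(header, dict) or "alg" not in header:
        return "malformed"
    if len(parts) == 5:
        # Five segments: JWE compact serialisation (RFC 7516, section 3.1).
        return "jwe"
    if len(parts) == 3:
        # "alg":"none" is an Unsecured JWS (RFC 7515, appendix A.5): no signature.
        return "unsigned" if header["alg"] == "none" else "jws"
    return "malformed"


def gate_jwt_bearer_grant(grant_type, assertion, encrypted_jwt_rejected, unsigned_jwt_rejected):
    """Model of the two Service flags. Returns (action, reason).

    'reject' ends the request; 'validate' means the remaining assertion checks
    must still run; 'skip_validation' mirrors the documented behaviour when a
    flag is false: Authlete skips the remaining validation steps for that
    kind of assertion.
    """
    if grant_type != JWT_BEARER:
        return ("validate", "not a jwt-bearer grant; these flags do not apply")
    kind = classify_assertion(assertion)
    if kind == "malformed":
        return ("reject", "assertion is not a compact JWT")
    if kind == "jwe":
        if encrypted_jwt_rejected:
            return ("reject", "encrypted JWT assertions are rejected")
        return ("skip_validation", "encrypted JWT; remaining checks skipped")
    if kind == "unsigned":
        if unsigned_jwt_rejected:
            return ("reject", "unsigned (alg=none) JWT assertions are rejected")
        return ("skip_validation", "unsigned JWT; remaining checks skipped")
    return ("validate", "signed JWT; run the remaining validation steps")


# Constructed samples: payload and signature segments are placeholders.
SIGNED = make_compact({"alg": "RS256", "typ": "JWT"}, "payload", "sig")
UNSIGNED = make_compact({"alg": "none"}, "payload", "")
ENCRYPTED = make_compact({"alg": "RSA-OAEP", "enc": "A256GCM"}, "key", "iv", "ct", "tag")
```

Setting both flags to true is the conservative configuration: an assertion that is neither verifiable nor inspectable never reaches the later validation steps.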
Parameters:
rejected - true to reject token requests that use an unsigned JWT as an authorization grant with the grant type "urn:ietf:params:oauth:grant-type:jwt-bearer".

Returns:
this object.

See Also:
TokenResponse
RFC 7521 Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
RFC 7523 JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants

public boolean isDcrDuplicateSoftwareIdBlocked()
software_id has already been used previously.

A DCR request may contain the software_id client metadata (which is defined in RFC 7591). The client metadata is saved in Authlete's database together with other client metadata.

If this dcrDuplicateSoftwareIdBlocked flag is true, Authlete checks whether the value of the software_id client metadata included in a DCR request already exists in the database, and rejects the DCR request if one exists.

Returns:
true if DCR requests whose software_id has already been used previously are blocked.

public Service setDcrDuplicateSoftwareIdBlocked(boolean blocked)
software_id has already been used previously.

A DCR request may contain the software_id client metadata (which is defined in RFC 7591). The client metadata is saved in Authlete's database together with other client metadata.

If this dcrDuplicateSoftwareIdBlocked flag is true, Authlete checks whether the value of the software_id client metadata included in a DCR request already exists in the database, and rejects the DCR request if one exists.

Parameters:
blocked - true to block DCR requests whose software_id has already been used previously.

Returns:
this object.

public String getResourceSignatureKeyId()
public Service setResourceSignatureKeyId(String keyId)
Parameters:
keyId - The key ID.

Returns:
this object.

public boolean isRsResponseSigned()
true, userinfo issue responses and responses sent to the RS signing endpoint that are in relation to a client's signed request will be signed using the key identified by getResourceSignatureKeyId().

Returns:
true if the service signs responses for the resource server, false otherwise.

public Service setRsResponseSigned(boolean signed)
true, userinfo issue responses and responses sent to the RS signing endpoint that are in relation to a client's signed request will be signed using the key identified by getResourceSignatureKeyId().

Parameters:
signed - true if the service signs responses for the resource server, false otherwise.

Returns:
this object.

public boolean isOpenidDroppedOnRefreshWithoutOfflineAccess()
openid scope from a new access token issued by the refresh token flow if the presented refresh token does not contain the offline_access scope.

Returns:
true if the openid scope is dropped when the presented refresh token does not contain the offline_access scope.

public Service setOpenidDroppedOnRefreshWithoutOfflineAccess(boolean dropped)
openid scope from a new access token issued by the refresh token flow if the presented refresh token does not contain the offline_access scope.

Parameters:
dropped - true to drop the openid scope when the presented refresh token does not contain the offline_access scope.

Returns:
this object.

public boolean isVerifiableCredentialsEnabled()
Returns:
true if the feature of Verifiable Credentials is enabled.

public Service setVerifiableCredentialsEnabled(boolean enabled)
Parameters:
enabled - true to indicate that the feature of Verifiable Credentials is enabled.

Returns:
this object.

public CredentialIssuerMetadata getCredentialIssuerMetadata()
public Service setCredentialIssuerMetadata(CredentialIssuerMetadata metadata)
Parameters:
metadata - The credential issuer metadata.

Returns:
this object.

public long getCredentialOfferDuration()
When an API call to the /vci/offer/create API does not contain the duration request parameter or the value of the parameter is 0 or negative, the value of this property is used as the default value.

If the value of this property is 0 or negative, the default value per Authlete server is used as the default value.

See Also:
CredentialOfferCreateRequest.getDuration()
public Service setCredentialOfferDuration(long duration)
When an API call to the /vci/offer/create API does not contain the duration request parameter or the value of the parameter is 0 or negative, the value of this property is used as the default value.

If the value of this property is 0 or negative, the default value per Authlete server is used as the default value.

Parameters:
duration - The default duration of credential offers in seconds.

Returns:
this object.

See Also:
CredentialOfferCreateRequest.setDuration(long)
public int getUserPinLength()
When an API call to the /vci/offer/create API does not contain the userPinLength request parameter or the value of the parameter is 0 or negative, the value of this property is used as the default value.

If the value of this property is 0 or negative, the default value per Authlete server is used as the default value.

See Also:
CredentialOfferCreateRequest.getUserPinLength()
public Service setUserPinLength(int length)
When an API call to the /vci/offer/create API does not contain the userPinLength request parameter or the value of the parameter is 0 or negative, the value of this property is used as the default value.

If the value of this property is 0 or negative, the default value per Authlete server is used as the default value.

Parameters:
length - The default length of user PINs.

Returns:
this object.

See Also:
CredentialOfferCreateRequest.setUserPinLength(int)
public String getIdTokenAudType()
aud claim in ID tokens.

Valid values are as follows.

Value      Description
"array"    The type of the aud claim is always an array of strings.
"string"   The type of the aud claim is always a single string.
null       The type of the aud claim remains the same as before.

Authlete APIs that may trigger ID token issuance may accept the idTokenAudType request parameter (e.g. AuthorizationIssueRequest.getIdTokenAudType()). Such request parameters take precedence over this service property.

Returns:
aud claim in ID tokens.

public Service setIdTokenAudType(String type)
aud claim in ID tokens.

Valid values are as follows.

Value      Description
"array"    The type of the aud claim is always an array of strings.
"string"   The type of the aud claim is always a single string.
null       The type of the aud claim remains the same as before.

Authlete APIs that may trigger ID token issuance may accept the idTokenAudType request parameter (e.g. AuthorizationIssueRequest.getIdTokenAudType()). Such request parameters take precedence over this service property.

Parameters:
type - The type of the aud claim in ID tokens.

Returns:
this object.

public Prompt[] getSupportedPromptValues()
prompt values.

Returns:
prompt values.

public Service setSupportedPromptValues(Prompt[] promptValues)
prompt values.

Parameters:
promptValues - The supported prompt values.

Returns:
this object.

public String getVerifiedClaimsValidationSchemaSet()
"verified_claims".
Since version 2.3, Authlete validates the content of "verified_claims" based on the JSON schema files that accompany the specification (OpenID Connect for Identity Assurance 1.0). They are found in the /schema/ folder of the Git repository of the specification.

Usually, Authlete uses the legitimate JSON schema files that conform to the specification. But, it is possible to make Authlete use a different set of JSON schema files by specifying a name of validation schema set through this property (Service.verifiedClaimsValidationSchemaSet).

Authlete recognizes the following names of validation schema set at least.

Name                     Description
null                     Same as "standard".
"standard"               The set of the legitimate JSON schema files.
"standard+id_document"   A set of customized JSON schema files that mostly conform to the standard but additionally accept "id_document" as a valid name of evidence. This is for backward compatibility. Note that "id_document" was deprecated by Implementer's Draft 4 (cf. eKYC-IDA PR 152).

public Service setVerifiedClaimsValidationSchemaSet(String schemaSet)
"verified_claims".
Since version 2.3, Authlete validates the content of "verified_claims" based on the JSON schema files that accompany the specification (OpenID Connect for Identity Assurance 1.0). They are found in the /schema/ folder of the Git repository of the specification.

Usually, Authlete uses the legitimate JSON schema files that conform to the specification. But, it is possible to make Authlete use a different set of JSON schema files by specifying a name of validation schema set through this property (Service.verifiedClaimsValidationSchemaSet).

Authlete recognizes the following names of validation schema set at least.

Name                     Description
null                     Same as "standard".
"standard"               The set of the legitimate JSON schema files.
"standard+id_document"   A set of customized JSON schema files that mostly conform to the standard but additionally accept "id_document" as a valid name of evidence. This is for backward compatibility. Note that "id_document" was deprecated by Implementer's Draft 4 (cf. eKYC-IDA PR 152).

Parameters:
schemaSet - The name of the validation schema set.

Returns:
this object.

public boolean isPreAuthorizedGrantAnonymousAccessSupported()
This property corresponds to the pre-authorized_grant_anonymous_access_supported server metadata defined in "OpenID for Verifiable Credentials Issuance".

Returns:
true if token requests using the pre-authorized code grant flow by unidentifiable clients are allowed.

public Service setPreAuthorizedGrantAnonymousAccessSupported(boolean supported)
This property corresponds to the pre-authorized_grant_anonymous_access_supported server metadata defined in "OpenID for Verifiable Credentials Issuance".

Parameters:
supported - true to allow unidentifiable clients to make token requests using the pre-authorized code grant flow.

Returns:
this object.

public long getCNonceDuration()
c_nonce in seconds.

c_nonce is issued from the token endpoint of an authorization server in the pre-authorized code flow, and from the credential endpoint and the batch credential endpoint of a credential issuer. This property is used as the lifetime of the c_nonce.

If the value of this property is 0 or negative, the default value per Authlete server is used as the default value.

See OpenID for Verifiable Credentials Issuance for details about c_nonce.

Returns:
c_nonce in seconds.

public Service setCNonceDuration(long duration)
c_nonce in seconds.

c_nonce is issued from the token endpoint of an authorization server in the pre-authorized code flow, and from the credential endpoint and the batch credential endpoint of a credential issuer. This property is used as the lifetime of the c_nonce.

If the value of this property is 0 or negative, the default value per Authlete server is used as the default value.

See OpenID for Verifiable Credentials Issuance for details about c_nonce.

Parameters:
duration - The duration of c_nonce in seconds.

Returns:
this object.

public long getCredentialTransactionDuration()
If the value of this property is 0 or negative, the default value per Authlete server is used.
public Service setCredentialTransactionDuration(long duration)
If the value of this property is 0 or negative, the default value per Authlete server is used.
Parameters:
duration - The duration of transaction ID in seconds.

Returns:
this object.

public long getCredentialDuration()
Some Authlete APIs such as the /vci/single/issue API and the /vci/batch/issue API may issue one or more verifiable credentials. The value of this property specifies the default duration of such verifiable credentials.

The value 0 indicates that verifiable credentials will not expire. In that case, verifiable credentials will not have a property that indicates the expiration time. For example, JWT-based verifiable credentials will not contain the "exp" claim (RFC 7519, Section 4.1.4).

Authlete APIs that may issue verifiable credentials recognize a request parameter that can override the duration. For example, a request to the /vci/single/issue API (CredentialSingleIssueRequest) contains an "order" object (CredentialIssuanceOrder) that has a "credentialDuration" parameter (credentialDuration) that can override the default duration.
public Service setCredentialDuration(long duration)
Some Authlete APIs such as the /vci/single/issue API and the /vci/batch/issue API may issue one or more verifiable credentials. The value of this property specifies the default duration of such verifiable credentials.

The value 0 indicates that verifiable credentials will not expire. In that case, verifiable credentials will not have a property that indicates the expiration time. For example, JWT-based verifiable credentials will not contain the "exp" claim (RFC 7519, Section 4.1.4).

Authlete APIs that may issue verifiable credentials recognize a request parameter that can override the duration. For example, a request to the /vci/single/issue API (CredentialSingleIssueRequest) contains an "order" object (CredentialIssuanceOrder) that has a "credentialDuration" parameter (credentialDuration) that can override the default duration.

Parameters:
duration - The default duration of verifiable credentials in seconds.

Returns:
this object.

public String getCredentialJwks()
Some Authlete APIs such as the /vci/single/issue API and the /vci/batch/issue API may issue one or more verifiable credentials. The content of this property is referred to by such APIs.

Authlete APIs that may issue verifiable credentials recognize a request parameter that can specify the key ID of a private key that should be used for signing. For example, a request to the /vci/single/issue API (CredentialSingleIssueRequest) contains an "order" object (CredentialIssuanceOrder) that has a "signingKeyId" parameter (signingKeyId) that can specify the key ID of a private key to be used for signing. When a key ID is not specified, Authlete will select a private key automatically.

If JWKs in the JWK Set do not contain the "kid" property (RFC 7517, Section 4.5) when this credentialJwks property is updated, Authlete will automatically insert the "kid" property into such JWKs. The JWK thumbprint (RFC 7638) computed with the SHA-256 hash algorithm is used as the value of the "kid" property.
public Service setCredentialJwks(String jwks)
Some Authlete APIs such as the /vci/single/issue API and the /vci/batch/issue API may issue one or more verifiable credentials. The content of this property is referred to by such APIs.

Authlete APIs that may issue verifiable credentials recognize a request parameter that can specify the key ID of a private key that should be used for signing. For example, a request to the /vci/single/issue API (CredentialSingleIssueRequest) contains an "order" object (CredentialIssuanceOrder) that has a "signingKeyId" parameter (signingKeyId) that can specify the key ID of a private key to be used for signing. When a key ID is not specified, Authlete will select a private key automatically.

If JWKs in the JWK Set do not contain the "kid" property (RFC 7517, Section 4.5) when this credentialJwks property is updated, Authlete will automatically insert the "kid" property into such JWKs. The JWK thumbprint (RFC 7638) computed with the SHA-256 hash algorithm is used as the value of the "kid" property.

Parameters:
jwks - The JWK Set document containing private keys that are used to sign verifiable credentials.

Returns:
this object.

public URI getCredentialJwksUri()
The value of this property is referenced when Authlete's /vci/jwtissuer API generates the JSON representing the JWT issuer metadata. The JSON will be generated like below.

{
  "issuer": "getCredentialIssuerMetadata().getCredentialIssuer()",
  "jwks_uri": "getCredentialJwksUri()"
}

See Also:
AuthleteApi.credentialJwtIssuerMetadata(CredentialJwtIssuerMetadataRequest)
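An added example, not Authlete's code, serving the two passages above: it fills in a missing "kid" with the RFC 7638 SHA-256 thumbprint as the credentialJwks description states, and builds the JWT issuer metadata document in the shape shown for credentialJwksUri. The JWK Set and its member values are constructed placeholders, not real key material, and the helper names are assumptions.

```python
import base64
import hashlib
import json

# Members that feed the thumbprint, per RFC 7638 section 3.2 (OKP from RFC 8037).
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "oct": ("k", "kty"),
    "OKP": ("crv", "kty", "x"),
}


def canonical_members(jwk: dict) -> str:
    """Serialise only the required members, lexicographically ordered, no whitespace."""
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported kty: {kty!r}")
    missing = [name for name in REQUIRED_MEMBERS[kty] if name not in jwk]
    if missing:
        raise ValueError(f"JWK lacks required members: {missing}")
    subset = {name: jwk[name] for name in REQUIRED_MEMBERS[kty]}
    # sort_keys gives the lexicographic order RFC 7638 requires; separators drop whitespace.
    return json.dumps(subset, sort_keys=True, separators=(",", ":"), ensure_ascii=False)


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint with SHA-256, base64url-encoded without padding."""
    digest = hashlib.sha256(canonical_members(jwk).encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def fill_missing_kids(jwk_set_json: str) -> str:
    """Return the JWK Set with a thumbprint 'kid' added to every key lacking one.

    Private members such as 'd' are not part of the thumbprint, so the kid
    computed over a private JWK equals the one a verifier computes over the
    public JWK published at jwks_uri. Keys that already carry a kid are left alone.
    """
    jwk_set = json.loads(jwk_set_json)
    for jwk in jwk_set.get("keys", []):
        if "kid" not in jwk:
            jwk["kid"] = jwk_thumbprint(jwk)
    return json.dumps(jwk_set)


def key_ids(jwk_set_json: str) -> list:
    """The kid of each key in document order (None where absent)."""
    return [jwk.get("kid") for jwk in json.loads(jwk_set_json).get("keys", [])]


def jwt_issuer_metadata(credential_issuer: str, jwks_uri: str) -> dict:
    """The document shape the /vci/jwtissuer description shows (assembled here)."""
    return {"issuer": credential_issuer, "jwks_uri": jwks_uri}


# Constructed sample JWK Set: placeholder values, not real keys.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "n": "sample-n", "e": "AQAB", "d": "sample-d"},
    {"kty": "EC", "crv": "P-256", "x": "sample-x", "y": "sample-y",
     "d": "sample-d", "kid": "vc-signing-1"},
]})
```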
public Service setCredentialJwksUri(URI uri)
The value of this property is referenced when Authlete's /vci/jwtissuer API generates the JSON representing the JWT issuer metadata. The JSON will be generated like below.

{
  "issuer": "getCredentialIssuerMetadata().getCredentialIssuer()",
  "jwks_uri": "getCredentialJwksUri()"
}

Parameters:
uri - The URL at which the JWK Set document of the credential issuer is exposed.

Returns:
this object.

See Also:
AuthleteApi.credentialJwtIssuerMetadata(CredentialJwtIssuerMetadataRequest)
public boolean isIdTokenReissuable()
If this property is true, the action response parameter in a response from the /auth/token API becomes ID_TOKEN_REISSUABLE when the following conditions are met.

"openid" scope.

See the description of the TokenResponse class for details.

Returns:
true if the feature of ID token reissuance in the refresh token flow is enabled. false if the feature is disabled.

See Also:
TokenResponse
public Service setIdTokenReissuable(boolean reissuable)
If this property is true, the action response parameter in a response from the /auth/token API becomes ID_TOKEN_REISSUABLE when the following conditions are met.

"openid" scope.

See the description of the TokenResponse class for details.

Parameters:
reissuable - true to enable the feature of ID token reissuance in the refresh token flow. false to disable the feature.

Returns:
this object.

See Also:
TokenResponse
public JWSAlg[] getSupportedIntrospectionSignAlgs()
alg algorithms for signing introspection responses. This property corresponds to the introspection_signing_alg_values_supported metadata defined in "7. Authorization Server Metadata" of "JWT Response for OAuth Token Introspection".

Returns:
alg algorithms for signing introspection responses.

public Service setSupportedIntrospectionSignAlgs(JWSAlg[] algs)
alg algorithms for signing introspection responses. This property corresponds to the introspection_signing_alg_values_supported metadata defined in "7. Authorization Server Metadata" of "JWT Response for OAuth Token Introspection".

Parameters:
algs - The supported JWS alg algorithms for signing introspection responses.

Returns:
this object.

public JWEAlg[] getSupportedIntrospectionEncryptionAlgs()
alg algorithms for encrypting introspection responses. This property corresponds to the introspection_encryption_alg_values_supported metadata defined in "7. Authorization Server Metadata" of "JWT Response for OAuth Token Introspection".

Returns:
alg algorithms for encrypting introspection responses.

public Service setSupportedIntrospectionEncryptionAlgs(JWEAlg[] algs)
alg algorithms for encrypting introspection responses. This property corresponds to the introspection_encryption_alg_values_supported metadata defined in "7. Authorization Server Metadata" of "JWT Response for OAuth Token Introspection".

Parameters:
algs - The supported JWE alg algorithms for encrypting introspection responses.

Returns:
this object.

public JWEEnc[] getSupportedIntrospectionEncryptionEncs()
enc algorithms for encrypting introspection responses. This property corresponds to the introspection_encryption_enc_values_supported metadata defined in "7. Authorization Server Metadata" of "JWT Response for OAuth Token Introspection".

Returns:
enc algorithms for encrypting introspection responses.

public Service setSupportedIntrospectionEncryptionEncs(JWEEnc[] encs)
enc algorithms for encrypting introspection responses. This property corresponds to the introspection_encryption_enc_values_supported metadata defined in "7. Authorization Server Metadata" of "JWT Response for OAuth Token Introspection".

Parameters:
encs - The supported JWE enc algorithms for encrypting introspection responses.

Returns:
this object.

public String getIntrospectionSignatureKeyId()
public Service setIntrospectionSignatureKeyId(String keyId)
Parameters:
keyId - The key ID of the key for signing introspection responses.

Returns:
this object.

Copyright © 2023. All rights reserved.