Package com.authlete.common.dto

Class Service

  • All Implemented Interfaces:
    Serializable
    public class Service
extends Object
implements Serializable
    Information about a service.

    Some properties correspond to the ones listed in OpenID Provider Metadata in OpenID Connect Discovery 1.0

    JWT-based access token

    When getAccessTokenSignAlg() returns a non-null value, access tokens issued by this service become JWTs. The value returned by the method is used as the signature algorithm of the JWTs. When the method returns null, access tokens issued by this service are random strings as before.

    A JWT-based access token has the following claims.

    claim name type description
    scope string Space-delimited scope names.
    client_id string Client ID.
    exp integer Time at which this access token will expire. Seconds since the Unix epoch.
    iat integer Time at which this access token was issued. Seconds since the Unix epoch.
    sub string The subject (unique identifier) of the resource owner who approved issue of this access token. This claim does not exist or its value is null if this access token was issued by resource owner password credentials flow.
    iss string The issuer identifier of this service.
    jti string The unique identifier of this JWT. The value of this claim itself is the random-string version of this access token.
    cnf object

    If this access token is bound to a client certificate, this claim is included. The type of its value is object and the sub object contains a "x5t#S256" claim. The value of the "x5t#S256" claim is the X.509 Certificate SHA-256 thumbprint of the client certificate. See "3.1. JWT Certificate Thumbprint Confirmation Method" of RFC 8705 (OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens) for details.

    If this access token is bound to a public key of DPoP, this claim is included. The type of its value is object and the sub object contains a "jkt" claim. The value of the "jkt" claim is the thumbprint of the public key. See RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP) for details.

    aud array If this access token has been generated with target resources, this claim is included. See RFC 8707 (Resource Indicators for OAuth 2.0) for details.
    authorization_details array If this access token has been generated with authorization_details, this claim is included. See RFC 9396 (OAuth 2.0 Rich Authorization Requests) for details.
    grant_id string The grant ID tied to this access token. This field may be set if the authorization request which created this access token included grant_id or grant_management_action=create. See "Grant Management for OAuth 2.0" for details about the request parameters.
    grant object

    The grant this access token has inherited. This field may be set if the authorization request which created this access token included grant_management_action=update. See "Grant Management for OAuth 2.0" for details about the request parameter.

    The format of this JSON object is the same as the response from the grant management endpoint which is defined in "Grant Management for OAuth 2.0".

    acr string The authentication context class of the user authentication that the authorization server performed during the course of issuing the access token. See RFC 9470 (OAuth 2.0 Step Up Authentication Challenge Protocol) for details.
    auth_time integer The time when the user authentication was performed for the access token. The value represents the number of seconds elapsed since the Unix epoch. See RFC 9470 (OAuth 2.0 Step Up Authentication Challenge Protocol) for details.
    grant_type string

    The grant type that was used for the issuance of the access token. Possible values are as follows.

    Value Since Authlete Version
    "authorization_code" 2.1.24, 2.2.36, 2.3
    "implicit" 2.1.24, 2.2.36, 2.3
    "password" 2.1.24, 2.2.36, 2.3
    "client_credentials" 2.1.24, 2.2.36, 2.3
    "urn:openid:params:grant-type:ciba" 2.1.24, 2.2.36, 2.3
    "urn:ietf:params:oauth:grant-type:device_code" 2.1.24, 2.2.36, 2.3
    "urn:ietf:params:oauth:grant-type:token-exchange" 2.3
    "urn:ietf:params:oauth:grant-type:jwt-bearer" 2.3
    "urn:ietf:params:oauth:grant-type:pre-authorized_code" 3.0

    Visible (= not-hidden) extra properties of the access token are embedded in the JWT as custom claims. Regarding extra properties, see the Authlete API document.

    The feature of JWT-based access token is available since Authlete 2.1. Access tokens issued by older Authlete versions are always random strings.

    RFC 8707 (Resource Indicators for OAuth 2.0) is supported since Authlete 2.2. The resource request parameter given to older Authlete versions is just ignored, so JWT-based access tokens won't include the aud claim.

    RFC 9396 (OAuth 2.0 Rich Authorization Requests) is supported since Authlete 2.2. The authorization_details request parameter given to older Authlete versions is just ignored, so JWT-based access tokens won't include the authorization_details claim.

    "Grant Management for OAuth 2.0" is supported since Authlete 2.3. The grant_id and grant_management_action request parameters given to older Authlete versions are just ignored, so JWT-based access token won't include the grant_id and grant claims.

    RFC 9470 (OAuth 2.0 Step Up Authentication Challenge Protocol) is supported since Authlete 2.3. JWT access tokens issued by older Authlete versions won't include the acr and auth_time claims.

    Some Authlete APIs (e.g. /api/auth/authorization/issue) recognize the jwtAtClaims request parameter since Authlete 2.3. Its format is JSON object. The content of the JSON object will be merged into the payload part of the JWT access token.

    See Also:
    OpenID Connect Discovery 1.0, RFC 8707 Resource Indicators for OAuth 2.0, RFC 9396 OAuth 2.0 Rich Authorization Requests, RFC 9470 OAuth 2.0 Step Up Authentication Challenge Protocol, Serialized Form

    • Constructor Detail

      • Service

        public Service()

    • Method Detail

      • getNumber

        public int getNumber()
        Get the service number.
        Returns:
        The service number.

      • setNumber

        public Service setNumber​(int number)
        Set the service number.
        Parameters:
        number - The service number.
        Returns:
        this object.

      • getServiceOwnerNumber

        public int getServiceOwnerNumber()
        Get the service owner number.
        Returns:
        The service owner number.

      • setServiceOwnerNumber

        public Service setServiceOwnerNumber​(int serviceOwnerNumber)
        Set the service owner number
        Parameters:
        serviceOwnerNumber - The service owner number.
        Returns:
        this object.

      • getServiceName

        public String getServiceName()
        Get the service name.
        Returns:
        The service name.

      • setServiceName

        public Service setServiceName​(String serviceName)
        Set the service name.
        Parameters:
        serviceName - The service name.
        Returns:
        this object.

      • getApiKey

        public long getApiKey()
        Get the API key.
        Returns:
        The API key.

      • setApiKey

        public Service setApiKey​(long apiKey)
        Set the API key.
        Parameters:
        apiKey - The API key.
        Returns:
        this object.

      • getApiSecret

        public String getApiSecret()
        Get the API secret.
        Returns:
        The API secret.

      • setApiSecret

        public Service setApiSecret​(String apiSecret)
        Set the API secret.
        Parameters:
        apiSecret - The API secret.
        Returns:
        this object.

      • getIssuer

        public URI getIssuer()
        Get the issuer identifier of this OpenID provider.
        Returns:
        The issuer identifier.

      • setIssuer

        public Service setIssuer​(URI issuer)
        Set the issuer identifier of this OpenID provider.
        Parameters:
        issuer - The issuer identifier.
        Returns:
        this object.

      • getAuthorizationEndpoint

        public URI getAuthorizationEndpoint()
        Get the URI of the authorization endpoint.
        Returns:
        The URI of the authorization endpoint.

      • setAuthorizationEndpoint

        public Service setAuthorizationEndpoint​(URI endpoint)
        Set the URI of the authorization endpoint.
        Parameters:
        endpoint - The URI of the authorization endpoint.
        Returns:
        this object.

      • getTokenEndpoint

        public URI getTokenEndpoint()
        Get the URI of the token endpoint.
        Returns:
        The URI of the token endpoint.

      • setTokenEndpoint

        public Service setTokenEndpoint​(URI endpoint)
        Set the URI of the token endpoint.
        Parameters:
        endpoint - The URI of the token endpoint.
        Returns:
        this object.

      • getRevocationEndpoint

        public URI getRevocationEndpoint()
        Get the URI of the token revocation endpoint.
        Returns:
        The URI of the token revocation endpoint.
        Since:
        1.16
        See Also:
        RFC 7009: OAuth 2.0 Token Revocation

      • getSupportedRevocationAuthMethods

        public ClientAuthMethod[] getSupportedRevocationAuthMethods()
        Get client authentication methods supported at the revocation endpoint.
        Returns:
        Client authentication methods supported at the revocation endpoint.
        Since:
        2.17

      • setSupportedRevocationAuthMethods

        public Service setSupportedRevocationAuthMethods​(ClientAuthMethod[] methods)
        Set client authentication methods supported at the revocation endpoint.
        Parameters:
        methods - Client authentication methods.
        Returns:
        this object.
        Since:
        2.17

      • setRevocationEndpoint

        public Service setRevocationEndpoint​(URI endpoint)
        Set the URI of the token revocation endpoint.
        Parameters:
        endpoint - The URI of the token revocation endpoint.
        Returns:
        this object.
        Since:
        1.16
        See Also:
        RFC 7009: OAuth 2.0 Token Revocation

      • getUserInfoEndpoint

        public URI getUserInfoEndpoint()
        Get the URI of the user info endpoint.
        Returns:
        The URI of the user info endpoint.

      • setUserInfoEndpoint

        public Service setUserInfoEndpoint​(URI endpoint)
        Set the URI of the user info endpoint.
        Parameters:
        endpoint - The URI of the user info endpoint.
        Returns:
        this object.

      • getJwksUri

        public URI getJwksUri()
        Get the URI of the service's JSON Web Key Set.
        Returns:
        The URI of the service's JSON Web Key Set.

      • setJwksUri

        public Service setJwksUri​(URI uri)
        Set the URI of the service's JSON Web Key Set.
        Parameters:
        uri - The URI of the service's JSON Web Key Set.
        Returns:
        this object.

      • getJwks

        public String getJwks()
        Get the JSON Web Key Set of the service.
        Returns:
        The JSON Web Key Set of the service.

      • setJwks

        public Service setJwks​(String jwks)
        Set the JSON Web Key Set of the service.
        Parameters:
        jwks - The JSON Web Key Set of the service.
        Returns:
        this object.

      • getRegistrationEndpoint

        public URI getRegistrationEndpoint()
        Get the URI of the registration endpoint.
        Returns:
        The URI of the registration endpoint.

      • setRegistrationEndpoint

        public Service setRegistrationEndpoint​(URI endpoint)
        Set the URI of the registration endpoint.
        Parameters:
        endpoint - The URI of the registration endpoint.
        Returns:
        this object.

      • getRegistrationManagementEndpoint

        public URI getRegistrationManagementEndpoint()
        Get the URI of the registration management endpoint. If dynamic client registration is supported, and this is set, this URI will be used as the basis of the client's management endpoint by appending /clientid/ to it as a path element. If this is unset, the value of registrationEndpoint will be used as the URI base instead.
        Returns:
        The base URI of the registration management endpoint.
        Since:
        2.39

      • setRegistrationManagementEndpoint

        public Service setRegistrationManagementEndpoint​(URI endpoint)
        Set the URI of the registration management endpoint. If dynamic client registration is supported, and this is set, this URI will be used as the basis of the client's management endpoint by appending /clientid/ to it as a path element. If this is unset, the value of registrationEndpoint will be used as the URI base instead.
        Parameters:
        endpoint - The base URI of the registration management endpoint.
        Returns:
        this object.
        Since:
        2.39

      • getSupportedScopes

        public Scope[] getSupportedScopes()
        Get the supported scopes.
        Returns:
        The supported scopes.

      • setSupportedScopes

        public Service setSupportedScopes​(Scope[] supportedScopes)
        Set the supported scopes.
        Parameters:
        supportedScopes - The supported scopes.
        Returns:
        this object.

      • getSupportedResponseTypes

        public ResponseType[] getSupportedResponseTypes()
        Get the supported response types.
        Returns:
        The supported response types.

      • setSupportedResponseTypes

        public Service setSupportedResponseTypes​(ResponseType[] responseTypes)
        Set the supported response types.
        Parameters:
        responseTypes - The supported response types.
        Returns:
        this object.

      • getSupportedGrantTypes

        public GrantType[] getSupportedGrantTypes()
        Get the supported grant types.
        Returns:
        The supported grant types.

      • setSupportedGrantTypes

        public Service setSupportedGrantTypes​(GrantType[] grantTypes)
        Set the supported grant types.
        Parameters:
        grantTypes - The supported grant types.
        Returns:
        this object.

      • getSupportedAcrs

        public String[] getSupportedAcrs()
        Get the supported ACRs (authentication context class references).
        Returns:
        The supported ACRs.

      • setSupportedAcrs

        public Service setSupportedAcrs​(String[] acrs)
        Set the supported ACRs (authentication context class references).
        Parameters:
        acrs - The supported ACRs.
        Returns:
        this object.

      • getSupportedTokenAuthMethods

        public ClientAuthMethod[] getSupportedTokenAuthMethods()
        Get the supported client authentication methods at the token endpoint.
        Returns:
        The supported client authentication methods.

      • setSupportedTokenAuthMethods

        public Service setSupportedTokenAuthMethods​(ClientAuthMethod[] methods)
        Set the number of client authentication methods at the token endpoint.
        Parameters:
        methods - The supported client authentication methods.
        Returns:
        this object.

      • getSupportedDisplays

        public Display[] getSupportedDisplays()
        Get the supported values of display parameter passed to the authorization endpoint.
        Returns:
        The supported values of display parameter.

      • setSupportedDisplays

        public Service setSupportedDisplays​(Display[] displays)
        Set the supported values of display parameter passed to the authorization endpoint.
        Parameters:
        displays - The supported values of display parameter.
        Returns:
        this object.

      • getSupportedClaimTypes

        public ClaimType[] getSupportedClaimTypes()
        Get the supported claim types.
        Returns:
        The supported claim types.

      • setSupportedClaimTypes

        public Service setSupportedClaimTypes​(ClaimType[] claimTypes)
        Set the supported claim types.
        Parameters:
        claimTypes - The supported claim types.
        Returns:
        this object.

      • getSupportedClaims

        public String[] getSupportedClaims()
        Get the supported claims.
        Returns:
        The supported claims.

      • setSupportedClaims

        public Service setSupportedClaims​(String[] supportedClaims)
        Set the supported claims.
        Parameters:
        supportedClaims - The supported claims.
        Returns:
        this object.

      • getServiceDocumentation

        public URI getServiceDocumentation()
        Get the URI of a page containing human-readable information that developers might want or need to know when using this OpenID Provider.
        Returns:
        The URI of the service documentation.

      • setServiceDocumentation

        public Service setServiceDocumentation​(URI uri)
        Set the URI of a page containing human-readable information that developers might want or need to know when using this OpenID Provider.
        Parameters:
        uri - The URI of the service documentation.
        Returns:
        this object.

      • getSupportedClaimLocales

        public String[] getSupportedClaimLocales()
        Get the supported claim locales.
        Returns:
        The supported claim locales.

      • setSupportedClaimLocales

        public Service setSupportedClaimLocales​(String[] supportedClaimLocales)
        Set the supported claim locales.
        Parameters:
        supportedClaimLocales - The supported claim locales.
        Returns:
        this object.

      • getSupportedUiLocales

        public String[] getSupportedUiLocales()
        Get the supported UI locales.
        Returns:
        The supported UI locales.

      • setSupportedUiLocales

        public Service setSupportedUiLocales​(String[] supportedUiLocales)
        Set the supported UI locales.
        Parameters:
        supportedUiLocales - The supported UI locales.
        Returns:
        this object.

      • getPolicyUri

        public URI getPolicyUri()
        Get the URI that this OpenID Provider provides to the person registering the client to read about the OP's requirements on how the Relying Party can use the data provided by the OP.
        Returns:
        The URI of the policy page.

      • setPolicyUri

        public Service setPolicyUri​(URI uri)
        Set the URI that this OpenID Provider provides to the person registering the client to read about the OP's requirements on how the Relying Party can use the data provided by the OP.
        Parameters:
        uri - The URI of the policy page.
        Returns:
        this object.

      • getTosUri

        public URI getTosUri()
        Get the URI that the OpenID Provider provides to the person registering the client to read about the OP's terms of service.
        Returns:
        The URI of the Terms-of-Service page.

      • setTosUri

        public Service setTosUri​(URI uri)
        Set the URI that the OpenID Provider provides to the person registering the client to read about the OP's terms of service.
        Parameters:
        uri - The URI of the Terms-of-Service page.
        Returns:
        this object.

      • getDescription

        public String getDescription()
        Get the description.
        Returns:
        The description.

      • setDescription

        public Service setDescription​(String description)
        Set the description.
        Parameters:
        description - The description.
        Returns:
        this object.

      • getAccessTokenSignAlg

        public JWSAlg getAccessTokenSignAlg()
        Get the signature algorithm of access tokens.

        When this method returns null, access tokens issued by this service are just random strings. On the other hand, when this method returns a non-null value, access tokens issued by this service are JWTs and the value returned from this method represents the signature algorithm of the JWTs. Regarding the format, see the description of this Service class.

        This feature is available since Authlete 2.1. Access tokens generated by older Authlete versions are always random strings.

        Returns:
        The signature algorithm of JWT-based access tokens. When null is returned, access tokens are not JWTs but just random strings.
        Since:
        2.37

      • setAccessTokenSignAlg

        public Service setAccessTokenSignAlg​(JWSAlg alg)
        Set the signature algorithm of access tokens.

        When null is set, access tokens issued by this service are just random strings. On the other hand, when a non-null value is set, access tokens issued by this service are JWTs and the value set by this method is used as the signature algorithm of the JWTs. Regarding the format, see the description of this Service class.

        This feature is available since Authlete 2.1. Access tokens generated by older Authlete versions are always random strings.

        Parameters:
        alg - The signature algorithm of JWT-based access tokens. When null is given, access tokens are not JWTs but just random strings. Note that symmetric algorithms (HS256, HS384 and HS512) are not supported.
        Returns:
        this object.
        Since:
        2.37

      • getAccessTokenDuration

        public long getAccessTokenDuration()
        Get the duration of access tokens in seconds; the value of expires_in in access token responses.
        Returns:
        The duration of access tokens in seconds.
        See Also:
        RFC 6749 (OAuth 2.0), 5.1. Successful Response

      • setAccessTokenDuration

        public Service setAccessTokenDuration​(long duration)
        Set the duration of access tokens in seconds; the value of expires_in in access token responses.
        Parameters:
        duration - The duration of access tokens in seconds.
        Returns:
        this object.
        See Also:
        RFC 6749 (OAuth 2.0), 5.1. Successful Response

      • getRefreshTokenDuration

        public long getRefreshTokenDuration()
        Get the duration of refresh tokens in seconds.
        Returns:
        The duration of refresh tokens in seconds.

      • setRefreshTokenDuration

        public Service setRefreshTokenDuration​(long duration)
        Set the duration of refresh tokens in seconds.
        Parameters:
        duration - The duration of refresh tokens in seconds.
        Returns:
        this object.

      • getIdTokenDuration

        public long getIdTokenDuration()
        Get the duration of ID tokens in seconds.
        Returns:
        The duration of ID tokens in seconds.

      • setIdTokenDuration

        public Service setIdTokenDuration​(long duration)
        Set the duration of ID tokens in seconds.
        Parameters:
        duration - The duration of ID tokens in seconds.
        Returns:
        this object.

      • getAuthorizationResponseDuration

        public long getAuthorizationResponseDuration()
        Get the duration of authorization response JWTs.

        Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) defines new values for the response_mode request parameter. They are query.jwt, fragment.jwt, form_post.jwt and jwt. If one of them is specified as the response mode, response parameters from the authorization endpoint will be packed into a JWT. This property is used to compute the value of the exp claim of the JWT.

        Returns:
        The duration of authorization response JWTs in seconds.
        Since:
        2.28

      • setAuthorizationResponseDuration

        public Service setAuthorizationResponseDuration​(long duration)
        Set the duration of authorization response JWTs.

        Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) defines new values for the response_mode request parameter. They are query.jwt, fragment.jwt, form_post.jwt and jwt. If one of them is specified as the response mode, response parameters from the authorization endpoint will be packed into a JWT. This property is used to compute the value of the exp claim of the JWT.

        Parameters:
        duration - The duration of authorization response JWTs in seconds.
        Returns:
        this object.
        Since:
        2.28

      • getPushedAuthReqDuration

        public long getPushedAuthReqDuration()
        Get the duration of pushed authorization requests.

        "OAuth 2.0 Pushed Authorization Requests" defines an endpoint (called "pushed authorization request endpoint") which client applications can register authorization requests into and get corresponding URIs (called "request URIs") from. The issued URIs represent the registered authorization requests. The client applications can use the URIs as the value of the request_uri request parameter in an authorization request.

        The value returned from this method represents the duration of registered authorization requests and is used as the value of the expires_in parameter in responses from the pushed authorization request endpoint.

        Returns:
        The duration of pushed authorization requests in seconds.
        Since:
        2.51

      • setPushedAuthReqDuration

        public Service setPushedAuthReqDuration​(long duration)
        Set the duration of pushed authorization requests.

        "OAuth 2.0 Pushed Authorization Requests" defines an endpoint (called "pushed authorization request endpoint") which client applications can register authorization requests into and get corresponding URIs (called "request URIs") from. The issued URIs represent the registered authorization requests. The client applications can use the URIs as the value of the request_uri request parameter in an authorization request.

        The value given to this method represents the duration of registered authorization requests and is used as the value of the expires_in parameter in responses from the pushed authorization request endpoint.

        Parameters:
        duration - The duration of pushed authorization requests.
        Returns:
        this object.
        Since:
        2.51

      • getAuthenticationCallbackEndpoint

        public URI getAuthenticationCallbackEndpoint()
        Get the URI of the authentication callback endpoint.
        Returns:
        The URI of the authentication callback endpoint.
        Since:
        1.1

      • setAuthenticationCallbackEndpoint

        public Service setAuthenticationCallbackEndpoint​(URI endpoint)
        Set the URI of the authentication callback endpoint.
        Parameters:
        endpoint - The URI of the authentication callback endpoint.
        Returns:
        this object.
        Since:
        1.1

      • getAuthenticationCallbackApiKey

        public String getAuthenticationCallbackApiKey()
        Get the API key to access the authentication callback endpoint.
        Returns:
        The API key to access the authentication callback endpoint.
        Since:
        1.1

      • setAuthenticationCallbackApiKey

        public Service setAuthenticationCallbackApiKey​(String apiKey)
        Set the API key to access the authentication callback endpoint.
        Parameters:
        apiKey - The API key to access the authentication callback endpoint.
        Returns:
        this object.
        Since:
        1.1

      • getAuthenticationCallbackApiSecret

        public String getAuthenticationCallbackApiSecret()
        Get the API secret to access the authentication callback endpoint.
        Returns:
        The API secret to access the authentication callback endpoint.
        Since:
        1.1

      • setAuthenticationCallbackApiSecret

        public Service setAuthenticationCallbackApiSecret​(String apiSecret)
        Set the API secret to access the authentication callback endpoint.
        Parameters:
        apiSecret - The API secret to access the authentication callback endpoint.
        Returns:
        this object.
        Since:
        1.1

      • getSupportedSnses

        public Sns[] getSupportedSnses()
        Get the list of supported SNSes for social login at the authorization endpoint.
        Returns:
        The list of SNSes.
        Since:
        1.3

      • setSupportedSnses

        public Service setSupportedSnses​(Sns[] supportedSnses)
        Set the list of supported SNSes for social login at the authorization endpoint.
        Parameters:
        supportedSnses - The list of SNSes.
        Returns:
        this object.
        Since:
        1.3

      • getSnsCredentials

        public SnsCredentials[] getSnsCredentials()
        Get the list of SNS credentials that Authlete uses to support social login.
        Returns:
        The list of SNS credentials.
        Since:
        1.3

      • setSnsCredentials

        public Service setSnsCredentials​(SnsCredentials[] snsCredentials)
        Set the list of SNS credentials that Authlete uses to support social login.
        Parameters:
        snsCredentials - The list of SNS credentials.
        Returns:
        this object.
        Since:
        1.3

      • getCreatedAt

        public long getCreatedAt()
        Get the time at which this service was created.
        Returns:
        The time at which this service was created. The value is represented as milliseconds since the UNIX epoch (1970-01-01).
        Since:
        1.6

      • setCreatedAt

        public Service setCreatedAt​(long createdAt)
        Set the time at which this service was created.
        Parameters:
        createdAt - The time at which this service was created.
        Returns:
        this object.
        Since:
        1.6

      • getModifiedAt

        public long getModifiedAt()
        Get the time at which this service was last modified.
        Returns:
        The time at which this service was last modified. The value is represented as milliseconds since the UNIX epoch (1970-01-01).
        Since:
        1.6

      • setModifiedAt

        public Service setModifiedAt​(long modifiedAt)
        Set the time at which this service was last modified.
        Parameters:
        modifiedAt - The time at which this service was modified.
        Returns:
        this object.
        Since:
        1.6

      • getMetadata

        public Pair[] getMetadata()
        Get metadata.

        The content of the returned array depends on contexts.


        Predefined Service Metadata
        Key Description
        "clientCount" The number of client applications which belong to this service.
        Returns:
        Metadata. The type is an array of Pair.
        Since:
        1.39

      • setMetadata

        public Service setMetadata​(Pair[] metadata)
        Set metadata.
        Parameters:
        metadata - Metadata. The type is an array of Pair. null may be returned.
        Returns:
        this object.
        Since:
        1.39

      • getDeveloperAuthenticationCallbackEndpoint

        public URI getDeveloperAuthenticationCallbackEndpoint()
        Get the URI of the developer authentication callback endpoint.
        Returns:
        The URI of the developer authentication callback endpoint.
        Since:
        1.9

      • setDeveloperAuthenticationCallbackEndpoint

        public Service setDeveloperAuthenticationCallbackEndpoint​(URI endpoint)
        Set the URI of the developer authentication callback endpoint.
        Parameters:
        endpoint - The URI of the developer authentication callback endpoint.
        Returns:
        this object.
        Since:
        1.9

      • getDeveloperAuthenticationCallbackApiKey

        public String getDeveloperAuthenticationCallbackApiKey()
        Get the API key to access the developer authentication callback endpoint.
        Returns:
        The API key to access the developer authentication callback endpoint.
        Since:
        1.9

      • setDeveloperAuthenticationCallbackApiKey

        public Service setDeveloperAuthenticationCallbackApiKey​(String apiKey)
        Set the API key to access the developer authentication callback endpoint.
        Parameters:
        apiKey - The API key to access the developer authentication callback endpoint.
        Returns:
        this object.
        Since:
        1.9

      • getDeveloperAuthenticationCallbackApiSecret

        public String getDeveloperAuthenticationCallbackApiSecret()
        Get the API secret to access the developer authentication callback endpoint.
        Returns:
        The API secret to access the developer authentication callback endpoint.
        Since:
        1.9

      • setDeveloperAuthenticationCallbackApiSecret

        public Service setDeveloperAuthenticationCallbackApiSecret​(String apiSecret)
        Set the API secret to access the developer authentication callback endpoint.
        Parameters:
        apiSecret - The API secret to access the developer authentication callback endpoint.
        Returns:
        this object.
        Since:
        1.9

      • getSupportedDeveloperSnses

        public Sns[] getSupportedDeveloperSnses()
        Get the list of supported SNSes for social login at the developer console.
        Returns:
        The list of SNSes.
        Since:
        1.10

      • setSupportedDeveloperSnses

        public Service setSupportedDeveloperSnses​(Sns[] supportedSnses)
        Set the list of supported SNSes for social login at the developer console.
        Parameters:
        supportedSnses - The list of SNSes.
        Returns:
        this object.
        Since:
        1.10

      • getDeveloperSnsCredentials

        public SnsCredentials[] getDeveloperSnsCredentials()
        Get the list of SNS credentials that Authlete uses to support social login at the developer console.
        Returns:
        The list of SNS credentials.
        Since:
        1.10

      • setDeveloperSnsCredentials

        public Service setDeveloperSnsCredentials​(SnsCredentials[] snsCredentials)
        Set the list of SNS credentials that Authlete uses to support social login at the developer console.
        Parameters:
        snsCredentials - The list of SNS credentials.
        Returns:
        this object.
        Since:
        1.10

      • getClientsPerDeveloper

        public int getClientsPerDeveloper()
        Get the number of client applications that one developer can create. 0 means that developers can create as many client applications as they want.
        Returns:
        The number of client applications that one developer can create. 0 means no limit.
        Since:
        1.16

      • setClientsPerDeveloper

        public Service setClientsPerDeveloper​(int count)
        Set the number of client applications that one developer can create. 0 means that developers can create as many client applications as they want.
        Parameters:
        count - The number of client applications that one developer can create. 0 means no limit.
        Returns:
        this object.
        Since:
        1.16

      • isDirectAuthorizationEndpointEnabled

        public boolean isDirectAuthorizationEndpointEnabled()
        Get the flag which indicates whether the direct authorization endpoint is enabled or not. The path of the endpoint is /api/auth/authorization/direct/{serviceApiKey}
        Returns:
        true if enabled.
        Since:
        1.16

      • setDirectAuthorizationEndpointEnabled

        public Service setDirectAuthorizationEndpointEnabled​(boolean enabled)
        Set the flag which indicates whether the direct authorization endpoint is enabled or not. The path of the endpoint is /api/auth/authorization/direct/{serviceApiKey}
        Parameters:
        enabled - true to enable the direct endpoint.
        Returns:
        this object.
        Since:
        1.16

      • isDirectTokenEndpointEnabled

        public boolean isDirectTokenEndpointEnabled()
        Get the flag which indicates whether the direct token endpoint is enabled or not. The path of the endpoint is /api/auth/token/direct/{serviceApiKey}
        Returns:
        true if enabled.
        Since:
        1.16

      • setDirectTokenEndpointEnabled

        public Service setDirectTokenEndpointEnabled​(boolean enabled)
        Set the flag which indicates whether the direct token endpoint is enabled or not. The path of the endpoint is /api/auth/token/direct/{serviceApiKey}
        Parameters:
        enabled - true to enable the direct endpoint.
        Returns:
        this object.
        Since:
        1.16

      • isDirectRevocationEndpointEnabled

        public boolean isDirectRevocationEndpointEnabled()
        Get the flag which indicates whether the direct revocation endpoint is enabled or not. The path of the endpoint is /api/auth/revocation/direct/{serviceApiKey}
        Returns:
        true if enabled.
        Since:
        1.16

      • setDirectRevocationEndpointEnabled

        public Service setDirectRevocationEndpointEnabled​(boolean enabled)
        Set the flag which indicates whether the direct revocation endpoint is enabled or not. The path of the endpoint is /api/auth/revocation/direct/{serviceApiKey}
        Parameters:
        enabled - true to enable the direct endpoint.
        Returns:
        this object.
        Since:
        1.16

      • isDirectUserInfoEndpointEnabled

        public boolean isDirectUserInfoEndpointEnabled()
        Get the flag which indicates whether the direct userinfo endpoint is enabled or not. The path of the endpoint is /api/auth/userinfo/direct/{serviceApiKey}
        Returns:
        true if enabled.
        Since:
        1.16

      • setDirectUserInfoEndpointEnabled

        public Service setDirectUserInfoEndpointEnabled​(boolean enabled)
        Set the flag which indicates whether the direct userinfo endpoint is enabled or not. The path of the endpoint is /api/auth/userinfo/direct/{serviceApiKey}
        Parameters:
        enabled - true to enable the direct endpoint.
        Returns:
        this object.
        Since:
        1.16

      • isDirectJwksEndpointEnabled

        public boolean isDirectJwksEndpointEnabled()
        Get the flag which indicates whether the direct jwks endpoint is enabled or not. The path of the endpoint is /api/service/jwks/get/direct/{serviceApiKey}
        Returns:
        true if enabled.
        Since:
        1.16

      • setDirectJwksEndpointEnabled

        public Service setDirectJwksEndpointEnabled​(boolean enabled)
        Set the flag which indicates whether the direct jwks endpoint is enabled or not. The path of the endpoint is /api/service/jwks/get/direct/{serviceApiKey}
        Parameters:
        enabled - true to enable the direct endpoint.
        Returns:
        this object.
        Since:
        1.16

      • isDirectIntrospectionEndpointEnabled

        public boolean isDirectIntrospectionEndpointEnabled()
        Get the flag which indicates whether the direct introspection endpoint is enabled or not. The path of the endpoint is /api/auth/introspection/direct/{serviceApiKey}
        Returns:
        true if enabled.
        Since:
        1.39

      • setDirectIntrospectionEndpointEnabled

        public Service setDirectIntrospectionEndpointEnabled​(boolean enabled)
        Set the flag which indicates whether the direct introspection endpoint is enabled or not. The path of the endpoint is /api/auth/introspection/direct/{serviceApiKey}
        Parameters:
        enabled - true to enable the direct endpoint.
        Returns:
        this object.
        Since:
        1.39

      • isSingleAccessTokenPerSubject

        public boolean isSingleAccessTokenPerSubject()
        Get the flag which indicates whether the number of access tokens per subject (and per client) is at most one or can be more.

        If this flag is true, an attempt to issue a new access token invalidates existing access tokens associated with the same subject and the same client.

        Even if this flag is false, invalidation of existing access tokens is executed if the singleAccessTokenPerSubject property of the target client is true. The property of Client is recognized by Authlete 2.3 onwards. (cf. Client.isSingleAccessTokenPerSubject())

        Note that, however, attempts by Client Credentials Flow do not invalidate existing access tokens because access tokens issued by Client Credentials Flow are not associated with any end-user's subject. Also note that an attempt by Refresh Token Flow invalidates the coupled access token only and this invalidation is always performed regardless of whether this flag is true or false.

        Returns:
        true if the number of access tokens per subject (and per client) is at most one.
        Since:
        1.20
        See Also:
        Client.isSingleAccessTokenPerSubject()

      • setSingleAccessTokenPerSubject

        public Service setSingleAccessTokenPerSubject​(boolean single)
        Set the flag which indicates whether the number of access tokens per subject (and per client) is at most one or can be more.

        If true is set, an attempt to issue a new access token invalidates existing access tokens associated with the same subject and the same client.

        Even if this flag is false, invalidation of existing access tokens is executed if the singleAccessTokenPerSubject property of the target client is true. The property of Client is recognized by Authlete 2.3 onwards. (cf. Client.setSingleAccessTokenPerSubject(boolean))

        Note that, however, attempts by Client Credentials Flow do not invalidate existing access tokens because access tokens issued by Client Credentials Flow are not associated with any end-user's subject. Also note that an attempt by Refresh Token Flow invalidates the coupled access token only and this invalidation is always performed regardless of whether this flag is true or false.

        Parameters:
        single - true to set the maximum number of access tokens per subject (and per client) to 1.
        Returns:
        this object.
        Since:
        1.20
        See Also:
        Client.setSingleAccessTokenPerSubject(boolean)

      • isPkceRequired

        public boolean isPkceRequired()
        Get the flag which indicates whether the use of Proof Key for Code Exchange (PKCE) is always required for authorization requests by Authorization Code Flow. See RFC 7636 (Proof Key for Code Exchange by OAuth Public Clients) for details.
        Returns:
        true if PKCE is always required for authorization requests by Authorization Code Flow.
        Since:
        1.21
        See Also:
        RFC 7636

      • setPkceRequired

        public Service setPkceRequired​(boolean required)
        Set the flag which indicates whether the use of Proof Key for Code Exchange (PKCE) is always required for authorization requests by Authorization Code Flow. See RFC 7636 (Proof Key for Code Exchange by OAuth Public Clients for details.
        Parameters:
        required - true to always require PKCE for authorization requests by Authorization Code Flow.
        Returns:
        this object.
        Since:
        1.21

      • isPkceS256Required

        public boolean isPkceS256Required()
        Get the flag which indicates whether S256 is always required as the code challenge method whenever PKCE (RFC 7636) is used.

        If this flag is true, code_challenge_method=S256 must be included in the authorization request whenever it includes the code_challenge request parameter. Neither omission of the code_challenge_method request parameter nor use of plain (code_challenge_method=plain) is allowed.

        Returns:
        true if S256 is always required as the code challenge method whenever PKCE is used.
        Since:
        2.46
        See Also:
        RFC 7636

      • setPkceS256Required

        public Service setPkceS256Required​(boolean required)
        Set the flag which indicates whether S256 is always required as the code challenge method whenever PKCE (RFC 7636) is used.

        If true is set, code_challenge_method=S256 must be included in the authorization request whenever it includes the code_challenge request parameter. Neither omission of the code_challenge_method request parameter nor use of plain (code_challenge_method=plain) is allowed.

        Parameters:
        required - true to require S256 as the code challenge method whenever PKCE is used.
        Returns:
        this object.
        Since:
        2.46
        See Also:
        RFC 7636

      • isRefreshTokenKept

        public boolean isRefreshTokenKept()
        Get the flag which indicates whether a refresh token remains valid or gets renewed after its use.
        Returns:
        true if a refresh token remains valid after its use. false if a new refresh token is issued after its use.
        Since:
        1.33

      • setRefreshTokenKept

        public Service setRefreshTokenKept​(boolean kept)
        Set the flag which indicates whether a refresh token remains valid or gets renewed after its use.
        Parameters:
        kept - true to keep a refresh token valid after its use. false to renew a refresh token after its use.
        Returns:
        this object.
        Since:
        1.33

      • isRefreshTokenDurationKept

        public boolean isRefreshTokenDurationKept()
        Get the flag which indicates whether the remaining duration of the used refresh token is taken over to the newly issued refresh token.
        Returns:
        true if the remaining duration of the used refresh token is taken over to the newly issued refresh token.
        Since:
        2.78

      • setRefreshTokenDurationKept

        public Service setRefreshTokenDurationKept​(boolean kept)
        Set the flag which indicates whether the remaining duration of the used refresh token is taken over to the newly issued refresh token.
        Parameters:
        kept - true to indicate that the remaining duration of the used refresh token is taken over to the newly issued refresh token.
        Returns:
        this object.

      • isRefreshTokenDurationReset

        public boolean isRefreshTokenDurationReset()
        Get the flag which indicates whether duration of refresh tokens are reset when they are used even if the refreshTokenKept property of this service (cf. isRefreshTokenKept()) is true (= even if "Refresh Token Continuous Use" is "Kept").

        This flag has no effect when the refreshTokenKept property is false. In other words, if this service issues a new refresh token on every refresh token request, the refresh token will have fresh duration (unless refreshTokenDurationKept is true) and this refreshTokenDurationReset property is not referenced.

        Returns:
        true if duration of refresh tokens are reset when they are used.
        Since:
        2.98

      • setRefreshTokenDurationReset

        public Service setRefreshTokenDurationReset​(boolean reset)
        Set the flag which indicates whether duration of refresh tokens are reset when they are used even if the refreshTokenKept property of this service (cf. isRefreshTokenKept()) is true (= even if "Refresh Token Continuous Use" is "Kept").

        This flag has no effect when the refreshTokenKept property is false. In other words, if this service issues a new refresh token on every refresh token request, the refresh token will have fresh duration (unless refreshTokenDurationKept is true) and this refreshTokenDurationReset property is not referenced.

        Parameters:
        reset - true to reset duration of refresh tokens when they are used.
        Returns:
        this object.
        Since:
        2.98

      • isErrorDescriptionOmitted

        public boolean isErrorDescriptionOmitted()
        Get the flag which indicates whether the error_description response parameter is omitted.

        According to RFC 6749, authorization servers may include the error_description response parameter in error responses. When this errorDescriptionOmitted property is true, Authlete does not embed the error_description response parameter in error responses.

        Returns:
        true if the error_description response parameter is omitted. false if the error_description response parameter is included in error responses from the authorization server.
        Since:
        1.39

      • setErrorDescriptionOmitted

        public Service setErrorDescriptionOmitted​(boolean omitted)
        Omit or embed the error_description response parameter in error responses.
        Parameters:
        omitted - true to omit the error_description response parameter. false to embed the parameter.
        Returns:
        this object.
        Since:
        1.39

      • isErrorUriOmitted

        public boolean isErrorUriOmitted()
        Get the flag which indicates whether the error_uri response parameter is omitted.

        According to RFC 6749, authorization servers may include the error_uri response parameter in error responses. When this errorUriOmitted property is true, Authlete does not embed the error_uri response parameter in error responses.

        Returns:
        true if the error_uri response parameter is omitted. false if the error_uri response parameter is included in error responses from the authorization server.
        Since:
        1.39

      • setErrorUriOmitted

        public Service setErrorUriOmitted​(boolean omitted)
        Omit or embed the error_uri response parameter in error responses.
        Parameters:
        omitted - true to omit the error_uri response parameter. false to embed the parameter.
        Returns:
        this object.
        Since:
        1.39

      • isClientIdAliasEnabled

        public boolean isClientIdAliasEnabled()
        Get the flag which indicates whether the 'Client ID Alias' feature is enabled or not.
        Returns:
        true if the 'Client ID Alias' feature is enabled. false if the feature is disabled.
        Since:
        2.2

      • setClientIdAliasEnabled

        public Service setClientIdAliasEnabled​(boolean enabled)
        Enable/disable the 'Client ID Alias' feature.

        When a new client is created, Authlete generates a numeric value and assigns it as a client ID to the newly created client. In addition to the client ID, each client can have a client ID alias. The client ID alias is, however, recognized only when this property (clientIdAliasEnabled) is true.

        Parameters:
        enabled - true to enable the 'Client ID Alias' feature. false to disable it.
        Returns:
        this object.
        Since:
        2.2

      • getAccessTokenSignatureKeyId

        public String getAccessTokenSignatureKeyId()
        Get the key ID to identify a JWK used for signing access tokens.

        A JWK Set can be registered as a property of a Service. A JWK Set can contain 0 or more JWKs (See RFC 7517 for details about JWK). Authlete Server has to pick up one JWK for signing from the JWK Set when it generates a JWT-based access token (see getAccessTokenSignAlg() for details about JWT-based access token). Authlete Server searches the registered JWK Set for a JWK which satisfies conditions for access token signature. If the number of JWK candidates which satisfy the conditions is 1, there is no problem. On the other hand, if there exist multiple candidates, a Key ID is needed to be specified so that Authlete Server can pick up one JWK from among the JWK candidates.

        This accessTokenSignatureKeyId property exists for the purpose described above.

        Returns:
        A key ID of a JWK. This may be null.
        Since:
        2.37

      • setAccessTokenSignatureKeyId

        public Service setAccessTokenSignatureKeyId​(String keyId)
        Set the key ID to identify a JWK used for signing access tokens.

        See the description of getAccessTokenSignatureKeyId() for details.

        Parameters:
        keyId - A key ID of a JWK. This may be null.
        Returns:
        this object.
        Since:
        2.37

      • getAuthorizationSignatureKeyId

        public String getAuthorizationSignatureKeyId()
        Get the key ID to identify a JWK used for signing authorization responses using an asymmetric key.

        Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) has added new values for the response_mode request parameter. They are query.jwt, fragment.jwt, form_post.jwt and jwt. If one of them is used, response parameters returned from the authorization endpoint will be packed into a JWT. The JWT is always signed. For the signature of the JWT, Authlete Server has to pick up one JWK from the service's JWK Set.

        Authlete Server searches the JWK Set for a JWK which satisfies conditions for authorization response signature. If the number of JWK candidates which satisfy the conditions is 1, there is no problem. On the other hand, if there exist multiple candidates, a Key ID is needed to be specified so that Authlete Server can pick up one JWK from among the JWK candidates. This property exists to specify the key ID.

        Returns:
        A key ID of a JWK. This may be null.
        Since:
        2.28

      • setAuthorizationSignatureKeyId

        public Service setAuthorizationSignatureKeyId​(String keyId)
        Set the key ID to identify a JWK used for signing authorization responses using an asymmetric key.

        See the description of getAuthorizationSignatureKeyId() for details.

        Parameters:
        keyId - A key ID of a JWK. This may be null.
        Returns:
        this object.
        Since:
        2.28

      • getIdTokenSignatureKeyId

        public String getIdTokenSignatureKeyId()
        Get the key ID to identify a JWK used for ID token signature using an asymmetric key.

        A JWK Set can be registered as a property of a Service. A JWK Set can contain 0 or more JWKs (See RFC 7517 for details about JWK). Authlete Server has to pick up one JWK for signature from the JWK Set when it generates an ID token and signature using an asymmetric key. Authlete Server searches the registered JWK Set for a JWK which satisfies conditions for ID token signature. If the number of JWK candidates which satisfy the conditions is 1, there is no problem. On the other hand, if there exist multiple candidates, a Key ID is needed to be specified so that Authlete Server can pick up one JWK from among the JWK candidates.

        This idTokenSignatureKeyId property exists for the purpose described above. For key rotation (OpenID Connect Core 1.0, 10.1.1. Rotation of Asymmetric Signing Keys), this mechanism is needed.

        Returns:
        A key ID of a JWK. This may be null.
        Since:
        2.1

      • setIdTokenSignatureKeyId

        public Service setIdTokenSignatureKeyId​(String keyId)
        Set the key ID to identify a JWK used for ID token signature using an asymmetric key.

        See the description of getIdTokenSignatureKeyId() for details.

        Parameters:
        keyId - A key ID of a JWK. This may be null.
        Returns:
        this object.
        Since:
        2.1

      • getUserInfoSignatureKeyId

        public String getUserInfoSignatureKeyId()
        Get the key ID to identify a JWK used for user info signature using an asymmetric key.

        A JWK Set can be registered as a property of a Service. A JWK Set can contain 0 or more JWKs (See RFC 7517 for details about JWK). Authlete Server has to pick up one JWK for signature from the JWK Set when it is required to sign user info (which is returned from UserInfo Endpoint) using an asymmetric key. Authlete Server searches the registered JWK Set for a JWK which satisfies conditions for user info signature. If the number of JWK candidates which satisfy the conditions is 1, there is no problem. On the other hand, if there exist multiple candidates, a Key ID is needed to be specified so that Authlete Server can pick up one JWK from among the JWK candidates.

        This userInfoSignatureKeyId property exists for the purpose described above. For key rotation (OpenID Connect Core 1.0, 10.1.1. Rotation of Asymmetric Signing Keys), this mechanism is needed.

        Returns:
        A key ID of a JWK. This may be null.
        Since:
        2.1

      • setUserInfoSignatureKeyId

        public Service setUserInfoSignatureKeyId​(String keyId)
        Set the key ID to identify a JWK used for user info signature using an asymmetric key.

        See the description of getUserInfoSignatureKeyId() for details.

        Parameters:
        keyId - A key ID of a JWK. This may be null.
        Returns:
        this object.
        Since:
        2.1

      • getSupportedServiceProfiles

        public ServiceProfile[] getSupportedServiceProfiles()
        Get the supported service profiles.
        Returns:
        Supported service profiles.
        Since:
        2.12

      • setSupportedServiceProfiles

        public Service setSupportedServiceProfiles​(ServiceProfile[] profiles)
        Set the supported service profiles.
        Parameters:
        profiles - Supported service profiles.
        Returns:
        this object.
        Since:
        2.12

      • setSupportedServiceProfiles

        public Service setSupportedServiceProfiles​(Iterable<ServiceProfile> profiles)
        Set the supported service profiles.
        Parameters:
        profiles - Supported service profiles.
        Returns:
        this object.
        Since:
        2.12

      • supports

        public boolean supports​(ServiceProfile profile)
        Check if this service supports the specified profile. If null is given, false is returned. If the supported service profiles are not set to this service, false is returned.
        Parameters:
        profile - A service profile.
        Returns:
        true if this service supports the service profile.
        Since:
        2.12

      • supportsAll

        public boolean supportsAll​(ServiceProfile... profiles)
        Check if this service supports all the specified service profiles. If null is given, true is returned. If an empty array is given, true is returned.
        Parameters:
        profiles - Service profiles.
        Returns:
        true if this service supports all the specified service profiles.
        Since:
        2.12

      • supportsAll

        public boolean supportsAll​(Iterable<ServiceProfile> profiles)
        Check if this service supports all the specified service profiles. If null is given, true is returned. If an empty collection is given, true is returned.
        Parameters:
        profiles - Service profiles.
        Returns:
        true if this service supports all the specified service profiles.
        Since:
        2.12

      • supportsAny

        public boolean supportsAny​(ServiceProfile... profiles)
        Check if this service any of the specified service profiles. If null is given, false is returned. If an empty array is given, false is returned.
        Parameters:
        profiles - Service profiles.
        Returns:
        true if this service supports any of the specified service profiles.
        Since:
        2.12

      • supportsAny

        public boolean supportsAny​(Iterable<ServiceProfile> profiles)
        Check if this service any of the specified service profiles. If null is given, false is returned. If an empty collection is given, false is returned.
        Parameters:
        profiles - Service profiles.
        Returns:
        true if this service supports any of the specified service profiles.
        Since:
        2.12

      • isTlsClientCertificateBoundAccessTokens

        public boolean isTlsClientCertificateBoundAccessTokens()
        Does this service support issuing TLS client certificate bound access tokens?
        Returns:
        true if this service supports issuing TLS client certificate bound access tokens.
        Since:
        2.19

      • setTlsClientCertificateBoundAccessTokens

        public Service setTlsClientCertificateBoundAccessTokens​(boolean enabled)
        Enable or disable support for TLS client certificate bound access tokens.
        Parameters:
        enabled - true to enable TLS client certificate bound access tokens.
        Returns:
        this object.
        Since:
        2.19

      • getIntrospectionEndpoint

        public URI getIntrospectionEndpoint()
        Get the URI of the introspection endpoint.
        Returns:
        The URI of the introspection endpoint.
        Since:
        2.13
        See Also:
        RFC 7662: OAuth 2.0 Token Introspection

      • setIntrospectionEndpoint

        public Service setIntrospectionEndpoint​(URI endpoint)
        Set the URI of the introspection endpoint.
        Parameters:
        endpoint - The URI of the introspection endpoint.
        Returns:
        this object.
        Since:
        2.13
        See Also:
        RFC 7662: OAuth 2.0 Token Introspection

      • getSupportedIntrospectionAuthMethods

        public ClientAuthMethod[] getSupportedIntrospectionAuthMethods()
        Get client authentication methods supported at the introspection endpoint.
        Returns:
        Client authentication methods supported at the introspection endpoint.
        Since:
        2.13

      • setSupportedIntrospectionAuthMethods

        public Service setSupportedIntrospectionAuthMethods​(ClientAuthMethod[] methods)
        Set client authentication methods supported at the introspection endpoint.
        Parameters:
        methods - Client authentication methods.
        Returns:
        this object.
        Since:
        2.13

      • isMutualTlsValidatePkiCertChain

        public boolean isMutualTlsValidatePkiCertChain()
        Determine whether this service validates certificate chains during PKI-based client mutual TLS authentication.
        Returns:
        true if this service requires clients using PKI MTLS to present their certificate chain to the API during authentication, false otherwise.
        Since:
        2.15

      • setMutualTlsValidatePkiCertChain

        public Service setMutualTlsValidatePkiCertChain​(boolean mutualTlsValidatePkiCertChain)
        Set whether this service validates certificate chains during PKI-based client mutual TLS authentication.
        Parameters:
        mutualTlsValidatePkiCertChain - true if this service requires clients using PKI MTLS to present their certificate chain to the API during authentication, false otherwise.
        Returns:
        this object.
        Since:
        2.15

      • getTrustedRootCertificates

        public String[] getTrustedRootCertificates()
        Get the list of root certificates trusted by this service for PKI-based client mutual TLS authentication.
        Returns:
        The list of root certificates trusted by this service in PEM format.
        Since:
        2.15

      • setTrustedRootCertificates

        public Service setTrustedRootCertificates​(String[] trustedRootCertificates)
        Get the list of root certificates trusted by this service for PKI-based client mutual TLS authentication.
        Parameters:
        trustedRootCertificates - The list of root certificates trusted by this service in PEM format.
        Returns:
        this object.
        Since:
        2.15

      • getSupportedBackchannelTokenDeliveryModes

        public DeliveryMode[] getSupportedBackchannelTokenDeliveryModes()
        Get the supported backchannel token delivery modes. This property corresponds to the backchannel_token_delivery_modes_supported metadata.

        Backchannel token delivery modes are defined in the specification of CIBA (Client Initiated Backchannel Authentication).

        Returns:
        Supported backchannel token delivery modes.
        Since:
        2.32

      • setSupportedBackchannelTokenDeliveryModes

        public Service setSupportedBackchannelTokenDeliveryModes​(DeliveryMode[] modes)
        Get the supported backchannel token delivery modes. This property corresponds to the backchannel_token_delivery_modes_supported metadata.

        Backchannel token delivery modes are defined in the specification of CIBA (Client Initiated Backchannel Authentication).

        Parameters:
        modes - Supported backchannel token delivery modes.
        Returns:
        this object.
        Since:
        2.32

      • getBackchannelAuthenticationEndpoint

        public URI getBackchannelAuthenticationEndpoint()
        Get the URI of the backchannel authentication endpoint.

        Backchannel authentication endpoint is defined in the specification of CIBA (Client Initiated Backchannel Authentication).

        Returns:
        The URI of the backchannel authentication endpoint.
        Since:
        2.32

      • setBackchannelAuthenticationEndpoint

        public Service setBackchannelAuthenticationEndpoint​(URI endpoint)
        Set the URI of the backchannel authentication endpoint.

        Backchannel authentication endpoint is defined in the specification of CIBA (Client Initiated Backchannel Authentication).

        Parameters:
        endpoint - The URI of the backchannel authentication endpoint.
        Returns:
        this object.
        Since:
        2.32

      • isBackchannelUserCodeParameterSupported

        public boolean isBackchannelUserCodeParameterSupported()
        Get the boolean flag which indicates whether the "user_code" request parameter is supported at the backchannel authentication endpoint. This property corresponds to the backchannel_user_code_parameter_supported metadata.
        Returns:
        true if the "user_code" request parameter is supported at the backchannel authentication endpoint.
        Since:
        2.32

      • setBackchannelUserCodeParameterSupported

        public Service setBackchannelUserCodeParameterSupported​(boolean supported)
        Set the boolean flag which indicates whether the "user_code" request parameter is supported at the backchannel authentication endpoint. This property corresponds to the backchannel_user_code_parameter_supported metadata.
        Parameters:
        supported - true to indicate that the "user_code" request parameter is supported.
        Returns:
        this object.
        Since:
        2.32

      • getBackchannelAuthReqIdDuration

        public int getBackchannelAuthReqIdDuration()
        Get the duration of backchannel authentication request IDs issued from the backchannel authentication endpoint in seconds. This is used as the value of the expires_in property in responses from the backchannel authentication endpoint.
        Returns:
        The duration of backchannel authentication request IDs in seconds.
        Since:
        2.32

      • setBackchannelAuthReqIdDuration

        public Service setBackchannelAuthReqIdDuration​(int duration)
        Set the duration of backchannel authentication request IDs issued from the backchannel authentication endpoint in seconds. This is used as the value of the expires_in property in responses from the backchannel authentication endpoint.
        Parameters:
        duration - The duration of backchannel authentication request IDs in seconds.
        Returns:
        this object.
        Since:
        2.32

      • getBackchannelPollingInterval

        public int getBackchannelPollingInterval()
        Get the minimum interval between polling requests to the token endpoint from client applications in seconds. This is used as the value of the interval property in responses from the backchannel authentication endpoint.
        Returns:
        The minimum interval between polling requests in seconds.
        Since:
        2.32

      • setBackchannelPollingInterval

        public Service setBackchannelPollingInterval​(int interval)
        Set the minimum interval between polling requests to the token endpoint from client applications in seconds. This is used as the value of the interval property in responses from the backchannel authentication endpoint.
        Parameters:
        interval - The minimum interval between polling requests in seconds. Must be in between 0 and 65,535.
        Returns:
        this object.
        Since:
        2.32

      • isBackchannelBindingMessageRequiredInFapi

        public boolean isBackchannelBindingMessageRequiredInFapi()
        Get the boolean flag which indicates whether the binding_message request parameter is always required whenever a backchannel authentication request is judged as a request for Financial-grade API.
        Returns:
        true if the binding_message request parameter is required whenever a backchannel authentication request is judged as a request for Financial-grade API.
        Since:
        2.48

      • setBackchannelBindingMessageRequiredInFapi

        public Service setBackchannelBindingMessageRequiredInFapi​(boolean required)
        Set the boolean flag which indicates whether the binding_message request parameter is always required whenever a backchannel authentication request is judged as a request for Financial-grade API.

        The FAPI-CIBA profile requires that the authorization server "shall ensure unique authorization context exists in the authorization request or require a binding_message in the authorization request" (FAPI-CIBA, 5.2.2, 2). The simplest way to fulfill this requirement is to set true to this property.

        If false is set to this property, the binding_message request parameter remains optional even in FAPI context, but in exchange, your authorization server must implement a custom mechanism that ensures each backchannel authentication request has unique context.

        Parameters:
        required - true to require the binding_message request parameter whenever a backchannel authentication request is judged as a request for Financial-grade API.
        Returns:
        this object.
        Since:
        2.48

      • getAllowableClockSkew

        public int getAllowableClockSkew()
        Get the allowable clock skew between the server and clients in seconds.

        The clock skew is taken into consideration when time-related claims in a JWT (e.g. "exp", "iat", "nbf") are verified.

        Returns:
        Allowable clock skew in seconds.
        Since:
        2.32

      • setAllowableClockSkew

        public Service setAllowableClockSkew​(int seconds)
        Set the allowable clock skew between the server and clients in seconds.

        The clock skew is taken into consideration when time-related claims in a JWT (e.g. "exp", "iat", "nbf") are verified.

        Parameters:
        seconds - Allowable clock skew in seconds. Must be in between 0 and 65,535.
        Returns:
        this object.
        Since:
        2.32

      • isDynamicRegistrationSupported

        public boolean isDynamicRegistrationSupported()
        Get the flag which indicates whether the dynamic client registration is supported.
        Returns:
        true if enabled.
        Since:
        2.39

      • setDynamicRegistrationSupported

        public Service setDynamicRegistrationSupported​(boolean enabled)
        Set the flag which indicates whether dynamic client registration is supported.
        Parameters:
        enabled - true to enable dynamic client registration
        Returns:
        this object.
        Since:
        2.39

      • getDeviceAuthorizationEndpoint

        public URI getDeviceAuthorizationEndpoint()
        Get the URI of the device authorization endpoint.

        Device authorization endpoint is defined in the specification of OAuth 2.0 Device Authorization Grant.

        Returns:
        The URI of the device authorization endpoint.
        Since:
        2.42

      • setDeviceAuthorizationEndpoint

        public Service setDeviceAuthorizationEndpoint​(URI endpoint)
        Set the URI of the device authorization endpoint.

        Device authorization endpoint is defined in the specification of OAuth 2.0 Device Authorization Grant.

        Parameters:
        endpoint - The URI of the device authorization endpoint.
        Returns:
        this object.
        Since:
        2.42

      • getDeviceVerificationUri

        public URI getDeviceVerificationUri()
        Get the verification URI for the device flow. This URI is used as the value of the verification_uri parameter in responses from the device authorization endpoint.
        Returns:
        The verification URI.
        Since:
        2.42

      • setDeviceVerificationUri

        public Service setDeviceVerificationUri​(URI uri)
        Set the verification URI for the device flow. This URI is used as the value of the verification_uri parameter in responses from the device authorization endpoint.
        Parameters:
        uri - The verification URI.
        Returns:
        this object.
        Since:
        2.42

      • getDeviceVerificationUriComplete

        public URI getDeviceVerificationUriComplete()
        Get the verification URI for the device flow with a placeholder for a user code. This URI is used to build the value of the verification_uri_complete parameter in responses from the device authorization endpoint.
        Returns:
        The verification URI with a placeholder for a user code.
        Since:
        2.42

      • setDeviceVerificationUriComplete

        public Service setDeviceVerificationUriComplete​(URI uri)
        Set the verification URI for the device flow with a placeholder for a user code. This URI is used to build the value of the verification_uri_complete parameter in responses from the device authorization endpoint.

        It is expected that the URI contains a fixed string USER_CODE somewhere as a placeholder for a user code. For example, like the following. 

         https://example.com/device?user_code=USER_CODE

        The fixed string is replaced with an actual user code when Authlete builds a verification URI with a user code for the verification_uri_complete parameter.

        If this URI is not set, the verification_uri_complete parameter won't appear in device authorization responses.

        Parameters:
        uri - The verification URI with a placeholder for a user code.
        Returns:
        this object.
        Since:
        2.42

      • getDeviceFlowCodeDuration

        public int getDeviceFlowCodeDuration()
        Get the duration of device verification codes and end-user verification codes issued from the device authorization endpoint in seconds. This is used as the value of the expires_in property in responses from the device authorization endpoint.
        Returns:
        The duration of device verification codes and end-user verification codes in seconds.
        Since:
        2.42

      • setDeviceFlowCodeDuration

        public Service setDeviceFlowCodeDuration​(int duration)
        Set the duration of device verification codes and end-user verification codes issued from the device authorization endpoint in seconds. This is used as the value of the expires_in property in responses from the device authorization endpoint.
        Parameters:
        duration - The duration of device verification codes and end-user verification codes in seconds.
        Returns:
        this object.
        Since:
        2.42

      • getDeviceFlowPollingInterval

        public int getDeviceFlowPollingInterval()
        Get the minimum interval between polling requests to the token endpoint from client applications in seconds in device flow. This is used as the value of the interval property in responses from the device authorization endpoint.
        Returns:
        The minimum interval between polling requests in seconds in device flow.
        Since:
        2.42

      • setDeviceFlowPollingInterval

        public Service setDeviceFlowPollingInterval​(int interval)
        Set the minimum interval between polling requests to the token endpoint from client applications in seconds in device flow. This is used as the value of the interval property in responses from the device authorization endpoint.
        Parameters:
        interval - The minimum interval between polling requests in seconds in device flow. Must be in between 0 and 65,535.
        Returns:
        this object.
        Since:
        2.42

      • getUserCodeCharset

        public UserCodeCharset getUserCodeCharset()
        Get the character set for end-user verification codes (user_code) for Device Flow.
        Returns:
        The character set for end-user verification codes (user_code) for Device Flow.
        Since:
        2.43

      • setUserCodeCharset

        public Service setUserCodeCharset​(UserCodeCharset charset)
        Set the character set for end-user verification codes (user_code) for Device Flow.
        Parameters:
        charset - The character set for end-user verification codes (user_code) for Device Flow.
        Returns:
        this object.
        Since:
        2.43

      • getUserCodeLength

        public int getUserCodeLength()
        Get the length of end-user verification codes (user_code) for Device Flow.
        Returns:
        The length of end-user verification codes (user_code) for Device Flow.
        Since:
        2.43

      • setUserCodeLength

        public Service setUserCodeLength​(int length)
        Set the length of end-user verification codes (user_code) for Device Flow.
        Parameters:
        length - The length of end-user verification codes (user_code) for Device Flow. The value must not be negative and must not be larger than 255.
        Returns:
        this object.
        Since:
        2.43

      • setMtlsEndpointAliases

        public Service setMtlsEndpointAliases​(NamedUri[] aliases)
        Set the MTLS endpoint aliases.

        This property corresponds to the mtls_endpoint_aliases metadata defined in "5. Metadata for Mutual-TLS Endpoint Aliases" of RFC 8705 OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens.

        The aliases will be embedded in the response from the discovery endpoint like the following. 

         {
     ......,
     "mtls_endpoint_aliases": {
         "token_endpoint":         "https://mtls.example.com/token",
         "revocation_endpoint":    "https://mtls.example.com/revo",
         "introspection_endpoint": "https://mtls.example.com/introspect"
     }
 }
        Parameters:
        aliases - MTLS endpoint aliases.
        Returns:
        this object.
        Since:
        2.49

      • getSupportedAuthorizationDetailsTypes

        public String[] getSupportedAuthorizationDetailsTypes()
        Get the supported authorization details types that can be used as values of the "type" field in "authorization_details".

        This property corresponds to the "authorization_details_types_supported" server metadata. See "OAuth 2.0 Rich Authorization Requests" (RAR) for details.

        Note that the property name was renamed from supportedAuthorizationDataTypes to supportedAuthorizationDetailsTypes to align with the change made by the 5th draft of the RAR specification.

        Returns:
        Supported authorization details types.
        Since:
        2.91

      • setSupportedAuthorizationDetailsTypes

        public Service setSupportedAuthorizationDetailsTypes​(String[] types)
        Set the supported authorization details types that can be used as values of the "type" field in "authorization_details".

        This property corresponds to the "authorization_details_types_supported" server metadata. See "OAuth 2.0 Rich Authorization Requests" (RAR) for details.

        Note that the property name was renamed from supportedAuthorizationDataTypes to supportedAuthorizationDetailsTypes to align with the change made by the 5th draft of the RAR specification.

        Parameters:
        types - Supported authorization details types.
        Returns:
        this object.
        Since:
        2.91

      • getSupportedTrustFrameworks

        public String[] getSupportedTrustFrameworks()
        Get trust frameworks supported by this service. This property corresponds to the trust_frameworks_supported server metadata.
        Returns:
        Trust frameworks supported by this service.
        Since:
        2.63
        See Also:
        OpenID Connect for Identity Assurance 1.0

      • setSupportedTrustFrameworks

        public Service setSupportedTrustFrameworks​(String[] frameworks)
        Set trust frameworks supported by this service. This property corresponds to the trust_frameworks_supported server metadata.
        Parameters:
        frameworks - Trust frameworks supported by this service.
        Returns:
        this object.
        Since:
        2.63
        See Also:
        OpenID Connect for Identity Assurance 1.0

      • getSupportedEvidence

        public String[] getSupportedEvidence()
        Get evidence supported by this service. This property corresponds to the evidence_supported server metadata.
        Returns:
        Evidence supported by this service.
        Since:
        2.63
        See Also:
        OpenID Connect for Identity Assurance 1.0

      • setSupportedEvidence

        public Service setSupportedEvidence​(String[] evidence)
        Set evidence supported by this service. This property corresponds to the evidence_supported server metadata.
        Parameters:
        evidence - Evidence supported by this service.
        Returns:
        this object.
        Since:
        2.63
        See Also:
        OpenID Connect for Identity Assurance 1.0

      • getSupportedDocuments

        public String[] getSupportedDocuments()
        Get document types supported by this service. This property corresponds to the documents_supported server metadata.

        The third implementer's draft of OpenID Connect for Identity Assurance 1.0 renamed the id_documents_supported server metadata to documents_supported.

        This property is recognized by Authlete 2.3 and newer versions.

        Returns:
        Document types supported by this service.
        Since:
        3.13
        See Also:
        OpenID Connect for Identity Assurance 1.0

      • setSupportedDocuments

        public Service setSupportedDocuments​(String[] documents)
        Set document types supported by this service. This property corresponds to the documents_supported server metadata.

        The third implementer's draft of OpenID Connect for Identity Assurance 1.0 renamed the id_documents_supported server metadata to documents_supported.

        This property is recognized by Authlete 2.3 and newer versions.

        Parameters:
        documents - Document types supported by this service.
        Returns:
        this object.
        Since:
        3.13
        See Also:
        OpenID Connect for Identity Assurance 1.0

      • getSupportedDocumentsMethods

        public String[] getSupportedDocumentsMethods()
        Get validation and verification processes supported by this service. This property corresponds to the documents_methods_supported server metadata.

        The third implementer's draft of OpenID Connect for Identity Assurance 1.0 renamed the id_documents_verification_methods_supported server metadata to documents_methods_supported.

        This property is recognized by Authlete 2.3 and newer versions.

        Returns:
        Validation and verification processes supported by this service.
        Since:
        3.13
        See Also:
        OpenID Connect for Identity Assurance 1.0

      • setSupportedDocumentsMethods

        public Service setSupportedDocumentsMethods​(String[] methods)
        Set validation and verification processes supported by this service. This property corresponds to the documents_methods_supported server metadata.

        The third implementer's draft of OpenID Connect for Identity Assurance 1.0 renamed the id_documents_verification_methods_supported server metadata to documents_methods_supported.

        This property is recognized by Authlete 2.3 and newer versions.

        Parameters:
        methods - Validation and verification processes supported by this service.
        Returns:
        this object.
        Since:
        3.13
        See Also:
        OpenID Connect for Identity Assurance 1.0

      • getSupportedDocumentsValidationMethods

        @Deprecated
public String[] getSupportedDocumentsValidationMethods()
        Deprecated.
        Get document validation methods supported by this service. This property corresponds to the documents_validation_methods_supported server metadata which was added by the third implementer's draft of OpenID Connect for Identity Assurance 1.0.

        The fourth implementer's draft of OpenID Connect for Identity Assurance 1.0 replaced the documents_validation_methods_supported server metadata and the documents_verification_methods_supported server metadata with the documents_check_methods_supported server metadata.

        Returns:
        Document validation methods supported by this service.
        Since:
        3.13
        See Also:
        OpenID Connect for Identity Assurance 1.0

      • setSupportedDocumentsValidationMethods

        @Deprecated
public Service setSupportedDocumentsValidationMethods​(String[] methods)
        Deprecated.
        Set document validation methods supported by this service. This property corresponds to the documents_validation_methods_supported server metadata which was added by the third implementer's draft of OpenID Connect for Identity Assurance 1.0.

        The fourth implementer's draft of OpenID Connect for Identity Assurance 1.0 replaced the documents_validation_methods_supported server metadata and the documents_verification_methods_supported server metadata with the documents_check_methods_supported server metadata.

        Parameters:
        methods - Document validation methods supported by this service.
        Returns:
        this object.
        Since:
        3.13
        See Also:
        OpenID Connect for Identity Assurance 1.0

      • getSupportedDocumentsVerificationMethods

        @Deprecated
public String[] getSupportedDocumentsVerificationMethods()
        Deprecated.
        Get document verification methods supported by this service. This property corresponds to the documents_verification_methods_supported server metadata which was added by the third implementer's draft of OpenID Connect for Identity Assurance 1.0.

        The fourth implementer's draft of OpenID Connect for Identity Assurance 1.0 replaced the documents_validation_methods_supported server metadata and the documents_verification_methods_supported server metadata with the documents_check_methods_supported server metadata.

        Returns:
        Document verification methods supported by this service.
        Since:
        3.13
        See Also:
        OpenID Connect for Identity Assurance 1.0

      • setSupportedDocumentsVerificationMethods

        @Deprecated
public Service setSupportedDocumentsVerificationMethods​(String[] methods)
        Deprecated.
        Set document verification methods supported by this service. This property corresponds to the documents_verification_methods_supported server metadata which was added by the third implementer's draft of OpenID Connect for Identity Assurance 1.0.

        The fourth implementer's draft of OpenID Connect for Identity Assurance 1.0 replaced the documents_validation_methods_supported server metadata and the documents_verification_methods_supported server metadata with the documents_check_methods_supported server metadata.

        Parameters:
        methods - Document verification methods supported by this service.
        Returns:
        this object.
        Since:
        3.13
        See Also:
        OpenID Connect for Identity Assurance 1.0

      • getSupportedDocumentsCheckMethods

        public String[] getSupportedDocumentsCheckMethods()
        Get document check methods supported by this service. This property corresponds to the documents_check_methods_supported server metadata which was added by the fourth implementer's draft of OpenID Connect for Identity Assurance 1.0.

        The fourth implementer's draft of OpenID Connect for Identity Assurance 1.0 replaced the documents_validation_methods_supported server metadata and the documents_verification_methods_supported server metadata with the documents_check_methods_supported server metadata.

        Returns:
        Document check methods supported by this service.
        Since:
        3.48
        See Also:
        OpenID Connect for Identity Assurance 1.0

      • setSupportedDocumentsCheckMethods

        public Service setSupportedDocumentsCheckMethods​(String[] methods)
        Set document check methods supported by this service. This property corresponds to the documents_check_methods_supported server metadata which was added by the fourth implementer's draft of OpenID Connect for Identity Assurance 1.0.

        The fourth implementer's draft of OpenID Connect for Identity Assurance 1.0 replaced the documents_validation_methods_supported server metadata and the documents_verification_methods_supported server metadata with the documents_check_methods_supported server metadata.

        Parameters:
        methods - Document check methods supported by this service.
        Returns:
        this object.
        Since:
        3.48
        See Also:
        OpenID Connect for Identity Assurance 1.0

      • getSupportedElectronicRecords

        public String[] getSupportedElectronicRecords()
        Get electronic record types supported by this service. This property corresponds to the electronic_records_supported server metadata which was added by the third implementer's draft of OpenID Connect for Identity Assurance 1.0.

        If "electronic_record" is included in the list of supported evidence (cf. getSupportedEvidence(), this property must have at least one entry.

        This property is recognized by Authlete 2.3 and newer versions.

        Returns:
        Electronic record types supported by this service.
        Since:
        3.13
        See Also:
        OpenID Connect for Identity Assurance 1.0

      • setSupportedElectronicRecords

        public Service setSupportedElectronicRecords​(String[] records)
        Set electronic record types supported by this service. This property corresponds to the electronic_records_supported server metadata which was added by the third implementer's draft of OpenID Connect for Identity Assurance 1.0.

        If "electronic_record" is included in the list of supported evidence (cf. getSupportedEvidence(), this property must have at least one entry.

        This property is recognized by Authlete 2.3 and newer versions.

        Parameters:
        records - Electronic record types supported by this service.
        Returns:
        this object.
        Since:
        3.13
        See Also:
        OpenID Connect for Identity Assurance 1.0

      • getSupportedVerifiedClaims

        public String[] getSupportedVerifiedClaims()
        Get verified claims supported by this service. This property corresponds to the claims_in_verified_claims_supported server metadata.
        Returns:
        Verified claims supported by this service.
        Since:
        2.63
        See Also:
        OpenID Connect for Identity Assurance 1.0

      • setSupportedVerifiedClaims

        public Service setSupportedVerifiedClaims​(String[] claims)
        Set verified claims supported by this service. This property corresponds to the claims_in_verified_claims_supported server metadata.
        Parameters:
        claims - Verified claims supported by this service.
        Returns:
        this object.
        Since:
        2.63
        See Also:
        OpenID Connect for Identity Assurance 1.0

      • setSupportedAttachments

        public Service setSupportedAttachments​(AttachmentType[] types)
        Set attachment types supported by this service. This property corresponds to the attachments_supported server metadata which was added by the third implementer's draft of OpenID Connect for Identity Assurance 1.0.

        This property is recognized by Authlete 2.3 and newer versions.

        Parameters:
        types - Attachment types supported by this service.
        Returns:
        this object.
        Since:
        3.13
        See Also:
        OpenID Connect for Identity Assurance 1.0

      • setSupportedDigestAlgorithms

        public Service setSupportedDigestAlgorithms​(String[] algorithms)
        Set supported algorithms used to compute digest values of external attachments. This property corresponds to the digest_algorithms_supported server metadata which was added by the third implementer's draft of OpenID Connect for Identity Assurance 1.0.

        Possible values are listed in the Hash Algorithm Registry of IANA (Internet Assigned Numbers Authority). If this service supports external attachments (cf. getSupportedAttachments()), this property must include at least "sha-256".

        This property is recognized by Authlete 2.3 and newer versions.

        Parameters:
        algorithms - Supported digest algorithms for external attachments.
        Returns:
        this object.
        Since:
        3.13
        See Also:
        OpenID Connect for Identity Assurance 1.0, Hash Algorithm Registry

      • isMissingClientIdAllowed

        public boolean isMissingClientIdAllowed()
        Get the flag indicating whether token requests from public clients without the client_id request parameter are allowed when the client can be guessed from authorization_code or refresh_token.

        This flag should not be set unless you have special reasons.

        Returns:
        true if token requests from public clients without the client_id request parameter are allowed in the authorization code flow and the refresh token flow.
        Since:
        2.68

      • setMissingClientIdAllowed

        public Service setMissingClientIdAllowed​(boolean allowed)
        Set the flag indicating whether token requests from public clients without the client_id request parameter are allowed when the client can be guessed from authorization_code or refresh_token.

        Don't set this flag unless you have special reasons.

        Parameters:
        allowed - true to allow token requests from public clients without the client_id request parameter in the authorization code flow and the refresh token flow.
        Returns:
        this object.
        Since:
        2.68

      • getEndSessionEndpoint

        public URI getEndSessionEndpoint()
        Get the end session endpoint for the service. This endpoint is used by clients to signal to the IdP that the user's session should be terminated.
        Returns:
        The end session endpoint, or null if not set.
        Since:
        2.69
        See Also:
        OpenID Connect Session Management 1.0, 5. RP-Initiated Logout

      • setEndSessionEndpoint

        public Service setEndSessionEndpoint​(URI endSessionEndpoint)
        Set the end session endpoint for the service. This endpoint is used by clients to signal to the IdP that the user's session should be terminated.
        Parameters:
        endSessionEndpoint - The end session endpoint, or null if not set.
        Returns:
        this object.
        Since:
        2.69
        See Also:
        OpenID Connect Session Management 1.0, 5. RP-Initiated Logout

      • isParRequired

        public boolean isParRequired()
        Get the flag indicating whether this service requires that clients use the pushed authorization request endpoint.

        This property corresponds to the require_pushed_authorization_requests server metadata defined in "OAuth 2.0 Pushed Authorization Requests".

        Returns:
        true if client of this service are required to use PAR.
        Since:
        2.77

      • setParRequired

        public Service setParRequired​(boolean required)
        Set the flag indicating whether this service requires that clients use the pushed authorization request endpoint.

        This property corresponds to the require_pushed_authorization_requests server metadata defined in "OAuth 2.0 Pushed Authorization Requests".

        Parameters:
        required - true to indicate that this service requires that clients use the pushed authorization request endpoint.
        Returns:
        this object.
        Since:
        2.77

      • isRequestObjectRequired

        public boolean isRequestObjectRequired()
        Get the flag indicating whether this service requires that authorization requests always utilize a request object by using either request or request_uri request parameter.

        If this flag is true and isTraditionalRequestObjectProcessingApplied() returns false, the value of require_signed_request_object server metadata of this service is reported as true in the discovery document. The metadata is defined in JAR (JWT Secured Authorization Request). That require_signed_request_object is true means that authorization requests which don't conform to the JAR specification are rejected.

        Returns:
        true if this service requires that authorization requests always utilize a request object.
        Since:
        2.80

      • setRequestObjectRequired

        public Service setRequestObjectRequired​(boolean required)
        Set the flag indicating whether this service requires that authorization requests always utilize a request object by using either request or request_uri request parameter.

        See the description of isRequestObjectRequired() for details.

        Parameters:
        required - true to require that authorization requests always utilize a request object.
        Returns:
        this object.
        Since:
        2.80

      • isTraditionalRequestObjectProcessingApplied

        public boolean isTraditionalRequestObjectProcessingApplied()
        Get the flag indicating whether a request object is processed based on rules defined in OpenID Connect Core 1.0 or JAR (JWT Secured Authorization Request).

        Differences between rules in OpenID Connect Core 1.0 and ones in JAR are as follows.

        • JAR requires that a request object be always signed.
        • JAR does not allow request parameters outside a request object to be referred to.
        • OIDC Core 1.0 requires that response_type request parameter exist outside a request object even if the request object includes the request parameter.
        • OIDC Core 1.0 requires that scope request parameter exist outside a request object if the authorization request is an OIDC request even if the request object includes the request parameter.

        If this flag is false and isRequestObjectRequired() returns true, the value of require_signed_request_object server metadata of this service is reported as true in the discovery document. The metadata is defined in JAR (JWT Secured Authorization Request). That require_signed_request_object is true means that authorization requests which don't conform to the JAR specification are rejected.

        Returns:
        true if rules defined in OpenID Connect Core 1.0 are applied on processing a request object. false if rules defined in JAR (JWT Secured Authorization Request) are applied.
        Since:
        2.80

      • setTraditionalRequestObjectProcessingApplied

        public Service setTraditionalRequestObjectProcessingApplied​(boolean applied)
        Set the flag indicating whether a request object is processed based on rules defined in OpenID Connect Core 1.0 or JAR (JWT Secured Authorization Request).

        See the description of isTraditionalRequestObjectProcessingApplied() for details.

        Parameters:
        applied - true to apply rules defined in OpenID Connect Core 1.0 on processing a request object. false to apply rules defined in JAR instead.
        Returns:
        this object.
        Since:
        2.80

      • isClaimShortcutRestrictive

        public boolean isClaimShortcutRestrictive()
        Get the flag indicating whether claims specified by shortcut scopes (e.g. profile) are included in the issued ID token only when no access token is issued.

        To strictly conform to the description below excerpted from OpenID Connect Core 1.0 Section 5.4, this flag has to be true.

        The Claims requested by the profile, email, address, and phone scope values are returned from the UserInfo Endpoint, as described in Section 5.3.2, when a response_type value is used that results in an Access Token being issued. However, when no Access Token is issued (which is the case for the response_type value id_token), the resulting Claims are returned in the ID Token.

        Returns:
        true if claims specified by shortcut scopes are included in the issued ID token only when no access token is issued. false if the claims are included in the issued ID token regardless of whether an access token is issued or not.
        Since:
        2.81

      • setClaimShortcutRestrictive

        public Service setClaimShortcutRestrictive​(boolean restrictive)
        Set the flag indicating whether claims specified by shortcut scopes (e.g. profile) are included in the issued ID token only when no access token is issued.

        To strictly conform to the description below excerpted from OpenID Connect Core 1.0 Section 5.4, this flag has to be true.

        The Claims requested by the profile, email, address, and phone scope values are returned from the UserInfo Endpoint, as described in Section 5.3.2, when a response_type value is used that results in an Access Token being issued. However, when no Access Token is issued (which is the case for the response_type value id_token), the resulting Claims are returned in the ID Token.

        Parameters:
        restrictive - true to include claims specified by shortcut scopes in the issued ID token only when no access token is issued. false to include the claims in the issued ID token regardless of whether an access token is issued or not.
        Returns:
        this object.

      • isScopeRequired

        public boolean isScopeRequired()
        Get the flag indicating whether requests that request no scope are rejected or not.

        When a request has no explicit scope parameter and the service's pre-defined default scope set is empty, the authorization server regards the request requests no scope. When this flag is true, requests that request no scope are rejected.

        The requirement below excerpted from RFC 6749 Section 3.3 does not explicitly mention the case where the default scope set is empty.

        If the client omits the scope parameter when requesting authorization, the authorization server MUST either process the request using a pre-defined default value or fail the request indicating an invalid scope.

        However, if you interpret "the default scope set exists but is empty" as "the default scope set does not exist" and want to strictly conform to the requirement above, this flag has to be true.

        Returns:
        true if the authorization server rejects requests that request no scope. false if the authorization server admits requests that request no scope.
        Since:
        2.81

      • setScopeRequired

        public Service setScopeRequired​(boolean required)
        Set the flag indicating whether requests that request no scope are rejected or not.

        When a request has no explicit scope parameter and the service's pre-defined default scope set is empty, the authorization server regards the request requests no scope. When this flag is true, requests that request no scope are rejected.

        The requirement below excerpted from RFC 6749 Section 3.3 does not explicitly mention the case where the default scope set is empty.

        If the client omits the scope parameter when requesting authorization, the authorization server MUST either process the request using a pre-defined default value or fail the request indicating an invalid scope.

        However, if you interpret "the default scope set exists but is empty" as "the default scope set does not exist" and want to strictly conform to the requirement above, this flag has to be true.

        Parameters:
        required - true to reject requests that request no scope. false to admit requests that request no scope.
        Returns:
        this object.
        Since:
        2.82

      • isNbfOptional

        public boolean isNbfOptional()
        Get the flag indicating whether the nbf claim in the request object is optional even when the authorization request is regarded as a FAPI-Part2 request.

        The final version of Financial-grade API was approved in January, 2021. The Part 2 of the final version has new requirements on lifetime of request objects. They require that request objects contain an nbf claim and the lifetime computed by exp - nbf be no longer than 60 minutes.

        Therefore, when an authorization request is regarded as a FAPI-Part2 request, the request object used in the authorization request must contain an nbf claim. Otherwise, the authorization server rejects the authorization request.

        When this flag is true, the nbf claim is treated as an optional claim even when the authorization request is regarded as a FAPI-Part2 request. That is, the authorization server does not perform the validation on lifetime of the request object.

        Skipping the validation is a violation of the FAPI specification. The reason why this flag has been prepared nevertheless is that the new requirements (which do not exist in the Implementer's Draft 2 released in October, 2018) have big impacts on deployed implementations of client applications and Authlete thinks there should be a mechanism whereby to make the migration from ID2 to Final smooth without breaking live systems.

        Returns:
        true if the nbf claim is treated as an optional claim even when the authorization request is regarded as a FAPI-Part2 request.
        Since:
        2.86

      • setNbfOptional

        public Service setNbfOptional​(boolean optional)
        Set the flag indicating whether the nbf claim in the request object is optional even when the authorization request is regarded as a FAPI-Part2 request.

        See the description of isNbfOptional() for details about this flag.

        Parameters:
        optional - true to treat the nbf claim as an optional claim.
        Returns:
        this object.
        Since:
        2.86

      • isIssSuppressed

        public boolean isIssSuppressed()
        Get the flag indicating whether generation of the iss response parameter is suppressed.

        "OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response" has defined a new authorization response parameter, iss, as a countermeasure for a certain type of mix-up attacks.

        The specification requires that the iss response parameter always be included in authorization responses unless JARM (JWT Secured Authorization Response Mode) is used.

        When this flag is true, the authorization server does not include the iss response parameter in authorization responses. By turning this flag on and off, developers of client applications can experiment the mix-up attack and the effect of the iss response parameter.

        Note that this flag should not be true in production environment unless there are special reasons for it.

        Returns:
        true if the authorization server does not include the iss response parameter in authorization responses.
        Since:
        2.86

      • setIssSuppressed

        public Service setIssSuppressed​(boolean suppressed)
        Set the flag indicating whether generation of the iss response parameter is suppressed.

        See the description of isIssSuppressed() for details about this flag.

        Parameters:
        suppressed - true to make the authorization server suppress the iss response parameter.
        Returns:
        this object.
        Since:
        2.86

      • getAttributes

        public Pair[] getAttributes()
        Get attributes.

        The feature of "service attributes" is available since Authlete 2.2.

        Returns:
        Attributes.
        Since:
        2.87

      • setAttributes

        public Service setAttributes​(Pair[] attributes)
        Set attributes.

        The feature of "service attributes" is available since Authlete 2.2.

        Parameters:
        attributes - Attributes.
        Returns:
        this object.
        Since:
        2.87

      • loadAttributes

        public Service loadAttributes​(Iterable<Pair> attributes)
        Load attributes from an iterable.

        The feature of "service attributes" is available since Authlete 2.2.

        Parameters:
        attributes - Attributes.
        Returns:
        this object.
        Since:
        2.89

      • isTokenExpirationLinked

        public boolean isTokenExpirationLinked()
        Get the flag indicating whether the expiration date of an access token never exceeds that of the corresponding refresh token.

        When a new access token is issued by a refresh token request (= a token request with grant_type=refresh_token), the expiration date of the access token may exceed the expiration date of the corresponding refresh token. This behavior itself is not wrong and may happen when isRefreshTokenKept() returns true and/or when isRefreshTokenDurationKept() returns true.

        When this flag is true, the expiration date of an access token never exceeds that of the corresponding refresh token regardless of the calculated duration based on other settings such as getAccessTokenDuration(), ClientExtension.getAccessTokenDuration() and the access_token.duration attribute of scopes.

        It is technically possible to set a value which is bigger than the duration of refresh tokens as the duration of access tokens although it is strange. In the case, the duration of an access token becomes longer than the duration of the refresh token which is issued together with the access token. Even if the duration values are configured so, if this flag is true, the expiration date of the access token does not exceed that of the refresh token. That is, the duration of the access token will be shortened, and as a result, the access token and the refresh token will have the same expiration date.

        Returns:
        true if the service assures that the expiration date of an access token never exceeds that of the corresponding refresh token.
        Since:
        2.95

      • setTokenExpirationLinked

        public Service setTokenExpirationLinked​(boolean linked)
        Set the flag indicating whether the expiration date of an access token never exceeds that of the corresponding refresh token.

        When a new access token is issued by a refresh token request (= a token request with grant_type=refresh_token), the expiration date of the access token may exceed the expiration date of the corresponding refresh token. This behavior itself is not wrong and may happen when isRefreshTokenKept() returns true and/or when isRefreshTokenDurationKept() returns true.

        When this flag is true, the expiration date of an access token never exceeds that of the corresponding refresh token regardless of the calculated duration based on other settings such as getAccessTokenDuration(), ClientExtension.getAccessTokenDuration() and the access_token.duration attribute of scopes.

        It is technically possible to set a value which is bigger than the duration of refresh tokens as the duration of access tokens although it is strange. In the case, the duration of an access token becomes longer than the duration of the refresh token which is issued together with the access token. Even if the duration values are configured so, if this flag is true, the expiration date of the access token does not exceed that of the refresh token. That is, the duration of the access token will be shortened, and as a result, the access token and the refresh token will have the same expiration date.

        Parameters:
        linked - true to assure that the expiration date of an access token never exceeds that of the corresponding refresh token.
        Returns:
        this object.
        Since:
        2.95

      • isFrontChannelRequestObjectEncryptionRequired

        public boolean isFrontChannelRequestObjectEncryptionRequired()
        Get the flag indicating whether encryption of request object is required when the request object is passed through the front channel.

        This flag does not affect the processing of request objects at the Pushed Authorization Request Endpoint, which is defined in RFC 9126 OAuth 2.0 Pushed Authorization Requests. Unecrypted request objects are accepted at the endpoint even if this flag is true.

        This flag does not indicate whether a request object is always required. There is a different flag, requestObjectRequired, for the purpose. See the description of isRequestObjectRequired() for details.

        Even if this flag is false, encryption of request object is required if the Client.frontChannelRequestObjectEncryptionRequired flag is true.

        Returns:
        true if encryption of request object is required when the request object is passed through the front channel.
        Since:
        2.96
        See Also:
        isRequestObjectRequired(), Client.isFrontChannelRequestObjectEncryptionRequired()

      • setFrontChannelRequestObjectEncryptionRequired

        public Service setFrontChannelRequestObjectEncryptionRequired​(boolean required)
        Set the flag indicating whether encryption of request object is required when the request object is passed through the front channel.

        This flag does not affect the processing of request objects at the Pushed Authorization Request Endpoint, which is defined in RFC 9126 OAuth 2.0 Pushed Authorization Requests. Unecrypted request objects are accepted at the endpoint even if this flag is true.

        This flag does not indicate whether a request object is always required. There is a different flag, requestObjectRequired, for the purpose. See the description of isRequestObjectRequired() for details.

        Even if this flag is false, encryption of request object is required if the Client.frontChannelRequestObjectEncryptionRequired flag is true.

        Parameters:
        required - true to require that request objects passed through the front channel be encrypted.
        Returns:
        this object.
        Since:
        2.96
        See Also:
        isRequestObjectRequired(), Client.isFrontChannelRequestObjectEncryptionRequired()

      • isRequestObjectEncryptionAlgMatchRequired

        public boolean isRequestObjectEncryptionAlgMatchRequired()
        Get the flag indicating whether the JWE alg of encrypted request object must match the request_object_encryption_alg client metadata of the client that has sent the request object.

        The request_object_encryption_alg client metadata itself is defined in OpenID Connect Dynamic Client Registration 1.0 as follows.

        request_object_encryption_alg

        OPTIONAL. JWE [JWE] alg algorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to the OP. This parameter SHOULD be included when symmetric encryption will be used, since this signals to the OP that a client_secret value needs to be returned from which the symmetric key will be derived, that might not otherwise be returned. The RP MAY still use other supported encryption algorithms or send unencrypted Request Objects, even when this parameter is present. If both signing and encryption are requested, the Request Object will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The default, if omitted, is that the RP is not declaring whether it might encrypt any Request Objects.

        The point here is "The RP MAY still use other supported encryption algorithms or send unencrypted Request Objects, even when this parameter is present."

        The Client's property that represents the client metadata is Client.requestEncryptionAlg. See the description of Client.getRequestEncryptionAlg() for details.

        Even if this flag is false, the match is required if the Client.requestObjectEncryptionAlgMatchRequired flag is true.

        Returns:
        true if the JWE alg of encrypted request object must match the request_object_encryption_alg client metadata.
        Since:
        2.96
        See Also:
        Client.getRequestEncryptionAlg(), Client.isRequestObjectEncryptionAlgMatchRequired()

      • setRequestObjectEncryptionAlgMatchRequired

        public Service setRequestObjectEncryptionAlgMatchRequired​(boolean required)
        Set the flag indicating whether the JWE alg of encrypted request object must match the request_object_encryption_alg client metadata of the client that has sent the request object.

        The request_object_encryption_alg client metadata itself is defined in OpenID Connect Dynamic Client Registration 1.0 as follows.

        request_object_encryption_alg

        OPTIONAL. JWE [JWE] alg algorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to the OP. This parameter SHOULD be included when symmetric encryption will be used, since this signals to the OP that a client_secret value needs to be returned from which the symmetric key will be derived, that might not otherwise be returned. The RP MAY still use other supported encryption algorithms or send unencrypted Request Objects, even when this parameter is present. If both signing and encryption are requested, the Request Object will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The default, if omitted, is that the RP is not declaring whether it might encrypt any Request Objects.

        The point here is "The RP MAY still use other supported encryption algorithms or send unencrypted Request Objects, even when this parameter is present."

        The Client's property that represents the client metadata is Client.requestEncryptionAlg. See the description of Client.getRequestEncryptionAlg() for details.

        Even if this flag is false, the match is required if the Client.requestObjectEncryptionAlgMatchRequired flag is true.

        Parameters:
        required - true to require that the JWE alg of encrypted request object match the request_object_encryption_alg client metadata.
        Returns:
        this object.
        Since:
        2.96
        See Also:
        Client.getRequestEncryptionAlg(), Client.isRequestObjectEncryptionAlgMatchRequired()

      • isRequestObjectEncryptionEncMatchRequired

        public boolean isRequestObjectEncryptionEncMatchRequired()
        Get the flag indicating whether the JWE enc of encrypted request object must match the request_object_encryption_enc client metadata of the client that has sent the request object.

        The request_object_encryption_enc client metadata itself is defined in OpenID Connect Dynamic Client Registration 1.0 as follows.

        request_object_encryption_enc

        OPTIONAL. JWE enc algorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to the OP. If request_object_encryption_alg is specified, the default for this value is A128CBC-HS256. When request_object_encryption_enc is included, request_object_encryption_alg MUST also be provided.

        The Client's property that represents the client metadata is Client.requestEncryptionEnc. See the description of Client.getRequestEncryptionEnc() for details.

        Even if this flag is false, the match is required if the Client.requestObjectEncryptionEncMatchRequired flag is true.

        Returns:
        true if the JWE enc of encrypted request object must match the request_object_encryption_enc client metadata.
        Since:
        2.96
        See Also:
        Client.getRequestEncryptionEnc(), Client.isRequestObjectEncryptionEncMatchRequired()

      • setRequestObjectEncryptionEncMatchRequired

        public Service setRequestObjectEncryptionEncMatchRequired​(boolean required)
        Set the flag indicating whether the JWE enc of encrypted request object must match the request_object_encryption_enc client metadata of the client that has sent the request object.

        The request_object_encryption_enc client metadata itself is defined in OpenID Connect Dynamic Client Registration 1.0 as follows.

        request_object_encryption_enc

        OPTIONAL. JWE enc algorithm [JWA] the RP is declaring that it may use for encrypting Request Objects sent to the OP. If request_object_encryption_alg is specified, the default for this value is A128CBC-HS256. When request_object_encryption_enc is included, request_object_encryption_alg MUST also be provided.

        The Client's property that represents the client metadata is Client.requestEncryptionEnc. See the description of Client.getRequestEncryptionEnc() for details.

        Even if this flag is false, the match is required if the Client.requestObjectEncryptionEncMatchRequired flag is true.

        Parameters:
        required - true to require that the JWE enc of encrypted request object match the request_object_encryption_enc client metadata.
        Returns:
        this object.
        Since:
        2.96
        See Also:
        Client.getRequestEncryptionEnc(), Client.isRequestObjectEncryptionEncMatchRequired()

      • isHsmEnabled

        public boolean isHsmEnabled()
        Get the flag indicating whether HSM (Hardware Security Module) support is enabled for this service.

        When this flag is false, keys managed in HSMs are not used even if they exist. In addition, /api/hsk/* APIs reject all requests.

        Even if this flag is true, HSM-related features do not work if the configuration of the Authlete server you are using does not support HSM.

        Returns:
        true if HSM support is enabled for this service.
        Since:
        2.97

      • setHsmEnabled

        public Service setHsmEnabled​(boolean enabled)
        Set the flag indicating whether HSM (Hardware Security Module) support is enabled for this service.

        When this flag is false, keys managed in HSMs are not used even if they exist. In addition, /api/hsk/* APIs reject all requests.

        Even if this flag is true, HSM-related features do not work if the configuration of the Authlete server you are using does not support HSM.

        Parameters:
        enabled - true to enable HSM support for this service.
        Returns:
        this object.
        Since:
        2.97

      • getHsks

        public Hsk[] getHsks()
        Get information about keys managed on HSMs (Hardware Security Modules).

        This hsks property is output only, meaning that hsks in requests to /api/service/create API and /api/service/update API do not have any effect. The contents of this property is controlled only by /api/hsk/* APIs.

        Returns:
        Information about keys managed on HSMs.
        Since:
        2.97

      • setHsks

        public Service setHsks​(Hsk[] hsks)
        Set information about keys managed on HSMs (Hardware Security Modules).

        This hsks property is output only, meaning that hsks in requests to /api/service/create API and /api/service/update API do not have any effect. The contents of this property is controlled only by /api/hsk/* APIs.

        Parameters:
        hsks - Information about keys managed on HSMs.
        Returns:
        this object.
        Since:
        2.97

      • getGrantManagementEndpoint

        public URI getGrantManagementEndpoint()
        Get the URL of the grant management endpoint.
        Returns:
        The URL of the grant management endpoint.
        Since:
        3.1
        See Also:
        Grant Management for OAuth 2.0

      • setGrantManagementEndpoint

        public Service setGrantManagementEndpoint​(URI endpoint)
        Set the URL of the grant management endpoint.
        Parameters:
        endpoint - The URL of the grant management endpoint.
        Returns:
        this object.
        Since:
        3.1
        See Also:
        Grant Management for OAuth 2.0

      • isGrantManagementActionRequired

        public boolean isGrantManagementActionRequired()
        Get the flag indicating whether every authorization request (and any request serving as an authorization request such as CIBA backchannel authentication request and device authorization request) must include the grant_management_action request parameter.

        This property corresponds to the grant_management_action_required server metadata defined in "Grant Management for OAuth 2.0".

        Note that setting true to this property will result in blocking all public clients because the specification requires that grant management be usable only by confidential clients for security reasons.

        Returns:
        true if every authorization request must include the grant_management_action request parameter.
        Since:
        3.1
        See Also:
        Grant Management for OAuth 2.0

      • setGrantManagementActionRequired

        public Service setGrantManagementActionRequired​(boolean required)
        Set the flag indicating whether every authorization request (and any request serving as an authorization request such as CIBA backchannel authentication request and device authorization request) must include the grant_management_action request parameter.

        This property corresponds to the grant_management_action_required server metadata defined in "Grant Management for OAuth 2.0".

        Note that setting true to this property will result in blocking all public clients because the specification requires that grant management be usable only by confidential clients for security reasons.

        Parameters:
        required - true to require every authorization request include the grant_management_action request parameter.
        Returns:
        this object.
        Since:
        3.1
        See Also:
        Grant Management for OAuth 2.0

      • setUnauthorizedOnClientConfigSupported

        public Service setUnauthorizedOnClientConfigSupported​(boolean supported)
        Set the flag indicating whether Authlete's /api/client/registration API uses UNAUTHORIZED as a value of the action response parameter when appropriate.

        The UNAUTHORIZED enum value did not exist in the initial implementation of the ClientRegistrationResponse.Action enum. This means that implementations of client configuration endpoint were not able to conform to RFC 7592 strictly.

        For backward compatibility (to avoid breaking running systems), Authlete's /api/client/registration API does not return the UNAUTHORIZED enum value if this flag is not turned on.

        The steps an existing implementation of client configuration endpoint has to do in order to conform to the requirement related to "401 Unauthorized" are as follows.

        1. Update the Authlete library (e.g. authlete-java-common) your system is using.
        2. Update your implementation of client configuration endpoint so that it can handle the UNAUTHORIZED action.
        3. Turn on this unauthorizedOnClientConfigSupported flag.
        Parameters:
        supported - true to let Authlete's /api/client/registration API use the UNAUTHORIZED enum value when appropriate. false to prevent the UNAUTHORIZED enum value from being used.
        Returns:
        this object.
        Since:
        3.4
        See Also:
        RFC 7592 OAuth 2.0 Dynamic Client Registration Management Protocol

      • setPredefinedTransformedClaims

        public Service setPredefinedTransformedClaims​(String claims)
        Set the transformed claims predefined by this service in JSON format. This property corresponds to the transformed_claims_predefined server metadata.

        "Transformed Claims" is a specification that enables to define a "transformed claim" which transforms the value of an existing claim by applying "transformation functions".

        The following example defines a transformed claim named 18_or_over which uses the birthdate claim as input and applies two transformation functions, years_ago and gte. As a result of the transformation, the transformed claim will have a boolean value. 

         {
   "18_or_over": {
     "claim": "birthdate",
     "fn": [
       "years_ago",
       [ "gte", 18 ]
     ]
   }
 }

        A client application can request a predefined transformed claim by prepending two colons (::) to the name of a transformed claim. The following is an example of the claims request parameter (OpenID Connect Core 1.0, 5.5. Requesting Claims using the "claims" Request Parameter) that requests a predefined transformed claim named 18_or_over to be embedded in an ID token. 

         {
   "id_token": {
     "::18_or_over": null
   }
 }

        If the age of the user is 18 or over, the ID token will contain the transformed claim like below. 

         "::18_or_over": true

        This predefinedTransformedClaims property is available from Authlete 2.3 onwards.

        Parameters:
        claims - Predefined transformed claims in JSON format.
        Returns:
        this object.
        Since:
        3.8
        See Also:
        OpenID Connect Advanced Syntax for Claims (ASC) 1.0

      • isLoopbackRedirectionUriVariable

        public boolean isLoopbackRedirectionUriVariable()
        Get the flag indicating whether the port number component of redirection URIs can be variable when the host component indicates loopback.

        When this flag is true, if the host component of a redirection URI specified in an authorization request indicates loopback (to be precise, when the host component is localhost, 127.0.0.1 or ::1), the port number component is ignored when the specified redirection URI is compared to pre-registered ones. This behavior is described in 7.3. Loopback Interface Redirection of RFC 8252 OAuth 2.0 for Native Apps.

        3.1.2.3. Dynamic Configuration of RFC 6749 states "If the client registration included the full redirection URI, the authorization server MUST compare the two URIs using simple string comparison as defined in [RFC3986] Section 6.2.1." Also, the description of redirect_uri in 3.1.2.1. Authentication Request of OpenID Connect Core 1.0 states "This URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching performed as described in Section 6.2.1 of [RFC3986] (Simple String Comparison)." These "Simple String Comparison" requirements are preceded by this flag. That is, even when the conditions described in RFC 6749 and OpenID Connect Core 1.0 are satisfied, the port number component of loopback redirection URIs can be variable when this flag is true.

        8.3. Loopback Redirect Considerations of RFC 8252 states as follows.

        While redirect URIs using localhost (i.e., "http://localhost:{port}/{path}") function similarly to loopback IP redirects described in Section 7.3, the use of localhost is NOT RECOMMENDED. Specifying a redirect URI with the loopback IP literal rather than localhost avoids inadvertently listening on network interfaces other than the loopback interface. It is also less susceptible to client-side firewalls and misconfigured host name resolution on the user's device.

        However, Authlete allows the port number component to be variable in the case of localhost, too. It is left to client applications whether they use localhost or a literal loopback IP address (127.0.0.1 for IPv4 or ::1 for IPv6).

        Section 7.3 and Section 8.3 of RFC 8252 state that loopback redirection URIs use the "http" scheme, but Authlete allows the port number component to be variable in other cases (e.g. in the case of the "https" scheme), too.

        Returns:
        True if the port number component of loopback redirection URIs can be variable.
        Since:
        3.12
        See Also:
        RFC 8252 OAuth 2.0 for Native Apps, 7.3. Loopback Interface Redirection, RFC 8252 OAuth 2.0 for Native Apps, 8.3. Loopback Redirect Considerations

      • setLoopbackRedirectionUriVariable

        public Service setLoopbackRedirectionUriVariable​(boolean variable)
        Set the flag indicating whether the port number component of redirection URIs can be variable when the host component indicates loopback.

        When this flag is true, if the host component of a redirection URI specified in an authorization request indicates loopback (to be precise, when the host component is localhost, 127.0.0.1 or ::1), the port number component is ignored when the specified redirection URI is compared to pre-registered ones. This behavior is described in 7.3. Loopback Interface Redirection of RFC 8252 OAuth 2.0 for Native Apps.

        3.1.2.3. Dynamic Configuration of RFC 6749 states "If the client registration included the full redirection URI, the authorization server MUST compare the two URIs using simple string comparison as defined in [RFC3986] Section 6.2.1." Also, the description of redirect_uri in 3.1.2.1. Authentication Request of OpenID Connect Core 1.0 states "This URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider, with the matching performed as described in Section 6.2.1 of [RFC3986] (Simple String Comparison)." These "Simple String Comparison" requirements are preceded by this flag. That is, even when the conditions described in RFC 6749 and OpenID Connect Core 1.0 are satisfied, the port number component of loopback redirection URIs can be variable when this flag is true.

        8.3. Loopback Redirect Considerations of RFC 8252 states as follows.

        While redirect URIs using localhost (i.e., "http://localhost:{port}/{path}") function similarly to loopback IP redirects described in Section 7.3, the use of localhost is NOT RECOMMENDED. Specifying a redirect URI with the loopback IP literal rather than localhost avoids inadvertently listening on network interfaces other than the loopback interface. It is also less susceptible to client-side firewalls and misconfigured host name resolution on the user's device.

        However, Authlete allows the port number component to be variable in the case of localhost, too. It is left to client applications whether they use localhost or a literal loopback IP address (127.0.0.1 for IPv4 or ::1 for IPv6).

        Section 7.3 and Section 8.3 of RFC 8252 state that loopback redirection URIs use the "http" scheme, but Authlete allows the port number component to be variable in other cases (e.g. in the case of the "https" scheme), too.

        Parameters:
        variable - True to allow the port number component of loopback redirection URIs to be variable.
        Returns:
        this object.
        Since:
        3.12
        See Also:
        RFC 8252 OAuth 2.0 for Native Apps, 7.3. Loopback Interface Redirection, RFC 8252 OAuth 2.0 for Native Apps, 8.3. Loopback Redirect Considerations

      • isRequestObjectAudienceChecked

        public boolean isRequestObjectAudienceChecked()
        Get the flag indicating whether Authlete checks whether the aud claim of request objects matches the issuer identifier of this service.

        Section 6.1. Passing a Request Object by Value of OpenID Connect Core 1.0 has the following statement.

        The aud value SHOULD be or include the OP's Issuer Identifier URL.

        Likewise, Section 4. Request Object of RFC 9101 (The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR)) has the following statement.

        The value of aud should be the value of the authorization server (AS) issuer, as defined in RFC 8414.

        As excerpted above, validation on the aud claim of request objects is optional. However, if this flag is turned on, Authlete checks whether the aud claim of request objects matches the issuer identifier of this service and raises an error if they are different.

        Returns:
        true if Authlete checks whether the aud claim of request objects matches the issuer identifier of this service.
        Since:
        3.14

      • setRequestObjectAudienceChecked

        public Service setRequestObjectAudienceChecked​(boolean checked)
        Set the flag indicating whether Authlete checks whether the aud claim of request objects matches the issuer identifier of this service.

        Section 6.1. Passing a Request Object by Value of OpenID Connect Core 1.0 has the following statement.

        The aud value SHOULD be or include the OP's Issuer Identifier URL.

        Likewise, Section 4. Request Object of RFC 9101 (The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR)) has the following statement.

        The value of aud should be the value of the authorization server (AS) issuer, as defined in RFC 8414.

        As excerpted above, validation on the aud claim of request objects is optional. However, if this flag is turned on, Authlete checks whether the aud claim of request objects matches the issuer identifier of this service and raises an error if they are different.

        Parameters:
        checked - true to make Authlete check whether the aud claim of request objects matches the issuer identifier of this service.
        Returns:
        this object.
        Since:
        3.14

      • isAccessTokenForExternalAttachmentEmbedded

        public boolean isAccessTokenForExternalAttachmentEmbedded()
        Get the flag indicating whether Authlete generates access tokens for external attachments and embeds them in ID tokens and userinfo responses.

        The third draft of OpenID Connect for Identity Assurance 1.0 introduced a new feature called "Attachments". The feature enables OpenID Providers to attach additional contents as parts of "evidence".

        There are two types of attachments. One is "embedded attachment" where contents of attachments are base64-encoded and embedded in ID tokens and userinfo responses directly. The other is "external attachment" where contents of attachments are hosted on resource servers and URLs of them are embedded in ID tokens and userinfo responses.

        When an OpenID Provider embeds URLs of external attachments in ID tokens and userinfo responses, it may optionally embed access tokens with which the client application accesses the external attachments.

        The following is an example of "verified_claims" that shows how an access token is embedded. (A simplified version of an example in the specification.) 

         "verified_claims": {
   "verification": {
     "trust_framework":"eidas",
     "evidence": [
       {
         "type": "document",
         "attachments": [
           {
             "desc": "Front of id document",
             "digest": {
               "alg": "sha-256",
               "value": "qC1zE5AfxylOFLrCnOIURXJUvnZwSFe5uUj8t6hdQVM="
             },
             "url": "https://example.com/attachments/pGL9yz4hZQ",
             "access_token": "ksj3n283dke",
             "exp": 1676552089
           }
         ]
       }
     ]
   },
   "claims": {
     "given_name": "Max",
     "family_name": "Mustermann",
     "birthdate": "1956-01-28"
   }
 }

        Because it is developers (not Authlete) who prepare the content of "verified_claims" (cf. the "claims" request parameter of Authlete's /api/auth/authorization/issue API), developers can embed arbitrary access tokens for external attachments. However, it is a burdensome task to prepare access tokens appropriately. The task can be delegated to Authlete by setting true to this accessTokenForExternalAttachmentEmbedded property.

        When this property is set to true, Authlete behaves as described below for each element in the "attachments" array.

        1. Ignores the element if it does not contain the "url" property because it means that the element is not an external attachment.
        2. Does nothing for the element if it already contains the "access_token" property.
        3. Computes the duration of the access token which is about to be generated. If the element already contains the "exp" property, its value is used to compute the duration. Otherwise, (1) the duration of the ID token is used as the duration of the access token for the external attachment in the case where the URL of the external attachment is going to be embedded in an ID token, or (2) the remaining duration of the access token which was presented at the userinfo endpoint is used as the duration of the access token for the external attachment in the case where the URL of the external attachment is going to be embedded in a userinfo response.
        4. Generates an access token which has the duration computed in the previous step. Also, the access token has the URL as an associated resource as if the resource request parameter defined in RFC 8707 (Resource Indicators for OAuth 2.0) were used.
        5. Puts the "access_token" and "exp" properties in the element whose values are the generated access token and the computed duration.

        Note that the expires_in property was replaced with exp after the 4th draft of the OpenID Connect for Identity Assurance 1.0 was published.

        Returns:
        true if Authlete generates access tokens for external attachments and embeds them in ID tokens and userinfo responses.
        Since:
        3.16, Authlete 2.3
        See Also:
        OpenID Connect for Identity Assurance 1.0

      • setAccessTokenForExternalAttachmentEmbedded

        public Service setAccessTokenForExternalAttachmentEmbedded​(boolean embedded)
        Set the flag indicating whether Authlete generates access tokens for external attachments and embeds them in ID tokens and userinfo responses.

        The third draft of OpenID Connect for Identity Assurance 1.0 introduced a new feature called "Attachments". The feature enables OpenID Providers to attach additional contents as parts of "evidence".

        There are two types of attachments. One is "embedded attachment" where contents of attachments are base64-encoded and embedded in ID tokens and userinfo responses directly. The other is "external attachment" where contents of attachments are hosted on resource servers and URLs of them are embedded in ID tokens and userinfo responses.

        When an OpenID Provider embeds URLs of external attachments in ID tokens and userinfo responses, it may optionally embed access tokens with which the client application accesses the external attachments.

        The following is an example of "verified_claims" that shows how an access token is embedded. (A simplified version of an example in the specification.) 

         "verified_claims": {
   "verification": {
     "trust_framework":"eidas",
     "evidence": [
       {
         "type": "document",
         "attachments": [
           {
             "desc": "Front of id document",
             "digest": {
               "alg": "sha-256",
               "value": "qC1zE5AfxylOFLrCnOIURXJUvnZwSFe5uUj8t6hdQVM="
             },
             "url": "https://example.com/attachments/pGL9yz4hZQ",
             "access_token": "ksj3n283dke",
             "exp": 1676552089
           }
         ]
       }
     ]
   },
   "claims": {
     "given_name": "Max",
     "family_name": "Mustermann",
     "birthdate": "1956-01-28"
   }
 }

        Because it is developers (not Authlete) who prepare the content of "verified_claims" (cf. the "claims" request parameter of Authlete's /api/auth/authorization/issue API), developers can embed arbitrary access tokens for external attachments. However, it is a burdensome task to prepare access tokens appropriately. The task can be delegated to Authlete by setting true to this accessTokenForExternalAttachmentEmbedded property.

        When this property is set to true, Authlete behaves as described below for each element in the "attachments" array.

        1. Ignores the element if it does not contain the "url" property because it means that the element is not an external attachment.
        2. Does nothing for the element if it already contains the "access_token" property.
        3. Computes the duration of the access token which is about to be generated. If the element already contains the "exp" property, its value is used to compute the duration. Otherwise, (1) the duration of the ID token is used as the duration of the access token for the external attachment in the case where the URL of the external attachment is going to be embedded in an ID token, or (2) the remaining duration of the access token which was presented at the userinfo endpoint is used as the duration of the access token for the external attachment in the case where the URL of the external attachment is going to be embedded in a userinfo response.
        4. Generates an access token which has the duration computed in the previous step. Also, the access token has the URL as an associated resource as if the resource request parameter defined in RFC 8707 (Resource Indicators for OAuth 2.0) were used.
        5. Puts the "access_token" and "exp" properties in the element whose values are the generated access token and the computed duration.

        Note that the expires_in property was replaced with exp after the 4th draft of the OpenID Connect for Identity Assurance 1.0 was published.

        Parameters:
        embedded - true to make Authlete generate access tokens for external attachments and embed them in ID tokens and userinfo responses.
        Returns:
        this object.
        Since:
        3.16, Authlete 2.3
        See Also:
        OpenID Connect for Identity Assurance 1.0

      • isRefreshTokenIdempotent

        public boolean isRefreshTokenIdempotent()
        Get the flag indicating whether refresh token requests with the same refresh token can be made multiple times in quick succession and they can obtain the same renewed refresh token within the short period.

        This feature is available in Authlete 2.3 onwards.

        Returns:
        true if multiple refresh token requests in a short period can obtain the same renewed refresh token.
        Since:
        3.21, Authlete 2.3

      • setRefreshTokenIdempotent

        public Service setRefreshTokenIdempotent​(boolean idempotent)
        Set the flag indicating whether refresh token requests with the same refresh token can be made multiple times in quick succession and they can obtain the same renewed refresh token within the short period.

        This feature is available in Authlete 2.3 onwards.

        Parameters:
        idempotent - true to enable multiple refresh token requests in a short period to obtain the same renewed refresh token.
        Returns:
        this object.
        Since:
        3.21, Authlete 2.3

      • isFederationEnabled

        public boolean isFederationEnabled()
        Get the flag indicating whether this service supports OpenID Federation 1.0.

        If the feature of OpenID Federation 1.0 is not enabled in the Authlete server on which this service is hosted, functions related to OpenID Federation 1.0 are not usable regardless of the setting of this property.

        OpenID Federation 1.0 is supported by Authlete 2.3 onwards.

        Returns:
        true if this service supports OpenID Federation 1.0.
        Since:
        3.22, Authlete 2.3
        See Also:
        OpenID Federation 1.0

      • setFederationEnabled

        public Service setFederationEnabled​(boolean enabled)
        Set the flag indicating whether this service supports OpenID Federation 1.0.

        If the feature of OpenID Federation 1.0 is not enabled in the Authlete server on which this service is hosted, functions related to OpenID Federation 1.0 are not usable regardless of the setting of this property.

        OpenID Federation 1.0 is supported by Authlete 2.3 onwards.

        Parameters:
        enabled - true to enable the feature of OpenID Federation 1.0.
        Returns:
        this object.
        Since:
        3.22, Authlete 2.3
        See Also:
        OpenID Federation 1.0

      • getOrganizationName

        public String getOrganizationName()
        Get the human-readable name representing the organization that operates this service. This property corresponds to the organization_name server metadata that is defined in OpenID Federation 1.0.

        If this property is not empty, the organization_name property appears in self-signed entity statements of this service.

        Returns:
        The name of the organization that operates this service.
        Since:
        3.22, Authlete 2.3
        See Also:
        OpenID Federation 1.0

      • setOrganizationName

        public Service setOrganizationName​(String name)
        Set the human-readable name representing the organization that operates this service. This property corresponds to the organization_name server metadata that is defined in OpenID Federation 1.0.

        If this property is not empty, the organization_name property appears in self-signed entity statements of this service.

        Parameters:
        name - The name of the organization that operates this service.
        Returns:
        this object.
        Since:
        3.22, Authlete 2.3
        See Also:
        OpenID Federation 1.0

      • getAuthorityHints

        public URI[] getAuthorityHints()
        Get the identifiers of entities that can issue entity statements for this service. This property corresponds to the authority_hints property that appears in a self-signed entity statement that is defined in OpenID Federation 1.0.

        OpenID providers participating in one or more federations are supposed to have authority hints. It is only trust anchors having no superiors that do not have authority hints.

        Because the authority_hints property in self-signed entity statements of OpenID providers is mandatory, if this property is empty, the configuration endpoint (/.well-known/openid-federation) cannot generate a valid entity statement. It means that OpenID Federation 1.0 does not work.

        Returns:
        Identifiers of entities that can issue entity statements for this service.
        Since:
        3.22, Authlete 2.3
        See Also:
        OpenID Federation 1.0

      • setAuthorityHints

        public Service setAuthorityHints​(URI[] authorityHints)
        Set the identifiers of entities that can issue entity statements for this service. This property corresponds to the authority_hints property that appears in a self-signed entity statement that is defined in OpenID Federation 1.0.

        OpenID providers participating in one or more federations are supposed to have authority hints. It is only trust anchors having no superiors that do not have authority hints.

        Because the authority_hints property in self-signed entity statements of OpenID providers is mandatory, if this property is empty, the configuration endpoint (/.well-known/openid-federation) cannot generate a valid entity statement. It means that OpenID Federation 1.0 does not work.

        Parameters:
        authorityHints - Identifiers of entities that can issue entity statements for this service.
        Returns:
        this object.
        Since:
        3.22, Authlete 2.3
        See Also:
        OpenID Federation 1.0

      • getTrustAnchors

        public TrustAnchor[] getTrustAnchors()
        Get the trust anchors that are referenced when this service resolves trust chains of relying parties.

        If this property is empty, client registration fails regardless of whether its type is automatic or explicit. It means that OpenID Federation 1.0 does not work.

        Returns:
        The trust anchors that are referenced when this service resolves trust chains of relying parties.
        Since:
        3.22, Authlete 2.3
        See Also:
        OpenID Federation 1.0, TrustAnchor

      • setTrustAnchors

        public Service setTrustAnchors​(TrustAnchor[] trustAnchors)
        Set the trust anchors that are referenced when this service resolves trust chains of relying parties.

        If this property is empty, client registration fails regardless of whether its type is automatic or explicit. It means that OpenID Federation 1.0 does not work.

        Parameters:
        trustAnchors - The trust anchors that are referenced when this service resolves trust chains of relying parties.
        Returns:
        this object.
        Since:
        3.22, Authlete 2.3
        See Also:
        OpenID Federation 1.0, TrustAnchor

      • getFederationJwks

        public String getFederationJwks()
        Get the JWK Set document containing keys that are used to sign (1) self-signed entity statement of this service and (2) the response from signed_jwks_uri.

        If this property is empty, this service cannot generate a valid self-signed entity statement. It means that OpenID Federation 1.0 does not work.

        Returns:
        The JWK Set document containing keys used to sign self-signed entity statement and the response from signed_jwks_uri.
        Since:
        3.22, Authlete 2.3
        See Also:
        OpenID Federation 1.0

      • setFederationJwks

        public Service setFederationJwks​(String jwks)
        Set the JWK Set document containing keys that are used to sign (1) self-signed entity statement of this service and (2) the response from signed_jwks_uri.

        If this property is empty, this service cannot generate a valid self-signed entity statement. It means that OpenID Federation 1.0 does not work.

        Parameters:
        jwks - The JWK Set document containing keys used to sign self-signed entity statement and the response from signed_jwks_uri.
        Returns:
        this object.
        Since:
        3.22, Authlete 2.3
        See Also:
        OpenID Federation 1.0

      • getFederationSignatureKeyId

        public String getFederationSignatureKeyId()
        Get the key ID to identify a JWK that should be used to sign the entity configuration and the signed JWK Set.

        The entity configuration is a kind of JWT and published at /.well-known/openid-federation or at a variant location such as /.well-known/openid-federation{path_part_of_issuer}.

        The signed JWK Set is also a kind of JWT and published at the URL designated by the signed_jwks_uri server metadata.

        When this property is specified, Authlete will use the JWK having the specified key ID when signing the entity configuration and the signed JWK Set. Otherwise, when this property is omitted, there is no guarantee as to which JWK Authlete will choose.

        Returns:
        A key ID. May be null.
        Since:
        3.31, Authlete 2.3
        See Also:
        OpenID Federation 1.0

      • setFederationSignatureKeyId

        public Service setFederationSignatureKeyId​(String keyId)
        Set the key ID to identify a JWK that should be used to sign the entity configuration and the signed JWK Set.

        The entity configuration is a kind of JWT and published at /.well-known/openid-federation or at a variant location such as /.well-known/openid-federation{path_part_of_issuer}.

        The signed JWK Set is also a kind of JWT and published at the URL designated by the signed_jwks_uri server metadata.

        When this property is specified, Authlete will use the JWK having the specified key ID when signing the entity configuration and the signed JWK Set. Otherwise, when this property is omitted, there is no guarantee as to which JWK Authlete will choose.

        Parameters:
        keyId - A key ID. May be null.
        Returns:
        this object.
        Since:
        3.31, Authlete 2.3
        See Also:
        OpenID Federation 1.0

      • getFederationConfigurationDuration

        public long getFederationConfigurationDuration()
        Get the duration of the entity configuration in seconds.

        An OpenID provider that participates in an OpenID Connect federation must publish its entity configuration at /.well-known/openid-federation or at a variant location such as /.well-known/openid-federation{path_part_of_issuer}. An entity configuration is a kind of JWT. This property specifies the duration of the JWT in seconds.

        When the value of this property is 0, the default value determined by your Authlete server is used as the duration of the entity configuration.

        Returns:
        The duration of the entity configuration in seconds.
        Since:
        3.31, Authlete 2.3
        See Also:
        OpenID Federation 1.0

      • setFederationConfigurationDuration

        public Service setFederationConfigurationDuration​(long duration)
        Set the duration of the entity configuration in seconds.

        An OpenID provider that participates in an OpenID Connect federation must publish its entity configuration at /.well-known/openid-federation or at a variant location such as /.well-known/openid-federation{path_part_of_issuer}. An entity configuration is a kind of JWT. This property specifies the duration of the JWT in seconds.

        When the value of this property is 0, the default value determined by your Authlete server is used as the duration of the entity configuration.

        Parameters:
        duration - The duration of the entity configuration in seconds.
        Returns:
        this object.
        Since:
        3.31, Authlete 2.3
        See Also:
        OpenID Federation 1.0

      • getSignedJwksUri

        public URI getSignedJwksUri()
        Get the URI of the endpoint that returns this service's JWK Set document in the JWT format. This property corresponds to the signed_jwks_uri server metadata defined in OpenID Federation 1.0.

        The JWT returned from the endpoint is signed with a key in the JWK Set document specified by the federationJwks property. Therefore, if the federationJwks property is not set up properly, the endpoint won't return a valid response.

        If this property is not empty, the signed_jwks_uri property appears in the openid_provider property of this service's entity configuration. And in that case, jwks_uri does not appear in exchange.

        Returns:
        The URI of the endpoint that returns this service's JWK Set document in the JWT format.
        Since:
        3.22, Authlete 2.3
        See Also:
        OpenID Federation 1.0

      • setSignedJwksUri

        public Service setSignedJwksUri​(URI uri)
        Set the URI of the endpoint that returns this service's JWK Set document in the JWT format. This property corresponds to the signed_jwks_uri server metadata defined in OpenID Federation 1.0.

        The JWT returned from the endpoint is signed with a key in the JWK Set document specified by the federationJwks property. Therefore, if the federationJwks property is not set up properly, the endpoint won't return a valid response.

        If this property is not empty, the signed_jwks_uri property appears in the openid_provider property of this service's entity configuration. And in that case, jwks_uri does not appear in exchange.

        Parameters:
        uri - The URI of the endpoint that returns this service's JWK Set document in the JWT format.
        Returns:
        this object.
        Since:
        3.22, Authlete 2.3
        See Also:
        OpenID Federation 1.0

      • getFederationRegistrationEndpoint

        public URI getFederationRegistrationEndpoint()
        Get the URI of the federation registration endpoint. This property corresponds to the federation_registration_endpoint server metadata that is defined in OpenID Federation 1.0.

        If this service declares it supports the "explicit" client registration, this property must not be empty.

        Returns:
        The URI of the federation registration endpoint.
        Since:
        3.22, Authlete 2.3
        See Also:
        OpenID Federation 1.0

      • setFederationRegistrationEndpoint

        public Service setFederationRegistrationEndpoint​(URI endpoint)
        Set the URI of the federation registration endpoint. This property corresponds to the federation_registration_endpoint server metadata that is defined in OpenID Federation 1.0.

        If this service declares it supports the "explicit" client registration, this property must not be empty.

        Parameters:
        endpoint - The URI of the federation registration endpoint.
        Returns:
        this object.
        Since:
        3.22, Authlete 2.3
        See Also:
        OpenID Federation 1.0

      • getSupportedClientRegistrationTypes

        public ClientRegistrationType[] getSupportedClientRegistrationTypes()
        Get the client registration types supported by this service. This property corresponds to the client_registration_types_supported server metadata that is defined in OpenID Federation 1.0.

        If this property includes EXPLICIT, the federationRegistrationEndpoint property must be set up properly.

        Returns:
        Client registration types supported by this service.
        Since:
        3.22, Authlete 2.3
        See Also:
        OpenID Federation 1.0, ClientRegistrationType

      • setSupportedClientRegistrationTypes

        public Service setSupportedClientRegistrationTypes​(ClientRegistrationType[] types)
        Set the client registration types supported by this service. This property corresponds to the client_registration_types_supported server metadata that is defined in OpenID Federation 1.0.

        If this property includes EXPLICIT, the federationRegistrationEndpoint property must be set up properly.

        Parameters:
        types - Client registration types supported by this service.
        Returns:
        this object.
        Since:
        3.22, Authlete 2.3
        See Also:
        OpenID Federation 1.0, ClientRegistrationType

      • isTokenExchangeByIdentifiableClientsOnly

        public boolean isTokenExchangeByIdentifiableClientsOnly()
        Get the flag indicating whether to prohibit unidentifiable clients from making token exchange requests (cf. RFC 8693).

        Section 2.1 of RFC 8692 OAuth 2.0 Token Exchange states as follows:

        The supported methods of client authentication and whether or not to allow unauthenticated or unidentified clients are deployment decisions that are at the discretion of the authorization server.

        Technically speaking, "unidentified" in the excerpted sentence means that a token exchange request contains no identifier of the client that made the request.

        When this flag is set to true, this service rejects token exchange requests that contain no client identifier.

        Returns:
        true if this service rejects token exchange requests that contain no client identifier.
        Since:
        3.26, Authlete 2.3
        See Also:
        RFC 8693 OAuth 2.0 Token Exchange

      • setTokenExchangeByIdentifiableClientsOnly

        public Service setTokenExchangeByIdentifiableClientsOnly​(boolean only)
        Set the flag indicating whether to prohibit unidentifiable clients from making token exchange requests (cf. RFC 8693).

        Section 2.1 of RFC 8692 OAuth 2.0 Token Exchange states as follows:

        The supported methods of client authentication and whether or not to allow unauthenticated or unidentified clients are deployment decisions that are at the discretion of the authorization server.

        Technically speaking, "unidentified" in the excerpted sentence means that a token exchange request contains no identifier of the client that made the request.

        When this flag is set to true, this service rejects token exchange requests that contain no client identifier.

        Parameters:
        only - true to reject token exchange requests that contain no client identifier.
        Returns:
        this object.
        Since:
        3.26, Authlete 2.3
        See Also:
        RFC 8693 OAuth 2.0 Token Exchange

      • isTokenExchangeByConfidentialClientsOnly

        public boolean isTokenExchangeByConfidentialClientsOnly()
        Get the flag indicating whether to prohibit public clients from making token exchange requests (cf. RFC 8693).

        Section 2.1 of RFC 8692 OAuth 2.0 Token Exchange states as follows:

        The supported methods of client authentication and whether or not to allow unauthenticated or unidentified clients are deployment decisions that are at the discretion of the authorization server.

        Technically speaking, "unauthenticated" in the excerpted sentence means that the client making a token exchange request is a public client and so client authentication for the client is not required at the token endpoint.

        When this flag is set to true, this service rejects token exchange requests from public clients.

        Returns:
        true if this service rejects token exchange requests from public clients.
        Since:
        3.26, Authlete 2.3
        See Also:
        RFC 8693 OAuth 2.0 Token Exchange

      • setTokenExchangeByConfidentialClientsOnly

        public Service setTokenExchangeByConfidentialClientsOnly​(boolean only)
        Set the flag indicating whether to prohibit public clients from making token exchange requests (cf. RFC 8693).

        Section 2.1 of RFC 8692 OAuth 2.0 Token Exchange states as follows:

        The supported methods of client authentication and whether or not to allow unauthenticated or unidentified clients are deployment decisions that are at the discretion of the authorization server.

        Technically speaking, "unauthenticated" in the excerpted sentence means that the client making a token exchange request is a public client and so client authentication for the client is not required at the token endpoint.

        When this flag is set to true, this service rejects token exchange requests from public clients.

        Parameters:
        only - true to reject token exchange requests from public clients.
        Returns:
        this object.
        Since:
        3.26, Authlete 2.3
        See Also:
        RFC 8693 OAuth 2.0 Token Exchange

      • isTokenExchangeByPermittedClientsOnly

        public boolean isTokenExchangeByPermittedClientsOnly()
        Get the flag indicating whether to prohibit clients which have no explicit permission from making token exchange requests (cf. RFC 8693).

        An administrator can give a client an explicit permission to make token exchange requests by setting true to the tokenExchangePermitted flag of the client (cf. ClientExtension.setTokenExchangePermitted(boolean)).

        When this flag (tokenExchangeByPermittedClientsOnly) is set to true, this service rejects token exchange requests from clients whose tokenExchangePermitted flag is false.

        Returns:
        true if this service rejects token exchange requests from clients whose tokenExchangePermitted flag is false.
        Since:
        3.26, Authlete 2.3
        See Also:
        ClientExtension.isTokenExchangePermitted(), RFC 8693 OAuth 2.0 Token Exchange

      • setTokenExchangeByPermittedClientsOnly

        public Service setTokenExchangeByPermittedClientsOnly​(boolean only)
        Set the flag indicating whether to prohibit clients which have no explicit permission from making token exchange requests (cf. RFC 8693).

        An administrator can give a client an explicit permission to make token exchange requests by setting true to the tokenExchangePermitted flag of the client (cf. ClientExtension.setTokenExchangePermitted(boolean)).

        When this flag (tokenExchangeByPermittedClientsOnly) is set to true, this service rejects token exchange requests from clients whose tokenExchangePermitted flag is false.

        Parameters:
        only - true to reject token exchange requests from clients whose tokenExchangePermitted flag is false.
        Returns:
        this object.
        Since:
        3.26, Authlete 2.3
        See Also:
        ClientExtension.setTokenExchangePermitted(boolean), RFC 8693 OAuth 2.0 Token Exchange

      • isTokenExchangeEncryptedJwtRejected

        public boolean isTokenExchangeEncryptedJwtRejected()
        Get the flag indicating whether to reject token exchange requests which use encrypted JWTs as input tokens.

        When this tokenExchangeEncryptedJwtRejected flag is true, token exchange requests which use encrypted JWTs as input tokens (subject token and/or actor token) with the token type "urn:ietf:params:oauth:token-type:jwt" or the token type "urn:ietf:params:oauth:token-type:id_token" are rejected.

        When this flag is false, Authlete skips remaining validation steps on an input token when Authlete detects that it is an encrypted JWT.

        See the description of TokenResponse for details about validation Authlete performs for token exchange requests.

        Returns:
        true if token exchange requests which use encrypted JWTs as input tokens are rejected.
        Since:
        3.27, Authlete 2.3
        See Also:
        TokenResponse, RFC 8693 OAuth 2.0 Token Exchange

      • setTokenExchangeEncryptedJwtRejected

        public Service setTokenExchangeEncryptedJwtRejected​(boolean rejected)
        Set the flag indicating whether to reject token exchange requests which use encrypted JWTs as input tokens.

        When this tokenExchangeEncryptedJwtRejected flag is true, token exchange requests which use encrypted JWTs as input tokens (subject token and/or actor token) with the token type "urn:ietf:params:oauth:token-type:jwt" or the token type "urn:ietf:params:oauth:token-type:id_token" are rejected.

        When this flag is false, Authlete skips remaining validation steps on an input token when Authlete detects that it is an encrypted JWT.

        See the description of TokenResponse for details about validation Authlete performs for token exchange requests.

        Parameters:
        rejected - true to reject token exchange requests which use encrypted JWTs as input tokens.
        Returns:
        this object.
        Since:
        3.27, Authlete 2.3
        See Also:
        TokenResponse, RFC 8693 OAuth 2.0 Token Exchange

      • isTokenExchangeUnsignedJwtRejected

        public boolean isTokenExchangeUnsignedJwtRejected()
        Get the flag indicating whether to reject token exchange requests which use unsigned JWTs as input tokens.

        When this tokenExchangeUnsignedJwtRejected flag is true, token exchange requests which use unsigned JWTs as input tokens (subject token and/or actor token) with the token type "urn:ietf:params:oauth:token-type:jwt" or the token type "urn:ietf:params:oauth:token-type:id_token" are rejected.

        When this flag is false, Authlete skips remaining validation steps on an input token when Authlete detects that it is an unsigned JWT.

        See the description of TokenResponse for details about validation Authlete performs for token exchange requests.

        Returns:
        true if token exchange requests which use unsigned JWTs as input tokens are rejected.
        Since:
        3.27, Authlete 2.3
        See Also:
        TokenResponse, RFC 8693 OAuth 2.0 Token Exchange

      • setTokenExchangeUnsignedJwtRejected

        public Service setTokenExchangeUnsignedJwtRejected​(boolean rejected)
        Set the flag indicating whether to reject token exchange requests which use unsigned JWTs as input tokens.

        When this tokenExchangeUnsignedJwtRejected flag is true, token exchange requests which use unsigned JWTs as input tokens (subject token and/or actor token) with the token type "urn:ietf:params:oauth:token-type:jwt" or the token type "urn:ietf:params:oauth:token-type:id_token" are rejected.

        When this flag is false, Authlete skips remaining validation steps on an input token when Authlete detects that it is an unsigned JWT.

        See the description of TokenResponse for details about validation Authlete performs for token exchange requests.

        Parameters:
        rejected - true to reject token exchange requests which use unsigned JWTs as input tokens.
        Returns:
        this object.
        Since:
        3.27, Authlete 2.3
        See Also:
        TokenResponse, RFC 8693 OAuth 2.0 Token Exchange

      • isJwtGrantEncryptedJwtRejected

        public boolean isJwtGrantEncryptedJwtRejected()
        Get the flag indicating whether to reject token requests that use an encrypted JWT as an authorization grant with the grant type "urn:ietf:params:oauth:grant-type:jwt-bearer" (RFC 7523).

        When this jwtGrantEncryptedJwtRejected flag is true, token requests that use an encrypted JWT as an authorization grant with the grant type "urn:ietf:params:oauth:grant-type:jwt-bearer" are rejected.

        When this flag is false, Authlete skips remaining validation steps on an input assertion when Authlete detects that it is an encrypted JWT.

        See the description of TokenResponse for details about validation Authlete performs for the grant type.

        Returns:
        true if token requests that use an encrypted JWT as an authorization grant with the grant type "urn:ietf:params:oauth:grant-type:jwt-bearer" are rejected.
        Since:
        3.30, Authlete 2.3
        See Also:
        TokenResponse, RFC 7521 Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants, RFC 7523 JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants

      • setJwtGrantEncryptedJwtRejected

        public Service setJwtGrantEncryptedJwtRejected​(boolean rejected)
        Set the flag indicating whether to reject token requests that use an encrypted JWT as an authorization grant with the grant type "urn:ietf:params:oauth:grant-type:jwt-bearer" (RFC 7523).

        When this jwtGrantEncryptedJwtRejected flag is true, token requests that use an encrypted JWT as an authorization grant with the grant type "urn:ietf:params:oauth:grant-type:jwt-bearer" are rejected.

        When this flag is false, Authlete skips remaining validation steps on an input assertion when Authlete detects that it is an encrypted JWT.

        See the description of TokenResponse for details about validation Authlete performs for the grant type.

        Parameters:
        rejected - true to reject token requests that use an encrypted JWT as an authorization grant with the grant type "urn:ietf:params:oauth:grant-type:jwt-bearer".
        Returns:
        this object.
        Since:
        3.30, Authlete 2.3
        See Also:
        TokenResponse, RFC 7521 Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants, RFC 7523 JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants

      • isJwtGrantUnsignedJwtRejected

        public boolean isJwtGrantUnsignedJwtRejected()
        Get the flag indicating whether to reject token requests that use an unsigned JWT as an authorization grant with the grant type "urn:ietf:params:oauth:grant-type:jwt-bearer" (RFC 7523).

        When this jwtGrantUnsignedJwtRejected flag is true, token requests that use an unsigned JWT as an authorization grant with the grant type "urn:ietf:params:oauth:grant-type:jwt-bearer" are rejected.

        When this flag is false, Authlete skips remaining validation steps on an input assertion when Authlete detects that it is an unsigned JWT.

        See the description of TokenResponse for details about validation Authlete performs for the grant type.

        Returns:
        true if token requests that use an unsigned JWT as an authorization grant with the grant type "urn:ietf:params:oauth:grant-type:jwt-bearer" are rejected.
        Since:
        3.30, Authlete 2.3
        See Also:
        TokenResponse, RFC 7521 Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants, RFC 7523 JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants

      • setJwtGrantUnsignedJwtRejected

        public Service setJwtGrantUnsignedJwtRejected​(boolean rejected)
        Set the flag indicating whether to reject token requests that use an unsigned JWT as an authorization grant with the grant type "urn:ietf:params:oauth:grant-type:jwt-bearer" (RFC 7523).

        When this jwtGrantUnsignedJwtRejected flag is true, token requests that use an unsigned JWT as an authorization grant with the grant type "urn:ietf:params:oauth:grant-type:jwt-bearer" are rejected.

        When this flag is false, Authlete skips remaining validation steps on an input assertion when Authlete detects that it is an unsigned JWT.

        See the description of TokenResponse for details about validation Authlete performs for the grant type.

        Parameters:
        rejected - true to reject token requests that use an unsigned JWT as an authorization grant with the grant type "urn:ietf:params:oauth:grant-type:jwt-bearer".
        Returns:
        this object.
        Since:
        3.30, Authlete 2.3
        See Also:
        TokenResponse, RFC 7521 Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants, RFC 7523 JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants

      • isDcrDuplicateSoftwareIdBlocked

        public boolean isDcrDuplicateSoftwareIdBlocked()
        Get the flag indicating whether to block DCR (Dynamic Client Registration) requests whose software_id has already been used previously.

        A DCR request may contain the software_id client metadata (which is defined in RFC 7591). The client metadata is saved in Authlete's database together with other client metadata.

        If this dcrDuplicateSoftwareIdBlocked flag is true, Authlete checks whether the value of the software_id client metadata included in a DCR request already exists in the database, and rejects the DCR request if one exists.

        Returns:
        true if DCR requests whose software_id has already been used previously are blocked.
        Since:
        3.32, Authlete 2.2.30
        See Also:
        RFC 7591 OAuth 2.0 Dynamic Client Registration Protocol

      • setDcrDuplicateSoftwareIdBlocked

        public Service setDcrDuplicateSoftwareIdBlocked​(boolean blocked)
        Set the flag indicating whether to block DCR (Dynamic Client Registration) requests whose software_id has already been used previously.

        A DCR request may contain the software_id client metadata (which is defined in RFC 7591). The client metadata is saved in Authlete's database together with other client metadata.

        If this dcrDuplicateSoftwareIdBlocked flag is true, Authlete checks whether the value of the software_id client metadata included in a DCR request already exists in the database, and rejects the DCR request if one exists.

        Parameters:
        blocked - true to block DCR requests whose software_id has already been used previously.
        Returns:
        this object.
        Since:
        3.32, Authlete 2.2.30
        See Also:
        RFC 7591 OAuth 2.0 Dynamic Client Registration Protocol

      • getResourceSignatureKeyId

        public String getResourceSignatureKeyId()
        Get the key ID of a JWK containing the private key used by this service to sign responses from the resource server, such as the userinfo endpoint and responses sent to the RS signing endpoint.
        Returns:
        The key ID.
        Since:
        3.39, Authlete 2.3

      • setResourceSignatureKeyId

        public Service setResourceSignatureKeyId​(String keyId)
        Set the key ID of a JWK containing the private key used by this service to sign responses from the resource server, such as the userinfo endpoint and responses sent to the RS signing endpoint.
        Parameters:
        keyId - The key ID.
        Returns:
        this object.
        Since:
        3.39, Authlete 2.3

      • isRsResponseSigned

        public boolean isRsResponseSigned()
        Get whether the service signs responses from the resource server. If true, userinfo issue responses and responses sent to the RS signing endpoint that are in relation to a client's signed request will be signed using the key identified by {getResourceSignatureKeyId().
        Returns:
        true if the services signs responses for the resource server, false otherwise.
        Since:
        3.39, Authlete 2.3

      • setRsResponseSigned

        public Service setRsResponseSigned​(boolean signed)
        Set whether the service signs responses from the resource server. If true, userinfo issue responses and responses sent to the RS signing endpoint that are in relation to a client's signed request will be signed using the key identified by {getResourceSignatureKeyId().
        Parameters:
        signed - true if the services signs responses for the resource server, false otherwise.
        Returns:
        this object.
        Since:
        3.39, Authlete 2.3

      • isOpenidDroppedOnRefreshWithoutOfflineAccess

        public boolean isOpenidDroppedOnRefreshWithoutOfflineAccess()
        Get the flag indicating whether to remove the openid scope from a new access token issued by the refresh token flow if the presented refresh token does not contain the offline_access scope.
        Returns:
        true if the openid scope is dropped when the presented refresh token does not contain the offline_access scope.
        Since:
        3.42, Authlete 2.2.36

      • setOpenidDroppedOnRefreshWithoutOfflineAccess

        public Service setOpenidDroppedOnRefreshWithoutOfflineAccess​(boolean dropped)
        Set the flag indicating whether to remove the openid scope from a new access token issued by the refresh token flow if the presented refresh token does not contain the offline_access scope.
        Parameters:
        dropped - true to drop the openid scope when the presented refresh token does not contain the offline_access scope.
        Returns:
        this object.
        Since:
        3.42, Authlete 2.2.36

      • isVerifiableCredentialsEnabled

        public boolean isVerifiableCredentialsEnabled()
        Get the flag indicating whether the feature of Verifiable Credentials for this service is enabled or not.
        Returns:
        true if the feature of Verifiable Credentials is enabled.
        Since:
        3.55, Authlete 3.0

      • setVerifiableCredentialsEnabled

        public Service setVerifiableCredentialsEnabled​(boolean enabled)
        Set the flag indicating whether the feature of Verifiable Credentials for this service is enabled or not.
        Parameters:
        enabled - true to indicate that the feature of Verifiable Credentials is enabled.
        Returns:
        this object.
        Since:
        3.55, Authlete 3.0

      • getCredentialOfferDuration

        public long getCredentialOfferDuration()
        Get the default duration of credential offers in seconds.

        When an API call to the /vci/offer/create API does not contain the duration request parameter or the value of the parameter is 0 or negative, the value of this property is used as the default value.

        If the value of this property is 0 or negative, the default value per Authlete server is used as the default value.

        Returns:
        The default duration of credential offers in seconds.
        Since:
        3.59, Authlete 3.0
        See Also:
        OpenID for Verifiable Credential Issuance, CredentialOfferCreateRequest.getDuration()

      • setCredentialOfferDuration

        public Service setCredentialOfferDuration​(long duration)
        Set the default duration of credential offers in seconds.

        When an API call to the /vci/offer/create API does not contain the duration request parameter or the value of the parameter is 0 or negative, the value of this property is used as the default value.

        If the value of this property is 0 or negative, the default value per Authlete server is used as the default value.

        Parameters:
        duration - The default duration of credential offers in seconds.
        Returns:
        this object.
        Since:
        3.59, Authlete 3.0
        See Also:
        OpenID for Verifiable Credential Issuance, CredentialOfferCreateRequest.setDuration(long)

      • getUserPinLength

        @Deprecated
public int getUserPinLength()
        Deprecated.
        Get the default length of user PINs.

        When an API call to the /vci/offer/create API does not contain the userPinLength request parameter or the value of the parameter is 0 or negative, the value of this property is used as the default value.

        If the value of this property is 0 or negative, the default value per Authlete server is used as the default value.

        NOTE: This property has been deprecated due to a breaking change of the OID4VCI specification. The /vci/offer/create API no longer recognizes the userPinLength request parameter.

        Returns:
        The default length of user PINs.
        Since:
        3.59, Authlete 3.0
        See Also:
        CredentialOfferCreateRequest#getUserPinLength()

      • setUserPinLength

        @Deprecated
public Service setUserPinLength​(int length)
        Deprecated.
        Set the default length of user PINs.

        When an API call to the /vci/offer/create API does not contain the userPinLength request parameter or the value of the parameter is 0 or negative, the value of this property is used as the default value.

        If the value of this property is 0 or negative, the default value per Authlete server is used as the default value.

        NOTE: This property has been deprecated due to a breaking change of the OID4VCI specification. The /vci/offer/create API no longer recognizes the userPinLength request parameter.

        Parameters:
        length - The default length of user PINs.
        Returns:
        this object.
        Since:
        3.59, Authlete 3.0
        See Also:
        CredentialOfferCreateRequest#setUserPinLength(int)

      • getIdTokenAudType

        public String getIdTokenAudType()
        Get the type of the aud claim in ID tokens. Valid values are as follows.
        Value Description
        "array" The type of the aud claim is always an array of strings.
        "string" The type of the aud claim is always a single string.
        null The type of the aud claim remains the same as before.

        Authlete APIs that may trigger ID token issuance may accept the idTokenAudType request parameter (e.g. AuthorizationIssueRequest.getIdTokenAudType()). Such request parameters take precedence over this service property.

        Returns:
        The type of the aud claim in ID tokens.
        Since:
        3.57, Authlete 2.3.3

      • setIdTokenAudType

        public Service setIdTokenAudType​(String type)
        Set the type of the aud claim in ID tokens. Valid values are as follows.
        Value Description
        "array" The type of the aud claim is always an array of strings.
        "string" The type of the aud claim is always a single string.
        null The type of the aud claim remains the same as before.

        Authlete APIs that may trigger ID token issuance may accept the idTokenAudType request parameter (e.g. AuthorizationIssueRequest.getIdTokenAudType()). Such request parameters take precedence over this service property.

        Parameters:
        type - The type of the aud claim in ID tokens.
        Returns:
        this object.
        Since:
        3.57, Authlete 2.3.3

      • getVerifiedClaimsValidationSchemaSet

        public String getVerifiedClaimsValidationSchemaSet()
        Get the name of the validation schema set that is used to validate the content of "verified_claims".

        Since version 2.3, Authlete validates the content of "verified_claims" based on the JSON schema files that accompany the specification (OpenID Connect for Identity Assurance 1.0). They are found in the /schema/ folder of the Git repository of the specification.

        Usually, Authlete uses the legitimate JSON schema files that conform to the specification. But, it is possible to make Authlete use a different set of JSON schema files by specifying a name of validation schema set through this property (Service.verifiedClaimsValidationSchemaSet).

        Authlete recognizes the following names of validation schema set at least.

        name description
        null Same as "standard".
        "standard" The set of the legitimate JSON schema files.
        "standard+id_document" A set of customized JSON schema files that mostly conform to the standard but additionally accept "id_document" as a valid name of evidence. This is for backward compatibility. Note that "id_document" was deprecated by Implementer's Draft 4 (cf. eKYC-IDA PR 152).
        Returns:
        The name of the validation schema set.
        Since:
        3.61, Authlete 2.3.4
        See Also:
        OpenID Connect for Identity Assurance 1.0, eKYC-IDA PR 152: removal of deprecated items - issue 1334

      • setVerifiedClaimsValidationSchemaSet

        public Service setVerifiedClaimsValidationSchemaSet​(String schemaSet)
        Set the name of the validation schema set that is used to validate the content of "verified_claims".

        Since version 2.3, Authlete validates the content of "verified_claims" based on the JSON schema files that accompany the specification (OpenID Connect for Identity Assurance 1.0). They are found in the /schema/ folder of the Git repository of the specification.

        Usually, Authlete uses the legitimate JSON schema files that conform to the specification. But, it is possible to make Authlete use a different set of JSON schema files by specifying a name of validation schema set through this property (Service.verifiedClaimsValidationSchemaSet).

        Authlete recognizes the following names of validation schema set at least.

        name description
        null Same as "standard".
        "standard" The set of the legitimate JSON schema files.
        "standard+id_document" A set of customized JSON schema files that mostly conform to the standard but additionally accept "id_document" as a valid name of evidence. This is for backward compatibility. Note that "id_document" was deprecated by Implementer's Draft 4 (cf. eKYC-IDA PR 152).
        Parameters:
        schemaSet - The name of the validation schema set.
        Returns:
        this object.
        Since:
        3.61, Authlete 2.3.4
        See Also:
        OpenID Connect for Identity Assurance 1.0, eKYC-IDA PR 152: removal of deprecated items - issue 1334

      • isPreAuthorizedGrantAnonymousAccessSupported

        public boolean isPreAuthorizedGrantAnonymousAccessSupported()
        Get the flag indicating whether token requests using the pre-authorized code grant flow by unidentifiable clients are allowed.

        This property corresponds to the pre-authorized_grant_anonymous_access_supported server metadata defined in "OpenID for Verifiable Credentials Issuance".

        Returns:
        true if token requests using the pre-authorized code grant flow by unidentifiable clients are allows.
        Since:
        3.62, Authlete 3.0
        See Also:
        OpenID for Verifiable Credentials Issuance

      • setPreAuthorizedGrantAnonymousAccessSupported

        public Service setPreAuthorizedGrantAnonymousAccessSupported​(boolean supported)
        Set the flag indicating whether token requests using the pre-authorized code grant flow by unidentifiable clients are allowed.

        This property corresponds to the pre-authorized_grant_anonymous_access_supported server metadata defined in "OpenID for Verifiable Credentials Issuance".

        Parameters:
        supported - true to allow unidentifiable clients to make token requests using the pre-authorized code grant flow.
        Returns:
        this object.
        Since:
        3.62, Authlete 3.0
        See Also:
        OpenID for Verifiable Credentials Issuance

      • getCnonceDuration

        public long getCnonceDuration()
        Get the duration of c_nonce in seconds.

        c_nonce is issued from the token endpoint of an authorization server in the pre-authorized code flow, and from the credential endpoint and the batch credential endpoint of a credential issuer. This property is used as the lifetime of the c_nonce.

        If the value of this property is 0 or negative, the default value per Authlete server is used as the default value.

        See OpenID for Verifiable Credentials Issuance for details about c_nonce.

        The getCNonceDuration() method added by the version 3.63 has been renamed to getCnonceDuration() by the version 3.90.

        Returns:
        The duration of c_nonce in seconds.
        Since:
        3.90, Authlete 3.0
        See Also:
        OpenID for Verifiable Credentials Issuance

      • setCnonceDuration

        public Service setCnonceDuration​(long duration)
        Set the duration of c_nonce in seconds.

        c_nonce is issued from the token endpoint of an authorization server in the pre-authorized code flow, and from the credential endpoint and the batch credential endpoint of a credential issuer. This property is used as the lifetime of the c_nonce.

        If the value of this property is 0 or negative, the default value per Authlete server is used as the default value.

        See OpenID for Verifiable Credentials Issuance for details about c_nonce.

        The setCNonceDuration(long) method added by the version 3.63 has been renamed to setCnonceDuration(long) by the version 3.90.

        Parameters:
        duration - The duration of c_nonce in seconds.
        Returns:
        this object.
        Since:
        3.90, Authlete 3.0
        See Also:
        OpenID for Verifiable Credentials Issuance

      • getCredentialTransactionDuration

        public long getCredentialTransactionDuration()
        Get the duration of transaction ID in seconds that may be issued as a result of a credential request or a batch credential request.

        If the value of this property is 0 or negative, the default value per Authlete server is used.

        Returns:
        The duration of transaction ID in seconds.
        Since:
        3.66, Authlete 3.0

      • setCredentialTransactionDuration

        public Service setCredentialTransactionDuration​(long duration)
        Set the duration of transaction ID in seconds that may be issued as a result of a credential request or a batch credential request.

        If the value of this property is 0 or negative, the default value per Authlete server is used.

        Parameters:
        duration - The duration of transaction ID in seconds.
        Returns:
        this object.
        Since:
        3.66, Authlete 3.0

      • getCredentialDuration

        public long getCredentialDuration()
        Get the default duration of verifiable credentials in seconds.

        Some Authlete APIs such as the /vci/single/issue API and the /vci/batch/issue API may issue one or more verifiable credentials. The value of this property specifies the default duration of such verifiable credentials.

        The value 0 indicates that verifiable credentials will not expire. In the case, verifiable credentials will not have a property that indicates the expiration time. For example, JWT-based verifiable credentials will not contain the "exp" claim (RFC 7519, Section 4.1.4).

        Authlete APIs that may issue verifiable credentials recognize a request parameter that can override the duration. For example, a request to the /vci/single/issue API (CredentialSingleIssueRequest) contains an "order" object (CredentialIssuanceOrder) that has a "credentialDuration" parameter (credentialDuration) that can override the default duration.

        Returns:
        The default duration of verifiable credentials in seconds.
        Since:
        3.67, Authlete 3.0

      • setCredentialDuration

        public Service setCredentialDuration​(long duration)
        Set the default duration of verifiable credentials in seconds.

        Some Authlete APIs such as the /vci/single/issue API and the /vci/batch/issue API may issue one or more verifiable credentials. The value of this property specifies the default duration of such verifiable credentials.

        The value 0 indicates that verifiable credentials will not expire. In the case, verifiable credentials will not have a property that indicates the expiration time. For example, JWT-based verifiable credentials will not contain the "exp" claim (RFC 7519, Section 4.1.4).

        Authlete APIs that may issue verifiable credentials recognize a request parameter that can override the duration. For example, a request to the /vci/single/issue API (CredentialSingleIssueRequest) contains an "order" object (CredentialIssuanceOrder) that has a "credentialDuration" parameter (credentialDuration) that can override the default duration.

        Parameters:
        duration - The default duration of verifiable credentials in seconds.
        Returns:
        this object.
        Since:
        3.67, Authlete 3.0

      • getCredentialJwks

        public String getCredentialJwks()
        Get the JWK Set document containing private keys that are used to sign verifiable credentials.

        Some Authlete APIs such as the /vci/single/issue API and the /vci/batch/issue API may issue one or more verifiable credentials. The content of this property is referred to by such APIs.

        Authlete APIs that may issue verifiable credentials recognize a request parameter that can specify the key ID of a private key that should be used for signing. For example, a request to the /vci/single/issue API (CredentialSingleIssueRequest) contains an "order" object (CredentialIssuanceOrder) that has a "signingKeyId" parameter (signingKeyId) that can specify the key ID of a private key to be used for signing. When a key ID is not specified, Authlete will select a private key automatically.

        If JWKs in the JWK Set do not contain the "kid" property (RFC 7517, Section 4.5) when this credentialJwks property is updated, Authlete will automatically insert the "kid" property into such JWKs. The JWK thumbprint (RFC 7638) computed with the SHA-256 hash algorithm is used as the value of the "kid" property.

        Returns:
        The JWK Set document containing private keys that are used to sign verifiable credentials.
        Since:
        3.67, Authlete 3.0
        See Also:
        RFC 7517 JSON Web Key (JWK)

      • setCredentialJwks

        public Service setCredentialJwks​(String jwks)
        Set the JWK Set document containing private keys that are used to sign verifiable credentials.

        Some Authlete APIs such as the /vci/single/issue API and the /vci/batch/issue API may issue one or more verifiable credentials. The content of this property is referred to by such APIs.

        Authlete APIs that may issue verifiable credentials recognize a request parameter that can specify the key ID of a private key that should be used for signing. For example, a request to the /vci/single/issue API (CredentialSingleIssueRequest) contains an "order" object (CredentialIssuanceOrder) that has a "signingKeyId" parameter (signingKeyId) that can specify the key ID of a private key to be used for signing. When a key ID is not specified, Authlete will select a private key automatically.

        If JWKs in the JWK Set do not contain the "kid" property (RFC 7517, Section 4.5) when this credentialJwks property is updated, Authlete will automatically insert the "kid" property into such JWKs. The JWK thumbprint (RFC 7638) computed with the SHA-256 hash algorithm is used as the value of the "kid" property.

        Parameters:
        jwks - The JWK Set document containing private keys that are used to sign verifiable credentials.
        Returns:
        this object.
        Since:
        3.67, Authlete 3.0
        See Also:
        RFC 7517 JSON Web Key (JWK)

      • isIdTokenReissuable

        public boolean isIdTokenReissuable()
        Get the flag indicating whether to enable the feature of ID token reissuance in the refresh token flow.

        If this property is true, the action response parameter in a response from the /auth/token API becomes ID_TOKEN_REISSUABLE when the following conditions are met.

        1. The flow of the token request is the refresh token flow.
        2. The scope set after processing the token request still contains the "openid" scope.
        3. The access token is associated with the subject of a user.
        4. The access token is associated with a client application.

        See the description of the TokenResponse class for details.

        Returns:
        true if the feature of ID token reissuance in the refresh token flow is enabled. false if the feature is disabled.
        Since:
        3.68, Authlete 2.3.8, Authlete 3.0
        See Also:
        TokenResponse

      • setIdTokenReissuable

        public Service setIdTokenReissuable​(boolean reissuable)
        Set the flag indicating whether to enable the feature of ID token reissuance in the refresh token flow.

        If this property is true, the action response parameter in a response from the /auth/token API becomes ID_TOKEN_REISSUABLE when the following conditions are met.

        1. The flow of the token request is the refresh token flow.
        2. The scope set after processing the token request still contains the "openid" scope.
        3. The access token is associated with the subject of a user.
        4. The access token is associated with a client application.

        See the description of the TokenResponse class for details.

        Parameters:
        reissuable - true to enable the feature of ID token reissuance in the refresh token flow. false to disable the feature.
        Returns:
        this object.
        Since:
        3.68, Authlete 2.3.8, Authlete 3.0
        See Also:
        TokenResponse

      • getIntrospectionSignatureKeyId

        public String getIntrospectionSignatureKeyId()
        Get the key ID of the key for signing introspection responses.
        Returns:
        The key ID of the key for signing introspection responses.
        Since:
        3.77, Authlete 3.0
        See Also:
        JWT Response for OAuth Token Introspection

      • setIntrospectionSignatureKeyId

        public Service setIntrospectionSignatureKeyId​(String keyId)
        Set the key ID of the key for signing introspection responses.
        Parameters:
        keyId - The key ID of the key for signing introspection responses.
        Returns:
        this object.
        Since:
        3.77, Authlete 3.0
        See Also:
        JWT Response for OAuth Token Introspection

      • getFapiModes

        public FapiMode[] getFapiModes()
        Get the FAPI modes for this service.

        When the value of this property is not null, Authlete always processes requests to this service based on the specified FAPI modes if the FAPI feature is enabled in Authlete and the FAPI profile is supported by this service.

        For instance, when this property is set to an array containing FAPI1_ADVANCED only, Authlete always processes requests to this service based on " Financial-grade API Security Profile 1.0 - Part 2: Advanced" if the FAPI feature is enabled in Authlete and the FAPI profile is supported by this service.

        Returns:
        The FAPI modes for this service.
        Since:
        3.80, Authlete 3.0
        See Also:
        Financial-grade API Security Profile 1.0 - Part 2: Advanced

      • setFapiModes

        public Service setFapiModes​(FapiMode[] modes)
        Set the FAPI modes for this service.

        When the value of this property is not null, Authlete always processes requests to this service based on the specified FAPI modes if the FAPI feature is enabled in Authlete and the FAPI profile is supported by this service.

        For instance, when this property is set to an array containing FAPI1_ADVANCED only, Authlete always processes requests to this service based on " Financial-grade API Security Profile 1.0 - Part 2: Advanced" if the FAPI feature is enabled in Authlete and the FAPI profile is supported by this service.

        Parameters:
        modes - The FAPI modes for this service.
        Returns:
        this object.
        Since:
        3.80, Authlete 3.0
        See Also:
        Financial-grade API Security Profile 1.0 - Part 2: Advanced

      • isDpopNonceRequired

        public boolean isDpopNonceRequired()
        Get the flag indicating whether to require DPoP proof JWTs to include the nonce claim whenever they are presented.

        DPoP-aware Authlete APIs such as the /auth/introspection API and the /auth/token API recognize the dpopNonceRequired request parameter, which enables API callers to require DPoP proof JWTs to include the nonce claim at runtime, even if this service property is false.

        Returns:
        true if DPoP proof JWTs are required to include the nonce claim whenever they are presented.
        Since:
        3.82, Authlete 3.0
        See Also:
        RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP)

      • setDpopNonceRequired

        public Service setDpopNonceRequired​(boolean required)
        Set the flag indicating whether to require DPoP proof JWTs to include the nonce claim whenever they are presented.

        DPoP-aware Authlete APIs such as the /auth/introspection API and the /auth/token API recognize the dpopNonceRequired request parameter, which enables API callers to require DPoP proof JWTs to include the nonce claim at runtime, even if this service property is false.

        Parameters:
        required - true to require DPoP proof JWTs to include the nonce claim whenever they are presented.
        Returns:
        this object.
        Since:
        3.82, Authlete 3.0
        See Also:
        RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP)

      • setDpopNonceDuration

        public Service setDpopNonceDuration​(long duration)
        Set the duration of nonce values for DPoP proof JWTs in seconds.
        Parameters:
        duration - The duration of nonce values for DPoP proof JWTs in seconds.
        Returns:
        this object.
        Since:
        3.82, Authlete 3.0
        See Also:
        RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP)

      • getTokenBatchNotificationEndpoint

        public URI getTokenBatchNotificationEndpoint()
        Get the URI of the endpoint that receives token batch results.
        Returns:
        The URI of the endpoint that receives token batch results.
        Since:
        3.96, Authlete 3.0

      • setTokenBatchNotificationEndpoint

        public Service setTokenBatchNotificationEndpoint​(URI endpoint)
        Set the URI of the endpoint that receives token batch results.
        Parameters:
        endpoint - The URI of the endpoint that receives token batch results.
        Returns:
        this object.
        Since:
        3.96, Authlete 3.0

      • isClientAssertionAudRestrictedToIssuer

        public boolean isClientAssertionAudRestrictedToIssuer()
        Get the flag to determine to restrict the aud claim value in client assertions to the issuer of this service as a string.
        Returns:
        true if the aud claim value in client assertions is restricted to the issuer of this service as a string.
        Since:
        4.14, Authlete 3.0

      • setClientAssertionAudRestrictedToIssuer

        public Service setClientAssertionAudRestrictedToIssuer​(boolean restricted)
        Set the flag to determine whether to restrict the aud claim value in client assertions to the issuer of this service as a string.
        Parameters:
        restricted - true to restrict the aud claim value in client assertions to the issuer of this service as a string.
        Returns:
        this object.
        Since:
        4.14, Authlete 3.0