Documentation

AuthorizationRequestDecisionHandlerSpi extends AuthorizationRequestHandlerSpi
in

Service Provider Interface for AuthorizationRequestDecisionHandler.

The constructor of AuthorizationRequestDecisionHandler requires an implementation of this interface.

AuthorizationRequestDecisionHandlerSpiAdapter is an empty implementation of this interface.

Tags
link
\Authlete\Laravel\Handler\AuthorizationRequestDecisionHandler

Table of Contents

Methods

getAcr()  : string
Get the authentication context class reference (ACR) that was satisfied when the end-user was authenticated.
getProperties()  : array<string|int, Property>
Get arbitrary key-value pairs to be associated with an access token and/or an authorization code.
getScopes()  : array<string|int, string>
Get the scopes to be associated with an access token and/or an authorization code.
getSub()  : string
Get the value of the "sub" claim that will be embedded in an ID token.
getUserAuthenticatedAt()  : int
Get the time when the end-user was authenticated.
getUserClaimValue()  : mixed
Get the value of a claim of the user.
getUserSubject()  : string
Get the subject (= unique identifier) of the end-user.
isClientAuthorized()  : bool
Get the end-user's decision on the authorization request.

Methods

getAcr()

Get the authentication context class reference (ACR) that was satisfied when the end-user was authenticated.

public getAcr() : string

The value returned from this method has an important meaning only when the "acr" claim is requested as an essential claim. See 5.5.1.1. Requesting the acr Claim of OpenID Connect Core 1.0 for details.

Return values
string

The ACR that was satisfied when the end-user was authenticated. If your system does not recognize ACR, null should be returned.

getProperties()

Get arbitrary key-value pairs to be associated with an access token and/or an authorization code.

public getProperties() : array<string|int, Property>

Properties returned from this method will appear as top-level entries (unless they are marked as hidden) in a JSON response from the authorization server as shown in 5.1. Successful Response of RFC 6749.

Keys listed below should not be used and they would be ignored on Authlete side even if they were used. It is because they are reserved in RFC 6749 and OpenID Connect Core 1.0.

  • access_token
  • token_type
  • expires_in
  • refresh_token
  • scope
  • error
  • error_description
  • error_uri
  • id_token

Note that there is an upper limit on the total size of properties. On Authlete side, the properties will be (1) converted to a multidimensional string array, (2) converted to JSON, (3) encrypted by AES/CBC/PKCS5Padding, (4) encoded by base64url, and then stored into the database. The length of the resultant string must not exceed 65,535 in bytes. This is the upper limit, but we think it is big enough.

Return values
array<string|int, Property>

Arbitrary key-value pairs to be associated with an access token.

getScopes()

Get the scopes to be associated with an access token and/or an authorization code.

public getScopes() : array<string|int, string>

If null is returned, the scopes specified in the original authorization request from the client application are used. In other cases, the specified scopes by this method will replace the original scopes.

Even scopes that are not included in the original authorization request can be specified. However, as an exception, the openid scope is ignored on Authlete server side if it is not included in the original request. It is because the existence of the openid scope considerably changes the validation steps and because adding openid triggers generation of an ID token (although the client application has not requested it) and the behavior is a major violation against the specification.

If you add the offline_access scope although it is not included in the original request, keep in mind that the specification requires explicit consent from the end-user for the scope (11. Offline Access of OpenID Connect Core 1.0).

When offline_access is included in the original authorization request, the current implementation of Authlete's /api/auth/authorization API checks whether the authorization request has come along with the prompt request parameter and its value includes consent. However, note that the implementation of Authlete's /api/auth/authorization/issue API does not perform the same validation even if the offline_access scope is newly added via this scopes parameter.

Return values
array<string|int, string>

Scopes which replace the scopes of the original authorization request. If null is returned, the scopes will not be replaced.

getSub()

Get the value of the "sub" claim that will be embedded in an ID token.

public getSub() : string

If this method returns null, the value returned from getUserSubject() will be used.

The main purpose of this method is to hide the actual value of the subject from client applications.

Return values
string

The value of the "sub" claim.

getUserAuthenticatedAt()

Get the time when the end-user was authenticated.

public getUserAuthenticatedAt() : int
Return values
int

The time when the current end-user was authenticated. The number of seconds since the Unix epoch (1970-Jan-1). 0 means that the time is unknown.

getUserClaimValue()

Get the value of a claim of the user.

public getUserClaimValue(string $subject, string $claimName, string $languageTag) : mixed

This method may be called multiple times.

The value returned from this method must be able to be processed by json_encode(). In most cases, a string, a boolean value or an integer should be returned. When $claimName is "address", an array which conforms to the format defined in 5.1.1. Address Claim of OpenID Connect Core 1.0 should be returned. For example,

return array(
    'country' => 'Japan',
    'region'  => 'Tokyo'
);

\Authlete\Dto\Address class can be used to generate an array that conforms to the specification.

// Create an instance of Address class and set property values.
$address = new Address();
$address->setCountry('Japan')->setRegion('Tokyo');

// Convert the Address instance into an array.
$array = $address->toArray();
Parameters
$subject : string

The subject (= unique identifier) of a user.

$claimName : string

A claim name such as "name" and "family_name". Standard claim names are listed in 5.1. Standard Claims of OpenID Connect Core 1.0. Constanct values that represent the standard claims are listed in \Authlete\Types\StandardClaims class. Note that the value of this argument ($claimName) does NOT contain a language tag.

$languageTag : string

A language tag such as "en" and "ja". Implementations of this method should take this into consideration if possible. See 5.2. Claims Languages and Scripts of OpenID Connect Core 1.0 for details.

Return values
mixed

The value of the claim. null if the value is not available. The returned value must be able to be processed by json_encode().

getUserSubject()

Get the subject (= unique identifier) of the end-user.

public getUserSubject() : string

It must consist of only ASCII letters and its length must not exceed 100.

Return values
string

The subject of the end-user.

isClientAuthorized()

Get the end-user's decision on the authorization request.

public isClientAuthorized() : bool
Return values
bool

true if the end-user has decided to grant authorization to the client application. Otherwise, if the end-user has denied the authorization request, false should be returned.


        

        
    




    

    

                                

                

                            
    

        On this page

        
    


                

                            

            

    

        

            
Search results