AuthorizationRequestHandlerSpi
extends
UserClaimProvider
in
The base interface for Service Provider Interfaces for authorization request handlers.
This interface defines common methods inherited by NoInteractionHandlerSpi
and AuthorizationRequestDecisionHandlerSpi
interfaces.
Table of Contents
Methods
- getAcr() : string
- Get the authentication context class reference (ACR) that was satisfied when the end-user was authenticated.
- getProperties() : array<string|int, Property>
- Get arbitrary key-value pairs to be associated with an access token and/or an authorization code.
- getScopes() : array<string|int, string>
- Get the scopes to be associated with an access token and/or an authorization code.
- getSub() : string
- Get the value of the "sub" claim that will be embedded in an ID token.
- getUserAuthenticatedAt() : int
- Get the time when the end-user was authenticated.
- getUserClaimValue() : mixed
- Get the value of a claim of the user.
- getUserSubject() : string
- Get the subject (= unique identifier) of the end-user.
Methods
getAcr()
Get the authentication context class reference (ACR) that was satisfied when the end-user was authenticated.
public
getAcr() : string
The value returned from this method has an important meaning only when
the "acr"
claim is requested as an essential claim. See
5.5.1.1. Requesting the acr Claim
of OpenID Connect Core 1.0
for details.
Return values
string —The ACR that was satisfied when the end-user was authenticated. If
your system does not recognize ACR, null
should be returned.
getProperties()
Get arbitrary key-value pairs to be associated with an access token and/or an authorization code.
public
getProperties() : array<string|int, Property>
Properties returned from this method will appear as top-level entries (unless they are marked as hidden) in a JSON response from the authorization server as shown in 5.1. Successful Response of RFC 6749.
Keys listed below should not be used and they would be ignored on Authlete side even if they were used. It is because they are reserved in RFC 6749 and OpenID Connect Core 1.0.
-
access_token
-
token_type
-
expires_in
-
refresh_token
-
scope
-
error
-
error_description
-
error_uri
-
id_token
Note that there is an upper limit on the total size of properties. On Authlete side, the properties will be (1) converted to a multidimensional string array, (2) converted to JSON, (3) encrypted by AES/CBC/PKCS5Padding, (4) encoded by base64url, and then stored into the database. The length of the resultant string must not exceed 65,535 in bytes. This is the upper limit, but we think it is big enough.
Return values
array<string|int, Property> —Arbitrary key-value pairs to be associated with an access token.
getScopes()
Get the scopes to be associated with an access token and/or an authorization code.
public
getScopes() : array<string|int, string>
If null
is returned, the scopes specified in the original
authorization request from the client application are used. In other
cases, the specified scopes by this method will replace the original
scopes.
Even scopes that are not included in the original authorization request
can be specified. However, as an exception, the openid
scope is
ignored on Authlete server side if it is not included in the original
request. It is because the existence of the openid
scope considerably
changes the validation steps and because adding openid
triggers
generation of an ID token (although the client application has not
requested it) and the behavior is a major violation against the
specification.
If you add the offline_access
scope although it is not included in
the original request, keep in mind that the specification requires
explicit consent from the end-user for the scope
(11. Offline Access
of OpenID Connect Core 1.0).
When offline_access
is included in the original authorization request,
the current implementation of Authlete's /api/auth/authorization
API
checks whether the authorization request has come along with the
prompt
request parameter and its value includes consent
. However,
note that the implementation of Authlete's /api/auth/authorization/issue
API does not perform the same validation even if the offline_access
scope is newly added via this scopes
parameter.
Return values
array<string|int, string> —Scopes which replace the scopes of the original authorization
request. If null
is returned, the scopes will not be replaced.
getSub()
Get the value of the "sub" claim that will be embedded in an ID token.
public
getSub() : string
If this method returns null
, the value returned from getUserSubject()
will be used.
The main purpose of this method is to hide the actual value of the subject from client applications.
Return values
string —The value of the "sub"
claim.
getUserAuthenticatedAt()
Get the time when the end-user was authenticated.
public
getUserAuthenticatedAt() : int
Return values
int —The time when the current end-user was authenticated. The number of seconds since the Unix epoch (1970-Jan-1). 0 means that the time is unknown.
getUserClaimValue()
Get the value of a claim of the user.
public
getUserClaimValue(string $subject, string $claimName, string $languageTag) : mixed
This method may be called multiple times.
The value returned from this method must be able to be processed by
json_encode()
. In most cases, a string, a boolean value or an
integer should be returned. When $claimName
is "address"
, an
array which conforms to the format defined in
5.1.1. Address Claim
of OpenID Connect Core 1.0
should be returned. For example,
return array(
'country' => 'Japan',
'region' => 'Tokyo'
);
\Authlete\Dto\Address class can be used to generate an array that conforms to the specification.
// Create an instance of Address class and set property values.
$address = new Address();
$address->setCountry('Japan')->setRegion('Tokyo');
// Convert the Address instance into an array.
$array = $address->toArray();
Parameters
- $subject : string
-
The subject (= unique identifier) of a user.
- $claimName : string
-
A claim name such as
"name"
and"family_name"
. Standard claim names are listed in 5.1. Standard Claims of OpenID Connect Core 1.0. Constanct values that represent the standard claims are listed in \Authlete\Types\StandardClaims class. Note that the value of this argument ($claimName
) does NOT contain a language tag. - $languageTag : string
-
A language tag such as
"en"
and"ja"
. Implementations of this method should take this into consideration if possible. See 5.2. Claims Languages and Scripts of OpenID Connect Core 1.0 for details.
Return values
mixed —The value of the claim. null
if the value is not available.
The returned value must be able to be processed by json_encode()
.
getUserSubject()
Get the subject (= unique identifier) of the end-user.
public
getUserSubject() : string
It must consist of only ASCII letters and its length must not exceed 100.
Return values
string —The subject of the end-user.