BackchannelAuthenticationResponse extends ApiResponse
Response from Authlete's /api/backchannel/authentication API.
Authlete's `/api/backchannel/authentication` API returns JSON which can be mapped to this class. The authorization server implementation should retrieve the value of the `action` response parameter (which can be obtained by the `getAction()` method) from the response and take the following steps according to the value.
When the value returned from the `getAction()` method is `BackchannelAuthenticationAction::$BAD_REQUEST`, it means that the backchannel authentication request from the client application was wrong.
The authorization server implementation should generate a response to the client application with `400 Bad Request` and `application/json`.
The `getResponseContent()` method returns a JSON string which describes the error, so it can be used as the entity body of the response.
The following illustrates the response which the authorization server implementation should generate and return to the client application.
```
HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

(The value returned from getResponseContent())
```
When the value returned from the `getAction()` method is `BackchannelAuthenticationAction::$UNAUTHORIZED`, it means that client authentication of the backchannel authentication request failed. Note that client authentication is always required at the backchannel authentication endpoint. This implies that public clients are not allowed to use the backchannel authentication endpoint.
The authorization server implementation should generate a response to the client application with `401 Unauthorized` and `application/json`.
The `getResponseContent()` method returns a JSON string which describes the error, so it can be used as the entity body of the response.
The following illustrates the response which the authorization server implementation should generate and return to the client application.
```
HTTP/1.1 401 Unauthorized
WWW-Authenticate: (challenge)
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

(The value returned from getResponseContent())
```
When the value returned from the `getAction()` method is `BackchannelAuthenticationAction::$INTERNAL_SERVER_ERROR`, it means that the API call from the authorization server implementation was wrong or that an error occurred in Authlete.
In either case, from a viewpoint of the client application, it is an error on the server side. Therefore, the authorization server implementation should generate a response to the client application with `500 Internal Server Error` and `application/json`.
The `getResponseContent()` method returns a JSON string which describes the error, so it can be used as the entity body of the response.
The following illustrates the response which the authorization server implementation should generate and return to the client application.
```
HTTP/1.1 500 Internal Server Error
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

(The value returned from getResponseContent())
```
When the value returned from the `getAction()` method is `BackchannelAuthenticationAction::$USER_IDENTIFICATION`, it means that the backchannel authentication request from the client application is valid. The authorization server implementation has to follow the steps below.
+ **[END-USER IDENTIFICATION]**
The first step is to determine the subject (= unique identifier) of the end-user from whom the client application wants to get authorization.
According to the CIBA specification, a backchannel authentication request contains one (and only one) of the `login_hint_token`, `id_token_hint` and `login_hint` request parameters as a hint by which the authorization server identifies the subject of an end-user.
The authorization server implementation can know which hint is included in the backchannel authentication request by calling the `getHintType()` method. The method returns a `UserIdentificationHintType` instance that indicates which hint is included. For example, when the method returns `UserIdentificationHintType::$LOGIN_HINT`, it means that the backchannel authentication request contains the `login_hint` request parameter as a hint.
The `getHint()` method returns the value of the hint. For example, when the `getHintType()` method returns `LOGIN_HINT`, the `getHint()` method returns the value of the `login_hint` request parameter.
It is up to the authorization server implementation how to determine the subject of the end-user from the hint. There is little Authlete can help with here. The only thing Authlete can do is to let the `getSub()` method return the value of the `sub` claim in the `id_token_hint` request parameter when the request parameter is used.
+ **[END-USER IDENTIFICATION ERROR]**
There are some cases where the authorization server implementation
encounters an error during the user identification process. In any error
case, the authorization server implementation has to return an HTTP
response with the `error` response parameter to the client application.
The following is an example of such error responses.
```
HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{"error":"unknown_user_id"}
```
Authlete provides `/api/backchannel/authentication/fail` API that builds
the response body (JSON) of an error response. However, because it is
easy to build an error response manually, you may choose not to call the
API. One good thing in using the API is that the API call can trigger
deletion of the ticket which has been issued from Authlete's
`/api/backchannel/authentication` API. If you don't call
`/api/backchannel/authentication/fail` API, the ticket will continue to
exist in the database until it is cleaned up by the batch program after
the ticket expires.
Possible error cases that the authorization server implementation itself
has to handle are as follows. Other error cases have already been
covered by `/api/backchannel/authentication` API.
1. `expired_login_hint_token`:
The authorization server implementation detected that the hint
presented by the `login_hint_token` request parameter has expired.
Note that the format of `login_hint_token` is not described in the
CIBA Core spec at all and so there is no consensus on how to detect
expiration of `login_hint_token`. Interpretation of
`login_hint_token` is left to each authorization server
implementation.
2. `unknown_user_id`:
The authorization server implementation could not determine the
subject of the end-user by the presented hint.
3. `unauthorized_client`:
The authorization server implementation has custom rules to reject
backchannel authentication requests from some particular clients and
found that the client which has made the backchannel authentication
request is one of the particular clients.
Note that `/api/backchannel/authentication` API does not return
`"action":"USER_IDENTIFICATION"` in cases where the client does not
exist or client authentication has failed. Therefore, the
authorization server implementation will never have to use the error
code `unauthorized_client` unless the server has intentionally
implemented custom rules to reject backchannel authentication
requests based on clients.
4. `missing_user_code`:
The authorization server implementation has custom rules to require
that a backchannel authentication request include a user code for
some particular users and found that the user identified by the hint
is one of the particular users.
Note that `/api/backchannel/authentication` API does not return
`"action":"USER_IDENTIFICATION"` when both the
`backchannel_user_code_parameter_supported` metadata of the server
and the `backchannel_user_code_parameter` metadata of the client are
`true` and the backchannel authentication request does not include
the `user_code` request parameter. In this case,
`/api/backchannel/authentication` API returns
`"action":"BAD_REQUEST"` with JSON containing
`"error":"missing_user_code"`. Therefore, the authorization server
implementation will never have to use the error code
`missing_user_code` unless the server has intentionally implemented
custom rules to require a user code based on users even in the case
where the `backchannel_user_code_parameter` metadata of the client
which has made the backchannel authentication request is `false`.
5. `invalid_user_code`:
The authorization server implementation detected that the presented
user code is invalid.
Note that the format of `user_code` is not described in the CIBA
Core spec at all and so there is no consensus on how to judge
whether a user code is valid or not. It is up to each authorization
server implementation how to handle user codes.
6. `invalid_binding_message`:
The authorization server implementation detected that the presented
binding message is invalid.
Note that the format of `binding_message` is not described in the
CIBA Core spec at all and so there is no consensus on how to judge
whether a binding message is valid or not. It is up to each
authorization server implementation how to handle binding messages.
7. `invalid_target`:
The authorization server implementation rejects the requested target
resources.
The error code `invalid_target` is from RFC 8707 (Resource
Indicators for OAuth 2.0). The specification defines the `resource`
request parameter. By using the parameter, client applications can
request target resources that should be bound to the access token
being issued. If the authorization server wants to reject the
request, call `/api/backchannel/authentication/fail` API with
`INVALID_TARGET`.
Note that RFC 8707 is supported since Authlete 2.2. Older versions
don't recognize the `resource` request parameter, so
`getResources()` always returns null if the Authlete server you are
using is older than 2.2.
8. `access_denied`:
The authorization server implementation has custom rules to reject
backchannel authentication requests without asking the end-user and
respond to the client as if the end-user had rejected the request in
some particular cases and found that the backchannel authentication
request is one of the particular cases.
The authorization server implementation will never have to use the
error code `access_denied` at this timing unless the server has
intentionally implemented custom rules to reject backchannel
authentication requests without asking the end-user and respond to
the client as if the end-user had rejected the request.
+ **[AUTH_REQ_ID ISSUE]**
If the authorization server implementation has successfully determined
the subject of the end-user, the next action is to return an HTTP
response to the client application which contains `auth_req_id`.
Authlete provides `/api/backchannel/authentication/issue` API which
generates a JSON containing `auth_req_id`, so, your next action is (1)
call the API, (2) receive the response from the API, (3) build a
response to the client application using the content of the API
response, and (4) return the response to the client application. See the
description of `/api/backchannel/authentication/issue` API for details.
+ **[END-USER AUTHENTICATION AND AUTHORIZATION]**
After sending a JSON containing `auth_req_id` back to the client
application, the authorization server implementation starts to
communicate with an authentication device of the end-user. It is assumed
that end-user authentication is performed on the authentication device
and the end-user confirms the content of the backchannel authentication
request and grants authorization to the client application if everything
is okay. The authorization server implementation must be able to receive
the result of the end-user authentication and authorization from the
authentication device.
How to communicate with an authentication device and achieve end-user
authentication and authorization is up to each authorization server
implementation, but the following request parameters of the backchannel
authentication request should be taken into consideration in any
implementation.
1. `acr_values`:
A backchannel authentication request may contain an array of ACRs
(Authentication Context Class References) in preference order. If
multiple authentication devices are registered for the end-user,
the authorization server implementation should take the ACRs into
consideration when selecting the best authentication device.
2. `scope`:
A backchannel authentication request always contains a list of
scopes. At least, `openid` is included in the list (otherwise
`/api/backchannel/authentication` API returns
`"action":"BAD_REQUEST"`). It would be better to show the requested
scopes to the end-user on the authentication device or somewhere
appropriate.
If the `scope` request parameter contains `address`, `email`,
`phone` and/or `profile`, they are interpreted as defined in
"5.4. Requesting Claims using Scope Values" of OpenID Connect Core
1.0. That is, they are expanded into a list of claim names.
The `getClaimNames()` method returns the expanded result.
3. `binding_message`:
A backchannel authentication request may contain a binding message.
It is a human readable identifier or message intended to be
displayed on both the consumption device (client application) and
the authentication device.
4. `user_code`:
A backchannel authentication request may contain a user code.
It is a secret code, such as password or pin, known only to the
end-user but verifiable by the authorization server. The user code
should be used to authorize sending a request to the authentication
device.
+ **[END-USER AUTHENTICATION AND AUTHORIZATION COMPLETION]**
After receiving the result of end-user authentication and authorization,
the authorization server implementation must call Authlete's
`/api/backchannel/authentication/complete` API to tell Authlete the
result and pass necessary data so that Authlete can generate an ID
token, an access token and optionally a refresh token. See the
description of the API for details.
+ **[CLIENT NOTIFICATION]**
When the backchannel token delivery mode is either "ping" or "push", the
authorization server implementation must send a notification to the
pre-registered notification endpoint of the client after the end-user
authentication and authorization. In this case, the `getAction()` method of
`BackchannelAuthenticationCompleteResponse` (a response from
`/api/backchannel/authentication/complete` API) returns `NOTIFICATION`.
See the description of `/api/backchannel/authentication/complete` API
for details.
+ **[TOKEN REQUEST]**
When the backchannel token delivery mode is either "ping" or "poll", the
client application will make a token request to the token endpoint to
get an ID token, an access token and optionally a refresh token.
A token request that corresponds to a backchannel authentication request
uses `urn:openid:params:grant-type:ciba` as the value of the
`grant_type` request parameter. Authlete's `/api/auth/token` API
recognizes the grant type automatically and behaves properly, so the
existing token endpoint implementation does not have to be changed to
support CIBA.
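The end-user identification step and the error cases listed above, sketched as an added PHP example (not part of the Authlete library or its documentation). The user store, the HMAC-signed `login_hint_token` format, the per-user user-code rule and the binding-message limit are all assumptions; the arguments stand for the values that `getHintType()` (as a name), `getHint()`, `getSub()`, `getUserCode()` and `getBindingMessage()` would supply.

```php
<?php
declare(strict_types=1);

// Decode base64url text (the encoding assumed for the demo login_hint_token).
function b64urlDecode(string $s): string|false
{
    $s = strtr($s, '-_', '+/');
    return base64_decode(str_pad($s, strlen($s) + (4 - strlen($s) % 4) % 4, '='), true);
}

// Build a demo login_hint_token: base64url(JSON claims) "." base64url(HMAC-SHA256).
// Assumed format; CIBA Core leaves login_hint_token to each implementation.
function makeHintToken(array $claims, string $key): string
{
    $enc = fn(string $b): string => rtrim(strtr(base64_encode($b), '+/', '-_'), '=');
    $payload = $enc(json_encode($claims));
    return $payload . '.' . $enc(hash_hmac('sha256', $payload, $key, true));
}

/**
 * Decide the subject, or the CIBA error code, for a request whose action is
 * USER_IDENTIFICATION.
 *
 * @return array{sub?: string, error?: string}
 */
function identifyEndUser(string $hintType, string $hint, ?string $idTokenSub,
    ?string $userCode, ?string $bindingMessage, array $users, string $key, int $now): array
{
    $sub = null;
    if ($hintType === 'ID_TOKEN_HINT') {
        $sub = $idTokenSub;                        // value from getSub()
    } elseif ($hintType === 'LOGIN_HINT') {
        foreach ($users as $id => $user) {         // hint is a login name here
            if ($user['login'] === $hint) { $sub = $id; break; }
        }
    } elseif ($hintType === 'LOGIN_HINT_TOKEN') {
        $parts = explode('.', $hint);
        if (count($parts) !== 2) { return ['error' => 'unknown_user_id']; }
        $mac = b64urlDecode($parts[1]);
        $expected = hash_hmac('sha256', $parts[0], $key, true);
        // Check the MAC in constant time before trusting any claim in the hint.
        if ($mac === false || !hash_equals($expected, $mac)) {
            return ['error' => 'unknown_user_id'];
        }
        $claims = json_decode((string) b64urlDecode($parts[0]), true);
        if (!is_array($claims) || !is_int($claims['exp'] ?? null)) {
            return ['error' => 'unknown_user_id'];
        }
        if ($claims['exp'] <= $now) { return ['error' => 'expired_login_hint_token']; }
        $sub = is_string($claims['sub'] ?? null) ? $claims['sub'] : null;
    }
    if ($sub === null || !isset($users[$sub])) {
        return ['error' => 'unknown_user_id'];
    }

    // Custom per-user rule (assumption): users with a stored code must present it.
    $hash = $users[$sub]['code_hash'];
    if ($hash !== null) {
        if ($userCode === null || $userCode === '') { return ['error' => 'missing_user_code']; }
        if (!password_verify($userCode, $hash)) { return ['error' => 'invalid_user_code']; }
    }

    // Assumed policy: 1 to 64 printable ASCII characters, since the message is
    // shown to the end-user on the authentication device.
    if ($bindingMessage !== null
        && preg_match('/\A[\x20-\x7E]{1,64}\z/', $bindingMessage) !== 1) {
        return ['error' => 'invalid_binding_message'];
    }
    return ['sub' => $sub];
}

// --- Constructed demo data (not real users, keys or tokens) ---
$key   = 'demo-hmac-key';
$now   = 1700000000;
$users = [
    'u-1001' => ['login' => 'alice@example.com', 'code_hash' => password_hash('4921', PASSWORD_DEFAULT)],
    'u-1002' => ['login' => 'bob@example.com',   'code_hash' => null],
];
$expired = makeHintToken(['sub' => 'u-1002', 'exp' => $now - 60], $key);
$badMac  = makeHintToken(['sub' => 'u-1002', 'exp' => $now + 300], 'some-other-key');
$cases = [
    'login_hint, user code missing'  => ['LOGIN_HINT', 'alice@example.com', null, null, 'TX-4821'],
    'login_hint, wrong user code'    => ['LOGIN_HINT', 'alice@example.com', null, '0000', 'TX-4821'],
    'login_hint, correct user code'  => ['LOGIN_HINT', 'alice@example.com', null, '4921', 'TX-4821'],
    'id_token_hint'                  => ['ID_TOKEN_HINT', '(raw ID token)', 'u-1002', null, null],
    'login_hint, no such user'       => ['LOGIN_HINT', 'nobody@example.com', null, null, null],
    'login_hint_token, expired'      => ['LOGIN_HINT_TOKEN', $expired, null, null, null],
    'login_hint_token, MAC mismatch' => ['LOGIN_HINT_TOKEN', $badMac, null, null, null],
    'binding message with CR/LF'     => ['LOGIN_HINT', 'bob@example.com', null, null, "TX\r\n4821"],
];
foreach ($cases as $label => [$type, $hint, $sub, $code, $msg]) {
    $result = identifyEndUser($type, $hint, $sub, $code, $msg, $users, $key, $now);
    echo str_pad($label, 34), json_encode($result), PHP_EOL;
}
```

An `error` result is the value for the `error` response parameter (or the reason reported through `/api/backchannel/authentication/fail`, which also deletes the ticket); a `sub` result is the point at which `/api/backchannel/authentication/issue` is called.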
Table of Contents
- copyFromArray() : mixed
- Copy the content of the given array into this object.
- copyToArray() : mixed
- Copy the content of this object into the given array.
- fromArray() : static
- Convert an array into an instance of this class.
- fromJson() : static
- Convert a JSON string into an instance of this class.
- getAcrs() : array<string|int, string>
- Get the list of ACR values requested by the backchannel authentication request.
- getAction() : BackchannelAuthenticationAction
- Get the next action that the implementation of the backchannel authentication endpoint should take.
- getBindingMessage() : string
- Get the binding message included in the backchannel authentication request. It is the value of the `binding_message` request parameter.
- getClaimNames() : array<string|int, string>
- Get the names of the claims which were requested indirectly via some special scopes. See [5.4. Requesting Claims using Scope Values](https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) in [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) for details.
- getClientId() : int|string
- Get the client ID of the client application that has made the backchannel authentication request.
- getClientIdAlias() : string
- Get the client ID alias of the client application that has made the backchannel authentication request.
- getClientName() : string
- Get the name of the client application which has made the backchannel authentication request.
- getClientNotificationToken() : string
- Get the client notification token included in the backchannel authentication request. It is the value of the `client_notification_token` request parameter.
- getDeliveryMode() : DeliveryMode
- Get the backchannel token delivery mode of the client application.
- getHint() : string
- Get the value of the hint for end-user identification.
- getHintType() : DeliveryMode
- Get the type of the hint for end-user identification which was included in the backchannel authentication request.
- getRequestContext() : string
- Get the request context of the backchannel authentication request. It is the value of the `request_context` claim in the signed authentication request and its format is JSON. `request_context` is a new claim added by the FAPI-CIBA profile.
- getRequestedExpiry() : int
- Get the requested expiry for the authentication request ID (`auth_req_id`). It is the value of the `requested_expiry` request parameter.
- getResources() : array<string|int, string>
- Get the resources specified by the `resource` request parameters or by the `resource` property in the request object. If both are given, the values in the request object take precedence.
- getResponseContent() : string
- Get the content that can be used to generate a response to the client application.
- getResultCode() : string
- Get the code of the result of an Authlete API call.
- getResultMessage() : string
- Get the message of the result of an Authlete API call.
- getScopes() : array<string|int, Scope>
- Get the scopes requested by the backchannel authentication request.
- getSub() : string
- Get the value of the `sub` claim contained in the ID token hint included in the backchannel authentication request.
- getTicket() : string
- Get the ticket that is necessary for the implementation of the backchannel authentication endpoint to call `/api/backchannel/authentication/*` API.
- getUserCode() : string
- Get the user code included in the backchannel authentication request.
- getWarnings() : array<string|int, string>
- Get the warnings raised during processing the backchannel authentication request.
- isClientIdAliasUsed() : bool
- Get the flag which indicates whether the client ID alias was used in the backchannel authentication request.
- isUserCodeRequired() : bool
- Get the flag which indicates whether a user code is required.
- setAcrs() : BackchannelAuthenticationResponse
- Set the list of ACR values requested by the backchannel authentication request.
- setAction() : BackchannelAuthenticationResponse
- Set the next action that the implementation of the backchannel authentication endpoint should take.
- setBindingMessage() : BackchannelAuthenticationResponse
- Set the binding message included in the backchannel authentication request. It is the value of the `binding_message` request parameter.
- setClaimNames() : BackchannelAuthenticationResponse
- Set the names of the claims which were requested indirectly via some special scopes.
- setClientId() : BackchannelAuthenticationResponse
- Set the client ID of the client application that has made the backchannel authentication request.
- setClientIdAlias() : BackchannelAuthenticationResponse
- Set the client ID alias of the client application that has made the backchannel authentication request.
- setClientIdAliasUsed() : BackchannelAuthenticationResponse
- Set the flag which indicates whether the client ID alias was used in the backchannel authentication request.
- setClientName() : BackchannelAuthenticationResponse
- Set the name of the client application which has made the backchannel authentication request.
- setClientNotificationToken() : BackchannelAuthenticationResponse
- Set the client notification token included in the backchannel authentication request. It is the value of the `client_notification_token` request parameter.
- setDeliveryMode() : BackchannelAuthenticationResponse
- Set the backchannel token delivery mode of the client application.
- setHint() : BackchannelAuthenticationResponse
- Set the value of the hint for end-user identification.
- setHintType() : BackchannelAuthenticationResponse
- Set the type of the hint for end-user identification which was included in the backchannel authentication request.
- setRequestContext() : BackchannelAuthenticationResponse
- Set the request context of the backchannel authentication request. It is the value of the `request_context` claim in the signed authentication request and its format is JSON. `request_context` is a new claim added by the FAPI-CIBA profile.
- setRequestedExpiry() : BackchannelAuthenticationResponse
- Set the requested expiry for the authentication request ID (`auth_req_id`). It is the value of the `requested_expiry` request parameter.
- setResources() : BackchannelAuthenticationResponse
- Set the resources specified by the `resource` request parameters or by the `resource` property in the request object. If both are given, the values in the request object take precedence.
- setResponseContent() : BackchannelAuthenticationResponse
- Set the content that can be used to generate a response to the client application.
- setResultCode() : ApiResponse
- Set the code of the result of an Authlete API call.
- setResultMessage() : ApiResponse
- Set the message of the result of an Authlete API call.
- setScopes() : BackchannelAuthenticationResponse
- Set the scopes requested by the backchannel authentication request.
- setSub() : BackchannelAuthenticationResponse
- Set the value of the `sub` claim contained in the ID token hint included in the backchannel authentication request.
- setTicket() : BackchannelAuthenticationResponse
- Set the ticket that is necessary for the implementation of the backchannel authentication endpoint to call `/api/backchannel/authentication/*` API.
- setUserCode() : BackchannelAuthenticationResponse
- Set the user code included in the backchannel authentication request.
- setUserCodeRequired() : BackchannelAuthenticationResponse
- Set the flag which indicates whether a user code is required.
- setWarnings() : BackchannelAuthenticationResponse
- Set the warnings raised during processing the backchannel authentication request.
- toArray() : array<string|int, mixed>
- Convert this object into an array.
- toJson() : string
- Convert this object into a JSON string.
Methods
copyFromArray()
Copy the content of the given array into this object.
public
copyFromArray(array<string|int, mixed> &$array) : mixed
Parameters
- $array : array<string|int, mixed>
Return values
mixed
copyToArray()
Copy the content of this object into the given array.
public
copyToArray(array<string|int, mixed> &$array) : mixed
Parameters
- $array : array<string|int, mixed>
Return values
mixed
fromArray()
Convert an array into an instance of this class.
public
static fromArray([array<string|int, mixed> $array = null ]) : static
This static function returns a new instance of this class.
If `$array` is `null`, `null` is returned.
Parameters
- $array : array<string|int, mixed> = null
  An array
Return values
static —An instance of this class.
fromJson()
Convert a JSON string into an instance of this class.
public
static fromJson(string $json) : static
This static function returns a new instance of this class.
If `$json` is `null` or the type of `$json` is not `string`, `null` is returned.
Parameters
- $json : string
  A JSON string.
Return values
static —An instance of this class.
getAcrs()
Get the list of ACR values requested by the backchannel authentication request.
public
getAcrs() : array<string|int, string>
Basically, this method returns the value of the `acr_values` request parameter in the backchannel authentication request. However, because unsupported ACR values are dropped on Authlete side, if the `acr_values` request parameter contains unrecognized ACR values, the list returned by this method becomes different from the value of the `acr_values` request parameter.
Return values
array<string|int, string> —The list of requested ACR values.
getAction()
Get the next action that the implementation of the backchannel authentication endpoint should take.
public
getAction() : BackchannelAuthenticationAction
Return values
BackchannelAuthenticationAction —The next action.
getBindingMessage()
Get the binding message included in the backchannel authentication request. It is the value of the `binding_message` request parameter.
public
getBindingMessage() : string
Return values
string —The binding message.
getClaimNames()
Get the names of the claims which were requested indirectly via some special scopes. See [5.4. Requesting Claims using Scope Values](https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) in [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) for details.
public
getClaimNames() : array<string|int, string>
Return values
array<string|int, string> —The names of the requested claims.
getClientId()
Get the client ID of the client application that has made the backchannel authentication request.
public
getClientId() : int|string
Return values
int|string —The client ID.
getClientIdAlias()
Get the client ID alias of the client application that has made the backchannel authentication request.
public
getClientIdAlias() : string
Return values
string —The client ID alias.
getClientName()
Get the name of the client application which has made the backchannel authentication request.
public
getClientName() : string
Return values
string —The name of the client application.
getClientNotificationToken()
Get the client notification token included in the backchannel authentication request. It is the value of the `client_notification_token` request parameter.
public
getClientNotificationToken() : string
When the backchannel token delivery mode is "ping" or "push", the backchannel authentication request must include a client notification token.
Return values
string —The client notification token.
getDeliveryMode()
Get the backchannel token delivery mode of the client application.
public
getDeliveryMode() : DeliveryMode
Return values
DeliveryMode —The backchannel token delivery mode.
getHint()
Get the value of the hint for end-user identification.
public
getHint() : string
When `getHintType()` returns `UserIdentificationHintType::$ID_TOKEN_HINT`, this method returns the value of the `id_token_hint` request parameter. Likewise, this method returns the value of the `login_hint` request parameter when `getHintType()` returns `UserIdentificationHintType::$LOGIN_HINT`, or returns the value of the `login_hint_token` request parameter when `getHintType()` returns `UserIdentificationHintType::$LOGIN_HINT_TOKEN`.
Return values
string —The value of the hint for end-user identification.
getHintType()
Get the type of the hint for end-user identification which was included in the backchannel authentication request.
public
getHintType() : DeliveryMode
When the backchannel authentication request contains `id_token_hint`, this method returns `UserIdentificationHintType::$ID_TOKEN_HINT`. Likewise, this method returns `UserIdentificationHintType::$LOGIN_HINT` when the request contains `login_hint`, or returns `UserIdentificationHintType::$LOGIN_HINT_TOKEN` when the request contains `login_hint_token`.
Note that a backchannel authentication request must include one and only one hint among `id_token_hint`, `login_hint` and `login_hint_token`.
Return values
DeliveryMode —The type of the hint for end-user identification.
getRequestContext()
Get the request context of the backchannel authentication request. It is the value of the `request_context` claim in the signed authentication request and its format is JSON. `request_context` is a new claim added by the FAPI-CIBA profile.
public
getRequestContext() : string
This method returns null if the backchannel authentication request does not include a `request` request parameter or the JWT specified by the request parameter does not include a `request_context` claim.
Return values
string —The request context in JSON format.
getRequestedExpiry()
Get the requested expiry for the authentication request ID (`auth_req_id`). It is the value of the `requested_expiry` request parameter.
public
getRequestedExpiry() : int
Return values
int —The requested expiry in seconds.
getResources()
Get the resources specified by the `resource` request parameters or by the `resource` property in the request object. If both are given, the values in the request object take precedence.
public
getResources() : array<string|int, string>
Return values
array<string|int, string> —The target resources.
getResponseContent()
Get the content that can be used to generate a response to the client application.
public
getResponseContent() : string
When this method returns a non-null value, it is JSON containing error information. When `getAction()` returns `USER_IDENTIFICATION`, this method returns null.
Return values
string —The content of a response to the client.
getResultCode()
Get the code of the result of an Authlete API call.
public
getResultCode() : string
Return values
string —The result code.
getResultMessage()
Get the message of the result of an Authlete API call.
public
getResultMessage() : string
Return values
string —The result message.
getScopes()
Get the scopes requested by the backchannel authentication request.
public
getScopes() : array<string|int, Scope>
Basically, this method returns the value of the `scope` request parameter in the backchannel authentication request. However, because unregistered scopes are dropped on Authlete side, if the `scope` request parameter contains unknown scopes, the list returned by this method becomes different from the value of the `scope` request parameter.
Note that `Scope.getDescription()` method and `Scope.getDescriptions()` method of each element (`Scope` instance) in the array returned from this method always return `null` even if descriptions of the scopes are registered.
Return values
array<string|int, Scope> —The requested scopes.
getSub()
Get the value of the `sub` claim contained in the ID token hint included in the backchannel authentication request.
public
getSub() : string
This method works only when the backchannel authentication request contains the `id_token_hint` request parameter.
Return values
string —The value of the `sub` claim contained in the ID token hint.
getTicket()
Get the ticket that is necessary for the implementation of the backchannel authentication endpoint to call `/api/backchannel/authentication/*` API.
public
getTicket() : string
Return values
string —The ticket issued from `/api/backchannel/authentication` API.
getUserCode()
Get the user code included in the backchannel authentication request.
public
getUserCode() : string
It is the value of the `user_code` request parameter.
Return values
string —The user code.
getWarnings()
Get the warnings raised during processing the backchannel authentication request.
public
getWarnings() : array<string|int, string>
Return values
array<string|int, string> —Warnings. This may be null.
isClientIdAliasUsed()
Get the flag which indicates whether the client ID alias was used in the backchannel authentication request.
public
isClientIdAliasUsed() : bool
Return values
bool —`true` if the client ID alias was used in the request.
isUserCodeRequired()
Get the flag which indicates whether a user code is required.
public
isUserCodeRequired() : bool
This method returns `true` when both the `backchannel_user_code_parameter` metadata of the client (`Client.bcUserCodeRequired` property) and the `backchannel_user_code_parameter_supported` metadata of the service (`Service.backchannelUserCodeParameterSupported` property) are `true`.
Return values
bool — `true` when a user code is required.
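One way an authorization server could act on `isUserCodeRequired()` and `getUserCode()`, as an added example that is not part of the Authlete library or this reference. `userCodeError()`, `$registeredUserCode` and the stand-in response object are hypothetical; `missing_user_code` and `invalid_user_code` are the error codes CIBA defines for these two cases.

```php
<?php
declare(strict_types=1);

/**
 * Decide how to treat the user code of a backchannel authentication request.
 *
 * $response          : object exposing isUserCodeRequired() and getUserCode().
 * $registeredUserCode: hypothetical; the code stored for the identified end-user.
 *
 * Returns null when processing may continue, or the CIBA error code to report.
 */
function userCodeError(object $response, ?string $registeredUserCode): ?string
{
    if (!$response->isUserCodeRequired()) {
        // Client metadata or service metadata is not true: nothing to check.
        return null;
    }

    $presented = $response->getUserCode();
    if ($presented === null || $presented === '') {
        return 'missing_user_code';
    }

    // hash_equals() compares in constant time, avoiding a timing side channel.
    if ($registeredUserCode === null
        || !hash_equals($registeredUserCode, $presented)) {
        return 'invalid_user_code';
    }

    return null;
}

// Constructed stand-in for the response, so the example runs without Authlete.
$sample = new class {
    public function isUserCodeRequired(): bool { return true; }
    public function getUserCode(): ?string { return '4567'; }
};

var_dump(userCodeError($sample, '4567'));
var_dump(userCodeError($sample, '9999'));
```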
setAcrs()
Set the list of ACR values requested by the backchannel authentication request.
public
setAcrs([array<string|int, string> $acrs = null ]) : BackchannelAuthenticationResponse
Parameters
- $acrs : array<string|int, string> = null
  The list of requested ACR values.
Return values
BackchannelAuthenticationResponse — `$this` object.
setAction()
Set the next action that the implementation of the backchannel authentication endpoint should take.
public
setAction([BackchannelAuthenticationAction $action = null ]) : BackchannelAuthenticationResponse
Parameters
- $action : BackchannelAuthenticationAction = null
  The next action.
Return values
BackchannelAuthenticationResponse — `$this` object.
setBindingMessage()
Set the binding message included in the backchannel authentication request. It is the value of the `binding_message` request parameter.
public
setBindingMessage(string $message) : BackchannelAuthenticationResponse
Parameters
- $message : string
  The binding message.
Return values
BackchannelAuthenticationResponse — `$this` object.
setClaimNames()
Set the names of the claims which were requested indirectly via some special scopes.
public
setClaimNames([array<string|int, string> $names = null ]) : BackchannelAuthenticationResponse
Parameters
- $names : array<string|int, string> = null
  The names of the requested claims.
Return values
BackchannelAuthenticationResponse — `$this` object.
setClientId()
Set the client ID of the client application that has made the backchannel authentication request.
public
setClientId(int|string $clientId) : BackchannelAuthenticationResponse
Parameters
- $clientId : int|string
  The client ID.
Return values
BackchannelAuthenticationResponse — `$this` object.
setClientIdAlias()
Set the client ID alias of the client application that has made the backchannel authentication request.
public
setClientIdAlias(string $alias) : BackchannelAuthenticationResponse
Parameters
- $alias : string
  The client ID alias.
Return values
BackchannelAuthenticationResponse — `$this` object.
setClientIdAliasUsed()
Set the flag which indicates whether the client ID alias was used in the backchannel authentication request.
public
setClientIdAliasUsed(bool $used) : BackchannelAuthenticationResponse
Parameters
- $used : bool
  `true` to indicate that the client ID alias was used in the request.
Return values
BackchannelAuthenticationResponse — `$this` object.
setClientName()
Set the name of the client application which has made the backchannel authentication request.
public
setClientName(string $name) : BackchannelAuthenticationResponse
Parameters
- $name : string
  The name of the client application.
Return values
BackchannelAuthenticationResponse — `$this` object.
setClientNotificationToken()
Set the client notification token included in the backchannel authentication request. It is the value of the `client_notification_token` request parameter.
public
setClientNotificationToken(string $token) : BackchannelAuthenticationResponse
When the backchannel token delivery mode is "ping" or "push", the backchannel authentication request must include a client notification token.
Parameters
- $token : string
  The client notification token.
Return values
BackchannelAuthenticationResponse — `$this` object.
setDeliveryMode()
Set the backchannel token delivery mode of the client application.
public
setDeliveryMode([DeliveryMode $mode = null ]) : BackchannelAuthenticationResponse
Parameters
- $mode : DeliveryMode = null
  The backchannel token delivery mode.
Return values
BackchannelAuthenticationResponse — `$this` object.
setHint()
Set the value of the hint for end-user identification.
public
setHint(string $hint) : BackchannelAuthenticationResponse
Parameters
- $hint : string
  The value of the hint for end-user identification.
Return values
BackchannelAuthenticationResponse — `$this` object.
setHintType()
Set the type of the hint for end-user identification which was included in the backchannel authentication request.
public
setHintType([UserIdentificationHintType $hintType = null ]) : BackchannelAuthenticationResponse
Parameters
- $hintType : UserIdentificationHintType = null
  The type of the hint for end-user identification.
Return values
BackchannelAuthenticationResponse — `$this` object.
setRequestContext()
Set the request context of the backchannel authentication request. It is the value of the `request_context` claim in the signed authentication request and its format is JSON. `request_context` is a new claim added by the FAPI-CIBA profile.
public
setRequestContext(string $context) : BackchannelAuthenticationResponse
Parameters
- $context : string
  The request context in JSON format.
Return values
BackchannelAuthenticationResponse — `$this` object.
setRequestedExpiry()
Set the requested expiry for the authentication request ID (`auth_req_id`). It is the value of the `requested_expiry` request parameter.
public
setRequestedExpiry(int $seconds) : BackchannelAuthenticationResponse
Parameters
- $seconds : int
  The requested expiry in seconds.
Return values
BackchannelAuthenticationResponse — `$this` object.
setResources()
Set the resources specified by the `resource` request parameters or by the `resource` property in the request object. If both are given, the values in the request object take precedence.
public
setResources([array<string|int, string> $resources = null ]) : BackchannelAuthenticationResponse
Parameters
- $resources : array<string|int, string> = null
  The target resources.
Return values
BackchannelAuthenticationResponse — `$this` object.
setResponseContent()
Set the content that can be used to generate a response to the client application.
public
setResponseContent(string $responseContent) : BackchannelAuthenticationResponse
Parameters
- $responseContent : string
  The content of a response to the client.
Return values
BackchannelAuthenticationResponse — `$this` object.
setResultCode()
Set the code of the result of an Authlete API call.
public
setResultCode(string $resultCode) : ApiResponse
Parameters
- $resultCode : string
  The result code.
Return values
ApiResponse — `$this` object.
setResultMessage()
Set the message of the result of an Authlete API call.
public
setResultMessage(string $resultMessage) : ApiResponse
Parameters
- $resultMessage : string
  The result message.
Return values
ApiResponse — `$this` object.
setScopes()
Set the scopes requested by the backchannel authentication request.
public
setScopes([array<string|int, Scope> $scopes = null ]) : BackchannelAuthenticationResponse
Parameters
- $scopes : array<string|int, Scope> = null
  The requested scopes.
Return values
BackchannelAuthenticationResponse — `$this` object.
setSub()
Set the value of the `sub` claim contained in the ID token hint included in the backchannel authentication request.
public
setSub(string $sub) : BackchannelAuthenticationResponse
Parameters
- $sub : string
  The value of the `sub` claim contained in the ID token hint.
Return values
BackchannelAuthenticationResponse — `$this` object.
setTicket()
Set the ticket that is necessary for the implementation of the backchannel authentication endpoint to call `/api/backchannel/authentication/*` API.
public
setTicket(string $ticket) : BackchannelAuthenticationResponse
Parameters
- $ticket : string
  The ticket issued from `/api/backchannel/authentication` API.
Return values
BackchannelAuthenticationResponse — `$this` object.
setUserCode()
Set the user code included in the backchannel authentication request.
public
setUserCode(string $code) : BackchannelAuthenticationResponse
Parameters
- $code : string
  The user code.
Return values
BackchannelAuthenticationResponse — `$this` object.
setUserCodeRequired()
Set the flag which indicates whether a user code is required.
public
setUserCodeRequired(bool $required) : BackchannelAuthenticationResponse
Parameters
- $required : bool
  `true` to indicate that a user code is required.
Return values
BackchannelAuthenticationResponse — `$this` object.
setWarnings()
Set the warnings raised during processing the backchannel authentication request.
public
setWarnings([array<string|int, string> $warnings = null ]) : BackchannelAuthenticationResponse
Parameters
- $warnings : array<string|int, string> = null
  Warnings
Return values
BackchannelAuthenticationResponse — `$this` object.
toArray()
Convert this object into an array.
public
toArray() : array<string|int, mixed>
Return values
array<string|int, mixed> — An array.
toJson()
Convert this object into a JSON string.
public
toJson(int $options) : string
Parameters
- $options : int
  Options passed to `json_encode()`. This parameter is optional and its default value is 0.
Return values
string — A JSON string.