org.forgerock.oauth.clients.oidc

Class OpenIDConnectClient

java.lang.Object

org.forgerock.oauth.clients.oauth2.OAuth2Client<OpenIDConnectClientConfiguration>

org.forgerock.oauth.clients.oidc.OpenIDConnectClient

All Implemented Interfaces:

OAuthClient

public class OpenIDConnectClient
extends OAuth2Client<OpenIDConnectClientConfiguration>

OpenID Connect Client Implementation that supports the Authorization Code Grant Flow.

Field Summary

Fields

Modifier and Type	Field and Description
static String	ID_TOKEN ID Token value associated with the authenticated session.
static String	NONCE Opaque value used to mitigate replay attacks.
static String	SUB Subject identifier.

Fields inherited from class org.forgerock.oauth.clients.oauth2.OAuth2Client

ACCESS_TOKEN, addExpireTime, AUTHORIZATION_CODE, AUTHORIZATION_HEADER, BASIC_AUTH, BEARER_TOKEN, CLIENT_ID, CLIENT_SECRET, CODE, DATA, EXPIRE_TIME, EXPIRES_IN, GRANT_TYPE, HTTP_GET, HTTP_POST, httpHandler, LANDING_PAGE, PKCE_CODE_CHALLENGE, PKCE_CODE_CHALLENGE_METHOD, PKCE_CODE_VERIFIER, random, REDIRECT_URI, REFRESH_TOKEN, RESPONSE_TYPE, SCOPE, STATE, timeService

Constructor Summary

Constructors

Constructor and Description
OpenIDConnectClient(Handler httpHandler, OpenIDConnectClientConfiguration config, Clock clock, SecureRandom random) Constructs an OpenIDConnectClient using a provided Handler and OpenIDConnectClientConfiguration.
OpenIDConnectClient(Handler httpHandler, OpenIDConnectClientConfiguration config, TimeService timeService, SecureRandom random) Deprecated.

Method Summary

Modifier and Type	Method and Description
protected Form	buildQuery(String nonce) Creates the query that will be passed to the request.
protected URI	createAuthRedirectUri(String state, String nonce) Deprecated. Use OpenIDConnectClient.createAuthRedirectUri(String, String, String) and specify a PKCE challenge.
protected URI	createAuthRedirectUri(String state, String pkceChallenge, String nonce) Creates a URI that the user agent will be redirected to for authentication and authorization.
protected String	createNonce() Generates a nonce value.
protected UserInfo	createUserInfoFromIdTokenJwtClaims(JwtClaimsSet jwtClaims) Creates an OpenIDConnectUserInfo object from id_token jwt Claims.
Promise<URI,OAuthException>	getAuthRedirect(DataStore dataStore, String data, URI landingPage) Return the URI that the user agent should be redirected to, to authenticate and authorize access.
protected static String	getIdToken(DataStore dataStore) Retrieves an id token from the data store.
protected JwtClaimsSet	getJwtClaimsSet(String idToken) Retrieves the claims associated with an id token while enforcing authenticity.
protected static String	getNonce(JsonValue storedData) Returns the nonce value store in the data store.
Promise<? extends OAuth2SessionInfo,OAuthException>	getSessionInfo(DataStore dataStore) Validate whether an Auth Server session is still active and valid.
Promise<UserInfo,OAuthException>	getUserInfo(DataStore dataStore) Return the authenticated user's info from the external authentication server.
Promise<JsonValue,OAuthException>	handlePostAuth(DataStore dataStore, Map<String,List<String>> requestParameters) Handle the data produced by the Auth Server as a result of a successful authentication and return the final redirect to the landing page specified in the OAuthClient.getAuthRedirect(DataStore, String, URI) call.
static SignedJwt	idTokenAsSignedJwt(String idToken) Returns the id_token as a SignedJwt.
protected static JsonValue	jwtClaimsAsJsonValue(JwtClaimsSet jwtClaims) Returns the jwt claims as a JsonValue.
protected Function<JsonValue,UserInfo,OAuthException>	mapToUserInfo(JwtClaimsSet jwtClaims) Maps a retrieved raw profile from the user info endpoint to an OpenIDConnectUserInfo object.
protected Function<JsonValue,JsonValue,OAuthException>	validateNonce(JsonValue storedData) Validates the nonce.
protected Function<JsonValue,JsonValue,OAuthException>	validateSub(DataStore dataStore) Validates the sub Claim in the UserInfo Response is an exact match to the sub Claim in the ID Token.

Methods inherited from class org.forgerock.oauth.clients.oauth2.OAuth2Client

addClientIdAndSecret, createAuthorizationState, createAuthRedirectUri, createPkceVerifier, createPostAuthResponse, createRequestForTokenEndpoint, createRequestForTokenEndpoint, createRequestForTokenRefresh, createRequestForUserInfoEndpoint, getAccessToken, getConfig, getFirstValueOrNull, mapToJsonValue, mapToUserInfo, refresh, storeResponse

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

ID_TOKEN

public static final String ID_TOKEN

ID Token value associated with the authenticated session.

See Also:

Constant Field Values

NONCE

public static final String NONCE

Opaque value used to mitigate replay attacks.

See Also:

Constant Field Values

SUB

public static final String SUB

Subject identifier.

See Also:

Constant Field Values

Constructor Detail

OpenIDConnectClient

@Deprecated
public OpenIDConnectClient(Handler httpHandler,
                                       OpenIDConnectClientConfiguration config,
                                       TimeService timeService,
                                       SecureRandom random)

Deprecated.

Constructs an OpenIDConnectClient using a provided Handler and OpenIDConnectClientConfiguration.

Parameters:

httpHandler - Handler used to make Http calls to auth and resource servers.

config - configuration that will be used to drive oauth flow.

timeService - time service.

random - SecureRandom.

OpenIDConnectClient

public OpenIDConnectClient(Handler httpHandler,
                           OpenIDConnectClientConfiguration config,
                           Clock clock,
                           SecureRandom random)

Constructs an OpenIDConnectClient using a provided Handler and OpenIDConnectClientConfiguration.

Parameters:

httpHandler - Handler used to make Http calls to auth and resource servers.

config - configuration that will be used to drive oauth flow.

clock - Clock instance

random - SecureRandom.

Method Detail

getIdToken

protected static final String getIdToken(DataStore dataStore)
                                  throws OAuthException

Retrieves an id token from the data store.

Parameters:

dataStore - store where the id token is stored.

Returns:

the id token.

Throws:

OAuthException - if no id token is found in the JsonValue.

jwtClaimsAsJsonValue

protected static final JsonValue jwtClaimsAsJsonValue(JwtClaimsSet jwtClaims)
                                               throws OAuthException

Returns the jwt claims as a JsonValue.

Parameters:

jwtClaims - jwt claims.

Returns:

jwt claims as a JsonValue.

Throws:

OAuthException - when object mapper error converting jwt claims to Map.

idTokenAsSignedJwt

public static final SignedJwt idTokenAsSignedJwt(String idToken)
                                          throws OAuthException

Returns the id_token as a SignedJwt.

Parameters:

idToken - id_token to reconstruct as a SignedJwt.

Returns:

id_token as a SignedJwt.

Throws:

OAuthException - when error reconstructing jwtToken.

getNonce

protected static final String getNonce(JsonValue storedData)

Returns the nonce value store in the data store.

Parameters:

storedData - the stored authentication and authorization information.

Returns:

nonce

getAuthRedirect

public Promise<URI,OAuthException> getAuthRedirect(DataStore dataStore,
                                                   String data,
                                                   URI landingPage)

Description copied from interface: OAuthClient

Return the URI that the user agent should be redirected to, to authenticate and authorize access.

Specified by:

getAuthRedirect in interface OAuthClient

Overrides:

getAuthRedirect in class OAuth2Client<OpenIDConnectClientConfiguration>

Parameters:

dataStore - The data store that contains information about the OAuth interaction.

data - A value which will be stored in the data store to be returned as part of the final landing page redirect response, this MUST be URI safe.

landingPage - The final page a user agent should be sent following successful authentication.

Returns:

Promise, with a type of URI, suitable for redirecting the user agent for external authentication and authorization and an Promise, with a type of OAuthException, when an error occurs.

handlePostAuth

public Promise<JsonValue,OAuthException> handlePostAuth(DataStore dataStore,
                                                        Map<String,List<String>> requestParameters)

Description copied from interface: OAuthClient

Handle the data produced by the Auth Server as a result of a successful authentication and return the final redirect to the landing page specified in the OAuthClient.getAuthRedirect(DataStore, String, URI) call. Validate the request as secure. The returned JsonValue response will also contain the data passed to OAuthClient.getAuthRedirect(DataStore, String, URI).

Specified by:

handlePostAuth in interface OAuthClient

Overrides:

handlePostAuth in class OAuth2Client<OpenIDConnectClientConfiguration>

Parameters:

dataStore - The data store that contains information about the OAuth interaction.

requestParameters - The request parameters containing the data produced by the external authentication server.

Returns:

Promise, with a type of JsonValue, containing the landing page and the data value that was stored in the data store during the OAuthClient.getAuthRedirect(DataStore, String, URI) call; Promise, with a type of OAuthException, when an error occurs.

getUserInfo

public Promise<UserInfo,OAuthException> getUserInfo(DataStore dataStore)

Description copied from interface: OAuthClient

Return the authenticated user's info from the external authentication server.

Specified by:

getUserInfo in interface OAuthClient

Overrides:

getUserInfo in class OAuth2Client<OpenIDConnectClientConfiguration>

Parameters:

dataStore - The data store that contains information about the OAuth interaction.

Returns:

Promise, with a type of UserInfo, containing the available user info. Promise, with a type of OAuthException, when an error occurs.

getSessionInfo

public Promise<? extends OAuth2SessionInfo,OAuthException> getSessionInfo(DataStore dataStore)

Description copied from interface: OAuthClient

Validate whether an Auth Server session is still active and valid.

Specified by:

getSessionInfo in interface OAuthClient

Overrides:

getSessionInfo in class OAuth2Client<OpenIDConnectClientConfiguration>

Parameters:

dataStore - The data store that contains information about the OAuth interaction.

Returns:

Promise, with a type of SessionInfo, representing information about the session. Promise, with a type of OAuthException, when an error occurs.

validateNonce

protected final Function<JsonValue,JsonValue,OAuthException> validateNonce(JsonValue storedData)

Validates the nonce.

Parameters:

storedData - the stored authentication and authorization information.

Returns:

the JsonValue that contained the nonce to inspect;

validateSub

protected final Function<JsonValue,JsonValue,OAuthException> validateSub(DataStore dataStore)

Validates the sub Claim in the UserInfo Response is an exact match to the sub Claim in the ID Token.

Parameters:

dataStore - data store holding authentication and authorization information.

Returns:

the JsonValue that contained the nonce to inspect;

mapToUserInfo

protected final Function<JsonValue,UserInfo,OAuthException> mapToUserInfo(JwtClaimsSet jwtClaims)

Maps a retrieved raw profile from the user info endpoint to an OpenIDConnectUserInfo object.

Parameters:

jwtClaims - jwt claims from an id_token.

Returns:

the raw profile retrieved as an OpenIDConnectUserInfo object.

createUserInfoFromIdTokenJwtClaims

protected final UserInfo createUserInfoFromIdTokenJwtClaims(JwtClaimsSet jwtClaims)
                                                     throws OAuthException

Creates an OpenIDConnectUserInfo object from id_token jwt Claims.

Parameters:

jwtClaims - jwt claims from an id_token.

Returns:

OpenIDConnectUserInfo object.

Throws:

OAuthException - if error occurs while converting the JwtClaimsSet to JsonValue.

createAuthRedirectUri

protected URI createAuthRedirectUri(String state,
                                    String pkceChallenge,
                                    String nonce)

Creates a URI that the user agent will be redirected to for authentication and authorization.

Parameters:

state - opaque value used to prevent CSRF attacks.

pkceChallenge - opaque value used to prevent code interception/injection attacks.

nonce - opaque value used to mitigate replay attacks of an id_token.

Returns:

URI

buildQuery

protected Form buildQuery(String nonce)

Creates the query that will be passed to the request. Override this method to customize which parameters are passed as part of the query. By default, NONCE is always passed in.

Parameters:

nonce - opaque value used to mitigate replay attacks of an id_token.

Returns:

the query

createAuthRedirectUri

@Deprecated
protected URI createAuthRedirectUri(String state,
                                                String nonce)

Deprecated. Use OpenIDConnectClient.createAuthRedirectUri(String, String, String) and specify a PKCE challenge.

Creates a URI that the user agent will be redirected to for authentication and authorization.

Overrides:

createAuthRedirectUri in class OAuth2Client<OpenIDConnectClientConfiguration>

Parameters:

state - opaque value used to prevent CSRF attacks.

nonce - opaque value used to mitigate replay attacks of an id_token.

Returns:

URI

createNonce

protected String createNonce()

Generates a nonce value.

Returns:

nonce value.

getJwtClaimsSet

protected JwtClaimsSet getJwtClaimsSet(String idToken)
                                throws OAuthException

Retrieves the claims associated with an id token while enforcing authenticity.

Parameters:

idToken - id_token.

Returns:

JwtClaimSet set of claims authorized by the user.

Throws:

OAuthException - when error occurs while verifying the user identity.