org.forgerock.oauth2.core

Interface ClientRegistration

public interface ClientRegistration

Models a client registration in the OAuth2 provider.

Since:

12.0.0

Method Summary

Modifier and Type	Method and Description
OAuth2Jwt	decryptIdTokenHint(EncryptedJwt encryptedJwt) Decrypts the provided id_token_hint value.
String	getAccessTokenType() Gets the type of access token the client requires.
Set<GrantType>	getAllowedGrantTypes() Gets the allowed grant types configured for the client.
Set<String>	getAllowedResponseTypes() Gets the allowed response types.
Set<String>	getAllowedScopes() Gets the allowed scopes configured for the client.
Map<String,String>	getClaimDescriptions(Locale locale) Gets the display descriptions for the allowed and default scopes combined, in the specified locale.
X500Principal	getClientCertificateSubjectDn() Returns the Subject DN to expect when the client authenticates with a TLS client certificate.
String	getClientId() Gets the client's identifier.
String	getClientSecret() Gets the client's secret.
String	getClientSessionURI() Gets the client's session URI.
String	getClientUri(Locale locale) Get the client URI to use for the user's locale, or null if none is registered.
freemarker.template.Template	getCustomLoginUrlTemplate() Gets the custom login url template which will create the url to redirect resource owners to for authentication.
Set<String>	getCustomProperties() Retrieve the set of custom properties.
Set<String>	getDefaultScopes() Gets the default scopes configured for the client.
String	getDisplayDescription(Locale locale) Gets the display description of the client in the specified locale.
String	getDisplayName(Locale locale) Gets the display name of the client in the specified locale.
String	getLogoUri(Locale locale) Get the client's logo URI to use for the user's locale, or null if none is registered.
String	getPolicyUri(Locale locale) Get the client's privacy policy URI to use for the user's locale, or null if none is registered.
Set<URI>	getPostLogoutRedirectUris() Gets the registered post logout redirect uris for the client.
Set<URI>	getRedirectUris() Gets the registered redirect uris for the client.
Map<String,String>	getScopeDescriptions(Locale locale) Gets the display descriptions for the allowed and default scopes combined, in the specified locale.
String	getSubjectType() Gets the subject type of this client.
String	getTermsOfServiceUri(Locale locale) Get the client's terms of service URI to use for the user's locale, or null if none is registered.
String	getTokenEndpointAuthMethod() Gets the token_endpoint_auth_method configured for this client.
boolean	isCertificateBoundAccessTokensEnabled() Indicates whether this client wants its access tokens bound to the X.509 certificate it uses to authenticate to the token endpoint.
boolean	isConfidential() Gets whether the client is confidential or not.
boolean	isConsentImplied() Gets whether or not the client wants the OAuth2 implementation to skip asking the resource owner for consent.
boolean	isMixUpMitigationEnabled() Tells whether or not OAuth 2.0 IdP Mix-up mitigation has been enabled for this client.
boolean	verifyIdTokenSignedByUsWithConfiguredAlg(OAuth2Jwt jwt) Verifies that the supplied jwt is signed by AM using the algorithm the client has configured to use.
boolean	verifyIdTokenSignedByUsWithConfiguredAlg(OAuth2Jwt jwt, boolean includeExpiryCheck) Verifies that the supplied jwt is signed by AM using the algorithm the client has configured to use.
boolean	verifyJwtBearerForClientAuthentication(OAuth2Request request, OAuth2Jwt jwt) Verifies that the supplied jwt is signed by this client.
SignedJwt	verifyJwtRequestParameter(OAuth2Request request, Jwt jwt) Verifies that the supplied request parameter jwt is signed by this client.
Optional<PKIXCertPathValidatorResult>	verifyTlsClientCertificateAuthentication(OAuth2Request request, List<X509Certificate> certChain) Verifies that the supplied X.509 certificate chain is acceptable to authenticate this client.

Method Detail

getRedirectUris

Set<URI> getRedirectUris()

Gets the registered redirect uris for the client.

Returns:

The redirect uris.

getPostLogoutRedirectUris

Set<URI> getPostLogoutRedirectUris()

Gets the registered post logout redirect uris for the client.

Returns:

The redirect uris.

getAllowedResponseTypes

Set<String> getAllowedResponseTypes()

Gets the allowed response types.

Returns:

The allowed response types.

getClientId

String getClientId()

Gets the client's identifier.

Returns:

The client's id.

getClientSecret

String getClientSecret()

Gets the client's secret.

Returns:

The client's secret.

getAccessTokenType

String getAccessTokenType()

Gets the type of access token the client requires.

Returns:

The access token type.

getDisplayName

String getDisplayName(Locale locale)

Gets the display name of the client in the specified locale.

Parameters:

locale - The locale.

Returns:

The display name.

getDisplayDescription

String getDisplayDescription(Locale locale)

Gets the display description of the client in the specified locale.

Parameters:

locale - The locale.

Returns:

The display description.

getScopeDescriptions

Map<String,String> getScopeDescriptions(Locale locale)

Gets the display descriptions for the allowed and default scopes combined, in the specified locale.

Parameters:

locale - The locale.

Returns:

The descriptions of the allowed and default scopes combined.

getClaimDescriptions

Map<String,String> getClaimDescriptions(Locale locale)

Gets the display descriptions for the allowed and default scopes combined, in the specified locale.

Parameters:

locale - The locale.

Returns:

The descriptions of the allowed and default scopes combined.

getClientUri

String getClientUri(Locale locale)

Get the client URI to use for the user's locale, or null if none is registered.

Parameters:

locale - The user's locale.

Returns:

The uri.

getLogoUri

String getLogoUri(Locale locale)

Get the client's logo URI to use for the user's locale, or null if none is registered.

Parameters:

locale - The user's locale.

Returns:

The uri.

getPolicyUri

String getPolicyUri(Locale locale)

Get the client's privacy policy URI to use for the user's locale, or null if none is registered.

Parameters:

locale - The user's locale.

Returns:

The uri.

getTermsOfServiceUri

String getTermsOfServiceUri(Locale locale)

Get the client's terms of service URI to use for the user's locale, or null if none is registered.

Parameters:

locale - The user's locale.

Returns:

The uri.

getDefaultScopes

Set<String> getDefaultScopes()

Gets the default scopes configured for the client.

Returns:

The default scopes.

getAllowedScopes

Set<String> getAllowedScopes()

Gets the allowed scopes configured for the client.

Returns:

The allowed scopes.

getAllowedGrantTypes

Set<GrantType> getAllowedGrantTypes()

Gets the allowed grant types configured for the client.

Returns:

The allowed grant types.

isConfidential

boolean isConfidential()

Gets whether the client is confidential or not.

Returns:

true if the client is confidential.

getClientSessionURI

String getClientSessionURI()

Gets the client's session URI.

Returns:

The client's session URI.

getSubjectType

String getSubjectType()

Gets the subject type of this client. PAIRWISE or PUBLIC.

verifyJwtBearerForClientAuthentication

boolean verifyJwtBearerForClientAuthentication(OAuth2Request request,
                                               OAuth2Jwt jwt)
                                        throws InvalidRequestException

Verifies that the supplied jwt is signed by this client.

Throws:

InvalidRequestException

verifyTlsClientCertificateAuthentication

Optional<PKIXCertPathValidatorResult> verifyTlsClientCertificateAuthentication(OAuth2Request request,
                                                                               List<X509Certificate> certChain)

Verifies that the supplied X.509 certificate chain is acceptable to authenticate this client. The certificate chain should either be self-signed and correspond to the certificate registered by the client, or else should be signed by a CA trusted by the OAuth provider.

Parameters:

request - the request.

certChain - the certificate chain presented by the client.

Returns:

the validation result if the client is successfully authenticated, otherwise empty.

verifyJwtRequestParameter

SignedJwt verifyJwtRequestParameter(OAuth2Request request,
                                    Jwt jwt)
                             throws InvalidRequestException

Verifies that the supplied request parameter jwt is signed by this client.

Parameters:

request - the OAuth2 request

jwt - the request parameter

Returns:

the request parameter in a signed JWT format.

Throws:

InvalidRequestException

decryptIdTokenHint

OAuth2Jwt decryptIdTokenHint(EncryptedJwt encryptedJwt)

Decrypts the provided id_token_hint value.

Parameters:

encryptedJwt - The encrypted JWT.

Returns:

The decrypted JWT payload wrapped in OAuth2Jwt.

verifyIdTokenSignedByUsWithConfiguredAlg

boolean verifyIdTokenSignedByUsWithConfiguredAlg(OAuth2Jwt jwt)

Verifies that the supplied jwt is signed by AM using the algorithm the client has configured to use.

Parameters:

jwt - The JWT to verify.

Returns:

true if the verification was successful, false otherwise.

Throws:

ServerException - For failures with verification processing.

verifyIdTokenSignedByUsWithConfiguredAlg

boolean verifyIdTokenSignedByUsWithConfiguredAlg(OAuth2Jwt jwt,
                                                 boolean includeExpiryCheck)

Verifies that the supplied jwt is signed by AM using the algorithm the client has configured to use.

Parameters:

jwt - The JWT to verify.

includeExpiryCheck - Whether to include an expiry check, false allows expired JWTs to pass verification.

Returns:

true if the verification was successful, false otherwise.

Throws:

ServerException - For failures with verification processing.

isConsentImplied

boolean isConsentImplied()

Gets whether or not the client wants the OAuth2 implementation to skip asking the resource owner for consent.

Returns:

true if the client is configured to skip resource owner consent.

isMixUpMitigationEnabled

boolean isMixUpMitigationEnabled()

Tells whether or not OAuth 2.0 IdP Mix-up mitigation has been enabled for this client.

Returns:

true if the IdP mix-up mitigation is enabled for this client.

getCustomLoginUrlTemplate

freemarker.template.Template getCustomLoginUrlTemplate()

Gets the custom login url template which will create the url to redirect resource owners to for authentication.

Returns:

The custom login url template, or null if none for this client.

Throws:

ServerException - If the custom login url template setting could not be retrieved.

getTokenEndpointAuthMethod

String getTokenEndpointAuthMethod()

Gets the token_endpoint_auth_method configured for this client.

getClientCertificateSubjectDn

X500Principal getClientCertificateSubjectDn()

Returns the Subject DN to expect when the client authenticates with a TLS client certificate. This will be the client id if not value has been explicitly configured.

Returns:

the expected Subject DN.

isCertificateBoundAccessTokensEnabled

boolean isCertificateBoundAccessTokensEnabled()

Indicates whether this client wants its access tokens bound to the X.509 certificate it uses to authenticate to the token endpoint. If this setting is enabled then the client can also specify a different TLS certificate by using the cnf_key request parameter (even if it does not authenticate with a client cert to the token endpoint).

Returns:

true if access tokens should be bound to the client supplied X.509 certificate.

getCustomProperties

Set<String> getCustomProperties()

Retrieve the set of custom properties.

Returns:

Set of custom properties.

Throws:

ServerException - If any internal server error occurs.