Interface ClientRegistration


  • @SupportedAll
    public interface ClientRegistration
    Models a client registration in the OAuth2 provider.
    Since:
    12.0.0
    • Method Detail

      • getRedirectUris

        Set<URI> getRedirectUris()
                          throws org.forgerock.oauth2.core.exceptions.ServerException
        Gets the registered redirect uris for the client.
        Returns:
        The redirect uris.
        Throws:
        org.forgerock.oauth2.core.exceptions.ServerException
      • allowWildcardsInLoopbackRedirectUris

        boolean allowWildcardsInLoopbackRedirectUris()
                                              throws org.forgerock.oauth2.core.exceptions.ServerException
Gets whether or not the redirect uris are allowed to point to the loopback interface with a wildcard for the port value.
Returns:
true if the redirect uris are allowed to point to the loopback interface with a wildcard port.
        Throws:
        org.forgerock.oauth2.core.exceptions.ServerException
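As an added illustration (not ForgeRock or AM code), a redirect_uri check built on the two accessors above: exact matching against getRedirectUris(), with loopback port wildcards honoured only when allowWildcardsInLoopbackRedirectUris() is true. The package of ClientRegistration, the loopback hosts accepted (127.0.0.1 and [::1]) and the treatment of any port on a registered loopback URI as the wildcard are assumptions; the page does not state how AM encodes the wildcard.

```java
import java.net.URI;
import java.util.Objects;
import java.util.Set;

import org.forgerock.oauth2.core.exceptions.ServerException;
// Assumed package for the ClientRegistration interface documented on this page.
import org.forgerock.oauth2.core.ClientRegistration;

/** Redirect URI policy built on a ClientRegistration (added example, not AM code). */
public final class RedirectUriPolicy {

    private RedirectUriPolicy() {}

    /**
     * True only if the requested redirect_uri exactly matches a registered one
     * (no prefix, substring or host-only matching), or, when the client allows
     * loopback wildcards, matches a registered loopback URI on any port (RFC 8252 s7.3).
     */
    public static boolean isAllowed(ClientRegistration client, URI requested) throws ServerException {
        // RFC 6749 s3.1.2: a redirect URI must not carry a fragment component.
        if (requested == null || requested.getFragment() != null) {
            return false;
        }
        Set<URI> registered = client.getRedirectUris();
        boolean loopbackWildcards = client.allowWildcardsInLoopbackRedirectUris();
        for (URI candidate : registered) {
            if (candidate.equals(requested)) {
                return true;
            }
            if (loopbackWildcards && sameLoopbackTargetIgnoringPort(candidate, requested)) {
                return true;
            }
        }
        return false;
    }

    // Assumption: only IP-literal loopback hosts qualify; "localhost" is deliberately
    // excluded because its name resolution is not under the provider's control.
    private static boolean isLoopbackHost(URI uri) {
        String host = uri.getHost();
        return "127.0.0.1".equals(host) || "[::1]".equals(host);
    }

    // Assumption: any port on a registered loopback URI stands for the wildcard, so
    // scheme, host, path and query must still match exactly; only the port is free.
    private static boolean sameLoopbackTargetIgnoringPort(URI registered, URI requested) {
        return "http".equalsIgnoreCase(registered.getScheme())
                && "http".equalsIgnoreCase(requested.getScheme())
                && isLoopbackHost(registered)
                && isLoopbackHost(requested)
                && registered.getHost().equals(requested.getHost())
                && Objects.equals(registered.getRawPath(), requested.getRawPath())
                && Objects.equals(registered.getRawQuery(), requested.getRawQuery());
    }
}
```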
      • getPostLogoutRedirectUris

        Set<URI> getPostLogoutRedirectUris()
                                    throws org.forgerock.oauth2.core.exceptions.ServerException
        Gets the registered post logout redirect uris for the client.
        Returns:
        The redirect uris.
        Throws:
        org.forgerock.oauth2.core.exceptions.ServerException
      • getAllowedResponseTypes

        Set<String> getAllowedResponseTypes()
                                     throws org.forgerock.oauth2.core.exceptions.ServerException
        Gets the allowed response types.
        Returns:
        The allowed response types.
        Throws:
        org.forgerock.oauth2.core.exceptions.ServerException
      • getClientId

        String getClientId()
        Gets the client's identifier.
        Returns:
        The client's id.
      • getClientSecret

        String getClientSecret()
                        throws org.forgerock.oauth2.core.exceptions.ServerException
        Gets the client's secret.
        Returns:
        The client's secret.
        Throws:
        org.forgerock.oauth2.core.exceptions.ServerException
      • getAccessTokenType

        String getAccessTokenType()
        Gets the type of access token the client requires.
        Returns:
        The access token type.
      • getDisplayName

        String getDisplayName(Locale locale)
                       throws org.forgerock.oauth2.core.exceptions.ServerException
        Gets the display name of the client in the specified locale.
        Parameters:
        locale - The locale.
        Returns:
        The display name.
        Throws:
        org.forgerock.oauth2.core.exceptions.ServerException
      • getDisplayDescription

        String getDisplayDescription(Locale locale)
                              throws org.forgerock.oauth2.core.exceptions.ServerException
        Gets the display description of the client in the specified locale.
        Parameters:
        locale - The locale.
        Returns:
        The display description.
        Throws:
        org.forgerock.oauth2.core.exceptions.ServerException
      • getScopeDescriptions

        Map<String,String> getScopeDescriptions(Locale locale)
                                               throws org.forgerock.oauth2.core.exceptions.ServerException
        Gets the display descriptions for the allowed and default scopes combined, in the specified locale.
        Parameters:
        locale - The locale.
        Returns:
        The descriptions of the allowed and default scopes combined.
        Throws:
        org.forgerock.oauth2.core.exceptions.ServerException
      • getClaimDescriptions

        Map<String,String> getClaimDescriptions(Locale locale)
                                               throws org.forgerock.oauth2.core.exceptions.ServerException
        Gets the display descriptions for the client's claims, in the specified locale.
        Parameters:
        locale - The locale.
        Returns:
        The claim descriptions.
        Throws:
        org.forgerock.oauth2.core.exceptions.ServerException
      • getClientUri

        String getClientUri(Locale locale)
                     throws org.forgerock.oauth2.core.exceptions.ServerException
        Get the client URI to use for the user's locale, or null if none is registered.
        Parameters:
        locale - The user's locale.
        Returns:
        The uri.
        Throws:
        org.forgerock.oauth2.core.exceptions.ServerException
      • getLogoUri

        String getLogoUri(Locale locale)
                   throws org.forgerock.oauth2.core.exceptions.ServerException
        Get the client's logo URI to use for the user's locale, or null if none is registered.
        Parameters:
        locale - The user's locale.
        Returns:
        The uri.
        Throws:
        org.forgerock.oauth2.core.exceptions.ServerException
      • getPolicyUri

        String getPolicyUri(Locale locale)
                     throws org.forgerock.oauth2.core.exceptions.ServerException
        Get the client's privacy policy URI to use for the user's locale, or null if none is registered.
        Parameters:
        locale - The user's locale.
        Returns:
        The uri.
        Throws:
        org.forgerock.oauth2.core.exceptions.ServerException
      • getDefaultScopes

        Set<String> getDefaultScopes()
                              throws org.forgerock.oauth2.core.exceptions.ServerException
        Gets the default scopes configured for the client.
        Returns:
        The default scopes.
        Throws:
        org.forgerock.oauth2.core.exceptions.ServerException
      • getAllowedScopes

        Set<String> getAllowedScopes()
                              throws org.forgerock.oauth2.core.exceptions.ServerException
        Gets the allowed scopes configured for the client.
        Returns:
        The allowed scopes.
        Throws:
        org.forgerock.oauth2.core.exceptions.ServerException
      • getAllowedGrantTypes

        Set<org.forgerock.oauth2.core.GrantType> getAllowedGrantTypes()
                                                               throws org.forgerock.oauth2.core.exceptions.ServerException
        Gets the allowed grant types configured for the client.
        Returns:
        The allowed grant types.
        Throws:
        org.forgerock.oauth2.core.exceptions.ServerException
      • isConfidential

        boolean isConfidential()
                        throws org.forgerock.oauth2.core.exceptions.ServerException
        Gets whether the client is confidential or not.
        Returns:
        true if the client is confidential.
        Throws:
        org.forgerock.oauth2.core.exceptions.ServerException
      • isIdmDelegationEnabled

        boolean isIdmDelegationEnabled()
                                throws org.forgerock.oauth2.core.exceptions.ServerException
        Gets whether or not IDM delegation is enabled for the client.
        Returns:
        true if IDM delegation is enabled for the client.
        Throws:
        org.forgerock.oauth2.core.exceptions.ServerException
      • getClientSessionURI

        String getClientSessionURI()
                            throws org.forgerock.oauth2.core.exceptions.ServerException
        Gets the client's session URI.
        Returns:
        The client's session URI.
        Throws:
        org.forgerock.oauth2.core.exceptions.ServerException
      • getSubjectType

        String getSubjectType()
                       throws org.forgerock.oauth2.core.exceptions.ServerException
        Gets the subject type of this client: PAIRWISE or PUBLIC.
        Throws:
        org.forgerock.oauth2.core.exceptions.ServerException
      • verifyJwtBearerForClientAuthentication

        boolean verifyJwtBearerForClientAuthentication(OAuth2Request request,
                                                       OAuth2Jwt jwt)
                                                throws InvalidRequestException,
                                                       org.forgerock.oauth2.core.exceptions.ServerException
        Verifies that the supplied jwt is signed by this client.
        Throws:
        InvalidRequestException
        org.forgerock.oauth2.core.exceptions.ServerException
      • verifyTlsClientCertificateAuthentication

        Optional<PKIXCertPathValidatorResult> verifyTlsClientCertificateAuthentication(OAuth2Request request,
                                                                                       List<X509Certificate> certChain)
                                                                                throws org.forgerock.oauth2.core.exceptions.ServerException
        Verifies that the supplied X.509 certificate chain is acceptable to authenticate this client. The certificate chain should either be self-signed and correspond to the certificate registered by the client, or else should be signed by a CA trusted by the OAuth provider.
        Parameters:
        request - the request.
        certChain - the certificate chain presented by the client.
        Returns:
        the validation result if the client is successfully authenticated, otherwise empty.
        Throws:
        org.forgerock.oauth2.core.exceptions.ServerException
      • verifyJwtRequestParameter

        SignedJwt verifyJwtRequestParameter(OAuth2Request request,
                                            Jwt jwt)
                                     throws InvalidRequestException,
                                            org.forgerock.oauth2.core.exceptions.InvalidRequestParameterException,
                                            org.forgerock.oauth2.core.exceptions.ServerException
        Verifies that the supplied request parameter jwt is signed by this client.
        Parameters:
        request - the OAuth2 request
        jwt - the request parameter
        Returns:
        the request parameter in a signed JWT format.
        Throws:
        InvalidRequestException
        org.forgerock.oauth2.core.exceptions.InvalidRequestParameterException
        org.forgerock.oauth2.core.exceptions.ServerException
      • decryptIdTokenHint

        OAuth2Jwt decryptIdTokenHint(EncryptedJwt encryptedJwt)
                              throws org.forgerock.oauth2.core.exceptions.ServerException
        Decrypts the provided id_token_hint value.
        Parameters:
        encryptedJwt - The encrypted JWT.
        Returns:
        The decrypted JWT payload wrapped in OAuth2Jwt.
        Throws:
        org.forgerock.oauth2.core.exceptions.ServerException
      • verifyIdTokenSignedByUsWithConfiguredAlg

        boolean verifyIdTokenSignedByUsWithConfiguredAlg(OAuth2Jwt jwt)
                                                  throws org.forgerock.oauth2.core.exceptions.ServerException
        Verifies that the supplied jwt is signed by AM using the algorithm the client has configured to use.
        Parameters:
        jwt - The JWT to verify.
        Returns:
        true if the verification was successful, false otherwise.
        Throws:
        org.forgerock.oauth2.core.exceptions.ServerException - For failures with verification processing.
      • verifyIdTokenSignedByUsWithConfiguredAlg

        boolean verifyIdTokenSignedByUsWithConfiguredAlg(OAuth2Jwt jwt,
                                                         boolean includeExpiryCheck)
                                                  throws org.forgerock.oauth2.core.exceptions.ServerException
        Verifies that the supplied jwt is signed by AM using the algorithm the client has configured to use.
        Parameters:
        jwt - The JWT to verify.
        includeExpiryCheck - Whether to include an expiry check, false allows expired JWTs to pass verification.
        Returns:
        true if the verification was successful, false otherwise.
        Throws:
        org.forgerock.oauth2.core.exceptions.ServerException - For failures with verification processing.
      • isConsentImplied

        boolean isConsentImplied()
                          throws org.forgerock.oauth2.core.exceptions.ServerException
        Gets whether or not the client wants the OAuth2 implementation to skip asking the resource owner for consent.
        Returns:
        true if the client is configured to skip resource owner consent.
        Throws:
        org.forgerock.oauth2.core.exceptions.ServerException
      • isMixUpMitigationEnabled

        boolean isMixUpMitigationEnabled()
                                  throws org.forgerock.oauth2.core.exceptions.ServerException
        Tells whether or not OAuth 2.0 IdP Mix-up mitigation has been enabled for this client.
        Returns:
        true if the IdP mix-up mitigation is enabled for this client.
        Throws:
        org.forgerock.oauth2.core.exceptions.ServerException
      • getCustomLoginUrlTemplate

        freemarker.template.Template getCustomLoginUrlTemplate()
                                                        throws org.forgerock.oauth2.core.exceptions.ServerException
        Gets the custom login url template which will create the url to redirect resource owners to for authentication.
        Returns:
        The custom login url template, or null if none for this client.
        Throws:
        org.forgerock.oauth2.core.exceptions.ServerException - If the custom login url template setting could not be retrieved.
      • getTokenEndpointAuthMethod

        String getTokenEndpointAuthMethod()
                                   throws org.forgerock.oauth2.core.exceptions.ServerException
        Gets the token_endpoint_auth_method configured for this client.
        Throws:
        org.forgerock.oauth2.core.exceptions.ServerException
      • getClientCertificateSubjectDn

        X500Principal getClientCertificateSubjectDn()
                                             throws org.forgerock.oauth2.core.exceptions.ServerException
        Returns the Subject DN to expect when the client authenticates with a TLS client certificate. This will be the client id if no value has been explicitly configured.
        Returns:
        the expected Subject DN.
        Throws:
        org.forgerock.oauth2.core.exceptions.ServerException
      • isCertificateBoundAccessTokensEnabled

        boolean isCertificateBoundAccessTokensEnabled()
                                               throws org.forgerock.oauth2.core.exceptions.ServerException
        Indicates whether this client wants its access tokens bound to the X.509 certificate it uses to authenticate to the token endpoint. If this setting is enabled then the client can also specify a different TLS certificate by using the cnf_key request parameter (even if it does not authenticate with a client cert to the token endpoint).
        Returns:
        true if access tokens should be bound to the client supplied X.509 certificate.
        Throws:
        org.forgerock.oauth2.core.exceptions.ServerException
      • createTokenIntrospectionJwt

        Jwt createTokenIntrospectionJwt(JwtClaimsSet claimsSet,
                                        org.forgerock.oauth2.core.Client.TokenIntrospectionResponseFormat responseFormat)
                                 throws org.forgerock.oauth2.core.exceptions.OAuth2Exception
        Create a token introspection response JWT.
        Parameters:
        claimsSet - the token claims
        responseFormat - the format for returning the token introspection response.
        Returns:
        a jwt representing the introspection response.
        Throws:
        org.forgerock.oauth2.core.exceptions.OAuth2Exception - A server exception if we were not able to create the jwt.
      • getTokenIntrospectionResponseFormat

        org.forgerock.oauth2.core.Client.TokenIntrospectionResponseFormat getTokenIntrospectionResponseFormat()
                                                                                                       throws org.forgerock.oauth2.core.exceptions.ServerException
        Gets the response format specified for the token introspection endpoint for this client.
        Returns:
        the selected response format.
        Throws:
        org.forgerock.oauth2.core.exceptions.ServerException
      • getTokenIntrospectionSignedResponseAlgorithm

        String getTokenIntrospectionSignedResponseAlgorithm()
                                                     throws org.forgerock.oauth2.core.exceptions.ServerException
        Gets the token introspection signed response algorithm.
        Returns:
        The token introspection signed response algorithm.
        Throws:
        org.forgerock.oauth2.core.exceptions.ServerException - If any internal server error occurs.
      • getTokenIntrospectionEncryptedResponseAlgorithm

        String getTokenIntrospectionEncryptedResponseAlgorithm()
                                                        throws org.forgerock.oauth2.core.exceptions.ServerException
        Gets the token introspection encrypted response algorithm that will be used to encrypt the Content Encryption Key and which will be represented by the 'alg' property of a JWE.
        Returns:
        The token introspection encrypted response algorithm.
        Throws:
        org.forgerock.oauth2.core.exceptions.ServerException - If any internal server error occurs.
      • getTokenIntrospectionEncryptedResponseEncryptionMethod

        String getTokenIntrospectionEncryptedResponseEncryptionMethod()
                                                               throws org.forgerock.oauth2.core.exceptions.ServerException
        Gets the token introspection encrypted response encryption method that will be used to encrypt the plaintext of a JWE and is represented by the 'enc' property.
        Returns:
        the token introspection encrypted response encryption algorithm.
        Throws:
        org.forgerock.oauth2.core.exceptions.ServerException - If any internal server error occurs.