java.lang.Object
- net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
- - org.opensaml.profile.action.AbstractProfileAction
  - - org.opensaml.profile.action.AbstractConditionalProfileAction
    - - net.shibboleth.idp.profile.AbstractProfileAction
      - net.shibboleth.idp.plugin.oidc.op.admin.impl.AbstractAdminApiProfileAction
        
        net.shibboleth.idp.plugin.oidc.op.admin.impl.IssueRegistrationAccessToken

All Implemented Interfaces:

Component, DestructableComponent, InitializableComponent, ProfileAction, Aware, MessageSource, MessageSourceAware, Action
```
public class IssueRegistrationAccessToken
extends AbstractAdminApiProfileAction
```
Action that issues access token to be used for the OIDC dynamic registration endpoint.
On success, AccessTokenResponse is built and attached as a message for the outbound message context. Also a proceed event is built. On error, a non-proceed event is built.

Several access control checks are made to named policies in the case that certain options are supplied.

Since:

3.1.0

Event:

EventIds.PROCEED_EVENT_ID, EventIds.INVALID_PROFILE_CTX, EventIds.IO_ERROR

Field Summary

Fields
Modifier and Type	Field	Description
`private AccessControlService`	`accessControlService`	Access control service.
`private String`	`clientId`	The client identifier.
`private Function<ProfileRequestContext,String>`	`clientIdLookupStrategy`	Lookup function for the client identifier.
`private String`	`clientIdPolicyName`	Name of access control policy governing clientId acceptance.
`private DataSealer`	`dataSealer`	Data sealer for handling access token.
`private Duration`	`defaultTokenLifetime`	The token lifetime.
`private IdentifierGenerationStrategy`	`idGenerator`	The identifier generator to use.
`private Function<ProfileRequestContext,IdentifierGenerationStrategy>`	`idGeneratorLookupStrategy`	Strategy used to locate the `IdentifierGenerationStrategy` to use.
`private String`	`issuer`	The token issuer.
`private Function<ProfileRequestContext,String>`	`issuerLookupStrategy`	Lookup function for the token issuer.
`private org.slf4j.Logger`	`log`	Class logger.
`private Map<String,net.shibboleth.oidc.metadata.policy.MetadataPolicy>`	`metadataPolicy`	The resolved metadata policy.
`private Function<ProfileRequestContext,Map<String,net.shibboleth.oidc.metadata.policy.MetadataPolicy>>`	`metadataPolicyLookupStrategy`	Lookup function for the metadata policy.
`private String`	`policyId`	The policy identifier.
`private Function<ProfileRequestContext,String>`	`policyIdLookupStrategy`	Lookup function for the policy identifier.
`private String`	`policyIdPolicyName`	Name of access control policy governing policyId acceptance.
`private String`	`policyLocation`	The policy location.
`private Function<ProfileRequestContext,String>`	`policyLocationLookupStrategy`	Lookup function for the policy location.
`private String`	`policyLocationPolicyName`	Name of access control policy governing policyLocation acceptance.
`private Function<ProfileRequestContext,String>`	`replacementLookupStrategy`	Lookup function for the flag signaling replacement use of the token.
`private Duration`	`tokenLifetime`	The token lifetime.
`private Function<ProfileRequestContext,String>`	`tokenLifetimeLookupStrategy`	Lookup function for the token lifetime.

Constructor Summary

Constructors
Constructor Description

IssueRegistrationAccessToken()
Constructor.

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method	Description
`private void`	`addAuthenticationClaims(ProfileRequestContext profileRequestContext, RegistrationClaimsSet.Builder builder)`	Decorate the token with authentication-related claims.
`private boolean`	`checkAccess(ProfileRequestContext profileRequestContext)`	Check access policies.
`protected void`	`doExecute(ProfileRequestContext profileRequestContext)`
`protected void`	`doInitialize()`
`protected boolean`	`doPreExecute(ProfileRequestContext profileRequestContext)`
`void`	`setAccessControlService(AccessControlService acs)`	Set the `AccessControlService` to use.
`void`	`setClientIdLookupStrategy(Function<ProfileRequestContext,String> strategy)`	Set a lookup strategy for the client identifier.
`void`	`setClientIdPolicyName(String name)`	Set an explicit policy name to apply governing clientId usage.
`void`	`setDefaultTokenLifetime(Duration lifetime)`	Set the default token lifetime.
`void`	`setIdentifierGeneratorLookupStrategy(Function<ProfileRequestContext,IdentifierGenerationStrategy> strategy)`	Set the strategy used to locate the `IdentifierGenerationStrategy` to use.
`void`	`setIssuerLookupStrategy(Function<ProfileRequestContext,String> strategy)`	Set a lookup strategy for the token issuer.
`void`	`setMetadataPolicyLookupStrategy(Function<ProfileRequestContext,Map<String,net.shibboleth.oidc.metadata.policy.MetadataPolicy>> strategy)`	Set a lookup strategy for the metadata policy.
`void`	`setPolicyIdLookupStrategy(Function<ProfileRequestContext,String> strategy)`	Set a lookup strategy for the relying party identifier.
`void`	`setPolicyIdPolicyName(String name)`	Set an explicit policy name to apply governing policyId usage.
`void`	`setPolicyLocationLookupStrategy(Function<ProfileRequestContext,String> strategy)`	Set a lookup strategy for the metadata policy location.
`void`	`setPolicyLocationPolicyName(String name)`	Set an explicit policy name to apply governing policyLocation usage.
`void`	`setReplacementLookupStrategy(Function<ProfileRequestContext,String> strategy)`	Set a lookup strategy for the flag signaling registration replacement is allowed.
`void`	`setSealer(DataSealer sealer)`	Set the data sealer for handling access token.
`void`	`setTokenLifetimeLookupStrategy(Function<ProfileRequestContext,String> strategy)`	Set a lookup strategy for the token lifetime.

Methods inherited from class net.shibboleth.idp.plugin.oidc.op.admin.impl.AbstractAdminApiProfileAction
getObjectMapper, sendError, setObjectMapper

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction
doExecute, execute, getMessage, getMessage, getMessage, getProfileContextLookupStrategy, getRequestContext, getResult, setMessageSource, setProfileContextLookupStrategy

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction
getActivationCondition, setActivationCondition

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction
doPostExecute, doPostExecute, execute, getHttpServletRequest, getHttpServletResponse, getLogPrefix, setHttpServletRequest, setHttpServletResponse

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
destroy, doDestroy, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent
initialize, isInitialized

Field Detail

log
```
@Nonnull
private org.slf4j.Logger log
```
Class logger.

dataSealer

@NonnullAfterInit
private DataSealer dataSealer

Data sealer for handling access token.

idGeneratorLookupStrategy

@Nonnull
private Function<ProfileRequestContext,IdentifierGenerationStrategy> idGeneratorLookupStrategy

Strategy used to locate the IdentifierGenerationStrategy to use.

accessControlService

@NonnullAfterInit
private AccessControlService accessControlService

Access control service.

policyLocationPolicyName
```
@Nullable
@NotEmpty
private String policyLocationPolicyName
```
Name of access control policy governing policyLocation acceptance.

policyIdPolicyName
```
@Nullable
@NotEmpty
private String policyIdPolicyName
```
Name of access control policy governing policyId acceptance.

clientIdPolicyName
```
@Nullable
@NotEmpty
private String clientIdPolicyName
```
Name of access control policy governing clientId acceptance.

metadataPolicyLookupStrategy

@NonnullAfterInit
private Function<ProfileRequestContext,Map<String,net.shibboleth.oidc.metadata.policy.MetadataPolicy>> metadataPolicyLookupStrategy

Lookup function for the metadata policy.

tokenLifetimeLookupStrategy

@Nonnull
private Function<ProfileRequestContext,String> tokenLifetimeLookupStrategy

Lookup function for the token lifetime.

issuerLookupStrategy

@NonnullAfterInit
private Function<ProfileRequestContext,String> issuerLookupStrategy

Lookup function for the token issuer.

policyLocationLookupStrategy

@Nonnull
private Function<ProfileRequestContext,String> policyLocationLookupStrategy

Lookup function for the policy location.

policyIdLookupStrategy

@Nonnull
private Function<ProfileRequestContext,String> policyIdLookupStrategy

Lookup function for the policy identifier.

clientIdLookupStrategy

@Nonnull
private Function<ProfileRequestContext,String> clientIdLookupStrategy

Lookup function for the client identifier.

replacementLookupStrategy
```
@Nonnull
private Function<ProfileRequestContext,String> replacementLookupStrategy
```
Lookup function for the flag signaling replacement use of the token.

idGenerator

@Nullable
private IdentifierGenerationStrategy idGenerator

The identifier generator to use.

metadataPolicy

@Nullable
private Map<String,net.shibboleth.oidc.metadata.policy.MetadataPolicy> metadataPolicy

The resolved metadata policy.

issuer
```
@Nonnull
private String issuer
```
The token issuer.

policyLocation

@Nullable
private String policyLocation

The policy location.

policyId
```
@Nullable
private String policyId
```
The policy identifier.

clientId
```
@Nullable
private String clientId
```
The client identifier.

defaultTokenLifetime

@Nullable
private Duration defaultTokenLifetime

The token lifetime.

tokenLifetime

@Nullable
private Duration tokenLifetime

The token lifetime.

Constructor Detail
- IssueRegistrationAccessToken
```
public IssueRegistrationAccessToken()
```
  Constructor.

Method Detail

setSealer

public void setSealer(@Nonnull
                      DataSealer sealer)

Set the data sealer for handling access token.

Parameters:: sealer - data sealer.

setAccessControlService

public void setAccessControlService(@Nonnull
                                    AccessControlService acs)

Set the AccessControlService to use.

Parameters:: acs - service to use

setIdentifierGeneratorLookupStrategy

public void setIdentifierGeneratorLookupStrategy(@Nonnull
                                                 Function<ProfileRequestContext,IdentifierGenerationStrategy> strategy)

Set the strategy used to locate the IdentifierGenerationStrategy to use.

Parameters:: strategy - lookup strategy

setIssuerLookupStrategy

public void setIssuerLookupStrategy(@Nonnull
                                    Function<ProfileRequestContext,String> strategy)

Set a lookup strategy for the token issuer.

Parameters:: strategy - lookup strategy

setMetadataPolicyLookupStrategy

public void setMetadataPolicyLookupStrategy(@Nonnull
                                            Function<ProfileRequestContext,Map<String,net.shibboleth.oidc.metadata.policy.MetadataPolicy>> strategy)

Set a lookup strategy for the metadata policy.

Parameters:: strategy - lookup strategy

setTokenLifetimeLookupStrategy

public void setTokenLifetimeLookupStrategy(@Nonnull
                                           Function<ProfileRequestContext,String> strategy)

Set a lookup strategy for the token lifetime.

Parameters:: strategy - lookup strategy

setPolicyLocationLookupStrategy

public void setPolicyLocationLookupStrategy(@Nonnull
                                            Function<ProfileRequestContext,String> strategy)

Set a lookup strategy for the metadata policy location.

Parameters:: strategy - lookup strategy

setPolicyIdLookupStrategy

public void setPolicyIdLookupStrategy(@Nonnull
                                      Function<ProfileRequestContext,String> strategy)

Set a lookup strategy for the relying party identifier.

Parameters:: strategy - lookup strategy

setClientIdLookupStrategy

public void setClientIdLookupStrategy(@Nonnull
                                      Function<ProfileRequestContext,String> strategy)

Set a lookup strategy for the client identifier.

Parameters:: strategy - lookup strategy

setReplacementLookupStrategy

public void setReplacementLookupStrategy(@Nonnull
                                         Function<ProfileRequestContext,String> strategy)

Set a lookup strategy for the flag signaling registration replacement is allowed.

Parameters:: strategy - lookup strategy

setPolicyLocationPolicyName

public void setPolicyLocationPolicyName(@Nullable @NotEmpty
                                        String name)

Set an explicit policy name to apply governing policyLocation usage.

Parameters:: name - policy name

setPolicyIdPolicyName

public void setPolicyIdPolicyName(@Nullable @NotEmpty
                                  String name)

Set an explicit policy name to apply governing policyId usage.

Parameters:: name - policy name

setClientIdPolicyName

public void setClientIdPolicyName(@Nullable @NotEmpty
                                  String name)

Set an explicit policy name to apply governing clientId usage.

Parameters:: name - policy name

setDefaultTokenLifetime

public void setDefaultTokenLifetime(@Nonnull
                                    Duration lifetime)

Set the default token lifetime.

Parameters:: lifetime - token lifetime

doInitialize
```
protected void doInitialize()
                     throws ComponentInitializationException
```
Overrides:

doInitialize in class AbstractAdminApiProfileAction

Throws:

ComponentInitializationException

doPreExecute

protected boolean doPreExecute(@Nonnull
                               ProfileRequestContext profileRequestContext)

Overrides:: doPreExecute in class AbstractAdminApiProfileAction

doExecute

protected void doExecute(@Nonnull
                         ProfileRequestContext profileRequestContext)

Overrides:: doExecute in class AbstractProfileAction

checkAccess

private boolean checkAccess(@Nonnull
                            ProfileRequestContext profileRequestContext)

Check access policies.

Parameters:: profileRequestContext - current profile request context
Returns:: true iff checks pass

addAuthenticationClaims

private void addAuthenticationClaims(@Nonnull
                                     ProfileRequestContext profileRequestContext,
                                     @Nonnull
                                     RegistrationClaimsSet.Builder builder)

Decorate the token with authentication-related claims.

Parameters:: profileRequestContext - profile request context; builder - claims set builder

Class IssueRegistrationAccessToken

Field Summary

Constructor Summary

Method Summary

Methods inherited from class net.shibboleth.idp.plugin.oidc.op.admin.impl.AbstractAdminApiProfileAction

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

Methods inherited from class java.lang.Object

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent