Package net.shibboleth.idp.plugin.oidc.op.oauth2.profile.impl

Class BuildAccessToken

java.lang.Object

net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

org.opensaml.profile.action.AbstractProfileAction

org.opensaml.profile.action.AbstractConditionalProfileAction

net.shibboleth.idp.profile.AbstractProfileAction

net.shibboleth.idp.plugin.oidc.op.profile.impl.AbstractOIDCResponseAction

net.shibboleth.idp.plugin.oidc.op.oauth2.profile.impl.BuildAccessToken

All Implemented Interfaces:

Component, DestructableComponent, InitializableComponent, ProfileAction, Aware, MessageSource, MessageSourceAware, Action

public class BuildAccessToken
extends AbstractOIDCResponseAction

Action that creates an Access Token, and stores it to an AccessTokenContext.

There are various cases handled across different grant types and orders of operation. The token may be produced solely for a third-party service to consume, or may also or instead be usable with the OP's UserInfo endpoint.

The action supports either opaque access tokens sealed under the IdP's secret key, or the RFC 9068 standard for JWT-based tokens.

Since:

3.1.0

Event:

EventIds.PROCEED_EVENT_ID, EventIds.MESSAGE_PROC_ERROR, EventIds.INVALID_MSG_CTX, EventIds.INVALID_PROFILE_CTX, EventIds.MESSAGE_PROC_ERROR, IdPEventIds.INVALID_ATTRIBUTE_CTX, IdPEventIds.INVALID_PROFILE_CONFIG, IdPEventIds.INVALID_SUBJECT_CTX

Field Summary

Fields

Modifier and Type	Field	Description
private Function<ProfileRequestContext,AccessTokenContext>	accessTokenContextCreationStrategy	Strategy used to create the subcontext to hold the token.
private AccessTokenContext	accessTokenCtx	Access token context.
private Function<ProfileRequestContext,Duration>	accessTokenLifetimeLookupStrategy	Strategy used to obtain the access token lifetime.
private Function<ProfileRequestContext,String>	accessTokenTypeLookupStrategy	Strategy used to obtain the access token type to issue.
private com.nimbusds.openid.connect.sdk.AuthenticationRequest	authenticationRequest	Authentication request in the case of such.
private Function<ProfileRequestContext,com.nimbusds.oauth2.sdk.id.ClientID>	clientIDLookupStrategy	Strategy used to obtain the original client ID.
private Function<ProfileRequestContext,OIDCAuthenticationResponseConsentContext>	consentContextLookupStrategy	Strategy used to locate the OIDCAuthenticationResponseConsentContext.
private Predicate<ProfileRequestContext>	consentEnabledPredicate	Predicate used to check if consent is enabled with a given ProfileRequestContext.
private DataSealer	dataSealer	Sealer to use for opaque tokens.
private IdentifierGenerationStrategy	idGenerator	The generator to use.
private Function<ProfileRequestContext,IdentifierGenerationStrategy>	idGeneratorLookupStrategy	Strategy used to locate the IdentifierGenerationStrategy to use.
private Function<ProfileRequestContext,String>	issuerLookupStrategy	Strategy used to obtain the response issuer value.
private boolean	jwtTokenType	Use a JWT for the token.
private org.slf4j.Logger	log	Class logger.
private BiFunction<ProfileRequestContext,Map<String,Object>,Map<String,Object>>	manipulationStrategy	The strategy used for manipulating the token claims set.
private net.shibboleth.idp.authn.context.SubjectContext	subjectCtx	Subject context.
private Function<ProfileRequestContext,OIDCAuthenticationResponseTokenClaimsContext>	tokenClaimsContextLookupStrategy	Strategy used to locate the OIDCAuthenticationResponseTokenClaimsContext.
private TokenClaimsSet	tokenClaimsSet	Authorize Code / Refresh Token the access token is based on, if any.
private Function<ProfileRequestContext,BiFunction<ProfileRequestContext,Map<String,Object>,Map<String,Object>>>	tokenClaimsSetManipulationStrategyLookupStrategy	Lookup function to supply strategy bi-function for manipulating token claims set.

Constructor Summary

Constructors

Constructor	Description
BuildAccessToken()	Constructor.

Method Summary

Modifier and Type	Method	Description
protected void	doExecute(ProfileRequestContext profileRequestContext)
protected void	doInitialize()
protected boolean	doPreExecute(ProfileRequestContext profileRequestContext)
private com.nimbusds.jwt.JWTClaimsSet	sealClaims(com.nimbusds.jwt.JWTClaimsSet claims)	Rewrites a plaintext claimsset to hide custom claims used solely by the OP.
void	setAccessTokenContextCreationStrategy(Function<ProfileRequestContext,AccessTokenContext> strategy)	Set the strategy used to create the AccessTokenContext to use.
void	setAccessTokenLifetimeLookupStrategy(Function<ProfileRequestContext,Duration> strategy)	Set the strategy used to obtain the access token lifetime.
void	setAccessTokenTypeLookupStrategy(Function<ProfileRequestContext,String> strategy)	Set the strategy used to obtain the access token type.
void	setClientIDLookupStrategy(Function<ProfileRequestContext,com.nimbusds.oauth2.sdk.id.ClientID> strategy)	Set the strategy used to locate the original ClientID from the request.
void	setConsentEnabledPredicate(Predicate<ProfileRequestContext> predicate)	Set the predicate used to check if consent is enabled with a given ProfileRequestContext.
void	setDataSealer(DataSealer sealer)	Set DataSealer to use for opaque tokens.
void	setIdentifierGeneratorLookupStrategy(Function<ProfileRequestContext,IdentifierGenerationStrategy> strategy)	Set the strategy used to locate the IdentifierGenerationStrategy to use.
void	setIssuerLookupStrategy(Function<ProfileRequestContext,String> strategy)	Set the strategy used to locate the issuer value to use.
void	setOIDCAuthenticationResponseConsentContextLookupStrategy(Function<ProfileRequestContext,OIDCAuthenticationResponseConsentContext> strategy)	Set the strategy used to locate the OIDCAuthenticationResponseConsentContext associated with a given ProfileRequestContext.
void	setOIDCAuthenticationResponseTokenClaimsContextLookupStrategy(Function<ProfileRequestContext,OIDCAuthenticationResponseTokenClaimsContext> strategy)	Set the strategy used to locate the OIDCAuthenticationResponseTokenClaimsContext associated with a given ProfileRequestContext.
void	setTokenClaimsSetManipulationStrategyLookupStrategy(Function<ProfileRequestContext,BiFunction<ProfileRequestContext,Map<String,Object>,Map<String,Object>>> strategy)	Set the lookup function to supply strategy bi-function for manipulating token claims set.

Methods inherited from class net.shibboleth.idp.plugin.oidc.op.profile.impl.AbstractOIDCResponseAction

getMetadataContext, getOidcResponseContext

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction

doExecute, execute, getMessage, getMessage, getMessage, getProfileContextLookupStrategy, getRequestContext, getResult, setMessageSource, setProfileContextLookupStrategy

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction

getActivationCondition, setActivationCondition

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction

doPostExecute, doPostExecute, execute, getHttpServletRequest, getHttpServletResponse, getLogPrefix, setHttpServletRequest, setHttpServletResponse

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

destroy, doDestroy, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent

initialize, isInitialized

Field Detail

log

@Nonnull
private org.slf4j.Logger log

Class logger.

dataSealer

@NonnullAfterInit
private DataSealer dataSealer

Sealer to use for opaque tokens.

issuerLookupStrategy

@Nonnull
private Function<ProfileRequestContext,String> issuerLookupStrategy

Strategy used to obtain the response issuer value.

clientIDLookupStrategy

@Nonnull
private Function<ProfileRequestContext,com.nimbusds.oauth2.sdk.id.ClientID> clientIDLookupStrategy

Strategy used to obtain the original client ID.

accessTokenTypeLookupStrategy

@Nonnull
private Function<ProfileRequestContext,String> accessTokenTypeLookupStrategy

Strategy used to obtain the access token type to issue.

accessTokenLifetimeLookupStrategy

@Nonnull
private Function<ProfileRequestContext,Duration> accessTokenLifetimeLookupStrategy

Strategy used to obtain the access token lifetime.

idGeneratorLookupStrategy

@Nonnull
private Function<ProfileRequestContext,IdentifierGenerationStrategy> idGeneratorLookupStrategy

Strategy used to locate the IdentifierGenerationStrategy to use.

tokenClaimsContextLookupStrategy

@Nonnull
private Function<ProfileRequestContext,OIDCAuthenticationResponseTokenClaimsContext> tokenClaimsContextLookupStrategy

Strategy used to locate the OIDCAuthenticationResponseTokenClaimsContext.

consentContextLookupStrategy

@Nonnull
private Function<ProfileRequestContext,OIDCAuthenticationResponseConsentContext> consentContextLookupStrategy

Strategy used to locate the OIDCAuthenticationResponseConsentContext.

consentEnabledPredicate

@Nonnull
private Predicate<ProfileRequestContext> consentEnabledPredicate

Predicate used to check if consent is enabled with a given ProfileRequestContext.

accessTokenContextCreationStrategy

@Nonnull
private Function<ProfileRequestContext,AccessTokenContext> accessTokenContextCreationStrategy

Strategy used to create the subcontext to hold the token.

tokenClaimsSetManipulationStrategyLookupStrategy

@Nonnull
private Function<ProfileRequestContext,BiFunction<ProfileRequestContext,Map<String,Object>,Map<String,Object>>> tokenClaimsSetManipulationStrategyLookupStrategy

Lookup function to supply strategy bi-function for manipulating token claims set.

manipulationStrategy

@Nullable
private BiFunction<ProfileRequestContext,Map<String,Object>,Map<String,Object>> manipulationStrategy

The strategy used for manipulating the token claims set.

tokenClaimsSet

@Nullable
private TokenClaimsSet tokenClaimsSet

Authorize Code / Refresh Token the access token is based on, if any.

authenticationRequest

@Nullable
private com.nimbusds.openid.connect.sdk.AuthenticationRequest authenticationRequest

Authentication request in the case of such.

subjectCtx

@Nullable
private net.shibboleth.idp.authn.context.SubjectContext subjectCtx

Subject context.

jwtTokenType

private boolean jwtTokenType

Use a JWT for the token.

idGenerator

@Nullable
private IdentifierGenerationStrategy idGenerator

The generator to use.

accessTokenCtx

@Nullable
private AccessTokenContext accessTokenCtx

Access token context.

Constructor Detail

BuildAccessToken

public BuildAccessToken()

Constructor.

Method Detail

setDataSealer

public void setDataSealer(@Nullable
                          DataSealer sealer)

Set DataSealer to use for opaque tokens.

Parameters:

sealer - sealer to use for opaque tokens

setAccessTokenTypeLookupStrategy

public void setAccessTokenTypeLookupStrategy(@Nonnull
                                             Function<ProfileRequestContext,String> strategy)

Set the strategy used to obtain the access token type.

Parameters:

strategy - lookup strategy

setAccessTokenLifetimeLookupStrategy

public void setAccessTokenLifetimeLookupStrategy(@Nonnull
                                                 Function<ProfileRequestContext,Duration> strategy)

Set the strategy used to obtain the access token lifetime.

Parameters:

strategy - lookup strategy

setIdentifierGeneratorLookupStrategy

public void setIdentifierGeneratorLookupStrategy(@Nonnull
                                                 Function<ProfileRequestContext,IdentifierGenerationStrategy> strategy)

Set the strategy used to locate the IdentifierGenerationStrategy to use.

Parameters:

strategy - lookup strategy

setIssuerLookupStrategy

public void setIssuerLookupStrategy(@Nonnull
                                    Function<ProfileRequestContext,String> strategy)

Set the strategy used to locate the issuer value to use.

Parameters:

strategy - lookup strategy

setClientIDLookupStrategy

public void setClientIDLookupStrategy(@Nonnull
                                      Function<ProfileRequestContext,com.nimbusds.oauth2.sdk.id.ClientID> strategy)

Set the strategy used to locate the original ClientID from the request.

Parameters:

strategy - lookup strategy

setOIDCAuthenticationResponseTokenClaimsContextLookupStrategy

public void setOIDCAuthenticationResponseTokenClaimsContextLookupStrategy(@Nonnull
                                                                          Function<ProfileRequestContext,OIDCAuthenticationResponseTokenClaimsContext> strategy)

Set the strategy used to locate the OIDCAuthenticationResponseTokenClaimsContext associated with a given ProfileRequestContext.

Parameters:

strategy - lookup strategy

setOIDCAuthenticationResponseConsentContextLookupStrategy

public void setOIDCAuthenticationResponseConsentContextLookupStrategy(@Nonnull
                                                                      Function<ProfileRequestContext,OIDCAuthenticationResponseConsentContext> strategy)

Set the strategy used to locate the OIDCAuthenticationResponseConsentContext associated with a given ProfileRequestContext.

Parameters:

strategy - lookup strategy

setConsentEnabledPredicate

public void setConsentEnabledPredicate(@Nonnull
                                       Predicate<ProfileRequestContext> predicate)

Set the predicate used to check if consent is enabled with a given ProfileRequestContext.

Parameters:

predicate - predicate used to check if consent is enabled with a given ProfileRequestContext.

setAccessTokenContextCreationStrategy

public void setAccessTokenContextCreationStrategy(@Nonnull
                                                  Function<ProfileRequestContext,AccessTokenContext> strategy)

Set the strategy used to create the AccessTokenContext to use.

Parameters:

strategy - creation strategy

setTokenClaimsSetManipulationStrategyLookupStrategy

public void setTokenClaimsSetManipulationStrategyLookupStrategy(@Nonnull
                                                                Function<ProfileRequestContext,BiFunction<ProfileRequestContext,Map<String,Object>,Map<String,Object>>> strategy)

Set the lookup function to supply strategy bi-function for manipulating token claims set.

Parameters:

strategy - What to set

doInitialize

protected void doInitialize()
                     throws ComponentInitializationException

Overrides:

doInitialize in class AbstractInitializableComponent

Throws:

ComponentInitializationException

doPreExecute

protected boolean doPreExecute(@Nonnull
                               ProfileRequestContext profileRequestContext)

Overrides:

doPreExecute in class AbstractOIDCResponseAction

doExecute

protected void doExecute(@Nonnull
                         ProfileRequestContext profileRequestContext)

Overrides:

doExecute in class AbstractProfileAction

sealClaims

@Nonnull
private com.nimbusds.jwt.JWTClaimsSet sealClaims(@Nonnull
                                                 com.nimbusds.jwt.JWTClaimsSet claims)
                                          throws DataSealerException,
                                                 ParseException

Rewrites a plaintext claimsset to hide custom claims used solely by the OP.

Parameters:

claims - the input claims

Returns:

a rewritten claims set to use for the access token

Throws:

ParseException - if unable to parse a claims set

DataSealerException - if unable to seal the custom claims