Package net.shibboleth.idp.plugin.oidc.op.oauth2.profile.impl

Class ValidateAudience

java.lang.Object

net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

org.opensaml.profile.action.AbstractProfileAction

org.opensaml.profile.action.AbstractConditionalProfileAction

net.shibboleth.idp.profile.AbstractProfileAction

net.shibboleth.idp.plugin.oidc.op.profile.impl.AbstractOIDCRequestAction<com.nimbusds.openid.connect.sdk.AuthenticationRequest>

net.shibboleth.idp.plugin.oidc.op.profile.impl.AbstractOIDCAuthenticationRequestAction

net.shibboleth.idp.plugin.oidc.op.profile.impl.AbstractOIDCAuthenticationResponseAction

net.shibboleth.idp.plugin.oidc.op.oauth2.profile.impl.ValidateAudience

All Implemented Interfaces:

Component, DestructableComponent, InitializableComponent, ProfileAction, Aware, MessageSource, MessageSourceAware, Action

public class ValidateAudience
extends AbstractOIDCAuthenticationResponseAction

Action that validates requested resource/audience values against a computed set of "allowed" values and populates the resulting set into the OIDCAuthenticationResponseContext and a ProxiedRequesterContext.

This is an ordered list, so the first allowed value determines the "primary" audience of the eventual token.

Requesting values is optional. If the OP is an implied audience, then no other audience will be established, but if not then at least one audience must be permitted and the first permitted value will be assumed.

Event:

EventIds.PROCEED_EVENT_ID, EventIds.INVALID_PROFILE_CTX, OidcEventIds.INVALID_TARGET

Field Summary

Fields

Modifier and Type	Field	Description
private Function<ProfileRequestContext,List<String>>	allowedAudienceLookupStrategy	Strategy used to obtain the audience allowed for the client.
private org.slf4j.Logger	log	Class logger.
private Function<ProfileRequestContext,ProxiedRequesterContext>	proxiedRequesterContextCreationStrategy	Strategy used for locating/creating the proxy context.
private Function<ProfileRequestContext,String>	relyingPartyIdLookupStrategy	Strategy used to obtain the relying party ID.
private Function<ProfileRequestContext,List<String>>	requestedAudienceLookupStrategy	Strategy used to obtain the requested audience.
private Predicate<ProfileRequestContext>	selfAudienceCondition	Whether the request includes the OP as an audience.
private Function<ProfileRequestContext,OIDCAuthenticationResponseTokenClaimsContext>	tokenClaimsContextLookupStrategy	Strategy used to locate the OIDCAuthenticationResponseTokenClaimsContext.

Constructor Summary

Constructors

Constructor	Description
ValidateAudience()	Constructor.

Method Summary

Modifier and Type	Method	Description
protected void	doExecute(ProfileRequestContext profileRequestContext)
void	setAllowedAudienceLookupStrategy(Function<ProfileRequestContext,List<String>> strategy)	Set the strategy used to locate the allowed audience for the client.
void	setProxiedRequesterContextCreationStrategy(Function<ProfileRequestContext,ProxiedRequesterContext> strategy)	Set the strategy used to locate or create the ProxiedRequesterContext.
void	setRelyingPartyIdLookupStrategy(Function<ProfileRequestContext,String> strategy)	Set the strategy used to obtain the relying party ID.
void	setRequestedAudienceLookupStrategy(Function<ProfileRequestContext,List<String>> strategy)	Set the strategy used to locate the requested audience to validate.
void	setSelfAudienceCondition(Predicate<ProfileRequestContext> condition)	Set whether the OP is an implied audience for the token request.

Methods inherited from class net.shibboleth.idp.plugin.oidc.op.profile.impl.AbstractOIDCAuthenticationResponseAction

doPreExecute, getMetadataContext, getOidcResponseContext

Methods inherited from class net.shibboleth.idp.plugin.oidc.op.profile.impl.AbstractOIDCAuthenticationRequestAction

getAuthenticationRequest

Methods inherited from class net.shibboleth.idp.plugin.oidc.op.profile.impl.AbstractOIDCRequestAction

getRequest

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction

doExecute, execute, getMessage, getMessage, getMessage, getProfileContextLookupStrategy, getRequestContext, getResult, setMessageSource, setProfileContextLookupStrategy

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction

getActivationCondition, setActivationCondition

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction

doPostExecute, doPostExecute, execute, getHttpServletRequest, getHttpServletResponse, getLogPrefix, setHttpServletRequest, setHttpServletResponse

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

destroy, doDestroy, doInitialize, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent

initialize, isInitialized

Field Detail

log

@Nonnull
private org.slf4j.Logger log

Class logger.

relyingPartyIdLookupStrategy

@Nonnull
private Function<ProfileRequestContext,String> relyingPartyIdLookupStrategy

Strategy used to obtain the relying party ID.

requestedAudienceLookupStrategy

@Nullable
private Function<ProfileRequestContext,List<String>> requestedAudienceLookupStrategy

Strategy used to obtain the requested audience.

allowedAudienceLookupStrategy

@Nonnull
private Function<ProfileRequestContext,List<String>> allowedAudienceLookupStrategy

Strategy used to obtain the audience allowed for the client.

proxiedRequesterContextCreationStrategy

@Nonnull
private Function<ProfileRequestContext,ProxiedRequesterContext> proxiedRequesterContextCreationStrategy

Strategy used for locating/creating the proxy context.

selfAudienceCondition

@Nonnull
private Predicate<ProfileRequestContext> selfAudienceCondition

Whether the request includes the OP as an audience.

tokenClaimsContextLookupStrategy

@Nonnull
private Function<ProfileRequestContext,OIDCAuthenticationResponseTokenClaimsContext> tokenClaimsContextLookupStrategy

Strategy used to locate the OIDCAuthenticationResponseTokenClaimsContext.

Constructor Detail

ValidateAudience

public ValidateAudience()

Constructor.

Method Detail

setRelyingPartyIdLookupStrategy

public void setRelyingPartyIdLookupStrategy(@Nonnull
                                            Function<ProfileRequestContext,String> strategy)

Set the strategy used to obtain the relying party ID.

Parameters:

strategy - lookup strategy

setRequestedAudienceLookupStrategy

public void setRequestedAudienceLookupStrategy(@Nullable
                                               Function<ProfileRequestContext,List<String>> strategy)

Set the strategy used to locate the requested audience to validate.

Parameters:

strategy - lookup strategy

setAllowedAudienceLookupStrategy

public void setAllowedAudienceLookupStrategy(@Nonnull
                                             Function<ProfileRequestContext,List<String>> strategy)

Set the strategy used to locate the allowed audience for the client.

Parameters:

strategy - lookup strategy

setProxiedRequesterContextCreationStrategy

public void setProxiedRequesterContextCreationStrategy(@Nonnull
                                                       Function<ProfileRequestContext,ProxiedRequesterContext> strategy)

Set the strategy used to locate or create the ProxiedRequesterContext.

Parameters:

strategy - lookup/creation strategy

setSelfAudienceCondition

public void setSelfAudienceCondition(@Nonnull
                                     Predicate<ProfileRequestContext> condition)

Set whether the OP is an implied audience for the token request.

Parameters:

condition - condition to set

Since:

3.2.0

doExecute

protected void doExecute(@Nonnull
                         ProfileRequestContext profileRequestContext)

Overrides:

doExecute in class AbstractProfileAction