Package net.shibboleth.idp.plugin.oidc.op.profile.impl

Class AddAttributesToClaimsSet

java.lang.Object

net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

org.opensaml.profile.action.AbstractProfileAction

org.opensaml.profile.action.AbstractConditionalProfileAction

net.shibboleth.idp.profile.AbstractProfileAction

net.shibboleth.idp.plugin.oidc.op.profile.impl.AbstractOIDCResponseAction

net.shibboleth.idp.plugin.oidc.op.profile.impl.AddAttributesToClaimsSet

All Implemented Interfaces:

Component, DestructableComponent, InitializableComponent, ProfileAction, Aware, MessageSource, MessageSourceAware, Action

public class AddAttributesToClaimsSet
extends AbstractOIDCResponseAction

Action that adds claims to a ClaimsSet. Claims are formed of resolved attributes having OIDC encoder. Action verifies user has consented to release attribute, if consent information is available. Actions will not add claims listed as reserved.

Field Summary

Fields

Modifier and Type	Field	Description
private boolean	addToIDTokenByDefault	Whether we can add claims to IDToken by default i.e.
private Set<String>	alwaysIncludedAttributes	Attributes to include in ID token no matter what.
private Function<ProfileRequestContext,Set<String>>	alwaysIncludedAttributesLookupStrategy	Strategy used to obtain the set of attribute IDs to include in the ID token in all cases.
private Function<ProfileRequestContext,net.shibboleth.idp.attribute.context.AttributeContext>	attributeContextLookupStrategy	Strategy used to locate the AttributeContext associated with a given ProfileRequestContext.
private net.shibboleth.idp.attribute.context.AttributeContext	attributeCtx	AttributeContext to use.
private com.nimbusds.openid.connect.sdk.claims.ClaimsSet	claimsSet	Claims Set to use.
private Function<ProfileRequestContext,OIDCAuthenticationResponseConsentContext>	consentContextLookupStrategy	Strategy used to locate the OIDCAuthenticationResponseConsentContext.
private Set<String>	deniedUserInfoAttributes	Attributes to omit from UserInfo token.
private Function<ProfileRequestContext,Set<String>>	deniedUserInfoAttributesLookupStrategy	Strategy used to obtain the set of attribute IDs to omit from the UserInfo token.
private boolean	ignoringUnencodableAttributes	Whether attributes that result in an AttributeEncodingException when being encoded should be ignored or result in an IdPEventIds.UNABLE_ENCODE_ATTRIBUTE transition.
private org.slf4j.Logger	log	Class logger.
private List<String>	reservedClaimNames	List of claim names that will not be added.
private Function<ProfileRequestContext,com.nimbusds.openid.connect.sdk.claims.ClaimsSet>	responseClaimsSetLookupStrategy	Strategy used to locate the response ClaimsSet associated with a given ProfileRequestContext.
private ReloadableService<net.shibboleth.idp.attribute.transcoding.AttributeTranscoderRegistry>	transcoderRegistry	Transcoder registry service object.

Constructor Summary

Constructors

Constructor	Description
AddAttributesToClaimsSet()	Constructor.

Method Summary

Modifier and Type	Method	Description
protected void	doExecute(ProfileRequestContext profileRequestContext)
protected void	doInitialize()
protected boolean	doPreExecute(ProfileRequestContext profileRequestContext)
private void	encodeAttribute(net.shibboleth.idp.attribute.transcoding.AttributeTranscoderRegistry registry, ProfileRequestContext profileRequestContext, net.shibboleth.idp.attribute.IdPAttribute attribute, Collection<net.minidev.json.JSONObject> results)	Access the registry of transcoding rules to transform the input attribute into claims.
void	setAlwaysIncludedAttributesLookupStrategy(Function<ProfileRequestContext,Set<String>> strategy)	Set the strategy used to obtain the set of attribute IDs always included in ID tokens.
void	setAttributeContextLookupStrategy(Function<ProfileRequestContext,net.shibboleth.idp.attribute.context.AttributeContext> strategy)	Set the strategy used to locate the AttributeContext associated with a given ProfileRequestContext.
void	setDeniedUserInfoAttributesLookupStrategy(Function<ProfileRequestContext,Set<String>> strategy)	Set the strategy used to obtain the set of attribute IDs to omit from UserInfo tokens.
void	setIgnoringUnencodableAttributes(boolean flag)	Set whether the attributes that result in an AttributeEncodingException when being encoded should be ignored or result in an IdPEventIds.UNABLE_ENCODE_ATTRIBUTE transition.
void	setOIDCAuthenticationResponseConsentContextLookupStrategy(Function<ProfileRequestContext,OIDCAuthenticationResponseConsentContext> strategy)	Set the strategy used to locate the OIDCAuthenticationResponseTokenClaimsContext associated with a given ProfileRequestContext.
void	setReservedClaimNames(List<String> claimNames)	Set list of claim names that will not be added.
void	setResponseClaimsSetLookupStrategy(Function<ProfileRequestContext,com.nimbusds.openid.connect.sdk.claims.ClaimsSet> strategy)	Set the strategy used to locate the response ClaimsSet associated with a given ProfileRequestContext.
void	setTranscoderRegistry(ReloadableService<net.shibboleth.idp.attribute.transcoding.AttributeTranscoderRegistry> registry)	Sets the registry of transcoding rules to apply to encode attributes.

Methods inherited from class net.shibboleth.idp.plugin.oidc.op.profile.impl.AbstractOIDCResponseAction

getMetadataContext, getOidcResponseContext

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction

doExecute, execute, getMessage, getMessage, getMessage, getProfileContextLookupStrategy, getRequestContext, getResult, setMessageSource, setProfileContextLookupStrategy

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction

getActivationCondition, setActivationCondition

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction

doPostExecute, doPostExecute, execute, getHttpServletRequest, getHttpServletResponse, getLogPrefix, setHttpServletRequest, setHttpServletResponse

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

destroy, doDestroy, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent

initialize, isInitialized

Field Detail

log

@Nonnull
private org.slf4j.Logger log

Class logger.

attributeContextLookupStrategy

@Nonnull
private Function<ProfileRequestContext,net.shibboleth.idp.attribute.context.AttributeContext> attributeContextLookupStrategy

Strategy used to locate the AttributeContext associated with a given ProfileRequestContext.

responseClaimsSetLookupStrategy

@Nonnull
private Function<ProfileRequestContext,com.nimbusds.openid.connect.sdk.claims.ClaimsSet> responseClaimsSetLookupStrategy

Strategy used to locate the response ClaimsSet associated with a given ProfileRequestContext.

consentContextLookupStrategy

@Nonnull
private Function<ProfileRequestContext,OIDCAuthenticationResponseConsentContext> consentContextLookupStrategy

Strategy used to locate the OIDCAuthenticationResponseConsentContext.

alwaysIncludedAttributesLookupStrategy

@Nonnull
private Function<ProfileRequestContext,Set<String>> alwaysIncludedAttributesLookupStrategy

Strategy used to obtain the set of attribute IDs to include in the ID token in all cases.

deniedUserInfoAttributesLookupStrategy

@Nonnull
private Function<ProfileRequestContext,Set<String>> deniedUserInfoAttributesLookupStrategy

Strategy used to obtain the set of attribute IDs to omit from the UserInfo token.

transcoderRegistry

@NonnullAfterInit
private ReloadableService<net.shibboleth.idp.attribute.transcoding.AttributeTranscoderRegistry> transcoderRegistry

Transcoder registry service object.

ignoringUnencodableAttributes

private boolean ignoringUnencodableAttributes

Whether attributes that result in an AttributeEncodingException when being encoded should be ignored or result in an IdPEventIds.UNABLE_ENCODE_ATTRIBUTE transition.

attributeCtx

@Nullable
private net.shibboleth.idp.attribute.context.AttributeContext attributeCtx

AttributeContext to use.

claimsSet

@Nullable
private com.nimbusds.openid.connect.sdk.claims.ClaimsSet claimsSet

Claims Set to use.

addToIDTokenByDefault

private boolean addToIDTokenByDefault

Whether we can add claims to IDToken by default i.e. response type is "id_token".

reservedClaimNames

@Nullable
@NonnullElements
private List<String> reservedClaimNames

List of claim names that will not be added.

alwaysIncludedAttributes

@Nullable
@NonnullElements
private Set<String> alwaysIncludedAttributes

Attributes to include in ID token no matter what.

deniedUserInfoAttributes

@Nullable
@NonnullElements
private Set<String> deniedUserInfoAttributes

Attributes to omit from UserInfo token.

Constructor Detail

AddAttributesToClaimsSet

AddAttributesToClaimsSet()

Constructor.

Method Detail

setTranscoderRegistry

public void setTranscoderRegistry(@Nonnull
                                  ReloadableService<net.shibboleth.idp.attribute.transcoding.AttributeTranscoderRegistry> registry)

Sets the registry of transcoding rules to apply to encode attributes.

Parameters:

registry - registry service interface

setIgnoringUnencodableAttributes

public void setIgnoringUnencodableAttributes(boolean flag)

Set whether the attributes that result in an AttributeEncodingException when being encoded should be ignored or result in an IdPEventIds.UNABLE_ENCODE_ATTRIBUTE transition.

Parameters:

flag - flag to set

setReservedClaimNames

public void setReservedClaimNames(List<String> claimNames)

Set list of claim names that will not be added.

Parameters:

claimNames - list of claim names that will not be added.

setResponseClaimsSetLookupStrategy

public void setResponseClaimsSetLookupStrategy(@Nonnull
                                               Function<ProfileRequestContext,com.nimbusds.openid.connect.sdk.claims.ClaimsSet> strategy)

Set the strategy used to locate the response ClaimsSet associated with a given ProfileRequestContext.

Parameters:

strategy - strategy used to locate the response ClaimsSet associated with a given ProfileRequestContext

setAttributeContextLookupStrategy

public void setAttributeContextLookupStrategy(@Nonnull
                                              Function<ProfileRequestContext,net.shibboleth.idp.attribute.context.AttributeContext> strategy)

Set the strategy used to locate the AttributeContext associated with a given ProfileRequestContext.

Parameters:

strategy - strategy used to locate the AttributeContext associated with a given ProfileRequestContext

setOIDCAuthenticationResponseConsentContextLookupStrategy

public void setOIDCAuthenticationResponseConsentContextLookupStrategy(@Nonnull
                                                                      Function<ProfileRequestContext,OIDCAuthenticationResponseConsentContext> strategy)

Set the strategy used to locate the OIDCAuthenticationResponseTokenClaimsContext associated with a given ProfileRequestContext.

Parameters:

strategy - lookup strategy

setAlwaysIncludedAttributesLookupStrategy

public void setAlwaysIncludedAttributesLookupStrategy(@Nonnull
                                                      Function<ProfileRequestContext,Set<String>> strategy)

Set the strategy used to obtain the set of attribute IDs always included in ID tokens.

Parameters:

strategy - lookup strategy

setDeniedUserInfoAttributesLookupStrategy

public void setDeniedUserInfoAttributesLookupStrategy(@Nonnull
                                                      Function<ProfileRequestContext,Set<String>> strategy)

Set the strategy used to obtain the set of attribute IDs to omit from UserInfo tokens.

Parameters:

strategy - lookup strategy

doInitialize

protected void doInitialize()
                     throws ComponentInitializationException

Overrides:

doInitialize in class AbstractInitializableComponent

Throws:

ComponentInitializationException

doPreExecute

protected boolean doPreExecute(@Nonnull
                               ProfileRequestContext profileRequestContext)

Overrides:

doPreExecute in class AbstractOIDCResponseAction

doExecute

protected void doExecute(@Nonnull
                         ProfileRequestContext profileRequestContext)

Overrides:

doExecute in class AbstractProfileAction

encodeAttribute

private void encodeAttribute(@Nonnull
                             net.shibboleth.idp.attribute.transcoding.AttributeTranscoderRegistry registry,
                             @Nonnull
                             ProfileRequestContext profileRequestContext,
                             @Nonnull
                             net.shibboleth.idp.attribute.IdPAttribute attribute,
                             @Nonnull @NonnullElements @Live
                             Collection<net.minidev.json.JSONObject> results)
                      throws net.shibboleth.idp.attribute.AttributeEncodingException

Access the registry of transcoding rules to transform the input attribute into claims.

Parameters:

registry - registry of transcoding rules

profileRequestContext - current profile request context

attribute - input attribute

results - collection to add results to

Throws:

net.shibboleth.idp.attribute.AttributeEncodingException - if a non-ignorable error occurs