java.lang.Object
- net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
- - org.opensaml.profile.action.AbstractProfileAction
  - - org.opensaml.profile.action.AbstractConditionalProfileAction
    - - net.shibboleth.idp.profile.AbstractProfileAction
      - net.shibboleth.idp.plugin.oidc.op.profile.impl.AbstractOIDCRequestAction<com.nimbusds.oauth2.sdk.TokenRequest>
        
        net.shibboleth.idp.plugin.oidc.op.profile.impl.AbstractOIDCTokenRequestAction
        
        net.shibboleth.idp.plugin.oidc.op.profile.impl.AbstractOIDCTokenResponseAction
        
        net.shibboleth.idp.plugin.oidc.op.profile.impl.ValidateGrant

All Implemented Interfaces:

Component, DestructableComponent, InitializableComponent, ProfileAction, Aware, MessageSource, MessageSourceAware, Action
```
public class ValidateGrant
extends AbstractOIDCTokenResponseAction
```
Action that validates an authorization grant.
A grant is valid if it is successfully unwrapped, parsed as a code or refresh token, is unexpired, was issued to the expected client and has not been used before (authz code) or the authz code used to produce it has not been revoked (refresh token).

The validated claims from the grant are stored to response context via OIDCAuthenticationResponseContext.getAuthorizationGrantClaimsSet().

Note that the addition of support for the "client_credentials" grant type means that there may not in fact be a grant, or resulting claims set.

Field Summary

Fields
Modifier and Type	Field	Description
`private Function<ProfileRequestContext,Duration>`	`chainRevocationLifetimeLookupStrategy`	Lookup function to supply chain revocation lifetime.
`private DataSealer`	`dataSealer`	Data sealer for unwrapping authorization code.
`private org.slf4j.Logger`	`log`	Class logger.
`private Predicate<ProfileRequestContext>`	`refreshTokensEnabledPredicate`	Predicate used to indicate whether refresh tokens are enabled.
`private Function<ProfileRequestContext,net.shibboleth.idp.profile.context.RelyingPartyContext>`	`relyingPartyContextLookupStrategy`	Strategy used to locate the `RelyingPartyContext` associated with a given `ProfileRequestContext`.
`private ReplayCache`	`replayCache`	Message replay cache instance to use.
`private RevocationCache`	`revocationCache`	Message revocation cache instance to use.
`private net.shibboleth.idp.profile.context.RelyingPartyContext`	`rpCtx`	The RelyingPartyContext to operate on.

Constructor Summary

Constructors
Constructor Description

ValidateGrant(DataSealer sealer)
Constructor.

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method	Description
`protected void`	`doExecute(ProfileRequestContext profileRequestContext)`
`protected void`	`doInitialize()`
`protected boolean`	`doPreExecute(ProfileRequestContext profileRequestContext)`
`protected boolean`	`revokeChain(String id, Duration lifetime)`	Revokes the token chain with the given id, optionally with a given lifetime.
`void`	`setChainRevocationLifetimeLookupStrategy(Function<ProfileRequestContext,Duration> strategy)`	Set a lookup strategy for the chain revocation lifetime.
`void`	`setRefreshTokensEnabledPredicate(Predicate<ProfileRequestContext> predicate)`	Set the predicate used to indicate whether refresh tokens are enabled.
`void`	`setRelyingPartyContextLookupStrategy(Function<ProfileRequestContext,net.shibboleth.idp.profile.context.RelyingPartyContext> strategy)`	Set the strategy used to locate the `RelyingPartyContext` associated with a given `ProfileRequestContext`.
`void`	`setReplayCache(ReplayCache cache)`	Set the replay cache instance to use.
`void`	`setRevocationCache(RevocationCache cache)`	Set the revocation cache instance to use.

Methods inherited from class net.shibboleth.idp.plugin.oidc.op.profile.impl.AbstractOIDCTokenResponseAction
getMetadataContext, getOidcResponseContext

Methods inherited from class net.shibboleth.idp.plugin.oidc.op.profile.impl.AbstractOIDCTokenRequestAction
getTokenRequest

Methods inherited from class net.shibboleth.idp.plugin.oidc.op.profile.impl.AbstractOIDCRequestAction
getRequest

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction
doExecute, execute, getMessage, getMessage, getMessage, getProfileContextLookupStrategy, getRequestContext, getResult, setMessageSource, setProfileContextLookupStrategy

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction
getActivationCondition, setActivationCondition

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction
doPostExecute, doPostExecute, execute, getHttpServletRequest, getHttpServletResponse, getLogPrefix, setHttpServletRequest, setHttpServletResponse

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
destroy, doDestroy, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent
initialize, isInitialized

Field Detail

log
```
@Nonnull
private org.slf4j.Logger log
```
Class logger.

dataSealer
```
@Nonnull
private final DataSealer dataSealer
```
Data sealer for unwrapping authorization code.

replayCache

@NonnullAfterInit
private ReplayCache replayCache

Message replay cache instance to use.

revocationCache

@NonnullAfterInit
private RevocationCache revocationCache

Message revocation cache instance to use.

relyingPartyContextLookupStrategy

@Nonnull
private Function<ProfileRequestContext,net.shibboleth.idp.profile.context.RelyingPartyContext> relyingPartyContextLookupStrategy

Strategy used to locate the RelyingPartyContext associated with a given ProfileRequestContext.

refreshTokensEnabledPredicate
```
@Nonnull
private Predicate<ProfileRequestContext> refreshTokensEnabledPredicate
```
Predicate used to indicate whether refresh tokens are enabled.

chainRevocationLifetimeLookupStrategy

@Nonnull
private Function<ProfileRequestContext,Duration> chainRevocationLifetimeLookupStrategy

Lookup function to supply chain revocation lifetime.

rpCtx

@Nullable
private net.shibboleth.idp.profile.context.RelyingPartyContext rpCtx

The RelyingPartyContext to operate on.

Constructor Detail

ValidateGrant

public ValidateGrant(@Nonnull @ParameterName(name="sealer")
                     DataSealer sealer)

Constructor.

Parameters:: sealer - sealer to decrypt/hmac authorize code.

Method Detail

setRelyingPartyContextLookupStrategy

public void setRelyingPartyContextLookupStrategy(@Nonnull
                                                 Function<ProfileRequestContext,net.shibboleth.idp.profile.context.RelyingPartyContext> strategy)

Set the strategy used to locate the RelyingPartyContext associated with a given ProfileRequestContext.

Parameters:: strategy - strategy used to locate the RelyingPartyContext associated with a given ProfileRequestContext

setRefreshTokensEnabledPredicate

public void setRefreshTokensEnabledPredicate(@Nonnull
                                             Predicate<ProfileRequestContext> predicate)

Set the predicate used to indicate whether refresh tokens are enabled.

Parameters:: predicate - predicate used to indicate whether refresh tokens are enabled.

setReplayCache

public void setReplayCache(@Nonnull
                           ReplayCache cache)

Set the replay cache instance to use.

Parameters:: cache - The replayCache to set.

setRevocationCache

public void setRevocationCache(@Nonnull
                               RevocationCache cache)

Set the revocation cache instance to use.

Parameters:: cache - The revocationCache to set.

setChainRevocationLifetimeLookupStrategy

public void setChainRevocationLifetimeLookupStrategy(@Nullable
                                                     Function<ProfileRequestContext,Duration> strategy)

Set a lookup strategy for the chain revocation lifetime.

Parameters:: strategy - What to set.

doInitialize
```
protected void doInitialize()
                     throws ComponentInitializationException
```
Overrides:

doInitialize in class AbstractInitializableComponent

Throws:

ComponentInitializationException

doPreExecute

protected boolean doPreExecute(@Nonnull
                               ProfileRequestContext profileRequestContext)

Overrides:: doPreExecute in class AbstractOIDCTokenResponseAction

doExecute

protected void doExecute(@Nonnull
                         ProfileRequestContext profileRequestContext)

Overrides:: doExecute in class AbstractProfileAction

revokeChain
```
protected boolean revokeChain(@Nonnull
                              String id,
                              @Nullable
                              Duration lifetime)
```
Revokes the token chain with the given id, optionally with a given lifetime. If the given lifetime is null, the default lifetime set to the RevocationCache is used.

Parameters:

id - The identifier to be revoked in RevocationCacheContexts.AUTHORIZATION_CODE context.

lifetime - The lifetime for the revocation

Returns:

The result returned by the RevocationCache

Class ValidateGrant

Field Summary

Constructor Summary

Method Summary

Methods inherited from class net.shibboleth.idp.plugin.oidc.op.profile.impl.AbstractOIDCTokenResponseAction

Methods inherited from class net.shibboleth.idp.plugin.oidc.op.profile.impl.AbstractOIDCTokenRequestAction

Methods inherited from class net.shibboleth.idp.plugin.oidc.op.profile.impl.AbstractOIDCRequestAction

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

Methods inherited from class java.lang.Object

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent