Package net.shibboleth.idp.plugin.oidc.op.userinfo.profile.impl

Class ParseAccessToken

java.lang.Object

net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

org.opensaml.profile.action.AbstractProfileAction

org.opensaml.profile.action.AbstractConditionalProfileAction

net.shibboleth.idp.profile.AbstractProfileAction

net.shibboleth.idp.plugin.oidc.op.profile.impl.AbstractOIDCRequestAction<com.nimbusds.openid.connect.sdk.UserInfoRequest>

net.shibboleth.idp.plugin.oidc.op.userinfo.profile.impl.AbstractOIDCUserInfoRequestAction

net.shibboleth.idp.plugin.oidc.op.userinfo.profile.impl.AbstractOIDCUserInfoValidationResponseAction

net.shibboleth.idp.plugin.oidc.op.userinfo.profile.impl.ParseAccessToken

All Implemented Interfaces:

Component, DestructableComponent, InitializableComponent, ProfileAction, Aware, MessageSource, MessageSourceAware, Action

public class ParseAccessToken
extends AbstractOIDCUserInfoValidationResponseAction

Action that parses an access token and initially populates the claims for later validation.

Signed JWTs are also signature-checked here.

The parsed token is stored to the response context retrievable as claims via OIDCAuthenticationResponseContext.getTokenClaimsSet(). Claims validation takes place later in order to allow for metadata and relying-party/profile config lookup to allow for pluggable validation, an overridden OP/issuer name, etc.

Since:

3.2.0

Event:

EventIds.PROCEED_EVENT_ID, OidcEventIds.INVALID_GRANT

Field Summary

Fields

Modifier and Type	Field	Description
private CredentialResolver	credentialResolver	Source of signing keys.
private DataSealer	dataSealer	Data sealer for unwrapping authorization code.
private org.slf4j.Logger	log	Class logger.
private com.nimbusds.jwt.SignedJWT	signedJWT	Copy of signed JWT for non-opaque access tokens.

Constructor Summary

Constructors

Constructor	Description
ParseAccessToken()

Method Summary

Modifier and Type	Method	Description
protected void	doExecute(ProfileRequestContext profileRequestContext)
protected void	doInitialize()
protected AccessTokenClaimsSet	parseAccessToken(com.nimbusds.oauth2.sdk.token.AccessToken token)	Attempt to parse token.
void	setCredentialResolver(CredentialResolver resolver)	Set the source of signing keys to use for JWT signature verification.
void	setDataSealer(DataSealer sealer)	Set the data sealer instance to use.

Methods inherited from class net.shibboleth.idp.plugin.oidc.op.userinfo.profile.impl.AbstractOIDCUserInfoValidationResponseAction

doPreExecute, getOidcResponseContext

Methods inherited from class net.shibboleth.idp.plugin.oidc.op.userinfo.profile.impl.AbstractOIDCUserInfoRequestAction

getUserInfoRequest

Methods inherited from class net.shibboleth.idp.plugin.oidc.op.profile.impl.AbstractOIDCRequestAction

getRequest

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction

doExecute, execute, getMessage, getMessage, getMessage, getProfileContextLookupStrategy, getRequestContext, getResult, setMessageSource, setProfileContextLookupStrategy

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction

getActivationCondition, setActivationCondition

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction

doPostExecute, doPostExecute, execute, getHttpServletRequest, getHttpServletResponse, getLogPrefix, setHttpServletRequest, setHttpServletResponse

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

destroy, doDestroy, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent

initialize, isInitialized

Field Detail

log

@Nonnull
private org.slf4j.Logger log

Class logger.

dataSealer

@NonnullAfterInit
private DataSealer dataSealer

Data sealer for unwrapping authorization code.

credentialResolver

@Nullable
private CredentialResolver credentialResolver

Source of signing keys.

signedJWT

@Nullable
private com.nimbusds.jwt.SignedJWT signedJWT

Copy of signed JWT for non-opaque access tokens.

Constructor Detail

ParseAccessToken

public ParseAccessToken()

Method Detail

setDataSealer

public void setDataSealer(@Nonnull
                          DataSealer sealer)

Set the data sealer instance to use.

Parameters:

sealer - sealer to use

setCredentialResolver

public void setCredentialResolver(@Nullable
                                  CredentialResolver resolver)

Set the source of signing keys to use for JWT signature verification.

Parameters:

resolver - signing key resolver

doInitialize

protected void doInitialize()
                     throws ComponentInitializationException

Overrides:

doInitialize in class AbstractInitializableComponent

Throws:

ComponentInitializationException

doExecute

protected void doExecute(@Nonnull
                         ProfileRequestContext profileRequestContext)

Overrides:

doExecute in class AbstractProfileAction

parseAccessToken

@Nullable
protected AccessTokenClaimsSet parseAccessToken(@Nonnull @NotEmpty
                                                com.nimbusds.oauth2.sdk.token.AccessToken token)

Attempt to parse token.

Parameters:

token - the token

Returns:

parsed claim set or null