Class ClientRegistration


  • public final class ClientRegistration
    extends Object
    A configuration for an OpenID Connect Provider. Options:
     
     {
       "clientId"                     : expression        [REQUIRED]
       "clientSecretId"               : expression        [REQUIRED - if private_key_jwt authentication
                                                                      method is NOT selected. ]
       "issuer"                       : String / Issuer   [REQUIRED - the issuer name, or its inlined
                                                                      declaration. ]
       "scopes"                       : [ expressions ]   [OPTIONAL - specific scopes to use for this client
                                                                      registration. ]
       "registrationHandler"          : handler           [OPTIONAL - by default it uses the 'ClientHandler'
                                                                      provided in heap. ]
       "tokenEndpointAuthMethod"      : enum              [OPTIONAL - default is Basic Authentication
                                                                      "client_secret_basic". ]
       "tokenEndpointAuthSigningAlg"  : string            [OPTIONAL - default to RS256 if private_key_jwt authentication
                                                                      method is selected. ]
       "privateKeyJwtSecretId"        : expression        [OPTIONAL - but REQUIRED if private_key_jwt authentication
                                                                      method is selected. ]
       "claims"                       : {                 [OPTIONAL - contains the claims used in private_key_jwt
                                                                      authentication. ]
           "aud"                      : String OR [Strings] [OPTIONAL - default to the URL of the Authorization Server's
                                                                      Token endpoint. ]
       }
       "jwtExpirationTimeout"         : duration          [OPTIONAL - default to 1 minute if private_key_jwt
                                                                      authentication method is selected. ]
     }
     
     
    Example of use:
     
     {
         "name": "MyClientRegistration",
         "type": "ClientRegistration",
         "config": {
             "clientId": "OpenIG",
             "clientSecretId": "client.password.secret.id",
             "scopes": [
                 "openid",
                 "profile"
             ],
             "issuer": "OpenAM"
         }
     }
     
     
    or, with inlined Issuer declaration:
     
     {
         "name": "MyClientRegistration",
         "type": "ClientRegistration",
         "config": {
             "clientId": "OpenIG",
             "clientSecretId": "client.password.secret.id",
             "scopes": [
                 "openid",
                 "profile"
             ],
             "tokenEndpointAuthMethod": "client_secret_post",
             "issuer": {
                 "name": "myIssuer",
                 "type": "Issuer",
                 "config": {
                     "wellKnownEndpoint": "http://server.com:8090/openam/oauth2/.well-known/openid-configuration"
                 }
             }
         }
     }
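     As an added example that is not part of this Javadoc, the same registration configured for private_key_jwt client authentication, which replaces the shared client secret with a signed JWT assertion. The secret label `client.private.key.secret.id`, the token endpoint URL pinned as `aud`, and the `"1 minute"` duration string are assumed values chosen for illustration, not taken from the page; the signing algorithm, audience and lifetime are set explicitly to their documented defaults so the intent is visible in the configuration.

```json
{
    "name": "MyPrivateKeyJwtClientRegistration",
    "type": "ClientRegistration",
    "config": {
        "clientId": "OpenIG",
        "scopes": [
            "openid",
            "profile"
        ],
        "tokenEndpointAuthMethod": "private_key_jwt",
        "tokenEndpointAuthSigningAlg": "RS256",
        "privateKeyJwtSecretId": "client.private.key.secret.id",
        "claims": {
            "aud": "http://server.com:8090/openam/oauth2/access_token"
        },
        "jwtExpirationTimeout": "1 minute",
        "issuer": {
            "name": "myIssuer",
            "type": "Issuer",
            "config": {
                "wellKnownEndpoint": "http://server.com:8090/openam/oauth2/.well-known/openid-configuration"
            }
        }
    }
}
```

     With this method no `clientSecretId` is needed; pinning `aud` to the token endpoint and keeping the assertion lifetime short limits where, and for how long, a captured assertion could be accepted.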
     
     
    • clientSecretId: the label of the Purpose used to read the GenericSecret that authenticates the client when SecretBasicClientAuthentication or SecretPostClientAuthentication is used.
    • clientSecret [Deprecated since 6.5 in favor of clientSecretId]: the credential used to authenticate the client when SecretBasicClientAuthentication or SecretPostClientAuthentication is used. NOTE: If both clientSecret and clientSecretId are provided, 'clientSecretId' takes precedence.
    See Also:
    OpenID Connect Dynamic Client Registration 1.0, OpenID Client Authentication
    • Constructor Detail

      • ClientRegistration

        public ClientRegistration​(String clientId,
                                  String name,
                                  List<String> scopes,
                                  Issuer issuer,
                                  Handler registrationHandler,
                                  org.forgerock.openig.filter.oauth2.client.ClientAuthentication clientAuthentication)
        Creates a Client Registration.
        Parameters:
        clientId - The ID of this client registration.
        name - The name of this client registration. Can be null. If it is null, the clientId is used.
        scopes - The list of scopes for this client registration, not null.
        issuer - The Issuer of this Client, not null.
        registrationHandler - The handler used to send requests to the AS.
        clientAuthentication - The ClientAuthentication to use, not null.
    • Method Detail

      • getName

        public String getName()
        Returns the name of this client registration.
        Returns:
        the name of this client registration.
      • getAccessToken

        public Promise<JsonValue,​OAuth2ErrorException> getAccessToken​(Context context,
                                                                            String code,
                                                                            String callbackUri)
        Exchanges the authorization code for an access token and an optional ID token, and then updates the session state.
        Parameters:
        context - The current context.
        code - The authorization code.
        callbackUri - The callback URI.
        Returns:
        A promise completed either with the JSON content of the response if the response status code is 200 OK, or with an OAuth2ErrorException in case of errors.
      • getClientId

        public String getClientId()
        Returns the client ID of this client registration.
        Returns:
        the client ID.
      • getIssuer

        public Issuer getIssuer()
        Returns the Issuer for this client registration.
        Returns:
        the Issuer for this client registration.
      • refreshAccessToken

        public Promise<JsonValue,​OAuth2ErrorException> refreshAccessToken​(Context context,
                                                                                org.forgerock.openig.filter.oauth2.client.OAuth2Session session)
        Refreshes the current access token by sending a refresh request to the token endpoint.
        Parameters:
        context - The current context.
        session - The current session.
        Returns:
        A promise completed either with the JSON content of the response if the response status code is 200 OK, or with an OAuth2ErrorException if an error occurs when contacting the authorization server or if the returned response status code is other than 200 OK.
      • getScopes

        public List<String> getScopes()
        Returns the list of scopes of this client registration.
        Returns:
        the list of scopes of this client registration.
      • getUserInfo

        public Promise<JsonValue,​OAuth2ErrorException> getUserInfo​(Context context,
                                                                         org.forgerock.openig.filter.oauth2.client.OAuth2Session session)
        Returns a Promise completed either with the JSON value of the user info obtained from the authorization server if the response has a status code of 200, or with an exception, which may mean the access token has expired.
        Parameters:
        context - The current context.
        session - The current session to use.
        Returns:
        A promise completed either with a JsonValue containing the requested user info, or with an OAuth2ErrorException if an error occurs when contacting the authorization server or if the returned response status code is other than 200 OK (which may signify that the access token has expired).