001/*
002 * The contents of this file are subject to the terms of the Common Development and
003 * Distribution License (the License). You may not use this file except in compliance with the
004 * License.
005 *
006 * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
007 * specific language governing permission and limitations under the License.
008 *
009 * When distributing Covered Software, include this CDDL Header Notice in each file and include
010 * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
011 * Header, with the fields enclosed by brackets [] replaced by your own identifying
012 * information: "Portions Copyrighted [year] [name of copyright owner]".
013 *
014 * Copyright 2015-2016 ForgeRock AS.
015 */
016
017package org.forgerock.openam.sts.rest.token.provider.oidc;
018
019import org.forgerock.json.JsonValue;
020import org.forgerock.openam.sts.TokenTypeId;
021
022/**
023 * OpenIdConnect tokens can include an Authentication Context Class Reference (acr) claim which indicates how the subject
024 * asserted by the OIDC token was authenticated. For the rest-sts, this will ultimately be a function of the input token
025 * in the token transformation invocation. A default implementation of this interface will be provided, but if users wish
026 * to customize the default mappings, or support a specific acr value for a custom token implementation, then they
027 * can implement this interface with a classpath-resident class, and specify the name of this class in the OpenIdConnectTokenConfig
028 * state associated with the published sts, and that class will be consulted to provide the value of the acr claim corresponding
029 * to the input token state.
030 *
031 * @supported.all.api
032 */
public interface OpenIdConnectTokenAuthnContextMapper {
    /**
     * Maps a validated input token to the Authentication Context Class Reference (acr) that
     * describes how its subject was authenticated.
     *
     * <p>The returned string is consulted to populate the {@code acr} claim of the issued
     * OpenID Connect token. Consumers of that token may base trust decisions on the claim, so an
     * implementation should not report a stronger authentication context than the validation of
     * {@code inputTokenType} actually supports.
     *
     * <p>NOTE(review): {@code inputToken} is the caller-supplied token state; depending on the token
     * type it may hold credential material, so implementations should presumably avoid logging or
     * persisting it. Confirm against the token types the deployment accepts.
     *
     * <p>NOTE(review): this contract does not say whether {@code null} or an empty string is an
     * acceptable result; verify how the caller treats either before returning one.
     *
     * @param inputTokenType the type of the token that was validated during the token
     *                       transformation
     * @param inputToken the json form of the validated token, exactly as it was presented to the
     *                   REST STS in the token transformation invocation; custom implementations may
     *                   inspect it to make a finer-grained choice of AuthnContext class reference
     * @return a valid AuthnContext value, as defined for the acr claim in
     *         https://openid.net/specs/openid-connect-core-1_0.html#IDToken
     */
    String getAuthnContextClassReference(TokenTypeId inputTokenType, JsonValue inputToken);

}