Class ClientRegistration
- java.lang.Object
  - org.forgerock.openig.filter.oauth2.client.ClientRegistration

public final class ClientRegistration extends Object
A configuration for an OpenID Connect Provider. Options:

{
  "clientId"                    : expression        [REQUIRED]
  "clientSecretId"              : expression        [REQUIRED - if the private_key_jwt authentication method is NOT selected.]
  "issuer"                      : String / Issuer   [REQUIRED - the issuer name, or its inlined declaration.]
  "scopes"                      : [ expressions ]   [OPTIONAL - specific scopes to use for this client registration.]
  "registrationHandler"         : handler           [OPTIONAL - by default it uses the 'ClientHandler' provided in the heap.]
  "tokenEndpointAuthMethod"     : enum              [OPTIONAL - default is Basic Authentication, "client_secret_basic".]
  "tokenEndpointAuthSigningAlg" : string            [OPTIONAL - defaults to RS256 if the private_key_jwt authentication method is selected.]
  "privateKeyJwtSecretId"       : expression        [OPTIONAL - but REQUIRED if the private_key_jwt authentication method is selected.]
  "claims"                      : {                 [OPTIONAL - contains the claims used in private_key_jwt authentication.]
    "aud"                       : String OR [Strings] [OPTIONAL - defaults to the URL of the Authorization Server's Token endpoint.]
  }
  "jwtExpirationTimeout"        : duration          [OPTIONAL - defaults to 1 minute if the private_key_jwt authentication method is selected.]
}
Example: a client registration that refers to an Issuer by name and uses the default token endpoint authentication method (client_secret_basic):

{
  "name": "MyClientRegistration",
  "type": "ClientRegistration",
  "config": {
    "clientId": "OpenIG",
    "clientSecretId": "client.password.secret.id",
    "scopes": [ "openid", "profile" ],
    "issuer": "OpenAM"
  }
}
Example: a client registration with an inlined Issuer declaration and client_secret_post authentication:

{
  "name": "MyClientRegistration",
  "type": "ClientRegistration",
  "config": {
    "clientId": "OpenIG",
    "clientSecretId": "client.password.secret.id",
    "scopes": [ "openid", "profile" ],
    "tokenEndpointAuthMethod": "client_secret_post",
    "issuer": {
      "name": "myIssuer",
      "type": "Issuer",
      "config": {
        "wellKnownEndpoint": "http://server.com:8090/openam/oauth2/.well-known/openid-configuration"
      }
    }
  }
}
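The two configurations above both send a shared secret to the token endpoint. The options block also describes a third shape, the private_key_jwt method, where the client proves possession of a private signing key instead of transmitting a secret, so "clientSecretId" is no longer required and "privateKeyJwtSecretId" becomes mandatory. The following is an added illustration of that shape and is not an example from the OpenIG documentation or project: the secret label "client.signing.key.secret.id", the "aud" URL and the heap object name are constructed values, "1 minute" is assumed to be an accepted duration spelling, and "private_key_jwt" is assumed to be the literal enum value for the method the options block refers to by that name.

```json
{
  "name": "MyPrivateKeyJwtClientRegistration",
  "type": "ClientRegistration",
  "config": {
    "clientId": "OpenIG",
    "scopes": [ "openid", "profile" ],
    "issuer": "OpenAM",
    "tokenEndpointAuthMethod": "private_key_jwt",
    "tokenEndpointAuthSigningAlg": "RS256",
    "privateKeyJwtSecretId": "client.signing.key.secret.id",
    "claims": {
      "aud": "https://as.example.com/oauth2/access_token"
    },
    "jwtExpirationTimeout": "1 minute"
  }
}
```

"tokenEndpointAuthSigningAlg", the "aud" claim and "jwtExpirationTimeout" are all shown at their documented defaults, so each could be omitted; they are written out here to make explicit which settings govern the signed assertion. Keeping the expiration short limits how long a captured assertion stays replayable, and pinning "aud" to the token endpoint prevents the same assertion from being accepted by a different audience.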
- clientSecretId: a label of a Purpose, required to read the GenericSecret that authenticates the client when SecretBasicClientAuthentication or SecretPostClientAuthentication is used.
- clientSecret [Deprecated since 6.5 in favor of clientSecretId]: credential required to authenticate the client when SecretBasicClientAuthentication or SecretPostClientAuthentication is used. NOTE: If both clientSecret and clientSecretId are provided, clientSecretId takes precedence.
Nested Class Summary
- static class ClientRegistration.Heaplet
  Creates and initializes a Client Registration object in a heap environment.
Method Summary (all methods are concrete instance methods)
- Promise<JsonValue,OAuth2ErrorException> getAccessToken(Context context, String code, String callbackUri)
  Exchanges the authorization code for an access token and optional ID token, and then updates the session state.
- String getClientId()
  Returns the client ID of this client registration.
- Issuer getIssuer()
  Returns the Issuer for this client registration.
- String getName()
  Returns the name of this client registration.
- List<String> getScopes()
  Returns the list of scopes of this client registration.
- Promise<JsonValue,OAuth2ErrorException> getUserInfo(Context context, org.forgerock.openig.filter.oauth2.client.OAuth2Session session)
  Returns a Promise completed either with the JSON value of the user info obtained from the authorization server if the response has a status code of 200, or with an exception, meaning the access token may have expired.
- Promise<JsonValue,OAuth2ErrorException> refreshAccessToken(Context context, org.forgerock.openig.filter.oauth2.client.OAuth2Session session)
  Refreshes the current access token by sending a refresh request to the token endpoint.
Constructor Detail

ClientRegistration
public ClientRegistration(String clientId, String name, List<String> scopes, Issuer issuer, Handler registrationHandler, org.forgerock.openig.filter.oauth2.client.ClientAuthentication clientAuthentication)
Creates a Client Registration.
- Parameters:
  - clientId - The ID of this client registration.
  - name - The name of this client registration. Can be null. If it is null, the clientId is used.
  - scopes - The list of scopes for this client registration, not null.
  - issuer - The Issuer of this client, not null.
  - registrationHandler - The handler used to send requests to the AS (authorization server).
  - clientAuthentication - The ClientAuthentication to use, not null.
Method Detail

getName
public String getName()
Returns the name of this client registration.
- Returns:
  - the name of this client registration.
getAccessToken
public Promise<JsonValue,OAuth2ErrorException> getAccessToken(Context context, String code, String callbackUri)
Exchanges the authorization code for an access token and optional ID token, and then updates the session state.
- Parameters:
  - context - The current context.
  - code - The authorization code.
  - callbackUri - The callback URI.
- Returns:
  - A promise completed either with the JSON content of the response if the response status code is 200 OK, or with an OAuth2ErrorException in case of errors.
getClientId
public String getClientId()
Returns the client ID of this client registration.
- Returns:
  - the client ID.
getIssuer
public Issuer getIssuer()
Returns the Issuer for this client registration.
- Returns:
  - the Issuer for this client registration.
refreshAccessToken
public Promise<JsonValue,OAuth2ErrorException> refreshAccessToken(Context context, org.forgerock.openig.filter.oauth2.client.OAuth2Session session)
Refreshes the current access token by sending a refresh request to the token endpoint.
- Parameters:
  - context - The current context.
  - session - The current session.
- Returns:
  - A promise completed either with the JSON content of the response if the response status code is 200 OK, or with an OAuth2ErrorException if an error occurs when contacting the authorization server or if the returned response status code is different from 200 OK.
getScopes
public List<String> getScopes()
Returns the list of scopes of this client registration.
- Returns:
  - the list of scopes of this client registration.
getUserInfo
public Promise<JsonValue,OAuth2ErrorException> getUserInfo(Context context, org.forgerock.openig.filter.oauth2.client.OAuth2Session session)
Returns a Promise completed either with the JSON value of the user info obtained from the authorization server if the response has a status code of 200, or with an exception, meaning the access token may have expired.
- Parameters:
  - context - The current context.
  - session - The current session to use.
- Returns:
  - A promise completed either with a JsonValue containing the requested user info, or with an OAuth2ErrorException if an error occurs when contacting the authorization server or if the returned response status code is different from 200 OK (which may signify that the access token has expired).