Class AuthorizeRestWebServiceImpl

java.lang.Object
io.jans.as.server.authorize.ws.rs.AuthorizeRestWebServiceImpl
All Implemented Interfaces:
AuthorizeRestWebService

@Path("/") public class AuthorizeRestWebServiceImpl extends Object implements AuthorizeRestWebService
Implementation for request authorization through REST web services.
Version:
March 17, 2022
Author:
Javier Rojas Blum
  • Constructor Details

    • AuthorizeRestWebServiceImpl

      public AuthorizeRestWebServiceImpl()
  • Method Details

    • requestAuthorizationGet

      public jakarta.ws.rs.core.Response requestAuthorizationGet(String scope, String responseType, String clientId, String redirectUri, String state, String responseMode, String nonce, String display, String prompt, Integer maxAge, String uiLocales, String idTokenHint, String loginHint, String acrValues, String amrValues, String request, String requestUri, String sessionId, String originHeaders, String codeChallenge, String codeChallengeMethod, String customResponseHeaders, String claims, String authReqId, String dpopJkt, String shouldReturnLogoutStatusJwt, String authorizationDetails, jakarta.servlet.http.HttpServletRequest httpRequest, jakarta.servlet.http.HttpServletResponse httpResponse, jakarta.ws.rs.core.SecurityContext securityContext)
      Description copied from interface: AuthorizeRestWebService
      Requests authorization.
      Specified by:
      requestAuthorizationGet in interface AuthorizeRestWebService
      Parameters:
      scope - The scope of the access request.
      responseType - The response type informs the authorization server of the desired response type: code, token, id_token, or a combination of them. The response type parameter is mandatory.
      clientId - The client identifier.
      redirectUri - Redirection URI.
      state - An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter should be used for preventing cross-site request forgery.
      responseMode - Informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization Endpoint. Use of this parameter is NOT RECOMMENDED when the Response Mode that would be requested is the default mode specified for the Response Type.
      nonce - A string value used to associate a user agent session with an ID Token, and to mitigate replay attacks.
      display - An ASCII string value that specifies how the Authorization Server displays the authentication page to the End-User.
      prompt - A space delimited list of ASCII strings that can contain the values login, consent, select_account, and none.
      maxAge - Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated.
      uiLocales - End-User's preferred languages and scripts for the user interface, represented as a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference.
      idTokenHint - Previously issued ID Token passed to the Authorization Server as a hint about the End-User's current or past authenticated session with the Client.
      loginHint - Hint to the Authorization Server about the login identifier the End-User might use to log in (if necessary).
      acrValues - Requested Authentication Context Class Reference values. Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference.
      amrValues - Requested Authentication Methods References. JSON array of strings that are identifiers for authentication methods used in the authentication. For instance, values might indicate that both password and OTP authentication methods were used. The definition of particular values to be used in the amr Claim is beyond the scope of this specification. The amr value is an array of case-sensitive strings.
      request - A JWT-encoded OpenID Request Object.
      requestUri - A URL that points to an OpenID Request Object.
      sessionId - Session ID.
      originHeaders - Origin headers.
      codeChallenge - PKCE code challenge.
      codeChallengeMethod - PKCE code challenge method.
      authReqId - A unique identifier to identify the CIBA authentication request made by the Client.
      dpopJkt - The value of the dpop_jkt authorization request parameter is the JSON Web Key (JWK) Thumbprint of the proof-of-possession public key, computed with the SHA-256 hash function; this is the same value as used for the jkt confirmation method defined
      shouldReturnLogoutStatusJwt - If true is passed, the AS returns a Logout Status JWT.
      authorizationDetails - The request parameter authorization_details contains, in JSON notation, an array of objects. Each JSON object contains the data to specify the authorization requirements for a certain type of resource. The type of resource or access requirement is determined by the type field.
      httpRequest - HTTP request.
      securityContext - An injectable interface that provides access to security related information.
      Returns:

      When the responseType parameter is set to code:

      If the resource owner grants the access request, the authorization server issues an authorization code and delivers it to the client by adding the following parameters to the query component of the redirection URI using the application/x-www-form-urlencoded format:

      code
      The authorization code generated by the authorization server.
      state
      If the state parameter was present in the client authorization request. The exact value received from the client.

      When the responseType parameter is set to token:

      If the resource owner grants the access request, the authorization server issues an access token and delivers it to the client by adding the following parameters to the fragment component of the redirection URI using the application/x-www-form-urlencoded format.

      access_token
      The access token issued by the authorization server.
      token_type
      The type of the token issued. Value is case insensitive.
      expires_in
      The lifetime in seconds of the access token. For example, the value 3600 denotes that the access token will expire in one hour from the time the response was generated.
      scope
      The scope of the access token.
      state
      If the state parameter was present in the client authorization request. The exact value received from the client.
    • requestAuthorizationPost

      public jakarta.ws.rs.core.Response requestAuthorizationPost(String scope, String responseType, String clientId, String redirectUri, String state, String responseMode, String nonce, String display, String prompt, Integer maxAge, String uiLocales, String idTokenHint, String loginHint, String acrValues, String amrValues, String request, String requestUri, String sessionId, String originHeaders, String codeChallenge, String codeChallengeMethod, String customResponseHeaders, String claims, String authReqId, String dpopJkt, String shouldReturnLogoutStatusJwt, String authorizationDetails, jakarta.servlet.http.HttpServletRequest httpRequest, jakarta.servlet.http.HttpServletResponse httpResponse, jakarta.ws.rs.core.SecurityContext securityContext)
      Description copied from interface: AuthorizeRestWebService
      Requests authorization.
      Specified by:
      requestAuthorizationPost in interface AuthorizeRestWebService
      Parameters:
      scope - The scope of the access request.
      responseType - The response type informs the authorization server of the desired response type: code, token, id_token, or a combination of them. The response type parameter is mandatory.
      clientId - The client identifier.
      redirectUri - Redirection URI.
      state - An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter should be used for preventing cross-site request forgery.
      responseMode - Informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization Endpoint. Use of this parameter is NOT RECOMMENDED when the Response Mode that would be requested is the default mode specified for the Response Type.
      nonce - A string value used to associate a user agent session with an ID Token, and to mitigate replay attacks.
      display - An ASCII string value that specifies how the Authorization Server displays the authentication page to the End-User.
      prompt - A space delimited list of ASCII strings that can contain the values login, consent, select_account, and none.
      maxAge - Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated.
      uiLocales - End-User's preferred languages and scripts for the user interface, represented as a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference.
      idTokenHint - Previously issued ID Token passed to the Authorization Server as a hint about the End-User's current or past authenticated session with the Client.
      loginHint - Hint to the Authorization Server about the login identifier the End-User might use to log in (if necessary).
      acrValues - Requested Authentication Context Class Reference values. Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference.
      amrValues - Requested Authentication Methods References. JSON array of strings that are identifiers for authentication methods used in the authentication. For instance, values might indicate that both password and OTP authentication methods were used. The definition of particular values to be used in the amr Claim is beyond the scope of this specification. The amr value is an array of case-sensitive strings.
      request - A JWT-encoded OpenID Request Object.
      requestUri - A URL that points to an OpenID Request Object.
      sessionId - Session ID.
      originHeaders - Origin headers.
      codeChallenge - PKCE code challenge.
      codeChallengeMethod - PKCE code challenge method.
      authReqId - A unique identifier to identify the CIBA authentication request made by the Client.
      dpopJkt - The value of the dpop_jkt authorization request parameter is the JSON Web Key (JWK) Thumbprint of the proof-of-possession public key, computed with the SHA-256 hash function; this is the same value as used for the jkt confirmation method defined
      shouldReturnLogoutStatusJwt - If true is passed, the AS returns a Logout Status JWT.
      authorizationDetails - The request parameter authorization_details contains, in JSON notation, an array of objects. Each JSON object contains the data to specify the authorization requirements for a certain type of resource. The type of resource or access requirement is determined by the type field.
      httpRequest - HTTP request.
      securityContext - An injectable interface that provides access to security related information.
      Returns:

      When the responseType parameter is set to code:

      If the resource owner grants the access request, the authorization server issues an authorization code and delivers it to the client by adding the following parameters to the query component of the redirection URI using the application/x-www-form-urlencoded format:

      code
      The authorization code generated by the authorization server.
      state
      If the state parameter was present in the client authorization request. The exact value received from the client.

      When the responseType parameter is set to token:

      If the resource owner grants the access request, the authorization server issues an access token and delivers it to the client by adding the following parameters to the fragment component of the redirection URI using the application/x-www-form-urlencoded format.

      access_token
      The access token issued by the authorization server.
      token_type
      The type of the token issued. Value is case insensitive.
      expires_in
      The lifetime in seconds of the access token. For example, the value 3600 denotes that the access token will expire in one hour from the time the response was generated.
      scope
      The scope of the access token.
      state
      If the state parameter was present in the client authorization request. The exact value received from the client.
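      The following is an added example and not code from the Janssen project or from this class. It is a relying-party-side helper, written against the parameter and return descriptions of requestAuthorizationGet and requestAuthorizationPost above (the POST variant carries the same parameters in the form body instead of the query string). It builds an authorization request carrying state, nonce and a PKCE S256 code_challenge, and parses the redirect the authorization server sends back: a code arrives in the query component, a token in the fragment, and state is verified in constant time before any other value is trusted. The endpoint URL, client_id and callback values are assumed placeholders.

```python
# Added example (not Janssen project code): relying-party helpers for the
# authorization endpoint documented above.
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical endpoint URL; the real path depends on the deployment.
AUTHORIZE_ENDPOINT = "https://as.example.test/jans-auth/restv1/authorize"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE (RFC 7636) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes -> 43-character verifier (the RFC 7636 minimum length)."""
    return _b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) for method S256."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(client_id, redirect_uri, response_type, scope, state,
                            nonce=None, code_challenge=None, endpoint=AUTHORIZE_ENDPOINT):
    """Assemble the GET form of the request; a POST would send the same params as a form body."""
    params = {
        "response_type": response_type,  # mandatory, per the parameter docs above
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,                  # CSRF binding: unguessable, checked on return
    }
    if nonce:
        params["nonce"] = nonce          # ties the ID Token to this user-agent session
    if code_challenge:
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"
    return endpoint + "?" + urlencode(params)


def parse_authorization_response(redirect_url: str, expected_state: str) -> dict:
    """Interpret the redirect back to the client; raises ValueError on anything untrustworthy."""
    parts = urlsplit(redirect_url)
    # Per the Returns section above: code responses use the query component,
    # token responses the fragment component.
    params = parse_qs(parts.fragment) if parts.fragment else parse_qs(parts.query)
    flat = {k: v[0] for k, v in params.items()}

    # Verify state before believing anything else in the callback.
    received_state = flat.get("state", "")
    if not hmac.compare_digest(received_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible CSRF or replayed callback")

    if "error" in flat:
        raise ValueError(f"authorization error: {flat['error']}: {flat.get('error_description', '')}")

    if "code" in flat:
        return {"type": "code", "code": flat["code"], "state": received_state}
    if "access_token" in flat:
        return {
            "type": "token",
            "access_token": flat["access_token"],
            "token_type": flat.get("token_type", "").lower(),  # case-insensitive per the docs
            "expires_in": int(flat["expires_in"]) if "expires_in" in flat else None,
            "scope": flat.get("scope"),
            "state": received_state,
        }
    raise ValueError("response contains neither code nor access_token")


if __name__ == "__main__":
    # Constructed values; nothing here contacts a real server.
    verifier = make_code_verifier()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorization_url("client-abc", "https://client.example.test/cb", "code",
                                  "openid profile", state, nonce, code_challenge_s256(verifier)))
```

      The code_verifier is kept client-side and sent only to the token endpoint later; the state returned by parse_authorization_response should be looked up in the session that issued it and discarded once used, so a callback cannot be replayed.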
    • checkPromptCreate

      public void checkPromptCreate(AuthzRequest authzRequest)
    • checkPromptLogin

      public void checkPromptLogin(AuthzRequest authzRequest)
    • checkOfflineAccessScopes

      public void checkOfflineAccessScopes(List<io.jans.as.model.common.ResponseType> responseTypes, List<io.jans.as.model.common.Prompt> prompts, io.jans.as.common.model.registration.Client client, Set<String> scopes)
    • getGenericRequestMap

      public static Map<String,String> getGenericRequestMap(jakarta.servlet.http.HttpServletRequest httpRequest)